saikrishna-3277 asked CarlFan-MSFT answered

BSOD Causing ipfltdrv.sys

ipfltdrv.sys causing BSOD on Windows Server 2012 R2.


Microsoft (R) Windows Debugger Version 10.0.21306.1007 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\041621-70281-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


Path validation summary
Response Time (ms) Location
Deferred srv

Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 9600.19939.amd64fre.winblue_ltsb.210109-0600
Machine Name:
Kernel base = 0xfffff803`91c15000 PsLoadedModuleList = 0xfffff803`91eda5d0
Debug session time: Fri Apr 16 18:08:58.113 2021 (UTC + 5:30)
System Uptime: 27 days 6:37:54.144
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
....
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`91d554c0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd000`244f23a0=0000000000000139
1: kd> !analyze -v



*                        Bugcheck Analysis                                    *
    



KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000244f26c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000244f2618, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:



GetUlongPtrFromAddress: unable to read from fffff80391f64308

KEY_VALUES_STRING: 1

 Key  : Analysis.CPU.mSec
 Value: 1733

 Key  : Analysis.DebugAnalysisManager
 Value: Create

 Key  : Analysis.Elapsed.mSec
 Value: 5604

 Key  : Analysis.Init.CPU.mSec
 Value: 936

 Key  : Analysis.Init.Elapsed.mSec
 Value: 14697

 Key  : Analysis.Memory.CommitPeak.Mb
 Value: 80

 Key  : FailFast.Name
 Value: CORRUPT_LIST_ENTRY

 Key  : FailFast.Type
 Value: 3

 Key  : WER.OS.Branch
 Value: winblue_ltsb

 Key  : WER.OS.Timestamp
 Value: 2021-01-09T06:00:00Z

 Key  : WER.OS.Version
 Value: 8.1.9600.19939


VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffd000244f26c0

BUGCHECK_P3: ffffd000244f2618

BUGCHECK_P4: 0

TRAP_FRAME: ffffd000244f26c0 -- (.trap 0xffffd000244f26c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe000e79e8010 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80088dc2168 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80391cd1bdd rsp=ffffd000244f2850 rbp=0000000000000001
r8=ffffe000e7b27250 r9=ffffe000ea60b158 r10=0000000000000000
r11=ffffd000244f28e8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na po nc
nt!ExInterlockedRemoveHeadList+0x89:
fffff803`91cd1bdd cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffd000244f2618 -- (.exr 0xffffd000244f2618)
ExceptionAddress: fffff80391cd1bdd (nt!ExInterlockedRemoveHeadList+0x0000000000000089)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: svchost.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
ffffd000`244f2398 fffff803`91d65769 : 00000000`00000139 00000000`00000003 ffffd000`244f26c0 ffffd000`244f2618 : nt!KeBugCheckEx
ffffd000`244f23a0 fffff803`91d65ad0 : ffffe000`e5b68118 fffff800`883394c5 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd000`244f24e0 fffff803`91d644a2 : 00000200`00020001 00000000`00000502 ffffe000`e5aed990 ffffe000`ea283c70 : nt!KiFastFailDispatch+0xd0
ffffd000`244f26c0 fffff803`91cd1bdd : 00000000`00000001 fffff800`870fd8fb ffffd000`244f2970 fffff800`8789ef4b : nt!KiRaiseSecurityCheckFailure+0x2e2
ffffd000`244f2850 fffff800`88db2ff1 : 00000000`00000000 ffffd000`244f2900 ffffe000`e7b27240 ffffe000`ea607000 : nt!ExInterlockedRemoveHeadList+0x89
ffffd000`244f2890 fffff800`88dac3ad : 00000000`0000612e ffffe000`ed41c24f 00000000`00000020 ffffd000`244f296c : ipfltdrv!MatchFilterp+0x6be1
ffffd000`244f2940 fffff800`88dada1a : 00000000`00000020 00000000`00000014 00000000`00000000 ffffd000`244f2b58 : ipfltdrv!MatchFilter+0x6d
ffffd000`244f2ae0 fffff800`8721f2b6 : 00000000`0000011a ffffe000`e5589820 ffffd000`244f2fb0 00000000`00000014 : ipfltdrv!IpfForwardIpClassifyCallout+0x16a
ffffd000`244f2cf0 fffff800`87204c30 : 00000000`00000008 ffffd000`244f3388 00000000`00000000 ffffe000`e8f4edf0 : NETIO!ProcessCallout+0x226
ffffd000`244f2e60 fffff800`878da5c6 : ffffe000`e56d0b80 ffffe000`e6cc83b0 ffffe000`e6cc83b0 ffffd000`244f34d0 : NETIO!KfdClassify+0x200
ffffd000`244f3320 fffff800`878da08f : 00000000`00000000 00000000`00000000 ffffd000`244f3550 ffffe000`e5c1b040 : tcpip!WfpNlShimInspectForwardDatagram+0x276
ffffd000`244f3450 fffff800`878c015e : fffff800`87a0e180 ffffe000`e7bf4010 00000000`e0000001 ffffe000`e57e7000 : tcpip!IppForwardPackets+0x51f
ffffd000`244f3590 fffff800`87ecc4e3 : ffffe000`e5d041a0 00000000`00000000 ffffd000`244f3a01 ffffe000`eb69f400 : tcpip!IppFlcReceivePacketsCore+0xa5e
ffffd000`244f3910 fffff800`870eda53 : ffffe000`e8f4edf0 00000000`00000000 fffff800`870fa9a0 00000000`00000000 : wanarp!WanNdisReceivePackets+0x3a3
ffffd000`244f3a50 fffff800`870edf19 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : NDIS!NdisAcquireRWLockWrite+0x6b3
ffffd000`244f3b10 fffff800`870ee6b2 : ffffe000`e59da1a0 00000000`00000001 fffff800`870fa560 ffffe000`f7d055d8 : NDIS!NdisAcquireRWLockWrite+0xb79
ffffd000`244f3ba0 fffff800`8776655c : ffffe000`eaea6480 ffffe000`e9d213f0 ffffe000`e8f4edf0 ffffe000`eaea6480 : NDIS!NdisMIndicateReceiveNetBufferLists+0x732
ffffd000`244f3d90 fffff800`8774796a : ffffe000`e9d213f0 ffffe000`ed41b180 ffffe000`ed41b020 ffffe000`ed41c23b : ndiswan!IndicateRecvPacket+0x54c
ffffd000`244f3e10 fffff800`87766f02 : 00000000`00000000 fffff43f`00000008 00000000`00000000 00000000`00000001 : ndiswan!ApplyQoSAndIndicateRecvPacket+0x3a
ffffd000`244f3e80 fffff800`87766ddf : fffff800`87762010 fffff800`870fe3bb ffffe000`eaea6480 00000000`00000035 : ndiswan!ProcessPPPFrame+0xd2
ffffd000`244f3f10 fffff800`8774781b : ffffe000`e9d213f0 ffffe000`eaea6480 ffffe000`ec78d940 00000000`00000000 : ndiswan!ReceivePPP+0x7f
ffffd000`244f3f50 fffff800`870fe71c : ffffe000`e53da010 ffffe000`eb5dd540 00000000`00000000 ffffe000`e5ab83d0 : ndiswan!ProtoCoReceiveNetBufferListChain+0x2db
ffffd000`244f3fe0 fffff800`8778e8f2 : ffffe000`e5b2bd80 ffffe000`ed41f000 000000ff`6ceea25d 00000000`00000035 : NDIS!NdisAdvanceNetBufferListDataStart+0x21c
ffffd000`244f4060 fffff800`877807e8 : 00000000`00000000 ffffe000`ed41f000 00000000`00000039 00000000`00000000 : rassstp!DelinProcessSstpDataFrame+0x1c2
ffffd000`244f40b0 fffff800`8778e140 : 000000ff`6ceea218 00000000`00000000 ffffd000`244f4400 00000000`00004008 : rassstp!DelineateSSTPFrame+0xac
ffffd000`244f4100 fffff803`92099789 : 00000000`00004008 ffffe000`e7978af0 00000000`00004008 00000000`00000000 : rassstp!TpiDispatchFastIoDeviceControl+0x140
ffffd000`244f4160 fffff803`9206c106 : ffffe000`eaef1880 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7d9
ffffd000`244f42a0 fffff803`91d653e3 : ffffe000`e7a20fa0 000000ff`654d2500 ffffe000`fe5039c0 000000ff`63c8f9d8 : nt!NtDeviceIoControlFile+0x56
ffffd000`244f4310 00007ffe`0619077a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000ff`63c8f7a8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`0619077a


SYMBOL_NAME: ipfltdrv!MatchFilterp+6be1

MODULE_NAME: ipfltdrv

IMAGE_NAME: ipfltdrv.sys

IMAGE_VERSION: 6.3.9600.16384

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 6be1

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_ipfltdrv!MatchFilterp

OS_VERSION: 8.1.9600.19939

BUILDLAB_STR: winblue_ltsb

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

FAILURE_ID_HASH: {c75aa30a-fb06-ecf5-18d0-1240f977354e}

Followup: MachineOwner



1: kd> lmvm ipfltdrv
Browse full module list
start end module name
fffff800`88dab000 fffff800`88dca000 ipfltdrv (pdb symbols) C:\ProgramData\Dbg\sym\ipfltdrv.pdb\E0596917AA4D415DADA61CEAEDF39F272\ipfltdrv.pdb
Loaded symbol image file: ipfltdrv.sys
Mapped memory image file: C:\ProgramData\Dbg\sym\ipfltdrv.sys\5215F7961f000\ipfltdrv.sys
Image path: \SystemRoot\system32\DRIVERS\ipfltdrv.sys
Image name: ipfltdrv.sys
Browse all global symbols functions data
Timestamp: Thu Aug 22 17:05:50 2013 (5215F796)
CheckSum: 000188DB
ImageSize: 0001F000
File version: 6.3.9600.16384
Product version: 6.3.9600.16384
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ipfltdrv.sys
OriginalFilename: ipfltdrv.sys
ProductVersion: 6.3.9600.16384
FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)
FileDescription: IP FILTER DRIVER
LegalCopyright: © Microsoft Corporation. All rights reserved.

windows-server-2012
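
The dump above reports bugcheck 0x139 with Arg1 = 3 (FAST_FAIL_CORRUPT_LIST_ENTRY), raised by `int 29h` inside `nt!ExInterlockedRemoveHeadList`. As an added example (not part of the original post and not Windows source), this simplified C model shows the kind of link-consistency check that produces that fast fail, and what a stale second removal does to a list when the check is absent; the function names are hypothetical and the scenario is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same shape as the Windows LIST_ENTRY: flink = forward link, blink = backward link. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

static void list_insert_head(list_entry *head, list_entry *e) {
    e->flink = head->flink;
    e->blink = head;
    head->flink->blink = e;
    head->flink = e;
}

static void list_remove_unchecked(list_entry *e) {  /* trusts the entry's own links */
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Checked unlink: both neighbours must still point back at the entry. A false
 * return marks where the kernel fails fast instead (int 29h, code 3). */
static bool list_remove_checked(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e) return false;
    list_remove_unchecked(e);
    return true;
}

/* Constructed scenario: a is removed, c is queued, then a stale second removal
 * of a runs. Returns the entries left on the list (2 is the correct answer). */
size_t entries_after_double_remove(bool checked, bool *detected) {
    list_entry head = { &head, &head }, a, b, c;  /* head starts as an empty list */
    list_insert_head(&head, &b);
    list_insert_head(&head, &a);                  /* head <-> a <-> b */
    list_remove_unchecked(&a);                    /* legitimate first removal */
    list_insert_head(&head, &c);                  /* head <-> c <-> b */
    *detected = checked && !list_remove_checked(&a);
    if (!checked) list_remove_unchecked(&a);      /* silently unlinks c as well */
    size_t n = 0;
    for (list_entry *p = head.flink; p != &head; p = p->flink) n++;
    return n;
}

int main(void) {
    bool d0, d1;
    size_t n0 = entries_after_double_remove(false, &d0);
    size_t n1 = entries_after_double_remove(true, &d1);
    printf("unchecked: %zu entries, detected=%d\nchecked: %zu entries, detected=%d\n", n0, d0, n1, d1);
    return 0;
}
```

Without the check the second removal quietly drops an unrelated entry from the list; with it the inconsistency is caught at the unlink, which is the point where the stack in the dump stops.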

CarlFan-MSFT answered

Hi,
Ipfltdrv.sys is the IP FILTER DRIVER.
According to the information you provided, here are a few steps you could try:
1. Download and install updates and device drivers for your computer from Windows Update.
2. Scan your computer for computer viruses.
3. Type "msconfig" in the Search Bar. Select the "Service" option and hide all Microsoft services. Then disable all non-Microsoft services.
Hope this helps, and please accept this as the Answer if the response is useful.
Best Regards,
Carl
