ipfltdrv.sys causing BSOD on Windows Server 2012 R2.
Microsoft (R) Windows Debugger Version 10.0.21306.1007 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\041621-70281-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Path validation summary
Response Time (ms) Location
Deferred srv
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 9600.19939.amd64fre.winblue_ltsb.210109-0600
Machine Name:
Kernel base = 0xfffff803`91c15000 PsLoadedModuleList = 0xfffff803`91eda5d0
Debug session time: Fri Apr 16 18:08:58.113 2021 (UTC + 5:30)
System Uptime: 27 days 6:37:54.144
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
....
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff803`91d554c0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd000`244f23a0=0000000000000139
1: kd> !analyze -v
Bugcheck Analysis
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000244f26c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000244f2618, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
GetUlongPtrFromAddress: unable to read from fffff80391f64308
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1733
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 5604
Key : Analysis.Init.CPU.mSec
Value: 936
Key : Analysis.Init.Elapsed.mSec
Value: 14697
Key : Analysis.Memory.CommitPeak.Mb
Value: 80
Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY
Key : FailFast.Type
Value: 3
Key : WER.OS.Branch
Value: winblue_ltsb
Key : WER.OS.Timestamp
Value: 2021-01-09T06:00:00Z
Key : WER.OS.Version
Value: 8.1.9600.19939
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: ffffd000244f26c0
BUGCHECK_P3: ffffd000244f2618
BUGCHECK_P4: 0
TRAP_FRAME: ffffd000244f26c0 -- (.trap 0xffffd000244f26c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe000e79e8010 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80088dc2168 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80391cd1bdd rsp=ffffd000244f2850 rbp=0000000000000001
r8=ffffe000e7b27250 r9=ffffe000ea60b158 r10=0000000000000000
r11=ffffd000244f28e8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na po nc
nt!ExInterlockedRemoveHeadList+0x89:
fffff803`91cd1bdd cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000244f2618 -- (.exr 0xffffd000244f2618)
ExceptionAddress: fffff80391cd1bdd (nt!ExInterlockedRemoveHeadList+0x0000000000000089)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: svchost.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffffd000`244f2398 fffff803`91d65769 : 00000000`00000139 00000000`00000003 ffffd000`244f26c0 ffffd000`244f2618 : nt!KeBugCheckEx
ffffd000`244f23a0 fffff803`91d65ad0 : ffffe000`e5b68118 fffff800`883394c5 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffd000`244f24e0 fffff803`91d644a2 : 00000200`00020001 00000000`00000502 ffffe000`e5aed990 ffffe000`ea283c70 : nt!KiFastFailDispatch+0xd0
ffffd000`244f26c0 fffff803`91cd1bdd : 00000000`00000001 fffff800`870fd8fb ffffd000`244f2970 fffff800`8789ef4b : nt!KiRaiseSecurityCheckFailure+0x2e2
ffffd000`244f2850 fffff800`88db2ff1 : 00000000`00000000 ffffd000`244f2900 ffffe000`e7b27240 ffffe000`ea607000 : nt!ExInterlockedRemoveHeadList+0x89
ffffd000`244f2890 fffff800`88dac3ad : 00000000`0000612e ffffe000`ed41c24f 00000000`00000020 ffffd000`244f296c : ipfltdrv!MatchFilterp+0x6be1
ffffd000`244f2940 fffff800`88dada1a : 00000000`00000020 00000000`00000014 00000000`00000000 ffffd000`244f2b58 : ipfltdrv!MatchFilter+0x6d
ffffd000`244f2ae0 fffff800`8721f2b6 : 00000000`0000011a ffffe000`e5589820 ffffd000`244f2fb0 00000000`00000014 : ipfltdrv!IpfForwardIpClassifyCallout+0x16a
ffffd000`244f2cf0 fffff800`87204c30 : 00000000`00000008 ffffd000`244f3388 00000000`00000000 ffffe000`e8f4edf0 : NETIO!ProcessCallout+0x226
ffffd000`244f2e60 fffff800`878da5c6 : ffffe000`e56d0b80 ffffe000`e6cc83b0 ffffe000`e6cc83b0 ffffd000`244f34d0 : NETIO!KfdClassify+0x200
ffffd000`244f3320 fffff800`878da08f : 00000000`00000000 00000000`00000000 ffffd000`244f3550 ffffe000`e5c1b040 : tcpip!WfpNlShimInspectForwardDatagram+0x276
ffffd000`244f3450 fffff800`878c015e : fffff800`87a0e180 ffffe000`e7bf4010 00000000`e0000001 ffffe000`e57e7000 : tcpip!IppForwardPackets+0x51f
ffffd000`244f3590 fffff800`87ecc4e3 : ffffe000`e5d041a0 00000000`00000000 ffffd000`244f3a01 ffffe000`eb69f400 : tcpip!IppFlcReceivePacketsCore+0xa5e
ffffd000`244f3910 fffff800`870eda53 : ffffe000`e8f4edf0 00000000`00000000 fffff800`870fa9a0 00000000`00000000 : wanarp!WanNdisReceivePackets+0x3a3
ffffd000`244f3a50 fffff800`870edf19 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : NDIS!NdisAcquireRWLockWrite+0x6b3
ffffd000`244f3b10 fffff800`870ee6b2 : ffffe000`e59da1a0 00000000`00000001 fffff800`870fa560 ffffe000`f7d055d8 : NDIS!NdisAcquireRWLockWrite+0xb79
ffffd000`244f3ba0 fffff800`8776655c : ffffe000`eaea6480 ffffe000`e9d213f0 ffffe000`e8f4edf0 ffffe000`eaea6480 : NDIS!NdisMIndicateReceiveNetBufferLists+0x732
ffffd000`244f3d90 fffff800`8774796a : ffffe000`e9d213f0 ffffe000`ed41b180 ffffe000`ed41b020 ffffe000`ed41c23b : ndiswan!IndicateRecvPacket+0x54c
ffffd000`244f3e10 fffff800`87766f02 : 00000000`00000000 fffff43f`00000008 00000000`00000000 00000000`00000001 : ndiswan!ApplyQoSAndIndicateRecvPacket+0x3a
ffffd000`244f3e80 fffff800`87766ddf : fffff800`87762010 fffff800`870fe3bb ffffe000`eaea6480 00000000`00000035 : ndiswan!ProcessPPPFrame+0xd2
ffffd000`244f3f10 fffff800`8774781b : ffffe000`e9d213f0 ffffe000`eaea6480 ffffe000`ec78d940 00000000`00000000 : ndiswan!ReceivePPP+0x7f
ffffd000`244f3f50 fffff800`870fe71c : ffffe000`e53da010 ffffe000`eb5dd540 00000000`00000000 ffffe000`e5ab83d0 : ndiswan!ProtoCoReceiveNetBufferListChain+0x2db
ffffd000`244f3fe0 fffff800`8778e8f2 : ffffe000`e5b2bd80 ffffe000`ed41f000 000000ff`6ceea25d 00000000`00000035 : NDIS!NdisAdvanceNetBufferListDataStart+0x21c
ffffd000`244f4060 fffff800`877807e8 : 00000000`00000000 ffffe000`ed41f000 00000000`00000039 00000000`00000000 : rassstp!DelinProcessSstpDataFrame+0x1c2
ffffd000`244f40b0 fffff800`8778e140 : 000000ff`6ceea218 00000000`00000000 ffffd000`244f4400 00000000`00004008 : rassstp!DelineateSSTPFrame+0xac
ffffd000`244f4100 fffff803`92099789 : 00000000`00004008 ffffe000`e7978af0 00000000`00004008 00000000`00000000 : rassstp!TpiDispatchFastIoDeviceControl+0x140
ffffd000`244f4160 fffff803`9206c106 : ffffe000`eaef1880 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x7d9
ffffd000`244f42a0 fffff803`91d653e3 : ffffe000`e7a20fa0 000000ff`654d2500 ffffe000`fe5039c0 000000ff`63c8f9d8 : nt!NtDeviceIoControlFile+0x56
ffffd000`244f4310 00007ffe`0619077a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000ff`63c8f7a8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffe`0619077a
SYMBOL_NAME: ipfltdrv!MatchFilterp+6be1
MODULE_NAME: ipfltdrv
IMAGE_NAME: ipfltdrv.sys
IMAGE_VERSION: 6.3.9600.16384
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 6be1
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_ipfltdrv!MatchFilterp
OS_VERSION: 8.1.9600.19939
BUILDLAB_STR: winblue_ltsb
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
FAILURE_ID_HASH: {c75aa30a-fb06-ecf5-18d0-1240f977354e}
Followup: MachineOwner
1: kd> lmvm ipfltdrv
start end module name
fffff800`88dab000 fffff800`88dca000 ipfltdrv (pdb symbols) C:\ProgramData\Dbg\sym\ipfltdrv.pdb\E0596917AA4D415DADA61CEAEDF39F272\ipfltdrv.pdb
Loaded symbol image file: ipfltdrv.sys
Mapped memory image file: C:\ProgramData\Dbg\sym\ipfltdrv.sys\5215F7961f000\ipfltdrv.sys
Image path: \SystemRoot\system32\DRIVERS\ipfltdrv.sys
Image name: ipfltdrv.sys
Timestamp: Thu Aug 22 17:05:50 2013 (5215F796)
CheckSum: 000188DB
ImageSize: 0001F000
File version: 6.3.9600.16384
Product version: 6.3.9600.16384
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ipfltdrv.sys
OriginalFilename: ipfltdrv.sys
ProductVersion: 6.3.9600.16384
FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)
FileDescription: IP FILTER DRIVER
LegalCopyright: © Microsoft Corporation. All rights reserved.