kopf1988 Posted February 22, 2009 Posted February 22, 2009 I got an error similar to this thread: http://www.msfn.org/board/index.php?showto...1&st=0&I would really appreciate if someone could take a look at the files I have and tell me what I might suspect, I can't figure out what the cause is myself, but I don't know really how to look at these.Thank you for your help!!minidmp.zip
cluberti Posted February 22, 2009 Posted February 22, 2009 Since you've seen the other post, I won't go into many details, but it looks like the AVG layered service provider (LSP) network filter driver was at fault here. There was obviously a network request work item on this machine that either did not complete, or a socket operation timed out - either way, the TCP TCB has timed out, and is being closed. As with most LSP filter drivers, any activity on the tcp stack in TCPIP.sys (network-related or otherwise) filter through it, and it looks like avg's filter driver came in and did something (can't tell what) as would be expected with AVG installed. Once it's done handling this request as it passes through, it has to send it off to afd.sys to be handled - except, it appears that the driver has munged the ecx register that is being registered by the KeAcquireInStackQueuedSpinLock, and thus the machine is going to bugcheck. See:0: kd> .bugcheckBugcheck code 1000000AArguments 000000e8 00000002 00000001 806e6a160: kd> kChildEBP RetAddr 805510b8 804fc4aa hal!KeAcquireInStackQueuedSpinLock+0x26805510d8 b4b0bf95 nt!KeInsertQueueApc+0x2080551108 804f16c0 afd!AfdRestartConnect+0x17280551138 b4b1fcb1 nt!IopfCompleteRequest+0xa2WARNING: Stack unwind information not available. Following frames may be wrong.805511b4 804f16c0 avgtdix+0x1cb1805511e4 b4b63942 nt!IopfCompleteRequest+0xa2805511fc b4b69471 tcpip!TCPDataRequestComplete+0xa680551210 b4b6f1be tcpip!TCPRequestComplete+0x128055123c b4b69491 tcpip!CloseTCB+0x1ad80551258 b4b6f80b tcpip!DerefTCB+0x60805512d0 b4b5f3ec tcpip!TCBTimeout+0x7ec805512e0 8050220f tcpip!TCBTimeoutdpc+0xf805513fc 8050232b nt!KiTimerListExpire+0x14b80551428 80545e7f nt!KiTimerExpiration+0xb180551440 8055be60 nt!KiRetireDpcList+0x6180551450 80545d64 nt!KiIdleThread080551454 00000000 nt!KiIdleLoop+0x28// The registers showing the register addresses - note ecx is within the first 64k, and as// you know from the post you linked, that memory is PAGE_NO_ACCESS:0: kd> reax=805510cc ebx=8980e870 ecx=000000e8 edx=805510cc esi=00000000 edi=8980e870eip=806e6a16 esp=805510b8 ebp=805510d8 iopl=0 nv up ei pl nz ac po nccs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212hal!KeAcquireInStackQueuedSpinLock+0x26:806e6a16 8711 xchg edx,dword ptr [ecx] ds:0023:000000e8=????????// Here's the eip register unassembled, so you can see why ecx being invalid is bad:0: kd> u eiphal!KeAcquireInStackQueuedSpinLock+0x26:806e6a16 8711 xchg edx,dword ptr [ecx] <- // Trying to write to ecx from the memory address pointer in edx806e6a18 83fa00 cmp edx,0806e6a1b 7507 jne hal!KeAcquireInStackQueuedSpinLock+0x34 (806e6a24)806e6a1d 83c902 or ecx,2806e6a20 894804 mov dword ptr [eax+4],ecx806e6a23 c3 ret806e6a24 83c901 or ecx,1806e6a27 894804 mov dword ptr [eax+4],ecx// The AVG module in question:0: kd> lmvm avgtdixstart end module nameb4b1e000 b4b36900 avgtdix T (no symbols) Loaded symbol image file: avgtdix.sys Image path: avgtdix.sys Image name: avgtdix.sys Timestamp: Wed Dec 10 06:50:42 2008 (493FAD12) CheckSum: 0001B178 ImageSize: 00018900 Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4I believe that is the latest version, so if you're stuck using AVG I'd suggest reporting this to their support folks to fix. However, if you are OK using another A/V vendor, consider removing AVG and using a more stable package.
kopf1988 Posted February 22, 2009 Author Posted February 22, 2009 (edited) That was a great, detailed answer, thank you.I have two questions: One, how can I figure that out myself? Would be useful to know how to debug this type of error.Two, do you have an idea of what to use to replace AVG then? I have used it for years and I especially appreciate the fact that it doesn't seem to make my system go much slower (unlike the big evil programs such as McAfee and Norton).Thanks!---EDIT:P.S. Would trying this LSP fix help? http://www.cexx.org/lspfix.htmIf it could be related to software I've recently installed, that might repair something. I installed Winpcap and then uninstalled it a week or so ago, if that might be the problem. EDIT2: LSP fix didn't seem to find any problems, but that was after completely uninstalling winpcap (i actually just disabled/(set to manual) the service before). Edited February 22, 2009 by kopf1988
CoffeeFiend Posted February 22, 2009 Posted February 22, 2009 how can I figure that out myself?windbg and knowledge about the system's internals. Debugging simple errors is easy, but doing fairly advanced/in-depth analysis and really understanding what is going on (there are degrees of difficulty obviously) is a lot harder.Anyways. I've never been a big fan of AVG myself. winpcap isn't to blame for such issues either. It's widely used by a lot of people (myself included), and we're not getting those BSODs. It's really AVG.
cluberti Posted February 22, 2009 Posted February 22, 2009 Just because a driver is malfunctioning doesn't mean that lspfix is going to find anything, as it only scans for errors in the winsock stack. You'd be better off considering Avira antivir, if you really want a recommendation.As to learning how to do it, you first are going to need to understand the programming language(s) involved in what you're debugging (in the case of Windows, you need C and C++, and you may need some .net language and runtime knowledge as well), as well as a decent understanding of how the system works (otherwise, it's really hard to spot when it's not working). Debugging in and of itself is just running commands, but knowing what to do and when takes skill and experience (more of the latter than former, as well). I am not trying to dissuade you at all, so don't think this is a post to do so - I just want you to understand that it's not as easy as it looks.If you are serious about learning, I would recommend learning to program (if you don't already) as a first step, preferably in C or C++. Also, you need to learn a bit more about the internals of Windows and how it works, so pick up Windows Internals 4th Edition by Mark Russinovich and David Solomon. Once you've gotten decent at writing your own apps (you'll pick up some debugging there, as you will find it sometimes necessary to do so to make your apps work), you're going to need to read a bit about some more advanced debugging techniques and tools as you go, so pick up Advanced Windows Debugging by Mario Hewardt and Daniel Pravat whilst you start debugging everything you can get your debugger into. And ultimately, practice, talking to others who do this well, and experience over time is what will ultimately give you what you need. Good luck, if you decide to travel down this road - anyone can write code, and anyone can be an admin, but to be able to do all 3 is something few can do, and something most people want to find. These are good skills to have if you plan to use them, but you'll find that it takes a few years (and then some) before you're good at all 3.
CoffeeFiend Posted February 22, 2009 Posted February 22, 2009 In addition to cluberti's usual most excellent recommendations, I'd like to add Tess' blog on MSDN which I've been following a while. Great resources, and great TechDays presentation too I must say. Mark Russinovich's blog also goes into that stuff sometimes.I've been considering buying some of Dmitry Vostokov's books too, cheap, but no idea if they're any good. He has a pretty decent site too.
cluberti Posted February 22, 2009 Posted February 22, 2009 Dmitry has his Windows Internals cert, and I've enjoyed his posts over the years. I'd trust the book, although it's probably about as deep as Advanced Windows Debugging, so definitely not a good "starter" book either.
kopf1988 Posted February 22, 2009 Author Posted February 22, 2009 Thank you all for your help so far. I know several programming languages(Java,Ruby,Perl,etc, no C, C++, or C# though), it's just that Windows is not really my most comfortable environment, lol. I should start learning more For reference, a lot of Googling lead me to believe that it's a problem with running Ares (Galaxy) or uTorrent, or at least that was the conclusion of a few other people who had similar problems. I'm going to see if nothing happens without running either for a week, and then possibly switch software to see what works.Thanks!
CoffeeFiend Posted February 22, 2009 Posted February 22, 2009 it's a problem with running Ares (Galaxy) or uTorrentUser mode apps like this can't actually cause BSODs. The thing is that they generate a fair amount of traffic, which only exacerbates issues caused by poor network-related drivers (such as AVG's).that was the conclusion of a few other people who had similar problemsMost of such conclusions I've seen are often completely wrong, as most end users are just not capable of diagnosing such issues by themselves. It just seems to me like they managed to get less BSODs caused by network-related drivers simply by minimizing network traffic (much like you're less prone to flat tires when you leave the car in the driveway -- not that it actually solved anything). Correlation is not causation.cluberti really knows what he's saying. His crash dump analysis is certainly worth a LOT more than what a couple of average end-users think is the issue (not much more than plain old guessing, and not always an informed guess even). Besides, IRQL_NOT_LESS_OR_EQUAL are most frequently caused by poor drivers (or otherwise broken hardware). And the crash dump shows avg's driver (avgtdix.sys -- described as "AVG Network connection watcher") in the call stack right before it bugchecked...On a side note, looks like Windows Internals 5th ed should be out in about 3 months!
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now