MilkyMeda, posted December 28, 2017

90% of the time I'm getting BSOD at Windows log in since the last 17063 Build. I've checked the Minidump and it's apparently caused by ESET. I'm using Windows 10 Insider Preview and that's probably why it's happening.

Here is the information if anyone cares:

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000010, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8018e7d5c88, address which referenced memory

Debugging Details:
------------------
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 0000000000000010
CURRENT_IRQL: 2
FAULTING_IP:
nt!IopInsertRemoveDevice+5c
fffff801`8e7d5c88 488b01 mov rax,qword ptr [rcx]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: services.exe
TRAP_FRAME: fffff60d18698710 -- (.trap 0xfffff60d18698710)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000010
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8018e7d5c88 rsp=fffff60d186988a0 rbp=fffff60d18698950
 r8=0000000000000000 r9=ffffe380dc4c1910 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po cy
nt!IopInsertRemoveDevice+0x5c:
fffff801`8e7d5c88 488b01 mov rax,qword ptr [rcx] ds:00000000`00000010=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8018e859c29 to fffff8018e84dc00
STACK_TEXT:
fffff60d`186985c8 fffff801`8e859c29 : 00000000`0000000a 00000000`00000010 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff60d`186985d0 fffff801`8e857e16 : 00000000`00000000 00000000`00000000 fffff801`8e991eb8 ffffd20b`e3d6b5d0 : nt!KiBugCheckDispatch+0x69
fffff60d`18698710 fffff801`8e7d5c88 : ffffd20b`00000000 ffffd20b`e39084b0 ffffd20b`ef14ea60 ffffd20b`e86793f0 : nt!KiPageFault+0x256
fffff60d`186988a0 fffff801`8e7d5af9 : 00000000`00000000 ffffd20b`e86793f0 00000000`0000001a fffff801`00000000 : nt!IopInsertRemoveDevice+0x5c
fffff60d`186988d0 fffff801`8e7d58b6 : 00000000`00000000 ffffd20b`ef0b3400 ffffd20b`ef14ea60 ffffd20b`ef0b34b0 : nt!IopCompleteUnloadOrDelete+0x99
fffff60d`18698990 fffff80e`c4371cd8 : ffffd20b`e6cfc078 00000000`00000000 00000000`00000000 ffffd20b`e6cfc078 : nt!IoDeleteDevice+0x76
fffff60d`186989c0 ffffd20b`e6cfc078 : 00000000`00000000 00000000`00000000 ffffd20b`e6cfc078 ffffd20b`e6cfc078 : em018k_64+0x21cd8
fffff60d`186989c8 00000000`00000000 : 00000000`00000000 ffffd20b`e6cfc078 ffffd20b`e6cfc078 fffff80e`c4371c88 : 0xffffd20b`e6cfc078
STACK_COMMAND: kb
FOLLOWUP_IP:
em018k_64+21cd8
fffff80e`c4371cd8 488b4308 mov rax,qword ptr [rbx+8]
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: em018k_64+21cd8
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: em018k_64
IMAGE_NAME: em018k_64.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 5a1c223d
FAILURE_BUCKET_ID: X64_AV_em018k_64+21cd8
BUCKET_ID: X64_AV_em018k_64+21cd8
Followup: MachineOwner
---------

Since I have deleted the previous build files, I'm totally stuck with this new build and I'll probably remove ESET and wait for an update.

ESET Smart Security Version: 10.1.235.1
Marcos (Administrators), posted December 28, 2017

Please continue as follows:
- configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/
- restart Windows and reproduce BSOD
- after a restart, compress the memory dump, upload it to a safe location (e.g. Dropbox, OneDrive, etc.)
- collect logs with ELC and upload the generated archive
- drop me a message with both download links.
peteyt (Most Valued Members), posted December 28, 2017 (edited)

4 hours ago, Marcos said:
> Please continue as follows:
> - configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/
> - restart Windows and reproduce BSOD
> - after a restart, compress the memory dump, upload it to a safe location (e.g. Dropbox, OneDrive, etc.)
> - collect logs with ELC and upload the generated archive
> - drop me a message with both download links.

I had the same issue, although reinstalling ESET after removing it via the uninstaller in safe mode seemed to fix it. I couldn't actually boot in normal mode. Have yet to receive a BSOD but occasionally have to reboot the computer after login as it will just freeze. Will send any logs if I do get another BSOD. Should add mine is with em008k 64.dll

Edited December 28, 2017 by peteyt
widestone, posted December 28, 2017

I have the same problem with the newest RS4 Insider. 1 to 10 GSOD on startup - if the system is started correctly, it's very stable without any issues of ESET or other software.
MilkyMeda (Author), posted December 29, 2017

22 hours ago, Marcos said:
> Please continue as follows:
> - configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/
> - restart Windows and reproduce BSOD
> - after a restart, compress the memory dump, upload it to a safe location (e.g. Dropbox, OneDrive, etc.)
> - collect logs with ELC and upload the generated archive
> - drop me a message with both download links.

Here are the minidump files: https://1drv.ms/u/s!Am0esqMQ79E1niBJ9CL_4hL2sL21. I've uninstalled ESET due to this issue, so I didn't collect any logs with ELC.
Marcos (Administrators), posted December 29, 2017

A minidump does not provide enough information to determine the root reason of a crash. It may even be another application triggering it, which only a complete memory dump would reveal.
Hydro, posted December 30, 2017

Similar issue here: multiple ESET related BSODs occurred on my Windows 10 Dell notebook (Precision 3520). I think the problems started after updating to the Windows Fall Creators Update (version 1709, build 16299) and EIS 11.0.159.

First received a DPC_WATCHDOG_VIOLATION on epfwwfp.sys, during the installation of an Intel Wifi driver update (latest Proset software for AC 8265 adapter). Could not start Windows in normal mode since that moment, due to BSODs occurring on em008k_64.dll (firewall module) each time during startup, with one of the following errors:

ATTEMPTED_WRITE_TO_READONLY_MEMORY
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS

A rollback to a previous recovery point didn’t help. Had to boot into safe mode and remove EIS, using the ESET Uninstaller. That solved the problems.

I’ve just updated all Windows drivers and reinstalled EIS 11.0.159 again (clean install, regular version, did not import old settings). No new BSODs have occurred so far, but the firewall still leaks traffic in interactive mode (see other thread for more info)… perhaps that’s a related problem.

Hopefully ESET can soon solve these issues. (I can only provide minidumps, not complete memory dumps unfortunately)
Marcos (Administrators), posted December 30, 2017

Switching to pre-release updates should resolve the issue. Build 16299 is an Insider preview build. Users with standard release builds of Windows 10 were not affected.
Hydro, posted December 30, 2017

1 hour ago, Marcos said:
> Switching to pre-release updates should resolve the issue.

No, I was running the pre-release version of EIS, with Firewall module 1373 (20171206), when the BSODs occurred. Now I’ve returned to the regular version, with Firewall module 1372 (20171027). Both versions leak traffic in interactive mode. I’ve also encountered some computer freezes/hangs with both EIS versions (after I’ve updated to the Fall Creators Update).

1 hour ago, Marcos said:
> Build 16299 is an Insider preview build. Users with standard release builds of Windows 10 were not affected.

Not anymore: 16299 has become the standard build, see https://techjourney.net/windows-10-fall-creators-update-rs3-v-1709-build-16299-15-rtm/ (latest standard build is now 16299.125, since KB4054517). I’ve never installed the Windows insider preview (but the OP, MilkyMeda, has).
Hydro, posted December 30, 2017

I just noticed that the DPC_WATCHDOG_VIOLATION (SINGLE_DPC_TIMEOUT_EXCEEDED) BSOD that I previously encountered is almost identical to the issue that’s described in this article: https://kc.mcafee.com/corporate/index?page=content&id=KB90097

STACK_TEXT of my BSOD with the pre-release version of EIS 11.0.159:
fffff800`7f19dbc8 fffff800`7f62a607 : nt!KeBugCheckEx
fffff800`7f19dbd0 fffff800`7f4e8666 : nt!KeAccumulateTicks+0x140207
fffff800`7f19dc30 fffff800`7f41d3c5 : nt!KeClockInterruptNotify+0xc6
fffff800`7f19df40 fffff800`7f537da5 : hal!HalpTimerClockIpiRoutine+0x15
fffff800`7f19df70 fffff800`7f5fe7fa : nt!KiCallInterruptServiceRoutine+0xa5
fffff800`7f19dfb0 fffff800`7f5fec47 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
fffff800`7f18b7d0 fffff800`7f4dbcec : nt!KiInterruptDispatchNoLockNoEtw+0x37
fffff800`7f18b960 fffff800`7f4dbca4 : nt!KxWaitForLockOwnerShip+0x2c
fffff800`7f18b990 fffff809`abad3b23 : nt!KeAcquireInStackQueuedSpinLock+0x44
fffff800`7f18b9c0 00000000`00000000 : epfwwfp+0x3b23

STACK_TEXT of McAfee article:
ffffbe00`7ed5fd88 fffff800`56e2fc07 : nt!KeBugCheckEx
ffffbe00`7ed5fd90 fffff800`56e2d868 : nt!KeAccumulateTicks+0x407
ffffbe00`7ed5fdf0 fffff800`576264e5 : nt!KeClockInterruptNotify+0xb8
ffffbe00`7ed5ff40 fffff800`56e20876 : hal!HalpTimerClockIpiRoutine+0x15
ffffbe00`7ed5ff70 fffff800`56f5de0a : nt!KiCallInterruptServiceRoutine+0x106
ffffbe00`7ed5ffb0 fffff800`56f5e257 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffbe00`7ffb9da0 fffff800`56e86540 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffbe00`7ffb9f30 fffff800`56e864f4 : nt!KxWaitForLockOwnerShip+0x30
ffffbe00`7ffb9f60 fffff807`418db3c9 : nt!KeAcquireInStackQueuedSpinLock+0x44
ffffbe00`7ffb9f90 fffff807`418c6249 : mfefirek+0x2b3c9

Perhaps Microsoft has changed something in the Fall Creators Update that can cause these firewall/hips issues??
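The stack comparison in the post above can be done mechanically. The following is an added example, not part of the original thread: it reduces each STACK_TEXT to (module, function) pairs, dropping addresses and offsets that differ between kernel builds, and reports where the two stacks diverge. The frame lines are copied from the post; the function names and the choice of `nt` and `hal` as the only OS modules are assumptions of this sketch.

```python
import re

# Raw STACK_TEXT lines copied from the post above: child-SP, return address, symbol.
ESET = """\
fffff800`7f19dbc8 fffff800`7f62a607 : nt!KeBugCheckEx
fffff800`7f19dbd0 fffff800`7f4e8666 : nt!KeAccumulateTicks+0x140207
fffff800`7f19dc30 fffff800`7f41d3c5 : nt!KeClockInterruptNotify+0xc6
fffff800`7f19df40 fffff800`7f537da5 : hal!HalpTimerClockIpiRoutine+0x15
fffff800`7f19df70 fffff800`7f5fe7fa : nt!KiCallInterruptServiceRoutine+0xa5
fffff800`7f19dfb0 fffff800`7f5fec47 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
fffff800`7f18b7d0 fffff800`7f4dbcec : nt!KiInterruptDispatchNoLockNoEtw+0x37
fffff800`7f18b960 fffff800`7f4dbca4 : nt!KxWaitForLockOwnerShip+0x2c
fffff800`7f18b990 fffff809`abad3b23 : nt!KeAcquireInStackQueuedSpinLock+0x44
fffff800`7f18b9c0 00000000`00000000 : epfwwfp+0x3b23
"""
MCAFEE = """\
ffffbe00`7ed5fd88 fffff800`56e2fc07 : nt!KeBugCheckEx
ffffbe00`7ed5fd90 fffff800`56e2d868 : nt!KeAccumulateTicks+0x407
ffffbe00`7ed5fdf0 fffff800`576264e5 : nt!KeClockInterruptNotify+0xb8
ffffbe00`7ed5ff40 fffff800`56e20876 : hal!HalpTimerClockIpiRoutine+0x15
ffffbe00`7ed5ff70 fffff800`56f5de0a : nt!KiCallInterruptServiceRoutine+0x106
ffffbe00`7ed5ffb0 fffff800`56f5e257 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffbe00`7ffb9da0 fffff800`56e86540 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffbe00`7ffb9f30 fffff800`56e864f4 : nt!KxWaitForLockOwnerShip+0x30
ffffbe00`7ffb9f60 fffff807`418db3c9 : nt!KeAcquireInStackQueuedSpinLock+0x44
ffffbe00`7ffb9f90 fffff807`418c6249 : mfefirek+0x2b3c9
"""

FRAME = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+:\s+(?:(\w+)!)?(\w+)(?:\+0x[0-9a-f]+)?$")

def frames(text):
    """Return one (module, function) pair per frame, without addresses or offsets."""
    hits = (FRAME.match(line.strip()) for line in text.splitlines())
    # Unsymbolized frames ('epfwwfp+0x3b23') carry a module name only.
    return [(m[1] or m[2], m[2] if m[1] else None) for m in hits if m]

def compare(a, b):
    """Split two stacks into the frames they share and the frames that differ."""
    fa, fb = frames(a), frames(b)
    shared = [x for x, y in zip(fa, fb) if x == y]
    differing = [(x, y) for x, y in zip(fa, fb) if x != y]
    return shared, differing

def third_party(text, os_modules=("nt", "hal")):
    """Modules on the stack that are not the kernel or the HAL (assumed OS set)."""
    return [mod for mod, _ in frames(text) if mod not in os_modules]
```

On these two listings every kernel and HAL frame matches and only the bottom frame differs, which is the third-party driver in each case.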
itman, posted December 30, 2017 (edited)

Here's a thought. I am running Win 10 1709, rel. 16299 w/o issue. When I was running Win 10 1703, I had Virtualization enabled for a while in the BIOS. When in this configuration, I was getting intermittent system lockups. Disabling Virtualization eliminated the issue.

Win 10 1709 introduced full Hyper-V security support and Microsoft is increasingly utilizing it with each new 1709 release. Those having issues might want to "play" with Hyper-V settings such as disabling it if enabled and see if this eliminates the Eset BSODs. Also check your BIOS setting to see if it's enabled there.

My understanding of Hyper-V in 1709 is that it is only trouble-free if you have current hardware (CPU, motherboard, etc.), although Microsoft's tech docs on it say otherwise.

Edited December 30, 2017 by itman
widestone, posted December 30, 2017

With the new pre-release (1373) my GSOD on boot are gone. Thx
Cactiw, posted January 1, 2018

Got this problem using Windows 10 Home. ESET Smart Security was installed; it suggested upgrading to ESET Internet Security. I agreed. After rebooting, the system took very long to load (about 5 minutes; normally the system boots in about 30 seconds), and the next time it again refused to boot at all, with a reference to the file em008k_64.dll. Different errors pop up, the ones that were already mentioned above.

Windows 10 Home 1709 16299.125

Virtualization in BIOS was enabled, was turned off, didn't help. Removed ESET S. S. due to this problem, so I don't have any logs stored.
Marcos (Administrators), posted January 2, 2018

On 12/30/2017 at 1:06 AM, Hydro said:
> Similar issue here: multiple ESET related BSODs occurred on my Windows 10 Dell notebook (Precision 3520). I think the problems started after updating to the Windows Fall Creators Update (version 1709, build 16299) and EIS 11.0.159.

Are you able to reproduce the BSOD with the HIPS module 1309 installed? If you have v1308, most likely you haven't switched to pre-release updates.

As for the issue with the firewall, try booting in safe mode and renaming the files epfwdata.bin and epfwuser.dat in the "C:\ProgramData\ESET\ESET Security" folder. Let us know if that helps.
Hydro, posted January 3, 2018

A few days ago I’ve disabled all Hyper-V features on my Windows 10 notebook, as suggested by itman, and it appears to have improved the stability. Unfortunately, today another computer freeze + BSOD (DPC_WATCHDOG_VIOLATION) occurred, while using Chrome:

The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL or above.
Probably caused by : epfwwfp.sys ( epfwwfp+39fc )
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
FAILURE_BUCKET_ID: 0x133_ISR_epfwwfp!unknown_function
Image path: \SystemRoot\system32\DRIVERS\epfwwfp.sys
Timestamp: Fri Nov 3 15:53:40 2017 (59FC82F4)

Product: EIS 11.0.159.0 (regular), with Firewall module 1372 (20171027), Network protection module 1583 (20180102) and HIPS module 1309 (20171229)
OS: Windows 10 Enterprise v1709 x64 (10.0.16299.125)

Now I’ve enabled EIS pre-release updates again, and will try it out for a couple of days.

The firewall is still leaking traffic though when creating a Deny rule in interactive mode (regardless of the application and network adapter; also occurs after deleting epfwdata.bin and EpfwUser.dat). That issue is 100% reproducible, unlike the BSODs.
itman, posted January 3, 2018 (edited)

I am beginning to believe you have a bad epfwwfp.sys driver. Below is a screen shot of details of it on my Win 10 1709, Eset IS 11.0.159 build:

I will also add when I was getting lockups due to virtualization issues it was in my browser which is IE11. Disabling virtualization in the BIOS did the trick for me. Did you disable it in your BIOS?

Edited January 3, 2018 by itman
Hydro, posted January 4, 2018

My firewall driver appears to be identical, although my “Date modified” differs (see below). But the ESET digital signatures are OK (dated Friday, November 3, 2017). In essence, the firewall driver seems to be functioning correctly, apart from the occasional BSOD (doesn’t occur that often anymore) and a traffic leak issue when using interactive mode (see other thread).

I’ve disabled all virtualization options in the BIOS and disabled all Hyper-V features with the following two actions from an elevated PowerShell prompt:

bcdedit /set hypervisorlaunchtype off
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All