Jump to content

BSOD at startup caused by em018k_64.dll


Recommended Posts

%90 of the time I'm getting BSOD at Windows log in since the last 17063 Build. I've checked the Minidump and it's apperantly caused by ESET. I'm using Windows 10 Insider Preview and that's probably why it's happening :) Here is the information if anyone cares:

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000010, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8018e7d5c88, address which referenced memory

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 0000000000000010 

CURRENT_IRQL:  2

FAULTING_IP: 
nt!IopInsertRemoveDevice+5c
fffff801`8e7d5c88 488b01          mov     rax,qword ptr [rcx]

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

BUGCHECK_STR:  AV

PROCESS_NAME:  services.exe

TRAP_FRAME:  fffff60d18698710 -- (.trap 0xfffff60d18698710)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000010
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8018e7d5c88 rsp=fffff60d186988a0 rbp=fffff60d18698950
 r8=0000000000000000  r9=ffffe380dc4c1910 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po cy
nt!IopInsertRemoveDevice+0x5c:
fffff801`8e7d5c88 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000010=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8018e859c29 to fffff8018e84dc00

STACK_TEXT:  
fffff60d`186985c8 fffff801`8e859c29 : 00000000`0000000a 00000000`00000010 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff60d`186985d0 fffff801`8e857e16 : 00000000`00000000 00000000`00000000 fffff801`8e991eb8 ffffd20b`e3d6b5d0 : nt!KiBugCheckDispatch+0x69
fffff60d`18698710 fffff801`8e7d5c88 : ffffd20b`00000000 ffffd20b`e39084b0 ffffd20b`ef14ea60 ffffd20b`e86793f0 : nt!KiPageFault+0x256
fffff60d`186988a0 fffff801`8e7d5af9 : 00000000`00000000 ffffd20b`e86793f0 00000000`0000001a fffff801`00000000 : nt!IopInsertRemoveDevice+0x5c
fffff60d`186988d0 fffff801`8e7d58b6 : 00000000`00000000 ffffd20b`ef0b3400 ffffd20b`ef14ea60 ffffd20b`ef0b34b0 : nt!IopCompleteUnloadOrDelete+0x99
fffff60d`18698990 fffff80e`c4371cd8 : ffffd20b`e6cfc078 00000000`00000000 00000000`00000000 ffffd20b`e6cfc078 : nt!IoDeleteDevice+0x76
fffff60d`186989c0 ffffd20b`e6cfc078 : 00000000`00000000 00000000`00000000 ffffd20b`e6cfc078 ffffd20b`e6cfc078 : em018k_64+0x21cd8
fffff60d`186989c8 00000000`00000000 : 00000000`00000000 ffffd20b`e6cfc078 ffffd20b`e6cfc078 fffff80e`c4371c88 : 0xffffd20b`e6cfc078


STACK_COMMAND:  kb

FOLLOWUP_IP: 
em018k_64+21cd8
fffff80e`c4371cd8 488b4308        mov     rax,qword ptr [rbx+8]

SYMBOL_STACK_INDEX:  6

SYMBOL_NAME:  em018k_64+21cd8

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: em018k_64

IMAGE_NAME:  em018k_64.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5a1c223d

FAILURE_BUCKET_ID:  X64_AV_em018k_64+21cd8

BUCKET_ID:  X64_AV_em018k_64+21cd8

Followup: MachineOwner
---------

Since that I have deleted the previous build files, I'm totally stucked with this new build and I'll probably remove ESET and wait for an update.

ESET Smart Security Version: 10.1.235.1

Link to comment
Share on other sites

  • Administrators

Please continue as follows:

- configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/
- restart Windows and reproduce BSOD
- after a restart, compress the memory dump, upload it to a safe location (e.g. Dropbox, OneDrive, etc.)
- collect logs with ELC and upload the generated archive
- drop me a message with both download links.

Link to comment
Share on other sites

  • Most Valued Members
4 hours ago, Marcos said:

Please continue as follows:

- configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/
- restart Windows and reproduce BSOD
- after a restart, compress the memory dump, upload it to a safe location (e.g. Dropbox, OneDrive, etc.)
- collect logs with ELC and upload the generated archive
- drop me a message with both download links.

I had the same issue although reinstalling eset after removing it via the uninstaller in safe mode seemed to fix it. I couldnt actually boot in normal mode. Have yet to recieve a BSOD yet but occasionaly have to reboot computer after login as it will just freeze. Will send any logs if i do get another BSOD. Should add mine is with em008k 64.dll

Edited by peteyt
Link to comment
Share on other sites

I have the same problem with the newest RS4 Insider.

1 to 10 GSOD on startup - if the system is started correct, it's very stable without any issues of ESET or other software.

 

Link to comment
Share on other sites

22 hours ago, Marcos said:

Please continue as follows:

- configure Windows to generate complete memory dumps as per https://support.eset.com/kb380/
- restart Windows and reproduce BSOD
- after a restart, compress the memory dump, upload it to a safe location (e.g. Dropbox, OneDrive, etc.)
- collect logs with ELC and upload the generated archive
- drop me a message with both download links.

Here is the Minidump files:

https://1drv.ms/u/s!Am0esqMQ79E1niBJ9CL_4hL2sL21.

I've uninstalled ESET due to this issue. So I didn't collect any logs with ELC.

Link to comment
Share on other sites

  • Administrators

A minidump does not provide enough information to determine the root reason of a crash. It may be even another application triggering it which only a complete memory dump would reveal.

Link to comment
Share on other sites

Similar issue here: multiple ESET related BSODs occurred on my Windows 10 Dell notebook (Precision 3520). I think the problems started after updating to the Windows Fall Creators Update (version 1709, build 16299) and EIS 11.0.159.

First received a DPC_WATCHDOG_VIOLATION on epfwwfp.sys, during the installation of an Intel Wifi driver update (latest Proset software for AC 8265 adapter). Could not start Windows in normal mode since that moment, due to BSODs occurring on em008k_64.dll (firewall module) each time during startup, with one the following errors:
ATTEMPTED_WRITE_TO_READONLY_MEMORY
ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS

A rollback to a previous recovery point didn’t help. Had to boot into safe mode and remove EIS, using the ESET Uninstaller. That solved the problems.

I’ve just updated all Windows drivers and reinstalled EIS 11.0.159 again (clean install, regular version, did not import old settings). No new BSODs have occurred so far, but the firewall still leaks traffic in interactive mode (see other thread for more info)… perhaps that’s a related problem.

Hopefully ESET can soon solve these issues. (I can only provide minidumps, not complete memory dumps unfortunately)

Link to comment
Share on other sites

  • Administrators

Switching to pre-release updates should resolve the issue.

Build 16299 is an Insider preview build. Users with standard release builds of Windows 10 were not affected.

Link to comment
Share on other sites

1 hour ago, Marcos said:

Switching to pre-release updates should resolve the issue.

No, I was running the pre-release version of EIS, with Firewall module 1373 (20171206), when the BSODs occurred. Now I’ve returned to the regular version, with Firewall module 1372 (20171027). Both versions leak traffic in interactive mode. I’ve also encountered some computer freezes/hangs with both EIS versions (after I’ve updated to the Fall Creators Update).

1 hour ago, Marcos said:

Build 16299 is an Insider preview build. Users with standard release builds of Windows 10 were not affected.

Not anymore: 16299 has become the standard build, see https://techjourney.net/windows-10-fall-creators-update-rs3-v-1709-build-16299-15-rtm/ (latest standard build is now 16299.125, since KB4054517). I’ve never installed the Windows insider preview (but the OP, MilkyMeda, has).

Link to comment
Share on other sites

I just noticed that the DPC_WATCHDOG_VIOLATION (SINGLE_DPC_TIMEOUT_EXCEEDED) BSOD that I previously encountered, is almost identical to the issue that’s described in this article:
https://kc.mcafee.com/corporate/index?page=content&id=KB90097

STACK_TEXT of my BSOD with the pre-release version of EIS 11.0.159:
fffff800`7f19dbc8 fffff800`7f62a607 : nt!KeBugCheckEx
fffff800`7f19dbd0 fffff800`7f4e8666 : nt!KeAccumulateTicks+0x140207
fffff800`7f19dc30 fffff800`7f41d3c5 : nt!KeClockInterruptNotify+0xc6
fffff800`7f19df40 fffff800`7f537da5 : hal!HalpTimerClockIpiRoutine+0x15
fffff800`7f19df70 fffff800`7f5fe7fa : nt!KiCallInterruptServiceRoutine+0xa5
fffff800`7f19dfb0 fffff800`7f5fec47 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
fffff800`7f18b7d0 fffff800`7f4dbcec : nt!KiInterruptDispatchNoLockNoEtw+0x37
fffff800`7f18b960 fffff800`7f4dbca4 : nt!KxWaitForLockOwnerShip+0x2c
fffff800`7f18b990 fffff809`abad3b23 : nt!KeAcquireInStackQueuedSpinLock+0x44
fffff800`7f18b9c0 00000000`00000000 : epfwwfp+0x3b23

STACK_TEXT of McAfee article:
ffffbe00`7ed5fd88 fffff800`56e2fc07 : nt!KeBugCheckEx
ffffbe00`7ed5fd90 fffff800`56e2d868 : nt!KeAccumulateTicks+0x407
ffffbe00`7ed5fdf0 fffff800`576264e5 : nt!KeClockInterruptNotify+0xb8
ffffbe00`7ed5ff40 fffff800`56e20876 : hal!HalpTimerClockIpiRoutine+0x15
ffffbe00`7ed5ff70 fffff800`56f5de0a : nt!KiCallInterruptServiceRoutine+0x106
ffffbe00`7ed5ffb0 fffff800`56f5e257 : nt!KiInterruptSubDispatchNoLockNoEtw+0xea
ffffbe00`7ffb9da0 fffff800`56e86540 : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffbe00`7ffb9f30 fffff800`56e864f4 : nt!KxWaitForLockOwnerShip+0x30
ffffbe00`7ffb9f60 fffff807`418db3c9 : nt!KeAcquireInStackQueuedSpinLock+0x44
ffffbe00`7ffb9f90 fffff807`418c6249 : mfefirek+0x2b3c9

Perhaps Microsoft has changed something in the Fall Creators Update that can cause these firewall/hips issues??

Link to comment
Share on other sites

Here's a thought.

I am running Win 10 1709, rel. 16299 w/o issue. When I was running Win 10 1703, I had Virtualization enabled for a while in the BIOS. When in this configuration, I was getting intermitted system lockups. Disabling Virtualization eliminated the issue. Win 10 1709 introduced full Hyper-V security support and Microsoft is increasingly utilizing it with each new 1709 release. Those having issues might want to "play" with Hyper-V settings such as disabling it if enabled and see if this eliminates the Eset BSOD's. Also check your BIOS setting to see if its enabled there. My understanding of Hyper-V in 1709 is that it is only troubled free if you have current hardware; CPU, motherboard, etc.  although Microsoft's tech docs. on it say otherwise.

Edited by itman
Link to comment
Share on other sites

Got this problem using windows 10 home.
Was installed eset smart security, it suggested to upgrade to eset internet security. I agreed. After rebooting, the system loaded very long (about 5 minutes normally, the system usually boots in about 30 seconds), and the next again refused to boot at all with a reference to the file em008k_64.dll errors pop up different, the ones that were already mentioned above.
Windows 10 home 1709 16299.125
Virtualization in BIOS was enabled, was turned off, didn't help.
Removed eset S. S. due to this problem, so i dont have any logs stored.

Link to comment
Share on other sites

  • Administrators
On 12/30/2017 at 1:06 AM, Hydro said:

Similar issue here: multiple ESET related BSODs occurred on my Windows 10 Dell notebook (Precision 3520). I think the problems started after updating to the Windows Fall Creators Update (version 1709, build 16299) and EIS 11.0.159.

Are you able reproduce BSOD with the HIPS module 1309 installed? If you have v1308, most likely you haven't switched to pre-release updates.

As for the issue with the firewall, try booting in safe mode and renaming the files epfwdata.bin and epfwuser.dat in the "C:\ProgramData\ESET\ESET Security" folder. Let us know if that helps.

Link to comment
Share on other sites

A few days ago I’ve disabled all Hyper-V features on my Windows 10 notebook, as suggested by itman, and it appears to have improved the stability. Unfortunately, today another computer freeze + BSOD (DPC_WATCHDOG_VIOLATION) occurred, while using Chrome:

The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL or above.
Probably caused by : epfwwfp.sys ( epfwwfp+39fc )

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
FAILURE_BUCKET_ID: 0x133_ISR_epfwwfp!unknown_function
Image path: \SystemRoot\system32\DRIVERS\epfwwfp.sys
Timestamp:  Fri Nov  3 15:53:40 2017 (59FC82F4)

Product: EIS 11.0.159.0 (regular), with Firewall module 1372 (20171027), Network protection module 1583 (20180102) and HIPS module 1309 (20171229)
OS: Windows 10 Enterprise v1709 x64 (10.0.16299.125)

Now I’ve enabled EIS pre-release updates again, and will try it out for a couple of days. The firewall is still leaking traffic though when creating a Deny rule in interactive mode (regardless of the application and network adapter; also occurs after deleting epfwdata.bin and EpfwUser.dat). That issue is 100% reproducible, unlike the BSODs. 

Link to comment
Share on other sites

I am beginning to believe you have a bad epfwwfp.sys driver. Below is a screen shot of details of it on my Win 10 1709, Eset IS 11.0.159 build:

Eset_epfwwfp.thumb.png.1145e86ae6b25dbe6a590f8079ad8403.png

I will also add when I was getting lockups due to virtualization issues it was in my browser which is IE11. Disabling virtualization in the BIOS, did the trick for me. Did you disable it in your BIOS?

Edited by itman
Link to comment
Share on other sites


My firewall driver appears to be identical, although my “Date modified” differs (see below). But the ESET digital signatures are OK (dated Friday, November 3, 2017).

In essence, the firewall driver seems to be functioning correctly, apart from the occasional BSOD (doesn’t occur that often anymore) and a traffic leak issue when using interactive mode (see other thread).

I’ve disabled all virtualization options in the BIOS and disabled all Hyper-V features with the following two actions from an elevated Powershell prompt:

bcdedit /set hypervisorlaunchtype off
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All

image.png.67dae029116b912fbc689ea19b7bd9de.png

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...