Solvians
Guest
Hi,
One user is already at the second BSOD caused by DPC_WATCHDOG_VIOLATION (133). I do not have the dump of the previous BSOD, but for the current one, the cause seems to be the WinNAT driver:
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DPC_WATCHDOG_VIOLATION (133)
The DPC watchdog detected a prolonged run time at an IRQL of DISPATCH_LEVEL
or above.
Arguments:
Arg1: 0000000000000000, A single DPC or ISR exceeded its time allotment. The offending
component can usually be identified with a stack trace.
Arg2: 0000000000000501, The DPC time count (in ticks).
Arg3: 0000000000000500, The DPC time allotment (in ticks).
Arg4: fffff80478efb320, cast to nt!DPC_WATCHDOG_GLOBAL_TRIAGE_BLOCK, which contains
additional information regarding this single DPC timeout
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn't have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing ".symopt- 100". Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: TickPeriods ***
*** ***
*************************************************************************
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 6
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on NB-410483
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 29
Key : Analysis.Memory.CommitPeak.Mb
Value: 79
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: 133
BUGCHECK_P1: 0
BUGCHECK_P2: 501
BUGCHECK_P3: 500
BUGCHECK_P4: fffff80478efb320
DPC_TIMEOUT_TYPE: SINGLE_DPC_TIMEOUT_EXCEEDED
PROCESS_NAME: System
STACK_TEXT:
ffff8780`c7112c88 fffff804`7863ac88 : 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500 : nt!KeBugCheckEx
ffff8780`c7112c90 fffff804`7847541d : 0001a122`4824e9cc ffff8780`c70c0180 00000000`00000246 00000000`024ae56a : nt!KeAccumulateTicks+0x1c8a88
ffff8780`c7112cf0 fffff804`784759c1 : 00000000`024ae500 00000000`015dd13e ffff8780`c70c0180 00000000`00000001 : nt!KiUpdateRunTime+0x5d
ffff8780`c7112d40 fffff804`7846f833 : ffff8780`c70c0180 00000000`00000000 fffff804`78e31688 00000000`00000000 : nt!KiUpdateTime+0x4a1
ffff8780`c7112e80 fffff804`784781f2 : ffffe20d`0564dea0 ffffe20d`0564df20 ffffe20d`0564df00 00000000`00000002 : nt!KeClockInterruptNotify+0x2e3
ffff8780`c7112f30 fffff804`78527ef5 : 00000577`6beaf328 ffffcf84`cecc89e0 ffffcf84`cecc8a90 ffff3659`bc51421f : nt!HalpTimerClockInterrupt+0xe2
ffff8780`c7112f60 fffff804`785f752a : ffffe20d`0564df20 ffffcf84`cecc89e0 ffffcf84`f2d15080 00000000`00000000 : nt!KiCallInterruptServiceRoutine+0xa5
ffff8780`c7112fb0 fffff804`785f7a97 : 00000000`00000001 00000000`0000001c 00000000`00000018 fffff804`75414470 : nt!KiInterruptSubDispatchNoLockNoEtw+0xfa
ffffe20d`0564dea0 fffff804`785fd9a7 : ffffcf84`cecb4100 fffff804`754173eb ffffe20d`0564e0f9 fffff804`8fe765db : nt!KiInterruptDispatchNoLockNoEtw+0x37
ffffe20d`0564e030 fffff804`754173eb : ffffe20d`0564e0f9 fffff804`8fe765db ffffcf85`3deccc70 ffffcf84`f94e59a0 : nt!ExpInterlockedPopEntrySListResume
ffffe20d`0564e040 fffff804`7540c17a : ffffe20d`0564e5e0 ffffe20d`0564e3a0 00000000`00000000 00000000`00000000 : winnat!WinNatCreateSessionEntry+0x3ff
ffffe20d`0564e2a0 fffff804`7540d101 : 00000000`00000000 00000000`00000001 ffffcf84`f2d158d0 00000000`00000000 : winnat!SlbNatIpsCreateSessionForInternalDatagram+0x676
ffffe20d`0564e470 fffff804`7540dfed : 00000000`00000002 ffffcf85`36845d2e 00000000`00000002 00000000`00000000 : winnat!SlbNatIpsHandleIncomingUnicastDatagram+0x3c5
ffffe20d`0564e580 fffff804`7f510dd7 : ffffe20d`0564e8c0 ffffe20d`0564e8c0 ffffcf85`359029a0 ffffcf85`147e8c50 : winnat!SlbNatIpsClientReceivePackets+0x2ad
ffffe20d`0564e6e0 fffff804`7f455968 : 00000000`00000000 ffffcf84`e8ccf000 ffffcf84`e8ccf000 00000000`00000000 : tcpip!IppIndicatePacketsToIpsServiceChain+0x293
ffffe20d`0564ec40 fffff804`7f3d34ac : ffffcf85`359029a0 ffffcf84`ee0b5030 00000000`00000001 00000000`00000000 : tcpip!IppFlcReceivePacketsCore+0x7fb88
ffffe20d`0564ed60 fffff804`7f41f770 : ffffcf84`ee0b5030 00000000`00000000 ffffe20d`0564ee31 00000000`00000000 : tcpip!IpFlcReceivePackets+0xc
ffffe20d`0564ed90 fffff804`7f41ed6c : 00000000`00000001 ffffcf84`ecbcb900 fffff804`7f412140 ffffe20d`0564f16c : tcpip!FlpReceiveNonPreValidatedNetBufferListChain+0x270
ffffe20d`0564ee90 fffff804`78554488 : ffffcf84`e8cff9c0 00000000`00000002 ffff8780`c70cb240 ffffe20d`0564f188 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0x17c
ffffe20d`0564efe0 fffff804`785543fd : fffff804`7f41ebf0 ffffe20d`0564f188 ffffcf84`e8ca6300 ffffcf85`41811900 : nt!KeExpandKernelStackAndCalloutInternal+0x78
ffffe20d`0564f050 fffff804`7f411cdd : 00000000`00000000 ffffe20d`0564f109 ffffcf84`ee8821a0 e98ad1d6`0000000c : nt!KeExpandKernelStackAndCalloutEx+0x1d
ffffe20d`0564f090 fffff804`7f4113bd : 00000000`00000001 ffffe20d`0564f1f0 ffffcf84`ecbcb960 ffffe20d`0564f200 : tcpip!NetioExpandKernelStackAndCallout+0x8d
ffffe20d`0564f0f0 fffff804`7f151eb1 : ffffcf85`09b1a301 ffffcf84`f49f5171 00000000`00000020 00000000`00000001 : tcpip!FlReceiveNetBufferListChain+0x46d
ffffe20d`0564f3a0 fffff804`7f151ccb : ffffcf85`11ef03b0 00000000`00000001 ffffe20d`00000000 fffff804`00000001 : ndis!ndisMIndicateNetBufferListsToOpen+0x141
ffffe20d`0564f480 fffff804`7f157ef1 : ffffcf85`3a72a1a0 ffffcf84`ee0b5001 ffffcf85`3a72a1a0 ffffcf85`03f4d701 : ndis!ndisMTopReceiveNetBufferLists+0x22b
ffffe20d`0564f500 fffff804`7f18dee3 : ffffcf84`ee0b5030 ffffe20d`0564f5d1 00000000`00000000 00000000`00000000 : ndis!ndisCallReceiveHandler+0x61
ffffe20d`0564f550 fffff804`7f154a94 : 00000000`024ae069 00000000`00000001 ffffcf85`3a72a1a0 00000000`00000001 : ndis!ndisInvokeNextReceiveHandler+0x1df
ffffe20d`0564f620 fffff804`8fe9d9c2 : 00000000`00000001 00000000`00000001 00000000`00000001 ffffcf84`ee0b5030 : ndis!NdisMIndicateReceiveNetBufferLists+0x104
ffffe20d`0564f6b0 fffff804`8fe7e08a : ffffcf84`e9a17ec0 00000000`00000000 ffffcf84`e9cadcc0 00000000`00400a02 : vmswitch!VmsMpNicPvtReceiveRssProcessNblGroup+0x82
ffffe20d`0564f710 fffff804`7840781e : 00000000`00000000 00000000`00000000 ffff8780`c70c3240 ffffe20d`00000002 : vmswitch!VmsVrssDpc+0x7a
ffffe20d`0564f760 fffff804`78406b04 : 00000000`00000000 00000000`00000000 00000000`00140001 00000000`00000000 : nt!KiExecuteAllDpcs+0x30e
ffffe20d`0564f8d0 fffff804`785f95ee : ffffffff`00000000 ffff8780`c70c0180 ffff8780`c70cb240 ffffcf84`ef642080 : nt!KiRetireDpcList+0x1f4
ffffe20d`0564fb60 00000000`00000000 : ffffe20d`05650000 ffffe20d`05649000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e
SYMBOL_NAME: winnat!WinNatCreateSessionEntry+3ff
MODULE_NAME: winnat
IMAGE_NAME: winnat.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 3ff
FAILURE_BUCKET_ID: 0x133_DPC_winnat!WinNatCreateSessionEntry
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {934e7189-2d42-c57f-16ba-74e315071b35}
Followup: MachineOwner
---------
3: kd> lmvm winnat
Browse full module list
start end module name
fffff804`75400000 fffff804`75447000 winnat (pdb symbols) c:\symcache\winnat.pdb\2F5F81BC32F6D116EF5C2B537E3A000C1\winnat.pdb
Loaded symbol image file: winnat.sys
Image path: \SystemRoot\system32\drivers\winnat.sys
Image name: winnat.sys
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: 034F517C (This is a reproducible build file hash, not a timestamp)
CheckSum: 00044A13
ImageSize: 00047000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
After 3-4 hours, on the same laptop, there was another BSOD, this time with a BAD_POOL_CALLER (c2) bugcheck, but pointing to the same WinNAT:
4: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
BAD_POOL_CALLER (c2)
The current thread is making a bad pool request. Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 000000000000000d, Attempt to release quota on a corrupted pool allocation.
Arg2: ffffae810e6e7b90, Address of pool
Arg3: 00000000ffffae81, Pool allocation's tag
Arg4: a190eb5967fdbc92, Quota process pointer (bad).
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on NB-410483
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 2
Key : Analysis.Memory.CommitPeak.Mb
Value: 66
Key : Analysis.System
Value: CreateObject
BUGCHECK_CODE: c2
BUGCHECK_P1: d
BUGCHECK_P2: ffffae810e6e7b90
BUGCHECK_P3: ffffae81
BUGCHECK_P4: a190eb5967fdbc92
PROCESS_NAME: System
STACK_TEXT:
fffff906`f1c5f4f8 fffff804`7642d2e8 : 00000000`000000c2 00000000`0000000d ffffae81`0e6e7b90 00000000`ffffae81 : nt!KeBugCheckEx
fffff906`f1c5f500 fffff804`7630d8c9 : ffffae81`04aec040 ffffae81`0e6e7ba0 fffff906`f1c5f790 01000000`00100000 : nt!ExFreeHeapPool+0x1e0b58
fffff906`f1c5f5e0 fffff804`727be21c : ffffffff`e6f74f00 ffffae81`0e6e7c00 ffffae81`0e6e7c88 ffffae81`00d3c080 : nt!ExDeleteWakeTimerInfo+0x9
fffff906`f1c5f610 fffff804`727b819f : ffffae81`04aed480 fffff906`f1c5f790 ffffae81`00d3c0c0 fffff804`727b5ce0 : winnat!PplGenericFreeFunction+0x3c
fffff906`f1c5f640 fffff804`727b6282 : ffffae81`0e6e7ba0 fffff906`f1c5f790 ffffae81`00d3c0c0 ffffae81`0e6e7ba0 : winnat!WinNatLibCleanupSession+0x117
fffff906`f1c5f690 fffff804`76244f12 : 00000000`00000004 ffffc081`ecfc0180 ffffc081`ecfc0180 00000000`00000080 : winnat!WinNatSessionTimerDpc+0x582
fffff906`f1c5f7e0 fffff804`76206eed : 00000000`00000000 00000000`00000000 00000000`00140001 00000000`000c84f9 : nt!KiProcessExpiredTimerList+0x172
fffff906`f1c5f8d0 fffff804`763f95ee : ffffffff`00000000 ffffc081`ecfc0180 ffffc081`ecfcb240 ffffae8f`fdd42080 : nt!KiRetireDpcList+0x5dd
fffff906`f1c5fb60 00000000`00000000 : fffff906`f1c60000 fffff906`f1c59000 00000000`00000000 00000000`00000000 : nt!KiIdleLoop+0x9e
SYMBOL_NAME: winnat!PplGenericFreeFunction+3c
MODULE_NAME: winnat
IMAGE_NAME: winnat.sys
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 3c
FAILURE_BUCKET_ID: 0xc2_d_winnat!PplGenericFreeFunction
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {ac3e5aea-ace0-951b-9c8f-4d91e2c3dfb7}
Followup: MachineOwner
---------
4: kd> lmvm winnat
Browse full module list
start end module name
fffff804`727a0000 fffff804`727e7000 winnat (pdb symbols) c:\symcache\winnat.pdb\2F5F81BC32F6D116EF5C2B537E3A000C1\winnat.pdb
Loaded symbol image file: winnat.sys
Image path: \SystemRoot\system32\drivers\winnat.sys
Image name: winnat.sys
Browse all global symbols functions data
Image was built with /Brepro flag.
Timestamp: 034F517C (This is a reproducible build file hash, not a timestamp)
CheckSum: 00044A13
ImageSize: 00047000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
In both cases, the user had just started working in a VM running on Hyper-V on his laptop.
If it had been caused by some device driver, I would have tried updating / downgrading / reinstalling ... but I am not sure what would be the proper way of handling this one.
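The attribution made in the post (the first frame outside the kernel is in winnat) can be reproduced mechanically from the STACK_TEXT sections. The following is an added example, not part of the original post: it parses kd stack lines and reports the first non-core frame, the DPC routine that was running, and the module path from the DPC down to the bugcheck. The frames are excerpted from the two stacks above with some frames omitted; the choice of "core" modules and the use of the two dispatcher routines to locate the DPC are assumptions of this example.

```python
import re

# kd stack line: ChildSP RetAddr : Arg1 Arg2 Arg3 Arg4 : module!symbol[+0xoffset]
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME_RE = re.compile(
    rf"^{ADDR}\s+{ADDR}\s+:(?:\s+{ADDR}){{4}}\s+:\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>[^+\s]+)(?:\+0x(?P<offset>[0-9a-f]+))?$",
    re.IGNORECASE,
)

# Assumption of this example: frames in these modules are never blamed.
CORE_MODULES = {"nt", "hal"}
# Kernel routines seen in the stacks above that call a DPC callback; the frame
# listed directly above one of them (its callee) is the DPC routine.
DPC_DISPATCHERS = {"KiExecuteAllDpcs", "KiProcessExpiredTimerList"}


def parse_frames(stack_text):
    """Return [(module, symbol, offset)], innermost frame first."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # non-frame lines (headers, blanks) are skipped
            frames.append((m["module"], m["symbol"], int(m["offset"] or "0", 16)))
    return frames


def triage(stack_text):
    frames = parse_frames(stack_text)
    blamed = next((f for f in frames if f[0].lower() not in CORE_MODULES), None)
    disp = next((i for i, (mod, sym, _) in enumerate(frames)
                 if mod.lower() == "nt" and sym in DPC_DISPATCHERS), None)
    dpc = frames[disp - 1] if disp else None
    # Module path from the DPC routine inward, consecutive repeats collapsed.
    path = []
    for mod, _, _ in reversed(frames[:disp] if disp else frames):
        if not path or path[-1] != mod:
            path.append(mod)
    return {"blamed": blamed, "dpc": dpc, "path": path}


# Excerpt of the DPC_WATCHDOG_VIOLATION (133) stack above, frames omitted.
STACK_133 = """
ffff8780`c7112c88 fffff804`7863ac88 : 00000000`00000133 00000000`00000000 00000000`00000501 00000000`00000500 : nt!KeBugCheckEx
ffff8780`c7112c90 fffff804`7847541d : 0001a122`4824e9cc ffff8780`c70c0180 00000000`00000246 00000000`024ae56a : nt!KeAccumulateTicks+0x1c8a88
ffffe20d`0564e030 fffff804`754173eb : ffffe20d`0564e0f9 fffff804`8fe765db ffffcf85`3deccc70 ffffcf84`f94e59a0 : nt!ExpInterlockedPopEntrySListResume
ffffe20d`0564e040 fffff804`7540c17a : ffffe20d`0564e5e0 ffffe20d`0564e3a0 00000000`00000000 00000000`00000000 : winnat!WinNatCreateSessionEntry+0x3ff
ffffe20d`0564e580 fffff804`7f510dd7 : ffffe20d`0564e8c0 ffffe20d`0564e8c0 ffffcf85`359029a0 ffffcf85`147e8c50 : winnat!SlbNatIpsClientReceivePackets+0x2ad
ffffe20d`0564e6e0 fffff804`7f455968 : 00000000`00000000 ffffcf84`e8ccf000 ffffcf84`e8ccf000 00000000`00000000 : tcpip!IppIndicatePacketsToIpsServiceChain+0x293
ffffe20d`0564f620 fffff804`8fe9d9c2 : 00000000`00000001 00000000`00000001 00000000`00000001 ffffcf84`ee0b5030 : ndis!NdisMIndicateReceiveNetBufferLists+0x104
ffffe20d`0564f710 fffff804`7840781e : 00000000`00000000 00000000`00000000 ffff8780`c70c3240 ffffe20d`00000002 : vmswitch!VmsVrssDpc+0x7a
ffffe20d`0564f760 fffff804`78406b04 : 00000000`00000000 00000000`00000000 00000000`00140001 00000000`00000000 : nt!KiExecuteAllDpcs+0x30e
"""

# Excerpt of the BAD_POOL_CALLER (c2) stack above.
STACK_C2 = """
fffff906`f1c5f4f8 fffff804`7642d2e8 : 00000000`000000c2 00000000`0000000d ffffae81`0e6e7b90 00000000`ffffae81 : nt!KeBugCheckEx
fffff906`f1c5f500 fffff804`7630d8c9 : ffffae81`04aec040 ffffae81`0e6e7ba0 fffff906`f1c5f790 01000000`00100000 : nt!ExFreeHeapPool+0x1e0b58
fffff906`f1c5f5e0 fffff804`727be21c : ffffffff`e6f74f00 ffffae81`0e6e7c00 ffffae81`0e6e7c88 ffffae81`00d3c080 : nt!ExDeleteWakeTimerInfo+0x9
fffff906`f1c5f610 fffff804`727b819f : ffffae81`04aed480 fffff906`f1c5f790 ffffae81`00d3c0c0 fffff804`727b5ce0 : winnat!PplGenericFreeFunction+0x3c
fffff906`f1c5f640 fffff804`727b6282 : ffffae81`0e6e7ba0 fffff906`f1c5f790 ffffae81`00d3c0c0 ffffae81`0e6e7ba0 : winnat!WinNatLibCleanupSession+0x117
fffff906`f1c5f690 fffff804`76244f12 : 00000000`00000004 ffffc081`ecfc0180 ffffc081`ecfc0180 00000000`00000080 : winnat!WinNatSessionTimerDpc+0x582
fffff906`f1c5f7e0 fffff804`76206eed : 00000000`00000000 00000000`00000000 00000000`00140001 00000000`000c84f9 : nt!KiProcessExpiredTimerList+0x172
"""

if __name__ == "__main__":
    for name, text in (("133", STACK_133), ("c2", STACK_C2)):
        print(name, triage(text))
```

On these excerpts the two crashes differ in which DPC was running: the first is a vmswitch receive DPC with WinNAT called inline through ndis and tcpip, the second is WinNAT's own session timer DPC.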