S
ScottFerrell4151
Guest
I did not used to have a problem with bringing PC back from sleep or hibernation. When I did I read a lot of people having this issue. I figured it was caused from Windows (e.g. a Windows Update) but now I believe that it can be a wide range of causes and for me I believe it was VirtualBox SW or VirtualBox config. I am sharing this info in the hopes that it helps save someone else the time that it took me.
I put the PC to sleep in the past but it often failed (i.e. I have to boot the PC from start) so I put PC to hibernate. The hibernate fails less often than sleep but it still fails sometimes (10% vs 25%).
The System Event Logs before and after PC failed to hibernate are pasted below.
The last message prior to hibernate is
Error: Application popup: dwm.exe - System Error : Unknown Hard Error
I powered on the PC then received the following error messages (in chronological order)...
Error: Windows failed to resume from hibernate with error status 0xC0000001.
Error: The previous system shutdown at 11:59:25 AM on 8/4/2020 was unexpected.
Critical: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Warning: The driver \Driver\WudfRd failed to load for the device ACPI\ENE0110\5&138d85c8&0.
Error (3X): The driver detected an internal driver error on \Device\VBoxNetLwf.
Information: The following boot-start or system-start driver(s) did not load: dam
Error: The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xffff8b03376ce2b0, 0xfffff803181ec810, 0xffff8b0356b13a60). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 138cd288-3035-4066-a2b6-2e101312120f.
PC is Windows 10 version 2004 (up to date).
Even tho VBoxNetLwf message appeared later than other Errors I uninstalled VirtualBox 6.0.22.
I used Driver Booster to ensure that PC has the latest drivers (it did).
I have a SSD (Windows 10) and HDD (storage with a VeraCrypt volume).
I installed WinDbg Preview from the Windows Store and viewed the MEMORY.DMP.
I ran analyze -v
I don't understand the output (I pasted it below).
The closest I can find on Google when searching
'a device object has been blocking an irp for too long a time "tcpip.sys"'
is link below but no solution.
Bluescreen when Hibernating
When I looked up the first error message it said to run chkdsk /f /r.
I executed via PowerShell chkdsk /f /r c: and chkdsk /f /r d: and chose to check the next time the system restarts. When I rebooted it ran chkdsk for ~ 2 hours twice on D (HDD) never on C (SSD). It rebooted before I saw the results so I don't know if it repaired D.
I have Power Options set to High Performance with Turn off hard disk after On battery and Plugged in set to Never.
The PC stopped failing from hibernate!
I installed the latest VirtualBox (6.1.12) and Extension Pack.
The PC still stopped failing from hibernate!
I installed AutoHotKey.
The PC started failing to hibernate again... and error is VboxNetlwf but uncertain if that is the cause i.e. red herring as indicated on virtualbox.org • View topic - ID Event 12 for VBoxNetLwf
I uninstalled VirtualBox and I have not had a failure with sleep or hibernation for several weeks so I am certain that the problem is from VirtualBox or a VirtualBox config (e.g. pass-thru NIC).
WinDbg Preview
analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: ffff8b03376ce2b0, Physical Device Object of the stack
Arg3: fffff803181ec810, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: ffff8b0356b13a60, The blocked IRP
Debugging Details:
------------------
Page 436a70 not present in the dump file. Type ".hh dbgerr004" for details
Page 26946a not present in the dump file. Type ".hh dbgerr004" for details
Implicit thread is now ffff8b03`48f5c040
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4515
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on MSI
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 9671
Key : Analysis.Memory.CommitPeak.Mb
Value: 102
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 9f
BUGCHECK_P1: 3
BUGCHECK_P2: ffff8b03376ce2b0
BUGCHECK_P3: fffff803181ec810
BUGCHECK_P4: ffff8b0356b13a60
DRVPOWERSTATE_SUBCODE: 3
FAULTING_THREAD: ffff8b0348f5c040
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: System
STACK_TEXT:
ffffdc8f`70ecea60 fffff803`13227da0 : ffff8b03`00000008 fffff803`ffffffff ffffdc8f`00000000 ffff8b03`491b9118 : nt!KiSwapContext+0x76
ffffdc8f`70eceba0 fffff803`132272cf : 00000000`00000004 00000000`0000000d ffffdc8f`70eced60 fffff803`1727e0b8 : nt!KiSwapThread+0x500
ffffdc8f`70ecec50 fffff803`13226b73 : ffffdc8f`00000000 ffffdc8f`00000000 ffffdc8f`70eced00 ffff8b03`48f5c180 : nt!KiCommitThreadWait+0x14f
ffffdc8f`70ececf0 fffff803`132db625 : ffffdc8f`70ecee18 ffffdc8f`00000000 fffff803`176b5100 fffff803`17611700 : nt!KeWaitForSingleObject+0x233
ffffdc8f`70ecede0 fffff803`176f38d4 : fffff803`1753ce50 fffff803`17353048 ffffdc8f`70ecf1a8 ffffdc8f`70ecf1a0 : nt!ExWaitForRundownProtectionReleaseCacheAware+0xb5
ffffdc8f`70ecee50 fffff803`176645da : 00000000`00000b00 fffff803`00000003 ffff8b03`419d2010 00000000`00000fff : tcpip!FlpWaitForMiniportToReturnTransmittedPackets+0x14
ffffdc8f`70ecee80 fffff803`175a5a28 : ffffdc8f`70ecf1a8 ffff8b03`507e91b0 ffffffff`03e80418 ffffdc8f`70ecef80 : tcpip!FlpUninitializePacketProviderInterface+0x52
ffffdc8f`70eceec0 fffff803`1753ce62 : ffff8b03`42696ba0 00000000`00000008 ffffdc8f`70ecf1a0 00000000`00000000 : tcpip!FlPnpEvent+0x68b98
ffffdc8f`70ecef60 fffff803`1736dff9 : ffff8b03`42696ba0 00000000`00000008 ffffdc8f`70ecf1a0 ffff8b03`379138e0 : tcpip!Fl68PnpEvent+0x12
ffffdc8f`70ecef90 fffff803`1736dbeb : 00000000`00000000 ffffdc8f`70ecf1a0 ffff8b03`42696ba0 ffffdc8f`70ecf1a0 : ndis!ndisInvokeNetPnPEvent+0x81
ffffdc8f`70ecf000 fffff803`1739bcb1 : 00000000`00000008 ffffdc8f`70ecf190 ffff8b03`379138e0 ffff8b03`37913928 : ndis!ndisDeliverNetPnPEventSynchronously+0xe7
ffffdc8f`70ecf090 fffff803`1737a139 : ffff8b03`42628a00 ffffdc8f`70ecf300 ffffdc8f`70ecf300 ffff8b03`3cc0a1a0 : ndis!ndisPnPNotifyBinding+0x13d
ffffdc8f`70ecf290 fffff803`1738ff95 : ffff8b03`42696ba0 fffff803`1329a039 fffff803`01b801f4 ffffdc8f`70ecf3b0 : ndis!ndisPnPNotifyBindingUnlocked+0x35
ffffdc8f`70ecf2e0 fffff803`1738fe6d : ffffcc8a`3af11850 ffffcc8a`3af11850 00000000`00000000 ffffdc8f`70ecf540 : ndis!ndisPauseProtocolInner+0x79
ffffdc8f`70ecf3e0 fffff803`17381740 : 00000000`00000000 ffffdc8f`70ecf540 00000000`00000001 ffff8b03`3cc0b590 : ndis!ndisPauseProtocol+0xb1
ffffdc8f`70ecf440 fffff803`173742d8 : ffff8b03`3cc0a1a0 ffff8b03`3cc0a1a0 ffff8b03`3cc0b608 ffff8b03`3cc0b590 : ndis!Ndis::BindEngine::Iterate+0xd3bc
ffffdc8f`70ecf5c0 fffff803`1736d906 : ffff8b03`3cc0b590 ffffdc8f`70ecf800 00000000`00000000 00000000`00000000 : ndis!Ndis::BindEngine::UpdateBindings+0x98
ffffdc8f`70ecf610 fffff803`1736d96c : ffff8b03`3cc0b590 00000000`00000000 ffff8b03`3cc0b590 fffff803`1736b3ef : ndis!Ndis::BindEngine:ispatchPendingWork+0x76
ffffdc8f`70ecf640 fffff803`172b3eb2 : ffff8b03`3cc0a1a0 ffffdc8f`70ecf820 ffff8b03`56b13a60 ffff8b03`56b13a60 : ndis!Ndis::BindEngine::ApplyBindChanges+0x54
ffffdc8f`70ecf690 fffff803`17283e2d : 00000000`00000000 ffff8b03`3cc0a1a0 ffff8b03`3cc0a1a0 fffff803`1736d7aa : ndis!ndisPrepForLowPowerCommon+0x30056
ffffdc8f`70ecf780 fffff803`17284989 : 00000000`00000005 ffff8b03`56b13a60 ffff8b03`3cc0a1a0 fffff803`1727e0b8 : ndis!ndisPrepForLowPower+0x1d
ffffdc8f`70ecf7d0 fffff803`1728522e : 00000000`00000000 ffff8b03`00000004 ffff8b03`3cc0a1a0 ffff8b03`56b13bc0 : ndis!ndisSetSystemPower+0x191
ffffdc8f`70ecf850 fffff803`17286634 : ffff8b03`56b13a60 ffff8b03`376cec20 ffff8b03`56b13bc0 ffff8b03`3cc0a1a0 : ndis!ndisSetPower+0x10a
ffffdc8f`70ecf8b0 fffff803`13382bbf : ffff8b03`56b13a60 ffffdc8f`70ecfbb0 ffff8b03`56b13a60 ffff8b03`3cc07060 : ndis!ndisPowerDispatch+0x114
ffffdc8f`70ecf910 fffff803`13246d5d : ffffdc8f`70ecf958 fffff803`00000000 ffffdc8f`70ecfa28 00000000`00000000 : nt!IopPoHandleIrp+0x3b
ffffdc8f`70ecf940 fffff803`13384e09 : fffff803`13c23b20 ffff8b03`3c972f38 00000000`00000000 00000000`00000004 : nt!IofCallDriver+0x6d
ffffdc8f`70ecf980 fffff803`161b03f9 : ffff8b03`3c9e2dc0 00000000`00000005 ffffdc8f`70ecfbd0 ffff8b03`56b13a60 : nt!IoCallDriver+0x9
ffffdc8f`70ecf9b0 fffff803`161b1246 : ffff8b03`3c972dc0 ffff8b03`3cc07060 ffff8b03`3cc07060 ffffdc8f`70ecfad0 : Wdf01000!FxPkgFdo::_PowerPassDown+0x79 [minkernel\wdf\framework\shared\irphandlers\pnp\fdopower.cpp @ 85]
ffffdc8f`70ecf9e0 fffff803`161b0ffa : ffff8b03`3cc07060 ffffdc8f`70ecfbb0 ffff8b03`3c914680 00000000`00000000 : Wdf01000!FxPkgFdo:ispatchSystemSetPower+0x1b2 [minkernel\wdf\framework\shared\irphandlers\pnp\fdopower.cpp @ 300]
ffffdc8f`70ecfa30 fffff803`161acbaf : ffff8b03`3cc07060 ffff8b03`3c914680 000074fc`c36eb978 00000000`00000000 : Wdf01000!FxPkgFdo::_DispatchSetPower+0x1a [minkernel\wdf\framework\shared\irphandlers\pnp\fdopower.cpp @ 122]
ffffdc8f`70ecfa60 fffff803`161aa866 : ffff8b03`56b13a60 ffff8b03`3c972dc0 ffff8b03`56b13a60 fffff803`13c23360 : Wdf01000!FxPkgPnp:ispatch+0xaf [minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 765]
ffffdc8f`70ecfad0 fffff803`1338a529 : ffffdc8f`70ecfbd0 00000000`00000000 00000000`00000000 ffff8b03`48f5c040 : Wdf01000!FxDevice:ispatchWithLock+0x156 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1447]
ffffdc8f`70ecfb30 fffff803`13346735 : ffffffff`fa0a1f00 fffff803`1338a350 ffff8b03`42bf21b0 00000000`00000102 : nt!PopIrpWorker+0x1d9
ffffdc8f`70ecfbd0 fffff803`133e51b8 : ffffe000`c89c0180 ffff8b03`48f5c040 fffff803`133466e0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffdc8f`70ecfc20 00000000`00000000 : ffffdc8f`70ed0000 ffffdc8f`70ec9000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
STACK_COMMAND: .thread 0xffff8b0348f5c040 ; kb
SYMBOL_NAME: tcpip!FlpWaitForMiniportToReturnTransmittedPackets+14
MODULE_NAME: tcpip
IMAGE_NAME: tcpip.sys
BUCKET_ID_FUNC_OFFSET: 14
FAILURE_BUCKET_ID: 0x9F_3_POWER_DOWN_tcpip!FlpWaitForMiniportToReturnTransmittedPackets
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3a9600b8-5597-3062-7849-e5c3f448bde6}
Followup: MachineOwner
---------
SYSTEM EVENT LOGS (in reverse chronological order)...
Log Name: System
Source: Microsoft-Windows-FilterManager
Date: 8/4/2020 12:59:28 PM
Event ID: 6
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: MSi
Description:
File System Filter 'SymEvnt' (10.0, 2019-12-31T16:09:52.000000000Z) has successfully loaded and registered with Filter Manager.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-FilterManager" Guid="{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}" />
<EventID>6</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:59:28.7414709Z" />
<EventRecordID>12839</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="392" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0x0</Data>
<Data Name="DeviceVersionMajor">10</Data>
<Data Name="DeviceVersionMinor">0</Data>
<Data Name="DeviceNameLength">7</Data>
<Data Name="DeviceName">SymEvnt</Data>
<Data Name="DeviceTime">2019-12-31T16:09:52.0000000Z</Data>
</EventData>
</Event>
Log Name: System
Source: SRTSP
Date: 8/4/2020 12:59:28 PM
Event ID: 2003
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: MSi
Description:
Symantec Antivirus minifilter successfully loaded.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="SRTSP" />
<EventID Qualifiers="16392">2003</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:59:28.6997335Z" />
<EventRecordID>12838</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5376" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Binary>0000000001002C0000000000D3070840000000000000000000000000000000000000000000000000</Binary>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-FilterManager
Date: 8/4/2020 12:59:28 PM
Event ID: 6
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: MSi
Description:
File System Filter 'SRTSP' (10.0, 2020-04-21T18:54:57.000000000Z) has successfully loaded and registered with Filter Manager.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-FilterManager" Guid="{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}" />
<EventID>6</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:59:28.6735494Z" />
<EventRecordID>12837</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="392" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0x0</Data>
<Data Name="DeviceVersionMajor">10</Data>
<Data Name="DeviceVersionMinor">0</Data>
<Data Name="DeviceNameLength">5</Data>
<Data Name="DeviceName">SRTSP</Data>
<Data Name="DeviceTime">2020-04-21T18:54:57.0000000Z</Data>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 8/4/2020 12:58:46 PM
Event ID: 10016
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: MSi
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.WscBrokerManager
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:46.0476212Z" />
<EventRecordID>12836</EventRecordID>
<Correlation ActivityID="{697fe657-b6d3-4403-89c2-5a71c0dc9927}" />
<Execution ProcessID="1064" ThreadID="1768" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Launch</Data>
<Data Name="param4">Windows.SecurityCenter.WscBrokerManager</Data>
<Data Name="param5">Unavailable</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">SYSTEM</Data>
<Data Name="param8">S-1-5-18</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 8/4/2020 12:58:46 PM
Event ID: 10016
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: MSi
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.SecurityAppBroker
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:46.0466199Z" />
<EventRecordID>12835</EventRecordID>
<Correlation ActivityID="{dbee915d-c6e4-4664-8463-ce0343136b42}" />
<Execution ProcessID="1064" ThreadID="1732" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Launch</Data>
<Data Name="param4">Windows.SecurityCenter.SecurityAppBroker</Data>
<Data Name="param5">Unavailable</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">SYSTEM</Data>
<Data Name="param8">S-1-5-18</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>
Log Name: System
Source: VBoxNetLwf
Date: 8/4/2020 12:58:30 PM
Event ID: 12
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MSi
Description:
The driver detected an internal driver error on \Device\VBoxNetLwf.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="VBoxNetLwf" />
<EventID Qualifiers="49156">12</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:30.3301887Z" />
<EventRecordID>12834</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="6496" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security />
</System>
<EventData>
<Data>\Device\VBoxNetLwf</Data>
<Binary>0000140001000000000000000C0004C0080000000000000000000000000000000000000000000000B46D834DE9C9B46D834DE9C8D8CB8A810E890000</Binary>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 8/4/2020 12:58:20 PM
Event ID: 10016
Task Category: None
Level: Warning
Keywords: Classic
User: MSI\sferr
Computer: MSi
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user MSI\sferr SID (S-1-5-21-3551299564-1785348287-2787167534-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:20.9165539Z" />
<EventRecordID>12833</EventRecordID>
<Correlation ActivityID="{e5295079-49d9-4998-96b7-ea977b6879e3}" />
<Execution ProcessID="1064" ThreadID="1096" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-21-3551299564-1785348287-2787167534-1001" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Activation</Data>
<Data Name="param4">{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}</Data>
<Data Name="param5">{15C20B67-12E7-4BB6-92BB-7AFF07997402}</Data>
<Data Name="param6">MSI</Data>
<Data Name="param7">sferr</Data>
<Data Name="param8">S-1-5-21-3551299564-1785348287-2787167534-1001</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-Kernel-Processor-Power
Date: 8/4/2020 12:57:45 PM
Event ID: 37
Task Category: (7)
Level: Warning
Keywords:
User: SYSTEM
Computer: MSi
Description:
The speed of processor 5 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 3 seconds since the last report.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Processor-Power" Guid="{0f67e49f-fe51-4e9f-b490-6f2948cc6027}" />
<EventID>37</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:57:45.9037554Z" />
<EventRecordID>12832</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="148" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Group">0</Data>
<Data Name="Number">5</Data>
<Data Name="CapDurationInSeconds">3</Data>
<Data Name="PpcChanges">2</Data>
<Data Name="TpcChanges">0</Data>
<Data Name="PccChanges">0</Data>
</EventData>
</Event>
Continue reading...
I put the PC to sleep in the past but it often failed (i.e. I have to boot the PC from start) so I put PC to hibernate. The hibernate fails less often than sleep but it still fails sometimes (10% vs 25%).
The System Event Logs before and after PC failed to hibernate are pasted below.
The last message prior to hibernate is
Error: Application popup: dwm.exe - System Error : Unknown Hard Error
I powered on the PC then received the following error messages (in chronological order)...
Error: Windows failed to resume from hibernate with error status 0xC0000001.
Error: The previous system shutdown at 11:59:25 AM on 8/4/2020 was unexpected.
Critical: The system has rebooted without cleanly shutting down first. This error could be caused if the system stopped responding, crashed, or lost power unexpectedly.
Warning: The driver \Driver\WudfRd failed to load for the device ACPI\ENE0110\5&138d85c8&0.
Error (3X): The driver detected an internal driver error on \Device\VBoxNetLwf.
Information: The following boot-start or system-start driver(s) did not load: dam
Error: The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xffff8b03376ce2b0, 0xfffff803181ec810, 0xffff8b0356b13a60). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: 138cd288-3035-4066-a2b6-2e101312120f.
PC is Windows 10 version 2004 (up to date).
Even tho VBoxNetLwf message appeared later than other Errors I uninstalled VirtualBox 6.0.22.
I used Driver Booster to ensure that PC has the latest drivers (it did).
I have a SSD (Windows 10) and HDD (storage with a VeraCrypt volume).
I installed WinDbg Preview from the Windows Store and viewed the MEMORY.DMP.
I ran analyze -v
I don't understand the output (I pasted it below).
The closest I can find on Google when searching
'a device object has been blocking an irp for too long a time "tcpip.sys"'
is link below but no solution.
Bluescreen when Hibernating
When I looked up the first error message it said to run chkdsk /f /r.
I executed via PowerShell chkdsk /f /r c: and chkdsk /f /r d: and chose to check the next time the system restarts. When I rebooted it ran chkdsk for ~ 2 hours twice on D (HDD) never on C (SSD). It rebooted before I saw the results so I don't know if it repaired D.
I have Power Options set to High Performance with Turn off hard disk after On battery and Plugged in set to Never.
The PC stopped failing from hibernate!
I installed the latest VirtualBox (6.1.12) and Extension Pack.
The PC still stopped failing from hibernate!
I installed AutoHotKey.
The PC started failing to hibernate again... and error is VboxNetlwf but uncertain if that is the cause i.e. red herring as indicated on virtualbox.org • View topic - ID Event 12 for VBoxNetLwf
I uninstalled VirtualBox and I have not had a failure with sleep or hibernation for several weeks so I am certain that the problem is from VirtualBox or a VirtualBox config (e.g. pass-thru NIC).
WinDbg Preview
analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000003, A device object has been blocking an Irp for too long a time
Arg2: ffff8b03376ce2b0, Physical Device Object of the stack
Arg3: fffff803181ec810, nt!TRIAGE_9F_POWER on Win7 and higher, otherwise the Functional Device Object of the stack
Arg4: ffff8b0356b13a60, The blocked IRP
Debugging Details:
------------------
Page 436a70 not present in the dump file. Type ".hh dbgerr004" for details
Page 26946a not present in the dump file. Type ".hh dbgerr004" for details
Implicit thread is now ffff8b03`48f5c040
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4515
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on MSI
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.mSec
Value: 9671
Key : Analysis.Memory.CommitPeak.Mb
Value: 102
Key : Analysis.System
Value: CreateObject
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
ADDITIONAL_XML: 1
OS_BUILD_LAYERS: 1
BUGCHECK_CODE: 9f
BUGCHECK_P1: 3
BUGCHECK_P2: ffff8b03376ce2b0
BUGCHECK_P3: fffff803181ec810
BUGCHECK_P4: ffff8b0356b13a60
DRVPOWERSTATE_SUBCODE: 3
FAULTING_THREAD: ffff8b0348f5c040
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: System
STACK_TEXT:
ffffdc8f`70ecea60 fffff803`13227da0 : ffff8b03`00000008 fffff803`ffffffff ffffdc8f`00000000 ffff8b03`491b9118 : nt!KiSwapContext+0x76
ffffdc8f`70eceba0 fffff803`132272cf : 00000000`00000004 00000000`0000000d ffffdc8f`70eced60 fffff803`1727e0b8 : nt!KiSwapThread+0x500
ffffdc8f`70ecec50 fffff803`13226b73 : ffffdc8f`00000000 ffffdc8f`00000000 ffffdc8f`70eced00 ffff8b03`48f5c180 : nt!KiCommitThreadWait+0x14f
ffffdc8f`70ececf0 fffff803`132db625 : ffffdc8f`70ecee18 ffffdc8f`00000000 fffff803`176b5100 fffff803`17611700 : nt!KeWaitForSingleObject+0x233
ffffdc8f`70ecede0 fffff803`176f38d4 : fffff803`1753ce50 fffff803`17353048 ffffdc8f`70ecf1a8 ffffdc8f`70ecf1a0 : nt!ExWaitForRundownProtectionReleaseCacheAware+0xb5
ffffdc8f`70ecee50 fffff803`176645da : 00000000`00000b00 fffff803`00000003 ffff8b03`419d2010 00000000`00000fff : tcpip!FlpWaitForMiniportToReturnTransmittedPackets+0x14
ffffdc8f`70ecee80 fffff803`175a5a28 : ffffdc8f`70ecf1a8 ffff8b03`507e91b0 ffffffff`03e80418 ffffdc8f`70ecef80 : tcpip!FlpUninitializePacketProviderInterface+0x52
ffffdc8f`70eceec0 fffff803`1753ce62 : ffff8b03`42696ba0 00000000`00000008 ffffdc8f`70ecf1a0 00000000`00000000 : tcpip!FlPnpEvent+0x68b98
ffffdc8f`70ecef60 fffff803`1736dff9 : ffff8b03`42696ba0 00000000`00000008 ffffdc8f`70ecf1a0 ffff8b03`379138e0 : tcpip!Fl68PnpEvent+0x12
ffffdc8f`70ecef90 fffff803`1736dbeb : 00000000`00000000 ffffdc8f`70ecf1a0 ffff8b03`42696ba0 ffffdc8f`70ecf1a0 : ndis!ndisInvokeNetPnPEvent+0x81
ffffdc8f`70ecf000 fffff803`1739bcb1 : 00000000`00000008 ffffdc8f`70ecf190 ffff8b03`379138e0 ffff8b03`37913928 : ndis!ndisDeliverNetPnPEventSynchronously+0xe7
ffffdc8f`70ecf090 fffff803`1737a139 : ffff8b03`42628a00 ffffdc8f`70ecf300 ffffdc8f`70ecf300 ffff8b03`3cc0a1a0 : ndis!ndisPnPNotifyBinding+0x13d
ffffdc8f`70ecf290 fffff803`1738ff95 : ffff8b03`42696ba0 fffff803`1329a039 fffff803`01b801f4 ffffdc8f`70ecf3b0 : ndis!ndisPnPNotifyBindingUnlocked+0x35
ffffdc8f`70ecf2e0 fffff803`1738fe6d : ffffcc8a`3af11850 ffffcc8a`3af11850 00000000`00000000 ffffdc8f`70ecf540 : ndis!ndisPauseProtocolInner+0x79
ffffdc8f`70ecf3e0 fffff803`17381740 : 00000000`00000000 ffffdc8f`70ecf540 00000000`00000001 ffff8b03`3cc0b590 : ndis!ndisPauseProtocol+0xb1
ffffdc8f`70ecf440 fffff803`173742d8 : ffff8b03`3cc0a1a0 ffff8b03`3cc0a1a0 ffff8b03`3cc0b608 ffff8b03`3cc0b590 : ndis!Ndis::BindEngine::Iterate+0xd3bc
ffffdc8f`70ecf5c0 fffff803`1736d906 : ffff8b03`3cc0b590 ffffdc8f`70ecf800 00000000`00000000 00000000`00000000 : ndis!Ndis::BindEngine::UpdateBindings+0x98
ffffdc8f`70ecf610 fffff803`1736d96c : ffff8b03`3cc0b590 00000000`00000000 ffff8b03`3cc0b590 fffff803`1736b3ef : ndis!Ndis::BindEngine:ispatchPendingWork+0x76
ffffdc8f`70ecf640 fffff803`172b3eb2 : ffff8b03`3cc0a1a0 ffffdc8f`70ecf820 ffff8b03`56b13a60 ffff8b03`56b13a60 : ndis!Ndis::BindEngine::ApplyBindChanges+0x54
ffffdc8f`70ecf690 fffff803`17283e2d : 00000000`00000000 ffff8b03`3cc0a1a0 ffff8b03`3cc0a1a0 fffff803`1736d7aa : ndis!ndisPrepForLowPowerCommon+0x30056
ffffdc8f`70ecf780 fffff803`17284989 : 00000000`00000005 ffff8b03`56b13a60 ffff8b03`3cc0a1a0 fffff803`1727e0b8 : ndis!ndisPrepForLowPower+0x1d
ffffdc8f`70ecf7d0 fffff803`1728522e : 00000000`00000000 ffff8b03`00000004 ffff8b03`3cc0a1a0 ffff8b03`56b13bc0 : ndis!ndisSetSystemPower+0x191
ffffdc8f`70ecf850 fffff803`17286634 : ffff8b03`56b13a60 ffff8b03`376cec20 ffff8b03`56b13bc0 ffff8b03`3cc0a1a0 : ndis!ndisSetPower+0x10a
ffffdc8f`70ecf8b0 fffff803`13382bbf : ffff8b03`56b13a60 ffffdc8f`70ecfbb0 ffff8b03`56b13a60 ffff8b03`3cc07060 : ndis!ndisPowerDispatch+0x114
ffffdc8f`70ecf910 fffff803`13246d5d : ffffdc8f`70ecf958 fffff803`00000000 ffffdc8f`70ecfa28 00000000`00000000 : nt!IopPoHandleIrp+0x3b
ffffdc8f`70ecf940 fffff803`13384e09 : fffff803`13c23b20 ffff8b03`3c972f38 00000000`00000000 00000000`00000004 : nt!IofCallDriver+0x6d
ffffdc8f`70ecf980 fffff803`161b03f9 : ffff8b03`3c9e2dc0 00000000`00000005 ffffdc8f`70ecfbd0 ffff8b03`56b13a60 : nt!IoCallDriver+0x9
ffffdc8f`70ecf9b0 fffff803`161b1246 : ffff8b03`3c972dc0 ffff8b03`3cc07060 ffff8b03`3cc07060 ffffdc8f`70ecfad0 : Wdf01000!FxPkgFdo::_PowerPassDown+0x79 [minkernel\wdf\framework\shared\irphandlers\pnp\fdopower.cpp @ 85]
ffffdc8f`70ecf9e0 fffff803`161b0ffa : ffff8b03`3cc07060 ffffdc8f`70ecfbb0 ffff8b03`3c914680 00000000`00000000 : Wdf01000!FxPkgFdo:ispatchSystemSetPower+0x1b2 [minkernel\wdf\framework\shared\irphandlers\pnp\fdopower.cpp @ 300]
ffffdc8f`70ecfa30 fffff803`161acbaf : ffff8b03`3cc07060 ffff8b03`3c914680 000074fc`c36eb978 00000000`00000000 : Wdf01000!FxPkgFdo::_DispatchSetPower+0x1a [minkernel\wdf\framework\shared\irphandlers\pnp\fdopower.cpp @ 122]
ffffdc8f`70ecfa60 fffff803`161aa866 : ffff8b03`56b13a60 ffff8b03`3c972dc0 ffff8b03`56b13a60 fffff803`13c23360 : Wdf01000!FxPkgPnp:ispatch+0xaf [minkernel\wdf\framework\shared\irphandlers\pnp\fxpkgpnp.cpp @ 765]
ffffdc8f`70ecfad0 fffff803`1338a529 : ffffdc8f`70ecfbd0 00000000`00000000 00000000`00000000 ffff8b03`48f5c040 : Wdf01000!FxDevice:ispatchWithLock+0x156 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1447]
ffffdc8f`70ecfb30 fffff803`13346735 : ffffffff`fa0a1f00 fffff803`1338a350 ffff8b03`42bf21b0 00000000`00000102 : nt!PopIrpWorker+0x1d9
ffffdc8f`70ecfbd0 fffff803`133e51b8 : ffffe000`c89c0180 ffff8b03`48f5c040 fffff803`133466e0 00000000`00000000 : nt!PspSystemThreadStartup+0x55
ffffdc8f`70ecfc20 00000000`00000000 : ffffdc8f`70ed0000 ffffdc8f`70ec9000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
STACK_COMMAND: .thread 0xffff8b0348f5c040 ; kb
SYMBOL_NAME: tcpip!FlpWaitForMiniportToReturnTransmittedPackets+14
MODULE_NAME: tcpip
IMAGE_NAME: tcpip.sys
BUCKET_ID_FUNC_OFFSET: 14
FAILURE_BUCKET_ID: 0x9F_3_POWER_DOWN_tcpip!FlpWaitForMiniportToReturnTransmittedPackets
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {3a9600b8-5597-3062-7849-e5c3f448bde6}
Followup: MachineOwner
---------
SYSTEM EVENT LOGS (in reverse chronological order)...
Log Name: System
Source: Microsoft-Windows-FilterManager
Date: 8/4/2020 12:59:28 PM
Event ID: 6
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: MSi
Description:
File System Filter 'SymEvnt' (10.0, 2019-12-31T16:09:52.000000000Z) has successfully loaded and registered with Filter Manager.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-FilterManager" Guid="{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}" />
<EventID>6</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:59:28.7414709Z" />
<EventRecordID>12839</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="392" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0x0</Data>
<Data Name="DeviceVersionMajor">10</Data>
<Data Name="DeviceVersionMinor">0</Data>
<Data Name="DeviceNameLength">7</Data>
<Data Name="DeviceName">SymEvnt</Data>
<Data Name="DeviceTime">2019-12-31T16:09:52.0000000Z</Data>
</EventData>
</Event>
Log Name: System
Source: SRTSP
Date: 8/4/2020 12:59:28 PM
Event ID: 2003
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: MSi
Description:
Symantec Antivirus minifilter successfully loaded.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="SRTSP" />
<EventID Qualifiers="16392">2003</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:59:28.6997335Z" />
<EventRecordID>12838</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5376" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Binary>0000000001002C0000000000D3070840000000000000000000000000000000000000000000000000</Binary>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-FilterManager
Date: 8/4/2020 12:59:28 PM
Event ID: 6
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: MSi
Description:
File System Filter 'SRTSP' (10.0, 2020-04-21T18:54:57.000000000Z) has successfully loaded and registered with Filter Manager.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-FilterManager" Guid="{f3c5e28e-63f6-49c7-a204-e48a1bc4b09d}" />
<EventID>6</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:59:28.6735494Z" />
<EventRecordID>12837</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="392" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="FinalStatus">0x0</Data>
<Data Name="DeviceVersionMajor">10</Data>
<Data Name="DeviceVersionMinor">0</Data>
<Data Name="DeviceNameLength">5</Data>
<Data Name="DeviceName">SRTSP</Data>
<Data Name="DeviceTime">2020-04-21T18:54:57.0000000Z</Data>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 8/4/2020 12:58:46 PM
Event ID: 10016
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: MSi
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.WscBrokerManager
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:46.0476212Z" />
<EventRecordID>12836</EventRecordID>
<Correlation ActivityID="{697fe657-b6d3-4403-89c2-5a71c0dc9927}" />
<Execution ProcessID="1064" ThreadID="1768" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Launch</Data>
<Data Name="param4">Windows.SecurityCenter.WscBrokerManager</Data>
<Data Name="param5">Unavailable</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">SYSTEM</Data>
<Data Name="param8">S-1-5-18</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 8/4/2020 12:58:46 PM
Event ID: 10016
Task Category: None
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: MSi
Description:
The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID
Windows.SecurityCenter.SecurityAppBroker
and APPID
Unavailable
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:46.0466199Z" />
<EventRecordID>12835</EventRecordID>
<Correlation ActivityID="{dbee915d-c6e4-4664-8463-ce0343136b42}" />
<Execution ProcessID="1064" ThreadID="1732" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Launch</Data>
<Data Name="param4">Windows.SecurityCenter.SecurityAppBroker</Data>
<Data Name="param5">Unavailable</Data>
<Data Name="param6">NT AUTHORITY</Data>
<Data Name="param7">SYSTEM</Data>
<Data Name="param8">S-1-5-18</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>
Log Name: System
Source: VBoxNetLwf
Date: 8/4/2020 12:58:30 PM
Event ID: 12
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: MSi
Description:
The driver detected an internal driver error on \Device\VBoxNetLwf.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="VBoxNetLwf" />
<EventID Qualifiers="49156">12</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:30.3301887Z" />
<EventRecordID>12834</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="6496" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security />
</System>
<EventData>
<Data>\Device\VBoxNetLwf</Data>
<Binary>0000140001000000000000000C0004C0080000000000000000000000000000000000000000000000B46D834DE9C9B46D834DE9C8D8CB8A810E890000</Binary>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-DistributedCOM
Date: 8/4/2020 12:58:20 PM
Event ID: 10016
Task Category: None
Level: Warning
Keywords: Classic
User: MSI\sferr
Computer: MSi
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}
and APPID
{15C20B67-12E7-4BB6-92BB-7AFF07997402}
to the user MSI\sferr SID (S-1-5-21-3551299564-1785348287-2787167534-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DistributedCOM" Guid="{1B562E86-B7AA-4131-BADC-B6F3A001407E}" EventSourceName="DCOM" />
<EventID Qualifiers="0">10016</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:58:20.9165539Z" />
<EventRecordID>12833</EventRecordID>
<Correlation ActivityID="{e5295079-49d9-4998-96b7-ea977b6879e3}" />
<Execution ProcessID="1064" ThreadID="1096" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-21-3551299564-1785348287-2787167534-1001" />
</System>
<EventData>
<Data Name="param1">application-specific</Data>
<Data Name="param2">Local</Data>
<Data Name="param3">Activation</Data>
<Data Name="param4">{2593F8B9-4EAF-457C-B68A-50F6B8EA6B54}</Data>
<Data Name="param5">{15C20B67-12E7-4BB6-92BB-7AFF07997402}</Data>
<Data Name="param6">MSI</Data>
<Data Name="param7">sferr</Data>
<Data Name="param8">S-1-5-21-3551299564-1785348287-2787167534-1001</Data>
<Data Name="param9">LocalHost (Using LRPC)</Data>
<Data Name="param10">Unavailable</Data>
<Data Name="param11">Unavailable</Data>
</EventData>
</Event>
Log Name: System
Source: Microsoft-Windows-Kernel-Processor-Power
Date: 8/4/2020 12:57:45 PM
Event ID: 37
Task Category: (7)
Level: Warning
Keywords:
User: SYSTEM
Computer: MSi
Description:
The speed of processor 5 in group 0 is being limited by system firmware. The processor has been in this reduced performance state for 3 seconds since the last report.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kernel-Processor-Power" Guid="{0f67e49f-fe51-4e9f-b490-6f2948cc6027}" />
<EventID>37</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2020-08-04T16:57:45.9037554Z" />
<EventRecordID>12832</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="148" />
<Channel>System</Channel>
<Computer>MSi</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Group">0</Data>
<Data Name="Number">5</Data>
<Data Name="CapDurationInSeconds">3</Data>
<Data Name="PpcChanges">2</Data>
<Data Name="TpcChanges">0</Data>
<Data Name="PccChanges">0</Data>
</EventData>
</Event>
Continue reading...