grnassar closed 3 years ago
Thanks for this report! The minidump shows that the crash is in athw10x.sys:
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff800cd63f0fa, address which referenced memory
Debugging Details:
------------------
DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump
READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
athw10x+df0fa
fffff800`cd63f0fa 0fb60401 movzx eax,byte ptr [rcx+rax]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: AV
PROCESS_NAME: System
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
TRAP_FRAME: ffffdf8d16022550 -- (.trap 0xffffdf8d16022550)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=ffffcf09f5594c00 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800cd63f0fa rsp=ffffdf8d160226e0 rbp=ffffdf8d16022ad9
r8=fffff800cd8760a0 r9=0000000000000142 r10=fffff800bfb44180
r11=fffff800cd64bf14 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
athw10x+0xdf0fa:
fffff800`cd63f0fa 0fb60401 movzx eax,byte ptr [rcx+rax] ds:00000000`00000000=a8
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800c13a9e69 to fffff800c1399330
STACK_TEXT:
ffffdf8d`16022408 fffff800`c13a9e69 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffdf8d`16022410 fffff800`c13a6ae5 : ffffcf09`f43a9428 ffffcf09`00000002 fffff800`cd892250 fffff800`cd892230 : nt!KiBugCheckDispatch+0x69
ffffdf8d`16022550 fffff800`cd63f0fa : ffffcf09`f540d030 ffffcf09`00000000 00000000`00000000 fffff800`cd63db95 : nt!KiPageFault+0x425
ffffdf8d`160226e0 ffffcf09`f540d030 : ffffcf09`00000000 00000000`00000000 fffff800`cd63db95 00000003`f4f00130 : athw10x+0xdf0fa
ffffdf8d`160226e8 ffffcf09`00000000 : 00000000`00000000 fffff800`cd63db95 00000003`f4f00130 ffff0000`e5f52be0 : 0xffffcf09`f540d030
ffffdf8d`160226f0 00000000`00000000 : fffff800`cd63db95 00000003`f4f00130 ffff0000`e5f52be0 ffffcf09`00000f0c : 0xffffcf09`00000000
STACK_COMMAND: kb
FOLLOWUP_IP:
athw10x+df0fa
fffff800`cd63f0fa 0fb60401 movzx eax,byte ptr [rcx+rax]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: athw10x+df0fa
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: athw10x
IMAGE_NAME: athw10x.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57ccdf8a
FAILURE_BUCKET_ID: AV_athw10x+df0fa
BUCKET_ID: AV_athw10x+df0fa
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:av_athw10x+df0fa
FAILURE_ID_HASH: {70b7bed7-763b-3f3e-71af-a8dcc88bbc31}
Followup: MachineOwner
---------
As far as I can tell, this is a bug in the chipset driver and not in Npcap, though we would accept any suggestions of how to improve Npcap on this chipset. I had a similar crash with the AR9271 driver on Windows 10, but I was able to get it mostly working by hunting down an older Windows 8 driver on wikidevi.com.
Closing this, since the bug is in the Atheros chipset driver and can be triggered by WlanHelper (which does not do any Npcap-specific operations) and normal network traffic.
Realtek AR9285 driver ver. 10.0.0.347 (most recent available, through Windows Update - verified in MS driver catalog). No other wireless adapters installed.
Can replicate locally by:
Npcap is 0.99r6 (also got BSoD with r5). Installed in WinPcap compatibility mode. Both services show as running successfully.
Minidump and Npcap diagnostic enclosed. DiagReport-20180625-142435.txt 062518-7718-01.dmp.zip
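A triage sketch for the `!analyze -v` output earlier in this thread, added here as an example and not part of the original issue or of Npcap: it pulls out the bugcheck arguments and the faulting image, cross-checks the faulting address against the `module+offset` symbol, and reports whether a driver under suspicion is the one that faulted. The function name `triage`, the `suspect_images` parameter and its `npcap.sys` default are assumptions; the sample lines are excerpted from the output above.

```python
import re

# Constructed sample: a few lines excerpted from the !analyze -v output in this thread.
SAMPLE = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff800cd63f0fa, address which referenced memory
SYMBOL_NAME: athw10x+df0fa
MODULE_NAME: athw10x
IMAGE_NAME: athw10x.sys
"""


def triage(text, suspect_images=("npcap.sys",)):
    """Summarise a bugcheck report; suspect_images is an assumed list of drivers to rule in or out."""
    code = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    # Arg1..Arg4 are printed as hex without a 0x prefix.
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]+)", text, re.M)}
    # Single-value "KEY: value" lines such as MODULE_NAME and IMAGE_NAME.
    fields = dict(re.findall(r"^([A-Z_]+):[ \t]+(\S+)[ \t]*$", text, re.M))

    # SYMBOL_NAME is module+offset; Arg4 minus the offset should give a
    # page-aligned load address if the fault really lies inside that image.
    _, sym_off = fields["SYMBOL_NAME"].split("+")
    base = args[4] - int(sym_off, 16)
    image = fields["IMAGE_NAME"].lower()

    return {
        "name": code.group(1),
        "bugcheck": int(code.group(2), 16),
        "irql": args[2],                      # 2 is DISPATCH_LEVEL
        "access": {0: "read", 1: "write"}.get(args[3], "other"),
        "null_deref": args[1] < 0x10000,      # referenced address in the null page range
        "image": image,
        "module_base": base,
        "base_page_aligned": base & 0xFFF == 0,
        "suspect_faulted": image in suspect_images,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value:#x}" if key == "module_base" else f"{key}: {value}")
```
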