Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Npcap 0.03 call for test

From: Yang Luo <hsluoyb@xxxxxxxxx>
Date: Mon, 3 Aug 2015 15:33:58 +0800
Hi list,

I think have fixed the BAD_POOL_CALLER BSoD in Npcap 0.03 r3 version, it turns out to be a memory double-free bug in WFP classifyFn function used for loopback packet capturing. The lastest installer is: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r3.exe

I have tested it under Win 8.1 x64 with VMware Workstation 11 installed and Win10 x64, if you encounter any BSoDs with this version, please let me know.


Cheers,
Yang


On Sun, Aug 2, 2015 at 7:45 PM, Yang Luo <hsluoyb@xxxxxxxxx> wrote:
Hi Tyson,

Thanks for these tests. From all your elaborated BSoD descriptions, I think there are only two kinds of BSoD, BAD_POOL_CALLER and SYSTEM_SERVICE_EXCEPTION (Tell me if I am wrong). I don't know which version Npcap you used for SYSTEM_SERVICE_EXCEPTION BSoD test, but I think I have fixed the SYSTEM_SERVICE_EXCEPTION one in https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.03-r2.exe. And I am working on the BAD_POOL_CALLER one. So if you still encounter a SYSTEM_SERVICE_EXCEPTION BSoD in npcap-nmap-0.03-r2.exe, plz let me know.


Cheers,
Yang


On Sun, Aug 2, 2015 at 6:35 AM, Tyson Key <tyson.key@xxxxxxxxx> wrote:
Apologies for all of the spam, and indirection that my brief sojourn with an ancient version of NPCap caused (I shouldn't be doing this kind of repetitive testing, whilst I'm tired) - but it probably provides a control/benchmark, as far as "this is (kinda) the way things are supposed to work, on my machine" goes.

Anyway, after reinstalling the correct version (linked to in the very first mail from Yang), I get an instant, particularly nasty BSoD, as soon as I launch Wireshark, after rebooting:


Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Symbols\*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols\*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff800`0ce07000 PsLoadedModuleList = 0xfffff800`0d0e0850
Debug session time: Tue Jul 28 16:30:31.391 2015 (UTC + 1:00)
System Uptime: 0 days 0:07:03.265
Loading Kernel Symbols
................

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

...............................................
................................................................
..........................Page 110aba not present in the dump file. Type ".hh dbgerr004" for details
..Page 122ed4 not present in the dump file. Type ".hh dbgerr004" for details
..................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff7`093db018).  Type ".hh dbgerr001" for details
Loading unloaded module list
....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1200, 117ec1, ffffe0015aeeaec8}

unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
Probably caused by : NETIO.SYS ( NETIO!NetioCompleteCloneNetBufferListChain+1508d )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001200, (reserved)
Arg3: 0000000000117ec1, Memory contents of the pool block
Arg4: ffffe0015aeeaec8, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  ffffe0015aeeaec8 

FREED_POOL_TAG:  NDnd

BUGCHECK_STR:  0xc2_7_NDnd

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff8000d0abff2 to fffff8000cf57ca0

STACK_TEXT:  
ffffd000`9bba4ba8 fffff800`0d0abff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`00117ec1 : nt!KeBugCheckEx
ffffd000`9bba4bb0 fffff801`14a2f83d : 00000000`00000000 ffffe001`5a593040 000008fe`00000010 00000014`00000011 : nt!ExAllocatePoolWithTag+0x1102
ffffd000`9bba4ca0 fffff801`14a013f1 : 00000000`00000000 ffffe001`59b5b600 00000000`00000000 00000000`00000000 : NETIO!NetioCompleteCloneNetBufferListChain+0x1508d
ffffd000`9bba4d10 fffff801`14d2bc18 : fffff801`14a66228 00000000`00000001 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2d1
ffffd000`9bba4db0 fffff801`14d0118c : ffffe001`5de21fcc 00000000`0000a567 00000000`00000000 00000000`00000000 : tcpip!TcpFlushDelay+0x88
ffffd000`9bba4e60 fffff801`14d36f9f : ffffe001`5a527d80 ffffd000`9bba350b ffffd000`9bba81c1 ffffe001`5a4f81c1 : tcpip!TcpPreValidatedReceive+0x3cc
ffffd000`9bba4f60 fffff801`14d33143 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppDeliverListToProtocol+0x4f
ffffd000`9bba5020 fffff801`14d31525 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`9bba5128 : tcpip!IppProcessDeliverList+0x63
ffffd000`9bba50c0 fffff801`14ce9c9d : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`9bba52d8 : tcpip!IppReceiveHeaderBatch+0x235
ffffd000`9bba51f0 fffff801`14ce91cc : ffffd000`9bba5300 00000000`00000000 ffffe001`5cdfa540 ffffd000`9bba5440 : tcpip!IppLoopbackIndicatePackets+0x39d
ffffd000`9bba52d0 fffff801`14d06eb8 : ffffe001`59e84600 346dc5d6`38865900 ffffd000`9bba5500 00000000`00000000 : tcpip!IppLoopbackEnqueue+0x3dc
ffffd000`9bba5400 fffff801`14d06389 : fffff801`14e81180 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppDispatchSendPacketHelper+0x398
ffffd000`9bba5590 fffff801`14d0491e : ffff0014`00000001 ffffe001`5a4bc568 00000000`00000002 ffffd000`9bba59e0 : tcpip!IppPacketizeDatagrams+0x2d9
ffffd000`9bba5730 fffff801`14d09ab7 : fffff801`14cca4f0 00000000`00000007 fffff801`14e81180 ffffe001`5c76f8c0 : tcpip!IppSendDatagramsCommon+0x49e
ffffd000`9bba5910 fffff801`14cff435 : ffffd000`9bba5cf2 00000000`00000000 ffffe001`5caff550 ffffd000`9bba5f90 : tcpip!TcpTcbSend+0x55b
ffffd000`9bba5c60 fffff801`14cff07c : 00000000`0000a567 ffffe001`5c76f8c0 ffffd000`9bba5cf1 ffffd000`9bba5f00 : tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0xa5
ffffd000`9bba5c90 fffff801`14cff538 : ffffc001`5b0b1b02 00000000`00000000 ffffe001`5dbf5100 00000000`0ce5a000 : tcpip!TcpEnqueueTcbSend+0x2ac
ffffd000`9bba5d90 fffff800`0ce79703 : ffffe001`5dbf51e0 fffff801`14cff7f6 fffff801`14cff510 ffffd000`9bba5e50 : tcpip!TcpTlConnectionSendCalloutRoutine+0x28
ffffd000`9bba5e10 fffff801`14cff7f6 : fffff801`14cff510 ffffd000`9bba5f30 ffffc001`5b0b1e00 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0xf3
ffffd000`9bba5f00 fffff801`15402ecf : ffffe001`5dbf51e0 ffffe001`59f3c4c0 00000000`00000000 ffffe001`5db660c0 : tcpip!TcpTlConnectionSend+0x76
ffffd000`9bba5f70 fffff801`184e7860 : ffffe001`5c7b9cb0 00000000`00000002 ffffe001`5db660c0 ffffe001`5c75b050 : afd!WskProIRPSend+0xbf
ffffd000`9bba5fe0 fffff801`184e647c : 00000000`ffffffff ffffe001`59fc96f8 00000580`00000000 fffffa80`001ca790 : HTTP!UxTlInitiateSend+0x1e0
ffffd000`9bba60a0 fffff801`1855b0ea : ffffe001`59fc96f8 00000000`00000000 00000000`00000001 00000000`00000000 : HTTP!UxpTpFastTransmit+0x19c
ffffd000`9bba6140 fffff801`184e7cad : ffffe001`59fc9420 fffff801`184e64ff 00000000`00000000 ffffe001`58ef53b0 : HTTP!UxTpTransmitPacket+0xba
ffffd000`9bba61e0 fffff801`18559bbf : 00000000`00000000 00000000`00000000 fffff801`18536ae0 ffffe001`58ef53b0 : HTTP!UlSendData+0xdd
ffffd000`9bba6270 fffff801`18574a7f : 00000000`00000000 fffff801`18536ae0 ffffe001`5a211850 ffffe001`5a211850 : HTTP!UlFastSendHttpResponse+0x1765
ffffd000`9bba6500 fffff801`184e42b8 : 00000000`00124043 fffff801`1854c180 00000000`00000020 ffffe001`5a2119f8 : HTTP!UlSendEntityBodyIoctl+0xd2f
ffffd000`9bba6840 fffff800`0d22c77f : 00000000`00000000 ffffd000`9bba6b80 ffffe001`5a211850 00000000`00000004 : HTTP!UlDeviceControl+0x78
ffffd000`9bba6880 fffff800`0d22bd22 : ffffd000`9bba6a38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`9bba6a20 fffff800`0cf634b3 : ffffe001`58edf080 00000000`001f0003 00000031`01acf0f8 00000000`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`9bba6a90 00007ff8`24c3123a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000031`01ace928 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`24c3123a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NetioCompleteCloneNetBufferListChain+1508d
fffff801`14a2f83d 90              nop

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  NETIO!NetioCompleteCloneNetBufferListChain+1508d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  540ebbe6

BUCKET_ID_FUNC_OFFSET:  1508d

FAILURE_BUCKET_ID:  0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain

BUCKET_ID:  0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc2_7_ndnd_netio!netiocompleteclonenetbufferlistchain

FAILURE_ID_HASH:  {ec09700b-3916-f849-b5d5-75c2ba7b02db}

Followup: MachineOwner
---------

Sadly, this dump has overwritten my last one (which I didn't get chance to back-up), but it seems to be one of the clearest expressions of the BAD_POOL_CALLER error that I've seen, on this machine (at least after removing a bunch of other software that also intimately hooked into WinSock).

Tyson.

2015-08-01 23:12 GMT+01:00 Tyson Key <tyson.key@xxxxxxxxx>:
Oops, it seems that I did all of that testing, against the wrong version (a 0.01 build, instead of 0.03) - but still, some of this info maybe useful :(

Tyson.

2015-08-01 22:48 GMT+01:00 Tyson Key <tyson.key@xxxxxxxxx>:
Aah, if I disable using the .NET Reference Source Symbol Service, and restart WinDBG, I can receive the following information:


Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Symbols\*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols\*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff800`0ce07000 PsLoadedModuleList = 0xfffff800`0d0e0850
Debug session time: Tue Jul 28 16:30:31.391 2015 (UTC + 1:00)
System Uptime: 0 days 0:07:03.265
Loading Kernel Symbols
...............................................................
................................................................
..........................Page 110aba not present in the dump file. Type ".hh dbgerr004" for details
..Page 122ed4 not present in the dump file. Type ".hh dbgerr004" for details
..................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff7`093db018).  Type ".hh dbgerr001" for details
Loading unloaded module list
....................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1200, 117ec1, ffffe0015aeeaec8}

unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
Probably caused by : NETIO.SYS ( NETIO!NetioCompleteCloneNetBufferListChain+1508d )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 0000000000000007, Attempt to free pool which was already freed
Arg2: 0000000000001200, (reserved)
Arg3: 0000000000117ec1, Memory contents of the pool block
Arg4: ffffe0015aeeaec8, Address of the block of pool being deallocated

Debugging Details:
------------------


POOL_ADDRESS:  ffffe0015aeeaec8 

FREED_POOL_TAG:  NDnd

BUGCHECK_STR:  0xc2_7_NDnd

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  2

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff8000d0abff2 to fffff8000cf57ca0

STACK_TEXT:  
ffffd000`9bba4ba8 fffff800`0d0abff2 : 00000000`000000c2 00000000`00000007 00000000`00001200 00000000`00117ec1 : nt!KeBugCheckEx
ffffd000`9bba4bb0 fffff801`14a2f83d : 00000000`00000000 ffffe001`5a593040 000008fe`00000010 00000014`00000011 : nt!ExAllocatePoolWithTag+0x1102
ffffd000`9bba4ca0 fffff801`14a013f1 : 00000000`00000000 ffffe001`59b5b600 00000000`00000000 00000000`00000000 : NETIO!NetioCompleteCloneNetBufferListChain+0x1508d
ffffd000`9bba4d10 fffff801`14d2bc18 : fffff801`14a66228 00000000`00000001 00000000`00000000 00000000`00000000 : NETIO!NetioDereferenceNetBufferListChain+0x2d1
ffffd000`9bba4db0 fffff801`14d0118c : ffffe001`5de21fcc 00000000`0000a567 00000000`00000000 00000000`00000000 : tcpip!TcpFlushDelay+0x88
ffffd000`9bba4e60 fffff801`14d36f9f : ffffe001`5a527d80 ffffd000`9bba350b ffffd000`9bba81c1 ffffe001`5a4f81c1 : tcpip!TcpPreValidatedReceive+0x3cc
ffffd000`9bba4f60 fffff801`14d33143 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppDeliverListToProtocol+0x4f
ffffd000`9bba5020 fffff801`14d31525 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`9bba5128 : tcpip!IppProcessDeliverList+0x63
ffffd000`9bba50c0 fffff801`14ce9c9d : 00000000`00000000 00000000`00000000 00000000`00000000 ffffd000`9bba52d8 : tcpip!IppReceiveHeaderBatch+0x235
ffffd000`9bba51f0 fffff801`14ce91cc : ffffd000`9bba5300 00000000`00000000 ffffe001`5cdfa540 ffffd000`9bba5440 : tcpip!IppLoopbackIndicatePackets+0x39d
ffffd000`9bba52d0 fffff801`14d06eb8 : ffffe001`59e84600 346dc5d6`38865900 ffffd000`9bba5500 00000000`00000000 : tcpip!IppLoopbackEnqueue+0x3dc
ffffd000`9bba5400 fffff801`14d06389 : fffff801`14e81180 00000000`00000000 00000000`00000000 00000000`00000000 : tcpip!IppDispatchSendPacketHelper+0x398
ffffd000`9bba5590 fffff801`14d0491e : ffff0014`00000001 ffffe001`5a4bc568 00000000`00000002 ffffd000`9bba59e0 : tcpip!IppPacketizeDatagrams+0x2d9
ffffd000`9bba5730 fffff801`14d09ab7 : fffff801`14cca4f0 00000000`00000007 fffff801`14e81180 ffffe001`5c76f8c0 : tcpip!IppSendDatagramsCommon+0x49e
ffffd000`9bba5910 fffff801`14cff435 : ffffd000`9bba5cf2 00000000`00000000 ffffe001`5caff550 ffffd000`9bba5f90 : tcpip!TcpTcbSend+0x55b
ffffd000`9bba5c60 fffff801`14cff07c : 00000000`0000a567 ffffe001`5c76f8c0 ffffd000`9bba5cf1 ffffd000`9bba5f00 : tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0xa5
ffffd000`9bba5c90 fffff801`14cff538 : ffffc001`5b0b1b02 00000000`00000000 ffffe001`5dbf5100 00000000`0ce5a000 : tcpip!TcpEnqueueTcbSend+0x2ac
ffffd000`9bba5d90 fffff800`0ce79703 : ffffe001`5dbf51e0 fffff801`14cff7f6 fffff801`14cff510 ffffd000`9bba5e50 : tcpip!TcpTlConnectionSendCalloutRoutine+0x28
ffffd000`9bba5e10 fffff801`14cff7f6 : fffff801`14cff510 ffffd000`9bba5f30 ffffc001`5b0b1e00 00000000`00000000 : nt!KeExpandKernelStackAndCalloutInternal+0xf3
ffffd000`9bba5f00 fffff801`15402ecf : ffffe001`5dbf51e0 ffffe001`59f3c4c0 00000000`00000000 ffffe001`5db660c0 : tcpip!TcpTlConnectionSend+0x76
ffffd000`9bba5f70 fffff801`184e7860 : ffffe001`5c7b9cb0 00000000`00000002 ffffe001`5db660c0 ffffe001`5c75b050 : afd!WskProIRPSend+0xbf
ffffd000`9bba5fe0 fffff801`184e647c : 00000000`ffffffff ffffe001`59fc96f8 00000580`00000000 fffffa80`001ca790 : HTTP!UxTlInitiateSend+0x1e0
ffffd000`9bba60a0 fffff801`1855b0ea : ffffe001`59fc96f8 00000000`00000000 00000000`00000001 00000000`00000000 : HTTP!UxpTpFastTransmit+0x19c
ffffd000`9bba6140 fffff801`184e7cad : ffffe001`59fc9420 fffff801`184e64ff 00000000`00000000 ffffe001`58ef53b0 : HTTP!UxTpTransmitPacket+0xba
ffffd000`9bba61e0 fffff801`18559bbf : 00000000`00000000 00000000`00000000 fffff801`18536ae0 ffffe001`58ef53b0 : HTTP!UlSendData+0xdd
ffffd000`9bba6270 fffff801`18574a7f : 00000000`00000000 fffff801`18536ae0 ffffe001`5a211850 ffffe001`5a211850 : HTTP!UlFastSendHttpResponse+0x1765
ffffd000`9bba6500 fffff801`184e42b8 : 00000000`00124043 fffff801`1854c180 00000000`00000020 ffffe001`5a2119f8 : HTTP!UlSendEntityBodyIoctl+0xd2f
ffffd000`9bba6840 fffff800`0d22c77f : 00000000`00000000 ffffd000`9bba6b80 ffffe001`5a211850 00000000`00000004 : HTTP!UlDeviceControl+0x78
ffffd000`9bba6880 fffff800`0d22bd22 : ffffd000`9bba6a38 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xa4f
ffffd000`9bba6a20 fffff800`0cf634b3 : ffffe001`58edf080 00000000`001f0003 00000031`01acf0f8 00000000`00000001 : nt!NtDeviceIoControlFile+0x56
ffffd000`9bba6a90 00007ff8`24c3123a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000031`01ace928 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ff8`24c3123a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
NETIO!NetioCompleteCloneNetBufferListChain+1508d
fffff801`14a2f83d 90              nop

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  NETIO!NetioCompleteCloneNetBufferListChain+1508d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: NETIO

IMAGE_NAME:  NETIO.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  540ebbe6

BUCKET_ID_FUNC_OFFSET:  1508d

FAILURE_BUCKET_ID:  0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain

BUCKET_ID:  0xc2_7_NDnd_NETIO!NetioCompleteCloneNetBufferListChain

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc2_7_ndnd_netio!netiocompleteclonenetbufferlistchain

FAILURE_ID_HASH:  {ec09700b-3916-f849-b5d5-75c2ba7b02db}

Followup: MachineOwner
---------

This seems a lot more useful, I think...

Tyson.

2015-08-01 22:43 GMT+01:00 Tyson Key <tyson.key@xxxxxxxxx>:
Hi Yang,

This is something of an anti-climax, after doing the post-mortem (I waited a long time to receive this BSoD! :(), but the means of triggering it are really interesting; and I managed to crash Wireshark itself, before I was able to restart it, and do another trace...

I was trying to use Linn Kinsky to play some music via UPnP, on a Raspberry Pi running upmpdcli; and noticed that Asset UPnP (my media streaming server) wasn't being detected as a source in Kinsky, despite the upmpdcli being detected as a "Room"/sink for media playback (due to some problems with multicast traffic, and local unicast server traffic being incorrectly passed into the NPCap Loopback Adapter, instead of my WLAN adapter). 

So whilst Wireshark was still happily capturing packets (as it had been, for about an hour), I decided to use "Play To" in Windows Media Player, to send/stream an AAC file - which worked, although oddly, I couldn't see all of the traffic between WMP, and upmpdcli, despite capturing on all interfaces at once, after doing diagnostic on my WLAN, a few times; so I started saving the trace, and tried to start a new one. At this stage, Wireshark crashed; and I ended up restarting it, whilst the media was still streaming (and I could now see the HTTP traffic between the two UPnP implementations) - but about 20 minutes later, I received a long-awaited BSoD...

WinDBG only seems to give me the following information, which suggests that I may have a problem with some symbol files:


Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Symbols\*http://msdl.microsoft.com/download/symbols*http://referencesource.microsoft.com/symbols
Executable search path is: 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe - 
Windows 8 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.17736.amd64fre.winblue_r9.150322-1500
Machine Name:
Kernel base = 0xfffff800`0ce07000 PsLoadedModuleList = 0xfffff800`0d0e0850
Debug session time: Tue Jul 28 16:30:31.391 2015 (UTC + 1:00)
System Uptime: 0 days 0:07:03.265
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlmp.exe - 
Loading Kernel Symbols
...............

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

................................................
................................................................
..........................Page 110aba not present in the dump file. Type ".hh dbgerr004" for details
..Page 122ed4 not present in the dump file. Type ".hh dbgerr004" for details
..................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00007ff7`093db018).  Type ".hh dbgerr001" for details
Loading unloaded module list
....................

************* Symbol Loading Error Summary **************
Module name            Error
ntkrnlmp               The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C2, {7, 1200, 117ec1, ffffe0015aeeaec8}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for NETIO.SYS - 
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
*** ERROR: Module load completed but symbols could not be loaded for afd.sys
*** ERROR: Module load completed but symbols could not be loaded for HTTP.sys
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!PVOID                                      ***
***                                                                   ***
*************************************************************************
unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_POOL_HEADER                               ***
***                                                                   ***
*************************************************************************
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_POOL_HEADER                               ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_POOL_TRACKER_BIG_PAGES                    ***
***                                                                   ***
*************************************************************************
Cannot get _POOL_TRACKER_BIG_PAGES type size
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
Probably caused by : NETIO.SYS ( NETIO!KfdQueryLayerStats+2049 )

Followup: MachineOwner
---------

I'm going to retry analysis with "unqualified symbols" enabled - but I thought that I already had all of these symbols installed (for both System32, and SysWoW64), although maybe they became corrupted during installation?
 
As for the VMware Player issues, I noticed this, in the Event Log:

The application (VMware Player, from vendor VMware, Inc.) has the following problem: To function properly, VMware Player must be reinstalled after you upgrade Windows.

Since I don't have VMware's proprietary symbols, I only get this information from its coredump - but it may still be interesting...

Microsoft (R) Windows Debugger Version 6.3.9600.17336 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\tyson_000\AppData\Local\Temp\vmware-tyson_000\vmplayer-10248.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Symbols\*http://msdl.microsoft.com/download/symbols*http://referencesource.microsoft.com/symbols
Executable search path is: 
Windows 8 Version 9600 MP (4 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS Personal
Built by: 6.3.9600.17031 (winblue_gdr.140221-1952)
Machine Name:
Debug session time: Sat Aug  1 21:51:12.000 2015 (UTC + 1:00)
System Uptime: not available
Process Uptime: 0 days 0:00:22.000
................................................................
................................................................
.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(2808.2818): Unknown exception - code cafebabe (first/second chance not available)
*** WARNING: Unable to verify timestamp for ntdll.dll
*** ERROR: Module load completed but symbols could not be loaded for ntdll.dll
eax=00000000 ebx=05262c20 ecx=00000000 edx=00000000 esi=05262bd8 edi=05262be8
eip=76fad28c esp=0734a34c ebp=0734a358 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll+0x3d28c:
76fad28c c20800          ret     8
0:014> .excr
           ^ Syntax error in '.excr'
0:014> !verify
No export verify found
0:014> !validate
No export validate found
0:014> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify timestamp for kernel32.dll
*** ERROR: Module load completed but symbols could not be loaded for kernel32.dll
***** OS symbols are WRONG. Please fix symbols to do analysis.

Unable to load image C:\Windows\System32\KERNELBASE.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for KERNELBASE.dll
*** ERROR: Module load completed but symbols could not be loaded for KERNELBASE.dll
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Either you specified an unqualified symbol, or your debugger   ***
***    doesn't have full symbol information.  Unqualified symbol      ***
***    resolution is turned off by default. Please either specify a   ***
***    fully qualified symbol module!symbolname, or enable resolution ***
***    of unqualified symbols by typing ".symopt- 100". Note that   ***
***    enabling unqualified symbol resolution with network symbol     ***
***    server shares in the symbol path may cause the debugger to     ***
***    appear to hang for long periods of time when an incorrect      ***
***    symbol name is typed or the network symbol server is down.     ***
***                                                                   ***
***    For some commands to work properly, your symbol path           ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!IMAGE_NT_HEADERS32                         ***
***                                                                   ***
*************************************************************************
Unable to load image C:\Windows\System32\user32.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for user32.dll
*** ERROR: Module load completed but symbols could not be loaded for user32.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmplayer.exe - 
Unable to load image C:\Windows\System32\ole32.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ole32.dll
*** ERROR: Module load completed but symbols could not be loaded for ole32.dll

************* Symbol Loading Error Summary **************
Module name            Error
ole32                  PDB not found : srv*c:\symbols\*http://msdl.microsoft.com/download/symbols*http://referencesource.microsoft.com/symbols

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
Unable to load image C:\Windows\System32\combase.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for combase.dll
*** ERROR: Module load completed but symbols could not be loaded for combase.dll

************* Symbol Loading Error Summary **************
Module name            Error
combase                PDB not found : srv*c:\symbols\*http://msdl.microsoft.com/download/symbols*http://referencesource.microsoft.com/symbols

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for GdiPlus.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for nuragoLSPService.DLL - 
*** WARNING: Unable to verify timestamp for ws2_32.dll
*** ERROR: Module load completed but symbols could not be loaded for ws2_32.dll
*** WARNING: Unable to verify timestamp for mswsock.dll
*** ERROR: Module load completed but symbols could not be loaded for mswsock.dll

FAULTING_IP: 
KERNELBASE+14598
76a14598 8b4c2454        mov     ecx,dword ptr [esp+54h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 76a14598 (KERNELBASE+0x00014598)
   ExceptionCode: cafebabe
  ExceptionFlags: 00000000
NumberParameters: 0

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=05262c20 ecx=00000000 edx=00000000 esi=05262bd8 edi=05262be8
eip=76fad28c esp=0734a34c ebp=0734a358 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll+0x3d28c:
76fad28c c20800          ret     8

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

PROCESS_NAME:  vmplayer.exe

ADDITIONAL_DEBUG_TEXT:  
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

FAULTING_MODULE: 76f70000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  558b015c

ERROR_CODE: (NTSTATUS) 0xcafebabe - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xcafebabe - <Unable to get error code text>

APP:  vmplayer.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from 6e2ed56a to 6e2ca092

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0734b0d0 6e2ed56a 0734f83b 04693798 5f544f4e vmwarebase!Ordinal478+0xc12
0734b4e0 6e2ed5b0 6e58c6fc 0734b4fc 0734f84c vmwarebase!Ordinal1473+0xea
0734b4f0 6e373e96 6e58c6fc 6e5d1aa4 00000f2e vmwarebase!Ordinal3+0x10
0734f84c 76807c04 04693798 76807be0 614f3b9d vmwarebase!Ordinal1438+0x2fa6
0734f860 76fcad1f 04693798 60d8b8da 00000000 kernel32+0x17c04
0734f8a8 76fcacea ffffffff 76fb021c 00000000 ntdll+0x5ad1f
0734f8b8 00000000 6e373bf0 04693798 00000000 ntdll+0x5acea


FOLLOWUP_IP: 
vmwarebase!Ordinal478+c12
6e2ca092 8f8570fdffff    pop     dword ptr [ebp-290h]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  vmwarebase!Ordinal478+c12

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vmwarebase

IMAGE_NAME:  vmwarebase.DLL

STACK_COMMAND:  ~14s; .ecxr ; kb

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_cafebabe_vmwarebase.DLL!Ordinal478

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:wrong_symbols_cafebabe_vmwarebase.dll!ordinal478

FAILURE_ID_HASH:  {e43078e2-dbb2-d9e8-8a03-1b6323ba8806}

Followup: MachineOwner
---------

0:014> .symfix; .reload
................................................................
................................................................
.
0:014> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for vmplayer.exe - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for nuragoLSPService.DLL - 

FAULTING_IP: 
KERNELBASE!RaiseException+48
76a14598 8b4c2454        mov     ecx,dword ptr [esp+54h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 76a14598 (KERNELBASE!RaiseException+0x00000048)
   ExceptionCode: cafebabe
  ExceptionFlags: 00000000
NumberParameters: 0

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=00000000 ebx=05262c20 ecx=00000000 edx=00000000 esi=05262bd8 edi=05262be8
eip=76fad28c esp=0734a34c ebp=0734a358 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!NtGetContextThread+0xc:
76fad28c c20800          ret     8

DEFAULT_BUCKET_ID:  APPLICATION_FAULT

PROCESS_NAME:  vmplayer.exe

ERROR_CODE: (NTSTATUS) 0xcafebabe - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xcafebabe - <Unable to get error code text>

APPLICATION_VERIFIER_FLAGS:  0

APP:  vmplayer.exe

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

FAULTING_THREAD:  00002818

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

BUGCHECK_STR:  APPLICATION_FAULT_APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 6e2ed56a to 6e2ca092

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0734b0d0 6e2ed56a 0734f83b 04693798 5f544f4e vmwarebase!Ordinal478+0xc12
0734b4e0 6e2ed5b0 6e58c6fc 0734b4fc 0734f84c vmwarebase!Ordinal1473+0xea
0734b4f0 6e373e96 6e58c6fc 6e5d1aa4 00000f2e vmwarebase!Ordinal3+0x10
0734f84c 76807c04 04693798 76807be0 614f3b9d vmwarebase!Ordinal1438+0x2fa6
0734f860 76fcad1f 04693798 60d8b8da 00000000 kernel32!BaseThreadInitThunk+0x24
0734f8a8 76fcacea ffffffff 76fb021c 00000000 ntdll!__RtlUserThreadStart+0x2f
0734f8b8 00000000 6e373bf0 04693798 00000000 ntdll!_RtlUserThreadStart+0x1b


FOLLOWUP_IP: 
vmwarebase!Ordinal478+c12
6e2ca092 8f8570fdffff    pop     dword ptr [ebp-290h]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  vmwarebase!Ordinal478+c12

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vmwarebase

IMAGE_NAME:  vmwarebase.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  558b015c

STACK_COMMAND:  ~14s; .ecxr ; kb

FAILURE_BUCKET_ID:  APPLICATION_FAULT_cafebabe_vmwarebase.DLL!Ordinal478

BUCKET_ID:  APPLICATION_FAULT_APPLICATION_FAULT_vmwarebase!Ordinal478+c12

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:application_fault_cafebabe_vmwarebase.dll!ordinal478

FAILURE_ID_HASH:  {9a30121c-2058-3ec3-2830-959a8e02a5af}

Followup: MachineOwner
---------

I hope that helps,

Tyson.

2015-08-01 21:20 GMT+01:00 Tyson Key <tyson.key@xxxxxxxxx>:
As for the loss of connectivity, Event Viewer just says:

Details about network adapter diagnosis: 

Network adapter Wi-Fi driver information:

   Description . . . . . . . . . . : Qualcomm Atheros AR9485WB-EG Wireless Network Adapter
   Manufacturer  . . . . . . . . . : Qualcomm Atheros Communications Inc.
   Provider  . . . . . . . . . . . : Qualcomm Atheros Communications Inc.
   Version   . . . . . . . . . . . : 10.0.0.242
   Inf File Name . . . . . . . . . : C:\WINDOWS\INF\oem14.inf
   Inf File Date . . . . . . . . . : Friday, March 29, 2013  3:07:20 AM
   Section Name  . . . . . . . . . : ATHR_DEV_OS61_321817AA.ndi
   Hardware ID . . . . . . . . . . : pci\ven_168c&dev_0032&subsys_321817aa
   Instance Status Flags . . . . . : 0x180200a
   Device Manager Status Code  . . : 0
   IfType  . . . . . . . . . . . . : 71
   Physical Media Type . . . . . . : 9

Details about wireless connectivity diagnosis: 

Information for connection being diagnosed
 Interface GUID: 125860e2-8019-475a-806c-2d553e9e8c8c
 Interface name: Qualcomm Atheros AR9485WB-EG Wireless Network Adapter
 Interface type: Native WiFi

Connection incident diagnosed
 Auto Configuration ID: 1
 Connection ID: 1

Connection status summary
 Connection started at: 2015-08-01 20:44:24-417
 Profile match: Success
 Pre-Association: Success
 Association: Success
 Security and Authentication: Success

List of visible access point(s): 6 item(s) total, 6 item(s) displayed
        BSSID BSS Type PHY Signal(dB) Chnl/freq    SSID
-------------------------------------------------------------------------
54-A5-1B-FA-0C-B0 Infra <unknown> -91 1 TALKTALK-FA0CA8
58-98-35-C1-56-4B Infra <unknown> -93 1 JohnLewisWirelessC1564B
C4-3D-C7-BF-6F-8E Infra g -70 6 Da
...

[Message clipped]  
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe