clouddark
Hi,
I found that my laptop PC keeps rebooting unexpectedly. From Event Viewer, I see the following message:
The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x000000000000006b, 0x0000000000000002, 0x0000000000000000, 0xfffff880048cdc5f). A dump was saved in: C:\windows\MEMORY.DMP. Report Id: 080719-27362-01.
I provided the memory.dmp to a Microsoft online support engineer; they gave me an output and suggested that I post here for help. Is there anyone who can help me take a look?
Output from the Microsoft online support engineer:
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\svenw\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\Symbols*Symbol information
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.24214.amd64fre.win7sp1_ldr_escrow.180801-1700
Machine Name:
Kernel base = 0xfffff800`04002000 PsLoadedModuleList = 0xfffff800`0423cc90
Debug session time: Wed Aug 7 16:04:31.628 2019 (UTC + 8:00)
System Uptime: 0 days 6:27:04.009
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.............
Loading User Symbols
Loading unloaded module list
.................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck D1, {6b, 2, 0, fffff880048cdc5f}
*** ERROR: Module load completed but symbols could not be loaded for klim6.sys
Probably caused by : klim6.sys ( klim6+2c5f )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000006b, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff880048cdc5f, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 000000000000006b
CURRENT_IRQL: 2
FAULTING_IP:
klim6+2c5f
fffff880`048cdc5f 488b5168 mov rdx,qword ptr [rcx+68h]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: fffff80005c37230 -- (.trap 0xfffff80005c37230)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa800b92d370 rbx=0000000000000000 rcx=0000000000000003
rdx=fffffa80094c0c20 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880048cdc5f rsp=fffff80005c373c8 rbp=fffff80005c374e0
r8=fffffa80094c0c20 r9=0000000000000000 r10=fffff800041e8060
r11=fffff80005c37400 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe nc
klim6+0x2c5f:
fffff880`048cdc5f 488b5168 mov rdx,qword ptr [rcx+68h] ds:a018:006b=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800040a3d69 to fffff800040959a0
STACK_TEXT:
fffff800`05c370e8 fffff800`040a3d69 : 00000000`0000000a 00000000`0000006b 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`05c370f0 fffff800`040a1b88 : 00000000`00000000 00000000`0000006b 00000000`00000f00 fffffa80`0b92d360 : nt!KiBugCheckDispatch+0x69
fffff800`05c37230 fffff880`048cdc5f : fffff800`05c374e0 00000000`00000029 fffff880`048cdc48 00000000`00000010 : nt!KiPageFault+0x448
fffff800`05c373c8 fffffa80`094c0c40 : 00000000`00000003 fffffa80`094c0c20 fffffa80`094c0c20 00000000`00000000 : klim6+0x2c5f
fffff800`05c37408 00000000`00000003 : fffffa80`094c0c20 fffffa80`094c0c20 00000000`00000000 fffff880`04995e14 : 0xfffffa80`094c0c40
fffff800`05c37410 fffffa80`094c0c20 : fffffa80`094c0c20 00000000`00000000 fffff880`04995e14 fffffa80`08774840 : 0x3
fffff800`05c37418 fffffa80`094c0c20 : 00000000`00000000 fffff880`04995e14 fffffa80`08774840 fffff880`0498a458 : 0xfffffa80`094c0c20
fffff800`05c37420 00000000`00000000 : fffff880`04995e14 fffffa80`08774840 fffff880`0498a458 fffffa80`0b92d360 : 0xfffffa80`094c0c20
STACK_COMMAND: kb
FOLLOWUP_IP:
klim6+2c5f
fffff880`048cdc5f 488b5168 mov rdx,qword ptr [rcx+68h]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: klim6+2c5f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: klim6
IMAGE_NAME: klim6.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57bc28a4
FAILURE_BUCKET_ID: X64_0xD1_klim6+2c5f
BUCKET_ID: X64_0xD1_klim6+2c5f
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000006b, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff880048cdc5f, address which referenced memory
Debugging Details:
------------------
READ_ADDRESS: 000000000000006b
CURRENT_IRQL: 2
FAULTING_IP:
klim6+2c5f
fffff880`048cdc5f 488b5168 mov rdx,qword ptr [rcx+68h]
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
TRAP_FRAME: fffff80005c37230 -- (.trap 0xfffff80005c37230)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa800b92d370 rbx=0000000000000000 rcx=0000000000000003
rdx=fffffa80094c0c20 rsi=0000000000000000 rdi=0000000000000000
rip=fffff880048cdc5f rsp=fffff80005c373c8 rbp=fffff80005c374e0
r8=fffffa80094c0c20 r9=0000000000000000 r10=fffff800041e8060
r11=fffff80005c37400 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe nc
klim6+0x2c5f:
fffff880`048cdc5f 488b5168 mov rdx,qword ptr [rcx+68h] ds:a018:006b=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800040a3d69 to fffff800040959a0
STACK_TEXT:
fffff800`05c370e8 fffff800`040a3d69 : 00000000`0000000a 00000000`0000006b 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`05c370f0 fffff800`040a1b88 : 00000000`00000000 00000000`0000006b 00000000`00000f00 fffffa80`0b92d360 : nt!KiBugCheckDispatch+0x69
fffff800`05c37230 fffff880`048cdc5f : fffff800`05c374e0 00000000`00000029 fffff880`048cdc48 00000000`00000010 : nt!KiPageFault+0x448
fffff800`05c373c8 fffffa80`094c0c40 : 00000000`00000003 fffffa80`094c0c20 fffffa80`094c0c20 00000000`00000000 : klim6+0x2c5f
fffff800`05c37408 00000000`00000003 : fffffa80`094c0c20 fffffa80`094c0c20 00000000`00000000 fffff880`04995e14 : 0xfffffa80`094c0c40
fffff800`05c37410 fffffa80`094c0c20 : fffffa80`094c0c20 00000000`00000000 fffff880`04995e14 fffffa80`08774840 : 0x3
fffff800`05c37418 fffffa80`094c0c20 : 00000000`00000000 fffff880`04995e14 fffffa80`08774840 fffff880`0498a458 : 0xfffffa80`094c0c20
fffff800`05c37420 00000000`00000000 : fffff880`04995e14 fffffa80`08774840 fffff880`0498a458 fffffa80`0b92d360 : 0xfffffa80`094c0c20
STACK_COMMAND: kb
FOLLOWUP_IP:
klim6+2c5f
fffff880`048cdc5f 488b5168 mov rdx,qword ptr [rcx+68h]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: klim6+2c5f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: klim6
IMAGE_NAME: klim6.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57bc28a4
FAILURE_BUCKET_ID: X64_0xD1_klim6+2c5f
BUCKET_ID: X64_0xD1_klim6+2c5f
Followup: MachineOwner
---------
0: kd> lmvm klim6
start end module name
fffff880`048cb000 fffff880`048d7000 klim6 (no symbols)
Loaded symbol image file: klim6.sys
Image path: \SystemRoot\system32\DRIVERS\klim6.sys
Image name: klim6.sys
Timestamp: Tue Aug 23 18:42:44 2016 (57BC28A4)
CheckSum: 00010078
ImageSize: 0000C000
File version: 13.0.0.5
Product version: 13.0.0.5
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: AO Kaspersky Lab
ProductName: System Interceptors PDK
InternalName: klim6
ProductVersion: 13.0.0.5
FileVersion: 13.0.0.5
FileDescription: Packet Network Filter [fre_wlh_x64]
LegalCopyright: © 2016 AO Kaspersky Lab. All Rights Reserved.
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners