Blue screen wdf01000.sys

Anonymous
2020-05-05T22:50:59+00:00

Please assist.

Recently, I have been receiving random blue screen restarts, displaying the stop code 'wdf01000.sys'. Nothing specific is being run to trigger this code, which makes it difficult to pinpoint.

After researching stop code, I began updating the drivers. Updated all drivers. Blue screen occurred the next day. 

Ran sfc /scan - no issues found.

Ran chkdsk /f /r - rebooted laptop - scan ran - nothing found. System blue screened 4 hours later.

Pulled the following minidump information. Any assistance is greatly appreciated. 

WDF_VIOLATION (10d)

The Kernel-Mode Driver Framework was notified that Windows detected an error in a framework-based driver. In general, the dump file will yield additional information about the driver that caused this bug check.

Arguments:

Arg1: 0000000000000005, A framework object handle of the incorrect type was passed to a framework object method.

Arg2: 0000000000000000, The handle value passed in.

Arg3: 0000000000001024, Reserved.

Arg4: ffff8b85a4f63df0, Reserved.

Debugging Details:


*** WARNING: Unable to verify timestamp for vnwcd.sys

KEY_VALUES_STRING: 1

PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING:  17763.1.amd64fre.rs5_release.180914-1434

SYSTEM_MANUFACTURER:  Dell Inc.

SYSTEM_PRODUCT_NAME:  Latitude 5480

SYSTEM_SKU:  07A7

BIOS_VENDOR:  Dell Inc.

BIOS_VERSION:  1.13.0

BIOS_DATE:  11/12/2018

BASEBOARD_MANUFACTURER:  Dell Inc.

BASEBOARD_PRODUCT:  015DR5

BASEBOARD_VERSION:  A00

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b

DUMP_TYPE:  2

BUGCHECK_P1: 5

BUGCHECK_P2: 0

BUGCHECK_P3: 1024

BUGCHECK_P4: ffff8b85a4f63df0

BUGCHECK_STR:  0x10D_5

CPU_COUNT: 4

CPU_MHZ: 9c0

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 4e

CPU_STEPPING: 3

CPU_MICROCODE: 6,4e,3,0 (F,M,S,R)  SIG: C6'00000000 (cache) C6'00000000 (init)

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXPNP: 1 (!blackboxpnp)

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  edpa.exe

CURRENT_IRQL:  0

ANALYSIS_SESSION_HOST:  STLL138YL6Y2

ANALYSIS_SESSION_TIME:  05-05-2020 16:26:41.0840

ANALYSIS_VERSION: 10.0.18362.1 x86fre

LAST_CONTROL_TRANSFER:  from fffff8090127b407 to fffff8050e5caab0

STACK_TEXT:  

ffffd28a96a77338 fffff8090127b407 : 000000000000010d 0000000000000005 0000000000000000 0000000000001024 : nt!KeBugCheckEx

ffffd28a96a77340 fffff8090123d769 : ffff8b85a80de300 ffffd28a96a77440 0000000000000020 0000747a56662c08 : Wdf01000!FxVerifierBugCheckWorker+0x1f [minkernel\wdf\framework\shared\object\fxverifierbugcheck.cpp @ 68] 

ffffd28a96a77380 fffff8051b9737d9 : ffff8b85a76d0530 fffff8050ea52622 ffff8b85a999d4f0 0000000000000020 : Wdf01000!imp_WdfSpinLockAcquire+0x1b2a9 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 126] 

ffffd28a96a773c0 ffff8b85a76d0530 : fffff8050ea52622 ffff8b85a999d4f0 0000000000000020 0000747a56662c08 : vnwcd+0x37d9

ffffd28a96a773c8 fffff8050ea52622 : ffff8b85a999d4f0 0000000000000020 0000747a56662c08 0000747a59f4e728 : 0xffff8b85`a76d0530

ffffd28a96a773d0 ffff8b85a606f728 : fffff809012b5750 ffff8b85a999d3f0 ffff8b85a60b1940 ffffd28a96a77589 : nt!ObpIncrementHandleCountEx+0x252

ffffd28a96a774e0 fffff809012b5750 : ffff8b85a999d3f0 ffff8b85a60b1940 ffffd28a96a77589 ffff8b85a60b18d0 : 0xffff8b85`a606f728

ffffd28a96a774e8 ffff8b85a999d3f0 : ffff8b85a60b1940 ffffd28a96a77589 ffff8b85a60b18d0 fffff80901229297 : Wdf01000!FxPowerIdleMachine::m_StateTable

ffffd28a96a774f0 ffff8b85a60b1940 : ffffd28a96a77589 ffff8b85a60b18d0 fffff80901229297 ffff8b85a74ea000 : 0xffff8b85`a999d3f0

ffffd28a96a774f8 ffffd28a96a77589 : ffff8b85a60b18d0 fffff80901229297 ffff8b85a74ea000 0000000000000470 : 0xffff8b85`a60b1940

ffffd28a96a77500 ffff8b85a60b18d0 : fffff80901229297 ffff8b85a74ea000 0000000000000470 ffffd28a96a775b1 : 0xffffd28a`96a77589

ffffd28a96a77508 fffff80901229297 : ffff8b85a74ea000 0000000000000470 ffffd28a96a775b1 fffff8050e64c835 : 0xffff8b85`a60b18d0

ffffd28a96a77510 fffff809012274e2 : ffff8b85a60b18d0 ffff8b85a606f500 0000000000000000 fffff8050e51f44b : Wdf01000!FxIoQueue::DispatchEvents+0x617 [minkernel\wdf\framework\shared\irphandlers\io\fxioqueue.cpp @ 3125] 

ffffd28a96a775f0 fffff80901226f8d : ffff8b85a606f5a0 ffff8b85a7f24000 ffff8b85a999d3f0 000000006e657601 : Wdf01000!FxPkgIo::DispatchStep1+0x542 [minkernel\wdf\framework\shared\irphandlers\io\fxpkgio.cpp @ 324] 

ffffd28a96a776b0 fffff80901221b73 : ffff8b85a7f24060 ffff8b85a4d75920 ffff8b85ab556670 0000000000000000 : Wdf01000!FxPkgIo::Dispatch+0x5d [minkernel\wdf\framework\shared\irphandlers\io\fxpkgio.cpp @ 119] 

ffffd28a96a77710 fffff8050e51c3c9 : ffff8b85a4d75920 0000000000000000 0000000000000000 0000000000000002 : Wdf01000!FxDevice::DispatchWithLock+0x113 [minkernel\wdf\framework\shared\core\fxdevice.cpp @ 1430] 

ffffd28a96a77770 fffff8050ea7d911 : ffff8b85a7f24060 0000000000000000 0000000000000000 ffff8b85a4d75920 : nt!IofCallDriver+0x59

ffffd28a96a777b0 fffff8050ea583fc : 0000000000000005 ffff8b85a4d75920 ffffd28a20206f49 ffffd28a96a77b00 : nt!IopSynchronousServiceTail+0x1b1

ffffd28a96a77860 fffff8050e9fce36 : 000000004746f438 0000000000001455 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0xe0c

ffffd28a96a779a0 fffff8050e5dbd05 : ffff8b85a80de080 000000004746f418 ffffd28a96a77a28 0000000000000001 : nt!NtDeviceIoControlFile+0x56

ffffd28a96a77a10 00007ff8cd9ef847 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25

000000004746f3c8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff8`cd9ef847

THREAD_SHA1_HASH_MOD_FUNC:  f3c30c39943180ee1b2862af7e9315f9f99895a1

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  01c7376305d3de77a284d0e7f937f4d61f32f59c

THREAD_SHA1_HASH_MOD:  5e0fe7e7c6803db747095d60f650cb57dc25b4d2

FOLLOWUP_IP: 

vnwcd+37d9

fffff805`1b9737d9 488b17          mov     rdx,qword ptr [rdi]

FAULT_INSTR_CODE:  48178b48

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  vnwcd+37d9

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vnwcd

IMAGE_NAME:  vnwcd.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  597b0106

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  37d9

FAILURE_BUCKET_ID:  0x10D_5_vnwcd!unknown_function

BUCKET_ID:  0x10D_5_vnwcd!unknown_function

PRIMARY_PROBLEM_CLASS:  0x10D_5_vnwcd!unknown_function

TARGET_TIME:  2020-05-05T20:58:05.000Z

OSBUILD:  17763

OSSERVICEPACK:  1158

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  180914-1434

BUILDLAB_STR:  rs5_release

BUILDOSVER_STR:  10.0.17763.1.amd64fre.rs5_release.180914-1434

ANALYSIS_SESSION_ELAPSED_TIME:  e95

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x10d_5_vnwcd!unknown_function

FAILURE_ID_HASH:  {bcd2913c-3919-5832-adc9-15e0bf4c3838}

Followup:     MachineOwner


Locked Question. This question was migrated from the Microsoft Support Community.

Answer accepted by question author
  1. Anonymous
    2020-05-05T23:14:54+00:00

    Hi Ryan, I am Rob, an independent and a 14 time and dual award MVP specializing in Windows troubleshooting and Bluescreen analysis. Please remember as independents we are not responsible for the development of Windows or the computer hardware and drivers. If you will work with me I will be here to help until the issue is resolved.

    The BugCheck is 10D - the main causes are programs and/or drivers.

    The main problems are edpa.exe and vnwcd.sys, which are parts of Norton/Symantec. So I would fully uninstall it and use only Windows Defender. In Windows 8/8.1 & 10 WD is a full antivirus. WD has proven to be a true superstar in both protection and compatibility. Since it will load parts of itself into memory at startup which remain active, you will need to fully remove it and not merely disable it.

    AV-TEST Product Review and Certification Report – Jan-Feb/2020

    https://www.av-test.org/en/antivirus/home-windo...


    Troubleshoot blue screen errors <-- read this link

    http://windows.microsoft.com/en-us/windows-10/t...

    Try removing and reseating all cards, memory, and cables (both ends when possible) - actually remove and replace - do not just snug (on a PC) and clean out the dust bunnies and vents. On a laptop about all that can be done is reseat the memory and clean the vents. (Of course remove ALL power prior to opening the case.)

    ==================================================

    We can analyze the minidumps if you make them available from the OneDrive or other file sharing sites (such as MediaFire). If you have problems uploading the minidumps copy them to the Desktop or the Documents folder and upload them from there.

    One-Drive - Share files and folders and change permissions

    http://windows.microsoft.com/en-us/onedrive/sha...

    Upload photos and files

    http://windows.microsoft.com/en-us/onedrive/add...

    Zip or upload the contents of C:\Windows\minidump

    Use OneDrive to upload collected files

    http://social.technet.microsoft.com/Forums/en-U...

    ==================================================

    This utility makes it easy to see which versions are loaded:

    Run DriverView - set VIEW to Hide Microsoft drivers - update those without Dump in their names (and update BIOS and chipset drivers).

    DriverView - Free - utility displays the list of all device drivers currently loaded on your system. For each driver in the list, additional useful information is displayed: load address of the driver, description, version, product name, company that created the driver, and more.

    http://www.nirsoft.net/utils/driverview.html

    For Drivers check System Maker as fallbacks and Device Maker's which are the most current. Right Click the Start Button - Device Manager - Display Adapter - write down the make and complete model of your video adapter - double click - Driver's tab - write down the version info. Now click Update Driver (this may not do anything as MS is far behind certifying drivers) - then Right Click - Uninstall - REBOOT this will refresh the driver stack.

    Repeat that for Network - Network Card (NIC), Wifi, Sound, Mouse and Keyboard if 3rd party with their own software and drivers and any other major device drivers you have.

    Now go to System Maker's site (Dell, HP, Toshiba as examples) (as rollback) and then Device Maker's site (Realtek, Intel, Nvidia, ATI as examples) and get their latest versions. (Look for BIOS, Chipset, and software updates at System Maker's site while there.)

    Download - SAVE - go to where you put them - Right Click - RUN AS ADMIN - REBOOT after each installation.

    Always check in Device Manager - Drivers tab to be sure the version you are installing actually shows up. This is because some drivers rollback before the latest is installed (sound drivers particularly do this) so install a driver - reboot - check to be sure it is installed and repeat as needed.

    Repeat at Device Makers - BTW at Device Makers DO NOT RUN THEIR SCANNER - check manually by model.

    Manually look at manufacturer's sites for drivers - and Device Maker's sites.

    http://pcsupport.about.com/od/driverssupport/ht...

    ====================================================

    Memory tests do not catch all errors such as mismatched memory (possible even for sticks that appear to be identical) and when faster memory is placed in the system behind slower memory. So it is best to also swap sticks in and out to check for those even if all memory tests fail to show a problem.

    To test RAM check here - let it run 4+ hours or so - over-night is best. <-- best method

    www.memtest.org

    MemTestX86 - Test RAM With

    http://www.tenforums.com/tutorials/14201-memtes...

    For the Windows Memory Diagnostic Tool.

    Type in Cortana's search box -> Windows Memory Diagnostics

    Find at top of the list - click it. In Windows 8/8.1/10 the name is "Windows Memory Diagnostic".

    ================================================

    After doing ALL the updates you can, and if the issue continues, then run Driver Verifier.

    Driver Verifier can help find some BSOD issues :

    Using Driver Verifier to identify issues with Windows drivers for advanced users

    http://support.microsoft.com/kb/244617

    How To Troubleshoot Driver Problems in Windows Vista or 7. (8/8.1 and 10 are essentially the same).

    http://www.winvistaclub.com/t79.html

    Using Driver Verifier

    https://msdn.microsoft.com/en-us/library/window...

    WINKEY + X - RUN - type in -> verifier /reset hit enter to disable

    If Driver Verifier creates a minidump upload it and post the link here so we can analyze it.

    ======

    Running OCCT for Home Use (Free) and Stress Tests may help indicate a cause.

    OCCT - Free for Home use

    https://www.ocbase.com/

    Running Stress Tests might help indicate a cause - use ALL of these.

    PC Stress Test free software for Windows 10

    https://www.thewindowsclub.com/pc-stress-test-f...

    Here to help,

    Rob


    Standard Disclaimer: Those may be non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

    Please let us know the results and if you need further assistance. Feedback definitely helps us help all.

    4 people found this answer helpful.
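
The triage the accepted answer does by eye, as an added example that is not part of the original thread: it reads `!analyze -v` text, finds the first stack frame outside the OS and framework modules, and reports the framework call that frame made. The function names and the `PLATFORM_MODULES` list are assumptions of this example; the sample is taken from the dump quoted in the question.

```python
import re

# Excerpt of the !analyze -v text quoted in the question (blank lines dropped).
SAMPLE = r"""
BUGCHECK_STR:  0x10D_5
PROCESS_NAME:  edpa.exe
STACK_TEXT:
ffffd28a96a77338 fffff8090127b407 : 000000000000010d 0000000000000005 0000000000000000 0000000000001024 : nt!KeBugCheckEx
ffffd28a96a77340 fffff8090123d769 : ffff8b85a80de300 ffffd28a96a77440 0000000000000020 0000747a56662c08 : Wdf01000!FxVerifierBugCheckWorker+0x1f [minkernel\wdf\framework\shared\object\fxverifierbugcheck.cpp @ 68]
ffffd28a96a77380 fffff8051b9737d9 : ffff8b85a76d0530 fffff8050ea52622 ffff8b85a999d4f0 0000000000000020 : Wdf01000!imp_WdfSpinLockAcquire+0x1b2a9 [minkernel\wdf\framework\shared\support\fxspinlockapi.cpp @ 126]
ffffd28a96a773c0 ffff8b85a76d0530 : fffff8050ea52622 ffff8b85a999d4f0 0000000000000020 0000747a56662c08 : vnwcd+0x37d9
ffffd28a96a773c8 fffff8050ea52622 : ffff8b85a999d4f0 0000000000000020 0000747a56662c08 0000747a59f4e728 : 0xffff8b85`a76d0530
IMAGE_NAME:  vnwcd.sys
"""

# Modules treated as OS/framework code: an assumption of this example.
PLATFORM_MODULES = {"nt", "hal", "wdf01000"}
FIELD = re.compile(r"^([A-Z_0-9]+):\s+(\S.*)$")
FRAME = re.compile(r"^[0-9a-f]{16} [0-9a-f]{16} : (?:[0-9a-f]{16} ){4}: (\S+)")


def parse_analyze(text):
    """Return (fields, frames): KEY: value pairs and STACK_TEXT symbols in order."""
    fields, frames, in_stack = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        frame, field = FRAME.match(line), FIELD.match(line)
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and frame:
            frames.append(frame.group(1))
        elif field:  # any other KEY: value line ends the stack listing
            in_stack = False
            fields[field.group(1)] = field.group(2)
    return fields, frames


def triage(text):
    """Describe the first non-platform frame, or None if every frame is platform code."""
    fields, frames = parse_analyze(text)
    for idx, sym in enumerate(frames):
        module = re.split(r"[!+]", sym)[0]
        if sym.startswith("0x") or module.lower() in PLATFORM_MODULES:
            continue  # raw return address or OS/framework frame
        return {
            "bugcheck": fields.get("BUGCHECK_STR"),
            "process": fields.get("PROCESS_NAME"),
            "stack_index": idx,
            "module": module,
            "called": frames[idx - 1] if idx else None,
            "image_matches": fields.get("IMAGE_NAME", "").lower() == module.lower() + ".sys",
        }
    return None


if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `stack_index` it returns for the sample agrees with the `SYMBOL_STACK_INDEX: 3` line in the posted dump.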

7 additional answers

  1. Anonymous
    2020-05-06T02:53:28+00:00

    Norton Removal Tool

    https://support.norton.com/sp/en/us/home/curren...

    List of anti-malware program cleanup/uninstall tools

    http://answers.microsoft.com/en-us/protect/wiki...

    Eset - Remove Eset and many other makers/types of antivirus such as McAfee, Symantec/Norton, Avast, and others - also removes many other programs

    https://support.eset.com/en/kb3527-eset-av-remo...

    Eset - AV Remover - List of removable applications and instructions to run the Eset AV Remover tool program

    https://support.eset.com/en/kb3527-eset-av-remo...

    ======

    Even two laptops that appear to be identical can have differences in hardware and of course drivers.

    Norton (or its remnants) is involved as cause or by helping to mask the cause. Especially since there are remnants. Removing them may not be the total answer.

    Hopefully, there are no other 3rd party antivirus on the system to complicate the issue.

    Here to help,

    Rob


    Standard Disclaimer: Those may be non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the site that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the site before you decide to download and install it.

    Please let us know the results and if you need further assistance. Feedback definitely helps us help all.

    1 person found this answer helpful.
  2. Anonymous
    2020-05-06T04:14:58+00:00

    Updates do not appear to be a factor though that is certainly possible.

    When I analyze a DMP I really tear into it and look for all reasonable considerations. And there are no absolutes.... even Microsoft uses "Probably caused by: " when they point out the most likely cause the software can find.

    There may be more to this than we know, however, we are not there yet.

    A notable quote says, "analyzing a DMP file is knowledge mixed with art".

    Here to help,

    Rob

  3. Anonymous
    2020-05-06T03:39:12+00:00

    Interesting. Thanks for the info. Also, could Windows updates be a factor in this at all? Or do the logs certainly point to Symantec? I'm just going through possibilities as to how Symantec may have been triggered. Thank you, I appreciate your expertise!

  4. Anonymous
    2020-05-06T01:48:36+00:00

    Thank you for the reply, Rob. Last year Symantec was removed and replaced with Defender. I'm assuming there may be some traces of Symantec somewhere if this is the culprit. Besides removing from add/remove, are there any known ways of fully removing the Symantec product and validating completion?

    Would there also be a reason as to why a certain model laptop has the edpa.exe process running but is not experiencing the blue screen error? Maybe in part with updating drivers also?

    I will take a look at one of the affected machines and look to remove all traces of Symantec and report back! Thanks again.
