Blue Screen of Death: Driver IRQL Not Less or Equal (Windows 7)

Anonymous
2014-01-24T06:48:36+00:00

My computer started crashing after I downloaded the latest batch of Windows updates. I presume there's a connection, but I could be mistaken. I was able to photograph the screen this last time. (I'm sorry for the reflection at the top, but it's still readable) Any suggestions? I'd very much appreciate any help y'all can provide.

Thanks!

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

Anonymous
2014-01-24T23:22:23+00:00

My pleasure, I look forward to your update.

I would not by any means reinstall Norton, it is not a good antivirus despite what many say. I'd stay far away from Norton + McAfee. For now, go several days without any 3rd-party antivirus. If the crashes cease, you know it was both conflicting and you can move on to try others... although I dislike most as I see how many conflicts they can cause, and I deal with it on a daily basis.

For the record though, Malwarebytes is fantastic and you would be just fine installing that right now if you wish.

Regards,

Patrick

100+ people found this answer helpful.

Answer accepted by question author

Anonymous
2014-01-24T22:07:35+00:00

Perfect, thank you! You should also be happy to know that this at first glance appears to be a very simple and easy to solve issue.

Right, so all of the attached DMP files are of the DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) bug check.

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.

A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses.

If we take a look at the call stack:

```
1: kd> kv
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff8800c070a58 fffff8000308f169 : 000000000000000a 0000000000000008 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffff8800c070a60 fffff8000308dde0 : fffff8800c070c20 fffffa800edcc4d8 0000000000000000 fffff8800c070f50 : nt!KiBugCheckDispatch+0x69
fffff8800c070ba0 fffff88001928a1d : fffffa8005a44338 fffffa8005a44330 0000000000000001 fffff8800193c827 : nt!KiPageFault+0x260 (TrapFrame @ fffff8800c070ba0)
fffff8800c070d30 fffff880019320d4 : fffff8800c070f50 fffff8800c070f50 fffff8800c071150 fffffa800db76280 : NETIO!CalloutStreamDataInit+0x1d
fffff8800c070d70 fffff8800193de98 : 0000000000000000 fffff8800c071150 fffff8800c070f00 fffff8800c070f88 : NETIO!StreamInvokeCalloutAndNormalizeAction+0x54
fffff8800c070e10 fffff8800193ee91 : fffffa800f81e5f0 fffff8800c071150 fffff8800c070f50 fffff8800c0715a0 : NETIO!StreamCalloutProcessData+0x48
fffff8800c070e60 fffff8800193fee8 : fffff8800c070f50 fffff8800c0715a0 fffff8800c071101 fffffa800f81e5f0 : NETIO!StreamCalloutProcessingLoop+0xa1
fffff8800c070ef0 fffff88001920a2a : fffff8800c071150 fffff88009b8e690 0000000000000000 fffffa800e550014 : NETIO!StreamProcessCallout+0x1e8
fffff8800c070fe0 fffff88001907f58 : fffff8a00fc50014 fffffa800ea8dc30 fffffa800593ae08 fffff8800c0715a0 : NETIO! ?? ::FNODOBFM::`string'+0x71f2
fffff8800c071100 fffff880019095d2 : fffff8800c070014 fffffa800ea8dc30 fffffa800e55b4e0 0000000000000000 : NETIO!ArbitrateAndEnforce+0x238
fffff8800c0711d0 fffff880019423b3 : fffff8800c071674 fffffa800ea8dc30 0000000000000001 fffff8800c0715a0 : NETIO!KfdClassify+0x934
fffff8800c071540 fffff8800194299a : 0000000000000000 0000000000010000 00000000003793f8 fffffa800e55b420 : NETIO!StreamInternalClassify+0xf3
fffff8800c071610 fffff88001942d8e : 0000000000000014 0000000000000100 0000000000000000 fffffa800e7a98e0 : NETIO!StreamInject+0x1ca
fffff8800c0716e0 fffff88001997dd7 : fffffa800e55b370 000000000000015c fffffa800dcd5be0 fffff800031c3d00 : NETIO!FwppStreamInject+0x12e
fffff8800c071770 fffff88009afec44 : fffffa800e081360 0000000000000000 fffffa801084e1c0 fffffa8005b61c10 : fwpkclnt!FwpsStreamInjectAsync0+0xcf
fffff8800c0717d0 fffffa800e081360 : 0000000000000000 fffffa801084e1c0 fffffa8005b61c10 fffff8a00000015c : UrlFilter+0x1c44
fffff8800c0717d8 0000000000000000 : fffffa801084e1c0 fffffa8005b61c10 fffff8a00000015c fffff80000000014 : 0xfffffa80`0e081360
```

We can see a UrlFilter.sys call, which is a component of IObit. After we have that call, it leads into MANY Network I/O Subsystem routine calls, which go directly into a page fault and then the bug check itself.

```
Unable to load image \??\C:\Program Files (x86)\IObit\IObit Malware Fighter\drivers\win7_amd64\UrlFilter.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for UrlFilter.sys
*** ERROR: Module load completed but symbols could not be loaded for UrlFilter.sys
```

Overall, what's happening? IObit Malware Fighter, of no surprise to me (as I always see it), is causing NETBIOS conflicts with Norton, which then causes memory corruption. Ultimately, this crashes your computer.

------------------

  1. Uninstall IObit.
  2. Remove and replace Norton with Microsoft Security Essentials for temporary troubleshooting purposes:

Norton removal - https://support.norton.com/sp/en/us/home/current/solutions/kb20080710133834EN_EndUserProfile_en_us;jsessionid=841A6D40BA6872C47697C6C6B19C8E11.4?entsrc=redirect_pubweb&pvid=f-home

MSE - http://windows.microsoft.com/en-us/windows/security-essentials-download

Your crashes should cease after this, so please keep me updated.

Also, you may want to read this about IObit - IOBit Steals Malwarebytes' Intellectual Property.

Regards,

Patrick

100+ people found this answer helpful.
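The stack triage described in the answer above, as an added example that is not part of the original post: it parses `kv` frames, skips the bug-check machinery above the trap frame, and reports the faulting call site and the first non-OS module beneath it. The frames are excerpted from the quoted stack; `OS_MODULES` and the function names are assumptions of this example.

```python
import re

# Assumption of this example: modules treated as OS components for this stack.
OS_MODULES = {"nt", "netio", "fwpkclnt"}
FRAME_RE = re.compile(r"(?P<sp>[0-9a-f`]+)\s+(?P<ret>[0-9a-f`]+)\s+:(?P<args>[^:]*):\s*(?P<site>.+)")
MODULE_RE = re.compile(r"[A-Za-z_][\w.]*")

# Frames excerpted from the stack quoted above (some NETIO frames omitted).
SAMPLE_KV = """\
Child-SP          RetAddr           : Args to Child : Call Site
fffff8800c070a58 fffff8000308f169 : 000000000000000a 0000000000000008 0000000000000002 0000000000000000 : nt!KeBugCheckEx
fffff8800c070a60 fffff8000308dde0 : fffff8800c070c20 fffffa800edcc4d8 0000000000000000 fffff8800c070f50 : nt!KiBugCheckDispatch+0x69
fffff8800c070ba0 fffff88001928a1d : fffffa8005a44338 fffffa8005a44330 0000000000000001 fffff8800193c827 : nt!KiPageFault+0x260 (TrapFrame @ fffff8800c070ba0)
fffff8800c070d30 fffff880019320d4 : fffff8800c070f50 fffff8800c070f50 fffff8800c071150 fffffa800db76280 : NETIO!CalloutStreamDataInit+0x1d
fffff8800c070ef0 fffff88001920a2a : fffff8800c071150 fffff88009b8e690 0000000000000000 fffffa800e550014 : NETIO!StreamProcessCallout+0x1e8
fffff8800c070fe0 fffff88001907f58 : fffff8a00fc50014 fffffa800ea8dc30 fffffa800593ae08 fffff8800c0715a0 : NETIO! ?? ::FNODOBFM::`string'+0x71f2
fffff8800c0716e0 fffff88001997dd7 : fffffa800e55b370 000000000000015c fffffa800dcd5be0 fffff800031c3d00 : NETIO!FwppStreamInject+0x12e
fffff8800c071770 fffff88009afec44 : fffffa800e081360 0000000000000000 fffffa801084e1c0 fffffa8005b61c10 : fwpkclnt!FwpsStreamInjectAsync0+0xcf
fffff8800c0717d0 fffffa800e081360 : 0000000000000000 fffffa801084e1c0 fffffa8005b61c10 fffff8a00000015c : UrlFilter+0x1c44
fffff8800c0717d8 0000000000000000 : fffffa801084e1c0 fffffa8005b61c10 fffff8a00000015c fffff80000000014 : 0xfffffa80`0e081360
"""

def parse_kv(text):
    """Return one dict per stack frame, crash site first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # prompt, header and warning lines
        site = m.group("site").strip()
        mod = None if site.startswith("0x") else MODULE_RE.match(site)
        frames.append({"site": site,
                       "module": mod.group(0) if mod else None,
                       "has_symbols": "!" in site})
    return frames

def triage(text):
    """Report the faulting call site and the first non-OS module beneath it."""
    frames = parse_kv(text)
    # Everything up to and including the trap frame is bug-check machinery.
    trap = next((i for i, f in enumerate(frames) if "TrapFrame" in f["site"]), -1)
    below = frames[trap + 1:]
    third = next((f for f in below
                  if f["module"] and f["module"].lower() not in OS_MODULES), None)
    return {"faulting": below[0]["site"] if below else None,
            "third_party": third["module"] if third else None,
            "symbols_loaded": third["has_symbols"] if third else None,
            "os_frames_between": below.index(third) if third else None}

if __name__ == "__main__":
    print(triage(SAMPLE_KV))
```

The fault itself lands in a Microsoft module (NETIO), so the third-party frame further down marks a driver to investigate rather than a proven culprit.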

59 additional answers

  1. Anonymous
    2014-01-24T22:32:36+00:00

    Thank you, Patrick.  I've uninstalled both programs. If this solves the problem, is it safe to reinstall one, but not both programs? Would Norton and Malwarebytes, for instance, work together well?

    That's very disturbing news. I really love several of IOBit's products. Thanks for the information.

    Thanks again for your help. I'll let you know how it works out.

  2. Anonymous
    2014-01-24T21:49:09+00:00

    All right, are these files of more help to you? DMP Set 2

  3. Anonymous
    2014-01-24T21:07:41+00:00

    It appears your DMP files are severely corrupt, as all have very strange names and are 0 KB in file size. Let's do the following in preparation for the next system crash:

    1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.
    2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.
    3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

    Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

    4. Double check that the WERS is ENABLED:

    Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

    5. Enable Driver Verifier:

    Driver Verifier:

    What is Driver Verifier?

    Driver Verifier is included in Windows 8, 7, Windows Server 2008 R2, Windows Vista, Windows Server 2008, Windows 2000, Windows XP, and Windows Server 2003 to promote stability and reliability; you can use this tool to troubleshoot driver issues. Windows kernel-mode components can cause system corruption or system failures as a result of an improperly written driver, such as an earlier version of a Windows Driver Model (WDM) driver.

    Essentially, if there's a 3rd party driver believed to be at issue, enabling Driver Verifier will help flush out the rogue driver if it detects a violation.

    Before enabling Driver Verifier, it is recommended to create a System Restore Point:

    Vista - START | type rstrui - create a restore point

    Windows 7 - START | type create | select "Create a Restore Point"

    Windows 8 - http://www.eightforums.com/tutorials/4690-restore-point-create-windows-8-a.html

    How to enable Driver Verifier:

    Start > type "verifier" without the quotes > Select the following options -

    1. Select - "Create custom settings (for code developers)"
    2. Select - "Select individual settings from a full list"
    3. Check the following boxes -
    • Special Pool
    • Pool Tracking
    • Force IRQL Checking
    • Deadlock Detection
    • Security Checks (Windows 7 & 8)
    • DDI compliance checking (Windows 8)
    • Miscellaneous Checks
    4. Select - "Select driver names from a list"
    5. Click on the "Provider" tab. This will sort all of the drivers by the provider.
    6. Check EVERY box that is NOT provided by Microsoft / Microsoft Corporation.
    7. Click on Finish.
    8. Restart.

    Important information regarding Driver Verifier:

    • If Driver Verifier finds a violation, the system will BSOD.
    • After enabling Driver Verifier and restarting the system, depending on the culprit, if for example the driver is on start-up, you may not be able to get back into normal Windows because Driver Verifier will flag it, and as stated above, that will cause / force a BSOD.

    If this happens, do not panic, do the following:

    • Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
    • Once in Safe Mode - Start > Search > type "cmd" without the quotes.
    • To turn off Driver Verifier, type in cmd "verifier /reset" without the quotes.
    • Restart and boot into normal Windows.

    If your OS became corrupt or you cannot boot into Windows after disabling verifier via Safe Mode:

    • Boot into Safe Mode by repeatedly tapping the F8 key during boot-up.
    • Once in Safe Mode - Start > type "system restore" without the quotes.
    • Choose the restore point you created earlier.

    How long should I keep Driver Verifier enabled for?

    It varies; many experts and analysts have different recommendations. Personally, I recommend keeping it enabled for at least 24 hours. If you don't BSOD by then, disable Driver Verifier.

    My system BSOD'd, where can I find the crash dumps?

    They will be located in %systemroot%\Minidump

    Any other questions can most likely be answered by this article:

    http://support.microsoft.com/kb/244617

    ------------------

    With all of this in place, hopefully we'll get a non-corrupt dump.

    Regards,

    Patrick
