Please run:
https://www.windowsq.com/resources/v2-log-collector.8/
https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html
BSOD Causing ipfltdrv.sys
ipfltdrv.sys causing BSOD on Windows Server 2012 R2.
Microsoft (R) Windows Debugger Version 10.0.21306.1007 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\041621-70281-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 9600.19939.amd64fre.winblue_ltsb.210109-0600
Machine Name:
Kernel base = 0xfffff80391c15000 PsLoadedModuleList = 0xfffff80391eda5d0
Debug session time: Fri Apr 16 18:08:58.113 2021 (UTC + 5:30)
System Uptime: 27 days 6:37:54.144
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
....
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff80391d554c0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd000244f23a0=0000000000000139
1: kd> !analyze -v
* Bugcheck Analysis *
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000244f26c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000244f2618, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
GetUlongPtrFromAddress: unable to read from fffff80391f64308
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1733
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 5604
Key : Analysis.Init.CPU.mSec
Value: 936
Key : Analysis.Init.Elapsed.mSec
Value: 14697
Key : Analysis.Memory.CommitPeak.Mb
Value: 80
Key : FailFast.Name
Value: CORRUPT_LIST_ENTRY
Key : FailFast.Type
Value: 3
Key : WER.OS.Branch
Value: winblue_ltsb
Key : WER.OS.Timestamp
Value: 2021-01-09T06:00:00Z
Key : WER.OS.Version
Value: 8.1.9600.19939
VIRTUAL_MACHINE: VMware
BUGCHECK_CODE: 139
BUGCHECK_P1: 3
BUGCHECK_P2: ffffd000244f26c0
BUGCHECK_P3: ffffd000244f2618
BUGCHECK_P4: 0
TRAP_FRAME: ffffd000244f26c0 -- (.trap 0xffffd000244f26c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe000e79e8010 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80088dc2168 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80391cd1bdd rsp=ffffd000244f2850 rbp=0000000000000001
r8=ffffe000e7b27250 r9=ffffe000ea60b158 r10=0000000000000000
r11=ffffd000244f28e8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na po nc
nt!ExInterlockedRemoveHeadList+0x89:
fffff803`91cd1bdd cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000244f2618 -- (.exr 0xffffd000244f2618)
ExceptionAddress: fffff80391cd1bdd (nt!ExInterlockedRemoveHeadList+0x0000000000000089)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: svchost.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 0000000000000003
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
ffffd000244f2398 fffff80391d65769 : 0000000000000139 0000000000000003 ffffd000244f26c0 ffffd000244f2618 : nt!KeBugCheckEx
ffffd000244f23a0 fffff80391d65ad0 : ffffe000e5b68118 fffff800883394c5 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffd000244f24e0 fffff80391d644a2 : 0000020000020001 0000000000000502 ffffe000e5aed990 ffffe000ea283c70 : nt!KiFastFailDispatch+0xd0
ffffd000244f26c0 fffff80391cd1bdd : 0000000000000001 fffff800870fd8fb ffffd000244f2970 fffff8008789ef4b : nt!KiRaiseSecurityCheckFailure+0x2e2
ffffd000244f2850 fffff80088db2ff1 : 0000000000000000 ffffd000244f2900 ffffe000e7b27240 ffffe000ea607000 : nt!ExInterlockedRemoveHeadList+0x89
ffffd000244f2890 fffff80088dac3ad : 000000000000612e ffffe000ed41c24f 0000000000000020 ffffd000244f296c : ipfltdrv!MatchFilterp+0x6be1
ffffd000244f2940 fffff80088dada1a : 0000000000000020 0000000000000014 0000000000000000 ffffd000244f2b58 : ipfltdrv!MatchFilter+0x6d
ffffd000244f2ae0 fffff8008721f2b6 : 000000000000011a ffffe000e5589820 ffffd000244f2fb0 0000000000000014 : ipfltdrv!IpfForwardIpClassifyCallout+0x16a
ffffd000244f2cf0 fffff80087204c30 : 0000000000000008 ffffd000244f3388 0000000000000000 ffffe000e8f4edf0 : NETIO!ProcessCallout+0x226
ffffd000244f2e60 fffff800878da5c6 : ffffe000e56d0b80 ffffe000e6cc83b0 ffffe000e6cc83b0 ffffd000244f34d0 : NETIO!KfdClassify+0x200
ffffd000244f3320 fffff800878da08f : 0000000000000000 0000000000000000 ffffd000244f3550 ffffe000e5c1b040 : tcpip!WfpNlShimInspectForwardDatagram+0x276
ffffd000244f3450 fffff800878c015e : fffff80087a0e180 ffffe000e7bf4010 00000000e0000001 ffffe000e57e7000 : tcpip!IppForwardPackets+0x51f
ffffd000244f3590 fffff80087ecc4e3 : ffffe000e5d041a0 0000000000000000 ffffd000244f3a01 ffffe000eb69f400 : tcpip!IppFlcReceivePacketsCore+0xa5e
ffffd000244f3910 fffff800870eda53 : ffffe000e8f4edf0 0000000000000000 fffff800870fa9a0 0000000000000000 : wanarp!WanNdisReceivePackets+0x3a3
ffffd000244f3a50 fffff800870edf19 : 0000000000000000 0000000000000000 0000000000000000 0000000000000001 : NDIS!NdisAcquireRWLockWrite+0x6b3
ffffd000244f3b10 fffff800870ee6b2 : ffffe000e59da1a0 0000000000000001 fffff800870fa560 ffffe000f7d055d8 : NDIS!NdisAcquireRWLockWrite+0xb79
ffffd000244f3ba0 fffff8008776655c : ffffe000eaea6480 ffffe000e9d213f0 ffffe000e8f4edf0 ffffe000eaea6480 : NDIS!NdisMIndicateReceiveNetBufferLists+0x732
ffffd000244f3d90 fffff8008774796a : ffffe000e9d213f0 ffffe000ed41b180 ffffe000ed41b020 ffffe000ed41c23b : ndiswan!IndicateRecvPacket+0x54c
ffffd000244f3e10 fffff80087766f02 : 0000000000000000 fffff43f00000008 0000000000000000 0000000000000001 : ndiswan!ApplyQoSAndIndicateRecvPacket+0x3a
ffffd000244f3e80 fffff80087766ddf : fffff80087762010 fffff800870fe3bb ffffe000eaea6480 0000000000000035 : ndiswan!ProcessPPPFrame+0xd2
ffffd000244f3f10 fffff8008774781b : ffffe000e9d213f0 ffffe000eaea6480 ffffe000ec78d940 0000000000000000 : ndiswan!ReceivePPP+0x7f
ffffd000244f3f50 fffff800870fe71c : ffffe000e53da010 ffffe000eb5dd540 0000000000000000 ffffe000e5ab83d0 : ndiswan!ProtoCoReceiveNetBufferListChain+0x2db
ffffd000244f3fe0 fffff8008778e8f2 : ffffe000e5b2bd80 ffffe000ed41f000 000000ff6ceea25d 0000000000000035 : NDIS!NdisAdvanceNetBufferListDataStart+0x21c
ffffd000244f4060 fffff800877807e8 : 0000000000000000 ffffe000ed41f000 0000000000000039 0000000000000000 : rassstp!DelinProcessSstpDataFrame+0x1c2
ffffd000244f40b0 fffff8008778e140 : 000000ff6ceea218 0000000000000000 ffffd000244f4400 0000000000004008 : rassstp!DelineateSSTPFrame+0xac
ffffd000244f4100 fffff80392099789 : 0000000000004008 ffffe000e7978af0 0000000000004008 0000000000000000 : rassstp!TpiDispatchFastIoDeviceControl+0x140
ffffd000244f4160 fffff8039206c106 : ffffe000eaef1880 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x7d9
ffffd000244f42a0 fffff80391d653e3 : ffffe000e7a20fa0 000000ff654d2500 ffffe000fe5039c0 000000ff63c8f9d8 : nt!NtDeviceIoControlFile+0x56
ffffd000244f4310 00007ffe0619077a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000ff63c8f7a8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`0619077a
SYMBOL_NAME: ipfltdrv!MatchFilterp+6be1
MODULE_NAME: ipfltdrv
IMAGE_NAME: ipfltdrv.sys
IMAGE_VERSION: 6.3.9600.16384
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 6be1
FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_ipfltdrv!MatchFilterp
OS_VERSION: 8.1.9600.19939
BUILDLAB_STR: winblue_ltsb
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
FAILURE_ID_HASH: {c75aa30a-fb06-ecf5-18d0-1240f977354e}
Followup: MachineOwner
1: kd> lmvm ipfltdrv
Browse full module list
start end module name
fffff80088dab000 fffff80088dca000 ipfltdrv (pdb symbols) C:\ProgramData\Dbg\sym\ipfltdrv.pdb\E0596917AA4D415DADA61CEAEDF39F272\ipfltdrv.pdb
Loaded symbol image file: ipfltdrv.sys
Mapped memory image file: C:\ProgramData\Dbg\sym\ipfltdrv.sys\5215F7961f000\ipfltdrv.sys
Image path: \SystemRoot\system32\DRIVERS\ipfltdrv.sys
Image name: ipfltdrv.sys
Browse all global symbols functions data
Timestamp: Thu Aug 22 17:05:50 2013 (5215F796)
CheckSum: 000188DB
ImageSize: 0001F000
File version: 6.3.9600.16384
Product version: 6.3.9600.16384
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ipfltdrv.sys
OriginalFilename: ipfltdrv.sys
ProductVersion: 6.3.9600.16384
FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)
FileDescription: IP FILTER DRIVER
LegalCopyright: © Microsoft Corporation. All rights reserved.
2 answers
Carl Fan 6,836 Reputation points
2021-04-30T09:52:47.06+00:00
Hi,
Ipfltdrv.sys is the IP FILTER DRIVER.
According to the information you provided, here are a few steps you could try:
1. Download and install updates and device drivers for your computer from Windows Update.
2. Scan your computer for computer viruses.
3. Type "msconfig" in the Search Bar. Select the "Service" option and hide all Microsoft services. Then disable all non-Microsoft services.
Hope this helps and please help to accept as Answer if the response is useful.
Best Regards,
Carl