BSOD Causing ipfltdrv.sys

sai krishna 1 Reputation point
2021-04-27T16:34:59.173+00:00

ipfltdrv.sys causing bsod on windows server 2012 R2.

Microsoft (R) Windows Debugger Version 10.0.21306.1007 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\041621-70281-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Edition build lab: 9600.19939.amd64fre.winblue_ltsb.210109-0600
Machine Name:
Kernel base = 0xfffff80391c15000 PsLoadedModuleList = 0xfffff80391eda5d0
Debug session time: Fri Apr 16 18:08:58.113 2021 (UTC + 5:30)
System Uptime: 27 days 6:37:54.144
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
Loading unloaded module list
....
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff80391d554c0 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffd000244f23a0=0000000000000139
1: kd> !analyze -v


  • *
  • Bugcheck Analysis *
  • *

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffd000244f26c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd000244f2618, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:


GetUlongPtrFromAddress: unable to read from fffff80391f64308

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 1733

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 5604

Key  : Analysis.Init.CPU.mSec
Value: 936

Key  : Analysis.Init.Elapsed.mSec
Value: 14697

Key  : Analysis.Memory.CommitPeak.Mb
Value: 80

Key  : FailFast.Name
Value: CORRUPT_LIST_ENTRY

Key  : FailFast.Type
Value: 3

Key  : WER.OS.Branch
Value: winblue_ltsb

Key  : WER.OS.Timestamp
Value: 2021-01-09T06:00:00Z

Key  : WER.OS.Version
Value: 8.1.9600.19939

VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffd000244f26c0

BUGCHECK_P3: ffffd000244f2618

BUGCHECK_P4: 0

TRAP_FRAME: ffffd000244f26c0 -- (.trap 0xffffd000244f26c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe000e79e8010 rbx=0000000000000000 rcx=0000000000000003
rdx=fffff80088dc2168 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80391cd1bdd rsp=ffffd000244f2850 rbp=0000000000000001
r8=ffffe000e7b27250 r9=ffffe000ea60b158 r10=0000000000000000
r11=ffffd000244f28e8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up di pl nz na po nc
nt!ExInterlockedRemoveHeadList+0x89:
fffff803`91cd1bdd cd29 int 29h
Resetting default scope

EXCEPTION_RECORD: ffffd000244f2618 -- (.exr 0xffffd000244f2618)
ExceptionAddress: fffff80391cd1bdd (nt!ExInterlockedRemoveHeadList+0x0000000000000089)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000003
Subcode: 0x3 FAST_FAIL_CORRUPT_LIST_ENTRY

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: svchost.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE_STR: c0000409

EXCEPTION_PARAMETER1: 0000000000000003

EXCEPTION_STR: 0xc0000409

STACK_TEXT:
ffffd000244f2398 fffff80391d65769 : 0000000000000139 0000000000000003 ffffd000244f26c0 ffffd000244f2618 : nt!KeBugCheckEx
ffffd000244f23a0 fffff80391d65ad0 : ffffe000e5b68118 fffff800883394c5 0000000000000000 0000000000000000 : nt!KiBugCheckDispatch+0x69
ffffd000244f24e0 fffff80391d644a2 : 0000020000020001 0000000000000502 ffffe000e5aed990 ffffe000ea283c70 : nt!KiFastFailDispatch+0xd0
ffffd000244f26c0 fffff80391cd1bdd : 0000000000000001 fffff800870fd8fb ffffd000244f2970 fffff8008789ef4b : nt!KiRaiseSecurityCheckFailure+0x2e2
ffffd000244f2850 fffff80088db2ff1 : 0000000000000000 ffffd000244f2900 ffffe000e7b27240 ffffe000ea607000 : nt!ExInterlockedRemoveHeadList+0x89
ffffd000244f2890 fffff80088dac3ad : 000000000000612e ffffe000ed41c24f 0000000000000020 ffffd000244f296c : ipfltdrv!MatchFilterp+0x6be1
ffffd000244f2940 fffff80088dada1a : 0000000000000020 0000000000000014 0000000000000000 ffffd000244f2b58 : ipfltdrv!MatchFilter+0x6d
ffffd000244f2ae0 fffff8008721f2b6 : 000000000000011a ffffe000e5589820 ffffd000244f2fb0 0000000000000014 : ipfltdrv!IpfForwardIpClassifyCallout+0x16a
ffffd000244f2cf0 fffff80087204c30 : 0000000000000008 ffffd000244f3388 0000000000000000 ffffe000e8f4edf0 : NETIO!ProcessCallout+0x226
ffffd000244f2e60 fffff800878da5c6 : ffffe000e56d0b80 ffffe000e6cc83b0 ffffe000e6cc83b0 ffffd000244f34d0 : NETIO!KfdClassify+0x200
ffffd000244f3320 fffff800878da08f : 0000000000000000 0000000000000000 ffffd000244f3550 ffffe000e5c1b040 : tcpip!WfpNlShimInspectForwardDatagram+0x276
ffffd000244f3450 fffff800878c015e : fffff80087a0e180 ffffe000e7bf4010 00000000e0000001 ffffe000e57e7000 : tcpip!IppForwardPackets+0x51f
ffffd000244f3590 fffff80087ecc4e3 : ffffe000e5d041a0 0000000000000000 ffffd000244f3a01 ffffe000eb69f400 : tcpip!IppFlcReceivePacketsCore+0xa5e
ffffd000244f3910 fffff800870eda53 : ffffe000e8f4edf0 0000000000000000 fffff800870fa9a0 0000000000000000 : wanarp!WanNdisReceivePackets+0x3a3
ffffd000244f3a50 fffff800870edf19 : 0000000000000000 0000000000000000 0000000000000000 0000000000000001 : NDIS!NdisAcquireRWLockWrite+0x6b3
ffffd000244f3b10 fffff800870ee6b2 : ffffe000e59da1a0 0000000000000001 fffff800870fa560 ffffe000f7d055d8 : NDIS!NdisAcquireRWLockWrite+0xb79
ffffd000244f3ba0 fffff8008776655c : ffffe000eaea6480 ffffe000e9d213f0 ffffe000e8f4edf0 ffffe000eaea6480 : NDIS!NdisMIndicateReceiveNetBufferLists+0x732
ffffd000244f3d90 fffff8008774796a : ffffe000e9d213f0 ffffe000ed41b180 ffffe000ed41b020 ffffe000ed41c23b : ndiswan!IndicateRecvPacket+0x54c
ffffd000244f3e10 fffff80087766f02 : 0000000000000000 fffff43f00000008 0000000000000000 0000000000000001 : ndiswan!ApplyQoSAndIndicateRecvPacket+0x3a
ffffd000244f3e80 fffff80087766ddf : fffff80087762010 fffff800870fe3bb ffffe000eaea6480 0000000000000035 : ndiswan!ProcessPPPFrame+0xd2
ffffd000244f3f10 fffff8008774781b : ffffe000e9d213f0 ffffe000eaea6480 ffffe000ec78d940 0000000000000000 : ndiswan!ReceivePPP+0x7f
ffffd000244f3f50 fffff800870fe71c : ffffe000e53da010 ffffe000eb5dd540 0000000000000000 ffffe000e5ab83d0 : ndiswan!ProtoCoReceiveNetBufferListChain+0x2db
ffffd000244f3fe0 fffff8008778e8f2 : ffffe000e5b2bd80 ffffe000ed41f000 000000ff6ceea25d 0000000000000035 : NDIS!NdisAdvanceNetBufferListDataStart+0x21c
ffffd000244f4060 fffff800877807e8 : 0000000000000000 ffffe000ed41f000 0000000000000039 0000000000000000 : rassstp!DelinProcessSstpDataFrame+0x1c2
ffffd000244f40b0 fffff8008778e140 : 000000ff6ceea218 0000000000000000 ffffd000244f4400 0000000000004008 : rassstp!DelineateSSTPFrame+0xac
ffffd000244f4100 fffff80392099789 : 0000000000004008 ffffe000e7978af0 0000000000004008 0000000000000000 : rassstp!TpiDispatchFastIoDeviceControl+0x140
ffffd000244f4160 fffff8039206c106 : ffffe000eaef1880 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x7d9
ffffd000244f42a0 fffff80391d653e3 : ffffe000e7a20fa0 000000ff654d2500 ffffe000fe5039c0 000000ff63c8f9d8 : nt!NtDeviceIoControlFile+0x56
ffffd000244f4310 00007ffe0619077a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000ff63c8f7a8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`0619077a

SYMBOL_NAME: ipfltdrv!MatchFilterp+6be1

MODULE_NAME: ipfltdrv

IMAGE_NAME: ipfltdrv.sys

IMAGE_VERSION: 6.3.9600.16384

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 6be1

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_ipfltdrv!MatchFilterp

OS_VERSION: 8.1.9600.19939

BUILDLAB_STR: winblue_ltsb

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

FAILURE_ID_HASH: {c75aa30a-fb06-ecf5-18d0-1240f977354e}

Followup: MachineOwner


1: kd> lmvm ipfltdrv
Browse full module list
start end module name
fffff80088dab000 fffff80088dca000 ipfltdrv (pdb symbols) C:\ProgramData\Dbg\sym\ipfltdrv.pdb\E0596917AA4D415DADA61CEAEDF39F272\ipfltdrv.pdb
Loaded symbol image file: ipfltdrv.sys
Mapped memory image file: C:\ProgramData\Dbg\sym\ipfltdrv.sys\5215F7961f000\ipfltdrv.sys
Image path: \SystemRoot\system32\DRIVERS\ipfltdrv.sys
Image name: ipfltdrv.sys
Browse all global symbols functions data
Timestamp: Thu Aug 22 17:05:50 2013 (5215F796)
CheckSum: 000188DB
ImageSize: 0001F000
File version: 6.3.9600.16384
Product version: 6.3.9600.16384
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ipfltdrv.sys
OriginalFilename: ipfltdrv.sys
ProductVersion: 6.3.9600.16384
FileVersion: 6.3.9600.16384 (winblue_rtm.130821-1623)
FileDescription: IP FILTER DRIVER
LegalCopyright: © Microsoft Corporation. All rights reserved.

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,178 questions
No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Carl Fan 6,786 Reputation points Microsoft Vendor
    2021-04-30T09:52:47.06+00:00

    Hi,
    Ipfltdrv.sys means that IP FILTER DRIVER.
    According to the information you provided, few steps you could try:
    1.Download and install updates and device drivers for your computer from Windows Update.
    2.Scan your computer for computer viruses.
    3.Type "msconfig" in Search Bar. Select "Service" option, hide all microsoft service. Then disable all no-microsoft service.
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl