MpKslDrv.sys BSOD

standuhuajun 36 Reputation points
2021-05-09T01:43:19.853+00:00

Hi,

We meet BSOD today,The following is the dump file,we can see the IMAGE_NAME: MpKslDrv.sys. So we want to know why MpKslDrv.sys would cause BSOD. And what is this driver(MpKslDrv.sys)?

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\Stan.Du\Desktop\050921-32140-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Symbol search path is: SRVC:\Symbolshttp://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 14393 MP (48 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 14393.4283.amd64fre.rs1_release.210303-1802
Machine Name:
Kernel base = 0xfffff80348c8d000 PsLoadedModuleList = 0xfffff80348f910a0
Debug session time: Sun May 9 02:06:52.403 2021 (UTC + 8:00)
System Uptime: 53 days 15:58:00.789
Loading Kernel Symbols
...............................................................
................................................................
...............................................................
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
*** WARNING: Unable to verify timestamp for MpKslDrv.sys
0: kd> !analyze -v


  • *
  • Bugcheck Analysis *
  • *

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80348dbe107, The address that the exception occurred at
Arg3: ffffb880bfaec428, Exception Record Address
Arg4: ffffb880bfaebc70, Context Record Address

Debugging Details:


KEY_VALUES_STRING: 1

Key  : AV.Fault
Value: Read

Key  : Analysis.CPU.Sec
Value: 2

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CNSH-01CPIA13

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 2

Key  : Analysis.Memory.CommitPeak.Mb
Value: 77

Key  : Analysis.System
Value: CreateObject

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_CODE: 7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff80348dbe107

BUGCHECK_P3: ffffb880bfaec428

BUGCHECK_P4: ffffb880bfaebc70

EXCEPTION_RECORD: ffffb880bfaec428 -- (.exr 0xffffb880bfaec428)
ExceptionAddress: fffff80348dbe107 (nt!KeDeregisterBugCheckReasonCallback+0x000000000000003f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: ffffb880bfaebc70 -- (.cxr 0xffffb880bfaebc70)
rax=ffffca0129aff010 rbx=ffffca01512abe48 rcx=c2eb26500ccfaea2
rdx=0000000000000000 rsi=0000000000000000 rdi=ffffca01512abe00
rip=fffff80348dbe107 rsp=ffffb880bfaec660 rbp=ffffb880bfaec830
r8=0000000000000000 r9=fffff80348c8d000 r10=fffff80348fd0320
r11=ffff8f0e4079af50 r12=0000000000000000 r13=fffff8078fc76008
r14=ffffca0fdaa41b00 r15=ffffca00e9aba000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!KeDeregisterBugCheckReasonCallback+0x3f:
fffff80348dbe107 48395908 cmp qword ptr [rcx+8],rbx ds:002b:c2eb26500ccfaeaa=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

READ_ADDRESS: fffff80349033338: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff80348f7edf0: Unable to get Flags value from nt!KdVersionBlock
ffffffffffffffff

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

EXCEPTION_STR: 0xc0000005

STACK_TEXT:
ffffb880bfaec660 fffff8078fc6b1d5 : ffffca01512abe30 00000000c0000002 0000000000000000 ffffb88000030190 : nt!KeDeregisterBugCheckReasonCallback+0x3f
ffffb880bfaec690 ffffca01512abe30 : 00000000c0000002 0000000000000000 ffffb88000030190 0000000000460044 : MpKslDrv+0xb1d5
ffffb880bfaec698 00000000c0000002 : 0000000000000000 ffffb88000030190 0000000000460044 fffff8078fc740f0 : 0xffffca01512abe30 ffffb880bfaec6a0 0000000000000000 : ffffb88000030190 0000000000460044 fffff8078fc740f0 ffffca01`512abe30 : 0xc0000002

SYMBOL_NAME: MpKslDrv+b1d5

MODULE_NAME: MpKslDrv

IMAGE_NAME: MpKslDrv.sys

STACK_COMMAND: .cxr 0xffffb880bfaebc70 ; kb

BUCKET_ID_FUNC_OFFSET: b1d5

FAILURE_BUCKET_ID: AV_MpKslDrv!unknown_function

OS_VERSION: 10.0.14393.4283

BUILDLAB_STR: rs1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {6edae0dc-9dc2-be77-fe82-074577005d71}

Followup: MachineOwner


Windows Server 2016
Windows Server 2016
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,760 questions
{count} votes

6 answers

Sort by: Most helpful
  1. Carl Fan 6,681 Reputation points Microsoft Employee
    2021-05-10T03:11:26.517+00:00

    Hi,
    The process known as KSLDriver or MpKslDrv belongs to software Microsoft Malware Protection

    Based on my research, after new define update, the old MpKsl service would be deleted and a new MpKsl would be started.

    You could try to uninstall Microsoft Security Essential to check how it works.

    If this issue still exists, I suggest you could post our corresponding forum which focuses on Microsoft Security Essential issue:

    Microsoft Security Essentials
    https://answers.microsoft.com/en-us/protect/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

    No comments

  2. Anonymous Test 1 Reputation point
    2021-05-10T08:37:21.697+00:00

    Same problem here since 2021/05/06:


    • *
    • Bugcheck Analysis *
    • *

    Use !analyze -v to get detailed debugging information.

    BugCheck A, {8, f, 0, fffff80219731a4b}

    * WARNING: Unable to verify timestamp for MpKslDrv.sys
    *
    ERROR: Module load completed but symbols could not be loaded for MpKslDrv.sys
    Probably caused by : MpKslDrv.sys ( MpKslDrv+b1d5 )

    Followup: MachineOwner


    5: kd> !analyze -v


    • *
    • Bugcheck Analysis *
    • *

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 0000000000000008, memory referenced
    Arg2: 000000000000000f, IRQL
    Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: fffff80219731a4b, address which referenced memory

    Debugging Details:


    READ_ADDRESS: unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPagedPoolEnd
    unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSizeOfNonPagedPoolInBytes
    0000000000000008

    CURRENT_IRQL: f

    FAULTING_IP:
    nt!KeDeregisterBugCheckReasonCallback+3f
    fffff802`19731a4b 48395908 cmp qword ptr [rcx+8],rbx

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: AV

    PROCESS_NAME: System

    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

    TRAP_FRAME: ffffd00025fb64d0 -- (.trap 0xffffd00025fb64d0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
    rdx=ffffc002300ad700 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80219731a4b rsp=ffffd00025fb6660 rbp=ffffd00025fb6830
    r8=ffffc002300ad700 r9=00000000000007ff r10=ffffd001dab54320
    r11=ffffc0022e5f8560 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl zr na po nc
    nt!KeDeregisterBugCheckReasonCallback+0x3f:
    fffff80219731a4b 48395908 cmp qword ptr [rcx+8],rbx ds:0000000000000008=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff802197692e9 to fffff8021975e760

    STACK_TEXT:
    ffffd00025fb6388 fffff802197692e9 : 000000000000000a 0000000000000008 000000000000000f 0000000000000000 : nt!KeBugCheckEx
    ffffd00025fb6390 fffff80219767ac7 : ffffe001c479b1b0 ffffc0023a26f000 00000000000000af fffff80193320000 : nt!KiBugCheckDispatch+0x69
    ffffd00025fb64d0 fffff80219731a4b : 000000000001546e 00000000c0000002 0000000000000000 0000000000000000 : nt!KiPageFault+0x247
    ffffd00025fb6660 fffff8019332b1d5 : ffffe001c4518010 00000000c0000002 0000000000000000 fffff80200010110 : nt!KeDeregisterBugCheckReasonCallback+0x3f
    ffffd00025fb6690 ffffe001c4518010 : 00000000c0000002 0000000000000000 fffff80200010110 0000000000460044 : MpKslDrv+0xb1d5
    ffffd00025fb6698 00000000c0000002 : 0000000000000000 fffff80200010110 0000000000460044 fffff801933340f0 : 0xffffe001c4518010 ffffd00025fb66a0 0000000000000000 : fffff80200010110 0000000000460044 fffff801933340f0 ffffe001`c4518010 : 0xc0000002

    STACK_COMMAND: kb

    FOLLOWUP_IP:
    MpKslDrv+b1d5
    fffff801`9332b1d5 488d5368 lea rdx,[rbx+68h]

    SYMBOL_STACK_INDEX: 4

    SYMBOL_NAME: MpKslDrv+b1d5

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: MpKslDrv

    IMAGE_NAME: MpKslDrv.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 3bb0694c

    FAILURE_BUCKET_ID: OLD_IMAGE_MpKslDrv.sys

    BUCKET_ID: OLD_IMAGE_MpKslDrv.sys

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:old_image_mpksldrv.sys

    FAILURE_ID_HASH: {3a18e1b4-4291-0614-9ea3-9371ece6202e}

    Followup: MachineOwner


    No comments

  3. Perfexpert 1 Reputation point
    2021-05-10T12:38:47.23+00:00

    Please confirm the other AV product installed on the server as the same thing was happening with us and also was the server rebooted only once by this bug check code or multiple times, please let me know.


  4. Shiv S Singh 1 Reputation point
    2021-05-10T16:28:47.89+00:00

    We also ran in same issue where our 2016 Server got crashed & dump file pointing issue with MpKslDrv.sys. Is there any issue going in with recent defender updates. Please confirm.


  5. Andy De Deckker 36 Reputation points
    2021-05-12T12:01:59.18+00:00

    I can confirm we also ran into this issue 4 days ago. (Windows Server 2016)

    No comments