MpKslDrv.sys BSOD

standuhuajun 71 Reputation points
2021-05-09T01:43:19.853+00:00

Hi,

We met a BSOD today. The following is the dump file; we can see the IMAGE_NAME: MpKslDrv.sys. So we want to know why MpKslDrv.sys would cause a BSOD. And what is this driver (MpKslDrv.sys)?

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\Stan.Du\Desktop\050921-32140-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 14393 MP (48 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 14393.4283.amd64fre.rs1_release.210303-1802
Machine Name:
Kernel base = 0xfffff80348c8d000 PsLoadedModuleList = 0xfffff80348f910a0
Debug session time: Sun May 9 02:06:52.403 2021 (UTC + 8:00)
System Uptime: 53 days 15:58:00.789
Loading Kernel Symbols
...............................................................
................................................................
...............................................................
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
*** WARNING: Unable to verify timestamp for MpKslDrv.sys
0: kd> !analyze -v


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80348dbe107, The address that the exception occurred at
Arg3: ffffb880bfaec428, Exception Record Address
Arg4: ffffb880bfaebc70, Context Record Address

Debugging Details:


KEY_VALUES_STRING: 1

Key  : AV.Fault
Value: Read

Key  : Analysis.CPU.Sec
Value: 2

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CNSH-01CPIA13

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 2

Key  : Analysis.Memory.CommitPeak.Mb
Value: 77

Key  : Analysis.System
Value: CreateObject

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_CODE: 7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff80348dbe107

BUGCHECK_P3: ffffb880bfaec428

BUGCHECK_P4: ffffb880bfaebc70

EXCEPTION_RECORD: ffffb880bfaec428 -- (.exr 0xffffb880bfaec428)
ExceptionAddress: fffff80348dbe107 (nt!KeDeregisterBugCheckReasonCallback+0x000000000000003f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: ffffb880bfaebc70 -- (.cxr 0xffffb880bfaebc70)
rax=ffffca0129aff010 rbx=ffffca01512abe48 rcx=c2eb26500ccfaea2
rdx=0000000000000000 rsi=0000000000000000 rdi=ffffca01512abe00
rip=fffff80348dbe107 rsp=ffffb880bfaec660 rbp=ffffb880bfaec830
r8=0000000000000000 r9=fffff80348c8d000 r10=fffff80348fd0320
r11=ffff8f0e4079af50 r12=0000000000000000 r13=fffff8078fc76008
r14=ffffca0fdaa41b00 r15=ffffca00e9aba000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!KeDeregisterBugCheckReasonCallback+0x3f:
fffff80348dbe107 48395908 cmp qword ptr [rcx+8],rbx ds:002b:c2eb26500ccfaeaa=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

READ_ADDRESS: fffff80349033338: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff80348f7edf0: Unable to get Flags value from nt!KdVersionBlock
ffffffffffffffff

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

EXCEPTION_STR: 0xc0000005

STACK_TEXT:
ffffb880bfaec660 fffff8078fc6b1d5 : ffffca01512abe30 00000000c0000002 0000000000000000 ffffb88000030190 : nt!KeDeregisterBugCheckReasonCallback+0x3f
ffffb880bfaec690 ffffca01512abe30 : 00000000c0000002 0000000000000000 ffffb88000030190 0000000000460044 : MpKslDrv+0xb1d5
ffffb880bfaec698 00000000c0000002 : 0000000000000000 ffffb88000030190 0000000000460044 fffff8078fc740f0 : 0xffffca01512abe30
ffffb880bfaec6a0 0000000000000000 : ffffb88000030190 0000000000460044 fffff8078fc740f0 ffffca01`512abe30 : 0xc0000002

SYMBOL_NAME: MpKslDrv+b1d5

MODULE_NAME: MpKslDrv

IMAGE_NAME: MpKslDrv.sys

STACK_COMMAND: .cxr 0xffffb880bfaebc70 ; kb

BUCKET_ID_FUNC_OFFSET: b1d5

FAILURE_BUCKET_ID: AV_MpKslDrv!unknown_function

OS_VERSION: 10.0.14393.4283

BUILDLAB_STR: rs1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {6edae0dc-9dc2-be77-fe82-074577005d71}

Followup: MachineOwner


Windows Server 2016

6 answers

  1. Carl Fan 6,836 Reputation points
    2021-05-10T03:11:26.517+00:00

    Hi,
    The process known as KSLDriver or MpKslDrv belongs to the software Microsoft Malware Protection.

    Based on my research, after a new definition update, the old MpKsl service would be deleted and a new MpKsl service would be started.

    You could try to uninstall Microsoft Security Essentials to check how it works.

    If this issue still exists, I suggest you post in our corresponding forum, which focuses on Microsoft Security Essentials issues:

    Microsoft Security Essentials
    https://answers.microsoft.com/en-us/protect/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl


  2. Anonymous Test 1 Reputation point
    2021-05-10T08:37:21.697+00:00

    Same problem here since 2021/05/06:


    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck A, {8, f, 0, fffff80219731a4b}

    *** WARNING: Unable to verify timestamp for MpKslDrv.sys
    *** ERROR: Module load completed but symbols could not be loaded for MpKslDrv.sys
    Probably caused by : MpKslDrv.sys ( MpKslDrv+b1d5 )

    Followup: MachineOwner


    5: kd> !analyze -v


    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high. This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 0000000000000008, memory referenced
    Arg2: 000000000000000f, IRQL
    Arg3: 0000000000000000, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: fffff80219731a4b, address which referenced memory

    Debugging Details:


    READ_ADDRESS: unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPagedPoolEnd
    unable to get nt!MmNonPagedPoolStart
    unable to get nt!MmSizeOfNonPagedPoolInBytes
    0000000000000008

    CURRENT_IRQL: f

    FAULTING_IP:
    nt!KeDeregisterBugCheckReasonCallback+3f
    fffff802`19731a4b 48395908 cmp qword ptr [rcx+8],rbx

    CUSTOMER_CRASH_COUNT: 1

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: AV

    PROCESS_NAME: System

    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

    TRAP_FRAME: ffffd00025fb64d0 -- (.trap 0xffffd00025fb64d0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
    rdx=ffffc002300ad700 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80219731a4b rsp=ffffd00025fb6660 rbp=ffffd00025fb6830
    r8=ffffc002300ad700 r9=00000000000007ff r10=ffffd001dab54320
    r11=ffffc0022e5f8560 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei pl zr na po nc
    nt!KeDeregisterBugCheckReasonCallback+0x3f:
    fffff80219731a4b 48395908 cmp qword ptr [rcx+8],rbx ds:0000000000000008=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff802197692e9 to fffff8021975e760

    STACK_TEXT:
    ffffd00025fb6388 fffff802197692e9 : 000000000000000a 0000000000000008 000000000000000f 0000000000000000 : nt!KeBugCheckEx
    ffffd00025fb6390 fffff80219767ac7 : ffffe001c479b1b0 ffffc0023a26f000 00000000000000af fffff80193320000 : nt!KiBugCheckDispatch+0x69
    ffffd00025fb64d0 fffff80219731a4b : 000000000001546e 00000000c0000002 0000000000000000 0000000000000000 : nt!KiPageFault+0x247
    ffffd00025fb6660 fffff8019332b1d5 : ffffe001c4518010 00000000c0000002 0000000000000000 fffff80200010110 : nt!KeDeregisterBugCheckReasonCallback+0x3f
    ffffd00025fb6690 ffffe001c4518010 : 00000000c0000002 0000000000000000 fffff80200010110 0000000000460044 : MpKslDrv+0xb1d5
    ffffd00025fb6698 00000000c0000002 : 0000000000000000 fffff80200010110 0000000000460044 fffff801933340f0 : 0xffffe001c4518010
    ffffd00025fb66a0 0000000000000000 : fffff80200010110 0000000000460044 fffff801933340f0 ffffe001`c4518010 : 0xc0000002

    STACK_COMMAND: kb

    FOLLOWUP_IP:
    MpKslDrv+b1d5
    fffff801`9332b1d5 488d5368 lea rdx,[rbx+68h]

    SYMBOL_STACK_INDEX: 4

    SYMBOL_NAME: MpKslDrv+b1d5

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: MpKslDrv

    IMAGE_NAME: MpKslDrv.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 3bb0694c

    FAILURE_BUCKET_ID: OLD_IMAGE_MpKslDrv.sys

    BUCKET_ID: OLD_IMAGE_MpKslDrv.sys

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:old_image_mpksldrv.sys

    FAILURE_ID_HASH: {3a18e1b4-4291-0614-9ea3-9371ece6202e}

    Followup: MachineOwner


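Added example, not code from the thread or from Microsoft: a small Python triage helper that parses the `!analyze -v` key/value fields and STACK_TEXT frames of the two dumps posted above (the question's and this answer's), takes the first non-nt module on the stack as the suspect, and groups dumps by SYMBOL_NAME so that several hosts failing at the same MpKslDrv+b1d5 offset are recognised as one driver issue rather than unrelated faults. The trimmed dump text is constructed from the output quoted in this thread.

```python
import re

# Constructed sample input: trimmed "!analyze -v" output for two crash dumps, taken from
# the two reports in this thread (the question's dump and the one in the second answer).
DUMP_A = """BUGCHECK_CODE: 7e
STACK_TEXT:
ffffb880bfaec660 fffff8078fc6b1d5 : ffffca01512abe30 00000000c0000002 0000000000000000 ffffb88000030190 : nt!KeDeregisterBugCheckReasonCallback+0x3f
ffffb880bfaec690 ffffca01512abe30 : 00000000c0000002 0000000000000000 ffffb88000030190 0000000000460044 : MpKslDrv+0xb1d5

SYMBOL_NAME: MpKslDrv+b1d5
IMAGE_NAME: MpKslDrv.sys
FAILURE_BUCKET_ID: AV_MpKslDrv!unknown_function"""
DUMP_B = """BUGCHECK_STR: AV
STACK_TEXT:
ffffd00025fb6388 fffff802197692e9 : 000000000000000a 0000000000000008 000000000000000f 0000000000000000 : nt!KeBugCheckEx
ffffd00025fb6690 ffffe001c4518010 : 00000000c0000002 0000000000000000 fffff80200010110 0000000000460044 : MpKslDrv+0xb1d5

SYMBOL_NAME: MpKslDrv+b1d5
IMAGE_NAME: MpKslDrv.sys
FAILURE_BUCKET_ID: OLD_IMAGE_MpKslDrv.sys"""

FIELD_RE = re.compile(r"^([A-Z][A-Z_0-9]*):[ \t]+(.+?)[ \t]*$", re.M)   # UPPER_CASE: value lines
STACK_RE = re.compile(r"STACK_TEXT:[ \t]*\n(.*?)(?:\n[ \t]*\n|\Z)", re.S)  # frames up to the blank line

def stack_modules(text):
    # Module of each STACK_TEXT frame, top of stack first; None for frames that are raw addresses
    m = STACK_RE.search(text)
    mods = []
    for line in (m.group(1).splitlines() if m else []):
        sym = line.rsplit(" : ", 1)[-1].strip()          # e.g. "MpKslDrv+0xb1d5"
        mods.append(None if sym.startswith("0x") else re.split(r"[!+]", sym, maxsplit=1)[0])
    return mods

def triage(text):
    f = dict(FIELD_RE.findall(text))
    # The first frame outside the kernel image (nt) is the usual suspect
    culprit = next((m for m in stack_modules(text) if m and m != "nt"), None)
    return {"bugcheck": f.get("BUGCHECK_CODE") or f.get("BUGCHECK_STR"),  # newer vs older WinDbg key
            "image": f.get("IMAGE_NAME"), "symbol": f.get("SYMBOL_NAME"), "culprit": culprit,
            # OLD_IMAGE_* buckets mean the debugger considered the module's build timestamp stale
            "old_image": f.get("FAILURE_BUCKET_ID", "").startswith("OLD_IMAGE_")}

def group_by_symbol(reports):
    # SYMBOL_NAME -> dump names; the same module+offset on several hosts points at one driver bug
    groups = {}
    for name, text in reports.items():
        groups.setdefault(triage(text)["symbol"], []).append(name)
    return groups
```

Feed it the saved text of `!analyze -v` from each affected server to see at a glance whether every crash lands in the same MpKslDrv offset.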

  3. Perfexpert 1 Reputation point
    2021-05-10T12:38:47.23+00:00

    Please confirm the other AV product installed on the server, as the same thing was happening with us. Also, was the server rebooted only once by this bug check code or multiple times? Please let me know.


  4. Shiv S Singh 1 Reputation point
    2021-05-10T16:28:47.89+00:00

    We also ran into the same issue, where our 2016 server crashed and the dump file points to an issue with MpKslDrv.sys. Is there any issue going on with recent Defender updates? Please confirm.


  5. Andy De Deckker 36 Reputation points
    2021-05-12T12:01:59.18+00:00

    I can confirm we also ran into this issue 4 days ago. (Windows Server 2016)
