MpKslDrv.sys BSOD

standuhuajun 76 Reputation points
2021-05-09T01:43:19.853+00:00

Hi,

We met a BSOD today. The following is the dump file; we can see the IMAGE_NAME: MpKslDrv.sys. So we want to know why MpKslDrv.sys would cause a BSOD. And what is this driver (MpKslDrv.sys)?

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\Stan.Du\Desktop\050921-32140-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

************* Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 10 Kernel Version 14393 MP (48 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 14393.4283.amd64fre.rs1_release.210303-1802
Machine Name:
Kernel base = 0xfffff80348c8d000 PsLoadedModuleList = 0xfffff80348f910a0
Debug session time: Sun May 9 02:06:52.403 2021 (UTC + 8:00)
System Uptime: 53 days 15:58:00.789
Loading Kernel Symbols
...............................................................
................................................................
...............................................................
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
*** WARNING: Unable to verify timestamp for MpKslDrv.sys
0: kd> !analyze -v


*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80348dbe107, The address that the exception occurred at
Arg3: ffffb880bfaec428, Exception Record Address
Arg4: ffffb880bfaebc70, Context Record Address

Debugging Details:


KEY_VALUES_STRING: 1

Key  : AV.Fault
Value: Read

Key  : Analysis.CPU.Sec
Value: 2

Key  : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CNSH-01CPIA13

Key  : Analysis.DebugData
Value: CreateObject

Key  : Analysis.DebugModel
Value: CreateObject

Key  : Analysis.Elapsed.Sec
Value: 2

Key  : Analysis.Memory.CommitPeak.Mb
Value: 77

Key  : Analysis.System
Value: CreateObject

DUMP_FILE_ATTRIBUTES: 0x8
Kernel Generated Triage Dump

BUGCHECK_CODE: 7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff80348dbe107

BUGCHECK_P3: ffffb880bfaec428

BUGCHECK_P4: ffffb880bfaebc70

EXCEPTION_RECORD: ffffb880bfaec428 -- (.exr 0xffffb880bfaec428)
ExceptionAddress: fffff80348dbe107 (nt!KeDeregisterBugCheckReasonCallback+0x000000000000003f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: ffffb880bfaebc70 -- (.cxr 0xffffb880bfaebc70)
rax=ffffca0129aff010 rbx=ffffca01512abe48 rcx=c2eb26500ccfaea2
rdx=0000000000000000 rsi=0000000000000000 rdi=ffffca01512abe00
rip=fffff80348dbe107 rsp=ffffb880bfaec660 rbp=ffffb880bfaec830
r8=0000000000000000 r9=fffff80348c8d000 r10=fffff80348fd0320
r11=ffff8f0e4079af50 r12=0000000000000000 r13=fffff8078fc76008
r14=ffffca0fdaa41b00 r15=ffffca00e9aba000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!KeDeregisterBugCheckReasonCallback+0x3f:
fffff80348dbe107 48395908 cmp qword ptr [rcx+8],rbx ds:002b:c2eb26500ccfaeaa=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

READ_ADDRESS: fffff80349033338: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
fffff80348f7edf0: Unable to get Flags value from nt!KdVersionBlock
ffffffffffffffff

ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

EXCEPTION_STR: 0xc0000005

STACK_TEXT:
ffffb880bfaec660 fffff8078fc6b1d5 : ffffca01512abe30 00000000c0000002 0000000000000000 ffffb88000030190 : nt!KeDeregisterBugCheckReasonCallback+0x3f
ffffb880bfaec690 ffffca01512abe30 : 00000000c0000002 0000000000000000 ffffb88000030190 0000000000460044 : MpKslDrv+0xb1d5
ffffb880bfaec698 00000000c0000002 : 0000000000000000 ffffb88000030190 0000000000460044 fffff8078fc740f0 : 0xffffca01512abe30
ffffb880bfaec6a0 0000000000000000 : ffffb88000030190 0000000000460044 fffff8078fc740f0 ffffca01512abe30 : 0xc0000002

SYMBOL_NAME: MpKslDrv+b1d5

MODULE_NAME: MpKslDrv

IMAGE_NAME: MpKslDrv.sys

STACK_COMMAND: .cxr 0xffffb880bfaebc70 ; kb

BUCKET_ID_FUNC_OFFSET: b1d5

FAILURE_BUCKET_ID: AV_MpKslDrv!unknown_function

OS_VERSION: 10.0.14393.4283

BUILDLAB_STR: rs1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {6edae0dc-9dc2-be77-fe82-074577005d71}

Followup: MachineOwner


Windows Server 2016
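
An added example, not part of the original post and not Microsoft tooling: a short Python check over lines copied from the dump above that recomputes the operand address of the faulting `cmp` from the saved registers and tests it for x64 canonical form. On x64 a non-canonical access is reported as an access violation with address ffffffffffffffff, which is why the exception record does not show the real pointer; the function names and the 48-bit address width are assumptions of this example.

```python
import re

# Lines copied from the !analyze -v output in the question above.
DUMP = """\
ExceptionCode: c0000005 (Access violation)
Parameter[1]: ffffffffffffffff
rax=ffffca0129aff010 rbx=ffffca01512abe48 rcx=c2eb26500ccfaea2
fffff80348dbe107 48395908 cmp qword ptr [rcx+8],rbx ds:002b:c2eb26500ccfaeaa=????????????????
ffffb880bfaec660 fffff8078fc6b1d5 : ffffca01512abe30 00000000c0000002 0000000000000000 ffffb88000030190 : nt!KeDeregisterBugCheckReasonCallback+0x3f
ffffb880bfaec690 ffffca01512abe30 : 00000000c0000002 0000000000000000 ffffb88000030190 0000000000460044 : MpKslDrv+0xb1d5
"""
MASK64 = (1 << 64) - 1
FRAME = r"^[0-9a-f]{16} [0-9a-f]{16} : .* : (\w+)(?:!(\w+))?\+0x([0-9a-f]+)$"

def is_canonical(addr, va_bits=48):
    """x64 canonical form: bits 63..(va_bits-1) are all 0 or all 1 (48-bit VA assumed)."""
    top = addr >> (va_bits - 1)
    return top in (0, (1 << (65 - va_bits)) - 1)

def triage(text):
    # Saved general-purpose registers from the .cxr context record.
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)}
    # Memory operand of the faulting instruction; only the [base+disp] form is handled here.
    base, sign, disp = re.search(r"\[(r[a-z0-9]{1,2})([+-])([0-9a-f]+)h?\]", text).groups()
    ea = (regs[base] + int(sign + disp, 16)) & MASK64
    # The debugger's own segment:address annotation and the address in the exception record.
    shown = int(re.search(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{16})=", text).group(1), 16)
    reported = int(re.search(r"Parameter\[1\]: ([0-9a-f]{16})", text).group(1), 16)
    # Stack frames as (module, symbol, offset); the first frame is the faulting function.
    frames = re.findall(FRAME, text, re.M)
    outside_nt = next(f"{m}+0x{o}" for m, _, o in frames if m != "nt")
    return {
        "effective_address": ea,
        "matches_debugger": ea == shown,
        "canonical": is_canonical(ea),
        "reported_is_placeholder": reported == MASK64 and not is_canonical(ea),
        "faulting_function": "!".join(frames[0][:2]),
        "first_non_nt_frame": outside_nt,
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```

The result says only that the kernel routine dereferenced a non-canonical pointer while called from MpKslDrv+0xb1d5; it does not by itself identify which component wrote that value.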

6 answers

  1. Michael Phillips 1 Reputation point
    2021-05-27T13:17:42.323+00:00

    We have run into this with Server 2016. Is there any update/fix for this?