Wednesday, February 12, 2014

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) NETIO.sys Debugging

This will be my first among many debugging tutorials (aside from older ones)! I very much want to get back into writing tutorials for a few reasons, but the main is that they are very fun, and I obviously learn more and more every day! Another thing about tutorials is they are all over the web on various blogs, forums, etc, but many have different styles of the way they were written. Some may contain more info, etc, and different methods of explaining, etc. My goal with everything regarding debugging has always and will always be explain as much as my personal knowledge permits, and do it in the way that anyone that doesn't know how to do it can learn it by reading and then performing it hands on by themselves.

--------------------

Let's get started! We're going to start off with the *D1 bug check, but more specifically when NETIO.sys is the labeled fault of the crash. I've been debugging online on various forums for a little over two years now, and in the past few months to a year, I have seen a huge increase in NETIO.sys *D1's. I am going to tell you right now that NETIO.sys *D1 bug checks are caused 100% of the time from what I have seen (and I have debugged and solved MANY NETIO.sys *D1's) by either the following:

1. Network drivers themselves; whether they need to be updated, reinstalled due to corruption, rolled back due to bug in latest version, etc.

2. 3rd party antivirus or firewall software causing NETBIOS and/or network related conflicts.
 (99% of the time #2 is the cause, and rarely have I seen #1 but it's of course possible).
Right, so with all of this said, what's NETIO.sys? NETIO.sys is Microsoft Windows' Network I/O Subsystem.

First of all, Input and Output (I/O) is actually extremely in-depth and will not be explained in this blog post. If you of course would however like to read about it and learn (which I highly recommend), read the following from the msdn website.

More specifically, we're interested in Network I/O operations in this regard - msdn link here

--------------------

With this said, the basic definition (per msdn) for the *D1 bug check is the following:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.
A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses. 
So, this is a fairly standard explanation for a person who understands how Windows' memory manager works. If you don't however, you can kinda sorta get the gist of it, but at the same time it may not really mean much to you. Let's go into detail on the memory manager subsystem, because we're all about learning!

Windows' memory manager runs at IRQL 0 (PASSIVE_LEVEL), which is the layer that threads run at. If for example a driver attempts to access memory that is not currently in RAM (paged), this will cause an exception (thrown by the processor). When this exception happens, Windows' memory manager will go ahead and catch the exception, fetch memory from the hard disk, and then finally the processor will then go ahead and return to the driver that attempted to access this memory which was not paged, but at this point will now be paged.

Alright, great, so why do we get this bug check? *D1 occurs when a driver attempts to access memory that is running at a higher IRQL. This is not good (clearly), because when the driver attempts to access paged-out memory at IRQL[n] (I use (n) because there are different levels, but I will go ahead and say that 2 is the most common, so from this point on I will use 2), Windows' memory manager will page-in the memory and run at IRQL 0. This cannot happen, so Windows' memory manager will bug check the system as a deadlock will occur.

This can also occur not only if a driver attempts to access memory that is running at a higher IRQL, but if a driver attempts to access an invalid memory address.

--------------------

Now that we have all of that said, let's move onto an example crash dump (just a random *D1 NETIO.sys dump from a user that I managed to dig up):

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80000f8c43f, address which referenced memory

Debugging Details:
------------------
Right away we can see that the 2nd parameter and/or argument of the *D1 bug check itself is 0000000000000002 (2) as I mentioned earlier. There are various other ways to display the parameters of a bug check in different ways.

For example, by running the .bugcheck command:

0: kd> .bugcheck
Bugcheck code 000000D1
Arguments 00000000`00000028 00000000`00000002 00000000`00000000 fffff800`00f8c43f

I've highlighted where '00000000`00000002' = 2.

Before running !analyze v it's listed:

BugCheck D1, {28, 2, 0, fffff80000f8c43f}
It's also listed after running !analyze v further in the dump:

CURRENT_IRQL:  2
So, with this specific crash dump, it was a minidump and didn't contain very much information. For example, just have a look at the call stack:

STACK_TEXT: 
ffffd000`253ab288 fffff801`9776d7e9 : 00000000`0000000a 00000000`00000028 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd000`253ab290 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
We can see from the stack that we just have Windows' usual error handling and fault tolerance bug check related routines. No driver calls, etc. Very dead stack. Let's go ahead and refer to the FBID:

FAILURE_BUCKET_ID:  X64_0xD1_NETIO!RtlCopyBufferToMdl+1f
We can see the fault of the crash is NETIO.sys (calling into?) the RtlCopyBufferToMdl routine. I am not entirely sure actually what this routine implies, however just from knowing the acronyms...

Rtl = Run-Time Library.

Mdl = Memory Descriptor List.

I can imagine there's some sort of buffer being copied from an RTL routine to an MDL. So, what does this mean to us? Well, nothing really. It's a minidump with not very much information. All we know is something is conflicting with NETIO.sys. Let's go ahead and take a look at the loaded modules list (Debug > Modules). Now, in NETIO.sys dumps you are going to want to check for popular antivirus drivers. I would list them here, but there are so many. I think I'll add them over time. I will just go ahead and let you know that this specific dump contained ggc.sys which is a driver in relation to Quick Heal AntiVirus.

0: kd> lmvm ggc
start             end                 module name
fffff800`01600000 fffff800`01618000   ggc        (deferred)           
    Image path: \SystemRoot\system32\DRIVERS\ggc.sys
    Image name: ggc.sys
    Timestamp:        Wed Sep 04 02:43:22 2013
So, there's ggc.sys. Now, at this point I recommend removal of QuickHeal and explained that it was likely causing network related conflicts, which in turn caused the system to crash. After QuickHeal was removed, the crashes stopped.

--------------------

-- Today when I wake up I will add a list of antiviruses and firewalls that I have seen cause this bug check.

54 comments:

  1. hi Patrick

    not really understand how you figure out the problem is related to ggc.sys, could you elaborate a bit? I'm struggling in a similar situation for a while

    thanks

    ReplyDelete
  2. Thank you very much i understand what you saying it is amazing i really impressive your article its amazing work done dude
    Tony Stark Hoodie

    ReplyDelete
  3. This is the first time that I visit here. I found so many exciting matters in this particular blog, One thing I would like to request you that pls keep posting such type of informative blog. James Bond Jacket

    ReplyDelete
  4. I appreciate this blog your blog is vert help full for me i really enjoyed this stuff dude. Top Gun Jacket

    ReplyDelete
  5. Great information about wilderness for beginners giving the opportunity for new people. Van Helsing Coat

    ReplyDelete
  6. I read this article. I think You put a lot of effort to create this article. I appreciate your work.
    Gaming Jackets

    ReplyDelete
  7. “Barbie Doll” by Marge Piercy mirrors the life story of a typical girl, who, since her childhood, falls victim to conventionality reigning in a society and eventually dies. The following short description will explain you everything in short https://best-writing-service.net/essays/literature/barbie-doll-by-marge-piercy.html

    ReplyDelete
  8. This is the first time that I visit here. I found so many exciting matters in this particular blog,halloween leather jacket One thing I would like to request you that please keep posting such type of informatics blog.

    ReplyDelete
  9. Our the purpose is to share the reviews about the latest Jackets,Coats and Vests also share the related Movies,Gaming, Casual,Faux Leather and Leather materials available Thomas Shelby Coat

    ReplyDelete
  10. Nice Blog !
    Here We are Specialist in Manufacturing of Movies, Gaming, Casual, Faux Leather Jackets, Coats And Vests See Eddie Murphy Detroit Lions Jacket

    ReplyDelete
  11. The great website and information shared are also very appreciable. Usmle Step 3

    ReplyDelete
  12. No doubt, your article is very knowledgeable. Post more articles
    deku jacket
    mens jacket

    ReplyDelete
  13. Cheerleading Varsity Red Bomber Glee Cheerios Jacket SHOP NOW......

    ReplyDelete
  14. Thanks for sharing this informative blog, keep sharing informative content blog.
    SalezShark
    CRM software in Bangalore
    is developed and strategized ideally. Its techniques are customized to manage and analyze the customers efficiently. CRM software Bangalore Makes use of a group of businesses, especially designed to handle many organization Processes like customer information, track lead, and promotion.

    ReplyDelete
  15. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Keep posting. Thanks for sharing.
    Click here

    ReplyDelete
  16. This comment has been removed by the author.

    ReplyDelete
  17. Nice Blog. Thanks for sharing with us. Such amazing information.

    How to make your kitchen stylish effectively

    ReplyDelete
  18. Your post was amazing. I love it to recommend Leather Store to the users. Where they can crawl Exciting Products Super Star Jackets Platform is providing 100% Geniune Leather Products All products are available in Feasible Prices The best seller SuperStar is offering amazing Leather Jackets to its customers. You can Click Here to get exciting Leather Products Offers

    ReplyDelete
  19. https://www.soorban.com/business/1593-best-xiaomi-phonesthe mid-range models of Xiaomi phones that can offer you attractive models to buy. These models often have good prices and features that make them the most sold.

    ReplyDelete
  20. Such an interesting article here.I was searching for something like that for quite a long time and at last I have found it here.
    Marty Mcfly Denim Jacket

    ReplyDelete
  21. Thanks for the best blog. it was very useful for me.keep sharing such ideas in the future as well. Donovan Mitchell Jacket

    ReplyDelete
  22. Hy I'm Designer For Customize Leather Jackets. Please Visit Our Website. Johnny Depp Motorcycle Faux Leather Jacket

    ReplyDelete
  23. Alon Digital Currency is one of the tokens in the cryptocurrency market. This token entered the global cryptocurrency market https://isiarticles.com/blog/143 in April 2021. Kevin Market Cup has referred to this currency as Meem Coin, but the creators claim that Alon Currency has big goals and serious projects.

    ReplyDelete
  24. Wow such an amazing content i never read this before keep it up and keep sharing with us more useful information. Check this gmg transport coupon code now and avail it.

    ReplyDelete
  25. These jackets are the perfect jackets for casual use. They can keep you warm in extreme conditions. Moreover, these jackets are comfortable and stylish so they can slay at almost any gathering.
    Pelle Pelle Soda Club Leather Jacket

    ReplyDelete
  26. Saving Cents Together provide different promo code for brands of all categories you can avail them and save your money on items

    ReplyDelete
  27. Elon Currency Development Team believes that this currency is completely different from صرافی نیل Sheiba or Dodge Quinn digital currency and is a token that is developing day by day.

    ReplyDelete
  28. Thanks for writing a superb Blog. On this website, I always see quality-dependent articles. I also follow you. I want to be the best blogger like you—every time I like to read your writing stuff because I get very useful content there. You do great work. home maintenance services dubai

    ReplyDelete
  29. HARDCORE CYCLES was started in the Greater Philadelphia area by a group of tight friends with a passion for V-Twin performance aftermarket parts.Visit our Website Thanks
    Progressive 465 Series Shock for Softails

    ReplyDelete
  30. Fortune Jackets Care for your Fashion Requirements. We Uphold the Premium Quality Custom Deigns Leather jackets. Visit My site Best Custom Leather Jackets Thanks.

    ReplyDelete
  31. Your post was amazing. I love it to recommend Leather Store to the users. Where they can crawl Exciting Products Super Star Jackets Platform is providing 100% Geniune Leather Products All products are available in Feasible Prices The best seller SuperStar is offering amazing Leather Jackets to its customers. You can Click Here to get exciting Leather Products Offers

    ReplyDelete
  32. Generally unprecedented done, I think it is bewildering the way that you've related with such vast people across the world! I feel truly leaned toward to see the inflexible you oblige others notwithstanding being limited nasa bomber jacket

    ReplyDelete
  33. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!Supreme Scarface Jacket

    ReplyDelete
  34. I am very impressed to read this blog. I hope you will continue to upload similar blogs. Thank you very much. I have an online store with the name FLYING LEATHER JACKET please visit for an awesome collection.
    MEN AVIATOR LEATHER JACKETS
    B3 BOMBER JACKETS
    MOTOGP LEATHER SUIT
    MOTOGP LEATHER JACKETS

    ReplyDelete
  35. We are looking for an informative post it is very helpful thanks for sharing it. We are offering all types of leather jackets with worldwide free shipping.
    Black Leather Jacket
    Leather Bomber Jacket
    Mens Biker Leather Jacket
    Western Leather Jackets

    ReplyDelete
  36. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!The 355 Outfits

    ReplyDelete
  37. I am so happy to come across this piece of write up, very much advanced my understanding to the next top level. Great job and continue to do same.Oscar Isaac Moon Knight Jacket

    ReplyDelete


  38. This is the first time that I visit here. I found so many exciting matters in this particular blog. Dr.Michael Morbius Black Leather Coat

    ReplyDelete
  39. "When it comes to internet mentions in Pakistan, Pizzeria has a significant lead over Pizzeria. However, not all of the results were beneficial for the pizza brand; in Pakistan, just 18 percent of Pizzeria-related remarks were positive. pizza fries online order karachi
    Location: karachi, Pakistan
    Phone Orders: (021) 111 981 111
    Email Orders: info@pizzeria.com.pk
    WhatsApp: +92 311 1981111"

    ReplyDelete
  40. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!Suede Leather Studs Jacket

    ReplyDelete

  41. Thanks for sharing your precious time to create this post, it's so informative, and the content makes the post more interesting. really appreciated. negan jacket

    ReplyDelete
  42. We introduces ourselves as a leading Manufacturer & Exporters of complete range of Fitness wear as well as other Garments Wear.

    lwisonsapparel
    Baseball Uniform
    Momber Jacket
    Hoodies
    Soccer Uniform

    ReplyDelete
  43. Thank You Very Much For This Wonderful Blog. I Really Enjoy It. I've Never Read Such Informative Content Before. I'll Keep Sharing Such Information With Us Men Brown Leather Jacket

    ReplyDelete