Wednesday, February 12, 2014


This will be my first among many debugging tutorials (aside from older ones)! I very much want to get back into writing tutorials for a few reasons, but the main is that they are very fun, and I obviously learn more and more every day! Another thing about tutorials is they are all over the web on various blogs, forums, etc, but many have different styles of the way they were written. Some may contain more info, etc, and different methods of explaining, etc. My goal with everything regarding debugging has always and will always be explain as much as my personal knowledge permits, and do it in the way that anyone that doesn't know how to do it can learn it by reading and then performing it hands on by themselves.


Let's get started! We're going to start off with the *D1 bug check, but more specifically when NETIO.sys is the labeled fault of the crash. I've been debugging online on various forums for a little over two years now, and in the past few months to a year, I have seen a huge increase in NETIO.sys *D1's. I am going to tell you right now that NETIO.sys *D1 bug checks are caused 100% of the time from what I have seen (and I have debugged and solved MANY NETIO.sys *D1's) by either the following:

1. Network drivers themselves; whether they need to be updated, reinstalled due to corruption, rolled back due to bug in latest version, etc.

2. 3rd party antivirus or firewall software causing NETBIOS and/or network related conflicts.
 (99% of the time #2 is the cause, and rarely have I seen #1 but it's of course possible).
Right, so with all of this said, what's NETIO.sys? NETIO.sys is Microsoft Windows' Network I/O Subsystem.

First of all, Input and Output (I/O) is actually extremely in-depth and will not be explained in this blog post. If you of course would however like to read about it and learn (which I highly recommend), read the following from the msdn website.

More specifically, we're interested in Network I/O operations in this regard - msdn link here


With this said, the basic definition (per msdn) for the *D1 bug check is the following:

This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.
A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses. 
So, this is a fairly standard explanation for a person who understands how Windows' memory manager works. If you don't however, you can kinda sorta get the gist of it, but at the same time it may not really mean much to you. Let's go into detail on the memory manager subsystem, because we're all about learning!

Windows' memory manager runs at IRQL 0 (PASSIVE_LEVEL), which is the layer that threads run at. If for example a driver attempts to access memory that is not currently in RAM (paged), this will cause an exception (thrown by the processor). When this exception happens, Windows' memory manager will go ahead and catch the exception, fetch memory from the hard disk, and then finally the processor will then go ahead and return to the driver that attempted to access this memory which was not paged, but at this point will now be paged.

Alright, great, so why do we get this bug check? *D1 occurs when a driver attempts to access memory that is running at a higher IRQL. This is not good (clearly), because when the driver attempts to access paged-out memory at IRQL[n] (I use (n) because there are different levels, but I will go ahead and say that 2 is the most common, so from this point on I will use 2), Windows' memory manager will page-in the memory and run at IRQL 0. This cannot happen, so Windows' memory manager will bug check the system as a deadlock will occur.

This can also occur not only if a driver attempts to access memory that is running at a higher IRQL, but if a driver attempts to access an invalid memory address.


Now that we have all of that said, let's move onto an example crash dump (just a random *D1 NETIO.sys dump from a user that I managed to dig up):

0: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80000f8c43f, address which referenced memory

Debugging Details:
Right away we can see that the 2nd parameter and/or argument of the *D1 bug check itself is 0000000000000002 (2) as I mentioned earlier. There are various other ways to display the parameters of a bug check in different ways.

For example, by running the .bugcheck command:

0: kd> .bugcheck
Bugcheck code 000000D1
Arguments 00000000`00000028 00000000`00000002 00000000`00000000 fffff800`00f8c43f

I've highlighted where '00000000`00000002' = 2.

Before running !analyze v it's listed:

BugCheck D1, {28, 2, 0, fffff80000f8c43f}
It's also listed after running !analyze v further in the dump:

So, with this specific crash dump, it was a minidump and didn't contain very much information. For example, just have a look at the call stack:

ffffd000`253ab288 fffff801`9776d7e9 : 00000000`0000000a 00000000`00000028 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd000`253ab290 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
We can see from the stack that we just have Windows' usual error handling and fault tolerance bug check related routines. No driver calls, etc. Very dead stack. Let's go ahead and refer to the FBID:

FAILURE_BUCKET_ID:  X64_0xD1_NETIO!RtlCopyBufferToMdl+1f
We can see the fault of the crash is NETIO.sys (calling into?) the RtlCopyBufferToMdl routine. I am not entirely sure actually what this routine implies, however just from knowing the acronyms...

Rtl = Run-Time Library.

Mdl = Memory Descriptor List.

I can imagine there's some sort of buffer being copied from an RTL routine to an MDL. So, what does this mean to us? Well, nothing really. It's a minidump with not very much information. All we know is something is conflicting with NETIO.sys. Let's go ahead and take a look at the loaded modules list (Debug > Modules). Now, in NETIO.sys dumps you are going to want to check for popular antivirus drivers. I would list them here, but there are so many. I think I'll add them over time. I will just go ahead and let you know that this specific dump contained ggc.sys which is a driver in relation to Quick Heal AntiVirus.

0: kd> lmvm ggc
start             end                 module name
fffff800`01600000 fffff800`01618000   ggc        (deferred)           
    Image path: \SystemRoot\system32\DRIVERS\ggc.sys
    Image name: ggc.sys
    Timestamp:        Wed Sep 04 02:43:22 2013
So, there's ggc.sys. Now, at this point I recommend removal of QuickHeal and explained that it was likely causing network related conflicts, which in turn caused the system to crash. After QuickHeal was removed, the crashes stopped.


-- Today when I wake up I will add a list of antiviruses and firewalls that I have seen cause this bug check.


  1. hi Patrick

    not really understand how you figure out the problem is related to ggc.sys, could you elaborate a bit? I'm struggling in a similar situation for a while


  2. Thank you very much i understand what you saying it is amazing i really impressive your article its amazing work done dude
    Tony Stark Hoodie

  3. This is the first time that I visit here. I found so many exciting matters in this particular blog, One thing I would like to request you that pls keep posting such type of informative blog. James Bond Jacket

  4. I appreciate this blog your blog is vert help full for me i really enjoyed this stuff dude. Top Gun Jacket

  5. Great information about wilderness for beginners giving the opportunity for new people. Van Helsing Coat

  6. I read this article. I think You put a lot of effort to create this article. I appreciate your work.
    Gaming Jackets

  7. “Barbie Doll” by Marge Piercy mirrors the life story of a typical girl, who, since her childhood, falls victim to conventionality reigning in a society and eventually dies. The following short description will explain you everything in short

  8. This is the first time that I visit here. I found so many exciting matters in this particular blog,halloween leather jacket One thing I would like to request you that please keep posting such type of informatics blog.

  9. Our the purpose is to share the reviews about the latest Jackets,Coats and Vests also share the related Movies,Gaming, Casual,Faux Leather and Leather materials available Thomas Shelby Coat

  10. Nice Blog !
    Here We are Specialist in Manufacturing of Movies, Gaming, Casual, Faux Leather Jackets, Coats And Vests See Eddie Murphy Detroit Lions Jacket

  11. The great website and information shared are also very appreciable. Usmle Step 3

  12. No doubt, your article is very knowledgeable. Post more articles
    deku jacket
    mens jacket

  13. Thanks for sharing this informative blog, keep sharing informative content blog.
    CRM software in Bangalore
    is developed and strategized ideally. Its techniques are customized to manage and analyze the customers efficiently. CRM software Bangalore Makes use of a group of businesses, especially designed to handle many organization Processes like customer information, track lead, and promotion.

  14. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Keep posting. Thanks for sharing.
    Click here

  15. This comment has been removed by the author.

  16. Nice Blog. Thanks for sharing with us. Such amazing information.

    How to make your kitchen stylish effectively

  17. Your post was amazing. I love it to recommend Leather Store to the users. Where they can crawl Exciting Products Super Star Jackets Platform is providing 100% Geniune Leather Products All products are available in Feasible Prices The best seller SuperStar is offering amazing Leather Jackets to its customers. You can Click Here to get exciting Leather Products Offers

  18. mid-range models of Xiaomi phones that can offer you attractive models to buy. These models often have good prices and features that make them the most sold.

  19. Such an interesting article here.I was searching for something like that for quite a long time and at last I have found it here.
    Marty Mcfly Denim Jacket

  20. Thanks for the best blog. it was very useful for me.keep sharing such ideas in the future as well. Donovan Mitchell Jacket

  21. Hy I'm Designer For Customize Leather Jackets. Please Visit Our Website. Johnny Depp Motorcycle Faux Leather Jacket

  22. Alon Digital Currency is one of the tokens in the cryptocurrency market. This token entered the global cryptocurrency market in April 2021. Kevin Market Cup has referred to this currency as Meem Coin, but the creators claim that Alon Currency has big goals and serious projects.

  23. Wow such an amazing content i never read this before keep it up and keep sharing with us more useful information. Check this gmg transport coupon code now and avail it.

  24. These jackets are the perfect jackets for casual use. They can keep you warm in extreme conditions. Moreover, these jackets are comfortable and stylish so they can slay at almost any gathering.
    Pelle Pelle Soda Club Leather Jacket

  25. Saving Cents Together provide different promo code for brands of all categories you can avail them and save your money on items

  26. Elon Currency Development Team believes that this currency is completely different from صرافی نیل Sheiba or Dodge Quinn digital currency and is a token that is developing day by day.

  27. Thanks for writing a superb Blog. On this website, I always see quality-dependent articles. I also follow you. I want to be the best blogger like you—every time I like to read your writing stuff because I get very useful content there. You do great work. home maintenance services dubai

  28. HARDCORE CYCLES was started in the Greater Philadelphia area by a group of tight friends with a passion for V-Twin performance aftermarket parts.Visit our Website Thanks
    Progressive 465 Series Shock for Softails

  29. Fortune Jackets Care for your Fashion Requirements. We Uphold the Premium Quality Custom Deigns Leather jackets. Visit My site Best Custom Leather Jackets Thanks.

  30. Your post was amazing. I love it to recommend Leather Store to the users. Where they can crawl Exciting Products Super Star Jackets Platform is providing 100% Geniune Leather Products All products are available in Feasible Prices The best seller SuperStar is offering amazing Leather Jackets to its customers. You can Click Here to get exciting Leather Products Offers

  31. Generally unprecedented done, I think it is bewildering the way that you've related with such vast people across the world! I feel truly leaned toward to see the inflexible you oblige others notwithstanding being limited nasa bomber jacket

  32. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!Supreme Scarface Jacket

  33. I am very impressed to read this blog. I hope you will continue to upload similar blogs. Thank you very much. I have an online store with the name FLYING LEATHER JACKET please visit for an awesome collection.

  34. We are looking for an informative post it is very helpful thanks for sharing it. We are offering all types of leather jackets with worldwide free shipping.
    Black Leather Jacket
    Leather Bomber Jacket
    Mens Biker Leather Jacket
    Western Leather Jackets

  35. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!The 355 Outfits

  36. I am so happy to come across this piece of write up, very much advanced my understanding to the next top level. Great job and continue to do same.Oscar Isaac Moon Knight Jacket


  37. This is the first time that I visit here. I found so many exciting matters in this particular blog. Dr.Michael Morbius Black Leather Coat

  38. "When it comes to internet mentions in Pakistan, Pizzeria has a significant lead over Pizzeria. However, not all of the results were beneficial for the pizza brand; in Pakistan, just 18 percent of Pizzeria-related remarks were positive. pizza fries online order karachi
    Location: karachi, Pakistan
    Phone Orders: (021) 111 981 111
    Email Orders:
    WhatsApp: +92 311 1981111"

  39. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!Suede Leather Studs Jacket


  40. Thanks for sharing your precious time to create this post, it's so informative, and the content makes the post more interesting. really appreciated. negan jacket

  41. This blog always gives valuable content for it's visitors. Thank You for sharing.

  42. Visit our online store to buy northfacepufferjacket and get free delivery around globe northfacepufferjacket

  43. yeezygaphoodies I never stop myself to express something about your nice work. You're working really hard.

  44. Thanks for sharing such beautiful information with us. We hope you will share some more information about ovo clothing.

  45. Thanks for sharing such beautiful information with us fmerchandise.

  46. This comment has been removed by the author.

  47. I never stop myself to express something about your nice work. You're working really hard.

  48. I never stop myself to express something about your nice work. You're working really

  49. This is an incredibly inspiring article. I am basically satisfied with your great work. You put actually quite supportive Keep it up.

  50. Thanks for the information. I really like the way you express complex topics in a lucid way.yeezygapshop It really helps me understand it much better way.

  51. It’s hard to find good quality writing.

    Computer Xperts is the official Alibaba Global Partner in Pakistan. It's the house of business Web Solutions, providing services since 1998. Computer Xpert (web experts) is the best web development company in Sialkot, Pakistan, to build your complete website and implement an adorable new website design.
    like yours these days. thanks for sharing this post.

    SEO Services in Lahore & Sialkot

    Best Pakistan Logo Design Company Sialkot

    Domain & Web Hosting in Sialkot

    Web Xperts Portfolio

    Web Development Services

    Alibaba Official Partner In Sialkot

    Alibaba Service Provider

  52. Thanks very nice blog!. thanks for sharing.

    Dotleatherst Is One of the Best Station for Online Shopping.We Are Offering Premium Real Leather Jacket & Textile Collection for Mens & Womens.

    Visit Now.
    A2 Flight Jacket Mens

    Leather V-Bomber Jacket Men

    MensLeather Bomber Jackets

    Biker Leather Jacket Mens

    Fashion Jackets Mens for Sale

  53. This is a really too good post. This article gives truly quality and helpful information.

  54. I feel extremely cheerful to have seen your post. I found the most beautiful and fascinating one. I am really extremely glad to visit stussycart your post.

  55. I need information about free Training and Learning Program in London to Write My Research Paper and I would like to join these kinds of free classes. Things Merrill Jacket

  56. Are you planning on moving long distance? If so, you may be considering hiring a moving company to help you out.

  57. I'm looking forward to acknowledge this website as one of the best for new information Infonexts-Wiki

  58. Nice Post! We provide jamie yellowstone jacket for new collections clothing product on 2022.