Wednesday, February 12, 2014

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) NETIO.sys Debugging

This will be my first among many debugging tutorials (aside from older ones)! I very much want to get back into writing tutorials for a few reasons, but the main is that they are very fun, and I obviously learn more and more every day! Another thing about tutorials is they are all over the web on various blogs, forums, etc, but many have different styles of the way they were written. Some may contain more info, etc, and different methods of explaining, etc. My goal with everything regarding debugging has always and will always be explain as much as my personal knowledge permits, and do it in the way that anyone that doesn't know how to do it can learn it by reading and then performing it hands on by themselves.

--------------------

Let's get started! We're going to start off with the *D1 bug check, but more specifically when NETIO.sys is the labeled fault of the crash. I've been debugging online on various forums for a little over two years now, and in the past few months to a year, I have seen a huge increase in NETIO.sys *D1's. I am going to tell you right now that NETIO.sys *D1 bug checks are caused 100% of the time from what I have seen (and I have debugged and solved MANY NETIO.sys *D1's) by either the following:

1. Network drivers themselves; whether they need to be updated, reinstalled due to corruption, rolled back due to bug in latest version, etc.

2. 3rd party antivirus or firewall software causing NETBIOS and/or network related conflicts.
 (99% of the time #2 is the cause, and rarely have I seen #1 but it's of course possible).
Right, so with all of this said, what's NETIO.sys? NETIO.sys is Microsoft Windows' Network I/O Subsystem.

First of all, Input and Output (I/O) is actually extremely in-depth and will not be explained in this blog post. If you of course would however like to read about it and learn (which I highly recommend), read the following from the msdn website.

More specifically, we're interested in Network I/O operations in this regard - msdn link here

--------------------

With this said, the basic definition (per msdn) for the *D1 bug check is the following:

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.
A driver tried to access an address that is pageable (or that is completely invalid) while the IRQL was too high. This bug check is usually caused by drivers that have used improper addresses. 
So, this is a fairly standard explanation for a person who understands how Windows' memory manager works. If you don't however, you can kinda sorta get the gist of it, but at the same time it may not really mean much to you. Let's go into detail on the memory manager subsystem, because we're all about learning!

Windows' memory manager runs at IRQL 0 (PASSIVE_LEVEL), which is the layer that threads run at. If for example a driver attempts to access memory that is not currently in RAM (paged), this will cause an exception (thrown by the processor). When this exception happens, Windows' memory manager will go ahead and catch the exception, fetch memory from the hard disk, and then finally the processor will then go ahead and return to the driver that attempted to access this memory which was not paged, but at this point will now be paged.

Alright, great, so why do we get this bug check? *D1 occurs when a driver attempts to access memory that is running at a higher IRQL. This is not good (clearly), because when the driver attempts to access paged-out memory at IRQL[n] (I use (n) because there are different levels, but I will go ahead and say that 2 is the most common, so from this point on I will use 2), Windows' memory manager will page-in the memory and run at IRQL 0. This cannot happen, so Windows' memory manager will bug check the system as a deadlock will occur.

This can also occur not only if a driver attempts to access memory that is running at a higher IRQL, but if a driver attempts to access an invalid memory address.

--------------------

Now that we have all of that said, let's move onto an example crash dump (just a random *D1 NETIO.sys dump from a user that I managed to dig up):

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000028, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80000f8c43f, address which referenced memory

Debugging Details:
------------------
Right away we can see that the 2nd parameter and/or argument of the *D1 bug check itself is 0000000000000002 (2) as I mentioned earlier. There are various other ways to display the parameters of a bug check in different ways.

For example, by running the .bugcheck command:

0: kd> .bugcheck
Bugcheck code 000000D1
Arguments 00000000`00000028 00000000`00000002 00000000`00000000 fffff800`00f8c43f

I've highlighted where '00000000`00000002' = 2.

Before running !analyze v it's listed:

BugCheck D1, {28, 2, 0, fffff80000f8c43f}
It's also listed after running !analyze v further in the dump:

CURRENT_IRQL:  2
So, with this specific crash dump, it was a minidump and didn't contain very much information. For example, just have a look at the call stack:

STACK_TEXT: 
ffffd000`253ab288 fffff801`9776d7e9 : 00000000`0000000a 00000000`00000028 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd000`253ab290 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x69
We can see from the stack that we just have Windows' usual error handling and fault tolerance bug check related routines. No driver calls, etc. Very dead stack. Let's go ahead and refer to the FBID:

FAILURE_BUCKET_ID:  X64_0xD1_NETIO!RtlCopyBufferToMdl+1f
We can see the fault of the crash is NETIO.sys (calling into?) the RtlCopyBufferToMdl routine. I am not entirely sure actually what this routine implies, however just from knowing the acronyms...

Rtl = Run-Time Library.

Mdl = Memory Descriptor List.

I can imagine there's some sort of buffer being copied from an RTL routine to an MDL. So, what does this mean to us? Well, nothing really. It's a minidump with not very much information. All we know is something is conflicting with NETIO.sys. Let's go ahead and take a look at the loaded modules list (Debug > Modules). Now, in NETIO.sys dumps you are going to want to check for popular antivirus drivers. I would list them here, but there are so many. I think I'll add them over time. I will just go ahead and let you know that this specific dump contained ggc.sys which is a driver in relation to Quick Heal AntiVirus.

0: kd> lmvm ggc
start             end                 module name
fffff800`01600000 fffff800`01618000   ggc        (deferred)           
    Image path: \SystemRoot\system32\DRIVERS\ggc.sys
    Image name: ggc.sys
    Timestamp:        Wed Sep 04 02:43:22 2013
So, there's ggc.sys. Now, at this point I recommend removal of QuickHeal and explained that it was likely causing network related conflicts, which in turn caused the system to crash. After QuickHeal was removed, the crashes stopped.

--------------------

-- Today when I wake up I will add a list of antiviruses and firewalls that I have seen cause this bug check.

66 comments:

  1. hi Patrick

    not really understand how you figure out the problem is related to ggc.sys, could you elaborate a bit? I'm struggling in a similar situation for a while

    thanks

    ReplyDelete
  2. Thank you very much i understand what you saying it is amazing i really impressive your article its amazing work done dude
    Tony Stark Hoodie

    ReplyDelete
  3. Great information about wilderness for beginners giving the opportunity for new people. Van Helsing Coat

    ReplyDelete
  4. I read this article. I think You put a lot of effort to create this article. I appreciate your work.
    Gaming Jackets

    ReplyDelete
  5. “Barbie Doll” by Marge Piercy mirrors the life story of a typical girl, who, since her childhood, falls victim to conventionality reigning in a society and eventually dies. The following short description will explain you everything in short https://best-writing-service.net/essays/literature/barbie-doll-by-marge-piercy.html

    ReplyDelete
  6. This is the first time that I visit here. I found so many exciting matters in this particular blog,halloween leather jacket One thing I would like to request you that please keep posting such type of informatics blog.

    ReplyDelete
  7. Thanks for sharing this informative blog, keep sharing informative content blog.
    SalezShark
    CRM software in Bangalore
    is developed and strategized ideally. Its techniques are customized to manage and analyze the customers efficiently. CRM software Bangalore Makes use of a group of businesses, especially designed to handle many organization Processes like customer information, track lead, and promotion.

    ReplyDelete
  8. Really nice and interesting post. I was looking for this kind of information and enjoyed reading this one. Keep posting. Thanks for sharing.
    Click here

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. https://www.soorban.com/business/1593-best-xiaomi-phonesthe mid-range models of Xiaomi phones that can offer you attractive models to buy. These models often have good prices and features that make them the most sold.

    ReplyDelete
  11. Thanks for the best blog. it was very useful for me.keep sharing such ideas in the future as well. Donovan Mitchell Jacket

    ReplyDelete
  12. Hy I'm Designer For Customize Leather Jackets. Please Visit Our Website. Johnny Depp Motorcycle Faux Leather Jacket

    ReplyDelete
  13. Alon Digital Currency is one of the tokens in the cryptocurrency market. This token entered the global cryptocurrency market https://isiarticles.com/blog/143 in April 2021. Kevin Market Cup has referred to this currency as Meem Coin, but the creators claim that Alon Currency has big goals and serious projects.

    ReplyDelete
  14. These jackets are the perfect jackets for casual use. They can keep you warm in extreme conditions. Moreover, these jackets are comfortable and stylish so they can slay at almost any gathering.
    Pelle Pelle Soda Club Leather Jacket

    ReplyDelete
  15. Elon Currency Development Team believes that this currency is completely different from صرافی نیل Sheiba or Dodge Quinn digital currency and is a token that is developing day by day.

    ReplyDelete
  16. Thanks for writing a superb Blog. On this website, I always see quality-dependent articles. I also follow you. I want to be the best blogger like you—every time I like to read your writing stuff because I get very useful content there. You do great work. home maintenance services dubai

    ReplyDelete
  17. HARDCORE CYCLES was started in the Greater Philadelphia area by a group of tight friends with a passion for V-Twin performance aftermarket parts.Visit our Website Thanks
    Progressive 465 Series Shock for Softails

    ReplyDelete
  18. Generally unprecedented done, I think it is bewildering the way that you've related with such vast people across the world! I feel truly leaned toward to see the inflexible you oblige others notwithstanding being limited nasa bomber jacket

    ReplyDelete
  19. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!Supreme Scarface Jacket

    ReplyDelete
  20. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!The 355 Outfits

    ReplyDelete
  21. I am so happy to come across this piece of write up, very much advanced my understanding to the next top level. Great job and continue to do same.Oscar Isaac Moon Knight Jacket

    ReplyDelete


  22. This is the first time that I visit here. I found so many exciting matters in this particular blog. Dr.Michael Morbius Black Leather Coat

    ReplyDelete
  23. "When it comes to internet mentions in Pakistan, Pizzeria has a significant lead over Pizzeria. However, not all of the results were beneficial for the pizza brand; in Pakistan, just 18 percent of Pizzeria-related remarks were positive. pizza fries online order karachi
    Location: karachi, Pakistan
    Phone Orders: (021) 111 981 111
    Email Orders: info@pizzeria.com.pk
    WhatsApp: +92 311 1981111"

    ReplyDelete
  24. I constantly read the smaller articles as well as clarify their motives, and that also happens with this article!Suede Leather Studs Jacket

    ReplyDelete
  25. yeezygaphoodies I never stop myself to express something about your nice work. You're working really hard.

    ReplyDelete
  26. Thanks for sharing such beautiful information with us. We hope you will share some more information about ovo clothing.

    ReplyDelete
  27. Thanks for sharing such beautiful information with us fmerchandise.

    ReplyDelete
  28. This comment has been removed by the author.

    ReplyDelete
  29. I never stop myself to express something about your nice work. champhoodies.com You're working really hard.

    ReplyDelete
  30. I never stop myself to express something about your nice work. You're working really hard.stussyclothing.net

    ReplyDelete
  31. Thanks for the information. I really like the way you express complex topics in a lucid way.yeezygapshop It really helps me understand it much better way.

    ReplyDelete
  32. It’s hard to find good quality writing.

    Computer Xperts is the official Alibaba Global Partner in Pakistan. It's the house of business Web Solutions, providing services since 1998. Computer Xpert (web experts) is the best web development company in Sialkot, Pakistan, to build your complete website and implement an adorable new website design.
    like yours these days. thanks for sharing this post.

    SEO Services in Lahore & Sialkot

    Best Pakistan Logo Design Company Sialkot

    Domain & Web Hosting in Sialkot

    Web Xperts Portfolio

    Web Development Services

    Alibaba Official Partner In Sialkot

    Alibaba Service Provider

    ReplyDelete
  33. Thanks very nice blog!. thanks for sharing.

    Dotleatherst Is One of the Best Station for Online Shopping.We Are Offering Premium Real Leather Jacket & Textile Collection for Mens & Womens.

    Visit Now.
    A2 Flight Jacket Mens


    Leather V-Bomber Jacket Men


    MensLeather Bomber Jackets


    Biker Leather Jacket Mens


    Fashion Jackets Mens for Sale

    ReplyDelete
  34. I feel extremely cheerful to have seen your post. I found the most beautiful and fascinating one. I am really extremely glad to visit stussycart your post.

    ReplyDelete
  35. I need information about free Training and Learning Program in London to Write My Research Paper and I would like to join these kinds of free classes. Things Merrill Jacket

    ReplyDelete
  36. Are you planning on moving long distance? If so, you may be considering hiring a moving company to help you out.
    5-benefits-of-hiring-long-distance-movers

    ReplyDelete
  37. I'm looking forward to acknowledge this website as one of the best for new information Infonexts-Wiki

    ReplyDelete
  38. Nice Post! We provide jamie yellowstone jacket for new collections clothing product on 2022.

    ReplyDelete
  39. I really enjoyed reading your blog - it was informative, well-written, and provided a fresh perspective on the topic.gallerydeptstore

    ReplyDelete
  40. The author's point throughout time is that the human body carries out its own functions even if the brain doesn't pay much attention to it. Of course, the brain can still slow down those functions or speed them up or just completely ignore them, but the body seems to regulate itself well in most cases. Maverick Jennifer Connelly Jacket

    ReplyDelete
  41. It was very useful for me. I'm happy I found this blog.
    jack torrance jacket


    ReplyDelete
  42. WHAT A EXCELLENT POST REALLY ENJOY SITE. Areena Design

    ReplyDelete
  43. what hat does beth dutton wear
    We serves as a powerful symbol of her unwavering determination and resilience. Its sharp and commanding design reflects her strong personality, reminding us that she is a force to be reckoned with

    ReplyDelete
  44. When you've got a mission, but staying cozy is a top priority Naruto Akatsuki Puffer Jacket

    ReplyDelete
  45. This yellowstone john dutton quilted jacket an ode to the one favored by the legendary John Dutton, is an embodiment of durability and style. It's the perfect companion for those chilly nights on the ranch or a casual night out in the town

    ReplyDelete
  46. This comment has been removed by the author.

    ReplyDelete
  47. I appreciate how you explained the potential causes and solutions clearly—it’s incredibly helpful for anyone dealing with this problem. Keep up the great work!

    ReplyDelete
  48. Debugging and reverse engineering require a meticulous, systematic approach, similar to how the red one outfits are carefully crafted for precision and impact. Just as these outfits stand out in their design, effective debugging uncovers hidden layers, identifying issues that are not immediately apparent but crucial for optimal performance.






    ReplyDelete