BSOD tcpip.sys

#1
My System is a Desktop with the following hardware/software:
Software:
Windows 7 ultimate 64bt
McAfee VirusScan Enterprise +AntiSpyware Enterprise 8.8
Spyware Doctor 8.0.0.652

Hardware:
Hitachi Deskstar 2TB 7200RPM Sata 6.0Gb/s
LITE-ON 12x Blu-ray SATA
MSI 890GXM-G65 Motherboard
G. Skill Ripjaws X Series 8GB 240pin
AMD Phenom II X6 1100T 3.3GHz
APEVIA HTPC Case
500W Power Supply

I get a random BSOD once or twice a day here lately and I know it says something along these lines:
DRIVER_IRQL_NOT_LESS_OR_EQUAL
and something about tcpip.sys

It happens at random times. Minidumps attached. Please help!
 


Attachments

zigzag3143

Honorable Member
Microsoft MVP
#2
My System is a Desktop with the following hardware/software:
Software:
Windows 7 ultimate 64bt
McAfee VirusScan Enterprise +AntiSpyware Enterprise 8.8
Spyware Doctor 8.0.0.652

Hardware:
Hitachi Deskstar 2TB 7200RPM Sata 6.0Gb/s
LITE-ON 12x Blu-ray SATA
MSI 890GXM-G65 Motherboard
G. Skill Ripjaws X Series 8GB 240pin
AMD Phenom II X6 1100T 3.3GHz
APEVIA HTPC Case
500W Power Supply

I get a random BSOD once or twice a day here lately and I know it says something along these lines:
DRIVER_IRQL_NOT_LESS_OR_EQUAL
and something about tcpip.sys

It happens at random times. Minidumps attached. Please help!
When tcpip.sys is blamed it usually is one of two things. PCTools, and Zone alarm. Which ever you have remove it to test at least.

http://www.threatfire.com/files/RemoveThreatFire(3.0).zip

http://download.zonealarm.com/bin/free/support/cpes_clean.exe

Virus, Spyware & Malware Protection | Microsoft Security Essentials
 


#3
Okay I removed PCtools Spyware doctor to test and also found a thread on a possible fix if it is the cause. Where you able to find any other info from the minidumps?
 


zigzag3143

Honorable Member
Microsoft MVP
#4
Okay I removed PCtools Spyware doctor to test and also found a thread on a possible fix if it is the cause. Where you able to find any other info from the minidumps?

Um no you didnt remove PCTools. The latest crash still has it on and loaded (see snip). Also of note Macaffee is also a known cause of these type of crashes. So guess what I would recommend.

http://service.mcafee.com/FAQDocument.aspx?id=TS100507 View attachment 15038
 


kaos

Senior Member
#5
minidump

Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000000a, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff880018650f5, address which referenced memory
Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030c40e0
 000000000000000a 
CURRENT_IRQL:  2
FAULTING_IP: 
tcpip!IppSendDatagramsCommon+7a5
fffff880`018650f5 f6470a05        test    byte ptr [rdi+0Ah],5
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
TRAP_FRAME:  fffff88007574440 -- (.trap 0xfffff88007574440)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000b47c rbx=0000000000000000 rcx=00000000154b9f31
rdx=000000000000000d rsi=0000000000000000 rdi=0000000000000000
rip=fffff880018650f5 rsp=fffff880075745d0 rbp=fffffa8010ea0890
 r8=0000000000000000  r9=fffff8800185c72e r10=0000000000000000
r11=fffffa8010fa2200 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac pe nc
tcpip!IppSendDatagramsCommon+0x7a5:
fffff880`018650f5 f6470a05        test    byte ptr [rdi+0Ah],5 ds:9310:00000000`0000000a=??
Resetting default scope
LAST_CONTROL_TRANSFER:  from fffff80002e8bc69 to fffff80002e8c700
STACK_TEXT:  
fffff880`075742f8 fffff800`02e8bc69 : 00000000`0000000a 00000000`0000000a 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`07574300 fffff800`02e8a8e0 : fffffa80`10ec0220 00000000`0000059e fffffa80`0af8cc90 fffffa80`0b280080 : nt!KiBugCheckDispatch+0x69
fffff880`07574440 fffff880`018650f5 : 00000000`00000000 00000000`00000002 fffffa80`0b280045 00000000`0000ba05 : nt!KiPageFault+0x260
fffff880`075745d0 fffff880`01935859 : fffffa80`07342b40 fffffa80`10ea0704 fffff880`0196c9a0 fffffa80`0b350280 : tcpip!IppSendDatagramsCommon+0x7a5
fffff880`075748a0 fffff880`0179e74b : 00000000`00000000 00000000`00000004 fffff880`07574be0 fffffa80`10ea0760 : tcpip!IppInspectInjectTlSend+0x1b9
fffff880`075749c0 fffff880`0179e823 : 00000000`00000000 00000000`00000000 fffffa80`06753a01 00000000`00000000 : fwpkclnt!FwppInjectTransportSendAsync+0x41f
fffff880`07574aa0 fffff880`02e69572 : fffff880`07574bc0 fffff880`07574b20 fffffa80`0b348000 00000000`00000000 : fwpkclnt!FwpsInjectTransportSendAsync0+0x63
fffff880`07574b10 fffff880`07574bc0 : fffff880`07574b20 fffffa80`0b348000 00000000`00000000 fffff880`07574be0 : PctWfpFilter64+0x11572
fffff880`07574b18 fffff880`07574b20 : fffffa80`0b348000 00000000`00000000 fffff880`07574be0 fffff880`02e50002 : 0xfffff880`07574bc0
fffff880`07574b20 fffffa80`0b348000 : 00000000`00000000 fffff880`07574be0 fffff880`02e50002 00000000`00000001 : 0xfffff880`07574b20
fffff880`07574b28 00000000`00000000 : fffff880`07574be0 fffff880`02e50002 00000000`00000001 fffffa80`10ea0760 : 0xfffffa80`0b348000

STACK_COMMAND:  kb
FOLLOWUP_IP: 
fwpkclnt!FwppInjectTransportSendAsync+41f
fffff880`0179e74b 8b942484000000  mov     edx,dword ptr [rsp+84h]
SYMBOL_STACK_INDEX:  5
SYMBOL_NAME:  fwpkclnt!FwppInjectTransportSendAsync+41f
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: fwpkclnt
IMAGE_NAME:  fwpkclnt.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc164
FAILURE_BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
Followup: MachineOwner
---------
Code:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 000000000000000a, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88001a670f5, address which referenced memory
Debugging Details:
------------------

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032fd0e0
 000000000000000a 
CURRENT_IRQL:  2
FAULTING_IP: 
tcpip!IppSendDatagramsCommon+7a5
fffff880`01a670f5 f6470a05        test    byte ptr [rdi+0Ah],5
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0xD1
PROCESS_NAME:  System
TRAP_FRAME:  fffff88005732440 -- (.trap 0xfffff88005732440)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000a0d rbx=0000000000000000 rcx=000000000a0d0000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001a670f5 rsp=fffff880057325d0 rbp=fffffa800ca5ba30
 r8=0000000000000002  r9=fffff88001a5e72e r10=0000000000000000
r11=fffffa8012d519c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac pe nc
tcpip!IppSendDatagramsCommon+0x7a5:
fffff880`01a670f5 f6470a05        test    byte ptr [rdi+0Ah],5 ds:1310:00000000`0000000a=??
Resetting default scope
LAST_CONTROL_TRANSFER:  from fffff800030c4c69 to fffff800030c5700
STACK_TEXT:  
fffff880`057322f8 fffff800`030c4c69 : 00000000`0000000a 00000000`0000000a 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`05732300 fffff800`030c38e0 : fffffa80`0acf7080 00000000`00000002 fffffa80`0a804201 fffff880`057324e0 : nt!KiBugCheckDispatch+0x69
fffff880`05732440 fffff880`01a670f5 : 00000000`00000000 00000000`00000002 fffffa80`0acf0045 00000000`00001e00 : nt!KiPageFault+0x260
fffff880`057325d0 fffff880`01b37859 : fffffa80`07342b40 fffffa80`0ca5b904 fffff880`01b6e9a0 fffffa80`06b95db0 : tcpip!IppSendDatagramsCommon+0x7a5
fffff880`057328a0 fffff880`019bd74b : fffffa80`0acf7080 00000000`00000004 fffff880`05732be0 fffffa80`0ca5b900 : tcpip!IppInspectInjectTlSend+0x1b9
fffff880`057329c0 fffff880`019bd823 : 00000000`00000000 00000000`00000000 fffffa80`067cab01 00000000`00000000 : fwpkclnt!FwppInjectTransportSendAsync+0x41f
fffff880`05732aa0 fffff880`02ef1572 : fffff880`05732bc0 fffff880`05732b20 fffffa80`0b187900 00000000`00000000 : fwpkclnt!FwpsInjectTransportSendAsync0+0x63
fffff880`05732b10 fffff880`05732bc0 : fffff880`05732b20 fffffa80`0b187900 00000000`00000000 fffff880`05732be0 : PctWfpFilter64+0x11572
fffff880`05732b18 fffff880`05732b20 : fffffa80`0b187900 00000000`00000000 fffff880`05732be0 fffff880`02ee0002 : 0xfffff880`05732bc0
fffff880`05732b20 fffffa80`0b187900 : 00000000`00000000 fffff880`05732be0 fffff880`02ee0002 00000000`00000001 : 0xfffff880`05732b20
fffff880`05732b28 00000000`00000000 : fffff880`05732be0 fffff880`02ee0002 00000000`00000001 fffffa80`0ca5b900 : 0xfffffa80`0b187900

STACK_COMMAND:  kb
FOLLOWUP_IP: 
fwpkclnt!FwppInjectTransportSendAsync+41f
fffff880`019bd74b 8b942484000000  mov     edx,dword ptr [rsp+84h]
SYMBOL_STACK_INDEX:  5
SYMBOL_NAME:  fwpkclnt!FwppInjectTransportSendAsync+41f
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: fwpkclnt
IMAGE_NAME:  fwpkclnt.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc164
FAILURE_BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
Followup: MachineOwner
---------
You need to remove the Check Point Software Technologies, Inc products, such as zone alarm and other programs that relate to this driver
IMAGE_NAME: fwpkclnt.sys
 


kaos

Senior Member
#6
i would just like to add , i personally believe the TCPIP.sys doesnt play any part in these blue screens
 


zigzag3143

Honorable Member
Microsoft MVP
#7
The only part tcpip.sys plays is it is the protocol that the FWP/IPsec Kernel-Mode API driver (fwpkclnt.sys) uses. Its part in the crash was just a bystander.
 


kaos

Senior Member
#8
Thanks Zigzag , ive learned something new today, :)
 


#9
Thank you for solving my problem. Everysince I uninstalled Spyware Doctor I have not had any BSOD.
 


This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.
Top