BSOD tcpip.sys

Discussion in 'Windows 7 Blue Screen of Death (BSOD)' started by agtsoul, Jul 6, 2011.

  1. agtsoul

    agtsoul New Member

    Joined:
    Jul 6, 2011
    Messages:
    6
    Likes Received:
    2
    My System is a Desktop with the following hardware/software:
    Software:
    Windows 7 ultimate 64bt
    McAfee VirusScan Enterprise +AntiSpyware Enterprise 8.8
    Spyware Doctor 8.0.0.652

    Hardware:
    Hitachi Deskstar 2TB 7200RPM Sata 6.0Gb/s
    LITE-ON 12x Blu-ray SATA
    MSI 890GXM-G65 Motherboard
    G. Skill Ripjaws X Series 8GB 240pin
    AMD Phenom II X6 1100T 3.3GHz
    APEVIA HTPC Case
    500W Power Supply

    I get a random BSOD once or twice a day here lately and I know it says something along these lines:
    DRIVER_IRQL_NOT_LESS_OR_EQUAL
    and something about tcpip.sys

    It happens at random times. Minidumps attached. Please help!
     

    Attached Files:

  2. zigzag3143

    zigzag3143 Honorable Member
    Microsoft MVP

    Joined:
    Jun 2, 2009
    Messages:
    812
    Likes Received:
    115
    When tcpip.sys is blamed it usually is one of two things. PCTools, and Zone alarm. Which ever you have remove it to test at least.

    http://www.threatfire.com/files/RemoveThreatFire(3.0).zip

    http://download.zonealarm.com/bin/free/support/cpes_clean.exe

    Virus, Spyware & Malware Protection | Microsoft Security Essentials
     
  3. agtsoul

    agtsoul New Member

    Joined:
    Jul 6, 2011
    Messages:
    6
    Likes Received:
    2
    Okay I removed PCtools Spyware doctor to test and also found a thread on a possible fix if it is the cause. Where you able to find any other info from the minidumps?
     
  4. zigzag3143

    zigzag3143 Honorable Member
    Microsoft MVP

    Joined:
    Jun 2, 2009
    Messages:
    812
    Likes Received:
    115

    Um no you didnt remove PCTools. The latest crash still has it on and loaded (see snip). Also of note Macaffee is also a known cause of these type of crashes. So guess what I would recommend.

    http://service.mcafee.com/FAQDocument.aspx?id=TS100507View attachment 15038
     
  5. kaos

    kaos Senior Member

    Joined:
    May 9, 2011
    Messages:
    1,747
    Likes Received:
    33
    minidump

    Code:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 000000000000000a, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg4: fffff880018650f5, address which referenced memory
    Debugging Details:
    ------------------
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030c40e0
     000000000000000a 
    CURRENT_IRQL:  2
    FAULTING_IP: 
    tcpip!IppSendDatagramsCommon+7a5
    fffff880`018650f5 f6470a05        test    byte ptr [rdi+0Ah],5
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    BUGCHECK_STR:  0xD1
    PROCESS_NAME:  System
    TRAP_FRAME:  fffff88007574440 -- (.trap 0xfffff88007574440)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=000000000000b47c rbx=0000000000000000 rcx=00000000154b9f31
    rdx=000000000000000d rsi=0000000000000000 rdi=0000000000000000
    rip=fffff880018650f5 rsp=fffff880075745d0 rbp=fffffa8010ea0890
     r8=0000000000000000  r9=fffff8800185c72e r10=0000000000000000
    r11=fffffa8010fa2200 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz ac pe nc
    tcpip!IppSendDatagramsCommon+0x7a5:
    fffff880`018650f5 f6470a05        test    byte ptr [rdi+0Ah],5 ds:9310:00000000`0000000a=??
    Resetting default scope
    LAST_CONTROL_TRANSFER:  from fffff80002e8bc69 to fffff80002e8c700
    STACK_TEXT:  
    fffff880`075742f8 fffff800`02e8bc69 : 00000000`0000000a 00000000`0000000a 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff880`07574300 fffff800`02e8a8e0 : fffffa80`10ec0220 00000000`0000059e fffffa80`0af8cc90 fffffa80`0b280080 : nt!KiBugCheckDispatch+0x69
    fffff880`07574440 fffff880`018650f5 : 00000000`00000000 00000000`00000002 fffffa80`0b280045 00000000`0000ba05 : nt!KiPageFault+0x260
    fffff880`075745d0 fffff880`01935859 : fffffa80`07342b40 fffffa80`10ea0704 fffff880`0196c9a0 fffffa80`0b350280 : tcpip!IppSendDatagramsCommon+0x7a5
    fffff880`075748a0 fffff880`0179e74b : 00000000`00000000 00000000`00000004 fffff880`07574be0 fffffa80`10ea0760 : tcpip!IppInspectInjectTlSend+0x1b9
    fffff880`075749c0 fffff880`0179e823 : 00000000`00000000 00000000`00000000 fffffa80`06753a01 00000000`00000000 : fwpkclnt!FwppInjectTransportSendAsync+0x41f
    fffff880`07574aa0 fffff880`02e69572 : fffff880`07574bc0 fffff880`07574b20 fffffa80`0b348000 00000000`00000000 : fwpkclnt!FwpsInjectTransportSendAsync0+0x63
    fffff880`07574b10 fffff880`07574bc0 : fffff880`07574b20 fffffa80`0b348000 00000000`00000000 fffff880`07574be0 : PctWfpFilter64+0x11572
    fffff880`07574b18 fffff880`07574b20 : fffffa80`0b348000 00000000`00000000 fffff880`07574be0 fffff880`02e50002 : 0xfffff880`07574bc0
    fffff880`07574b20 fffffa80`0b348000 : 00000000`00000000 fffff880`07574be0 fffff880`02e50002 00000000`00000001 : 0xfffff880`07574b20
    fffff880`07574b28 00000000`00000000 : fffff880`07574be0 fffff880`02e50002 00000000`00000001 fffffa80`10ea0760 : 0xfffffa80`0b348000
    
    STACK_COMMAND:  kb
    FOLLOWUP_IP: 
    fwpkclnt!FwppInjectTransportSendAsync+41f
    fffff880`0179e74b 8b942484000000  mov     edx,dword ptr [rsp+84h]
    SYMBOL_STACK_INDEX:  5
    SYMBOL_NAME:  fwpkclnt!FwppInjectTransportSendAsync+41f
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: fwpkclnt
    IMAGE_NAME:  fwpkclnt.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc164
    FAILURE_BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
    BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
    Followup: MachineOwner
    ---------
     
    
    
    Code:
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If kernel debugger is available get stack backtrace.
    Arguments:
    Arg1: 000000000000000a, memory referenced
    Arg2: 0000000000000002, IRQL
    Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg4: fffff88001a670f5, address which referenced memory
    Debugging Details:
    ------------------
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032fd0e0
     000000000000000a 
    CURRENT_IRQL:  2
    FAULTING_IP: 
    tcpip!IppSendDatagramsCommon+7a5
    fffff880`01a670f5 f6470a05        test    byte ptr [rdi+0Ah],5
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    BUGCHECK_STR:  0xD1
    PROCESS_NAME:  System
    TRAP_FRAME:  fffff88005732440 -- (.trap 0xfffff88005732440)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000a0d rbx=0000000000000000 rcx=000000000a0d0000
    rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff88001a670f5 rsp=fffff880057325d0 rbp=fffffa800ca5ba30
     r8=0000000000000002  r9=fffff88001a5e72e r10=0000000000000000
    r11=fffffa8012d519c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz ac pe nc
    tcpip!IppSendDatagramsCommon+0x7a5:
    fffff880`01a670f5 f6470a05        test    byte ptr [rdi+0Ah],5 ds:1310:00000000`0000000a=??
    Resetting default scope
    LAST_CONTROL_TRANSFER:  from fffff800030c4c69 to fffff800030c5700
    STACK_TEXT:  
    fffff880`057322f8 fffff800`030c4c69 : 00000000`0000000a 00000000`0000000a 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
    fffff880`05732300 fffff800`030c38e0 : fffffa80`0acf7080 00000000`00000002 fffffa80`0a804201 fffff880`057324e0 : nt!KiBugCheckDispatch+0x69
    fffff880`05732440 fffff880`01a670f5 : 00000000`00000000 00000000`00000002 fffffa80`0acf0045 00000000`00001e00 : nt!KiPageFault+0x260
    fffff880`057325d0 fffff880`01b37859 : fffffa80`07342b40 fffffa80`0ca5b904 fffff880`01b6e9a0 fffffa80`06b95db0 : tcpip!IppSendDatagramsCommon+0x7a5
    fffff880`057328a0 fffff880`019bd74b : fffffa80`0acf7080 00000000`00000004 fffff880`05732be0 fffffa80`0ca5b900 : tcpip!IppInspectInjectTlSend+0x1b9
    fffff880`057329c0 fffff880`019bd823 : 00000000`00000000 00000000`00000000 fffffa80`067cab01 00000000`00000000 : fwpkclnt!FwppInjectTransportSendAsync+0x41f
    fffff880`05732aa0 fffff880`02ef1572 : fffff880`05732bc0 fffff880`05732b20 fffffa80`0b187900 00000000`00000000 : fwpkclnt!FwpsInjectTransportSendAsync0+0x63
    fffff880`05732b10 fffff880`05732bc0 : fffff880`05732b20 fffffa80`0b187900 00000000`00000000 fffff880`05732be0 : PctWfpFilter64+0x11572
    fffff880`05732b18 fffff880`05732b20 : fffffa80`0b187900 00000000`00000000 fffff880`05732be0 fffff880`02ee0002 : 0xfffff880`05732bc0
    fffff880`05732b20 fffffa80`0b187900 : 00000000`00000000 fffff880`05732be0 fffff880`02ee0002 00000000`00000001 : 0xfffff880`05732b20
    fffff880`05732b28 00000000`00000000 : fffff880`05732be0 fffff880`02ee0002 00000000`00000001 fffffa80`0ca5b900 : 0xfffffa80`0b187900
    
    STACK_COMMAND:  kb
    FOLLOWUP_IP: 
    fwpkclnt!FwppInjectTransportSendAsync+41f
    fffff880`019bd74b 8b942484000000  mov     edx,dword ptr [rsp+84h]
    SYMBOL_STACK_INDEX:  5
    SYMBOL_NAME:  fwpkclnt!FwppInjectTransportSendAsync+41f
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: fwpkclnt
    IMAGE_NAME:  fwpkclnt.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc164
    FAILURE_BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
    BUCKET_ID:  X64_0xD1_fwpkclnt!FwppInjectTransportSendAsync+41f
    Followup: MachineOwner
    ---------
    
    
    
    You need to remove the Check Point Software Technologies, Inc products, such as zone alarm and other programs that relate to this driver
    IMAGE_NAME: fwpkclnt.sys
     
  6. kaos

    kaos Senior Member

    Joined:
    May 9, 2011
    Messages:
    1,747
    Likes Received:
    33
    i would just like to add , i personally believe the TCPIP.sys doesnt play any part in these blue screens
     
  7. zigzag3143

    zigzag3143 Honorable Member
    Microsoft MVP

    Joined:
    Jun 2, 2009
    Messages:
    812
    Likes Received:
    115
    The only part tcpip.sys plays is it is the protocol that the FWP/IPsec Kernel-Mode API driver (fwpkclnt.sys) uses. Its part in the crash was just a bystander.
     
    1 person likes this.
  8. kaos

    kaos Senior Member

    Joined:
    May 9, 2011
    Messages:
    1,747
    Likes Received:
    33
    Thanks Zigzag , ive learned something new today, :)
     
    1 person likes this.
  9. agtsoul

    agtsoul New Member

    Joined:
    Jul 6, 2011
    Messages:
    6
    Likes Received:
    2
    Thank you for solving my problem. Everysince I uninstalled Spyware Doctor I have not had any BSOD.
     
    2 people like this.

Share This Page

Loading...