# [SOLVED] Windows 7 BSOD: tcpip.sys and ntoskrnl.exe



## HalydeX (Feb 20, 2011)

*bsod windows 7 tcpip and ntoskrnl* 
My computer keeps crashing. I need help deciphering my blue screen of death. I have bluescreenview and it highlighted "ntoskrnl.exe" and "tcpip.sys." Also used a debugger.

Thanks, J


```
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Windows\Minidump\021911-22744-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
 
Symbol search path is: SRV*C:\Symbols*[URL]http://msdl.microsoft.com/download/symbols[/URL]
Executable search path is: 
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`02c49000 PsLoadedModuleList = 0xfffff800`02e86e50
Debug session time: Sat Feb 19 17:29:54.783 2011 (UTC - 8:00)
System Uptime: 0 days 0:31:42.360
Loading Kernel Symbols
...............................................................
................................................................
.........................................
Loading User Symbols
Loading unloaded module list
........................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck D1, {0, 2, 0, fffff88002c8c7a0}
 
Unable to load image PctWfpFilter64.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for PctWfpFilter64.sys
*** ERROR: Module load completed but symbols could not be loaded for PctWfpFilter64.sys
Probably caused by : NETIO.SYS ( NETIO!NetioDereferenceNetBufferList+86 )
 
Followup: MachineOwner
---------
 
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff88002c8c7a0, address which referenced memory
 
Debugging Details:
------------------
 
 
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002ef10e0
 0000000000000000 
 
CURRENT_IRQL:  2
 
FAULTING_IP: 
tcpip! ?? ::FNODOBFM::`string'+56f4
fffff880`02c8c7a0 488b01          mov     rax,qword ptr [rcx]
 
CUSTOMER_CRASH_COUNT:  1
 
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
 
BUGCHECK_STR:  0xD1
 
PROCESS_NAME:  System
 
TRAP_FRAME:  fffff88003b2d520 -- (.trap 0xfffff88003b2d520)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa800a241d70 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffa800a241d71 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88002c8c7a0 rsp=fffff88003b2d6b0 rbp=0000000000000000
 r8=fffffa800a241d70  r9=00000000000000d0 r10=fffff880009e9e80
r11=fffffa800a2b4500 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
tcpip! ?? ::FNODOBFM::`string'+0x56f4:
fffff880`02c8c7a0 488b01          mov     rax,qword ptr [rcx] ds:07ff:00000000`00000000=????????????????
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from fffff80002cb8ca9 to fffff80002cb9740
 
STACK_TEXT:  
fffff880`03b2d3d8 fffff800`02cb8ca9 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`03b2d3e0 fffff800`02cb7920 : fffffa80`08f61140  fffffa80`04357030 fffffa80`00000000 fffff880`043ea753 :  nt!KiBugCheckDispatch+0x69
fffff880`03b2d520 fffff880`02c8c7a0 : fffffa80`04357030  fffff880`041d3aca fffff880`206c644d fffffa80`0a4d27a0 :  nt!KiPageFault+0x260
fffff880`03b2d6b0 fffff880`018046a6 : fffffa80`04357030  00000000`07a56000 00000000`00000000 fffffa80`07a56000 : tcpip! ??  ::FNODOBFM::`string'+0x56f4
fffff880`03b2d700 fffff880`0180235d : 00000000`00000000  fffffa80`0a4d27a0 00000000`00000000 fffff880`02d6e9a0 :  NETIO!NetioDereferenceNetBufferList+0x86
fffff880`03b2d730 fffff880`02c60e26 : fffffa80`07a56000  fffffa80`0a4d2800 00000000`00000011 fffffa80`04357030 :  NETIO!NetioDereferenceNetBufferListChain+0x2dd
fffff880`03b2d7b0 fffff880`02c5fb21 : 00000000`00000000  fffffa80`07a56000 fffff880`02d6e9a0 00000000`044b2901 :  tcpip!IppReceiveHeaderBatch+0x3c7
fffff880`03b2d890 fffff880`02d37542 : fffffa80`07c6a580  00000000`00000000 fffffa80`044b2901 00000000`00000001 :  tcpip!IpFlcReceivePackets+0x651
fffff880`03b2da90 fffff880`04153afa : fffffa80`0826e702  fffffa80`0826e7c0 00000000`00000002 00000000`00000000 :  tcpip!IppInspectInjectReceive+0xf2
fffff880`03b2dad0 fffff880`041cc71d : fffffa80`08d51780  fffffa80`044b2950 00000000`c0000000 fffff880`00000000 :  fwpkclnt!FwpsInjectTransportReceiveAsync0+0x256
fffff880`03b2db80 fffffa80`08d51780 : fffffa80`044b2950  00000000`c0000000 fffff880`00000000 fffffa80`04d60002 :  PctWfpFilter64+0xd71d
fffff880`03b2db88 fffffa80`044b2950 : 00000000`c0000000  fffff880`00000000 fffffa80`04d60002 fffffa80`00000001 :  0xfffffa80`08d51780
fffff880`03b2db90 00000000`c0000000 : fffff880`00000000  fffffa80`04d60002 fffffa80`00000001 fffffa80`0000000d :  0xfffffa80`044b2950
fffff880`03b2db98 fffff880`00000000 : fffffa80`04d60002 fffffa80`00000001 fffffa80`0000000d fffffa80`00000000 : 0xc0000000
fffff880`03b2dba0 fffffa80`04d60002 : fffffa80`00000001  fffffa80`0000000d fffffa80`00000000 fffffa80`00000000 :  0xfffff880`00000000
fffff880`03b2dba8 fffffa80`00000001 : fffffa80`0000000d  fffffa80`00000000 fffffa80`00000000 fffff880`041cc250 :  0xfffffa80`04d60002
fffff880`03b2dbb0 fffffa80`0000000d : fffffa80`00000000  fffffa80`00000000 fffff880`041cc250 fffffa80`044b2950 :  0xfffffa80`00000001
fffff880`03b2dbb8 fffffa80`00000000 : fffffa80`00000000  fffff880`041cc250 fffffa80`044b2950 00000000`53636670 :  0xfffffa80`0000000d
fffff880`03b2dbc0 fffffa80`00000000 : fffff880`041cc250  fffffa80`044b2950 00000000`53636670 fffffa80`0a4d27a0 :  0xfffffa80`00000000
fffff880`03b2dbc8 fffff880`041cc250 : fffffa80`044b2950  00000000`53636670 fffffa80`0a4d27a0 fffff880`041db338 :  0xfffffa80`00000000
fffff880`03b2dbd0 fffffa80`044b2950 : 00000000`53636670  fffffa80`0a4d27a0 fffff880`041db338 00000000`00000000 :  PctWfpFilter64+0xd250
fffff880`03b2dbd8 00000000`53636670 : fffffa80`0a4d27a0  fffff880`041db338 00000000`00000000 00000000`00000000 :  0xfffffa80`044b2950
fffff880`03b2dbe0 fffffa80`0a4d27a0 : fffff880`041db338 00000000`00000000 00000000`00000000 00000000`53636670 : 0x53636670
fffff880`03b2dbe8 fffff880`041db338 : 00000000`00000000  00000000`00000000 00000000`53636670 fffffa80`09b3d9f0 :  0xfffffa80`0a4d27a0
fffff880`03b2dbf0 00000000`00000000 : 00000000`00000000  00000000`53636670 fffffa80`09b3d9f0 fffff880`041de128 :  PctWfpFilter64+0x1c338
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
NETIO!NetioDereferenceNetBufferList+86
fffff880`018046a6 4885ff          test    rdi,rdi
 
SYMBOL_STACK_INDEX:  4
 
SYMBOL_NAME:  NETIO!NetioDereferenceNetBufferList+86
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: NETIO
 
IMAGE_NAME:  NETIO.SYS
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc18a
 
FAILURE_BUCKET_ID:  X64_0xD1_NETIO!NetioDereferenceNetBufferList+86
 
BUCKET_ID:  X64_0xD1_NETIO!NetioDereferenceNetBufferList+86
 
Followup: MachineOwner
```


----------



## jcgriff2 (Sep 30, 2007)

*Re: Windows 7 BSOD: tcpip.sys and ntoskrnl.exe*



HalydeX said:


> I have bluescreenview and it highlighted "ntoskrnl.exe" and "tcpip.sys." Also used a debugger.


Hi - 

*ntoskrnl.exe* = the Windows NT Kernel & Executive
*tcpip.sys* = Microsoft TCP/IP networking related driver

The dump actually named netio.sys as the probable cause - 

```
[FONT=Lucida Console]Probably caused by : [COLOR=red]NETIO.SYS[/COLOR] ( NETIO!NetioDereferenceNetBufferList+86 )[/FONT]
```
*netio.sys* = Microsoft Networking I/O subsystem driver

Microsoft OS drivers are often listed as the probable cause of software-related BSODs because there are no symbol files available for 3rd party drivers to identify them.

The real culprit - more than likely PC Tools Internet Security - it is the only 3rd party driver visible on the stack - 

```
[FONT=lucida console][B]STACK_TEXT: [/B][/FONT]
[FONT=lucida console]00000002 00000000`00000000 : nt!KeBugCheckEx[/FONT]
[FONT=lucida console]00000000 fffff880`043ea753 :  nt!KiBugCheckDispatch+0x69[/FONT]
[FONT=lucida console]206c644d fffffa80`0a4d27a0 :  nt!KiPageFault+0x260[/FONT]
[FONT=lucida console]00000000 fffffa80`07a56000 : tcpip! ??  ::FNODOBFM::`string'+0x56f4[/FONT]
[FONT=lucida console]00000000 fffff880`02d6e9a0 :  NETIO!NetioDereferenceNetBufferList+0x86[/FONT]
[FONT=lucida console]00000011 fffffa80`04357030 :  NETIO!NetioDereferenceNetBufferListChain+0x2dd[/FONT]
[FONT=lucida console]02d6e9a0 00000000`044b2901 :  tcpip!IppReceiveHeaderBatch+0x3c7[/FONT]
[FONT=lucida console]044b2901 00000000`00000001 :  tcpip!IpFlcReceivePackets+0x651[/FONT]
[FONT=lucida console]00000002 00000000`00000000 :  tcpip!IppInspectInjectReceive+0xf2[/FONT]
[FONT=lucida console]c0000000 fffff880`00000000 :  fwpkclnt!FwpsInjectTransportReceiveAsync0+0x256[/FONT]
[FONT=lucida console]00000000 fffffa80`04d60002 :  [COLOR=red]PctWfpFilter64[/COLOR]+0xd71d[/FONT]
[FONT=lucida console]04d60002 fffffa80`00000001 :  0xfffffa80`08d51780[/FONT]
[FONT=lucida console]00000001 fffffa80`0000000d :  0xfffffa80`044b2950[/FONT]
[FONT=lucida console]000000d fffffa80`00000000 : 0xc0000000[/FONT]
[FONT=lucida console]00000000 fffffa80`00000000 :  0xfffff880`00000000[/FONT]
[FONT=lucida console]00000000 fffff880`041cc250 :  0xfffffa80`04d60002[/FONT]
[FONT=lucida console]041cc250 fffffa80`044b2950 :  0xfffffa80`00000001[/FONT]
[FONT=lucida console]044b2950 00000000`53636670 :  0xfffffa80`0000000d[/FONT]
[FONT=lucida console]53636670 fffffa80`0a4d27a0 :  0xfffffa80`00000000[/FONT]
[FONT=lucida console]0a4d27a0 fffff880`041db338 :  0xfffffa80`00000000[/FONT]
[FONT=lucida console]041db338 00000000`00000000 :  [COLOR=red]PctWfpFilter64[/COLOR]+0xd250[/FONT]
[FONT=lucida console]00000000 00000000`00000000 :  0xfffffa80`044b2950[/FONT]
[FONT=lucida console]0000000 00000000`53636670 : 0x53636670[/FONT]
[FONT=lucida console]53636670 fffffa80`09b3d9f0 :  0xfffffa80`0a4d27a0[/FONT]
[FONT=lucida console]09b3d9f0 fffff880`041de128 :  [COLOR=red]PctWfpFilter64[/COLOR]+0x1c338[/FONT]
```
 
Driver Reference Table - PctWfpFilter64.sys - sysnative.com - MVP

Get rid of PC Tools Internet Security. 

Use removal tool, if available - Uninstallers (removal tools) for common antivirus software - ESET Knowledgebase

Reboot upon completion. Install MSE - http://www.microsoft.com/security_essentials/

Regards. . .

jcgriff2

`


----------



## HalydeX (Feb 20, 2011)

*Re: Windows 7 BSOD: tcpip.sys and ntoskrnl.exe*

hm.. i was beginng to suspect pc tools. oh well i uninstalled pc tools and downloaded the microsoft security essentials. I will keep you updated.

thanks,

J


----------



## HalydeX (Feb 20, 2011)

*Re: Windows 7 BSOD: tcpip.sys and ntoskrnl.exe*

Update: no more crashes. pctools has bad juju.


----------



## jcgriff2 (Sep 30, 2007)

*Re: Windows 7 BSOD: tcpip.sys and ntoskrnl.exe*

You are not the first to have BSODs caused by PC Tools Internet Security. 

I'm glad to hear it is history ... along with your BSODs.

Thank you for posting back letting us know the outcome - much appreciated.

Have a good weekend!

jcgriff2

`


----------

