BSOD due to cmdmon.sys

Hi,

I regularly have a blue screen followed by a reboot under Windows XP SP2 since I updated Comodo Firewall to 2.4.16.174. Here is the WinDbg analysis:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {16, 2, 0, 804e469a}

*** WARNING: Unable to verify timestamp for cmdmon.sys
*** ERROR: Module load completed but symbols could not be loaded for cmdmon.sys
Probably caused by : cmdmon.sys ( cmdmon+7e2 )

Followup: MachineOwner


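*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************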

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000016, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804e469a, address which referenced memory

Debugging Details:

READ_ADDRESS: 00000016

CURRENT_IRQL: 2

FAULTING_IP:
nt!KeSetEvent+30
804e469a 66394616 cmp word ptr [esi+16h],ax

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from ee26cf89 to 804e469a

STACK_TEXT:
f7c0cca4 ee26cf89 8486b254 00000000 00000000 nt!KeSetEvent+0x30
f7c0ccc8 ee26d0bd 848ab6f0 c000023a 00000000 tcpip!TCPDataRequestComplete+0x93
f7c0ccf8 ee24923d 848ab6f0 8486b26c 848ab7a0 tcpip!TCPSendData+0xa6
f7c0cd14 804e37f7 848ab110 848ab6f0 848ab7c4 tcpip!TCPDispatchInternalDeviceControl+0x51
f7c0cd24 ee2307e2 ee23fd90 848a16e4 848a16e4 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f7c0cd38 ee237263 848ab110 848ab6f0 00000000 cmdmon+0x7e2
f7c0cdac 8057be15 00000000 00000000 00000000 cmdmon+0x7263
f7c0cddc 804fa4da ee236c4a 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
cmdmon+7e2
ee2307e2 ?? ???

SYMBOL_STACK_INDEX: 5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cmdmon

IMAGE_NAME: cmdmon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45ac99c9

SYMBOL_NAME: cmdmon+7e2

FAILURE_BUCKET_ID: 0xA_cmdmon+7e2

BUCKET_ID: 0xA_cmdmon+7e2

Followup: MachineOwner

Any idea??

Thanx

I get the same BSOD. Same OS, same SP, same version of Comodo Firewall:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000000A, {16, 1c, 0, 804f9f6a}

*** WARNING: Unable to verify timestamp for cmdmon.sys
*** ERROR: Module load completed but symbols could not be loaded for cmdmon.sys
Probably caused by : cmdmon.sys ( cmdmon+7263 )

Followup: MachineOwner

1: kd> !analyze -v


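*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************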

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000016, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804f9f6a, address which referenced memory

Debugging Details:

READ_ADDRESS: 00000016

CURRENT_IRQL: 1c

FAULTING_IP:
nt!MmDeleteKernelStack+5b
804f9f6a 66394616 cmp word ptr [esi+16h],ax

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from aada0f89 to 804f9f6a

STACK_TEXT:
f70bdca4 aada0f89 8499c58c 00000000 00000000 nt!MmDeleteKernelStack+0x5b
f70bdcc8 aada10bd 84d20e70 c000023a 00000000 tcpip!TCPCancelRequest+0x115
f70bdcf8 aad7d23d 84d20e70 8499c5a4 84d20f20 tcpip!TCPReceiveData+0xcd
f70bdd14 804eeeb1 85b0aa60 84d20e70 84d20f44 tcpip!ARPQueryInfo+0x552
f70bdd38 aad6b263 85b0aa60 84d20e70 00000000 nt!MiAddViewsForSection+0x38
WARNING: Stack unwind information not available. Following frames may be wrong.
f70bddac 805ce794 00000000 00000000 00000000 cmdmon+0x7263
f70bdddc 805450ce aad6ac4a 00000000 00000000 nt!CmpInitializeHive+0x55
f70bde8c 00000000 00000000 00000000 00000000 nt!WmiTraceMessageVa+0x35

STACK_COMMAND: kb

FOLLOWUP_IP:
cmdmon+7263
aad6b263 ?? ???

SYMBOL_STACK_INDEX: 5

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cmdmon

IMAGE_NAME: cmdmon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45ac99c9

SYMBOL_NAME: cmdmon+7263

FAILURE_BUCKET_ID: 0xA_cmdmon+7263

BUCKET_ID: 0xA_cmdmon+7263

Followup: MachineOwner
---------

What’s UP?? - Same OS (WinXP Pro SP2), same Firewall Version (2.4.16.174) - same Problem (Restart/Bluescreen after 6-7 hours system-up time)!!
same Bugcheck Analysis!

  • Downgrading the Firewall will help at the moment!

PS: I don’t trust in the new version 2.4.17.183 ! - Is this problem fixed?

Exact same problem here also.

I regularly have a blue screen followed by a reboot under Windows XP SP2 and Windows 2000 SP4 + Update (I have 2 hard).

Comodo 2.4 Update .

Here is the windbg analysis for XP SP2:


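*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************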

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000016, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804e469a, address which referenced memory

Debugging Details:

READ_ADDRESS: 00000016

CURRENT_IRQL: 2

FAULTING_IP:
nt!KeSetEvent+30
804e469a 66394616 cmp word ptr [esi+16h],ax

DEFAULT_BUCKET_ID: INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR: 0xA

PROCESS_NAME: System

TRAP_FRAME: f89f0c24 -- (.trap fffffffff89f0c24)
ErrCode = 00000000
eax=00000001 ebx=c0000100 ecx=8163a364 edx=00000000 esi=00000000 edi=00000000
eip=804e469a esp=f89f0c98 ebp=f89f0ca4 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!KeSetEvent+0x30:
804e469a 66394616 cmp word ptr [esi+16h],ax ds:0023:00000016=???
Resetting default scope

LAST_CONTROL_TRANSFER: from 804e469a to 804e187f

STACK_TEXT:
f89f0c24 804e469a badb0d00 00000000 00000000 nt!KiTrap0E+0x233
f89f0ca4 f4a24eeb 8163a364 00000000 00000000 nt!KeSetEvent+0x30
f89f0cc8 f4a2501f 821d3008 c000023a 00000000 tcpip!TCPDataRequestComplete+0x93
f89f0cf8 f4a0127d 821d3008 8163a37c 821d30b8 tcpip!TCPSendData+0xa6
f89f0d14 804e37f7 82091030 821d3008 821d30dc tcpip!TCPDispatchInternalDeviceControl+0x51
f89f0d24 f49e87e2 f49f7e90 81ce4694 81ce4694 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f89f0d38 f49ef299 82091030 821d3008 00000000 cmdmon+0x7e2
f89f0dac 8057be15 00000000 00000000 00000000 cmdmon+0x7299
f89f0ddc 804fa4da f49eec80 00000000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
cmdmon+7e2
f49e87e2 5f pop edi

SYMBOL_STACK_INDEX: 6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cmdmon

IMAGE_NAME: cmdmon.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45bc9111

SYMBOL_NAME: cmdmon+7e2

FAILURE_BUCKET_ID: 0xA_cmdmon+7e2

BUCKET_ID: 0xA_cmdmon+7e2

Followup: MachineOwner

I’m having the same issue with 2.4.18.184.

First, let me say that I very much appreciate such an excellent free firewall. Since the latest update, however, I had three IRQL_NOT_LESS_OR_EQUAL BSODs. These tend to occur after several hours of seeding torrents (using the latest uTorrent). This has happened three times in the last four or so days.

I analyzed the minidumps from the last two crashes with Winternals’ Crash Analysis Wizard. Both times it identified cmdmon.sys as the likely cause of the crash.

The Wizard reported this crash message:


An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000016, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804e5deb, address which referenced memory

I will attach both minidumps and the full logs of the analyses.

Event Viewer lists a critical system error containing the information on lines 45-54 of the analysis log files each time.

In the interim, does anyone know where I can find a slightly older version of CPF?


Update: So far so good after an uninstall/reinstall.

[attachment deleted by admin]

I’m also getting these same BSOD.

v 2.4.18.184

minidump attached for analysis.

I’m very new to using debug tools, and haven’t been able to get the symbols setup correctly for windbg, but I do get the one line which says


Probably caused by : cmdmon.sys ( cmdmon+7299 )

[attachment deleted by admin]

Take a look at: BSODs Please add your minidump files here

Thanks, Soya.

Just saw that thread…happened to find this one first while researching the BSOD.

I’ve attached it there as well.
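
A triage sketch for the `!analyze -v` logs posted in this thread, added here as an example and not part of any poster's message or of Comodo's or Microsoft's tooling. It subtracts the faulting instruction's displacement from READ_ADDRESS to recover the base register value, and reports the first frame without symbols and whether it lies below the "Stack unwind information not available" warning. The function name `triage` is hypothetical, and the embedded sample is constructed from lines of the third log above.

```python
import re

# Constructed sample: lines copied from the third "!analyze -v" log in this thread.
SAMPLE = """\
READ_ADDRESS: 00000016
CURRENT_IRQL: 2
FAULTING_IP:
nt!KeSetEvent+30
804e469a 66394616 cmp word ptr [esi+16h],ax
STACK_TEXT:
f89f0c24 804e469a badb0d00 00000000 00000000 nt!KiTrap0E+0x233
f89f0ca4 f4a24eeb 8163a364 00000000 00000000 nt!KeSetEvent+0x30
f89f0cc8 f4a2501f 821d3008 c000023a 00000000 tcpip!TCPDataRequestComplete+0x93
f89f0d24 f49e87e2 f49f7e90 81ce4694 81ce4694 nt!IopfCallDriver+0x31
WARNING: Stack unwind information not available. Following frames may be wrong.
f89f0d38 f49ef299 82091030 821d3008 00000000 cmdmon+0x7e2
f89f0dac 8057be15 00000000 00000000 00000000 cmdmon+0x7299
STACK_COMMAND: kb
"""

# A "kb" frame: ChildEBP, RetAddr, three args, then symbol[+offset].
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+?)(?:\+(?:0x)?[0-9a-f]+)?$", re.I)
OPERAND = re.compile(r"\[(\w+)\+([0-9a-f]+)h\]", re.I)

def field(text, name):
    """Return a hex-valued 'NAME: value' field as an int."""
    return int(re.search(rf"^{name}:\s*([0-9a-f]+)", text, re.M | re.I).group(1), 16)

def triage(text):
    """Summarise one bugcheck 0xA analysis log."""
    # The instruction is the second line after the FAULTING_IP header.
    insn = re.search(r"^FAULTING_IP:\s*\n\S+\n(.+)$", text, re.M).group(1)
    reg, disp = OPERAND.search(insn).groups()
    frames, reliable = [], True
    for line in text.splitlines():
        if line.startswith("WARNING: Stack unwind"):
            reliable = False          # frames below this line are best-effort
        m = FRAME.match(line.strip())
        if m:
            frames.append((m.group(1), reliable))
    # A frame printed as module+offset (no "!") has no symbols loaded.
    module, ok = next(((s, r) for s, r in frames if "!" not in s), (None, None))
    irql = field(text, "CURRENT_IRQL")
    return {
        "base_register": reg,
        "implied_base": field(text, "READ_ADDRESS") - int(disp, 16),
        "irql": irql,
        "at_or_above_dispatch": irql >= 2,   # DISPATCH_LEVEL is 2 on x86
        "unsymbolized_module": module,
        "frame_reliable": ok,
    }
```

On the sample the implied base is 0, matching `esi=00000000` in that log's trap frame: the read of address 0x16 is a NULL base pointer plus the 0x16 displacement. The cmdmon frame is reported as not reliable because it appears after the unwind warning.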