Hi, I’ve been getting a few BSOD’s lately that I think have been pointing to cmdguard.sys and inspect.sys.
It usually happens when I leave my pc idle and I come back and find a bsod, sometimes when I’m just on firefox(v3).
Utorrent is always running in the background, and I have tcip patched.
I’ve had CPF installed a long time, and even though I’ve had a few bsod’s before, the last few weeks is only when cmdguard and inspect have been involved.
I have winxpro sp2, nod32, GB ds3p.
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Debugging Details:
READ_ADDRESS: 00000054
CURRENT_IRQL: 2
FAULTING_IP:
inspect+5411
b9d38411 8a4f54 mov cl,byte ptr [edi+54h]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xD1
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 00000000 to b9d38411
STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 inspect+0x5411
STACK_COMMAND: kb
FOLLOWUP_IP:
inspect+5411
b9d38411 8a4f54 mov cl,byte ptr [edi+54h]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: inspect+5411
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: inspect
IMAGE_NAME: inspect.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48344138
FAILURE_BUCKET_ID: 0xD1_inspect+5411
BUCKET_ID: 0xD1_inspect+5411
Followup: MachineOwner
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
Debugging Details:
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.
FAULTING_IP:
nt!IoGetRelatedDeviceObject+38
804ef690 837f1000 cmp dword ptr [edi+10h],0
TRAP_FRAME: a99437fc – (.trap 0xffffffffa99437fc)
.trap 0xffffffffa99437fc
ErrCode = 00000000
eax=0f000003 ebx=00000000 ecx=e100c2c0 edx=000002d7 esi=898c5ac8 edi=0f000003
eip=804ef690 esp=a9943870 ebp=a9943878 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!IoGetRelatedDeviceObject+0x38:
804ef690 837f1000 cmp dword ptr [edi+10h],0 ds:0023:0f000013=???
.trap
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: scrnsave.scr
LAST_CONTROL_TRANSFER: from 8056afd9 to 804ef690
STACK_TEXT:
a9943878 8056afd9 898c5ac8 898c5ac8 e100c2c0 nt!IoGetRelatedDeviceObject+0x38
a99439c4 8056c02b 898c5ac8 00000000 00000000 nt!FsRtlAcquireFileExclusiveCommon+0x2f
a99439d8 804e5ed1 898c5ac8 00000000 e100c2c0 nt!FsRtlAcquireFileExclusive+0x11
a9943a08 805a9fea 898c5ac8 00000000 879f6888 nt!CcZeroEndOfLastPage+0x1f
a9943a5c ac56133d a9943bc0 0000000d a9943b90 nt!NtCreateSection+0x14c
WARNING: Stack unwind information not available. Following frames may be wrong.
a9943acc 8054086c a9943bc0 0000000d a9943b90 cmdguard+0x433d
a9943acc 804ff64d a9943bc0 0000000d a9943b90 nt!KiFastCallEntry+0xfc
a9943b60 8061cc34 a9943bc0 0000000d a9943b90 nt!ZwCreateSection+0x11
a9943bb8 8061e19b a9943be0 00000081 a9943c18 nt!CcPfGetSectionObject+0xca
a9943c4c 8061ed9d a9943c74 01000000 00000000 nt!CcPfPrefetchSections+0x2b7
a9943c8c 8061f1c6 e57b6000 00080000 879d16e8 nt!CcPfPrefetchScenario+0x7b
a9943d08 805ce7a1 879d16e8 e27f4c60 00000000 nt!CcPfBeginAppLaunch+0x158
a9943d50 8054532e 00000000 7c810665 00000001 nt!PspUserThreadStartup+0xeb
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
cmdguard+433d
ac56133d e8a39a0000 call cmdguard+0xdde5 (ac56ade5)
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: cmdguard+433d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: cmdguard
IMAGE_NAME: cmdguard.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48344145
FAILURE_BUCKET_ID: 0x8E_cmdguard+433d
BUCKET_ID: 0x8E_cmdguard+433d
Followup: MachineOwner
Also got an DRIVER_IRQL_NOT_LESS_OR_EQUAL (stop:0x000000D1), Driver Fault, Idle, ntkrpamp.exe.
yesterday, if thats linked in any way.