CMDGUARD.sys and INSPECT.sys

Hi, I’ve been getting a few BSODs lately that I think have been pointing to cmdguard.sys and inspect.sys.
It usually happens when I leave my PC idle and I come back and find a BSOD, sometimes when I’m just on Firefox (v3).
uTorrent is always running in the background, and I have tcpip patched.
I’ve had CPF installed a long time, and even though I’ve had a few BSODs before, it’s only in the last few weeks that cmdguard and inspect have been involved.
I have WinXP Pro SP2, NOD32, GB DS3P.


DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

Debugging Details:

READ_ADDRESS: 00000054

CURRENT_IRQL: 2

FAULTING_IP:
inspect+5411
b9d38411 8a4f54 mov cl,byte ptr [edi+54h]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: System

LAST_CONTROL_TRANSFER: from 00000000 to b9d38411

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 inspect+0x5411

STACK_COMMAND: kb

FOLLOWUP_IP:
inspect+5411
b9d38411 8a4f54 mov cl,byte ptr [edi+54h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: inspect+5411

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: inspect

IMAGE_NAME: inspect.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48344138

FAILURE_BUCKET_ID: 0xD1_inspect+5411

BUCKET_ID: 0xD1_inspect+5411

Followup: MachineOwner



KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!IoGetRelatedDeviceObject+38
804ef690 837f1000 cmp dword ptr [edi+10h],0

TRAP_FRAME: a99437fc -- (.trap 0xffffffffa99437fc)
.trap 0xffffffffa99437fc
ErrCode = 00000000
eax=0f000003 ebx=00000000 ecx=e100c2c0 edx=000002d7 esi=898c5ac8 edi=0f000003
eip=804ef690 esp=a9943870 ebp=a9943878 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!IoGetRelatedDeviceObject+0x38:
804ef690 837f1000 cmp dword ptr [edi+10h],0 ds:0023:0f000013=???
.trap
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

PROCESS_NAME: scrnsave.scr

LAST_CONTROL_TRANSFER: from 8056afd9 to 804ef690

STACK_TEXT:
a9943878 8056afd9 898c5ac8 898c5ac8 e100c2c0 nt!IoGetRelatedDeviceObject+0x38
a99439c4 8056c02b 898c5ac8 00000000 00000000 nt!FsRtlAcquireFileExclusiveCommon+0x2f
a99439d8 804e5ed1 898c5ac8 00000000 e100c2c0 nt!FsRtlAcquireFileExclusive+0x11
a9943a08 805a9fea 898c5ac8 00000000 879f6888 nt!CcZeroEndOfLastPage+0x1f
a9943a5c ac56133d a9943bc0 0000000d a9943b90 nt!NtCreateSection+0x14c
WARNING: Stack unwind information not available. Following frames may be wrong.
a9943acc 8054086c a9943bc0 0000000d a9943b90 cmdguard+0x433d
a9943acc 804ff64d a9943bc0 0000000d a9943b90 nt!KiFastCallEntry+0xfc
a9943b60 8061cc34 a9943bc0 0000000d a9943b90 nt!ZwCreateSection+0x11
a9943bb8 8061e19b a9943be0 00000081 a9943c18 nt!CcPfGetSectionObject+0xca
a9943c4c 8061ed9d a9943c74 01000000 00000000 nt!CcPfPrefetchSections+0x2b7
a9943c8c 8061f1c6 e57b6000 00080000 879d16e8 nt!CcPfPrefetchScenario+0x7b
a9943d08 805ce7a1 879d16e8 e27f4c60 00000000 nt!CcPfBeginAppLaunch+0x158
a9943d50 8054532e 00000000 7c810665 00000001 nt!PspUserThreadStartup+0xeb
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
cmdguard+433d
ac56133d e8a39a0000 call cmdguard+0xdde5 (ac56ade5)

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: cmdguard+433d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: cmdguard

IMAGE_NAME: cmdguard.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48344145

FAILURE_BUCKET_ID: 0x8E_cmdguard+433d

BUCKET_ID: 0x8E_cmdguard+433d

Followup: MachineOwner


Also got a DRIVER_IRQL_NOT_LESS_OR_EQUAL (stop: 0x000000D1), Driver Fault, Idle, ntkrpamp.exe, yesterday, if that’s linked in any way.

There is a topic for posting CFP BSOD crash dumps that also describes how to locate those minidumps; ref: BSODs: Please add your minidump files here.