inspect.sys blue screen of death

Although I like the product, the new version caused a blue screen.
This had not happened before.

So here I go with my info:

Stop error: 0x…D1 (0x…50, 0x…2, 0x…00 ) QXEd048e3e
An error in inspect.sys
Address ED048e3e
base ed040000
datestamp 45af5205
System: Windows 2000 SP4 + latest patches

ComodoFirewall version 2.4.16.174
inspect.sys dll version 2.0.0.1

Network adapter Winbond W89C940 PCI network adapter

still (L)

Hi PermanentMarker, welcome to the forums.

Did the BSOD generate a dump?

PS I locked your Poll & moved the topic to a section where it would get better exposure.

I’m sorry, my system should write full memory dumps, but a dump was not created.
There was no file like %systemroot%\memory.dmp.
I know what % means, I just followed it to the system path URL.

The reason why I still saw it was that my system is not configured to reboot; I never do that, because in cases like these you wouldn’t know what happened at all if it had rebooted.
By not rebooting I can keep the blue screen on and write it down, as I did.
(Oh, and the … in the 0x…50 are a bunch of zeros.)

I’m a technical support person too; perhaps I should run Driver Verifier from MS, although it is one of the rare tools I have so far not needed to use
(I’ve used a lot of tools and did pre-examination of braindumps in my job).

So for the moment I can only say that my previous post contained all the info.
The Event Viewer also doesn’t mention problems related to Comodo, the network card or the general system, just blue infos, all there.

I’m sorry if my typing is wrong, but I’m head injured (that’s no joke).

Hi PermanentMarker, sorry about your injury. I hope you get better soon.

Perhaps W2k generated a minidump in %systemroot%\Minidump?

I think Egemen (CFP developer) will need the dump to investigate this issue.

No, I have configured it for full dumps, so minidumps are not created.
But nothing has been created at all.
This can occur during some crashes, I know; I had cases like these before myself.
At least I got it all written down in my first post (as I know that is sometimes the only way to get some info).

If you have other questions I’ll answer them tomorrow, because my head needs rest now.
I’ll see it in my mail then.

G’day,

Winbond W89C940 or W89C840? According to Winbond’s site, the 940 is a 10MB NIC and there are no Win2K or XP specific drivers listed on their site.

Is it possible for you to test with a different NIC?

Just a thought.

Ewen :slight_smile:

Actually it is possible, as I have two NICs in my system.

Although it might be wrongly reported in Comodo, as my LAN NIC is a
Compex RL2000 PCI Ethernet Adapter, using the standard Windows 2000 drivers.
A pretty general NIC, seen them everywhere in the past (an oldie); I use this one as internet connection.

My other NIC, which normally is disabled (but which I will try tomorrow),
is a Realtek RTL8139/810x Family Fast Ethernet NIC.
In the past I had this system function as a relay host; the reason I used the other NIC is that I had at that time no CAT5 cabling (so I couldn’t do 100Mbit).

Oh, another note: I had not seen this crash before, and I’ve been using Comodo for a while now.
At the moment when it happened my computer had been running for a long night time (for a download); might be a leak perhaps.

Had it again today, another blue screen, using a different network NIC.
The problem is in inspect.sys

Blue screen 0x0…d1 0x0…50 0x0…2 0x.00EB048e3e
Driver IRQL not less or equal

Address EB048f3e base at EB040000 date stamp 45af5205 inspect.sys

As with the previous one, again no memory.dmp file (should have done a full dump now).

Again no dump file, but I think we can rule out that it is because of the network card, as I’m using the other one. Another note: I wasn’t really networking at the time of the crash, I played a game, although it might have been some other app triggering Comodo Firewall.

I changed the dump settings to write a small memory dump; is that something useful for your people? I’m not sure, but I hope changing the dump type will have some effect. It doesn’t happen often, but I hope to tackle it.

:o Wow, they keep ■■■■■■■. Here is a crash dump analysis using WinDbg.
I show the full output of WinDbg from the beginning so you can see I have the correct symbol files, even for NTOSkrnl.exe

`
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [E:\WINNT\Minidump\Mini021307-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: e:\winnt;e:\winnt\symbols;e:\winnt\system32
Executable search path is:
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
Debug session time: Tue Feb 13 20:59:02.495 2007 (GMT+1)
System Uptime: not available
Loading Kernel Symbols

Loading User Symbols
Loading unloaded module list


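*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************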

Use !analyze -v to get detailed debugging information.

BugCheck D1, {54, 2, 0, eb048dee}

*** ERROR: Module load completed but symbols could not be loaded for inspect.sys
Probably caused by : inspect.sys ( inspect+8dee )

Followup: MachineOwner

kd> !analyze -v


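*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************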

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000054, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: eb048dee, address which referenced memory

Debugging Details:

READ_ADDRESS: unable to read from 804815d8
unable to read from 80481288
unable to read from 80481168
unable to read from 80472ea0
unable to read from 80481180
unable to read from 80481284
unable to read from 80472ea4
unable to read from 80481344
unable to read from 80481578
00000054

CURRENT_IRQL: 2

FAULTING_IP:
inspect+8dee
eb048dee 8a4f54 mov cl,byte ptr [edi+54h]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xD1

PROCESS_NAME: avant.exe

TRAP_FRAME: f43be548 -- (.trap fffffffff43be548)
ErrCode = 00000000
eax=00000001 ebx=00000484 ecx=00000001 edx=1bce393e esi=f9bf99e8 edi=00000000
eip=eb048dee esp=f43be5bc ebp=f9bf99e8 iopl=0 nv up ei ng nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287
inspect+0x8dee:
eb048dee 8a4f54 mov cl,byte ptr [edi+54h] ds:0023:00000054=??
Resetting default scope

LAST_CONTROL_TRANSFER: from eb048dee to 80467df7

STACK_TEXT:
f43be548 eb048dee 00001fa8 00000207 8046c299 nt!KiTrap0E+0x20b
WARNING: Stack unwind information not available. Following frames may be wrong.
f43be5c0 eb0493cc 00000000 f9bf99e8 00000001 inspect+0x8dee
f43be5e0 eb04665a f9b8c000 f9bf99e8 00000001 inspect+0x93cc
f43be5fc eb04980d f9bf99e8 f97a91e8 f43be6a8 inspect+0x665a
f43be684 eb043e0a f9bf99e8 f97a91e8 f43be6a8 inspect+0x980d
00000000 00000000 00000000 00000000 00000000 inspect+0x3e0a

STACK_COMMAND: kb

FOLLOWUP_IP:
inspect+8dee
eb048dee 8a4f54 mov cl,byte ptr [edi+54h]

SYMBOL_STACK_INDEX: 1

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: inspect

IMAGE_NAME: inspect.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45bc9145

SYMBOL_NAME: inspect+8dee

FAILURE_BUCKET_ID: 0xD1_inspect+8dee

BUCKET_ID: 0xD1_inspect+8dee

Followup: MachineOwner
---------`

some more info

kd> lmvm inspect
start    end        module name
eb040000 eb04c880   inspect    (no symbols)
    Loaded symbol image file: inspect.sys
    Mapped memory image file: e:\winnt\system32\drivers\inspect.sys
    Image path: inspect.sys
    Image name: inspect.sys
    Timestamp: Sun Jan 28 13:04:21 2007 (45BC9145)
    CheckSum: 00012FEE
    ImageSize: 0000C880
    File version: 2.0.0.1
    Product version: 2.0.0.1
    File flags: 0 (Mask 3F)
    File OS: 40004 NT Win32
    File type: 3.0 Driver
    File date: 00000000.00000000
    Translations: 0409.04b0
    CompanyName: COMODO
    ProductName: Comodo Personal Firewall Stateful Inspection Engine
    InternalName: inspect.sys
    OriginalFilename: inspect.sys
    ProductVersion: 2, 0, 0, 1
    FileVersion: 2, 0, 0, 1
    FileDescription: Comodo Personal Firewall Stateful Inspection Engine
    LegalCopyright: Copyright COMODO © 2006
    Comments: Comodo Personal Firewall Stateful Inspection Engine
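
A small triage helper for the 0xD1 report in the post above, added here as an example (it is not part of the thread and not Comodo's or Microsoft's code). It parses the BugCheck line, register dump, faulting instruction and `lmvm` range copied from the post, then reports the module-relative offset, the driver build time and whether the fault is a read through a NULL structure pointer. The name `triage_d1` and the trimmed `SAMPLE` text are assumptions.

```python
import re
from datetime import datetime, timezone

# Lines copied from the WinDbg output in the post above (trimmed to the fields used).
SAMPLE = """\
BugCheck D1, {54, 2, 0, eb048dee}
eax=00000001 ebx=00000484 ecx=00000001 edx=1bce393e esi=f9bf99e8 edi=00000000
eb048dee 8a4f54 mov cl,byte ptr [edi+54h]
eb040000 eb04c880   inspect    (no symbols)
Timestamp: Sun Jan 28 13:04:21 2007 (45BC9145)
"""

def triage_d1(text):
    """Summarise a DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1) report from WinDbg text."""
    m = re.search(r"BugCheck (\w+), \{(\w+), (\w+), (\w+), (\w+)\}", text)
    code, referenced, irql, is_write, fault_ip = (int(g, 16) for g in m.groups())
    if code != 0xD1:
        raise ValueError("not a 0xD1 bugcheck")

    # Module range from the lmvm line: "start end module (symbols)".
    start, end, module = re.search(
        r"^([0-9a-f]{8}) ([0-9a-f]{8})\s+(\S+)\s+\(", text, re.M).groups()
    start, end = int(start, 16), int(end, 16)
    in_module = start <= fault_ip < end

    # Register snapshot and the base+displacement operand of the faulting instruction.
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(e\w\w)=([0-9a-f]{8})", text)}
    base_reg, disp = re.search(r"\[(e\w\w)\+([0-9a-f]+)h\]", text).groups()

    # NULL base register + field offset == referenced address: NULL structure pointer.
    null_deref = regs.get(base_reg) == 0 and int(disp, 16) == referenced

    # PE link timestamp (seconds since the Unix epoch) identifies the driver build.
    stamp = int(re.search(r"Timestamp:.*\(([0-9A-Fa-f]{8})\)", text).group(1), 16)
    return {
        "module": module if in_module else None,
        "offset": fault_ip - start if in_module else None,
        "irql": irql,
        "write": bool(is_write),
        "null_deref": null_deref,
        "build_utc": datetime.fromtimestamp(stamp, timezone.utc),
    }

if __name__ == "__main__":
    for key, value in triage_d1(SAMPLE).items():
        print(f"{key}: {value}")
```

The module-relative offset (`inspect+0x8dee`) stays comparable across reboots even when the load base changes, and the decoded link timestamp tells a vendor exactly which driver build faulted.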