[DUMP] Windows creates a live kernel dump file after 10 minutes while idle.

I cannot find out why Windows crashes after 10 minutes whenever I don’t do anything.

Dump file is created at C:\Windows\LiveKernelReports\WFP-20181003-1859.dmp

I think this crash is related to Windows Defender Firewall and the BFE(?) Windows driver, but I’m not sure, and I don’t know why this error occurs.

Here is an analyzed dump file.


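*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************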

CRITICAL_SERVICE_FAILED (5a)
Arguments:
Arg1: 0000000000000000
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:

KEY_VALUES_STRING: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 17134.1.amd64fre.rs4_release.180410-1804

SYSTEM_PRODUCT_NAME: To Be Filled By O.E.M.

SYSTEM_SKU: To Be Filled By O.E.M.

SYSTEM_VERSION: To Be Filled By O.E.M.

BIOS_VENDOR: American Megatrends Inc.

BIOS_VERSION: P7.30

BIOS_DATE: 12/14/2016

BASEBOARD_MANUFACTURER: ASRock

BASEBOARD_PRODUCT: H110M-DGS

BASEBOARD_VERSION:

DUMP_TYPE: 1

DUMP_FILE_ATTRIBUTES: 0x10
Live Generated Dump

BUGCHECK_P1: 0

BUGCHECK_P2: 0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

BUGCHECK_STR: 0x5A

CPU_COUNT: 4

CPU_MHZ: c78

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R) SIG: BE'00000000 (cache) BE'00000000 (init)

DEFAULT_BUCKET_ID: WINBLUE_LIVE_KERNEL_DUMP

PROCESS_NAME: svchost.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: WONSCH-PC

ANALYSIS_SESSION_TIME: 10-03-2018 19:29:45.0667

ANALYSIS_VERSION: 10.0.17134.1 amd64fre

LAST_CONTROL_TRANSFER: from fffff8010e094682 to fffff8010e09f7ce

STACK_TEXT:
fffffd83974ef150 fffff8010e094682 : ffffffffffffffff 0000000000000011 0000000000000000 0000000000000011 : nt!IopLiveDumpEndMirroringCallback+0x7e
fffffd83974ef1a0 fffff8010e09f473 : 0000000000000000 fffff80100000000 ffff9c0900000001 0000000000000001 : nt!MmDuplicateMemory+0x26e
fffffd83974ef230 fffff8010e33d04d : ffff9c0973345ad0 ffff9c0973345ad0 fffffd83974ef4f8 fffffd83974ef4f8 : nt!IopLiveDumpCaptureMemoryPages+0x7f
fffffd83974ef2f0 fffff8010e330a34 : 0000000000000000 ffffb087b908f950 ffffb087b78b3a80 ffffb087b908f950 : nt!IoCaptureLiveDump+0x289
fffffd83974ef490 fffff8010e331138 : ffffffff8000367c 0000000000000000 0000000000000000 0000000000000000 : nt!DbgkpWerCaptureLiveFullDump+0x134
fffffd83974ef4f0 fffff8010e33088b : 0000000000000002 0000000000000000 0000000000000000 000000000000005a : nt!DbgkpWerProcessPolicyResult+0x30
fffffd83974ef520 fffff80345aa6d9f : 0000000000000000 fffffd83974ef620 ffff9c0972511280 ffff9c0973858a98 : nt!DbgkWerCaptureLiveKernelDump+0x19b
fffffd83974ef570 fffff80345aa5d0b : fffffd83974ef658 0000000000000000 ffff9c0972e3e700 fffff80344d77929 : fwpkclnt!FwppFirewallStateOnChange+0x3f
fffffd83974ef5d0 fffff80345894e45 : 0000000000000000 fffff8010df07306 ffff9c0972b53580 0000000000000000 : fwpkclnt!FwppDispatchDevCtl0+0xc4b
fffffd83974ef640 fffff80345834eb3 : ffff9c0973858a60 fffffd83974ef8c0 0000023e6f6c9a40 0000000000000000 : tcpip!KfdDispatchDevCtl+0x5ff85
fffffd83974ef6d0 fffff8010dc36199 : ffff9c0972e3ed70 fffff8010dc36465 ffff9c0972e3ee40 0000000020206f49 : tcpip!NlDispatchDeviceControl+0x43
fffffd83974ef700 fffff8010e0e954b : ffff9c0973858a60 fffffd83974efa80 0000000000000001 0000000000000000 : nt!IofCallDriver+0x59
fffffd83974ef740 fffff8010e0e8bdf : ffff9c0900000000 ffff9c09724c8570 0000000000000000 fffffd83974efa80 : nt!IopSynchronousServiceTail+0x1ab
fffffd83974ef7f0 fffff8010e0e9386 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x66f
fffffd83974ef920 fffff8010ddd6343 : ffff9c0972e3e700 fffffd83974efa80 000000946c0ff1e8 fffffd83974ef9a8 : nt!NtDeviceIoControlFile+0x56
fffffd83974ef990 00007ffea3cf9f94 : 00007ffe98bf5931 0000023e6f602340 0000000000000000 0000023e6f675510 : nt!KiSystemServiceCopyEnd+0x13
000000946c0ff938 00007ffe98bf5931 : 0000023e6f602340 0000000000000000 0000023e6f675510 000000946b733000 : ntdll!NtDeviceIoControlFile+0x14
000000946c0ff940 00007ffe98bf66bd : 0000023e6f675f50 000000946b733000 000000946c0ffa38 00007ffe00000024 : bfe!BfeDeviceIoControl+0x55
000000946c0ff9b0 00007ffe98c083ec : 0000023e00000000 00007ffe98c65e40 0000000000000004 0000023e6f675f50 : bfe!BfeDriverOnFirewallStateChange+0x3d
000000946c0ffa00 00007ffe98c0846d : 0000023e6ff117f0 000000946c0ffcd8 000000946b733000 0000000000000000 : bfe!BfeFirewallWatchdogTimerCallback+0xdc
000000946c0ffa80 00007ffea3cd558d : 0000023e00000001 000000007ffe0386 0000023e6ff117f0 0000000000000000 : bfe!BfeTimerCallback+0x4d
000000946c0ffad0 00007ffea3c83229 : 0000023e6f63be20 000000007ffe0386 0000023e6f63bee8 0000023e6f674e00 : ntdll!RtlpTpTimerCallback+0x7d
000000946c0ffb20 00007ffea3c7fa2d : 0000023e6f602458 0000023e6f674de0 0000000000000000 0000023e6f602358 : ntdll!TppTimerpExecuteCallback+0xe9
000000946c0ffb70 00007ffea1ea3034 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!TppWorkerThread+0x70d
000000946c0ffe60 00007ffea3cd1431 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x14
000000946c0ffe90 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x21

THREAD_SHA1_HASH_MOD_FUNC: b0094691039a315dd5559c34529062bb26656401

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: dd9bb3e5e399d5a86fb3332cebe96ac1898e61e7

THREAD_SHA1_HASH_MOD: dc47b33cbe982bc9f39474f67241e70cbd948f40

FOLLOWUP_IP:
fwpkclnt!FwppFirewallStateOnChange+3f
fffff803`45aa6d9f 85c0 test eax,eax

FAULT_INSTR_CODE: f74c085

SYMBOL_STACK_INDEX: 7

SYMBOL_NAME: fwpkclnt!FwppFirewallStateOnChange+3f

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: fwpkclnt

IMAGE_NAME: fwpkclnt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 27391fb0

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 3f

FAILURE_BUCKET_ID: LKD_0x5A_fwpkclnt!FwppFirewallStateOnChange

BUCKET_ID: LKD_0x5A_fwpkclnt!FwppFirewallStateOnChange

PRIMARY_PROBLEM_CLASS: LKD_0x5A_fwpkclnt!FwppFirewallStateOnChange

TARGET_TIME: 2018-10-03T09:59:50.000Z

OSBUILD: 17134

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2018-08-03 12:10:45

BUILDDATESTAMP_STR: 180410-1804

BUILDLAB_STR: rs4_release

BUILDOSVER_STR: 10.0.17134.1.amd64fre.rs4_release.180410-1804

ANALYSIS_SESSION_ELAPSED_TIME: 5ea

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:lkd_0x5a_fwpkclnt!fwppfirewallstateonchange

FAILURE_ID_HASH: {8b4a8f75-e7e3-1c33-1ac2-57135d2d5ea3}

Followup: MachineOwner

This is probably an OS issue, as you suspected, related to the firewall service not starting. It appears to be fixed in the October 2018 update. My claim is based on a casual glance through some OS code; I don’t work on the firewall so I can’t speak authoritatively.

Live kernel dumps are not supposed to be disruptive. Other than some disk space, does the live kernel dump cause any problems?

Yes, but not a serious problem. We are developing a virtual storport driver, and every client writes this large live kernel dump file on the storport server.

Thank you for the information. We will wait for the next Windows updates (maybe RS5?).

Yes, RS5.
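
Reading the posted stack mechanically, as an added example that is not part of the original thread: the Python below parses a contiguous excerpt of the STACK_TEXT, reports the frame that called nt!DbgkWerCaptureLiveKernelDump (the component that requested the live dump), and lists the user-mode frames outside ntdll that sit behind the device I/O control. The function names and the USER_MAX cut-off are choices made for this example.

```python
import re

# Contiguous frames copied from the STACK_TEXT in the post (kb layout:
# child-SP, return address, four arguments, call-site symbol).
STACK_TEXT = """\
fffffd83974ef520 fffff80345aa6d9f : 0000000000000000 fffffd83974ef620 ffff9c0972511280 ffff9c0973858a98 : nt!DbgkWerCaptureLiveKernelDump+0x19b
fffffd83974ef570 fffff80345aa5d0b : fffffd83974ef658 0000000000000000 ffff9c0972e3e700 fffff80344d77929 : fwpkclnt!FwppFirewallStateOnChange+0x3f
fffffd83974ef5d0 fffff80345894e45 : 0000000000000000 fffff8010df07306 ffff9c0972b53580 0000000000000000 : fwpkclnt!FwppDispatchDevCtl0+0xc4b
fffffd83974ef640 fffff80345834eb3 : ffff9c0973858a60 fffffd83974ef8c0 0000023e6f6c9a40 0000000000000000 : tcpip!KfdDispatchDevCtl+0x5ff85
fffffd83974ef6d0 fffff8010dc36199 : ffff9c0972e3ed70 fffff8010dc36465 ffff9c0972e3ee40 0000000020206f49 : tcpip!NlDispatchDeviceControl+0x43
fffffd83974ef700 fffff8010e0e954b : ffff9c0973858a60 fffffd83974efa80 0000000000000001 0000000000000000 : nt!IofCallDriver+0x59
fffffd83974ef740 fffff8010e0e8bdf : ffff9c0900000000 ffff9c09724c8570 0000000000000000 fffffd83974efa80 : nt!IopSynchronousServiceTail+0x1ab
fffffd83974ef7f0 fffff8010e0e9386 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!IopXxxControlFile+0x66f
fffffd83974ef920 fffff8010ddd6343 : ffff9c0972e3e700 fffffd83974efa80 000000946c0ff1e8 fffffd83974ef9a8 : nt!NtDeviceIoControlFile+0x56
fffffd83974ef990 00007ffea3cf9f94 : 00007ffe98bf5931 0000023e6f602340 0000000000000000 0000023e6f675510 : nt!KiSystemServiceCopyEnd+0x13
000000946c0ff938 00007ffe98bf5931 : 0000023e6f602340 0000000000000000 0000023e6f675510 000000946b733000 : ntdll!NtDeviceIoControlFile+0x14
000000946c0ff940 00007ffe98bf66bd : 0000023e6f675f50 000000946b733000 000000946c0ffa38 00007ffe00000024 : bfe!BfeDeviceIoControl+0x55
000000946c0ff9b0 00007ffe98c083ec : 0000023e00000000 00007ffe98c65e40 0000000000000004 0000023e6f675f50 : bfe!BfeDriverOnFirewallStateChange+0x3d
000000946c0ffa00 00007ffe98c0846d : 0000023e6ff117f0 000000946c0ffcd8 000000946b733000 0000000000000000 : bfe!BfeFirewallWatchdogTimerCallback+0xdc
"""

FRAME = re.compile(r"^([0-9a-f]{16}) [0-9a-f]{16} : (?:[0-9a-f]{16} ){4}: "
                   r"(\w+)!(\w+)\+0x[0-9a-f]+$")
USER_MAX = 0x00007FFFFFFFFFFF  # top of the canonical user-mode range on x64

def parse_frames(text):
    """Return (child_sp, module, function) per frame, innermost first."""
    frames = []
    for line in text.splitlines():
        # WinDbg prints a backtick mid-address; drop it before matching.
        m = FRAME.match(line.strip().replace("`", ""))
        if m:  # non-frame lines are skipped
            frames.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return frames

def live_dump_requester(frames):
    """Caller of nt!DbgkWerCaptureLiveKernelDump, i.e. the next frame down."""
    for (_, _, func), (_, mod, caller) in zip(frames, frames[1:]):
        if func == "DbgkWerCaptureLiveKernelDump":
            return f"{mod}!{caller}"
    return None

def user_mode_callers(frames):
    """User-mode frames outside ntdll: the service code behind the IOCTL."""
    return [f"{mod}!{func}" for sp, mod, func in frames
            if sp <= USER_MAX and mod.lower() != "ntdll"]

if __name__ == "__main__":
    frames = parse_frames(STACK_TEXT)
    print(live_dump_requester(frames), user_mode_callers(frames))
```

The requester it reports matches the SYMBOL_NAME and FAILURE_BUCKET_ID fields in the analysis output.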