Hi Scott,
The problem occurs in the WppRecorder driver function. When I dump the trap frame it shows accessing some invalid address causing the issue.
But not sure why the BSOD occurs in the WppRecorder driver which is from Microsoft.
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8060feb1349, The address that the exception occurred at
Arg3: fffff38e767a2e78, Parameter 0 of the exception
Arg4: fffff38e767a26b0, Parameter 1 of the exception
Debugging Details:
KEY_VALUES_STRING: 1
PROCESSES_ANALYSIS: 1
SERVICE_ANALYSIS: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 19041.1.amd64fre.vb_release.191206-1406
SYSTEM_MANUFACTURER: Dell Inc.
SYSTEM_PRODUCT_NAME: Inspiron 3420
SYSTEM_SKU: To be filled by O.E.M.
SYSTEM_VERSION: Not Specified
BIOS_VENDOR: Dell Inc.
BIOS_VERSION: A05
BIOS_DATE: 09/28/2012
BASEBOARD_MANUFACTURER: Dell Inc.
BASEBOARD_PRODUCT: 04XGDT
BASEBOARD_VERSION: A05
DUMP_TYPE: 1
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: fffff8060feb1349
BUGCHECK_P3: fffff38e767a2e78
BUGCHECK_P4: fffff38e767a26b0
WRITE_ADDRESS: fffff38e767a26b0
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
FAULTING_IP:
WppRecorder!WppAutoLogTrace+219
fffff806`0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh]
EXCEPTION_PARAMETER1: fffff38e767a2e78
EXCEPTION_PARAMETER2: fffff38e767a26b0
BUGCHECK_STR: 0x1E_c0000005
CPU_COUNT: 4
CPU_MHZ: 9be
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3a
CPU_STEPPING: 9
CPU_MICROCODE: 6,3a,9,0 (F,M,S,R) SIG: 21’00000000 (cache) 21’00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: CLW-G4B6HR2
ANALYSIS_SESSION_TIME: 03-30-2021 10:38:54.0655
ANALYSIS_VERSION: 10.0.18362.1 amd64fre
LAST_CONTROL_TRANSFER: from fffff8060db0ed9f to fffff8060d9f5a80
STACK_TEXT:
fffff38e767a1e38 fffff806
0db0ed9f : 000000000000001e ffffffff
c0000005 fffff8060feb1349 fffff38e
767a2e78 : nt!KeBugCheckEx
fffff38e767a1e40 fffff806
0da11c86 : fffff38e767a26b0 fffff806
0d903845 fffff38e767a30b0 fffff806
0feb1349 : nt!KiFatalFilter+0x1f
fffff38e767a1e80 fffff806
0d9cc052 : fffff80600000002 fffff806
0d6d8e34 fffff38e7679e000 fffff38e
767a4000 : nt!KeExpandKernelStackAndCalloutInternal$filt$0+0x16
fffff38e767a1ec0 fffff806
0d9fe942 : fffff8060d6d8e34 fffff38e
767a24a0 fffff8060d9cbfb0 00000000
00000000 : nt!_C_specific_handler+0xa2
fffff38e767a1f30 fffff806
0d92bf97 : fffff38e767a24a0 00000000
00000000 fffff38e767a35e0 fffff806
0d954488 : nt!RtlpExecuteHandlerForException+0x12
fffff38e767a1f60 fffff806
0d92ab86 : fffff38e767a2e78 fffff38e
767a2bb0 fffff38e767a2e78 00000000
00000000 : nt!RtlDispatchException+0x297
fffff38e767a2680 fffff806
0da07bac : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiDispatchException+0x186
fffff38e767a2d40 fffff806
0da038e0 : 000000000000003e 00000000
00000000 ffffa40aa7be6810 fffff806
10e5e23b : nt!KiExceptionDispatch+0x12c
fffff38e767a2f20 fffff806
0feb1349 : 0000000000000000 00000000
63467453 00000000000000a0 00000000
000009a7 : nt!KiGeneralProtectionFault+0x320
fffff38e767a30b0 fffff806
097a5824 : 0000000000000000 fffff806
097bd4f8 0000000000000000 00000000
00000000 : WppRecorder!WppAutoLogTrace+0x219
fffff38e767a3120 fffff806
097a109e : ffffa40aac53d920 ffffa40a
ac0eaf10 0000000000000014 00000000
0000013a : customdrv!WPP_RECORDER_SF_XDD+0x12c
fffff38e767a31a0 fffff806
10c10576 : ffffa40a968958a0 fffff806
097a1010 ffffa40a96840220 fffff806
10a95a2b : customdrv!StreamFlowDeletion+0x8e
fffff38e767a3210 fffff806
10c10037 : 0000000000005d7f ffffa40a
ab11c550 0000000000000000 ffffa40a
96840220 : NETIO!WfpNotifyFlowContextDelete+0x20a
fffff38e767a3290 fffff806
10e5e799 : fffff38e7600ff00 ffffa40a
ac0eaf10 fffff38e767a33f0 ffffa40a
ab11c520 : NETIO!KfdAleNotifyFlowDeletion+0x1c7
fffff38e767a32f0 fffff806
10e5e570 : 0000000000000000 00000000
00000000 ffffa40a96ad7a00 ffffa40a
aa51fa20 : tcpip!TcpCleanupTcbWorkQueueRoutine+0x149
fffff38e767a3450 fffff806
10e5e2a5 : 0000000000000001 fffff38e
767a36c0 fffff38e767a36c0 00000000
00000000 : tcpip!TcpCloseTcb+0x2b0
fffff38e767a35b0 fffff806
0d954488 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000001 : tcpip!TcpTlConnectionCloseEndpointCalloutRoutine+0x15
fffff38e767a35e0 fffff806
0d9543fd : fffff80610e5e290 fffff38e
767a36c0 ffffa40a9681a1e0 00000000
00000000 : nt!KeExpandKernelStackAndCalloutInternal+0x78
fffff38e767a3650 fffff806
10e75b1a : fffff38e767a3908 ffffa40a
ac748700 fffff38e767a3908 00000001
00060000 : nt!KeExpandKernelStackAndCalloutEx+0x1d
fffff38e767a3690 fffff806
1cd229b9 : ffffa40a96c56ce0 00000000
00000000 000000000000006a fffff806
0d848cc2 : tcpip!TcpTlConnectionCloseEndpoint+0x6a
fffff38e767a3700 fffff806
1cd023df : ffffa40aaa85b2b0 ffffa40a
a9aa9b30 ffffa40aa9772e10 fffff806
0d853131 : afd!AfdCloseConnection+0x8d
fffff38e767a3740 fffff806
1cd0231e : ffffa40aaa85b2b0 00000000
00000000 00000000ffff800d ffffa40a
aa85b2b0 : afd!AfdCloseCore+0xaf
fffff38e767a3780 fffff806
1cd1fbfb : ffffa40aac002e60 00000000
00000000 fffff38e767a3a39 fffff806
0d852f97 : afd!AfdClose+0x3a
fffff38e767a37b0 fffff806
0d852f55 : ffffa40aac002e60 fffff38e
767a3a00 0000000000000000 ffffa40a
a9aa9b30 : afd!AfdDispatch+0x7b
fffff38e767a37f0 fffff806
0dc00eea : fffff38e767a3a39 ffffa40a
ac002e60 0000000000000000 00000000
00000000 : nt!IofCallDriver+0x55
fffff38e767a3830 fffff806
0dbfb250 : fffff38e767a3a39 00000000
00000000 ffffa40a95ec12a0 ffffa40a
a9aa9b30 : nt!IopDeleteFile+0x13a
fffff38e767a38b0 fffff806
0d861277 : 0000000000000000 00000000
00000000 fffff38e767a3a39 ffffa40a
ac002e60 : nt!ObpRemoveObjectRoutine+0x80
fffff38e767a3910 fffff806
0dc28cbe : ffffa40a95ec12a0 00000000
00000000 ffffffff00000000 ffffa40a
95ec12a0 : nt!ObfDereferenceObjectWithTag+0xc7
fffff38e767a3950 fffff806
0dc2c93c : 000000000000039c 00000000
00000000 0000000000000000 fffff38e
767a3b80 : nt!ObCloseHandleTableEntry+0x29e
fffff38e767a3a90 fffff806
0da074b8 : ffffa40a00000000 ffffa40a
00000001 fffff38e767a3b80 fffff38e
767a3b80 : nt!NtClose+0xec
fffff38e767a3b00 00007ff9
bdeac804 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x28
000000137207f268 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : 0x00007ff9`bdeac804
THREAD_SHA1_HASH_MOD_FUNC: 62eae1283d3274c50a747d1897548590b36fb6a9
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 1210ea6613a4655fb1dfd96c1191f658fc282959
THREAD_SHA1_HASH_MOD: bec7129f59d735b3ed8a521eeb57280e59c5cb06
FOLLOWUP_IP:
WppRecorder!WppAutoLogTrace+219
fffff806`0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh]
FAULT_INSTR_CODE: dd82b60f
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: WppRecorder!WppAutoLogTrace+219
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: WppRecorder
IMAGE_NAME: WppRecorder.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 15060d00
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 219
FAILURE_BUCKET_ID: 0x1E_c0000005_WppRecorder!WppAutoLogTrace
BUCKET_ID: 0x1E_c0000005_WppRecorder!WppAutoLogTrace
PRIMARY_PROBLEM_CLASS: 0x1E_c0000005_WppRecorder!WppAutoLogTrace
TARGET_TIME: 2021-03-26T14:18:28.000Z
OSBUILD: 19041
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 784
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS Personal
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 1977-03-08 15:51:50
BUILDDATESTAMP_STR: 191206-1406
BUILDLAB_STR: vb_release
BUILDOSVER_STR: 10.0.19041.1.amd64fre.vb_release.191206-1406
ANALYSIS_SESSION_ELAPSED_TIME: 1e92
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x1e_c0000005_wpprecorder!wppautologtrace
FAILURE_ID_HASH: {66a8f622-be9f-28b6-2043-e2f20ce95285}
1: kd> .trap fffff38e767a2f20 NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=fffff38e767a31c8 rbx=0000000000000000 rcx=fffff806097b94e0 rdx=0065006800730069 rsi=0000000000000000 rdi=0000000000000000 rip=fffff8060feb1349 rsp=fffff38e767a30b0 rbp=fffff806097b94d0 r8=0000000000000001 r9=fffff806097b94d0 r10=fffff806097bc000 r11=fffff806097b94e0 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc WppRecorder!WppAutoLogTrace+0x219: fffff806
0feb1349 0fb682dd000000 movzx eax,byte ptr [rdx+0DDh] ds:00650068`00730146=??