Random BSOD in windows audio drivers

Hi,

We have been encountering few random BSODs (OS: Windows XP SP3), mostly pointing to windows audio drivers(aec.sys, wdmaud.sys, kmixer.sys, etc). BSOD occurs inconsistently typically during windows login.

Dump would typically point to bugcheck PAGE_FAULT_IN_NONPAGED_AREA (50) which indicates that either data/code/thread stack address being referenced is either paged out/invalid. And typically in all the dumps, when i try to look at the PTE of the address referenced it would have PTE value (0), which I suppose shouldn’t be the case. Any thoughts when this can happen?

0: kd> !pte 9bfa9be0
VA 9bfa9be0
PDE at 00000000C06026F8 PTE at 00000000C04DFD48
contains 000000000AC4F963 contains 0000000000000000
pfn ac4f -G-DA–KWEV

Unfortunately, based on occurrences, this is believed to happen only when our product (anti virus product) is installed. This has been reported by few of our external customers as well.

It looks virtually impossible to gather any further clues from the dump and since it does not point to one of our drivers, we really don’t know how to proceed /investigate further on this. Any thoughts/suggestions please?

Here is the dump analysis

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 9bfa9be0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 9bfc3e5a, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:

*** WARNING: Unable to verify timestamp for aec.sys
*** ERROR: Module load completed but symbols could not be loaded for aec.sys

READ_ADDRESS: 9bfa9be0

FAULTING_IP:
aec+1be5a
9bfc3e5a ff15e09bfa9b call dword ptr [aec+0x1be0 (9bfa9be0)]

MM_INTERNAL_CODE: 0

IMAGE_NAME: aec.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: aec

FAULTING_MODULE: 9bfa8000 aec

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

TRAP_FRAME: ba513770 -- (.trap 0xffffffffba513770)
ErrCode = 00000000
eax=ba5137f0 ebx=862734dc ecx=9bfc3e4c edx=00000000 esi=871d48fc edi=86ab0ebc
eip=9bfc3e5a esp=ba5137e4 ebp=ba513834 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
aec+0x1be5a:
9bfc3e5a ff15e09bfa9b call dword ptr [aec+0x1be0 (9bfa9be0)] ds:0023:9bfa9be0=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 8052039a to 804f9f43

STACK_TEXT:
ba5136f0 8052039a 00000050 9bfa9be0 00000000 nt!KeBugCheckEx+0x1b
ba513758 805445f0 00000000 9bfa9be0 00000000 nt!MmAccessFault+0x9a8
ba513758 9bfc3e5a 00000000 9bfa9be0 00000000 nt!KiTrap0E+0xd0
WARNING: Stack unwind information not available. Following frames may be wrong.
ba513834 b80d07c4 86ab0efc 86273448 86273448 aec+0x1be5a
ba513850 b80d1246 86273448 00000002 b80d1278 ks!KspCreate+0xbb
ba513884 b80d2634 86273448 9bfc9538 8684d184 ks!CKsFilter::Init+0x3ea
ba5138b4 b80d25a2 86273448 8684d184 8684d184 ks!KspCreateFilter+0x6b
ba5138e8 b80cdfdb 86175190 86273448 86273448 ks!CKsFilterFactory::DispatchCreate+0x43
ba51390c b80d24d4 86175190 00000000 86273458 ks!DispatchCreate+0xc7
ba513928 804ef19f 86175190 86273448 86273448 ks!CKsDevice::DispatchCreate+0x8a
ba513938 80583220 86a5f118 85a0e95c ba513ad0 nt!IopfCallDriver+0x31
ba513a18 805bf488 86a5f130 00000000 85a0e8b8 nt!IopParseDevice+0xa12
ba513a90 805bba14 00000000 ba513ad0 00000240 nt!ObpLookupObjectName+0x53c
ba513ae4 80576057 00000000 00000000 54b6ed00 nt!ObOpenObjectByName+0xea
ba513b60 805769ce ba513d30 c0000000 ba513cd4 nt!IopCreateFile+0x407
ba513bbc 805790d8 ba513d30 c0000000 ba513cd4 nt!IoCreateFile+0x8e
ba513bfc 8054167c ba513d30 c0000000 ba513cd4 nt!NtCreateFile+0x30
ba513bfc 80500031 ba513d30 c0000000 ba513cd4 nt!KiFastCallEntry+0xfc
ba513ca0 9c1cadaf ba513d30 c0000000 ba513cd4 nt!ZwCreateFile+0x11
ba513cfc 9c1ceaac e35b5230 ba513d30 80546a78 sysaudio!OpenDevice+0x56
ba513d3c 9c1cfde5 e35082c8 00000000 ba513d7c sysaudio!AddFilter+0x46
ba513d4c 9c1ce0a6 e35082c8 00000000 8624d090 sysaudio!AddFilterWorker+0xf
ba513d64 b80c47ee 00000000 8624d070 8056485c sysaudio!CQueueWorkListData::AsyncWorker+0x20
ba513d7c 805387cb 8624d070 00000000 8ad36b30 ks!WorkerThread+0x45
ba513dac 805cffa8 8624d070 00000000 00000000 nt!ExpWorkerThread+0xef
ba513ddc 8054615e 805386dc 00000001 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
aec+1be5a
9bfc3e5a ff15e09bfa9b call dword ptr [aec+0x1be0 (9bfa9be0)]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: aec+1be5a

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0x50_aec+1be5a

BUCKET_ID: 0x50_aec+1be5a

Followup: MachineOwner

On 11/29/2011 10:01 AM, xxxxx@yahoo.com wrote:

We have been encountering few random BSODs (OS: Windows XP SP3),
mostly pointing to windows audio drivers(aec.sys, wdmaud.sys,
kmixer.sys, etc). BSOD occurs inconsistently typically during windows
login.

[…]

Unfortunately, based on occurrences, this is believed to happen only
when our product (anti virus product) is installed. This has been
reported by few of our external customers as well.

Check all undocumented hooks which your product uses from Windows.

To enforce DRM, Microsoft probably has to prevent any hooking
which could be useful for duplicating digital AV streams.

We don’t use any undocumented hooks as such(it is a normal mini filter driver). Keeping in view of the fact that the issue is not consistent (very infrequent) and happens only on windows xp (sp3) makes me doubt if this has to do with enforcing DRM, undocumented hooks…

I am still not able to come to the terms that this is being caused because of a bug in our product - maybe it is just causing a bug in some other driver surface…?? Is there anything further we can figure out from dump?

On 11/29/2011 10:48 AM, xxxxx@yahoo.com wrote:

We don’t use any undocumented hooks as such([…]

“as such” translates to… what, exactly???

I am still not able to come to the terms that this is being caused
because of a bug in our product - maybe it is just causing a bug in
some other driver surface…??

Major OEMs (like Dell) will probably not care.
“Your product triggers the behavior, so fix your product.”

Is there anything further we can figure out from dump?

Well, reading it might be useful, for a start…

A search for “aec.sys site:microsoft.com” yields
http://support.microsoft.com/kb/900485

Sounds to me like your problem. You did not post any revision info about
the module that actually crashed (and my crystal ball refuses to work),
so it’s hard to make any more helpful suggestions…

On 11/29/2011 10:01 AM, xxxxx@yahoo.com wrote:

We have been encountering few random BSODs (OS: Windows XP SP3),
mostly pointing to windows audio drivers(aec.sys, wdmaud.sys,
kmixer.sys, etc). BSOD occurs inconsistently typically during windows
login.

Did you search for and check/follow these entries?

aec.sys — http://support.microsoft.com/kb/900485
wdmaud.sys — http://support.microsoft.com/kb/325154

Even if updating tha MS audio components fixes the problem, you have to
try to reproduce this on a system with a kernel debugger attached
(either a real system or a virtual machine).

[Maybe the reason it happens during logon is that there a sound is
played. Try disabling the logon sound to see if you can trigger it later.]

You really need to find and pinpoint the real cause of the bugcheck, to
uncover any conflicts of your own driver and the audio subsystem.

Thanks Hagen.

One thing i have noticed is aec.sys is a manual startup driver, so wouldn’t load automatically every time on startup. But when something triggers it to load on reboot (i have verified that windows login sound doesn’t trigger to load this), the issue seems to happen. This probably attributes to it (BSOD) not reproducing consistently. We are now focusing on what would cause this driver to load on reboot. Any suggestions on this are welcome.

And regarding the KBs pointed, they are not applicable in this case - as we are already on XP SP3.

> And regarding the KBs pointed, they are not applicable in this case - as we are already on XP SP3.

You DID verify that the file versions you have are the fixed ones.

To quote Sir A.C.Doyle: “When you have eliminated the impossible,
whatever remains, however improbable, must be the truth”.

You DID verify that the file versions you have are the fixed ones.

>Yes i did. I have already seen these KB’s (before posting to the thread) previously and had validated the versions.

xxxxx@yahoo.com wrote:

We have been encountering few random BSODs (OS: Windows XP SP3), mostly pointing to windows audio drivers(aec.sys, wdmaud.sys, kmixer.sys, etc). BSOD occurs inconsistently typically during windows login.

Dump would typically point to bugcheck PAGE_FAULT_IN_NONPAGED_AREA (50) which indicates that either data/code/thread stack address being referenced is either paged out/invalid. And typically in all the dumps, when i try to look at the PTE of the address referenced it would have PTE value (0), which I suppose shouldn’t be the case. Any thoughts when this can happen?

The obvious answer is that you have overwritten a memory block in the
middle of the page tables. Are you mapping physical memory in your
antivirus? Are you involved in the aging process at all.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Tim Roberts wrote:

The obvious answer is that you have overwritten a memory block in the
middle of the page tables. Are you mapping physical memory in your
antivirus? Are you involved in the aging process at all.

I don’t usually correct my own typos, but that one is just to funny to
ignore. We’re ALL involved in the aging process. What I meant, of
course, was the “paging process”.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.