Hi folks,
I’ve been experiencing some hard-to-debug BSODs on my machine, and to debug my drivers I’ve enabled Driver Verifier to check for issues. After enabling that, I’d get trapped in a BSOD loop due to Glasswire’s gwdrv.sys driver. I am running Glasswire Pro 2.3.413.
You can find my minidump here: dropboxDOTcom/s/s2fl20b49h7nu6o/090122-9734-01.dmp?dl=1 (sorry, new users cannot send links, so please replace DOT with a proper dot so you can download it)
For immediate reference, below is an excerpt of the !analyze output for the minidump:
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 22000 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 22000.1.amd64fre.co_release.210604-1628
Machine Name:
Kernel base = 0xfffff806`33407000 PsLoadedModuleList = 0xfffff806`340306b0
Debug session time: Thu Sep 1 10:11:55.097 2022 (UTC - 3:00)
System Uptime: 0 days 0:00:04.804
Loading Kernel Symbols
...............................................................
...............................
Loading User Symbols
Loading unloaded module list
...
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff806`3381ed40 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffffc04`41c073e0=00000000000000c4
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, BugChecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 0000000000002000, Code Integrity Issue: The caller specified an executable pool type. (Expected: NonPagedPoolNx)
Arg2: fffff80b01131d25, The address in the driver's code where the error was detected.
Arg3: 0000000000000000, Pool Type.
Arg4: 0000000000000000, Pool Tag (if provided).
Debugging Details:
------------------
*** WARNING: Unable to verify timestamp for gwdrv.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 1702
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 27549
Key : Analysis.Init.CPU.mSec
Value: 436
Key : Analysis.Init.Elapsed.mSec
Value: 2738
Key : Analysis.Memory.CommitPeak.Mb
Value: 84
Key : Bugcheck.Code.DumpHeader
Value: 0xc4
Key : Bugcheck.Code.Register
Value: 0xc4
Key : WER.OS.Branch
Value: co_release
Key : WER.OS.Timestamp
Value: 2021-06-04T16:28:00Z
Key : WER.OS.Version
Value: 10.0.22000.1
FILE_IN_CAB: 090122-9734-01.dmp
BUGCHECK_CODE: c4
BUGCHECK_P1: 2000
BUGCHECK_P2: fffff80b01131d25
BUGCHECK_P3: 0
BUGCHECK_P4: 0
BLACKBOXNTFS: 1 (!blackboxntfs)
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
STACK_TEXT:
fffffc04`41c073d8 fffff806`33e8fa81 : 00000000`000000c4 00000000`00002000 fffff80b`01131d25 00000000`00000000 : nt!KeBugCheckEx
fffffc04`41c073e0 fffff806`33a02ee1 : fffff806`34014840 00000000`00002000 fffff80b`01131d25 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0x14d
fffffc04`41c07480 fffff806`33e85ff8 : 00000000`00000000 fffff806`34014840 fffff80b`01131d25 fffff806`34784c02 : nt!VfReportIssueWithOptions+0x101
fffffc04`41c074d0 fffff806`33e81fee : 00000000`00000000 00000000`44435747 00000000`00000000 fffff806`34783d59 : nt!VfCheckPoolType+0x90
fffffc04`41c07510 fffff80b`01131d25 : 00000000`00000000 fffffc04`41c07699 ffffd60c`ebf76cd0 fffff80b`01137280 : nt!VerifierExAllocatePoolWithTag+0x9e
fffffc04`41c07570 00000000`00000000 : fffffc04`41c07699 ffffd60c`ebf76cd0 fffff80b`01137280 fffff80b`01137280 : gwdrv+0x1d25
SYMBOL_NAME: gwdrv+1d25
MODULE_NAME: gwdrv
IMAGE_NAME: gwdrv.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 1d25
FAILURE_BUCKET_ID: 0xc4_2000_VRF_gwdrv!unknown_function
OS_VERSION: 10.0.22000.1
BUILDLAB_STR: co_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {f59aab69-8684-0a5b-3a7e-4f5c5fc7f7af}
Followup: MachineOwner
---------
Any ideas what could be wrong here or anything else I could send to help investigate?
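For anyone triaging the dump above: Arg1 0x2000 means the driver asked for an executable pool type, and Arg3 = 0 is NonPagedPool (the executable flavour) where Driver Verifier expects NonPagedPoolNx. The C below is an added example, not code from this post, from Glasswire or from Microsoft: it parses the four Arg lines (constructed inline from the output above) and applies a user-mode model of the pool-type rule, using the wdm.h POOL_TYPE bits I am assuming here (bit 0 = PagedPool, 0x200 = NonPagedPoolNx).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* wdm.h POOL_TYPE bits (assumed here, not quoted from the post): bit 0 = PagedPool, 0x200 = NonPagedPoolNx. */
#define POOL_PAGED_BIT 0x1u
#define POOL_NX_BIT    0x200u
/* The 0xC4 Arg1 value in the dump: caller specified an executable pool type. */
#define C4_EXEC_POOL_TYPE 0x2000u
/* The four "ArgN:" lines from the !analyze -v output, constructed inline. */
static const char *SAMPLE_ARGS =
    "Arg1: 0000000000002000, Code Integrity Issue: executable pool type\n"
    "Arg2: fffff80b01131d25, The address in the driver's code\n"
    "Arg3: 0000000000000000, Pool Type.\n"
    "Arg4: 0000000000000000, Pool Tag (if provided).\n";

/* Pull Arg1..Arg4 hex values out of the text; returns how many were found. */
int parse_bugcheck_args(const char *text, uint64_t args[4])
{
    int i;
    for (i = 0; i < 4; i++) {
        char key[8];
        snprintf(key, sizeof key, "Arg%d: ", i + 1);
        const char *p = strstr(text, key);
        if (!p) break;
        args[i] = strtoull(p + strlen(key), NULL, 16);
    }
    return i;
}

/* Model of the rule behind nt!VfCheckPoolType: non-paged pool without NX is executable. */
bool pool_type_is_executable(uint64_t pool_type)
{
    return (pool_type & POOL_PAGED_BIT) == 0 && (pool_type & POOL_NX_BIT) == 0;
}

/* Arg1 == 0x2000 and Arg3 an executable pool type (0 = NonPagedPool, not 0x200 NonPagedPoolNx)? */
bool dump_shows_exec_pool_violation(const char *text)
{
    uint64_t a[4] = {0};
    if (parse_bugcheck_args(text, a) < 3) return false;
    return a[0] == C4_EXEC_POOL_TYPE && pool_type_is_executable(a[2]);
}

int main(void)
{
    printf("executable pool violation: %s\n", dump_shows_exec_pool_violation(SAMPLE_ARGS) ? "yes" : "no");
    return 0;
}
```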