driver_irql_not_less_or_equal netio.sys error, 2024
I just wonder if somebody could help me with analysing a memory.dmp file. Recently we moved around 80 machines to Office 365 and Azure Active Directory. Mostly they are working fine, however 8 of them blue screen every few days (or more often). There is no pattern in terms of hardware, as we have 5-year-old HP ZBook, a few HP EliteBook 840 G3, a few new XPS (PC, laptops, different models). Analysis of the memory.dmp file shows that all of them are crashing due to DRIVER_IRQL_NOT_LESS_OR_EQUAL and NETIO.SYS, which is not very helpful. All machines are rebuilt with a Windows 10 Pro image and the latest drivers. Common things to all (crashing and not crashing) machines in this company:
We have been trying to resolve this issue for a few weeks with no success, so I would be very grateful if somebody could help. Thank you.
philc43 BSOD Forum Moderator, BSOD Academy Instructor, BSOD Kernel Dump Expert
Hello PiotrIr, I can see you have been a member for some time but this is your first post! Welcome! I've looked at your two most recent crash dumps provided in the FileCollection zip and can see reference to a Rivet Networks Killer Network driver which seems to be the cause for the crash. Please try and look into this driver - it may be getting loaded by mistake as there is also another driver listed in the msinfo kfecosvc KfeCoSvc c:\windows\system32\drivers\rivetnetworks\killer\kfeco10x64.sys Code:
Last edited: Dec 14, 2020
Many thanks for your reply and welcome. Is there anything in memory.dmp which would point to something other than the NIC driver? I have 8 different machines with different NIC models (Intel as well), on some I've already updated drivers - and this didn't help...
philc43 BSOD Forum Moderator, BSOD Academy Instructor, BSOD Kernel Dump Expert
Without seeing the crash dumps from all 8 machines it would be difficult to give an opinion. If any of the other 8 do not have the Rivet Killer Network device I would be interested in seeing their crash dumps.
There are tcpip.sys and fwpkclnt.sys, both Microsoft drivers. Fwpkclnt.sys could have something to do with security, hence firewall/antivirus. You could try to uninstall ESET altogether on this machine to see if it resolves the issue.
Last edited: Dec 14, 2020
It's not to do with the NIC directly, it's related to one of the network filter drivers, which usually end up causing issues due to the level of privilege they have within the kernel. Rich (BB code):
The crash was caused because a driver used a pointer which contains a garbage address and hence couldn't be resolved by the page fault handler. I would be suspicious of ESET due to the issues I've seen it cause in the past. It would be worthwhile seeing the other crash dumps though.
Thank you for all your replies. I will organise another dump file from a machine which doesn't have the Killer NIC - they show the same reason - DRIVER_IRQL_NOT_LESS_OR_EQUAL and NETIO.SYS. We are on the latest version of ESET and we are using it on around 500 machines, so this is why I didn't suspect this. I'm attaching a crash dump from another XPS with Killer.
This is a crash dump from a laptop which doesn't have the Killer NIC. I just wonder - is it possible to list network filter drivers which may be responsible for this issue?
5 minidumps for this machine. They say BugCheck 116, {DifferentAddressForAllDumps, DifferentAddressForAllDumps, 0, d} Probably caused by : nvlddmkm.sys. Resolution:
Given that the driver is already updated, you can try the NVIDIA Studio Driver (instead of game ready). If that won't work: - load bios (optimized) defaults - run memtest (see hardware tutorials).
Last edited: Dec 14, 2020
Hmm, as all 8 laptops are on a similar set (O365, Intune, Safetica, ESET, Duo) I was suspecting the same reason for all of them, especially as the memory dump points to the same - DRIVER_IRQL_NOT_LESS_OR_EQUAL and NETIO.SYS.
philc43 BSOD Forum Moderator, BSOD Academy Instructor, BSOD Kernel Dump Expert
This set of logfiles for the laptop without the Killer driver does not show any BSOD crash dumps. What I can see that is common to both laptop types, whether Killer or Intel, is the driver called: netmonitor_wfp.sys Thu Jul 2 11:14:53 2020. This was implicated in the crash analysis I did for you in my first post. I could not determine where this driver came from, perhaps you will know?
If you're able, could you please check the following directory on one of the problematic machines: The file will need to be zipped and then uploaded to a file sharing site such as DropBox or OneDrive. I want to try and see if I can find what netmonitor_wfp.sys belongs to.
Thank you! I'm really grateful for your help. Yes, netmonitor_wfp belongs to Safetica and this may cause BSOD (it has in the past). However, in the past I got a clear pointer in memory.dmp which showed this. I can log a call with their support but somehow need to prove this is their issue. Is it possible to list filters attached to a network adapter? Do they also have an order which matters? I would like to have something to compare with laptops which actually work... Dump file from EliteBook below: MEMORY.zip
Thanks for providing me with the dump file, I'll have a look into it and see what I can find.
Thank you! I will start by removing Safetica first to see if this resolves the issue!
Rich (BB code):
The reason I'm suspicious of the Safetica driver is because it's the last third-party callout driver which was present at the time of the crash. Rich (BB code):
Essentially, what is happening is the NIC receives a TCP packet which is then passed through the network stack and then passed to the filter engine which then executes the filter callout drivers. In this case, it's the ESET firewall and the Safetica monitoring program, which will inspect the network data byte stream and do what they've been written to do. More information is available here: Windows Filtering Platform Architecture Overview - Windows drivers. Here's a list of the third-party callout filter drivers which are possible culprits: Rich (BB code):
Thank you! This is a great answer. I've just removed Safetica on 3 machines to see if this resolves the issue.
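On the question raised in the thread of how to list the network filter drivers and compare a crashing machine with a healthy one: WFP callouts are registered with the filter engine per layer rather than bound to an adapter, so the inventory comes from the loaded driver list and the `netsh wfp show state` dump. The script below is an added example, not something posted by any participant. It assumes an elevated PowerShell 5.1 session; the output folder, the baseline file name and the XML element names read from wfpstate.xml are assumptions.

```powershell
# Added example: inventory third-party kernel drivers and WFP callouts on one machine.
$outDir = 'C:\Temp\wfp-triage'                     # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Running kernel drivers whose file metadata does not name Microsoft as vendor.
$drivers = Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
    ForEach-Object {
        # PathName can carry an NT object prefix (\??\); strip it before Get-Item.
        $path = ($_.PathName -replace '^\\\?\?\\', '').Trim('"')
        $file = if ($path) { Get-Item -LiteralPath $path -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Name    = $_.Name
            Company = if ($file) { $file.VersionInfo.CompanyName } else { '' }
            Version = if ($file) { $file.VersionInfo.FileVersion } else { '' }
            Path    = $path
        }
    } |
    Where-Object { $_.Company -notmatch 'Microsoft' } |   # blank vendor is kept as "unknown"
    Sort-Object Name
$drivers | Export-Csv "$outDir\$env:COMPUTERNAME-drivers.csv" -NoTypeInformation

# 2. Dump the WFP state and list the callouts registered at each layer.
$stateFile = "$outDir\$env:COMPUTERNAME-wfpstate.xml"
netsh wfp show state file="$stateFile" | Out-Null
$state = New-Object System.Xml.XmlDocument
$state.Load($stateFile)
# Assumed schema: <callouts><item> with displayData/name, applicableLayer, calloutKey.
$callouts = $state.SelectNodes('//callouts/item') | ForEach-Object {
    [pscustomobject]@{
        Callout = $_.displayData.name
        Layer   = $_.applicableLayer
        Key     = $_.calloutKey
    }
} | Sort-Object Callout, Layer -Unique
$callouts | Export-Csv "$outDir\$env:COMPUTERNAME-callouts.csv" -NoTypeInformation

# 3. Diff against the same export taken on a machine that does not crash.
$baseline = "$outDir\HEALTHY-PC-drivers.csv"       # hypothetical baseline export
if (Test-Path $baseline) {
    # '=>' rows exist only on this machine, '<=' rows only on the baseline.
    Compare-Object (Import-Csv $baseline) $drivers -Property Name, Version |
        Format-Table -AutoSize
}
$callouts | Format-Table -AutoSize
```

Running it on each crashing machine and on one healthy machine gives driver and callout lists that can be compared and attached to a vendor support case.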