1 Reply Latest reply on Dec 24, 2011 3:55 AM by metalhead

    BSOD in mfehidk.sys

      Hello,

       

      We have a client who is running VirusScan Enterprise 8.7.0i on Windows Server 2008 R2 Enterprise:

       

      mfehidk1.png

      They've been experiencing hung network traffic (i.e. copying a large number of files to/from a network location hangs), slowdowns of the server, and BSODs in mfehidk.sys.

       

      The mini-dumps point at this:

       

      mfehidk2.png

      A quick !analyze -v shows this:

       

       

      Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
      Copyright (c) Microsoft Corporation. All rights reserved.

      Loading Dump File [C:\Windows\Minidump\122211-39249-01.dmp]
      Mini Kernel Dump File: Only registers and stack trace are available

      Symbol search path is: srv*d:\symbols*http://msdl.microsoft.com/download/symbols
      Executable search path is:
      Windows 7 Kernel Version 7600 MP (24 procs) Free x64
      Product: Server, suite: Enterprise TerminalServer SingleUserTS
      Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
      Machine Name:
      Kernel base = 0xfffff800`01a57000 PsLoadedModuleList = 0xfffff800`01c94e50
      Debug session time: Thu Dec 22 15:42:32.328 2011 (UTC - 5:00)
      System Uptime: 6 days 4:08:44.316
      Loading Kernel Symbols
      ...............................................................
      ................................................................
      .......................
      Loading User Symbols
      Loading unloaded module list
      .........
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************

      Use !analyze -v to get detailed debugging information.

      BugCheck D1, {fffffa8058b742d2, 2, 0, fffff88001cfcf40}

      Unable to load image \SystemRoot\system32\drivers\mfehidk.sys, Win32 error 0n2
      *** WARNING: Unable to verify timestamp for mfehidk.sys
      *** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
      Probably caused by : mfehidk.sys ( mfehidk+3cf40 )

      Followup: MachineOwner
      ---------

       

      18: kd> !analyze -v
      *******************************************************************************
      *                                                                             *
      *                        Bugcheck Analysis                                    *
      *                                                                             *
      *******************************************************************************

      DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
      An attempt was made to access a pageable (or completely invalid) address at an
      interrupt request level (IRQL) that is too high.  This is usually
      caused by drivers using improper addresses.
      If kernel debugger is available get stack backtrace.
      Arguments:
      Arg1: fffffa8058b742d2, memory referenced
      Arg2: 0000000000000002, IRQL
      Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
      Arg4: fffff88001cfcf40, address which referenced memory

      Debugging Details:
      ------------------

      READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80001cff0e0
      fffffa8058b742d2

      CURRENT_IRQL:  2

      FAULTING_IP:
      mfehidk+3cf40
      fffff880`01cfcf40 8a040a          mov     al,byte ptr [rdx+rcx]

      CUSTOMER_CRASH_COUNT:  1

      DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

      BUGCHECK_STR:  0xD1

      PROCESS_NAME:  System

      TRAP_FRAME:  fffff880029baf80 -- (.trap 0xfffff880029baf80)
      NOTE: The trap frame does not contain all registers.
      Some register values may be zeroed or incorrect.
      rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80b060dd36
      rdx=ffffffffa856659c rsi=0000000000000000 rdi=0000000000000000
      rip=fffff88001cfcf40 rsp=fffff880029bb118 rbp=fffffa8049bb5000
      r8=0000000000000061  r9=0000000000000061 r10=0000000000009c1a
      r11=fffffa80b060dcd6 r12=0000000000000000 r13=0000000000000000
      r14=0000000000000000 r15=0000000000000000
      iopl=0         nv up ei ng nz na po nc
      mfehidk+0x3cf40:
      fffff880`01cfcf40 8a040a          mov     al,byte ptr [rdx+rcx] ds:59b0:fffffa80`58b742d2=??
      Resetting default scope

      LAST_CONTROL_TRANSFER:  from fffff80001ac6b69 to fffff80001ac7600

      STACK_TEXT:
      fffff880`029bae38 fffff800`01ac6b69 : 00000000`0000000a fffffa80`58b742d2 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
      fffff880`029bae40 fffff800`01ac57e0 : 00000000`00000004 00000000`00000061 fffff880`06675f30 fffffa80`e66c0110 : nt!KiBugCheckDispatch+0x69
      fffff880`029baf80 fffff880`01cfcf40 : fffff880`01cd9036 00000000`00000061 fffffa80`49bb5000 fffffa80`db8b4d20 : nt!KiPageFault+0x260
      fffff880`029bb118 fffff880`01cd9036 : 00000000`00000061 fffffa80`49bb5000 fffffa80`db8b4d20 00000000`000007ff : mfehidk+0x3cf40
      fffff880`029bb120 00000000`00000061 : fffffa80`49bb5000 fffffa80`db8b4d20 00000000`000007ff 00000001`00000000 : mfehidk+0x19036
      fffff880`029bb128 fffffa80`49bb5000 : fffffa80`db8b4d20 00000000`000007ff 00000001`00000000 00000000`30010000 : 0x61
      fffff880`029bb130 fffffa80`db8b4d20 : 00000000`000007ff 00000001`00000000 00000000`30010000 00000000`00000000 : 0xfffffa80`49bb5000
      fffff880`029bb138 00000000`000007ff : 00000001`00000000 00000000`30010000 00000000`00000000 00000000`00000002 : 0xfffffa80`db8b4d20
      fffff880`029bb140 00000001`00000000 : 00000000`30010000 00000000`00000000 00000000`00000002 00000000`424d53fe : 0x7ff
      fffff880`029bb148 00000000`30010000 : 00000000`00000000 00000000`00000002 00000000`424d53fe fffff880`01cf606b : 0x1`00000000
      fffff880`029bb150 00000000`00000000 : 00000000`00000002 00000000`424d53fe fffff880`01cf606b 00000000`00000ab0 : 0x30010000

      STACK_COMMAND:  kb

      FOLLOWUP_IP:
      mfehidk+3cf40
      fffff880`01cfcf40 8a040a          mov     al,byte ptr [rdx+rcx]

      SYMBOL_STACK_INDEX:  3

      SYMBOL_NAME:  mfehidk+3cf40

      FOLLOWUP_NAME:  MachineOwner

      MODULE_NAME: mfehidk

      IMAGE_NAME:  mfehidk.sys

      DEBUG_FLR_IMAGE_TIMESTAMP:  48d2ded8

      FAILURE_BUCKET_ID:  X64_0xD1_mfehidk+3cf40

      BUCKET_ID:  X64_0xD1_mfehidk+3cf40

      Followup: MachineOwner
      ---------

       

      18: kd> lmvm mfehidk
      start             end                 module name
      fffff880`01cc0000 fffff880`01d2f680   mfehidk  T (no symbols)
          Loaded symbol image file: mfehidk.sys
          Image path: \SystemRoot\system32\drivers\mfehidk.sys
          Image name: mfehidk.sys
          Timestamp:        Thu Sep 18 19:06:00 2008 (48D2DED8)
          CheckSum:         0007B046
          ImageSize:        0006F680
          Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

       

      Is there a known problem with mfehidk.sys? And is there a fix?

       

      Thanks,

       

      Ray

       

      Message was edited by: raymegal on 12/23/11 4:55:33 PM CST
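
      A cross-check of the values in the dump above, as an added example that is not part of the original post: it recomputes the faulting address from the trap-frame registers, the module offset from the lmvm range, and the driver and kernel build dates. The names `triage` and `DUMP` are hypothetical; the input lines are copied from the debugger output in the post.

```python
import re
from datetime import datetime, timezone

# Lines copied verbatim from the debugger output in the post above.
DUMP = """\
BugCheck D1, {fffffa8058b742d2, 2, 0, fffff88001cfcf40}
rax=0000000000000000 rbx=0000000000000000 rcx=fffffa80b060dd36
rdx=ffffffffa856659c rsi=0000000000000000 rdi=0000000000000000
fffff880`01cfcf40 8a040a          mov     al,byte ptr [rdx+rcx]
fffff880`01cc0000 fffff880`01d2f680   mfehidk  T (no symbols)
DEBUG_FLR_IMAGE_TIMESTAMP:  48d2ded8
Built by: 7600.16539.amd64fre.win7_gdr.100226-1909
"""

MASK64 = (1 << 64) - 1

def _hex(s):
    """Parse a WinDbg hex value, with or without the ` separator."""
    return int(s.replace("`", ""), 16)

def triage(text):
    """Cross-check bugcheck arguments against the trap frame and module list."""
    args = re.search(r"BugCheck D1, \{([^}]+)\}", text).group(1).split(", ")
    referenced, irql, _is_write, fault_ip = (_hex(a) for a in args)
    regs = {n: _hex(v) for n, v in re.findall(r"\b(r\w+)=([0-9a-f]{16})\b", text)}
    base, end, name = re.search(
        r"^([0-9a-f`]{17}) ([0-9a-f`]{17}) +(\w+)", text, re.M).groups()
    base, end = _hex(base), _hex(end)
    stamp = _hex(re.search(r"IMAGE_TIMESTAMP:\s+([0-9a-f]{8})", text).group(1))
    os_build = re.search(r"Built by: \S+\.(\d{6})-\d{4}", text).group(1)
    rdx = regs["rdx"]
    return {
        "irql": irql,
        "module": name,
        # Arg4 minus the lmvm start address gives the mfehidk+offset in the bucket ID.
        "offset": hex(fault_ip - base),
        "ip_in_module": base <= fault_ip < end,
        # mov al,[rdx+rcx]: the 64-bit wrapped sum should equal Arg1.
        "address_reproduced": (rdx + regs["rcx"]) & MASK64 == referenced,
        # rdx read as a signed 64-bit value (it is a negative displacement here).
        "rdx_signed": rdx - (1 << 64) if rdx >> 63 else rdx,
        # PE link timestamp of the driver versus the date in the kernel build string.
        "driver_built": datetime.fromtimestamp(stamp, timezone.utc).date(),
        "os_built": datetime.strptime(os_build, "%y%m%d").date(),
    }

if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key:20} {value}")
```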