Question Attempt of Fixing a BSOD Issue

ksa1978

Honorable
Aug 21, 2015
18
0
10,510
Greetings.
I've been having an issue on my PC for around 4 months now, where it runs into an occasional BSOD every few days. It happened once more earlier today, so I decided to investigate the cause.
After running the dump file through WinDBG, here's some of the relevant data for the crash.

SYMBOL_NAME: afd!AfdDerefPollInfoFileObjects+48

MODULE_NAME: afd

IMAGE_NAME: afd.sys

IMAGE_VERSION: 10.0.19041.1767

STACK_COMMAND: .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET: 48

FAILURE_BUCKET_ID: AV_afd!AfdDerefPollInfoFileObjects

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {9a846440-a090-65b4-c1d4-bc8c6183377b}

If anyone knows how to solve this issue, or if more info is needed, kindly let me know.

Thanks in advance.
Best regards.
 

ksa1978

Hopefully it's not a power related issue.

You should look at updating all drivers to latest release.

ancillary function driver for winsock. Used by windows to talk to network drivers.
I would update ethernet or WIFI drivers, whichever you use.
I appreciate the responses from both of you. I've looked into it in Device Manager, and sure enough it says the Ethernet drivers are all fully updated, and Ethernet's definitely all I use in my case. So it's clearly not that; any other ideas or suggestions would be appreciated. Thank you.
 

Colif

Win 11 Master
Moderator
Can you follow option one on the following link - here - and then do this step below: Small memory dumps - Have Windows Create a Small Memory Dump (Minidump) on BSOD - that creates a file in C:\Windows\Minidump after the next BSOD

  1. Open Windows File Explorer
  2. Navigate to C:\Windows\Minidump
  3. Copy the mini-dump files out onto your Desktop
  4. Do not use WinZip; use the built-in facility in Windows
  5. Select those files on your Desktop, right click them and choose 'Send to' - Compressed (zipped) folder
  6. Upload the zip file to the Cloud (OneDrive, DropBox . . . etc.)
  7. Then post a link here to the zip file, so we can take a look for you . . .
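
The collection steps above, scripted in PowerShell as an added example (not part of Colif's post); it also reports which dump type Windows is configured to write. It assumes an elevated prompt, and the `Minidumps` folder and zip name on the Desktop are choices made here.

```powershell
# Added example: show the configured crash-dump type, then stage and zip minidumps.
# Run elevated; C:\Windows\Minidump is not readable by standard users.
$cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# CrashDumpEnabled values used by Windows
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump (minidump)'
    7 = 'Automatic memory dump'
}
$type = $dumpTypes[[int]$cc.CrashDumpEnabled]
if (-not $type) { $type = "Unknown ($($cc.CrashDumpEnabled))" }
Write-Host "Configured dump type: $type"

# MinidumpDir is an expandable string such as %SystemRoot%\Minidump
$miniDir = Join-Path $env:SystemRoot 'Minidump'
if ($cc.MinidumpDir) {
    $miniDir = [Environment]::ExpandEnvironmentVariables($cc.MinidumpDir)
}

$dumps = Get-ChildItem -Path $miniDir -Filter *.dmp -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime
if (-not $dumps) {
    Write-Warning "No minidumps found in $miniDir"
    return
}
$dumps | Format-Table Name, LastWriteTime, Length -AutoSize

# Copy to the Desktop first, then compress the copies
$staging = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Minidumps'
New-Item -ItemType Directory -Path $staging -Force | Out-Null
$dumps | Copy-Item -Destination $staging

$zip = "$staging.zip"
Compress-Archive -Path (Join-Path $staging '*.dmp') -DestinationPath $zip -Force
Write-Host "Zip ready to upload: $zip"
```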
 

ksa1978

I apologize for the late response. Since then a number of small developments took place: it turned out Windows itself was stupid and said I updated all network drivers, when it simply wasn't detecting any new ones for some reason, and so I updated them using a 3rd party software, and wanted to wait a few days to confirm if that was fixed. But it seems that did no good, so we're back to this...

To your suggestion, it crashed again earlier today so as instructed here's a link for the zip file, I hope it's adequate.
https://drive.google.com/file/d/1ACWD0r49uUVLdYDuwK5LcdFquwBGodXS/view?usp=sharing
 
since the bugcheck involved afd.sys a network component you would start by updating the network drivers
and then the vm drivers.

since the bugcheck involved a memory mapped file and most likely a null reference I would be looking at the game drivers or the iobit filter driver causing a delay that led to this bugcheck.

I would download autoruns64 from here
Autoruns for Windows - Windows Sysinternals | Microsoft Docs

and remove any driver I did not need. (see list below for info) Then disable the remaining ones and look for updates. Then see if you still bugcheck.
You can disable drivers, reboot and see if you still have issues, then you can always just re-enable drivers without having to reinstall. Works well for testing.

----------------
network function. Pooltag shows MmCa
which is memory manager control area for mapped files

scpvbus.sys from 2013 corrupts memory, you need a version from 2016 if you can find it. (public source was fixed but someone needs to compile and provide access to driver)

here are suspects that could cause this bugcheck:

e2xw10x64.sys jan 2020
rtwlane02.sys dated may 2019
vm network drivers and bridge from aug 2019
vm sockets from july 2019
iobit software could also cause this problem.

marvinbus64.sys from 2005 (what is this???, bad)
Pinnacle Video capture device? file date is suspect.

not sure what this is: cy3014x64.sys from apr 2019
(game capture driver from Elgato Systems LLC )

not sure why this is loaded: bazisvirtualcdbus.sys from 2015
(public domain cd emulator)

elgatoVAD.sys from 2016 I would see if I still needed this.

machine bios is from 2016 (old)
msi z170a gaming m5 (ms-7977)
bios 5.11 05/11/2015
cpu i7 6700k with slight overclock 4.008 GHz
motherboard update site:
MSI Global - The Leading Brand in High-end Gaming & Professional Creation
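
An added example, not part of the post above: a PowerShell inventory of running non-Microsoft kernel drivers, oldest first, as a starting list for the Autoruns review. It reads each file's PE link timestamp and treats the `CompanyName` version field as a heuristic only; `Get-PeLinkDate` is a helper name made up here.

```powershell
# Added example: list running kernel drivers that are not Microsoft-published,
# sorted by the link date stored in each driver's PE header. Run elevated.

function Get-PeLinkDate {
    param([string]$Path)
    # e_lfanew at offset 0x3C points to "PE\0\0"; TimeDateStamp is 8 bytes past it
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $peOff = [System.BitConverter]::ToInt32($bytes, 0x3C)
    $stamp = [System.BitConverter]::ToUInt32($bytes, $peOff + 8)
    [System.DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime
}

$report = foreach ($d in Get-CimInstance Win32_SystemDriver -Filter "State='Running'") {
    if (-not $d.PathName) { continue }

    # PathName can be quoted or carry the NT prefix \??\ ; normalise it
    $path = $d.PathName.Trim('"') -replace '^\\\?\?\\', ''
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

    # CompanyName is file metadata, so this filter is a triage heuristic, not proof
    $info = (Get-Item -LiteralPath $path).VersionInfo
    if ($info.CompanyName -like 'Microsoft*') { continue }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $signer = "$($sig.Status)"
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    [pscustomobject]@{
        Driver   = Split-Path $path -Leaf
        LinkDate = Get-PeLinkDate $path
        Company  = $info.CompanyName
        Signer   = $signer
        Service  = $d.Name
    }
}

$report | Sort-Object LinkDate | Format-Table -AutoSize -Wrap
```

The `Service` column is the name to look for under the Drivers tab in Autoruns when unticking an entry for a test reboot.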
 

Colif

Win 11 Master
Moderator
marvinbus64.sys from 2005 (what is this???, bad)
Pinnacle Video capture device? file date is suspect.

2005 date could also be a windows driver date, many of the ones that come with windows are from that age.

rtwlane02.sys dated may 2019
I've seen a stack of old wifi USB adaptors cause problems so this could be it. Depends on if they use WIFI. Knowing what make/model adaptor it is lets me look at how old the newest driver is for it. Fun part is figuring out what realtek chip is inside.
afd.sys would have made me look at that detail.

scpvbus.sys from 2013 corrupts memory, you need a version from 2016 if you can find it. (public source was fixed but someone needs to compile and provide access to driver)
I wish there was a replacement for Scarlet Crush. I know the toolkit has a github but it hasn't moved in a few years.
 

ksa1978

Alrighty so from the top.

See, that's what I did last time. I used this Iobit software to update all of my drivers, including the network ones, and for a while I thought the issue was solved as I went nearly a whole week without a crash, but afterwards I got 2 crashes anyway thanks to afd.sys, which is what brought me back here.

Hmm...I'll try to check the iobit filter driver afterwards, though what exactly should I be checking for in the game drivers?

Okie dokie, noted! Note though that the crash does not happen daily, it tends to happen every few days so I will give an update when it happens again or if it does not, usually within a week at max.

For scpvbus.sys, I seem to have found the 2016 version on a github link, though I'm unsure how to confirm it replaces the 2013 one on my PC. Should I just delete that one and the PC will then default to the 2016 one?


So assuming unticking the checkbox disables it.
I've disabled e2xw10x64, it's a mini port driver for the gigabit ethernet controller hardware.
Same for rtwlane02.sys
VMnetBridge
I assume Vsock is the one relating to Vm Sockets, so disabled too.

The iobit software, I got for downloading drivers, so I will uninstall that one next, if things don't work with this.

Alright so, marvinbus64.sys did not come up on Autoruns, but I recognize what this is from your description. It's probably drivers relating to an old Dazzle capture card I had. I don't use it anymore so I would not need the driver, so I will remove the piece of software that probably contains it.

The next one is probably for the Elgato HD60 Capture card that I do commonly use, so I will probably avoid removing it unless I have to.


Huh you're right... I hardly use any sort of virtual disc software, so I'll uncheck it too.

elgatoVAD.sys, I'm guessing is also relating to the HD60 Elgato Capture card too, but I'll try unticking this one.

For the BIOS, I'll update it now. Thanks for all the tips!

UPDATE: I had to enable e2xw10x64 after reboot, as the internet connection would not work when I kept it disabled. But I kept the rest of the items I mentioned above disabled.
 

ksa1978

Well in my case, I rarely use WiFi at all.
 
I figured you will realize you need the network connection.
afd.sys provides network functions including all windows socket functions for network communication. Since the problem involved a mapped file, I would guess one of these game capture drivers is creating a socket thru afd.sys and writing to a file that exists only in memory (not on disk). At some point it closed the socket but afd had already closed the socket so it called a bugcheck. afd.sys takes the blame, or the network driver, but it really is the creator of the socket that is the cause of the fault. Most likely one of the capture drivers or elgato drivers.

to find the memory mapped file in the debugger you would have to provide a kernel memory dump, if the same was a 32 bit game you would have to provide a full memory dump which is pretty large. it could provide proof as to which driver is the fault but takes time to figure out.
 

ksa1978

It certainly sounds plausible, but it's also possible that one of the drivers I just got done disabling is doing this right? See the thing I'm confused with is that, none of the two game captures I used, need or require an internet connection in any form. So I'm legitimately unsure why they would go through afd.sys.

Nonetheless, though if I get this crash again, I will disable both of their drivers that I did not yet and see if any difference is made and report back here.

Well I looked into it, and I did set it just now to provide a kernel memory dump, should it crash the next time. If it proves insufficient I can provide a full memory dump afterwards.

Thank you so very much for your detailed explanation and I will be sure to report back for any updates!
 
yes, the game capture driver would create a local socket using the windows loop back driver.
then write to the socket which would point back to the local machine. address would be 127.0.0.1

you can google "windows socket loopback address"
for info. This would allow socket connections on your local area network between machines as well from your machine back to your machine (loopback)
The WSADuplicateSocket function is used to enable socket sharing between processes. So you could screen capture and play the game at the same time with one socket. I guess the game could exit and afd.sys clean up the socket info then later the game capture driver release the socket and cause afd.sys to bugcheck since the socket is already released.
----------
FYI: microsoft rammap64.exe can show these memory mapped files but there are thousands of them, you would have to look at the list and expand suspect items to figure out what is using the file and where in memory it is. very tedious.
RAMMap - Windows Sysinternals | Microsoft Docs

I generally use the tool to use the various empty function menu items to get windows to release a lot of stored items to make debugging easier. very useful for removing standby memory and reducing the size of a memory dump and distracting info in a full memory dump.
 

ksa1978

Well as I entered the 10th day, I was thinking the cause of the crash was indeed identified and it's finally over. However, I unfortunately got another crash today... Same BSOD...
Here's the pastebin once more.
https://pastebin.com/YBZ6tMbF
A few interesting things I've personally noted:
1. It seems it's the same IRQL_NOT_LESS_OR_EQUAL stuff, implying the same socket issue as before.
2. afd.sys is once again here.
3. Discord.PTB is mentioned, and that's interesting, because at the time of the crash I was running both Discord and Discord.PTB, the only different thing the latter was doing was that it was streaming a video from VLC Media Player. So is it the cause somehow? Or is this still one of the drivers mentioned above?
I'm honestly baffled, each time I think I have it solved, it ends up not being the case.
 
some program tried to send a null pointer to afd.sys and it called a bugcheck.
you should put up the actual memory dump and I can see if I can find the memory tag and see what allocated it. (it may be gone at the time of the bugcheck)
 

ksa1978

Man I can't believe it...
Alrighty, I've set it to dump a Complete Memory Dump, the next time it happens I will be sure to share it here. Thanks for the feedback!