Windows 10 Blue Screen of Death caused by cewd64f.sys

  • 1
  • Problem
  • Updated 5 months ago
My Windows 10 desktop PC crashes frequently (as much as 3-4 times a day), and I suspect that most of the crashes are caused by Covenant Eyes.  WinDbg points out the cewd64f.sys driver as a culprit.  I'm currently using 7.2.47.
The following is the output of the debugger (WinDbg) if that helps:

Microsoft (R) Windows Debugger Version 10.0.16299.15 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 16299 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff803`1888b000 PsLoadedModuleList = 0xfffff803`18becff0
Debug session time: Tue Dec 19 19:08:26.007 2017 (UTC - 6:00)
System Uptime: 0 days 0:12:57.781
Loading Kernel Symbols
...............................................................
................................................................
................................................................
......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000091`f7d12018).  Type ".hh dbgerr001" for details
Loading unloaded module list
...............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc0000005, fffff80318eba169, 0, 8}
*** ERROR: Module load completed but symbols could not be loaded for cewd64f.sys
Probably caused by : cewd64f.sys ( cewd64f+19f6 )
Followup:     MachineOwner
---------
14: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80318eba169, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000008, Parameter 1 of the exception
Debugging Details:
------------------

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING:  16299.15.amd64fre.rs3_release.170928-1534
DUMP_TYPE:  1
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: fffff80318eba169
BUGCHECK_P3: 0
BUGCHECK_P4: 8
READ_ADDRESS:  0000000000000008
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
FAULTING_IP:
nt!ObpFreeObject+153849
fffff803`18eba169 4c397a08        cmp     qword ptr [rdx+8],r15
EXCEPTION_PARAMETER2:  0000000000000008
BUGCHECK_STR:  0x1E_c0000005_R
CPU_COUNT: 10
CPU_MHZ: c7e
CPU_VENDOR:  GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 4f
CPU_STEPPING: 1
CPU_MICROCODE: 6,4f,1,0 (F,M,S,R)  SIG: B00001C'00000000 (cache) B00001C'00000000 (init)
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
PROCESS_NAME:  node.exe
CURRENT_IRQL:  0
ANALYSIS_SESSION_HOST:  KENOBI
ANALYSIS_SESSION_TIME:  12-19-2017 19:25:54.0709
ANALYSIS_VERSION: 10.0.16299.15 amd64fre
TRAP_FRAME:  fffffa0845b71958 -- (.trap 0xfffffa0845b71958)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=0000000000000008 rsp=ffff8d0a6ed8f6e0 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=3     vif nv up di pl nz na pe nc
0001:0008 ??              ???
Resetting default scope
BAD_STACK_POINTER:  ffff8d0a6ed8f6e0
LAST_CONTROL_TRANSFER:  from fffff80318a090d1 to fffff803189ef0e0
STACK_TEXT: 
fffffa08`45b71158 fffff803`18a090d1 : 00000000`0000001e ffffffff`c0000005 fffff803`18eba169 00000000`00000000 : nt!KeBugCheckEx
fffffa08`45b71160 fffff803`189faace : 00000000`00000000 00000000`00000008 fffffa08`45b71958 ffff8d0a`00000000 : nt!KiDispatchException+0x162931
fffffa08`45b71810 fffff803`189f8d57 : ffff8d0a`71e2f3b0 ffff8d0a`7296ce80 ffff8d0a`8345fa80 fffff803`188c38d9 : nt!KiExceptionDispatch+0xce
fffffa08`45b719f0 fffff803`18eba169 : ffff8d0a`85d766e0 ffff8d0a`00000000 00000000`00000000 ffff8d0a`85d76690 : nt!KiPageFault+0x217
fffffa08`45b71b80 fffff803`18d668c6 : ffff8d0a`85d766b0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ObpFreeObject+0x153849
fffffa08`45b71be0 fffff803`1892f3b6 : 00000000`00000000 00000000`00000000 00000000`00000001 ffff8d0a`85d76710 : nt!ObpRemoveObjectRoutine+0x86
fffffa08`45b71c40 fffff803`18d902ab : 00000000`ffff8002 ffff8d0a`6ed8f6e0 00000000`00000001 ffff8d0a`00000000 : nt!ObfDereferenceObjectWithTag+0xc6
fffffa08`45b71c80 fffff803`18d9267b : ffff8d0a`830fd4b0 fffff807`8674b4e4 00000000`00000000 00000000`00000000 : nt!ObCloseHandleTableEntry+0x25b
fffffa08`45b71dc0 fffff803`189fa553 : fffffa08`00000000 00000000`00000000 ffff8d0a`85de7080 ffff8d0a`7319d880 : nt!NtClose+0xcb
fffffa08`45b71e20 fffff803`189f2370 : fffff807`8677c977 ffff8d0a`70d2ba90 00000000`00000000 ffff8d0a`844c50b0 : nt!KiSystemServiceCopyEnd+0x13
fffffa08`45b71fb8 fffff807`8677c977 : ffff8d0a`70d2ba90 00000000`00000000 ffff8d0a`844c50b0 00000000`00000053 : nt!KiServiceLinkage
fffffa08`45b71fc0 fffff807`8677c7b3 : ffff8d0a`834618c0 fffffa08`45b70000 00000000`00000000 ffff8d0a`844c50b0 : FLTMGR!FltpGetNormalizedFileNameWorker+0x177
fffffa08`45b72010 fffff807`8677bbc6 : ffff8d0a`7319d8e8 fffffa08`45b73000 fffffa08`45b6d000 fffff807`8677817d : FLTMGR!FltpGetNormalizedFileName+0x33
fffffa08`45b72060 fffff807`8674ba25 : c00000bb`85de7000 00000000`00000000 ffff8d0a`834618c0 ffff8d0a`7319de50 : FLTMGR!FltpCreateFileNameInformation+0x326
fffffa08`45b720b0 fffff807`8674a63a : ffff8d0a`7319d7e0 ffff8d0a`834618c0 00000000`00000000 00000000`c00000bb : FLTMGR!HandleStreamListNotSupported+0x115
fffffa08`45b720f0 fffff807`86749d5a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : FLTMGR!FltpGetFileNameInformation+0x7ea
fffffa08`45b72190 fffff807`86ef19f6 : ffff8d0a`85de73a0 00000000`00000001 fffffa08`45b72260 ffff8d0a`703d7890 : FLTMGR!FltGetFileNameInformation+0x1ba
fffffa08`45b72210 fffff807`86747852 : 00000000`00000000 ffff8d0a`844c5190 fffffa08`45b72319 ffff8d0a`844c5010 : cewd64f+0x19f6
fffffa08`45b72260 fffff807`867473f8 : fffffa08`45b723f0 fffffa08`45b72400 00000000`00000000 00000000`00000000 : FLTMGR!FltpPerformPreCallbacks+0x2e2
fffffa08`45b72380 fffff807`8677b56b : fffff807`86767060 00000000`00000000 ffff8d0a`705ba890 fffff803`18d54da4 : FLTMGR!FltpPassThroughInternal+0x88
fffffa08`45b723b0 fffff803`188c38d9 : ffff8d0a`82eec000 00000000`00000005 ffff8d0a`807d8998 ffff8d0a`731768f0 : FLTMGR!FltpCreate+0x2bb
fffffa08`45b72460 fffff803`18d557b2 : 00000000`00000005 fffffa08`45b72760 ffff8d0a`705ba890 00000000`00000989 : nt!IofCallDriver+0x59
fffffa08`45b724a0 fffff803`18d8d987 : fffff803`18d54f90 fffff803`18d54f90 fffffa08`00000000 ffff8d0a`730a1c40 : nt!IopParseDevice+0x822
fffffa08`45b72660 fffff803`18d85060 : ffff8d0a`82c5f600 fffffa08`45b728b8 00000000`00000040 ffff8d0a`6ed8f6e0 : nt!ObpLookupObjectName+0x5b7
fffffa08`45b72820 fffff803`18d81fc1 : ffff8d0a`00000001 00000000`00000000 00000000`00000001 00000000`00000028 : nt!ObOpenObjectByNameEx+0x1e0
fffffa08`45b72960 fffff803`18d7f749 : 00000091`f8bff7c0 00007ff7`b40ddbd8 00000091`f8bff838 00000091`f8bff7d8 : nt!IopCreateFile+0x391
fffffa08`45b72a00 fffff803`189fa553 : ffff8d0a`85de7080 fffffa08`45b72b80 00000091`f8bff918 00000000`00000000 : nt!NtCreateFile+0x79
fffffa08`45b72a90 00007ffc`2fee08e4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000091`f8bff748 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`2fee08e4

THREAD_SHA1_HASH_MOD_FUNC:  b6abd2d27ef27dfed4b5ae53c36e9b8c1bf1d2c9
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  a5aafc3899e9b6ad0209f17afd5b28b9be92428f
THREAD_SHA1_HASH_MOD:  c4cb64a6929d8ae4d2bdcafa83d7018e5e3467e9
FOLLOWUP_IP:
cewd64f+19f6
fffff807`86ef19f6 488b4c2450      mov     rcx,qword ptr [rsp+50h]
FAULT_INSTR_CODE:  244c8b48
SYMBOL_STACK_INDEX:  11
SYMBOL_NAME:  cewd64f+19f6
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: cewd64f
IMAGE_NAME:  cewd64f.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  59d6b510
STACK_COMMAND:  .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET:  19f6
FAILURE_BUCKET_ID:  0x1E_c0000005_R_STACKPTR_ERROR_cewd64f!unknown_function
BUCKET_ID:  0x1E_c0000005_R_STACKPTR_ERROR_cewd64f!unknown_function
PRIMARY_PROBLEM_CLASS:  0x1E_c0000005_R_STACKPTR_ERROR_cewd64f!unknown_function
TARGET_TIME:  2017-12-20T01:08:26.000Z
OSBUILD:  16299
OSSERVICEPACK:  0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK:  272
PRODUCT_TYPE:  1
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 10
OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE: 
USER_LCID:  0
OSBUILD_TIMESTAMP:  2017-12-07 15:55:32
BUILDDATESTAMP_STR:  170928-1534
BUILDLAB_STR:  rs3_release
BUILDOSVER_STR:  10.0.16299.15.amd64fre.rs3_release.170928-1534
ANALYSIS_SESSION_ELAPSED_TIME:  848
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:0x1e_c0000005_r_stackptr_error_cewd64f!unknown_function
FAILURE_ID_HASH:  {e1118302-8a29-eed7-e1d5-1ac6e7548891}
Followup:     MachineOwner
---------
Photo of aggieben

aggieben

  • 57 Posts
  • 8 Reply Likes
  • annoyted

Posted 5 months ago

  • 1
Photo of Chad

Chad, Official Rep

  • 119 Posts
  • 10 Reply Likes
Thank you aggieben,

I've passed your post on to our dev team.

Chad