Author Topic: aswMonFlt.sys causes Win8.1 to crash  (Read 3382 times)

REDACTED

  • Guest
aswMonFlt.sys causes Win8.1 to crash
« on: February 27, 2015, 04:06:44 PM »
Hi everyone,

I've been an AVID Avast fan for years and years, but it seems it is now giving me some grief...

Using 2015.10.0.2208 on a fresh Win8.1 64bit installation. System crashes every now and then, and the culprit seems to be aswMonFlt.sys.
Am I doomed?! What to do?

The dump file is available at: https://onedrive.live.com/redir?resid=C53AD4C9BEAB7CC1%21141

Thanks,
The Scraffy

Offline jursa

  • Avast team
  • Jr. Member
  • *
  • Posts: 39
Re: aswMonFlt.sys causes Win8.1 to crash
« Reply #1 on: March 01, 2015, 07:21:39 PM »
Hi, the mentioned link with the dump is broken: "This item might not exist or is no longer available". Could you provide a new link for us? Thanks, David.

Offline CSEngineer

  • Newbie
  • *
  • Posts: 6
Re: aswMonFlt.sys causes Win8.1 to crash
« Reply #2 on: March 28, 2015, 06:49:23 PM »
I have a similar problem, not a pristine system, but I've pinned it down so I can reproduce it about 80% of the time.  Windows 8.1 gives a BSOD consistently when I dismount a TrueCrypt file container.  Also happens much more infrequently when I remove a USB flash drive.  Started having this problem after the latest Avast update, never had it with previous versions.  Debug follows:

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff802ca74d596, The address that the exception occurred at
Arg3: ffffd00194f36978, Exception Record Address
Arg4: ffffd00194f36180, Context Record Address

Debugging Details:
------------------


DUMP_FILE_ATTRIBUTES: 0x8
  Kernel Generated Triage Dump

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
nt!ExfReleaseRundownProtection+6
fffff802`ca74d596 488b09          mov     rcx,qword ptr [rcx]

EXCEPTION_RECORD:  ffffd00194f36978 -- (.exr 0xffffd00194f36978)
ExceptionAddress: fffff802ca74d596 (nt!ExfReleaseRundownProtection+0x0000000000000006)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

CONTEXT:  ffffd00194f36180 -- (.cxr 0xffffd00194f36180;r)
rax=00000000c0000022 rbx=0000000000000007 rcx=0000000000000008
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000001
rip=fffff802ca74d596 rsp=ffffd00194f36bb8 rbp=ffffc00160db2be0
 r8=0000000000000008  r9=ffffd00194f36a40 r10=fffff802ca95ae80
r11=ffffd00194f36b00 r12=ffffe0012069c000 r13=0000000000000000
r14=ffffc0015290cbe0 r15=ffffe0012062dcf0
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
nt!ExfReleaseRundownProtection+0x6:
fffff802`ca74d596 488b09          mov     rcx,qword ptr [rcx] ds:002b:00000000`00000008=????????????????
Last set context:
rax=00000000c0000022 rbx=0000000000000007 rcx=0000000000000008
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000001
rip=fffff802ca74d596 rsp=ffffd00194f36bb8 rbp=ffffc00160db2be0
 r8=0000000000000008  r9=ffffd00194f36a40 r10=fffff802ca95ae80
r11=ffffd00194f36b00 r12=ffffe0012069c000 r13=0000000000000000
r14=ffffc0015290cbe0 r15=ffffe0012062dcf0
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0000  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
nt!ExfReleaseRundownProtection+0x6:
fffff802`ca74d596 488b09          mov     rcx,qword ptr [rcx] ds:002b:00000000`00000008=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000008

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff802ca9d5138
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 0000000000000008

FOLLOWUP_IP:
aswMonFlt+60e6
fffff801`00ba60e6 ??              ???

BUGCHECK_STR:  AV

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80100ba60e6 to fffff802ca74d596

STACK_TEXT: 
ffffd001`94f36bb8 fffff801`00ba60e6 : 00000000`00000001 fffff801`00bac830 00000000`a8d683c3 00000000`00001b8d : nt!ExfReleaseRundownProtection+0x6
ffffd001`94f36bc0 00000000`00000001 : fffff801`00bac830 00000000`a8d683c3 00000000`00001b8d ffffd001`94f36c68 : aswMonFlt+0x60e6
ffffd001`94f36bc8 fffff801`00bac830 : 00000000`a8d683c3 00000000`00001b8d ffffd001`94f36c68 ffffd001`94f36ca0 : 0x1
ffffd001`94f36bd0 00000000`a8d683c3 : 00000000`00001b8d ffffd001`94f36c68 ffffd001`94f36ca0 00000000`00000000 : aswMonFlt+0xc830
ffffd001`94f36bd8 00000000`00001b8d : ffffd001`94f36c68 ffffd001`94f36ca0 00000000`00000000 00000000`00000000 : 0xa8d683c3
ffffd001`94f36be0 ffffd001`94f36c68 : ffffd001`94f36ca0 00000000`00000000 00000000`00000000 ffffe001`00000007 : 0x1b8d
ffffd001`94f36be8 ffffd001`94f36ca0 : 00000000`00000000 00000000`00000000 ffffe001`00000007 ffffd001`00000001 : 0xffffd001`94f36c68
ffffd001`94f36bf0 00000000`00000000 : 00000000`00000000 ffffe001`00000007 ffffd001`00000001 ffffe001`00000020 : 0xffffd001`94f36ca0


SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  aswMonFlt+60e6

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: aswMonFlt

IMAGE_NAME:  aswMonFlt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54f45429

STACK_COMMAND:  .cxr 0xffffd00194f36180 ; kb

FAILURE_BUCKET_ID:  AV_aswMonFlt+60e6

BUCKET_ID:  AV_aswMonFlt+60e6

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:av_aswmonflt+60e6

FAILURE_ID_HASH:  {b2b6d12b-9d74-103e-1256-3bd74dcb76c3}

Followup: MachineOwner
---------

0: kd> lmvm aswMonFlt
start             end                 module name
fffff801`00ba0000 fffff801`00bc3000   aswMonFlt T (no symbols)           
    Loaded symbol image file: aswMonFlt.sys
    Image path: aswMonFlt.sys
    Image name: aswMonFlt.sys
    Timestamp:        Mon Mar 02 06:14:33 2015 (54F45429)
    CheckSum:         0001FE48
    ImageSize:        00023000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
« Last Edit: March 28, 2015, 06:52:42 PM by CSEngineer »

Offline jursa

  • Avast team
  • Jr. Member
  • *
  • Posts: 39
Re: aswMonFlt.sys causes Win8.1 to crash
« Reply #3 on: March 30, 2015, 10:04:53 AM »
Will be fixed in next service pack. Thanks, D.

REDACTED

  • Guest
Re: aswMonFlt.sys causes Win8.1 to crash
« Reply #4 on: April 07, 2015, 01:05:33 PM »
I never had problems, but since an update of Avast around the 22nd of March 2015 I get BSODs on shutdown of Windows 8.1 (64 Bit) very often.

It's always a SYSTEM_THREAD_EXCEPTION_NOT_HANDLED which is caused by aswMonFlt.sys / fltmgr.sys.

My currently used Avast version is 2015.10.2.2215.

Maybe I have a similar issue as CSEngineer as I'm also using TrueCrypt (7.1a), though I never noticed problems when mounting/dismounting the drives manually.

My C: with Windows is not encrypted, but I have some drives mounted with TrueCrypt D:, E: and F: which are encrypted.
« Last Edit: April 07, 2015, 01:07:12 PM by Majak »