Users of Windows 10 Fall Creators Update (V1709) (and also Windows 7 SP1) are facing a sporadic blue screen in the module classpnp.sys. The root cause is Kaspersky KIS 2018. Here are a few details for affected users.
Windows throws a blue screen
German blog reader Steffen H. contacted me via mail and told me about a strange blue screen issue he had.
Since a few days ago I have had a blue screen on my computer Windows 10 v1709 Build 16299.98, as well as on Windows 7 SP1, which is caused by classpnp.sys.
The build 16299.98 indicates it's Windows 10 V1709 with the latest cumulative update KB4051963, which I've addressed several times within my blog. This update is supposed to fix the Epson dot matrix printer issue, but that is just background information.
Kaspersky is the root cause
Steffen had already searched the internet and sent me the following information, which describes the circumstances of this blue screen.
After a short investigation I discovered that there is probably an error in Kaspersky, if you run Firefox 57.0.1 at the same time.
The error itself cannot be produced directly by calling X-Tabs or certain Internet pages, but unfortunately occurs sporadically but nevertheless frequently.
The issue is also being discussed at tenforums.com in this thread, where a user wrote:
4 BSOD in the last 3 days (only 2 dump files though, don’t know why). 2 while browsing in Firefox (v57), 1 while working in Photoshop CS5, the last one I can’t remember which program I was using when it happened.
Each time it happened, the BSOD is there for a few seconds, then the PC reboots.
Analysis of the dump file showed that a driver, possibly klbackupdisk.sys (Kaspersky Labs volume filter driver), is causing the BSOD. I've discussed the filter driver issue within my blog post Windows System Restore fails with error 0xC000000D.
German blog reader Michael Borman also analyzed the kernel dump and posted his analysis in this comment.
# Child-SP RetAddr Call Site
00 fffff880`0c7f9b68 fffff800`03ebf7fe nt!KeBugCheck
01 fffff880`0c7f9b70 fffff800`03ef3d8d nt!KiKernelCalloutExceptionHandler+0xe
02 fffff880`0c7f9ba0 fffff800`03ef2b65 nt!RtlpExecuteHandlerForException+0xd
03 fffff880`0c7f9bd0 fffff800`03f040bd nt!RtlDispatchException+0x415
04 fffff880`0c7fa2b0 fffff800`03ec748e nt!KiDispatchException+0x17d
05 fffff880`0c7fa940 fffff800`03ec5ffa nt!KiExceptionDispatch+0xce
06 fffff880`0c7fab20 fffff880`02365198 nt!KiPageFault+0x23a
07 fffff880`0c7facb0 fffff880`02365975 CLASSPNP!ServiceTransferRequest+0xa8
08 fffff880`0c7fad50 fffff880`017d20af CLASSPNP!ClassReadWrite+0xd5
09 fffff880`0c7fada0 fffff880`017e718c partmgr!PmGlobalDispatch+0x9f
0a fffff880`0c7fadd0 fffff880`023162bf volmgr!VmReadWrite+0x11c
0b fffff880`0c7fae10 fffff880`0231653c fvevol!FveReadWrite+0x47
0c fffff880`0c7fae50 fffff880`02263df4 fvevol!FveFilterRundownReadWrite+0x1dc
0d fffff880`0c7faeb0 fffff880`010ba1dd volsnap! ?? ::FNODOBFM::`string'+0x57b
0e fffff880`0c7faee0 00000000`00000000 klbackupdisk+0x61dd
The klbackupdisk module is causing trouble and hits Ntfs!NtfsStorageDriverCallout, which is probably what triggers the BSOD.
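As an added illustration (not code from this blog post or from the commenter), the following Python sketch parses frames 05 to 0e of the trace above and shows why the bug check names classpnp.sys while the only third-party module on the I/O path is klbackupdisk. The INBOX set and the function names are assumptions made for this example.

```python
import re

# Frames 05-0e copied from the WinDbg stack trace above (top of stack first).
STACK = r"""
05 fffff880`0c7fa940 fffff800`03ec5ffa nt!KiExceptionDispatch+0xce
06 fffff880`0c7fab20 fffff880`02365198 nt!KiPageFault+0x23a
07 fffff880`0c7facb0 fffff880`02365975 CLASSPNP!ServiceTransferRequest+0xa8
08 fffff880`0c7fad50 fffff880`017d20af CLASSPNP!ClassReadWrite+0xd5
09 fffff880`0c7fada0 fffff880`017e718c partmgr!PmGlobalDispatch+0x9f
0a fffff880`0c7fadd0 fffff880`023162bf volmgr!VmReadWrite+0x11c
0b fffff880`0c7fae10 fffff880`0231653c fvevol!FveReadWrite+0x47
0c fffff880`0c7fae50 fffff880`02263df4 fvevol!FveFilterRundownReadWrite+0x1dc
0d fffff880`0c7faeb0 fffff880`010ba1dd volsnap! ?? ::FNODOBFM::`string'+0x57b
0e fffff880`0c7faee0 00000000`00000000 klbackupdisk+0x61dd
"""

# Assumption for this example: the Windows in-box modules seen in this trace.
# Real triage would confirm each driver's vendor and signature instead.
INBOX = {"nt", "classpnp", "partmgr", "volmgr", "fvevol", "volsnap"}

# frame number, Child-SP, RetAddr, then module, optional "!", rest of call site
FRAME = re.compile(r"^([0-9a-f]{2})\s+(\S+)\s+(\S+)\s+(\w+)(!?)(.*)$")

def parse(stack):
    """Return one dict per frame; handles 'module+off' frames without symbols."""
    frames = []
    for line in stack.strip().splitlines():
        m = FRAME.match(line.strip())
        if m:
            frames.append({"n": int(m[1], 16), "module": m[4].lower(),
                           "symbolized": m[5] == "!",
                           "site": m[4] + m[5] + m[6]})
    return frames

def triage(stack):
    """Return (frame that took the fault, non-in-box frames beneath it)."""
    frames = parse(stack)
    # The frame below nt!KiPageFault is the code that touched bad memory;
    # if no trap frame is present, fall back to the top frame.
    trap = next((i for i, f in enumerate(frames)
                 if f["site"].startswith("nt!KiPageFault")), -1)
    callers = frames[trap + 1:]
    return callers[0], [f for f in callers if f["module"] not in INBOX]

if __name__ == "__main__":
    faulting, suspects = triage(STACK)
    print("fault taken in:", faulting["site"])
    for f in suspects:
        print("third-party frame %02x: %s" % (f["n"], f["site"]))
```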
A patch is announced
In the forum thread, some other Kaspersky users are reporting the same issue. They claim that Firefox 57.0.1 and Kaspersky Internet Security 18 (188.8.131.525(d)) are colliding. But it seems that Google Chrome users are also affected. The following forum entries now exist:
- An older MS Answers forum thread, dated November 2017, dealing with CLASSPNP.SYS – Kmode_exception_not_handled, which could not have been caused by update KB4051963 mentioned above.
- A fresh thread in the Kaspersky forum, where more users claim to be affected by this issue.
There is an announcement in the Kaspersky forum that Kaspersky is working on a patch for KIS 2018. This will update KIS 2018 to version 184.108.40.2065(e).
A beta patch is available
Another German user left this comment, informing me that a beta patch is available. Here are the steps to install this version:
1. Update product from the standard update source and reboot.
2. Set the product to manual update mode
3. Add new test update source to update settings: http://dnl-test.kaspersky-labs.com/test/ap
4. Disable standard update source
5. Launch the update task
6. Reboot and make sure that patch E was installed (on Support window or on the product icon in tray)
7. Check the initial issue reproduction.
If the issue persists with patch E, then please provide me with new full memory dumps in an archive. If the patch is installed, delete the above URL in update settings. Hope that helps.