BugCheck 7f - UNEXPECTED_KERNEL_MODE_TRAP (occurs on Windows x86 with Endpoint Security 10.5.0 and Adaptive Threat Protection)
Technical Articles ID:   KB88863
Last Modified:  3/8/2017

Environment

McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.5.0
McAfee ENS Threat Prevention 10.5.0

Microsoft Windows x86 (32-bit)

Problem

In very rare circumstances, a BugCheck 7f may occur while performing standard file operations, such as opening files, saving files, and so on, through a variety of applications with ENS 10.5.0 and ATP present.

When viewing the dump file generated by the BugCheck, you can perform some simple analysis using the command !analyze -v, which produces output similar to the following:
 
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 807ce750
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

DUMP_CLASS: 1

DUMP_QUALIFIER: 402

BUILD_VERSION_STRING:  7601.23572.x86fre.win7sp1_ldr.161011-0600 <- this indicates a 32-bit build of Windows
.
.
.
DUMP_TYPE:  0
BUGCHECK_P1: 8
BUGCHECK_P2: ffffffff807ce750
BUGCHECK_P3: 0
BUGCHECK_P4: 0
BUGCHECK_STR:  0x7f_8
TSS:  00000028 -- (.tss 0x28)
eax=00000001 ebx=86488d48 ecx=cfc01088 edx=000008e1 esi=cfc01088 edi=00000000
eip=83c2cd9b esp=cfc00ffc ebp=cfc0100c iopl=0         nv up di ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010086
hal!HalpSendFlatIpi+0xb:
83c2cd9b 8955f0          mov     dword ptr [ebp-10h],edx ss:0010:cfc00ffc=????????
Resetting default scope
.
.
.
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
PROCESS_NAME: 
CURRENT_IRQL:  2
BAD_STACK_POINTER:  807d3b84
LAST_CONTROL_TRANSFER:  from 83c2cd9b to 83840f8c
STACK_OVERFLOW: Stack Limit: cfc01000. Use (kF) and (!stackusage) to investigate stack usage.
STACKUSAGE_IMAGE: The module at base 0x76110000 was blamed for the stack overflow. It is using 5136 bytes of stack.
STACK_COMMAND:  .tss 0x28 ; kb

System Change

Installed ENS 10.5.0 and ATP.

Cause

The system crash occurs because the kernel thread stack is exhausted, which results in a BugCheck 7f. The problem is made more severe because the system is 32-bit, which already limits kernel thread stack size.
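
The following is an added example, not McAfee code: a small Python triage that reads saved !analyze -v text and checks for the signature shown above (0x7f_8 double fault, x86 build, stack pointer or faulting write below the reported Stack Limit). The names triage and SAMPLE and the result keys are assumptions made for this example; SAMPLE is constructed from lines of the output above.

```python
import re

# Constructed sample: lines copied from the !analyze -v output shown on this page.
SAMPLE = """\
UNEXPECTED_KERNEL_MODE_TRAP (7f)
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
BUILD_VERSION_STRING:  7601.23572.x86fre.win7sp1_ldr.161011-0600
BUGCHECK_STR:  0x7f_8
eax=00000001 ebx=86488d48 ecx=cfc01088 edx=000008e1 esi=cfc01088 edi=00000000
eip=83c2cd9b esp=cfc00ffc ebp=cfc0100c iopl=0         nv up di ng nz na pe nc
83c2cd9b 8955f0          mov     dword ptr [ebp-10h],edx ss:0010:cfc00ffc=????????
STACK_OVERFLOW: Stack Limit: cfc01000. Use (kF) and (!stackusage) to investigate stack usage.
"""

def _hex(pattern, text):
    """Return the first capture group of pattern as an integer, or None if absent."""
    m = re.search(pattern, text, re.I | re.M)
    return int(m.group(1), 16) if m else None

def triage(text):
    """Extract the fields that identify a kernel stack exhaustion double fault."""
    build = re.search(r"^BUILD_VERSION_STRING:\s*(\S+)", text, re.M)
    r = {
        "double_fault": bool(re.search(r"^BUGCHECK_STR:\s*0x7f_8\b", text, re.I | re.M)),
        "x86_build": bool(build and ".x86" in build.group(1)),
        "esp": _hex(r"\besp=([0-9a-f]{8})\b", text),
        "stack_limit": _hex(r"^STACK_OVERFLOW:\s*Stack Limit:\s*([0-9a-f]+)", text),
        # Address of the unreadable stack write reported on the faulting instruction line.
        "fault_addr": _hex(r"\bss:[0-9a-f]{4}:([0-9a-f]{8})=\?+", text),
    }
    limit = r["stack_limit"]
    # The x86 stack grows downward, so an address below the limit is past the end of the stack.
    r["esp_below_limit"] = None not in (r["esp"], limit) and r["esp"] < limit
    r["write_below_limit"] = None not in (r["fault_addr"], limit) and r["fault_addr"] < limit
    r["matches_pattern"] = (r["double_fault"] and r["x86_build"]
                            and (r["esp_below_limit"] or r["write_below_limit"]))
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        is_addr = isinstance(value, int) and not isinstance(value, bool)
        print(f"{key:18} {value:#010x}" if is_addr else f"{key:18} {value}")
```

A match only shows that the dump has the same signature as the output above; the installed ENS and ATP versions still need to be checked against the Environment section.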

Solution

This issue is resolved in Endpoint Security 10.5.1, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.
