BSOD, Windows 2022, SeLow_x64.sys

bimecu · Post by **bimecu** » Sun Apr 13, 2025 11:32 pm

Greetings,

As per title ,using SoftEther Server on VPS, Windows 2022,
Getting BSOD every 20-30 mins,
as per dump the problem is in its:

DRIVER_IRQL_NOT_LESS_OR_EQUAL

SYMBOL_NAME: SeLow_x64+1b85
MODULE_NAME: SeLow_x64
IMAGE_NAME: SeLow_x64.sys
STACK_COMMAND: .cxr; .ecxr ; kb
BUCKET_ID_FUNC_OFFSET: 1b85

FAILURE_BUCKET_ID: AV_SeLow_x64!unknown_function

OS_VERSION: 10.0.20348.2849
---------------------------------------------------

The version of SeLow_x64.sys is 4.25.0.9658

server is bridged to local virtual ethernet adapter: Microsoft KM-TEST Loopback Adapter

would anyone have suggestions? where to look or what to try?

Thank you

solo · Post by **solo** » Mon Apr 14, 2025 3:03 am

Hi, please disable SecureNAT (if enabled), unbind on the MLA everything except IPv4, uninstall non-MS antivirus or anything else which is using a network filter driver. Reboot, re-test - if unresolved post as code: ipconfig /all

bimecu · Post by **bimecu** » Tue Apr 15, 2025 4:26 am

Thank you for reply,
Disabled everything on all adapters other than IPV4

results from ipconfig /all

C:\Users\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Radmin VPN:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 26.172.171.53
Subnet Mask . . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . . : 26.0.0.1

Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : contaboserver.net
IPv4 Address. . . . . . . . . . . : x.x.x.x (I've masked this as its my public ip)
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : x.x.x.x

Ethernet adapter virt_ether:

Connection-specific DNS Suffix . :
Autoconfiguration IPv4 Address. . : 169.254.12.241
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:0:d5b:9458:10cf:53e:bda1:8dfd
Link-local IPv6 Address . . . . . : fe80::10cf:53e:bda1:8dfd%11
Default Gateway . . . . . . . . . : ::

solo · Post by **solo** » Tue Apr 15, 2025 9:00 am

Temporarily disable Radmin VPN. If you still get BSOD, post as code: ipconfig /all again because '/all' must be included, and 'as code' looks like this:

Code: Select all

ipconfig /all

bimecu · Post by **bimecu** » Wed Apr 16, 2025 12:49 am

Thank you for helping me,
Unfortunately, nothing helps,

Code: Select all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : x
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contaboserver.net

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : contaboserver.net
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-59-C4-61
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : x.x.x.x(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2025 2:17:01 AM
   Lease Expires . . . . . . . . . . : Wednesday, April 16, 2025 3:23:41 AM
   Default Gateway . . . . . . . . . : 66.94.112.1
   DHCP Server . . . . . . . . . . . : 209.126.70.11
   DNS Servers . . . . . . . . . . . : 209.126.70.51
                                       209.126.70.52
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter virt_ether:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft KM-TEST Loopback Adapter
   Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.68.40(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : x.x.x.x(Preferred)
   Link-local IPv6 Address . . . . . : fe80::10cf:53e:bda1:8dfd%11(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 100663296
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2F-7E-2A-42-00-50-56-59-C4-61
   NetBIOS over Tcpip. . . . . . . . : Disabled

solo · Post by **solo** » Wed Apr 16, 2025 1:13 am

No worries. Temporarily disable Teredo Tunneling, note...

Microsoft Windows as of Windows 10, version 1803 and later disable Teredo by default.

https://en.wikipedia.org/wiki/Teredo_tunneling

BSOD?

bimecu · Post by **bimecu** » Wed Apr 16, 2025 4:01 am

Still getting blue screen and restarts every 30-40 mins :/
(everything is fine if softether server is offline)

Same error from dump analysis : AV_SeLow_x64!unknown_function
(more info down in code)

Code: Select all

C:\windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : x
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contaboserver.net

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : contaboserver.net
   Description . . . . . . . . . . . : Red Hat VirtIO Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-59-C4-61
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : x.x.x.x(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2025 5:46:34 AM
   Lease Expires . . . . . . . . . . : Wednesday, April 16, 2025 6:53:13 AM
   Default Gateway . . . . . . . . . : 66.94.112.1
   DHCP Server . . . . . . . . . . . : 209.126.70.11
   DNS Servers . . . . . . . . . . . : 209.126.70.51
                                       209.126.70.52
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter virt_ether:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft KM-TEST Loopback Adapter
   Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.68.40(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

C:\windows\system32>

Code: Select all

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 0000000002cc1850, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80129981b85, address which referenced memory

Debugging Details:
------------------

Unable to load image SeLow_x64.sys, Win32 error 0n2

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1843

    Key  : Analysis.Elapsed.mSec
    Value: 2387

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 0

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 1968

    Key  : Analysis.Init.Elapsed.mSec
    Value: 19855

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 94

    Key  : Bugcheck.Code.KiBugCheckData
    Value: 0xd1

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xd1

    Key  : Dump.Attributes.AsUlong
    Value: 1000

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 100

    Key  : Failure.Bucket
    Value: AV_SeLow_x64!unknown_function

    Key  : Failure.Hash
    Value: {bd1bcd68-c2c9-35ad-b8be-e68cc86707c7}

    Key  : Hypervisor.Enlightenments.Value
    Value: 16752

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 4170

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 1

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 0

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 0

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 0

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 1

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 0

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 536745

    Key  : Hypervisor.Flags.ValueHex
    Value: 830a9

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 0

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 0

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 0

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 0

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 0

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 0

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 0

    Key  : Hypervisor.RootFlags.Value
    Value: 0

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0

    Key  : SecureKernel.HalpHvciEnabled
    Value: 0

    Key  : WER.OS.Branch
    Value: fe_release_svc_prod1

    Key  : WER.OS.Version
    Value: 10.0.20348.2849


BUGCHECK_CODE:  d1

BUGCHECK_P1: 2cc1850

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80129981b85

FILE_IN_CAB:  MEMORY.DMP

DUMP_FILE_ATTRIBUTES: 0x1000

READ_ADDRESS: unable to get nt!PspSessionIdBitmap
 0000000002cc1850 

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXWINLOGON: 1

PROCESS_NAME:  vpnserver_x64.exe

TRAP_FRAME:  ffff970a62ed8610 -- (.trap 0xffff970a62ed8610)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffa5819657a7e0 rbx=0000000000000000 rcx=000000000000000e
rdx=ffffa58197a46090 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80129981b85 rsp=ffff970a62ed87a0 rbp=ffffa58199b56760
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=ffff970a62ed8790 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz ac pe nc
SeLow_x64+0x1b85:
fffff801`29981b85 418b76fc        mov     esi,dword ptr [r14-4] ds:ffffffff`fffffffc=????????
Resetting default scope

STACK_TEXT:  
ffff970a`62ed84c8 fffff801`26637d29     : 00000000`0000000a 00000000`02cc1850 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffff970a`62ed84d0 fffff801`26633361     : 00000000`00000000 00000000`00000001 ffffa581`990c29c0 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffff970a`62ed8610 fffff801`29981b85     : ffffa581`97a46090 ffffa581`97ae6210 ffffa581`98fdc900 00000000`00000000 : nt!KiPageFault+0x461
ffff970a`62ed87a0 fffff801`2646bb35     : ffff970a`c0000001 ffffa581`9a1f61c0 ffff970a`00064a4c fffff801`264d9529 : SeLow_x64+0x1b85
ffff970a`62ed8870 fffff801`268a648e     : 00000000`00000001 00000000`00000001 00000000`00000001 fffff801`268ad13c : nt!IofCallDriver+0x55
ffff970a`62ed88b0 fffff801`268acfb1     : ffffa581`00000000 ffff970a`62ed8b60 00000000`00000000 00000000`00000001 : nt!IopSynchronousServiceTail+0x33e
ffff970a`62ed8950 fffff801`266373e5     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtWriteFile+0x8c1
ffff970a`62ed8a70 00007ffa`5b1dfa94     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0268e998 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffa`5b1dfa94


SYMBOL_NAME:  SeLow_x64+1b85

MODULE_NAME: SeLow_x64

IMAGE_NAME:  SeLow_x64.sys

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  1b85

FAILURE_BUCKET_ID:  AV_SeLow_x64!unknown_function

OS_VERSION:  10.0.20348.2849

BUILDLAB_STR:  fe_release_svc_prod1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {bd1bcd68-c2c9-35ad-b8be-e68cc86707c7}

Followup:     MachineOwner
---------

solo · Post by **solo** » Wed Apr 16, 2025 4:56 am

Yeah AV_SeLow_x64!unknown_function is very interesting. This bug appears unresolved viewtopic.php?t=67128

Post by cedar » Tue Sep 21, 2021 10:10 am
SeLow is a device driver for processing local bridges. There have been other reports of OS crashes caused by this driver, but the location of the crash seems to be different from the other reports.

You have 3 options:

post more logs to explore this issue further
submit a bug report here https://github.com/SoftEtherVPN/SoftEtherVPN/issues
deploy a workaround

Before you ask about #3...
- delete the bridge
- enable SecureNAT
- apply viewtopic.php?f=7&t=67645#p96384

bimecu · Post by **bimecu** » Thu Apr 17, 2025 11:42 pm

Hi Solo,

Thank you again for suggestions,

The issue is resolved now.

I noticed that one of the services was occasionally using ALL RAM, it was windows defragmentation.

I believe with no RAM left, calling function in SeLow_x64.sys ends up with DRIVER_IRQL_NOT_LESS_OR_EQUAL and system crashes, all this when Local Bridge is set up and SoftEther VPN server is online.

I stopped defragmentation service and have not had any restarts or RAM Issues anymore.

I'm not sure if this project is further developed, but fixing this bug would be nice.

solo · Post by **solo** » Mon Apr 21, 2025 4:02 am

bimecu wrote: ↑
Thu Apr 17, 2025 11:42 pm
I stopped defragmentation service and have not had any restarts or RAM Issues anymore.

Hello bimecu, thank you for your feedback and the solution to this long-standing bug!

BSOD, Windows 2022, SeLow_x64.sys

BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys

Re: BSOD, Windows 2022, SeLow_x64.sys