Kaspersky (kltdi.sys) causes a BSOD on Windows Server

Another nice Blue Screen of Death troubleshooting session for me today. The server sometimes throws a Blue Screen with stop code 0x7f. The configuration is a Windows Server 2008 R2 with Kaspersky Endpoint Security for Windows version 10.1.0.867, and after updating to version 10.2.1.23 the BSOD still persists.

The bugcheck shows up in the Event Viewer as:

The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000007f (0x0000000000000008, 0x0000000080050031, 0x00000000000006f8, 0xfffffa6003d97879).

kltdi.sys WinDbg analyze

So we load the dump file into WinDbg to analyze the problem and get this output:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050031
Arg3: 00000000000006f8
Arg4: fffffa6003d97879

Debugging Details:
------------------


BUGCHECK_STR:  0x7f_8

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT_SERVER

PROCESS_NAME:  System

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) amd64fre

LAST_CONTROL_TRANSFER:  from fffff80001e66eee to fffff80001e67150

STACK_TEXT:  
fffffa60`005f1a68 fffff800`01e66eee : 00000000`0000007f 00000000`00000008 00000000`80050031 00000000`000006f8 : nt!KeBugCheckEx
fffffa60`005f1a70 fffff800`01e65738 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiBugCheckDispatch+0x6e
fffffa60`005f1bb0 fffffa60`03d97879 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDoubleFaultAbort+0xb8
fffffa60`023e6fe0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kltdi+0x1879


STACK_COMMAND:  kb

FOLLOWUP_IP: 
kltdi+1879
fffffa60`03d97879 e896100000      call    kltdi+0x2914 (fffffa60`03d98914)

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  kltdi+1879

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: kltdi

IMAGE_NAME:  kltdi.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  50ade6c4

FAILURE_BUCKET_ID:  X64_0x7f_8_kltdi+1879

BUCKET_ID:  X64_0x7f_8_kltdi+1879

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x7f_8_kltdi+1879

FAILURE_ID_HASH:  {037d708d-dd1e-2832-7343-e2f99ee20acc}

Followup: MachineOwner
---------

1: kd> lmvm kltdi
start             end                 module name
fffffa60`03d96000 fffffa60`03da6000   kltdi    T (no symbols)           
    Loaded symbol image file: kltdi.sys
    Image path: kltdi.sys
    Image name: kltdi.sys
    Timestamp:        Thu Nov 22 09:48:04 2012 (50ADE6C4)
    CheckSum:         0001927C
    ImageSize:        00010000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

We see that kltdi.sys is causing the problem here, so what is kltdi.sys? Its file description reads “Network filtering component”, it is digitally signed by “Kaspersky Lab”, and it lives in the folder “C:\WINDOWS\system32\drivers”.

So how do we fix this problem with the network filtering component and the Blue Screens…

Just uninstall Kaspersky from your system… No, at this moment I have no other solution than preventing kltdi.sys from being loaded at system startup; the Kaspersky forums don’t have a solution for this either. So we are going to disable this driver in the Windows Registry. The key you’re looking for is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kltdi

Set the “Start” value to 4 to disable it. Reboot the computer/server and you won’t get any Blue Screens anymore. And start praying that Kaspersky fixes this issue in a future update.

I was also wondering which start values are valid to put there, and after some searching on Microsoft’s support website I found this:

Boot      0x0
System    0x1
Automatic 0x2
Manual    0x3
Disabled  0x4

Note that for services only 0x2, 0x3 and 0x4 are valid options; the values listed above apply to device drivers.

kltdi registry

With the 0x1 (System) value, the driver is loaded while Windows is starting up.
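The registry procedure above, as an added PowerShell example that is not from the original post: it extracts the stop code from the "rebooted from a bugcheck" event quoted earlier, and only when a 0x7f bugcheck is present sets the kltdi Start value to 4, saving the old value first. Function names and the backup file path are my own; it assumes an elevated prompt and PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Confirms the logged crash is the
# article's 0x7f stop code before setting kltdi Start = 4, and saves the old value.
# Assumes an elevated prompt, PowerShell 3.0+; function names and backup path are mine.
$KltdiKey = 'HKLM:\SYSTEM\CurrentControlSet\services\kltdi'
# Start values for kernel drivers as listed in the post (services accept only 2-4).
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-DriverStartType {
    param([string]$KeyPath = $KltdiKey)
    if (-not (Test-Path $KeyPath)) { throw "Driver key not found: $KeyPath" }
    $props = Get-ItemProperty -Path $KeyPath
    [pscustomobject]@{
        Key       = $KeyPath
        Start     = [int]$props.Start
        StartName = $StartNames[[int]$props.Start]
        ImagePath = $props.ImagePath
    }
}

function Disable-Driver {
    param([string]$KeyPath = $KltdiKey, [string]$BackupFile = "$env:ProgramData\kltdi-start.bak")
    $before = Get-DriverStartType -KeyPath $KeyPath
    # Old value goes to $BackupFile; revert with Set-ItemProperty ... -Value (Get-Content $BackupFile)
    Set-Content -Path $BackupFile -Value $before.Start
    Set-ItemProperty -Path $KeyPath -Name Start -Value 4 -Type DWord
    $after = Get-DriverStartType -KeyPath $KeyPath
    "kltdi Start: $($before.StartName) ($($before.Start)) -> $($after.StartName) ($($after.Start)); reboot to apply"
}

# Parse the stop code and its four parameters out of System log event 1001
# ("The computer has rebooted from a bugcheck...") as quoted in the post.
function Get-BugcheckEvents {
    param([int]$Newest = 20)
    $pattern = 'bugcheck was: (0x[0-9a-f]+) \((0x[0-9a-f]+), (0x[0-9a-f]+), (0x[0-9a-f]+), (0x[0-9a-f]+)\)'
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001 } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $pattern) {
                [pscustomobject]@{ Time = $_.TimeCreated; StopCode = $Matches[1]
                                   Arg1 = $Matches[2]; Arg2 = $Matches[3]; Arg3 = $Matches[4]; Arg4 = $Matches[5] }
            }
        }
}

$crashes = Get-BugcheckEvents
$crashes | Format-Table -AutoSize
if ($crashes | Where-Object { $_.StopCode -eq '0x0000007f' }) { Disable-Driver }
else { 'No 0x7f bugcheck logged; leaving kltdi alone.'; Get-DriverStartType }
```

The bugcheck parameters it prints (Arg1 = 8 for a double fault) are the same four values WinDbg lists under Arguments, so the event log alone tells you whether a given reboot matches this crash signature.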

Note: on some computers the Transport Driver Interface component is instead called klwfp.sys. I haven’t seen any problems on systems with this driver.

Branko Vucinec
