000035725 - Blue screen of death on Windows 10 systems (IOCTL_GET_DRIVER_STATUS) due to RSA NetWitness Endpoint agent

Document created by RSA Customer Support Employee on Dec 1, 2017Last modified by RSA Customer Support Employee on Dec 2, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000035725
Applies ToRSA Product Set: NetWitness Endpoint
RSA Product/Service Type: Agent
RSA Version/Condition:,,,, 4.2.x
Platform: Windows 10
IssueThe agent causes a BSOD crash due to a known bug in Windows 10 related to Windows versions prior to installing kb 4016871. Errors include the following:


This is during the processing of IOCTL_GET_DRIVER_STATUS call from the user mode agent.
CauseCorrelations include the use of attestation signing and the use of Windows 10 secure boot. The agent will randomly, with low probability, cause a BSOD crash on the endpoint.
ResolutionThe permanent fix to this issue was included as a code update into the NetWitness Endpoint agent version. Upgrading will prevent this BSOD from recurring.
WorkaroundNo workaround to prevent the BSOD from recurring other than performing the recommended upgrade of the endpoint agent.