【Frequent bsod issue】klwtp.sys often causes bsod at the last moment of shutdown when win11 restarts. The minidump file is as follows.

[fantab01]

Related information that may be useful:

First, I used Kaspersky for a long time before and never encountered this problem. Recently, the only software I changed on my computer is installing comfyui, which is an application that builds and use a local server（Connection port is 127.0.0.1:8000） for AI drawing. Before the application was installed, there was no bsod issue.

Second, only one of the crashes left a minidump file. The results of windbg analysis are as follows:

************* Preparing the environment for Debugger Extensions Gallery repositories **************
   ExtensionRepository : Implicit
   UseExperimentalFeatureForNugetShare : true
   AllowNugetExeUpdate : true
   NonInteractiveNuget : true
   AllowNugetMSCredentialProviderInstall : true
   AllowParallelInitializationOfLocalRepositories : true

   EnableRedirectToV8JsProvider : false

   -- Configuring repositories
      ----> Repository : LocalInstalled, Enabled: true
      ----> Repository : UserExtensions, Enabled: true

>>>>>>>>>>>>> Preparing the environment for Debugger Extensions Gallery repositories completed, duration 0.031 seconds

************* Waiting for Debugger Extensions Gallery to Initialize **************

>>>>>>>>>>>>> Waiting for Debugger Extensions Gallery to Initialize completed, duration 0.094 seconds
   ----> Repository : UserExtensions, Enabled: true, Packages count: 0
   ----> Repository : LocalInstalled, Enabled: true, Packages count: 29

Microsoft (R) Windows Debugger Version 10.0.26100.4188 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\01.抽屉\070825-6531-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 26100 MP (16 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Kernel base = 0xfffff803`a1200000 PsLoadedModuleList = 0xfffff803`a20f4b80
Debug session time: Tue Jul  8 04:10:08.667 2025 (UTC + 8:00)
System Uptime: 1 days 11:29:46.340
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.......................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`04f93018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.....................................
For analysis of this file, run !analyze -v
12: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: ffffdc013eb9d970, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80334abafbc, address which referenced memory

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for klwtp.sys

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1593

    Key  : Analysis.Elapsed.mSec
    Value: 3166

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 10

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 3374

    Key  : Analysis.Init.Elapsed.mSec
    Value: 23051

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 119

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0xd1

    Key  : Dump.Attributes.AsUlong
    Value: 21808

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0

    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 0

    Key  : Failure.Bucket
    Value: AV_fwpkclnt!FwpsFreeCloneNetBufferList0

    Key  : Failure.Hash
    Value: {c8d1af04-4ef8-f0ad-e7e1-bec4e1c2d131}

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 7417df84

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 0

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 1

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 1

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 1

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 55185662

    Key  : Hypervisor.Flags.ValueHex
    Value: 34a10fe

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.Value
    Value: 1015

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 3f7

BUGCHECK_CODE:  d1

BUGCHECK_P1: ffffdc013eb9d970

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80334abafbc

FILE_IN_CAB:  070825-6531-01.dmp

TAG_NOT_DEFINED_202b:  *** Unknown TAG in analysis list 202b

DUMP_FILE_ATTRIBUTES: 0x21808
  Kernel Generated Triage Dump

READ_ADDRESS: fffff803a21c44c0: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
 ffffdc013eb9d970 

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  avp.exe

TRAP_FRAME:  ffffca0c91a4eaf0 -- (.trap 0xffffca0c91a4eaf0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000002 rbx=0000000000000000 rcx=ffffdc013eb9d970
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80334abafbc rsp=ffffca0c91a4ec80 rbp=ffffca0c91a4ed00
 r8=fffff80334bc5198  r9=000000006e707746 r10=fffff80334abaf10
r11=ffffdc0fefd8a9e0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
ndis!NdisFreeCloneNetBufferList+0xac:
fffff803`34abafbc 0fb611          movzx   edx,byte ptr [rcx] ds:ffffdc01`3eb9d970=??
Resetting default scope

STACK_TEXT:  
ffffca0c`91a4e9a8 fffff803`a18b8be9     : 00000000`0000000a ffffdc01`3eb9d970 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffca0c`91a4e9b0 fffff803`a18b3ea8     : 00000000`00000000 00000000`00000000 fffff803`34b9f570 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffca0c`91a4eaf0 fffff803`34abafbc     : 00000000`00000000 ffffdc0f`d32fcbb0 ffffdc0f`f60c2b40 ffffaf7f`d7e3801a : nt!KiPageFault+0x468
ffffca0c`91a4ec80 fffff803`34d763a7     : ffffdc0f`f60c29c0 ffffdc0f`00000000 ffffdc0f`f60c29c0 ffffca0c`91a4ef50 : ndis!NdisFreeCloneNetBufferList+0xac
ffffca0c`91a4ed80 fffff803`3621a7fc     : badbadfa`badbadfa ffffdc0f`d423a260 00000000`00000000 00000000`00000000 : fwpkclnt!FwpsFreeCloneNetBufferList0+0x2a7
ffffca0c`91a4ee00 badbadfa`badbadfa     : ffffdc0f`d423a260 00000000`00000000 00000000`00000000 ffffdc0f`e13f1c40 : klwtp+0x1a7fc
ffffca0c`91a4ee08 ffffdc0f`d423a260     : 00000000`00000000 00000000`00000000 ffffdc0f`e13f1c40 fffff803`34d79175 : 0xbadbadfa`badbadfa
ffffca0c`91a4ee10 00000000`00000000     : 00000000`00000000 ffffdc0f`e13f1c40 fffff803`34d79175 ffffdc0f`f60c29c0 : 0xffffdc0f`d423a260

SYMBOL_NAME:  fwpkclnt!FwpsFreeCloneNetBufferList0+2a7

MODULE_NAME: fwpkclnt

IMAGE_NAME:  fwpkclnt.sys

IMAGE_VERSION:  10.0.26100.4484

STACK_COMMAND:  .cxr; .ecxr ; kb

BUCKET_ID_FUNC_OFFSET:  2a7

FAILURE_BUCKET_ID:  AV_fwpkclnt!FwpsFreeCloneNetBufferList0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {c8d1af04-4ef8-f0ad-e7e1-bec4e1c2d131}

Followup:     MachineOwner
---------

 

[Berny]

@fantab01 Welcome 

For BSODs caused by Kaspersky please contact Kaspersky Technical Support :

https://support.kaspersky.com/b2c/#contacts