How a Faulty Windows Driver Can Cause a System Crash and Blue Screen of Death


A recent analysis of a Windows kernel-memory dump revealed a DRIVER_POWER_STATE_FAILURE, leading to a critical system error known as the Blue Screen of Death (BSOD).

The error, identified by bugcheck code 0x9F, was linked to the rassstp.sys driver, which is integral to handling Secure Socket Tunneling Protocol (SSTP) VPN connections. This malfunctioning driver caused a system-wide deadlock, culminating in an OS crash.

Technical Analysis

The debugging process involved examining the system state at the time of the crash using the !analyze -v command in the Windows Debugger. The command reported DRIVER_POWER_STATE_FAILURE, which indicates that a driver failed to respond to a power-related I/O Request Packet (IRP) within the 300-second timeout period.

The analysis showed the timeout occurred while the system awaited synchronization with the Plug and Play (PnP) subsystem. The PnP manager manages hardware and drivers, and the third argument in the bugcheck pointed to the specific thread holding the PnP lock, obstructing other system processes.
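
The argument block described above can be decoded mechanically when triaging many dumps. The following is an added example, not code from the original analysis: the header text and addresses in SAMPLE are constructed, the function name triage_9f is hypothetical, and the argument meanings follow Microsoft's documented layout for bug check 0x9F when its first argument is 0x4.

```python
import re

# Constructed sample of the header block that `!analyze -v` prints for this
# bug check; the addresses are made up, 0x12c is the 300-second timeout.
SAMPLE = """\
DRIVER_POWER_STATE_FAILURE (9f)
A driver has failed to complete a power IRP within a specific time.
Arguments:
Arg1: 0000000000000004, The power transition timed out waiting to synchronize with the Pnp
    subsystem.
Arg2: 000000000000012c, Timeout in seconds.
Arg3: ffffb00f12345040, The thread currently holding on to the Pnp lock.
Arg4: fffff80312345678, nt!TRIAGE_9F_PNP on Win7 and higher
"""

# Only the two Arg1 values relevant here; other values are reported generically.
ARG1 = {
    0x3: "a device object has been blocking an IRP for too long",
    0x4: "power transition timed out waiting to synchronize with PnP",
}

def triage_9f(text):
    """Decode a 0x9F header into the fields an analyst acts on first."""
    m = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    if not m or int(m.group(2), 16) != 0x9F:
        raise ValueError("not a DRIVER_POWER_STATE_FAILURE (0x9F) header")
    # Tolerate the backtick WinDbg sometimes inserts into 64-bit values.
    args = {int(n): int(v.replace("`", ""), 16)
            for n, v in re.findall(r"^Arg([1-4]):\s*([0-9a-fA-F`]+)", text, re.M)}
    if set(args) != {1, 2, 3, 4}:
        raise ValueError("expected Arg1..Arg4")
    out = {"name": m.group(1), "arg1": args[1],
           "meaning": ARG1.get(args[1], "other 0x9F subtype")}
    if args[1] == 0x4:
        # PnP-synchronization case: Arg2 is the timeout, Arg3 the lock holder.
        out["timeout_s"] = args[2]
        out["lock_holder_thread"] = f"{args[3]:016x}"
        # Next step: inspect that thread's stack to see what it is waiting on.
        out["next_command"] = f"!thread {args[3]:016x}"
    return out

if __name__ == "__main__":
    for key, value in triage_9f(SAMPLE).items():
        print(f"{key}: {value}")
```
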

Identifying the Root Cause

Further investigation revealed that a PnP device event worker, operating within the System process, was processing a “surprise removal” of the WAN Miniport (SSTP) network adapter. The worker thread acquired an exclusive lock on the PnP engine (PiEngineLock) to ensure uninterrupted device removal.

However, the process was stalled when the rassstp.sys driver failed to complete its operation, leaving the worker thread in a waiting state and holding the critical PiEngineLock for the entire timeout duration. This affected other system operations requiring access to the PnP subsystem, blocking three other threads.

Notably, one of these threads was part of wininit.exe, a core Windows process for system startup and shutdown. This thread needed the PiEngineLock to notify devices of an impending power change, but the stalled PnP worker already held the lock, halting the shutdown process. The system was thus forced to initiate a bugcheck to prevent further instability.
