Blue screens of death (BSODs) can be frustrating, especially when they occur repeatedly after logging in. In this technical deep-dive, I’ll analyze a particularly stubborn BSOD caused by HP Sure Click’s driver and explain the step-by-step troubleshooting process that led to its resolution.
The Symptoms
A Windows 11 system was consistently crashing with a blue screen error just minutes after user login. The system would reboot normally, allow login, and then crash again in an endless cycle – a classic sign of a problematic driver or system service.
Crash Dump Analysis
Using Windows Debugger (WinDbg), I analyzed the minidump file, which revealed the following critical information:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff80096f2908b, Address of the instruction which caused the BugCheck
Arg3: ffffac826e79e8d0, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.
The call stack showed:
nt!RtlEqualUnicodeString+0x2b
BrFilter_4_1_0_5714+0x128f2
This tells us several important things:
- The bugcheck code 0x3B (SYSTEM_SERVICE_EXCEPTION) indicates an exception occurred in kernel mode
- The exception code 0xC0000005 is an access violation – the driver attempted to access invalid memory
- The failure happened in nt!RtlEqualUnicodeString, a Windows kernel function for comparing Unicode strings
- A driver called BrFilter_4_1_0_5714.sys was involved in the call stack
Identifying the Culprit: BrFilter and HP Sure Click
The BrFilter_4_1_0_5714.sys driver is a filesystem minifilter that belongs to HP Sure Click, which is based on Bromium vSentry technology. This security software uses virtualization-based security to isolate potentially dangerous content.
Additional investigation revealed that this driver file dates back to June 27, 2018 (timestamp: Wed Jun 27 18:03:19 2018), which could indicate compatibility issues with newer Windows 11 builds.
Image path: BrFilter_4_1_0_5714.sys
Image name: BrFilter_4_1_0_5714.sys
Timestamp: Wed Jun 27 18:03:19 2018 (5B33B547)
Understanding the Technical Issue
The crash happens when the RtlEqualUnicodeString function attempts to compare two Unicode strings, but one of the strings contains an invalid memory address (likely a null pointer or out-of-bounds address). This is evident from the instruction that failed:
nt!RtlEqualUnicodeString+0x2b:
fffff800`96f2908b 663b02 cmp ax,word ptr [rdx]
The rdx register contains the value 000000000000011f, which is not a valid kernel-mode address. When the instruction tries to read from this memory location, it triggers an access violation.
The Incompatibility Problem
HP Sure Click’s filesystem filter driver is designed to monitor file operations for security purposes. The issue likely stems from one of these scenarios:
- The driver is not compatible with the specific Windows 11 build
- A Windows update changed kernel behavior that the older driver cannot handle
- The driver has a bug that’s triggered under specific circumstances
- Conflicts with other security software or system components
The Solution
After identifying HP Sure Click as the culprit, the solution was straightforward but definitive: uninstall HP Sure Click from the PC.
After removing this software, the system stopped experiencing blue screens and functioned normally. This confirms that the BrFilter driver was indeed causing the crashes.
Alternative Security Measures
If you’ve removed HP Sure Click due to these issues but still need robust security, consider these alternatives:
- Windows Security (built-in) – Significantly improved in recent years
- Microsoft Defender Application Guard – Also uses virtualization-based security
- Updated security software – Look for solutions compatible with your Windows version
How to Diagnose Similar Issues
If you’re experiencing similar BSODs, follow these steps:
- Collect minidump files – Located in %SystemRoot%\Minidump
- Use Windows Debugger (WinDbg) – Available through the Windows SDK
- Run !analyze -v – To get detailed crash information
- Identify the failing module – Look for third-party drivers in the call stack
- Research the module – Determine what software it belongs to
- Update or remove – The problematic software
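The triage steps above can be applied mechanically to saved `!analyze -v` text. The following is an added example, not the author's tooling: it extracts the bugcheck, the exception code, the register the faulting instruction dereferenced, and the first non-OS module on the stack, using an abridged copy of the output quoted in this article. The `OS_MODULES` allow-list and the 48-bit x64 address split are assumptions.

```python
import re

# Abridged from the `!analyze -v` output quoted in this article.
ANALYZE_OUTPUT = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the BugCheck
rax=0000000000000010 rbx=fffff80032db9b10 rcx=0000000000000000
rdx=000000000000011f rsi=ffffe38bf02f30f8 rdi=ffffe38bf02f3150
nt!RtlEqualUnicodeString+0x2b:
fffff800`96f2908b 663b02 cmp ax,word ptr [rdx] ds:002b:00000000`0000011f=????
STACK_TEXT:
ffffac82`6e79f320 fffff800`32da28f2 : 00000000`00000001 ffffac82`6e79f380 ffffe38b`f02f30f8 ffffe38b`f02f3150 : nt!RtlEqualUnicodeString+0x2b
ffffac82`6e79f350 00000000`00000001 : ffffac82`6e79f380 ffffe38b`f02f30f8 ffffe38b`f02f3150 ffffe38b`d36e8eb0 : BrFilter_4_1_0_5714+0x128f2
ffffac82`6e79f358 ffffac82`6e79f380 : ffffe38b`f02f30f8 ffffe38b`f02f3150 ffffe38b`d36e8eb0 ffffac82`6e79f4b0 : 0x1
"""

KERNEL_START = 0xFFFF800000000000  # assumption: 48-bit x64, start of the kernel half
OS_MODULES = {"nt", "hal", "fltmgr", "ntfs"}  # assumption: in-box modules to skip

def classify_address(addr):
    """Say what kind of pointer a faulting address looks like."""
    if addr < 0x1000:
        return "near-null"  # first page: typically a NULL base plus a small offset
    if addr >= KERNEL_START:
        return "kernel"
    return "user" if addr < 0x0000800000000000 else "non-canonical"

def triage(text):
    """Pull the facts used in this article out of `!analyze -v` text."""
    name, code = re.search(r"^(\w+) \(([0-9a-f]+)\)", text, re.M).groups()
    exc = re.search(r"^Arg1: ([0-9a-f]{16})", text, re.M)
    regs = {m[1]: int(m[2], 16) for m in re.finditer(r"\b(r\w{1,2})=([0-9a-f]{16})\b", text)}
    operand = re.search(r"ptr \[(\w+)\]", text)  # register being dereferenced
    sites = re.findall(r"^[0-9a-f`]{17} [0-9a-f`]{17} : .+ : (\S+)$", text, re.M)
    # Call sites shown as bare 0x... values are stack contents, not real frames.
    modules = [re.split(r"[!+]", s)[0] for s in sites if not s.startswith("0x")]
    suspects = [m for m in modules if m.lower() not in OS_MODULES]
    reg = operand[1] if operand else None
    return {
        "bugcheck": (name, int(code, 16)),
        "exception": int(exc[1], 16) if exc else None,
        "fault_register": reg,
        "fault_address_kind": classify_address(regs[reg]) if reg in regs else None,
        "suspect_module": suspects[0] if suspects else None,
    }

if __name__ == "__main__":
    print(triage(ANALYZE_OUTPUT))
```

A "near-null" result with a third-party module directly below the OS routine, as here, points at the caller having passed a bad pointer rather than at a fault in the OS routine itself.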
This case highlights the importance of driver compatibility in maintaining system stability. Even security software designed to protect your system can sometimes cause problems, especially when using older drivers with newer operating systems.
If you experience recurring blue screens, don’t hesitate to analyze the crash dumps – they often contain the precise information needed to identify and resolve the issue.
Full Bugcheck Analysis
For reference, here is the full bugcheck analysis:
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff80096f2908b, Address of the instruction which caused the BugCheck
Arg3: ffffac826e79e8d0, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 1171

    Key  : Analysis.Elapsed.mSec
    Value: 1179

    Key  : Analysis.IO.Other.Mb
    Value: 0

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 0

    Key  : Analysis.Init.CPU.mSec
    Value: 500

    Key  : Analysis.Init.Elapsed.mSec
    Value: 4508

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 89

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27793.1000

    Key  : Analysis.Version.Description
    Value: 10.2410.02.02 arm64fre

    Key  : Analysis.Version.Ext
    Value: 1.2410.2.2

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x3b

    Key  : Bugcheck.Code.TargetModel
    Value: 0x3b

    Key  : Dump.Attributes.AsUlong
    Value: 0x21008

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0x0

    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 0

    Key  : Failure.Bucket
    Value: AV_BrFilter_4_1_0_5714!unknown_function

    Key  : Failure.Exception.IP.Address
    Value: 0xfffff80096f2908b

    Key  : Failure.Exception.IP.Module
    Value: nt

    Key  : Failure.Exception.IP.Offset
    Value: 0x92908b

    Key  : Failure.Hash
    Value: {c9691ecc-92c1-61cb-dc96-873dbcf3d077}

BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff80096f2908b
BUGCHECK_P3: ffffac826e79e8d0
BUGCHECK_P4: 0

FILE_IN_CAB: 050125-10703-01.dmp

DUMP_FILE_ATTRIBUTES: 0x21008
  Kernel Generated Triage Dump

FAULTING_THREAD: ffffe38bf0ba1080

CONTEXT: ffffac826e79e8d0 -- (.cxr 0xffffac826e79e8d0)
rax=0000000000000010 rbx=fffff80032db9b10 rcx=0000000000000000
rdx=000000000000011f rsi=ffffe38bf02f30f8 rdi=ffffe38bf02f3150
rip=fffff80096f2908b rsp=ffffac826e79f320 rbp=ffffac826e79f380
r8=0000000000000001 r9=0000000000000003 r10=fffff800968c9e30
r11=ffff980b3c4be3f0 r12=ffffac826e79f428 r13=ffffe38bd3d1c010
r14=ffffcf829ad80004 r15=ffffac826e79f4b0
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050286
nt!RtlEqualUnicodeString+0x2b:
fffff800`96f2908b 663b02 cmp ax,word ptr [rdx] ds:002b:00000000`0000011f=????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: Microsoft.Shar

STACK_TEXT:
ffffac82`6e79f320 fffff800`32da28f2 : 00000000`00000001 ffffac82`6e79f380 ffffe38b`f02f30f8 ffffe38b`f02f3150 : nt!RtlEqualUnicodeString+0x2b
ffffac82`6e79f350 00000000`00000001 : ffffac82`6e79f380 ffffe38b`f02f30f8 ffffe38b`f02f3150 ffffe38b`d36e8eb0 : BrFilter_4_1_0_5714+0x128f2
ffffac82`6e79f358 ffffac82`6e79f380 : ffffe38b`f02f30f8 ffffe38b`f02f3150 ffffe38b`d36e8eb0 ffffac82`6e79f4b0 : 0x1
ffffac82`6e79f360 ffffe38b`f02f30f8 : ffffe38b`f02f3150 ffffe38b`d36e8eb0 ffffac82`6e79f4b0 ffffe38b`f78b1b50 : 0xffffac82`6e79f380
ffffac82`6e79f368 ffffe38b`f02f3150 : ffffe38b`d36e8eb0 ffffac82`6e79f4b0 ffffe38b`f78b1b50 ffffe38b`e79689e0 : 0xffffe38b`f02f30f8
ffffac82`6e79f370 ffffe38b`d36e8eb0 : ffffac82`6e79f4b0 ffffe38b`f78b1b50 ffffe38b`e79689e0 00000000`00000000 : 0xffffe38b`f02f3150
ffffac82`6e79f378 ffffac82`6e79f4b0 : ffffe38b`f78b1b50 ffffe38b`e79689e0 00000000`00000000 ffffe38b`f02f30f8 : 0xffffe38b`d36e8eb0
ffffac82`6e79f380 ffffe38b`f78b1b50 : ffffe38b`e79689e0 00000000`00000000 ffffe38b`f02f30f8 ffffac82`6e79f4b0 : 0xffffac82`6e79f4b0
ffffac82`6e79f388 ffffe38b`e79689e0 : 00000000`00000000 ffffe38b`f02f30f8 ffffac82`6e79f4b0 fffff800`281b80a9 : 0xffffe38b`f78b1b50
ffffac82`6e79f390 00000000`00000000 : ffffe38b`f02f30f8 ffffac82`6e79f4b0 fffff800`281b80a9 ffffe38b`f14a4170 : 0xffffe38b`e79689e0

SYMBOL_NAME: BrFilter_4_1_0_5714+128f2

MODULE_NAME: BrFilter_4_1_0_5714

IMAGE_NAME: BrFilter_4_1_0_5714.sys

STACK_COMMAND: .cxr 0xffffac826e79e8d0 ; kb

BUCKET_ID_FUNC_OFFSET: 128f2

FAILURE_BUCKET_ID: AV_BrFilter_4_1_0_5714!unknown_function

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {c9691ecc-92c1-61cb-dc96-873dbcf3d077}

Followup: MachineOwner
---------