Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Blue screen of death on ntfs.sys

Status
Not open for further replies.

Pipeops

MIS
Apr 28, 2008
77
US
All,

We are expeiencing a blue screen of death for the following module. After analyzing the stacktrace, minidump file, updating ntfs.sys file, we are still experiencing this every 2nd day or so.

Application logs and System logs do not show anything useful.

Can someone take a look and see what applications are actually causing the BSOD as I am not able to do that due to a lack of commands.

Also, How can I tell what else could be an issue here.


I appreciate everyones help!

Debugging Details:
------------------


EXCEPTION_RECORD: 9b8ad30c -- (.exr 0xffffffff9b8ad30c)
ExceptionAddress: 804e1d87 (nt!CcSetDirtyPinnedData+0x0000000f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 003a003d
Attempt to read from address 003a003d

CONTEXT: 9b8ad008 -- (.cxr 0xffffffff9b8ad008)
eax=003a003d ebx=e101cb18 ecx=c2ee0009 edx=00000000 esi=e999ad68 edi=e612b460
eip=804e1d87 esp=9b8ad3d4 ebp=9b8ad3e8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!CcSetDirtyPinnedData+0xf:
804e1d87 668138fa02 cmp word ptr [eax],2FAh ds:0023:003a003d=????
Resetting default scope

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 003a003d

READ_ADDRESS: 003a003d

FOLLOWUP_IP:
Ntfs!LfsFlushLfcb+3d6
b7d7bfbd ff7658 push dword ptr [esi+58h]

FAULTING_IP:
nt!CcSetDirtyPinnedData+f
804e1d87 668138fa02 cmp word ptr [eax],2FAh

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: STRING_DEREFERENCE

LAST_CONTROL_TRANSFER: from b7d7bfbd to 804e1d87

STACK_TEXT:
9b8ad3e8 b7d7bfbd 003a003d 00000000 e101cbf0 nt!CcSetDirtyPinnedData+0xf
9b8ad4a8 b7d7c089 e101cb18 ea616800 e101cb18 Ntfs!LfsFlushLfcb+0x3d6
9b8ad4cc b7d863db e101cb18 ea616800 e165f558 Ntfs!LfsFlushLbcb+0x81
9b8ad4f4 b7d7ac60 e101cb18 e41a6b1c 00000014 Ntfs!LfsFlushToLsnPriv+0xf3
9b8ad534 b7d66744 e165f558 e41a6b1c 00000014 Ntfs!LfsFlushToLsn+0x8e
9b8ad71c b7d5bc18 9b8ad72c 88130e28 0110070a Ntfs!NtfsCommonWrite+0x18f1
9b8ad890 804ef19f 8aec3770 88130e28 88130e28 Ntfs!NtfsFsdWrite+0xf3
9b8ad8a0 b7e1409e 8aec4e88 8aebc168 88130e28 nt!IopfCallDriver+0x31
9b8ad8cc 804ef19f 8aec5860 88130e28 8a5226f0 fltMgr!FltpDispatch+0x152
9b8ad8dc b7dfe3ca 00000000 88c37658 9b8ad920 nt!IopfCallDriver+0x31
9b8ad8ec 804ef19f 8aec4dd0 88130e28 88130e28 sr!SrWrite+0xaa
9b8ad8fc b7e13e9b 89c8bb68 88130e28 89c0b3d0 nt!IopfCallDriver+0x31
9b8ad920 b7e1406b 9b8ad940 89c8bb68 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
9b8ad958 804ef19f 89c8bb68 88130e28 00000000 fltMgr!FltpDispatch+0x11f
9b8ad968 804f04e9 9b8ad9a4 883b5590 883b5560 nt!IopfCallDriver+0x31
9b8ad97c 8050f0a2 88d2d70a 9b8ad9a4 9b8ada44 nt!IoSynchronousPageWrite+0xaf
9b8ada64 8050fac4 e7b55008 e7b55048 e7b55048 nt!MiFlushSectionInternal+0x3f8
9b8adaa0 804e4554 883b5590 00000000 00008000 nt!MmFlushSection+0x1f2
9b8adb28 b7d9a1f3 00008000 00000000 00000000 nt!CcFlushCache+0x3a0
9b8adb54 b7d99f45 88266d28 e7c48928 00000000 Ntfs!NtfsFlushUserStream+0x6c
9b8adbc4 b7d9a160 88266d28 8814d008 8aec5860 Ntfs!NtfsCommonFlushBuffers+0x12a
9b8adc28 804ef19f 8aec3770 8814d008 8814d008 Ntfs!NtfsFsdFlushBuffers+0x92
9b8adc38 b7e1409e 89c0b3d0 8aebc168 89c8bb68 nt!IopfCallDriver+0x31
9b8adc64 804ef19f 8aec5860 8814d008 8a5226f0 fltMgr!FltpDispatch+0x152
9b8adc74 b7dfe459 9b8adcb8 804ef19f 8aec4dd0 nt!IopfCallDriver+0x31
9b8adc7c 804ef19f 8aec4dd0 8814d008 8814d008 sr!SrPassThrough+0x31
9b8adc8c b7e1409e 8814d008 8aebc168 881e5f90 nt!IopfCallDriver+0x31
9b8adcb8 804ef19f 89c8bb68 8814d008 806e6410 fltMgr!FltpDispatch+0x152
9b8adcc8 8057f982 881e5f90 8814d008 00000000 nt!IopfCallDriver+0x31
9b8adcdc 80576eb1 89c8bb68 8814d008 881e5f90 nt!IopSynchronousServiceTail+0x70
9b8add54 8054164c 00000278 0195fc18 0195fc20 nt!NtFlushBuffersFile+0x1b9
9b8add54 7c90e514 00000278 0195fc18 0195fc20 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0195fc20 00000000 00000000 00000000 00000000 0x7c90e514


SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: Ntfs!LfsFlushLfcb+3d6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025be5

STACK_COMMAND: .cxr 0xffffffff9b8ad008 ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!LfsFlushLfcb+3d6

BUCKET_ID: 0x24_Ntfs!LfsFlushLfcb+3d6

Followup: MachineOwner
---------


 
The basics first:
Run a memory test (I use Windows memory diagnostic test) first and then the manufacturer's hard drive test. Both are available on this CD if you download it and burn it. It makes a bootable CD (free).

NOT the yellow box at the top - further down the page.

If one of those fails - address the problem.

If both those tests pass, try a malware scan with MalwareByte's anti-malware. Don't skip the first two tests though.

It's the first link if you google mbam-setup.exe
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top