Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

ImageX Bluescreen in NTFS with Vista Install.WIM...

OSR_Community_UserOSR_Community_User Member Posts: 110,217

I realize that this is not exactly ntdev list material, but the subject of ImageX has come up here before, and the official Microsoft support list for the WAIK seems to have disappeared.

I'm getting a blue screen due to an access violation caused (according to !analyze -v; see below) by NTFS when ImageX (and the WIM FS Filter) is used to mount and copy some the kernels and hals for the 5472-x86-CHK build of Vista:

MD C:\Mnt\5472-x86-CHK
IMAGEX /MOUNT Z:\Sources\Install.WIM 1 C:\Mnt\5472-x86-CHK

COPY C:\Mnt\5472-x86-CHK\Windows\System32\NTOSKRNL.EXE
COPY C:\Mnt\5472-x86-CHK\Windows\System32\NTKRNLPA.EXE
DIR C:\Mnt\5472-x86-CHK\Windows\System32\HAL*.DLL


COPY C:\Mnt\5472-x86-CHK\Windows\System32\HAL*.DLL

The really bizzare part is that it is always this step, and I have reproduced it on two machines.

Below is the !analyze -v trace. In included it only for completeness, because, all I'm looking for here is where anyone has heard of anything like this problem, and there is something simple (new version?) that can be done to remedy it; otherwise, I have no intention of debugging this one, as I'll just go back to installing, copying and removing to get checked images, instead of using ImageX.



* *
* Bugcheck Analysis *
* *

If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
Arg1: 001902fe
Arg2: f2a3e898
Arg3: f2a3e594
Arg4: f63fe4dd

Debugging Details:

EXCEPTION_RECORD: f2a3e898 -- (.exr fffffffff2a3e898)
ExceptionAddress: f63fe4dd (Ntfs!NtfsCleanupIrpContext+0x000000ac)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000014
Attempt to read from address 00000014

CONTEXT: f2a3e594 -- (.cxr fffffffff2a3e594)
eax=00000000 ebx=00000000 ecx=00180001 edx=f9d92290 esi=fa2a7728 edi=e0a6c9e6
eip=f63fe4dd esp=f2a3e960 ebp=f2a3e96c iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
f63fe4dd ff7014 push dword ptr [eax+14h] ds:0023:00000014=????????
Resetting default scope


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000014



LAST_CONTROL_TRANSFER: from f63fe6e6 to f63fe4dd

f2a3e96c f63fe6e6 fa2a7728 00000001 e2db1540 Ntfs!NtfsCleanupIrpContext+0xac
f2a3e984 f63ffbba fa2a7728 f9e51880 00000000 Ntfs!NtfsCompleteRequest+0x35
f2a3eb70 f63ffc97 fa2a7728 f9e51880 f9e51880 Ntfs!NtfsCommonWrite+0x2095
f2a3ebd4 e0a16df9 f9ee3020 f9e51880 facf3ed8 Ntfs!NtfsFsdWrite+0xf3
f2a3ebe4 f64a23ca 00000000 f9deb898 f2a3ec28 nt!IopfCallDriver+0x31
f2a3ebf4 e0a16df9 fa3ea688 e17fd3c8 f9e51880 sr!SrWrite+0xaa
f2a3ec04 f64b7e67 f9de7638 f9e51880 00000000 nt!IopfCallDriver+0x31
f2a3ec28 f64b800c f2a3ec48 f9e1f6a8 00000000 fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b
f2a3ec60 e0a16df9 f9e1f6a8 f9e51880 e08022d0 fltMgr!FltpDispatch+0x104
f2a3ec70 e0a9cb42 f9e51a34 00000000 f9e51880 nt!IopfCallDriver+0x31
f2a3ec84 e0a9a6b8 f9e1f6a8 f9e51880 fa27e8e8 nt!IopSynchronousServiceTail+0x60
f2a3ed38 e0a65808 00000078 00000000 00000000 nt!NtWriteFile+0x602
f2a3ed38 7c90eb94 00000078 00000000 00000000 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0013ea44 7c82fa88 00000078 00990000 00010000 0x7c90eb94
0013f128 7c82eec5 0013f624 0000007c 80000000 0x7c82fa88
0013f538 7c82f02b 0013f624 0013fa34 00000000 0x7c82eec5
0013f594 4ad075e7 0013f624 0013fa34 00000000 0x7c82f02b
0013fc40 4ad0777f 0015a8e8 001613b8 0015bc38 0x4ad075e7
0013fc60 4ad076cb 00159658 0013fe9c 4ad05aa2 0x4ad0777f
0013fc6c 4ad05aa2 0015bc38 00000000 0015bc38 0x4ad076cb
0013fe9c 4ad013eb 0015bc38 0015bc38 00000002 0x4ad05aa2
0013ffd0 e0a6cdfd 0013ffc8 f9e2d6c0 ffffffff 0x4ad013eb
0013ff44 4ad05164 00000003 000325d0 00032bc8 nt!ExFreePoolWithTag+0x417
0013ffd0 e0a6cdfd 0013ffc8 f9e2d6c0 ffffffff 0x4ad05164
0013fff0 00000000 4ad05056 00000000 78746341 nt!ExFreePoolWithTag+0x417

f63fe4dd ff7014 push dword ptr [eax+14h]


SYMBOL_NAME: Ntfs!NtfsCleanupIrpContext+ac



IMAGE_NAME: Ntfs.sys


STACK_COMMAND: .cxr 0xfffffffff2a3e594 ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCleanupIrpContext+ac

BUCKET_ID: 0x24_Ntfs!NtfsCleanupIrpContext+ac

Followup: MachineOwner
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 12 September 2022 Live, Online
Internals & Software Drivers 23 October 2022 Live, Online
Kernel Debugging 14 November 2022 Live, Online
Developing Minifilters 5 December 2022 Live, Online