Hi all,
we received a couple of crashes like the following from one of our customers:
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffff88007d10038, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff88001627ec0, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 7601.23915.amd64fre.win7sp1_ldr.170913-0600
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 09/21/2015
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 0
BUGCHECK_P1: fffff88007d10038
BUGCHECK_P2: 0
BUGCHECK_P3: fffff88001627ec0
BUGCHECK_P4: 0
READ_ADDRESS: fffff88007d10038
FAULTING_IP:
Ntfs!memcpy+250
fffff880`01627ec0 488b440af8 mov rax,qword ptr [rdx+rcx-8]
MM_INTERNAL_CODE: 0
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 59e5328e
MODULE_NAME: Ntfs
FAULTING_MODULE: fffff88001619000 Ntfs
CPU_COUNT: 4
CPU_MHZ: 898
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 2d
CPU_STEPPING: 7
CPU_MICROCODE: 6,2d,7,0 (F,M,S,R) SIG: 710`00000000 (cache) 710`00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: VM-DGDEV
ANALYSIS_SESSION_TIME: 03-25-2018 16:02:52.0602
ANALYSIS_VERSION: 10.0.14321.1024 x86fre
TRAP_FRAME: fffff88001fdc280 -- (.trap 0xfffff88001fdc280)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff88007d0f040 rbx=0000000000000000 rcx=fffffa80070db800
rdx=fffffe0000c34840 rsi=0000000000000000 rdi=0000000000000000
rip=fffff88001627ec0 rsp=fffff88001fdc418 rbp=0000000000000800
r8=0000000000000800 r9=0000000000000040 r10=0000000000000000
r11=fffffa80070db000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
Ntfs!memcpy+0x250:
fffff880`01627ec0 488b440af8 mov rax,qword ptr [rdx+rcx-8] ds:fffff880`07d10038=???
Resetting default scope
BAD_STACK_POINTER: fffff88001fdc118
LAST_CONTROL_TRANSFER: from fffff8000194770e to fffff800018cae00
STACK_TEXT:
fffff880`01fdc118 fffff800`0194770e : 00000000`00000050 fffff880`07d10038 00000000`00000000 fffff880`01fdc280 : nt!KeBugCheckEx
fffff880`01fdc120 fffff800`018c8f2e : 00000000`00000000 fffff880`07d10038 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x3bdaf
fffff880`01fdc280 fffff880`01627ec0 : fffff880`01648810 fffffa80`07b43cc0 fffff880`00000000 00000000`00000001 : nt!KiPageFault+0x16e
fffff880`01fdc418 fffff880`01648810 : fffffa80`07b43cc0 fffff880`00000000 00000000`00000001 00000000`00000800 : Ntfs!memcpy+0x250
fffff880`01fdc420 fffff880`016494d5 : fffff880`01fdc780 fffff880`01fdc5b8 00000000`00000000 fffffa80`0e8fa010 : Ntfs!NtfsCopyFromMdl+0x18d
fffff880`01fdc500 fffff880`01622ef5 : fffff8a0`192bd820 fffffa80`0e8fa000 00000000`00000000 00000000`00010000 : Ntfs!NtfsPrepareSparseWriteBuffer+0x85
fffff880`01fdc550 fffff880`0162d8a9 : fffffa80`076d6e40 fffffa80`0e8fa010 fffff8a0`192bd820 00000000`00020000 : Ntfs!NtfsPrepareComplexBuffers+0x295
fffff880`01fdc6b0 fffff880`0162cdf0 : fffff8a0`192bd820 00000000`00000000 fffff880`01fdc7d0 00000000`0001f800 : Ntfs!NtfsPrepareBuffers+0x179
fffff880`01fdc730 fffff880`01630f13 : fffffa80`076d6e40 fffffa80`0e8fa010 00000000`00000000 fffff880`016a5b00 : Ntfs!NtfsNonCachedIo+0x310
fffff880`01fdc8f0 fffff880`0161c25b : fffffa80`076d6e40 fffffa80`0e8fa010 fffff8a0`c0000000 fffffa80`00001000 : Ntfs!NtfsCommonWrite+0x2f64
fffff880`01fdcaa0 fffff800`018d5085 : 00000000`00000000 fffff880`05f3f300 00000000`00000000 fffffa80`00000000 : Ntfs!NtfsFspDispatch+0x28b
fffff880`01fdcb70 fffff800`01b65622 : 00000000`00000000 fffffa80`06d1e040 00000000`00000080 fffffa80`06cae970 : nt!ExpWorkerThread+0x111
fffff880`01fdcc00 fffff800`018bcda6 : fffff880`01ee1180 fffffa80`06d1e040 fffffa80`06d1f660 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`01fdcc40 00000000`00000000 : fffff880`01fdd000 fffff880`01fd7000 fffff880`01fdc440 00000000`00000000 : nt!KiStartSystemThread+0x16
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: f38074d07ad66b3f9e2d5388223fbbf4ddbaa89e
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 7c81de6a78e22f1151cfac9128d2288523a00810
THREAD_SHA1_HASH_MOD: e6d638e2379ef50d39ad6a7d17a2cb0ca1708701
FOLLOWUP_IP:
Ntfs!memcpy+250
fffff880`01627ec0 488b440af8 mov rax,qword ptr [rdx+rcx-8]
FAULT_INSTR_CODE: a448b48
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: Ntfs!memcpy+250
FOLLOWUP_NAME: MachineOwner
IMAGE_VERSION: 6.1.7601.23932
FAILURE_BUCKET_ID: X64_0x50_STACKPTR_ERROR_Ntfs!memcpy+250
BUCKET_ID: X64_0x50_STACKPTR_ERROR_Ntfs!memcpy+250
PRIMARY_PROBLEM_CLASS: X64_0x50_STACKPTR_ERROR_Ntfs!memcpy+250
TARGET_TIME: 2018-03-13T06:23:16.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 Server (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-09-13 16:55:13
BUILDDATESTAMP_STR: 170913-0600
BUILDLAB_STR: win7sp1_ldr
BUILDOSVER_STR: 6.1.7601.23915.amd64fre.win7sp1_ldr.170913-0600
ANALYSIS_SESSION_ELAPSED_TIME: d39
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0x50_stackptr_error_ntfs!memcpy+250
FAILURE_ID_HASH: {3cb1e7b2-ecc5-5c98-88a7-ac9f807c58ae}
Followup: MachineOwner
Our minifilter is not in the call stack but active at the time of the crash. It tries to write data to a sparse file using FltWriteFile. From looking at our application logs it is very likely that all observed crashes are caused by the same file.
Question:
Is there an easy way to figure out the file object that the system thread tries to write? This would help finding out what files trigger the issue.
Thanks,
Lars
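One way to get at the file object from this dump, added here as a worked example; it is not part of Lars's post and not an answer taken from the thread. It uses only addresses that appear in the pasted output. Which of those addresses is the IRP and which is the NTFS IrpContext is an assumption, and the `!pool` step exists to confirm or reject it before anything is read through it.

```windbg
$$ Added example: locate the FILE_OBJECT behind the Ntfs!NtfsCommonWrite frame.
$$ Addresses are taken from the STACK_TEXT / trap frame above; everything else is an assumption.

$$ 1. Load the trap frame so the registers are the ones at the faulting instruction.
kd> .trap 0xfffff88001fdc280

$$    Consistency check: the faulting instruction reads [rdx+rcx-8]. With the trap-frame
$$    registers that is fffff880`07d10038 after 64-bit wraparound, i.e. exactly Arg1 of the
$$    bugcheck, so the registers shown really belong to this fault.
kd> ? fffffe0000c34840 + fffffa80070db800 - 8

$$ 2. Re-walk the stack and move to the NtfsFspDispatch frame (frame 10 in the STACK_TEXT
$$    above; check the index against your own kb output, it can differ after .trap).
kd> kb
kd> .frame /r 0n10

$$ 3. fffffa80`0e8fa010 and fffffa80`076d6e40 recur as arguments through every Ntfs frame.
$$    Assumption: one is the IRP, the other the NTFS IrpContext. Verify via the pool tag
$$    before trusting either (pooltag.txt: "Irp " = I/O manager IRP, "NtfI" = NTFS IrpContext).
kd> !pool fffffa800e8fa010 2
kd> !pool fffffa80076d6e40 2

$$ 4. For the address whose block is tagged "Irp ", dump the IRP with all stack locations;
$$    the File Object column of the IRP_MJ_WRITE location is the file being written.
kd> !irp fffffa800e8fa010 1

$$ 5. Resolve the file object to its name and the device (volume) it lives on.
kd> !fileobj <FileObject address from the !irp output>
$$    Equivalent with plain type dumps if !fileobj is not available:
kd> dt nt!_FILE_OBJECT <FileObject address> FileName DeviceObject Flags

$$ 6. If neither candidate checks out, scan the worker thread's stack for pool blocks
$$    (the frames above lie between fffff880`01fdc418 and fffff880`01fdcc40) and look
$$    for "Irp " or "File" tags on any fffffa80`xxxxxxxx value in the listing.
kd> dps fffff88001fdc418 fffff88001fdcc40
kd> !pool <candidate fffffa80`xxxxxxxx value> 2
```

The arithmetic in step 1 is worth doing on every 0x50: here it also shows that the bad address is 0x38 bytes past the page boundary at fffff880`07d10000, so memcpy read off the end of a page-granular mapping in the fffff880 range (the same range in which this dump has Ntfs loaded at fffff880`01619000 and in which MDL system mappings are normally placed), which fits a caller named Ntfs!NtfsCopyFromMdl. The `!irp` output in step 4 also prints the write's length and MDL, so the requested length can be compared with what the MDL actually maps once the file is known.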