Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

BSOD PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc) happens after volume gets dismounted(Minifilter)

Pooja_Bansal (Member, Posts: 44)

Hi,

I am working on an encryption-based minifilter driver. I have a cluster environment with 2 machines, and a stress script is running to bring cluster nodes down simultaneously so as to move the cluster disk from one node to another and vice versa.
My encryption driver is installed on both machines. As one node goes down, my minifilter driver's Instance TeardownStart/TeardownComplete and Instance Cleanup callbacks get called in response to the volume dismount. After a random number of iterations, the bugcheck happens.

I have checked that this issue happens after the volume FLT_VOLUME: ffffcf807f1787f0 "\Device\HarddiskVolume64" has been dismounted.

Can anyone help me understand the root cause?

Thanks a lot for any suggestions!

Comments

  • Pooja_Bansal (Member, Posts: 44)

    PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
    Memory was referenced after it was freed.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: ffffcf8080a90be0, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

  • Pooja_Bansal (Member, Posts: 44)

    0: kd> !fltkd.volumes

    Volume List: ffffcf80702629b0 "Frame 0"
    FLT_VOLUME: ffffcf80702aa800 "\Device\Mup"
    FLT_INSTANCE: ffffcf8076bbc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80702f8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807364ed90 "CCFFilter" "261160"
    FLT_INSTANCE: ffffcf80702606c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf807038a7f0 "\Device\HarddiskVolume2"
    FLT_INSTANCE: ffffcf807193cc30 "CsvNSFlt Instance" "404900"
    FLT_INSTANCE: ffffcf807f12c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070876c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf80709fe6c0 "Sfntpffd Instance" "144200"
    FLT_INSTANCE: ffffcf80719984c0 "luafv" "135000"
    FLT_VOLUME: ffffcf807073e7f0 "\Device\HarddiskVolume3"
    FLT_INSTANCE: ffffcf807f13a6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80707c2c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807077e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80707bc7f0 "\Device\NamedPipe"
    FLT_INSTANCE: ffffcf807076cd30 "npsvctrig" "46000"
    FLT_VOLUME: ffffcf807070a7f0 "\Device\Mailslot"
    FLT_VOLUME: ffffcf80707d47f0 "\Device\HarddiskVolume4"
    FLT_INSTANCE: ffffcf807cbcc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807066e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80706787f0 "\Device\HarddiskVolume5"
    FLT_INSTANCE: ffffcf807f1386a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a306c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070b9a7f0 "\Device\HarddiskVolume1"
    FLT_INSTANCE: ffffcf807e92c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070be8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b466c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070ae67f0 "\Device\HarddiskVolume6"
    FLT_INSTANCE: ffffcf807e84e6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a48c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070a246c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070a4e7f0 "\Device\HarddiskVolume7"
    FLT_INSTANCE: ffffcf807deb26a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070aeec30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b5c6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf808068e7f0 "\Device\HarddiskVolume61"
    FLT_INSTANCE: ffffcf80806e06a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807e29ac30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8081748b40 "ResumeKeyFilter" "202000"
    FLT_INSTANCE: ffffcf80816a26c0 "Sfntpffd Instance" "144200"
    ** FLT_VOLUME: ffffcf807f1787f0 "\Device\HarddiskVolume64"**

  • rod_widdowson (Member, Posts: 1,017)

    So, what does !verifier say? In particular, !verifier 80 ffffcf8080a90be0. A stack might be helpful too.

  • Pooja_Bansal (Member, Posts: 44)

    STACK_TEXT:
    nt!DbgBreakPointWithStatus
    nt!KiBugCheckDebugBreak+0x12
    nt!KeBugCheck2+0x8a2
    nt!KeBugCheckEx+0x104
    nt!MiSystemFault+0x1048
    nt!MmAccessFault+0x219
    nt!KiPageFault+0x317
    nt!FsRtlLookupReservedPerFileContext
    nt!FsRtlRemoveReservedPerFileContext+0xe
    fltmgr!FltpDeleteAllFileListCtrls+0x9e98
    fltmgr!FltpFreeVolume+0xdf
    fltmgr!FltpCleanupDeviceObject+0x6b
    fltmgr!FltpFastIoDetachDeviceWorker+0x15
    nt!ExpWorkerThread+0x69f
    nt!PspSystemThreadStartup+0x18a
    nt!KiStartSystemThread+0x16

  • Pooja_Bansal (Member, Posts: 44)

    Thanks for responding!
    I am posting the !verifier 80 information from a similar crash, and it points to my encryption driver in the stack.
    But I still cannot relate how this is directly linked to my crash.

    !verifier 80 ffffcf8070f7cbe0

    Log of recent kernel pool Allocate and Free operations:

    There are up to 0x10000 entries in the log.

    Parsing 0x0000000000010000 log entries, searching for address 0xffffcf8070f7cbe0.

    ======================================================================
    Pool block ffffcf8070f7cb40, Size 00000000000004c0, Thread ffffe000a072e880
    fffff80376486bf2 nt!VfFreePoolNotification+0x4a
    fffff8037609f0b2 nt!ExFreePoolWithTag+0xb2
    fffff80376478130 nt!VerifierExFreePoolWithTag+0x44
    fffff800b04ac7fd Encryption!ExFreeToNPagedLookasideList+0x5d
    fffff800b04c046f Encryption!PfmDerefenceFcb+0x3cf
    fffff800b04b8de4 Encryption!PfmCloseCallback+0x414
    fffff800b0250d31 fltmgr!FltvPreOperation+0xf5
    fffff800b02020ba fltmgr!FltpPerformPreCallbacks+0x31a
    fffff800b0202d0c fltmgr!FltpPassThroughInternal+0x8c
    fffff800b0201934 fltmgr!FltpPassThrough+0x2b5
    fffff800b02010aa fltmgr!FltpDispatch+0x9a
    fffff80376476911 nt!IovCallDriver+0x3cd
    fffff803761adabc nt!IopDeleteFile+0x128

    Finished parsing all pool tracking information.

  • rod_widdowson (Member, Posts: 1,017)

    Mismatched FltGet***Context/FltReleaseContext. !verifier is your friend.

  • Pooja_Bansal (Member, Posts: 44)

    Hi Rod,

    Can you please elaborate on "Mismatched FltGet***Context/FltReleaseContext"
    in this particular context?

    Thanks a lot!
    Pooja

  • rod_widdowson (Member, Posts: 1,017)

    Well, I would guess from the stack that the crash happens when the filter manager tries to disconnect the contexts from the file objects as a result of a dismount. It has gone through the contexts it has and has tried to dereference each one. Only it has tripped over some memory that you have already freed. This could either be a Filter Manager context, or it could be something you have thrown into FileObject->FsContext (somewhere in the FSRTL_ADVANCED_FCB_HEADER), or it could be both - I have no idea of your architecture. The address might give you a clue, as might the code at the point of failure.

    You obviously have a referenced structure, and it equally obviously is being freed before everything is done with it - so you are probably either missing a reference/dereference pair, or you have a dereference which is missing its matching reference.

    The Get/Release context reference was because the most common reference/dereference operations are the ones that the minifilter does for you to handle context (File/Stream/Volume/Instance/StreamHandle) lifetimes.

  • Pooja_Bansal (Member, Posts: 44)

    Hi Rod,

    To relate to your post, my minifilter driver architecture is based upon a shadow file object design, where I have set FileObject->FsContext to my own created FCB.

    Now, in the test operation, before the dismount, IRP_MJ_CLOSE has happened for one of the files on the same volume that is to be dismounted.
    And in that Close operation handling, we have freed my own created FCB structure (this is the one which has been freed up in the call stack of !verifier 80 ffffcf8070f7cbe0).

    Now in the dismount operation, after the ContextCleanup callback has completed, the bugcheck happens for the above address in fltmgr!FltpDeleteAllFileListCtrls+0x9e98.

    So, I am trying to relate what is actually happening in the FltpDeleteAllFileListCtrls operation for my FCB-related structure.

    I hope, it makes sense.

    Thanks a lot!

  • rod_widdowson (Member, Posts: 1,017)

    So, I am trying to relate what is actually happening in the FltpDeleteAllFileListCtrls operation for my FCB-related structure.

    You'll have to determine that, but it will be one of four things:

    • If your FCB also masquerades as a filter manager Stream context for the lower file object, then it could be being detached from the lower file object.
    • The Filter Manager could be looking at YourFcb->AdvHeader.FilterContexts to remove all the stream contexts that other filters have attached.
    • If your FCB also masquerades as a filter manager File context for the lower file object, then it could be being detached from the lower file object.
    • The Filter Manager could be looking at *YourFcb->AdvHeader.FileContextSupport to remove all the file contexts that other filters have attached.

    You'll need to determine which yourself - you have all the information you need.

  • Pooja_Bansal (Member, Posts: 44)

    Hi Rod,

    Thank you so much for your prompt responses.

    To relate to your suggestions: in the driver, to initialize the advanced FCB header, there is a call to FsRtlSetupAdvancedHeaderEx(1stParam, 2ndParam, &fcb->FileCtxSupportPointer).

    And as per the FsRtlSetupAdvancedHeaderEx() code in Ntifs.h,
    (_advhdr)->FileContextSupportPointer = &fcb->FileCtxSupportPointer;

    and localAdvHdr->Flags2 |= FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS;

    which means we do support PerStreamContext and PerFileContext.

    In the IRP_MJ_CLOSE callback, we have called FsRtlTeardownPerStreamContexts(AdvancedFCBHeader) to tear down the stream contexts.

    Should we call FsRtlTeardownPerFileContexts() to tear down the file contexts as well?

    Thanks a lot!

  • rod_widdowson (Member, Posts: 1,017)

    Hey, guess what: the documentation for FsRtlTeardownPerFileContexts has disappeared alongside nearly every other useful IFS API. That's two weeks and counting. If anyone would like to add their distress at this breakage to the case, it might be useful.

    Anyway, to the case in point - that sounds like a good plan. Without the documentation I cannot be sure...

  • Peter_Scott (Member, Posts: 747), via Email
    Gotta love that! Though it does appear to still be present on the Korean(?) version of the help docs.

    Pete

    Kernel Drivers
    Windows File System and Device Driver Consulting
    www.KernelDrivers.com
    866.263.9295

  • rod_widdowson (Member, Posts: 1,017)
    edited October 2018

    To follow up, you can get an approximation of the document here. It looks like this is required during IRP_MJ_CLOSE handling (or during the final deref).
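
The close/dismount ordering that the last few posts converge on, as an added example that is not the original poster's driver code and not the WDK's: a user-mode C model of a shadow FCB whose per-file context list the filter manager walks again at dismount. The FSRTL and fltmgr names in it (FsRtlTeardownPerFileContexts, FltpFreeVolume, FILE_LIST_CTRL, FileContextSupportPointer) are assumed, simplified re-implementations rather than the ntifs.h or fltmgr definitions, the layout of the filter manager's per-volume record is a guess, and a Freed flag stands in for Driver Verifier special pool. With teardownFileContexts set to 0 the FCB is released on IRP_MJ_CLOSE while the filter manager's record still points into it, and the dismount walk hits that record, which is the shape of the FsRtlLookupReservedPerFileContext read in the stack above; with it set to 1 the teardown runs fltmgr's callback first, so the record is gone before the memory is.

```c
/* Added example: user-mode model of the shadow-FCB / per-file-context lifetime
 * from the thread. Names mirror FSRTL and fltmgr, but every type and routine is
 * an assumed, simplified re-implementation, not the ntifs.h or fltmgr one. */
#include <stddef.h>
#include <stdlib.h>
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static int  IsListEmpty(const LIST_ENTRY *h)  { return h->Flink == h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
static void RemoveEntryList(LIST_ENTRY *e) { e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink; }
#define CONTAINING_RECORD(p, T, f) ((T *)((char *)(p) - offsetof(T, f)))
#define BUGCHECK_PAGE_FAULT_IN_FREED_SPECIAL_POOL 0xCC

/* FSRTL_PER_FILE_CONTEXT model: released through the owner's callback at teardown. */
typedef struct _PER_FILE_CONTEXT {
    LIST_ENTRY Links;
    void (*FreeCallback)(struct _PER_FILE_CONTEXT *);
} PER_FILE_CONTEXT;

/* Shadow FCB: the FSRTL_ADVANCED_FCB_HEADER fields that matter here. */
typedef struct _SHADOW_FCB {
    LIST_ENTRY *FileContextSupportPointer;  /* -> FileCtxSupport, per FsRtlSetupAdvancedHeaderEx */
    LIST_ENTRY  FileCtxSupport;
    long        RefCount;
    int         Freed;   /* assumed stand-in for Verifier special pool: page unmapped */
} SHADOW_FCB;

/* fltmgr side: one record per FCB it attached a context to, held by raw pointer. */
typedef struct _FILE_LIST_CTRL {
    LIST_ENTRY       Links;      /* on FLT_VOLUME.FileListCtrls */
    SHADOW_FCB      *Fcb;        /* no reference taken: the FCB owner must tear down first */
    PER_FILE_CONTEXT Reserved;   /* fltmgr's "reserved" per-file context */
} FILE_LIST_CTRL;
typedef struct _FLT_VOLUME { LIST_ENTRY FileListCtrls; } FLT_VOLUME;

/* Reached only via FsRtlTeardownPerFileContexts: drops the volume's record. */
static void FltpFreeReservedContext(PER_FILE_CONTEXT *ctx) {
    FILE_LIST_CTRL *ctrl = CONTAINING_RECORD(ctx, FILE_LIST_CTRL, Reserved);
    RemoveEntryList(&ctrl->Links);
    free(ctrl);
}

/* A filter asked for a file context: FsRtlInsertPerFileContext into the FCB list. */
static void FltpAttachFileContext(FLT_VOLUME *vol, SHADOW_FCB *fcb) {
    FILE_LIST_CTRL *ctrl = calloc(1, sizeof *ctrl);
    ctrl->Fcb = fcb;
    ctrl->Reserved.FreeCallback = FltpFreeReservedContext;
    InsertTailList(fcb->FileContextSupportPointer, &ctrl->Reserved.Links);
    InsertTailList(&vol->FileListCtrls, &ctrl->Links);
}

/* FltpFreeVolume -> FltpDeleteAllFileListCtrls at dismount: revisit every FCB on record. */
static int FltpFreeVolume(FLT_VOLUME *vol) {
    while (!IsListEmpty(&vol->FileListCtrls)) {
        FILE_LIST_CTRL *ctrl = CONTAINING_RECORD(vol->FileListCtrls.Flink, FILE_LIST_CTRL, Links);
        if (ctrl->Fcb->Freed) return BUGCHECK_PAGE_FAULT_IN_FREED_SPECIAL_POOL; /* the faulting read */
        RemoveEntryList(&ctrl->Reserved.Links);
        RemoveEntryList(&ctrl->Links);
        free(ctrl);
    }
    return 0;
}

static void FsRtlTeardownPerFileContexts(LIST_ENTRY *head) {
    while (!IsListEmpty(head)) {
        PER_FILE_CONTEXT *ctx = CONTAINING_RECORD(head->Flink, PER_FILE_CONTEXT, Links);
        RemoveEntryList(&ctx->Links);
        ctx->FreeCallback(ctx);
    }
}

/* Final dereference (IRP_MJ_CLOSE). FsRtlTeardownPerStreamContexts belongs here too. */
static void DereferenceShadowFcb(SHADOW_FCB *fcb, int teardownFileContexts) {
    if (--fcb->RefCount != 0) return;
    if (teardownFileContexts) FsRtlTeardownPerFileContexts(fcb->FileContextSupportPointer);
    fcb->Freed = 1;   /* ExFreePool */
}

/* Open, one context attached, IRP_MJ_CLOSE, then node failover dismounts the volume.
 * Returns 0, or the modelled bugcheck code if fltmgr reads the freed FCB. */
static int SimulateCloseThenDismount(int teardownFileContexts) {
    FLT_VOLUME vol;
    InitializeListHead(&vol.FileListCtrls);
    SHADOW_FCB *fcb = calloc(1, sizeof *fcb);
    InitializeListHead(&fcb->FileCtxSupport);
    fcb->FileContextSupportPointer = &fcb->FileCtxSupport;
    fcb->RefCount = 1;
    FltpAttachFileContext(&vol, fcb);
    DereferenceShadowFcb(fcb, teardownFileContexts);
    int status = FltpFreeVolume(&vol);
    while (!IsListEmpty(&vol.FileListCtrls)) {   /* model-only cleanup of the stale record */
        FILE_LIST_CTRL *c = CONTAINING_RECORD(vol.FileListCtrls.Flink, FILE_LIST_CTRL, Links);
        RemoveEntryList(&c->Links);
        free(c);
    }
    free(fcb);
    return status;
}
```

The two scenarios differ only in whether FsRtlTeardownPerFileContexts runs before the FCB's memory goes away, which is exactly the question asked in the thread. In a real minifilter the same ordering applies to the per-stream list (FsRtlTeardownPerStreamContexts) and holds whether the FCB is released from IRP_MJ_CLOSE or from a deferred final dereference; Driver Verifier's special pool is what turns the stale read into an immediate 0xCC instead of silent corruption, which is why running the failover stress under Verifier pays off.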

  • Pooja_Bansal (Member, Posts: 44)

    BSOD details:
    PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
    Memory was referenced after it was freed.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: ffffcf8080a90be0, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

    BUGCHECK_P1: ffffcf8080a90be0

    BUGCHECK_P2: 0

    BUGCHECK_P3: fffff800365ba96c

    BUGCHECK_P4: 0

    READ_ADDRESS: ffffcf8080a90be0 Special pool

    FAULTING_IP:
    nt!FsRtlLookupReservedPerFileContext+0
    fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

    MM_INTERNAL_CODE: 0

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: 0xCC

    PROCESS_NAME: System

    CURRENT_IRQL: 0

    ANALYSIS_VERSION: 10.0.17763.1 amd64fre

    TRAP_FRAME: ffffd000233aa860 -- (.trap 0xffffd000233aa860)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
    rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
    r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
    r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    nt!FsRtlLookupReservedPerFileContext:
    fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf8080a90be0=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500

    STACK_TEXT:
    ffffd000233a9f28 fffff800365d2d5a : 0000000000000000 0000000000000000 ffffd000233aa090 fffff800364c2f90 : nt!DbgBreakPointWithStatus
    ffffd000233a9f30 fffff800365d2686 : 0000000000000003 ffffd000233aa090 fffff8003656fb00 00000000000000cc : nt!KiBugCheckDebugBreak+0x12
    ffffd000233a9f90 fffff8003655d3a4 : 4f808126e0000000 fffff80036459262 0000000000000002 0000000000000000 : nt!KeBugCheck2+0x8a2
    ffffd000233aa690 fffff80036602af4 : 0000000000000050 ffffcf8080a90be0 0000000000000000 ffffd000233aa860 : nt!KeBugCheckEx+0x104
    ffffd000233aa6d0 fffff800364509d9 : 0000000000000000 ffffcf8080a90be0 ffffd000233aa860 ffffcf8080a90be0 : nt!MiSystemFault+0x1048
    ffffd000233aa760 fffff8003656a957 : ffffcf807f178d78 fffffffffa0a1f00 0000000000000000 fffff80036641f90 : nt!MmAccessFault+0x219
    ffffd000233aa860 fffff800365ba96c : fffff800365bad7a ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 : nt!KiPageFault+0x317
    ffffd000233aa9f8 fffff800365bad7a : ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 ffffcf807f1787f0 : nt!FsRtlLookupReservedPerFileContext
    ffffd000233aaa00 fffff8015c1e0748 : ffffcf807f1788e8 ffffcf807f178d78 ffffcf807f1788e8 fffff800366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
    ffffd000233aaa30 fffff8015c1d670f : ffffcf807f1788e8 ffffcf807f1787f0 ffffcf807f7386c0 ffffcf807f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
    ffffd000233aaa80 fffff8015c1d687b : ffffe00045f73a50 0000000000000008 ffffe00045f73900 0000000000000000 : fltmgr!FltpFreeVolume+0xdf
    ffffd000233aaac0 fffff8015c1d67e8 : ffffcf8080888f90 ffffe0004521f040 ffffcf8080888f98 0000000000000018 : fltmgr!FltpCleanupDeviceObject+0x6b
    ffffd000233aab20 fffff8003646799f : 0000000000000000 ffffe0004521f040 ffffcf8080888f98 0000000000000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
    ffffd000233aab50 fffff800364f052a : ffffe00044db1ce0 ffffd001572d5180 0000000000000080 ffffe00041c885c0 : nt!ExpWorkerThread+0x69f
    ffffd000233aac00 fffff80036564d56 : ffffd001572d5180 ffffe0004521f040 ffffe00044a28080 0000000000000004 : nt!PspSystemThreadStartup+0x18a
    ffffd000233aac60 0000000000000000 : ffffd000233ab000 ffffd000233a5000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

    FOLLOWUP_IP:
    nt!FsRtlLookupReservedPerFileContext+0
    fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

    FAULT_INSTR_CODE: 48018b48

    SYMBOL_STACK_INDEX: 7

    SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 0

    FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

    BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

    PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
    FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext

    0: kd> !fltkd.volumes

    Volume List: ffffcf80702629b0 "Frame 0"
    FLT_VOLUME: ffffcf80702aa800 "\Device\Mup"
    FLT_INSTANCE: ffffcf8076bbc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80702f8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807364ed90 "CCFFilter" "261160"
    FLT_INSTANCE: ffffcf80702606c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf807038a7f0 "\Device\HarddiskVolume2"
    FLT_INSTANCE: ffffcf807193cc30 "CsvNSFlt Instance" "404900"
    FLT_INSTANCE: ffffcf807f12c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070876c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf80709fe6c0 "Sfntpffd Instance" "144200"
    FLT_INSTANCE: ffffcf80719984c0 "luafv" "135000"
    FLT_VOLUME: ffffcf807073e7f0 "\Device\HarddiskVolume3"
    FLT_INSTANCE: ffffcf807f13a6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80707c2c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807077e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80707bc7f0 "\Device\NamedPipe"
    FLT_INSTANCE: ffffcf807076cd30 "npsvctrig" "46000"
    FLT_VOLUME: ffffcf807070a7f0 "\Device\Mailslot"
    FLT_VOLUME: ffffcf80707d47f0 "\Device\HarddiskVolume4"
    FLT_INSTANCE: ffffcf807cbcc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807066e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80706787f0 "\Device\HarddiskVolume5"
    FLT_INSTANCE: ffffcf807f1386a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a306c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070b9a7f0 "\Device\HarddiskVolume1"
    FLT_INSTANCE: ffffcf807e92c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070be8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b466c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070ae67f0 "\Device\HarddiskVolume6"
    FLT_INSTANCE: ffffcf807e84e6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a48c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070a246c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070a4e7f0 "\Device\HarddiskVolume7"
    FLT_INSTANCE: ffffcf807deb26a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070aeec30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b5c6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf808068e7f0 "\Device\HarddiskVolume61"
    FLT_INSTANCE: ffffcf80806e06a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807e29ac30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8081748b40 "ResumeKeyFilter" "202000"
    FLT_INSTANCE: ffffcf80816a26c0 "Sfntpffd Instance" "144200"
    ** FLT_VOLUME: ffffcf807f1787f0 "\Device\HarddiskVolume64"**

  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44

    PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
    Memory was referenced after it was freed.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: ffffcf8080a90be0, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

    BUGCHECK_P1: ffffcf8080a90be0

    BUGCHECK_P2: 0

    BUGCHECK_P3: fffff800365ba96c

    BUGCHECK_P4: 0

    READ_ADDRESS: ffffcf8080a90be0 Special pool

    FAULTING_IP:
    nt!FsRtlLookupReservedPerFileContext+0
    fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

    MM_INTERNAL_CODE: 0

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: 0xCC

    PROCESS_NAME: System

    CURRENT_IRQL: 0

    ANALYSIS_VERSION: 10.0.17763.1 amd64fre

    TRAP_FRAME: ffffd000233aa860 -- (.trap 0xffffd000233aa860)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
    rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
    r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
    r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    nt!FsRtlLookupReservedPerFileContext:
    fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf8080a90be0=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500

    STACK_TEXT:
    ffffd000233a9f28 fffff800365d2d5a : 0000000000000000 0000000000000000 ffffd000233aa090 fffff800364c2f90 : nt!DbgBreakPointWithStatus
    ffffd000233a9f30 fffff800365d2686 : 0000000000000003 ffffd000233aa090 fffff8003656fb00 00000000000000cc : nt!KiBugCheckDebugBreak+0x12
    ffffd000233a9f90 fffff8003655d3a4 : 4f808126e0000000 fffff80036459262 0000000000000002 0000000000000000 : nt!KeBugCheck2+0x8a2
    ffffd000233aa690 fffff80036602af4 : 0000000000000050 ffffcf8080a90be0 0000000000000000 ffffd000233aa860 : nt!KeBugCheckEx+0x104
    ffffd000233aa6d0 fffff800364509d9 : 0000000000000000 ffffcf8080a90be0 ffffd000233aa860 ffffcf8080a90be0 : nt!MiSystemFault+0x1048
    ffffd000233aa760 fffff8003656a957 : ffffcf807f178d78 fffffffffa0a1f00 0000000000000000 fffff80036641f90 : nt!MmAccessFault+0x219
    ffffd000233aa860 fffff800365ba96c : fffff800365bad7a ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 : nt!KiPageFault+0x317
    ffffd000233aa9f8 fffff800365bad7a : ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 ffffcf807f1787f0 : nt!FsRtlLookupReservedPerFileContext
    ffffd000233aaa00 fffff8015c1e0748 : ffffcf807f1788e8 ffffcf807f178d78 ffffcf807f1788e8 fffff800366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
    ffffd000233aaa30 fffff8015c1d670f : ffffcf807f1788e8 ffffcf807f1787f0 ffffcf807f7386c0 ffffcf807f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
    ffffd000233aaa80 fffff8015c1d687b : ffffe00045f73a50 0000000000000008 ffffe00045f73900 0000000000000000 : fltmgr!FltpFreeVolume+0xdf
    ffffd000233aaac0 fffff8015c1d67e8 : ffffcf8080888f90 ffffe0004521f040 ffffcf8080888f98 0000000000000018 : fltmgr!FltpCleanupDeviceObject+0x6b
    ffffd000233aab20 fffff8003646799f : 0000000000000000 ffffe0004521f040 ffffcf8080888f98 0000000000000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
    ffffd000233aab50 fffff800364f052a : ffffe00044db1ce0 ffffd001572d5180 0000000000000080 ffffe00041c885c0 : nt!ExpWorkerThread+0x69f
    ffffd000233aac00 fffff80036564d56 : ffffd001572d5180 ffffe0004521f040 ffffe00044a28080 0000000000000004 : nt!PspSystemThreadStartup+0x18a
    ffffd000233aac60 0000000000000000 : ffffd000233ab000 ffffd000233a5000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

    FOLLOWUP_IP:
    nt!FsRtlLookupReservedPerFileContext+0
    fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

    FAULT_INSTR_CODE: 48018b48

    SYMBOL_STACK_INDEX: 7

    SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 0

    FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

    BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

    PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
    FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext

    0: kd> !fltkd.volumes

    Volume List: ffffcf80702629b0 "Frame 0"
    FLT_VOLUME: ffffcf80702aa800 "\Device\Mup"
    FLT_INSTANCE: ffffcf8076bbc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80702f8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807364ed90 "CCFFilter" "261160"
    FLT_INSTANCE: ffffcf80702606c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf807038a7f0 "\Device\HarddiskVolume2"
    FLT_INSTANCE: ffffcf807193cc30 "CsvNSFlt Instance" "404900"
    FLT_INSTANCE: ffffcf807f12c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070876c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf80709fe6c0 "Sfntpffd Instance" "144200"
    FLT_INSTANCE: ffffcf80719984c0 "luafv" "135000"
    FLT_VOLUME: ffffcf807073e7f0 "\Device\HarddiskVolume3"
    FLT_INSTANCE: ffffcf807f13a6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80707c2c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807077e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80707bc7f0 "\Device\NamedPipe"
    FLT_INSTANCE: ffffcf807076cd30 "npsvctrig" "46000"
    FLT_VOLUME: ffffcf807070a7f0 "\Device\Mailslot"
    FLT_VOLUME: ffffcf80707d47f0 "\Device\HarddiskVolume4"
    FLT_INSTANCE: ffffcf807cbcc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807066e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80706787f0 "\Device\HarddiskVolume5"
    FLT_INSTANCE: ffffcf807f1386a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a306c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070b9a7f0 "\Device\HarddiskVolume1"
    FLT_INSTANCE: ffffcf807e92c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070be8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b466c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070ae67f0 "\Device\HarddiskVolume6"
    FLT_INSTANCE: ffffcf807e84e6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a48c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070a246c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070a4e7f0 "\Device\HarddiskVolume7"
    FLT_INSTANCE: ffffcf807deb26a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070aeec30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b5c6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf808068e7f0 "\Device\HarddiskVolume61"
    FLT_INSTANCE: ffffcf80806e06a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807e29ac30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8081748b40 "ResumeKeyFilter" "202000"
    FLT_INSTANCE: ffffcf80816a26c0 "Sfntpffd Instance" "144200"
    ** FLT_VOLUME: ffffcf807f1787f0 "\Device\HarddiskVolume64"**

  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44

    PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
    Memory was referenced after it was freed.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: ffffcf8080a90be0, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

    TRAP_FRAME: ffffd000233aa860 -- (.trap 0xffffd000233aa860)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
    rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
    r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
    r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    nt!FsRtlLookupReservedPerFileContext:
    fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf8080a90be0=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500

    STACK_TEXT:
    ffffd000233a9f28 fffff800365d2d5a : 0000000000000000 0000000000000000 ffffd000233aa090 fffff800364c2f90 : nt!DbgBreakPointWithStatus
    ffffd000233a9f30 fffff800365d2686 : 0000000000000003 ffffd000233aa090 fffff8003656fb00 00000000000000cc : nt!KiBugCheckDebugBreak+0x12
    ffffd000233a9f90 fffff8003655d3a4 : 4f808126e0000000 fffff80036459262 0000000000000002 0000000000000000 : nt!KeBugCheck2+0x8a2
    ffffd000233aa690 fffff80036602af4 : 0000000000000050 ffffcf8080a90be0 0000000000000000 ffffd000233aa860 : nt!KeBugCheckEx+0x104
    ffffd000233aa6d0 fffff800364509d9 : 0000000000000000 ffffcf8080a90be0 ffffd000233aa860 ffffcf8080a90be0 : nt!MiSystemFault+0x1048
    ffffd000233aa760 fffff8003656a957 : ffffcf807f178d78 fffffffffa0a1f00 0000000000000000 fffff80036641f90 : nt!MmAccessFault+0x219
    ffffd000233aa860 fffff800365ba96c : fffff800365bad7a ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 : nt!KiPageFault+0x317
    ffffd000233aa9f8 fffff800365bad7a : ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 ffffcf807f1787f0 : nt!FsRtlLookupReservedPerFileContext
    ffffd000233aaa00 fffff8015c1e0748 : ffffcf807f1788e8 ffffcf807f178d78 ffffcf807f1788e8 fffff800366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
    ffffd000233aaa30 fffff8015c1d670f : ffffcf807f1788e8 ffffcf807f1787f0 ffffcf807f7386c0 ffffcf807f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
    ffffd000233aaa80 fffff8015c1d687b : ffffe00045f73a50 0000000000000008 ffffe00045f73900 0000000000000000 : fltmgr!FltpFreeVolume+0xdf
    ffffd000233aaac0 fffff8015c1d67e8 : ffffcf8080888f90 ffffe0004521f040 ffffcf8080888f98 0000000000000018 : fltmgr!FltpCleanupDeviceObject+0x6b
    ffffd000233aab20 fffff8003646799f : 0000000000000000 ffffe0004521f040 ffffcf8080888f98 0000000000000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
    ffffd000233aab50 fffff800364f052a : ffffe00044db1ce0 ffffd001572d5180 0000000000000080 ffffe00041c885c0 : nt!ExpWorkerThread+0x69f
    ffffd000233aac00 fffff80036564d56 : ffffd001572d5180 ffffe0004521f040 ffffe00044a28080 0000000000000004 : nt!PspSystemThreadStartup+0x18a
    ffffd000233aac60 0000000000000000 : ffffd000233ab000 ffffd000233a5000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

    0: kd> !fltkd.volumes

    Volume List: ffffcf80702629b0 "Frame 0"
    FLT_VOLUME: ffffcf80702aa800 "\Device\Mup"
    FLT_INSTANCE: ffffcf8076bbc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80702f8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807364ed90 "CCFFilter" "261160"
    FLT_INSTANCE: ffffcf80702606c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf807038a7f0 "\Device\HarddiskVolume2"
    FLT_INSTANCE: ffffcf807193cc30 "CsvNSFlt Instance" "404900"
    FLT_INSTANCE: ffffcf807f12c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070876c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf80709fe6c0 "Sfntpffd Instance" "144200"
    FLT_INSTANCE: ffffcf80719984c0 "luafv" "135000"
    FLT_VOLUME: ffffcf807073e7f0 "\Device\HarddiskVolume3"
    FLT_INSTANCE: ffffcf807f13a6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf80707c2c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf807077e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80707bc7f0 "\Device\NamedPipe"
    FLT_INSTANCE: ffffcf807076cd30 "npsvctrig" "46000"
    FLT_VOLUME: ffffcf807070a7f0 "\Device\Mailslot"
    FLT_VOLUME: ffffcf80707d47f0 "\Device\HarddiskVolume4"
    FLT_INSTANCE: ffffcf807cbcc6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807066e6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf80706787f0 "\Device\HarddiskVolume5"
    FLT_INSTANCE: ffffcf807f1386a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a306c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070b9a7f0 "\Device\HarddiskVolume1"
    FLT_INSTANCE: ffffcf807e92c6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070be8c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b466c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070ae67f0 "\Device\HarddiskVolume6"
    FLT_INSTANCE: ffffcf807e84e6a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070a48c30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070a246c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf8070a4e7f0 "\Device\HarddiskVolume7"
    FLT_INSTANCE: ffffcf807deb26a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf8070aeec30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8070b5c6c0 "Sfntpffd Instance" "144200"
    FLT_VOLUME: ffffcf808068e7f0 "\Device\HarddiskVolume61"
    FLT_INSTANCE: ffffcf80806e06a0 "Process Monitor 23 Instance" "385200"
    FLT_INSTANCE: ffffcf807e29ac30 "vsepflt Instance" "328200"
    FLT_INSTANCE: ffffcf8081748b40 "ResumeKeyFilter" "202000"
    FLT_INSTANCE: ffffcf80816a26c0 "Sfntpffd Instance" "144200"
    **FLT_VOLUME: ffffcf807f1787f0 "\Device\HarddiskVolume64"**

  • Pooja_Bansal Member - All Emails Posts: 44

    One observation is that the rdx register holds the same value as FLT_VOLUME: ffffcf807f1787f0, the volume for which the last dismount happened.

    TRAP_FRAME: ffffd000233aa860 -- (.trap 0xffffd000233aa860)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
    rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
    r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
    r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    nt!FsRtlLookupReservedPerFileContext:
    fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf8080a90be0=????????????????
    Resetting default scope
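An added triage sequence for a PAGE_FAULT_IN_FREED_SPECIAL_POOL stop like the one in the post above; it is not part of the original thread. The addresses are the ones from the trap frame (rcx = the freed block, rdx = the FLT_VOLUME being freed). The `!verifier 0x80` step assumes Driver Verifier's Pool Tracking option is enabled on this machine alongside Special Pool (the `_VRF_` bucket shows Verifier is on, but not which options), and `dt fltmgr!_FLT_VOLUME` assumes fltmgr public symbols are loaded.

```windbg
$$ Triage for a 0xCC (memory referenced after free, caught by special pool).
$$ Addresses come from the trap frame above; comments mark the assumptions.

$$ 1. Switch to the faulting register context so rcx/rdx and the stack match.
.trap 0xffffd000233aa860

$$ 2. Confirm what faulted: rcx is the first argument passed to
$$    nt!FsRtlLookupReservedPerFileContext and points into freed special pool.
r rcx
!pool ffffcf8080a90be0

$$ 3. Ask Verifier who allocated and freed that block. Flag 0x80 prints the
$$    allocation/free history for one address (assumption: Pool Tracking is
$$    enabled). The free stack names the driver that released memory which
$$    fltmgr still had linked into the volume's per-file context list.
!verifier 0x80 ffffcf8080a90be0

$$ 4. Inspect the volume being torn down (rdx): flags, instance list and the
$$    file-list controls that fltmgr!FltpDeleteAllFileListCtrls is walking.
!fltkd.volume ffffcf807f1787f0
dt fltmgr!_FLT_VOLUME ffffcf807f1787f0

$$ 5. List every filter and its instances; by the time FltpFreeVolume runs,
$$    no instance should remain attached to HarddiskVolume64, so any context
$$    or list entry still pointing at it is stale.
!fltkd.filters

$$ 6. Restore the default register context when done.
.trap
```

Read the output of step 3 first: the free call stack identifies which driver returned the block to the pool, and its allocation stack shows what the block was (for example a context or a list entry handed to fltmgr). Step 4 then shows whether the volume still references that block after the instance teardown callbacks have returned.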

  • Pooja_Bansal Member - All Emails Posts: 44

    BSOD details:
    PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
    Memory was referenced after it was freed.
    This cannot be protected by try-except.
    When possible, the guilty driver's name (Unicode string) is printed on
    the bugcheck screen and saved in KiBugCheckDriver.
    Arguments:
    Arg1: ffffcf8080a90be0, memory referenced
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
    Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
    Arg4: 0000000000000000, Mm internal code.

    BUGCHECK_P1: ffffcf8080a90be0

    BUGCHECK_P2: 0

    BUGCHECK_P3: fffff800365ba96c

    BUGCHECK_P4: 0

    READ_ADDRESS: ffffcf8080a90be0 Special pool

    FAULTING_IP:
    nt!FsRtlLookupReservedPerFileContext+0
    fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

    MM_INTERNAL_CODE: 0

    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

    BUGCHECK_STR: 0xCC

    PROCESS_NAME: System

    CURRENT_IRQL: 0

    ANALYSIS_VERSION: 10.0.17763.1 amd64fre

    TRAP_FRAME: ffffd000233aa860 -- (.trap 0xffffd000233aa860)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
    rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
    r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
    r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    nt!FsRtlLookupReservedPerFileContext:
    fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf8080a90be0=????????????????
    Resetting default scope

    LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500

    STACK_TEXT:
    ffffd000233a9f28 fffff800365d2d5a : 0000000000000000 0000000000000000 ffffd000233aa090 fffff800364c2f90 : nt!DbgBreakPointWithStatus
    ffffd000233a9f30 fffff800365d2686 : 0000000000000003 ffffd000233aa090 fffff8003656fb00 00000000000000cc : nt!KiBugCheckDebugBreak+0x12
    ffffd000233a9f90 fffff8003655d3a4 : 4f808126e0000000 fffff80036459262 0000000000000002 0000000000000000 : nt!KeBugCheck2+0x8a2
    ffffd000233aa690 fffff80036602af4 : 0000000000000050 ffffcf8080a90be0 0000000000000000 ffffd000233aa860 : nt!KeBugCheckEx+0x104
    ffffd000233aa6d0 fffff800364509d9 : 0000000000000000 ffffcf8080a90be0 ffffd000233aa860 ffffcf8080a90be0 : nt!MiSystemFault+0x1048
    ffffd000233aa760 fffff8003656a957 : ffffcf807f178d78 fffffffffa0a1f00 0000000000000000 fffff80036641f90 : nt!MmAccessFault+0x219
    ffffd000233aa860 fffff800365ba96c : fffff800365bad7a ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 : nt!KiPageFault+0x317
    ffffd000233aa9f8 fffff800365bad7a : ffffd000233aaa60 ffffcf8000000000 fffff8015c1d68f6 ffffcf807f1787f0 : nt!FsRtlLookupReservedPerFileContext
    ffffd000233aaa00 fffff8015c1e0748 : ffffcf807f1788e8 ffffcf807f178d78 ffffcf807f1788e8 fffff800366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
    ffffd000233aaa30 fffff8015c1d670f : ffffcf807f1788e8 ffffcf807f1787f0 ffffcf807f7386c0 ffffcf807f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
    ffffd000233aaa80 fffff8015c1d687b : ffffe00045f73a50 0000000000000008 ffffe00045f73900 0000000000000000 : fltmgr!FltpFreeVolume+0xdf
    ffffd000233aaac0 fffff8015c1d67e8 : ffffcf8080888f90 ffffe0004521f040 ffffcf8080888f98 0000000000000018 : fltmgr!FltpCleanupDeviceObject+0x6b
    ffffd000233aab20 fffff8003646799f : 0000000000000000 ffffe0004521f040 ffffcf8080888f98 0000000000000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
    ffffd000233aab50 fffff800364f052a : ffffe00044db1ce0 ffffd001572d5180 0000000000000080 ffffe00041c885c0 : nt!ExpWorkerThread+0x69f
    ffffd000233aac00 fffff80036564d56 : ffffd001572d5180 ffffe0004521f040 ffffe00044a28080 0000000000000004 : nt!PspSystemThreadStartup+0x18a
    ffffd000233aac60 0000000000000000 : ffffd000233ab000 ffffd000233a5000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

    FOLLOWUP_IP:
    nt!FsRtlLookupReservedPerFileContext+0
    fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]

    FAULT_INSTR_CODE: 48018b48

    SYMBOL_STACK_INDEX: 7

    SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME: ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7

    STACK_COMMAND: .thread ; .cxr ; kb

    BUCKET_ID_FUNC_OFFSET: 0

    FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

    BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext

    PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
    FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext

  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44

    One observation is that the rdx register holds the same value as FLT_VOLUME: ffffcf807f1787f0, the volume for which the last dismount happened.

    TRAP_FRAME: ffffd000233aa860 -- (.trap 0xffffd000233aa860)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
    rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
    r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
    r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0 nv up ei ng nz na po nc
    nt!FsRtlLookupReservedPerFileContext:
    fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf8080a90be0=????????????????
    Resetting default scope

  • Pooja_BansalPooja_Bansal Member - All Emails Posts: 44

    Thanks Rod and Peter for your valuable suggestions. This issue seems to be resolved with FsRtlTeardownPerFileContexts() while clearing the FCB structure.

    Thanks again!
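    To make the resolution above concrete, here is an added user-mode C model of what the teardown call does; it is not the poster's driver code and not the real ntifs.h API (the struct and function names below are hypothetical stand-ins). The point it shows: per-file contexts hang off the FCB's advanced header, and FsRtlTeardownPerFileContexts runs each context's FreeCallback before the FCB memory goes away, so an owner such as filter manager drops its tracking entry instead of walking freed memory later in FltpFreeVolume, which is the cc bugcheck stack in this thread.

```c
#include <stdlib.h>
/* User-mode model (hypothetical, not ntifs.h) of an FSRTL_PER_FILE_CONTEXT. */
typedef struct PerFileCtx {
    struct PerFileCtx *next;                /* link in the FCB header's list */
    void (*free_cb)(struct PerFileCtx *);   /* FreeCallback: runs at FCB teardown */
} PerFileCtx;
/* Model of the FSRTL_ADVANCED_FCB_HEADER fields that hold per-file contexts. */
typedef struct { PerFileCtx *ctx_list; int freed; } FcbHeader;
/* Model of the per-volume file list that filter manager walks in FltpFreeVolume. */
static FcbHeader *tracked[8];
static int tracked_count;
static void untrack(FcbHeader *h) {
    for (int i = 0; i < tracked_count; i++)
        if (tracked[i] == h) { tracked[i] = tracked[--tracked_count]; return; }
}

/* The owner's FreeCallback drops its tracking entry, so nothing points at the FCB. */
typedef struct { PerFileCtx ctx; FcbHeader *hdr; } OwnerCtx;
static void owner_free_cb(PerFileCtx *c) {
    OwnerCtx *oc = (OwnerCtx *)c;
    untrack(oc->hdr);
    free(oc);
}

/* Model of FsRtlTeardownPerFileContexts: unlink every context, call its FreeCallback. */
static void teardown_per_file_contexts(FcbHeader *h) {
    while (h->ctx_list) {
        PerFileCtx *c = h->ctx_list;
        h->ctx_list = c->next;
        c->free_cb(c);
    }
}

/* Open a file (owner inserts a context), release the FCB with or without the teardown,
   then run the volume-free walk. Returns how many tracked headers refer to a released FCB. */
static int simulate(int call_teardown) {
    tracked_count = 0;
    FcbHeader *fcb = calloc(1, sizeof *fcb);
    OwnerCtx *oc = calloc(1, sizeof *oc);
    oc->ctx.free_cb = owner_free_cb; oc->hdr = fcb;
    fcb->ctx_list = &oc->ctx;               /* stands in for FsRtlInsertPerFileContext */
    tracked[tracked_count++] = fcb;         /* owner starts tracking this file */
    if (call_teardown) teardown_per_file_contexts(fcb);  /* the fix from the thread */
    fcb->freed = 1;                         /* stands in for ExFreePool (memory kept readable) */
    int dangling = 0;
    for (int i = 0; i < tracked_count; i++) if (tracked[i]->freed) dangling++;
    if (!call_teardown) free(oc);           /* model cleanup only */
    free(fcb);
    return dangling;
}
```

    Without the teardown the owner's list still references the released FCB (one dangling entry); with it the FreeCallback has already removed that entry, which is exactly the access FltpFreeVolume would otherwise make on freed special pool.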

  • NtDev_GeekNtDev_Geek Member - All Emails Posts: 98

    Using "FsRtlTeardownPerFileContexts()" blindly can let you get away with it this time, but be cautious.
