Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`ff286018). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
Use !analyze -v to get detailed debugging information.
BugCheck 24, {b500190645, ffffd000ccae02f8, ffffd000ccadfb00, fffff801676ebc5d}
Probably caused by : Ntfs.sys ( Ntfs!NtfsDecodeFileObject+49 )
9: kd> !analyze -v
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000000b500190645
Arg2: ffffd000ccae02f8
Arg3: ffffd000ccadfb00
Arg4: fffff801676ebc5d
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 9600.17415.amd64fre.winblue_r4.141028-1500
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 09/30/2014
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: b500190645
BUGCHECK_P2: ffffd000ccae02f8
BUGCHECK_P3: ffffd000ccadfb00
BUGCHECK_P4: fffff801676ebc5d
EXCEPTION_RECORD: ffffd000ccae02f8 -- (.exr 0xffffd000ccae02f8)
ExceptionAddress: fffff801676ebc5d (Ntfs!NtfsDecodeFileObject+0x0000000000000049)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000013c04243465e
Attempt to read from address 000013c04243465e
CONTEXT: ffffd000ccadfb00 -- (.cxr 0xffffd000ccadfb00)
rax=000013c04243465a rbx=ffffe4018e4a3830 rcx=0000000000000000
rdx=ffffd000ccae0610 rsi=0000000000000000 rdi=ffffe4018e4a3ab0
rip=fffff801676ebc5d rsp=ffffd000ccae0530 rbp=ffffd000ccae0a00
r8=ffffd000ccae05f8 r9=ffffd000ccae0628 r10=ffffd000ccae0618
r11=ffffd000ccae0780 r12=ffffd000ccae0a70 r13=ffffe4018e4a3830
r14=0000000000000001 r15=ffffd000ccae0780
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
Ntfs!NtfsDecodeFileObject+0x49:
fffff801676ebc5d 8b4804 mov ecx,dword ptr [rax+4] ds:002b:000013c0
4243465e=????????
Resetting default scope
CPU_COUNT: 20
CPU_MHZ: 6a2
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: f
CPU_STEPPING: 1
CPU_MICROCODE: 6,f,1,0 (F,M,S,R) SIG: 38'00000000 (cache) 38'00000000 (init)
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
PROCESS_NAME: ArcMap.exe
CURRENT_IRQL: 0
FOLLOWUP_IP:
Ntfs!NtfsDecodeFileObject+49
fffff801`676ebc5d 8b4804 mov ecx,dword ptr [rax+4]
FAULTING_IP:
Ntfs!NtfsDecodeFileObject+49
fffff801`676ebc5d 8b4804 mov ecx,dword ptr [rax+4]
BUGCHECK_STR: 0x24
READ_ADDRESS: 000013c04243465e
ERROR_CODE: (NTSTATUS) 0xc0000005 -
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000013c04243465e
ANALYSIS_SESSION_HOST: ZHOUGS-PC1
ANALYSIS_SESSION_TIME: 09-10-2020 09:56:53.0376
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
DEVICE_OBJECT: 0000000000000004
LAST_CONTROL_TRANSFER: from fffff80167752744 to fffff801676ebc5d
STACK_TEXT:
ffffd000ccae0530 fffff801
67752744 : 0000000050000018 fffff802
d8cc7d25 000000008e4a3830 fffff802
00000000 : Ntfs!NtfsDecodeFileObject+0x49
ffffd000ccae0570 fffff801
677c2fee : ffffd000ccae0780 ffffe401
8e4a3830 0000000000000000 ffffd000
ccae0a00 : Ntfs!NtfsCommonSetEa+0x94
ffffd000ccae06e0 fffff801
677c318a : ffffd000ccae0780 ffffe401
8e4a3830 ffffe4018e4a3830 fffff801
67db54fc : Ntfs!NtfsFsdDispatchSwitch+0x13e
ffffd000ccae0760 fffff801
6750db1e : ffffe4018e4a3af8 00000000
00000000 fffff6e000919e18 ffffec00
4c76ddd8 : Ntfs!NtfsFsdDispatchWait+0x47
ffffd000ccae09b0 fffff801
6750c0c2 : ffffd000ccae0a70 ffffe001
1ae49490 ffffec004c38c070 ffffe401
8e4a3830 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
ffffd000ccae0a50 fffff802
d8a60788 : 0000000000000001 ffffd000
ccae0b31 ffffec004c38c070 0000001e
00100090 : fltmgr!FltpDispatch+0xb2
ffffd000ccae0ab0 fffff802
d8c59b3a : 0000000000000004 00000000
00000000 0000000000000000 ffffe401
8e4a3830 : nt!IopSynchronousServiceTail+0x170
ffffd000ccae0b80 fffff802
d87d61b3 : ffffe4018e633880 00000000
fe894000 0000000000000000 00000000
fe892000 : nt!NtSetEaFile+0x4ca
ffffd000ccae0c40 00007ffe
a401233a : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x13
000000001a8be838 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : 0x00007ffe`a401233a
THREAD_SHA1_HASH_MOD_FUNC: 27c3d0634b372cb90f8f7c7c2427b9e8a4b855ca
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 66cdf10b49fdb5426c310d5f89b709d3d1497d07
THREAD_SHA1_HASH_MOD: 9a2ca6154debbb461080755929258901b6e34132
FAULT_INSTR_CODE: f604488b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsDecodeFileObject+49
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 54387b6b
IMAGE_VERSION: 6.3.9600.17399
STACK_COMMAND: .cxr 0xffffd000ccadfb00 ; kb
BUCKET_ID_FUNC_OFFSET: 49
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject
BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject
PRIMARY_PROBLEM_CLASS: 0x24_Ntfs!NtfsDecodeFileObject
TARGET_TIME: 2020-09-09T07:51:35.000Z
OSBUILD: 9600
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2014-10-29 08:38:48
BUILDDATESTAMP_STR: 141028-1500
BUILDLAB_STR: winblue_r4
BUILDOSVER_STR: 6.3.9600.17415.amd64fre.winblue_r4.141028-1500
ANALYSIS_SESSION_ELAPSED_TIME: 46c
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x24_ntfs!ntfsdecodefileobject
FAILURE_ID_HASH: {088c6a02-fb95-5b4c-6631-2f37b3c12a38}
9: kd> k
# Child-SP RetAddr Call Site
00 ffffd000ccadf158 fffff801
676f7eec nt!KeBugCheckEx
01 ffffd000ccadf160 fffff801
67818f9b Ntfs!NtfsExceptionFilter+0x1e8c0
02 ffffd000ccadf320 fffff802
d87b9a96 Ntfs!NtfsFsdDispatchSwitch$filt$0+0x18
03 ffffd000ccadf360 fffff802
d87d1eed nt!_C_specific_handler+0x86
04 ffffd000ccadf3d0 fffff802
d8754125 nt!RtlpExecuteHandlerForException+0xd
05 ffffd000ccadf400 fffff802
d87584de nt!RtlDispatchException+0x1a5
06 ffffd000ccadfad0 fffff802
d87d65c2 nt!KiDispatchException+0x646
07 ffffd000ccae01c0 fffff802
d87d4d14 nt!KiExceptionDispatch+0xc2
08 ffffd000ccae03a0 fffff801
676ebc5d nt!KiPageFault+0x214
09 ffffd000ccae0530 fffff801
67752744 Ntfs!NtfsDecodeFileObject+0x49
0a ffffd000ccae0570 fffff801
677c2fee Ntfs!NtfsCommonSetEa+0x94
0b ffffd000ccae06e0 fffff801
677c318a Ntfs!NtfsFsdDispatchSwitch+0x13e
0c ffffd000ccae0760 fffff801
6750db1e Ntfs!NtfsFsdDispatchWait+0x47
0d ffffd000ccae09b0 fffff801
6750c0c2 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
0e ffffd000ccae0a50 fffff802
d8a60788 fltmgr!FltpDispatch+0xb2
0f ffffd000ccae0ab0 fffff802
d8c59b3a nt!IopSynchronousServiceTail+0x170
10 ffffd000ccae0b80 fffff802
d87d61b3 nt!NtSetEaFile+0x4ca
11 ffffd000ccae0c40 00007ffe
a401233a nt!KiSystemServiceCopyEnd+0x13
12 000000001a8be838 00000000
00000000 0x00007ffe`a401233a
Upcoming OSR Seminars | ||
---|---|---|
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
Writing WDF Drivers | 7 Dec 2020 | LIVE ONLINE |
Internals & Software Drivers | 25 Jan 2021 | LIVE ONLINE |
Developing Minifilters | 8 March 2021 | LIVE ONLINE |
Comments
This means NTFS doesn’t understand the file object it was given. It didn’t get it as an MJ_CREATE & it didn’t create it itself. Something (your filter?) has sent it to the wrong device or forgotten to swap in the correct file object in the (probably) EA path(s)
That’s the usual reason anyways
There is also have another dmp
Use !analyze -v to get detailed debugging information.
BugCheck 24, {b500190645, ffffd001fb59e538, ffffd001fb59dd40, fffff800ab90aaef}
Probably caused by : Ntfs.sys ( Ntfs!NtfsCommonSetInformation+8f )
Followup: MachineOwner
16: kd> !analyze -v
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000000b500190645
Arg2: ffffd001fb59e538
Arg3: ffffd001fb59dd40
Arg4: fffff800ab90aaef
Debugging Details:
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 9600.17415.amd64fre.winblue_r4.141028-1500
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 09/30/2014
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: b500190645
BUGCHECK_P2: ffffd001fb59e538
BUGCHECK_P3: ffffd001fb59dd40
BUGCHECK_P4: fffff800ab90aaef
EXCEPTION_RECORD: ffffd001fb59e538 -- (.exr 0xffffd001fb59e538)
ExceptionAddress: fffff800ab90aaef (Ntfs!NtfsCommonSetInformation+0x000000000000008f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000013c04243465e
Attempt to read from address 000013c04243465e
CONTEXT: ffffd001fb59dd40 -- (.cxr 0xffffd001fb59dd40)
rax=ffffe800e4490a00 rbx=000000000000000d rcx=ffffe800e4b9d648
rdx=000013c04243465a rsi=ffffe40187400000 rdi=ffffe800e43dfb98
rip=fffff800ab90aaef rsp=ffffd001fb59e770 rbp=ffffd001fb59e900
r8=0000000000000000 r9=0000000000000003 r10=0000000000000004
r11=ffffd001fb59e848 r12=0000000000000001 r13=ffffe800e4b9d380
r14=ffffe800e4b9d380 r15=ffffe40187400000
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
Ntfs!NtfsCommonSetInformation+0x8f:
fffff800
ab90aaef 8b4204 mov eax,dword ptr [rdx+4] ds:002b:000013c0
4243465e=????????Resetting default scope
CPU_COUNT: 20
CPU_MHZ: 6a2
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: f
CPU_STEPPING: 1
CPU_MICROCODE: 6,f,1,0 (F,M,S,R) SIG: 38'00000000 (cache) 38'00000000 (init)
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
PROCESS_NAME: ArcSOC.exe
CURRENT_IRQL: 0
FOLLOWUP_IP:
Ntfs!NtfsCommonSetInformation+8f
fffff800`ab90aaef 8b4204 mov eax,dword ptr [rdx+4]
FAULTING_IP:
Ntfs!NtfsCommonSetInformation+8f
fffff800`ab90aaef 8b4204 mov eax,dword ptr [rdx+4]
BUGCHECK_STR: 0x24
READ_ADDRESS: 000013c04243465e
ERROR_CODE: (NTSTATUS) 0xc0000005 -
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000013c04243465e
ANALYSIS_SESSION_HOST: ZHOUGS-PC1
ANALYSIS_SESSION_TIME: 09-10-2020 19:34:44.0806
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
LAST_CONTROL_TRANSFER: from fffff800ab90d931 to fffff800ab90aaef
STACK_TEXT:
ffffd001
fb59e770 fffff800
ab90d931 : ffffe800e43dfb98 ffffe800
e4b9d380 0000000000000000 ffffd001
fb59e900 : Ntfs!NtfsCommonSetInformation+0x8fffffd001
fb59e850 fffff800
aaf99b1e : ffffe800e4e568c0 ffffe800
e4b9d380 ffffe800e43dfb98 ffffd001
fb59e878 : Ntfs!NtfsFsdSetInformation+0xcdffffd001
fb59e8b0 fffff800
aaf980c2 : ffffd001fb59e970 ffffe000
b0ea0df0 0000000000000000 ffffe800
e4b9d380 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ceffffd001
fb59e950 fffff801
b38f2e8a : 000000000e20dfe0 ffffd001
fb59ecc0 0000000000000000 00000000
00000001 : fltmgr!FltpDispatch+0xb2ffffd001
fb59e9b0 fffff801
b39761b3 : fffff6fb7dbed000 fffff6fb
7da00008 fffff6fb40001b28 fffff680
00365700 : nt!NtSetInformationFile+0x85affffd001
fb59ebd0 00007ffc
5a2d0eba : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x1300000000
0e20dfa8 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : 0x00007ffc`5a2d0ebaTHREAD_SHA1_HASH_MOD_FUNC: 3d0ae8d610ef241f2cbb495902f493321604249b
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 8cdb328a82028dec043c89d8adf83b32488a99e4
THREAD_SHA1_HASH_MOD: 946f3aafff33e30710cfc49199b33e153910fd85
FAULT_INSTR_CODE: 4104428b
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsCommonSetInformation+8f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 54387b6b
IMAGE_VERSION: 6.3.9600.17399
STACK_COMMAND: .cxr 0xffffd001fb59dd40 ; kb
BUCKET_ID_FUNC_OFFSET: 8f
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonSetInformation
BUCKET_ID: 0x24_Ntfs!NtfsCommonSetInformation
PRIMARY_PROBLEM_CLASS: 0x24_Ntfs!NtfsCommonSetInformation
TARGET_TIME: 2020-09-09T01:53:51.000Z
OSBUILD: 9600
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 8.1
OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2014-10-29 08:38:48
BUILDDATESTAMP_STR: 141028-1500
BUILDLAB_STR: winblue_r4
BUILDOSVER_STR: 6.3.9600.17415.amd64fre.winblue_r4.141028-1500
ANALYSIS_SESSION_ELAPSED_TIME: 4b0
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x24_ntfs!ntfscommonsetinformation
FAILURE_ID_HASH: {d88870db-85a5-faea-ad2f-07b3313627a1}
Followup: MachineOwner
16: kd> k
# Child-SP RetAddr Call Site
00 ffffd001
fb59d3a8 fffff800
ab84beec nt!KeBugCheckEx01 ffffd001
fb59d3b0 fffff800
ab8b4e84 Ntfs!NtfsExceptionFilter+0x1e8c002 ffffd001
fb59d570 fffff801
b3959a96 Ntfs!NtfsFsdSetInformation$filt$0+0x1503 ffffd001
fb59d5a0 fffff801
b3971eed nt!_C_specific_handler+0x8604 ffffd001
fb59d610 fffff801
b38f4125 nt!RtlpExecuteHandlerForException+0xd05 ffffd001
fb59d640 fffff801
b38f84de nt!RtlDispatchException+0x1a506 ffffd001
fb59dd10 fffff801
b39765c2 nt!KiDispatchException+0x64607 ffffd001
fb59e400 fffff801
b3974d14 nt!KiExceptionDispatch+0xc208 ffffd001
fb59e5e0 fffff800
ab90aaef nt!KiPageFault+0x21409 ffffd001
fb59e770 fffff800
ab90d931 Ntfs!NtfsCommonSetInformation+0x8f0a ffffd001
fb59e850 fffff800
aaf99b1e Ntfs!NtfsFsdSetInformation+0xcd0b ffffd001
fb59e8b0 fffff800
aaf980c2 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce0c ffffd001
fb59e950 fffff801
b38f2e8a fltmgr!FltpDispatch+0xb20d ffffd001
fb59e9b0 fffff801
b39761b3 nt!NtSetInformationFile+0x85a0e ffffd001
fb59ebd0 00007ffc
5a2d0eba nt!KiSystemServiceCopyEnd+0x130f 00000000
0e20dfa8 00000000
00000000 0x00007ffc`5a2d0ebaIf your are helping your neighbor fix their computer you should just reimage the machine. If this crash happens when a minifilter you are developing is loaded then you need to provide some actual information about what you’re trying to do.
-scott
OSR