Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


windows 2012R2 crash in NtfsDecodeFileObject,someone help

stevezhougsstevezhougs Member Posts: 7
in NTFSD

Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`ff286018). Type ".hh dbgerr001" for details
Loading unloaded module list
.....

  • *
  • Bugcheck Analysis *
  • *

Use !analyze -v to get detailed debugging information.

BugCheck 24, {b500190645, ffffd000ccae02f8, ffffd000ccadfb00, fffff801676ebc5d}

Probably caused by : Ntfs.sys ( Ntfs!NtfsDecodeFileObject+49 )

Followup: MachineOwner

9: kd> !analyze -v

  • *
  • Bugcheck Analysis *
  • *

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000000b500190645
Arg2: ffffd000ccae02f8
Arg3: ffffd000ccadfb00
Arg4: fffff801676ebc5d

Debugging Details:

KEY_VALUES_STRING: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 9600.17415.amd64fre.winblue_r4.141028-1500

SYSTEM_MANUFACTURER: VMware, Inc.

VIRTUAL_MACHINE: VMware

SYSTEM_PRODUCT_NAME: VMware Virtual Platform

SYSTEM_VERSION: None

BIOS_VENDOR: Phoenix Technologies LTD

BIOS_VERSION: 6.00

BIOS_DATE: 09/30/2014

BASEBOARD_MANUFACTURER: Intel Corporation

BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

BASEBOARD_VERSION: None

DUMP_TYPE: 1

BUGCHECK_P1: b500190645

BUGCHECK_P2: ffffd000ccae02f8

BUGCHECK_P3: ffffd000ccadfb00

BUGCHECK_P4: fffff801676ebc5d

EXCEPTION_RECORD: ffffd000ccae02f8 -- (.exr 0xffffd000ccae02f8)
ExceptionAddress: fffff801676ebc5d (Ntfs!NtfsDecodeFileObject+0x0000000000000049)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000013c04243465e
Attempt to read from address 000013c04243465e

CONTEXT: ffffd000ccadfb00 -- (.cxr 0xffffd000ccadfb00)
rax=000013c04243465a rbx=ffffe4018e4a3830 rcx=0000000000000000
rdx=ffffd000ccae0610 rsi=0000000000000000 rdi=ffffe4018e4a3ab0
rip=fffff801676ebc5d rsp=ffffd000ccae0530 rbp=ffffd000ccae0a00
r8=ffffd000ccae05f8 r9=ffffd000ccae0628 r10=ffffd000ccae0618
r11=ffffd000ccae0780 r12=ffffd000ccae0a70 r13=ffffe4018e4a3830
r14=0000000000000001 r15=ffffd000ccae0780
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
Ntfs!NtfsDecodeFileObject+0x49:
fffff801676ebc5d 8b4804 mov ecx,dword ptr [rax+4] ds:002b:000013c04243465e=????????
Resetting default scope

CPU_COUNT: 20

CPU_MHZ: 6a2

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: f

CPU_STEPPING: 1

CPU_MICROCODE: 6,f,1,0 (F,M,S,R) SIG: 38'00000000 (cache) 38'00000000 (init)

DEFAULT_BUCKET_ID: STRING_DEREFERENCE

PROCESS_NAME: ArcMap.exe

CURRENT_IRQL: 0

FOLLOWUP_IP:
Ntfs!NtfsDecodeFileObject+49
fffff801`676ebc5d 8b4804 mov ecx,dword ptr [rax+4]

FAULTING_IP:
Ntfs!NtfsDecodeFileObject+49
fffff801`676ebc5d 8b4804 mov ecx,dword ptr [rax+4]

BUGCHECK_STR: 0x24

READ_ADDRESS: 000013c04243465e

ERROR_CODE: (NTSTATUS) 0xc0000005 -

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: 000013c04243465e

ANALYSIS_SESSION_HOST: ZHOUGS-PC1

ANALYSIS_SESSION_TIME: 09-10-2020 09:56:53.0376

ANALYSIS_VERSION: 10.0.17763.132 amd64fre

DEVICE_OBJECT: 0000000000000004

LAST_CONTROL_TRANSFER: from fffff80167752744 to fffff801676ebc5d

STACK_TEXT:
ffffd000ccae0530 fffff80167752744 : 0000000050000018 fffff802d8cc7d25 000000008e4a3830 fffff80200000000 : Ntfs!NtfsDecodeFileObject+0x49
ffffd000ccae0570 fffff801677c2fee : ffffd000ccae0780 ffffe4018e4a3830 0000000000000000 ffffd000ccae0a00 : Ntfs!NtfsCommonSetEa+0x94
ffffd000ccae06e0 fffff801677c318a : ffffd000ccae0780 ffffe4018e4a3830 ffffe4018e4a3830 fffff80167db54fc : Ntfs!NtfsFsdDispatchSwitch+0x13e
ffffd000ccae0760 fffff8016750db1e : ffffe4018e4a3af8 0000000000000000 fffff6e000919e18 ffffec004c76ddd8 : Ntfs!NtfsFsdDispatchWait+0x47
ffffd000ccae09b0 fffff8016750c0c2 : ffffd000ccae0a70 ffffe0011ae49490 ffffec004c38c070 ffffe4018e4a3830 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
ffffd000ccae0a50 fffff802d8a60788 : 0000000000000001 ffffd000ccae0b31 ffffec004c38c070 0000001e00100090 : fltmgr!FltpDispatch+0xb2
ffffd000ccae0ab0 fffff802d8c59b3a : 0000000000000004 0000000000000000 0000000000000000 ffffe4018e4a3830 : nt!IopSynchronousServiceTail+0x170
ffffd000ccae0b80 fffff802d87d61b3 : ffffe4018e633880 00000000fe894000 0000000000000000 00000000fe892000 : nt!NtSetEaFile+0x4ca
ffffd000ccae0c40 00007ffea401233a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000001a8be838 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffe`a401233a

THREAD_SHA1_HASH_MOD_FUNC: 27c3d0634b372cb90f8f7c7c2427b9e8a4b855ca

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 66cdf10b49fdb5426c310d5f89b709d3d1497d07

THREAD_SHA1_HASH_MOD: 9a2ca6154debbb461080755929258901b6e34132

FAULT_INSTR_CODE: f604488b

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsDecodeFileObject+49

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 54387b6b

IMAGE_VERSION: 6.3.9600.17399

STACK_COMMAND: .cxr 0xffffd000ccadfb00 ; kb

BUCKET_ID_FUNC_OFFSET: 49

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject

BUCKET_ID: 0x24_Ntfs!NtfsDecodeFileObject

PRIMARY_PROBLEM_CLASS: 0x24_Ntfs!NtfsDecodeFileObject

TARGET_TIME: 2020-09-09T07:51:35.000Z

OSBUILD: 9600

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 3

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2014-10-29 08:38:48

BUILDDATESTAMP_STR: 141028-1500

BUILDLAB_STR: winblue_r4

BUILDOSVER_STR: 6.3.9600.17415.amd64fre.winblue_r4.141028-1500

ANALYSIS_SESSION_ELAPSED_TIME: 46c

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x24_ntfs!ntfsdecodefileobject

FAILURE_ID_HASH: {088c6a02-fb95-5b4c-6631-2f37b3c12a38}

Followup: MachineOwner

9: kd> k
# Child-SP RetAddr Call Site
00 ffffd000ccadf158 fffff801676f7eec nt!KeBugCheckEx
01 ffffd000ccadf160 fffff80167818f9b Ntfs!NtfsExceptionFilter+0x1e8c0
02 ffffd000ccadf320 fffff802d87b9a96 Ntfs!NtfsFsdDispatchSwitch$filt$0+0x18
03 ffffd000ccadf360 fffff802d87d1eed nt!_C_specific_handler+0x86
04 ffffd000ccadf3d0 fffff802d8754125 nt!RtlpExecuteHandlerForException+0xd
05 ffffd000ccadf400 fffff802d87584de nt!RtlDispatchException+0x1a5
06 ffffd000ccadfad0 fffff802d87d65c2 nt!KiDispatchException+0x646
07 ffffd000ccae01c0 fffff802d87d4d14 nt!KiExceptionDispatch+0xc2
08 ffffd000ccae03a0 fffff801676ebc5d nt!KiPageFault+0x214
09 ffffd000ccae0530 fffff80167752744 Ntfs!NtfsDecodeFileObject+0x49
0a ffffd000ccae0570 fffff801677c2fee Ntfs!NtfsCommonSetEa+0x94
0b ffffd000ccae06e0 fffff801677c318a Ntfs!NtfsFsdDispatchSwitch+0x13e
0c ffffd000ccae0760 fffff8016750db1e Ntfs!NtfsFsdDispatchWait+0x47
0d ffffd000ccae09b0 fffff8016750c0c2 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
0e ffffd000ccae0a50 fffff802d8a60788 fltmgr!FltpDispatch+0xb2
0f ffffd000ccae0ab0 fffff802d8c59b3a nt!IopSynchronousServiceTail+0x170
10 ffffd000ccae0b80 fffff802d87d61b3 nt!NtSetEaFile+0x4ca
11 ffffd000ccae0c40 00007ffea401233a nt!KiSystemServiceCopyEnd+0x13
12 000000001a8be838 0000000000000000 0x00007ffe`a401233a

· Share on Facebook

Comments

  • rod_widdowsonrod_widdowson Member - All Emails Posts: 1,152

    This means NTFS doesn’t understand the file object it was given. It didn’t get it as an MJ_CREATE & it didn’t create it itself. Something (your filter?) has sent it to the wrong device or forgotten to swap in the correct file object in the (probably) EA path(s)

    That’s the usual reason anyways

    · Share on Facebook
  • stevezhougsstevezhougs Member Posts: 7

    There is also have another dmp

    Use !analyze -v to get detailed debugging information.

    BugCheck 24, {b500190645, ffffd001fb59e538, ffffd001fb59dd40, fffff800ab90aaef}

    Probably caused by : Ntfs.sys ( Ntfs!NtfsCommonSetInformation+8f )

    Followup: MachineOwner

    16: kd> !analyze -v

    • *
    • Bugcheck Analysis *
    • *

    NTFS_FILE_SYSTEM (24)
    If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
    parameters are the exception record and context record. Do a .cxr
    on the 3rd parameter and then kb to obtain a more informative stack
    trace.
    Arguments:
    Arg1: 000000b500190645
    Arg2: ffffd001fb59e538
    Arg3: ffffd001fb59dd40
    Arg4: fffff800ab90aaef

    Debugging Details:

    KEY_VALUES_STRING: 1

    STACKHASH_ANALYSIS: 1

    TIMELINE_ANALYSIS: 1

    DUMP_CLASS: 1

    DUMP_QUALIFIER: 401

    BUILD_VERSION_STRING: 9600.17415.amd64fre.winblue_r4.141028-1500

    SYSTEM_MANUFACTURER: VMware, Inc.

    VIRTUAL_MACHINE: VMware

    SYSTEM_PRODUCT_NAME: VMware Virtual Platform

    SYSTEM_VERSION: None

    BIOS_VENDOR: Phoenix Technologies LTD

    BIOS_VERSION: 6.00

    BIOS_DATE: 09/30/2014

    BASEBOARD_MANUFACTURER: Intel Corporation

    BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

    BASEBOARD_VERSION: None

    DUMP_TYPE: 1

    BUGCHECK_P1: b500190645

    BUGCHECK_P2: ffffd001fb59e538

    BUGCHECK_P3: ffffd001fb59dd40

    BUGCHECK_P4: fffff800ab90aaef

    EXCEPTION_RECORD: ffffd001fb59e538 -- (.exr 0xffffd001fb59e538)
    ExceptionAddress: fffff800ab90aaef (Ntfs!NtfsCommonSetInformation+0x000000000000008f)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 0000000000000000
    Parameter[1]: 000013c04243465e
    Attempt to read from address 000013c04243465e

    CONTEXT: ffffd001fb59dd40 -- (.cxr 0xffffd001fb59dd40)
    rax=ffffe800e4490a00 rbx=000000000000000d rcx=ffffe800e4b9d648
    rdx=000013c04243465a rsi=ffffe40187400000 rdi=ffffe800e43dfb98
    rip=fffff800ab90aaef rsp=ffffd001fb59e770 rbp=ffffd001fb59e900
    r8=0000000000000000 r9=0000000000000003 r10=0000000000000004
    r11=ffffd001fb59e848 r12=0000000000000001 r13=ffffe800e4b9d380
    r14=ffffe800e4b9d380 r15=ffffe40187400000
    iopl=0 nv up ei ng nz na po nc
    cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
    Ntfs!NtfsCommonSetInformation+0x8f:
    fffff800ab90aaef 8b4204 mov eax,dword ptr [rdx+4] ds:002b:000013c04243465e=????????
    Resetting default scope

    CPU_COUNT: 20

    CPU_MHZ: 6a2

    CPU_VENDOR: GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: f

    CPU_STEPPING: 1

    CPU_MICROCODE: 6,f,1,0 (F,M,S,R) SIG: 38'00000000 (cache) 38'00000000 (init)

    DEFAULT_BUCKET_ID: STRING_DEREFERENCE

    PROCESS_NAME: ArcSOC.exe

    CURRENT_IRQL: 0

    FOLLOWUP_IP:
    Ntfs!NtfsCommonSetInformation+8f
    fffff800`ab90aaef 8b4204 mov eax,dword ptr [rdx+4]

    FAULTING_IP:
    Ntfs!NtfsCommonSetInformation+8f
    fffff800`ab90aaef 8b4204 mov eax,dword ptr [rdx+4]

    BUGCHECK_STR: 0x24

    READ_ADDRESS: 000013c04243465e

    ERROR_CODE: (NTSTATUS) 0xc0000005 -

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 -

    EXCEPTION_CODE_STR: c0000005

    EXCEPTION_PARAMETER1: 0000000000000000

    EXCEPTION_PARAMETER2: 000013c04243465e

    ANALYSIS_SESSION_HOST: ZHOUGS-PC1

    ANALYSIS_SESSION_TIME: 09-10-2020 19:34:44.0806

    ANALYSIS_VERSION: 10.0.17763.132 amd64fre

    LAST_CONTROL_TRANSFER: from fffff800ab90d931 to fffff800ab90aaef

    STACK_TEXT:
    ffffd001fb59e770 fffff800ab90d931 : ffffe800e43dfb98 ffffe800e4b9d380 0000000000000000 ffffd001fb59e900 : Ntfs!NtfsCommonSetInformation+0x8f
    ffffd001fb59e850 fffff800aaf99b1e : ffffe800e4e568c0 ffffe800e4b9d380 ffffe800e43dfb98 ffffd001fb59e878 : Ntfs!NtfsFsdSetInformation+0xcd
    ffffd001fb59e8b0 fffff800aaf980c2 : ffffd001fb59e970 ffffe000b0ea0df0 0000000000000000 ffffe800e4b9d380 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
    ffffd001fb59e950 fffff801b38f2e8a : 000000000e20dfe0 ffffd001fb59ecc0 0000000000000000 0000000000000001 : fltmgr!FltpDispatch+0xb2
    ffffd001fb59e9b0 fffff801b39761b3 : fffff6fb7dbed000 fffff6fb7da00008 fffff6fb40001b28 fffff68000365700 : nt!NtSetInformationFile+0x85a
    ffffd001fb59ebd0 00007ffc5a2d0eba : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
    000000000e20dfa8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffc`5a2d0eba

    THREAD_SHA1_HASH_MOD_FUNC: 3d0ae8d610ef241f2cbb495902f493321604249b

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 8cdb328a82028dec043c89d8adf83b32488a99e4

    THREAD_SHA1_HASH_MOD: 946f3aafff33e30710cfc49199b33e153910fd85

    FAULT_INSTR_CODE: 4104428b

    SYMBOL_STACK_INDEX: 0

    SYMBOL_NAME: Ntfs!NtfsCommonSetInformation+8f

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: Ntfs

    IMAGE_NAME: Ntfs.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 54387b6b

    IMAGE_VERSION: 6.3.9600.17399

    STACK_COMMAND: .cxr 0xffffd001fb59dd40 ; kb

    BUCKET_ID_FUNC_OFFSET: 8f

    FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonSetInformation

    BUCKET_ID: 0x24_Ntfs!NtfsCommonSetInformation

    PRIMARY_PROBLEM_CLASS: 0x24_Ntfs!NtfsCommonSetInformation

    TARGET_TIME: 2020-09-09T01:53:51.000Z

    OSBUILD: 9600

    OSSERVICEPACK: 0

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK: 272

    PRODUCT_TYPE: 3

    OSPLATFORM_TYPE: x64

    OSNAME: Windows 8.1

    OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS

    OS_LOCALE:

    USER_LCID: 0

    OSBUILD_TIMESTAMP: 2014-10-29 08:38:48

    BUILDDATESTAMP_STR: 141028-1500

    BUILDLAB_STR: winblue_r4

    BUILDOSVER_STR: 6.3.9600.17415.amd64fre.winblue_r4.141028-1500

    ANALYSIS_SESSION_ELAPSED_TIME: 4b0

    ANALYSIS_SOURCE: KM

    FAILURE_ID_HASH_STRING: km:0x24_ntfs!ntfscommonsetinformation

    FAILURE_ID_HASH: {d88870db-85a5-faea-ad2f-07b3313627a1}

    Followup: MachineOwner

    16: kd> k
    # Child-SP RetAddr Call Site
    00 ffffd001fb59d3a8 fffff800ab84beec nt!KeBugCheckEx
    01 ffffd001fb59d3b0 fffff800ab8b4e84 Ntfs!NtfsExceptionFilter+0x1e8c0
    02 ffffd001fb59d570 fffff801b3959a96 Ntfs!NtfsFsdSetInformation$filt$0+0x15
    03 ffffd001fb59d5a0 fffff801b3971eed nt!_C_specific_handler+0x86
    04 ffffd001fb59d610 fffff801b38f4125 nt!RtlpExecuteHandlerForException+0xd
    05 ffffd001fb59d640 fffff801b38f84de nt!RtlDispatchException+0x1a5
    06 ffffd001fb59dd10 fffff801b39765c2 nt!KiDispatchException+0x646
    07 ffffd001fb59e400 fffff801b3974d14 nt!KiExceptionDispatch+0xc2
    08 ffffd001fb59e5e0 fffff800ab90aaef nt!KiPageFault+0x214
    09 ffffd001fb59e770 fffff800ab90d931 Ntfs!NtfsCommonSetInformation+0x8f
    0a ffffd001fb59e850 fffff800aaf99b1e Ntfs!NtfsFsdSetInformation+0xcd
    0b ffffd001fb59e8b0 fffff800aaf980c2 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
    0c ffffd001fb59e950 fffff801b38f2e8a fltmgr!FltpDispatch+0xb2
    0d ffffd001fb59e9b0 fffff801b39761b3 nt!NtSetInformationFile+0x85a
    0e ffffd001fb59ebd0 00007ffc5a2d0eba nt!KiSystemServiceCopyEnd+0x13
    0f 000000000e20dfa8 0000000000000000 0x00007ffc`5a2d0eba

    · Share on Facebook
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,343
    edited September 10

    If your are helping your neighbor fix their computer you should just reimage the machine. If this crash happens when a minifilter you are developing is loaded then you need to provide some actual information about what you’re trying to do.

    Post edited by Scott_Noone_(OSR) on

    -scott
    OSR

    · Share on Facebook
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register
Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Internals & Software Drivers 30 Nov 2020 LIVE ONLINE
Writing WDF Drivers 7 Dec 2020 LIVE ONLINE
Developing Minifilters Early 2021 LIVE ONLINE

Categories