Thanks for the reply. And,
Here it is. It says an access violation. but I can’t get much information out of this.
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
RDR_FILE_SYSTEM (27)
If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
exception record and context record. Do a .cxr on the 3rd parameter and then kb to
obtain a more informative stack trace.
The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
as follows:
RDBSS_BUG_CHECK_CACHESUP = 0xca550000,
RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000,
RDBSS_BUG_CHECK_CLOSE = 0xc10e0000,
RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000,
Arguments:
Arg1: 00000000baad0073
Arg2: ffffd000bc38c768
Arg3: ffffd000bc38bf70
Arg4: fffff8017970d938
Debugging Details:
EXCEPTION_RECORD: ffffd000bc38c768 – (.exr 0xffffd000bc38c768)
ExceptionAddress: fffff8017970d938 (rdbss!RxInitializeContext+0x000000000001f718)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000000000004d
Attempt to read from address 000000000000004d
CONTEXT: ffffd000bc38bf70 – (.cxr 0xffffd000bc38bf70;r)
rax=0000000000000000 rbx=ffffe000431e4010 rcx=fffff801796e23e0
rdx=0000000000000000 rsi=ffffe00041aa8f20 rdi=ffffcf814cfa2ed8
rip=fffff8017970d938 rsp=ffffd000bc38c9a0 rbp=ffffcf814cfa2dc0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff801796bd0d3 r12=ffffd000bc38cb20 r13=0000000000000000
r14=fffff801796e23e0 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
rdbss!RxInitializeContext+0x1f718:
fffff8017970d938 4438784d cmp byte ptr [rax+4Dh],r15b ds:002b:00000000
0000004d=??
Last set context:
rax=0000000000000000 rbx=ffffe000431e4010 rcx=fffff801796e23e0
rdx=0000000000000000 rsi=ffffe00041aa8f20 rdi=ffffcf814cfa2ed8
rip=fffff8017970d938 rsp=ffffd000bc38c9a0 rbp=ffffcf814cfa2dc0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff801796bd0d3 r12=ffffd000bc38cb20 r13=0000000000000000
r14=fffff801796e23e0 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
rdbss!RxInitializeContext+0x1f718:
fffff8017970d938 4438784d cmp byte ptr [rax+4Dh],r15b ds:002b:00000000
0000004d=??
Resetting default scope
PROCESS_NAME: WmiPrvSE.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000000000000004d
READ_ADDRESS: unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
000000000000004d
FOLLOWUP_IP:
rdbss!RxInitializeContext+1f718
fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b
FAULTING_IP:
rdbss!RxInitializeContext+1f718
fffff801`7970d938 4438784d cmp byte ptr [rax+4Dh],r15b
BUGCHECK_STR: 0x27
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
LAST_CONTROL_TRANSFER: from fffff801796bdb3f to fffff8017970d938
STACK_TEXT:
ffffd000bc38c9a0 fffff801
796bdb3f : ffffd000bc38cb20 ffffe000
42815030 ffffcf814cfa2dc0 ffffcf81
4cfa2ed8 : rdbss!RxInitializeContext+0x1f718
ffffd000bc38ca30 fffff801
796ee7df : ffffe000415fc100 ffffe000
415fc100 ffffcf814cfa2dc0 ffffe000
405971c8 : rdbss!RxFsdCommonDispatch+0x30f
ffffd000bc38cba0 fffff801
7a4431b3 : 0000000000000000 ffffe000
42815001 ffffcf814cfa2dc0 00000000
00000000 : rdbss!RxFsdDispatch+0xcf
ffffd000bc38cc10 fffff801
ace77911 : ffffcf814cfa2dc0 ffffe000
42815030 0000000000000002 ffffe000
413d01a0 : mrxsmb!MRxSmbFsdDispatch+0x83
ffffd000bc38cc50 fffff801
793c83cd : ffffe0004272b340 ffffcf81
4cfa2dc0 ffffe00041aa8f20 ffffe000
413d01a0 : nt!IovCallDriver+0x3cd
ffffd000bc38cca0 fffff801
ace77911 : ffffcf814cfa2f68 00000000
00000000 ffffc0016ea2b8c0 00000000
00000000 : mup!MupFsdIrpPassThrough+0x1ee
ffffd000bc38cd20 fffff801
78528989 : ffffcf814cfa2dc0 fffff801
78a02b1e fffff801ac922498 ffffe000
41e86d50 : nt!IovCallDriver+0x3cd
ffffd000bc38cd70 fffff801
78a02b1e : ffffcf814ce4ab80 ffffd000
bc38ce00 0000000000000000 ffffcf81
4ce3ed18 : VerifierExt!IofCallDriver_internal_wrapper+0x71
ffffd000bc38cdb0 fffff801
78a06188 : ffffd000bc38ce78 ffffcf81
4ce4ab80 ffffcf814ce4ac58 00000000
00000000 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2ce
ffffd000bc38ce50 fffff801
78a15551 : ffffcf814ce4ab80 00000000
00000000 0000000000000000 ffffd000
bc38d0c8 : fltmgr!FltPerformSynchronousIo+0x2b8
ffffd000bc38cf00 fffff801
78a150e9 : 0000000000000000 00000000
00000080 0000000000000005 ffffcf81
4ced8f80 : fltmgr!FltReadFileEx+0x451
ffffd000bc38cff0 fffff801
7a9e4150 : ffffcf814b29ac58 ffffcf81
4cf32bc0 0000000000000016 ffffd000
bc38d0f0 : fltmgr!FltReadFile+0x51
ffffd000bc38d060 fffff801
78a50aed : ffffcf814b29ac58 ffffd000
bc38d248 0000000000000000 00000000
00000000 : EncryptionFilter!SwapPostCreate+0x270 [c:\users\john\desktop\rms\src\encryption filter\swapbuffers.c @ 891]
ffffd000bc38d160 fffff801
78a039d7 : ffffcf8100000016 ffffcf81
00000000 0000000000000000 fffff801
00000000 : fltmgr!FltvPostOperation+0xad
ffffd000bc38d200 fffff801
78a0414d : ffffcf814b28cf00 fffff801
78527e00 0000000000000000 00000000
00000000 : fltmgr!FltpPerformPostCallbacks+0x2d7
ffffd000bc38d2d0 fffff801
78a02bc1 : ffffcf814b29ab80 ffffcf81
4b29ab98 ffffcf814b28cf68 ffffcf81
4b29ab80 : fltmgr!FltpPassThroughCompletionWorker+0x7d
ffffd000bc38d340 fffff801
78a2b349 : ffffd000bc38d420 ffffcf81
4b29ab80 ffffcf814b28cdc0 ffffe000
41a10a50 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x371
ffffd000bc38d3e0 fffff801
ace77911 : ffffcf814b28cd00 ffffcf81
4b28cdc0 ffffcf814b28cfb0 fffff801
ac88620d : fltmgr!FltpCreate+0x339
ffffd000bc38d490 fffff801
acbb9b41 : 0000000000000005 ffffd000
bc38d7e1 0000000000000000 ffffe000
41e8d990 : nt!IovCallDriver+0x3cd
ffffd000bc38d4e0 fffff801
acca7854 : 0000000000000000 00000000
00000000 0000000000000000 ffffe000
415fc0d0 : nt!IopParseDevice+0x6c1
ffffd000bc38d700 fffff801
acbc66a3 : 0000000000000000 ffffd000
bc38d8a8 0000000000000040 ffffe000
3f937b00 : nt!ObpLookupObjectName+0x784
ffffd000bc38d830 fffff801
acc59fdb : ffffe00000000001 ffffe000
42cbb978 0000000000000001 00000000
00000020 : nt!ObOpenObjectByName+0x1e3
ffffd000bc38d960 fffff801
acc59c64 : 0000002df8dadf48 0067006f
00100000 0000002df8dadf00 ffffe000
4208a080 : nt!IopCreateFile+0x36b
ffffd000bc38da00 fffff801
ac95d1b3 : ffffe000431e4440 ffffd000
bc38db80 ffffd000bc38daa8 00000000
00000000 : nt!NtCreateFile+0x78
ffffd000bc38da90 00007ffd
fc43172a : 00007ffde8cf23ac 00000000
00000004 0000002df6401b78 00000000
00000000 : nt!KiSystemServiceCopyEnd+0x13
0000002df8dade78 00007ffd
e8cf23ac : 0000000000000004 0000002d
f6401b78 0000000000000000 00000000
00000002 : ntdll!NtCreateFile+0xa
0000002df8dade80 00007ffd
e8cf139e : 96eb9e3e0eec0000 00000000
00000000 0000000000000000 00007ffd
f9812593 : perfnet!OpenRedirObject+0x90
0000002df8dadf40 00007ffd
f9df3f15 : 0000000000000000 00007ffd
00000000 0000000000000001 00000000
00000000 : perfnet!OpenNetSvcsObject+0x4e
0000002df8dadfa0 00007ffd
f9df3c55 : 000000002a7a0237 0000002d
f64018c0 0000002df7e22040 00000000
00000000 : advapi32!OpenExtObjectLibrary+0x271
0000002df8dae970 00007ffd
f9df20e9 : 00000000000e84a0 00000000
00000000 0000002d00000000 00000000
00000000 : advapi32!QueryExtensibleData+0x4a4
0000002df8daeb60 00007ffd
f9866841 : 00007ffde84d5640 00000000
00000000 00000000ffffffff 0000002d
f8daf140 : advapi32!PerfRegQueryValue+0x5dc
0000002df8daf010 00007ffd
f98140b9 : ffffffff80000004 0000002d
f7e22040 0000002df8daf2f0 0000002d
f8daf2e0 : KERNELBASE!LocalBaseRegQueryValue+0x3f6
0000002df8daf190 00007ffd
e8498b02 : ffffffff80000004 0000002d
f8daf2f0 0000002d00100000 0000002d
f8daf264 : KERNELBASE!RegQueryValueExW+0xe9
0000002df8daf230 00007ffd
e849736b : 0000002df637db50 00000000
00000000 0000002d00100000 00000000
0000022c : pdh!GetSystemPerfData+0x9c
0000002df8daf2d0 00007ffd
e84cf8f0 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000204 : pdh!GetMachineEx+0x1e3
0000002df8daf550 00007ffd
e84cb550 : 0000000000000001 00000000
00000000 0000000000000000 0000002d
f8daf698 : pdh!PdhiGetDefaultPerfObjectW+0x1d8
0000002df8daf5d0 00007ffd
e84f2786 : 0000002df6c48c70 00000000
00000000 0000000000000000 0000002d
f8daf698 : pdh!PdhGetDefaultPerfObjectW+0x110
0000002df8daf640 00007ffd
e84e5a19 : 0000000000000028 00000000
00000000 0000002df62ee6c0 0000002d
f636da08 : WmiPerfClass!GetDefaultCounterObject+0x2e
0000002df8daf690 00007ffd
e84e6736 : 0000002df6c42cb0 0000002d
f6b967b0 fffffffffffffffe 00000000
00000000 : WmiPerfClass!CClassCache::RefreshThreadUpdateSelectedProviders+0x3dd
0000002df8daf8a0 00007ffd
e84e4b11 : 0000002df62ee6c0 0000002d
f62ed5e0 0000002df8daf978 0000002d
f8daf978 : WmiPerfClass!CClassCache::RefreshThreadProviderObjectUpdate+0x132
0000002df8daf930 00007ffd
fb6313d2 : 0000002df62ee6c0 0000002d
00000001 0000000100000001 0000002d
f6b96870 : WmiPerfClass!CClassCache::RefreshThreadProc+0x475
0000002df8dafa00 00007ffd
fc3b5454 : 00007ffdfb6313b0 00000000
00000000 0000000000000000 00000000
00000000 : KERNEL32!BaseThreadInitThunk+0x22
0000002df8dafa30 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : ntdll!RtlUserThreadStart+0x34
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: rdbss!RxInitializeContext+1f718
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdbss
IMAGE_NAME: rdbss.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 52affb72
STACK_COMMAND: .cxr 0xffffd000bc38bf70 ; kb
BUCKET_ID_FUNC_OFFSET: 1f718
FAILURE_BUCKET_ID: 0x27_VRF_rdbss!RxInitializeContext
BUCKET_ID: 0x27_VRF_rdbss!RxInitializeContext
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x27_vrf_rdbss!rxinitializecontext
FAILURE_ID_HASH: {8fe43332-5f18-10da-ca8e-3c371694e6d4}
Followup: MachineOwner