bugcheck 0x27 RDR_FILE_SYSTEM

Malcolm_McCaffery Member - All Emails Posts: 9
Have seen this across an environment Win7/8.1/Win10. It is not high
frequency but does happen. Machines are running 64-bit OS with at
least 4-8GB RAM typically.

Now the WinDbg help file suggests:

One possible cause of this bug check is depletion of nonpaged pool
memory. If the nonpaged pool memory is completely depleted, this error
can stop the system. However, during the indexing process, if the
amount of available nonpaged pool memory is very low, another
kernel-mode driver requiring nonpaged pool memory can also trigger
this error.

From what I can see:

- nonpaged pool depletion doesn't seem to be a problem
- it does look like it is occurring during the indexing process
- a McAfee component is using the most nonpaged pool memory, but it is a
small amount (7MB)

Are there any further good diagnostic options for narrowing
down whether a 3rd party component is responsible before logging a case with
Microsoft?

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

RDR_FILE_SYSTEM (27)
If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
exception record and context record. Do a .cxr on the 3rd parameter and then kb to
obtain a more informative stack trace.
The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
as follows:
RDBSS_BUG_CHECK_CACHESUP = 0xca550000,
RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000,
RDBSS_BUG_CHECK_CLOSE = 0xc10e0000,
RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000,
Arguments:
Arg1: 00000000baad0073
Arg2: ffffd001ca1ab0f8
Arg3: ffffd001ca1aa910
Arg4: fffff801afbb75da

Debugging Details:
------------------

Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details
Page 800 not present in the dump file. Type ".hh dbgerr004" for details

DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 10586.633.amd64fre.th2_release.161004-1602
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 04/14/2014
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 1
BUGCHECK_P1: baad0073
BUGCHECK_P2: ffffd001ca1ab0f8
BUGCHECK_P3: ffffd001ca1aa910
BUGCHECK_P4: fffff801afbb75da

EXCEPTION_RECORD: ffffd001ca1ab0f8 -- (.exr 0xffffd001ca1ab0f8)
.exr 0xffffd001ca1ab0f8
ExceptionAddress: fffff801afbb75da (rdbss! ?? ::NNGAKEGL::`string'+0x000000000000743a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000070
Attempt to read from address 0000000000000070

CONTEXT: ffffd001ca1aa910 -- (.cxr 0xffffd001ca1aa910)
.cxr 0xffffd001ca1aa910
rax=ffffc000b8f3c010 rbx=ffffe001c5367cd0 rcx=ffffe001c4a844b0
rdx=0000000000000000 rsi=ffffe001c4a40270 rdi=ffffe001c62a9838
rip=fffff801afbb75da rsp=ffffd001ca1ab330 rbp=0000000000000000
r8=0000000000000003 r9=ffffd001ca1ad000 r10=ffffd001ca1abf18
r11=ffffd001ca1ab300 r12=0000000000000000 r13=ffffd001ca1abef0
r14=ffffe001c62a9690 r15=ffffe001c65407d0
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
rdbss! ?? ::NNGAKEGL::`string'+0x743a:
fffff801`afbb75da 48394a70 cmp qword ptr [rdx+70h],rcx ds:002b:00000000`00000070=????????????????
.cxr
Resetting default scope

CPU_COUNT: 1
CPU_MHZ: b54
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 25
CPU_STEPPING: 1
CPU_MICROCODE: 6,25,1,0 (F,M,S,R) SIG: 710'00000000 (cache) 710'00000000 (init)
PROCESS_NAME: SearchProtocolHost.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000000000070

FOLLOWUP_IP:
rdbss! ?? ::NNGAKEGL::`string'+743a
fffff801`afbb75da 48394a70 cmp qword ptr [rdx+70h],rcx

FAULTING_IP:
rdbss! ?? ::NNGAKEGL::`string'+743a
fffff801`afbb75da 48394a70 cmp qword ptr [rdx+70h],rcx

READ_ADDRESS: 0000000000000070

BUGCHECK_STR: 0x27

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

ANALYSIS_SESSION_HOST: LT704794

ANALYSIS_SESSION_TIME: 10-25-2016 09:56:37.0082

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER: from fffff801afb648aa to fffff801afbb75da

STACK_TEXT:
ffffd001`ca1ab330 fffff801`afb648aa : ffffd001`ca1abef0 ffffe001`c6c38300 ffffe001`c62a9690 ffffe001`c62a9690 : rdbss! ?? ::NNGAKEGL::`string'+0x743a
ffffd001`ca1ab3d0 fffff801`afba4a96 : fffff801`af4c7000 ffffe001`c49b0d20 00000000`c0000016 ffffe001`c49b0c90 : rdbss!RxFsdCommonDispatch+0x2ba
ffffd001`ca1ab540 fffff801`b0a46da5 : 00000000`00000000 fffff802`97a39001 00000000`00000000 fffff801`af4c7000 : rdbss!RxFsdDispatch+0x86
ffffd001`ca1ab590 fffff801`af4cdc6c : ffffe001`c49b0c90 ffffe001`c651eb50 ffffe001`c4a40270 ffffc000`b35be700 : mrxsmb!MRxSmbFsdDispatch+0x85
ffffd001`ca1ab5d0 fffff801`af4cc5fa : ffffc000`b35be700 ffffe001`c4455750 ffffe001`c4a40270 ffffe001`c62a9690 : mup!MupStateMachine+0x1dc
ffffd001`ca1ab640 fffff801`ae3f7895 : ffffe001`c67d8b80 00000000`00000000 ffffe001`c49b0c90 ffffe001`c62a9600 : mup!MupClose+0x8a
ffffd001`ca1ab6a0 fffff801`ae3f5816 : ffffe001`c56b9580 fffff802`97ada426 fffffd7f`fffeef01 ffffe001`c56b9640 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd001`ca1ab730 fffff801`ae3f5842 : ffffe001`c4875df0 ffffe001`c4875df0 00000000`00000000 00000000`00000001 : FLTMGR!FltpDispatch+0xb6
ffffd001`ca1ab790 fffff802`97ed7cdd : ffffe001`c4a40270 00000000`00000001 ffffe001`c62a9690 fffffa80`035ce8f0 : FLTMGR!FltpDispatch+0xe2
ffffd001`ca1ab7f0 fffff802`97eac958 : ffffc000`b6755890 00000000`00000000 ffffe001`c454ec60 00000000`00000000 : nt!IopDeleteFile+0x12d
ffffd001`ca1ab870 fffff802`97ad94a1 : 00000000`00000000 00000000`00000000 ffffc000`b6755890 ffffe001`c4a40270 : nt!ObpRemoveObjectRoutine+0x78
ffffd001`ca1ab8d0 fffff802`97e6c08f : 00000000`000800a9 ffffe001`c68678a0 ffffe001`00000000 ffffe001`74536d4d : nt!ObfDereferenceObject+0xa1
ffffd001`ca1ab910 fffff802`97b0f48a : ffffe001`c68678a0 ffffd001`ca1ab9d0 00000000`00000001 00000000`00000000 : nt!MiSegmentDelete+0x14b
ffffd001`ca1ab950 fffff802`97a51ae4 : ffffe001`c68678a0 ffffe001`c532fb00 00000000`00000000 00000000`00000000 : nt!MiCleanSection+0x4e
ffffd001`ca1ab9f0 fffff802`97a519b1 : ffffe001`c68678a0 ffffe001`c532fbc8 00000000`00000000 00000000`c6d440e8 : nt!MiAttemptSectionDelete+0x88
ffffd001`ca1aba50 fffff802`97a91835 : ffffe001`c65dacd0 00000000`00000000 ffffd001`ca1abb10 ffffe001`c4e1c010 : nt!MmFlushImageSection+0xc5
ffffd001`ca1aba90 fffff802`97a90c0a : ffffe001`c65dacd0 ffffe001`c65407d0 00000000`00000001 00000000`00000000 : nt!MiCanFileBeTruncatedInternal+0x149
ffffd001`ca1abad0 fffff801`afb9eba0 : 00000000`00000011 ffffe001`c65dacd0 ffffe001`c65407d0 00000000`00000000 : nt!MmCanFileBeTruncated+0x1e
ffffd001`ca1abb10 fffff801`afb9c561 : ffffc000`b8f3c010 00000000`00000000 ffffc000`b8f3c010 00000000`00000000 : rdbss!_RxAcquireFcb+0x370
ffffd001`ca1abb90 fffff801`afb9bc01 : ffffe001`c65dacd0 fffff801`afb62b00 ffffd001`ca1abdc0 ffffd001`ca1abca8 : rdbss!RxFindOrCreateFcb+0x1c1
ffffd001`ca1abc50 fffff801`afba448e : ffffe001`c6540930 ffffe001`c6540704 ffffe001`c6540930 00000000`00000005 : rdbss!RxCreateFromNetRoot+0x111
ffffd001`ca1abd60 fffff801`afb64b65 : ffffe001`c6540930 ffffe001`c65dacd0 ffffd001`ca1ac001 ffffe001`c65407d0 : rdbss!RxCommonCreate+0x12e
ffffd001`ca1abe00 fffff801`afba4a96 : ffffe001`c6540978 00000000`00000000 ffffe001`c6632e70 ffffc000`b34f4c50 : rdbss!RxFsdCommonDispatch+0x575
ffffd001`ca1abf70 fffff801`b0a46da5 : 00000000`00000000 fffff802`00000030 00000000`00000000 00000000`00000000 : rdbss!RxFsdDispatch+0x86
ffffd001`ca1abfc0 fffff801`afcc2848 : ffffc000`b6593ab0 ffffd001`ca1ac0b9 ffffe001`c65407d0 ffffe001`c5d7d1f0 : mrxsmb!MRxSmbFsdDispatch+0x85
ffffd001`ca1ac000 fffff801`afcbf89c : 00000000`00000000 ffffc000`b3ed5b30 ffffc000`b8400c08 00000000`00000000 : dfsc!DfscCmDataAccessState+0x4f8
ffffd001`ca1ac120 fffff801`afcbf750 : ffffe001`c4f1e4b0 ffffe001`c4f1e400 ffffc000`b6593ab0 00000000`00000000 : dfsc!DfscSurrogateCreate+0xcc
ffffd001`ca1ac1c0 fffff801`af4cefe2 : ffffe001`c4f1e420 ffffe001`00000000 00000000`00000000 ffffe001`c6480c80 : dfsc!DfscSurrogatePreProcess+0x40
ffffd001`ca1ac1f0 fffff801`af4ce48d : 00000000`00000000 ffffe001`c4f1e370 00000000`00000000 ffffe001`c6632e70 : mup!MupCallSurrogatePrePost+0x122
ffffd001`ca1ac250 fffff801`ae3f7895 : 00000000`00000280 00000000`00000800 ffffd001`00000008 ffffe001`00000000 : mup!MupCreate+0x6dd
ffffd001`ca1ac350 fffff801`ae4262d7 : ffffe001`c57b03e0 fffff802`97ebfa1e ffffe001`00000001 00000000`00000158 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x1a5
ffffd001`ca1ac3e0 fffff801`ae4263fc : ffffe001`00000000 ffffe001`c49c3010 ffffd001`ca1ac558 fffff801`ae425d5d : FLTMGR!FltpCreate+0x347
ffffd001`ca1ac490 fffff802`97ece208 : 00000000`00000000 00000000`00000045 00000000`00000000 00000000`00000001 : FLTMGR!FltpCreate+0x46c
ffffd001`ca1ac540 fffff802`97ec8042 : fffff802`97a18000 fffff802`97a18000 00000000`00000001 fffff802`97ecda40 : nt!IopParseDevice+0x7c8
ffffd001`ca1ac710 fffff802`97ec92ec : ffffe001`c7bb6000 ffffd001`ca1ac900 00000000`00000040 ffffe001`c454ec60 : nt!ObpLookupObjectName+0x992
ffffd001`ca1ac890 fffff802`97e5aac0 : de200000`00000001 00000000`00000028 00007ffc`c021a930 00000000`000000c0 : nt!ObOpenObjectByNameEx+0x1ec
ffffd001`ca1ac9b0 fffff802`97b651a3 : ffffe001`c67d4080 00000000`00000000 ffffe001`c67d4080 ffffe001`c4882840 : nt!NtQueryAttributesFile+0x180
ffffd001`ca1acc40 00007ffc`c38d5884 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
000000ee`6d9f7f38 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffc`c38d5884


THREAD_SHA1_HASH_MOD_FUNC: 6ccf7f0032c363ae95946da86f9d9a93dd1534c2
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 955828257a28d548159fb27bc7fae975983d6a7f
THREAD_SHA1_HASH_MOD: c6a24480004c19b0ef4a5ea81d666ddc6f25d42b
FAULT_INSTR_CODE: 704a3948
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: rdbss! ?? ::NNGAKEGL::`string'+743a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdbss
IMAGE_NAME: rdbss.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57f47ad1
STACK_COMMAND: .cxr 0xffffd001ca1aa910 ; kb
BUCKET_ID_FUNC_OFFSET: 743a
FAILURE_BUCKET_ID: 0x27_rdbss!_??_::NNGAKEGL::_string_
BUCKET_ID: 0x27_rdbss!_??_::NNGAKEGL::_string_
PRIMARY_PROBLEM_CLASS: 0x27_rdbss!_??_::NNGAKEGL::_string_
TARGET_TIME: 2016-10-24T01:32:22.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-10-05 14:18:01
BUILDDATESTAMP_STR: 161004-1602
BUILDLAB_STR: th2_release
BUILDOSVER_STR: 10.0.10586.633.amd64fre.th2_release.161004-1602
ANALYSIS_SESSION_ELAPSED_TIME: cff6
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x27_rdbss!_??_::nngakegl::_string_
FAILURE_ID_HASH: {4bde0109-c32e-d142-951b-e577b6c3653b}

Followup: MachineOwner
---------

kd> !vm
Page File: \??\C:\pagefile.sys
Current: 720896 Kb Free Space: 700408 Kb
Minimum: 720896 Kb Maximum: 9037948 Kb
Page File: \??\C:\swapfile.sys
Current: 262144 Kb Free Space: 262136 Kb
Minimum: 262144 Kb Maximum: 6290764 Kb
No Name for Paging File
Current: 13231792 Kb Free Space: 13109276 Kb
Minimum: 13231792 Kb Maximum: 13231792 Kb

Physical Memory: 1048461 ( 4193844 Kb)
Available Pages: 718050 ( 2872200 Kb)
ResAvail Pages: 986450 ( 3945800 Kb)
Locked IO Pages: 0 ( 0 Kb)
Free System PTEs: 4294984306 (17179937224 Kb)
Modified Pages: 13251 ( 53004 Kb)
Modified PF Pages: 13184 ( 52736 Kb)
Modified No Write Pages: 0 ( 0 Kb)
NonPagedPool Usage: 232 ( 928 Kb)
NonPagedPoolNx Usage: 17541 ( 70164 Kb)
NonPagedPool Max: 4294967296 (17179869184 Kb)
PagedPool 0 Usage: 39290 ( 157160 Kb)
PagedPool 1 Usage: 6721 ( 26884 Kb)
PagedPool 2 Usage: 2362 ( 9448 Kb)
PagedPool 3 Usage: 2342 ( 9368 Kb)
PagedPool 4 Usage: 2455 ( 9820 Kb)
PagedPool Usage: 53170 ( 212680 Kb)
PagedPool Maximum: 4160749568 (16642998272 Kb)
Session Commit: 2864 ( 11456 Kb)
Shared Commit: 19037 ( 76148 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 8473 ( 33892 Kb)
Pages For MDLs: 484 ( 1936 Kb)
Pages For AWE: 0 ( 0 Kb)
NonPagedPool Commit: 16930 ( 67720 Kb)
PagedPool Commit: 53170 ( 212680 Kb)
Driver Commit: 9077 ( 36308 Kb)
Boot Commit: 13371 ( 53484 Kb)
System PageTables: 508 ( 2032 Kb)
VAD/PageTable Bitmaps: 6071 ( 24284 Kb)
ProcessLockedFilePages: 0 ( 0 Kb)
Pagefile Hash Pages: 41 ( 164 Kb)
Sum System Commit: 130026 ( 520104 Kb)
Total Private: 211024 ( 844096 Kb)
Misc/Transient Commit: 1911 ( 7644 Kb)
Committed pages: 342961 ( 1371844 Kb)
Commit limit: 1228685 ( 4914740 Kb)

Pid ImageName Commit SharedCommit Debt

9ec mcshield.exe 125076 Kb 6100 Kb 0 Kb
1d8 svchost.exe 53104 Kb 6100 Kb 0 Kb
618 PwdMgmtProxy.e 48004 Kb 6324 Kb 0 Kb
1434 SearchUI.exe 37844 Kb 8788 Kb 0 Kb
15c svchost.exe 32740 Kb 11340 Kb 0 Kb
624 OfficeClickToR 30268 Kb 6108 Kb 0 Kb
880 SearchIndexer. 30128 Kb 6968 Kb 0 Kb
234 SelfService.ex 27608 Kb 3148 Kb 0 Kb
17a0 CcmExec.exe 24604 Kb 14504 Kb 0 Kb
53c explorer.exe 22648 Kb 12244 Kb 0 Kb
169c OTEditTray.exe 21652 Kb 3316 Kb 0 Kb
12d8 SCNotification 19696 Kb 3112 Kb 0 Kb
3b4 svchost.exe 18484 Kb 5984 Kb 0 Kb
62c FireSvc.exe 18120 Kb 6048 Kb 0 Kb
1390 ShellExperienc 15720 Kb 4960 Kb 0 Kb
16e0 dwm.exe 14400 Kb 14520 Kb 0 Kb
3d0 svchost.exe 13972 Kb 5980 Kb 0 Kb
16e8 WmiPrvSE.exe 12500 Kb 6412 Kb 0 Kb
1128 SelfServicePlu 11468 Kb 7180 Kb 0 Kb
6d8 MADService.exe 10788 Kb 6020 Kb 0 Kb
428 IdentityAgent. 10084 Kb 7136 Kb 0 Kb
278 services.exe 9840 Kb 4784 Kb 0 Kb
bc4 svchost.exe 9472 Kb 6100 Kb 0 Kb
3ac svchost.exe 9296 Kb 6112 Kb 0 Kb
b4c concentr.exe 8972 Kb 7212 Kb 0 Kb
50c ucsync.exe 8836 Kb 3088 Kb 0 Kb
e10 WmiPrvSE.exe 8776 Kb 6244 Kb 0 Kb
634 HipMgmt.exe 8496 Kb 6060 Kb 0 Kb
2c0 svchost.exe 7520 Kb 6320 Kb 0 Kb
3d8 svchost.exe 7500 Kb 5984 Kb 0 Kb
608 svchost.exe 6848 Kb 6224 Kb 0 Kb
1728 Receiver.exe 6692 Kb 7280 Kb 0 Kb
c18 macompatsvc.ex 6452 Kb 6160 Kb 0 Kb
280 lsass.exe 6404 Kb 4464 Kb 0 Kb
560 spoolsv.exe 6396 Kb 6032 Kb 0 Kb
674 RuntimeBroker. 6240 Kb 6724 Kb 0 Kb
12fc msoia.exe 6148 Kb 7096 Kb 0 Kb
11fc mctray.exe 6112 Kb 6204 Kb 0 Kb
914 mfeann.exe 5888 Kb 6136 Kb 0 Kb
69c macmnsvc.exe 5596 Kb 6092 Kb 0 Kb
2f0 svchost.exe 5308 Kb 6032 Kb 0 Kb
1704 OneDrive.exe 5156 Kb 7144 Kb 0 Kb
758 svchost.exe 5088 Kb 6332 Kb 0 Kb
970 wfcrun32.exe 4708 Kb 3160 Kb 0 Kb
714 VsTskMgr.exe 4548 Kb 6040 Kb 0 Kb
688 masvc.exe 4392 Kb 6160 Kb 0 Kb
10f4 WmiPrvSE.exe 3932 Kb 14384 Kb 0 Kb
165c WmiPrvSE.exe 3908 Kb 6016 Kb 0 Kb
7b4 mfevtps.exe 3784 Kb 6008 Kb 0 Kb
f4c CmRcService.ex 3752 Kb 6016 Kb 0 Kb
1674 sihost.exe 3632 Kb 2836 Kb 0 Kb
16a8 dllhost.exe 3612 Kb 2636 Kb 0 Kb
1ae8 SearchFilterHo 3348 Kb 1932 Kb 0 Kb
18a0 shstat.exe 3336 Kb 3588 Kb 0 Kb
189c UpdaterUI.exe 2820 Kb 7176 Kb 0 Kb
13b8 SearchProtocol 2640 Kb 6476 Kb 0 Kb
1630 WmiPrvSE.exe 2500 Kb 2032 Kb 0 Kb
6ac mfevtps.exe 2484 Kb 6008 Kb 0 Kb
1588 mobsync.exe 2464 Kb 7124 Kb 0 Kb
908 mfefire.exe 2388 Kb 6020 Kb 0 Kb
d10 SearchProtocol 2364 Kb 6476 Kb 0 Kb
1780 WmiPrvSE.exe 2244 Kb 1932 Kb 0 Kb
144 svchost.exe 2136 Kb 5976 Kb 0 Kb
d0c taskhostw.exe 2068 Kb 7096 Kb 0 Kb
1310 winlogon.exe 1896 Kb 4772 Kb 0 Kb
1aec SearchProtocol 1852 Kb 6152 Kb 0 Kb
6b4 mfemms.exe 1852 Kb 6008 Kb 0 Kb
1d4 ssonsvr.exe 1736 Kb 3040 Kb 0 Kb
1b80 redirector.exe 1712 Kb 3032 Kb 0 Kb
2fc WUDFHost.exe 1584 Kb 1928 Kb 0 Kb
9d4 svchost.exe 1564 Kb 332 Kb 0 Kb
1c0 csrss.exe 1348 Kb 10112 Kb 0 Kb
928 conhost.exe 1256 Kb 1944 Kb 0 Kb
700 csrss.exe 1232 Kb 13084 Kb 0 Kb
5d0 armsvc.exe 1216 Kb 1944 Kb 0 Kb
12b0 reader_sl.exe 1212 Kb 3016 Kb 0 Kb
208 wininit.exe 1052 Kb 1900 Kb 0 Kb
fb4 userinit.exe 908 Kb 6312 Kb 0 Kb
110 smss.exe 388 Kb 228 Kb 0 Kb
4 System 284 Kb 204 Kb 0 Kb
1494 SkypeHost.exe 0 Kb 0 Kb 0 Kb
13ec MsPwdRegistrat 0 Kb 0 Kb 0 Kb
119c gpscript.exe 0 Kb 0 Kb 0 Kb
e04 explorer.exe 0 Kb 0 Kb 0 Kb
c6c sihost.exe 0 Kb 0 Kb 0 Kb
b3c smss.exe 0 Kb 0 Kb 0 Kb
9cc FireTray.exe 0 Kb 0 Kb 0 Kb
374 runonce.exe 0 Kb 0 Kb 0 Kb
248 winlogon.exe 0 Kb 0 Kb 0 Kb
1a4 MsPwdRegistrat 0 Kb 0 Kb 0 Kb
kd> !poolused /t 10 2
.
Sorting by NonPaged Pool Consumed

NonPaged Paged
Tag Allocs Used Allocs Used

MFEm 37 7346608 0 0 McAfee Anti-Virus File System Filter Driver
EtwB 71 5689376 5 143360 Etw Buffer , Binary: nt!etw
MFE0 41084 4203104 0 0 Multiple McAfee Drivers
File 9275 3395120 0 0 File objects
VM3D 10 3163168 1 64 Volume Manager , Binary: volmgr.sys
Thre 1368 2903488 0 0 Thread objects , Binary: nt!ps
FMsl 13291 2551872 0 0 STREAM_LIST_CTRL structure , Binary: fltmgr.sys
Ntfx 7314 2476016 0 0 General Allocation , Binary: ntfs.sys
ConT 260 2338816 0 0 UNKNOWN pooltag 'ConT', please update pooltag.txt
MmPb 3 1789952 0 0 Paging file bitmaps , Binary: nt!mm
MmCa 5433 1772416 0 0 Mm control areas for mapped files , Binary: nt!mm
Pool 8 1721920 0 0 Pool tables, etc.
EtwR 6764 1487584 0 0 Etw Registration , Binary: nt!etw
Even 10735 1380128 0 0 Event objects
MmCi 2314 1299728 0 0 Mm control areas for images , Binary: nt!mm
Vad 8042 1286720 0 0 Mm virtual address descriptors , Binary: nt!mm

TOTAL 193640 70439632 197400 213654496
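
Added example, not part of the original post and not OSR or Microsoft code: a Python triage helper that applies the Arg1 decoding rule from the `!analyze -v` text above and tests the nonpaged-pool-depletion hypothesis against the `!vm` figures. The function name `triage`, the 64 KB NULL-page cutoff and the 90% `depleted_at` threshold are assumptions of this example; the sample lines are copied from the post.

```python
import re

# RDBSS bugcheck classes exactly as listed in the !analyze -v text above.
RDBSS_CODES = {0xCA55: "RDBSS_BUG_CHECK_CACHESUP", 0xC1EE: "RDBSS_BUG_CHECK_CLEANUP",
               0xC10E: "RDBSS_BUG_CHECK_CLOSE", 0xBAAD: "RDBSS_BUG_CHECK_NTEXCEPT"}

# Lines copied from the debugger output quoted in the post (trimmed excerpt).
SAMPLE = """\
Arg1: 00000000baad0073
Arg2: ffffd001ca1ab0f8
Arg3: ffffd001ca1aa910
ExceptionCode: c0000005 (Access violation)
Attempt to read from address 0000000000000070
Physical Memory: 1048461 ( 4193844 Kb)
NonPagedPool Usage: 232 ( 928 Kb)
NonPagedPoolNx Usage: 17541 ( 70164 Kb)
NonPagedPool Max: 4294967296 (17179869184 Kb)
"""

def _hex(label, text):
    """Return the hex value that follows `label` at the start of a line."""
    m = re.search(rf"^\s*{re.escape(label)}:?\s+([0-9a-fA-F]+)", text, re.M)
    return int(m.group(1), 16) if m else None

def _kb(label, text):
    """Return the 'Kb' figure of a !vm line such as 'X: 232 ( 928 Kb)'."""
    m = re.search(rf"^\s*{re.escape(label)}:\s+\d+\s+\(\s*(\d+) Kb\)", text, re.M)
    return int(m.group(1)) if m else 0

def triage(text, depleted_at=0.90):  # depleted_at: assumed alert threshold
    arg1, arg2, arg3 = (_hex(f"Arg{i}", text) for i in (1, 2, 3))
    if arg1 is None:
        raise ValueError("no 'Arg1:' line; is this !analyze -v output?")
    # High 16 bits of Arg1 select the RDBSS class; the low word is reported raw.
    cls = RDBSS_CODES.get((arg1 >> 16) & 0xFFFF, "unknown")
    code = _hex("ExceptionCode", text)
    addr = _hex("Attempt to read from address", text)
    # For NTEXCEPT, Arg2/Arg3 are used as exception and context records,
    # the same way !analyze resolves them in the post.
    followup = []
    if cls == "RDBSS_BUG_CHECK_NTEXCEPT" and None not in (arg2, arg3):
        followup = [f".exr 0x{arg2:x}", f".cxr 0x{arg3:x} ; kb"]
    # Assumption: an access violation below 64 KB is a field read through a
    # NULL pointer, so the address is the offset of the field touched.
    null_off = addr if code == 0xC0000005 and addr is not None and addr < 0x10000 else None
    # Nonpaged pool is resident, so bound it by RAM as well as by the pool max.
    used = _kb("NonPagedPool Usage", text) + _kb("NonPagedPoolNx Usage", text)
    limits = [v for v in (_kb("NonPagedPool Max", text), _kb("Physical Memory", text)) if v]
    frac = used / min(limits) if limits else None
    return {"rdbss_class": cls, "low_word": arg1 & 0xFFFF, "followup": followup,
            "null_deref_offset": null_off, "nonpaged_kb": used,
            "nonpaged_fraction": frac,
            "pool_depleted": frac is not None and frac >= depleted_at}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run over each dump's saved debugger log, the resulting dictionary gives one comparable record per crash, which helps when bucketing low-frequency crashes across many machines.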

Comments

  • Tim_Roberts Member - All Emails Posts: 13,571
    Malcolm McCaffery wrote:
    > Have seen this across an environment Win7/8.1/Win10. It is not high
    > frequency but does happen. Machines are running 64-bit OS with at
    > least 4-8GB ram typically.
    > ...
    > Is there any further good diagnostic options for further narrowing
    > down if a 3rd party component is responsible before logging case with
    > Microsoft?

    Are these machines you control? Have you tried killing McAfee
    altogether to see whether the problem goes away?

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.


  • Malcolm_McCaffery Member - All Emails Posts: 9
    Yes, we have a machine with McAfee removed to see if it eliminates the issue, but
    because it only happens about once a week it might be some time for it to
    reoccur. McAfee 8.8 Update 1 was known to cause this issue but is supposed
    to be fixed in this latest version we're using.

    In the old version, when McAfee caused the 0x27 BSOD we saw the McAfee driver in
    the stack trace; this time we don't, though.

    Thanks
    Malcolm

    On Wednesday, October 26, 2016, Tim Roberts wrote:

    > Malcolm McCaffery wrote:
    > > Have seen this across an environment Win7/8.1/Win10. It is not high
    > > frequency but does happen. Machines are running 64-bit OS with at
    > > least 4-8GB ram typically.
    > > ...
    > > Is there any further good diagnostic options for further narrowing
    > > down if a 3rd party component is responsible before logging case with
    > > Microsoft?
    >
    > Are these machines you control? Have you tried killing McAfee
    > altogether to see whether the problem goes away?
    >
    > --
    > Tim Roberts, [email protected]
    > Providenza & Boekelheide, Inc.