Hi Rod,
Can you please help to elaborate upon Mismatched FltGet***Context/FltReleaseContext
in this particular context.
Thanks a lot!
Pooja
Hi Rod,
Can you please help to elaborate upon Mismatched FltGet***Context/FltReleaseContext
in this particular context.
Thanks a lot!
Pooja
Well I would guess from the stack that the crash happens when the filter manager tries to disconnect the contexts from the file objects as a result of a dismount. It has gone through the contexts it has and it has tried to dereference each one. Only it has tripped over some memory that you have already freed. This could either be a FilterManager Context or it could be something you have thrown into FileObject->FsContext (somewhere in the FSRTL_ADVANCED_FCB_HEADER), or it could be both - I have no idea of your architecture. The address might give you a clue, as might he code at the point of failure.
You obviously have a referenced structure and it equally obviously is being freed before everything is done with it - so you are probably either missing reference/dereference pair or you have a dereference which is missing its matching reference.
The Get/Release context reference was because the most commont reference/dereference opertations are the ones that the minifilter does for you to handle context (File/Stream/Volume/Instance/StreamHandle) lifetimes.
Hi Rod,
To relate to your post, my minifilter driver architecture is based upon shadow file object design, where I have set fileobject->FScontext to my own created FCB.
Now, in test operation, before dismount, IRP_MJ_CLOSE has happened for one of file on same volume to be dismounted.
And in that Close operation handling , we have freed my own created fcb structure(This is the one which has been freed up in callstack of !verifier 80 ffffcf8070f7cbe0 )
Now in dismount operation,after ContextCleanup call back has completed , bugcheck happens creeping for above address in ltmgr!FltpDeleteAllFileListCtrls+0x9e98
So, I am trying to relate what is actually happening in FltpDeleteAllFileListCtrls operation for my fcb related structure…
I hope, it makes sense.
Thanks a lot!
So, I am trying to relate what is actually happening in FltpDeleteAllFileListCtrls operation for my fcb related structure…
You’ll have to determine that but it will be one of four things
YourFcb->AdvHeader.FilterContexts
to remove all the stream contexts that other filters have attached*YourFcb->AdvHeader.FileContextSupport
to remove all the file contexts that other filters have attached.You’ll need to determine which yourself - you have all the information you need.
Hi Rod,
Thank you so much for your prompt responses.
To relate to your suggestions,in driver, to initialize advancedFCBHeader,there is a call to FsRtlSetupAdvancedHeaderEx(1stParam,2ndParam,&fcb->FileCtxSupportPointer)
And as per FsRtlSetupAdvancedHeaderEx() code in Ntifs.h ,
(_advhdr)->FileContextSupportPointer = &fcb->FileCtxSupportPointer;
and localAdvHdr->Flags2 |= FSRTL_FLAG2_SUPPORTS_FILTER_CONTEXTS;
which means, we do support PerStreamContext and PerFileContext.
In IRP_MJ_Close callback , we have called FsRtlTeardownPerStreamContexts(AdvacncedFCBHeader) to teardown streamcontext.
Should we call FsRtlTeardownPerFileContexts() to teardown filecontexts as well??
Thanks a lot!
Hey, guess what the documentation for FsRtlTeardownPerFileContexts
had disappeared alongside nearly every other useful IFS api. That’s two weeks and counting. If anyone would like to add their distress at this breakage to the case it might be useful.
Anyway to the case in point - that sounds like a good plan. Without the documentation I cannot be sure…
Gotta love that! Though it does appear to still be present on the Korean(?) version of the help docs.
Pete
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
To follow up you can get an a approximation of the document here. It looks like this is required during IRP_MJ_CLOSE handling (or during final deref)
BSOD details:
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.
BUGCHECK_P1: ffffcf8080a90be0
BUGCHECK_P2: 0
BUGCHECK_P3: fffff800365ba96c
BUGCHECK_P4: 0
READ_ADDRESS: ffffcf8080a90be0 Special pool
FAULTING_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xCC
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_VERSION: 10.0.17763.1 amd64fre
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
FOLLOWUP_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
FAULT_INSTR_CODE: 48018b48
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 0
FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext
0: kd> !fltkd.volumes
Volume List: ffffcf80702629b0 “Frame 0”
FLT_VOLUME: ffffcf80702aa800 “\Device\Mup”
FLT_INSTANCE: ffffcf8076bbc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80702f8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807364ed90 “CCFFilter” “261160”
FLT_INSTANCE: ffffcf80702606c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf807038a7f0 “\Device\HarddiskVolume2”
FLT_INSTANCE: ffffcf807193cc30 “CsvNSFlt Instance” “404900”
FLT_INSTANCE: ffffcf807f12c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070876c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf80709fe6c0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffcf80719984c0 “luafv” “135000”
FLT_VOLUME: ffffcf807073e7f0 “\Device\HarddiskVolume3”
FLT_INSTANCE: ffffcf807f13a6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80707c2c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807077e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80707bc7f0 “\Device\NamedPipe”
FLT_INSTANCE: ffffcf807076cd30 “npsvctrig” “46000”
FLT_VOLUME: ffffcf807070a7f0 “\Device\Mailslot”
FLT_VOLUME: ffffcf80707d47f0 “\Device\HarddiskVolume4”
FLT_INSTANCE: ffffcf807cbcc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807066e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80706787f0 “\Device\HarddiskVolume5”
FLT_INSTANCE: ffffcf807f1386a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a306c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070b9a7f0 “\Device\HarddiskVolume1”
FLT_INSTANCE: ffffcf807e92c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070be8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b466c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070ae67f0 “\Device\HarddiskVolume6”
FLT_INSTANCE: ffffcf807e84e6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a48c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070a246c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070a4e7f0 “\Device\HarddiskVolume7”
FLT_INSTANCE: ffffcf807deb26a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070aeec30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b5c6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf808068e7f0 “\Device\HarddiskVolume61”
FLT_INSTANCE: ffffcf80806e06a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807e29ac30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8081748b40 “ResumeKeyFilter” “202000”
FLT_INSTANCE: ffffcf80816a26c0 “Sfntpffd Instance” “144200”
** FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64”**
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.
BUGCHECK_P1: ffffcf8080a90be0
BUGCHECK_P2: 0
BUGCHECK_P3: fffff800365ba96c
BUGCHECK_P4: 0
READ_ADDRESS: ffffcf8080a90be0 Special pool
FAULTING_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xCC
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_VERSION: 10.0.17763.1 amd64fre
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
FOLLOWUP_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
FAULT_INSTR_CODE: 48018b48
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 0
FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext
0: kd> !fltkd.volumes
Volume List: ffffcf80702629b0 “Frame 0”
FLT_VOLUME: ffffcf80702aa800 “\Device\Mup”
FLT_INSTANCE: ffffcf8076bbc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80702f8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807364ed90 “CCFFilter” “261160”
FLT_INSTANCE: ffffcf80702606c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf807038a7f0 “\Device\HarddiskVolume2”
FLT_INSTANCE: ffffcf807193cc30 “CsvNSFlt Instance” “404900”
FLT_INSTANCE: ffffcf807f12c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070876c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf80709fe6c0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffcf80719984c0 “luafv” “135000”
FLT_VOLUME: ffffcf807073e7f0 “\Device\HarddiskVolume3”
FLT_INSTANCE: ffffcf807f13a6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80707c2c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807077e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80707bc7f0 “\Device\NamedPipe”
FLT_INSTANCE: ffffcf807076cd30 “npsvctrig” “46000”
FLT_VOLUME: ffffcf807070a7f0 “\Device\Mailslot”
FLT_VOLUME: ffffcf80707d47f0 “\Device\HarddiskVolume4”
FLT_INSTANCE: ffffcf807cbcc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807066e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80706787f0 “\Device\HarddiskVolume5”
FLT_INSTANCE: ffffcf807f1386a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a306c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070b9a7f0 “\Device\HarddiskVolume1”
FLT_INSTANCE: ffffcf807e92c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070be8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b466c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070ae67f0 “\Device\HarddiskVolume6”
FLT_INSTANCE: ffffcf807e84e6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a48c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070a246c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070a4e7f0 “\Device\HarddiskVolume7”
FLT_INSTANCE: ffffcf807deb26a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070aeec30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b5c6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf808068e7f0 “\Device\HarddiskVolume61”
FLT_INSTANCE: ffffcf80806e06a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807e29ac30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8081748b40 “ResumeKeyFilter” “202000”
FLT_INSTANCE: ffffcf80816a26c0 “Sfntpffd Instance” “144200”
** FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64”**
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
0: kd> !fltkd.volumes
Volume List: ffffcf80702629b0 “Frame 0”
FLT_VOLUME: ffffcf80702aa800 “\Device\Mup”
FLT_INSTANCE: ffffcf8076bbc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80702f8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807364ed90 “CCFFilter” “261160”
FLT_INSTANCE: ffffcf80702606c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf807038a7f0 “\Device\HarddiskVolume2”
FLT_INSTANCE: ffffcf807193cc30 “CsvNSFlt Instance” “404900”
FLT_INSTANCE: ffffcf807f12c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070876c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf80709fe6c0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffcf80719984c0 “luafv” “135000”
FLT_VOLUME: ffffcf807073e7f0 “\Device\HarddiskVolume3”
FLT_INSTANCE: ffffcf807f13a6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80707c2c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807077e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80707bc7f0 “\Device\NamedPipe”
FLT_INSTANCE: ffffcf807076cd30 “npsvctrig” “46000”
FLT_VOLUME: ffffcf807070a7f0 “\Device\Mailslot”
FLT_VOLUME: ffffcf80707d47f0 “\Device\HarddiskVolume4”
FLT_INSTANCE: ffffcf807cbcc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807066e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80706787f0 “\Device\HarddiskVolume5”
FLT_INSTANCE: ffffcf807f1386a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a306c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070b9a7f0 “\Device\HarddiskVolume1”
FLT_INSTANCE: ffffcf807e92c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070be8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b466c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070ae67f0 “\Device\HarddiskVolume6”
FLT_INSTANCE: ffffcf807e84e6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a48c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070a246c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070a4e7f0 “\Device\HarddiskVolume7”
FLT_INSTANCE: ffffcf807deb26a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070aeec30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b5c6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf808068e7f0 “\Device\HarddiskVolume61”
FLT_INSTANCE: ffffcf80806e06a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807e29ac30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8081748b40 “ResumeKeyFilter” “202000”
FLT_INSTANCE: ffffcf80816a26c0 “Sfntpffd Instance” “144200”
** FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64”**
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
One observation is that rdx register has same value of FLT_VOLUME: ffffcf807f1787f0 for which last volume dismount has happened.
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
One observation is that rdx register has same value of FLT_VOLUME: ffffcf807f1787f0 for which last volume dismount has happened.
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
BSOD details:
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.
BUGCHECK_P1: ffffcf8080a90be0
BUGCHECK_P2: 0
BUGCHECK_P3: fffff800365ba96c
BUGCHECK_P4: 0
READ_ADDRESS: ffffcf8080a90be0 Special pool
FAULTING_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xCC
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_VERSION: 10.0.17763.1 amd64fre
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
FOLLOWUP_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
FAULT_INSTR_CODE: 48018b48
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 0
FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext
0: kd> !fltkd.volumes
Volume List: ffffcf80702629b0 “Frame 0”
FLT_VOLUME: ffffcf80702aa800 “\Device\Mup”
FLT_INSTANCE: ffffcf8076bbc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80702f8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807364ed90 “CCFFilter” “261160”
FLT_INSTANCE: ffffcf80702606c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf807038a7f0 “\Device\HarddiskVolume2”
FLT_INSTANCE: ffffcf807193cc30 “CsvNSFlt Instance” “404900”
FLT_INSTANCE: ffffcf807f12c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070876c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf80709fe6c0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffcf80719984c0 “luafv” “135000”
FLT_VOLUME: ffffcf807073e7f0 “\Device\HarddiskVolume3”
FLT_INSTANCE: ffffcf807f13a6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80707c2c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807077e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80707bc7f0 “\Device\NamedPipe”
FLT_INSTANCE: ffffcf807076cd30 “npsvctrig” “46000”
FLT_VOLUME: ffffcf807070a7f0 “\Device\Mailslot”
FLT_VOLUME: ffffcf80707d47f0 “\Device\HarddiskVolume4”
FLT_INSTANCE: ffffcf807cbcc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807066e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80706787f0 “\Device\HarddiskVolume5”
FLT_INSTANCE: ffffcf807f1386a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a306c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070b9a7f0 “\Device\HarddiskVolume1”
FLT_INSTANCE: ffffcf807e92c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070be8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b466c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070ae67f0 “\Device\HarddiskVolume6”
FLT_INSTANCE: ffffcf807e84e6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a48c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070a246c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070a4e7f0 “\Device\HarddiskVolume7”
FLT_INSTANCE: ffffcf807deb26a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070aeec30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b5c6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf808068e7f0 “\Device\HarddiskVolume61”
FLT_INSTANCE: ffffcf80806e06a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807e29ac30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8081748b40 “ResumeKeyFilter” “202000”
FLT_INSTANCE: ffffcf80816a26c0 “Sfntpffd Instance” “144200”
** FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64”**
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.
BUGCHECK_P1: ffffcf8080a90be0
BUGCHECK_P2: 0
BUGCHECK_P3: fffff800365ba96c
BUGCHECK_P4: 0
READ_ADDRESS: ffffcf8080a90be0 Special pool
FAULTING_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
BUGCHECK_STR: 0xCC
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_VERSION: 10.0.17763.1 amd64fre
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
FOLLOWUP_IP:
nt!FsRtlLookupReservedPerFileContext+0
fffff800`365ba96c 488b01 mov rax,qword ptr [rcx]
FAULT_INSTR_CODE: 48018b48
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: nt!FsRtlLookupReservedPerFileContext+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b93e6c7
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 0
FAILURE_BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
BUCKET_ID: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
PRIMARY_PROBLEM_CLASS: 0xCC_VRF_nt!FsRtlLookupReservedPerFileContext
FAILURE_ID_HASH_STRING: km:0xcc_vrf_nt!fsrtllookupreservedperfilecontext
0: kd> !fltkd.volumes
Volume List: ffffcf80702629b0 “Frame 0”
FLT_VOLUME: ffffcf80702aa800 “\Device\Mup”
FLT_INSTANCE: ffffcf8076bbc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80702f8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807364ed90 “CCFFilter” “261160”
FLT_INSTANCE: ffffcf80702606c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf807038a7f0 “\Device\HarddiskVolume2”
FLT_INSTANCE: ffffcf807193cc30 “CsvNSFlt Instance” “404900”
FLT_INSTANCE: ffffcf807f12c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070876c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf80709fe6c0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffcf80719984c0 “luafv” “135000”
FLT_VOLUME: ffffcf807073e7f0 “\Device\HarddiskVolume3”
FLT_INSTANCE: ffffcf807f13a6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80707c2c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807077e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80707bc7f0 “\Device\NamedPipe”
FLT_INSTANCE: ffffcf807076cd30 “npsvctrig” “46000”
FLT_VOLUME: ffffcf807070a7f0 “\Device\Mailslot”
FLT_VOLUME: ffffcf80707d47f0 “\Device\HarddiskVolume4”
FLT_INSTANCE: ffffcf807cbcc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807066e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80706787f0 “\Device\HarddiskVolume5”
FLT_INSTANCE: ffffcf807f1386a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a306c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070b9a7f0 “\Device\HarddiskVolume1”
FLT_INSTANCE: ffffcf807e92c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070be8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b466c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070ae67f0 “\Device\HarddiskVolume6”
FLT_INSTANCE: ffffcf807e84e6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a48c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070a246c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070a4e7f0 “\Device\HarddiskVolume7”
FLT_INSTANCE: ffffcf807deb26a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070aeec30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b5c6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf808068e7f0 “\Device\HarddiskVolume61”
FLT_INSTANCE: ffffcf80806e06a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807e29ac30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8081748b40 “ResumeKeyFilter” “202000”
FLT_INSTANCE: ffffcf80816a26c0 “Sfntpffd Instance” “144200”
** FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64”**
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffffcf8080a90be0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffff800365ba96c, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, Mm internal code.
TRAP_FRAME: ffffd000233aa860 – (.trap 0xffffd000233aa860)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=ffffcf8080a90be0
rdx=ffffcf807f1787f0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800365ba96c rsp=ffffd000233aa9f8 rbp=ffffd000233aaa60
r8=ffffcf8080a90be0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000233aa9c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nt!FsRtlLookupReservedPerFileContext:
fffff800365ba96c 488b01 mov rax,qword ptr [rcx] ds:ffffcf80
80a90be0=???
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800365d2d5a to fffff80036565500
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
0: kd> !fltkd.volumes
Volume List: ffffcf80702629b0 “Frame 0”
FLT_VOLUME: ffffcf80702aa800 “\Device\Mup”
FLT_INSTANCE: ffffcf8076bbc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80702f8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807364ed90 “CCFFilter” “261160”
FLT_INSTANCE: ffffcf80702606c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf807038a7f0 “\Device\HarddiskVolume2”
FLT_INSTANCE: ffffcf807193cc30 “CsvNSFlt Instance” “404900”
FLT_INSTANCE: ffffcf807f12c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070876c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf80709fe6c0 “Sfntpffd Instance” “144200”
FLT_INSTANCE: ffffcf80719984c0 “luafv” “135000”
FLT_VOLUME: ffffcf807073e7f0 “\Device\HarddiskVolume3”
FLT_INSTANCE: ffffcf807f13a6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf80707c2c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf807077e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80707bc7f0 “\Device\NamedPipe”
FLT_INSTANCE: ffffcf807076cd30 “npsvctrig” “46000”
FLT_VOLUME: ffffcf807070a7f0 “\Device\Mailslot”
FLT_VOLUME: ffffcf80707d47f0 “\Device\HarddiskVolume4”
FLT_INSTANCE: ffffcf807cbcc6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807066e6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf80706787f0 “\Device\HarddiskVolume5”
FLT_INSTANCE: ffffcf807f1386a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a306c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070b9a7f0 “\Device\HarddiskVolume1”
FLT_INSTANCE: ffffcf807e92c6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070be8c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b466c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070ae67f0 “\Device\HarddiskVolume6”
FLT_INSTANCE: ffffcf807e84e6a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070a48c30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070a246c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf8070a4e7f0 “\Device\HarddiskVolume7”
FLT_INSTANCE: ffffcf807deb26a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf8070aeec30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8070b5c6c0 “Sfntpffd Instance” “144200”
FLT_VOLUME: ffffcf808068e7f0 “\Device\HarddiskVolume61”
FLT_INSTANCE: ffffcf80806e06a0 “Process Monitor 23 Instance” “385200”
FLT_INSTANCE: ffffcf807e29ac30 “vsepflt Instance” “328200”
FLT_INSTANCE: ffffcf8081748b40 “ResumeKeyFilter” “202000”
FLT_INSTANCE: ffffcf80816a26c0 “Sfntpffd Instance” “144200”
** FLT_VOLUME: ffffcf807f1787f0 “\Device\HarddiskVolume64”**
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16
STACK_TEXT:
ffffd000233a9f28 fffff800
365d2d5a : 0000000000000000 00000000
00000000 ffffd000233aa090 fffff800
364c2f90 : nt!DbgBreakPointWithStatus
ffffd000233a9f30 fffff800
365d2686 : 0000000000000003 ffffd000
233aa090 fffff8003656fb00 00000000
000000cc : nt!KiBugCheckDebugBreak+0x12
ffffd000233a9f90 fffff800
3655d3a4 : 4f808126e0000000 fffff800
36459262 0000000000000002 00000000
00000000 : nt!KeBugCheck2+0x8a2
ffffd000233aa690 fffff800
36602af4 : 0000000000000050 ffffcf80
80a90be0 0000000000000000 ffffd000
233aa860 : nt!KeBugCheckEx+0x104
ffffd000233aa6d0 fffff800
364509d9 : 0000000000000000 ffffcf80
80a90be0 ffffd000233aa860 ffffcf80
80a90be0 : nt!MiSystemFault+0x1048
ffffd000233aa760 fffff800
3656a957 : ffffcf807f178d78 ffffffff
fa0a1f00 0000000000000000 fffff800
36641f90 : nt!MmAccessFault+0x219
ffffd000233aa860 fffff800
365ba96c : fffff800365bad7a ffffd000
233aaa60 ffffcf8000000000 fffff801
5c1d68f6 : nt!KiPageFault+0x317
ffffd000233aa9f8 fffff800
365bad7a : ffffd000233aaa60 ffffcf80
00000000 fffff8015c1d68f6 ffffcf80
7f1787f0 : nt!FsRtlLookupReservedPerFileContext
ffffd000233aaa00 fffff801
5c1e0748 : ffffcf807f1788e8 ffffcf80
7f178d78 ffffcf807f1788e8 fffff800
366ba400 : nt!FsRtlRemoveReservedPerFileContext+0xe
ffffd000233aaa30 fffff801
5c1d670f : ffffcf807f1788e8 ffffcf80
7f1787f0 ffffcf807f7386c0 ffffcf80
7f1788e8 : fltmgr!FltpDeleteAllFileListCtrls+0x9e98
ffffd000233aaa80 fffff801
5c1d687b : ffffe00045f73a50 00000000
00000008 ffffe00045f73900 00000000
00000000 : fltmgr!FltpFreeVolume+0xdf
ffffd000233aaac0 fffff801
5c1d67e8 : ffffcf8080888f90 ffffe000
4521f040 ffffcf8080888f98 00000000
00000018 : fltmgr!FltpCleanupDeviceObject+0x6b
ffffd000233aab20 fffff800
3646799f : 0000000000000000 ffffe000
4521f040 ffffcf8080888f98 00000000
00000000 : fltmgr!FltpFastIoDetachDeviceWorker+0x15
ffffd000233aab50 fffff800
364f052a : ffffe00044db1ce0 ffffd001
572d5180 0000000000000080 ffffe000
41c885c0 : nt!ExpWorkerThread+0x69f
ffffd000233aac00 fffff800
36564d56 : ffffd001572d5180 ffffe000
4521f040 ffffe00044a28080 00000000
00000004 : nt!PspSystemThreadStartup+0x18a
ffffd000233aac60 00000000
00000000 : ffffd000233ab000 ffffd000
233a5000 0000000000000000 00000000
00000000 : nt!KiStartSystemThread+0x16