Hi,
We are working on file system encryption minifilter driver.If we copy file in
NAS enccrypted path, then delete, and then restart, bugcheck happens.
It points to rdbss.sys driver not our file system filter driver.
I have made this registry setting to capture stack traces so the guilty driver can be easily identified
set HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\TrackLockedPages to a DWORD 1
Bug check details:
DRIVER_LEFT_LOCKED_PAGES_IN_PROCESS (cb)
Caused by a driver not cleaning up completely after an I/O.
When possible, the guilty driver’s name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff88002919d4a, The calling address in the driver that locked the pages or if the
IO manager locked the pages this points to the dispatch routine of
the top driver on the stack to which the IRP was sent.
Arg2: 0000000000000000, The caller of the calling address in the driver that locked the
pages. If the IO manager locked the pages this points to the device
object of the top driver on the stack to which the IRP was sent.
Arg3: fffffa8003a43010, A pointer to the MDL containing the locked pages.
Arg4: 0000000000000002, The number of locked pages.
Debugging Details:
DUMP_CLASS: 1
DUMP_QUALIFIER: 402
BUILD_VERSION_STRING: 7601.24214.amd64fre.win7sp1_ldr_escrow.180801-1700
SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware Virtual Platform
SYSTEM_VERSION: None
BIOS_VENDOR: Phoenix Technologies LTD
BIOS_VERSION: 6.00
BIOS_DATE: 07/30/2013
BASEBOARD_MANUFACTURER: Intel Corporation
BASEBOARD_PRODUCT: 440BX Desktop Reference Platform
BASEBOARD_VERSION: None
DUMP_TYPE: 0
BUGCHECK_P1: fffff88002919d4a
BUGCHECK_P2: 0
BUGCHECK_P3: fffffa8003a43010
BUGCHECK_P4: 2
FAULTING_IP:
rdbss!RxLockUserBuffer+b2
fffff88002919d4a eb45 jmp rdbss!RxLockUserBuffer+0xf9 (fffff880
02919d91)
CPU_COUNT: 2
CPU_MHZ: 960
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 2d
CPU_STEPPING: 7
CPU_MICROCODE: 6,2d,7,0 (F,M,S,R) SIG: 710’00000000 (cache) 710’00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xCB
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: NOI-D70QD152
ANALYSIS_SESSION_TIME: 08-20-2018 11:16:03.0536
ANALYSIS_VERSION: 10.0.15063.468 amd64fre
LAST_CONTROL_TRANSFER: from fffff8000198f3ac to fffff800016b29a0
STACK_TEXT:
fffff88005d5b858 fffff800
0198f3ac : 00000000000000cb fffff880
02919d4a 0000000000000000 fffffa80
03a43010 : nt!KeBugCheckEx
fffff88005d5b860 fffff800
0192a326 : 0000000000000001 fffffa80
033219f0 fffffa8000000000 fffffa80
00000000 : nt! ?? ::NNGAKEGL::string'+0x131ac fffff880
05d5b8a0 fffff80001659894 : 00000000
00000000 fffffa8001891080 fffffa80
03667ad0 fffff8000191b37b : nt!PspProcessDelete+0x1a2 fffff880
05d5b900 fffff800018f263f : fffffa80
03667b00 0000000000000001 fffffa80
033219f0 fffff8000190b04e : nt!ObfDereferenceObject+0xd4 fffff880
05d5b960 fffff80001659894 : 00000000
00000000 fffffa80036ba160 fffffa80
01891f30 fffffa80036ba160 : nt!PspThreadDelete+0xe3 fffff880
05d5b9a0 fffff8000190b4d1 : fffffa80
036ba160 0000000000000000 fffffa80
033219f0 0000000000000000 : nt!ObfDereferenceObject+0xd4 fffff880
05d5ba00 fffff8000190b1e4 : 00000000
00000b34 fffffa80030deb00 fffff8a0
02028ef0 0000000000000b34 : nt!ObpCloseHandleTableEntry+0xc1 fffff880
05d5ba90 fffff800016c09d3 : fffffa80
033219f0 fffff88005d5bb60 00000000
00000000 0000000000000000 : nt!ObpCloseHandle+0x94 fffff880
05d5bae0 000000007719999a : 000007fe
fccf1873 000000000029eb90 00000000
002d58c0 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13 00000000
01c0f6d8 000007fefccf1873 : 00000000
0029eb90 00000000002d58c0 00000000
00000000 000007fefd0b2006 : ntdll!NtClose+0xa 00000000
01c0f6e0 0000000077031951 : 00000000
04710298 0000000089000089 00000000
00000000 000000000022d390 : KERNELBASE!CloseHandle+0x13 00000000
01c0f710 000007fefac45c2c : 00000000
01a7a520 0000000000000000 00000000
00244940 0000000000000000 : kernel32!CloseHandleImplementation+0x3d 00000000
01c0f820 000007fefac3f335 : 00000000
00000000 0000000000000000 00000000
01a7a520 0000000000000000 : shsvcs!COMXProc::CAdviseClient::
vector deleting destructor’+0x3c
0000000001c0f850 000007fe
fac311ac : 0000000001a7d330 00000000
00000000 0000000001a7dde0 00000000
01a7a4a0 : shsvcs!COMXProc::CThreadTaskCheckClients::_DoStuff+0xc9
0000000001c0f890 000007fe
fac3110a : 0000000001a7d330 00000000
00000000 0000000000000000 00000000
00000000 : shsvcs!CThreadTask::_CallDoStuff+0x76
0000000001c0f8c0 00000000
7713d13b : 0000000001e95080 00000000
01e95080 0000000000000000 00000000
00000002 : shsvcs!CThreadTask::_ThreadProc+0x12
0000000001c0f8f0 00000000
77229e87 : 0000000000000000 00000000
01a7d330 0000000000227aa0 00000000
01ef5248 : ntdll!RtlpTpWorkCallback+0x16b
0000000001c0f9d0 00000000
770259cd : 0000000000000002 00000002
00020002 0000000000227aa0 00000000
01e95080 : ntdll!TppWorkerThread+0x6f7
0000000001c0fc60 00000000
7718383d : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : kernel32!BaseThreadInitThunk+0xd
0000000001c0fc90 00000000
00000000 : 0000000000000000 00000000
00000000 0000000000000000 00000000
00000000 : ntdll!RtlUserThreadStart+0x1d
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: 0b89289000e72fa8be7f9b7d086b1768bbb3e1f0
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: bb662d1717cf489f1d9ce6b4c73e2e030aa404ce
THREAD_SHA1_HASH_MOD: d2a905b0950cb2e9ab7e398c3a06ceb0608fb060
FOLLOWUP_IP:
rdbss!RxLockUserBuffer+b2
fffff88002919d4a eb45 jmp rdbss!RxLockUserBuffer+0xf9 (fffff880
02919d91)
FAULT_INSTR_CODE: d88b45eb
SYMBOL_NAME: rdbss!RxLockUserBuffer+b2
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdbss
IMAGE_NAME: rdbss.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 59deb54c
FAILURE_BUCKET_ID: X64_0xCB_rdbss!RxLockUserBuffer+b2
BUCKET_ID: X64_0xCB_rdbss!RxLockUserBuffer+b2
PRIMARY_PROBLEM_CLASS: X64_0xCB_rdbss!RxLockUserBuffer+b2
TARGET_TIME: 2018-08-17T07:21:16.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 274
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 Server (Service Pack 1) Enterprise TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2018-08-02 07:48:10
BUILDDATESTAMP_STR: 180801-1700
BUILDLAB_STR: win7sp1_ldr_escrow
BUILDOSVER_STR: 6.1.7601.24214.amd64fre.win7sp1_ldr_escrow.180801-1700
ANALYSIS_SESSION_ELAPSED_TIME: c5fa
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0xcb_rdbss!rxlockuserbuffer+b2
FAILURE_ID_HASH: {1a7b1b6a-d847-222f-47cc-87c5d98ec2b4}
Any help on same?
Thanks in Advance!