Help debugging deadlock (NtfsWaitForCreateEvent)

Hello,

We have a customer system which regularly hangs. Our filter driver is an HSM-style driver using the Filter Manager. McAfee (naiavf5x) is also running on this system. Because we have no direct access to the system, we created a kernel dump from that situation.

There are two threads hanging on Ntfs!NtfsWaitForCreateEvent for several hours. Our driver is trying to open a file in PreCreate of a network open request, as you can see in the dump. Because there is no other thread with Ntfs or our filter driver, we have no indication what Ntfs is waiting for. Does anyone have an idea what Ntfs!NtfsWaitForCreateEvent is waiting for? The event is a notification event which is different for each of the hanging threads. Or is there any other suggestion as to which direction we should look in?

Any hints are welcome. See stack trace below.

Best regards,
Detlef Golze

pntvolflt is our filter driver

Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447

THREAD 84f37400 Cid 0004.0ff0 Teb: 00000000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Non-Alertable
f6efb144 NotificationEvent
IRP List:
852a3568: (0006,01b4) Flags: 00000884 Mdl: 00000000
85930008: (0006,01b4) Flags: 00000884 Mdl: 00000000
Impersonation token: e5195b80 (Level Impersonation)
DeviceMap e3086b48
Owning Process 85fa2648 Image: System
Wait Start TickCount 28333611 Ticks: 3650464 (0:15:50:38.500)
Context Switch Count 2482 NoStackSwap
UserTime 00:00:00.0000
KernelTime 00:00:00.0203
Start Address srv!WorkerThread (0xf6505394)
Stack Init f6efc000 Current f6efafec Base f6efc000 Limit f6ef9000 Call 0
Priority 9 BasePriority 9 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f6efb004 8083e6a2 84f37478 84f37400 84f374a8 nt!KiSwapContext+0x26 (FPO: [EBP 0xf6efb030] [0,0,4])
f6efb030 8083f164 f6efb144 8083ef56 00000000 nt!KiSwapThread+0x284 (FPO: [Non-Fpo])
f6efb078 f724fb4d f6efb144 00000000 00000001 nt!KeWaitForSingleObject+0x346 (FPO: [Non-Fpo])
f6efb0a8 f724f9ad 852a3568 f6efb140 00000000 Ntfs!NtfsWaitForCreateEvent+0x5e (FPO: [Non-Fpo])
f6efb1a8 8083f9d0 85cae718 852a3568 852a3568 Ntfs!NtfsFsdCreate+0x197 (FPO: [Non-Fpo])
f6efb1bc f7316b43 00000000 852a3568 852a36b0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f6efb1e0 f73245af f6efb200 85d37020 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b (FPO: [Non-Fpo])
f6efb21c 8083f9d0 85d37020 852a3568 852a3568 fltmgr!FltpCreate+0x23b (FPO: [Non-Fpo])
f6efb230 8092e269 f6efb3d8 85c89a18 00000000 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f6efb318 80936caa 85c89a30 00000000 84bf2478 nt!IopParseDevice+0xa35 (FPO: [Non-Fpo])
f6efb398 80936aa5 00000000 f6efb3d8 00000240 nt!ObpLookupObjectName+0x5a9 (FPO: [Non-Fpo])
f6efb3ec 80936f27 00000000 00000000 89b69f00 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])
f6efb468 808f536c f6efb6d0 80000000 f6efb62c nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f6efb4b0 f73266ae f6efb6d0 80000000 f6efb62c nt!IoCreateFileSpecifyDeviceObjectHint+0x52 (FPO: [Non-Fpo])
f6efb55c f7326828 85e419e8 85cf4dd8 f6efb6d0 fltmgr!FltCreateFileEx+0x114 (FPO: [Non-Fpo])
f6efb5a0 f7520e2d 85e419e8 85cf4dd8 f6efb6d0 fltmgr!FltCreateFile+0x36 (FPO: [Non-Fpo])
f6efb644 f751d210 85cf4dd8 f6efb6bc f6efb6d0 pntvolflt!PntOpenFile+0x26d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\source\pnthsmfilter\kernel\pntfltsup.c @ 1191]
f6efb6e8 f751b978 84bc2334 f6efb728 f6efb6fc pntvolflt!PntProcessCreate+0xf0 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\source\pnthsmfilter\kernel\pntfltfunc.c @ 1755]
f6efb708 f73144e8 84bc2334 f6efb728 f6efb744 pntvolflt!PntPreCreate+0xe8 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\source\pnthsmfilter\kernel\pntfltfunc.c @ 156]
f6efb768 f7315f48 00efb7ac 84bc22d8 85930150 fltmgr!FltpPerformPreCallbacks+0x2d4 (FPO: [Non-Fpo])
f6efb77c f73240ad f6efb7ac f7322540 00000000 fltmgr!FltpPassThroughInternal+0x32 (FPO: [Non-Fpo])
f6efb794 f732459d f6efb7ac 85930008 85930174 fltmgr!FltpCreateInternal+0x63 (FPO: [Non-Fpo])
f6efb7c8 8083f9d0 85d37020 85930008 85930198 fltmgr!FltpCreate+0x229 (FPO: [Non-Fpo])
f6efb7dc f5e3de7e 02000039 00000000 00000001 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f6efb808 f5e443a0 85930008 f6efb8b4 85930008 naiavf5x+0x1e7e
f6efb87c f5e44834 85930008 85930174 848275e0 naiavf5x+0x83a0
f6efb8c0 f5e3e930 848275e0 848275e0 85701d80 naiavf5x+0x8834
f6efb8d4 8083f9d0 85728020 85930008 85930008 naiavf5x+0x2930
f6efb8e8 8092e269 84d3bf50 84df9b40 00000000 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f6efb9d0 8093a934 85728020 00000000 849c7008 nt!IopParseDevice+0xa35 (FPO: [Non-Fpo])
f6efba08 80936848 84d3bf50 00000000 849c7008 nt!IopParseFile+0x46 (FPO: [Non-Fpo])
f6efba88 80936aa5 00000730 f6efbac8 00000040 nt!ObpLookupObjectName+0x11f (FPO: [Non-Fpo])
f6efbadc 80936f27 00000000 00000000 d1f2c800 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])
f6efbb58 80936ff8 f6efbcc8 0002019f f6efbc90 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f6efbbb4 f650aefd f6efbcc8 0002019f f6efbc90 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
f6efbc24 f650bf29 855e52a8 f6efbcc8 0002019f srv!SrvIoCreateFile+0x36d (FPO: [Non-Fpo])
f6efbcf0 f650c5e4 84b78520 e5c9a820 0002019f srv!SrvNtCreateFile+0x5cc (FPO: [Non-Fpo])
f6efbd78 f64efbc6 855e52b0 85cbf540 f6505451 srv!SrvSmbNtCreateAndX+0x15c (FPO: [Non-Fpo])
f6efbd84 f6505451 00000000 84f37400 00000000 srv!SrvProcessSmb+0xb7 (FPO: [0,0,0])
f6efbdac 8092ccff 00cbf540 00000000 00000000 srv!WorkerThread+0x138 (FPO: [Non-Fpo])

THREAD 84a6a6a0 Cid 0004.0534 Teb: 00000000 Win32Thread: 00000000 WAIT: (Unknown) UserMode Non-Alertable
f5a9d144 NotificationEvent
IRP List:
848ba008: (0006,01b4) Flags: 00000884 Mdl: 00000000
848e8938: (0006,01b4) Flags: 00000884 Mdl: 00000000
Impersonation token: e5a96d10 (Level Impersonation)
DeviceMap e4de74b0
Owning Process 85fa2648 Image: System
Wait Start TickCount 28573434 Ticks: 3410641 (0:14:48:11.265)
Context Switch Count 2333 NoStackSwap
UserTime 00:00:00.0000
KernelTime 00:00:00.0343
Start Address srv!WorkerThread (0xf6505394)
Stack Init f5a9e000 Current f5a9cfec Base f5a9e000 Limit f5a9b000 Call 0
Priority 9 BasePriority 9 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f5a9d004 8083e6a2 84a6a718 84a6a6a0 84a6a748 nt!KiSwapContext+0x26 (FPO: [EBP 0xf5a9d030] [0,0,4])
f5a9d030 8083f164 f5a9d144 8083ef56 00000000 nt!KiSwapThread+0x284 (FPO: [Non-Fpo])
f5a9d078 f724fb4d f5a9d144 00000000 00000001 nt!KeWaitForSingleObject+0x346 (FPO: [Non-Fpo])
f5a9d0a8 f724f9ad 848ba008 f5a9d140 00000000 Ntfs!NtfsWaitForCreateEvent+0x5e (FPO: [Non-Fpo])
f5a9d1a8 8083f9d0 85cae718 848ba008 848ba008 Ntfs!NtfsFsdCreate+0x197 (FPO: [Non-Fpo])
f5a9d1bc f7316b43 00000000 848ba008 848ba150 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f5a9d1e0 f73245af f5a9d200 85d37020 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x20b (FPO: [Non-Fpo])
f5a9d21c 8083f9d0 85d37020 848ba008 848ba008 fltmgr!FltpCreate+0x23b (FPO: [Non-Fpo])
f5a9d230 8092e269 f5a9d3d8 85c89a18 00000000 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f5a9d318 80936caa 85c89a30 00000000 85d34928 nt!IopParseDevice+0xa35 (FPO: [Non-Fpo])
f5a9d398 80936aa5 00000000 f5a9d3d8 00000240 nt!ObpLookupObjectName+0x5a9 (FPO: [Non-Fpo])
f5a9d3ec 80936f27 00000000 00000000 a9d47c00 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])
f5a9d468 808f536c f5a9d6d0 80000000 f5a9d62c nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f5a9d4b0 f73266ae f5a9d6d0 80000000 f5a9d62c nt!IoCreateFileSpecifyDeviceObjectHint+0x52 (FPO: [Non-Fpo])
f5a9d55c f7326828 85e419e8 85cf4dd8 f5a9d6d0 fltmgr!FltCreateFileEx+0x114 (FPO: [Non-Fpo])
f5a9d5a0 f7520e2d 85e419e8 85cf4dd8 f5a9d6d0 fltmgr!FltCreateFile+0x36 (FPO: [Non-Fpo])
f5a9d644 f751d210 85cf4dd8 f5a9d6bc f5a9d6d0 pntvolflt!PntOpenFile+0x26d (FPO: [Non-Fpo]) (CONV: stdcall) [c:\source\pnthsmfilter\kernel\pntfltsup.c @ 1191]
f5a9d6e8 f751b978 8482eadc f5a9d728 f5a9d6fc pntvolflt!PntProcessCreate+0xf0 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\source\pnthsmfilter\kernel\pntfltfunc.c @ 1755]
f5a9d708 f73144e8 8482eadc f5a9d728 f5a9d744 pntvolflt!PntPreCreate+0xe8 (FPO: [Non-Fpo]) (CONV: stdcall) [c:\source\pnthsmfilter\kernel\pntfltfunc.c @ 156]
f5a9d768 f7315f48 00a9d7ac 8482ea80 848e8a80 fltmgr!FltpPerformPreCallbacks+0x2d4 (FPO: [Non-Fpo])
f5a9d77c f73240ad f5a9d7ac f7322540 00000000 fltmgr!FltpPassThroughInternal+0x32 (FPO: [Non-Fpo])
f5a9d794 f732459d f5a9d7ac 848e8938 848e8aa4 fltmgr!FltpCreateInternal+0x63 (FPO: [Non-Fpo])
f5a9d7c8 8083f9d0 85d37020 848e8938 848e8ac8 fltmgr!FltpCreate+0x229 (FPO: [Non-Fpo])
f5a9d7dc f5e3de7e 02000039 00000000 00000001 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
f5a9d808 f5e443a0 848e8938 f5a9d8b4 848e8938 naiavf5x+0x1e7e
f5a9d87c f5e44834 848e8938 848e8aa4 8467e260 naiavf5x+0x83a0
f5a9d8c0 f5e3e930 8467e260 8467e260 85701d80 naiavf5x+0x8834
f5a9d8d4 8083f9d0 85728020 848e8938 848e8938 naiavf5x+0x2930
f5a9d8e8 8092e269 84d3bf50 85cce538 00000000 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f5a9d9d0 8093a934 85728020 00000000 84e1c640 nt!IopParseDevice+0xa35 (FPO: [Non-Fpo])
f5a9da08 80936848 84d3bf50 00000000 84e1c640 nt!IopParseFile+0x46 (FPO: [Non-Fpo])
f5a9da88 80936aa5 00000730 f5a9dac8 00000040 nt!ObpLookupObjectName+0x11f (FPO: [Non-Fpo])
f5a9dadc 80936f27 00000000 00000000 d1f2c800 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])
f5a9db58 80936ff8 f5a9dcc8 0002019f f5a9dc90 nt!IopCreateFile+0x447 (FPO: [Non-Fpo])
f5a9dbb4 f650aefd f5a9dcc8 0002019f f5a9dc90 nt!IoCreateFile+0xa3 (FPO: [Non-Fpo])
f5a9dc24 f650bf29 8561bbc0 f5a9dcc8 0002019f srv!SrvIoCreateFile+0x36d (FPO: [Non-Fpo])
f5a9dcf0 f650c5e4 8494ee58 e51d7e28 0002019f srv!SrvNtCreateFile+0x5cc (FPO: [Non-Fpo])
f5a9dd78 f64efbc6 8561bbc8 85cbf300 f6505451 srv!SrvSmbNtCreateAndX+0x15c (FPO: [Non-Fpo])
f5a9dd84 f6505451 00000000 84a6a6a0 00000000 srv!SrvProcessSmb+0xb7 (FPO: [0,0,0])
f5a9ddac 8092ccff 00cbf300 00000000 00000000 srv!WorkerThread+0x138 (FPO: [Non-Fpo])

