help on ntfs crash

Hello,

Recently I kept running into the same crash on XP and I couldn’t figure
out anything and definitely need help. Here is the crash dump info.

Thanks,

Tom

Use !analyze -v to get detailed debugging information.

BugCheck 50, {f8abb354, 1, bae558df, 0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMEVENT.SYS -

Probably caused by : SYMEVENT.SYS ( SYMEVENT!SYMEvent_GetVMDataPtr+67cb )

Followup: MachineOwner


0: kd> !analyze -v

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)

Invalid system memory was referenced. This cannot be protected by try-except,

it must be protected by a Probe. Typically the address is just plain bad or it

is pointing at freed memory.

Arguments:

Arg1: f8abb354, memory referenced.

Arg2: 00000001, value 0 = read operation, 1 = write operation.

Arg3: bae558df, If non-zero, the instruction address which referenced the bad memory

address.

Arg4: 00000000, (reserved)

Debugging Details:


WRITE_ADDRESS: f8abb354 Nonpaged pool

FAULTING_IP:

Ntfs!NtfsCommonRead+b76

bae558df f3ab rep stosd

MM_INTERNAL_CODE: 0

IMAGE_NAME: SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4005f4a5

FAULTING_MODULE: bae4f000 Ntfs

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

TRAP_FRAME: f88ee088 -- (.trap fffffffff88ee088)

ErrCode = 00000002

eax=00000000 ebx=f88ee1cc ecx=0000002b edx=000000ac esi=e1273718 edi=f8abb354

eip=bae558df esp=f88ee0fc ebp=f88ee1b8 iopl=0 nv up ei pl nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206

Ntfs!NtfsCommonRead+0xb76:

bae558df f3ab rep stosd es:f8abb354=???

Resetting default scope

LAST_CONTROL_TRANSFER: from bae51fbf to bae558df

STACK_TEXT:

f88ee1b8 bae51fbf f88ee1cc 845dee28 00000001 Ntfs!NtfsCommonRead+0xb76

f88ee368 804e19ee 82ac9020 845dee28 80703428 Ntfs!NtfsFsdRead+0x22d

f88ee378 80674145 8252b630 845dee28 82962e01 nt!IopfCallDriver+0x31

f88ee39c f7156f6b 82524b40 82674ba8 804e19ee nt!IovCallDriver+0xa0

WARNING: Stack unwind information not available. Following frames may be wrong.

f88ee3dc 804faf40 00000000 82962ec8 82962ed8 SYMEVENT!SYMEvent_GetVMDataPtr+0x67cb

f88ee3f0 804faf67 82524b40 82962f0a 82962ee0 nt!IopPageReadInternal+0xf3

f88ee410 804fac8e 82554810 82962f00 82962ee0 nt!IoPageRead+0x1b

f88ee484 804e9fcb 183f28c0 c6e44000 c031b910 nt!MiDispatchFault+0x280

f88ee4d8 804ff69f 00000000 c6e44000 00000000 nt!MmAccessFault+0x642

f88ee518 804f2c98 c6e44000 00000000 f88ee644 nt!MmCheckCachedPageState+0x476

f88ee560 804f3003 82459a10 f88ee5a0 00001000 nt!CcMapAndRead+0x94

f88ee5f4 805916a1 82554810 f88ee634 0000000c nt!CcPinFileData+0x24a

f88ee668 bae7e21c 82554810 f88ee6a0 0000000c nt!CcPinRead+0xc4

f88ee690 bae908f8 f88ee978 e1273718 00044354 Ntfs!NtfsPinStream+0x71

f88ee740 bae90b52 f88ee978 e1273718 00044354 Ntfs!NtOfsPutData+0x275

f88ee7d0 bae905d8 f88ee978 e13ea210 00000000 Ntfs!GetSecurityIdFromSecurityDescriptorUnsafe+0x17e

f88ee814 bae8ee32 f88ee978 e37dbc60 0000004c Ntfs!NtfsCacheSharedSecurityByDescriptor+0x70

f88ee8a4 bae8effc f88ee978 e1299a00 831ecfbc Ntfs!NtfsModifySecurity+0x91

f88ee900 bae8ef22 f88ee978 831ece28 82ac9020 Ntfs!NtfsCommonSetSecurityInfo+0xdf

f88ee964 bae754ed f88ee978 831ece28 00000001 Ntfs!NtfsFsdDispatchSwitch+0x121

f88eea88 804e19ee 82ac9020 831ece28 80703428 Ntfs!NtfsFsdDispatchWait+0x1c

f88eea98 80674145 804eb288 f88eeb04 00000000 nt!IopfCallDriver+0x31

f88eeabc f7156fd4 00000000 f88eeb04 8252b630 nt!IovCallDriver+0xa0

f88eeb54 805dbf67 ffffff00 00000000 00000000 SYMEVENT!SYMEvent_GetVMDataPtr+0x6834

f88eebbc 805dc472 82396510 00000000 f88eebf0 nt!IopGetSetSecurityObject+0x1a6

f88eebe4 805dc425 82396510 00000004 e1bf0370 nt!ObSetSecurityObjectByPointer+0x2b

f88eec14 8063d7f1 82396510 00000004 e1125cb8 nt!NtSetSecurityObject+0xaa

f88eec90 8063daaf 00001a70 e15c5d90 42746e4d nt!RtlpSysVolCheckOwnerAndSecurity+0x13e

f88eece4 f84b0cbe e1414798 829142f8 82ebae88 nt!RtlCreateSystemVolumeInformationFolder+0x19f

f88eed68 8056f03d 82ebae88 8249f950 8056b4fc MountMgr!MigrateRemoteDatabaseWorker+0xaa

f88eed7c 804e29d6 829142f8 00000000 82edb8b8 nt!IopProcessWorkItem+0x13

f88eedac 80576b24 829142f8 00000000 00000000 nt!ExpWorkerThread+0xef

f88eeddc 804eed86 804e2912 00000001 00000000 nt!PspSystemThreadStartup+0x34

00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:

SYMEVENT!SYMEvent_GetVMDataPtr+67cb

f7156f6b 5f pop edi

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: SYMEVENT!SYMEvent_GetVMDataPtr+67cb

MODULE_NAME: SYMEVENT

STACK_COMMAND: .trap fffffffff88ee088 ; kb

BUCKET_ID: 0x50_W_SYMEVENT!SYMEvent_GetVMDataPtr+67cb

Followup: MachineOwner


0: kd> .trap fffffffff88ee088

ErrCode = 00000002

eax=00000000 ebx=f88ee1cc ecx=0000002b edx=000000ac esi=e1273718 edi=f8abb354

eip=bae558df esp=f88ee0fc ebp=f88ee1b8 iopl=0 nv up ei pl nz na po nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206

Ntfs!NtfsCommonRead+0xb76:

bae558df f3ab rep stosd es:f8abb354=???

0: kd> kb

*** Stack trace for last set context - .thread/.cxr resets it

ChildEBP RetAddr Args to Child

f88ee1b8 bae51fbf f88ee1cc 845dee28 00000001 Ntfs!NtfsCommonRead+0xb76

f88ee368 804e19ee 82ac9020 845dee28 80703428 Ntfs!NtfsFsdRead+0x22d

f88ee378 80674145 8252b630 845dee28 82962e01 nt!IopfCallDriver+0x31

f88ee39c f7156f6b 82524b40 82674ba8 804e19ee nt!IovCallDriver+0xa0

WARNING: Stack unwind information not available. Following frames may be wrong.

f88ee3dc 804faf40 00000000 82962ec8 82962ed8 SYMEVENT!SYMEvent_GetVMDataPtr+0x67cb

f88ee3f0 804faf67 82524b40 82962f0a 82962ee0 nt!IopPageReadInternal+0xf3

f88ee410 804fac8e 82554810 82962f00 82962ee0 nt!IoPageRead+0x1b

f88ee484 804e9fcb 183f28c0 c6e44000 c031b910 nt!MiDispatchFault+0x280

f88ee4d8 804ff69f 00000000 c6e44000 00000000 nt!MmAccessFault+0x642

f88ee518 804f2c98 c6e44000 00000000 f88ee644 nt!MmCheckCachedPageState+0x476

f88ee560 804f3003 82459a10 f88ee5a0 00001000 nt!CcMapAndRead+0x94

f88ee5f4 805916a1 82554810 f88ee634 0000000c nt!CcPinFileData+0x24a

f88ee668 bae7e21c 82554810 f88ee6a0 0000000c nt!CcPinRead+0xc4

f88ee690 bae908f8 f88ee978 e1273718 00044354 Ntfs!NtfsPinStream+0x71

f88ee740 bae90b52 f88ee978 e1273718 00044354 Ntfs!NtOfsPutData+0x275

f88ee7d0 bae905d8 f88ee978 e13ea210 00000000 Ntfs!GetSecurityIdFromSecurityDescriptorUnsafe+0x17e

f88ee814 bae8ee32 f88ee978 e37dbc60 0000004c Ntfs!NtfsCacheSharedSecurityByDescriptor+0x70

f88ee8a4 bae8effc f88ee978 e1299a00 831ecfbc Ntfs!NtfsModifySecurity+0x91

f88ee900 bae8ef22 f88ee978 831ece28 82ac9020 Ntfs!NtfsCommonSetSecurityInfo+0xdf

f88ee964 bae754ed f88ee978 831ece28 00000001 Ntfs!NtfsFsdDispatchSwitch+0x121

Have you tried running with verifier turned on for your driver?
It can help you catch these types of problems much earlier.
-Shyam

Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Someone is screwing up a buffer pointer here - probably the MDL. Note
that the RtlCopyMemory (“rep stosd”) is using an invalid pointer value
(EDI). I don’t have the dump so I can’t disassemble the code leading up
here (and figure out where EDI came from) but it had to come from the
IRP itself, that’s the only thing that makes sense here.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com


Shyam,

I did enable verifier on my driver. I suspect there is a memory
corruption, but haven’t got any clue what to do.

Tom


Tony,

Thanks for the information. You are right. It is the irp.

0: kd> !irp 845dee28

Irp is active with 10 stacks 9 is current (= 0x845defb8)

Mdl = 82962f00 Thread 82edb8b8: Irp stack trace. Pending has been returned

cmd flg cl Device File Completion-Context

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[0, 0] 0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000

[3, 0] 0 10 82ab71b0 00000000 f8727376-8296be08

\Driver\Disk PartMgr!PmIoCompletion

Args: 00000000 00000000 00000000 00000000

[3, 0] 0 10 8296be08 00000000 baf81962-82593c90

\Driver\PartMgr ftdisk!FtpRefCountCompletionRoutine

Args: 00000000 00000000 00000000 00000000

[3, 0] 0 10 82593bd8 00000000 bae4febf-f88ee108

\Driver\Ftdisk Ntfs!NtfsSingleSyncCompletionRoutine

Args: 00000000 00000000 00000000 00000000

[3, 0] 0 0 82ac9020 82554810 00000000-00000000

\FileSystem\Ntfs

Args: 00001000 00000000 00044000 00000000

[3, 0] 0 0 82524b40 82554810 00000000-00000000

\Driver\SymEvent

Args: 00001000 00000000 00044000 00000000

0: kd> dd 82962f00

82962f00 00000000 00430020 00000000 f8abb000

82962f10 00000000 00001000 00000000 000183f2

82962f20 00017ca4 00017ddd 00001656 00015aef

82962f30 0001c348 0001c9a1 00004152 00015a98

82962f40 00017d51 0001564a 00008872 00008873

82962f50 00000000 00000000 00000000 8274add4

82962f60 00010014 6e496d4d 0a020001 6774624e

82962f70 00000000 00000000 00010002 63426343

f8abb000 is pretty close to the faulty address. So for some reason, the
mdl is messed up.

Thanks,

Tom
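
The comparison made in the message above, done mechanically (an added example, not part of the original thread): this Python script decodes the first two rows of the `dd 82962f00` output as an x86 MDL header and checks whether bugcheck Arg1 falls inside the range the MDL describes. The field layout and flag values are the standard 32-bit `wdm.h` definitions; the function names are this example's own.

```python
import re
import struct

PAGE_SIZE = 0x1000

# 32-bit (x86) MDL header as declared in wdm.h. MdlFlags is a CSHORT there;
# it is read unsigned here so the bit tests stay simple.
MDL32_FMT = "<IhHIIIII"
MDL32_FIELDS = ("Next", "Size", "MdlFlags", "Process",
                "MappedSystemVa", "StartVa", "ByteCount", "ByteOffset")
MDL32_SIZE = struct.calcsize(MDL32_FMT)  # 0x1c; the PFN array follows the header

MDL_FLAG_NAMES = {
    0x0001: "MDL_MAPPED_TO_SYSTEM_VA",
    0x0002: "MDL_PAGES_LOCKED",
    0x0004: "MDL_SOURCE_IS_NONPAGED_POOL",
    0x0008: "MDL_ALLOCATED_FIXED_SIZE",
    0x0010: "MDL_PARTIAL",
    0x0020: "MDL_PARTIAL_HAS_BEEN_MAPPED",
    0x0040: "MDL_IO_PAGE_READ",
    0x0080: "MDL_WRITE_OPERATION",
}

# Copied from the thread: first two rows of `dd 82962f00` and the bugcheck line.
DD_ROWS = """\
82962f00 00000000 00430020 00000000 f8abb000
82962f10 00000000 00001000 00000000 000183f2
"""
BUGCHECK_LINE = "BugCheck 50, {f8abb354, 1, bae558df, 0}"


def parse_dd(text):
    """Turn `dd` rows (address + dwords) into (base address, little-endian bytes)."""
    base, dwords = None, []
    for line in text.splitlines():
        cols = line.split()
        if not cols:
            continue
        addr = int(cols[0], 16)
        if base is None:
            base = addr
        elif addr != base + 4 * len(dwords):
            raise ValueError("dd rows are not contiguous")
        dwords.extend(int(c, 16) for c in cols[1:])
    return base, struct.pack("<%dI" % len(dwords), *dwords)


def parse_bugcheck(line):
    """Return (bugcheck code, [arg1..arg4]) from a 'BugCheck NN, {...}' line."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("not a BugCheck line")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]


def decode_mdl32(raw):
    """Decode an x86 MDL header plus as many PFN entries as the dump contains."""
    if len(raw) < MDL32_SIZE:
        raise ValueError("dump is shorter than an MDL header")
    mdl = dict(zip(MDL32_FIELDS, struct.unpack_from(MDL32_FMT, raw)))
    claimed = max(0, (mdl["Size"] - MDL32_SIZE) // 4)   # PFN slots implied by Size
    available = (len(raw) - MDL32_SIZE) // 4            # PFN slots present in the dump
    count = min(claimed, available)
    mdl["PfnCount"] = claimed
    mdl["Pfns"] = list(struct.unpack_from("<%dI" % count, raw, MDL32_SIZE))
    mdl["FlagNames"] = [n for bit, n in MDL_FLAG_NAMES.items() if mdl["MdlFlags"] & bit]
    return mdl


def correlate(mdl, bugcheck_args):
    """Relate bugcheck 0x50 Arg1/Arg2 to the buffer the MDL describes."""
    fault_va = bugcheck_args[0]
    offset = fault_va - mdl["MappedSystemVa"]
    pages = (mdl["ByteOffset"] + mdl["ByteCount"] + PAGE_SIZE - 1) // PAGE_SIZE
    return {
        "fault_offset": offset,
        "fault_inside_mapping": 0 <= offset < mdl["ByteCount"],
        "is_write": bugcheck_args[1] == 1,
        "claims_system_mapping": bool(mdl["MdlFlags"] & 0x0001),
        "pfn_count_consistent": mdl["PfnCount"] == pages,
    }


if __name__ == "__main__":
    _, raw = parse_dd(DD_ROWS)
    mdl = decode_mdl32(raw)
    code, args = parse_bugcheck(BUGCHECK_LINE)
    for name in MDL32_FIELDS:
        print("%-15s %08x" % (name, mdl[name]))
    print("flags          ", ", ".join(mdl["FlagNames"]))
    print("bugcheck        %x" % code)
    for key, value in correlate(mdl, args).items():
        print("%-22s %s" % (key, hex(value) if key == "fault_offset" else value))
```

On the thread's data the faulting write lands 0x354 bytes into a one-page MDL that has MDL_MAPPED_TO_SYSTEM_VA set, so `MappedSystemVa` is the value to trace back to whoever built or modified the MDL.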


Are you swapping the MDL out in your filter? If so, you might not be
setting up the IRP correctly.

Regards,

Tony

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com


Tony,

I was allocating new mdls and wrongly messed up with the buffer pointer.
Now it is working fine. I don’t know how to thank you enough.

Thanks a LOT,

Tom

