NTFS.SYS

Hello Everybody,

I am still learning debugging. I cannot analyze this dump
file and need your assistance. I cannot find the root cause of the issue. I
see some exception but cannot really find the root cause. Here is the log
file below

Loading User Symbols

Loading unloaded module list

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, {19033d, fffffadbf241c530, fffffadbf241bf40, fffffadbf13e9ddc}

Probably caused by : Ntfs.sys ( Ntfs!NtfsCalculateNamedBytes+79 )

Followup: MachineOwner

8: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 000000000019033d
Arg2: fffffadbf241c530
Arg3: fffffadbf241bf40
Arg4: fffffadbf13e9ddc

Debugging Details:

EXCEPTION_RECORD: fffffadbf241c530 – (.exr 0xfffffadbf241c530)
ExceptionAddress: fffffadbf13e9ddc
(Ntfs!NtfsCalculateNamedBytes+0x0000000000000079)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000000000001f
Attempt to read from address 000000000000001f

CONTEXT: fffffadbf241bf40 – (.cxr 0xfffffadbf241bf40)
rax=ffffffffffffffff rbx=0000000000000000 rcx=00000000fffe0019
rdx=fffffadc1877f1c8 rsi=fffffadbf241cb50 rdi=000000000dae421e
rip=fffffadbf13e9ddc rsp=fffffadbf241c758 rbp=fffffadbf1461c50
r8=fffffadc128e3018 r9=0000000000000000 r10=fffffadc1877f1c8
r11=fffffadc128e3000 r12=fffffadc1877f4d0 r13=fffffadc1877f1c8
r14=0000000000000000 r15=fffffadbf241cb50
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010246
Ntfs!NtfsCalculateNamedBytes+0x79:
fffffadbf13e9ddc 0fb74820 movzx ecx,word ptr [rax+20h] ds:002b:000000000000001f=???
Resetting default scope

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced
memory at “0x%08lx”. The memory could not be “%s”.

READ_ADDRESS: 000000000000001f

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from fffffadbf145e995 to fffffadbf13e9ddc

STACK_TEXT:
fffffadbf241c758 fffffadbf145e995 : 0000000000000000 fffffadbf1461c50
fffffadbf241cb50 000000000dae421e : Ntfs!NtfsCalculateNamedBytes+0x79
fffffadbf241c760 fffffadbf1461d7b : fffffadbf241cb20 fffffadbf1461c50
fffffadbf241cb00 fffff800011ce900 : Ntfs!NtfsCheckpointVolume+0x890
fffffadbf241cab0 fffff8000103768a : 000000000000015c fffffadbf142f188
fffffadc18c0b7a0 fffff800011ce980 : Ntfs!NtfsCheckpointAllVolumes+0x127
fffffadbf241cd00 fffff8000124b972 : fffffadc18c0b7a0 0000000000000080
fffffadc18c0b7a0 fffffadbf1fc3680 : nt!ExpWorkerThread+0x13b
fffffadbf241cd70 fffff800010202d6 : fffffadbf1fbb180 fffffadc18c0b7a0
fffffadbf1fc3680 0000000000000000 : nt!PspSystemThreadStartup+0x3e
fffffadbf241cdd0 0000000000000000 : 0000000000000000 0000000000000000
0000000000000000 0000000000000000 : nt!KxStartSystemThread+0x16

FOLLOWUP_IP:
Ntfs!NtfsCalculateNamedBytes+79
fffffadb`f13e9ddc 0fb74820 movzx ecx,word ptr [rax+20h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsCalculateNamedBytes+79

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 45d699ef

STACK_COMMAND: .cxr 0xfffffadbf241bf40 ; kb

FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsCalculateNamedBytes+79

BUCKET_ID: X64_0x24_Ntfs!NtfsCalculateNamedBytes+79

Followup: MachineOwner


Syed Khairuddin
MVP Windows-IT PRO Expert
http://www.arabitpro.com

Well, it is hard to decode a dump from a module for which you don’t have
source access.

If you look at the dump, you’ll see that the instruction is trying to load
a value relative to rax, and if you look at rax, it is 0xffffffffffffffff.
That’s definitely a Bad Value.

The problem is that some data, somewhere, is corrupted. Since you didn’t
specify anything about the nature of the driver you are working on, or any
real context about when this occurs, it is hard to offer advice on what to
look for. If you are doing some kind of filter driver, it is indicative
that your code is the problem. Either you have not passed in a correct
value, failed to properly initialize a data structure, or accidentally
scribbled over something you weren’t supposed to. There is insufficient
information in this post to suggest what should be looked at, and I
suspect that even the ntfsd experts would have difficulty figuring out
what to do, unless this is a pattern from a “well-known” common bug,
stemming from either failure to RTFM or represents a failure of the FM to
have completely described something.

So tell something more; the dump is not quite enough information to
suggest how to look for the root cause.
joe
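
The arithmetic behind the reply above, as an added example that is not part of the original thread: it parses the `.cxr` register dump and the faulting instruction, recomputes the effective address with 64-bit wraparound, and shows how rax=0xffffffffffffffff plus the 20h displacement gives the reported read address 0x1f. The names `parse_registers` and `explain_fault` are hypothetical, `CXR_TEXT` is an excerpt copied from the post, and only the `[reg+disp]` operand form is handled.

```python
import re

# Excerpt of the .cxr output quoted in the thread (registers + faulting instruction).
CXR_TEXT = """\
rax=ffffffffffffffff rbx=0000000000000000 rcx=00000000fffe0019
rdx=fffffadc1877f1c8 rsi=fffffadbf241cb50 rdi=000000000dae421e
rip=fffffadbf13e9ddc rsp=fffffadbf241c758 rbp=fffffadbf1461c50
Ntfs!NtfsCalculateNamedBytes+0x79:
fffffadbf13e9ddc 0fb74820 movzx ecx,word ptr [rax+20h] ds:002b:000000000000001f=???
"""

MASK64 = (1 << 64) - 1
REG_RE = re.compile(r"\b(r[a-z0-9]{1,3})=([0-9a-f`]{8,17})\b")
# Matches "[reg]" or "[reg+NNh]" followed by WinDbg's "seg:sel:address=" annotation.
OPERAND_RE = re.compile(
    r"\[(r\w+)(?:([+-])([0-9a-f]+)h)?\]\s+\w\w:[0-9a-f]{4}:([0-9a-f`]+)=")


def parse_registers(text):
    """Return {register: value} for every rXX=hex pair in the dump text."""
    return {n: int(v.replace("`", ""), 16) for n, v in REG_RE.findall(text)}


def explain_fault(text):
    """Recompute the faulting address from the base register and displacement."""
    regs = parse_registers(text)
    m = OPERAND_RE.search(text)
    if m is None:
        raise ValueError("no [reg+disp] memory operand found")
    base, sign, disp, reported = m.groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    value = regs[base]
    effective = (value + offset) & MASK64  # 64-bit address arithmetic wraps
    if value == 0:
        kind = "null base pointer"
    elif value == MASK64:
        kind = "base is all ones (-1), not a null pointer"
    else:
        kind = "other base value"
    return {"base": base, "base_value": value, "offset": offset,
            "effective": effective, "kind": kind,
            "matches_reported": effective == int(reported.replace("`", ""), 16)}


if __name__ == "__main__":
    r = explain_fault(CXR_TEXT)
    print(f"{r['base']}={r['base_value']:#x} + {r['offset']:#x} -> "
          f"{r['effective']:#x} ({r['kind']}); matches dump: {r['matches_reported']}")
```
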


WINDBG is sponsored by OSR
