System is writing strange data to sector 15 on Windows partition

Hello.

Recently, while installing updates (later discovered that it's not an update issue) on my test machine, I discovered that the System process is writing some bogus data to sector 15 of the partition where Windows is installed (the last sector of the VBR). And the write operation was not a direct one, but a result of page flushing:

FltAcquirePushLockShared + 0x907
FltIsCallbackDataDirty + 0xa39
fltmgr.sys + 0x16c7
IoSynchronousPageWrite + 0x24f
CcFlushCache + 0x2bcb
CcFlushCache + 0x1108
CcFlushCache + 0x5e9
MmSetAddressRangeModified + 0xa86
MmSetAddressRangeModified + 0x1448
KeReleaseInStackQueuedSpinLock + 0x2f1
PsCreateSystemThread + 0x1e6

Data written to disk:

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000101E00 6B 87 08 38 76 C1 48 4E B7 AE 04 04 6E 6C C7 52 k? 8v?HN?? nl?R
000101E10 01 00 00 00 01 00 00 00 00 1E 00 00 00 00 00 00
000101E20 00 1E 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000101E30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000101E40 D4 AB 61 66 BC 2D E4 11 9C 91 80 6E 6F 6E 69 63 ԫaf?-? ???nonic
000101E50 D4 AB 61 66 BC 2D E4 11 9C 91 80 6E 6F 6E 69 63 ԫaf?-? ???nonic
000101E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000101E70 00 00 00 00 00 00 00 00 00 00 00 00 54 T

Later I discovered that it's not an update issue; it just appears after some time, and the system keeps writing it.

Occasionally the system flushes data to sector 0 with sizes of 4 KB and 16 KB. It's not a problem when the system is installed with two partitions, where the MBR and VBR are on a separate partition and are not touched by these operations. But when there is only one partition, the MBR and VBR are constantly being rewritten on disk! It's not an issue if the data is not modified, but sector 15 is!

The question is: is this an intentional operation or some bogus operation?

With regards, Ishkarov Andrey.

Does it cause any problems?

Open Policy Editor, go to Local Computer Policy->Computer Configuration->Administrative Templates->System. Set “Activate Shutdown Event Tracker System State Data feature” to disabled, reboot. See if the writes stop.

And before you look any further you should fix your symbols; the call stack isn't correct.

-scott
OSR
@OSRDrivers

@Scott Noone:

I didn't use the symbol server, so the correct one looks like this (it's a new shot, so it's a bit different even without symbols):
fltmgr.sys FltpPerformPreCallbacks + 0x2f7
fltmgr.sys FltpPassThrough + 0x2d9
fltmgr.sys FltpDispatch + 0xb7
ntoskrnl.exe IoSynchronousPageWrite + 0x24f
ntoskrnl.exe MiFlushSectionInternal + 0xb7b
ntoskrnl.exe MmFlushSection + 0x1f4
ntoskrnl.exe CcFlushCache + 0x5e9
Ntfs.sys NtfsFlushBootCritical + 0x76
Ntfs.sys NtfsCommonFlushBuffers + 0x3e2
Ntfs.sys NtfsFsdFlushBuffers + 0x10d
fltmgr.sys FltpLegacyProcessingAfterPreCallbacksCompleted + 0x24f
fltmgr.sys FltpDispatch + 0xcf
ntoskrnl.exe IopSynchronousServiceTail + 0xfb
ntoskrnl.exe NtFlushBuffersFile + 0x171
ntoskrnl.exe KiSystemServiceCopyEnd + 0x13
ntoskrnl.exe KiServiceLinkage
ntoskrnl.exe CmpFileFlush + 0x3f
ntoskrnl.exe CmpLazyFlushWorker + 0x33
ntoskrnl.exe ExpWorkerThread + 0x111
ntoskrnl.exe PspSystemThreadStartup + 0x5a
ntoskrnl.exe KiStartSystemThread + 0x16

@Alex Grig:
"Does it cause any problems?" It's a very abstract question. For example, some driver is leaking about 10 MB of paged pool a day; on my 16 GB of RAM it's not that much, and it probably won't cause me any trouble, as I will reboot in a month to install updates. But let's look at an older laptop / workstation with 1 GB of RAM. Will that be trouble? Or take a situation where your car is lighting a warning for its engine to indicate that you should visit a service. Will that cause you trouble in that moment? Nope. But it surely will in the future if you ignore the warning. So don't ask silly questions like these, please :) If something isn't working as it should, it will cause trouble at some time, somewhere.

And as for the policy setting: it's still writing to sector 15 with it disabled.