MiniDump analysis help needed

  • Question

  • My Win8.1 x64 Pro machine is used as our HTPC server and has been occasionally crashing as of late. There have been 4 of these thus far, with the latest one's Windbg output shown below.

    Help with interpreting these results and possible next steps to take would be appreciated. Unfortunately, the Windbg tool is a bit beyond my abilities at this point in time.


    Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [C:\Users\Public\Documents\101017-24031-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available


    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV*https://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV*https://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 8.1 Kernel Version 9600 MP (8 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 9600.18790.amd64fre.winblue_ltsb.170810-1616
    Machine Name:
    Kernel base = 0xfffff803`9cc0e000 PsLoadedModuleList = 0xfffff803`9cee0650
    Debug session time: Tue Oct 10 22:11:12.579 2017 (UTC - 7:00)
    System Uptime: 5 days 1:28:53.329
    Loading Kernel Symbols
    .

    Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
    Run !sym noisy before .reload to track down problems loading symbols.

    ..............................................................
    ................................................................
    .........................
    Loading User Symbols
    Loading unloaded module list
    ..................................................
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1E, {ffffffffc0000005, fffff80165dc470b, 1, 38000000d8}

    Probably caused by : Ntfs.sys ( Ntfs!LfsWriteLogRecordIntoLogPage+5eb )

    Followup:     MachineOwner
    ---------

    4: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KMODE_EXCEPTION_NOT_HANDLED (1e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Arguments:
    Arg1: ffffffffc0000005, The exception code that was not handled
    Arg2: fffff80165dc470b, The address that the exception occurred at
    Arg3: 0000000000000001, Parameter 0 of the exception
    Arg4: 00000038000000d8, Parameter 1 of the exception

    Debugging Details:
    ------------------


    DUMP_CLASS: 1

    DUMP_QUALIFIER: 400

    BUILD_VERSION_STRING:  6.3.9600.18790 (winblue_ltsb.170810-1616)

    SYSTEM_MANUFACTURER:  OEM

    SYSTEM_PRODUCT_NAME:  OEM

    SYSTEM_VERSION:  OEM

    BIOS_VENDOR:  Phoenix Technologies, LTD

    BIOS_VERSION:  6.00 PG

    BIOS_DATE:  08/25/2011

    BASEBOARD_MANUFACTURER:   EVGA

    BASEBOARD_PRODUCT:  X58 SLI Classified

    BASEBOARD_VERSION:  Tylersburg

    DUMP_TYPE:  2

    BUGCHECK_P1: ffffffffc0000005

    BUGCHECK_P2: fffff80165dc470b

    BUGCHECK_P3: 1

    BUGCHECK_P4: 38000000d8

    WRITE_ADDRESS: GetUlongPtrFromAddress: unable to read from fffff8039cf692a8
    GetUlongPtrFromAddress: unable to read from fffff8039cf69520
     00000038000000d8

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP:
    Ntfs!LfsWriteLogRecordIntoLogPage+5eb
    fffff801`65dc470b 4183491001      or      dword ptr [r9+10h],1

    EXCEPTION_PARAMETER1:  0000000000000001

    EXCEPTION_PARAMETER2:  00000038000000d8

    BUGCHECK_STR:  0x1E_c0000005_W

    CPU_COUNT: 8

    CPU_MHZ: beb

    CPU_VENDOR:  GenuineIntel

    CPU_FAMILY: 6

    CPU_MODEL: 1a

    CPU_STEPPING: 5

    CPU_MICROCODE: 6,1a,5,0 (F,M,S,R)  SIG: 16'00000000 (cache) 16'00000000 (init)

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

    PROCESS_NAME:  TiWorker.exe

    CURRENT_IRQL:  0

    ANALYSIS_SESSION_HOST:  HTPC

    ANALYSIS_SESSION_TIME:  10-11-2017 17:57:44.0291

    ANALYSIS_VERSION: 10.0.15063.468 amd64fre

    EXCEPTION_RECORD:  ffffe000b090d880 -- (.exr 0xffffe000b090d880)
    ExceptionAddress: ffffe000b090d888
       ExceptionCode: 00000006
      ExceptionFlags: 00000000
    NumberParameters: 0

    TRAP_FRAME:  0000000000000001 -- (.trap 0x1)
    Unable to read trap frame at 00000000`00000001

    LAST_CONTROL_TRANSFER:  from fffff8039cd0bd91 to fffff8039cd5bda0

    STACK_TEXT: 
    ffffd001`f3bb1628 fffff803`9cd0bd91 : 00000000`0000001e ffffffff`c0000005 fffff801`65dc470b 00000000`00000001 : nt!KeBugCheckEx
    ffffd001`f3bb1630 fffff803`9cd679ce : ffffe000`b090d880 ffffd001`f3bb1dc0 00000000`00000001 fffff803`9cc53a57 : nt!KiDispatchException+0x1dd
    ffffd001`f3bb1d20 fffff803`9cd66114 : 00000000`00000001 00000001`67149df9 c0019e56`72700400 00000001`a6b9c8c2 : nt!KiExceptionDispatch+0xce
    ffffd001`f3bb1f00 fffff801`65dc470b : 00000000`4accada0 00000000`00000000 00000000`00000fc8 ffffcf81`4accada0 : nt!KiPageFault+0x214
    ffffd001`f3bb2098 ffffcf81`4ace2fc0 : fffff801`00000000 ffffb001`000000a0 ffffcf81`00000020 ffffe000`000000a0 : Ntfs!LfsWriteLogRecordIntoLogPage+0x5eb
    ffffd001`f3bb2138 fffff801`00000000 : ffffb001`000000a0 ffffcf81`00000020 ffffe000`000000a0 00000000`00000008 : 0xffffcf81`4ace2fc0
    ffffd001`f3bb2140 ffffb001`000000a0 : ffffcf81`00000020 ffffe000`000000a0 00000000`00000008 ffffe000`00000001 : 0xfffff801`00000000
    ffffd001`f3bb2148 ffffcf81`00000020 : ffffe000`000000a0 00000000`00000008 ffffe000`00000001 ffffcf81`79958dfc : 0xffffb001`000000a0
    ffffd001`f3bb2150 ffffe000`000000a0 : 00000000`00000008 ffffe000`00000001 ffffcf81`79958dfc 00000001`67149dee : 0xffffcf81`00000020
    ffffd001`f3bb2158 00000000`00000008 : ffffe000`00000001 ffffcf81`79958dfc 00000001`67149dee 00000001`67149dee : 0xffffe000`000000a0
    ffffd001`f3bb2160 ffffe000`00000001 : ffffcf81`79958dfc 00000001`67149dee 00000001`67149dee 00000000`000000c8 : 0x8
    ffffd001`f3bb2168 ffffcf81`79958dfc : 00000001`67149dee 00000001`67149dee 00000000`000000c8 ffffe000`ab140000 : 0xffffe000`00000001
    ffffd001`f3bb2170 00000001`67149dee : 00000001`67149dee 00000000`000000c8 ffffe000`ab140000 ffffd001`f3bb22b8 : 0xffffcf81`79958dfc
    ffffd001`f3bb2178 00000001`67149dee : 00000000`000000c8 ffffe000`ab140000 ffffd001`f3bb22b8 00000000`00000108 : 0x00000001`67149dee
    ffffd001`f3bb2180 00000000`000000c8 : ffffe000`ab140000 ffffd001`f3bb22b8 00000000`00000108 ffffb001`e166bc00 : 0x00000001`67149dee
    ffffd001`f3bb2188 ffffe000`ab140000 : ffffd001`f3bb22b8 00000000`00000108 ffffb001`e166bc00 ffffe000`ab141180 : 0xc8
    ffffd001`f3bb2190 ffffd001`f3bb22b8 : 00000000`00000108 ffffb001`e166bc00 ffffe000`ab141180 ffffe000`ab141101 : 0xffffe000`ab140000
    ffffd001`f3bb2198 00000000`00000108 : ffffb001`e166bc00 ffffe000`ab141180 ffffe000`ab141101 ffffe000`ab141658 : 0xffffd001`f3bb22b8
    ffffd001`f3bb21a0 ffffb001`e166bc00 : ffffe000`ab141180 ffffe000`ab141101 ffffe000`ab141658 ffffcf81`4accada0 : 0x108
    ffffd001`f3bb21a8 ffffe000`ab141180 : ffffe000`ab141101 ffffe000`ab141658 ffffcf81`4accada0 fffff803`9d294791 : 0xffffb001`e166bc00
    ffffd001`f3bb21b0 ffffe000`ab141101 : ffffe000`ab141658 ffffcf81`4accada0 fffff803`9d294791 ffffcf81`4ace2fc0 : 0xffffe000`ab141180
    ffffd001`f3bb21b8 ffffe000`ab141658 : ffffcf81`4accada0 fffff803`9d294791 ffffcf81`4ace2fc0 ffffcf81`79958d00 : 0xffffe000`ab141101
    ffffd001`f3bb21c0 ffffcf81`4accada0 : fffff803`9d294791 ffffcf81`4ace2fc0 ffffcf81`79958d00 ffffb001`e166bd48 : 0xffffe000`ab141658
    ffffd001`f3bb21c8 fffff803`9d294791 : ffffcf81`4ace2fc0 ffffcf81`79958d00 ffffb001`e166bd48 00000000`00000108 : 0xffffcf81`4accada0
    ffffd001`f3bb21d0 fffff801`65dc52b0 : ffffcf81`79958de8 ffffcf81`79958de8 00000000`00000000 ffffd001`f3bb2200 : nt!VerifierExAcquireResourceSharedLite+0x65
    ffffd001`f3bb2210 fffff801`65d7ee54 : ffffcf81`cb95cb80 ffffd001`f3bb2a29 ffffcf81`79958de8 ffffcf81`c1e2cec0 : Ntfs!NtfsWriteLog+0x4d0
    ffffd001`f3bb2460 fffff801`65de11a5 : ffffcf81`79958de8 ffffb001`e166bd08 ffffd001`f3bb2688 ffffb001`e166bc00 : Ntfs!InsertSimpleRoot+0x297
    ffffd001`f3bb2530 fffff801`65de1e43 : 00000000`03f2b000 ffffcf81`cb95cb80 ffffd001`f3bb2688 ffffcf81`c1e2cf30 : Ntfs!AddToIndex+0x11d
    ffffd001`f3bb25f0 fffff801`65dd9239 : ffffd001`f3bb2afe 00000000`00000000 ffffcf81`79958de8 00000000`00000000 : Ntfs!NtfsAddIndexEntry+0x143
    ffffd001`f3bb2840 fffff801`65de03b7 : ffffcf81`d3036b00 ffffcf81`cb95cb80 ffffcf81`79958de8 ffffcf81`d3036e00 : Ntfs!NtfsAddNameToParent+0x418
    ffffd001`f3bb2950 fffff801`65dd34fd : ffffd001`f3bb2ea8 ffffcf81`d3036c30 ffffd000`24635310 00000000`00000000 : Ntfs!NtfsAddLink+0x1d7
    ffffd001`f3bb2a70 fffff801`65db430c : 00000000`00000000 ffffe000`ab141030 ffffcf81`79958de8 ffffd000`24635310 : Ntfs!NtfsCreateNewFile+0x8d5
    ffffd001`f3bb2dc0 fffff801`65db6f2d : ffffcf81`79958de8 ffffe000`ab6f8bd0 ffffd000`24635310 ffffe000`b090d800 : Ntfs!NtfsCommonCreate+0x13bc
    ffffd001`f3bb2f50 fffff803`9cd5f6f7 : ffffd000`246352e0 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsCommonCreateCallout+0x1d
    ffffd001`f3bb2f80 fffff803`9cd5f6bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxSwitchKernelStackCallout+0x27
    ffffd000`24635150 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSwitchKernelStackContinue


    STACK_COMMAND:  kb

    THREAD_SHA1_HASH_MOD_FUNC:  7c17b8dbca6aee61ad514355d228f0ab30ff98fd

    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  0cb68a963ede1623303b869271ea7d41ec44986a

    THREAD_SHA1_HASH_MOD:  643561d0f40b374ad8d0bbccb92dacb783ab8c3f

    FOLLOWUP_IP:
    Ntfs!LfsWriteLogRecordIntoLogPage+5eb
    fffff801`65dc470b 4183491001      or      dword ptr [r9+10h],1

    FAULT_INSTR_CODE:  10498341

    SYMBOL_STACK_INDEX:  4

    SYMBOL_NAME:  Ntfs!LfsWriteLogRecordIntoLogPage+5eb

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Ntfs

    IMAGE_NAME:  Ntfs.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  59610406

    IMAGE_VERSION:  6.3.9600.18759

    BUCKET_ID_FUNC_OFFSET:  5eb

    FAILURE_BUCKET_ID:  0x1E_c0000005_W_VRF_Ntfs!LfsWriteLogRecordIntoLogPage

    BUCKET_ID:  0x1E_c0000005_W_VRF_Ntfs!LfsWriteLogRecordIntoLogPage

    PRIMARY_PROBLEM_CLASS:  0x1E_c0000005_W_VRF_Ntfs!LfsWriteLogRecordIntoLogPage

    TARGET_TIME:  2017-10-11T05:11:12.000Z

    OSBUILD:  9600

    OSSERVICEPACK:  18790

    SERVICEPACK_NUMBER: 0

    OS_REVISION: 0

    SUITE_MASK:  272

    PRODUCT_TYPE:  1

    OSPLATFORM_TYPE:  x64

    OSNAME:  Windows 8.1

    OSEDITION:  Windows 8.1 WinNt TerminalServer SingleUserTS

    OS_LOCALE: 

    USER_LCID:  0

    OSBUILD_TIMESTAMP:  2017-08-10 18:32:19

    BUILDDATESTAMP_STR:  170810-1616

    BUILDLAB_STR:  winblue_ltsb

    BUILDOSVER_STR:  6.3.9600.18790

    ANALYSIS_SESSION_ELAPSED_TIME:  6f5

    ANALYSIS_SOURCE:  KM

    FAILURE_ID_HASH_STRING:  km:0x1e_c0000005_w_vrf_ntfs!lfswritelogrecordintologpage

    FAILURE_ID_HASH:  {a2b241ee-5682-da03-f7ec-80c3ddb62438}

    Followup:     MachineOwner
    ---------

    Thursday, October 12, 2017 1:29 AM

All replies

  • It looks like a memory corruption problem. This is most often caused by a bad driver, but could be caused by bad memory. The first thing is to check your memory using the built-in memory test, as documented here. If the memory is OK, then you need to find the offending driver. This can be done by either disabling the third-party drivers until you find that your system isn't crashing anymore (which can take a lot of time), or you can use the driver verifier and enable 'special pool' for a few drivers at a time, until you find the culprit (there is a limit on the amount of special pool in the system, so you cannot enable special pool for all drivers - nor would you want to, because it also slows things down, and changing the timing may mask the problem).

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Thursday, October 12, 2017 2:17 AM
    Moderator
  • Hello Brian,

    Memory checks out OK. No errors reported.

    As shown in the minidump, Verifier should be turned on for ntfs.sys (assuming I did it correctly). If no discernible usefulness is present in the above dump, I'll retry Verifier with special pool, pool tracking, and I/O verification enabled.

    Plz advise...

    Thx

    Friday, October 13, 2017 10:36 PM
  • Given the amount of testing that NTFS undergoes, the chance of a bug there is infinitesimal. You need to enable special pool on groups (maybe 3 or 4 at a time) of third-party (non-Microsoft) drivers, and then exercise those drivers.

     -Brian



    Friday, October 13, 2017 10:39 PM
    Moderator
  • I double-checked the Verifier settings as shown below. These were in place when the above dump was created. Given this, what does the dump indicate is the most likely culprit at this point in time?

    Verified drivers:
      jraid.sys
      scsiport.sys
      ntfs.sys
      nvlddmkm.sys

    Standard Flags:
      [X] (0x00000001) Special pool
      [X] (0x00000002) Force IRQL checking
      [X] (0x00000008) Pool tracking
      [X] (0x00000020) Deadlock detection
      [X] (0x00000100) Security checks
      [X] (0x00000800) Miscellaneous checks
      [X] (0x00020000) DDI compliance checking

    Bootmode:
      Persistent

    Rules:
      All rules using default settings.

    Monday, October 16, 2017 1:57 AM
  • None of the above. As I wrote earlier, turning on verifier for Microsoft drivers is largely pointless. One of the most important principles to understand regarding troubleshooting is that the victim is not always the culprit. In this case, NTFS was the victim, but there is a 99.99999% chance that some other driver overwrote its buffer allocation and corrupted one of NTFS' buffers. You might try using the !pool command and look at the pool allocations and see what driver's buffers are on either side of the NTFS buffer.

     -Brian



    Monday, October 16, 2017 2:02 AM
    Moderator
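
The fields of the dump that support the "victim, not culprit" reading can be decoded mechanically. The following is an added example, not part of the thread and not WinDbg's own code: a small Python triage of `!analyze -v` text for bugcheck 0x1E. The names `triage` and `is_kernel_va` are this example's own, and the sample lines are copied from the dump in the question.

```python
import re

# Sample input: the lines of the dump above that the triage needs.
SAMPLE = """\
BugCheck 1E, {ffffffffc0000005, fffff80165dc470b, 1, 38000000d8}
FAULTING_IP:
Ntfs!LfsWriteLogRecordIntoLogPage+5eb
fffff801`65dc470b 4183491001      or      dword ptr [r9+10h],1
FAILURE_BUCKET_ID:  0x1E_c0000005_W_VRF_Ntfs!LfsWriteLogRecordIntoLogPage
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
ACCESS = {0: "read", 1: "write", 8: "execute"}  # exception parameter 0

def is_kernel_va(addr):
    """On x64 Windows, kernel-mode addresses lie in the canonical upper half."""
    return addr >= 0xFFFF800000000000

def triage(text):
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    out = {"bugcheck": code, "verifier": False}
    if code == 0x1E:  # KMODE_EXCEPTION_NOT_HANDLED
        out["exception"] = args[0] & 0xFFFFFFFF  # Arg1 is a sign-extended NTSTATUS
        out["fault_ip"] = args[1]
        if out["exception"] == STATUS_ACCESS_VIOLATION:
            out["access"] = ACCESS.get(args[2], "unknown")
            out["target"] = args[3]
            out["target_is_kernel_va"] = is_kernel_va(args[3])
    sym = re.search(r"FAULTING_IP:\s+(\w+)!(\w+)\+([0-9a-fA-F]+)", text)
    if sym:
        out["module"], out["function"] = sym.group(1), sym.group(2)
    bucket = re.search(r"^FAILURE_BUCKET_ID:\s*(\S+)", text, re.M)
    if bucket:  # the VRF tag marks a crash taken with Driver Verifier active
        out["verifier"] = "_VRF_" in bucket.group(1)
    # Recover the base register value from the "[reg+NNh]" operand of the faulting write.
    op = re.search(r"\[(\w+)\+([0-9a-fA-F]+)h\]", text)
    if op and "target" in out:
        out["base_reg"] = op.group(1)
        out["base_value"] = out["target"] - int(op.group(2), 16)
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

For this dump the result is a write by Ntfs code through `r9` to an address that is not a kernel virtual address at all, which is what a pointer field overwritten by someone else looks like from the victim's side.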