Windows 7 64 bit dump file analisys points to Ntfs.sys driver
I have a windows 7 machine that crashed over the weekend. I do have a Seagate external hard drive hooked in via usb, for back up. I have installed the bug check application and symbols. The report is point to Ntfs.sys as the problem child.
Below is the first part of the report. Can some one please look at this and tell me what I am to do with the Ntfs.sys driver. How can I update the driver, or is that not what needs to be done?? Please point me in the right direction.
Thanks!!
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff88006ff7588
Arg3: fffff88006ff6df0
Arg4: fffff80002e37a09
Debugging Details:
------------------
EXCEPTION_RECORD: fffff88006ff7588 -- (.exr 0xfffff88006ff7588)
.exr 0xfffff88006ff7588
ExceptionAddress: fffff80002e37a09 (nt!RtlSubtreePredecessor+0x0000000000000009)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: fffff88006ff6df0 -- (.cxr 0xfffff88006ff6df0)
.cxr 0xfffff88006ff6df0
rax=fa8004cf6e4004c0 rbx=fa8004cf6e4004c0 rcx=fffff8a00f3ea028
rdx=fa8004cf6e4004c0 rsi=ffffffffffffffff rdi=0000000000000000
rip=fffff80002e37a09 rsp=fffff88006ff77c8 rbp=fffffa8007be7170
r8=ffffffffffffffff r9=ffffffffffffffff r10=fffff8a010d847e0
r11=fffff8a00f3ea028 r12=0000000000000705 r13=0000000000000000
r14=fffffa8007be7128 r15=fffff8a010d84b78
iopl=0 nv up ei ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010286
nt!RtlSubtreePredecessor+0x9:
fffff800`02e37a09 488b4810 mov rcx,qword ptr [rax+10h] ds:002b:fa8004cf`6e4004d0=????????????????
.cxr
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030b80e0
ffffffffffffffff
FOLLOWUP_IP:
Ntfs!NtfsDeleteScb+108
fffff880`012aabcc 488b03 mov rax,qword ptr [rbx]
FAULTING_IP:
nt!RtlSubtreePredecessor+9
fffff800`02e37a09 488b4810 mov rcx,qword ptr [rax+10h]
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from fffff80002e63ca8 to fffff80002e37a09
STACK_TEXT:
fffff880`06ff77c8 fffff800`02e63ca8 : 00000000`000007ff 00000000`00000150 fffff8a0`10c9f8f0 fffff880`01026633 : nt!RtlSubtreePredecessor+0x9
fffff880`06ff77d0 fffff880`01028373 : fffffa80`05fd1668 fffffa80`07d01b50 fffffa80`07d01bb0 ffffffff`ffffffff : nt!RtlDeleteNoSplay+0x7c
fffff880`06ff7800 fffff880`01024238 : ffffffff`ffffffff fffff8a0`10cc9630 fffffa80`6e664d46 fffff880`0102d66e : fltmgr!TreeUnlinkNoBalance+0x13
fffff880`06ff7830 fffff880`0104235c : 00000000`00000130 fffff8a0`10c53c00 00000000`000007ff 00000000`00000040 : fltmgr!TreeUnlinkMulti+0x148
fffff880`06ff7880 fffff880`01044bc1 : fffffa80`05fd1010 00000000`00000130 fffff8a0`10d84910 fffff8a0`10d84910 : fltmgr!FltpDeleteContextList+0x3c
fffff880`06ff78b0 fffff880`01044b7b : fffffa80`05fd1010 fffff8a0`10d84b78 fffffa80`05fd1010 fffff800`030255a0 : fltmgr!CleanupStreamListCtrl+0x21
fffff880`06ff78e0 fffff800`0316f896 : 00000000`00000001 fffff880`012ab0b8 fffff880`06ff79b0 00000000`00000000 : fltmgr!DeleteStreamListCtrlCallback+0x6b
fffff880`06ff7910 fffff880`012aabcc : fffff8a0`10d84910 fffffa80`08812040 fffff880`06ff79e8 00000000`00000706 : nt!FsRtlTeardownPerStreamContexts+0xe2
fffff880`06ff7960 fffff880`012aa8d5 : 00000000`00000000 00000000`00000000 fffff800`03025500 00000000`00000001 : Ntfs!NtfsDeleteScb+0x108
fffff880`06ff79a0 fffff880`0121dcb4 : fffff8a0`10d84810 fffff8a0`10d84910 fffff800`03025500 fffff880`06ff7b12 : Ntfs!NtfsRemoveScb+0x61
fffff880`06ff79e0 fffff880`012a82dc : fffff8a0`10d847e0 fffff800`030255a0 fffff880`06ff7b12 fffffa80`07c1e010 : Ntfs!NtfsPrepareFcbForRemoval+0x50
fffff880`06ff7a10 fffff880`01226882 : fffffa80`07c1e010 fffffa80`07c1e010 fffff8a0`10d847e0 00000000`00000000 : Ntfs!NtfsTeardownStructures+0xdc
fffff880`06ff7a90 fffff880`012bf813 : fffffa80`07c1e010 fffff800`030255a0 fffff8a0`10d847e0 00000000`00000009 : Ntfs!NtfsDecrementCloseCounts+0xa2
fffff880`06ff7ad0 fffff880`0129938f : fffffa80`07c1e010 fffff8a0`10d84910 fffff8a0`10d847e0 fffffa80`05875180 : Ntfs!NtfsCommonClose+0x353
fffff880`06ff7ba0 fffff800`02e8d961 : 00000000`00000000 fffff880`0116e500 fffffa80`06837901 00000000`00000002 : Ntfs!NtfsFspClose+0x15f
fffff880`06ff7c70 fffff800`03124c06 : 00000000`00000000 fffffa80`08812040 00000000`00000080 fffffa80`039dc040 : nt!ExpWorkerThread+0x111
fffff880`06ff7d00 fffff800`02e5ec26 : fffff880`009ea180 fffffa80`08812040 fffff880`009f4fc0 fffff880`01223534 : nt!PspSystemThreadStartup+0x5a
fffff880`06ff7d40 00000000`00000000 : fffff880`06ff8000 fffff880`06ff2000 fffff880`06ff79b0 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: Ntfs!NtfsDeleteScb+108
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bc14f
STACK_COMMAND: .cxr 0xfffff88006ff6df0 ; kb
FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsDeleteScb+108
BUCKET_ID: X64_0x24_Ntfs!NtfsDeleteScb+108
Followup: MachineOwner
---------
1: kd> !thread
GetPointerFromAddress: unable to read from fffff800030b8000
THREAD fffffa8008812040 Cid 0004.0b94 Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
GetUlongFromAddress: unable to read from fffff80002ff6b74
Owning Process fffffa80039dc040 Image: System
Attached Process N/A Image: N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount 1144093
Context Switch Count 2119
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address nt!ExpWorkerThread (0xfffff80002e8d850)
Stack Init fffff88006ff7d70 Current fffff88006ff79b0
Base fffff88006ff8000 Limit fffff88006ff2000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP RetAddr : Args to Child
: Call Site
fffff880`06ff65a8 fffff880`012363d8 : 00000000`00000024 00000000`001904fb fffff880`06ff7588 fffff880`06ff6df0 : nt!KeBugCheckEx
fffff880`06ff65b0 fffff880`0130af80 : fffff880`01266fc8 fffff880`06ff7ba0 fffff880`06ff7ba0 00000000`00000000 : Ntfs! ?? ::FNODOBFM::`string'+0x2cc9
fffff880`06ff65f0 fffff800`02eaed1c : 00000000`00000001 fffff880`06ff6700 fffffa80`05dbf180 00000000`00000000 : Ntfs! ?? ::NNGAKEGL::`string'+0x7d3d
fffff880`06ff6640 fffff800`02ea640d : fffff880`01266fbc fffff880`06ff7ba0 00000000`00000000 fffff880`01215000 : nt!_C_specific_handler+0x8c
fffff880`06ff66b0 fffff800`02eada90 : fffff880`01266fbc fffff880`06ff6728 fffff880`06ff7588 fffff880`01215000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`06ff66e0 fffff800`02eba9ef : fffff880`06ff7588 fffff880`06ff6df0 fffff880`00000000 00000000`00000000 : nt!RtlDispatchException+0x410
fffff880`06ff6dc0 fffff800`02e7fd82 : fffff880`06ff7588 fa8004cf`6e4004c0 fffff880`06ff7630 ffffffff`ffffffff : nt!KiDispatchException+0x16f
fffff880`06ff7450 fffff800`02e7e68a : f8a010c9`21900400 00000000`00000000 fffffa80`07d01b58 00000000`00000004 : nt!KiExceptionDispatch+0xc2
fffff880`06ff7630 fffff800`02e37a09 : fffff800`02e63ca8 00000000`000007ff 00000000`00000150 fffff8a0`10c9f8f0 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`06ff7630)
fffff880`06ff77c8 fffff800`02e63ca8 : 00000000`000007ff 00000000`00000150 fffff8a0`10c9f8f0 fffff880`01026633 : nt!RtlSubtreePredecessor+0x9
fffff880`06ff77d0 fffff880`01028373 : fffffa80`05fd1668 fffffa80`07d01b50 fffffa80`07d01bb0 ffffffff`ffffffff : nt!RtlDeleteNoSplay+0x7c
fffff880`06ff7800 fffff880`01024238 : ffffffff`ffffffff fffff8a0`10cc9630 fffffa80`6e664d46 fffff880`0102d66e : fltmgr!TreeUnlinkNoBalance+0x13
fffff880`06ff7830 fffff880`0104235c : 00000000`00000130 fffff8a0`10c53c00 00000000`000007ff 00000000`00000040 : fltmgr!TreeUnlinkMulti+0x148
fffff880`06ff7880 fffff880`01044bc1 : fffffa80`05fd1010 00000000`00000130 fffff8a0`10d84910 fffff8a0`10d84910 : fltmgr!FltpDeleteContextList+0x3c
fffff880`06ff78b0 fffff880`01044b7b : fffffa80`05fd1010 fffff8a0`10d84b78 fffffa80`05fd1010 fffff800`030255a0 : fltmgr!CleanupStreamListCtrl+0x21
fffff880`06ff78e0 fffff800`0316f896 : 00000000`00000001 fffff880`012ab0b8 fffff880`06ff79b0 00000000`00000000 : fltmgr!DeleteStreamListCtrlCallback+0x6b
fffff880`06ff7910 fffff880`012aabcc : fffff8a0`10d84910 fffffa80`08812040 fffff880`06ff79e8 00000000`00000706 : nt!FsRtlTeardownPerStreamContexts+0xe2
fffff880`06ff7960 fffff880`012aa8d5 : 00000000`00000000 00000000`00000000 fffff800`03025500 00000000`00000001 : Ntfs!NtfsDeleteScb+0x108
fffff880`06ff79a0 fffff880`0121dcb4 : fffff8a0`10d84810 fffff8a0`10d84910 fffff800`03025500 fffff880`06ff7b12 : Ntfs!NtfsRemoveScb+0x61
fffff880`06ff79e0 fffff880`012a82dc : fffff8a0`10d847e0 fffff800`030255a0 fffff880`06ff7b12 fffffa80`07c1e010 : Ntfs!NtfsPrepareFcbForRemoval+0x50
fffff880`06ff7a10 fffff880`01226882 : fffffa80`07c1e010 fffffa80`07c1e010 fffff8a0`10d847e0 00000000`00000000 : Ntfs!NtfsTeardownStructures+0xdc
fffff880`06ff7a90 fffff880`012bf813 : fffffa80`07c1e010 fffff800`030255a0 fffff8a0`10d847e0 00000000`00000009 : Ntfs!NtfsDecrementCloseCounts+0xa2
fffff880`06ff7ad0 fffff880`0129938f : fffffa80`07c1e010 fffff8a0`10d84910 fffff8a0`10d847e0 fffffa80`05875180 : Ntfs!NtfsCommonClose+0x353
fffff880`06ff7ba0 fffff800`02e8d961 : 00000000`00000000 fffff880`0116e500 fffffa80`06837901 00000000`00000002 : Ntfs!NtfsFspClose+0x15f
fffff880`06ff7c70 fffff800`03124c06 : 00000000`00000000 fffffa80`08812040 00000000`00000080 fffffa80`039dc040 : nt!ExpWorkerThread+0x111
fffff880`06ff7d00 fffff800`02e5ec26 : fffff880`009ea180 fffffa80`08812040 fffff880`009f4fc0 fffff880`01223534 : nt!PspSystemThreadStartup+0x5a
fffff880`06ff7d40 00000000`00000000 : fffff880`06ff8000 fffff880`06ff2000 fffff880`06ff79b0 00000000`00000000 : nt!KxStartSystemThread+0x16HhTech
November 15th, 2010 9:58am
Please run chkdsk C: /r /f."A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
Free Windows Admin Tool Kit Click here and download it now
November 15th, 2010 2:18pm
You may troubleshoot in Clean Boot Mode.
Perform a clean startup to determine whether background programs are interfering with your game or program
Please be assure that the antivirus is not enabled in Clean Boot Mode.
If the issue persists in Clean Boot Mode, please try to download firmware updates for your BIOS and hard drive.
If the issue remains, please check driver signature, rename all unsigned drivers and check the result. To do so, in Start Search box enter sigverif.exe. Then click the start button in “File Signature Verification”. In the result list, please
pick up *.sys files, rename one of them and then shut down or restart to check if the issue still occurs. If the issue persists, rename another *.sys file listed in the result of driver signature verifying, and check result again. By doing so we can determine
which un-singed driver is the root cause.
Arthur Xie
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
tngfb@microsoft.com.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 16th, 2010 12:17am
Thanks for the input! I have run the chkdsk command on all internal drives. I have not yet completed the chkdsk on the external drive. I looked in the event veiwer and their was an error message 'Kernal Power' Error 41 - which pointed to drive 8, whick is
the external backup drive.
I am running a chkdsk on the external drive now. I'll update whaen it finishes.
Could the external drive throw this error and make the system crash, or possibly the RAM memory?
HhTech
Free Windows Admin Tool Kit Click here and download it now
November 16th, 2010 10:40am
Have you tried to upgrade firmware for your BIOS and hard drive?Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 19th, 2010 2:46am
Hi,
I just would like to confirm if you have got the issue resolved.Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
November 25th, 2010 1:52am
The issue is still happening. I have updated the firmware on the drives and the BIOS. I have run numorus chkdsk scans and sfc /scannow scans. This seems to fix the problem only for a day or 2 then the BSOD comes back again. I have examined the dump files
and each time it points to the driver NTSF.sys.
Could this be caused by RAM? I have run a memory test and all seems to be ok, but I suspect the RAM because I have used this memory in other servers and had similar issues. Could failing RAM cause this type of action?
Thanks!HhTech
December 1st, 2010 1:57pm
test the RAM and also check the HDD with a diagnsotic toolkit from your HDD manufacture."A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
Free Windows Admin Tool Kit Click here and download it now
December 1st, 2010 3:03pm