BSOD
Hello,
I am getting a BSOD when i load a lot of applications.
Here is the .dmp
https://skydrive.live.com/?cid=5fccfcc000d40513&id=5FCCFCC000D40513%21111#
I ran an !analyze -v on it and here is what I got.
BugCheck 24, {1904fb, fffff8800448f0e8, fffff8800448e940, fffff80003ab23d1}
Probably caused by : Ntfs.sys ( Ntfs!NtfsFlushUserStream+b4 )
Followup: MachineOwner
---------
4: kd> !analyze -v
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff8800448f0e8
Arg3: fffff8800448e940
Arg4: fffff80003ab23d1
Debugging Details:
------------------
EXCEPTION_RECORD: fffff8800448f0e8 -- (.exr 0xfffff8800448f0e8)
ExceptionAddress: fffff80003ab23d1 (nt!CcUnmapVacbArray+0x0000000000000161)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000400000010
Attempt to read from address 0000000400000010
CONTEXT: fffff8800448e940 -- (.cxr 0xfffff8800448e940)
rax=fffffa800da4a700 rbx=00000000014c0000 rcx=0000000000000053
rdx=fffff80003c907f0 rsi=0000000001500000 rdi=0000000001500000
rip=fffff80003ab23d1 rsp=fffff8800448f320 rbp=0000000400000000
r8=0000000018026040 r9=0000000000000000 r10=0000000018010400
r11=fffff8a001311860 r12=00000000014c0000 r13=fffffa800da5be00
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
nt!CcUnmapVacbArray+0x161:
fffff800`03ab23d1 66837d1000 cmp word ptr [rbp+10h],0 ss:0018:00000004`00000010=????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: MsMpEng.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000400000010
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003cc1100
0000000400000010
FOLLOWUP_IP:
Ntfs!NtfsFlushUserStream+b4
fffff880`014916d4 389c24a0000000 cmp byte ptr [rsp+0A0h],bl
FAULTING_IP:
nt!CcUnmapVacbArray+161
fffff800`03ab23d1 66837d1000 cmp word ptr [rbp+10h],0
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from fffff80003ad0969 to fffff80003ab23d1
STACK_TEXT:
fffff880`0448f320 fffff800`03ad0969 : fffff8a0`01319101 00000000`00000000 fffff880`0448f4e8 00000000`00000000 : nt!CcUnmapVacbArray+0x161
fffff880`0448f3b0 fffff880`014916d4 : fffffa80`0da4f168 00000000`00000000 fffff8a0`00000000 00000000`00000001 : nt!CcFlushCache+0x8e9
fffff880`0448f4b0 fffff880`014874e3 : 00000000`00000000 fffff8a0`0131a2c0 00000000`00000000 00000000`00000001 : Ntfs!NtfsFlushUserStream+0xb4
fffff880`0448f530 fffff880`01429d7f : fffffa80`0eae5cf0 fffffa80`0c2c5180 00000000`00000001 fffff880`01222200 : Ntfs!NtfsFlushVolume+0x2c7
fffff880`0448f660 fffff880`01418684 : fffffa80`0eae5cf0 fffff880`0120fd01 fffffa80`0b389850 fffff880`0448f700 : Ntfs!NtfsVolumeDasdIo+0x1d3
fffff880`0448f710 fffff880`01418a68 : fffffa80`0eae5cf0 fffffa80`0e67dbd0 fffff880`0448f801 fffffa80`0ec68000 : Ntfs!NtfsCommonRead+0x1e58
fffff880`0448f8b0 fffff880`01202bcf : fffffa80`0e67dfb8 fffffa80`0e67dbd0 fffffa80`0ec68010 00000000`00000000 : Ntfs!NtfsFsdRead+0x1b8
fffff880`0448f960 fffff880`012016df : fffffa80`0b3888f0 00000000`00000001 fffffa80`0b388800 fffffa80`0e67dbd0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`0448f9f0 fffff800`03d9721b : 00000000`00000000 fffffa80`0a781dc0 00000000`00000001 fffffa80`0e67dbd0 : fltmgr!FltpDispatch+0xcf
fffff880`0448fa50 fffff800`03d78b63 : fffffa80`0a781dc0 fffffa80`0a781dc0 fffffa80`0a781dc0 fffff880`009b2180 : nt!IopSynchronousServiceTail+0xfb
fffff880`0448fac0 fffff800`03a8ded3 : 00000000`0000053c 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x631
fffff880`0448fbb0 00000000`76d7137a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00add498 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76d7137a
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: Ntfs!NtfsFlushUserStream+b4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4d79997b
STACK_COMMAND: .cxr 0xfffff8800448e940 ; kb
FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsFlushUserStream+b4
BUCKET_ID: X64_0x24_Ntfs!NtfsFlushUserStream+b4
Followup: MachineOwner
Looks to me like MsMpEng.exe caused the fault, but I am not sure. Any help or guidence would be appreciated, I am going to run a ScnDsk and and sfc /scannow right now and see what happens, but I doubt it will help.Roman
October 24th, 2011 1:10pm
*******************************************************************************
*
*
* Bugcheck Analysis *
*
*
*******************************************************************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff8800448f0e8
Arg3: fffff8800448e940
Arg4: fffff80003ab23d1
Debugging Details:
------------------
EXCEPTION_RECORD: fffff8800448f0e8 -- (.exr 0xfffff8800448f0e8)
ExceptionAddress: fffff80003ab23d1 (nt!CcUnmapVacbArray+0x0000000000000161)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000400000010
Attempt to read from address 0000000400000010
CONTEXT: fffff8800448e940 -- (.cxr 0xfffff8800448e940)
rax=fffffa800da4a700 rbx=00000000014c0000 rcx=0000000000000053
rdx=fffff80003c907f0 rsi=0000000001500000 rdi=0000000001500000
rip=fffff80003ab23d1 rsp=fffff8800448f320 rbp=0000000400000000
r8=0000000018026040 r9=0000000000000000 r10=0000000018010400
r11=fffff8a001311860 r12=00000000014c0000 r13=fffffa800da5be00
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
nt!CcUnmapVacbArray+0x161:
fffff800`03ab23d1 66837d1000 cmp word ptr [rbp+10h],0 ss:0018:00000004`00000010=????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
PROCESS_NAME: MsMpEng.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 0000000400000010
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80003cc1100
0000000400000010
FOLLOWUP_IP:
Ntfs!NtfsFlushUserStream+b4
fffff880`014916d4 389c24a0000000 cmp byte ptr [rsp+0A0h],bl
FAULTING_IP:
nt!CcUnmapVacbArray+161
fffff800`03ab23d1 66837d1000 cmp word ptr [rbp+10h],0
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from fffff80003ad0969 to fffff80003ab23d1
STACK_TEXT:
fffff880`0448f320 fffff800`03ad0969 : fffff8a0`01319101 00000000`00000000 fffff880`0448f4e8 00000000`00000000 : nt!CcUnmapVacbArray+0x161
fffff880`0448f3b0 fffff880`014916d4 : fffffa80`0da4f168 00000000`00000000 fffff8a0`00000000 00000000`00000001 : nt!CcFlushCache+0x8e9
fffff880`0448f4b0 fffff880`014874e3 : 00000000`00000000 fffff8a0`0131a2c0 00000000`00000000 00000000`00000001 : Ntfs!NtfsFlushUserStream+0xb4
fffff880`0448f530 fffff880`01429d7f : fffffa80`0eae5cf0 fffffa80`0c2c5180 00000000`00000001 fffff880`01222200 : Ntfs!NtfsFlushVolume+0x2c7
fffff880`0448f660 fffff880`01418684 : fffffa80`0eae5cf0 fffff880`0120fd01 fffffa80`0b389850 fffff880`0448f700 : Ntfs!NtfsVolumeDasdIo+0x1d3
fffff880`0448f710 fffff880`01418a68 : fffffa80`0eae5cf0 fffffa80`0e67dbd0 fffff880`0448f801 fffffa80`0ec68000 : Ntfs!NtfsCommonRead+0x1e58
fffff880`0448f8b0 fffff880`01202bcf : fffffa80`0e67dfb8 fffffa80`0e67dbd0 fffffa80`0ec68010 00000000`00000000 : Ntfs!NtfsFsdRead+0x1b8
fffff880`0448f960 fffff880`012016df : fffffa80`0b3888f0 00000000`00000001 fffffa80`0b388800 fffffa80`0e67dbd0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`0448f9f0 fffff800`03d9721b : 00000000`00000000 fffffa80`0a781dc0 00000000`00000001 fffffa80`0e67dbd0 : fltmgr!FltpDispatch+0xcf
fffff880`0448fa50 fffff800`03d78b63 : fffffa80`0a781dc0 fffffa80`0a781dc0 fffffa80`0a781dc0 fffff880`009b2180 : nt!IopSynchronousServiceTail+0xfb
fffff880`0448fac0 fffff800`03a8ded3 : 00000000`0000053c 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x631
fffff880`0448fbb0 00000000`76d7137a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00add498 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x76d7137a
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: Ntfs!NtfsFlushUserStream+b4
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4d79997b
STACK_COMMAND: .cxr 0xfffff8800448e940 ; kb
FAILURE_BUCKET_ID: X64_0x24_Ntfs!NtfsFlushUserStream+b4
BUCKET_ID: X64_0x24_Ntfs!NtfsFlushUserStream+b4
Followup: MachineOwner
---------
4: kd> lmvm Ntfs
start end module name
fffff880`0140c000 fffff880`015af000 Ntfs (pdb symbols) c:\symbols\ntfs.pdb\D51347AE03CB4523A2844EA865BA0BE92\ntfs.pdb
Loaded symbol image file: Ntfs.sys
Mapped memory image file: c:\symbols\Ntfs.sys\4D79997B1a3000\Ntfs.sys
Image path: \SystemRoot\System32\Drivers\Ntfs.sys
Image name: Ntfs.sys
Timestamp: Fri Mar 11 04:39:39 2011 (4D79997B)
CheckSum: 0019968A
ImageSize: 001A3000
File version: 6.1.7601.17577
Product version: 6.1.7601.17577
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 3.7 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntfs.sys
OriginalFilename: ntfs.sys
ProductVersion: 6.1.7601.17577
FileVersion: 6.1.7601.17577 (win7sp1_gdr.110310-1504)
FileDescription: NT File System Driver
LegalCopyright: © Microsoft Corporation. All rights reserved.
------------------------------------------------------------
Bug Check Code 0x24: http://msdn.microsoft.com/en-us/library/ff557433(VS.85).aspx
Please start by running chkdsk /r /f. Please also check your disk cables.
The BSOD occured when MsMpEng.exe was running. It is used by Windows Defender: http://www.processlibrary.com/directory/files/msmpeng/27074/
Disable Windows Defender and check again.
It is also possible that you have hardware problems with your disk.
This
posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student
Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator:
Security
Microsoft Certified Systems Engineer:
Security
Microsoft Certified Technology Specialist:
Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist:
Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist:
Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist:
Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise
Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
Free Windows Admin Tool Kit Click here and download it now
October 24th, 2011 6:17pm
Hi,
Did your issue solved by the suggestion of Mr X? Please feel free to give me any update.
Thanks.
Regards,
Leo Huang
TechNet
Subscriber Support in forum. If you have any feedback on our support, please contact
tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 26th, 2011 5:37am
Hi,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will
mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the
answer as you wish.
BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help
other community members facing similar problems. Thanks for your understanding and efforts.
Regards,
Leo Huang
TechNet
Subscriber Support in forum. If you have any feedback on our support, please contact
tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
October 28th, 2011 5:28am