FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsFsdDeviceControl+5f

fhpcis
fhpcis used Ask the Experts™
on
I have a win2000 terminal server that keeps randomly bluescreening and then rebooting.  Attached is the memory dump debugged by windbg.  

I have yet to run a mem test on it, but will be doing so around lunchtime today.  I have run a chkdsk /f with errorless results.  

Can anyone make heads or tails of it?  Thx in advance.

- Mike
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Documents and Settings\mcostello\Desktop\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
 
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Machine Name:
Kernel base = 0x80400000 PsLoadedModuleList = 0x80485b80
Debug session time: Fri Oct 23 02:39:16.226 2009 (GMT-4)
System Uptime: 1 days 0:43:37.005
Loading Kernel Symbols
...............................................................
....................................
Loading User Symbols
 
Loading unloaded module list
..................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 24, {190219, eb46f888, eb46f4e0, 8041fb04}
 
*** ERROR: Module load completed but symbols could not be loaded for tmactmon.sys
Probably caused by : Ntfs.sys ( Ntfs!NtfsFsdDeviceControl+5f )
 
Followup: MachineOwner
---------
 
2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
NTFS_FILE_SYSTEM (24)
    If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
    parameters are the exception record and context record. Do a .cxr
    on the 3rd parameter and then kb to obtain a more informative stack
    trace.
Arguments:
Arg1: 00190219
Arg2: eb46f888
Arg3: eb46f4e0
Arg4: 8041fb04
 
Debugging Details:
------------------
 
 
EXCEPTION_RECORD:  eb46f888 -- (.exr 0xffffffffeb46f888)
ExceptionAddress: 8041fb04 (nt!IoIsOperationSynchronous+0x0000000a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0000002c
Attempt to read from address 0000002c
 
CONTEXT:  eb46f4e0 -- (.cxr 0xffffffffeb46f4e0)
eax=86f2ee48 ebx=87225008 ecx=00000000 edx=86f2ee48 esi=eb46f970 edi=00000000
eip=8041fb04 esp=eb46f950 ebp=eb46f9b0 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!IoIsOperationSynchronous+0xa:
8041fb04 f6412c02        test    byte ptr [ecx+2Ch],2       ds:0023:0000002c=??
Resetting default scope
 
PROCESS_NAME:  System
 
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
 
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
 
EXCEPTION_PARAMETER1:  00000000
 
EXCEPTION_PARAMETER2:  0000002c
 
READ_ADDRESS:  0000002c 
 
FOLLOWUP_IP: 
Ntfs!NtfsFsdDeviceControl+5f
bfe9c78b 50              push    eax
 
FAULTING_IP: 
nt!IoIsOperationSynchronous+a
8041fb04 f6412c02        test    byte ptr [ecx+2Ch],2
 
BUGCHECK_STR:  0x24
 
DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
 
LAST_CONTROL_TRANSFER:  from bfe9c78b to 8041fb04
 
STACK_TEXT:  
eb46f94c bfe9c78b 86f2ee48 eb46f990 88ee6020 nt!IoIsOperationSynchronous+0xa
eb46f9b0 8041eecb 88ee6020 86f2ee48 872266e0 Ntfs!NtfsFsdDeviceControl+0x5f
eb46f9c4 bff52816 872266e0 86f2ee48 00000000 nt!IopfCallDriver+0x35
eb46f9f0 8041eecb 872266e0 86f2ee48 872266e0 fltmgr!FltpDispatch+0x142
eb46fa04 b59433c6 00000001 80462fb4 00040000 nt!IopfCallDriver+0x35
WARNING: Stack unwind information not available. Following frames may be wrong.
eb46fa64 b5943ba9 872266e0 0000005a 86ee29b0 tmactmon+0x13c6
eb46fc48 b5943d8e eb46fc78 875dfcfa e5bbbd1a tmactmon+0x1ba9
eb46fc90 804b1e9e 86ee29b0 860ec000 bd1aad08 tmactmon+0x1d8e
eb46fd58 804b20df 0000040c 860ec000 bd1aad08 nt!IopLoadDriver+0x672
eb46fd78 80417b49 bd1aad08 00000000 00000000 nt!IopLoadUnloadDriver+0x3f
eb46fda8 804578c2 bd1aad08 00000000 00000000 nt!ExpWorkerThread+0xaf
eb46fddc 8046c966 80417a9a 00000001 00000000 nt!PspSystemThreadStartup+0x54
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
 
 
SYMBOL_STACK_INDEX:  1
 
SYMBOL_NAME:  Ntfs!NtfsFsdDeviceControl+5f
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: Ntfs
 
IMAGE_NAME:  Ntfs.sys
 
DEBUG_FLR_IMAGE_TIMESTAMP:  42807cdd
 
STACK_COMMAND:  .cxr 0xffffffffeb46f4e0 ; kb
 
FAILURE_BUCKET_ID:  0x24_Ntfs!NtfsFsdDeviceControl+5f
 
BUCKET_ID:  0x24_Ntfs!NtfsFsdDeviceControl+5f
 
Followup: MachineOwner
---------

Open in new window

Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Network Operations Manager
Top Expert 2009
Commented:
You seem to be having a problem with Ntfs.sys and tmactmon.sys.
Do you have Trend Micro products installed? Scan for malware......

 

Author

Commented:
thx, BBandM.  

I do have OfficeScan installed and a support case has been submitted with trendmicro.  Our weekly scan would've caught any malware by now.  the restarting problem has been happening since the first of the month.

HP diagnostics tests via their SmartStart 8.0 software came back errorless.
BitsBytesandMoreNetwork Operations Manager
Top Expert 2009

Commented:
Take a look at this tutorial .... it will help you nail it.
How-to-solve-Windows-system-cras.pdf
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

BitsBytesandMoreNetwork Operations Manager
Top Expert 2009

Commented:
It could be a memory problem... I would test it... it won't hurt. Try MemTest from http://www.memtest.org/#downiso
BitsBytesandMoreNetwork Operations Manager
Top Expert 2009

Commented:
I would still download and scan with Malwarebytes' Anti-Malware..... for me.... it's picked up some many things that others miss... just my 2 cents...
http://www.malwarebytes.org/mbam.php
 

Author

Commented:
I surely will run the malwarebytes scan.  Any other suggestions

It seems the server has not bluescreened / rebooted in about 48 hours, so we're pretty stumped on this.

Thanks again.
BitsBytesandMoreNetwork Operations Manager
Top Expert 2009

Commented:
Intermittent faults are a headache. They are hard to deal with because of their nature, you never know until after a few days if the steps you have taken to address the faults have been successful or not.
After the malware scan, if malware is found, clear your event logs and monitor the computer. If no malware is found.....  do not clear the event logs because we will need to address the errors contained in these logs one by one until you have none.

Author

Commented:
it looks like TM officescan was causing the problem.  It was recently upgraded from v8 to 10.  I removed it completely and re-installed it from the officescan console.  Thanks, BB&M.
BitsBytesandMoreNetwork Operations Manager
Top Expert 2009

Commented:
Thank you so much for the feedback..... If it weren't for the points... I think this is the part that I enjoy the most...... knowing exactly what fixed the problem. Glad I was able to help.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial