Solved

Windows 7 64 bit machine Crash Analisys Ntfs.sys issue

Posted on 2010-11-15
6
939 Views
Last Modified: 2012-05-10
I have a windows 7 machine that crashed over the weekend. I do have a Seagate external hard drive hooked in via usb, for back up. I have installed the bug check application and symbols. The report is point to Ntfs.sys as the problem child.

Below is the first part of the report. Can some one please look at this and tell me what I am to do with the Ntfs.sys driver. How can I update the driver, or is that not what needs to be done?? Please point me in the right direction.

Thanks!!

 

NTFS_FILE_SYSTEM (24)
    If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
    parameters are the exception record and context record. Do a .cxr
    on the 3rd parameter and then kb to obtain a more informative stack
    trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff88006ff7588
Arg3: fffff88006ff6df0
Arg4: fffff80002e37a09

Debugging Details:
------------------


EXCEPTION_RECORD:  fffff88006ff7588 -- (.exr 0xfffff88006ff7588)
.exr 0xfffff88006ff7588
ExceptionAddress: fffff80002e37a09 (nt!RtlSubtreePredecessor+0x0000000000000009)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT:  fffff88006ff6df0 -- (.cxr 0xfffff88006ff6df0)
.cxr 0xfffff88006ff6df0
rax=fa8004cf6e4004c0 rbx=fa8004cf6e4004c0 rcx=fffff8a00f3ea028
rdx=fa8004cf6e4004c0 rsi=ffffffffffffffff rdi=0000000000000000
rip=fffff80002e37a09 rsp=fffff88006ff77c8 rbp=fffffa8007be7170
 r8=ffffffffffffffff  r9=ffffffffffffffff r10=fffff8a010d847e0
r11=fffff8a00f3ea028 r12=0000000000000705 r13=0000000000000000
r14=fffffa8007be7128 r15=fffff8a010d84b78
iopl=0         nv up ei ng nz na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
nt!RtlSubtreePredecessor+0x9:
fffff800`02e37a09 488b4810        mov     rcx,qword ptr [rax+10h] ds:002b:fa8004cf`6e4004d0=????????????????
.cxr
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800030b80e0
 ffffffffffffffff

FOLLOWUP_IP:
Ntfs!NtfsDeleteScb+108
fffff880`012aabcc 488b03          mov     rax,qword ptr [rbx]

FAULTING_IP:
nt!RtlSubtreePredecessor+9
fffff800`02e37a09 488b4810        mov     rcx,qword ptr [rax+10h]

BUGCHECK_STR:  0x24

LAST_CONTROL_TRANSFER:  from fffff80002e63ca8 to fffff80002e37a09

STACK_TEXT:  
fffff880`06ff77c8 fffff800`02e63ca8 : 00000000`000007ff 00000000`00000150 fffff8a0`10c9f8f0 fffff880`01026633 : nt!RtlSubtreePredecessor+0x9
fffff880`06ff77d0 fffff880`01028373 : fffffa80`05fd1668 fffffa80`07d01b50 fffffa80`07d01bb0 ffffffff`ffffffff : nt!RtlDeleteNoSplay+0x7c
fffff880`06ff7800 fffff880`01024238 : ffffffff`ffffffff fffff8a0`10cc9630 fffffa80`6e664d46 fffff880`0102d66e : fltmgr!TreeUnlinkNoBalance+0x13
fffff880`06ff7830 fffff880`0104235c : 00000000`00000130 fffff8a0`10c53c00 00000000`000007ff 00000000`00000040 : fltmgr!TreeUnlinkMulti+0x148
fffff880`06ff7880 fffff880`01044bc1 : fffffa80`05fd1010 00000000`00000130 fffff8a0`10d84910 fffff8a0`10d84910 : fltmgr!FltpDeleteContextList+0x3c
fffff880`06ff78b0 fffff880`01044b7b : fffffa80`05fd1010 fffff8a0`10d84b78 fffffa80`05fd1010 fffff800`030255a0 : fltmgr!CleanupStreamListCtrl+0x21
fffff880`06ff78e0 fffff800`0316f896 : 00000000`00000001 fffff880`012ab0b8 fffff880`06ff79b0 00000000`00000000 : fltmgr!DeleteStreamListCtrlCallback+0x6b
fffff880`06ff7910 fffff880`012aabcc : fffff8a0`10d84910 fffffa80`08812040 fffff880`06ff79e8 00000000`00000706 : nt!FsRtlTeardownPerStreamContexts+0xe2
fffff880`06ff7960 fffff880`012aa8d5 : 00000000`00000000 00000000`00000000 fffff800`03025500 00000000`00000001 : Ntfs!NtfsDeleteScb+0x108
fffff880`06ff79a0 fffff880`0121dcb4 : fffff8a0`10d84810 fffff8a0`10d84910 fffff800`03025500 fffff880`06ff7b12 : Ntfs!NtfsRemoveScb+0x61
fffff880`06ff79e0 fffff880`012a82dc : fffff8a0`10d847e0 fffff800`030255a0 fffff880`06ff7b12 fffffa80`07c1e010 : Ntfs!NtfsPrepareFcbForRemoval+0x50
fffff880`06ff7a10 fffff880`01226882 : fffffa80`07c1e010 fffffa80`07c1e010 fffff8a0`10d847e0 00000000`00000000 : Ntfs!NtfsTeardownStructures+0xdc
fffff880`06ff7a90 fffff880`012bf813 : fffffa80`07c1e010 fffff800`030255a0 fffff8a0`10d847e0 00000000`00000009 : Ntfs!NtfsDecrementCloseCounts+0xa2
fffff880`06ff7ad0 fffff880`0129938f : fffffa80`07c1e010 fffff8a0`10d84910 fffff8a0`10d847e0 fffffa80`05875180 : Ntfs!NtfsCommonClose+0x353
fffff880`06ff7ba0 fffff800`02e8d961 : 00000000`00000000 fffff880`0116e500 fffffa80`06837901 00000000`00000002 : Ntfs!NtfsFspClose+0x15f
fffff880`06ff7c70 fffff800`03124c06 : 00000000`00000000 fffffa80`08812040 00000000`00000080 fffffa80`039dc040 : nt!ExpWorkerThread+0x111
fffff880`06ff7d00 fffff800`02e5ec26 : fffff880`009ea180 fffffa80`08812040 fffff880`009f4fc0 fffff880`01223534 : nt!PspSystemThreadStartup+0x5a
fffff880`06ff7d40 00000000`00000000 : fffff880`06ff8000 fffff880`06ff2000 fffff880`06ff79b0 00000000`00000000 : nt!KxStartSystemThread+0x16


SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  Ntfs!NtfsDeleteScb+108

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME:  Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5bc14f

STACK_COMMAND:  .cxr 0xfffff88006ff6df0 ; kb

FAILURE_BUCKET_ID:  X64_0x24_Ntfs!NtfsDeleteScb+108

BUCKET_ID:  X64_0x24_Ntfs!NtfsDeleteScb+108

Followup: MachineOwner
---------

1: kd> !thread
GetPointerFromAddress: unable to read from fffff800030b8000
THREAD fffffa8008812040  Cid 0004.0b94  Teb: 0000000000000000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
GetUlongFromAddress: unable to read from fffff80002ff6b74
Owning Process            fffffa80039dc040       Image:         System
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      1144093      
Context Switch Count      2119            
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address nt!ExpWorkerThread (0xfffff80002e8d850)
Stack Init fffff88006ff7d70 Current fffff88006ff79b0
Base fffff88006ff8000 Limit fffff88006ff2000 Call 0
Priority 13 BasePriority 13 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`06ff65a8 fffff880`012363d8 : 00000000`00000024 00000000`001904fb fffff880`06ff7588 fffff880`06ff6df0 : nt!KeBugCheckEx
fffff880`06ff65b0 fffff880`0130af80 : fffff880`01266fc8 fffff880`06ff7ba0 fffff880`06ff7ba0 00000000`00000000 : Ntfs! ?? ::FNODOBFM::`string'+0x2cc9
fffff880`06ff65f0 fffff800`02eaed1c : 00000000`00000001 fffff880`06ff6700 fffffa80`05dbf180 00000000`00000000 : Ntfs! ?? ::NNGAKEGL::`string'+0x7d3d
fffff880`06ff6640 fffff800`02ea640d : fffff880`01266fbc fffff880`06ff7ba0 00000000`00000000 fffff880`01215000 : nt!_C_specific_handler+0x8c
fffff880`06ff66b0 fffff800`02eada90 : fffff880`01266fbc fffff880`06ff6728 fffff880`06ff7588 fffff880`01215000 : nt!RtlpExecuteHandlerForException+0xd
fffff880`06ff66e0 fffff800`02eba9ef : fffff880`06ff7588 fffff880`06ff6df0 fffff880`00000000 00000000`00000000 : nt!RtlDispatchException+0x410
fffff880`06ff6dc0 fffff800`02e7fd82 : fffff880`06ff7588 fa8004cf`6e4004c0 fffff880`06ff7630 ffffffff`ffffffff : nt!KiDispatchException+0x16f
fffff880`06ff7450 fffff800`02e7e68a : f8a010c9`21900400 00000000`00000000 fffffa80`07d01b58 00000000`00000004 : nt!KiExceptionDispatch+0xc2
fffff880`06ff7630 fffff800`02e37a09 : fffff800`02e63ca8 00000000`000007ff 00000000`00000150 fffff8a0`10c9f8f0 : nt!KiGeneralProtectionFault+0x10a (TrapFrame @ fffff880`06ff7630)
fffff880`06ff77c8 fffff800`02e63ca8 : 00000000`000007ff 00000000`00000150 fffff8a0`10c9f8f0 fffff880`01026633 : nt!RtlSubtreePredecessor+0x9
fffff880`06ff77d0 fffff880`01028373 : fffffa80`05fd1668 fffffa80`07d01b50 fffffa80`07d01bb0 ffffffff`ffffffff : nt!RtlDeleteNoSplay+0x7c
fffff880`06ff7800 fffff880`01024238 : ffffffff`ffffffff fffff8a0`10cc9630 fffffa80`6e664d46 fffff880`0102d66e : fltmgr!TreeUnlinkNoBalance+0x13
fffff880`06ff7830 fffff880`0104235c : 00000000`00000130 fffff8a0`10c53c00 00000000`000007ff 00000000`00000040 : fltmgr!TreeUnlinkMulti+0x148
fffff880`06ff7880 fffff880`01044bc1 : fffffa80`05fd1010 00000000`00000130 fffff8a0`10d84910 fffff8a0`10d84910 : fltmgr!FltpDeleteContextList+0x3c
fffff880`06ff78b0 fffff880`01044b7b : fffffa80`05fd1010 fffff8a0`10d84b78 fffffa80`05fd1010 fffff800`030255a0 : fltmgr!CleanupStreamListCtrl+0x21
fffff880`06ff78e0 fffff800`0316f896 : 00000000`00000001 fffff880`012ab0b8 fffff880`06ff79b0 00000000`00000000 : fltmgr!DeleteStreamListCtrlCallback+0x6b
fffff880`06ff7910 fffff880`012aabcc : fffff8a0`10d84910 fffffa80`08812040 fffff880`06ff79e8 00000000`00000706 : nt!FsRtlTeardownPerStreamContexts+0xe2
fffff880`06ff7960 fffff880`012aa8d5 : 00000000`00000000 00000000`00000000 fffff800`03025500 00000000`00000001 : Ntfs!NtfsDeleteScb+0x108
fffff880`06ff79a0 fffff880`0121dcb4 : fffff8a0`10d84810 fffff8a0`10d84910 fffff800`03025500 fffff880`06ff7b12 : Ntfs!NtfsRemoveScb+0x61
fffff880`06ff79e0 fffff880`012a82dc : fffff8a0`10d847e0 fffff800`030255a0 fffff880`06ff7b12 fffffa80`07c1e010 : Ntfs!NtfsPrepareFcbForRemoval+0x50
fffff880`06ff7a10 fffff880`01226882 : fffffa80`07c1e010 fffffa80`07c1e010 fffff8a0`10d847e0 00000000`00000000 : Ntfs!NtfsTeardownStructures+0xdc
fffff880`06ff7a90 fffff880`012bf813 : fffffa80`07c1e010 fffff800`030255a0 fffff8a0`10d847e0 00000000`00000009 : Ntfs!NtfsDecrementCloseCounts+0xa2
fffff880`06ff7ad0 fffff880`0129938f : fffffa80`07c1e010 fffff8a0`10d84910 fffff8a0`10d847e0 fffffa80`05875180 : Ntfs!NtfsCommonClose+0x353
fffff880`06ff7ba0 fffff800`02e8d961 : 00000000`00000000 fffff880`0116e500 fffffa80`06837901 00000000`00000002 : Ntfs!NtfsFspClose+0x15f
fffff880`06ff7c70 fffff800`03124c06 : 00000000`00000000 fffffa80`08812040 00000000`00000080 fffffa80`039dc040 : nt!ExpWorkerThread+0x111
fffff880`06ff7d00 fffff800`02e5ec26 : fffff880`009ea180 fffffa80`08812040 fffff880`009f4fc0 fffff880`01223534 : nt!PspSystemThreadStartup+0x5a
fffff880`06ff7d40 00000000`00000000 : fffff880`06ff8000 fffff880`06ff2000 fffff880`06ff79b0 00000000`00000000 : nt!KxStartSystemThread+0x16
 Full debug Analisys AnalysisMiniDump.log
0
Comment
Question by:HHTech1
  • 3
  • 3
6 Comments
 
LVL 34

Accepted Solution

by:
jamietoner earned 500 total points
Comment Utility
This usually indicates a problem with the file system or a failing hardrive that's causing problems with the file system. First make sure all important data is backed up, if the drive is failing or the file system is too messed up trying to fix it can make it worse. Next run diagnostics on the hard drive(s) that the OS is installed on, the diag can be downloaded from the drive manufacture or you can just download the UBCD. If the drive(s) passes diagnostics run a chkdsk from the os. To do this open my computer->right click the C: drive-> choose properties-> click the tools tab-> click the check now button and let the scan run, the larger the hard drive the longer it will take.
0
 
LVL 1

Author Closing Comment

by:HHTech1
Comment Utility
The problem was an external hard drive. The chkdsk found and repaired the issue
0
 
LVL 1

Author Comment

by:HHTech1
Comment Utility
The BSOD is back again. I ran the dump file and got the same results. NTSF.sys is the problem driver.

How do I fix this for good? Can I copy this driver from another 64 bit machine and replace the current one that is failing??? What is the best way to fix this for good??

Thanks for the help!
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 34

Expert Comment

by:jamietoner
Comment Utility
Have you ran diagnostics on the drives?
0
 
LVL 1

Author Comment

by:HHTech1
Comment Utility
Yes, I ran them a few weeks ago when all of this started, but I will go back and run them again tonight.

Could failing RAM be causing this?
0
 
LVL 34

Expert Comment

by:jamietoner
Comment Utility
Yes, I just fixed a laptop that was throwing NTFS and registry bsods. HDD passed diags but mem failed turned out to be a bad stick.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This Micro Tutorial will give you basic overview of the control panel section on Windows 7. It will depth in Network and Internet, Hardware and Sound, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now