Ingo Brown
asked on
NtfsCommonCleanup in crash dump analysis ???
Hello I have a mini dump file from a Windows Vista 32bit, Ultimate computer.
Intel Core 2 Duo
8GB RAM
I have never understood debugging properly so hence the reason why I am asking the question.
I did however manage to specify a symbol path and then put the crash dump file thru the preverbial "mincer".
Please can somebody help me explain where to begin.
I installed Microsoft WinDbg : 6.11.0001.404 x86
Version 5.1
Below is a copy from the debugger
...many thanks in advance
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\User01\Desktop\Ga lilieo\Off ice PC\Mini033011-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
WARNING: Whitespace at end of path element
Symbol search path is: http://msdl.microsoft.com/download/symbols
;SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6002.18327.x86fre.vistasp2 _gdr.10101 4-0432
Machine Name:
Kernel base = 0x82402000 PsLoadedModuleList = 0x82519c70
Debug session time: Wed Mar 30 12:05:45.227 2011 (GMT+2)
System Uptime: 0 days 0:05:27.915
Loading Kernel Symbols
.......................... .......... .......... .......... .......
.......................... .......... .......... .......... ........
.......................... .......... ......
Loading User Symbols
Loading unloaded module list
..........
************************** ********** ********** ********** ********** ********** ***
* *
* Bugcheck Analysis *
* *
************************** ********** ********** ********** ********** ********** ***
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904aa, c3bc7a30, c3bc772c, 8b2a095a}
Probably caused by : Ntfs.sys ( Ntfs!NtfsCommonCleanup+307 f )
Followup: MachineOwner
---------
1: kd> !analyze -v
************************** ********** ********** ********** ********** ********** ***
* *
* Bugcheck Analysis *
* *
************************** ********** ********** ********** ********** ********** ***
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904aa
Arg2: c3bc7a30
Arg3: c3bc772c
Arg4: 8b2a095a
Debugging Details:
------------------
EXCEPTION_RECORD: c3bc7a30 -- (.exr 0xffffffffc3bc7a30)
ExceptionAddress: 8b2a095a (Ntfs!NtfsCommonCleanup+0x 0000307f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000440
Attempt to read from address 00000440
CONTEXT: c3bc772c -- (.cxr 0xffffffffc3bc772c)
eax=00000400 ebx=00000000 ecx=00000000 edx=00000000 esi=b0f1d008 edi=b12fa794
eip=8b2a095a esp=c3bc7af8 ebp=c3bc7cf0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
Ntfs!NtfsCommonCleanup+0x3 07f:
8b2a095a 395840 cmp dword ptr [eax+40h],ebx ds:0023:00000440=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
PROCESS_NAME: HelpPane.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000440
READ_ADDRESS: GetPointerFromAddress: unable to read from 82539868
Unable to read MiSystemVaType memory at 82519420
00000440
FOLLOWUP_IP:
Ntfs!NtfsCommonCleanup+307 f
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
FAULTING_IP:
Ntfs!NtfsCommonCleanup+307 f
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 8b21e95a to 8b2a095a
STACK_TEXT:
c3bc7cf0 8b21e95a b12fa794 8579de00 489827bb Ntfs!NtfsCommonCleanup+0x3 07f
c3bc7d2c 824af218 b12fa744 000008ec ffffffff Ntfs!NtfsCommonCleanupCall out+0x1d
c3bc7d2c 824af311 b12fa744 000008ec ffffffff nt!KiSwapKernelStackAndExi t+0x118
b12fa6d4 00000000 00000000 00000000 00000000 nt!KiSwitchKernelStackAndC allout+0x3 1
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsCommonCleanup+307 f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49e0192a
STACK_COMMAND: .cxr 0xffffffffc3bc772c ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu p+307f
BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu p+307f
Followup: MachineOwner
---------
1: kd> !analyze -v
************************** ********** ********** ********** ********** ********** ***
* *
* Bugcheck Analysis *
* *
************************** ********** ********** ********** ********** ********** ***
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904aa
Arg2: c3bc7a30
Arg3: c3bc772c
Arg4: 8b2a095a
Debugging Details:
------------------
EXCEPTION_RECORD: c3bc7a30 -- (.exr 0xffffffffc3bc7a30)
ExceptionAddress: 8b2a095a (Ntfs!NtfsCommonCleanup+0x 0000307f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000440
Attempt to read from address 00000440
CONTEXT: c3bc772c -- (.cxr 0xffffffffc3bc772c)
eax=00000400 ebx=00000000 ecx=00000000 edx=00000000 esi=b0f1d008 edi=b12fa794
eip=8b2a095a esp=c3bc7af8 ebp=c3bc7cf0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
Ntfs!NtfsCommonCleanup+0x3 07f:
8b2a095a 395840 cmp dword ptr [eax+40h],ebx ds:0023:00000440=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
PROCESS_NAME: HelpPane.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000440
READ_ADDRESS: GetPointerFromAddress: unable to read from 82539868
Unable to read MiSystemVaType memory at 82519420
00000440
FOLLOWUP_IP:
Ntfs!NtfsCommonCleanup+307 f
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
FAULTING_IP:
Ntfs!NtfsCommonCleanup+307 f
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 8b21e95a to 8b2a095a
STACK_TEXT:
c3bc7cf0 8b21e95a b12fa794 8579de00 489827bb Ntfs!NtfsCommonCleanup+0x3 07f
c3bc7d2c 824af218 b12fa744 000008ec ffffffff Ntfs!NtfsCommonCleanupCall out+0x1d
c3bc7d2c 824af311 b12fa744 000008ec ffffffff nt!KiSwapKernelStackAndExi t+0x118
b12fa6d4 00000000 00000000 00000000 00000000 nt!KiSwitchKernelStackAndC allout+0x3 1
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsCommonCleanup+307 f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49e0192a
STACK_COMMAND: .cxr 0xffffffffc3bc772c ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu p+307f
BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu p+307f
Followup: MachineOwner
---------
Intel Core 2 Duo
8GB RAM
I have never understood debugging properly so hence the reason why I am asking the question.
I did however manage to specify a symbol path and then put the crash dump file thru the preverbial "mincer".
Please can somebody help me explain where to begin.
I installed Microsoft WinDbg : 6.11.0001.404 x86
Version 5.1
Below is a copy from the debugger
...many thanks in advance
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\User01\Desktop\Ga
Mini Kernel Dump File: Only registers and stack trace are available
WARNING: Whitespace at end of path element
Symbol search path is: http://msdl.microsoft.com/download/symbols
;SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 6002.18327.x86fre.vistasp2
Machine Name:
Kernel base = 0x82402000 PsLoadedModuleList = 0x82519c70
Debug session time: Wed Mar 30 12:05:45.227 2011 (GMT+2)
System Uptime: 0 days 0:05:27.915
Loading Kernel Symbols
..........................
..........................
..........................
Loading User Symbols
Loading unloaded module list
..........
**************************
* *
* Bugcheck Analysis *
* *
**************************
Use !analyze -v to get detailed debugging information.
BugCheck 24, {1904aa, c3bc7a30, c3bc772c, 8b2a095a}
Probably caused by : Ntfs.sys ( Ntfs!NtfsCommonCleanup+307
Followup: MachineOwner
---------
1: kd> !analyze -v
**************************
* *
* Bugcheck Analysis *
* *
**************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904aa
Arg2: c3bc7a30
Arg3: c3bc772c
Arg4: 8b2a095a
Debugging Details:
------------------
EXCEPTION_RECORD: c3bc7a30 -- (.exr 0xffffffffc3bc7a30)
ExceptionAddress: 8b2a095a (Ntfs!NtfsCommonCleanup+0x
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000440
Attempt to read from address 00000440
CONTEXT: c3bc772c -- (.cxr 0xffffffffc3bc772c)
eax=00000400 ebx=00000000 ecx=00000000 edx=00000000 esi=b0f1d008 edi=b12fa794
eip=8b2a095a esp=c3bc7af8 ebp=c3bc7cf0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
Ntfs!NtfsCommonCleanup+0x3
8b2a095a 395840 cmp dword ptr [eax+40h],ebx ds:0023:00000440=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
PROCESS_NAME: HelpPane.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000440
READ_ADDRESS: GetPointerFromAddress: unable to read from 82539868
Unable to read MiSystemVaType memory at 82519420
00000440
FOLLOWUP_IP:
Ntfs!NtfsCommonCleanup+307
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
FAULTING_IP:
Ntfs!NtfsCommonCleanup+307
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 8b21e95a to 8b2a095a
STACK_TEXT:
c3bc7cf0 8b21e95a b12fa794 8579de00 489827bb Ntfs!NtfsCommonCleanup+0x3
c3bc7d2c 824af218 b12fa744 000008ec ffffffff Ntfs!NtfsCommonCleanupCall
c3bc7d2c 824af311 b12fa744 000008ec ffffffff nt!KiSwapKernelStackAndExi
b12fa6d4 00000000 00000000 00000000 00000000 nt!KiSwitchKernelStackAndC
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsCommonCleanup+307
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP:
STACK_COMMAND: .cxr 0xffffffffc3bc772c ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu
BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu
Followup: MachineOwner
---------
1: kd> !analyze -v
**************************
* *
* Bugcheck Analysis *
* *
**************************
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904aa
Arg2: c3bc7a30
Arg3: c3bc772c
Arg4: 8b2a095a
Debugging Details:
------------------
EXCEPTION_RECORD: c3bc7a30 -- (.exr 0xffffffffc3bc7a30)
ExceptionAddress: 8b2a095a (Ntfs!NtfsCommonCleanup+0x
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000440
Attempt to read from address 00000440
CONTEXT: c3bc772c -- (.cxr 0xffffffffc3bc772c)
eax=00000400 ebx=00000000 ecx=00000000 edx=00000000 esi=b0f1d008 edi=b12fa794
eip=8b2a095a esp=c3bc7af8 ebp=c3bc7cf0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
Ntfs!NtfsCommonCleanup+0x3
8b2a095a 395840 cmp dword ptr [eax+40h],ebx ds:0023:00000440=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
PROCESS_NAME: HelpPane.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000440
READ_ADDRESS: GetPointerFromAddress: unable to read from 82539868
Unable to read MiSystemVaType memory at 82519420
00000440
FOLLOWUP_IP:
Ntfs!NtfsCommonCleanup+307
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
FAULTING_IP:
Ntfs!NtfsCommonCleanup+307
8b2a095a 395840 cmp dword ptr [eax+40h],ebx
BUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from 8b21e95a to 8b2a095a
STACK_TEXT:
c3bc7cf0 8b21e95a b12fa794 8579de00 489827bb Ntfs!NtfsCommonCleanup+0x3
c3bc7d2c 824af218 b12fa744 000008ec ffffffff Ntfs!NtfsCommonCleanupCall
c3bc7d2c 824af311 b12fa744 000008ec ffffffff nt!KiSwapKernelStackAndExi
b12fa6d4 00000000 00000000 00000000 00000000 nt!KiSwitchKernelStackAndC
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsCommonCleanup+307
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP:
STACK_COMMAND: .cxr 0xffffffffc3bc772c ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu
BUCKET_ID: 0x24_Ntfs!NtfsCommonCleanu
Followup: MachineOwner
---------
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Quick response much appreciated
then i don't quite understand the B grade ?
ASKER
I was away for the last few days.
The memtest is one of the things I did and there is faulty memory. Also we have acronis imagages previous stages of the pc which we are able to roll back to.
Thanks for your suggestions