
Debugging Memory Dump from BSOD

SilverVista
15 years ago

Many, many thanks to Zep516 for not only answering my question about disabling AVG on a previous post, but for giving me some pointers about what to do next about my BSODs. I started a new thread so the title will reflect the conversation.

I've downloaded the recommended Microsoft debugging tool and followed instructions to analyze my most recent dump (another one this morning!). Transcript is as follows:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86

Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\Minidump\Mini041709-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 2600.xpsp_sp3_gdr.090206-1234

Machine Name:

Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0

Debug session time: Fri Apr 17 11:16:01.453 2009 (GMT-7)

System Uptime: 0 days 0:00:30.000

Loading Kernel Symbols

...............................................................

.......................................................

Loading User Symbols

Loading unloaded module list

....

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 24, (1902fe, ef15c5a0, ef15c29c, f76107b6)

Probably caused by : Ntfs.sys ( Ntfs!NtfsPingVolume+d )

Followup: MachineOwner

---------

kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

NTFS_FILE_SYSTEM (24)

If you see NtfsExceptionFilter on the stack then the 2nd and 3rd

parameters are the exception record and context record. Do a .cxr

on the 3rd parameter and then kb to obtain a more informative stack

trace.

Arguments:

Arg1: 001902fe

Arg2: ef15c5a0

Arg3: ef15c29c

Arg4: f76107b6

Debugging Details:

------------------

EXCEPTION_RECORD: ef15c5a0 -- (.exr 0xffffffffef15c5a0)

ExceptionAddress: f76107b6 (Ntfs!NtfsPingVolume+0x0000000d)

ExceptionCode: c0000005 (Access violation)

ExceptionFlags: 00000000

NumberParameters: 2

Parameter[0]: 00000000

Parameter[1]: 00000004

Attempt to read from address 00000004

CONTEXT: ef15c29c -- (.cxr 0xffffffffef15c29c)

eax=ef15c7e8 ebx=00000000 ecx=85f76100 edx=00000000 esi=85bf11bc edi=00000000

eip=f76107b6 esp=ef15c668 ebp=ef15c674 iopl=0 nv up ei pl zr na pe nc

cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246

Ntfs!NtfsPingVolume+0xd:

f76107b6 f6470404 test byte ptr [edi+4],4 ds:0023:00000004=??

Resetting default scope

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: MsMpEng.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 00000004

READ_ADDRESS: 00000004

FOLLOWUP_IP:

Ntfs!NtfsPingVolume+d

f76107b6 f6470404 test byte ptr [edi+4],4

FAULTING_IP:

Ntfs!NtfsPingVolume+d

f76107b6 f6470404 test byte ptr [edi+4],4

BUGCHECK_STR: 0x24

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from f760fd85 to f76107b6

STACK_TEXT:

ef15c674 f760fd85 ef15c7e8 00000000 00000000 Ntfs!NtfsPingVolume+0xd

ef15c7c4 f7611042 ef15c7e8 85bf1008 ef15c918 Ntfs!NtfsCommonCreate+0x2c8

ef15c970 f7697f70 85bf1008 ef15cc00 85f76020 Ntfs!NtfsNetworkOpenCreate+0x8a

ef15c990 f76a50e8 85bf1008 ef15cc00 85f77950 sr!SrFastIoQueryOpen+0x40

ef15c9b0 f76b1c27 000000f2 00000000 ef15c9e8 fltmgr!FltpPerformFastIoCall+0x300

ef15ca08 805743fd 85bf1008 ef15cc00 85b43c58 fltmgr!FltpFastIoQueryOpen+0xa1

ef15caf4 80563fec 85f79e30 00000000 85c00008 nt!IopParseDevice+0x916

ef15cb7c 805684da 00000000 ef15cbbc 00000040 nt!ObpLookupObjectName+0x56a

ef15cbd0 805745a3 00000000 00000000 00000001 nt!ObOpenObjectByName+0xeb

ef15cd54 804de7ec 0085f70c 0085f6e4 0085f738 nt!NtQueryAttributesFile+0xf1

ef15cd54 7c90e514 0085f70c 0085f6e4 0085f738 nt!KiFastCallEntry+0xf8

WARNING: Frame IP not in any known module. Following frames may be wrong.

0085f738 00000000 00000000 00000000 00000000 0x7c90e514

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: Ntfs!NtfsPingVolume+d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 48025be5

STACK_COMMAND: .cxr 0xffffffffef15c29c ; kb

FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsPingVolume+d

BUCKET_ID: 0x24_Ntfs!NtfsPingVolume+d

Followup: MachineOwner

---------

I've been googling Ntfs.sys and Ntfs!NtfsPingVolume+d but I'm afraid I'm into very unfamiliar territory. Where to next? Any guidance deeply appreciated.

Susan
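
A triage helper for `!analyze -v` text like the transcript pasted above, as an added example that is not part of the original post: it extracts the bugcheck code and arguments, the `KEY: value` fields, and the distinct modules on the call stack up to the debugger's "Following frames may be wrong" warning. The function names are hypothetical, and the sample lines are excerpted (abridged) from the transcript.

```python
import re

# Lines excerpted from the transcript in the post above (abridged).
SAMPLE = """\
BugCheck 24, (1902fe, ef15c5a0, ef15c29c, f76107b6)
PROCESS_NAME: MsMpEng.exe
READ_ADDRESS: 00000004
STACK_TEXT:
ef15c674 f760fd85 ef15c7e8 00000000 00000000 Ntfs!NtfsPingVolume+0xd
ef15c990 f76a50e8 85bf1008 ef15cc00 85f77950 sr!SrFastIoQueryOpen+0x40
ef15c9b0 f76b1c27 000000f2 00000000 ef15c9e8 fltmgr!FltpPerformFastIoCall+0x300
ef15caf4 80563fec 85f79e30 00000000 85c00008 nt!IopParseDevice+0x916
WARNING: Frame IP not in any known module. Following frames may be wrong.
0085f738 00000000 00000000 00000000 00000000 0x7c90e514
"""

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \(([^)]*)\)")
FIELD = re.compile(r"^([A-Z_0-9]+):\s*(\S.*)$")
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$")  # five hex words, then the symbol

def parse_analysis(text):
    out = {"bugcheck": None, "args": [], "fields": {}, "frames": [], "unreliable_from": None}
    in_stack = False
    # Blank lines are dropped because pasted transcripts are often double-spaced.
    for line in filter(None, map(str.strip, text.splitlines())):
        if (m := BUGCHECK.match(line)):
            out["bugcheck"] = int(m.group(1), 16)
            out["args"] = [int(a, 16) for a in m.group(2).split(",")]
        elif line == "STACK_TEXT:":
            in_stack = True
        elif in_stack and (m := FRAME.match(line)):
            out["frames"].append(m.group(1))
        elif in_stack and line.startswith("WARNING: Frame IP not in any known module"):
            out["unreliable_from"] = len(out["frames"])  # later frames are suspect
        else:
            in_stack = False
            if (m := FIELD.match(line)):
                out["fields"][m.group(1)] = m.group(2)
    return out

def modules_on_stack(parsed):
    # Distinct modules on the trusted frames, innermost first.
    mods = []
    for sym in parsed["frames"][:parsed["unreliable_from"]]:
        mod = sym.split("!")[0]
        if "!" in sym and mod not in mods:
            mods.append(mod)
    return mods

def near_null_read(parsed, limit=0x1000):
    # True when READ_ADDRESS lies in the first page, i.e. an offset from a NULL pointer.
    addr = parsed["fields"].get("READ_ADDRESS")
    return addr is not None and int(addr, 16) < limit
```
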
