BSOD NTFS.sys (MEMORY.dmp analysis included)

M

MatthiasKunnen

I've been getting crashes seemingly at random. I've found no pattern yet.


I've tried both dism /online /cleanup-image /restorehealth and chkdsk c: /f


I've found no errors related to this in the event viewer.

My system is a dual boot system and in Linux (Ubuntu) I have yet to see any crashes/problems.


MEMORY.dmp analysis:



Microsoft (R) Windows Debugger Version 10.0.20153.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 19041 MP (24 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff807`66400000 PsLoadedModuleList = 0xfffff807`6702a310
Debug session time: Tue Jul 28 22:08:32.252 2020 (UTC + 2:00)
System Uptime: 1 days 0:31:32.886
Loading Kernel Symbols
...............................................................
................................................................
.............................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000007`52db9018). Type ".hh dbgerr001" for details
Loading unloaded module list
.........................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff807`667ddb60 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff858b`b80c2e00=0000000000000109
15: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_STRUCTURE_CORRUPTION (109)
This bugcheck is generated when the kernel detects that critical kernel code or
data have been corrupted. There are generally three causes for a corruption:
1) A driver has inadvertently or deliberately modified critical kernel code
or data. See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
2) A developer attempted to set a normal kernel breakpoint using a kernel
debugger that was not attached when the system was booted. Normal breakpoints,
"bp", can only be set if the debugger is attached at boot time. Hardware
breakpoints, "ba", can be set at any time.
3) A hardware corruption occurred, e.g. failing RAM holding kernel code or data.
Arguments:
Arg1: a3a01be719e0658e, Reserved
Arg2: b3b7286d6c61e3ca, Reserved
Arg3: fffff80768a00000, Failure type dependent information
Arg4: 000000000000002c, Type of corrupted region, can be
0 : A generic data region
1 : Modification of a function or .pdata
2 : A processor IDT
3 : A processor GDT
4 : Type 1 process list corruption
5 : Type 2 process list corruption
6 : Debug routine modification
7 : Critical MSR modification
8 : Object type
9 : A processor IVT
a : Modification of a system service function
b : A generic session data region
c : Modification of a session function or .pdata
d : Modification of an import table
e : Modification of a session import table
f : Ps Win32 callout modification
10 : Debug switch routine modification
11 : IRP allocator modification
12 : Driver call dispatcher modification
13 : IRP completion dispatcher modification
14 : IRP deallocator modification
15 : A processor control register
16 : Critical floating point control register modification
17 : Local APIC modification
18 : Kernel notification callout modification
19 : Loaded module list modification
1a : Type 3 process list corruption
1b : Type 4 process list corruption
1c : Driver object corruption
1d : Executive callback object modification
1e : Modification of module padding
1f : Modification of a protected process
20 : A generic data region
21 : A page hash mismatch
22 : A session page hash mismatch
23 : Load config directory modification
24 : Inverted function table modification
25 : Session configuration modification
26 : An extended processor control register
27 : Type 1 pool corruption
28 : Type 2 pool corruption
29 : Type 3 pool corruption
2a : Type 4 pool corruption
2b : Modification of a function or .pdata
2c : Image integrity corruption
2d : Processor misconfiguration
2e : Type 5 process list corruption
2f : Process shadow corruption
30 : Retpoline code page corruption
101 : General pool corruption
102 : Modification of win32k.sys

Debugging Details:
------------------

Unable to load image \SystemRoot\System32\Drivers\Ntfs.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Ntfs.sys

KEY_VALUES_STRING: 1

Key : Analysis.CPU.mSec
Value: 2625

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on MATTHIAS-DESKTO

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.mSec
Value: 3353

Key : Analysis.Memory.CommitPeak.Mb
Value: 89

Key : Analysis.System
Value: CreateObject

Key : WER.OS.Branch
Value: vb_release

Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key : WER.OS.Version
Value: 10.0.19041.1


ADDITIONAL_XML: 1

OS_BUILD_LAYERS: 1

BUGCHECK_CODE: 109

BUGCHECK_P1: a3a01be719e0658e

BUGCHECK_P2: b3b7286d6c61e3ca

BUGCHECK_P3: fffff80768a00000

BUGCHECK_P4: 2c

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

PROCESS_NAME: csrss.exe

STACK_TEXT:
ffff858b`b80c2df8 00000000`00000000 : 00000000`00000109 a3a01be7`19e0658e b3b7286d`6c61e3ca fffff807`68a00000 : nt!KeBugCheckEx


MODULE_NAME: Ntfs

IMAGE_NAME: Ntfs.sys

STACK_COMMAND: .thread ; .cxr ; kb

FAILURE_BUCKET_ID: 0x109_2c_IMAGE_Ntfs.sys

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {1ac1cef4-57d0-75db-be0a-7f8b6ff55cb8}

Followup: MachineOwner
---------


Boot drive status (NVME drive)


C:\Program Files\smartmontools\bin>smartctl.exe -A /dev/sdf -H
smartctl 7.1 2019-12-30 r5022 [x86_64-w64-mingw32-w10-b19041] (sf-7.1-1)
Copyright (C) 2002-19, Bruce Allen, Christian Franke, www.smartmontools.org

=== START OF SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

SMART/Health Information (NVMe Log 0x02)
Critical Warning: 0x00
Temperature: 68 Celsius
Available Spare: 100%
Available Spare Threshold: 10%
Percentage Used: 1%
Data Units Read: 10 605 657 [5.43 TB]
Data Units Written: 55 245 869 [28.2 TB]
Host Read Commands: 375 597 942
Host Write Commands: 344 010 063
Controller Busy Time: 1 593
Power Cycles: 635
Power On Hours: 1 662
Unsafe Shutdowns: 49
Media and Data Integrity Errors: 0
Error Information Log Entries: 802
Warning Comp. Temperature Time: 0
Critical Comp. Temperature Time: 0
Temperature Sensor 1: 68 Celsius
Temperature Sensor 2: 76 Celsius

Continue reading...
 
Back
Top Bottom