Thanks!
It's of the SYSTEM_SERVICE_EXCEPTION (3b) bug check.
This indicates that an exception happened while executing a routine that transitions from non-privileged code to privileged code.
This error has been linked to excessive paged pool usage and may occur due to user-mode graphics drivers crossing over and passing bad data to the kernel code.
-- FAILURE_BUCKET_ID: 0x3B_VRF_fltmgr!FltpPassThrough
^^ First thing to notice is that Driver Verifier is enabled and failed to detect a 3rd party driver in violation. Instead, fltmgr.sys was flagged which is the Microsoft Filesystem Filter Manager driver.
Let's take a look at the call stack:
Code:
2: kd> kv
Child-SP RetAddr : Args to Child : Call Site
ffffd000`2c6ae3f8 fffff802`6ebe17e9 : 00000000`0000003b 00000000`c0000005 fffff800`00801187 ffffd000`2c6aece0 : nt!KeBugCheckEx
ffffd000`2c6ae400 fffff802`6ebe10fc : ffffd000`2c6ae650 fffff802`6ebd2526 fffff802`6ecc27fc ffffd000`2c6af4d8 : nt!KiBugCheckDispatch+0x69
ffffd000`2c6ae540 fffff802`6ebdd1ed : fffff802`6ed8b000 fffff802`6ea88000 0003ece8`00781000 fffff802`6eda6dd4 : nt!KiSystemServiceHandler+0x7c
ffffd000`2c6ae580 fffff802`6eb63595 : 00000000`00000003 ffffd000`2c6ae6b0 fffff802`6edaa218 ffffcf80`11decc70 : nt!RtlpExecuteHandlerForException+0xd
ffffd000`2c6ae5b0 fffff802`6eb6445b : ffffd000`2c6af4d8 ffffd000`2c6af1e0 ffffd000`2c6af4d8 ffffe000`39c0ba20 : nt!RtlDispatchException+0x455
ffffd000`2c6aecb0 fffff802`6ebe18c2 : ffffd000`2c6af580 ffffd000`2c6af5f0 ffffd000`2c6af3d8 00000000`00000000 : nt!KiDispatchException+0x61f
ffffd000`2c6af3a0 fffff802`6ebdfdfe : 00000000`00000000 ffffd000`2c6af7e0 fffff780`00001000 ffffd000`2c6af580 : nt!KiExceptionDispatch+0xc2
ffffd000`2c6af580 fffff800`00801187 : ffffd000`2c6af7e0 ffffd000`2c6af760 ffffe000`40ccda08 00000000`00000000 : nt!KiGeneralProtectionFault+0xfe (TrapFrame @ ffffd000`2c6af580)
ffffd000`2c6af710 fffff800`0082b810 : ffffe000`0c00bdf0 ffffe000`40ccda08 ffffe000`40ccd8f0 ffffe000`0c00bdf0 : fltmgr!FltpPassThrough+0x177
ffffd000`2c6af7c0 fffff802`6f0e8911 : ffffe000`40ccd8f0 ffffe000`0c00bdf0 00000000`00000002 fffff802`6eaca643 : fltmgr!FltpFsControl+0xd0
ffffd000`2c6af820 fffff802`6ee333e5 : ffffe000`40ccd8f0 ffffd000`2c6afb80 00000000`00000001 ffffe000`0e2f1f40 : nt!IovCallDriver+0x3cd
ffffd000`2c6af870 fffff802`6eea3a22 : ffffd000`2c6afa38 0000000f`001f0003 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x845
ffffd000`2c6afa20 fffff802`6ebe14b3 : ffffe000`3a696880 ffffd000`001f0003 00000000`0013e2b8 00000000`00000000 : nt!NtFsControlFile+0x56
ffffd000`2c6afa90 00000000`777e2772 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`2c6afb00)
00000000`0013ebb8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x777e2772
Let's take the TrapFrame from nt!KiGeneralProtectionFault so we can look into what happened with fltmgr!FltpPassThrough:
Code:
2: kd> .trap ffffd000`2c6af580
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=000000000000000d rsi=0000000000000000 rdi=0000000000000000
rip=fffff80000801187 rsp=ffffd0002c6af710 rbp=ffffd0002c6af760
r8=0000000000000000 r9=0000000000000000 r10=000000000000000d
r11=ffffe0000c12b010 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
fltmgr!FltpPassThrough+0x177:
fffff800`00801187 ff15a36e0100 call qword ptr [fltmgr!_imp_KeGetCurrentProcessorNumberEx (fffff800`00818030)] ds:fffff800`00818030={nt!KeGetCurrentProcessorNumberEx (fffff802`6eb657c0)}
Code:
2: kd> u @rip
fltmgr!FltpPassThrough+0x177:
fffff800`00801187 ff15a36e0100 call qword ptr [fltmgr!_imp_KeGetCurrentProcessorNumberEx (fffff800`00818030)]
fffff800`0080118d 33d2 xor edx,edx
fffff800`0080118f 41bd78010000 mov r13d,178h
fffff800`00801195 f73505420200 div eax,dword ptr [fltmgr!FltGlobals+0x20 (fffff800`008253a0)]
fffff800`0080119b 448bc2 mov r8d,edx
fffff800`0080119e 49c1e006 shl r8,6
fffff800`008011a2 4d0386a8020000 add r8,qword ptr [r14+2A8h]
fffff800`008011a9 4c894508 mov qword ptr [rbp+8],r8
^^ The KeGetCurrentProcessorNumberEx routine gets the processor number of the logical processor that the caller is running on.
-------------------
Given we're now seeing mention of file system faults, let's go ahead and do some HDD diagnostics (start with chkdsk and paste log after, and then move to Seatools):
Chkdsk:
There are various ways to run Chkdsk~
Method 1:
Start > Search bar > Type cmd (right click run as admin to execute Elevated CMD)
Elevated CMD should now be opened, type the following:
chkdsk x: /r
x implies your drive letter, so if your hard drive in question is letter c, it would be:
chkdsk c: /r
Restart system and let chkdsk run.
Method 2:
Open the "Computer" window
Right-click on the drive in question
Select the "Tools" tab
In the Error-checking area, click <Check Now>.
If you'd like to get a log file that contains the chkdsk results, do the following:
Press Windows Key + R and type powershell.exe in the run box
Paste the following command and press enter afterwards:
get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt
This will output a .txt file on your Desktop containing the results of the chkdsk.
If chkdsk turns out okay, run Seatools -
SeaTools | Seagate
You can run it via Windows or DOS. Do note that the only difference is simply the environment you're running it in. In Windows, if you are having what you believe to be device driver related issues that may cause conflicts or false positives, it may be a wise decision to choose the most minimal testing environment (DOS).
Run all tests EXCEPT: Fix All and anything Advanced.
Regards,
Patrick
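
An added example, not part of the original post: the manual triage step above (find the first TrapFrame in the kv listing, then read the frame beneath it) written as a small Python parser. The sample listing is constructed by abridging the stack shown in the post; the function names and the `Iov` prefix heuristic for spotting Driver Verifier's I/O verification are assumptions of this example.

```python
import re

# Constructed sample: frames abridged from the kv listing in the post above;
# the four argument columns are shortened to a single value per frame.
SAMPLE_KV = """\
Child-SP RetAddr : Args to Child : Call Site
ffffd000`2c6ae3f8 fffff802`6ebe17e9 : 00000000`0000003b : nt!KeBugCheckEx
ffffd000`2c6af3a0 fffff802`6ebdfdfe : 00000000`00000000 : nt!KiExceptionDispatch+0xc2
ffffd000`2c6af580 fffff800`00801187 : ffffd000`2c6af7e0 : nt!KiGeneralProtectionFault+0xfe (TrapFrame @ ffffd000`2c6af580)
ffffd000`2c6af710 fffff800`0082b810 : ffffe000`0c00bdf0 : fltmgr!FltpPassThrough+0x177
ffffd000`2c6af7c0 fffff802`6f0e8911 : ffffe000`40ccd8f0 : fltmgr!FltpFsControl+0xd0
ffffd000`2c6af820 fffff802`6ee333e5 : ffffe000`40ccd8f0 : nt!IovCallDriver+0x3cd
ffffd000`2c6afa90 00000000`777e2772 : 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000`2c6afb00)
00000000`0013ebb8 00000000`00000000 : 00000000`00000000 : 0x777e2772
"""

FRAME_RE = re.compile(
    r"^(?P<sp>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<ret>[0-9a-f]{8}`[0-9a-f]{8})\s+:"
    r".*:\s+(?P<site>.+?)(?:\s+\(TrapFrame @ (?P<trap>[0-9a-f`]+)\))?\s*$"
)
SITE_RE = re.compile(r"^(?:(?P<module>[^!]+)!)?(?P<func>.+?)(?:\+0x(?P<off>[0-9a-f]+))?$")

def parse_kv(text):
    """Turn kv output into a list of frame dicts; header and non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        s = SITE_RE.match(m["site"])
        frames.append({"sp": m["sp"], "ret": m["ret"], "trap": m["trap"],
                       "module": s["module"], "func": s["func"],
                       "offset": int(s["off"], 16) if s["off"] else 0})
    return frames

def triage(frames):
    """Return the first trap frame and the frame that was running when it was taken."""
    for i, f in enumerate(frames[:-1]):
        if f["trap"]:
            hit = frames[i + 1]
            return {
                "trap_cmd": ".trap " + f["trap"],  # command to switch register context
                "fault_ip": f["ret"],  # RetAddr of the trap handler frame is the interrupted rip
                "faulting": f"{hit['module']}!{hit['func']}+0x{hit['offset']:x}",
                # Heuristic: nt!Iov* frames mean Driver Verifier I/O verification is in the path
                "verifier_io": any(x["module"] == "nt" and x["func"].startswith("Iov") for x in frames),
            }
    return None
```
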