Hi Pranav,
Code:
BugCheck 24, {b500190637, ffffd0002040eae8, ffffd0002040e2f0, fffff801541540bb}
2nd argument is exception record address, 3rd argument is the context record address.
Code:
2: kd> .exr ffffd0002040eae8
ExceptionAddress: fffff801541540bb (fltmgr!FltpSetUpIrpCallControl+0x000000000000005b)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000040000028
Attempt to read from address 0000000040000028
We can see first of all the crash occurred because we hit an access violation regarding FltpSetUpIrpCallControl, likely an undocumented function of the Windows file system filter manager.
Code:
2: kd> .cxr ffffd0002040e2f0
rax=ffffe0000f4887f0 rbx=ffffe000114efdb8 rcx=0000000000000000
rdx=ffffe000098a2770 rsi=ffffe000098a2770 rdi=0000000040000000
rip=fffff801541540bb rsp=ffffd0002040ed20 rbp=ffffd0002040ed00
r8=ffffd0002040edd8 r9=00000000000000fb r10=ffffe0000fd1c270
r11=7ffffffffffffffc r12=00000000000000fb r13=ffffe00010187a80
r14=ffffd0002040edd8 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
fltmgr!FltpSetUpIrpCallControl+0x5b:
fffff801`541540bb 488b4f28 mov rcx,qword ptr [rdi+28h] ds:002b:00000000`40000028=????????????????
By running the .cxr command (display context record) followed by the 3rd argument address, we instruct the debugger to use the specified context record as the register context.
We can see that the immediate cause of the access violation within the instruction regarding FltpSetUpIrpCallControl was the attempt to move the value stored at the memory address contained in the rdi register + 28h to the rcx register.
The rcx register is null, which is actually OK considering this is an x64 box, and rcx is a volatile register. This quite simply means that it's most likely going to be destroyed across a call, given it's a scratch register. We're more interested in rdi's address contents:
Code:
2: kd> !pte 0000000040000000
VA 0000000040000000
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00008 PDE at FFFFF6FB40001000 PTE at FFFFF68000200000
contains 0180000129047867 contains 02C00001A18DB867 contains 0000000000000000
pfn 129047 ---DA--UWEV pfn 1a18db ---DA--UWEV not valid
So we can see that rdi was completely invalid (if 0000000040000000 wasn't obvious enough as invalid).
Code:
2: kd> .formats 0000000040000000
Evaluate expression:
Hex: 00000000`40000000
Decimal: 1073741824
Octal: 0000000000010000000000
Binary: 00000000 00000000 00000000 00000000 01000000 00000000 00000000 00000000
Have the user test their hard disk with Chkdsk/Seatools, or update the firmware if it's an SSD.
Regards,
Patrick
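
The cross-check walked through in the post above, as an added example that is not part of the original post: it parses pasted `.exr` and `.cxr` text, recomputes the faulting operand's address from the base register and displacement, and compares it with the exception record. The function names and the `triage` result keys are assumptions made for this sketch, and only the simple `[reg+disp]` operand form is handled.

```python
import re

# Constructed sample: lines copied from the .exr and .cxr output in the post above.
EXR = """ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000040000028"""
CXR = """rax=ffffe0000f4887f0 rbx=ffffe000114efdb8 rcx=0000000000000000
rdx=ffffe000098a2770 rsi=ffffe000098a2770 rdi=0000000040000000
fffff801`541540bb 488b4f28 mov rcx,qword ptr [rdi+28h] ds:002b:00000000`40000028=????????????????"""

# For c0000005, Parameter[0] is the access type and Parameter[1] the faulting address.
ACCESS = {0: "read", 1: "write", 8: "execute"}
KERNEL_BASE = 0xFFFF800000000000  # start of the x64 kernel (upper canonical) range

def parse_exr(text):
    code = int(re.search(r"ExceptionCode:\s*([0-9a-f]+)", text, re.I).group(1), 16)
    params = [int(v, 16) for v in re.findall(r"Parameter\[\d+\]:\s*([0-9a-f]+)", text, re.I)]
    return code, params

def parse_registers(text):
    pairs = re.findall(r"\b(r[a-z0-9]{1,3})=([0-9a-f]{16})\b", text)
    return {name: int(value, 16) for name, value in pairs}

def effective_address(instr, regs):
    """Resolve a [reg] or [reg+/-NNh] operand; returns (address, base register)."""
    m = re.search(r"\[(\w+)(?:([+-])([0-9a-f]+)h)?\]", instr, re.I)
    if not m or m.group(1) not in regs:
        return None, None  # index*scale and RIP-relative forms are not handled
    disp = int(m.group(3), 16) if m.group(3) else 0
    if m.group(2) == "-":
        disp = -disp
    return (regs[m.group(1)] + disp) & 0xFFFFFFFFFFFFFFFF, m.group(1)

def triage(exr, cxr):
    code, params = parse_exr(exr)
    ea, base = effective_address(cxr, parse_registers(cxr))
    result = {"access_violation": code == 0xC0000005,
              "base_register": base, "effective_address": ea}
    if result["access_violation"] and len(params) >= 2:
        result["access"] = ACCESS.get(params[0], "unknown")
        result["fault_address"] = params[1]
        # True when the bad pointer came from the operand's base register
        result["operand_matches_fault"] = ea == params[1]
        result["kernel_range"] = params[1] >= KERNEL_BASE
    return result

if __name__ == "__main__":
    for key, value in triage(EXR, CXR).items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```
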