[SOLVED] BSOD 0x24 problem while under Windows and MMC is executing. - Windows 8.1 x64

liannfs23

liannfs23

Contributor
Joined
Nov 27, 2014
Posts
16
Location
Taiwan
Hi,

I've encountered a 0x24 BSOD issue while under Window and MMC is executing. The fail rate is sporadic and pretty hard to duplicate it again.
I also read this article "https://www.sysnative.com/forums/bsod-kernel-dump-analysis-debugging-information/11626-%5Bquestion%5Dhow-to-proceed-debugging-a-ntfs_file_system-24-bugcheck.html" but I couldn't find what might cause this issue. Any help would be appreciated. Thanks!

The dump file is too big in zip format so I opted 7zip format and uploaded to Google Drive. I'm sorry for the inconvenience.
https://drive.google.com/file/d/0B69Ifobh2w7XeFdoeDQtYk9mSU0/view?usp=sharing

Here are the basic info:
· OS - Windows 8.1 with August update.
· x86 (32-bit) or x64 ? X64
· Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)? OEM version.
· Age of system (hardware): In 3 months.
· Age of OS installation - have you re-installed the OS? In 3 months.

· CPU: Intel i7-5500U
· Video Card: UMA
· MotherBoard: NEC
· System Manufacturer: NEC
· Laptop or Desktop?: AIO with Intel Mobile solution.
 

Attachments

Here is the basic walk through of the dump.

1: kd> .exr 0xffffd000276ad8a8
ExceptionAddress: fffff8038e17196c (nt!RtlAreNamesEqual+0x000000000000006c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000065
Attempt to write to address 0000000000000065
1: kd> .cxr 0xffffd000276ad0b0;r
rax=000000000000001c rbx=ffffc0005375c012 rcx=0000000000000045
rdx=0000000000000045 rsi=0000000000000044 rdi=ffffc000587fa100
rip=fffff8038e17196c rsp=ffffd000276adae0 rbp=ffffd000276adc09
r8=0000000000000065 r9=000000000000001c r10=ffffc0004f2a5000
r11=ffffc000587b6a52 r12=ffffc0005375c012 r13=ffffc0004ef87390
r14=0000000000000003 r15=0000000000000319
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!RtlAreNamesEqual+0x6c:
fffff803`8e17196c b001 mov al,1
Last set context:
rax=000000000000001c rbx=ffffc0005375c012 rcx=0000000000000045
rdx=0000000000000045 rsi=0000000000000044 rdi=ffffc000587fa100
rip=fffff8038e17196c rsp=ffffd000276adae0 rbp=ffffd000276adc09
r8=0000000000000065 r9=000000000000001c r10=ffffc0004f2a5000
r11=ffffc000587b6a52 r12=ffffc0005375c012 r13=ffffc0004ef87390
r14=0000000000000003 r15=0000000000000319
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!RtlAreNamesEqual+0x6c:
fffff803`8e17196c b001 mov al,1
1: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
ffffd000`276adae0 fffff800`90196bd6 nt!RtlAreNamesEqual+0x6c
ffffd000`276adb30 fffff800`90178a99 Ntfs!NtfsFindPrefixHashEntry+0x337
ffffd000`276adc60 fffff800`90174e22 Ntfs!NtfsFindStartingNode+0x2fd
ffffd000`276add30 fffff800`9019757d Ntfs!NtfsCommonCreate+0x402
ffffd000`276adf50 fffff803`8e1db5f7 Ntfs!NtfsCommonCreateCallout+0x1d
ffffd000`276adf80 fffff803`8e1db5bd nt!KxSwitchKernelStackCallout+0x27
ffffd000`22555060 fffff803`8e150ad8 nt!KiSwitchKernelStackContinue
ffffd000`22555080 fffff800`90195e5f nt!KeExpandKernelStackAndCalloutInternal+0x218
ffffd000`22555170 fffff800`8f8e5cf8 Ntfs!NtfsFsdCreate+0x1cf
ffffd000`22555360 fffff800`8f90e341 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x258
ffffd000`22555400 fffff803`8e45a513 fltmgr!FltpCreate+0x342
ffffd000`225554b0 fffff803`8e460478 nt!IopParseDevice+0x7b3
ffffd000`225556b0 fffff803`8e45ddd3 nt!ObpLookupObjectName+0x6d8
ffffd000`22555830 fffff803`8e426b52 nt!ObOpenObjectByName+0x1e3
ffffd000`22555960 fffff803`8e426758 nt!IopCreateFile+0x372
ffffd000`22555a00 fffff803`8e1e34b3 nt!NtOpenFile+0x58
ffffd000`22555a90 00007fff`7cac19aa nt!KiSystemServiceCopyEnd+0x13
00000000`0097d1a8 00007fff`79e86a98 ntdll!NtOpenFile+0xa
00000000`0097d1b0 00007fff`79e86e54 KERNELBASE!FindFirstFileExW+0x1a8
00000000`0097d580 00007fff`7a274e85 KERNELBASE!FindFirstFileW+0x1c
00000000`0097d5c0 00007fff`7a274d9e CFGMGR32!StringIndirectionFileExists+0x45
00000000`0097d850 00007fff`7a2747ed CFGMGR32!SpInfLoadInfFile+0xe2
00000000`0097e2a0 00007fff`7a27451d CFGMGR32!LoadIndirectInfString+0x24d
00000000`0097e7f0 00007fff`7a27eb6e CFGMGR32!StringIndirectionResolveIndirection+0xbd
00000000`0097e860 00007fff`7a27ead3 CFGMGR32!StringIndirectionGetString+0x4e
00000000`0097e8a0 00007fff`7a27335c CFGMGR32!GetObjectProperty+0x372
00000000`0097e9a0 00007fff`7a2731f8 CFGMGR32!CM_Get_DevNode_PropertyW+0x12c
00000000`0097ec00 00007fff`78c3496a CFGMGR32!CM_Get_DevNode_Property_ExW+0x84
00000000`0097ee40 00007fff`78c34868 DEVOBJ!_DevObjGetDeviceProperty+0x9a
00000000`0097eeb0 00007fff`7a48573e DEVOBJ!DevObjGetDeviceProperty+0xb0
00000000`0097ef20 00007fff`6089bcfa SETUPAPI!SetupDiGetDevicePropertyW+0xea
00000000`0097efa0 00007fff`60898b61 devmgr!CMachine::CmGetDescriptionString+0x6a
00000000`0097eff0 00007fff`6089c51e devmgr!CDevice::CDevice+0xb1
00000000`0097f060 00007fff`6089d8b6 devmgr!CMachine::CreateClassesAndDevices+0x4ce
00000000`0097f790 00007fff`6089db98 devmgr!CMachine::Refresh+0x96
00000000`0097f7f0 00007fff`7a8f2434 devmgr!dmNotifyWndProc+0x44
00000000`0097f820 00007fff`7a8f4e83 USER32!UserCallWinProcCheckWow+0x140
00000000`0097f8e0 00007fff`606b68f6 USER32!CallWindowProcW+0x93
00000000`0097f940 00007fff`7a8f2434 MFC42u!_AfxActivationWndProc+0x9a
00000000`0097fa30 00007fff`7a8f2297 USER32!UserCallWinProcCheckWow+0x140
00000000`0097faf0 00007fff`606b6724 USER32!DispatchMessageWorker+0x1a7
00000000`0097fb70 00007ff7`2c95149f MFC42u!CWinThread::PumpMessage+0x54
00000000`0097fba0 00007fff`606b64ec mmc!CAMCApp::PumpMessage+0x3b
00000000`0097fc10 00007fff`606b9695 MFC42u!CWinThread::Run+0x6c
00000000`0097fc50 00007ff7`2c95da95 MFC42u!AfxWinMain+0x89
00000000`0097fc90 00007fff`7bf316ad mmc!__wmainCRTStartup+0x1b8
00000000`0097fd50 00007fff`7ca84409 KERNEL32!BaseThreadInitThunk+0xd
00000000`0097fd80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
 
Hi,

I'll post back with an analysis later when I get a chance. I don't have the time at the moment. I'm just posting to give you a heads up to expect a reply soon.

Regards,

Patrick
 
I understand why your file is so large, it's because you've uploaded a Complete Memory Dump.
 
Code: 
[COLOR=#ff0000]BugCheck 24[/COLOR], {b500190637, [COLOR=#008000]ffffd000276ad8a8[/COLOR], [COLOR=#0000cd]ffffd000276ad0b0[/COLOR], [COLOR=#ff8c00]fffff8038e17196c[/COLOR]}

Probably caused by : ntkrnlmp.exe ( nt!RtlAreNamesEqual+6c )

The second parameter contains the address of the exception record, the third parameter is the address is the context record, and the fourth parameter is the exception address.

The bugcheck indicates that a problem has occurred with the NTFS file system, from looking into the thread stack, I now understand why the NTFS is blamed, the problem seems to be happened because of a Volume Filter driver named Saibad64.sys. I would suggest looking for a driver update from the support page - Flight Simulator and Licensed Cessna Pro Flight Sim Products | Saitek.com

Code: 
1: kd> [COLOR=#008000]lmvm Saibad64[/COLOR]

start             end                 module name
fffff800`90bf7000 fffff800`90c00000   Saibad64   (no symbols)           
    Loaded symbol image file: Saibad64.sys
    Image path: \SystemRoot\System32\Drivers\Saibad64.sys
    Image name: Saibad64.sys
    Timestamp:        [COLOR=#ff0000]Sat Jun 02 01:57:13 2012[/COLOR] (4FC964E9)
    CheckSum:         00012B11
    ImageSize:        00009000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

There is some interesting strings in the stack too, for example:

Code: 
1: kd> [COLOR=#008000]!procdumpext.du ffffe000570686c0[/COLOR]
\Device\HarddiskVolume4\WINDOWS\System32\DriverStore\ja-JP\

I assume this is the Volume which the Volume Filter driver was written for, since under closer inspection:

Code: 
1: kd> [COLOR=#008000]!driveinfo c:[/COLOR]
Drive c:, DriveObject ffffc0004ef76b50
    Directory Object: ffffc0004ee0a1b0  Name: C:
        Target String is '[COLOR=#ff0000]\Device\HarddiskVolume4[/COLOR]'
        Drive Letter Index is 3 (C:)
    Volume DevObj: ffffe00059a89060
    Vpb: ffffe00059a887f0  DeviceObject: ffffe00055c09030
    FileSystem: [COLOR=#ff0000]\FileSystem\Ntfs[/COLOR]
Cannot get  ntfs!VOLUME_DEVICE_OBJECT.Vcb @ ffffe00055c09030

However, it doesn't appear in the device objects associated with the Saibad64.sys, but is part of a device stack with a device called Saibad64 (likely a FDO).

Code: 
1: kd> [COLOR=#008000]!devstack ffffe00059a89060[/COLOR]
  !DevObj   !DrvObj            !DevExt   ObjectName
  [COLOR=#0000cd]ffffe00059830a50[/COLOR]  [COLOR=#ff0000]\Driver\Saibad64[/COLOR]   ffffe00059830ba0  
  ffffe00059c1e040  \Driver\volsnap    ffffe00059c1e190  
  ffffe00059832400  \Driver\rdyboost   ffffe00059832550  
  ffffe0005982f030  \Driver\fvevol     ffffe0005982f180  
> [COLOR=#ff0000]ffffe00059a89060 [/COLOR] \Driver\volmgr     ffffe00059a891b0  [COLOR=#0000ff]HarddiskVolume4[/COLOR]
!DevNode ffffe00059a89770 :
  DeviceInst is "STORAGE\Volume\{b35f3bed-6e59-11e4-8254-806e6f6e6963}#0000000076100000"
  ServiceName is "volsnap"

Code: 
1: kd> [COLOR=#008000]!drvobj Saibad64[/COLOR]
Driver object (ffffe000598a8060) is for:
 \Driver\Saibad64
Driver Extension List: (id , addr)

Device Object list:
ffffe00059c1c040  ffffe00059830460  [COLOR=#ff0000]ffffe00059830a50[/COLOR]  ffffe00059832a50
ffffe00059834a50  ffffe00059c21040

I wanted to try the !fltkd.volume extension simply for curiosity, but it doesn't seem to want to work properly tonight.
 
Alright.

NTFS_FILE_SYSTEM (24)

This indicates a problem occurred in ntfs.sys, the driver file that allows the system to read and write to NTFS drives.

Code: 
{b500190637, [COLOR=#0000ff]ffffd000276ad8a8[/COLOR], [COLOR=#008000]ffffd000276ad0b0[/COLOR], fffff8038e17196c}

Code: 
ExceptionAddress: fffff8038e17196c ([COLOR=#800080]nt!RtlAreNamesEqual+0x000000000000006c[/COLOR])
   ExceptionCode: [COLOR=#ff0000]c0000005 (Access violation)[/COLOR]

Access violation was thrown by nt!RtlAreNamesEqual.

Code: 
rax=000000000000001c rbx=ffffc0005375c012 rcx=0000000000000045
rdx=0000000000000045 rsi=0000000000000044 rdi=ffffc000587fa100
rip=fffff8038e17196c rsp=ffffd000276adae0 rbp=ffffd000276adc09
 r8=0000000000000065  r9=000000000000001c r10=ffffc0004f2a5000
r11=ffffc000587b6a52 r12=ffffc0005375c012 r13=ffffc0004ef87390
r14=0000000000000003 r15=0000000000000319
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
[COLOR=#800080]nt!RtlAreNamesEqual+0x6c[/COLOR]:
fffff803`8e17196c b001            [COLOR=#ff0000]mov     [/COLOR][COLOR=#008000]al[/COLOR],[COLOR=#0000ff]1[/COLOR]

So the violation was caused due to mov instruction, specifically setting the lower byte(s) of the AX register to 1.

Code: 
                                           VA 000000000000001c
PXE at FFFFF6FB7DBED000    PPE at FFFFF6FB7DA00000    PDE at FFFFF6FB40000000    PTE at FFFFF68000000000
contains 03B000014BEC4867  contains 01500001348C5867  contains 0000000000000000
pfn 14bec4    ---DA--UWEV  pfn 1348c5    ---DA--UWEV  [COLOR=#ff0000]not valid[/COLOR]

As it is a CMD, we can dump the contents of the AX register and see its contents are invalid. This is why the access violation was thrown and the instruction failed.

So why were the contents invalid? Well, now we need to sift through the stack one call at a time and see what's going on.

Code: 
ffffd000`276adae0 fffff800`90196bd6 nt!RtlAreNamesEqual+0x6c [COLOR=#800080]// Access violation thrown here.[/COLOR]
ffffd000`276adb30 fffff800`90178a99 Ntfs!NtfsFindPrefixHashEntry+0x337
ffffd000`276adc60 fffff800`90174e22 Ntfs!NtfsFindStartingNode+0x2fd
ffffd000`276add30 fffff800`9019757d Ntfs!NtfsCommonCreate+0x402
ffffd000`276adf50 fffff803`8e1db5f7 Ntfs!NtfsCommonCreateCallout+0x1d
ffffd000`276adf80 fffff803`8e1db5bd nt!KxSwitchKernelStackCallout+0x27
ffffd000`22555060 fffff803`8e150ad8 nt!KiSwitchKernelStackContinue
ffffd000`22555080 fffff800`90195e5f nt!KeExpandKernelStackAndCalloutInternal+0x218
ffffd000`22555170 fffff800`8f8e5cf8 Ntfs!NtfsFsdCreate+0x1cf
ffffd000`22555360 fffff800`8f90e341 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x258
ffffd000`22555400 fffff803`8e45a513 fltmgr!FltpCreate+0x342
ffffd000`225554b0 fffff803`8e460478 nt!IopParseDevice+0x7b3
ffffd000`225556b0 fffff803`8e45ddd3 nt!ObpLookupObjectName+0x6d8
ffffd000`22555830 fffff803`8e426b52 nt!ObOpenObjectByName+0x1e3
ffffd000`22555960 fffff803`8e426758 nt!IopCreateFile+0x372
ffffd000`22555a00 fffff803`8e1e34b3 nt!NtOpenFile+0x58 [COLOR=#800080]// Opening the file, directory, etc and return the file object (?) handler.[/COLOR]
ffffd000`22555a90 00007fff`7cac19aa nt!KiSystemServiceCopyEnd+0x13
00000000`0097d1a8 00007fff`79e86a98 ntdll!NtOpenFile+0xa [COLOR=#800080]// Transition to kernel-mode to open the file, directory, etc.[/COLOR]
00000000`0097d1b0 00007fff`79e86e54 KERNELBASE!FindFirstFileExW+0x1a8 [COLOR=#800080]// Similiar to below call, but instead of specific, we're searching for a name and attributes that match those      specified.[/COLOR]
00000000`0097d580 00007fff`7a274e85 KERNELBASE!FindFirstFileW+0x1c [COLOR=#800080]// Getting ready to transition to kernel-mode, using the function to search a directory for a file or subdirectory that matches a specific name.[/COLOR]
00000000`0097d5c0 00007fff`7a274d9e CFGMGR32!StringIndirectionFileExists+0x45
00000000`0097d850 00007fff`7a2747ed CFGMGR32!SpInfLoadInfFile+0xe2
00000000`0097e2a0 00007fff`7a27451d CFGMGR32!LoadIndirectInfString+0x24d
00000000`0097e7f0 00007fff`7a27eb6e CFGMGR32!StringIndirectionResolveIndirection+0xbd
00000000`0097e860 00007fff`7a27ead3 CFGMGR32!StringIndirectionGetString+0x4e
00000000`0097e8a0 00007fff`7a27335c CFGMGR32!GetObjectProperty+0x372
00000000`0097e9a0 00007fff`7a2731f8 CFGMGR32!CM_Get_DevNode_PropertyW+0x12c
00000000`0097ec00 00007fff`78c3496a CFGMGR32!CM_Get_DevNode_Property_ExW+0x84 [COLOR=#800080]// Call into Configuration Manager Forwarder DLL.[/COLOR]
00000000`0097ee40 00007fff`78c34868 DEVOBJ!DevObjGetDeviceProperty+0x9a[COLOR=#800080] // It looks like we may be dealing with a file object?[/COLOR]
00000000`0097eeb0 00007fff`7a48573e DEVOBJ!DevObjGetDeviceProperty+0xb0
00000000`0097ef20 00007fff`6089bcfa SETUPAPI!SetupDiGetDevicePropertyW+0xea
00000000`0097efa0 00007fff`60898b61 devmgr!CMachine::CmGetDescriptionString+0x6a
00000000`0097eff0 00007fff`6089c51e devmgr!CDevice::CDevice+0xb1
00000000`0097f060 00007fff`6089d8b6 devmgr!CMachine::CreateClassesAndDevices+0x4ce
00000000`0097f790 00007fff`6089db98 devmgr!CMachine::Refresh+0x96
00000000`0097f7f0 00007fff`7a8f2434 devmgr!dmNotifyWndProc+0x44 [COLOR=#800080]// Call into Device Manager.[/COLOR]
00000000`0097f820 00007fff`7a8f4e83 USER32!UserCallWinProcCheckWow+0x140
00000000`0097f8e0 00007fff`606b68f6 USER32!CallWindowProcW+0x93
00000000`0097f940 00007fff`7a8f2434 MFC42u!_AfxActivationWndProc+0x9a
00000000`0097fa30 00007fff`7a8f2297 USER32!UserCallWinProcCheckWow+0x140
00000000`0097faf0 00007fff`606b6724 USER32!DispatchMessageWorker+0x1a7 [COLOR=#800080]// GDI function dispatching message worker.[/COLOR]
00000000`0097fb70 00007ff7`2c95149f MFC42u!CWinThread::PumpMessage+0x54[COLOR=#800080] // MFCDLL call.[/COLOR]
00000000`0097fba0 00007fff`606b64ec mmc!CAMCApp::PumpMessage+0x3b
00000000`0097fc10 00007fff`606b9695 MFC42u!CWinThread::Run+0x6c [COLOR=#800080]// MFCDLL call.[/COLOR]
00000000`0097fc50 00007ff7`2c95da95 MFC42u!AfxWinMain+0x89 [COLOR=#800080]// MFCDLL call.[/COLOR]
00000000`0097fc90 00007fff`7bf316ad mmc!std::_String_base::_Xran+0x358
00000000`0097fd50 00007fff`7ca84409 KERNEL32!BaseThreadInitThunk+0xd
00000000`0097fd80 00000000`00000000 ntdll!RtlUserThreadStart+0x1d [COLOR=#800080]// Starting a thread within user-mode.[/COLOR]

Ultimately it looks like something 3rd party is throwing Ntfs off the rails by causing an access violation. If I had to make an educated guess, I'd blame McAfee. Either that, or your Saitek virtual disk (as I can now see Harry pointed out). Take care off the Saitek device first, and if it continues to crash afterwards, I'd remove McAfee.


Remove and replace McAfee with Windows 8's built-in Windows Defender for temporary troubleshooting purposes:

McAfee removal - How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR)

Windows Defender (how to turn on after removal)

A.Navigate to Control Panel (with icons). You can do this by hitting Start > Search > Control Panel. Once in Control Panel, change the drop-down from Category to Large and/or Small icons.

B.Among the list of icons, find and click Action Center.

C.Assuming the removal of your prior antivirus software went properly, you will notice for both Spyware and unwated software protection (important) and Virus protection (important), it'll have a button labeled Turn on now. Click this button (it doesn't matter which, as Windows Defender serves as both in Windows 8/8.1).

Regards,

Patrick
 
Hi,

Thank you guys all!
I thought the full dump would be more helpful. I'm sorry that I didn't mention it earlier. :|
The Saibad64.sys is a Disk Filter Driver that come from Roxio burning software.
roxio.jpg

McAfee also has bad reputation from my working experience either.
I'll try to remove the Roxio software first then duplicate it again.
Thanks again!
 
Ah yes, I remember seeing Roxio before; it's not that common from what I've seen.
Roxio has been known to cause various problems, including blue screens, I've seen it personally.
So, as Patrick has said, get rid of it.
 
Roxio is generally these days only bundled with bloatware in prebuilt systems. If it's installed deliberately, well then it's a only a matter of time until it's deliberately uninstalled.
 
Hi,

Base on current results of the experiment(remove Roxio and McAfee), the BSOD is no longer exist.
I think this problem is solved even the fail rate is low.
Thank you guys! :D
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top