So we have our 0x24 bugcheck.
Code:
NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff88009e0d078
Arg3: fffff88009e0c8d0
Arg4: fffff80003e12aa9
So let's run the command on the 3rd parameter.
Code:
2: kd> .cxr 0xfffff88009e0c8d0;r
rax=0000000000000000 rbx=0000000000000003 rcx=fffffa800547e5f0
rdx=fffff8a00baf54e0 rsi=0000000000000000 rdi=fffff8a016c44450
rip=fffff80003e12aa9 rsp=fffff88009e0d2b0 rbp=0000000000000000
r8=fffff8a01d05d4f0 r9=fffff8a00baf54a0 r10=0000000000000001
r11=fffff8a00baf54b0 r12=fffffa800547e3c0 r13=0000000000000000
r14=0000000000000006 r15=0000000000000001
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!ExDeferredFreePool+0x1ed:
fffff800`03e12aa9 4c3918 cmp qword ptr [rax],r11 ds:002b:00000000`00000000=????????????????
So we have our read instruction performing an illegal operation.
The instruction was a cmp, which is to compare the contents of the r11 register to the address which a pointer is pointing to, which is stored in rax. The address is null, meaning something has used a null pointer.
So let's look at the callstack.
Code:
fffff880`09e0d2b0 fffff800`03e114f1 : fffff8a0`004e0000 fffff8a0`2529f4d0 fffff8a0`1dbd7348 fffff8a0`1dbd7348 : nt!ExDeferredFreePool+0x1ed
fffff880`09e0d340 fffff880`0150aea4 : fffff8a0`16bf8b40 00000000`00000000 00000000`6c66744e 00000000`000007fd : nt!ExFreePoolWithTag+0x411
fffff880`09e0d3f0 fffff880`01419279 : fffff8a0`16bf8b40 fffff880`09e0d8b0 fffff880`09e0d501 fffff880`014a0d1e : Ntfs! ?? ::NNGAKEGL::`string'+0xbd24
fffff880`09e0d420 fffff880`0149eb60 : fffffa80`0c4b5010 fffffa80`06722180 fffff8a0`16bf8b40 fffff8a0`2529f4e0 : Ntfs!NtfsTeardownFromLcb+0x129
fffff880`09e0d4b0 fffff880`0148d3b7 : fffffa80`0c4b5010 fffff8a0`16bf8b40 fffffa80`0c4b5010 fffff8a0`16bf8b00 : Ntfs!NtfsTeardownStructures+0x200
fffff880`09e0d530 fffff880`014307c8 : fffffa80`0c4b5010 fffffa80`06722180 fffffa80`05eb7d01 fffff880`09e0d700 : Ntfs!NtfsFlushVolume+0x527
fffff880`09e0d660 fffff880`0141db9f : fffffa80`0c4b5010 fffff880`01379000 fffffa80`065bca60 fffffa80`0c4ed301 : Ntfs!NtfsVolumeDasdIo+0x1b8
fffff880`09e0d710 fffff880`0141f398 : fffffa80`0c4b5010 fffffa80`0c655bd0 fffff880`09e0d801 fffffa80`05eb7c00 : Ntfs!NtfsCommonRead+0x5bf
fffff880`09e0d880 fffff880`01326bcf : fffffa80`0c655fb8 fffffa80`0c655bd0 fffffa80`05eb7cb0 00000000`00000001 : Ntfs!NtfsFsdRead+0x1b8
fffff880`09e0d930 fffff880`013256df : fffffa80`065b78e0 00000000`00000001 fffffa80`065b7800 fffffa80`0c655bd0 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`09e0d9c0 fffff880`0138535a : 00000000`00000000 00000000`16f74060 00000000`00000001 fffffa80`065b58b0 : fltmgr!FltpDispatch+0xcf
fffff880`09e0da20 00000000`00000000 : 00000000`16f74060 00000000`00000001 fffffa80`065b58b0 fffffa80`0c4ed380 : AsDsm+0x135a
We have AsDsm calling read I/O operations and removing certain allocations, then it tries to free a pool of memory which is null, as we saw with the null pointer, and hence our bugcheck.
AsDsm is the ASUS Data Security Manager driver; this is bloatware which should be removed.
Code:
2: kd> lmvm AsDsm
start end module name
fffff880`01384000 fffff880`01391000 AsDsm T (no symbols)
Loaded symbol image file: AsDsm.sys
Image path: \SystemRoot\System32\Drivers\AsDsm.sys
Image name: AsDsm.sys
Timestamp: Fri Feb 13 06:14:26 2009 (49950FC2)
CheckSum: 0001216E
ImageSize: 0000D000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
It's outdated by over 5 years, which is why I'm not surprised your system is crashing.
In your other dump file the situation is very similar.
Code:
0: kd> .cxr 0xfffff8800483eb00;r
rax=000000000000ff7b rbx=fffff8a017667a90 rcx=01ca0432200be982
rdx=fffff8a017667a01 rsi=0000000000000000 rdi=0000000000000001
rip=fffff88001618c25 rsp=fffff8800483f4e0 rbp=fffffa80067785a0
r8=0000000000000000 r9=0000000000000001 r10=fffff8800483f5c0
r11=0000000000000000 r12=0000000000000000 r13=00000000c00000d8
r14=0000000000000702 r15=0000000000000705
iopl=0 nv up ei pl nz ac po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010216
Ntfs!NtfsAcquireExclusiveFcb+0x65:
fffff880`01618c25 488b4958 mov rcx,qword ptr [rcx+58h] ds:002b:01ca0432`200be9da=????????????????
So we tried to copy data from an address calculated by adding the value in rcx + 58 to the rcx register, so why is this a failing operation?
Code:
0: kd> !pte 01ca0432200be982
VA 01ca0432200be982
PXE at FFFFF6FB7DBED040 PPE at FFFFF6FB7DA08640 PDE at FFFFF6FB410C8800 PTE at FFFFF682191005F0
Unable to get PXE FFFFF6FB7DBED040
WARNING: noncanonical VA, accesses will fault !
Here's our answer: accessing the rcx register is not allowed; if it is accessed then the system will generate an access violation.
It's the same solution as above as it's using bad instruction pointers.
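As an added illustration (not part of the post above), the script below reproduces the address arithmetic that !pte performed on the second dump's address and the canonical-address check behind its "noncanonical VA" warning, and applies the same triage to the rax=0 read from the first dump. It assumes the fixed x64 self-map bases of the Windows 7-era kernel in these dumps (the PXE at FFFFF6FB7DBED040 in the !pte output confirms them); newer builds randomize the PTE base, so there !pte itself must be used.

```python
# Added example, not from the original post: mimic !pte for the two
# faulting addresses in this thread (rax=0 and rcx+58h) and show why
# one is a null-pointer read and the other a noncanonical address.
# Assumes the fixed Windows 7-era x64 self-map bases below; later
# Windows builds randomize them.
PTE_BASE = 0xFFFFF68000000000
PDE_BASE = 0xFFFFF6FB40000000
PPE_BASE = 0xFFFFF6FB7DA00000
PXE_BASE = 0xFFFFF6FB7DBED000
MASK64 = (1 << 64) - 1


def is_canonical(va: int) -> bool:
    """x64 with 48-bit VAs: bits 63..47 must all be copies of bit 47."""
    top = (va & MASK64) >> 47          # the 17 sign-extension bits
    return top in (0, 0x1FFFF)


def paging_entries(va: int) -> dict:
    """Self-map addresses of the PXE/PPE/PDE/PTE describing `va`."""
    va &= MASK64
    return {
        "PXE": PXE_BASE + ((va >> 36) & 0xFF8),
        "PPE": PPE_BASE + ((va >> 27) & 0x1FFFF8),
        "PDE": PDE_BASE + ((va >> 18) & 0x3FFFFFF8),
        "PTE": PTE_BASE + ((va >> 9) & 0x7FFFFFFFF8),
    }


def classify_fault(va: int) -> str:
    """Rough triage of a faulting address, as a debugger user would do it."""
    va &= MASK64
    if not is_canonical(va):
        # The CPU rejects the address before any page walk, which is why
        # !pte reports "Unable to get PXE" and warns the access will fault.
        return "noncanonical"
    if va < 0x10000:
        return "null-page"     # low 64 KB is never mapped: a null pointer
    if va < 0x800000000000:
        return "user"
    return "kernel"


def report(va: int) -> str:
    """One line in the spirit of !pte: VA, paging entries, verdict."""
    ents = paging_entries(va)
    body = " ".join(f"{k} at {v:X}" for k, v in ents.items())
    return f"VA {va:016x} {body} -> {classify_fault(va)}"


if __name__ == "__main__":
    print(report(0))                    # first dump: cmp [rax] with rax=0
    print(report(0x01ca0432200be9da))   # second dump: mov rcx,[rcx+58h]
```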