BSOD with mrxsmb10.sys and 0x00000027
-
Wednesday, February 29, 2012 3:36 PM
I
have a problem with a crashing W7 laptop. The BSOD appears regularly when
opening one particular word document with a large number of linked excel spread
sheets in it, and occasionally when opening other excel spread sheets (There
are no problems on any other PC with these particular files.). Using my limited
windbg experience I can see that mrxsmb10.sys is always pointed at, and I have
used all the hotfixes form the following page http://support.microsoft.com/kb/2473205
that affect mrxsmb10. I have also upgraded all the network drivers, chip set
drives, BIOS etc on the PC, as well as removing the security software. Can anyone
give me any more pointers ?Thanks
Tim
All Replies
-
Wednesday, February 29, 2012 10:12 PM
upload your /windows/minidump files to skydrive.live.com and post the link here
make sure its publicly available
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc.
Hardcore Games, Legendary is the only Way to Play
Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
-
Friday, March 02, 2012 3:43 PM
Hope this works...
https://skydrive.live.com/embed?cid=9CBAF3C34BE7E7C5&resid=9CBAF3C34BE7E7C5%21164&authkey=ABmFNrU1VC-QDfk"
Thanks
Tim
- Edited by TimFoo Friday, March 02, 2012 3:45 PM
-
Saturday, March 03, 2012 8:24 AM
Hope this works...
https://skydrive.live.com/embed?cid=9CBAF3C34BE7E7C5&resid=9CBAF3C34BE7E7C5%21164&authkey=ABmFNrU1VC-QDfk"
Thanks
Tim
Warning: 99MB download ;)
I hope it's a kernel memory dump Tim, not hundreds of minidumps ;) I'll try to debug it once the downloads complete.
-
Saturday, March 03, 2012 8:55 AM
Ok, a quick look makes me think that McAfee remnants are responsible for this. The McAfee removal tool here should clear any remaining files/drivers from the laptop.
System Uptime: 0 days 3:42:08.673 Loading Kernel Symbols ............................................................... ................................................................ .......................................................... Loading User Symbols PEB is paged out (Peb.Ldr = 7ffd800c). Type ".hh dbgerr001" for details Loading unloaded module list ............ ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 27, {baad0073, bef4b350, bef4af30, 9a36de13} *** ERROR: Module load completed but symbols could not be loaded for hdlpflt.sys *** ERROR: Symbol file could not be found. Defaulted to export symbols for mfehidk.sys - Probably caused by : mrxsmb10.sys ( mrxsmb10!MRxSmbQueryFileInformation+5f9 ) Followup: MachineOwner --------- 0: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* RDR_FILE_SYSTEM (27) If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the exception record and context record. Do a .cxr on the 3rd parameter and then kb to obtain a more informative stack trace. The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined as follows: RDBSS_BUG_CHECK_CACHESUP = 0xca550000, RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000, RDBSS_BUG_CHECK_CLOSE = 0xc10e0000, RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000, Arguments: Arg1: baad0073 Arg2: bef4b350 Arg3: bef4af30 Arg4: 9a36de13 Debugging Details: ------------------ EXCEPTION_RECORD: bef4b350 -- (.exr 0xffffffffbef4b350) ExceptionAddress: 9a36de13 (mrxsmb10!MRxSmbQueryFileInformation+0x000005f9) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 00000008 Attempt to read from address 00000008 CONTEXT: bef4af30 -- (.cxr 0xffffffffbef4af30) eax=00000000 ebx=871bc658 ecx=00000000 edx=00000000 esi=871bc748 edi=8a0a6010 eip=9a36de13 esp=bef4b418 ebp=bef4b4bc iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 mrxsmb10!MRxSmbQueryFileInformation+0x5f9: 9a36de13 668b4008 mov ax,word ptr [eax+8] ds:0023:00000008=???? Resetting default scope PROCESS_NAME: EXCEL.EXE CURRENT_IRQL: 0 ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 00000008 READ_ADDRESS: 00000008 FOLLOWUP_IP: mrxsmb10!MRxSmbQueryFileInformation+5f9 9a36de13 668b4008 mov ax,word ptr [eax+8] FAULTING_IP: mrxsmb10!MRxSmbQueryFileInformation+5f9 9a36de13 668b4008 mov ax,word ptr [eax+8] BUGCHECK_STR: 0x27 DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE LAST_CONTROL_TRANSFER: from 9a33aa30 to 9a36de13 STACK_TEXT: bef4b4bc 9a33aa30 871bc658 bef4b5a4 921c982d mrxsmb10!MRxSmbQueryFileInformation+0x5f9 bef4b4c8 921c982d 871bc658 871bc6e8 871bc658 mrxsmb!SmbShellQueryFileInformation+0x1b bef4b5a4 9213dcd6 011bc658 bef4b868 bef4b5dc csc!CscQueryFileInformation+0x1c0 bef4b5b4 9215c61b 871bc658 d205c818 00000005 rdbss!RxpQueryInfoMiniRdr+0x53 bef4b5dc 9215c2c5 871bc658 8648d008 d205c818 rdbss!RxQueryStandardInfo+0xbe bef4b63c 92139efc 871bc658 8648d008 2ce0135d rdbss!RxCommonQueryInformation+0x1f5 bef4b6c4 921502c9 9214a240 8648d008 85ddd470 rdbss!RxFsdCommonDispatch+0x646 bef4b6f4 9a3466a2 8a1366f8 0548d008 8648d0c0 rdbss!RxFsdDispatch+0x1ab bef4b710 8304d58e 8a1366f8 0148d008 8648d0e4 mrxsmb!MRxSmbFsdDispatch+0x9a bef4b728 8ceb3bb0 00000103 86392848 85ddd470 nt!IofCallDriver+0x63 bef4b744 8ceb2b52 86392848 00000000 8648d008 mup!MupiCallUncProvider+0x10f bef4b75c 8ceb313e 86392848 00000000 86b1e030 mup!MupStateMachine+0x9b bef4b774 8304d58e 86b1e030 86392848 8648d008 mup!MupFsdIrpPassThrough+0x93 bef4b78c 8c80f20c 00000000 86838328 00000000 nt!IofCallDriver+0x63 bef4b7b0 8c8100bf bef4b7d0 86b1ebd8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa bef4b7e8 8c824fc3 869f0c50 88e356b0 bef4b870 fltmgr!FltPerformSynchronousIo+0xb9 bef4b7f8 8cfba518 869f0c50 86838328 bef4b850 fltmgr!FltQueryInformationFile+0x4f WARNING: Stack unwind information not available. Following frames may be wrong. bef4b870 8c8133c0 88e35710 bef4b8dc 00000000 hdlpflt+0x4518 bef4b890 8cfba3ad 88e35710 bef4b8dc 00000000 fltmgr!FltDoCompletionProcessingWhenSafe+0x88 bef4b8b8 8c80b324 88e35710 bef4b8dc 00000000 hdlpflt+0x43ad bef4b920 8c80e512 00e356b0 88e356b0 10000004 fltmgr!FltpPerformPostCallbacks+0x24a bef4b934 8c80eb46 88e356b0 88e13ca8 bef4b98c fltmgr!FltpProcessIoCompletion+0x10 bef4b944 8308e913 86b1ebd8 88e13ca8 88e356b0 fltmgr!FltpPassThroughCompletion+0x98 bef4b98c 8ceb2c8f 00000103 8a1745b8 8ceb01f0 nt!IopfCompleteRequest+0x128 bef4b9a0 8ceb2af3 00000000 85ddd470 88e13ca8 mup!MupiIoPostProcess+0xc1 bef4b9b8 8ceb3071 8a1745b8 00000000 86b1e030 mup!MupStateMachine+0x3c bef4b9d4 8304d58e 86b1e030 00000000 88e13ca8 mup!MupCleanup+0x91 bef4b9ec 8c80f20c 86b1ebd8 88e13ca8 00000000 nt!IofCallDriver+0x63 bef4ba10 8c80f3cb bef4ba30 86b1ebd8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa bef4ba48 8304d58e 86b1ebd8 88e13ca8 bef4bbd0 fltmgr!FltpDispatch+0xc5 bef4ba60 8c89c161 bef4bb48 86b1f468 bef4bbd0 nt!IofCallDriver+0x63 bef4baa0 8c85fa85 88e13ca8 85ddd470 86b1f468 mfehidk!DEVICEDISPATCH::LowerDispatchPassThrough+0x71 bef4bb24 8c86174f bef4bbd0 85ddd470 bef4bb48 mfehidk+0x11a85 bef4bbb8 8c89c92c bef4bbd0 88e13ca8 86b1f338 mfehidk+0x1374f bef4bbf0 8304d58e 01b1f338 88e13ca8 85ddd470 mfehidk!DEVICEDISPATCH::DispatchPassThrough+0x9c bef4bc08 83248abe 85cec770 85ddd458 00000001 nt!IofCallDriver+0x63 bef4bc48 83239f5f 87641d40 85ddd470 00000001 nt!IopCloseFile+0x2f3 bef4bc94 8325b3ac 87641d40 b478b658 86692130 nt!ObpDecrementHandleCount+0x139 bef4bcdc 8325b0ec b478b658 c502ef20 87641d40 nt!ObpCloseHandleTableEntry+0x203 bef4bd0c 8325b486 87641d40 86692101 07ca4278 nt!ObpCloseHandle+0x7f bef4bd28 8305421a 00000790 07ca427c 76ed7094 nt!NtClose+0x4e bef4bd28 76ed7094 00000790 07ca427c 76ed7094 nt!KiFastCallEntry+0x12a 07ca427c 00000000 00000000 00000000 00000000 0x76ed7094 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: mrxsmb10!MRxSmbQueryFileInformation+5f9 FOLLOWUP_NAME: MachineOwner MODULE_NAME: mrxsmb10 IMAGE_NAME: mrxsmb10.sys DEBUG_FLR_IMAGE_TIMESTAMP: 4e717315 STACK_COMMAND: .cxr 0xffffffffbef4af30 ; kb FAILURE_BUCKET_ID: 0x27_mrxsmb10!MRxSmbQueryFileInformation+5f9 BUCKET_ID: 0x27_mrxsmb10!MRxSmbQueryFileInformation+5f9 Followup: MachineOwnerThere's a very similar problem logged at sevenforums (offline for maintenance as I write) but unsolved, which may have been as a result of an upgrade to W7 from Vista and carrying over older drivers. Note that there are two warnings/errors noted by the debugger there - one of those drivers (RapportPG) is also a security driver.
STOP 0x00000027: RDR_FILE_SYSTEM
Usual causes: Insufficient physical memory, Indexing, Device driver -
Saturday, March 03, 2012 1:34 PM
I would suggest dumping McAfee and use Microsoft Security Essentials which does not seem to be a problem with XP and up.
see my IT site for links galore
Windows MVP 2010-11, XP, Vista, 7. Expanding into Windows Server 2008 R2, SQL Server, SharePoint, Cloud, Virtualization etc. etc.
Hardcore Games, Legendary is the only Way to Play
Developer | Windows IT | Chess | Economics | Vegan Advocate | PC Reviews
-
Saturday, March 03, 2012 1:46 PM
... I have ... , as well as removing the security software. Can anyone
give me any more pointers ?@VF: My guess, based on the above by Tim, is that he doesn't even know there's any McAfee still residing in his system. A simple link to Microsoft Security Essentials would have sufficed.
-
Monday, March 05, 2012 3:43 AM
Hi,
The mrxsmb10.sys is a SMB related driver. I suggest that you test your problem in Safe Mode with network. Then check whether this problem occurs again.
Also I suggest that you may take following general steps to prevent an error like this from happening again:
- Download and install updates and device drivers for your computer from Windows Update.
- Scan your computer for computer viruses.
- Check your hard disk for errors.
Bug Check 0x27: RDR_FILE_SYSTEM. This indicates that a problem occurred in the SMB redirector file system.
One possible cause of this bug check is depletion of nonpaged pool memory. If the nonpaged pool memory is completely depleted, this error can stop the system. However, during the indexing process, if the amount of available nonpaged pool memory is very low, another kernel-mode driver requiring nonpaged pool memory can also trigger this error.
William Tan
TechNet Community Support
-
Monday, March 05, 2012 11:32 AM
I did know, this is a dump after they all went back on. Mcafee had ruled out by that stage, which sort of suprised me...
I was rather pinning my hopes on it, after doing the driver upgrades and the MS hotfixes...
Oh well...
-
Monday, March 05, 2012 11:37 AM
I guess I'll try safe mode/mcafee removal again :-(
-
Monday, March 05, 2012 11:43 AM
Any security software needs to be uninstalled fully to test, enable the built-in Windows firewall and use MSE if you must to test.
Use the McAfee removal tool as well, it's the best way to be reasonably sure it's gone.
Any security software can cause problems that look like they're network-related, SMB included, it wouldn't be much of a security software if it didn't hook in to networking.
.png)
