Windows server 2003 R2 Standard giving frequent BSOD with ntfs.sys as probable cause
-
Friday, March 22, 2013 3:26 AM
I have recently upgraded a Virtual Machine from Windows 2000 SP4 to Windows 2003 R2 STD 32bit x86. This was a inplace upgrade.
After doing the upgrade I am randomly getting BSOD on the server.
Here is the result of the outcome for the latest minidumps from the server.
I have updated the vmtools and they are current.
Here is the output from minidump :
-----
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Mini032113-03.dmp]
Mini Kernel Dump File: Only registers and stack trace are availableSymbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.101019-0340
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Thu Mar 21 20:24:39.284 2013 (GMT-5)
System Uptime: 0 days 8:19:31.453
Loading Kernel Symbols
...............................................................
................................................................Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************Use !analyze -v to get detailed debugging information.
BugCheck 24, {19033d, f78f6024, f78f5d20, 8080f721}
Unable to load image stcp2v30.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for stcp2v30.sys
*** ERROR: Module load completed but symbols could not be loaded for stcp2v30.sys
Unable to load image SRTSP.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SRTSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for SRTSP.SYS
Unable to load image RepliStor.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for RepliStor.sys
*** ERROR: Module load completed but symbols could not be loaded for RepliStor.sys
Probably caused by : Ntfs.sys ( Ntfs!NtfsFlushAndPurgeScb+7a )Followup: MachineOwner
---------0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 0019033d
Arg2: f78f6024
Arg3: f78f5d20
Arg4: 8080f721Debugging Details:
------------------
EXCEPTION_RECORD: f78f6024 -- (.exr 0xfffffffff78f6024)
ExceptionAddress: 8080f721 (nt!CcFlushCache+0x000001c9)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004CONTEXT: f78f5d20 -- (.cxr 0xfffffffff78f5d20)
eax=00000000 ebx=00000000 ecx=808b4000 edx=00000000 esi=875808b8 edi=00000000
eip=8080f721 esp=f78f60ec ebp=f78f6158 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!CcFlushCache+0x1c9:
8080f721 f6400420 test byte ptr [eax+4],20h ds:0023:00000004=??
Resetting default scopeCUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000004
READ_ADDRESS: 00000004
FOLLOWUP_IP:
Ntfs!NtfsFlushAndPurgeScb+7a
f7b7a687 8b4728 mov eax,dword ptr [edi+28h]FAULTING_IP:
nt!CcFlushCache+1c9
8080f721 f6400420 test byte ptr [eax+4],20hBUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from f7b7a687 to 8080f721
STACK_TEXT:
f78f6158 f7b7a687 8775d9ac 00000000 00000000 nt!CcFlushCache+0x1c9
f78f61a0 f7b7d277 f78f63c0 e617c7a0 00000000 Ntfs!NtfsFlushAndPurgeScb+0x7a
f78f63a4 f7b928d9 f78f63c0 8755e778 8b22a828 Ntfs!NtfsCommonCleanup+0x1ca8
f78f6514 8081df85 8b3b74a8 8755e778 8755e778 Ntfs!NtfsFsdCleanup+0xcf
f78f6528 f7224d28 8755e778 8b3bf030 00000000 nt!IofCallDriver+0x45
f78f6554 8081df85 8b22a828 8755e778 8755e778 fltmgr!FltpDispatch+0x152
f78f6568 f7539891 8755e924 8755e948 00040700 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
f78f6588 f753b133 8b22a828 8755e778 8b392e08 stcp2v30+0x2891
f78f65ac f753cfa5 8b392e08 8b392ec0 8a454f10 stcp2v30+0x4133
f78f65d4 808f980e 8a454ef8 8b743040 8a454f10 stcp2v30+0x5fa5
f78f6604 80934caa 8b77f2a8 8b392e08 00120089 nt!IopCloseFile+0x2ae
f78f6634 809345ab 8b77f2a8 00000001 8b743040 nt!ObpDecrementHandleCount+0xcc
f78f665c 80934644 e1002df0 8a454f10 0000433c nt!ObpCloseHandleTableEntry+0x131
f78f66a0 80934761 0000433c 00000000 f78f66bc nt!ObpCloseHandle+0x82
f78f66b0 808897ec 8000433c f78f676c 8082e831 nt!NtClose+0x1b
f78f66b0 8082e831 8000433c f78f676c 8082e831 nt!KiFastCallEntry+0xfc
f78f672c f7238960 8000433c 00000000 f722c780 nt!ZwClose+0x11
f78f676c f7239260 00000000 8b56d380 f78f6798 fltmgr!FltpGetFileNameOpenById+0x196
f78f677c f7236a93 8b56d380 00000000 8b56d380 fltmgr!FltpGetOpenedFileName+0x40
f78f6798 f72370b4 8b56d380 00000000 8b56d380 fltmgr!FltpCallOpenedFileNameHandler+0x7f
f78f67b0 f723717f 8089c180 8b56d380 f78f67ec fltmgr!FltpCreateFileNameInformation+0x7c
f78f67c0 f7226736 8b56d380 87691834 00000000 fltmgr!CreateTemporaryFileNameInformation+0xf
f78f67ec f7226c94 8b56d380 00000000 87691834 fltmgr!FltpGetFileNameInformation+0xaa
f78f6814 b9d57190 00691834 00000402 f78f6844 fltmgr!FltGetFileNameInformation+0x114
f78f6860 b9d49184 8a40314c 8a403008 f78f68d0 SRTSP+0x1f190
f78f6870 f72224ca 87691834 f78f6890 f78f68ac SRTSP+0x11184
f78f68d0 f7223f2a 008f6914 876917d8 89c325c4 fltmgr!FltpPerformPreCallbacks+0x2d4
f78f68e4 f72320ad f78f6914 f7230540 00000000 fltmgr!FltpPassThroughInternal+0x32
f78f68fc f72325cc f78f6914 89c323c8 8b002ee8 fltmgr!FltpCreateInternal+0x63
f78f6930 8081df85 8b002ee8 89c323c8 89c323c8 fltmgr!FltpCreate+0x258
f78f6944 ba1e1f2a 89c325c4 00000000 ba1db3e2 nt!IofCallDriver+0x45
f78f69b8 ba1e205e 8a52d490 00000001 f78f69dc RepliStor+0x8f2a
f78f69c8 8081df85 8a52d490 89c323c8 89c323c8 RepliStor+0x905e
f78f69dc 808f904d 87558428 89dc0070 00000000 nt!IofCallDriver+0x45
f78f6ac4 808f9494 8a52d490 00000000 89ca3b08 nt!IopParseDevice+0xa35
f78f6afc 809375af 87558428 00000000 89ca3b08 nt!IopParseFile+0x46
f78f6b7c 80933b74 800042f4 f78f6bbc 00000240 nt!ObpLookupObjectName+0x11f
f78f6bd0 808eaee7 00000000 00000000 93474600 nt!ObOpenObjectByName+0xea
f78f6c4c 808ec181 f78f6d2c 80100080 f78f6d0c nt!IopCreateFile+0x447
f78f6ca8 b9d4bb15 f78f6d2c 80100080 f78f6d0c nt!IoCreateFile+0xa3
f78f6d68 f7239fe8 8af78a08 8b0784d8 89ded0a8 SRTSP+0x13b15
f78f6d80 80880499 8af78a08 00000000 8b77b660 fltmgr!FltpProcessGenericWorkItem+0x14
f78f6dac 80949c88 8af78a08 00000000 00000000 nt!ExpWorkerThread+0xeb
f78f6ddc 8088e0e2 808803ae 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
SYMBOL_STACK_INDEX: 1SYMBOL_NAME: Ntfs!NtfsFlushAndPurgeScb+7a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d6a04b
STACK_COMMAND: .cxr 0xfffffffff78f5d20 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsFlushAndPurgeScb+7a
BUCKET_ID: 0x24_Ntfs!NtfsFlushAndPurgeScb+7a
Followup: MachineOwner
---------
All Replies
-
Friday, March 22, 2013 10:42 AM
Hi,
After navigating your post we found that BUGCHECK_STR: 0x24 has been recorded for this BSOD.
Seems your server got shutdown because of corrupted file system.I suggest you check file system status using commands chkntfs <drive name> or run chkdsk utility to fix the file system errors
Also I recommend check this link and trouble shoot accordingly.:http://msdn.microsoft.com/en-us/library/windows/hardware/ff557433(v=vs.85).aspx
Still the issue persists, you may contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call.
To obtain the phone numbers for specific technology request please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607Thank you for understanding.
Regards, Ravikumar P
-
Friday, March 22, 2013 3:08 PM
Thanks Ravi for the response.
I have already ran chkdsk with /f and /r switches and both came back as clean. Also I have tried to repair the OS using the Windows 2003 ISO but the problem still persists. There was vmware convertor installed on the system and I uninstalled it yesterday. Here are the latest dumps
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Mini032213-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are availableSymbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.101019-0340
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Mar 22 05:12:41.093 2013 (GMT-5)
System Uptime: 0 days 6:46:19.994
Loading Kernel Symbols
...............................................................
..............................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************Use !analyze -v to get detailed debugging information.
BugCheck 24, {19033d, b8a1a090, b8a19d8c, 8080f721}
Unable to load image SRTSP.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SRTSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for SRTSP.SYS
Unable to load image RepliStor.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for RepliStor.sys
*** ERROR: Module load completed but symbols could not be loaded for RepliStor.sys
Probably caused by : Ntfs.sys ( Ntfs!NtfsFlushAndPurgeScb+7a )Followup: MachineOwner
---------1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 0019033d
Arg2: b8a1a090
Arg3: b8a19d8c
Arg4: 8080f721Debugging Details:
------------------
EXCEPTION_RECORD: b8a1a090 -- (.exr 0xffffffffb8a1a090)
ExceptionAddress: 8080f721 (nt!CcFlushCache+0x000001c9)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004CONTEXT: b8a19d8c -- (.cxr 0xffffffffb8a19d8c)
eax=00000000 ebx=00000000 ecx=808b4000 edx=00000000 esi=87a4a748 edi=00000000
eip=8080f721 esp=b8a1a158 ebp=b8a1a1c4 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!CcFlushCache+0x1c9:
8080f721 f6400420 test byte ptr [eax+4],20h ds:0023:00000004=??
Resetting default scopeCUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000004
READ_ADDRESS: 00000004
FOLLOWUP_IP:
Ntfs!NtfsFlushAndPurgeScb+7a
f7b7a687 8b4728 mov eax,dword ptr [edi+28h]FAULTING_IP:
nt!CcFlushCache+1c9
8080f721 f6400420 test byte ptr [eax+4],20hBUGCHECK_STR: 0x24
LAST_CONTROL_TRANSFER: from f7b7a687 to 8080f721
STACK_TEXT:
b8a1a1c4 f7b7a687 8a20b1a4 00000000 00000000 nt!CcFlushCache+0x1c9
b8a1a20c f7b7d277 b8a1a42c e6208da0 00000000 Ntfs!NtfsFlushAndPurgeScb+0x7a
b8a1a410 f7b928d9 b8a1a42c 8ac78838 8b682228 Ntfs!NtfsCommonCleanup+0x1ca8
b8a1a580 8081df85 8b29c718 8ac78838 8ac78838 Ntfs!NtfsFsdCleanup+0xcf
b8a1a594 f7224d28 8ac78848 8b371b88 879236c0 nt!IofCallDriver+0x45
b8a1a5c0 8081df85 8b682228 8ac78838 8ac78838 fltmgr!FltpDispatch+0x152
b8a1a5d4 808f980e 879236a8 8b778560 879236c0 nt!IofCallDriver+0x45
b8a1a604 80934caa 8b77f2a8 8b682228 00120089 nt!IopCloseFile+0x2ae
b8a1a634 809345ab 8b77f2a8 00000001 8b778560 nt!ObpDecrementHandleCount+0xcc
b8a1a65c 80934644 e1001d50 879236c0 00003de0 nt!ObpCloseHandleTableEntry+0x131
b8a1a6a0 80934761 00003de0 00000000 b8a1a6bc nt!ObpCloseHandle+0x82
b8a1a6b0 808897ec 80003de0 b8a1a76c 8082e831 nt!NtClose+0x1b
b8a1a6b0 8082e831 80003de0 b8a1a76c 8082e831 nt!KiFastCallEntry+0xfc
b8a1a72c f7238960 80003de0 00000000 f722c780 nt!ZwClose+0x11
b8a1a76c f7239260 00000000 8aa78090 b8a1a798 fltmgr!FltpGetFileNameOpenById+0x196
b8a1a77c f7236a93 8aa78090 00000000 8aa78090 fltmgr!FltpGetOpenedFileName+0x40
b8a1a798 f72370b4 8aa78090 00000000 8aa78090 fltmgr!FltpCallOpenedFileNameHandler+0x7f
b8a1a7b0 f723717f 8089c180 8aa78090 b8a1a7ec fltmgr!FltpCreateFileNameInformation+0x7c
b8a1a7c0 f7226736 8aa78090 8788f18c 00000000 fltmgr!CreateTemporaryFileNameInformation+0xf
b8a1a7ec f7226c94 8aa78090 00000000 8788f18c fltmgr!FltpGetFileNameInformation+0xaa
b8a1a814 b9f5a190 0088f18c 00000402 b8a1a844 fltmgr!FltGetFileNameInformation+0x114
WARNING: Stack unwind information not available. Following frames may be wrong.
b8a1a860 b9f4c184 8ac6947c 8ac69338 b8a1a8d0 SRTSP+0x1f190
b8a1a870 f72224ca 8788f18c b8a1a890 b8a1a8ac SRTSP+0x11184
b8a1a8d0 f7223f2a 00a1a914 8788f130 8aca15ec fltmgr!FltpPerformPreCallbacks+0x2d4
b8a1a8e4 f72320ad b8a1a914 f7230540 00000000 fltmgr!FltpPassThroughInternal+0x32
b8a1a8fc f72325cc b8a1a914 8aca1438 8acbb1b0 fltmgr!FltpCreateInternal+0x63
b8a1a930 8081df85 8acbb1b0 8aca1438 8aca1438 fltmgr!FltpCreate+0x258
b8a1a944 b9733f2a 8aca15ec 00000000 b972d3e2 nt!IofCallDriver+0x45
b8a1a9b8 b973405e 8b61f800 00000001 b8a1a9dc RepliStor+0x8f2a
b8a1a9c8 8081df85 8b61f800 8aca1438 8aca1438 RepliStor+0x905e
b8a1a9dc 808f904d 8a07d070 8787c348 00000000 nt!IofCallDriver+0x45
b8a1aac4 808f9494 8b61f800 00000000 87926ca0 nt!IopParseDevice+0xa35
b8a1aafc 809375af 8a07d070 00000000 87926ca0 nt!IopParseFile+0x46
b8a1ab7c 80933b74 8000004c b8a1abbc 00000240 nt!ObpLookupObjectName+0x11f
b8a1abd0 808eaee7 00000000 00000000 93474600 nt!ObOpenObjectByName+0xea
b8a1ac4c 808ec181 b8a1ad2c 80100080 b8a1ad0c nt!IopCreateFile+0x447
b8a1aca8 b9f4eb15 b8a1ad2c 80100080 b8a1ad0c nt!IoCreateFile+0xa3
b8a1ad68 f7239fe8 8aa82f50 8acbbba8 8a0ac6c8 SRTSP+0x13b15
b8a1ad80 80880499 8aa82f50 00000000 878bd9f0 fltmgr!FltpProcessGenericWorkItem+0x14
b8a1adac 80949c88 8aa82f50 00000000 00000000 nt!ExpWorkerThread+0xeb
b8a1addc 8088e0e2 808803ae 80000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
SYMBOL_STACK_INDEX: 1SYMBOL_NAME: Ntfs!NtfsFlushAndPurgeScb+7a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d6a04b
STACK_COMMAND: .cxr 0xffffffffb8a19d8c ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsFlushAndPurgeScb+7a
BUCKET_ID: 0x24_Ntfs!NtfsFlushAndPurgeScb+7a
Followup: MachineOwner
--------- -
Monday, March 25, 2013 5:36 AMModerator
Hi parmarnandish1,
What is the Virtualization platform? Have you updated the related drivers and something like Microsoft Hyper-V Integration Services?
Also, as Ravikumar suggested, for BSOD issues, it is recommended to contact Microsoft Technical Support directly for help.
Hope this helps.
Jeremy Wu
TechNet Community Support
-
Tuesday, March 26, 2013 10:34 AM
Hello Parmarnandish,
We never have simple solution to fix BSOD issue. We have to troubleshoot it in stage by stage.
According to your dump analysis BUGCHECK_STR: 0x24 is recorded for this. So, follow the steps inhttp://msdn.microsoft.com/en-us/library/windows/hardware/ff557433(v=vs.85).aspx.
If the above link does not helps you do a final try and contact Microsoft Customer Service and Support (CSS).
Regards, Ravikumar P
-
Tuesday, March 26, 2013 1:01 PM
BSOD mainly caused by faulty memory or device drivers.
Boot the server in safe mode and perform the clean boot and check.
Troubleshooting the BSOD issues please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers, check this web site.
http://support.microsoft.com/common/international.aspxThanks
-
Tuesday, March 26, 2013 2:52 PM
Thanks everyone. I have tried all the steps mentioned above, have also tried to reinstall the scsi drivers.
Jeremy,
The virtualization platform is Vmware, and the vmware tools are up to date.
I will try to contact Microsoft CSS for further troubleshooting. Thanks.
- Marked As Answer by Jeremy_WuMicrosoft Contingent Staff, Moderator Wednesday, March 27, 2013 2:49 AM
.png)
