Windows 7 Enterprise Edition BLUE screen issue

  • Question

  • Hi ,

    Please help me out; I am facing the below blue screen error on a number of machines.

    NTFS_FILE_SYSTEM (24)
        If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
        parameters are the exception record and context record. Do a .cxr
        on the 3rd parameter and then kb to obtain a more informative stack
        trace.
    Arguments:
    Arg1: 00000000001904fb
    Arg2: fffff8800319a798
    Arg3: fffff88003199ff0
    Arg4: fffff880012cdeaf

    Debugging Details:
    ------------------


    EXCEPTION_RECORD:  fffff8800319a798 -- (.exr 0xfffff8800319a798)
    ExceptionAddress: fffff880012cdeaf (Ntfs!NtfsCommonClose+0x000000000000026f)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: ffffffffffffffff
    Attempt to read from address ffffffffffffffff

    CONTEXT:  fffff88003199ff0 -- (.cxr 0xfffff88003199ff0)
    rax=ffff00a003111358 rbx=fffffa800751a9e0 rcx=fffff8a0031112c0
    rdx=0000000000000000 rsi=fffff8a003111010 rdi=fffff8800319aaf8
    rip=fffff880012cdeaf rsp=fffff8800319a9d0 rbp=fffff8000346c280
     r8=fffffa80067f2b58  r9=0000000000000009 r10=0000000000000004
    r11=fffff8a00ffe5210 r12=fffffa80047ef180 r13=0000000000000000
    r14=ffff00a0031113a8 r15=0000000000000001
    iopl=0         nv up ei ng nz na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
    Ntfs!NtfsCommonClose+0x26f:
    fffff880`012cdeaf 488908          mov     qword ptr [rax],rcx ds:002b:ffff00a0`03111358=????????????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    PROCESS_NAME:  System

    CURRENT_IRQL:  1

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1:  0000000000000000

    EXCEPTION_PARAMETER2:  ffffffffffffffff

    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800034fe100
     ffffffffffffffff

    FOLLOWUP_IP:
    Ntfs!NtfsCommonClose+26f
    fffff880`012cdeaf 488908          mov     qword ptr [rax],rcx

    FAULTING_IP:
    Ntfs!NtfsCommonClose+26f
    fffff880`012cdeaf 488908          mov     qword ptr [rax],rcx

    BUGCHECK_STR:  0x24

    LAST_CONTROL_TRANSFER:  from fffff880012bd32b to fffff880012cdeaf

    STACK_TEXT: 
    fffff880`0319a9d0 fffff880`012bd32b : fffffa80`0751a9e0 fffff8a0`03111140 fffff8a0`03111010 fffffa80`047ef180 : Ntfs!NtfsCommonClose+0x26f
    fffff880`0319aaa0 fffff800`032d0261 : 00000000`00000000 fffff800`035bea00 fffff800`034cd901 fffffa80`00000002 : Ntfs!NtfsFspClose+0x15f
    fffff880`0319ab70 fffff800`03564bae : a7266181`7d08dbb4 fffffa80`036f7b50 00000000`00000080 fffffa80`03632b30 : nt!ExpWorkerThread+0x111
    fffff880`0319ac00 fffff800`032b78c6 : fffff880`02f65180 fffffa80`036f7b50 fffff880`02f6ffc0 9fab5991`2c817a79 : nt!PspSystemThreadStartup+0x5a
    fffff880`0319ac40 00000000`00000000 : fffff880`0319b000 fffff880`03195000 fffff880`0319a8a0 00000000`00000000 : nt!KiStartSystemThread+0x16


    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  Ntfs!NtfsCommonClose+26f

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Ntfs

    IMAGE_NAME:  Ntfs.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  5167f5fc

    STACK_COMMAND:  .cxr 0xfffff88003199ff0 ; kb

    FAILURE_BUCKET_ID:  X64_0x24_Ntfs!NtfsCommonClose+26f

    BUCKET_ID:  X64_0x24_Ntfs!NtfsCommonClose+26f

    Followup: MachineOwner

    And also a few machines are getting:

    NTOSKRNL.EXE

    SFTFSWIN7.SYS

    Tuesday, July 29, 2014 7:51 PM

All replies

  • Problem signature:
      Problem Event Name: BlueScreen
      OS Version: 6.1.7601.2.1.0.256.4
      Locale ID: 1033

    Additional information about the problem:
      BCCode: 19
      BCP1: 0000000000000003
      BCP2: FFFFF8A0116D5340
      BCP3: FFFFFAA0116D5340
      BCP4: FFFFF8A0116D5340
      OS Version: 6_1_7601
      Service Pack: 1_0
      Product: 256_1

    Files that help describe the problem:
      C:\Windows\Minidump\072114-13852-01.dmp..

    And also I am getting

    IMAGE_NAME:  Sftfswin7.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4e371785

    FAILURE_BUCKET_ID:  X64_0xc9_224_VRF_Sftfswin7+bdf8

    BUCKET_ID:  X64_0xc9_224_VRF_Sftfswin7+bdf8...

    • Merged by ZigZag3143x Tuesday, July 29, 2014 8:09 PM Duplicate threads
    Wednesday, July 23, 2014 6:57 PM
  • Hi,

    In order to assist you, we will need the .DMP files to analyze what exactly occurred at the time of the crash, etc.

    If you don't know where .DMP files are located, here's how to get to them:

    1. Navigate to the %systemroot%\Minidump folder.

    2. Copy any and all DMP files in the Minidump folder to your Desktop and then zip up these files.

    3. Upload the zip containing the .DMP files to Onedrive or a hosting site of your choice and paste in your reply. Preferred sites: Onedrive, Mediafire, Dropbox, etc. Nothing with wait-timers, download managers, etc.

    4 (optional): The type of .DMP files located in the Minidump folder are known as Small Memory Dumps. In %systemroot% there will be what is known as a Kernel-Dump (if your system is set to generate). It is labeled MEMORY.DMP. The difference between Small Memory Dumps and Kernel-Dumps in the simplest definition is a Kernel-Dump contains much more information at the time of the crash, therefore allowing further debugging of your issue. If your upload speed permits it, and you aren't going against any strict bandwidth and/or usage caps, etc, the Kernel-Dump is the best choice. Do note that Kernel-Dumps are much larger in size due to containing much more info, which is why I mentioned upload speed, etc.

    If you are going to use Onedrive but don't know how to upload to it, please visit the following:

    Upload photos and files to Onedrive.

    After doing that, to learn how to share the link to the file if you are unaware, please visit the following link - Share files and folders and change permissions and view 'Get a link'.

    Please note that any "cleaner" programs such as TuneUpUtilities, CCleaner, etc, by default will delete .DMP files upon use. With this said, if you've run such software, you will need to allow the system to crash once again to generate a crash dump.

    If your computer is not generating .DMP files, please do the following:

    1. Start > type %systemroot% which should show the Windows folder, click on it. Once inside that folder, ensure there is a Minidump folder created. If not, CTRL-SHIFT-N to make a New Folder and name it Minidump.

    2. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Performance > Settings > Advanced > Ensure there's a check-mark for 'Automatically manage paging file size for all drives'.

    3. Windows key + Pause key. This should bring up System. Click Advanced System Settings on the left > Advanced > Startup and Recovery > Settings > System Failure > ensure there is a check mark next to 'Write an event to the system log'.

    Ensure Small Memory Dump is selected and ensure the path is %systemroot%\Minidump.

    4. Double check that the WERS is ENABLED:

    Start > Search > type services.msc > Under the name tab, find Windows Error Reporting Service > If the status of the service is not Started then right click it and select Start. Also ensure that under Startup Type it is set to Automatic rather than Manual. You can do this by right clicking it, selecting properties, and under General selecting startup type to 'Automatic', and then click Apply.

    If you cannot get into normal mode to do any of this, please do this via Safe Mode.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, July 23, 2014 7:00 PM
  • Thanks for your response. Is it fine to copy the dump file contents here below for your reference to verify:

    Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533
    Machine Name:
    Kernel base = 0xfffff800`0325f000 PsLoadedModuleList = 0xfffff800`034a26d0
    Debug session time: Mon Jul 21 13:16:59.341 2014 (UTC - 4:00)
    System Uptime: 0 days 8:10:27.634
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    ..........................................
    Loading User Symbols
    Loading unloaded module list
    .........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 19, {3, fffff8a0116d5340, fffffaa0116d5340, fffff8a0116d5340}

    Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+cbb )

    Followup: Pool_corruption
    ---------

    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    BAD_POOL_HEADER (19)
    The pool is already corrupt at the time of the current request.
    This may or may not be due to the caller.
    The internal pool links must be walked to figure out a possible cause of
    the problem, and then special pool applied to the suspect tags or the driver
    verifier to a suspect driver.
    Arguments:
    Arg1: 0000000000000003, the pool freelist is corrupt.
    Arg2: fffff8a0116d5340, the pool entry being checked.
    Arg3: fffffaa0116d5340, the read back flink freelist value (should be the same as 2).
    Arg4: fffff8a0116d5340, the read back blink freelist value (should be the same as 2).

    Debugging Details:
    ------------------

    BUGCHECK_STR:  0x19_3

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

    PROCESS_NAME:  java.exe

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from fffff8000340770f to fffff800032d4b80

    STACK_TEXT: 
    fffff880`0768f788 fffff800`0340770f : 00000000`00000019 00000000`00000003 fffff8a0`116d5340 fffffaa0`116d5340 : nt!KeBugCheckEx
    fffff880`0768f790 fffff800`034084f1 : fffff800`03462940 fffff8a0`031bac80 fffff8a0`02660110 00000000`00000705 : nt!ExDeferredFreePool+0xcbb
    fffff880`0768f820 fffff880`01bac4fb : 00000000`00000000 fffff800`032e8cb6 fffff8a0`4666704e fffffa80`0000037f : nt!ExFreePoolWithTag+0x411
    fffff880`0768f8d0 fffff800`035d322e : fffffa80`073764d0 fffffa80`03e2f6c0 fffffa80`03e2f6c0 00000000`00000000 : Npfs!NpFsdClose+0x17f
    fffff880`0768f910 fffff800`032dde54 : fffffa80`06677ef0 fffffa80`03868b30 fffffa80`0370c8a0 fffff880`0768fa80 : nt!IopDeleteFile+0x11e
    fffff880`0768f9a0 fffff800`035cd054 : fffffa80`03868b30 00000000`00000000 fffffa80`038ec060 00000000`00000000 : nt!ObfDereferenceObject+0xd4
    fffff880`0768fa00 fffff800`035cd604 : 00000000`00000e9c fffffa80`03868b30 fffff8a0`02660110 00000000`00000e9c : nt!ObpCloseHandleTableEntry+0xc4
    fffff880`0768fa90 fffff800`032d3e13 : fffffa80`038ec060 fffff880`0768fb60 00000000`7efaa000 00000000`0123b50d : nt!ObpCloseHandle+0x94
    fffff880`0768fae0 00000000`771713aa : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`0349e808 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x771713aa

    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt!ExDeferredFreePool+cbb
    fffff800`0340770f cc              int     3

    SYMBOL_STACK_INDEX:  1

    SYMBOL_NAME:  nt!ExDeferredFreePool+cbb

    FOLLOWUP_NAME:  Pool_corruption

    IMAGE_NAME:  Pool_Corruption

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    MODULE_NAME: Pool_Corruption

    FAILURE_BUCKET_ID:  X64_0x19_3_nt!ExDeferredFreePool+cbb

    BUCKET_ID:  X64_0x19_3_nt!ExDeferredFreePool+cbb

    Followup: Pool_corruption
    ---------


     

    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck C9, {224, fffff8800660bdf8, fffff9802906ae50, 0}

    Unable to load image \SystemRoot\system32\drivers\mfehidk.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for mfehidk.sys
    *** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
    Unable to load image \SystemRoot\system32\DRIVERS\Sftfswin7.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for Sftfswin7.sys
    *** ERROR: Module load completed but symbols could not be loaded for Sftfswin7.sys
    Probably caused by : Sftfswin7.sys ( Sftfswin7+bdf8 )

    Followup: MachineOwner
    ---------

    0: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
    The IO manager has caught a misbehaving driver.
    Arguments:
    Arg1: 0000000000000224, An IRP dispatch handler has returned a status that is inconsistent with the
     IRP's IoStatus.Status field.
    Arg2: fffff8800660bdf8, The address in the driver's code where the error was detected.
    Arg3: fffff9802906ae50, IRP address.
    Arg4: 0000000000000000, Expected status code.

    Debugging Details:
    ------------------


    BUGCHECK_STR:  0xc9_224

    DRIVER_VERIFIER_IO_VIOLATION_TYPE:  224

    FAULTING_IP:
    Sftfswin7+bdf8
    fffff880`0660bdf8 488bc4          mov     rax,rsp

    FOLLOWUP_IP:
    Sftfswin7+bdf8
    fffff880`0660bdf8 488bc4          mov     rax,rsp

    IRP_ADDRESS:  fffff9802906ae50

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

    PROCESS_NAME:  sftlist.exe

    CURRENT_IRQL:  2

    LAST_CONTROL_TRANSFER:  from fffff800035134ec to fffff80003085b80

    STACK_TEXT: 
    fffff880`074c6be8 fffff800`035134ec : 00000000`000000c9 00000000`00000224 fffff880`0660bdf8 fffff980`2906ae50 : nt!KeBugCheckEx
    fffff880`074c6bf0 fffff800`0351d58a : fffff800`03511b00 fffff880`0660bdf8 fffff980`2906ae50 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0x3c
    fffff880`074c6c30 fffff800`0351e503 : fffff880`0660bdf8 fffffa80`058cea48 00000000`00000000 00000000`fffffff8 : nt!ViErrorFinishReport+0xda
    fffff880`074c6c80 fffff800`03529869 : fffff980`29ea2c30 fffffa80`058ce990 fffffa80`058cea48 fffffa80`072be610 : nt!VfErrorReport4+0x83
    fffff880`074c6d70 fffff800`03529c73 : fffffa80`058ce990 00000000`00000002 fffffa80`0627e050 fffff800`0351c3b7 : nt!IovpCallDriver2+0x179
    fffff880`074c6dd0 fffff800`0352fd3e : fffff980`2906ae01 fffff980`2906ae50 00000000`00000002 fffffa80`0627e050 : nt!VfAfterCallDriver+0x353
    fffff880`074c6e20 fffff880`01175bcf : fffff980`2906afb0 fffff880`074c6ec0 fffff980`29ea2c30 fffffa80`058ce990 : nt!IovCallDriver+0x57e
    fffff880`074c6e80 fffff880`011746df : fffffa80`072be610 fffffa80`072be610 fffffa80`072be600 fffff980`2906ae50 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    fffff880`074c6f10 fffff800`0352fd26 : fffff980`2906ae50 00000000`00000002 fffffa80`072be610 fffff800`03521e1a : fltmgr!FltpDispatch+0xcf
    fffff880`074c6f70 fffff880`012b7e1f : fffff980`2a8b0c28 fffff880`074c7240 fffff980`26e4c050 fffffa80`0567f160 : nt!IovCallDriver+0x566
    fffff880`074c6fd0 fffff980`2a8b0c28 : fffff880`074c7240 fffff980`26e4c050 fffffa80`0567f160 fffff880`074c7020 : mfehidk+0x11e1f
    fffff880`074c6fd8 fffff880`074c7240 : fffff980`26e4c050 fffffa80`0567f160 fffff880`074c7020 fffff880`074c7010 : 0xfffff980`2a8b0c28
    fffff880`074c6fe0 fffff980`26e4c050 : fffffa80`0567f160 fffff880`074c7020 fffff880`074c7010 fffff880`074c70d0 : 0xfffff880`074c7240
    fffff880`074c6fe8 fffffa80`0567f160 : fffff880`074c7020 fffff880`074c7010 fffff880`074c70d0 00000000`00000000 : 0xfffff980`26e4c050
    fffff880`074c6ff0 fffff880`074c7020 : fffff880`074c7010 fffff880`074c70d0 00000000`00000000 00000000`00000000 : 0xfffffa80`0567f160
    fffff880`074c6ff8 fffff880`074c7010 : fffff880`074c70d0 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff880`074c7020
    fffff880`074c7000 fffff880`074c70d0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00060000 : 0xfffff880`074c7010
    fffff880`074c7008 00000000`00000000 : 00000000`00000000 00000000`00000000 00000001`00060000 fffff880`074c7028 : 0xfffff880`074c70d0


    STACK_COMMAND:  .bugcheck ; kb

    SYMBOL_NAME:  Sftfswin7+bdf8

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: Sftfswin7

    IMAGE_NAME:  Sftfswin7.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4e371785

    FAILURE_BUCKET_ID:  X64_0xc9_224_VRF_Sftfswin7+bdf8

    BUCKET_ID:  X64_0xc9_224_VRF_Sftfswin7+bdf8

    Wednesday, July 23, 2014 7:18 PM
  • SS

    Patrick needs the actual DMP file not a copy paste of the windbg output.


    Wanikiya and Dyami--Team Zigzag

    Wednesday, July 23, 2014 7:27 PM
  • Thanks for your quick response. But I am not able to upload those dump files, but I am getting an error like:

    sftfswin7.sys

    Thursday, July 24, 2014 8:06 PM
  • Can you please elaborate on why you cannot upload the dump files? Are you getting an error?

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Thursday, July 24, 2014 8:15 PM
  • Thanks for your response. I don't have rights to do that in my concern, and I am getting those BSOD errors on a number of systems. And we did not predict the cause for that...

    Please help me to move forward .

    Friday, July 25, 2014 4:13 PM
  • Unable to load image \SystemRoot\system32\drivers\mfehidk.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for mfehidk.sys
    *** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
    Unable to load image \SystemRoot\system32\DRIVERS\Sftfswin7.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for Sftfswin7.sys
    *** ERROR: Module load completed but symbols could not be loaded for Sftfswin7.sys
    Probably caused by : Sftfswin7.sys ( Sftfswin7+bdf8 )

    mfehidk.sys points to McAfee. Are you running this software? If so, make sure it's up to date

    sftfswin7.sys: Are you using App-V?

    Friday, July 25, 2014 4:26 PM
  • Hi,

    After analyzing the dump file you posted, I want to confirm one thing with you, have you installed the Application Virtualization 4.6 for Terminal Services Service Pack 1 on your computer? Because your post indicates sftfswin7.sys is responsible for this issue, I suggest to run the hotfix below to fix the problem:

    http://support.microsoft.com/kb/2744141

    Besides, I want to know if the result from the dump file you posted is a complete one? I suggest to upload the whole dump file for us to analyze by OneDrive, this will show a full log of the blue screen.

    For uploading a file with OneDrive:

    1. Browse to the location where you want to add the files.

    2. Tap or click Upload.

    3. You might be prompted to install Microsoft Silverlight. After you install it, you can:

    Drag your files into the Drop files here area, staying on the page until they finish uploading, and you're done.

    Details as below:

    http://windows.microsoft.com/en-hk/onedrive/add-photos-files

    Regards


    Wade Liu
    TechNet Community Support

    Monday, July 28, 2014 11:07 AM
  • SS

    Threads merged same topic.


    Wanikiya and Dyami--Team Zigzag

    Tuesday, July 29, 2014 8:07 PM
  • Most of the crash dumps point to NTOSKRNL.EXE, CSRSS.EXE in those Win 7 machines.

    Tuesday, July 29, 2014 8:24 PM
  • Yes, but I don't have rights to upload the dump file in my concern, so I just copied the content of the error above.

    Please help me out on this.

    Tuesday, July 29, 2014 8:38 PM
  • As I said above, please elaborate on what you mean by 'I don't have rights'. Are you getting a permissions error, etc?

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Tuesday, July 29, 2014 8:46 PM
  • It's related to an internal access issue allocated to my system.
    Wednesday, July 30, 2014 12:38 AM
  • This still doesn't answer my question.

    What does an 'internal access issue allocated to your system' mean? Are you working for a company that is not allowing you to provide the crash dumps?

    Are you getting a permissions error when trying to copy the crash dumps from the Minidump folder?

    Are you getting an error at any point in trying to provide us the crash dumps? If so, what's the exact error?

    For future references, when asking for help, please provide as much info as possible/as in-depth as possible. We'd all love to help you, but our abilities to do so are severely limited with such short responses and lack of information. Since we likely won't get the dumps in your scenario, although I normally don't do this as I like to see what's going on in the dumps, from what you pasted above:

    STACK_TEXT: 
    fffff880`074c6be8 fffff800`035134ec : 00000000`000000c9 00000000`00000224 fffff880`0660bdf8 fffff980`2906ae50 : nt!KeBugCheckEx
    fffff880`074c6bf0 fffff800`0351d58a : fffff800`03511b00 fffff880`0660bdf8 fffff980`2906ae50 00000000`00000000 : nt!VerifierBugCheckIfAppropriate+0x3c
    fffff880`074c6c30 fffff800`0351e503 : fffff880`0660bdf8 fffffa80`058cea48 00000000`00000000 00000000`fffffff8 : nt!ViErrorFinishReport+0xda
    fffff880`074c6c80 fffff800`03529869 : fffff980`29ea2c30 fffffa80`058ce990 fffffa80`058cea48 fffffa80`072be610 : nt!VfErrorReport4+0x83
    fffff880`074c6d70 fffff800`03529c73 : fffffa80`058ce990 00000000`00000002 fffffa80`0627e050 fffff800`0351c3b7 : nt!IovpCallDriver2+0x179
    fffff880`074c6dd0 fffff800`0352fd3e : fffff980`2906ae01 fffff980`2906ae50 00000000`00000002 fffffa80`0627e050 : nt!VfAfterCallDriver+0x353
    fffff880`074c6e20 fffff880`01175bcf : fffff980`2906afb0 fffff880`074c6ec0 fffff980`29ea2c30 fffffa80`058ce990 : nt!IovCallDriver+0x57e
    fffff880`074c6e80 fffff880`011746df : fffffa80`072be610 fffffa80`072be610 fffffa80`072be600 fffff980`2906ae50 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
    fffff880`074c6f10 fffff800`0352fd26 : fffff980`2906ae50 00000000`00000002 fffffa80`072be610 fffff800`03521e1a : fltmgr!FltpDispatch+0xcf
    fffff880`074c6f70 fffff880`012b7e1f : fffff980`2a8b0c28 fffff880`074c7240 fffff980`26e4c050 fffffa80`0567f160 : nt!IovCallDriver+0x566
    fffff880`074c6fd0 fffff980`2a8b0c28 : fffff880`074c7240 fffff980`26e4c050 fffffa80`0567f160 fffff880`074c7020 : mfehidk+0x11e1f
    fffff880`074c6fd8 fffff880`074c7240 : fffff980`26e4c050 fffffa80`0567f160 fffff880`074c7020 fffff880`074c7010 : 0xfffff980`2a8b0c28
    fffff880`074c6fe0 fffff980`26e4c050 : fffffa80`0567f160 fffff880`074c7020 fffff880`074c7010 fffff880`074c70d0 : 0xfffff880`074c7240
    fffff880`074c6fe8 fffffa80`0567f160 : fffff880`074c7020 fffff880`074c7010 fffff880`074c70d0 00000000`00000000 : 0xfffff980`26e4c050
    fffff880`074c6ff0 fffff880`074c7020 : fffff880`074c7010 fffff880`074c70d0 00000000`00000000 00000000`00000000 : 0xfffffa80`0567f160
    fffff880`074c6ff8 fffff880`074c7010 : fffff880`074c70d0 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff880`074c7020
    fffff880`074c7000 fffff880`074c70d0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000001`00060000 : 0xfffff880`074c7010
    fffff880`074c7008 00000000`00000000 : 00000000`00000000 00000000`00000000 00000001`00060000 fffff880`074c7028 : 0xfffff880`074c70d0

    The McAfee Host Intrusion Detection Link driver caused an inconsistent status return.

    Remove and replace McAfee with Microsoft Security Essentials for temporary troubleshooting purposes:

    McAfee removal - http://service.mcafee.com/FAQDocument.aspx?id=TS101331

    MSE -  http://windows.microsoft.com/en-us/windows/security-essentials-download

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, July 30, 2014 12:50 AM
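
The by-eye reading of the pasted STACK_TEXT in the reply above can be scripted for cases like this one, where only `!analyze -v` text and not the dump itself can be shared. This is an added example, not part of any post in the thread; the `OS_MODULES` allow-list and all function names are assumptions, and the sample frames are copied from the c9 stack pasted above.

```python
import re

# Modules treated as OS components for this example (assumed allow-list;
# extend it for the environment being triaged).
OS_MODULES = {"nt", "fltmgr", "ntfs", "npfs"}

# One `kb` frame: child-SP  return-address : four args : symbol
FRAME_RE = re.compile(
    r"^\s*([0-9a-f]{8}`[0-9a-f]{8})\s+([0-9a-f]{8}`[0-9a-f]{8})\s+:"
    r"((?:\s+[0-9a-f]{8}`[0-9a-f]{8}){4})\s+:\s+(.+?)\s*$",
    re.IGNORECASE,
)

# Frames copied from the DRIVER_VERIFIER_IOMANAGER_VIOLATION stack in the thread.
SAMPLE_STACK = """
fffff880`074c6be8 fffff800`035134ec : 00000000`000000c9 00000000`00000224 fffff880`0660bdf8 fffff980`2906ae50 : nt!KeBugCheckEx
fffff880`074c6e20 fffff880`01175bcf : fffff980`2906afb0 fffff880`074c6ec0 fffff980`29ea2c30 fffffa80`058ce990 : nt!IovCallDriver+0x57e
fffff880`074c6f10 fffff800`0352fd26 : fffff980`2906ae50 00000000`00000002 fffffa80`072be610 fffff800`03521e1a : fltmgr!FltpDispatch+0xcf
fffff880`074c6f70 fffff880`012b7e1f : fffff980`2a8b0c28 fffff880`074c7240 fffff980`26e4c050 fffffa80`0567f160 : nt!IovCallDriver+0x566
fffff880`074c6fd0 fffff980`2a8b0c28 : fffff880`074c7240 fffff980`26e4c050 fffffa80`0567f160 fffff880`074c7020 : mfehidk+0x11e1f
fffff880`074c6fd8 fffff880`074c7240 : fffff980`26e4c050 fffffa80`0567f160 fffff880`074c7020 fffff880`074c7010 : 0xfffff980`2a8b0c28
"""


def parse_symbol(sym):
    """Return (module, has_symbols) for the symbol column of one frame."""
    if sym.lower().startswith("0x"):
        return None, False                  # raw address, nothing resolved
    if "!" in sym:
        return sym.split("!", 1)[0], True   # module!function+offset
    return sym.split("+", 1)[0], False      # module+offset: no symbols loaded


def parse_stack(text):
    """Parse WinDbg STACK_TEXT lines; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        module, has_symbols = parse_symbol(m.group(4))
        frames.append({
            "child_sp": m.group(1),
            "return_addr": m.group(2),
            "args": m.group(3).split(),
            "symbol": m.group(4),
            "module": module,
            "has_symbols": has_symbols,
        })
    return frames


def triage(frames):
    """Summarise which modules are on the stack, most recent frame first."""
    def unique(items):
        return list(dict.fromkeys(items))

    named = [f for f in frames if f["module"]]
    return {
        "modules": unique(f["module"] for f in named),
        "third_party": unique(
            f["module"] for f in named if f["module"].lower() not in OS_MODULES
        ),
        "no_symbols": unique(
            f["module"] for f in named if not f["has_symbols"]
        ),
        # Raw-address frames usually mean the walk past that point is unreliable.
        "unresolved_frames": sum(1 for f in frames if f["module"] is None),
    }


if __name__ == "__main__":
    for key, value in triage(parse_stack(SAMPLE_STACK)).items():
        print(f"{key}: {value}")
```

Sftfswin7 is not reported for this stack because the c9 output names it through Arg2 and FAULTING_IP rather than through a stack frame, so the bugcheck arguments still have to be read alongside the stack.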
  • Thanks. Yes, I'm working in a company and don't have access to a few sites (e.g. cloud drives), and there are also certain restrictions on accessing those sites. But I have a collection of dump files which I posted to you earlier.

    Wednesday, July 30, 2014 12:59 AM
  • Understood, thanks for the clarification!

    Refer to my recommendation above and keep us updated.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, July 30, 2014 1:06 AM
  • Thanks. Will keep you posted.

    Wednesday, July 30, 2014 1:09 AM
  • My pleasure, I look forward to your update.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, July 30, 2014 1:11 AM
  • Instead of uninstalling, could you please provide me any updated Link Driver version for McAfee HIP?

    Thursday, July 31, 2014 3:06 PM
  • SS

    You need to un-install NOT update.  http://www.mcafee.com/us/


    Wanikiya and Dyami--Team Zigzag

    Thursday, July 31, 2014 3:19 PM
  • Sorry for the delayed response. But I don't have privileges to uninstall McAfee on the production environment machine. Instead of that, I am looking here for any latest version available for the McAfee Host Intrusion Link Drivers.

    Please let me know. Thanks in advance.

    Friday, August 1, 2014 3:23 AM
  • Contact McAfee - http://home.mcafee.com/root/support.aspx

    Or tell your supervisor/IT for the company you work for to give you a break so you can solve the issue.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Friday, August 1, 2014 3:37 AM
  • Thanks. I'm trying to understand here that the Host Intrusion Detection Link driver is nothing but Mfehidk.sys, which causes an inconsistent return.

    As you mentioned, I will try to uninstall and will get back to you. Meanwhile, can you let me know whether we have any latest driver version available from McAfee to avoid uninstalling McAfee?

    I would really appreciate it if you could explain more on this. Thanks

    Friday, August 1, 2014 3:54 AM
  • You cannot update standalone drivers part of a package, and even if you could, it'll have to be under McAfee's orders/files as we cannot provide you with such given none of us are affiliated with McAfee.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama


    Friday, August 1, 2014 4:12 AM
  • Hi Patrick ,

    Good noon. Is there any alternate way to upload the dump files to you except a cloud drive? So that I will upload the same to resolve this issue. Thanks

    Monday, August 4, 2014 5:30 PM
  • Any website works, so long as I can download them.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Monday, August 4, 2014 8:25 PM
  • Hi Patrick

    Very Good Evening !!

    As you referred above, we did not uninstall McAfee; instead we disabled the HIPS services and uninstalled HIPS. And please confirm: did you refer to the below stack text for this solution:


    STACK_TEXT: 
    fffff880`028136e8 fffff800`03303d40 : 00000000`0000001a 00000000`00041790 fffffa80`01641a80 00000000`0000ffff : nt!KeBugCheckEx
    fffff880`028136f0 fffff800`032c57f9 : 00000000`00000000 00000000`015c2fff 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x35084
    fffff880`028138b0 fffff800`035acf51 : fffffa80`03be56b0 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiRemoveMappedView+0xd9
    fffff880`028139d0 fffff800`035ad353 : 00000000`00000000 00000000`010c0000 fffffa80`00000001 00000000`00000001 : nt!MiUnmapViewOfSection+0x1b1
    fffff880`02813a90 fffff800`03291e13 : 00000000`00000001 00000000`0158e600 fffffa80`05a792e0 00000000`00faf2c0 : nt!NtUnmapViewOfSection+0x5f
    fffff880`02813ae0 00000000`773e155a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    00000000`00faf998 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x773e155a

    Wednesday, September 3, 2014 9:24 PM
  • Missing copy file:

    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt! ?? ::FNODOBFM::`string'+35084
    fffff800`03303d40 cc              int     3

    SYMBOL_STACK_INDEX:  1

    SYMBOL_NAME:  nt! ?? ::FNODOBFM::`string'+35084

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nt

    IMAGE_NAME:  ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  51fb06cd

    FAILURE_BUCKET_ID:  X64_0x1a_41790_nt!_??_::FNODOBFM::_string_+35084

    BUCKET_ID:  X64_0x1a_41790_nt!_??_::FNODOBFM::_string_+35084

     

    Wednesday, September 3, 2014 9:28 PM
  • Hello, good evening to you as well. I hope you're well.

    Forgive me, but I am confused by your post. Did disabling/uninstalling HIPS solve the problem instead of removing McAfee?

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Wednesday, September 3, 2014 11:53 PM
  • No, it's still under observation, and we disabled HIPS three days back... So it's not related to

    IMAGE_NAME: ntkrnlmp.exe

    DEBUG_FLR_IMAGE_TIMESTAMP: 51fb06cd

    FAILURE_BUCKET_ID: X64_0x1a_41790_nt!_??_::

    Please let me know

    Thursday, September 4, 2014 3:31 AM
  • Sathishkumar, if you're still crashing after disabling HIPS, your company needs to uninstall McAfee for troubleshooting purposes as I have said many times now. I don't know how else to say this.

    Regards,

    Patrick

    “Be kind whenever possible. It is always possible.” - Dalai Lama

    Thursday, September 4, 2014 7:46 AM
  • Go to Bios and Set as Default for all settings.

    Then Login to machine and Run sfc /scannow to remove bad sectors from your machine.

    Then visit Services.msc and start Disk Defragment service. Visit Diskmgmt.msc and defragment disks partitions created on your HDD.

    Thursday, September 11, 2014 11:32 AM