BSOD with mrxsmb10.sys and 0x00000027


  • I
    have a problem with a crashing W7 laptop. The BSOD appears regularly when
    opening one particular word document with a large number of linked excel spread
    sheets in it, and occasionally when opening other excel spread sheets (There
    are no problems on any other PC with these particular files.). Using my limited
    windbg experience I can see that mrxsmb10.sys is always pointed at, and I have
    used all the hotfixes form the following page
    that affect mrxsmb10. I have also upgraded all the network drivers, chip set
    drives, BIOS etc on the PC, as well as removing the security software. Can anyone
    give me any more pointers ?


    Wednesday, February 29, 2012 3:36 PM

All replies

  • Hope this works..."



    • Edited by TimFoo Friday, March 02, 2012 3:45 PM
    Friday, March 02, 2012 3:43 PM
  • Hope this works..."



    Warning: 99MB download ;)

    I hope it's a kernel memory dump Tim, not hundreds of minidumps ;) I'll try to debug it once the downloads complete.

    Saturday, March 03, 2012 8:24 AM
  • Ok, a quick look makes me think that McAfee remnants are responsible for this. The McAfee removal tool here should clear any remaining files/drivers from the laptop.

    System Uptime: 0 days 3:42:08.673
    Loading Kernel Symbols
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffd800c).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    Use !analyze -v to get detailed debugging information.
    BugCheck 27, {baad0073, bef4b350, bef4af30, 9a36de13}
    *** ERROR: Module load completed but symbols could not be loaded for hdlpflt.sys
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfehidk.sys - 
    Probably caused by : mrxsmb10.sys ( mrxsmb10!MRxSmbQueryFileInformation+5f9 )
    Followup: MachineOwner
    0: kd> !analyze -v
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
        If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
        exception record and context record. Do a .cxr on the 3rd parameter and then kb to
        obtain a more informative stack trace.
        The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
        as follows:
         RDBSS_BUG_CHECK_CACHESUP  = 0xca550000,
         RDBSS_BUG_CHECK_CLEANUP   = 0xc1ee0000,
         RDBSS_BUG_CHECK_CLOSE     = 0xc10e0000,
         RDBSS_BUG_CHECK_NTEXCEPT  = 0xbaad0000,
    Arg1: baad0073
    Arg2: bef4b350
    Arg3: bef4af30
    Arg4: 9a36de13
    Debugging Details:
    EXCEPTION_RECORD:  bef4b350 -- (.exr 0xffffffffbef4b350)
    ExceptionAddress: 9a36de13 (mrxsmb10!MRxSmbQueryFileInformation+0x000005f9)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000000
       Parameter[1]: 00000008
    Attempt to read from address 00000008
    CONTEXT:  bef4af30 -- (.cxr 0xffffffffbef4af30)
    eax=00000000 ebx=871bc658 ecx=00000000 edx=00000000 esi=871bc748 edi=8a0a6010
    eip=9a36de13 esp=bef4b418 ebp=bef4b4bc iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
    9a36de13 668b4008        mov     ax,word ptr [eax+8]      ds:0023:00000008=????
    Resetting default scope
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    READ_ADDRESS:  00000008 
    9a36de13 668b4008        mov     ax,word ptr [eax+8]
    9a36de13 668b4008        mov     ax,word ptr [eax+8]
    BUGCHECK_STR:  0x27
    LAST_CONTROL_TRANSFER:  from 9a33aa30 to 9a36de13
    bef4b4bc 9a33aa30 871bc658 bef4b5a4 921c982d mrxsmb10!MRxSmbQueryFileInformation+0x5f9
    bef4b4c8 921c982d 871bc658 871bc6e8 871bc658 mrxsmb!SmbShellQueryFileInformation+0x1b
    bef4b5a4 9213dcd6 011bc658 bef4b868 bef4b5dc csc!CscQueryFileInformation+0x1c0
    bef4b5b4 9215c61b 871bc658 d205c818 00000005 rdbss!RxpQueryInfoMiniRdr+0x53
    bef4b5dc 9215c2c5 871bc658 8648d008 d205c818 rdbss!RxQueryStandardInfo+0xbe
    bef4b63c 92139efc 871bc658 8648d008 2ce0135d rdbss!RxCommonQueryInformation+0x1f5
    bef4b6c4 921502c9 9214a240 8648d008 85ddd470 rdbss!RxFsdCommonDispatch+0x646
    bef4b6f4 9a3466a2 8a1366f8 0548d008 8648d0c0 rdbss!RxFsdDispatch+0x1ab
    bef4b710 8304d58e 8a1366f8 0148d008 8648d0e4 mrxsmb!MRxSmbFsdDispatch+0x9a
    bef4b728 8ceb3bb0 00000103 86392848 85ddd470 nt!IofCallDriver+0x63
    bef4b744 8ceb2b52 86392848 00000000 8648d008 mup!MupiCallUncProvider+0x10f
    bef4b75c 8ceb313e 86392848 00000000 86b1e030 mup!MupStateMachine+0x9b
    bef4b774 8304d58e 86b1e030 86392848 8648d008 mup!MupFsdIrpPassThrough+0x93
    bef4b78c 8c80f20c 00000000 86838328 00000000 nt!IofCallDriver+0x63
    bef4b7b0 8c8100bf bef4b7d0 86b1ebd8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa
    bef4b7e8 8c824fc3 869f0c50 88e356b0 bef4b870 fltmgr!FltPerformSynchronousIo+0xb9
    bef4b7f8 8cfba518 869f0c50 86838328 bef4b850 fltmgr!FltQueryInformationFile+0x4f
    WARNING: Stack unwind information not available. Following frames may be wrong.
    bef4b870 8c8133c0 88e35710 bef4b8dc 00000000 hdlpflt+0x4518
    bef4b890 8cfba3ad 88e35710 bef4b8dc 00000000 fltmgr!FltDoCompletionProcessingWhenSafe+0x88
    bef4b8b8 8c80b324 88e35710 bef4b8dc 00000000 hdlpflt+0x43ad
    bef4b920 8c80e512 00e356b0 88e356b0 10000004 fltmgr!FltpPerformPostCallbacks+0x24a
    bef4b934 8c80eb46 88e356b0 88e13ca8 bef4b98c fltmgr!FltpProcessIoCompletion+0x10
    bef4b944 8308e913 86b1ebd8 88e13ca8 88e356b0 fltmgr!FltpPassThroughCompletion+0x98
    bef4b98c 8ceb2c8f 00000103 8a1745b8 8ceb01f0 nt!IopfCompleteRequest+0x128
    bef4b9a0 8ceb2af3 00000000 85ddd470 88e13ca8 mup!MupiIoPostProcess+0xc1
    bef4b9b8 8ceb3071 8a1745b8 00000000 86b1e030 mup!MupStateMachine+0x3c
    bef4b9d4 8304d58e 86b1e030 00000000 88e13ca8 mup!MupCleanup+0x91
    bef4b9ec 8c80f20c 86b1ebd8 88e13ca8 00000000 nt!IofCallDriver+0x63
    bef4ba10 8c80f3cb bef4ba30 86b1ebd8 00000000 fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa
    bef4ba48 8304d58e 86b1ebd8 88e13ca8 bef4bbd0 fltmgr!FltpDispatch+0xc5
    bef4ba60 8c89c161 bef4bb48 86b1f468 bef4bbd0 nt!IofCallDriver+0x63
    bef4baa0 8c85fa85 88e13ca8 85ddd470 86b1f468 mfehidk!DEVICEDISPATCH::LowerDispatchPassThrough+0x71
    bef4bb24 8c86174f bef4bbd0 85ddd470 bef4bb48 mfehidk+0x11a85
    bef4bbb8 8c89c92c bef4bbd0 88e13ca8 86b1f338 mfehidk+0x1374f
    bef4bbf0 8304d58e 01b1f338 88e13ca8 85ddd470 mfehidk!DEVICEDISPATCH::DispatchPassThrough+0x9c
    bef4bc08 83248abe 85cec770 85ddd458 00000001 nt!IofCallDriver+0x63
    bef4bc48 83239f5f 87641d40 85ddd470 00000001 nt!IopCloseFile+0x2f3
    bef4bc94 8325b3ac 87641d40 b478b658 86692130 nt!ObpDecrementHandleCount+0x139
    bef4bcdc 8325b0ec b478b658 c502ef20 87641d40 nt!ObpCloseHandleTableEntry+0x203
    bef4bd0c 8325b486 87641d40 86692101 07ca4278 nt!ObpCloseHandle+0x7f
    bef4bd28 8305421a 00000790 07ca427c 76ed7094 nt!NtClose+0x4e
    bef4bd28 76ed7094 00000790 07ca427c 76ed7094 nt!KiFastCallEntry+0x12a
    07ca427c 00000000 00000000 00000000 00000000 0x76ed7094
    SYMBOL_NAME:  mrxsmb10!MRxSmbQueryFileInformation+5f9
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: mrxsmb10
    IMAGE_NAME:  mrxsmb10.sys
    STACK_COMMAND:  .cxr 0xffffffffbef4af30 ; kb
    FAILURE_BUCKET_ID:  0x27_mrxsmb10!MRxSmbQueryFileInformation+5f9
    BUCKET_ID:  0x27_mrxsmb10!MRxSmbQueryFileInformation+5f9
    Followup: MachineOwner

    There's a very similar problem logged at sevenforums (offline for maintenance as I write) but unsolved, which may have been as a result of an upgrade to W7 from Vista and carrying over older drivers. Note that there are two warnings/errors noted by the debugger there - one of those drivers (RapportPG) is also a security driver.

    STOP 0x00000027: RDR_FILE_SYSTEM
    Usual causes:  Insufficient physical memory, Indexing, Device driver

    Saturday, March 03, 2012 8:55 AM

  •  ... I have ... , as well as removing the security software. Can anyone
    give me any more pointers ?

    @VF: My guess, based on the above by Tim, is that he doesn't even know there's any McAfee still residing in his system. A simple link to Microsoft Security Essentials would have sufficed.

    Saturday, March 03, 2012 1:46 PM


    The mrxsmb10.sys is a SMB related driver. I suggest that you test your problem in Safe Mode with network. Then check whether this problem occurs again.

    Also I suggest that you may take following general steps to prevent an error like this from happening again:

    1. Download and install updates and device drivers for your computer from Windows Update.
    2. Scan your computer for computer viruses.
    3. Check your hard disk for errors.

    Bug Check 0x27: RDR_FILE_SYSTEM. This indicates that a problem occurred in the SMB redirector file system.

    One possible cause of this bug check is depletion of nonpaged pool memory. If the nonpaged pool memory is completely depleted, this error can stop the system. However, during the indexing process, if the amount of available nonpaged pool memory is very low, another kernel-mode driver requiring nonpaged pool memory can also trigger this error.

    William Tan

    TechNet Community Support

    Monday, March 05, 2012 3:43 AM
  • I did know, this is a dump after they all went back on. Mcafee had ruled out by that stage, which sort of suprised me...

    I was rather pinning my hopes on it, after doing the driver upgrades and the MS hotfixes...

    Oh well...

    Monday, March 05, 2012 11:32 AM
  • I guess I'll try safe mode/mcafee removal again :-(

    Monday, March 05, 2012 11:37 AM
  • Any security software needs to be uninstalled fully to test, enable the built-in Windows firewall and use MSE if you must to test.

    Use the McAfee removal tool as well, it's the best way to be reasonably sure it's gone.

    Any security software can cause problems that look like they're network-related, SMB included, it wouldn't be much of a security software if it didn't hook in to networking.

    Monday, March 05, 2012 11:43 AM