Windows 7 Multiple 0x00000027 RDR_FILE_SYSTEM BSOD HELP!!!!

timkl25

New Member
I am having some serious issues with the 000000x27 BSOD. We have about 100 systems and about 10 or so systems throw this code inconsistantly but every day or so. Some users reported the code when using Outlook or Word, others just had on the destop. Same systems have reoccuring BSOD and all the same 0x0000027 RDR_FILE_SYSTEM. I do not have Win Debugging tools and we have ran the latest updates, reinstalled the drives for the audio, video and network. I have the dumps and can email or post the links. I am running out of things to try, please advise. We have swapped the system and reimaged it with the same image and issue is still there, so it is software replated. Clean install is not an option as the users are runing specific software. PLEASE HELP!!!!
 
Last edited:
Hello Tim and welcome to the forums.
First make sure your machine is configured properly to facilitate the collection of .dmp files.
Go to Start and type in sysdm.cpl and press Enter
Click on the Advanced tab
Click on the Startup and Recovery Settings button
Ensure that Automatically restart is unchecked
Under the Write Debugging Information header select Small memory dump (256 kB) in the dropdown box
Ensure that the Small Dump Directory is listed as %systemroot%\Minidump << where your .dmp files can be found later
Click OK twice to exit the dialogs, then reboot for the changes to take effect.
Then:
Please read the first post in this sticky thread here How to ask for help with a BSOD problem
Do your best to accumulate the data required.
Run the SF Diagnostic tool (download and right click the executable and choose run as administrator)
Download and run CPUz. Use the Windows snipping tool to gather images from all tabs including all slots populated with memory under the SPD tab.
Likewise RAMMon. Export the html report, put everything into a desktop folder that you've created for this purpose, zip it up and attach it to your next post (right click it and choose send to, compressed (zipped) folder.
Additionally, if you haven’t already, please take some time and fill out your system specs in your forum profile area http://windows7forums.com/windows-7...you-filling-your-system-specs.html#post235529 .
Good luck
Randy
 
Today same issue happend again exactly when one user was coping file (60mb) form his system to the another user's C: drive. Recieving system bluescreened. Sender system did not. So could be related to network?
 
Last edited:
At first glance, at your single dump file, it would suggest a problem with
proxyclientflt32.sys normally associated with Blue Coat Systems Blue Coat
I would also suggest addressing these three older drivers
SonMirrorftas.sys 3/14/2006
SonVMDas.sys 3/14/2006 both apparently associated with Sonexis Link Removed - Invalid URL
and
dne2000.sys 11/10/2008 Citrix Deterministic Network Enhancer Miniport or Cisco Systems VPN Client
If Blue Screens persist, uninstall Norton/Symantec through the control panel and follow that up by running the vendor specific proprietary removal tool here https://www-secure.symantec.com/nor...10133834EN&product=home&version=1&pvid=f-home
Consider replacing with Microsoft Security Essentials here Link Removed due to 404 Error
 
Thank you very much, thats a great start, I will try to update all the listed drivers. Attached are a few more dumps form one of the users. These were recorded as a kernel dumps, before I changed the settings to capture memory dumps. Also what software do you use to decode the dumps. I have tried Bluescreen Analyzer and Windows Debuging tools and did not get nearly anythingclose to what you suggested. This is a great forum.
 
Last edited:
Your most recent 5 dump files are all identical.
WinDbg.exe (Windows Debugger)
EXAMPLE:
Code:
RDR_FILE_SYSTEM (27)
    If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
    exception record and context record. Do a .cxr on the 3rd parameter and then kb to
    obtain a more informative stack trace.
    The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
    as follows:
     RDBSS_BUG_CHECK_CACHESUP  = 0xca550000,
     RDBSS_BUG_CHECK_CLEANUP   = 0xc1ee0000,
     RDBSS_BUG_CHECK_CLOSE     = 0xc10e0000,
     RDBSS_BUG_CHECK_NTEXCEPT  = 0xbaad0000,
Arguments:
Arg1: baad0073
Arg2: a3d336a8
Arg3: a3d33280
Arg4: 911e1c82
*** WARNING: Unable to verify timestamp for[COLOR=#ff0000][U][B] proxyclientflt32.sys[/B][/U][/COLOR]
*** ERROR: Module load completed but symbols could not be loaded for[COLOR=#ff0000][U][B] proxyclientflt32.sys[/B][/U][/COLOR]
*** WARNING: Unable to verify timestamp for [COLOR=#ff0000][U][B]proxyclientwebfilter32.sys[/B][/U][/COLOR]
*** ERROR: Module load completed but symbols could not be loaded for [COLOR=#ff0000][U][B]proxyclientwebfilter32.sys
[/B][/U][/COLOR]
EXCEPTION_RECORD:  a3d336a8 -- (.exr 0xffffffffa3d336a8)
ExceptionAddress: 911e1c82 (tdx!TdxCreateControlChannel+0x00000070)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 0000000c
Attempt to write to address 0000000c

CONTEXT:  a3d33280 -- (.cxr 0xffffffffa3d33280)
eax=00000000 ebx=00000000 ecx=00000002 edx=00000000 esi=86445cf8 edi=00000003
eip=911e1c82 esp=a3d33770 ebp=a3d33778 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
tdx!TdxCreateControlChannel+0x70:
911e1c82 89700c          mov     dword ptr [eax+0Ch],esi ds:0023:0000000c=????????
Resetting default scope
CUSTOMER_CRASH_COUNT:  1
PROCESS_NAME:  System
CURRENT_IRQL:  0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  00000001
EXCEPTION_PARAMETER2:  0000000c
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 82d77848
Unable to read MiSystemVaType memory at 82d56e20
 0000000c 
FOLLOWUP_IP: 
tdx!TdxCreateControlChannel+70
911e1c82 89700c          mov     dword ptr [eax+0Ch],esi
FAULTING_IP: 
tdx!TdxCreateControlChannel+70
911e1c82 89700c          mov     dword ptr [eax+0Ch],esi
BUGCHECK_STR:  0x27
DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER:  from 911e9009 to 911e1c82
STACK_TEXT:  
a3d33778 911e9009 884d5c90 00000000 00000000 tdx!TdxCreateControlChannel+0x70
a3d337b0 82c4558e 880a5be8 89c5bd98 89c5bd98 tdx!TdxTdiDispatchCreate+0x5f
a3d337c8 910027b2 a3d337e8 91003501 880a5be8 nt!IofCallDriver+0x63
WARNING: Stack unwind information not available. Following frames may be wrong.
a3d337d0 91003501 880a5be8 89c5bd98 886410d0 [COLOR=#ff0000][U][B]proxyclientflt32[/B][/U][/COLOR]+0x27b2
a3d337e8 91001753 88633e40 89c5bd98 88633e40 [COLOR=#ff0000][U][B]proxyclientflt32[/B][/U][/COLOR]+0x3501
a3d337fc 82c4558e 88633e40 89c5bd98 8a0c8904 [COLOR=#ff0000][U][B]proxyclientflt32[/B][/U][/COLOR]+0x1753
a3d33814 91011627 886410d0 8a0c8904 89545430 nt!IofCallDriver+0x63
a3d33828 9100d7ab 886410d0 8a0c8904 89545430 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x6627
a3d33860 9101241e 89545430 8b13e458 89545430 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x27ab
a3d33880 910148c6 89545430 8a0c8904 89545430 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x741e
a3d33898 910131e1 00000000 89545430 886410d0 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x98c6
a3d338b4 91011635 0f6410d0 8a0c8904 00000000 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x81e1
a3d338d0 91011836 886410d0 00000103 89c5bd98 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x6635
a3d3391c 91011eac 8a0c8904 0000009f 00000001 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x6836
a3d33930 9100de1c 8a0c8904 89c5bf28 886410d0 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x6eac
a3d3395c 9101241e 85b0f1d0 00000104 89c5bd98 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x2e1c
a3d3397c 910148c6 89c5bd98 89c5bd98 88641018 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x741e
a3d33994 82c4558e 00000000 89c5bd98 a3d339e0 [COLOR=#ff0000][U][B]proxyclientwebfilter32[/B][/U][/COLOR]+0x98c6
a3d339ac 9166fced 85f24798 85fb2fa0 85fb2f68 nt!IofCallDriver+0x63
a3d339c4 91632e50 8a3bf2c8 85fb2fd8 00000000 afd!WskTdiTLRequestSend+0x12f
a3d33a00 9163185a a3d33a20 82c4558e 885fa868 afd!WskProIRPSend+0xc2
a3d33a08 82c4558e 885fa868 85fb2f68 8af0fa40 afd!AfdWskDispatchInternalDeviceControl+0x21
a3d33a20 91632fa8 a3d33a7c 911146b0 85f247ac nt!IofCallDriver+0x63
a3d33a28 911146b0 85f247ac a3d33a64 00000002 afd!WskProAPISend+0x67
a3d33a7c 911290d8 89cd3010 9163fe30 8ab30258 mrxsmb!SmbWskSend+0x12f
a3d33acc 9112919a 89cd3010 00000000 8ab30258 mrxsmb!RxCeSend+0x4a
a3d33af4 911165a6 89cd3010 00000000 8ab30258 mrxsmb!VctSend+0x24
a3d33b28 9111a2fc 00000000 0000009b 00000000 mrxsmb!SmbCseSubmitBufferContext+0x208
a3d33b4c 911170d8 00000000 89cd3010 00000000 mrxsmb!SmbNegotiate_Start+0x138
a3d33b7c 9111a0bb 00bc1c00 87c19828 8abc1c00 mrxsmb!SmbCeInitiateExchange+0x347
a3d33b90 9111b7ae 8a8f1768 89cd3010 87c19828 mrxsmb!MRxSmbInitialNegotiate+0x70
a3d33bbc 9111b86b 8a8f1768 8a65ba68 8a8998c8 mrxsmb!SmbCeCompleteTransportConnectionEstablishment+0xfa
a3d33bd4 9111a893 00000000 92246cc8 a3d33c40 mrxsmb!VctCompleteConnectRequest+0x6f
a3d33be4 92234143 8a8998c8 31f75b05 00000000 mrxsmb!RxCeInitiateConnection+0x1bd
a3d33c40 92249d32 92246cc8 92247108 a3d33c90 rdbss!RxpWorkerThreadDispatcher+0x13e
a3d33c50 82e16fda 92246cc8 84778901 00000000 rdbss!RxWorkerThreadDispatcher+0x1a
a3d33c90 82cbf1f9 92249d18 92246cc8 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  tdx!TdxCreateControlChannel+70
Additional Resource: Bug Check 0x27: RDR_FILE_SYSTEM
 
I have been trying to get the WinBG to read my dumps, followed the instctuctions and even downloaded the symbols on to the computer and extracted to the C:\ Drive. I am getting the error and it gets stck on that loading symbols page.
 
Last edited:
Back
Top