NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 001904fb
Arg2: 9ca56998
Arg3: 9ca56570
Arg4: 8a56121c
EXCEPTION_RECORD: 9ca56998 -- (.exr 0xffffffff9ca56998)
ExceptionAddress: 8a56121c (Ntfs!NtfsAcquireResourceExclusive+0x00000015)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 0000003c
Attempt to read from address 0000003c
CONTEXT: 9ca56570 -- (.cxr 0xffffffff9ca56570)
eax=00000000 ebx=c00000d8 ecx=00000702 edx=00000000 esi=b6295270 edi=00000000
eip=8a56121c esp=9ca56a60 ebp=9ca56a60 iopl=0 nv up ei pl nz ac pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010216
Ntfs!NtfsAcquireResourceExclusive+0x15:
8a56121c 8b403c mov eax,dword ptr [eax+3Ch] ds:0023:0000003c=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: [COLOR=#ff0000][U][B]ccsvchst.exe[/B][/U][/COLOR]
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0000003c
READ_ADDRESS: GetPointerFromAddress: unable to read from 8297e828
Unable to read MiSystemVaType memory at 8295ed80
0000003c
FOLLOWUP_IP:
Ntfs!NtfsAcquireResourceExclusive+15
8a56121c 8b403c mov eax,dword ptr [eax+3Ch]
FAULTING_IP:
Ntfs!NtfsAcquireResourceExclusive+15
8a56121c 8b403c mov eax,dword ptr [eax+3Ch]
BUGCHECK_STR: 0x24
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 8a5610df to 8a56121c
STACK_TEXT:
9ca56a60 8a5610df 85369c40 b6295270 85369c01 Ntfs!NtfsAcquireResourceExclusive+0x15
9ca56a84 8a5ceb93 85369c40 b6295270 00000000 Ntfs!NtfsAcquireExclusiveFcb+0x42
9ca56b20 8a5d2b3c 85369c40 8595b0d8 00000001 Ntfs!NtfsFlushVolume+0x13e
9ca56ba4 8a5ccd72 85369c40 859438e0 16fdd725 Ntfs!NtfsCommonFlushBuffers+0x1a9
9ca56c0c 8284e032 8595b020 859438e0 859438e0 Ntfs!NtfsFsdFlushBuffers+0xf7
9ca56c24 8a38c20c 85d43408 859438e0 00000000 nt!IofCallDriver+0x63
9ca56c48 8a38c3cb 9ca56c68 85d43408 00000000 [COLOR=#ff0000][U][B]fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x2aa[/B][/U][/COLOR]
9ca56c80 8284e032 85d43408 859438e0 859438e0 [COLOR=#ff0000][U][B]fltmgr!FltpDispatch+0xc5[/B][/U][/COLOR]
9ca56c98 82a23b1d 859438e0 85050f80 00000000 nt!IofCallDriver+0x63
9ca56cb8 82a43dc7 85d43408 85050f80 00000000 nt!IopSynchronousServiceTail+0x1f8
9ca56d24 8285483a 00000000 03a9d848 03a9d850 nt!NtFlushBuffersFile+0x1d7
9ca56d24 76ee7094 00000000 03a9d848 03a9d850 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
03a9d850 00000000 00000000 00000000 00000000 0x76ee7094
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs!NtfsAcquireResourceExclusive+15
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Ntfs
IMAGE_NAME: Ntfs.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4ce7892c
STACK_COMMAND: .cxr 0xffffffff9ca56570 ; kb
FAILURE_BUCKET_ID: 0x24_Ntfs!NtfsAcquireResourceExclusive+15
BUCKET_ID: 0x24_Ntfs!NtfsAcquireResourceExclusive+15