Question BSOD 0xEF(ntdll.dll)-> If somebody can help to check my analysis is correct or not?

Jan 30, 2019
4
0
10
Hi guys,

I try to analyze below dump and cannot make sure if the root cause correct or not? If you can kindly to check this answer? Thank you.

This is a laptop, DIS SKU, Win10 RS5, and I suspect that it is related to SSD.

Dump file:

==============================

Microsoft (R) Windows Debugger Version 10.0.16299.91 AMD64

Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\99041911\Desktop\part1\MEMORY\MEMORY.DMP]

Kernel Bitmap Dump File: Full address space is available



WARNING: Whitespace at end of path element

WARNING: Whitespace at end of path element

Error: Empty Path.

WARNING: Whitespace at end of path element

WARNING: Whitespace at end of path element

Symbol search path is: SRVc:\symbolshttp://msdl.microsoft.com/download/symbols ;SRVC:\websymbols


Executable search path is:

WARNING: Whitespace at end of path element

WARNING: Whitespace at end of path element

Windows 10 Kernel Version 17763 MP (4 procs) Free x64

Product: WinNt, suite: TerminalServer SingleUserTS

Built by: 17763.1.amd64fre.rs5_release.180914-1434

Machine Name:

Kernel base = 0xfffff80219ca7000 PsLoadedModuleList = 0xfffff8021a0c2ad0

Debug session time: Sun Feb 3 12:43:38.098 2019 (UTC + 8:00)

System Uptime: 3 days 6:13:32.031

Loading Kernel Symbols

...............................................................

................................................................

................................................................

...........

Loading User Symbols

....................

Loading unloaded module list

..................................................

***

* *

* Bugcheck Analysis *

* *

***



Use !analyze -v to get detailed debugging information.



BugCheck EF, {ffff8f82affa0080, 0, 0, 0}



Probably caused by : ntdll.dll ( ntdll!NtTerminateProcess+14 )



Followup: MachineOwner

---------



1: kd> !analyze -v

***

* *

* Bugcheck Analysis *

* *

***



CRITICAL_PROCESS_DIED (ef)

A critical system process died

Arguments:

Arg1: ffff8f82affa0080, Process object or thread object

Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.

Arg3: 0000000000000000

Arg4: 0000000000000000



Debugging Details:

------------------





DUMP_CLASS: 1



DUMP_QUALIFIER: 402



BUILD_VERSION_STRING: 17763.1.amd64fre.rs5_release.180914-1434



SYSTEM_MANUFACTURER: HUAWEI



SYSTEM_PRODUCT_NAME: VLR-WX9



SYSTEM_SKU: C233



SYSTEM_VERSION: D1050



BIOS_VENDOR: HUAWEI



BIOS_VERSION: 0.52



BIOS_DATE: 01/29/2019



BASEBOARD_MANUFACTURER: HUAWEI



BASEBOARD_PRODUCT: VLR-WX9-PCB



BASEBOARD_VERSION: D1050



DUMP_TYPE: 0



BUGCHECK_P1: ffff8f82affa0080



BUGCHECK_P2: 0



BUGCHECK_P3: 0



BUGCHECK_P4: 0



PROCESS_NAME: csrss.exe



CRITICAL_PROCESS: csrss.exe



EXCEPTION_CODE: (HRESULT) 0x82ed5080 (2196590720) - <Unable to get error code text>



ERROR_CODE: (NTSTATUS) 0x82ed5080 - <Unable to get error code text>



CPU_COUNT: 4



CPU_MHZ: 900



CPU_VENDOR: GenuineIntel



CPU_FAMILY: 6



CPU_MODEL: 8e



CPU_STEPPING: b



CPU_MICROCODE: 6,8e,b,0 (F,M,S,R) SIG: 9A'00000000 (cache) 9A'00000000 (init)



DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT



BUGCHECK_STR: 0xEF



CURRENT_IRQL: 0



ANALYSIS_SESSION_HOST: AN990118808



ANALYSIS_SESSION_TIME: 02-14-2019 18:44:49.0917



ANALYSIS_VERSION: 10.0.16299.91 amd64fre



LAST_CONTROL_TRANSFER: from fffff8021a532cbd to fffff80219e5a440



STACK_TEXT:

ffff81010311d838 fffff8021a532cbd : 00000000000000ef ffff8f82affa0080 0000000000000000 0000000000000000 : nt!KeBugCheckEx

ffff81010311d840 fffff8021a42c403 : 0000000000000000 fffff80219ce5c65 ffff8f82affa0080 fffff80219ce5b64 : nt!PspCatchCriticalBreak+0xfd

ffff81010311d8e0 fffff8021a28974c : ffff8f8200000000 0000000000000000 ffff8f82affa0080 ffff8f82affa0358 : nt!PspTerminateAllThreads+0x1a3e2f

ffff81010311d950 fffff8021a28b289 : ffffffffffffffff ffff81010311da80 ffff8f8277f46400 ffff81010311d901 : nt!PspTerminateProcess+0xe0

ffff81010311d990 fffff80219e6b685 : ffff8f8200013660 ffff8f8282ed5080 ffff8f82affa0080 0000000000000000 : nt!NtTerminateProcess+0xa9

ffff81010311da00 00007ffa4b37fbf4 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25

00000045724ff198 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!NtTerminateProcess+0x14





THREAD_SHA1_HASH_MOD_FUNC: 1ee16e27f2a3bf32487936ba1484cfcaf564e2dc



THREAD_SHA1_HASH_MOD_FUNC_OFFSET: d6007b5b4e393f926801e43b9064214961c3c762



THREAD_SHA1_HASH_MOD: fce38ccd7b727228240c1b437cae1484437f51f9



FOLLOWUP_IP:

ntdll!NtTerminateProcess+14

00007ffa4b37fbf4 c3 ret FAULT_INSTR_CODE: c32ecdc3 SYMBOL_STACK_INDEX: 6 SYMBOL_NAME: ntdll!NtTerminateProcess+14 FOLLOWUP_NAME: MachineOwner MODULE_NAME: ntdll IMAGE_NAME: ntdll.dll DEBUG_FLR_IMAGE_TIMESTAMP: 7ded7809 STACK_COMMAND: .thread ; .cxr ; kb BUCKET_ID_FUNC_OFFSET: 14 FAILURE_BUCKET_ID: 0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_82ed5080_ntdll!NtTerminateProcess BUCKET_ID: 0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_82ed5080_ntdll!NtTerminateProcess PRIMARY_PROBLEM_CLASS: 0xEF_csrss.exe_BUGCHECK_CRITICAL_PROCESS_82ed5080_ntdll!NtTerminateProcess TARGET_TIME: 2019-02-03T04:43:38.000Z OSBUILD: 17763 OSSERVICEPACK: 0 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 SUITE_MASK: 272 PRODUCT_TYPE: 1 OSPLATFORM_TYPE: x64 OSNAME: Windows 10 OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS OS_LOCALE: USER_LCID: 0 OSBUILD_TIMESTAMP: unknown_date BUILDDATESTAMP_STR: 180914-1434 BUILDLAB_STR: rs5_release BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434 ANALYSIS_SESSION_ELAPSED_TIME: f39 ANALYSIS_SOURCE: KM FAILURE_ID_HASH_STRING: km:0xef_csrss.exe_bugcheck_critical_process_82ed5080_ntdll!ntterminateprocess FAILURE_ID_HASH: {50859ed8-e1d4-235c-9af9-b48e640397f1} Followup: MachineOwner --------- 1: kd> !locks **** DUMP OF ALL RESOURCE OBJECTS **** KD: Scanning for held locks.. Resource @ nt!IopDeviceTreeLock (0xfffff8021a0dcd80) Shared 1 owning threads Threads: ffff8f82779b7040-01<*> KD: Scanning for held locks. Resource @ nt!PiEngineLock (0xfffff8021a0dce00) Exclusively owned Contention Count = 7018 Threads: ffff8f82779b7040-01<*> KD: Scanning for held locks........................................................................ Resource @ 0xffff8f827cb59f80 Shared 1 owning threads Contention Count = 112 Threads: ffff8f82b1335080-01<*> KD: Scanning for held locks..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... Resource @ 0xffff8f82b2448190 Exclusively owned Contention Count = 16058 NumberOfExclusiveWaiters = 2 Threads: ffff8f82b10c0080-01<*> Threads Waiting On Exclusive Access: ffff8f82b210d080 ffff8f82b1f5c080 KD: Scanning for held locks......................... Resource @ 0xffff8f82b2d3f590 Exclusively owned Threads: ffff8f82b1b24080-01<*> KD: Scanning for held locks............. 52865 total locks, 5 locks currently held 1: kd> !thread ffff8f82b1b24080 THREAD ffff8f82b1b24080 Cid 14e0c.128a0 Teb: 000000ad237f2000 Win32Thread: ffff8f82a1b0c2c0 WAIT: (UserRequest) KernelMode Alertable ffff8f82b2d3f660 NotificationEvent Not impersonating DeviceMap ffffcb0e734da3c0 Owning Process ffff8f82b21a1180 Image: dwm.exe Attached Process N/A Image: N/A Wait Start TickCount 18023169 Ticks: 0 Context Switch Count 143 IdealProcessor: 3 UserTime 00:00:00.000 KernelTime 00:00:00.078 Win32 Start Address 0x00007ffa4189b610 Stack Init ffff8101117e5b90 Current ffff8101117e55d0 Base ffff8101117e6000 Limit ffff8101117df000 Call 0000000000000000 Priority 15 BasePriority 15 PriorityDecrement 0 IoPriority 2 PagePriority 5 Child-SP RetAddr : Args to Child : Call Site ffff8101117e5610 fffff80219dc0567 : 0000000000000001 ffff8f82b1b24080 fffff1c844c51b10 fffff19d260da76d : nt!KiSwapContext+0x76 ffff8101117e5750 fffff80219dc00d9 : 000000000000000f 0000000000000000 0000000000000005 ffff8f82b1b24080 : nt!KiSwapThread+0x297 ffff8101117e5810 fffff80219dbee60 : 0000000000000000 ffff8f8200000000 0000000000000000 ffff8101117e5921 : nt!KiCommitThreadWait+0x549 ffff8101117e58b0 fffff19d263e714b : ffff8f82b2d3f660 0000000000000006 0000000000000000 fffff19d263e4201 : nt!KeWaitForSingleObject+0x520 ffff8101117e5980 fffff19d263e7089 : fffff1c840724050 0000000000000001 0000000000000001 0000000000000000 : win32kbase!DirectComposition::CApplicationChannel::WaitForPendingAndProcessReturnedBatches+0x8b ffff8101117e59d0 fffff80219e6b685 : ffff8f82b1b24080 ffff8101117e5a80 00000245044cdfe8 fffff1c840724050 : win32kbase!NtDCompositionWaitForChannel+0x49 ffff8101117e5a00 00007ffa484f3a04 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffff8101117e5a00)

000000ad2399f618 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : win32u!NtDCompositionWaitForChannel+0x14



1: kd> !scsikd.classext



IMPORTANT NOTE: Please consider using StorageKD instead of scsikd for your debugging needs for win8 and above targets

Storage class devices:



* !classext ffff8f827a372060 [1,2] WDC PC SN720 SDAPNTW-256G-1027 Paging Disk



Usage: !classext <class device> <level [0-2]>



Optical devices, such as DVD drives, can be listed with !wdfkd.wdfdriverinfo cdrom, and further explored

using the "!wdfkd.wdfdevice <device_handle>" and "!wdfkd.wdfdevicequeues <device_handle>" commands.



1: kd> !scsikd.classext ffff8f827a372060

Storage class device ffff8f827a372060 with extension at ffff8f827a3721b0



Classpnp Internal Information at ffff8f827a386040



Failed Requests:



Srb Scsi

Opcode Status Status Sense Code Sector/ListId Time Stamp

------ ------ ------ ---------- --------------- ------------

1b 06 02 05 24 00 04:07:29.536

1b 06 02 05 24 00 04:08:08.551

1b 06 02 05 24 00 04:08:48.520

1b 06 02 05 24 00 04:09:27.473

1b 06 02 05 24 00 04:10:06.551

1b 06 02 05 24 00 04:10:45.489

1b 06 02 05 24 00 04:11:24.442

1b 06 02 05 24 00 04:12:03.708

1b 06 02 05 24 00 04:12:42.833

1b 06 02 05 24 00 04:13:22.708

1b 06 02 05 24 00 04:14:01.567

1b 06 02 05 24 00 04:14:40.708

1b 06 02 05 24 00 04:15:19.708

1b 06 02 05 24 00 04:15:59.442

1b 06 02 05 24 00 04:16:38.520

1b 06 02 05 24 00 04:17:17.520



-- dt classpnp!_CLASS_PRIVATE_FDO_DATA ffff8f827a386040 --



Classpnp External Information at ffff8f827a3721b0



WDC PC SN720 SDAPNTW-256G-1027 10126000 1845_AB80_4379_0001_001B_448B_4484_9B02.



Minidriver information at ffff8f827a372670

Attached device object at ffff8f827a1b6de0

Physical device object at ffff8f827a022060



Media Geometry:



Bytes in a Sector = 512

Sectors per Track = 63

Tracks / Cylinder = 255

Media Length = 256060514304 bytes = ~238 GB



-- dt classpnp!_FUNCTIONAL_DEVICE_EXTENSION ffff8f827a3721b0 --



1: kd> !devstack ffff8f827a372060

!DevObj !DrvObj !DevExt ObjectName

ffff8f827a1ba8d0 \Driver\partmgr ffff8f827a1baa20

ffff8f827a372060 \Driver\Disk ffff8f827a3721b0 DR0

ffff8f827a1b6de0 \Driver\EhStorClassffff8f827a1b6ba0

ffff8f827a022060 \Driver\stornvme ffff8f827a0221b0 0000003c

!DevNode ffff8f827a117370 :

DeviceInst is "SCSI\Disk&Ven_NVMe&Prod_WDC_PC_SN720_SDA\5&2cf988ea&0&000000"

ServiceName is "disk"
 
CRITICAL_PROCESS: csrss.exe

this is the client service for windows. if it doesn't load, windows can't start so its one of the few processes that when missing or corrupt, breaks windows.

it may even stop you getting into safe mode as without it, login process also can't function.

its hard to say if its caused by a ssd though, it could just be a corrupted windows. Try running chkdsk c: /f in command prompt - as I assume it doesn't boot, try using a win 10 installer. If you don't have one, on another PC, , download the Windows 10 media creation tool and use it to make a win 10 installer on USB

change boot order so USB is first, hdd second
boot from installer
on screen after languages, choose repair this pc, not install.
choose troubleshoot
choose advanced
choose command prompt
type chkdsk c: /f and press enter

that fixes the file system but you may need to clean install win 10 to fix it

is there anything on PC you want to rescue?
boot from installer
on screen after languages, choose repair this pc, not install.
choose troubleshoot
choose advanced
choose command prompt
type notepad and press enter
in notepad, select file>open
Use file explorer to copy any files you need to save to USB or hdd

once you have everything you want off laptop, try a clean install and see if it fixes it
boot from installer
follow this guide: http://www.tenforums.com/tutorials/1950-windows-10-clean-install.html
when you reach the screen asking for licence, click "I don't have a key" and win 10 will continue to install and reactivate once finished
 
Thanks Colif, actually it just BSOD 1 time and I don't repro it after re-install Win10.
It always hard to find the real root cause(I mean which one 3th party driver to cause BSOD), however thanks for your great help.
 
if windows is working now,
Can you follow option one on the following link - here

and then do this step below: Small memory dumps - Have Windows Create a Small Memory Dump (Minidump) on BSOD


that creates a file in c windows/minidump after the next BSOD
copy that file to documents
upload the copy from documents to a file sharing web site, and share the link here and I will get someone to convert file into a format I can read