Question BSOD System Service Exception ntfs.sys

Feb 14, 2020
Hi guys,
I have a problem on 3 computers which are in a domain controller. Every 48 hours I have a BSOD with system service exception. I checked the dump file, and here is the content:


Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8076b000000 PsLoadedModuleList = 0xfffff8076b448190
Debug session time: Wed Feb 12 16:00:15.735 2020 (UTC + 1:00)
System Uptime: 0 days 4:47:59.399
Loading Kernel Symbols
...............................................................
................................................................
............................................
Loading User Symbols
Loading unloaded module list
..............................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8076b1c1510 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8b0366ff8540=000000000000003b
0: kd> !analyze -v
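*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************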

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8076ce187b6, Address of the instruction which caused the bugcheck
Arg3: ffff8b0366ff8e70, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec
Value: 3

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CAM-NOC-IENG02

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.Sec
Value: 53

Key : Analysis.Memory.CommitPeak.Mb
Value: 75

Key : Analysis.System
Value: CreateObject


ADDITIONAL_XML: 1

BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8076ce187b6

BUGCHECK_P3: ffff8b0366ff8e70

BUGCHECK_P4: 0

CONTEXT: ffff8b0366ff8e70 -- (.cxr 0xffff8b0366ff8e70)
rax=0000000000000702 rbx=0000000000000000 rcx=ffff950c06df0c08
rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff8076ce187b6 rsp=ffff8b0366ff9860 rbp=ffff950c06df0c08
r8=0000000000000001 r9=0000000000000000 r10=fffff8076b1005c0
r11=ffff8b0366ff98f0 r12=0000000000000000 r13=ffff950c06df0c08
r14=0000000000000000 r15=ffff950c0a740810
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
Ntfs!NtfsAcquirePagingResourceShared+0x36:
fffff8076ce187b6 8b4710 mov eax,dword ptr [rdi+10h] ds:002b:0000000000000010=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: SavService.exe

STACK_TEXT:
ffff8b0366ff9860 fffff8076ce16a9f : 0000000000000001 ffff8b0366ff9a90 0000000000000001 0000000000000000 : Ntfs!NtfsAcquirePagingResourceShared+0x36
ffff8b0366ff98a0 fffff8076ce1641c : ffff8b0366ff9aa0 ffff950c0a740810 ffff8b0366ff9aa0 ffff950c06df0c08 : Ntfs!NtfsCommonRead+0x46f
ffff8b0366ff9a60 fffff8076b031f79 : ffff950c0ab2f9a0 ffff950c0a740810 ffff950c0a740bf8 ffff950c04f43010 : Ntfs!NtfsFsdRead+0x20c
ffff8b0366ff9b20 fffff8076c2c55de : 0000000000000000 0000000000000000 ffff950c0ab2fa88 ffff8b0366ff9ec0 : nt!IofCallDriver+0x59
ffff8b0366ff9b60 fffff8076c2c2bee : ffff8b0366ff9c00 ffff950c051d3018 0000000000000001 ffff950c0ab2fa88 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x15e
ffff8b0366ff9be0 fffff8076c2d85fe : ffff950c0ab2f9a0 0000000000000000 ffff8b0366ff9d21 0000000000000000 : FLTMGR!FltPerformSynchronousIo+0x2ee
ffff8b0366ff9c80 fffff8076c2d8151 : 000000283b6a1808 0000000000000000 ffff950c0edf79a0 fffff8076cceffa0 : FLTMGR!FltReadFileEx+0x49e
ffff8b0366ff9d70 fffff8076ccff2f4 : ffff950c15840e20 ffff8b0300000015 ffff8b0366ff9ed0 0000000000000000 : FLTMGR!FltReadFile+0x51
ffff8b0366ff9de0 ffff950c15840e20 : ffff8b0300000015 ffff8b0366ff9ed0 0000000000000000 ffffbd8acb765000 : SophosED+0x7f2f4
ffff8b0366ff9de8 ffff8b0300000015 : ffff8b0366ff9ed0 0000000000000000 ffffbd8acb765000 0000000000000004 : 0xffff950c15840e20
ffff8b0366ff9df0 ffff8b0366ff9ed0 : 0000000000000000 ffffbd8acb765000 0000000000000004 ffff8b0366ff9ec0 : 0xffff8b0300000015
ffff8b0366ff9df8 0000000000000000 : ffffbd8acb765000 0000000000000004 ffff8b0366ff9ec0 0000000000000000 : 0xffff8b0366ff9ed0


SYMBOL_NAME: SophosED+7f2f4

MODULE_NAME: SophosED

IMAGE_NAME: SophosED.sys

STACK_COMMAND: .cxr 0xffff8b0366ff8e70 ; kb

BUCKET_ID_FUNC_OFFSET: 7f2f4

FAILURE_BUCKET_ID: 0x3B_c0000005_SophosED!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {a6767af0-8943-9eec-38e6-4f247945912a}

Followup: MachineOwner
---------

0: kd> lmvm SophosED
Browse full module list
start end module name
fffff8076cc80000 fffff8076cd8c000 SophosED T (no symbols)
Loaded symbol image file: SophosED.sys
Image path: \SystemRoot\system32\DRIVERS\SophosED.sys
Image name: SophosED.sys
Browse all global symbols functions data
Timestamp: Fri Nov 1 01:15:00 2019 (5DBB7904)
CheckSum: 0010EBBE
ImageSize: 0010C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
0: kd> !blackboxbsd
Stream size mismatch (expected = 176, read = 168)
0: kd> !blackboxntfs

NTFS Blackbox Data

0 Slow I/O Timeout Records Found
0 Oplock Break Timeout Records Found
0: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132259845026369427
PnpEventInformation: 3
PnpEventInProgress : 0
PnpProblemCode : 24
PnpVetoType : 0
DeviceId : DISPLAY\Default_Monitor\4&206189e&0&UID200747
VetoString :

0: kd> .cxr 0xffff8b0366ff8e70
rax=0000000000000702 rbx=0000000000000000 rcx=ffff950c06df0c08
rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff8076ce187b6 rsp=ffff8b0366ff9860 rbp=ffff950c06df0c08
r8=0000000000000001 r9=0000000000000000 r10=fffff8076b1005c0
r11=ffff8b0366ff98f0 r12=0000000000000000 r13=ffff950c06df0c08
r14=0000000000000000 r15=ffff950c0a740810
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
Ntfs!NtfsAcquirePagingResourceShared+0x36:
fffff8076ce187b6 8b4710 mov eax,dword ptr [rdi+10h] ds:002b:00000000`00000010=????????


When I run sfc /scannow, it gets stuck at 59%.
Can you help me?
Thank you.
Best regards.

Here are the minidump files: https://1drv.ms/u/s!AtvjYooy6_a_lTvcj2ulQdD7iYMS?e=Bd7Lwx
Event viewer: https://1drv.ms/u/s!AtvjYooy6_a_lT2J5gNGGdzTR1Km?e=iIQaFQ
 
Feb 14, 2020
Thank you for your response.
I did update my Windows, but I didn't search for driver updates.
How can I see that in Windows?
Best regards.
 

Abhinav2005

Upstanding
Jan 1, 2020
Download DriverView and check whether all the drivers are of 2019 or later version.

And also check your motherboard manufacturer's page and see that all the drivers are up to date.
 

Colif

Win 10 Master
Moderator
Sadly even new drivers can cause BSOD.

Stack text actually mentions SophosED.sys - Sophos Endpoint Defense mini filter driver. So that is what caused the crash.

I will get a friend to look at the dumps as it's possibly a LAN driver behind it.
 
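The stack reading in the post above, as an added example that is not part of the thread: a Python script that pulls the frames out of `!analyze -v` text, names the first module outside a small inbox list, and computes the address the faulting instruction touched. The sample input is a constructed excerpt of the dump in the first post; the function names and the `INBOX` list are assumptions made for this example.

```python
import re

# Constructed excerpt of the dump in the first post (argument columns shortened to 0).
SAMPLE = """\
rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000
fffff8076ce187b6 8b4710 mov eax,dword ptr [rdi+10h] ds:002b:0000000000000010=????????
STACK_TEXT:
ffff8b0366ff9860 fffff8076ce16a9f : 0 0 0 0 : Ntfs!NtfsAcquirePagingResourceShared+0x36
ffff8b0366ff9b20 fffff8076c2c55de : 0 0 0 0 : nt!IofCallDriver+0x59
ffff8b0366ff9d70 fffff8076ccff2f4 : 0 0 0 0 : FLTMGR!FltReadFile+0x51
ffff8b0366ff9de0 ffff950c15840e20 : 0 0 0 0 : SophosED+0x7f2f4
ffff8b0366ff9de8 ffff8b0300000015 : 0 0 0 0 : 0xffff950c15840e20
"""

INBOX = {"nt", "ntfs", "fltmgr"}  # assumption: inbox Windows modules in this trace only
FRAME = re.compile(r"^[0-9a-f]{16} [0-9a-f]{16} : .* : (\S+)$", re.I)

def parse_stack(text):
    """Return (module, symbol) per STACK_TEXT frame; module is None for a raw address."""
    frames, in_stack = [], False
    for line in text.replace("`", "").splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            m = FRAME.match(line.strip())
            if m:
                sym = m.group(1)
                mod = None if sym.lower().startswith("0x") else re.split(r"[!+]", sym)[0]
                frames.append((mod, sym))
    return frames

def faulting_address(text):
    """Effective address of the faulting [reg+NNh] operand, using the .cxr register values."""
    text = text.replace("`", "")
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)}
    m = re.search(r"\[(r[a-z0-9]{1,2})\+([0-9a-f]+)h\]", text)
    return regs[m.group(1)] + int(m.group(2), 16) if m else None

def triage(text):
    frames = parse_stack(text)
    addr = faulting_address(text)
    third = next((i for i, (m, _) in enumerate(frames) if m and m.lower() not in INBOX), None)
    return {
        "faulting_symbol": frames[0][1],
        "first_third_party": frames[third][0] if third is not None else None,
        "inbox_frames_above": third,  # Windows frames between the fault and that module
        "raw_frames": sum(m is None for m, _ in frames),  # unresolved, unwind unreliable
        "near_null_access": addr is not None and addr < 0x10000,  # never-mapped first 64 KB
    }
```

On this excerpt `triage(SAMPLE)` reports SophosED as the first third-party module below the Ntfs, nt and FLTMGR frames, and a read at address 0x10 through a zero `rdi`. That makes the filter driver the lead to follow up with its vendor; the frames below it are raw addresses because the module has no symbols.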

Lutfij

Titan
Moderator
Is all your driver are above 2019 date.
???

@TBS2019 why are you still on 1903? We're already on 1909 and well on our way to a later revision courtesy of Microsoft. Please disregard Abhinav2005's suggestion to use a third party to tell you if you've got any drivers pending an update. If you must source the latest drivers, source them from the manufacturer's site unless you want to end up pulling all your hair.

Mind if I ask you of your specs?
 

Colif

Win 10 Master
Moderator
@lutfi I use that program to look at what drivers are currently running on the PC. It doesn't download any for you, it just shows you what is there now.

The rest of your advice is what I would suggest as well, based on what info is in DriverView.
 

Lutfij

Titan
Moderator
I don't use that app either, neither going to suggest to a novice who is clueless, sorry OP :p

Best is to start fresh when in doubt since finding hay in a needle stack is worse than just not dealing with a needle stack :D
 

Colif

Win 10 Master
Moderator
It's pretty harmless, it just shows a list of what is running on the PC

for example


easiest way I found to get a listing.

Dates can be wrong, so can OP upload an image from DriverView (to an image sharing website and show the link here) showing the columns from (and including) Driver name to (and including) Creation date. Alas, dates can be lies, but driver versions can be used to find real dates. When you run it, go into View and set it to hide all Microsoft drivers; that will make the list way shorter.

Might need more than 1 lot of dumps, as if it's 3 computers it would be odd to get the same error on 3. Unless it's Sophos on all 3.
 
Feb 14, 2020
Thank you for the reply.
My specs are:
HP ProDesk 400 G4 MT
i7 7700
8GB RAM
250 SSD
1TB HDD
integrated graphics card
Regards.
 
Feb 14, 2020
OK I will upload that.
 
