[SOLVED] BSOD System Service Exception ntfs.sys

Feb 14, 2020
Hi guys,
I have a problem on 3 computers which are in a domain controller. Every 48 hours I get a BSOD with a system service exception. I checked the dump file, and here is the content:


Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff8076b000000 PsLoadedModuleList = 0xfffff8076b448190
Debug session time: Wed Feb 12 16:00:15.735 2020 (UTC + 1:00)
System Uptime: 0 days 4:47:59.399
Loading Kernel Symbols
...............................................................
................................................................
............................................
Loading User Symbols
Loading unloaded module list
..............................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff8076b1c1510 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8b0366ff8540=000000000000003b
0: kd> !analyze -v
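*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************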

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8076ce187b6, Address of the instruction which caused the bugcheck
Arg3: ffff8b0366ff8e70, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

Key : Analysis.CPU.Sec
Value: 3

Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CAM-NOC-IENG02

Key : Analysis.DebugData
Value: CreateObject

Key : Analysis.DebugModel
Value: CreateObject

Key : Analysis.Elapsed.Sec
Value: 53

Key : Analysis.Memory.CommitPeak.Mb
Value: 75

Key : Analysis.System
Value: CreateObject


ADDITIONAL_XML: 1

BUGCHECK_CODE: 3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8076ce187b6

BUGCHECK_P3: ffff8b0366ff8e70

BUGCHECK_P4: 0

CONTEXT: ffff8b0366ff8e70 -- (.cxr 0xffff8b0366ff8e70)
rax=0000000000000702 rbx=0000000000000000 rcx=ffff950c06df0c08
rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff8076ce187b6 rsp=ffff8b0366ff9860 rbp=ffff950c06df0c08
r8=0000000000000001 r9=0000000000000000 r10=fffff8076b1005c0
r11=ffff8b0366ff98f0 r12=0000000000000000 r13=ffff950c06df0c08
r14=0000000000000000 r15=ffff950c0a740810
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
Ntfs!NtfsAcquirePagingResourceShared+0x36:
fffff8076ce187b6 8b4710 mov eax,dword ptr [rdi+10h] ds:002b:0000000000000010=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)


BLACKBOXNTFS: 1 (!blackboxntfs)


BLACKBOXPNP: 1 (!blackboxpnp)


BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: SavService.exe

STACK_TEXT:
ffff8b0366ff9860 fffff8076ce16a9f : 0000000000000001 ffff8b0366ff9a90 0000000000000001 0000000000000000 : Ntfs!NtfsAcquirePagingResourceShared+0x36
ffff8b0366ff98a0 fffff8076ce1641c : ffff8b0366ff9aa0 ffff950c0a740810 ffff8b0366ff9aa0 ffff950c06df0c08 : Ntfs!NtfsCommonRead+0x46f
ffff8b0366ff9a60 fffff8076b031f79 : ffff950c0ab2f9a0 ffff950c0a740810 ffff950c0a740bf8 ffff950c04f43010 : Ntfs!NtfsFsdRead+0x20c
ffff8b0366ff9b20 fffff8076c2c55de : 0000000000000000 0000000000000000 ffff950c0ab2fa88 ffff8b0366ff9ec0 : nt!IofCallDriver+0x59
ffff8b0366ff9b60 fffff8076c2c2bee : ffff8b0366ff9c00 ffff950c051d3018 0000000000000001 ffff950c0ab2fa88 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x15e
ffff8b0366ff9be0 fffff8076c2d85fe : ffff950c0ab2f9a0 0000000000000000 ffff8b0366ff9d21 0000000000000000 : FLTMGR!FltPerformSynchronousIo+0x2ee
ffff8b0366ff9c80 fffff8076c2d8151 : 000000283b6a1808 0000000000000000 ffff950c0edf79a0 fffff8076cceffa0 : FLTMGR!FltReadFileEx+0x49e
ffff8b0366ff9d70 fffff8076ccff2f4 : ffff950c15840e20 ffff8b0300000015 ffff8b0366ff9ed0 0000000000000000 : FLTMGR!FltReadFile+0x51
ffff8b0366ff9de0 ffff950c15840e20 : ffff8b0300000015 ffff8b0366ff9ed0 0000000000000000 ffffbd8acb765000 : SophosED+0x7f2f4
ffff8b0366ff9de8 ffff8b0300000015 : ffff8b0366ff9ed0 0000000000000000 ffffbd8acb765000 0000000000000004 : 0xffff950c15840e20
ffff8b0366ff9df0 ffff8b0366ff9ed0 : 0000000000000000 ffffbd8acb765000 0000000000000004 ffff8b0366ff9ec0 : 0xffff8b0300000015
ffff8b0366ff9df8 0000000000000000 : ffffbd8acb765000 0000000000000004 ffff8b0366ff9ec0 0000000000000000 : 0xffff8b0366ff9ed0

SYMBOL_NAME: SophosED+7f2f4

MODULE_NAME: SophosED

IMAGE_NAME: SophosED.sys

STACK_COMMAND: .cxr 0xffff8b0366ff8e70 ; kb

BUCKET_ID_FUNC_OFFSET: 7f2f4

FAILURE_BUCKET_ID: 0x3B_c0000005_SophosED!unknown_function

OS_VERSION: 10.0.18362.1

BUILDLAB_STR: 19h1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {a6767af0-8943-9eec-38e6-4f247945912a}

Followup: MachineOwner
---------

0: kd> lmvm SophosED
Browse full module list
start end module name
fffff8076cc80000 fffff8076cd8c000 SophosED T (no symbols)
Loaded symbol image file: SophosED.sys
Image path: \SystemRoot\system32\DRIVERS\SophosED.sys
Image name: SophosED.sys
Browse all global symbols functions data
Timestamp: Fri Nov 1 01:15:00 2019 (5DBB7904)
CheckSum: 0010EBBE
ImageSize: 0010C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
0: kd> !blackboxbsd
Stream size mismatch (expected = 176, read = 168)
0: kd> !blackboxntfs
NTFS Blackbox Data

0 Slow I/O Timeout Records Found
0 Oplock Break Timeout Records Found
0: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132259845026369427
PnpEventInformation: 3
PnpEventInProgress : 0
PnpProblemCode : 24
PnpVetoType : 0
DeviceId : DISPLAY\Default_Monitor\4&206189e&0&UID200747
VetoString :
0: kd> .cxr 0xffff8b0366ff8e70
rax=0000000000000702 rbx=0000000000000000 rcx=ffff950c06df0c08
rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff8076ce187b6 rsp=ffff8b0366ff9860 rbp=ffff950c06df0c08
r8=0000000000000001 r9=0000000000000000 r10=fffff8076b1005c0
r11=ffff8b0366ff98f0 r12=0000000000000000 r13=ffff950c06df0c08
r14=0000000000000000 r15=ffff950c0a740810
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
Ntfs!NtfsAcquirePagingResourceShared+0x36:
fffff8076ce187b6 8b4710 mov eax,dword ptr [rdi+10h] ds:002b:00000000`00000010=????????


When I run sfc /scannow, it gets stuck at 59%.
Can you help me?
Thank you.
Best regards.

Here are the minidump files: https://1drv.ms/u/s!AtvjYooy6_a_lTvcj2ulQdD7iYMS?e=Bd7Lwx
event viewer: https://1drv.ms/u/s!AtvjYooy6_a_lT2J5gNGGdzTR1Km?e=iIQaFQ
 
Feb 14, 2020
Thank you for your response.
I did update my Windows, but I didn't check for driver updates.
How can I see that in Windows?
Best regards.
 

Colif

Win 11 Master
Moderator
Sadly even new drivers can cause BSOD.

Stack text actually mentions SophosED.sys - Sophos Endpoint Defense mini filter driver. So that is what caused the crash.

I will get a friend to look at dumps as it's possibly a LAN driver behind it.
 
Last edited:
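
The triage step described in the post above (reading STACK_TEXT for the first non-Microsoft module), together with the faulting address from the context record, as an added example that is not part of any post in this thread. The function names and the short `OS_MODULES` allow-list are assumptions made for the example; the input lines are taken from the dump in the first post.

```python
import re

# Assumption for this example: Windows-supplied modules seen in this dump only.
OS_MODULES = {"nt", "ntfs", "fltmgr"}
FRAME = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+:\s+(?:[0-9a-f`]+\s+){4}:\s+(\S+)$", re.I)
MEMREF = re.compile(r"\[(\w+)\+([0-9a-f]+)h\]", re.I)

# Frames, register line and faulting instruction copied from the first post.
STACK = """\
ffff8b0366ff9860 fffff8076ce16a9f : 0000000000000001 ffff8b0366ff9a90 0000000000000001 0000000000000000 : Ntfs!NtfsAcquirePagingResourceShared+0x36
ffff8b0366ff98a0 fffff8076ce1641c : ffff8b0366ff9aa0 ffff950c0a740810 ffff8b0366ff9aa0 ffff950c06df0c08 : Ntfs!NtfsCommonRead+0x46f
ffff8b0366ff9a60 fffff8076b031f79 : ffff950c0ab2f9a0 ffff950c0a740810 ffff950c0a740bf8 ffff950c04f43010 : Ntfs!NtfsFsdRead+0x20c
ffff8b0366ff9b20 fffff8076c2c55de : 0000000000000000 0000000000000000 ffff950c0ab2fa88 ffff8b0366ff9ec0 : nt!IofCallDriver+0x59
ffff8b0366ff9b60 fffff8076c2c2bee : ffff8b0366ff9c00 ffff950c051d3018 0000000000000001 ffff950c0ab2fa88 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x15e
ffff8b0366ff9be0 fffff8076c2d85fe : ffff950c0ab2f9a0 0000000000000000 ffff8b0366ff9d21 0000000000000000 : FLTMGR!FltPerformSynchronousIo+0x2ee
ffff8b0366ff9c80 fffff8076c2d8151 : 000000283b6a1808 0000000000000000 ffff950c0edf79a0 fffff8076cceffa0 : FLTMGR!FltReadFileEx+0x49e
ffff8b0366ff9d70 fffff8076ccff2f4 : ffff950c15840e20 ffff8b0300000015 ffff8b0366ff9ed0 0000000000000000 : FLTMGR!FltReadFile+0x51
ffff8b0366ff9de0 ffff950c15840e20 : ffff8b0300000015 ffff8b0366ff9ed0 0000000000000000 ffffbd8acb765000 : SophosED+0x7f2f4
ffff8b0366ff9de8 ffff8b0300000015 : ffff8b0366ff9ed0 0000000000000000 ffffbd8acb765000 0000000000000004 : 0xffff950c15840e20
"""
CONTEXT = "rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000"
FAULT_INSN = "mov eax,dword ptr [rdi+10h]"

def parse_frames(stack_text):
    """Return (module, symbol) per frame; raw return addresses get module None."""
    frames = []
    for line in stack_text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            sym = m.group(1)
            module = None if sym.lower().startswith("0x") else re.split(r"[!+]", sym)[0]
            frames.append((module, sym))
    return frames

def first_third_party(frames):
    """First module, walking outward from the fault, that is not in OS_MODULES."""
    for module, _sym in frames:
        if module and module.lower() not in OS_MODULES:
            return module
    return None

def fault_address(instruction, context):
    """Effective address of the [reg+disp] operand, from the .cxr register values."""
    regs = {k: int(v, 16) for k, v in re.findall(r"(\w+)=([0-9a-f]+)", context, re.I)}
    m = MEMREF.search(instruction)
    return regs[m.group(1).lower()] + int(m.group(2), 16)

if __name__ == "__main__":
    frames = parse_frames(STACK)
    print(first_third_party(frames), hex(fault_address(FAULT_INSN, CONTEXT)))
```

On this dump the first non-OS module is SophosED and the read that faulted was at address 0x10 (rdi was zero), inside Ntfs on a read issued through FltReadFile. The first third-party frame is a lead to follow up across all three machines' dumps rather than a verdict by itself.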

Lutfij

Titan
Moderator
Are all your drivers above 2019 date?
???

@TBS2019 why are you still on 1903? We're already on 1909 and well on our way to a later revision courtesy of Microsoft. Please disregard Abhinav2005's suggestion to use a third party to tell you if you've got any drivers pending an update. If you must source the latest drivers, source them from the manufacturer's site unless you want to end up pulling all your hair.

Mind if I ask you of your specs?
 

Colif

Win 11 Master
Moderator
It's pretty harmless, it just shows a list of what is running on the PC.

for example
9POLlU6.jpg


Easiest way I found to get a listing.

Dates can be wrong, so can OP upload an image from Driver view (to an image sharing website and show link here) showing the columns from (and including) Driver name to (and including) Creation date. Alas, dates can be lies but driver versions can be used to find real dates. When you run it, go into View and set it to hide all Microsoft drivers, which will make the list way shorter.

Might need more than 1 lot of dumps, as if it's 3 computers it would be odd to get the same error on 3. Unless it's Sophos on all 3.
 
Feb 14, 2020
Thank you for the reply.
My spec is
HP prodesk 400 g4 mt
i7 7700
8GB ram
250 SSD
1TB HDD
integrated graphics card
Regards.
 
Feb 14, 2020
OK I will upload that.
 
