Hi guys,
I have a problem on 3 computers which are in a domain controller. Every 48 hours I get a BSOD with a system service exception. I checked the dump file, and here is the content:
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 18362 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff807`6b000000 PsLoadedModuleList = 0xfffff807`6b448190
Debug session time: Wed Feb 12 16:00:15.735 2020 (UTC + 1:00)
System Uptime: 0 days 4:47:59.399
Loading Kernel Symbols
...............................................................
................................................................
............................................
Loading User Symbols
Loading unloaded module list
..............................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff807`6b1c1510 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffff8b03`66ff8540=000000000000003b
0: kd> !analyze -v
*** Bugcheck Analysis ***
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8076ce187b6, Address of the instruction which caused the bugcheck
Arg3: ffff8b0366ff8e70, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
KEY_VALUES_STRING: 1
Key : Analysis.CPU.Sec
Value: 3
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on CAM-NOC-IENG02
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 53
Key : Analysis.Memory.CommitPeak.Mb
Value: 75
Key : Analysis.System
Value: CreateObject
ADDITIONAL_XML: 1
BUGCHECK_CODE: 3b
BUGCHECK_P1: c0000005
BUGCHECK_P2: fffff8076ce187b6
BUGCHECK_P3: ffff8b0366ff8e70
BUGCHECK_P4: 0
CONTEXT: ffff8b0366ff8e70 -- (.cxr 0xffff8b0366ff8e70)
rax=0000000000000702 rbx=0000000000000000 rcx=ffff950c06df0c08
rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff8076ce187b6 rsp=ffff8b0366ff9860 rbp=ffff950c06df0c08
r8=0000000000000001 r9=0000000000000000 r10=fffff8076b1005c0
r11=ffff8b0366ff98f0 r12=0000000000000000 r13=ffff950c06df0c08
r14=0000000000000000 r15=ffff950c0a740810
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
Ntfs!NtfsAcquirePagingResourceShared+0x36:
fffff807`6ce187b6 8b4710 mov eax,dword ptr [rdi+10h] ds:002b:00000000`00000010=????????
Resetting default scope
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: SavService.exe
STACK_TEXT:
ffff8b03`66ff9860 fffff807`6ce16a9f : 00000000`00000001 ffff8b03`66ff9a90 00000000`00000001 00000000`00000000 : Ntfs!NtfsAcquirePagingResourceShared+0x36
ffff8b03`66ff98a0 fffff807`6ce1641c : ffff8b03`66ff9aa0 ffff950c`0a740810 ffff8b03`66ff9aa0 ffff950c`06df0c08 : Ntfs!NtfsCommonRead+0x46f
ffff8b03`66ff9a60 fffff807`6b031f79 : ffff950c`0ab2f9a0 ffff950c`0a740810 ffff950c`0a740bf8 ffff950c`04f43010 : Ntfs!NtfsFsdRead+0x20c
ffff8b03`66ff9b20 fffff807`6c2c55de : 00000000`00000000 00000000`00000000 ffff950c`0ab2fa88 ffff8b03`66ff9ec0 : nt!IofCallDriver+0x59
ffff8b03`66ff9b60 fffff807`6c2c2bee : ffff8b03`66ff9c00 ffff950c`051d3018 00000000`00000001 ffff950c`0ab2fa88 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x15e
ffff8b03`66ff9be0 fffff807`6c2d85fe : ffff950c`0ab2f9a0 00000000`00000000 ffff8b03`66ff9d21 00000000`00000000 : FLTMGR!FltPerformSynchronousIo+0x2ee
ffff8b03`66ff9c80 fffff807`6c2d8151 : 00000028`3b6a1808 00000000`00000000 ffff950c`0edf79a0 fffff807`6cceffa0 : FLTMGR!FltReadFileEx+0x49e
ffff8b03`66ff9d70 fffff807`6ccff2f4 : ffff950c`15840e20 ffff8b03`00000015 ffff8b03`66ff9ed0 00000000`00000000 : FLTMGR!FltReadFile+0x51
ffff8b03`66ff9de0 ffff950c`15840e20 : ffff8b03`00000015 ffff8b03`66ff9ed0 00000000`00000000 ffffbd8a`cb765000 : SophosED+0x7f2f4
ffff8b03`66ff9de8 ffff8b03`00000015 : ffff8b03`66ff9ed0 00000000`00000000 ffffbd8a`cb765000 00000000`00000004 : 0xffff950c`15840e20
ffff8b03`66ff9df0 ffff8b03`66ff9ed0 : 00000000`00000000 ffffbd8a`cb765000 00000000`00000004 ffff8b03`66ff9ec0 : 0xffff8b03`00000015
ffff8b03`66ff9df8 00000000`00000000 : ffffbd8a`cb765000 00000000`00000004 ffff8b03`66ff9ec0 00000000`00000000 : 0xffff8b03`66ff9ed0
SYMBOL_NAME: SophosED+7f2f4
MODULE_NAME: SophosED
IMAGE_NAME: SophosED.sys
STACK_COMMAND: .cxr 0xffff8b0366ff8e70 ; kb
BUCKET_ID_FUNC_OFFSET: 7f2f4
FAILURE_BUCKET_ID: 0x3B_c0000005_SophosED!unknown_function
OS_VERSION: 10.0.18362.1
BUILDLAB_STR: 19h1_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {a6767af0-8943-9eec-38e6-4f247945912a}
Followup: MachineOwner
---------
0: kd> lmvm SophosED
Browse full module list
start end module name
fffff807`6cc80000 fffff807`6cd8c000 SophosED T (no symbols)
Loaded symbol image file: SophosED.sys
Image path: \SystemRoot\system32\DRIVERS\SophosED.sys
Image name: SophosED.sys
Browse all global symbols functions data
Timestamp: Fri Nov 1 01:15:00 2019 (5DBB7904)
CheckSum: 0010EBBE
ImageSize: 0010C000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
Information from resource tables:
0: kd> !blackboxbsd
Stream size mismatch (expected = 176, read = 168)
0: kd> !blackboxntfs
NTFS Blackbox Data
0 Slow I/O Timeout Records Found
0 Oplock Break Timeout Records Found
0: kd> !blackboxpnp
PnpActivityId : {00000000-0000-0000-0000-000000000000}
PnpActivityTime : 132259845026369427
PnpEventInformation: 3
PnpEventInProgress : 0
PnpProblemCode : 24
PnpVetoType : 0
DeviceId : DISPLAY\Default_Monitor\4&206189e&0&UID200747
VetoString :
0: kd> .cxr 0xffff8b0366ff8e70
rax=0000000000000702 rbx=0000000000000000 rcx=ffff950c06df0c08
rdx=ffffbd8abfd8f170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff8076ce187b6 rsp=ffff8b0366ff9860 rbp=ffff950c06df0c08
r8=0000000000000001 r9=0000000000000000 r10=fffff8076b1005c0
r11=ffff8b0366ff98f0 r12=0000000000000000 r13=ffff950c06df0c08
r14=0000000000000000 r15=ffff950c0a740810
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
Ntfs!NtfsAcquirePagingResourceShared+0x36:
fffff807`6ce187b6 8b4710 mov eax,dword ptr [rdi+10h] ds:002b:00000000`00000010=????????
When I run sfc /scannow, it gets stuck at 59%.
Can you help me?
Thank you.
Best regards.
Here are the minidump files: https://1drv.ms/u/s!AtvjYooy6_a_lTvcj2ulQdD7iYMS?e=Bd7Lwx
Event viewer: https://1drv.ms/u/s!AtvjYooy6_a_lT2J5gNGGdzTR1Km?e=iIQaFQ