Windows 7 BSOD ntfs.sys help

wmcinnes

Reputable
Jan 5, 2016
9
0
4,510
Hi,
BSOD on a Dell Precision T3800. Just switched the boot hd to SSD. The computer also has 2 5TB drives in raid 1.

The BSOD happens intermittently, no apparent trigger, and shows KERNEL_DATA_INPAGE_ERROR on ntfs.sys.

I have run chkdsk on all drives, memory diagnostics, malwarebytes scan, and no issues found.

Here is the minidump, please help!
 
your bugcheck shows an IO error reading the file system driver binary from disk.
it resulted in 4096 bytes of ntfs.sys being corrupted.
you will want to check the cables to the device, confirm the files are not corrupted on disk.

the inpage error just indicates that the system could not read from the drive.

the actual binary ntfs.sys (the file system driver) was corrupted in memory of your machine.

it can also be corrupted by malware, viruses, memory problems but with an IO error reported you want to first make sure the copy on disk is ok.

if you can boot, start cmd.exe as an admin then run
sfc.exe /scannow

on windows 7 you might have to boot a repair disk.
 
may not be of issue but does your bios give settings for ide and ahci ??

it's a shame there's no link to any support page or nothing, just an ad page telling you it's not available anymore

http://www.dell.com/us/business/p/precision-t3500/pd

wondering if it's older to where the ssd firmware may not be compatible as well ??

all I can find at dell is the t3600 I guess the t3800 just disappeared [was it that bad ??]

[View a different product = no t3800?? ]

http://www.dell.com/support/home/us/en/19/product-support/product/precision-t3600/research
 
4096 byte corruption is pretty big but is small in comparison to the errors you would get if the sata controller changed modes. It is also suspect when the debugger shows that is the only file modified in the memory dump.
malware can attach to and modify the filesystem or it can be a hardware problem, just hard to tell without looking at what was changed to see if it was intentional. For example a firmware bug in an SSD can make a mistake and remap a sector incorrectly. I would just run a binary file compare between the copy of ntfs.sys on my drive with a known good version.

start cmd.exe as an admin then run
fc.exe /b c:\windows\system32\drivers\ntfs.sys d:\ntfs.sys
where d:\ntfs.sys is the path to your second copy that you know is good and make sure they are the same binary.
If they compare the same then you know the binary was modified as it was copied to memory and you might want to run memtest or look for something that makes the change in the binary in memory.
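
An added illustration of the binary compare described in the post above (not part of the original thread, and not johnbl's code): where fc.exe /b lists every differing byte, this Python sketch groups the differences by 4096-byte page and counts flipped bits, which shows what was changed and how much. It assumes Python is available on the machine doing the comparison; the paths given to compare_files are the reader's own, and the sample bytes are constructed, not taken from a real ntfs.sys.

```python
import hashlib

PAGE_SIZE = 4096  # page size on x86/x64 Windows; the dump showed one damaged 4 KB page


def diff_pages(suspect: bytes, known_good: bytes, page_size: int = PAGE_SIZE):
    """List (page_index, first_diff_offset, differing_bytes, flipped_bits) per changed page."""
    report = []
    for start in range(0, max(len(suspect), len(known_good)), page_size):
        a = suspect[start:start + page_size]
        b = known_good[start:start + page_size]
        if a == b:
            continue
        common = min(len(a), len(b))
        diffs = [i for i in range(common) if a[i] != b[i]]
        bits = sum(bin(a[i] ^ b[i]).count("1") for i in diffs)
        first = start + (diffs[0] if diffs else common)
        # Bytes that exist in only one copy (length mismatch) count as differing.
        report.append((start // page_size, first, len(diffs) + abs(len(a) - len(b)), bits))
    return report


def compare_files(suspect_path: str, known_good_path: str):
    """Hash both copies and return (sha256_suspect, sha256_good, page_report)."""
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    with open(known_good_path, "rb") as f:
        good = f.read()
    return (hashlib.sha256(suspect).hexdigest(),
            hashlib.sha256(good).hexdigest(),
            diff_pages(suspect, good))


def constructed_sample():
    """Constructed data, not a real driver: 3 pages, a 10-byte overwrite and a 1-bit flip."""
    good = bytes(range(256)) * 48              # 12288 bytes = 3 pages
    bad = bytearray(good)
    bad[4096 + 100:4096 + 110] = b"\xcc" * 10  # block overwrite inside page 1
    bad[8192 + 5] ^= 0x01                      # single flipped bit in page 2
    return bytes(bad), good


if __name__ == "__main__":
    for page, offset, nbytes, nbits in diff_pages(*constructed_sample()):
        print(f"page {page}: first diff at 0x{offset:x}, {nbytes} bytes / {nbits} bits differ")
```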



 
true memory fault/misconfigured /or just went bad can do things, memtest can't hurt - like changing hardware without being fully discharged [static] or any stand by power zapped an ic or anything you may have touched ??

are you sure this is a t3800 ? something ain't right there with that ??

looking around at t3600 with ssd I do see a lot of guys talking up the controller ??

http://en.community.dell.com/support-forums/storage/f/3412/t/19467165

http://forums.anandtech.com/showthread.php?t=2302103

I know it's not your exact issue but found that dell thread of some interest

basically, the SSD was handling the system paging file as well as temporary files being generated by VS2010 (during my build there were nearly a hundred temp files which were being created/destroyed at a rate of about 20 per second). i moved TMP to my raided harddrives and tried rebuilding again. this time the build went fine. i moved TMP back to the SSD and rebuilt and again got the BSOD. so obviously the h310 cannot handle extensive parallel reading/writing to an SSD.


http://en.community.dell.com/techcenter/enterprise-client/f/4448/t/19467923

http://en.community.dell.com/techcenter/p/searchresults#q=%20T3600%20&pi20913=3

anyway looks like controller issues with it ??




 
your machine has a BIOS date
BIOS Release Date 09/29/2014
but you have very old USB 3 binaries. Many device drivers are tied to the BIOS version you are using, you can get data corruptions if you use these old binaries with the new BIOS, IE you should update the drivers or disable the device in BIOS.

you should get rid of the old logmein software.


it could also be just corruption from some of your other drivers you have installed also.
Image path: \SystemRoot\system32\DRIVERS\hamachi.sys
Timestamp: Thu Feb 19 02:36:41 2009

RemotelyAnywhere Mirror Miniport Driver or LogMeIn Mirror Miniport Driver
Image path: \SystemRoot\system32\DRIVERS\lmimirr.sys
Timestamp: Tue Apr 10 15:32:45 2007
And \??\C:\Windows\system32\drivers\LMIRfsDriver.sys Mon Jul 14 09:26:56 2008
mixed with C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys Fri Jan 11 04:19:28 2013



old scary usb 3 binary from 2010
Image path: \SystemRoot\system32\DRIVERS\nusb3xhc.sys
Timestamp: Thu Nov 18 17:34:25 2010
old pcdoctor binaries:
c:\program files\dell\supportassist\pcdsrvc_x64.pkms
Timestamp: Mon May 09 17:20:44 2011

your network driver is pretty old also:
Intel(R) 82579V Gigabit Network Connection driver
Image path: \SystemRoot\system32\DRIVERS\e1c62x64.sys
Fri Aug 10 15:44:15 2012

you also have some custom dell drivers installed:
Dell Diags Device Driver. This is installed with Dell Client System Analyzer.
Image path: \SystemRoot\system32\drivers\DDDriver64Dcsa.sys


 
thing is you're dealing with dell - their btx proprietary board, dell proprietary bios. with that in mind adding aftermarket parts may not work out too well. it's not like you got an aftermarket board within atx standard or an open free bios as you get with aftermarket boards

just like with hp, dell and whoever, prebuilts can't get video cards to work on them properly if at all ??

dell's bios may not fully support your hard drive. true, it may seem to work but not fully or correctly

now I hope its not the case cause johnbl is pretty sharp on these things and can get you going if all works out ..

when you get a system like this dell dictates it all they only guarantee it to work as you bought it out of the box as is anything you do or add after that is your own risk

then I showed how guys adding drives run into their own issues as well [maybe why they're discontinued now ??]

good luck
 

wmcinnes

Thanks for all the replies! I am just going through all of the different answers now. It's actually a T3600, I apologize for the mistake.
It could be a problem of adding drives as some folks say. The computer came stock with a 2TB main drive and a 3TB secondary drive connected to the H310 PERC adapter. I changed it so that there is a 500gb SSD as the boot drive, and 2 5TB drives in raid, all connected through the PERC adapter - so @junkeymonkey I don't think that the ide or ahci settings would make a difference.

I ran sfc.exe /scannow and got a blue screen part way through. I have run a few different malware programs (malwarebytes and security essentials) and found nothing.

@johnbl I am about to try your suggestion of comparing binaries, and next I will go through and clean up the driver issues you suggest.

Next I will go through
 

wmcinnes

I have removed all of the offensive drivers, now to run another hard drive stress test and see if I get a BSOD. Next I will try going back to the HDD and removing the SSD.

@johnbl - where do I get a clean ntfs.sys file to compare?
 
from another machine, just find the same file with the same filesize and date time stamp.
you can also extract it from the windows 7 disks but they were probably already updated by windows update.
there is a backup copy in the windows driverstore on your machine but when you run
sfc.exe /scannow
it should have compared your current copy with the backup copy already and replaced it if it was corrupted.
besides, malware is smart enough to modify both copies anyway.

Windows 8 and above added features to the dism.exe command to get trusted versions from the microsoft update server because of malware hacking the backup copies. Windows 7 you have to use the windows CD. don't just replace the file if it is corrupted, you have to add the fixed file to the driver store or the driverstore will replace the file on the next system boot.



 

wmcinnes

Thanks johnbl, I successfully ran scannow, so I guess that would have fixed it.

If I were to upgrade this machine to Windows 10, would it replace these files and potentially resolve this problem?
 
it would replace all of the files, the problem is you don't know the cause of the corruption. It can be in the hardware, in which case you would still have problems. Also, windows 8 and above will turn on all the low power states for all of your hardware. Windows 7 has these off by default so bad power saving/sleep circuits and drivers were not discovered until people upgraded. hardware that came out in the windows 7 timeframe tends to have a lot of these problems, vendors provided drivers that just disabled the functions but with windows 10 the generic drivers that windows provides turn them back on and you have to disable bad hardware sleep functions in device manager or load custom drivers from the motherboard vendor.

you will want to see if your drive has any firmware updates that can be installed. use crystaldiskinfo.exe and read the firmware version and google to see if it can be updated.



 
system reported error Error code: (NTSTATUS) 0xc0000185 (3221225861) - The I/O device reported an I/O error.
the ntfs.sys driver shows
4074 errors : Ntfs (fffff88001308000-fffff88001308fff)

I would think it is corrupted on disk. I would rename the file to ntfs.old and copy a new clean copy to a different location on the disk.
The system was up 1 hour 51 mins. It could be that something modified the binary in memory.

you might google "how to force a memory dump with a keyboard"
set the registry keys, reboot and force a memory dump. I can check to see if the file is corrupted right after you boot.

if the memory image is ok after a reboot, then something is corrupting it.
you could turn on verifier functions to check for corruption.

start cmd.exe as an admin, then run
verifier.exe /standard /all
and reboot

Note: make sure you know how to boot into safe mode so you can turn off verifier if you get a bugcheck during boot. use the following command to clear the verifier flags.
verifier.exe /reset

You have a bunch of very old drivers, there is a high chance that this will bugcheck during the next boot and the memory dump will name the bad driver.
 
looks like dell has some updates:

http://www.dell.com/support/home/us/en/19/product-support/product/precision-t3600/drivers/advanced
I would look to see if one of the firmware updates for the raid controller for this machine could be applied and update the raid driver.




-----------
at face value, I would say your raid controller is reporting an error, but you really can not trust that error code in light of the fact that the ntfs.sys (file system driver) has been modified by something
patching a core windows file would generate a bugcheck on windows 8 and above. Windows 7 just does a lot less checks.

here are some of your third party drivers.
raid driver (update if you can)
\SystemRoot\system32\drivers\percsas2.sys Wed Nov 14 13:29:01 2012

Intel(R) 82579V Gigabit Network Connection driver(you should update this driver)
\SystemRoot\system32\DRIVERS\e1c62x64.sys Wed Feb 20 21:14:02 2013

EaseUS Todo Backup driver(s)
\SystemRoot\system32\drivers\eubakup.sys Wed Dec 09 13:51:48 2015
\SystemRoot\system32\drivers\EUBKMON.sys Wed Dec 09 13:52:08 2015
C:\Windows\system32\drivers\eudskacs.sys Wed Dec 09 13:51:42 2015
C:\Windows\system32\drivers\EuFdDisk.sys Wed Dec 09 13:52:13 2015

RemotelyAnywhere Mirror Miniport Driver or LogMeIn Mirror Miniport Driver( i would remove this)
C:\Windows\system32\drivers\LMIRfsDriver.sys Mon Jul 14 09:26:56 2008

NEC Electronics USB 3.0 Host Controller Driver (this driver causes bugchecks on windows 7)
remove and disable the USB 3 ports in BIOS or update the BIOS and driver if you can find a version dated after 2013.
\SystemRoot\system32\DRIVERS\nusb3hub.sys Thu Nov 18 17:34:24 2010
\SystemRoot\system32\DRIVERS\nusb3xhc.sys Thu Nov 18 17:34:25 2010


Web Services Print Device Driver
\SystemRoot\system32\DRIVERS\WSDPrint.sys Mon Jul 13 17:39:20 2009
\SystemRoot\system32\DRIVERS\WSDScan.sys Mon Jul 13 17:35:37 2009

You can look some of them up for common problems and to locate updates from here:
http://www.sysnative.com/drivers/driver.php?id=percsas2.sys
 

wmcinnes

I tried to remove as many drivers as I could, and I ran the verifier again and got a bsod with this dump: https://drive.google.com/file/d/0B2UGXrmwnj6ZTkJDbEV5UG9ZQlA0X1VHblFzNFdpWG1YeXBj/view?usp=sharing

The BIOS is the latest version (A14 from 2013), I updated the network card driver, got rid of that old one, got rid of easeUS, I can't update the RAID driver, it's the latest.

Is it possible as was suggested earlier, that the SSD and controller just don't get along and I should go back to an HDD boot drive?
 
the verify problem listed below will lead to corruption of data stored in memory as the network driver is being used. It could have caused the corruption in the running file system driver that we saw in the previous memory dumps. I would update the driver and the netcard firmware and reboot and see if verifier still flags the buffer allocation.

Also it did not name this driver, it named a network component that was reading settings from the registry. So this can be a bogus registry setting. In this case you would want to download the update network driver, turn off the plug and play service, uninstall the current network driver, remove the software from your machine, install the updated driver, and turn the plug and play service back on.

(or use the pnputil.exe to remove the old install package so plug and play will not reinstall the driver a few seconds after you remove it, often with network drivers you have to actually activate (explicitly select it) the new driver as it will not automatically be selected as the default right after the install) and the windows control panel interface before Windows 10 does not show the date/time stamp or the build number for the network driver during the install.


anyway, install the driver/firmware updates reboot and see if verifier finds a problem on the next boot.
----------
the most current bugcheck was in networking code.
it looks like you have an Intel(R) 82579V Gigabit Network Connection driver
\SystemRoot\system32\DRIVERS\e1c62x64.sys Wed Aug 12 15:27:36 2015
your driver is pretty current but here is the most current version from intel:
https://downloadcenter.intel.com/download/18713/Network-Adapter-Driver-for-Windows-7-
also look for a firmware update for your network card. google "82579V nvm firmware update"
here is the one listed at the last one (10/26/2012)
https://downloadcenter.intel.com/download/22026/NVM-Update-Utility-for-Intel-82579V-Gigabit-Ethernet-PHY-Network-Connection
(sometimes a vendor will get custom fixes that will only be on the vendor web site, look for NVM (non volatile memory)/firmware update)

Looks like the system was trying to start the network, read some values from the registry and then attempted to allocate some memory but verifier did a "sanity" check on the allocation, found something it did not like and called a bugcheck. verifier indicates that the driver attempted to allocate a buffer that was zero bytes. This would often just be a programming mistake that would lead to corruption of the system if the driver actually attempted to use the buffer. I would install the updated driver and see if there is a firmware update for the actual network card on the machine.

get rid of this file: (old piece of a remote networking driver written way too long ago)
C:\Windows\system32\drivers\LMIRfsDriver.sys Mon Jul 14 09:26:56 2008
it is listed as a logmein driver but is still installed on your system

use this method to remove the driver:
https://technet.microsoft.com/en-us/library/cc730875.aspx
 
Solution

wmcinnes

I went through all of the network driver suggestions, and after running the verifier I didn't get a BSOD! Thanks johnbl and junkeymonkey, let's hope this thing is all fixed.