NTFS_FILE_SYSTEM (24)
If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
parameters are the exception record and context record. Do a .cxr
on the 3rd parameter and then kb to obtain a more informative stack
trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff8800a1c1928
Arg3: fffff8800a1c1180
Arg4: fffff880012f17d7
Debugging Details:
------------------
EXCEPTION_RECORD: fffff8800a1c1928 -- (.exr 0xfffff8800a1c1928)
[COLOR="#FF0000"]ExceptionAddress: fffff880012f17d7 (Ntfs!NtfsFindPrefixHashEntry+0x00000000000001fe)[/COLOR]
[COLOR="#FF0000"]ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000[/COLOR]
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
[COLOR="#008000"]Der Exceptionrecord weist den Verursacher aus und mit 0xc0000005 (Zugriffsverletzung)
den Grund der Exception.[/COLOR]
CONTEXT: fffff8800a1c1180 -- (.cxr 0xfffff8800a1c1180;r)
rax=fffff8a000240000 rbx=fa800ac4fe9004c0 rcx=0000000000000488
rdx=0000000000000003 rsi=fffff8a00017dbc0 rdi=fffffa800a44f358
rip=fffff880012f17d7 rsp=fffff8800a1c1b60 rbp=0000000000001c80
r8=0000000021720244 r9=0000000000000000 r10=0000000000000000
r11=fffff8800a1c1ba8 r12=fffff8800a1c1e70 r13=fffff88007a193d0
r14=0000000000000244 r15=0000000000000244
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
Ntfs!NtfsFindPrefixHashEntry+0x1fe:
fffff880`012f17d7 44394310 cmp dword ptr [rbx+10h],r8d ds:002b:fa800ac4`fe9004d0=????????
Last set context:
rax=fffff8a000240000 rbx=fa800ac4fe9004c0 rcx=0000000000000488
rdx=0000000000000003 rsi=fffff8a00017dbc0 rdi=fffffa800a44f358
rip=fffff880012f17d7 rsp=fffff8800a1c1b60 rbp=0000000000001c80
r8=0000000021720244 r9=0000000000000000 r10=0000000000000000
r11=fffff8800a1c1ba8 r12=fffff8800a1c1e70 r13=fffff88007a193d0
r14=0000000000000244 r15=0000000000000244
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
[COLOR="#FF0000"]Ntfs!NtfsFindPrefixHashEntry+0x1fe:
fffff880`012f17d7 44394310 cmp dword ptr [rbx+10h],r8d ds:002b:fa800ac4`fe9004d0=????????[/COLOR]
[COLOR="#008000"]Auch im Context-Record wird der gleiche Verursacher benannt.[/COLOR]
.....
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
.....
STACK_TEXT:
[COLOR="#FF0000"]fffff880`0a1c1b60 fffff880`012f0282 : fffffa80`0c82ca90 fffffa80`0a44f358 fffff8a0`0017dbc0 fffff8a0`0c251e01 : Ntfs!NtfsFindPrefixHashEntry+0x1fe[/COLOR]
fffff880`0a1c1c90 fffff880`012edbf3 : fffffa80`0c82ca90 fffffa80`11c06430 fffff880`0a1c1e70 fffff880`0a1c1ea8 : Ntfs!NtfsFindStartingNode+0x452
fffff880`0a1c1d60 fffff880`012583fd : fffffa80`0c82ca90 fffffa80`11c06430 fffff880`07a193d0 fffffa80`0a27b700 : Ntfs!NtfsCommonCreate+0x3d3
fffff880`0a1c1f30 fffff800`02ecbef7 : fffff880`07a19340 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsCommonCreateCallout+0x1d
fffff880`0a1c1f60 fffff800`02ecbeb8 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxSwitchKernelStackCallout+0x27
fffff880`07a19210 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSwitchKernelStackContinue