Learning BSODs; Have a BSOD with adm.exe process.

denixx

Hi guys!
I have started learning BSODs, and my first catch was a friend's laptop; there was one interesting minidump yesterday.
I've asked for the minidump file and executed "!analyze -v":
PROCESS_NAME: adm.exe
Should I complain about Acronis Drive Monitor, which I installed myself on her laptop? I've already opened a topic at the Acronis forum, which refers to ADM: https://forum.acronis.com/forum/85802 .
So, just asking if I can get some more info from the minidump. Need assistance :)
The minidump itself is in the attachment. UPD1: attached a zip, missed it when I created the post :)
Thanks.
Code:
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

NTFS_FILE_SYSTEM (24)
    If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
    parameters are the exception record and context record. Do a .cxr
    on the 3rd parameter and then kb to obtain a more informative stack
    trace.
Arguments:
Arg1: 00000000001904fb
Arg2: fffff8800da2b328
Arg3: fffff8800da2ab80
Arg4: fffff880016ca2da

Debugging Details:
------------------


EXCEPTION_RECORD:  fffff8800da2b328 -- (.exr 0xfffff8800da2b328)
ExceptionAddress: fffff880016ca2da (Ntfs!NtfsFlushVolume+0x000000000000044a)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT:  fffff8800da2ab80 -- (.cxr 0xfffff8800da2ab80;r)
rax=fffef8a003585010 rbx=fffff8a005376040 rcx=fffff8a00267b910
rdx=fffff8a004451710 rsi=fffffa80064783b0 rdi=fffff8a005376010
rip=fffff880016ca2da rsp=fffff8800da2b560 rbp=fffff8800da2b8e0
 r8=fffff8a00267b910  r9=fffff8a00267b930 r10=fffff8800da2b5f0
r11=fffff8800da2b510 r12=0000000000000000 r13=fffffa8008966180
r14=0000000000000702 r15=0000000000000705
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
Ntfs!NtfsFlushVolume+0x44a:
fffff880`016ca2da f083401401      lock add dword ptr [rax+14h],1 ds:002b:fffef8a0`03585024=????????
Last set context:
rax=fffef8a003585010 rbx=fffff8a005376040 rcx=fffff8a00267b910
rdx=fffff8a004451710 rsi=fffffa80064783b0 rdi=fffff8a005376010
rip=fffff880016ca2da rsp=fffff8800da2b560 rbp=fffff8800da2b8e0
 r8=fffff8a00267b910  r9=fffff8a00267b930 r10=fffff8800da2b5f0
r11=fffff8800da2b510 r12=0000000000000000 r13=fffffa8008966180
r14=0000000000000702 r15=0000000000000705
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
Ntfs!NtfsFlushVolume+0x44a:
fffff880`016ca2da f083401401      lock add dword ptr [rax+14h],1 ds:002b:fffef8a0`03585024=????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

PROCESS_NAME:  adm.exe

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff800032f8100
GetUlongFromAddress: unable to read from fffff800032f81c0
 ffffffffffffffff 

FOLLOWUP_IP: 
Ntfs!NtfsFlushVolume+44a
fffff880`016ca2da f083401401      lock add dword ptr [rax+14h],1

FAULTING_IP: 
Ntfs!NtfsFlushVolume+44a
fffff880`016ca2da f083401401      lock add dword ptr [rax+14h],1

BUGCHECK_STR:  0x24

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

LAST_CONTROL_TRANSFER:  from fffff8800166d7c8 to fffff880016ca2da

STACK_TEXT:  
fffff880`0da2b560 fffff880`0166d7c8 : fffffa80`064783b0 fffffa80`08966180 fffffa80`08f37a01 fffff880`0da2b700 : Ntfs!NtfsFlushVolume+0x44a
fffff880`0da2b690 fffff880`0165ab9f : fffffa80`064783b0 fffff880`014cd000 fffffa80`06a5c840 fffffa80`0a407001 : Ntfs!NtfsVolumeDasdIo+0x1b8
fffff880`0da2b740 fffff880`0165c398 : fffffa80`064783b0 fffffa80`0aabd710 fffff880`0da2b801 fffffa80`08f37900 : Ntfs!NtfsCommonRead+0x5bf
fffff880`0da2b8b0 fffff880`0147abcf : fffffa80`0aabdab0 fffffa80`0aabd710 fffffa80`08f37990 00000000`00000000 : Ntfs!NtfsFsdRead+0x1b8
fffff880`0da2b960 fffff880`014796df : fffffa80`06a56de0 00000000`00000001 fffffa80`06a56d00 fffffa80`0aabd710 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
fffff880`0da2b9f0 fffff800`033caecb : 00000000`00000000 fffffa80`0a407070 00000000`00000001 fffffa80`0aabd710 : fltmgr!FltpDispatch+0xcf
fffff880`0da2ba50 fffff800`033aafe3 : fffffa80`0a407070 fffffa80`0a407070 fffffa80`0a407070 fffff800`0323be80 : nt!IopSynchronousServiceTail+0xfb
fffff880`0da2bac0 fffff800`030c1113 : ffffffff`ffffffff 00000000`00000364 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x631
fffff880`0da2bbb0 00000000`73d02e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0008ec08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x73d02e09


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Ntfs!NtfsFlushVolume+44a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME:  Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  52e1be8a

IMAGE_VERSION:  6.1.7601.18378

STACK_COMMAND:  .cxr 0xfffff8800da2ab80 ; kb

FAILURE_BUCKET_ID:  X64_0x24_Ntfs!NtfsFlushVolume+44a

BUCKET_ID:  X64_0x24_Ntfs!NtfsFlushVolume+44a

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x24_ntfs!ntfsflushvolume+44a

FAILURE_ID_HASH:  {cb5a5752-c266-1f6d-f1c4-60df87156d60}

Followup: MachineOwner
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
Welcome
Maybe I can help. One dmp is not enough to assume anything. Sometimes several dmps will agree, indicating that you have the true cause. Usually, the more dmps that you have, the more causes you will see. You have to know a bit about reading the dmps to ascertain the correct cause. In your situation, with the process indicating Acronis, there is a good chance that the true cause may lie elsewhere. Follow our posting instructions, give us your dmps, hopefully more than one, and we can discuss. You can take the lead if that is your wish.
http://www.sevenforums.com/bsod-help-support/96879-blue-screen-death-bsod-posting-instructions.html
Bottom line: do not assume that you know the actual cause based upon one dmp.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Dell XPS 420
OS
Windows 10, Home Clean Install
CPU
Intel Core2 processor Q8200(2.33Ghz 1333FSB) Quad Core Tech
Motherboard
Dell
Memory
6 gb
Graphics Card(s)
ATI Radeon 256MB HD3650
Sound Card
Integrated 7.1 Channel Audio
Monitor(s) Displays
Dell SP2009W 20"
Hard Drives
640 GB Serial ATA Hard drive
Cooling
Fan
Keyboard
Dell USB Keyboard
Mouse
Dell Premium Optical USB
Internet Speed
DSL 2.85
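
An added example, not part of any post in this thread: a small Python parser for "!analyze -v" text that pulls out the fields quoted above, checks whether the faulting operand address is canonical for x64, and tallies a field across several dumps, as the reply above suggests doing before settling on a cause. POSTED is excerpted from the output in the first post; the LATER reports, the function names and the placeholder values in them are constructed for illustration.

```python
import re
from collections import Counter

# Field names exactly as WinDbg prints them in "!analyze -v" output.
FIELDS = ("BUGCHECK_STR", "PROCESS_NAME", "MODULE_NAME", "FAILURE_BUCKET_ID")

def parse_analyze(text):
    """Return the FIELDS found in the text plus the faulting operand address."""
    report = {}
    for name in FIELDS:
        m = re.search(rf"^{name}:[ \t]*(\S+)", text, re.MULTILINE)
        if m:
            report[name] = m.group(1)
    # Operand as shown on the disassembly line: ds:002b:fffef8a0`03585024=????????
    m = re.search(r"\b[cdefgs]s:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})=", text)
    if m:
        report["operand"] = int(m.group(1) + m.group(2), 16)
    return report

def is_canonical(addr):
    """With 48-bit virtual addresses, bits 63..47 must be all 0 or all 1."""
    return (addr >> 47) in (0, 0x1FFFF)

def tally(reports, field):
    """Count how often each value of one field occurs across several dumps."""
    return Counter(r.get(field, "?") for r in reports)

# Excerpt of the output posted in this thread.
POSTED = """\
fffff880`016ca2da f083401401      lock add dword ptr [rax+14h],1 ds:002b:fffef8a0`03585024=????????
PROCESS_NAME:  adm.exe
BUGCHECK_STR:  0x24
MODULE_NAME: Ntfs
FAILURE_BUCKET_ID:  X64_0x24_Ntfs!NtfsFlushVolume+44a
"""
# Constructed placeholder reports standing in for further dumps (not real data).
LATER = [
    "PROCESS_NAME:  example_a.exe\nFAILURE_BUCKET_ID:  CONSTRUCTED_BUCKET_1\n",
    "PROCESS_NAME:  example_b.exe\nFAILURE_BUCKET_ID:  CONSTRUCTED_BUCKET_1\n",
]

if __name__ == "__main__":
    first = parse_analyze(POSTED)
    print(first["FAILURE_BUCKET_ID"], "in", first["PROCESS_NAME"])
    # rax+14h is not canonical, unlike the neighbouring pool pointers (fffff8a0...),
    # so the CPU faults before any page lookup and Windows reports address -1.
    print("operand canonical:", is_canonical(first["operand"]))
    reports = [first] + [parse_analyze(t) for t in LATER]
    print(tally(reports, "FAILURE_BUCKET_ID").most_common())
    print(tally(reports, "PROCESS_NAME").most_common())
```
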

Yeah, I agree with you.
I've updated my post and attached a dmp. (At this time I have only this one.)
Here is a thread at the Acronis forum, which says ADM might be a reason: https://forum.acronis.com/forum/41439

Also I will try to get an archive with all the needed information collected by dm log collector.
At this time I've asked my friend to remove ADM, waiting for a response from her.

(And here is a small issue with dm log collector: it creates a file in the current user's profile folder in the Desktop directory, but I have moved my Desktop folder to another disk drive, so its path is officially "D:\Docs\Desktop" and Windows knows it. But log collector created a file in "C:\Users\denixx\Desktop".)
 

Possibly ADM might be the cause. Make a system restore point and remove the problem software, and then see if you continue to get BSODs; if not, you lucked out. If ADM is not the cause, then restore everything with S Restore.
 

About the Desktop folder: I've looked up the right values in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
Can't say which exact one; they have the same value in my case.
 

If it is still needed, I've attached the collected info. I think ADM was removed today at 18:59 GMT+2 (Event[58465]).
Will see how it behaves.
 
