What conclusions can I draw from a STOP c5 BSOD with NTFS methods on the stack?


A colleague of mine just got the following BSOD (WinDbg dump analysis):

Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Moser.jun\Desktop\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is: 
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.18821.amd64fre.winblue_ltsb.170914-0600
Machine Name:
Kernel base = 0xfffff801`20085000 PsLoadedModuleList = 0xfffff801`20357650
Debug session time: Wed Jan  3 09:45:46.515 2018 (UTC + 1:00)
System Uptime: 19 days 23:37:19.924
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols

Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C5, {8, 2, 0, fffff80120321210}

Probably caused by : Pool_Corruption ( nt!ExDeferredFreePool+210 )

Followup:     Pool_corruption
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 0000000000000008, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffff80120321210, address which referenced memory

Debugging Details:
------------------


DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING:  9600.18821.amd64fre.winblue_ltsb.170914-0600

SYSTEM_MANUFACTURER:  System manufacturer

SYSTEM_PRODUCT_NAME:  System Product Name

SYSTEM_SKU:  SKU

SYSTEM_VERSION:  System Version

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  3404

BIOS_DATE:  07/10/2017

BASEBOARD_MANUFACTURER:  ASUSTeK COMPUTER INC.

BASEBOARD_PRODUCT:  H170M-PLUS

BASEBOARD_VERSION:  Rev X.0x

DUMP_TYPE:  1

BUGCHECK_P1: 8

BUGCHECK_P2: 2

BUGCHECK_P3: 0

BUGCHECK_P4: fffff80120321210

BUGCHECK_STR:  0xC5_2

CURRENT_IRQL:  2

FAULTING_IP: 
nt!ExDeferredFreePool+210
fffff801`20321210 49394208        cmp     qword ptr [r10+8],rax

CPU_COUNT: 4

CPU_MHZ: e70

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 5e

CPU_STEPPING: 3

CPU_MICROCODE: 6,5e,3,0 (F,M,S,R)  SIG: BA'00000000 (cache) BA'00000000 (init)

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT

PROCESS_NAME:  System

ANALYSIS_SESSION_HOST:  ENTENHAUSEN

ANALYSIS_SESSION_TIME:  01-03-2018 10:39:38.0787

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

TRAP_FRAME:  ffffd0013b971260 -- (.trap 0xffffd0013b971260)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe00011451010 rbx=0000000000000000 rcx=ffffe00011451000
rdx=ffffe0000e488cc0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80120321210 rsp=ffffd0013b9713f0 rbp=0000000000000006
 r8=ffffe00011451110  r9=0000000000000000 r10=0000000000000000
r11=0000000000000001 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac po cy
nt!ExDeferredFreePool+0x210:
fffff801`20321210 49394208        cmp     qword ptr [r10+8],rax ds:00000000`00000008=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff801201de6e9 to fffff801201d2ba0

STACK_TEXT:  
ffffd001`3b971118 fffff801`201de6e9 : 00000000`0000000a 00000000`00000008 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
ffffd001`3b971120 fffff801`201dcf3a : 00000000`00000000 00000000`00000000 ffffd001`3b971300 ffffd001`3b971480 : nt!KiBugCheckDispatch+0x69
ffffd001`3b971260 fffff801`20321210 : ffffe000`0971fe50 00000000`00000000 fffff800`1c8b8010 fffff800`1c8b8010 : nt!KiPageFault+0x23a
ffffd001`3b9713f0 fffff801`20321cde : ffffe000`0f6116b0 ffffe000`0db07ee0 00000000`00000000 00000000`00000002 : nt!ExDeferredFreePool+0x210
ffffd001`3b971470 fffff800`1c899ec7 : 00000000`00000000 00000000`00000705 00000000`00000000 ffffe000`00000012 : nt!ExFreePoolWithTag+0x84e
ffffd001`3b971560 fffff801`204e28ab : 00000000`00000000 fffff801`20171950 00000000`00000001 00000000`00000705 : fltmgr!ExFreeToNPagedLookasideList+0x3f
ffffd001`3b971590 fffff800`1d1b4fc9 : ffffc001`ff6dbc30 ffffe000`0db07ef8 ffffe000`05e6b180 00000000`00000706 : nt!FsRtlTeardownPerStreamContexts+0x53
ffffd001`3b971600 fffff800`1d1aa359 : ffffc001`f95b0705 ffffc001`f95be9b0 00000000`01010000 ffffe000`0af92d00 : Ntfs!NtfsDeleteScb+0x399
ffffd001`3b9716b0 fffff800`1d1047ff : ffffe000`0af92e68 ffffc001`ff6dbc30 ffffe000`06d7cbc0 ffffc001`ff6dbc30 : Ntfs!NtfsRemoveScb+0x99
ffffd001`3b9716f0 fffff800`1d1ad880 : ffffc001`ff6dbb00 ffffd001`3b971940 ffffc001`ff6dbb00 ffffc001`f95bed80 : Ntfs!NtfsPrepareFcbForRemoval+0xd0
ffffd001`3b971730 fffff800`1d10b680 : ffffe000`1141d708 ffffc001`ff6dbb00 ffffc001`ff6dbed0 ffffc001`ff6dbb00 : Ntfs!NtfsTeardownStructures+0x90
ffffd001`3b9717b0 fffff800`1d1cab24 : ffffd001`3b971978 ffffd001`3b971940 ffffc001`ff6dbb00 ffffc001`00000009 : Ntfs!NtfsDecrementCloseCounts+0xd4
ffffd001`3b9717f0 fffff800`1d1b587d : ffffe000`1141d708 ffffc001`ff6dbc30 ffffc001`ff6dbb00 ffffe000`05e6b180 : Ntfs!NtfsCommonClose+0x3a4
ffffd001`3b9718c0 fffff801`200b916f : fffff800`1d0f6d00 fffff800`1d1b5af0 fffff801`20366810 00000000`00000000 : Ntfs!NtfsFspCloseInternal+0x1bd
ffffd001`3b971a50 fffff801`2017f0ec : 00000000`00000000 ffffe000`11a8c880 00000000`00000080 ffffe000`11a8c880 : nt!ExpWorkerThread+0x69f
ffffd001`3b971b00 fffff801`201d91c6 : ffffd001`38bdc180 ffffe000`11a8c880 ffffe000`1042c080 ffffc001`ded34b00 : nt!PspSystemThreadStartup+0x58
ffffd001`3b971b60 00000000`00000000 : ffffd001`3b972000 ffffd001`3b96b000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


STACK_COMMAND:  kb

THREAD_SHA1_HASH_MOD_FUNC:  91bc5dcc2f28788287498b51b1431a5b38f43a69

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e412af08c052f9f9f437c10866c305ce52bc5b31

THREAD_SHA1_HASH_MOD:  e60d1a6255db43ff4391f6046183a99a712d0945

FOLLOWUP_IP: 
nt!ExDeferredFreePool+210
fffff801`20321210 49394208        cmp     qword ptr [r10+8],rax

FAULT_INSTR_CODE:  8423949

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!ExDeferredFreePool+210

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: Pool_Corruption

BUCKET_ID_FUNC_OFFSET:  210

FAILURE_BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool

BUCKET_ID:  0xC5_2_nt!ExDeferredFreePool

PRIMARY_PROBLEM_CLASS:  0xC5_2_nt!ExDeferredFreePool

TARGET_TIME:  2018-01-03T08:45:46.000Z

OSBUILD:  9600

OSSERVICEPACK:  0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  272

PRODUCT_TYPE:  1

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 8.1

OSEDITION:  Windows 8.1 WinNt TerminalServer SingleUserTS

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2017-09-14 15:34:00

BUILDDATESTAMP_STR:  170914-0600

BUILDLAB_STR:  winblue_ltsb

BUILDOSVER_STR:  6.3.9600.18821.amd64fre.winblue_ltsb.170914-0600

ANALYSIS_SESSION_ELAPSED_TIME: 53f

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0xc5_2_nt!exdeferredfreepool

FAILURE_ID_HASH:  {0e971f5b-bd0d-a80e-a2c0-cd331176cf49}

Followup:     Pool_corruption
---------

Normally, I would expect the stack trace to contain some third-party driver, pointing me to the source of the problem (either the driver itself or the hardware controlled by that driver). In this case, however, I only see file-system methods (repeated here for convenience):

nt!KeBugCheckEx
nt!KiBugCheckDispatch+0x69
nt!KiPageFault+0x23a
nt!ExDeferredFreePool+0x210
nt!ExFreePoolWithTag+0x84e
fltmgr!ExFreeToNPagedLookasideList+0x3f
nt!FsRtlTeardownPerStreamContexts+0x53
Ntfs!NtfsDeleteScb+0x399
Ntfs!NtfsRemoveScb+0x99
Ntfs!NtfsPrepareFcbForRemoval+0xd0
Ntfs!NtfsTeardownStructures+0x90
Ntfs!NtfsDecrementCloseCounts+0xd4
Ntfs!NtfsCommonClose+0x3a4
Ntfs!NtfsFspCloseInternal+0x1bd
nt!ExpWorkerThread+0x69f
nt!PspSystemThreadStartup+0x58
nt!KiStartSystemThread+0x16

Can any information about the cause of the problem be inferred from this (for example, a problem with the SSD, since NTFS is involved)?

(To rule out the usual suspects: no hardware, software or driver changes were made recently. Also, no Windows updates have been installed in the last two weeks, apart from Windows Defender definition updates.)

Heinzi
Just as a quick pointer, according to answer.microsoft.com/en-us/windows/forum/windows_7-performance/ ... .... this person states "Pool corruption is caused by a Registry Handle Leak. This leak occurs because an application keeps reopening registry keys but never closes them." .... so maybe this is a problem with an application; check what may have recently been changed, installed, etc. See if there is anything in the Event Viewer logs that gives a clue at any time right before the BSOD and correlates with the most recent one.
Pimp Juice IT
Don't forget the possibility of bad RAM.
Twisty Impersonator
I would suggest running verifier.exe. Standard settings -> select driver names from a list -> check everything that is not Microsoft. Restart. The next time you get the problem, hopefully the dump will point at the driver that corrupted the pool memory.
HelpingHand
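As an added example (not posted by anyone in the thread), the "check everything that is not Microsoft" step of the Driver Verifier advice above can be scripted: the snippet lists running kernel drivers whose version resource and Authenticode signer are not Microsoft, then builds the matching `verifier /standard /driver` command line. It assumes an elevated PowerShell session on the affected machine; the filter is a triage aid, not a trust decision, since version info can be forged.

```powershell
# Added example: triage helper for the Driver Verifier step above.
# Lists running kernel drivers that do not look like Microsoft inbox drivers
# and builds the verifier.exe command line for them. Run elevated.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes; normalize to a plain path.
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-NonMicrosoftDriver {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # Treat as Microsoft if either the version resource or the signer says so.
            # Catalog-signed inbox drivers may report NotSigned here, hence the version check.
            if ($company -notmatch 'Microsoft' -and $signer -notmatch 'O=Microsoft') {
                [pscustomobject]@{
                    Service   = $_.Name
                    File      = Split-Path -Leaf $path
                    Company   = $company
                    SigStatus = $sig.Status
                }
            }
        }
}

$suspects = @(Get-NonMicrosoftDriver)
$suspects | Format-Table -AutoSize

if ($suspects.Count -gt 0) {
    # /standard turns on the standard checks (including pool tracking); a reboot is required.
    # "verifier /reset" switches it off again once the culprit has been found.
    $cmd = "verifier /standard /driver " + ($suspects.File -join ' ')
    Write-Host "Run (elevated), then reboot:`n  $cmd"
} else {
    Write-Host "No running non-Microsoft drivers found; consider special pool (gflags) or a memory test."
}
```

Once Verifier is active, a subsequent crash should be caught at the moment a verified driver misuses pool, so the next dump's stack names the driver instead of the kernel's deferred free path.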