4 Replies Latest reply on Aug 30, 2010 12:36 PM by noor

    mfetdik crashing windows 2003 x64

      Hi,

       

      We have windows 2003 x64 R2 Standard Edition, which keep on crashing after every few days.

      Analyzing memory dump revel that every time there is a crash the cause is mfetdik.

      VirusScan Enterprise 8.7.0i

      Capture.JPG

       

      Server has the latest service pack and all the Microsoft updates.

       

      Here is the crash dump (see below)

       

      Any help will be greatly appreciated.

       

      Thanks

       

      Noor

       

       

      Copyright (c) Microsoft Corporation. All rights reserved.

       

       

      Loading Dump File [C:\WINDOWS\MEMORY.DMP]

      Kernel Summary Dump File: Only kernel address space is available

       

      Symbol search path is: SRV*c:\windows\symbols*http://msdl.microsoft.com/download/symbols

      Executable search path is:

      Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x64

      Product: Server, suite: TerminalServer SingleUserTS

      Built by: 3790.srv03_sp2_gdr.100216-1301

      Machine Name:

      Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d4140

      Debug session time: Thu Aug 26 12:08:50.421 2010 (UTC - 5:00)

      System Uptime: 16 days 2:59:02.940

      Loading Kernel Symbols

      ...............................................................

      ................................................................

      .........

      Loading User Symbols

       

      Loading unloaded module list

      ........

      *******************************************************************************

      *                                                                             *

      *                        Bugcheck Analysis                                    *

      *                                                                             *

      *******************************************************************************

       

      Use !analyze -v to get detailed debugging information.

       

      BugCheck 7E, {ffffffffc0000005, fffffadf27ae8f7a, fffffadf29eef910, fffffadf29eef320}

       

      *** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfetdik.sys -

      *** ERROR: Module load completed but symbols could not be loaded for ts_lb.sys

      Probably caused by : mfetdik.sys ( mfetdik!DEVICEDISPATCH::DispatchPassThrough+81 )

       

      Followup: MachineOwner

      ---------

       

      2: kd> !analyze -v

      *******************************************************************************

      *                                                                             *

      *                        Bugcheck Analysis                                    *

      *                                                                             *

      *******************************************************************************

       

      SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)

      This is a very common bugcheck.  Usually the exception address pinpoints

      the driver/function that caused the problem.  Always note this address

      as well as the link date of the driver/image that contains this address.

      Arguments:

      Arg1: ffffffffc0000005, The exception code that was not handled

      Arg2: fffffadf27ae8f7a, The address that the exception occurred at

      Arg3: fffffadf29eef910, Exception Record Address

      Arg4: fffffadf29eef320, Context Record Address

       

      Debugging Details:

      ------------------

       

       

      EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

       

      FAULTING_IP:

      tcpip!TCPQueryInformation+118

      fffffadf`27ae8f7a 498b01          mov     rax,qword ptr [r9]

       

      EXCEPTION_RECORD:  fffffadf29eef910 -- (.exr 0xfffffadf29eef910)

      ExceptionAddress: fffffadf27ae8f7a (tcpip!TCPQueryInformation+0x0000000000000118)

         ExceptionCode: c0000005 (Access violation)

        ExceptionFlags: 00000000

      NumberParameters: 2

         Parameter[0]: 0000000000000000

         Parameter[1]: 0000000000000000

      Attempt to read from address 0000000000000000

       

      CONTEXT:  fffffadf29eef320 -- (.cxr 0xfffffadf29eef320)

      rax=0000000000000002 rbx=0000000000000000 rcx=fffffadf27ae8f6f

      rdx=fffffadf27ad3000 rsi=fffffadfbf2a4680 rdi=0000000000000000

      rip=fffffadf27ae8f7a rsp=fffffadf29eefb30 rbp=fffffadf358407d0

      r8=fffffadf32f1d330  r9=0000000000000000 r10=fffffadf393fb780

      r11=fffffadf29eefba8 r12=fffffadfbf2a47e0 r13=fffffadf393fb780

      r14=0000000000000000 r15=0000000000000000

      iopl=0         nv up ei ng nz ac pe cy

      cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010293

      tcpip!TCPQueryInformation+0x118:

      fffffadf`27ae8f7a 498b01          mov     rax,qword ptr [r9] ds:002b:00000000`00000000=????????????????

      Resetting default scope

       

      PROCESS_NAME:  System

       

      CURRENT_IRQL:  0

       

      ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

       

      EXCEPTION_PARAMETER1:  0000000000000000

       

      EXCEPTION_PARAMETER2:  0000000000000000

       

      READ_ADDRESS:  0000000000000000

       

      FOLLOWUP_IP:

      mfetdik!DEVICEDISPATCH::DispatchPassThrough+81

      fffffadf`2971eb59 eb1f            jmp     mfetdik!DEVICEDISPATCH::DispatchPassThrough+0xa2 (fffffadf`2971eb7a)

       

      BUGCHECK_STR:  0x7E

       

      DEFAULT_BUCKET_ID:  NULL_DEREFERENCE

       

      LAST_CONTROL_TRANSFER:  from fffffadf27af61a8 to fffffadf27ae8f7a

       

      STACK_TEXT:

      fffffadf`29eefb30 fffffadf`27af61a8 : fffffa80`0eeeee38 fffffadf`277f4ab5 fffffadf`bf2a47e0 fffffadf`358407d0 : tcpip!TCPQueryInformation+0x118

      fffffadf`29eefbb0 fffffadf`2971eb59 : fffffadf`bf2a4680 fffffadf`bf2a4680 fffffadf`c00c6db0 fffffadf`bf2a4680 : tcpip!TCPDispatchInternalDeviceControl+0x31b

      fffffadf`29eefc00 fffffadf`27937b92 : 00000000`00000000 fffffadf`bf2a4680 00000000`00000000 00000000`00000000 : mfetdik!DEVICEDISPATCH::DispatchPassThrough+0x81

      fffffadf`29eefc60 fffffadf`279373b6 : fffffadf`f1b8a4c0 fffffadf`279373a0 fffffadf`38bfdbf0 fffff800`011cda18 : ts_lb+0x4b92

      fffffadf`29eefcd0 fffff800`010375ca : 00000000`00000000 fffffadf`346c3301 00000000`00000000 fffffadf`32a73380 : ts_lb+0x43b6

      fffffadf`29eefd00 fffff800`0124a972 : fffffadf`38bfdbf0 00000000`00000080 fffffadf`38bfdbf0 fffffadf`29ab3680 : nt!ExpWorkerThread+0x13b

      fffffadf`29eefd70 fffff800`01020226 : fffffadf`29aab180 fffffadf`38bfdbf0 fffffadf`29ab3680 fffff800`011b4dc0 : nt!PspSystemThreadStartup+0x3e

      fffffadf`29eefdd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

       

       

      SYMBOL_STACK_INDEX:  2

       

      SYMBOL_NAME:  mfetdik!DEVICEDISPATCH::DispatchPassThrough+81

       

      FOLLOWUP_NAME:  MachineOwner

       

      MODULE_NAME: mfetdik

       

      IMAGE_NAME:  mfetdik.sys

       

      DEBUG_FLR_IMAGE_TIMESTAMP:  48d2dee6

       

      STACK_COMMAND:  .cxr 0xfffffadf29eef320 ; kb

       

      FAILURE_BUCKET_ID:  X64_0x7E_mfetdik!DEVICEDISPATCH::DispatchPassThrough+81

       

      BUCKET_ID:  X64_0x7E_mfetdik!DEVICEDISPATCH::DispatchPassThrough+81

       

      Followup: MachineOwner

      ---------

       

      2: kd> lmvm mfetdik

      start             end                 module name

      fffffadf`29719000 fffffadf`2972b600   mfetdik    (export symbols)       mfetdik.sys

          Loaded symbol image file: mfetdik.sys

          Image path: \SystemRoot\system32\drivers\mfetdik.sys

          Image name: mfetdik.sys

          Timestamp:        Thu Sep 18 18:06:14 2008 (48D2DEE6)

          CheckSum:         0001F32F

          ImageSize:        00012600

          Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

       

       

      Message was edited by: noor on 8/26/10 1:38:02 PM CDT