BSOD SYSTEM_SERVICE_EXCEPTION (3b)

NTFSD
1

Hi guys,

I have FS filter driver BSOD on Windows 10.
Few words about environment: all I know about the scenario and environment that leads to the crash is almost nothing. The customer gets BSOD on Windows 10x64 (don’t know about Win7). BSOD occurs randomly (as per the customer). Also, as I found from !analyze -v:

SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware7,1
SYSTEM_VERSION: None
BIOS_VENDOR: VMware, Inc.
BIOS_VERSION: VMW71.00V.0.B64.1507021939

That makes me think, that OS is run on virtual machine.
I analyzed memory dump in WinDbg and looks like I found a place where driver is crashed.
Here is call stack:
nt!KiPageFault+0x221
MYDRV!IsShadow+0xcd
MYDRV!ControlMount+0x38
MYDRV!Control+0x77
nt!IopMountVolume+0x2e5
nt!IopCheckVpbMounted+0x10a
nt!IopParseDevice+0xbc7
nt!ObpLookupObjectName+0x8b2
nt!ObOpenObjectByNameEx+0x1dd
nt!IopCreateFile+0x3d9
nt!NtOpenFile+0x58
nt!KiSystemServiceCopyEnd+0x13
0x00007ffc`5e2f6734

What is happened in MYDRV!Control:
PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation( Irp ); // Irp is IN parameter of the function
switch (irps->MinorFunction) {

case IRP_MN_MOUNT_VOLUME:

return ControlMount( DeviceObject, Irp );

So here we see, that ControlMount is called. Lets look inside:

PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation( Irp );
PDEVICE_OBJECT storageStackDeviceObject;
BOOLEAN isShadowCopy;
storageStackDeviceObject = irps->Parameters.MountVolume.Vpb->RealDevice;
status = IsShadow( storageStackDeviceObject, &isShadowCopy);

He we call IsShadow and pass there storageStackDeviceObject. Inside of IsShadow after some code (that doesn’t change storageStackDeviceObject):
if (FILE_DEVICE_VIRTUAL_DISK != StorageStackDeviceObject->DeviceType)

And here is the place where crash is happened.

Looking what is inside of MountVolume.Vpd->RealDevice I see:

+0x000 MountVolume :
+0x000 Vpb : 0xffffa5895eb42a90 _VPB<br> +0x000 Type : 0n0<br> +0x002 Size : 0n0<br> +0x004 Flags : 0<br> +0x006 VolumeLabelLength : 0<br> +0x008 DeviceObject : (null) <br> +0x010 RealDevice : 0x0000000000008000 _DEVICE_OBJECT
+0x018 SerialNumber : 1
+0x01c ReferenceCount : 0xffffffff
+0x020 VolumeLabel : [32] “”

RealDevice has invalid address…moreover Vpb seems to be corrupted or invalid.

From what I found on MSDN (https://msdn.microsoft.com/en-us/library/windows/hardware/ff548670(v=vs.85).aspx):
IrpSp->Parameters.MountVolume.Vpb
Pointer to the volume parameter block (VPB) for the volume to be mounted. File systems that support removable media might substitute a previously used VPB for the one passed in this parameter. On such file systems, after the volume is mounted, this pointer can no longer be assumed to be valid. File system filter drivers that filter these file systems should use this parameter as follows: Before sending the IRP down to lower-level drivers, the filter should save the value of IrpSp->Parameters.MountVolume.Vpb->RealDevice. After the volume is successfully mounted, the filter can use this pointer to the storage device object to obtain the correct VPB pointer.

So my questions are:
1) Might it be the reason (as said in MSDN)? However, it seems to me that MYDRV doesn’t send this IRP to lower-lever driver before it handles the IRP.
2) If the reason is in that, why don’t we see the issue on Windows7 (I don’t sure if we really do not see it).
3) What other possible reasons of such behavior?

Thanks.

2

Legacy filter…*gag*…

VPB definitely looks busted, though there isn’t much else I can tell you
based on the information provided. I suspect that it’s been freed already
though that doesn’t really help you at this point.

Have you tried enabling Driver Verifier? It might get you a crash earlier
when the VPB was first freed. I would recommend enabling Verifier for your
driver AND ntoskrnl.exe. This should cause the VPB to be allocated from
special pool which might help you narrow this down.

Other than that I would recommend:

  1. Getting a copy of the Vista SP1 WDK and carefully looking over the legacy
    samples and how they handle mount/dismount/detach

  2. Porting this driver to a minifilter ASAP

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntfsd…

Hi guys,

I have FS filter driver BSOD on Windows 10.
Few words about environment: all I know about the scenario and environment
that leads to the crash is almost nothing. The customer gets BSOD on Windows
10x64 (don’t know about Win7). BSOD occurs randomly (as per the customer).
Also, as I found from !analyze -v:

SYSTEM_MANUFACTURER: VMware, Inc.
VIRTUAL_MACHINE: VMware
SYSTEM_PRODUCT_NAME: VMware7,1
SYSTEM_VERSION: None
BIOS_VENDOR: VMware, Inc.
BIOS_VERSION: VMW71.00V.0.B64.1507021939

That makes me think, that OS is run on virtual machine.
I analyzed memory dump in WinDbg and looks like I found a place where driver
is crashed.
Here is call stack:
nt!KiPageFault+0x221
MYDRV!IsShadow+0xcd
MYDRV!ControlMount+0x38
MYDRV!Control+0x77
nt!IopMountVolume+0x2e5
nt!IopCheckVpbMounted+0x10a
nt!IopParseDevice+0xbc7
nt!ObpLookupObjectName+0x8b2
nt!ObOpenObjectByNameEx+0x1dd
nt!IopCreateFile+0x3d9
nt!NtOpenFile+0x58
nt!KiSystemServiceCopyEnd+0x13
0x00007ffc`5e2f6734

What is happened in MYDRV!Control:
PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation( Irp ); // Irp is IN
parameter of the function
switch (irps->MinorFunction) {

case IRP_MN_MOUNT_VOLUME:

return ControlMount( DeviceObject, Irp );

So here we see, that ControlMount is called. Lets look inside:

PIO_STACK_LOCATION irps = IoGetCurrentIrpStackLocation( Irp );
PDEVICE_OBJECT storageStackDeviceObject;
BOOLEAN isShadowCopy;
storageStackDeviceObject = irps->Parameters.MountVolume.Vpb->RealDevice;
status = IsShadow( storageStackDeviceObject, &isShadowCopy);

He we call IsShadow and pass there storageStackDeviceObject. Inside of
IsShadow after some code (that doesn’t change storageStackDeviceObject):
if (FILE_DEVICE_VIRTUAL_DISK != StorageStackDeviceObject->DeviceType)

And here is the place where crash is happened.

Looking what is inside of MountVolume.Vpd->RealDevice I see:

+0x000 MountVolume :
+0x000 Vpb : 0xffffa5895eb42a90 _VPB<br> +0x000 Type : 0n0<br> +0x002 Size : 0n0<br> +0x004 Flags : 0<br> +0x006 VolumeLabelLength : 0<br> +0x008 DeviceObject : (null)<br> +0x010 RealDevice : 0x0000000000008000 _DEVICE_OBJECT
+0x018 SerialNumber : 1
+0x01c ReferenceCount : 0xffffffff
+0x020 VolumeLabel : [32] “”

RealDevice has invalid address…moreover Vpb seems to be corrupted or
invalid.

From what I found on MSDN
(https://msdn.microsoft.com/en-us/library/windows/hardware/ff548670(v=vs.85).aspx):
IrpSp->Parameters.MountVolume.Vpb
Pointer to the volume parameter block (VPB) for the volume to be mounted.
File systems that support removable media might substitute a previously used
VPB for the one passed in this parameter. On such file systems, after the
volume is mounted, this pointer can no longer be assumed to be valid. File
system filter drivers that filter these file systems should use this
parameter as follows: Before sending the IRP down to lower-level drivers,
the filter should save the value of
IrpSp->Parameters.MountVolume.Vpb->RealDevice. After the volume is
successfully mounted, the filter can use this pointer to the storage device
object to obtain the correct VPB pointer.

So my questions are:
1) Might it be the reason (as said in MSDN)? However, it seems to me that
MYDRV doesn’t send this IRP to lower-lever driver before it handles the IRP.
2) If the reason is in that, why don’t we see the issue on Windows7 (I don’t
sure if we really do not see it).
3) What other possible reasons of such behavior?

Thanks.

3

Thanks for the reply.
I’ll check it with Driver Verifier.
Also the customer said, that BSOD fails on system reboot/shutdown.
Here is full output of !analyze -v

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff8071552ed19, ffffd0001ab97700, 0}

Page 2369fa not present in the dump file. Type “.hh dbgerr004” for details
Page 2369fa not present in the dump file. Type “.hh dbgerr004” for details
Page 1a63e9 not present in the dump file. Type “.hh dbgerr004” for details
Page 1a63e9 not present in the dump file. Type “.hh dbgerr004” for details
Page 1a79b2 not present in the dump file. Type “.hh dbgerr004” for details
Page 1a79b2 not present in the dump file. Type “.hh dbgerr004” for details
*** ERROR: Module load completed but symbols could not be loaded for MYDRV.sys
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Probably caused by : MYDRV.sys ( MYDRV+ed19 )

Followup: MachineOwner

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8071552ed19, Address of the instruction which caused the bugcheck
Arg3: ffffd0001ab97700, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 14393.953.amd64fre.rs1_release_inmarket.170303-1614

SYSTEM_MANUFACTURER: VMware, Inc.

VIRTUAL_MACHINE: VMware

SYSTEM_PRODUCT_NAME: VMware7,1

SYSTEM_VERSION: None

BIOS_VENDOR: VMware, Inc.

BIOS_VERSION: VMW71.00V.0.B64.1507021939

BIOS_DATE: 07/02/2015

BASEBOARD_MANUFACTURER: Intel Corporation

BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

BASEBOARD_VERSION: None

DUMP_TYPE: 1

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8071552ed19

BUGCHECK_P3: ffffd0001ab97700

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
MYDRV+ed19
fffff807`1552ed19 83794824 cmp dword ptr [rcx+48h],24h

CONTEXT: ffffd0001ab97700 – (.cxr 0xffffd0001ab97700)
rax=ffff28070feb3151 rbx=0000000000008000 rcx=0000000000008000
rdx=ffffd0001ab982b0 rsi=0000000000000000 rdi=ffffd0001ab982b0
rip=fffff8071552ed19 rsp=ffffd0001ab98110 rbp=0000000000008000
r8=ffffa5895eb42a90 r9=000000000000000d r10=0000000000000000
r11=ffffd0001ab982a8 r12=ffffa5894bda5c80 r13=00000000ffffffff
r14=ffffa5895e0f3080 r15=ffffa5894bf9cbc0
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
MYDRV+0xed19:
fffff8071552ed19 83794824 cmp dword ptr [rcx+48h],24h ds:002b:0000000000008048=???
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: c1c

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3d

CPU_STEPPING: 4

CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 21’00000000 (cache) 21’00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: powershell.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MICHAELSE-7470

ANALYSIS_SESSION_TIME: 04-12-2017 16:28:30.0556

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER: from fffff8071552d528 to fffff8071552ed19

STACK_TEXT:
nt!KiPageFault+0x221
MYDRV!IsShadow+0xcd
MYDRV!ControlMount+0x38
MYDRV!Control+0x77
nt!IopMountVolume+0x2e5
nt!IopCheckVpbMounted+0x10a
nt!IopParseDevice+0xbc7
nt!ObpLookupObjectName+0x8b2
nt!ObOpenObjectByNameEx+0x1dd
nt!IopCreateFile+0x3d9
nt!NtOpenFile+0x58
nt!KiSystemServiceCopyEnd+0x13
0x00007ffc`5e2f6734

THREAD_SHA1_HASH_MOD_FUNC: ea11d36a9c18fc1d9906d89606fd78e4d9342c86

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 0f139b73b7745f3a8b3d9fc861a58716c0de60b3

THREAD_SHA1_HASH_MOD: 7832792a7785d26981708423d4b795ca3e09efb8

FOLLOWUP_IP:
MYDRV+ed19
fffff807`1552ed19 83794824 cmp dword ptr [rcx+48h],24h

FAULT_INSTR_CODE: 24487983

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: MYDRV+ed19

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MYDRV

IMAGE_NAME: MYDRV.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5762b3a9

IMAGE_VERSION: 8.60.0.1929

STACK_COMMAND: .cxr 0xffffd0001ab97700 ; kb

BUCKET_ID_FUNC_OFFSET: ed19

FAILURE_BUCKET_ID: 0x3B_MYDRV!unknown_function

BUCKET_ID: 0x3B_MYDRV!unknown_function

PRIMARY_PROBLEM_CLASS: 0x3B_MYDRV!unknown_function

TARGET_TIME: 2017-04-09T19:12:14.000Z

OSBUILD: 14393

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-03-04 08:09:56

BUILDDATESTAMP_STR: 170303-1614

BUILDLAB_STR: rs1_release_inmarket

BUILDOSVER_STR: 10.0.14393.953.amd64fre.rs1_release_inmarket.170303-1614

ANALYSIS_SESSION_ELAPSED_TIME: 1741

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x3b_mydrv!unknown_function

FAILURE_ID_HASH: {c58ddb32-754c-d643-b29b-6f6398f528a5}

Followup: MachineOwner

One more question:

PROCESS_NAME: powershell.exe - does it mean that the BSOD caused when powershell indirectly generated FS event for the driver?

4

Powershell tried to open a file on what appeared to be an unmounted volume.
This caused the I/O Manager to perform mount processing, which resulted in
your driver tripping over an invalid VPB. This doesn’t really provide much
more interesting detail, you need to figure out why the VPB is bad.

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntfsd…

Thanks for the reply.
I’ll check it with Driver Verifier.
Also the customer said, that BSOD fails on system reboot/shutdown.
Here is full output of !analyze -v

*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff8071552ed19, ffffd0001ab97700, 0}

Page 2369fa not present in the dump file. Type “.hh dbgerr004” for details
Page 2369fa not present in the dump file. Type “.hh dbgerr004” for details
Page 1a63e9 not present in the dump file. Type “.hh dbgerr004” for details
Page 1a63e9 not present in the dump file. Type “.hh dbgerr004” for details
Page 1a79b2 not present in the dump file. Type “.hh dbgerr004” for details
Page 1a79b2 not present in the dump file. Type “.hh dbgerr004” for details
*** ERROR: Module load completed but symbols could not be loaded for
MYDRV.sys
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Probably caused by : MYDRV.sys ( MYDRV+ed19 )

Followup: MachineOwner

0: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8071552ed19, Address of the instruction which caused the bugcheck
Arg3: ffffd0001ab97700, Address of the context record for the exception that
caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details
Page 940 not present in the dump file. Type “.hh dbgerr004” for details

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 14393.953.amd64fre.rs1_release_inmarket.170303-1614

SYSTEM_MANUFACTURER: VMware, Inc.

VIRTUAL_MACHINE: VMware

SYSTEM_PRODUCT_NAME: VMware7,1

SYSTEM_VERSION: None

BIOS_VENDOR: VMware, Inc.

BIOS_VERSION: VMW71.00V.0.B64.1507021939

BIOS_DATE: 07/02/2015

BASEBOARD_MANUFACTURER: Intel Corporation

BASEBOARD_PRODUCT: 440BX Desktop Reference Platform

BASEBOARD_VERSION: None

DUMP_TYPE: 1

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8071552ed19

BUGCHECK_P3: ffffd0001ab97700

BUGCHECK_P4: 0

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx
referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
MYDRV+ed19
fffff807`1552ed19 83794824 cmp dword ptr [rcx+48h],24h

CONTEXT: ffffd0001ab97700 – (.cxr 0xffffd0001ab97700)
rax=ffff28070feb3151 rbx=0000000000008000 rcx=0000000000008000
rdx=ffffd0001ab982b0 rsi=0000000000000000 rdi=ffffd0001ab982b0
rip=fffff8071552ed19 rsp=ffffd0001ab98110 rbp=0000000000008000
r8=ffffa5895eb42a90 r9=000000000000000d r10=0000000000000000
r11=ffffd0001ab982a8 r12=ffffa5894bda5c80 r13=00000000ffffffff
r14=ffffa5895e0f3080 r15=ffffa5894bf9cbc0
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010206
MYDRV+0xed19:
fffff8071552ed19 83794824 cmp dword ptr [rcx+48h],24h ds:002b:0000000000008048=???
Resetting default scope

CPU_COUNT: 2

CPU_MHZ: c1c

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3d

CPU_STEPPING: 4

CPU_MICROCODE: 6,3d,4,0 (F,M,S,R) SIG: 21’00000000 (cache) 21’00000000
(init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: powershell.exe

CURRENT_IRQL: 0

ANALYSIS_SESSION_HOST: MICHAELSE-7470

ANALYSIS_SESSION_TIME: 04-12-2017 16:28:30.0556

ANALYSIS_VERSION: 10.0.14321.1024 amd64fre

LAST_CONTROL_TRANSFER: from fffff8071552d528 to fffff8071552ed19

STACK_TEXT:
nt!KiPageFault+0x221
MYDRV!IsShadow+0xcd
MYDRV!ControlMount+0x38
MYDRV!Control+0x77
nt!IopMountVolume+0x2e5
nt!IopCheckVpbMounted+0x10a
nt!IopParseDevice+0xbc7
nt!ObpLookupObjectName+0x8b2
nt!ObOpenObjectByNameEx+0x1dd
nt!IopCreateFile+0x3d9
nt!NtOpenFile+0x58
nt!KiSystemServiceCopyEnd+0x13
0x00007ffc`5e2f6734

THREAD_SHA1_HASH_MOD_FUNC: ea11d36a9c18fc1d9906d89606fd78e4d9342c86

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 0f139b73b7745f3a8b3d9fc861a58716c0de60b3

THREAD_SHA1_HASH_MOD: 7832792a7785d26981708423d4b795ca3e09efb8

FOLLOWUP_IP:
MYDRV+ed19
fffff807`1552ed19 83794824 cmp dword ptr [rcx+48h],24h

FAULT_INSTR_CODE: 24487983

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: MYDRV+ed19

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: MYDRV

IMAGE_NAME: MYDRV.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5762b3a9

IMAGE_VERSION: 8.60.0.1929

STACK_COMMAND: .cxr 0xffffd0001ab97700 ; kb

BUCKET_ID_FUNC_OFFSET: ed19

FAILURE_BUCKET_ID: 0x3B_MYDRV!unknown_function

BUCKET_ID: 0x3B_MYDRV!unknown_function

PRIMARY_PROBLEM_CLASS: 0x3B_MYDRV!unknown_function

TARGET_TIME: 2017-04-09T19:12:14.000Z

OSBUILD: 14393

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2017-03-04 08:09:56

BUILDDATESTAMP_STR: 170303-1614

BUILDLAB_STR: rs1_release_inmarket

BUILDOSVER_STR: 10.0.14393.953.amd64fre.rs1_release_inmarket.170303-1614

ANALYSIS_SESSION_ELAPSED_TIME: 1741

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:0x3b_mydrv!unknown_function

FAILURE_ID_HASH: {c58ddb32-754c-d643-b29b-6f6398f528a5}

Followup: MachineOwner

One more question:

PROCESS_NAME: powershell.exe - does it mean that the BSOD caused when
powershell indirectly generated FS event for the driver?