Need help

I’am on a driver file system and i have BSOD on createfile on my volume.
Can you help please ?

Microsoft (R) Windows Debugger Version 10.0.15063.468 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\sys\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

Symbol search path is: srv*
Executable search path is:
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Windows 10 Kernel Version 10240 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10240.16384.amd64fre.th1.150709-1700
Machine Name:
Kernel base = 0xfffff8036e079000 PsLoadedModuleList = 0xfffff8036e39df30
Debug session time: Fri Jul 14 18:20:17.259 2017 (UTC + 2:00)
System Uptime: 0 days 0:09:34.605
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntkrnlmp.exe -
Loading Kernel Symbols

…Page c71f not present in the dump file. Type “.hh dbgerr004” for details
.Page 4442 not present in the dump file. Type “.hh dbgerr004” for details


Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7e7ef018). Type “.hh dbgerr001” for details

************* Symbol Loading Error Summary **************
Module name Error
ntkrnlmp The system cannot find the file specified

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {4c, 2, 1, fffff8036e13f7d4}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
Probably caused by : ntoskrnl.wrong.symbols.exe ( nt_wrong_symbols!559F3C1A852000 )

Followup: MachineOwner

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000004c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff8036e13f7d4, address which referenced memory

Debugging Details:

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_EPROCESS ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPCR ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KTHREAD ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_KPRCB ***
*** ***
*************************************************************************

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 10240.16384.amd64fre.th1.150709-1700

SYSTEM_MANUFACTURER: innotek GmbH

VIRTUAL_MACHINE: VirtualBox

SYSTEM_PRODUCT_NAME: VirtualBox

SYSTEM_VERSION: 1.2

BIOS_VENDOR: innotek GmbH

BIOS_VERSION: VirtualBox

BIOS_DATE: 12/01/2006

BASEBOARD_MANUFACTURER: Oracle Corporation

BASEBOARD_PRODUCT: VirtualBox

BASEBOARD_VERSION: 1.2

ADDITIONAL_DEBUG_TEXT:
You can run ‘.symfix; .reload’ to try to fix the symbol path and load symbols.

WRONG_SYMBOLS_TIMESTAMP: 559f3c1a

WRONG_SYMBOLS_SIZE: 852000

FAULTING_MODULE: fffff8036e079000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 559f3c1a

DUMP_TYPE: 1

BUGCHECK_P1: 4c

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff8036e13f7d4

WRITE_ADDRESS: *************************************************************************
*** ***
*** ***
*** Either you specified an unqualified symbol, or your debugger ***
*** doesn’t have full symbol information. Unqualified symbol ***
*** resolution is turned off by default. Please either specify a ***
*** fully qualified symbol module!symbolname, or enable resolution ***
*** of unqualified symbols by typing “.symopt- 100”. Note that ***
*** enabling unqualified symbol resolution with network symbol ***
*** server shares in the symbol path may cause the debugger to ***
*** appear to hang for long periods of time when an incorrect ***
*** symbol name is typed or the network symbol server is down. ***
*** ***
*** For some commands to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: nt!_MMPTE ***
*** ***
*************************************************************************
Unable to get size of nt!_MMPTE - probably bad symbols
000000000000004c

CURRENT_IRQL: 0

FAULTING_IP:
nt!RtlCompressBuffer+cf8
fffff803`6e13f7d4 88514c mov byte ptr [rcx+4Ch],dl

CPU_COUNT: 2

CPU_MHZ: fa0

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 2

CPU_STEPPING: 0

ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N

ANALYSIS_SESSION_TIME: 07-14-2017 18:21:32.0901

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

LAST_CONTROL_TRANSFER: from fffff8036e1d05a9 to fffff8036e1c5c20

STACK_TEXT:
ffffd0005a962ea8 fffff8036e1d05a9 : 000000000000000a 000000000000004c 0000000000000002 0000000000000001 : nt!KeBugCheckEx
ffffd0005a962eb0 fffff8036e1cedc8 : 0000000000000000 ffffe000c6e2ada0 ffffe000c872d780 fffff800b732f34b : nt!setjmpex+0x3b19
ffffd0005a962ff0 fffff8036e13f7d4 : ffffe000c820e5f0 0000000000000000 ffffe000c700d000 ffffe000c700d070 : nt!setjmpex+0x2338
ffffd0005a963180 fffff8036e55cbf3 : fffff8036e3b8440 0000000000000000 ffffe000c6efb340 ffffe000c700d000 : nt!RtlCompressBuffer+0xcf8
ffffd0005a9631b0 fffff8036e13f974 : ffffe000c700d070 ffffe000c948eb10 ffffe000c700d070 fffff8036e51ba66 : nt!MmGetPhysicalMemoryRanges+0x48c7
ffffd0005a963430 fffff8036e4a5367 : 0000000000000025 0000000000000000 ffffd0005a963790 0000000000000000 : nt!RtlCompressBuffer+0xe98
ffffd0005a963480 fffff8036e4a09d1 : ffffc0008b22a638 ffffc0008b22a638 ffffd0005a963790 ffffe000c700d040 : nt!NtSetEvent+0xf57
ffffd0005a963690 fffff8036e4ff38c : ffffe000c7d36001 ffffd0005a9638b8 ffffe00000000040 ffffe000c66a2f20 : nt!ObReferenceObjectByHandleWithTag+0x2d01
ffffd0005a963830 fffff8036e4fb69c : 08090a0b00000001 ffffe000c948eb10 00000000006be990 00000000006be0e0 : nt!ObOpenObjectByName+0x1ec
ffffd0005a963960 fffff8036e4fb2e9 : 00000000006be0c8 0000000000000000 00000000006be990 00000000006be0e0 : nt!NtCreateFile+0x42c
ffffd0005a963a00 fffff8036e1d0263 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!NtCreateFile+0x79
ffffd0005a963a90 00007ffa93233a9a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!setjmpex+0x37d3
00000000006be058 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ffa`93233a9a

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: 354994796ebabcea95158de413e9fe959ee04a0d

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 8ca9079c6090e66caa0852c99e03b54762c6d4e3

THREAD_SHA1_HASH_MOD: dc844b1b94baa204d070855e43bbbd27eee98b94

FOLLOWUP_IP:
nt!RtlCompressBuffer+cf8
fffff803`6e13f7d4 88514c mov byte ptr [rcx+4Ch],dl

FAULT_INSTR_CODE: 484c5188

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt_wrong_symbols!559F3C1A852000

FOLLOWUP_NAME: MachineOwner

BUGCHECK_STR: 559F3C1A

EXCEPTION_CODE: (NTSTATUS) 0x559f3c1a -

EXCEPTION_CODE_STR: 559F3C1A

EXCEPTION_STR: WRONG_SYMBOLS

PROCESS_NAME: ntoskrnl.wrong.symbols.exe

IMAGE_NAME: ntoskrnl.wrong.symbols.exe

MODULE_NAME: nt_wrong_symbols

BUCKET_ID: WRONG_SYMBOLS_X64_10240.16384.amd64fre.th1.150709-1700_TIMESTAMP_150710-032930

DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_10240.16384.amd64fre.th1.150709-1700_TIMESTAMP_150710-032930

PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS

FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_10240.16384.amd64fre.th1.150709-1700_TIMESTAMP_150710-032930_559F3C1A_nt_wrong_symbols!559F3C1A852000

TARGET_TIME: 2017-07-14T16:20:17.000Z

OSBUILD: 10240

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2015-07-10 05:29:30

BUILDDATESTAMP_STR: 150709-1700

BUILDLAB_STR: th1

BUILDOSVER_STR: 10.0.10240.16384.amd64fre.th1.150709-1700

ANALYSIS_SESSION_ELAPSED_TIME: 4f

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:wrong_symbols_x64_10240.16384.amd64fre.th1.150709-1700_timestamp_150710-032930_559f3c1a_nt_wrong_symbols!559f3c1a852000

FAILURE_ID_HASH: {eb71b7c5-5d3e-8b28-668b-123d807c7ae7}

Followup: MachineOwner
---------

0: kd>

Thank You

To fix the symbols enter the following commands in WinDBG
.sympath srv*
.reload

More about this

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode-

Then provide the call stack with correct symbols.

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000004c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff801becd07d4, address which referenced memory

Debugging Details:

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 10240.16384.amd64fre.th1.150709-1700

SYSTEM_MANUFACTURER: innotek GmbH

VIRTUAL_MACHINE: VirtualBox

SYSTEM_PRODUCT_NAME: VirtualBox

SYSTEM_VERSION: 1.2

BIOS_VENDOR: innotek GmbH

BIOS_VERSION: VirtualBox

BIOS_DATE: 12/01/2006

BASEBOARD_MANUFACTURER: Oracle Corporation

BASEBOARD_PRODUCT: VirtualBox

BASEBOARD_VERSION: 1.2

DUMP_TYPE: 1

BUGCHECK_P1: 4c

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff801becd07d4

WRITE_ADDRESS: 000000000000004c

CURRENT_IRQL: 2

FAULTING_IP:
nt!IopMountInitializeVpb+54
fffff801`becd07d4 88514c mov byte ptr [rcx+4Ch],dl

CPU_COUNT: 2

CPU_MHZ: fa0

CPU_VENDOR: AuthenticAMD

CPU_FAMILY: 15

CPU_MODEL: 2

CPU_STEPPING: 0

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: samplefatfilesystem.exe

ANALYSIS_SESSION_HOST: DESKTOP-J0KVJ3N

ANALYSIS_SESSION_TIME: 07-17-2017 19:49:26.0617

ANALYSIS_VERSION: 10.0.15063.468 amd64fre

TRAP_FRAME: ffffd00140995ff0 – (.trap 0xffffd00140995ff0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000002 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801becd07d4 rsp=ffffd00140996180 rbp=ffffe000722a2070
r8=0000000000000000 r9=fffff801bef6d880 r10=fffff801f0c15b80
r11=ffffd00140996180 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nt!IopMountInitializeVpb+0x54:
fffff801becd07d4 88514c mov byte ptr [rcx+4Ch],dl ds:000000000000004c=??
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff801bed615a9 to fffff801bed56c20

STACK_TEXT:
ffffd00140995ea8 fffff801bed615a9 : 000000000000000a 000000000000004c 0000000000000002 0000000000000001 : nt!KeBugCheckEx
ffffd00140995eb0 fffff801bed5fdc8 : 0000000000000000 ffffe0007131ddf0 ffffe000710e9780 fffff801f0c1f34b : nt!KiBugCheckDispatch+0x69
ffffd00140995ff0 fffff801becd07d4 : ffffe00070deb3f0 0000000000000000 ffffe000722a2000 ffffe000722a2070 : nt!KiPageFault+0x248
ffffd00140996180 fffff801bf0edbf3 : fffff801bef49440 0000000000000000 ffffe00071254840 ffffe000722a2000 : nt!IopMountInitializeVpb+0x54
ffffd001409961b0 fffff801becd0974 : ffffe000722a2070 ffffe0006fd90b10 ffffe000722a2070 fffff801bf0aca66 : nt!IopMountVolume+0x46b
ffffd00140996430 fffff801bf036367 : 0000000000000025 0000000000000000 ffffd00140996790 0000000000000000 : nt!IopCheckVpbMounted+0x154
ffffd00140996480 fffff801bf0319d1 : ffffc000d4a2a638 ffffc000d4a2a638 ffffd00140996790 ffffe000722a2040 : nt!IopParseDevice+0x4a7
ffffd00140996690 fffff801bf09038c : ffffe00070b15b01 ffffd001409968b8 ffffe00000000040 ffffe0006f46ff20 : nt!ObpLookupObjectName+0x711
ffffd00140996830 fffff801bf08c69c : ffffe00000000001 ffffe0006fd90b10 000000000075eb80 000000000075e2d0 : nt!ObOpenObjectByName+0x1ec
ffffd00140996960 fffff801bf08c2e9 : 000000000075e2b8 0000000000000000 000000000075eb80 000000000075e2d0 : nt!IopCreateFile+0x38c
ffffd00140996a00 fffff801bed61263 : fffff6fb40001b00 0000000000000000 0000000000000000 0000000000000000 : nt!NtCreateFile+0x79
ffffd00140996a90 00007ff955663a9a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
000000000075e248 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x00007ff9`55663a9a

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: b137d77bc1f8deefd04b4562dfe551e52af3da5a

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 27ae7d2d2794d88ca82b2572a447cec3b99430b0

THREAD_SHA1_HASH_MOD: dc844b1b94baa204d070855e43bbbd27eee98b94

FOLLOWUP_IP:
nt!IopMountInitializeVpb+54
fffff801`becd07d4 88514c mov byte ptr [rcx+4Ch],dl

FAULT_INSTR_CODE: 484c5188

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!IopMountInitializeVpb+54

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 559f3c1a

BUCKET_ID_FUNC_OFFSET: 54

FAILURE_BUCKET_ID: AV_nt!IopMountInitializeVpb

BUCKET_ID: AV_nt!IopMountInitializeVpb

PRIMARY_PROBLEM_CLASS: AV_nt!IopMountInitializeVpb

TARGET_TIME: 2017-07-17T17:40:39.000Z

OSBUILD: 10240

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 1

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS

OS_LOCALE:

USER_LCID: 0

OSBUILD_TIMESTAMP: 2015-07-10 05:29:30

BUILDDATESTAMP_STR: 150709-1700

BUILDLAB_STR: th1

BUILDOSVER_STR: 10.0.10240.16384.amd64fre.th1.150709-1700

ANALYSIS_SESSION_ELAPSED_TIME: be5

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_nt!iopmountinitializevpb

FAILURE_ID_HASH: {b00a9f3a-eb89-6a85-c75f-b86adbc50a6f}

Followup: MachineOwner

On Jul 17, 2017, at 10:51 AM, xxxxx@gmail.com xxxxx@lists.osr.com wrote:

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 000000000000004c, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff801becd07d4, address which referenced memory

This is a null pointer dereference. The likely cause here is that you have supplied a null pointer in a structure field or parameter where you are not allowed to supply a null pointer.

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.