Random BSOD Defilter.sys

  • Question

  • I recently put WHS on a homebuilt PC. All components are less than a month old except for a DVD drive and a firewire PCI card. I've run chkdsk on both HDD and let memtest run for about 5 hours on my RAM. Everything reported back fine.

    I opened the dump in WinDbg and ran !analyze -v. Here's what it came back with. Demigrator.exe and Defilter.sys aren't very helpful errors. Can anyone shed some insight?

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
    This is a very common bugcheck. Usually the exception address pinpoints
    the driver/function that caused the problem. Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003. This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG. This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG. This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: f720eb4c, The address that the exception occurred at
    Arg3: aba7e9e8, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------

    PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
    PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
    FAULTING_IP:
    fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+232
    f720eb4c 8b4364 mov eax,dword ptr [ebx+64h]

    TRAP_FRAME: aba7e9e8 -- (.trap 0xffffffffaba7e9e8)
    ErrCode = 00000000
    eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=8844b7c8 edi=882ee5b0
    eip=f720eb4c esp=aba7ea5c ebp=aba7ea78 iopl=0 nv up ei pl zr na pe nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
    fltMgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x232:
    f720eb4c 8b4364 mov eax,dword ptr [ebx+64h] ds:0023:00000064=????????
    Resetting default scope

    DEFAULT_BUCKET_ID: DRIVER_FAULT

    BUGCHECK_STR: 0x8E

    PROCESS_NAME: demigrator.exe

    CURRENT_IRQL: 0

    LAST_CONTROL_TRANSFER: from 8082d920 to 80827d69

    STACK_TEXT:


    STACK_COMMAND: kb

    FOLLOWUP_IP:
    DEfilter+3015
    f76ef015 8b4dfc mov ecx,dword ptr [ebp-4]

    SYMBOL_STACK_INDEX: 7

    SYMBOL_NAME: DEfilter+3015

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: DEfilter

    IMAGE_NAME: DEfilter.sys

    DEBUG_FLR_IMAGE_TIMESTAMP: 49b73aa4

    FAILURE_BUCKET_ID: 0x8E_DEfilter+3015

    BUCKET_ID: 0x8E_DEfilter+3015

    Followup: MachineOwner
    ---------
    • Edited by JayHeavner Saturday, May 23, 2009 1:58 PM
    Saturday, May 23, 2009 1:55 PM

All replies

  • Probably this indicates something wrong on your particular server (if it were a problem with the software in general, it would be reported much more frequently). This could be a buggy driver, hardware issue, etc. The first thing I would try is checking all the drives in your server with chkdsk.
    I'm not on the WHS team, I just post a lot. :)
    Saturday, May 23, 2009 2:06 PM
    Moderator
  • I recently put WHS on a homebuilt PC. All components are less than a month old except for a DVD drive and a firewire PCI card. I've run chkdsk on both HDD and let memtest run for about 5 hours on my RAM. Everything reported back fine.

    ---------

    Did you run chkdsk with /f /r? Also, please double check that the storage drivers are the most current versions available.

    Thanks
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Saturday, May 23, 2009 4:32 PM
    Moderator
  • I ran the chkdsk command again and it reported no errors. The server crashed several times last night. I've attached the last dump below but it still doesn't point to a useful driver. Is there anything more I can do to further troubleshoot this issue? Lara, you mentioned storage drivers. Would those be chipset drivers or something from the actual drive manufacturers? I have the latest drivers from the Gigabyte website but I could see if AMD has anything newer.

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    NTFS_FILE_SYSTEM (24)
        If you see NtfsExceptionFilter on the stack then the 2nd and 3rd
        parameters are the exception record and context record. Do a .cxr
        on the 3rd parameter and then kb to obtain a more informative stack
        trace.
    Arguments:
    Arg1: 0019033d
    Arg2: abc744e8
    Arg3: abc741e4
    Arg4: f7b51da3

    Debugging Details:
    ------------------


    EXCEPTION_RECORD:  abc744e8 -- (.exr 0xffffffffabc744e8)
    ExceptionAddress: f7b51da3 (Ntfs!NtfsDecrementCloseCounts+0x00000071)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 00000001
       Parameter[1]: 00002d39
    Attempt to write to address 00002d39

    CONTEXT:  abc741e4 -- (.cxr 0xffffffffabc741e4)
    eax=00002d39 ebx=00000000 ecx=89780178 edx=e2f92d84 esi=e2f92c60 edi=000000f9
    eip=f7b51da3 esp=abc745b0 ebp=abc746bb iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    Ntfs!NtfsDecrementCloseCounts+0x71:
    f7b51da3 8800            mov     byte ptr [eax],al          ds:0023:00002d39=??
    Resetting default scope

    DEFAULT_BUCKET_ID:  DRIVER_FAULT

    PROCESS_NAME:  System

    CURRENT_IRQL:  0

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    EXCEPTION_PARAMETER1:  00000001

    EXCEPTION_PARAMETER2:  00002d39

    WRITE_ADDRESS:  00002d39

    FOLLOWUP_IP:
    Ntfs!NtfsDecrementCloseCounts+71
    f7b51da3 8800            mov     byte ptr [eax],al

    FAULTING_IP:
    Ntfs!NtfsDecrementCloseCounts+71
    f7b51da3 8800            mov     byte ptr [eax],al

    BUGCHECK_STR:  0x24

    MISALIGNED_IP:
    Ntfs!NtfsDecrementCloseCounts+71
    f7b51da3 8800            mov     byte ptr [eax],al

    LAST_CONTROL_TRANSFER:  from 00000000 to f7b51da3

    STACK_TEXT: 


    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  Ntfs!NtfsDecrementCloseCounts+71

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  hardware

    DEBUG_FLR_IMAGE_TIMESTAMP:  0

    STACK_COMMAND:  .cxr 0xffffffffabc741e4 ; kb

    MODULE_NAME: hardware

    FAILURE_BUCKET_ID:  IP_MISALIGNED_Ntfs.sys

    BUCKET_ID:  IP_MISALIGNED_Ntfs.sys

    Followup: MachineOwner
    ---------


    Sunday, May 24, 2009 1:42 PM
  • Bluescreens in various modules, on the same hardware, suggest a problem other than with the drives. Try running an extended test of your system memory, using e.g. memtest86+. Let it run for at least 8 hours and preferably longer (24 hours would not be out of line).
    I'm not on the WHS team, I just post a lot. :)
    Sunday, May 24, 2009 2:22 PM
    Moderator
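
The heuristic in the reply above (crashes attributed to different modules on the same machine point away from a single driver or disk) can be applied across several `!analyze -v` outputs at once. The following Python is an added example, not part of the thread; the excerpts are constructed from lines in the two dumps posted here, and the function names and the 64 KB "near NULL" threshold are assumptions of the example.

```python
import re

# Constructed excerpts: lines copied from the two !analyze -v outputs in this thread.
DUMP_1 = """\
BUGCHECK_STR: 0x8E
PROCESS_NAME: demigrator.exe
IMAGE_NAME: DEfilter.sys
FAILURE_BUCKET_ID: 0x8E_DEfilter+3015
f720eb4c 8b4364 mov eax,dword ptr [ebx+64h] ds:0023:00000064=????????
"""
DUMP_2 = """\
BUGCHECK_STR:  0x24
PROCESS_NAME:  System
IMAGE_NAME:  hardware
FAILURE_BUCKET_ID:  IP_MISALIGNED_Ntfs.sys
f7b51da3 8800            mov     byte ptr [eax],al          ds:0023:00002d39=??
"""

# "KEY: value" lines; spaces/tabs only, so an empty field never swallows the next line.
FIELD = re.compile(r"^[ \t]*([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", re.M)
# Memory operand WinDbg could not read, e.g. "ds:0023:00000064=????????"
OPERAND = re.compile(r"\b[cdefgs]s:[0-9a-f]{4}:([0-9a-f]{8})=\?+", re.I)
LOW_ADDR_LIMIT = 0x10000  # assumption: treat the first 64 KB as "near NULL"

def parse_analyze(text):
    """Extract KEY: value fields and the unreadable operand address, if any."""
    rec = dict(FIELD.findall(text))
    m = OPERAND.search(text)
    rec["fault_addr"] = int(m.group(1), 16) if m else None
    return rec

def triage(dumps):
    """Summarise several dumps; a heuristic, not a verdict."""
    recs = [parse_analyze(d) for d in dumps]
    images = sorted({r.get("IMAGE_NAME", "unknown") for r in recs})
    blamed_hw = any(r.get("IMAGE_NAME") == "hardware"
                    or r.get("FAILURE_BUCKET_ID", "").startswith("IP_MISALIGNED")
                    for r in recs)
    near_null = [r["fault_addr"] for r in recs
                 if r["fault_addr"] is not None and r["fault_addr"] < LOW_ADDR_LIMIT]
    return {
        "images": images,
        "near_null_faults": near_null,
        # Different images blamed on one machine, or WinDbg itself blaming
        # "hardware", points away from a single faulty driver.
        "suspect_hardware": len(images) > 1 or blamed_hw,
    }

if __name__ == "__main__":
    print(triage([DUMP_1, DUMP_2]))
```
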
  • I'll give it a shot. I've also pulled the PCI firewire card from the machine. I found an updated driver from Realtek for my network card and I've applied it. I have a license for Driver Detective, would it be worth running it or is it going to choke because it's WHS and not XP/Vista?
    Sunday, May 24, 2009 6:10 PM
  • I've never used Driver Detective; what does their web site say about Windows Server 2003?

    In general, taking a methodical approach to computer diagnosis and repair will get you farther, and with less risk, than a scattershot approach. So I would try one thing at a time, and see what the results are, then move on to the next thing if the first isn't proving useful. It probably doesn't matter too much what you try first, though, so if you have a hunch you can go with it. :)
    I'm not on the WHS team, I just post a lot. :)
    Sunday, May 24, 2009 9:36 PM
    Moderator
  • None of these driver tools seem to really be geared towards server platforms and the only reason I have a copy is my dad bought it after trying to downgrade to x64 XP. I'm a little sketchy about using it.

    I've tested each stick of RAM for 10-12 hours and they seem fine. I tested each in the slot it was originally in. I guess I could test each stick in each slot. I even tested both sticks together (although I'm not sure why).

    I've run chkdsk /f /r on both drives with no errors. I could test each drive with HDD Regenerator but that would take several days to complete.

    I agree with you about taking a methodical approach so I've started over. I pulled my second drive from the system (to retain my files) and did a new install of WHS. I set my mobo to use IDE mode for my SATA port (I've had no luck getting my SATA drivers installed during setup). I brought the system up, installed the drivers from my mobo manufacturer, and let it download all the patches. Then I turned it on and let it sit. It ran 48 hours with no problems. That's not surprising since my errors seem to deal with multidisk/SATA configuration.

    Here's where I could use some help. I have 6 SATA ports. Ports 0-3 support IDE, AHCI, or RAID mode. Ports 4, 5 support IDE or can mirror ports 0-3. Currently my single drive is plugged into port 4, which is set to IDE. Ports 0-3 are configured AHCI. I plan to have a total of 5 drives in the system and one of the drives will be ESATA and I'd like it to be hot-swappable. I'd like to move my current drives to slots 0, 1 configured as AHCI. In theory it seems like that should work. The problem is I'm not sure which to do first, add the second drive as IDE or move the first drive to AHCI. Thoughts?

    I kind of wonder if my problems could be solved/simplified by installing on an actual IDE HDD and then just adding the additional SATA drives as storage only. The only challenge is my mobo has one physical IDE connection and the case is configured such that one IDE cable can't handle both my optical drive and a HDD. There's probably 12" of space between the optical drive bay and the top of the HDD cage and I don't have a cable that has that kind of spacing. I suppose I could do the same thing by leaving all my SATA ports in IDE mode but then I'd lose the ability to hotswap.
    Wednesday, May 27, 2009 6:54 PM