Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
13,726 questions
In a windows dump that shows that NTFS received an invalid pointer for a delete, I need to see which piece of code issued the delete, and would like to see what filesystem filters are running, can someone point me at some documentation for this?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 41%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
Nichols, Alan
0
Reputation points
It is a full memory dump and there is NOTHING TO SEE AT ALL IN THE WINDOWS EVENT LOG , only the restart is visible in the event log.
How, in a windows dump do I follow the chain of events leading up to the illegal NTFS delete (the supplied pointer was invalid)
The operating system is windows server 2022.
Filesystem "filters" are active and a couple of applications, but this system was hardly being used at all, I need to eliminate my application ;-) ...
Is there some self training available for windows dump reading ? How would you proceed ?
{count} votes
-
Nichols, Alan 0 Reputation points
2024-03-07T10:45:23.09+00:00 I would also like to understand a lot more about how NTFS with filters actually works, is some higher level putting requests on a queue that is worked through by the various filters and then finally the filesystem - how does this bit of windows actually work (just a pointer to such docs would be really appreciated).
-
Gary Nebbett 6,196 Reputation points2024-03-07T11:55:50.4866667+00:00 Hello Alan,
If your "application" is a user-mode application with no kernel components, then it is unlikely to be responsible for the problem.
The easiest way to see which filters are active is to use the "fltmc instances" command when the system is running; gathering the information from the dump is possible but more difficult.
You can create a mini/triage dump from your full dump and share that. There probably won't be enough information in the small dump to resolve the problem, but it would help others to better understand the problem that you are facing.
A dump is just a snapshot of the system state at a point in time - it is difficult to draw interferences about "the chain of events leading up to" anything. If the problem is reproducible then a combination of ETW (Event Tracing for Windows) tracing to see events prior to a crash combined with the full crash dump might be the easiest way to investigate what is happening.
Gary
-
Nichols, Alan 0 Reputation points
2024-03-07T14:16:42.38+00:00 Thanks Gary, I do understand what a dump is and have experience in reading dumps on other platforms. On other platforms, I can use the various registers to examine the call chain, or find pointers to system areas that I can decode. I know what filters are running and I suspect that one of them caused the issue, I need help to find the culprit.
Sign in to comment
Sign in to answer