For what it’s worth, if this is the IBM Guardium product, there is a KB article detailing a system stability issue between nptrc.sys and Mcafee
http://www-01.ibm.com/support/docview.wss?uid=swg21971076 Sending those memory dumps you have to Guardium support may allow them to confirm whether or not your issue is what’s described in the KB article. ~Dave From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Thursday, December 15, 2016 2:41 PM To: [email protected] Subject: RE: [NTSysADM] Analyzing Minidumps Sorry, clfs.sys is correct. I had already gotten the page you reference when I searched REFERENCE_BY_POINTER but I’m not sure it gives me something to look for. What is it that makes you think broken AV? I will try to pursue that. We use VirusScan Enterprise 8.8 and I can look at the logs from it, which I hadn’t thought of trying. Thanks for the help. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Michael B. Smith Sent: Thursday, December 15, 2016 5:10 PM To: [email protected]<mailto:[email protected]> Subject: RE: [NTSysADM] Analyzing Minidumps After a few minutes of reading around – sounds like a broken AV to me. You wrote below CLFSYS.SYS – did you mean clfs.sys? Because I don’t think there is a CLFSYS.SYS, which would lead me to think “virus”. This is also a worthwhile read: https://msdn.microsoft.com/en-us/library/windows/hardware/ff557386(v=vs.85).aspx From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Charles F Sullivan Sent: Thursday, December 15, 2016 3:45 PM To: [email protected]<mailto:[email protected]> Subject: [NTSysADM] Analyzing Minidumps This is something I find myself needing to do only occasionally. I usually use BlueScreenView to read minidumps after a crash because it’s quicker and easier than windbg. Regardless of the tool, when multiple crashes are caused by the same device driver, it’s pretty straightforward as to the culprit. In the case of system drivers along with ntoskrnl.exe being listed as the cause, it’s not so apparent, so I’m not really sure what I’m seeing. We had a Windows 2012 R2 VMware VM that suddenly began crashing on a Sunday night when nothing such as a backup or other intense operation was happening. The server kept crashing after the initial time and the only way to stop it was to boot into Safe Mode and we ended up rebuilding the server. Along with ntoskrnl.exe on each crash, each of the 12 minidumps lists one of these as the cause. This is from the first crash and happened only once: Fs_Rec.sys (File System Recognizer Driver) This was listed as the cause on 9 of the subsequent crashes. I believe it’s from the Guardium application, which is used for monitoring of database servers. Nptrc.sys This one twice: CLFSYS.SYS (Common Log File System Driver) The Bug Check String for all of them is REFERENCE_BY_POINTER and the Bug Check Code is 0x00000018. Is this enough information for someone to give an opinion as to what is the likely root cause, or maybe what else to look for? It’s hard for me to blame the Guardium application since it wasn’t shown as the cause on all of the crashes. CONFIDENTIALITY NOTICE: This communication and its attachments may contain non-public, confidential, or legally privileged information including HIPAA-protected PHI. The interception, use or disclosure of such information is prohibited. If you are not the intended recipient, or have received this information in error, please notify the sender immediately by reply email and delete all copies of this message and attachments without reading, saving, or further distributing them.
