Blue Screen of Death (BSOD) pointing to ntfs.sys as the culprit on a PGP Whole Disk Encryption volume


Article ID: 157937


Products

Symantec Products

Issue/Introduction

The customer is seeing a BSOD error on Windows 7 64-bit.

Ntfs.sys - Address FFFFF880018DB07 base at FFFFF88001832000, DateStamp 4d7999d6

The following is the stack trace:

        fffff880`0c23cf78 fffff800`03767bc2 nt!DbgBreakPointWithStatus
        fffff880`0c23cf80 fffff800`037689ae nt!KiBugCheckDebugBreak+0x12
        fffff880`0c23cfe0 fffff800`036716c4 nt!KeBugCheck2+0x71e
        fffff880`0c23d6b0 fffff880`0182cb68 nt!KeBugCheckEx+0x104
        fffff880`0c23d6f0 fffff880`0182b247 Ntfs! ?? ::FNODOBFM::`string'+0x2b19
        fffff880`0c23d730 fffff800`0369f59c Ntfs! ?? ::FNODOBFM::`string'+0xfd8
        fffff880`0c23d760 fffff800`03696cad nt!_C_specific_handler+0x8c
        fffff880`0c23d7d0 fffff800`0369e310 nt!RtlpExecuteHandlerForException+0xd
        fffff880`0c23d800 fffff800`036ab36f nt!RtlDispatchException+0x410
        fffff880`0c23dee0 fffff800`03670c02 nt!KiDispatchException+0x16f
        fffff880`0c23e570 fffff800`0366f77a nt!KiExceptionDispatch+0xc2
        fffff880`0c23e750 fffff880`018c782c nt!KiPageFault+0x23a (TrapFrame @ fffff880`0c23e750)
        fffff880`0c23e8e0 fffff880`01838829 Ntfs!NtfsCommonCleanup+0x111c
        fffff880`0c23ecf0 fffff800`03669447 Ntfs!NtfsCommonCleanupCallout+0x19
        fffff880`0c23ed20 fffff800`03669401 nt!KySwitchKernelStackCallout+0x27 (TrapFrame @ fffff880`0c23ebe0)
        fffff880`037a81b0 fffff800`03680eba nt!KiSwitchKernelStackContinue
        fffff880`037a81d0 fffff880`018383e2 nt!KeExpandKernelStackAndCalloutEx+0x29a
        fffff880`037a82b0 fffff880`018d7324 Ntfs!NtfsCommonCleanupOnNewStack+0x42
        fffff880`037a8320 fffff880`04861792 Ntfs!NtfsFsdCleanup+0x144
        fffff880`037a8590 fffff880`010016af dgfsmon+0xe792
        fffff880`037a85e0 fffff800`039832ef fltmgr!FltpDispatch+0x9f
        fffff880`037a8640 fffff800`03969194 nt!IopCloseFile+0x11f
        fffff880`037a86d0 fffff800`03982de1 nt!ObpDecrementHandleCount+0xb4
        fffff880`037a8750 fffff800`03982cf4 nt!ObpCloseHandleTableEntry+0xb1
        fffff880`037a87e0 fffff800`03670813 nt!ObpCloseHandle+0x94
        fffff880`037a8830 fffff800`0366cdb0 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`037a8830)
        fffff880`037a89c8 fffff880`01024153 nt!KiServiceLinkage
        fffff880`037a89d0 fffff880`01025361 fltmgr!FltpExpandShortNames+0x283
        fffff880`037a8a30 fffff880`0102513e fltmgr!FltpGetNormalizedFileNameWorker+0xc1
        fffff880`037a8a70 fffff880`0100654b fltmgr!FltpCreateFileNameInformation+0xee
        fffff880`037a8ad0 fffff880`010235ef fltmgr!FltpGetFileNameInformation+0x26b
        fffff880`037a8b50 fffff880`015c2962 fltmgr!FltGetFileNameInformationUnsafe+0x7f
        fffff880`037a8bc0 fffff880`01030f13 fileinfo!FIStreamQueryWorker+0x9e
        fffff880`037a8c30 fffff800`0367e801 fltmgr!FltpProcessGenericWorkItem+0x43
        fffff880`037a8c70 fffff800`0391096a nt!ExpWorkerThread+0x111
        fffff880`037a8d00 fffff800`0364fac6 nt!PspSystemThreadStartup+0x5a
        fffff880`037a8d40 00000000`00000000 nt!KxStartSystemThread+0x16

Cause

It appears to be an issue related to the Verdasys Digital Guardian Endpoint software (dgfsmon.sys) and fltmgr.sys. Symantec Engineering is still investigating whether our software is involved in the issue. The customer reported that the problem goes away when the drive is not encrypted.

It could possibly be related to our Netshare driver, but this has not been confirmed yet.
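
The reading of the trace behind this cause can be checked mechanically. The following Python sketch is an added example, not Symantec's code or tooling: it rejoins wrapped frames, reports the call site that took the page fault, the first caller outside nt and the faulting module, and every module not in an assumed in-box list. The INBOX set, the function names and the result keys are assumptions made for this example.

```python
import re

# Constructed sample: frames taken from this page's trace, with line wraps
# inserted mid-frame so the parser has to rejoin them.
SAMPLE = """\
fffff880`0c23e750 fffff880`018c782c nt!KiPageFault+0x23a (TrapFrame @
fffff880`0c23e750)
fffff880`0c23e8e0 fffff880`01838829 Ntfs!NtfsCommonCleanup+0x111c
fffff880`037a81d0 fffff880`018383e2 nt!
KeExpandKernelStackAndCalloutEx+0x29a
fffff880`037a8320 fffff880`04861792 Ntfs!NtfsFsdCleanup+0x144
fffff880`037a8590 fffff880`010016af dgfsmon+0xe792
fffff880`037a85e0 fffff800`039832ef fltmgr!FltpDispatch+0x9f
fffff880`037a8640 fffff800`03969194 nt!IopCloseFile+0x11f
"""

ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME = re.compile(rf"^{ADDR}\s+{ADDR}\s+(\S.*)$", re.I)
# Assumption: the modules treated as Windows in-box components for this trace.
INBOX = {"nt", "ntfs", "fltmgr", "fileinfo"}


def parse_frames(text):
    """Return [(module, call_site)], newest frame first, rejoining wrapped lines."""
    sites = []
    for line in (l.strip() for l in text.splitlines()):
        m = FRAME.match(line)
        if m:
            sites.append(m.group(1))
        elif line and sites:  # continuation of the previous frame
            sites[-1] += ("" if sites[-1].endswith("!") else " ") + line
    frames = []
    for site in sites:
        call = site.split(" (")[0]  # drop "(TrapFrame @ ...)" annotations
        frames.append((re.split(r"[!+]", call, maxsplit=1)[0], call))
    return frames


def triage(text):
    """Name the faulting call site, the first caller outside nt and the
    faulting module, and every module on the stack that is not in INBOX."""
    frames = parse_frames(text)
    idx = next((i for i, f in enumerate(frames) if f[1].startswith("nt!KiPageFault")), None)
    faulting = caller = None
    if idx is not None and idx + 1 < len(frames):
        fault_mod, faulting = frames[idx + 1]  # frame listed right below the trap
        skip = {"nt", fault_mod}
        caller = next((c for m, c in frames[idx + 2:] if m not in skip), None)
    third_party = sorted({m for m, _ in frames if m.lower() not in INBOX})
    return {"faulting": faulting, "entered_from": caller, "third_party": third_party}
```

A frame such as dgfsmon+0xe792 that resolves only to a module offset has no symbols loaded, which is typical of a third-party driver.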

Resolution

 

Symantec Corporation is committed to product quality and satisfied customers. This issue is currently being considered by Symantec Corporation to be addressed in a forthcoming version or Maintenance Pack of the product. Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.

The following is a known temporary workaround for the issue until the version/maintenance pack is released:

1. Decrypt the volume using the PGP Whole Disk Encryption recovery image recorded to a CD-R.
2. Reboot into safe mode after decryption.
3. Run chkdsk c: /f.
4. Reboot into safe mode again and run sfc /scannow.
5. Reboot the machine.

The system should now be operable again.

Another option is to reimage the machine.


Applies To

Windows 7 64-bit Enterprise Edition

Lenovo T400, T410, and T420 models