Open system recovery causes bluescreen 0x00000050 with ntfs.sys

Question

Open system recovery causes bluescreen 0x00000050 with ntfs.sys

Since yesterday my computer crashes with a bluescreen 0x00000050 as soon as I do something with the system restore. For example (tried to translate from german to english so the exact programname could be different):

Windows system settings/System and Safety/System/Computersafety and when I try to change to the tab Computersafety it gives me the bluescreen.
CCleaner->Tools/Systemrestore - shows me the new tab short but
without a restore point but results after 1-2 seconds in the same
bluescreen
Cobian Backup Boletus-> Start a backup task with the enabled option
"Use Volume Shadow Copy" results with this bluescreen.
Leaving the computer for some minutes in idle results in a bluescreen (maybe the system tries to create a resore point or the cobian
backup starts or something like this)
Installing a new driver results in a bluescreen because it tries to
create a new restore point before installing the driver

The harddisk is checked with chkdsk and it found no errors. Ram is checked with Memtest+ without any error.

Minidump result:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff981155026a8, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8800121a460, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000005, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002eba100
 fffff981155026a8 

FAULTING_IP: 
Ntfs!memmove+250
fffff880`0121a460 488b440af8      mov     rax,qword ptr [rdx+rcx-8]

MM_INTERNAL_CODE:  5

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  System

CURRENT_IRQL:  0

TRAP_FRAME:  fffff88002fa3d60 -- (.trap 0xfffff88002fa3d60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000020 rbx=0000000000000000 rcx=fffff981155026d8
rdx=ffffffffffffffd8 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8800121a460 rsp=fffff88002fa3ef8 rbp=fffff98015502728
 r8=00000000ffffff68  r9=0000000007fffffb r10=0000000000000001
r11=fffff98015502770 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
Ntfs!memmove+0x250:
fffff880`0121a460 488b440af8      mov     rax,qword ptr [rdx+rcx-8] ds:fffff981`155026a8=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80002c323bf to fffff80002c87c40

STACK_TEXT:  
fffff880`02fa3bf8 fffff800`02c323bf : 00000000`00000050 fffff981`155026a8 00000000`00000000 fffff880`02fa3d60 : nt!KeBugCheckEx
fffff880`02fa3c00 fffff800`02c85d6e : 00000000`00000000 fffff981`155026a8 00000000`00000000 00000000`00000028 : nt! ?? ::FNODOBFM::`string'+0x44791
fffff880`02fa3d60 fffff880`0121a460 : fffff880`012a65a8 00000000`00000028 fffff880`02fa3f50 fffff8a0`00000400 : nt!KiPageFault+0x16e
fffff880`02fa3ef8 fffff880`012a65a8 : 00000000`00000028 fffff880`02fa3f50 fffff8a0`00000400 00000000`00000001 : Ntfs!memmove+0x250
fffff880`02fa3f00 fffff880`012a6740 : fffff8a0`03103070 fffff800`02e28260 fffff8a0`03103070 fffff980`15502400 : Ntfs!NtfsRestartInsertSimpleRoot+0x50
fffff880`02fa3f40 fffff880`012caa2f : fffffa80`01b4fd40 fffffa80`025f3180 fffff880`02fa40d8 fffff880`02fa4110 : Ntfs!InsertSimpleRoot+0xb8
fffff880`02fa4010 fffff880`01281d3b : 00000000`00000000 fffff8a0`03103070 fffff880`02fa40d8 fffff880`02fa4168 : Ntfs!AddToIndex+0xcf
fffff880`02fa4090 fffff880`0129dda5 : fffffa80`01b4fd40 fffff8a0`03103070 fffff8a0`0d7e8518 fffffa80`00000000 : Ntfs!NtOfsAddRecords+0x167
fffff880`02fa4270 fffff880`012ce520 : fffffa80`01b4fd40 fffff8a0`0d7e8510 00000000`0008a0fc 00000000`0008a100 : Ntfs!GetSecurityIdFromSecurityDescriptorUnsafe+0x1fd
fffff880`02fa4320 fffff880`0127d532 : fffffa80`01b4fd40 fffffa80`025f3180 00000000`00000000 fffff980`15502d00 : Ntfs!NtfsCacheSharedSecurityByDescriptor+0xa0
fffff880`02fa4370 fffff880`012955ed : fffffa80`01b4fd40 fffffa80`025f3180 fffff800`02e28260 00000000`00000000 : Ntfs! ?? ::NNGAKEGL::`string'+0x11530
fffff880`02fa43f0 fffff880`01228b0c : fffffa80`01b4fd40 fffff880`01252a00 fffffa80`01b4fd40 fffff8a0`0a0c1010 : Ntfs!NtfsUpdateFcbInfoFromDisk+0x4fe
fffff880`02fa4540 fffff880`012f3592 : fffffa80`01b4fd40 00000000`00000000 00000000`00000000 fffff8a0`0a0c1010 : Ntfs!NtfsInitializeDirectory+0x254
fffff880`02fa4650 fffff880`012ed3fa : fffffa80`01b4fd40 fffffa80`025f3180 00000000`00000000 fffffa80`025f3180 : Ntfs!NtfsInitializeExtendDirectory+0x3d6
fffff880`02fa4810 fffff880`0128880d : 00000000`00000000 fffffa80`024e4010 00000000`00000001 00000000`00000000 : Ntfs!NtfsMountVolume+0x1691
fffff880`02fa4b50 fffff880`0120f985 : 00000000`00000000 00000000`00000000 fffffa80`01b4fd40 fffff800`02c8ff93 : Ntfs!NtfsCommonFileSystemControl+0x59
fffff880`02fa4b90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Ntfs!NtfsFspDispatch+0x2ad


STACK_COMMAND:  kb

FOLLOWUP_IP: 
Ntfs!memmove+250
fffff880`0121a460 488b440af8      mov     rax,qword ptr [rdx+rcx-8]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  Ntfs!memmove+250

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Ntfs

IMAGE_NAME:  Ntfs.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4d79997b

FAILURE_BUCKET_ID:  X64_0x50_Ntfs!memmove+250

BUCKET_ID:  X64_0x50_Ntfs!memmove+250

Followup: MachineOwner
---------

I disabled the Cobian backup program and disabled the system restore with the help of Windows PowerShell (disable-computerrestore -drive "C:\") and everything works fine for now. But I want the system restore/volume shadow copy back. What can I do?

Operating system is Windows 7 Professional 64bit.

Screenshot of NirSoft BlueScreenView:

NirSoft BlueScreenView

I managed to solve this question myself.

windows-7

system-restore

volume-shadow-copy

asked on Super User Aug 18, 2011 by

hitzi • edited Mar 20, 2017 by

Community

2 Answers

In a similar situation, I solved the problem by doing a clean reinstallation of Win 7:

I downloaded the Knoppix CD (not the DVD version, as I just wanted to boot to Linux) and deleted the SYSTEM VOLUME INFORMATION directory.

I recreated the same volume, so it was present in Windows after the reboot. I then rebooted WIN 7 and created a new restore point. As a test, I restored to this point and it all worked fine.

answered on Super User Jan 22, 2013 by

Richard Drygas • edited Jan 22, 2013 by

Jonathan Garber

It looks like there was a problem with some of the automatic created restore point files. I booted with Knoppix and removed everything from "System Volume Information" to a backup directory so I had a empty "System Volume Information" folder. Reboot to Windows and everything is working fine again with the System Volume Shadow service and the system restore.

answered on Super User Jan 25, 2013 by

hitzi

User contributions licensed under CC BY-SA 3.0