bsod BSOD From covefs.sys

Jonathan Doe · June 19, 2025

0x0000003b (SYSTEM_SERVICE_EXCEPTION), 0x00000000c0000005 (STATUS_ACCESS_VIOLATION)

Looks like it came from the Drive Pool driver covefs.sys
Was not doing anything at the time, just watching YouTube.
Here is the mini dump analysis.

OS Name Microsoft Windows 11 Pro
Version 10.0.26100 Build 26100

Loading Kernel Symbols
...............................................................
................................................................
................................................................
...........................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000a2`a5d9e018).  Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the BugCheck
Arg2: fffff8043260ad90, Address of the instruction which caused the BugCheck
Arg3: ffffc00395905e70, Address of the context record for the exception that caused the BugCheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


KEY_VALUES_STRING: 1

    Key  : Analysis.CPU.mSec
    Value: 2828

    Key  : Analysis.Elapsed.mSec
    Value: 14782

    Key  : Analysis.IO.Other.Mb
    Value: 6

    Key  : Analysis.IO.Read.Mb
    Value: 1

    Key  : Analysis.IO.Write.Mb
    Value: 25

    Key  : Analysis.Init.CPU.mSec
    Value: 703

    Key  : Analysis.Init.Elapsed.mSec
    Value: 22700

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 109

    Key  : Analysis.Version.DbgEng
    Value: 10.0.27829.1001

    Key  : Analysis.Version.Description
    Value: 10.2503.24.01 amd64fre

    Key  : Analysis.Version.Ext
    Value: 1.2503.24.1

    Key  : Bugcheck.Code.LegacyAPI
    Value: 0x3b

    Key  : Bugcheck.Code.TargetModel
    Value: 0x3b

    Key  : Dump.Attributes.AsUlong
    Value: 0x31808

    Key  : Dump.Attributes.DiagDataWrittenToHeader
    Value: 1

    Key  : Dump.Attributes.ErrorCode
    Value: 0x0

    Key  : Dump.Attributes.KernelGeneratedTriageDump
    Value: 1

    Key  : Dump.Attributes.LastLine
    Value: Dump completed successfully.

    Key  : Dump.Attributes.ProgressPercentage
    Value: 0

    Key  : Failure.Bucket
    Value: AV_covefs!unknown_function

    Key  : Failure.Exception.IP.Address
    Value: 0xfffff8043260ad90

    Key  : Failure.Exception.IP.Module
    Value: covefs

    Key  : Failure.Exception.IP.Offset
    Value: 0x1ad90

    Key  : Failure.Hash
    Value: {7cad1321-1941-4021-08cd-a07036d91dd0}

    Key  : Hypervisor.Enlightenments.ValueHex
    Value: 0x7497cf94

    Key  : Hypervisor.Flags.AnyHypervisorPresent
    Value: 1

    Key  : Hypervisor.Flags.ApicEnlightened
    Value: 1

    Key  : Hypervisor.Flags.ApicVirtualizationAvailable
    Value: 0

    Key  : Hypervisor.Flags.AsyncMemoryHint
    Value: 0

    Key  : Hypervisor.Flags.CoreSchedulerRequested
    Value: 0

    Key  : Hypervisor.Flags.CpuManager
    Value: 1

    Key  : Hypervisor.Flags.DeprecateAutoEoi
    Value: 0

    Key  : Hypervisor.Flags.DynamicCpuDisabled
    Value: 1

    Key  : Hypervisor.Flags.Epf
    Value: 0

    Key  : Hypervisor.Flags.ExtendedProcessorMasks
    Value: 1

    Key  : Hypervisor.Flags.HardwareMbecAvailable
    Value: 1

    Key  : Hypervisor.Flags.MaxBankNumber
    Value: 0

    Key  : Hypervisor.Flags.MemoryZeroingControl
    Value: 0

    Key  : Hypervisor.Flags.NoExtendedRangeFlush
    Value: 0

    Key  : Hypervisor.Flags.NoNonArchCoreSharing
    Value: 1

    Key  : Hypervisor.Flags.Phase0InitDone
    Value: 1

    Key  : Hypervisor.Flags.PowerSchedulerQos
    Value: 0

    Key  : Hypervisor.Flags.RootScheduler
    Value: 0

    Key  : Hypervisor.Flags.SynicAvailable
    Value: 1

    Key  : Hypervisor.Flags.UseQpcBias
    Value: 0

    Key  : Hypervisor.Flags.Value
    Value: 38408431

    Key  : Hypervisor.Flags.ValueHex
    Value: 0x24a10ef

    Key  : Hypervisor.Flags.VpAssistPage
    Value: 1

    Key  : Hypervisor.Flags.VsmAvailable
    Value: 1

    Key  : Hypervisor.RootFlags.AccessStats
    Value: 1

    Key  : Hypervisor.RootFlags.CrashdumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.CreateVirtualProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.DisableHyperthreading
    Value: 0

    Key  : Hypervisor.RootFlags.HostTimelineSync
    Value: 1

    Key  : Hypervisor.RootFlags.HypervisorDebuggingEnabled
    Value: 0

    Key  : Hypervisor.RootFlags.IsHyperV
    Value: 1

    Key  : Hypervisor.RootFlags.LivedumpEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.MapDeviceInterrupt
    Value: 1

    Key  : Hypervisor.RootFlags.MceEnlightened
    Value: 1

    Key  : Hypervisor.RootFlags.Nested
    Value: 0

    Key  : Hypervisor.RootFlags.StartLogicalProcessor
    Value: 1

    Key  : Hypervisor.RootFlags.Value
    Value: 1015

    Key  : Hypervisor.RootFlags.ValueHex
    Value: 0x3f7


BUGCHECK_CODE:  3b

BUGCHECK_P1: c0000005

BUGCHECK_P2: fffff8043260ad90

BUGCHECK_P3: ffffc00395905e70

BUGCHECK_P4: 0

FILE_IN_CAB:  061925-20281-01.dmp

DUMP_FILE_ATTRIBUTES: 0x31808
  Kernel Generated Triage Dump

FAULTING_THREAD:  ffffc10dff4350c0

CONTEXT:  ffffc00395905e70 -- (.cxr 0xffffc00395905e70)
rax=fffff8043260ad90 rbx=0000000000000000 rcx=ffffc00395906940
rdx=205571a7fbe4fe80 rsi=ffffe28f3dd8d660 rdi=0000000000000000
rip=fffff8043260ad90 rsp=ffffc003959068c8 rbp=fffff8043260ad90
 r8=000000000000006d  r9=000000000000006d r10=ffffc10e31ef53ee
r11=fffff4002f180004 r12=ffffc10e0e2bc970 r13=ffffc10e2802a600
r14=ffffe28f3dd8d660 r15=ffffc00395906940
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
covefs+0x1ad90:
fffff804`3260ad90 488b9270010000  mov     rdx,qword ptr [rdx+170h] ds:002b:205571a7`fbe4fff0=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

PROCESS_NAME:  Duplicati.Serv

STACK_TEXT:  
ffffc003`959068c8 fffff804`325f4a8c     : 00000000`00000000 fffff804`3260ad90 ffffe28f`3dd903b0 ffffc10e`0e2bca30 : covefs+0x1ad90
ffffc003`959068d0 00000000`00000000     : fffff804`3260ad90 ffffe28f`3dd903b0 ffffc10e`0e2bca30 ffffc10e`0e2bca30 : covefs+0x4a8c


SYMBOL_NAME:  covefs+1ad90

MODULE_NAME: covefs

IMAGE_NAME:  covefs.sys

STACK_COMMAND: .cxr 0xffffc00395905e70 ; kb

BUCKET_ID_FUNC_OFFSET:  1ad90

FAILURE_BUCKET_ID:  AV_covefs!unknown_function

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {7cad1321-1941-4021-08cd-a07036d91dd0}

Followup:     MachineOwner
---------

Thronic · June 19, 2025

PROCESS_NAME:  Duplicati.Serv

Was probably doing some reading and/or writing on your pool, and by extension, covefs.sys operations.

c0000005 is covefs.sys+0x1ad90 doing modifications to memory that's either protected or doesn't exist.

Maybe Duplicati is one of them low level doing-special-ntfs-tricks things. I might do a memtest while waiting for official answer.

Jonathan Doe · June 19, 2025

It is a bit odd. Duplicati was doing something at 1:05, according to the event viewer. But it was just logging that a connection attempt failed because the connected party did not properly respond after a period of time. The crash then happened at 1:40:13.

I would think it was doing a backup, however, The only logs suggesting it even considered starting a backup was after the reboot from the crash at 13:40:34. Duplicati is normally quite good with its logging, and if something started and it went south, it should of at least logged that it was starting a backup, then give an error on startup that it was unexpectedly interrupted and do a quick cleanup.

I have not had this problem before and been running fine for the last couple of months, so i don't think it would be some NTFS tricks, as it would of stumbled by now. It would also be showering me with warnings about database/data anomalies.

I did run a quick mem test and got a pass, as i new it was some memory violation and that was my first suspicion. But If memory corruption is the main suspect, i will let it run to get multiple passed tests. If not, it was a Black Swan event, Hopefully caused by a stray cosmic ray, and not some difficult to debug and reproduce Edge case bug.

Christopher (Drashna) · June 20, 2025

Make sure you have the latest version installed:
https://dl.covecube.com/DrivePoolWindows/release/download/StableBit.DrivePool_2.3.12.1683_x64_Release.exe
(There are some memory hardening things in there that may help)

Also, if you're still seeing BSOD's they should be reported to https://stablebit.com/Contact

(Also, you cut off the log right before it shows the memory operations, and are the most important part of the printout).

And the covefs.sys driver is our driver, and the pool driver, specifically.

Jonathan Doe · June 20, 2025

17 hours ago, Christopher (Drashna) said:

(Also, you cut off the log right before it shows the memory operations, and are the most important part of the printout).

That was everything from running !analyze -v on the mini dump... I've updated and If it happens again, I will just send the dump file to you guys via https://stablebit.com/Contact

Christopher (Drashna) · June 20, 2025

Usually the stack text has 10-12 lines, so it not is ... very odd.

And if it does happen again, I do recommend running the StableBit Troubleshooter after opening a ticket (so you can get the ticket ID, or just use 30727). The troubleshooter will compress the crash dumps, and upload them, along with other logs that tend to be useful.

Hopefully, you won't need to do that, but in case you do.

Jonathan Doe · June 21, 2025

Quote

Usually the stack text has 10-12 lines, so it not is ... very odd.

Nope... ran it again and them two lines is all it prints for the STACK_TEXT:
When i click "STACK_COMMAND: .cxr 0xffffc00395905e70 ; kb" This is the output.

0: kd> .cxr 0xffffc00395905e70 ; kb
rax=fffff8043260ad90 rbx=0000000000000000 rcx=ffffc00395906940
rdx=205571a7fbe4fe80 rsi=ffffe28f3dd8d660 rdi=0000000000000000
rip=fffff8043260ad90 rsp=ffffc003959068c8 rbp=fffff8043260ad90
 r8=000000000000006d  r9=000000000000006d r10=ffffc10e31ef53ee
r11=fffff4002f180004 r12=ffffc10e0e2bc970 r13=ffffc10e2802a600
r14=ffffe28f3dd8d660 r15=ffffc00395906940
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050202
covefs+0x1ad90:
fffff804`3260ad90 488b9270010000  mov     rdx,qword ptr [rdx+170h] ds:002b:205571a7`fbe4fff0=????????????????
  *** Stack trace for last set context - .thread/.cxr resets it
 # RetAddr               : Args to Child                                                           : Call Site
00 fffff804`325f4a8c     : 00000000`00000000 fffff804`3260ad90 ffffe28f`3dd903b0 ffffc10e`0e2bca30 : covefs+0x1ad90
01 00000000`00000000     : fffff804`3260ad90 ffffe28f`3dd903b0 ffffc10e`0e2bca30 ffffc10e`0e2bca30 : covefs+0x4a8c

Thanks for the help though. I know what to do if it happens again. 😊

Sign In

bsod BSOD From covefs.sys

Question

Jonathan Doe

6 answers to this question

Recommended Posts

Thronic

Jonathan Doe

Christopher (Drashna)

Jonathan Doe

Christopher (Drashna)

Jonathan Doe

Join the conversation

Browse

Activity