Status: Unresolved, workaround provided.
Update 121122: Closing the loop... this was never actually resolved, and our customer agreed to use the workaround of disabling scardhook.dll.
Update 110818: Citrix found that it's likely that a cryptographic service provider (CSP) installed on the machine is not functioning as it should. We have asked the customer to engage the developer of the CSP.
Update 110705: After disabling scardhook.dll (Citrix) we did not see the problem anymore. The customer has a case open with Citrix now, and we're further working on this together.
Update 110522: End of last week I've opened a Request For Collaboration (RFC) with our Sustained Engineering (SE) team, in order to get further assistance on this issue. Stay tuned for updates to this post!
Update 110518: Researching a new memory dump shows the identical issue, also after removing ForeFront. We did this because a similar problem was resolved in the ForeFront Client update of October 2010. If you are running ForeFront, please ensure this update (and later updates) are applied on all your machines. Further research on the dump(s) is needed to find the root cause. Also, turns out this is not only related to index.dat, although redirecting this file and similar files may increase the frequency of the hang. Stay tuned! :)
Today my colleague Sonny and I had a look at a memory dump of a freezing machine. The root cause of this looks to be in rdbss.sys, but it's triggered because the Internet Explorer cache index.dat is redirected. This is causing "stress" on the Redirector, thus eventually hanging the machine.
Looking at the various stacks, the most significant one to indicate this issue is:
0: kd> knL e # Child-SP RetAddr Call Site00 fffff880`24c341f0 fffff800`01693992 nt!KiSwapContext+0x7a01 fffff880`24c34330 fffff800`016961af nt!KiCommitThreadWait+0x1d202 fffff880`24c343c0 fffff880`02626bcb nt!KeWaitForSingleObject+0x19f03 fffff880`24c34460 fffff880`0263599b rdbss!RxLowIoSubmit+0x2c304 fffff880`24c344c0 fffff880`0260d46d rdbss!RxLowIoWriteShell+0x7f05 fffff880`24c344f0 fffff880`026358ce rdbss!RxCommonFileWrite+0x1be906 fffff880`24c34660 fffff880`02604684 rdbss!RxCommonWrite+0xe607 fffff880`24c34690 fffff880`02621b44 rdbss!RxFsdCommonDispatch+0x87008 fffff880`24c34780 fffff880`031ce2cc rdbss!RxFsdDispatch+0x22409 fffff880`24c347f0 fffff880`0190b271 mrxsmb!MRxSmbFsdDispatch+0xc00a fffff880`24c34830 fffff880`01909138 mup!MupiCallUncProvider+0x1610b fffff880`24c348a0 fffff880`01909b0d mup!MupStateMachine+0x1280c fffff880`24c348f0 fffff880`01287bcf mup!MupFsdIrpPassThrough+0x12d0d fffff880`24c34940 fffff880`012866df fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
To get to this stack, use !locks command and look for output similar to:
Resource @ 0xfffffa800a99b360 Exclusively owned Contention Count = 4 NumberOfSharedWaiters = 2 NumberOfExclusiveWaiters = 2 Threads: fffffa800ae33060-02<*> fffffa800a98f060-01 fffffa800a9c65c0-01 Threads Waiting On Exclusive Access: fffffa800a7ea900 fffffa800a9f3b60
The thread marked with the asterisk (*) is the owner of the resource, and the thread of which the stack is above.
If you look at the IRPs related to the above thread using the !irp and the !fileobj extensions, you will see a FileObject similar to:
We are currently further investigating this. Expect an update shortly. Please mail me when you think you have this issue.