Martin Ehrhard


Windows 2008 R2 SP1 Hyper-V BSOD (0x00000050 PAGE_FAULT_IN_NONPAGED_AREA win32k.sys)

We have a Windows 2008 R2 SP1 host Hyper-V Server that has a BSOD issue on one of the VM guest instances. The VM instance is running Windows 2008 R2 SP1 as a Terminal Server. The Terminal server is running the Microsoft Dynamics SL 2011 client.

Not sure if it is related, but it started the day after a restore of the environment. Everything is working fine on the server; it just seems to encounter a stop error once a day. The other VM guest instance is running with no issues.

I know BSODs are in many cases hardware related, especially with it being a "PAGE_FAULT_IN_NONPAGED_AREA" stop error. I powered down the VM and ran the Windows memory check and it came back clean. I am considering installing SP2 but this is a production environment and I want to take every precaution.

Any advice would be awesome. Not sure what further analysis I could be doing.


Here is the analysis from the latest mini dump:

Product: Server, suite: TerminalServer
Built by: 7601.18409.amd64fre.win7sp1_gdr.140303-2144
Machine Name:
Kernel base = 0xfffff800`01605000 PsLoadedModuleList = 0xfffff800`01848890
Debug session time: Tue Jun 17 10:56:57.942 2014 (UTC - 4:00)
System Uptime: 0 days 23:09:19.462
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff960000f1e68, memory referenced.
Arg2: 0000000000000008, value 0 = read operation, 1 = write operation.
Arg3: fffff960000f1e68, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 0000000000000007, (reserved)

Debugging Details:
------------------


Could not read faulting driver name
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

WRITE_ADDRESS: GetPointerFromAddress: unable to read from fffff800018b2100
GetUlongFromAddress: unable to read from fffff800018b21c0
 fffff960000f1e68

FAULTING_IP:
win32k+b1e68
fffff960`000f1e68 ??              ???

MM_INTERNAL_CODE:  7

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER

BUGCHECK_STR:  0x50

PROCESS_NAME:  0152000.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8800d0f5140 -- (.trap 0xfffff8800d0f5140)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff900c2320010 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff960000f1e68 rsp=fffff8800d0f52d0 rbp=fffff8800d0f5440
 r8=fffff80001605000  r9=0000000000000000 r10=fffffffffffffffe
r11=fffff8800d0f5000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
win32k+0xb1e68:
fffff960`000f1e68 ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800016f753b to fffff8000167abc0

STACK_TEXT:  
fffff880`0d0f4fd8 fffff800`016f753b : 00000000`00000050 fffff960`000f1e68 00000000`00000008 fffff880`0d0f5140 : nt!KeBugCheckEx
fffff880`0d0f4fe0 fffff800`01678cee : 00000000`00000008 fffff960`000f1e68 fffff880`0d0f5200 00000000`0029100e : nt! ?? ::FNODOBFM::`string'+0x43781
fffff880`0d0f5140 fffff960`000f1e68 : fffffa80`0d7c8b90 fffff800`01683aba 00000000`0000003b fffff960`000f3eef : nt!KiPageFault+0x16e
fffff880`0d0f52d0 fffffa80`0d7c8b90 : fffff800`01683aba 00000000`0000003b fffff960`000f3eef fffffa80`05b64911 : win32k+0xb1e68
fffff880`0d0f52d8 fffff800`01683aba : 00000000`0000003b fffff960`000f3eef fffffa80`05b64911 fffffa80`05b649a0 : 0xfffffa80`0d7c8b90
fffff880`0d0f52e0 00000000`00000000 : fffffa80`03576210 fffff800`016acbd7 00000000`00000000 fffff680`00025e80 : nt!ExReleaseResourceAndLeavePriorityRegion+0x12


STACK_COMMAND:  kb

FOLLOWUP_IP:
win32k+b1e68
fffff960`000f1e68 ??              ???

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  win32k+b1e68

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  X64_0x50_win32k+b1e68

BUCKET_ID:  X64_0x50_win32k+b1e68

Followup: MachineOwner
rindi

It references this program:

 0152000.exe

If you know what that program is, check if the file is still the original. If you don't know what it is, chances are that it belongs to malware. Scan the system for malware using Malwarebytes:

http://malwarebytes.org
Martin Ehrhard

ASKER

That is one of the SL payment screens. The SL application is broken up into many .exe for each screen. I probably should have included that.

There were 3 different minidumps each one referencing a different SL screen .exe. Which makes sense considering that is the app they are using on the terminal server.

Thanks!
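Comparing several minidumps, as described in the reply above, can be scripted. This is an added example, not part of the original thread: it parses the text of `!analyze -v` reports and groups them by failure bucket to show which fields stay constant while the process name changes. The report template reuses the field values from the dump in the question; the second and third process names are placeholders, and treating the other two dumps as sharing the same bucket is an assumption.

```python
import re
from collections import defaultdict

FIELD_RE = re.compile(
    r"^(BUGCHECK_STR|PROCESS_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s+(\S+)", re.M)
ARG_RE = re.compile(r"^Arg([1-4]):\s+([0-9a-fA-F]{16})", re.M)

def parse_analysis(text):
    """Extract the triage fields from one '!analyze -v' text report."""
    rec = {name.lower(): value for name, value in FIELD_RE.findall(text)}
    args = {int(n): int(v, 16) for n, v in ARG_RE.findall(text)}
    rec["args"] = args
    # For bugcheck 0x50 the report labels Arg1 as the memory referenced and
    # Arg3 as the instruction address. Equal values mean the fault was taken
    # on the instruction's own address, not on data it touched.
    rec["fault_at_instruction"] = bool(args.get(3)) and args.get(1) == args.get(3)
    return rec

def summarize(reports):
    """Map each failure bucket to the sorted process names seen with it."""
    buckets = defaultdict(set)
    for rec in reports:
        bucket = rec.get("failure_bucket_id", "unknown")
        buckets[bucket].add(rec.get("process_name", "unknown"))
    return {bucket: sorted(names) for bucket, names in buckets.items()}

# Constructed input: field values copied from the dump in the question; only
# the process name varies. The second and third names are placeholders.
TEMPLATE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffff960000f1e68, memory referenced.
Arg2: 0000000000000008, value 0 = read operation, 1 = write operation.
Arg3: fffff960000f1e68, If non-zero, the instruction address
Arg4: 0000000000000007, (reserved)
BUGCHECK_STR:  0x50
PROCESS_NAME:  {proc}
IMAGE_NAME:  win32k.sys
FAILURE_BUCKET_ID:  X64_0x50_win32k+b1e68
"""
PROCESSES = ["0152000.exe", "placeholder_b.exe", "placeholder_c.exe"]

def demo():
    reports = [parse_analysis(TEMPLATE.format(proc=p)) for p in PROCESSES]
    return reports, summarize(reports)

if __name__ == "__main__":
    reports, summary = demo()
    for bucket, names in summary.items():
        print(bucket, "<-", ", ".join(names))
    print("fault at instruction address:", reports[0]["fault_at_instruction"])
```

A single bucket listed with several process names means the faulting location is the same regardless of which client executable was in context when the stop occurred.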
That would make that tool suspect. Maybe it is the cause of the crash and you should contact its maintainers.
ASKER CERTIFIED SOLUTION
Martin Ehrhard

Update: Going on day 2 with no BSOD. Seems odd that a USB drive would cause an issue like this.

Also, a correction from above: there is no SP2 for Windows 2008 R2, only for Windows 2008.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.