Solved

Windows2003 server crashes, need help to read dump files to solve it

Posted on 2007-11-25
Last Modified: 2012-06-27
I have used "Debugging tools for Windows" to capture the info from the minidump.
Opened log file 'c:\debuglog.txt'

1: kd> .sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols

1: kd> .reload;!analyze -v;r;kv;lmnt;.logclose;q 

Loading Kernel Symbols

.................................................................................................................

Loading User Symbols

Loading unloaded module list

.........

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************
 

REGISTRY_ERROR (51)

Something has gone badly wrong with the registry.  If a kernel debugger

is available, get a stack trace. It can also indicate that the registry got

an I/O error while trying to read one of its files, so it can be caused by

hardware problems or filesystem corruption.

It may occur due to a failure in a refresh operation, which is used only

in by the security system, and then only when resource limits are encountered.

Arguments:

Arg1: 00000004, (reserved)

Arg2: 00000001, (reserved)

Arg3: e6b975a8, depends on where Windows bugchecked, may be pointer to hive

Arg4: 00000080, depends on where Windows bugchecked, may be return code of

	HvCheckHive if the hive is corrupt.
 

Debugging Details:

------------------
 
 
 
 

CUSTOMER_CRASH_COUNT:  1
 

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
 

BUGCHECK_STR:  0x51
 

PROCESS_NAME:  winlogon.exe
 

CURRENT_IRQL:  0
 

LAST_CONTROL_TRANSFER:  from 808cfaad to 80827451
 

STACK_TEXT:  

a9d16a48 808cfaad 00000051 00000004 00000001 nt!KeBugCheckEx+0x1b

a9d16a6c 808c8205 00000000 00000080 00000000 nt!CmpAssignSecurityToKcb+0x61

a9d16a9c 808d9a6e e54bf008 00073838 d7cb483c nt!CmpCreateKeyControlBlock+0x285

a9d16b90 8093666b e7755ae8 00000000 89c61be8 nt!CmpParseKey+0x432

a9d16c10 80932de6 00000918 a9d16c50 00000040 nt!ObpLookupObjectName+0x11f

a9d16c64 808bafff 00000000 8b36ce70 0081f101 nt!ObOpenObjectByName+0xea

a9d16d50 80888c6c 0081f260 00020019 0081f1bc nt!NtOpenKey+0x1ad

a9d16d50 7c82ed54 0081f260 00020019 0081f1bc nt!KiFastCallEntry+0xfc

WARNING: Frame IP not in any known module. Following frames may be wrong.

0081f1fc 00000000 00000000 00000000 00000000 0x7c82ed54
 
 

STACK_COMMAND:  kb
 

FOLLOWUP_IP: 

nt!CmpAssignSecurityToKcb+61

808cfaad 807d1000        cmp     byte ptr [ebp+10h],0
 

SYMBOL_STACK_INDEX:  1
 

SYMBOL_NAME:  nt!CmpAssignSecurityToKcb+61
 

FOLLOWUP_NAME:  MachineOwner
 

MODULE_NAME: nt
 

IMAGE_NAME:  ntkrpamp.exe
 

DEBUG_FLR_IMAGE_TIMESTAMP:  42435b14
 

FAILURE_BUCKET_ID:  0x51_nt!CmpAssignSecurityToKcb+61
 

BUCKET_ID:  0x51_nt!CmpAssignSecurityToKcb+61
 

Followup: MachineOwner

---------
 

eax=f773713c ebx=00000001 ecx=00000000 edx=fffa32b0 esi=f7737120 edi=e6b975a8

eip=80827451 esp=a9d16a30 ebp=a9d16a48 iopl=0         nv up ei ng nz na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000286

nt!KeBugCheckEx+0x1b:

80827451 5d              pop     ebp

ChildEBP RetAddr  Args to Child              

a9d16a48 808cfaad 00000051 00000004 00000001 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])

a9d16a6c 808c8205 00000000 00000080 00000000 nt!CmpAssignSecurityToKcb+0x61 (FPO: [Non-Fpo])

a9d16a9c 808d9a6e e54bf008 00073838 d7cb483c nt!CmpCreateKeyControlBlock+0x285 (FPO: [Non-Fpo])

a9d16b90 8093666b e7755ae8 00000000 89c61be8 nt!CmpParseKey+0x432 (FPO: [Non-Fpo])

a9d16c10 80932de6 00000918 a9d16c50 00000040 nt!ObpLookupObjectName+0x11f (FPO: [Non-Fpo])

a9d16c64 808bafff 00000000 8b36ce70 0081f101 nt!ObOpenObjectByName+0xea (FPO: [Non-Fpo])

a9d16d50 80888c6c 0081f260 00020019 0081f1bc nt!NtOpenKey+0x1ad (FPO: [Non-Fpo])

a9d16d50 7c82ed54 0081f260 00020019 0081f1bc nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ a9d16d64)

WARNING: Frame IP not in any known module. Following frames may be wrong.

0081f1fc 00000000 00000000 00000000 00000000 0x7c82ed54

start    end        module name

80800000 80a53000   nt       ntkrpamp.exe Fri Mar 25 01:28:04 2005 (42435B14)

80a53000 80a7f000   hal      halaacpi.dll Fri Mar 25 01:28:37 2005 (42435B35)

bf800000 bf9d0000   win32k   win32k.sys   Thu Oct 06 02:37:08 2005 (434471B4)

bf9d0000 bf9e6000   dxg      dxg.sys      Fri Mar 25 01:27:25 2005 (42435AED)

bf9e6000 bfa49000   ati2dvag ati2dvag.dll Wed Jan 21 04:48:31 2004 (400DF68F)

bfa49000 bfb1d420   ati3d1ag ati3d1ag.dll Wed Jan 21 04:04:17 2004 (400DEC31)

bfb1e000 bfbc2a00   vdtw30   vdtw30.dll   Fri Feb 02 23:00:41 2007 (45C3B489)

bffa0000 bffea000   ATMFD    ATMFD.DLL    Fri Mar 25 03:30:36 2005 (424377CC)

f458a000 f45b7000   RDPWD    RDPWD.SYS    Wed Jun 15 17:33:14 2005 (42B04A3A)

f45b7000 f45f1180   WDICA    WDICA.SYS    Fri Feb 02 23:01:21 2007 (45C3B4B1)

f4662000 f4665100   icareduc icareduc.sys Fri Feb 02 23:00:59 2007 (45C3B49B)

f49f2000 f49fd000   TDTCP    TDTCP.SYS    Fri Mar 25 01:27:15 2005 (42435AE3)

f4a7a000 f4a7ca00   pdrframe pdrframe.sys Fri Feb 02 23:02:30 2007 (45C3B4F6)

f4ae2000 f4ae5000   lm78_32  lm78_32.sys  Fri Sep 16 17:40:51 2005 (432AE783)

f4af2000 f4b0e900   naiavf5x naiavf5x.sys Fri May 12 00:47:08 2006 (4463BEEC)

f5497000 f5499300   uphcleanhlp uphcleanhlp.sys Wed Apr 27 20:58:56 2005 (426FE0F0)

f5507000 f5573000   srv      srv.sys      Fri Sep 01 16:32:26 2006 (44F8447A)

f561b000 f561e300   pdcrypt1 pdcrypt1.sys Fri Feb 02 23:02:46 2007 (45C3B506)

f577b000 f57c5580   cdm      cdm.sys      Fri Feb 02 22:59:24 2007 (45C3B43C)

f580e000 f5810280   ctxsmcdrv ctxsmcdrv.sys Fri Feb 02 23:03:18 2007 (45C3B526)

f59ce000 f59e7e80   CtxSbx   CtxSbx.sys   Fri Feb 02 23:03:55 2007 (45C3B54B)

f5b00000 f5b03280   ctxpidmn ctxpidmn.sys Fri Feb 02 23:04:01 2007 (45C3B551)

f5b28000 f5c30000   dump_ql2300 dump_ql2300.sys Wed Aug 10 23:33:26 2005 (42FA72A6)

f5e5c000 f5e6d000   Fips     Fips.SYS     Fri Mar 25 01:40:33 2005 (42435E01)

f5e6d000 f5eed000   mrxsmb   mrxsmb.sys   Mon May 08 19:18:45 2006 (445F7D75)

f5f15000 f5f4e000   rdbss    rdbss.sys    Mon May 08 19:18:53 2006 (445F7D7D)

f5fee000 f6018000   afd      afd.sys      Fri Mar 25 01:40:43 2005 (42435E0B)

f6018000 f6049000   netbt    netbt.sys    Fri Mar 25 01:40:31 2005 (42435DFF)

f6049000 f60aa000   tcpip    tcpip.sys    Wed May 24 03:02:22 2006 (4473B09E)

f60aa000 f60c3000   ipsec    ipsec.sys    Fri Mar 25 01:40:49 2005 (42435E11)

f6153000 f6167000   usbhub   usbhub.sys   Fri Mar 25 01:30:46 2005 (42435BB6)

f6287000 f62c7000   update   update.sys   Fri Mar 25 01:40:27 2005 (42435DFB)

f62c7000 f62ef000   ks       ks.sys       Fri Mar 25 01:41:03 2005 (42435E1F)

f6317000 f634e000   rdpdr    rdpdr.sys    Fri Mar 25 01:30:20 2005 (42435B9C)

f634e000 f6361000   raspptp  raspptp.sys  Fri Mar 25 01:40:43 2005 (42435E0B)

f6361000 f637b000   ndiswan  ndiswan.sys  Fri Mar 25 01:40:46 2005 (42435E0E)

f637b000 f6390000   rasl2tp  rasl2tp.sys  Fri Mar 25 01:40:29 2005 (42435DFD)

f6390000 f63a5000   serial   serial.sys   Fri Mar 25 01:28:29 2005 (42435B2D)

f63a5000 f63c0000   VIDEOPRT VIDEOPRT.SYS Fri Mar 25 01:29:53 2005 (42435B81)

f63c0000 f647e000   ati2mtag ati2mtag.sys Wed Jan 21 04:48:06 2004 (400DF676)

f647e000 f64a8000   USBPORT  USBPORT.SYS  Fri Mar 25 01:30:43 2005 (42435BB3)

f64a8000 f64cad80   b57xp32  b57xp32.sys  Tue Oct 18 00:31:57 2005 (4354265D)

f68ac000 f68b9f00   CtxAltStr CtxAltStr.sys Fri Feb 02 23:25:45 2007 (45C3BA69)

f690c000 f691a000   NDProxy  NDProxy.SYS  Fri Mar 25 01:34:13 2005 (42435C85)

f691c000 f6925000   mssmbios mssmbios.sys Fri Mar 25 01:34:14 2005 (42435C86)

f692c000 f6936000   IPMI     IPMI.sys     Mon Jul 05 10:20:23 2004 (40E90F47)

f693c000 f6946000   mouclass mouclass.sys Tue Mar 25 08:03:09 2003 (3E7FFF2D)

f7008000 f709d000   Ntfs     Ntfs.sys     Fri Mar 25 01:40:29 2005 (42435DFD)

f709d000 f70c4000   KSecDD   KSecDD.sys   Fri Mar 25 01:28:53 2005 (42435B45)

f70c4000 f70e9000   fltmgr   fltmgr.sys   Fri Mar 25 01:30:25 2005 (42435BA1)

f70e9000 f70fc000   CLASSPNP CLASSPNP.SYS Fri Mar 25 01:40:23 2005 (42435DF7)

f70fc000 f711b000   SCSIPORT SCSIPORT.SYS Fri Mar 25 01:40:26 2005 (42435DFA)

f711b000 f712c000   symmpi   symmpi.sys   Mon Dec 13 22:03:14 2004 (41BE0392)

f712c000 f7146000   storport storport.sys Fri Mar 25 01:28:57 2005 (42435B49)

f7146000 f724e000   ql2300   ql2300.sys   Wed Aug 10 23:33:26 2005 (42FA72A6)

f724e000 f726a000   atapi    atapi.sys    Fri Mar 25 01:28:49 2005 (42435B41)

f726a000 f72a8000   hdlmdsm  hdlmdsm.sys  Thu Aug 04 04:43:29 2005 (42F180D1)

f72a8000 f72d2000   volsnap  volsnap.sys  Fri Mar 25 01:29:10 2005 (42435B56)

f72d2000 f72fe000   dmio     dmio.sys     Fri Mar 25 01:30:02 2005 (42435B8A)

f72fe000 f7325000   ftdisk   ftdisk.sys   Fri Mar 25 01:29:00 2005 (42435B4C)

f7325000 f733c000   mpio     mpio.sys     Thu Jul 07 10:01:23 2005 (42CCE153)

f733c000 f7352000   pci      pci.sys      Fri Mar 25 01:34:14 2005 (42435C86)

f7352000 f7386000   ACPI     ACPI.sys     Fri Mar 25 01:34:09 2005 (42435C81)

f7487000 f7490000   WMILIB   WMILIB.SYS   Tue Mar 25 08:13:00 2003 (3E80017C)

f7497000 f74a6000   isapnp   isapnp.sys   Tue Mar 25 08:16:35 2003 (3E800253)

f74a7000 f74b4000   PCIIDEX  PCIIDEX.SYS  Fri Mar 25 01:28:48 2005 (42435B40)

f74b7000 f74c7000   MountMgr MountMgr.sys Fri Mar 25 01:27:23 2005 (42435AEB)

f74c7000 f74d2000   PartMgr  PartMgr.sys  Fri Mar 25 01:40:34 2005 (42435E02)

f74d7000 f74e7000   disk     disk.sys     Fri Mar 25 01:28:58 2005 (42435B4A)

f74e7000 f74f3000   Dfs      Dfs.sys      Fri Mar 25 01:30:28 2005 (42435BA4)

f74f7000 f7500000   mpspfltr mpspfltr.sys Thu Jul 07 10:01:23 2005 (42CCE153)

f7507000 f7511000   crcdisk  crcdisk.sys  Fri Mar 25 01:29:40 2005 (42435B74)

f7547000 f7554000   Npfs     Npfs.SYS     Fri Mar 25 01:30:04 2005 (42435B8C)

f7557000 f7561000   Dxapi    Dxapi.sys    Tue Mar 25 08:06:01 2003 (3E7FFFD9)

f7567000 f7574000   wanarp   wanarp.sys   Fri Mar 25 01:34:07 2005 (42435C7F)

f7587000 f7590000   ndistapi ndistapi.sys Fri Mar 25 01:34:11 2005 (42435C83)

f7597000 f75a0000   watchdog watchdog.sys Fri Mar 25 01:30:19 2005 (42435B9B)

f75b7000 f75c2000   Msfs     Msfs.SYS     Fri Mar 25 01:30:04 2005 (42435B8C)

f75c7000 f75d3000   vga      vga.sys      Fri Mar 25 01:29:54 2005 (42435B82)

f75d7000 f75e6000   raspppoe raspppoe.sys Fri Mar 25 01:34:16 2005 (42435C88)

f75e7000 f75f4000   netbios  netbios.sys  Fri Mar 25 01:33:21 2005 (42435C51)

f7607000 f7611000   dump_storport dump_storport.sys Fri Mar 25 01:28:56 2005 (42435B48)

f7617000 f7622000   ptilink  ptilink.sys  Fri Mar 25 01:28:25 2005 (42435B29)

f7627000 f7630000   raspti   raspti.sys   Fri Mar 25 01:34:16 2005 (42435C88)

f7637000 f7641000   kbdclass kbdclass.sys Tue Mar 25 08:03:10 2003 (3E7FFF2E)

f7667000 f7675460   mvstdi5x mvstdi5x.sys Wed Feb 02 20:16:00 2005 (420126F0)

f7677000 f7682000   TDI      TDI.SYS      Fri Mar 25 01:35:34 2005 (42435CD6)

f7687000 f7696000   intelppm intelppm.sys Fri Mar 25 01:28:40 2005 (42435B38)

f7697000 f76a6000   termdd   termdd.sys   Fri Mar 25 01:27:15 2005 (42435AE3)

f76a7000 f76b5000   msgpc    msgpc.sys    Fri Mar 25 01:33:31 2005 (42435C5B)

f76b7000 f76c1000   serenum  serenum.sys  Fri Mar 25 01:28:27 2005 (42435B2B)

f76d1000 f7707000   NDIS     NDIS.sys     Fri Mar 25 01:40:26 2005 (42435DFA)

f7707000 f770f000   kdcom    kdcom.dll    Tue Mar 25 08:08:00 2003 (3E800050)

f770f000 f7717000   BOOTVID  BOOTVID.dll  Tue Mar 25 08:07:58 2003 (3E80004E)

f7717000 f771e000   pciide   pciide.sys   Tue Mar 25 08:04:46 2003 (3E7FFF8E)

f771f000 f7726000   dmload   dmload.sys   Tue Mar 25 08:08:08 2003 (3E800058)

f7727000 f772f000   dlmadrv  dlmadrv.sys  Thu Aug 04 04:43:29 2005 (42F180D1)

f772f000 f7736000   mpdev    mpdev.sys    Thu Jul 07 10:01:23 2005 (42CCE153)

f778f000 f7797000   EntDrv52 EntDrv52.sys Mon Apr 10 23:41:36 2006 (443AD110)

f779f000 f77a4180   usbuhci  usbuhci.sys  Fri Mar 25 01:30:45 2005 (42435BB5)

f77a7000 f77af000   audstub  audstub.sys  Tue Mar 25 08:09:12 2003 (3E800098)

f77af000 f77b7000   Fs_Rec   Fs_Rec.SYS   Tue Mar 25 08:08:36 2003 (3E800074)

f77b7000 f77be000   Null     Null.SYS     Tue Mar 25 08:03:05 2003 (3E7FFF29)

f77bf000 f77c6000   Beep     Beep.SYS     Tue Mar 25 08:03:04 2003 (3E7FFF28)

f77c7000 f77cd300   HIDPARSE HIDPARSE.SYS Fri Mar 25 01:30:36 2005 (42435BAC)

f77cf000 f77d7000   mnmdd    mnmdd.SYS    Tue Mar 25 08:07:53 2003 (3E800049)

f77d7000 f77df000   RDPCDD   RDPCDD.sys   Tue Mar 25 08:03:05 2003 (3E7FFF29)

f77df000 f77e7000   rasacd   rasacd.sys   Tue Mar 25 08:11:50 2003 (3E800136)

f77e7000 f77eb280   cdfdrv   cdfdrv.sys   Fri Feb 02 23:03:23 2007 (45C3B52B)

f77ef000 f77f6000   dxgthk   dxgthk.sys   Tue Mar 25 08:05:52 2003 (3E7FFFD0)

f7878000 f7897000   Mup      Mup.sys      Fri Mar 25 01:40:49 2005 (42435E11)

f799f000 f79a0280   swenum   swenum.sys   Fri Mar 25 01:27:42 2005 (42435AFE)

f79a1000 f79a2580   USBD     USBD.SYS     Tue Mar 25 08:10:39 2003 (3E8000EF)

f7aba000 f7abaf00   icacdd   icacdd.sys   Fri Feb 02 23:00:43 2007 (45C3B48B)
 

Unloaded modules:

f79e9000 f79eb000   pmemnt.sys

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f7997000 f7999000   pmemnt.sys

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f7997000 f7999000   pmemnt.sys

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f7577000 f7585000   imapi.sys

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f5f3a000 f5f4e000   redbook.sys

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f75f7000 f7600000   kbdhid.sys

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f611e000 f6133000   cdrom.sys

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f68ac000 f68b6000   Flpydisk.SYS

    Timestamp: unavailable (00000000)

    Checksum:  00000000

f68bc000 f68c7000   Fdc.SYS 

    Timestamp: unavailable (00000000)

    Checksum:  00000000

Closing open log file c:\debuglog.txt

Question by:frullen
Expert Comment

by:debuggerau
ID: 20347405
Hi Frullen,
Full description of what tools to use to analyze the log files here:
http://support.microsoft.com/kb/315263

Author Comment

by:frullen
ID: 20348595
OK, Thanks "debuggerau",
But I have already used tools to open the minidump file. My concern is to read my attached log from the dump to see what could cause the stop error at the server.

Accepted Solution

by:
debuggerau earned 250 total points
ID: 20354296
Hi Frullen,

The dump file does not definitively locate a fault in one's system. It is, however, a powerful tool to use to help in deducing where the fault may be.

In your case the registry error has occurred 51 times.
It has pointed to winlogon.exe as a process that is running at the time.
The rest are the memory locations of the applications, current processes and stack.

How well you 'read' this is going to be a linear relationship to how well you understand the underlying hardware and operating system kernel functions and features.
So please understand this sort of diagnostics is going to be difficult at best and, at worst, time consuming...

I would be very hesitant in recommending anything based on a single minidump but if this is the same error for all 51 times, I would suggest checking your registry settings, might even be worth installing a dual boot for testing, or replacing hardware may be the path of least resistance for your particular situation.
Certainly run some registry checks, some performance monitoring and check if there are coincidences time wise when this fault occurs.
Hope that helps,
Regards
Greg
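
One way to pull the triage fields out of a log like the one posted in the question, added here as an example that is not part of the original thread. The function names and the "built on a different day than the kernel" heuristic are assumptions of this example; the sample is an excerpt of the posted log with the module list shortened.

```python
import re
from datetime import datetime, timezone

# Excerpt of the kd log posted in the question (module list shortened).
SAMPLE_LOG = """\
REGISTRY_ERROR (51)
Arg1: 00000004, (reserved)
Arg2: 00000001, (reserved)
Arg3: e6b975a8, depends on where Windows bugchecked, may be pointer to hive
Arg4: 00000080, depends on where Windows bugchecked, may be return code of
CUSTOMER_CRASH_COUNT:  1
BUGCHECK_STR:  0x51
PROCESS_NAME:  winlogon.exe
FAILURE_BUCKET_ID:  0x51_nt!CmpAssignSecurityToKcb+61
80800000 80a53000   nt       ntkrpamp.exe Fri Mar 25 01:28:04 2005 (42435B14)
f4af2000 f4b0e900   naiavf5x naiavf5x.sys Fri May 12 00:47:08 2006 (4463BEEC)
f59ce000 f59e7e80   CtxSbx   CtxSbx.sys   Fri Feb 02 23:03:55 2007 (45C3B54B)
f7008000 f709d000   Ntfs     Ntfs.sys     Fri Mar 25 01:40:29 2005 (42435DFD)
f7146000 f724e000   ql2300   ql2300.sys   Wed Aug 10 23:33:26 2005 (42FA72A6)
"""

# [ \t] rather than \s so a match never runs across the blank lines in a real log.
FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", re.M)
ARG_RE = re.compile(r"^Arg[1-4]:[ \t]+([0-9a-fA-F]{8})", re.M)
MODULE_RE = re.compile(
    r"^[0-9a-f]{8} [0-9a-f]{8}[ \t]+(\S+)[ \t]+\S+[ \t].*\(([0-9A-F]{8})\)[ \t]*$", re.M)

def parse_analysis(log):
    """Return the bugcheck code, its four arguments and the key !analyze fields."""
    fields = dict(FIELD_RE.findall(log))
    return {
        "bugcheck": int(fields["BUGCHECK_STR"], 16),
        "args": [int(a, 16) for a in ARG_RE.findall(log)],
        "crash_count": int(fields["CUSTOMER_CRASH_COUNT"]),
        "process": fields["PROCESS_NAME"],
        "bucket": fields["FAILURE_BUCKET_ID"],
    }

def modules_not_built_with_kernel(log):
    """List (name, build date) for modules whose link date differs from nt's.

    Heuristic of this example: such modules are third-party or separately
    updated, so they are the first drivers to check for newer versions.
    """
    day = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).date()
    mods = sorted((int(ts, 16), name) for name, ts in MODULE_RE.findall(log))
    kernel_day = next(day(ts) for ts, name in mods if name == "nt")
    return [(name, day(ts).isoformat()) for ts, name in mods if day(ts) != kernel_day]

if __name__ == "__main__":
    print(parse_analysis(SAMPLE_LOG))
    for name, built in modules_not_built_with_kernel(SAMPLE_LOG):
        print(built, name)
```

Collecting the `bucket` value from each minidump on the server shows whether successive crashes share one failure signature or differ from dump to dump.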
