Windows 2003 Server Blue Screen - 0x0000007A

Hi there,

I have recently started getting some blue screen errors on my Windows 2003 server.  The relevant details of the blue screen are as follows:

A problem has been detected and windows has been shut down to prevent damage to your computer.

KERNEL_DATA-INPAGE-ERROR

***STOP: 0x0000007A (0xC03859D8, 0xC000009A, 0xE167E64, 0x659A880)

Dumping physical memory to disk 35

I was wondering whether anybody had any ideas where I might start looking to solve this problem.  According to Microsoft, they say that:

"STOP Messages 0x00000077 and 0x0000007A are related kernel traps that are caused when the operating system tries to load a page into memory from the paging file on the hard disk, but cannot access the page because of either a software or hardware failure.

If you experience this issue more than one time, contact your computer or hard disk vendor. "

and, more specifically:

"0xC000009C   STATUS_DEVICE_DATA_ERROR, generally due to bad block on the drive."

I am running two 250gb SATA disks in a RAID1 format, with 50gb allocated to the C: (system) partition and the rest for our data.

- Should I run disk diagnostics over this to see if it can find the bad block?  If so, what utility do you recommend?
- Is there a problem with my Pagefile or RAM?

Thanks in advance!

Pete
peterkennedy Asked:
ded9 Commented:
Hi,

Install the software
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

and click on the file --> open crash dump and go to windows folder -->open minidump folder and open the log and check whether any file name is listed over there.

If yes then that software or driver is creating a problem.

You can also try a clean boot

http://support.microsoft.com/kb/310353
and restart the computer.


Ded9
0
brent_caskey Commented:
Generally you see these with bad hard drives, controller, or cabling. It is happening on the drive that has your pagefile. Could it be RAM? Not likely, but run diags on the memory to be on the safe side if everything else comes back clean.

I would run chkdsk on the hard drives.

If chkdsk comes back clean, set the page file down to 0MB for one boot and set it back to the original size on the next boot to see if that fixes anything (or move it to a different partition temporarily). That will force the OS to make a new page file.
0

peterkennedy Author Commented:
Thanks for that.  I will attempt to analyse the files now and run a CHKDSK.  I have attached the *.dmp file from the latest blue screen if that helps...

I have had to rename it to *.txt so that it would upload, but just rename it to *.dmp if you want to have a look at it.
Mini012008-01.txt
0
ded9 Commented:
Hi,

Please do not change the file extension.

I have less bandwidth option. First do this:


Click on the file --> open crash dump and go to windows folder -->open minidump folder and open the log .dmp  and check whether any file name is listed over there.


After you open the .dmp file copy the text inside it and paste it in notepad and upload it.


Ded9

0
ded9 Commented:
Hi,

I read the dmp file somehow and it says bad ntoskrnl.exe. Try copying a good version of ntoskrnl from the CD.

Before you copy the ntoskrnl from O.S cd just rename the old file because if something goes wrong you can get the old file working.


Ded9
0
honmapog Commented:
The minidump points to insufficient resources.
Does the event log show events 2019 or 2020 from source srv? In that case you have a memory leak and the most likely candidate in that case would be the AntiVirus software.



*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_STACK_INPAGE_ERROR (77)
The requested page of kernel data could not be read in.  Caused by
bad block in paging file or disk controller error.
In the case when the first arguments is 0 or 1, the stack signature
in the kernel stack was not found.  Again, bad hardware.
An I/O status of c000009c (STATUS_DEVICE_DATA_ERROR) or
C000016AL (STATUS_DISK_OPERATION_FAILED)  normally indicates
the data could not be read from the disk due to a bad
block.  Upon reboot autocheck will run and attempt to map out the bad
sector.  If the status is C0000185 (STATUS_IO_DEVICE_ERROR) and the paging
file is on a SCSI disk device, then the cabling and termination should be
checked.  See the knowledge base article on SCSI termination.
Arguments:
Arg1: c000009a, status code
Arg2: c000009a, i/o status code
Arg3: 00000000, page file number
Arg4: 04f8c000, offset into page file

Debugging Details:
------------------




ERROR_CODE: (NTSTATUS) 0xc000009a - Insufficient system resources exist to complete the API.

BUGCHECK_STR:  0x77_c000009a

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME:  System

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 00000000 to 80876ae0

STACK_TEXT:  
f7906cc8 00000000 00000000 00000000 00000000 nt!KeBugCheckEx+0x1b


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

BUCKET_ID:  ZEROED_STACK

Followup: MachineOwner
---------
0
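Added example (not part of the thread): a small Python triage helper that pulls the I/O status out of either a STOP line or the debugger's argument list and maps it using the status meanings given in the analysis text above. It assumes the second STOP parameter of 0x7A is the error status, as Microsoft documents for that bugcheck; the function names and advice strings are illustrative.

```python
import re

# Meanings of the I/O status values named in the debugger text quoted above.
TRIAGE = {
    0xC000009A: ("STATUS_INSUFFICIENT_RESOURCES",
                 "resource exhaustion: check pagefile size limit, srv events 2019/2020"),
    0xC000009C: ("STATUS_DEVICE_DATA_ERROR", "bad block: run disk diagnostics"),
    0xC000016A: ("STATUS_DISK_OPERATION_FAILED", "bad block: run disk diagnostics"),
    0xC0000185: ("STATUS_IO_DEVICE_ERROR", "I/O path: check cabling and termination"),
}

def parse_bugcheck(text):
    """Return (bugcheck code, [4 args]) from a STOP line or !analyze-style text."""
    m = re.search(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)", text)
    if m:
        return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]
    m = re.search(r"^[A-Z_]+ \(([0-9A-Fa-f]+)\)", text, re.M)
    args = [int(a, 16) for a in re.findall(r"^Arg\d: ([0-9A-Fa-f]+)", text, re.M)]
    if m and len(args) == 4:
        return int(m.group(1), 16), args
    raise ValueError("no bugcheck code and arguments found")

def triage(text):
    """Map a 0x77/0x7A bugcheck to (status name, where to look first)."""
    code, args = parse_bugcheck(text)
    if code not in (0x77, 0x7A):
        raise ValueError("not an inpage-error bugcheck")
    # 0x77 with Arg1 of 0 or 1 means "stack signature not found": no status code.
    if code == 0x77 and args[0] in (0, 1):
        return ("NO_STATUS", "kernel stack signature not found: suspect hardware")
    status = args[1]  # second argument is the I/O status in both layouts
    return TRIAGE.get(status, ("0x%08X" % status, "unlisted status: look it up first"))

# Values copied from the thread: the asker's STOP line and the minidump arguments.
STOP_LINE = "***STOP: 0x0000007A (0xC03859D8, 0xC000009A, 0xE167E64, 0x659A880)"
ANALYZE = """KERNEL_STACK_INPAGE_ERROR (77)
Arguments:
Arg1: c000009a, status code
Arg2: c000009a, i/o status code
Arg3: 00000000, page file number
Arg4: 04f8c000, offset into page file
"""

if __name__ == "__main__":
    for sample in (STOP_LINE, ANALYZE):
        print("%s -> %s" % triage(sample))
```

Both samples from this thread resolve to the insufficient-resources status rather than the bad-block status quoted in the question.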
ded9 Commented:
Hi,

Do not change ntoskrnl.exe, I was wrong. My debugger is not working. There are no symbols.


Ded9


0
peterkennedy Author Commented:
Hi again,

Upon checking the server I noticed that the pagefile was set so that it could not exceed a particular size (800mb).  I have since set a "System Managed" size on both the C: and D: partition and the server is now using about 3gb for its pagefile.  I will wait to see whether this improves things at all...
0
cpc2004 Commented:
The most useful debugging information for your problem is NT status codes 9A and 9C.  They are related to software errors.  Your Windows has the AV E-Trust installed. Can you recall when you installed E-Trust on your server? Maybe it is related to a software error in E-Trust. BTW, a minidump is insufficient to find the culprit. Can you provide 3 to 4 minidumps here?

The load module list of E-Trust does not have the timestamp, and that is unusual.
baca8000 bacc0000   VETEBOOT VETEBOOT.SYS unavailable (00000000)
bace8000 badac000   VETEFILE VETEFILE.SYS unavailable (00000000)
badcc000 badd2000   VETMONNT VETMONNT.SYS unavailable (00000000)
bade4000 bade9000   VET_FILT VET-FILT.SYS unavailable (00000000)
0
peterkennedy Author Commented:
Thanks for your help.  After modifying the pagefile.sys to use "System Managed Size" I have not had a problem since.
0