Posted on 2009-04-17
Last Modified: 2012-05-06
I have an SBS 2003 server that is blue screening (seemingly randomly).  Here is the dump file:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\websymbols*
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.080813-1204
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Apr  1 09:16:35.796 2009 (GMT-7)
System Uptime: 0 days 10:51:21.218
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 27, {baad0080, b5fcf8e8, b5fcf5e4, 80959d1f}

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for TmPreFlt.sys -
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
Probably caused by : mrxdav.sys ( mrxdav!MRxDAVOuterStop+92 )

Followup: MachineOwner

3: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

    If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
    exception record and context record. Do a .cxr on the 3rd parameter and then kb to
    obtain a more informative stack trace.
    The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
    as follows:
     RDBSS_BUG_CHECK_CACHESUP  = 0xca550000,
     RDBSS_BUG_CHECK_CLEANUP   = 0xc1ee0000,
     RDBSS_BUG_CHECK_CLOSE     = 0xc10e0000,
     RDBSS_BUG_CHECK_NTEXCEPT  = 0xbaad0000,
Arg1: baad0080
Arg2: b5fcf8e8
Arg3: b5fcf5e4
Arg4: 80959d1f

Debugging Details:

PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd500c).  Type ".hh dbgerr001" for details

EXCEPTION_RECORD:  b5fcf8e8 -- (.exr 0xffffffffb5fcf8e8)
ExceptionAddress: 80959d1f (nt!RtlDestroyHeap+0x00000023)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00e70050
Attempt to read from address 00e70050

CONTEXT:  b5fcf5e4 -- (.cxr 0xffffffffb5fcf5e4)
eax=8a4b7404 ebx=00e70050 ecx=b9646f00 edx=00000000 esi=8a4b7404 edi=00e70000
eip=80959d1f esp=b5fcf9b0 ebp=b5fcf9c0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
80959d1f 8b33            mov     esi,dword ptr [ebx]  ds:0023:00e70050=????????
Resetting default scope


PROCESS_NAME:  svchost.exe


ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".



READ_ADDRESS:  00e70050

b96483dc 6800800000      push    8000h

80959d1f 8b33            mov     esi,dword ptr [ebx]


LAST_CONTROL_TRANSFER:  from b96483dc to 80959d1f

b5fcf9c0 b96483dc 00e70000 00000000 87c5e5a0 nt!RtlDestroyHeap+0x23
b5fcf9f8 b964866c 87c5e5a0 00000000 87c5e5a0 mrxdav!MRxDAVOuterStop+0x92
b5fcfa38 b9652bd7 01c5e5a0 b964eb9a 88983120 mrxdav!MRxDAVDevFcbXXXControlFile+0x204
b5fcfa50 b9652f83 87c5e5a0 88983120 889831fc mrxdav!RxXXXControlFileCallthru+0x67
b5fcfa74 b963ef72 87c5e5a0 00000000 8b084398 mrxdav!RxCommonDevFCBFsCtl+0x8d
b5fcfb04 b9652852 b96460f0 88983120 8b084398 mrxdav!RxFsdCommonDispatch+0x320
b5fcfb24 b964bfc4 8a4b7030 88983120 8a4f1020 mrxdav!RxFsdDispatch+0xd4
b5fcfb98 8081df85 8a4b7030 88983120 88983120 mrxdav!MRxDAVFsdDispatch+0x1f0
b5fcfbac f76f46c1 00000000 8a999d88 8b60ab50 nt!IofCallDriver+0x45
b5fcfbd8 8081df85 8a4f1020 88983120 88983120 fltmgr!FltpFsControl+0xd7
b5fcfbec b9e30070 8a549578 8a5041f0 b5fcfc10 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
b5fcfbfc 8081df85 8a999d88 88983120 88983120 TmPreFlt!TmpQueryFullName+0x6376
b5fcfc10 f76f46c1 88983120 88983120 8b60ab50 nt!IofCallDriver+0x45
b5fcfc3c 8081df85 8a549578 88983120 8b084398 fltmgr!FltpFsControl+0xd7
b5fcfc50 808f5437 889831fc 8b084398 88983120 nt!IofCallDriver+0x45
b5fcfc64 808f61bf 8a549578 88983120 8b084398 nt!IopSynchronousServiceTail+0x10b
b5fcfd00 808eed3c 000002c8 00000000 00000000 nt!IopXxxControlFile+0x5e5
b5fcfd34 808897bc 000002c8 00000000 00000000 nt!NtFsControlFile+0x2a
b5fcfd34 7c8285ec 000002c8 00000000 00000000 nt!KiFastCallEntry+0xfc
00cfff20 00000000 00000000 00000000 00000000 0x7c8285ec


SYMBOL_NAME:  mrxdav!MRxDAVOuterStop+92

FOLLOWUP_NAME:  MachineOwner


IMAGE_NAME:  mrxdav.sys


STACK_COMMAND:  .cxr 0xffffffffb5fcf5e4 ; kb

FAILURE_BUCKET_ID:  0x27_mrxdav!MRxDAVOuterStop+92

BUCKET_ID:  0x27_mrxdav!MRxDAVOuterStop+92

Followup: MachineOwner

It seems to be a problem with the mrxdav.sys file.  We are using Sharepoint 2.0 extensively and hhave a desktop application (eCopy Desktop) that accesses the Sharepoint site using WebDav folders.  Any help is appreciated.
Question by:pgerard
    LVL 23

    Expert Comment

    i would disable the eCopy Desktop and see if there is an update for it.
    LVL 3

    Author Comment

    eCopy is on the latest version.  They use eCopy Desktop too extensively to disable it.
    LVL 23

    Expert Comment

    are you running current on service packs?
    LVL 3

    Author Comment

    Yes.  The server is monitored and updated as soon as we have tested available updates.  It is on Server 2003 SP2 and the SBS Server has all available updates and SPs installed.
    LVL 23

    Expert Comment

    I would contact eCopy Desktop support and see if they can give some insight.
    LVL 6

    Expert Comment

    Are you getting any 2020 or 2019 events from the SRV service in the System event log?

    Since you have figured out how to open the dump in a debugger, can you post the output of !vm?

    Brian Desmond
    Active Directory MVP
    LVL 3

    Accepted Solution

    It seems that the dump file is older that I origially thought and the BSOD issue is resolved.  The server was still rebooting, but I believe it was due to a faulty UPS.  I've plugged the server into a secondary power source and have had no down time since.  Thanks for taking a look at this post.

    Featured Post

    Free Trending Threat Insights Every Day

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    I’m often asked about newer and larger USB drives connected to SBS2008 and 2011 failing Windows Server Backup vs the older USB drives not failing. As disk space continues to grow and drive technology change SBS2008 and some SBS2011 end up with the f…
    ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    26 Experts available now in Live!

    Get 1:1 Help Now