• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3040
  • Last Modified:

System Error - Error code 000000d1, parameter1 00000000, parameter2 d0000002, parameter3 00000001, parameter4 b9915650.

We are getting the following errors on  our Exchange 2003 server.  We feel that they may be related to corrupt memory.  We have new modules on the way and will be installing next week. It is causing the server to blue screen and restart randomly.   Has anyone seen this before?  

Event Type:     Error
Event Source:   System Error
Event Category: (102)
Event ID:       1003
Date:           4/24/2009
Time:           8:36:20 AM
User:           N/A
Computer:       EXCHANGE
Description:
Error code 000000d1, parameter1 00000000, parameter2 d0000002, parameter3 00000001, parameter4 b9915650.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 64    000000d
0020: 31 20 20 50 61 72 61 6d   1  Param
0028: 65 74 65 72 73 20 30 30   eters 00
0030: 30 30 30 30 30 30 2c 20   000000,
0038: 64 30 30 30 30 30 30 32   d0000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 31 2c 20 62 39 39 31   01, b991
0050: 35 36 35 30               5650    

Event Type:     Warning
Event Source:   USER32
Event Category: None
Event ID:       1076
Date:           4/24/2009
Time:           8:36:12 AM
User:           CAPEFEARCOM\administrator
Computer:       EXCHANGE
Description:
The reason supplied by user CAPEFEARCOM\Administrator for the last unexpected shutdown of this computer is: Other (Unplanned)
 Reason Code: 0xa000000
 Bug ID:
 Bugcheck String:
 Comment: frozen screen

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 0a        
0
infranetsupport
Asked:
infranetsupport
  • 4
  • 2
1 Solution
 
NaturaTekCommented:
It would be super if you could save and post the dump file to debug it. You can attempt to view it on your own. Simple instructions are here:  http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx

My prediagnosis opinion, don't think it's ram. I seen the 0000..d1 error before and it always related to a driver/service that's crashing. Notorious ones are the symantec services (antivirus), raid controller drivers, like intel raid, etc. Some type of backup service like veritas..again from symantec..and others.

You can view the dump file, and you'll usually see the offending file/service in there. Once I learned to use the debugging tools, the basics..it has been a godsend to help analyze.

My personal opinion for future disaster prevention: Once a pc/server is running, leave automatic updates OFF. Windows want to update drivers for known items and at times it can just cause things to go haywire. I always do updates manually and I read each update to see what it does/fixes. Something crashes, you know the last thing done.

I would browse thru event viewer, see if any logs hints toward the problems. Try to remember anything that was done/installed and problem started happening. If new driver, roll back. New software, uninstall it and/or go back to previous version see if it remedies problem. If so, check with manufacturer for any hotfixes/updates.

Do standard quick maintenance on your own..chkdsk /f, oh and delete the pagefile.sys, some corrupted pagefiles causes havoc, especially when they are set static.  Boot into some type of dos environment, attrib -h -s -r pagefile.sys, then del pagefile.sys. Booting back in windows creates a new one.

See if you can post debug from dump file.
0
 
infranetsupportAuthor Commented:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\dbickel\Desktop\Mini042609-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.090319-1204
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sun Apr 26 08:27:07.625 2009 (GMT-4)
System Uptime: 0 days 23:57:16.671
Loading Kernel Symbols
...............................................................
..............................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {0, d0000002, 1, b9706650}

Unable to load image \SystemRoot\system32\DRIVERS\tmtdi.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for tmtdi.sys
*** ERROR: Module load completed but symbols could not be loaded for tmtdi.sys
Probably caused by : tmtdi.sys ( tmtdi+1650 )

Followup: MachineOwner
---------
0
 
NaturaTekCommented:
Whats causing you to crash is that tmtdi.sys file, which seems to be related to Trend Micro, perhaps you using trendmicro antivirus?

Here's a quick link on how to resolve it direct from TrendMicro:
http://esupport.trendmicro.com/9/TMTDISYS-causes-Memory-Leak-BSOD-in-OSCE-80-after-Patch-11-Build-1122.aspx

0
Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

 
NaturaTekCommented:
Seems this issue came about december 2008, due to some servicepack/update, you'll find truth to that when you read the link.

I would update using the patch from TrendMicro. Worst case scenario I would completely uninstall Trendmicro, download the latest uptodate version, reinstall it, and use the existing key.

For a server, I would stick with Symantec Endpoint protection.

Keep us posted.
0
 
infranetsupportAuthor Commented:
That seemed to work!  Thank you for the insight to the windbg program!
0
 
NaturaTekCommented:
Glad you got it under controlled...I hate those darn updates/patches that load automatically, something goes haywire and we panic not knowing why :( I like to shut automatic updates off and do on my own, so I can backtrack in times of pc sickness. Take care!
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now