asked on

System Error - Error code 000000d1, parameter1 00000000, parameter2 d0000002, parameter3 00000001, parameter4 b9915650.

We are getting the following errors on our Exchange 2003 server. We feel that they may be related to corrupt memory. We have new modules on the way and will be installing next week. It is causing the server to blue screen and restart randomly. Has anyone seen this before?

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 4/24/2009
Time: 8:36:20 AM
User: N/A
Computer: EXCHANGE
Description:
Error code 000000d1, parameter1 00000000, parameter2 d0000002, parameter3 00000001, parameter4 b9915650.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 30 30 30 30 30 30 64 000000d
0020: 31 20 20 50 61 72 61 6d 1 Param
0028: 65 74 65 72 73 20 30 30 eters 00
0030: 30 30 30 30 30 30 2c 20 000000,
0038: 64 30 30 30 30 30 30 32 d0000002
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 31 2c 20 62 39 39 31 01, b991
0050: 35 36 35 30 5650

Event Type: Warning
Event Source: USER32
Event Category: None
Event ID: 1076
Date: 4/24/2009
Time: 8:36:12 AM
User: CAPEFEARCOM\administrator
Computer: EXCHANGE
Description:
The reason supplied by user CAPEFEARCOM\Administrator for the last unexpected shutdown of this computer is: Other (Unplanned)
Reason Code: 0xa000000
Bug ID:
Bugcheck String:
Comment: frozen screen

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 0a

NaturaTek

It would be super if you could save and post the dump file to debug it. You can attempt to view it on your own. Simple instructions are here: http://blogs.technet.com/petergal/archive/2006/03/23/422993.aspx

My prediagnosis opinion, don't think it's ram. I seen the 0000..d1 error before and it always related to a driver/service that's crashing. Notorious ones are the symantec services (antivirus), raid controller drivers, like intel raid, etc. Some type of backup service like veritas..again from symantec..and others.

You can view the dump file, and you'll usually see the offending file/service in there. Once I learned to use the debugging tools, the basics..it has been a godsend to help analyze.

My personal opinion for future disaster prevention: Once a pc/server is running, leave automatic updates OFF. Windows want to update drivers for known items and at times it can just cause things to go haywire. I always do updates manually and I read each update to see what it does/fixes. Something crashes, you know the last thing done.

I would browse thru event viewer, see if any logs hints toward the problems. Try to remember anything that was done/installed and problem started happening. If new driver, roll back. New software, uninstall it and/or go back to previous version see if it remedies problem. If so, check with manufacturer for any hotfixes/updates.

Do standard quick maintenance on your own..chkdsk /f, oh and delete the pagefile.sys, some corrupted pagefiles causes havoc, especially when they are set static. Boot into some type of dos environment, attrib -h -s -r pagefile.sys, then del pagefile.sys. Booting back in windows creates a new one.

See if you can post debug from dump file.

infranetsupport

ASKER

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Documents and Settings\dbickel\Desktop\Mini042609-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

WARNING: Whitespace at end of path element
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.090319-1204
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sun Apr 26 08:27:07.625 2009 (GMT-4)
System Uptime: 0 days 23:57:16.671
Loading Kernel Symbols
...............................................................
..............................................................
Loading User Symbols
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {0, d0000002, 1, b9706650}

Unable to load image \SystemRoot\system32\DRIVERS\tmtdi.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for tmtdi.sys
*** ERROR: Module load completed but symbols could not be loaded for tmtdi.sys
Probably caused by : tmtdi.sys ( tmtdi+1650 )

Followup: MachineOwner
---------

ASKER CERTIFIED SOLUTION

NaturaTek

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

NaturaTek

Seems this issue came about december 2008, due to some servicepack/update, you'll find truth to that when you read the link.

I would update using the patch from TrendMicro. Worst case scenario I would completely uninstall Trendmicro, download the latest uptodate version, reinstall it, and use the existing key.

For a server, I would stick with Symantec Endpoint protection.

Keep us posted.

infranetsupport

ASKER

That seemed to work! Thank you for the insight to the windbg program!

NaturaTek

Glad you got it under controlled...I hate those darn updates/patches that load automatically, something goes haywire and we panic not knowing why :( I like to shut automatic updates off and do on my own, so I can backtrack in times of pc sickness. Take care!