Solved

Need help interpreting Crash dump analysis

Posted on 2009-06-30
6
496 Views
Last Modified: 2013-12-01
I have a win2k3 R2 SP2 server that randomly BSODs.  The only hardware I have tried replacing is the RAM chips though that doesn't seem to have made a difference.  I recently ran a crash dump analysis with Microsofts tool.  I have never used it before and am not very familiar with how to read it but my impression is it's a driver issue.  Any additional input would be appreciated, thanks.  Let me know if I need to submit something further to help.
Loading unloaded module list

.................

0: kd> !analyze -v

*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************
 

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high.  This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: 00000000, memory referenced

Arg2: d0000002, IRQL

Arg3: 00000008, value 0 = read operation, 1 = write operation

Arg4: 00000000, address which referenced memory
 

Debugging Details:

------------------
 

GetContextState failed, 0x80070026

Unable to read selector for PCR for processor 1

*** WARNING: Unable to verify timestamp for cdrom.sys

*** ERROR: Module load completed but symbols could not be loaded for cdrom.sys

GetContextState failed, 0x80070026

Unable to read selector for PCR for processor 1
 

READ_ADDRESS:  00000000 
 

CURRENT_IRQL:  2
 

FAULTING_IP: 

+1b9952f00e8dfe0

00000000 ??              ???
 

PROCESS_NAME:  Idle
 

DEFAULT_BUCKET_ID:  DRIVER_FAULT
 

BUGCHECK_STR:  0xD1
 

TRAP_FRAME:  8089a538 -- (.trap 0xffffffff8089a538)

ErrCode = 00000010

eax=89ecd000 ebx=00000000 ecx=ffdffa48 edx=ffdffa40 esi=8a544240 edi=ffdffa40

eip=00000000 esp=8089a5ac ebp=8089a600 iopl=0     vif nv up ei pl zr na pe nc

cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00090246

00000000 ??              ???

Resetting default scope
 

LAST_CONTROL_TRANSFER:  from 00000000 to 8088c963
 

FAILED_INSTRUCTION_ADDRESS: 

+1b9952f00e8dfe0

00000000 ??              ???
 

STACK_TEXT:  

8089a538 00000000 badb0d00 ffdffa40 8a5188bc nt!KiTrap0E+0x2a7

WARNING: Frame IP not in any known module. Following frames may be wrong.

8089a5a8 808320f0 8a544240 00000000 b9c9e160 0x0

8089a600 8088de1f 00000000 0000000e 00000000 nt!KiRetireDpcList+0xca

8089a604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x37
 
 

STACK_COMMAND:  kb
 

FOLLOWUP_IP: 

nt!KiTrap0E+2a7

8088c963 833da0628a8000  cmp     dword ptr [nt!KiFreezeFlag (808a62a0)],0
 

SYMBOL_STACK_INDEX:  0
 

SYMBOL_NAME:  nt!KiTrap0E+2a7
 

FOLLOWUP_NAME:  MachineOwner
 

MODULE_NAME: nt
 

IMAGE_NAME:  ntkrpamp.exe
 

DEBUG_FLR_IMAGE_TIMESTAMP:  45d69710
 

FAILURE_BUCKET_ID:  0xD1_CODE_AV_NULL_IP_nt!KiTrap0E+2a7
 

BUCKET_ID:  0xD1_CODE_AV_NULL_IP_nt!KiTrap0E+2a7
 

Followup: MachineOwner

---------

Open in new window

0
Comment
Question by:CyberDocSupport
  • 4
  • 2
6 Comments
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 24749421
Not very useful, that crash dump. The BSOD is caused by a driver, but as the information is almost completely invalid either the unknown driver corrupts memory (unlikely) or it is a memory failure. As you have exchanged RAM already, I'm stuck. Are you overclocking RAM?

If can get a hand on the next dump, compare it with this one. Should it show a completely different exception as D1, and/or changing module info, this confirms the suspicion. You should run a burn-in memory testing tool like MemTest86+ (http://www.memtest.org/) to make sure RAM and memory bus are ok.
0
 

Author Comment

by:CyberDocSupport
ID: 24750726
No overclocking on the memory.....I'll try something like memtest and keep an eye out for the next dump as well.
0
 

Author Comment

by:CyberDocSupport
ID: 24757175
Ran Memtest for 12+ hours with no errors reported.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 68

Expert Comment

by:Qlemo
ID: 24757345
So we have to wait for the next crash, I reckon ...
0
 

Author Comment

by:CyberDocSupport
ID: 24758166
Seems that way.  The way things are going that won't be very long..........
0
 

Accepted Solution

by:
CyberDocSupport earned 0 total points
ID: 24825595
Turns out it was a motherboard problem.  Replacing it seems to have fixed the issue
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

A while back when OPSMGR 2012 was released we were very excited about getting it into our environment and upgrading our 2007 implementation,  we started our planning and we then proceeded with our implementation. All went as planned & our system …
The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now