The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050


Our newly installed Windows Server 2003 R2 automatically "rebooted" last night because of an error.

Event Type:        Information
Event Source:    Save Dump
Event Category:                None
Event ID:              1001
Date:                     4/21/2010
Time:                     12:08:23 AM
User:                     N/A
Computer:          VAN-EDI02
The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xbcdf0b78, 0x00000000, 0xbf8b8451, 0x00000000). A dump was saved in: C:\WINDOWS\MEMORY.DMP.

For more information, see Help and Support Center at

The OS is running on a VM (same h/w that other 10+ production machines run on that have no errors) so I don't think this could be a hardware issue.

It is running on a INtel Xeon 2.66Ghz with 4GB of ram.

The only software installed is...

FTP Voyager
EDI Software

Anyway I can find out why this actually rebooted?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

You can run a program called Windbg. This will tell you exactly which driver caused the reboot. You can download it here:

If you do a search on the internet you will find plenty of tutorials but it is quite easy to use. Just load the symbols file, point it at c:\windows\memory.dmp and it will tell you which driver caused the reboot, then just see if there is an updated version of that programme/driver.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mirdeAuthor Commented:
I followed your advice, and got this far:

* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
Probably caused by : win32k.sys ( win32k!STROBJ_vEnumStart+33c8 )

DO I need to have the Symbols package installed to get the result or is the end result (win32k.sys) the cause?

Yup you need the symbols. Following the following article for the symbols:
Protecting & Securing Your Critical Data

Considering 93 percent of companies file for bankruptcy within 12 months of a disaster that blocked access to their data for 10 days or more, planning for the worst is just smart business. Learn how Acronis Backup integrates security at every stage

mirdeAuthor Commented:
This is the output of windbg:

Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arg1: bcdf0b78, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf8b8451, If non-zero, the instruction address which referenced the bad memory
Arg4: 00000000, (reserved)

Debugging Details:

Page 13ccde not present in the dump file. Type ".hh dbgerr004" for details
Page bcf0c not present in the dump file. Type ".hh dbgerr004" for details
Page bcf0c not present in the dump file. Type ".hh dbgerr004" for details
Page bcf0c not present in the dump file. Type ".hh dbgerr004" for details
Page bcf0c not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd800c).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd800c).  Type ".hh dbgerr001" for details

READ_ADDRESS:  bcdf0b78

bf8b8451 8b01            mov     eax,dword ptr [ecx]


IMAGE_NAME:  win32k.sys



FAULTING_MODULE: bf800000 win32k



PROCESS_NAME:  McScript_InUse.


TRAP_FRAME:  b973cba4 -- (.trap 0xffffffffb973cba4)
ErrCode = 00000000
eax=bcdf0b48 ebx=00000509 ecx=bcdf0b78 edx=bc510002 esi=e87fcb78 edi=00003c6c
eip=bf8b8451 esp=b973cc18 ebp=b973cc64 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
bf8b8451 8b01            mov     eax,dword ptr [ecx]  ds:0023:bcdf0b78=bcdf09b8
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8085ed19 to 80827c83

b973cb14 8085ed19 00000050 bcdf0b78 00000000 nt!KeBugCheckEx+0x1b
b973cb8c 8088c7c8 00000000 bcdf0b78 00000000 nt!MmAccessFault+0xb25
b973cb8c bf8b8451 00000000 bcdf0b78 00000000 nt!KiTrap0E+0xdc
b973cc20 bf8b879e 897044f8 00000000 00000000 win32k!DestroyThreadsObjects+0x4f
b973cc64 bf8b7043 00000001 b973cc8c bf8b7ea0 win32k!xxxDestroyThreadInfo+0x206
b973cc70 bf8b7ea0 897044f8 00000001 00000000 win32k!UserThreadCallout+0x4b
b973cc8c 8094c2ac 897044f8 00000001 897044f8 win32k!W32pThreadCallout+0x3a
b973cd18 8094c63f 00000000 00000000 897044f8 nt!PspExitThread+0x3b2
b973cd30 8094c991 897044f8 00000000 00000001 nt!PspTerminateThreadByPointer+0x4b
b973cd54 808897bc 00000000 00000000 0152ff90 nt!NtTerminateThread+0x71
b973cd54 7c82860c 00000000 00000000 0152ff90 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0152ff90 00000000 00000000 00000000 00000000 0x7c82860c


bf8b8451 8b01            mov     eax,dword ptr [ecx]


SYMBOL_NAME:  win32k!DestroyThreadsObjects+4f

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0x50_win32k!DestroyThreadsObjects+4f

BUCKET_ID:  0x50_win32k!DestroyThreadsObjects+4f

Followup: MachineOwner

Any idea as to what this could indicate?
mirdeAuthor Commented:
Does this indicate that it was caused by "PROCESS_NAME:  McScript_InUse"? Because this belongs to McAfee, I would not be surprised.
It could be although it is just saying that McAfee was being referenced at the time of the crash, but McAfee is constantly referenced by the OS. Since the driver that caused the crahs was win32k.sys its quite hard to track the problem down.

How many times has it happened? The only thing i can advise it to make sure that all drivers & patches are up to date and that McAfee is also up to date. If it continues to blue screen then try removing McAfee and see if it stops it.
mirdeAuthor Commented:
So what your saying is that the process "McScript_InUse" was being referenced by win32k.sys at the time of the crash?

It does not necessarily have to mean that the process was the root cause of why win32k.sys failed?

Also, what is win32k.sys responsive for?

Thanks for your help.
mirdeAuthor Commented:
This worked to identify the causing app/driver.
I have the same problem with similar bug check analyzes output. Did you find out the root cause, what app/file or driver that caused the reboots?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.