Help reading memory.dmp from Windows 2003 crash.

Posted on 2010-11-16
Last Modified: 2012-05-10
As it says in the Bugcheck Analysis, "Usually the exception address pinpoints
the driver/function that caused the problem". How can I find the driver/function with the exception address?

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.070304-2240
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Tue Nov 16 09:10:08.531 2010 (UTC + 1:00)
System Uptime: 0 days 0:06:33.142
Loading Kernel Symbols
...............................................................
..................................................
Loading User Symbols

Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 8087be35, f78daa38, f78da734}

Probably caused by : srv.sys ( srv!SrvDereferenceLfcb+1e )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8087be35, The address that the exception occurred at
Arg3: f78daa38, Exception Record Address
Arg4: f78da734, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!ExAcquireFastMutex+13
8087be35 f00fc106        lock xadd dword ptr [esi],eax

EXCEPTION_RECORD:  f78daa38 -- (.exr 0xfffffffff78daa38)
ExceptionAddress: 8087be35 (nt!ExAcquireFastMutex+0x00000013)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 6921052c
Attempt to write to address 6921052c

CONTEXT:  f78da734 -- (.cxr 0xfffffffff78da734)
eax=ffffffff ebx=f78dab00 ecx=69210501 edx=89e6b008 esi=6921052c edi=89b15cf8
eip=8087be35 esp=f78dab00 ebp=f78dab18 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!ExAcquireFastMutex+0x13:
8087be35 f00fc106        lock xadd dword ptr [esi],eax ds:0023:6921052c=????????
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  System

CURRENT_IRQL:  1

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  6921052c

WRITE_ADDRESS:  6921052c 

FOLLOWUP_IP: 
srv!SrvDereferenceLfcb+1e
b9cf8449 8b4620          mov     eax,dword ptr [esi+20h]

BUGCHECK_STR:  0x7E

LAST_CONTROL_TRANSFER:  from 80819f91 to 8087be35

STACK_TEXT:  
f78dab04 80819f91 89b15cf8 00000000 f78dabcc nt!ExAcquireFastMutex+0x13
f78dab18 f76e9884 89e6dcd0 89e6b008 00000000 nt!FsRtlLookupPerStreamContextInternal+0x13
f78dab7c f76fbf43 89e6b008 89b15cf8 00000000 fltMgr!FltpGetStreamListCtrl+0x5a
f78dab98 f76e67a3 89e6b008 89b15cf8 89ee58f8 fltMgr!FltpCleanupStreamListCtrlForFileObjectClose+0x17
f78dabb4 f76e6ce3 f78dabcc 89b15cf8 8af8c888 fltMgr!FltpPassThrough+0x93
f78dabe4 8081df65 89ee58f8 89f10288 89f10298 fltMgr!FltpDispatch+0x10d
f78dabf8 808f98e0 00000000 00000000 00000000 nt!IofCallDriver+0x45
f78dac30 80933914 00b15cf8 80a5bf00 89b15ce0 nt!IopDeleteFile+0x13a
f78dac4c 8086c955 89b15cf8 00000000 e3675e20 nt!ObpRemoveObjectRoutine+0xdc
f78dac6c b9cf8449 e3675e20 89bb1d58 f78dac94 nt!ObfDereferenceObject+0x67
f78dac7c b9cd968a e3675e18 80a5a3c0 8aeea2f0 srv!SrvDereferenceLfcb+0x1e
f78dac94 b9d28925 8ab647a0 89bb1d00 80a5a3c0 srv!DereferenceRfcbInternal+0x90
f78dacb4 b9d289da 89bb1d00 80a5a3c0 8aeea2f0 srv!SrvCompleteRfcbClose+0x1f0
f78dacd4 b9cdbcae 89bb1d58 e11de900 8aeea2f0 srv!CloseRfcbInternal+0xb6
f78dacf8 b9cfc1ec e11de900 00000000 e11de900 srv!SrvCloseRfcbsOnSessionOrPid+0x74
f78dad14 b9d04878 8aeea43c b9ce9f2c 8aeea2f0 srv!SrvCloseSession+0xb0
f78dad38 b9cd98ae 00000001 00000000 b9cea11c srv!SrvCloseSessionsOnConnection+0xa9
f78dad54 b9cd9f87 00eea2f0 00000001 8af7f3f0 srv!SrvCloseConnection+0x143
f78dad6c b9cda293 808ae5c0 b9cea140 01000000 srv!ProcessConnectionDisconnects+0x7c
f78dad80 8088043d 00000000 00000000 8af7f3f0 srv!SrvResourceThread+0x26
f78dadac 80949b7c 00000000 00000000 00000000 nt!ExpWorkerThread+0xeb
f78daddc 8088e062 80880352 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  srv!SrvDereferenceLfcb+1e

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: srv

IMAGE_NAME:  srv.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  45d6a048

STACK_COMMAND:  .cxr 0xfffffffff78da734 ; kb

FAILURE_BUCKET_ID:  0x7E_srv!SrvDereferenceLfcb+1e

BUCKET_ID:  0x7E_srv!SrvDereferenceLfcb+1e

Followup: MachineOwner

Thanks!
Question by:Spanjis
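As an added example (not from the question or either of the replies), a small Python script that answers the question from the text of the !analyze -v output alone: it pulls the exception address out of the BugCheck line, names the function containing an address from STACK_TEXT (the return address printed on one frame is where the caller resumes, so it lies inside the next frame's function, which is how 8087be35 resolves to nt!ExAcquireFastMutex and b9cf8449 to srv!SrvDereferenceLfcb), and applies a simplified version of the debugger's "Probably caused by" rule. The abridged stack excerpt is constructed from the dump above, and the core-module set is my assumption, not WinDbg's own triage data.

```python
import re
from collections import namedtuple

# Constructed input: an abridged copy of the "!analyze -v" text quoted in the question
# (middle frames dropped). Only the BugCheck line and the STACK_TEXT rows are used.
ANALYZE_OUTPUT = """\
BugCheck 7E, {c0000005, 8087be35, f78daa38, f78da734}
STACK_TEXT:
f78dab04 80819f91 89b15cf8 00000000 f78dabcc nt!ExAcquireFastMutex+0x13
f78dab18 f76e9884 89e6dcd0 89e6b008 00000000 nt!FsRtlLookupPerStreamContextInternal+0x13
f78dab7c f76fbf43 89e6b008 89b15cf8 00000000 fltMgr!FltpGetStreamListCtrl+0x5a
f78dac6c b9cf8449 e3675e20 89bb1d58 f78dac94 nt!ObfDereferenceObject+0x67
f78dac7c b9cd968a e3675e18 80a5a3c0 8aeea2f0 srv!SrvDereferenceLfcb+0x1e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
"""

# ChildEBP, RetAddr and the module!function+offset symbol of one "kb" row.
Frame = namedtuple("Frame", "child_ebp ret_addr symbol")
BUGCHECK_RE = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})(?: [0-9a-f]{8}){3} (\S+!\S+)$", re.M)

def parse_bugcheck(text):
    """Return (bugcheck code, [Arg1..Arg4]); for 0x7E, Arg2 is the exception address."""
    m = BUGCHECK_RE.search(text)
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_stack(text):
    """Frames in STACK_TEXT order; frame 0 is where the exception was raised."""
    return [Frame(int(a, 16), int(b, 16), s) for a, b, s in FRAME_RE.findall(text)]

def function_at(frames, addr, exception_addr):
    """Name the function containing addr: the exception address is frame 0's instruction
    pointer, and the return address printed on frame i lies inside frame i+1's function."""
    if addr == exception_addr:
        return frames[0].symbol
    for i, f in enumerate(frames[:-1]):
        if f.ret_addr == addr:
            return frames[i + 1].symbol
    return None

# Assumption: a stand-in for the debugger's own triage list of modules it does not blame.
CORE_MODULES = {"nt", "hal", "fltMgr"}

def probable_culprit(frames, core=CORE_MODULES):
    """Lowest frame owned by a non-core module, mirroring the 'Probably caused by' line."""
    for f in frames:
        module = f.symbol.split("!", 1)[0]
        if module not in core:
            return module, f.symbol
```

Run against the full dump text instead of the excerpt and the same calls resolve every address in the LAST_CONTROL_TRANSFER and FOLLOWUP_IP lines.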
LVL 22

Accepted Solution

by:
BitsBytesandMore earned 500 total points
ID: 34145057
One of the easiest and fastest ways to analyze a "Blue Screen" dump is to download Blue Screen View from Nirsoft (it is a free application) from: http://www.nirsoft.net/utils/blue_screen_view.html .

The point here is to find what is causing the BSOD: either a driver or the memory (these are the usual suspects).

In your case the problem maker seems to be srv.sys. Srv.sys is the Server service driver, which supports file, print, and named-pipe sharing over a network. Microsoft has a patch for it which may solve your problem:

http://www.microsoft.com/technet/security/bulletin/MS02-045.mspx

I hope it helps....

Bits ...

Author Comment

by:Spanjis
ID: 34147093
Thanks for the quick reply, BitsBytesandMore. Blue Screen View was very helpful; it told me the problem was "Microsoft Filesystem Filter Manager" and "NT Kernel & System", not sure why.

Windows 2003 is not affected by "Unchecked Buffer in Network Share Provider Can Lead to Denial of Service", thanks anyhow!
LVL 22

Expert Comment

by:BitsBytesandMore
ID: 34147965
You're welcome. I use Blue Screen View for everything related to BSODs and it has never failed me.

You may want to track down the events that led to the BSOD appearance. Hopefully it's a faulty driver but it could be a virus/trojan/spyware as well. It won't hurt to scan even if you already have protection in place.

I would scan for malware:

Follow this procedure to the letter; it will prevent further frustrations if you do have malware:


1. Go into Safe Mode with Networking by pressing F8 while booting your computer.
2. Then go to this website and download this program, MalwareBytes Anti-Malware: http://www.malwarebytes.org/mbam.php
3. Before downloading, important: rename MalwareBytes before saving its files to the desktop, as malware can recognize the name and block it unless renamed.
4. While still in Safe Mode, go to Start > Run and type: Msconfig
5. Once in the Msconfig application, go to the "Services" tab, select "Hide all Microsoft services", then select the remaining services and disable them.
6. Then go to the Startup tab and disable ALL entries there as well. Close the window. You will get a prompt to reboot; allow it.
7. After the system boots, go into NORMAL MODE. It will give you a warning regarding the changes made by msconfig; select "Do not warn me again".
8. Now you can run the anti-malware application you renamed and saved on your desktop above.
9. If viruses, spyware, malware, etc. are found, allow the program to clean them.

 
If the problem persists, go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions.


You should also run a scan with Hitman Pro: http://www.surfright.nl/en/hitmanpro . It may detect the presence of a rootkit or a rogue proxy setting ...

Lastly... you can run the "System File Checker" to make sure that your Windows files are not damaged. From a command prompt type:

SFC /scannow (notice the space between the C and the / )

Make sure you have an OS disk handy (it may ask you for it if it needs it). This utility from Microsoft will check all the critical OS files to make sure they are OK.

Keep me posted on your progress.....



Bits ...

Author Comment

by:Spanjis
ID: 34149312
Thanks again Bits!

I'm starting with win update, 120 updates missing, I'll keep you posted.
Well deserved points!