Solved

XP Machines BSOD when using RDP

Posted on 2011-03-16
3
976 Views
Last Modified: 2012-05-11
hi all,

what is happening is the following:

basically we have 2 sites:

Site A: Main Server, users RDP into their machines which are all hosted on a hyper-v server
Site B: users either go through the VPN or use domain names to access their machines through RDP

basically the issue occurs in site B. when a user has an open session at site A and then moves to site B to continue the session it causes a BSOD. i have run a winDbg on the mini dumps and i get the attached.

all machines are on XP SP3 and all RDP clients are using the latest updated RDP.software

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\temp\Mini031611-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols;.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.101209-1647
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Mar 16 14:52:37.309 2011 (UTC + 0:00)
System Uptime: 1 days 0:15:44.683
Loading Kernel Symbols
...............................................................
...........................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 10000050, {bc5dfff0, 0, bf89c1d5, 0}


Could not read faulting driver name
Probably caused by : RDPDD.dll ( RDPDD!DrvDisableSurface+63 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

Open in new window

0
Comment
Question by:gaa18
3 Comments
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 500 total points
ID: 35149680
There was a bug I experienced where switching screen resolutions causes XP to crash - example: Site A the user connects at 1680x1050 and Site B the user connects at 1440x900 - that switch kills the box.  There is a Microsoft Hotfix available but a subsequent patch destabilizes it (I don't know which one but it's still less sensitive than before).

http://support.microsoft.com/default.aspx?scid=kb;en-us;963038&sd=rss&spid=3223

Assuming, of course, you're having the same issue.
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 35266690
Does it happen when they log completely out or only when they close the session and try to re-establish the same session elsewhere.

Have you updated their RDP Clients to the newest version? (i think this one: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6e1ec93d-bdbd-4983-92f7-479e088570ad)
0
 

Author Closing Comment

by:gaa18
ID: 35399432
not a complete solution, issue still happening sporadically although isnt as much as before.
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

#Citrix #XenApp #Citrix Scout #Citrix Insight Services #Microsoft VMMAP #Microsoft ADEXPLORE #Microsoft RAMMAP #Microsoft TCPVIEW #Microsoft AUTORUNS #Microsoft PROCESS EXPLORER #Microsoft PROCESS MONITOR
VM backup deduplication is a method of reducing the amount of storage space needed to save VM backups. In most organizations, VMs contain many duplicate copies of data, such as VMs deployed from the same template, VMs with the same OS, or VMs that h…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
In this video tutorial I show you the main steps to install and configure  a VMware ESXi6.0 server. The video has my comments as text on the screen and you can pause anytime when needed. Hope this will be helpful. Verify that your hardware and BIO…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now