Link to home
Start Free TrialLog in
Avatar of gaa18
gaa18

asked on

XP Machines BSOD when using RDP

hi all,

what is happening is the following:

basically we have 2 sites:

Site A: Main Server, users RDP into their machines which are all hosted on a hyper-v server
Site B: users either go through the VPN or use domain names to access their machines through RDP

basically the issue occurs in site B. when a user has an open session at site A and then moves to site B to continue the session it causes a BSOD. i have run a winDbg on the mini dumps and i get the attached.

all machines are on XP SP3 and all RDP clients are using the latest updated RDP.software

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\temp\Mini031611-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols;.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.101209-1647
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Mar 16 14:52:37.309 2011 (UTC + 0:00)
System Uptime: 1 days 0:15:44.683
Loading Kernel Symbols
...............................................................
...........................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 10000050, {bc5dfff0, 0, bf89c1d5, 0}


Could not read faulting driver name
Probably caused by : RDPDD.dll ( RDPDD!DrvDisableSurface+63 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: bc5dfff0, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf89c1d5, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS:  bc5dfff0 

FAULTING_IP: 
win32k!MultiUserGreTrackRemoveEngResource+17
bf89c1d5 8b01            mov     eax,dword ptr [ecx]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

LAST_CONTROL_TRANSFER:  from bf89c1ae to bf89c1d5

STACK_TEXT:  
b819aafc bf89c1ae bc5dfff0 e3767018 b819ab20 win32k!MultiUserGreTrackRemoveEngResource+0x17
b819ab0c bff67925 bc5e0000 e13a4028 b819abb8 win32k!EngFreeMem+0x16
b819ab20 bf9629bc e3767018 e13a4028 b819abb8 RDPDD!DrvDisableSurface+0x63
b819ab54 bf8e01f5 e3767018 00000258 b819abb8 win32k!WatchdogDrvDisableSurface+0x2f
b819ab70 bf80d117 00000000 e273ee54 e273ee40 win32k!PDEVOBJ::vDisableSurface+0x7f
b819ab98 bf93f63b 00000000 e21ce420 00000000 win32k!PDEVOBJ::vUnreferencePdev+0x1fb
b819abb0 bf896281 e13a4008 896ef038 00000001 win32k!DrvDestroyMDEV+0x40
b819ac88 bf898a4c 00000001 b819abc8 00000000 win32k!DrvChangeDisplaySettings+0xa5a
b819accc bf91a257 00000000 00000000 00000000 win32k!xxxUserChangeDisplaySettings+0x141
b819ad40 bf80111d 004afdf0 b819ad64 004afde4 win32k!xxxRemoteReconnect+0x1f1
b819ad54 8054167c 004afdf0 00000037 004afea0 win32k!NtUserCallOneParam+0x23
b819ad54 7c90e514 004afdf0 00000037 004afea0 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
004afea0 00000000 00000000 00000000 00000000 0x7c90e514


STACK_COMMAND:  kb

FOLLOWUP_IP: 
RDPDD!DrvDisableSurface+63
bff67925 897e30          mov     dword ptr [esi+30h],edi

SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  RDPDD!DrvDisableSurface+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RDPDD

IMAGE_NAME:  RDPDD.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4802a10b

FAILURE_BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

BUCKET_ID:  0x50_RDPDD!DrvDisableSurface+63

Followup: MachineOwner
---------

Open in new window

ASKER CERTIFIED SOLUTION
Avatar of Lee W, MVP
Lee W, MVP
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of BCipollone
BCipollone
Flag of United States of America image
Does it happen when they log completely out or only when they close the session and try to re-establish the same session elsewhere.

Have you updated their RDP Clients to the newest version? (i think this one: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6e1ec93d-bdbd-4983-92f7-479e088570ad)
Avatar of gaa18
gaa18

ASKER

not a complete solution, issue still happening sporadically although isnt as much as before.