Our SBS 2011 Blue Screens when logging into Windows

We have a Small Business Server 2011 and the server starts up with no problems and all services (Exchange, Backup Exec, Symantec Endpoint + SEPM) start normally and the server works with no problems. As soon as we try to log into it with any Administrator accounts the server instantly blue screens after we type in the password and hit enter. The blue screen errors are not the same. Sometimes it gives back a 0x00000050 Page_fault_in_nonpaged_area
 and others it gives 0x00000051 REGISTRY_ERROR

windbg output of minidumps are attached


I can get into Safe Mode and Safe Mode with Networking. The last thing(s) installed were Windows Updates and I have removed/roled them all back except for 1 which will not let me . (KB2482017)

I'm really hoping to be able to repair/fix without a reload. This server is only a few months old and is live.

REGISTRY_ERROR (51)
Something has gone badly wrong with the registry.  If a kernel debugger
is available, get a stack trace. It can also indicate that the registry got
an I/O error while trying to read one of its files, so it can be caused by
hardware problems or filesystem corruption.
It may occur due to a failure in a refresh operation, which is used only
in by the security system, and then only when resource limits are encountered.
Arguments:
Arg1: 0000000000000001, (reserved)
Arg2: fffff8a000024010, (reserved)
Arg3: 0000000000ae7000, depends on where Windows bugchecked, may be pointer to hive
Arg4: 0000000000000374, depends on where Windows bugchecked, may be return code of
	HvCheckHive if the hive is corrupt.

Debugging Details:
------------------


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR:  0x51

PROCESS_NAME:  services.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80001ba3438 to fffff80001876740

STACK_TEXT:  
fffff880`0a13b3f8 fffff800`01ba3438 : 00000000`00000051 00000000`00000001 fffff8a0`00024010 00000000`00ae7000 : nt!KeBugCheckEx
fffff880`0a13b400 fffff800`01b13754 : 00000000`002daa72 00000000`00005737 fffff8a0`00045000 fffffa80`00000004 : nt! ?? ::NNGAKEGL::`string'+0x9b1a
fffff880`0a13b460 fffff800`01b1296b : fffff8a0`00024010 fffff8a0`00024010 fffff8a0`0002d020 00000000`00001000 : nt!HvMarkDirty+0x125
fffff880`0a13b4c0 fffff800`01ad03a3 : fffff8a0`00024010 00000000`00000000 fffff8a0`030ec67c fffff8a0`0334e184 : nt!HvMarkCellDirty+0x13b
fffff880`0a13b510 fffff800`01ad51f2 : 00000000`00000001 fffff8a0`0337eb14 fffff8a0`02ed8b74 fffff8a0`00024010 : nt! ?? ::NNGAKEGL::`string'+0x12b64
fffff880`0a13b550 fffff800`01ad4f94 : fffff8a0`02ed8b74 00000000`ffffffff fffff8a0`02ed8b74 fffff8a0`00024010 : nt!CmpMarkKeyValuesDirty+0x182
fffff880`0a13b5f0 fffff800`01ad469a : fffff8a0`00024010 00000000`ffffffff fffff8a0`02ed8b74 fffff8a0`00024010 : nt!CmpFreeKeyValues+0x24
fffff880`0a13b620 fffff800`01ad43c8 : fffff8a0`00024010 00000000`009de368 fffff8a0`02ed8b74 00000000`009f1b70 : nt!CmpSyncKeyValues+0x7a
fffff880`0a13b700 fffff800`01ad6c8e : fffff8a0`0e841000 00000000`0039f168 fffffa80`00000000 00000000`00000000 : nt!CmpCopySyncTree2+0x2a8
fffff880`0a13b7b0 fffff800`01ad6ba7 : 00000000`00000000 00000000`00000002 fffff8a0`0df758b0 fffff8a0`079cfe20 : nt!CmpCopySyncTree+0x6e
fffff880`0a13b800 fffff800`01ad6776 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!CmpSaveBootControlSet+0x307
fffff880`0a13b9e0 fffff800`01875993 : fffffa80`14621760 00000000`01bfbc30 fffff880`0a13bab0 00000000`00000001 : nt!NtInitializeRegistry+0xc6
fffff880`0a13ba30 fffff800`01871f30 : fffff800`01ad671f 00000000`00000220 00000000`0260e8e8 00000000`0260ec18 : nt!KiSystemServiceCopyEnd+0x13
fffff880`0a13bbc8 fffff800`01ad671f : 00000000`00000220 00000000`0260e8e8 00000000`0260ec18 00000000`000a001f : nt!KiServiceLinkage
fffff880`0a13bbd0 fffff800`01875993 : fffffa80`14621760 fffff880`0a13bca0 fffff880`0a13bca0 00000000`00000002 : nt!NtInitializeRegistry+0x6f
fffff880`0a13bc20 00000000`772e045a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0260eb98 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x772e045a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt! ?? ::NNGAKEGL::`string'+9b1a
fffff800`01ba3438 cc              int     3

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt! ?? ::NNGAKEGL::`string'+9b1a

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4cc791bd

FAILURE_BUCKET_ID:  X64_0x51_nt!_??_::NNGAKEGL::_string_+9b1a

BUCKET_ID:  X64_0x51_nt!_??_::NNGAKEGL::_string_+9b1a

Followup: MachineOwner

------------------------------------------------------------------------------------------------------------------------------------------------

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff8a00d8c0000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80001b146ef, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80001aaf0e0
 fffff8a00d8c0000 

FAULTING_IP: 
nt!HvMarkDirty+c0
fffff800`01b146ef 480fa302        bt      qword ptr [rdx],rax

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR:  0x50

PROCESS_NAME:  services.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff88007d872d0 -- (.trap 0xfffff88007d872d0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000d800 rbx=0000000000000000 rcx=0000000000365cc0
rdx=fffff8a00d8be500 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80001b146ef rsp=fffff88007d87460 rbp=0000000000000000
 r8=000000006e696268  r9=00000000003734bf r10=fffff8a000024010
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
nt!HvMarkDirty+0xc0:
fffff800`01b146ef 480fa302        bt      qword ptr [rdx],rax ds:fffff8a0`0d8be500=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800018f7f14 to fffff80001877740

STACK_TEXT:  
fffff880`07d87168 fffff800`018f7f14 : 00000000`00000050 fffff8a0`0d8c0000 00000000`00000000 fffff880`07d872d0 : nt!KeBugCheckEx
fffff880`07d87170 fffff800`0187582e : 00000000`00000000 00000000`00008f42 00000000`00005700 00000000`003734c0 : nt! ?? ::FNODOBFM::`string'+0x42837
fffff880`07d872d0 fffff800`01b146ef : 00000000`00000000 00000000`00000000 fffff8a0`00045000 fffffa80`0caa5080 : nt!KiPageFault+0x16e
fffff880`07d87460 fffff800`01b1396b : fffff8a0`00024010 fffff8a0`00024010 fffff8a0`0002d020 00000000`00001000 : nt!HvMarkDirty+0xc0
fffff880`07d874c0 fffff800`01ad13a3 : fffff8a0`00024010 00000000`00000000 fffff8a0`038f267c fffff8a0`0821c184 : nt!HvMarkCellDirty+0x13b
fffff880`07d87510 fffff800`01ad61f2 : 00000000`00000001 fffff8a0`0824cb14 fffff8a0`0375bb74 fffff8a0`00024010 : nt! ?? ::NNGAKEGL::`string'+0x12b64
fffff880`07d87550 fffff800`01ad5f94 : fffff8a0`0375bb74 00000000`ffffffff fffff8a0`0375bb74 fffff8a0`00024010 : nt!CmpMarkKeyValuesDirty+0x182
fffff880`07d875f0 fffff800`01ad569a : fffff8a0`00024010 00000000`ffffffff fffff8a0`0375bb74 fffff8a0`00024010 : nt!CmpFreeKeyValues+0x24
fffff880`07d87620 fffff800`01ad53c8 : fffff8a0`00024010 00000000`009de368 fffff8a0`0375bb74 fffff8a0`009f1b70 : nt!CmpSyncKeyValues+0x7a
fffff880`07d87700 fffff800`01ad7c8e : fffff8a0`04d2c000 00000000`0039f168 fffffa80`00000000 00000000`00000000 : nt!CmpCopySyncTree2+0x2a8
fffff880`07d877b0 fffff800`01ad7ba7 : 00000000`00000000 00000000`00000002 fffff8a0`05868290 fffff8a0`06b00770 : nt!CmpCopySyncTree+0x6e
fffff880`07d87800 fffff800`01ad7776 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : nt!CmpSaveBootControlSet+0x307
fffff880`07d879e0 fffff800`01876993 : fffffa80`13d755a0 00000000`01c1e520 fffff880`07d87ab0 00000000`00000001 : nt!NtInitializeRegistry+0xc6
fffff880`07d87a30 fffff800`01872f30 : fffff800`01ad771f 00000000`00000220 00000000`021ee6b8 00000000`021ee9e8 : nt!KiSystemServiceCopyEnd+0x13
fffff880`07d87bc8 fffff800`01ad771f : 00000000`00000220 00000000`021ee6b8 00000000`021ee9e8 00000000`000a001f : nt!KiServiceLinkage
fffff880`07d87bd0 fffff800`01876993 : fffffa80`13d755a0 fffff880`07d87ca0 fffff880`07d87ca0 00000000`00000002 : nt!NtInitializeRegistry+0x6f
fffff880`07d87c20 00000000`7753045a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`021ee968 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7753045a


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!HvMarkDirty+c0
fffff800`01b146ef 480fa302        bt      qword ptr [rdx],rax

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!HvMarkDirty+c0

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4cc791bd

FAILURE_BUCKET_ID:  X64_0x50_nt!HvMarkDirty+c0

BUCKET_ID:  X64_0x50_nt!HvMarkDirty+c0

Followup: MachineOwner
---------

Open in new window

hottipsAsked:
Who is Participating?
 
dmeerenCommented:
First do a full hardware test, harddisk, memory, video card. Check in your logs when this problem accours? And maybe windows has pushed a driver update to the machine that is causing this problem.
The error you discribe seams to me a driver problem of some sort. Roll it back to see if the problem stops or not.
GoodLuck!
0
 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
If the server is running stable up to the logon then why logon processes are running?

When in Safe Mode disable the SEP client. In fact we do not rum a client on our servers anymore.

Check the Startup group and registry remotely and export then edit out any logon processes.

Disable any third party monitoring software whether manufacturer or MSP.

Philip
0
 
hottipsAuthor Commented:
Hi Phillip. When I was in safe mode I have already removed SEP Client and also tried booting in normal mode wth all non Microsoft services stopped and Startup items. We found out that a printer driver was installed on the 17th of February (the server hadnt been rebooted til before then) so we are going to look at removing all print drivers. Because this is a live box I have to wait til a scheduled outage before being able to make such changes. will  let you know how we go.
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
Philip ElderTechnical Architect - HA/Compute/StorageCommented:
Some HPZ series print drivers set as services can be quite nasty.

What printer was installed?

Philip
0
 
hottipsAuthor Commented:
Thanks for the point in the right direction. Glad it was driver related and not registry corruption!
0
 
dmeerenCommented:
HPZ .... arrgghhh Almost forget that one....
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.