BSOD on SBS 2008 - KMODE_EXCEPTION_NOT_HANDLED
Hi,
I'm having the following problem on a IBM x3200 M3 machine running SBS 2008 Premium. It will blue screen and restart randomly, but most often during remote desktop logon (mini dump shows winlogon.exe as being the culprit).
SBS was installed via IBM's ServerGuide for the system and has all Windows Updates etc loaded.
Originally I thought this may be a memory problem, as the server had 2 modules of aftermarket memory installed, these were however pulled and it is running its factory hardware configuration plus 2x 1TB WD drives in RAID, however I do not believe this to be hard disk related.
Has anyone else experienced this and how can it be fixed?
An earlier dump shows FAULT_IN_NONPAGED_AREA
I'm having the following problem on a IBM x3200 M3 machine running SBS 2008 Premium. It will blue screen and restart randomly, but most often during remote desktop logon (mini dump shows winlogon.exe as being the culprit).
SBS was installed via IBM's ServerGuide for the system and has all Windows Updates etc loaded.
Originally I thought this may be a memory problem, as the server had 2 modules of aftermarket memory installed, these were however pulled and it is running its factory hardware configuration plus 2x 1TB WD drives in RAID, however I do not believe this to be hard disk related.
Has anyone else experienced this and how can it be fixed?
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Brady\Desktop\Mini050611-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 6002.18327.amd64fre.vistasp2_gdr.101014-0432
Machine Name:
Kernel base = 0xfffff800`02847000 PsLoadedModuleList = 0xfffff800`02a0bdd0
Debug session time: Fri May 6 18:44:39.947 2011 (UTC + 10:00)
System Uptime: 0 days 0:47:04.074
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc0000005, fffff80002b2ae8e, 0, ffffffffffffffff}
Probably caused by : ntkrnlmp.exe ( nt!PspGetSetContextInternal+396 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002b2ae8e, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!PspGetSetContextInternal+396
fffff800`02b2ae8e 488b28 mov rbp,qword ptr [rax]
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002a6e080
ffffffffffffffff
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
BUGCHECK_STR: 0x1E_c0000005
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: winlogon.exe
CURRENT_IRQL: 1
LAST_CONTROL_TRANSFER: from fffff80002883ac7 to fffff800028a1490
STACK_TEXT:
fffffa60`07984518 fffff800`02883ac7 : 00000000`0000001e ffffffff`c0000005 fffff800`02b2ae8e 00000000`00000000 : nt!KeBugCheckEx
fffffa60`07984520 fffff800`028a12e9 : fffffa60`07984c58 fffffa60`04790570 fffffa60`07984d00 fffffa60`04790ac8 : nt! ?? ::FNODOBFM::`string'+0x29117
fffffa60`07984b20 fffff800`0289fecd : 00000000`00000200 fffff800`0297af28 00000000`8000000b 00000000`00000000 : nt!KiExceptionDispatch+0xa9
fffffa60`07984d00 fffff800`02b2ae8e : 44034388`ec2b4502 fffffa60`04790570 00000000`00000000 fffffa60`04790ac8 : nt!KiGeneralProtectionFault+0xcd
fffffa60`07984e90 fffff800`028ce93d : fffff800`0297aea8 fffffa80`09b12720 fffffa60`04790570 00000000`00000000 : nt!PspGetSetContextInternal+0x396
fffffa60`079853e0 fffff800`028c2bbe : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`028a3d02 : nt!PspGetSetContextSpecialApc+0x9d
fffffa60`079854f0 fffff800`028c6613 : fffffa60`07985610 00000000`00000000 00000000`00000000 fffffa80`09b12720 : nt!KiDeliverApc+0x19e
fffffa60`07985590 ffffffff`ffb4a8ae : 00000000`c0000000 fffffa60`079858d0 ffffffff`ff70d817 ffffffff`ffb5c028 : nt!KiApcInterrupt+0x103
fffffa60`07985720 00000000`c0000000 : fffffa60`079858d0 ffffffff`ff70d817 ffffffff`ffb5c028 ffffffff`ff7082e6 : 0xffffffff`ffb4a8ae
fffffa60`07985728 fffffa60`079858d0 : ffffffff`ff70d817 ffffffff`ffb5c028 ffffffff`ff7082e6 ffffffff`ffb5c028 : 0xc0000000
fffffa60`07985730 ffffffff`ff70d817 : ffffffff`ffb5c028 ffffffff`ff7082e6 ffffffff`ffb5c028 ffffffff`ff708048 : 0xfffffa60`079858d0
fffffa60`07985738 ffffffff`ffb5c028 : ffffffff`ff7082e6 ffffffff`ffb5c028 ffffffff`ff708048 ffffffff`ffb5c018 : 0xffffffff`ff70d817
fffffa60`07985740 ffffffff`ff7082e6 : ffffffff`ffb5c028 ffffffff`ff708048 ffffffff`ffb5c018 fffffa60`079858c0 : 0xffffffff`ffb5c028
fffffa60`07985748 ffffffff`ffb5c028 : ffffffff`ff708048 ffffffff`ffb5c018 fffffa60`079858c0 00000000`00000000 : 0xffffffff`ff7082e6
fffffa60`07985750 ffffffff`ff708048 : ffffffff`ffb5c018 fffffa60`079858c0 00000000`00000000 00000000`00000000 : 0xffffffff`ffb5c028
fffffa60`07985758 ffffffff`ffb5c018 : fffffa60`079858c0 00000000`00000000 00000000`00000000 00000000`00000002 : 0xffffffff`ff708048
fffffa60`07985760 fffffa60`079858c0 : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000000 : 0xffffffff`ffb5c018
fffffa60`07985768 00000000`00000000 : 00000000`00000000 00000000`00000002 00000000`00000000 00000000`00000000 : 0xfffffa60`079858c0
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PspGetSetContextInternal+396
fffff800`02b2ae8e 488b28 mov rbp,qword ptr [rax]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: nt!PspGetSetContextInternal+396
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4cb7275f
FAILURE_BUCKET_ID: X64_0x1E_c0000005_nt!PspGetSetContextInternal+396
BUCKET_ID: X64_0x1E_c0000005_nt!PspGetSetContextInternal+396
Followup: MachineOwner
---------An earlier dump shows FAULT_IN_NONPAGED_AREA
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\Brady\Desktop\Mini032111-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 6002.18327.amd64fre.vistasp2_gdr.101014-0432
Machine Name:
Kernel base = 0xfffff800`0240c000 PsLoadedModuleList = 0xfffff800`025d0dd0
Debug session time: Mon Mar 21 09:35:05.320 2011 (UTC + 10:00)
System Uptime: 1 days 15:37:08.913
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {fffffa60013bf862, 0, fffff8000248df53, 0}
Could not read faulting driver name
Probably caused by : ntkrnlmp.exe ( nt!RtlVirtualUnwind+63 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffa60013bf862, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8000248df53, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002633080
fffffa60013bf862
FAULTING_IP:
nt!RtlVirtualUnwind+63
fffff800`0248df53 410fb64d00 movzx ecx,byte ptr [r13]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x50
PROCESS_NAME: winlogon.exe
CURRENT_IRQL: 1
TRAP_FRAME: fffffa6007c8ec50 -- (.trap 0xfffffa6007c8ec50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8000259fe20 rbx=0000000000000000 rcx=0000000000000001
rdx=fffffa6001385000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8000248df53 rsp=fffffa6007c8ede0 rbp=fffffa6007c8eea0
r8=fffffa60013bf862 r9=fffffa60013948c0 r10=fffffa60013948c0
r11=fffffa6001393000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!RtlVirtualUnwind+0x63:
fffff800`0248df53 410fb64d00 movzx ecx,byte ptr [r13] ds:00000000`00000000=??
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800024c7860 to fffff80002466490
STACK_TEXT:
fffffa60`07c8eb68 fffff800`024c7860 : 00000000`00000050 fffffa60`013bf862 00000000`00000000 fffffa60`07c8ec50 : nt!KeBugCheckEx
fffffa60`07c8eb70 fffff800`02465019 : 00000000`00000000 00000000`00000000 fffffa60`07c8ed00 00000000`00000582 : nt! ?? ::FNODOBFM::`string'+0x2d3dc
fffffa60`07c8ec50 fffff800`0248df53 : 00000000`00000107 fffff800`02491b6e 00000000`00000010 00000000`00010206 : nt!KiPageFault+0x119
fffffa60`07c8ede0 fffff800`026efe62 : fffffa60`00000001 fffffa60`07a9f570 fffffa60`00000000 fffffa60`07a9fac8 : nt!RtlVirtualUnwind+0x63
fffffa60`07c8ee50 fffff800`0249393d : fffff800`0259fe20 fffffa80`0da9b060 fffffa60`07a9f570 fffffa60`01385000 : nt!PspGetSetContextInternal+0x36a
fffffa60`07c8f3a0 fffff800`02487bbe : ffffffff`ff708048 fffffa60`07c8f8c0 fffffa80`0da9b060 fffffa60`005ec180 : nt!PspGetSetContextSpecialApc+0x9d
fffffa60`07c8f4b0 fffff800`0248b613 : fffffa60`07c8f5d0 00000000`00000000 00000000`00000000 fffffa80`0da9b060 : nt!KiDeliverApc+0x19e
fffffa60`07c8f550 ffffffff`ffb4a48f : ffffffff`ffb4a688 00000000`00000010 00000000`00000246 fffffa60`07c8f718 : nt!KiApcInterrupt+0x103
fffffa60`07c8f6e8 ffffffff`ffb4a688 : 00000000`00000010 00000000`00000246 fffffa60`07c8f718 00000000`00000018 : 0xffffffff`ffb4a48f
fffffa60`07c8f6f0 00000000`00000010 : 00000000`00000246 fffffa60`07c8f718 00000000`00000018 fffffa60`07c8f720 : 0xffffffff`ffb4a688
fffffa60`07c8f6f8 00000000`00000246 : fffffa60`07c8f718 00000000`00000018 fffffa60`07c8f720 ffffffff`ffb4a995 : 0x10
fffffa60`07c8f700 fffffa60`07c8f718 : 00000000`00000018 fffffa60`07c8f720 ffffffff`ffb4a995 00000000`00000000 : 0x246
fffffa60`07c8f708 00000000`00000018 : fffffa60`07c8f720 ffffffff`ffb4a995 00000000`00000000 fffffa60`07c8f8d0 : 0xfffffa60`07c8f718
fffffa60`07c8f710 fffffa60`07c8f720 : ffffffff`ffb4a995 00000000`00000000 fffffa60`07c8f8d0 ffffffff`ff70f33b : 0x18
fffffa60`07c8f718 ffffffff`ffb4a995 : 00000000`00000000 fffffa60`07c8f8d0 ffffffff`ff70f33b ffffffff`ffb5c028 : 0xfffffa60`07c8f720
fffffa60`07c8f720 00000000`00000000 : fffffa60`07c8f8d0 ffffffff`ff70f33b ffffffff`ffb5c028 ffffffff`ff709dfd : 0xffffffff`ffb4a995
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!RtlVirtualUnwind+63
fffff800`0248df53 410fb64d00 movzx ecx,byte ptr [r13]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!RtlVirtualUnwind+63
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4cb7275f
FAILURE_BUCKET_ID: X64_0x50_nt!RtlVirtualUnwind+63
BUCKET_ID: X64_0x50_nt!RtlVirtualUnwind+63
Followup: MachineOwner
---------
ajmehta
have you checked the power supply for correct voltage outputs, and motherboard for puffed or leaking capacitors?
ASKER
Yes - nothing out of the ordinary. The server is only 2 months old.
ASKER
Perhaps this http://support.microsoft.com/kb/937455 is related? I get the same reason code (0x805000f) and event ID (1076).
dmp file points to drivers for APC
APC is your UPS? try updating the drivers or remove the app & drivers from your server
APC is your UPS? try updating the drivers or remove the app & drivers from your server
ASKER
Hi,
The UPS is not interacively connected to the system in anyway, and the UPS is not an APC UPS.
The UPS is not interacively connected to the system in anyway, and the UPS is not an APC UPS.
hmm yeah sorry - that was a quick review
you have a driver that is poorly written
the dmp file cannot get the name of the driver that is at issue.
i would start with any changes that occurred around the time this started happening, review event logs for windows updates if you have not recently installed new hardware or software, you can also edit startup items in msconfig to find the offending software/hardware driver
being on server 2008/vista version is something to move away from if you are able to update the OS to 2008R2
the 2008R2/Win7 kernal is more refined and better able to protect itself from drivers
you have a driver that is poorly written
the dmp file cannot get the name of the driver that is at issue.
i would start with any changes that occurred around the time this started happening, review event logs for windows updates if you have not recently installed new hardware or software, you can also edit startup items in msconfig to find the offending software/hardware driver
being on server 2008/vista version is something to move away from if you are able to update the OS to 2008R2
the 2008R2/Win7 kernal is more refined and better able to protect itself from drivers
does safe mode crash at all? If not, enable diagnostic mode from msconfig and restart to start narrowing down the issue.
ASKER
I'm unsure if safe mode crashes - I can only practically access this system by remote. I will be onsite in a week to see the problem in more detail.
The system will sometimes blue screen, crash and reboot when I log in via remote desktop, because after I get the 'loading desktop' message, the screen goes black and wite indicating a connection problem then the VPN is disconnected.
The system will sometimes blue screen, crash and reboot when I log in via remote desktop, because after I get the 'loading desktop' message, the screen goes black and wite indicating a connection problem then the VPN is disconnected.
You can reboot into safe mode with networking with logmeinrescue (free 14 day trial)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
NOD32 was the culprit in this instance. Both servers have been stable since uninstalling NOD32.