?
Solved

BSOD on SBS 2008 - KMODE_EXCEPTION_NOT_HANDLED

Posted on 2011-05-06
12
Medium Priority
?
1,578 Views
Last Modified: 2012-05-11
Hi,

I'm having the following problem on a IBM x3200 M3 machine running SBS 2008 Premium. It will blue screen and restart randomly, but most often during remote desktop logon (mini dump shows winlogon.exe as being the culprit).

SBS was installed via IBM's ServerGuide for the system and has all Windows Updates etc loaded.

Originally I thought this may be a memory problem, as the server had 2 modules of aftermarket memory installed, these were however pulled and it is running its factory hardware configuration plus 2x 1TB WD drives in RAID, however I do not believe this to be hard disk related.

Has anyone else experienced this and how can it be fixed?

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Brady\Desktop\Mini050611-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 6002.18327.amd64fre.vistasp2_gdr.101014-0432
Machine Name:
Kernel base = 0xfffff800`02847000 PsLoadedModuleList = 0xfffff800`02a0bdd0
Debug session time: Fri May  6 18:44:39.947 2011 (UTC + 10:00)
System Uptime: 0 days 0:47:04.074
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {ffffffffc0000005, fffff80002b2ae8e, 0, ffffffffffffffff}

Probably caused by : ntkrnlmp.exe ( nt!PspGetSetContextInternal+396 )

Followup: MachineOwner
---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff80002b2ae8e, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: ffffffffffffffff, Parameter 1 of the exception

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
nt!PspGetSetContextInternal+396
fffff800`02b2ae8e 488b28          mov     rbp,qword ptr [rax]

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  ffffffffffffffff

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002a6e080
 ffffffffffffffff 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

BUGCHECK_STR:  0x1E_c0000005

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME:  winlogon.exe

CURRENT_IRQL:  1

LAST_CONTROL_TRANSFER:  from fffff80002883ac7 to fffff800028a1490

STACK_TEXT:  
fffffa60`07984518 fffff800`02883ac7 : 00000000`0000001e ffffffff`c0000005 fffff800`02b2ae8e 00000000`00000000 : nt!KeBugCheckEx
fffffa60`07984520 fffff800`028a12e9 : fffffa60`07984c58 fffffa60`04790570 fffffa60`07984d00 fffffa60`04790ac8 : nt! ?? ::FNODOBFM::`string'+0x29117
fffffa60`07984b20 fffff800`0289fecd : 00000000`00000200 fffff800`0297af28 00000000`8000000b 00000000`00000000 : nt!KiExceptionDispatch+0xa9
fffffa60`07984d00 fffff800`02b2ae8e : 44034388`ec2b4502 fffffa60`04790570 00000000`00000000 fffffa60`04790ac8 : nt!KiGeneralProtectionFault+0xcd
fffffa60`07984e90 fffff800`028ce93d : fffff800`0297aea8 fffffa80`09b12720 fffffa60`04790570 00000000`00000000 : nt!PspGetSetContextInternal+0x396
fffffa60`079853e0 fffff800`028c2bbe : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`028a3d02 : nt!PspGetSetContextSpecialApc+0x9d
fffffa60`079854f0 fffff800`028c6613 : fffffa60`07985610 00000000`00000000 00000000`00000000 fffffa80`09b12720 : nt!KiDeliverApc+0x19e
fffffa60`07985590 ffffffff`ffb4a8ae : 00000000`c0000000 fffffa60`079858d0 ffffffff`ff70d817 ffffffff`ffb5c028 : nt!KiApcInterrupt+0x103
fffffa60`07985720 00000000`c0000000 : fffffa60`079858d0 ffffffff`ff70d817 ffffffff`ffb5c028 ffffffff`ff7082e6 : 0xffffffff`ffb4a8ae
fffffa60`07985728 fffffa60`079858d0 : ffffffff`ff70d817 ffffffff`ffb5c028 ffffffff`ff7082e6 ffffffff`ffb5c028 : 0xc0000000
fffffa60`07985730 ffffffff`ff70d817 : ffffffff`ffb5c028 ffffffff`ff7082e6 ffffffff`ffb5c028 ffffffff`ff708048 : 0xfffffa60`079858d0
fffffa60`07985738 ffffffff`ffb5c028 : ffffffff`ff7082e6 ffffffff`ffb5c028 ffffffff`ff708048 ffffffff`ffb5c018 : 0xffffffff`ff70d817
fffffa60`07985740 ffffffff`ff7082e6 : ffffffff`ffb5c028 ffffffff`ff708048 ffffffff`ffb5c018 fffffa60`079858c0 : 0xffffffff`ffb5c028
fffffa60`07985748 ffffffff`ffb5c028 : ffffffff`ff708048 ffffffff`ffb5c018 fffffa60`079858c0 00000000`00000000 : 0xffffffff`ff7082e6
fffffa60`07985750 ffffffff`ff708048 : ffffffff`ffb5c018 fffffa60`079858c0 00000000`00000000 00000000`00000000 : 0xffffffff`ffb5c028
fffffa60`07985758 ffffffff`ffb5c018 : fffffa60`079858c0 00000000`00000000 00000000`00000000 00000000`00000002 : 0xffffffff`ff708048
fffffa60`07985760 fffffa60`079858c0 : 00000000`00000000 00000000`00000000 00000000`00000002 00000000`00000000 : 0xffffffff`ffb5c018
fffffa60`07985768 00000000`00000000 : 00000000`00000000 00000000`00000002 00000000`00000000 00000000`00000000 : 0xfffffa60`079858c0


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!PspGetSetContextInternal+396
fffff800`02b2ae8e 488b28          mov     rbp,qword ptr [rax]

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  nt!PspGetSetContextInternal+396

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4cb7275f

FAILURE_BUCKET_ID:  X64_0x1E_c0000005_nt!PspGetSetContextInternal+396

BUCKET_ID:  X64_0x1E_c0000005_nt!PspGetSetContextInternal+396

Followup: MachineOwner
---------

Open in new window


An earlier dump shows FAULT_IN_NONPAGED_AREA

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\Brady\Desktop\Mini032111-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (4 procs) Free x64
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 6002.18327.amd64fre.vistasp2_gdr.101014-0432
Machine Name:
Kernel base = 0xfffff800`0240c000 PsLoadedModuleList = 0xfffff800`025d0dd0
Debug session time: Mon Mar 21 09:35:05.320 2011 (UTC + 10:00)
System Uptime: 1 days 15:37:08.913
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffffa60013bf862, 0, fffff8000248df53, 0}


Could not read faulting driver name
Probably caused by : ntkrnlmp.exe ( nt!RtlVirtualUnwind+63 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffffa60013bf862, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff8000248df53, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff80002633080
 fffffa60013bf862 

FAULTING_IP: 
nt!RtlVirtualUnwind+63
fffff800`0248df53 410fb64d00      movzx   ecx,byte ptr [r13]

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR:  0x50

PROCESS_NAME:  winlogon.exe

CURRENT_IRQL:  1

TRAP_FRAME:  fffffa6007c8ec50 -- (.trap 0xfffffa6007c8ec50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff8000259fe20 rbx=0000000000000000 rcx=0000000000000001
rdx=fffffa6001385000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8000248df53 rsp=fffffa6007c8ede0 rbp=fffffa6007c8eea0
 r8=fffffa60013bf862  r9=fffffa60013948c0 r10=fffffa60013948c0
r11=fffffa6001393000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!RtlVirtualUnwind+0x63:
fffff800`0248df53 410fb64d00      movzx   ecx,byte ptr [r13] ds:00000000`00000000=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800024c7860 to fffff80002466490

STACK_TEXT:  
fffffa60`07c8eb68 fffff800`024c7860 : 00000000`00000050 fffffa60`013bf862 00000000`00000000 fffffa60`07c8ec50 : nt!KeBugCheckEx
fffffa60`07c8eb70 fffff800`02465019 : 00000000`00000000 00000000`00000000 fffffa60`07c8ed00 00000000`00000582 : nt! ?? ::FNODOBFM::`string'+0x2d3dc
fffffa60`07c8ec50 fffff800`0248df53 : 00000000`00000107 fffff800`02491b6e 00000000`00000010 00000000`00010206 : nt!KiPageFault+0x119
fffffa60`07c8ede0 fffff800`026efe62 : fffffa60`00000001 fffffa60`07a9f570 fffffa60`00000000 fffffa60`07a9fac8 : nt!RtlVirtualUnwind+0x63
fffffa60`07c8ee50 fffff800`0249393d : fffff800`0259fe20 fffffa80`0da9b060 fffffa60`07a9f570 fffffa60`01385000 : nt!PspGetSetContextInternal+0x36a
fffffa60`07c8f3a0 fffff800`02487bbe : ffffffff`ff708048 fffffa60`07c8f8c0 fffffa80`0da9b060 fffffa60`005ec180 : nt!PspGetSetContextSpecialApc+0x9d
fffffa60`07c8f4b0 fffff800`0248b613 : fffffa60`07c8f5d0 00000000`00000000 00000000`00000000 fffffa80`0da9b060 : nt!KiDeliverApc+0x19e
fffffa60`07c8f550 ffffffff`ffb4a48f : ffffffff`ffb4a688 00000000`00000010 00000000`00000246 fffffa60`07c8f718 : nt!KiApcInterrupt+0x103
fffffa60`07c8f6e8 ffffffff`ffb4a688 : 00000000`00000010 00000000`00000246 fffffa60`07c8f718 00000000`00000018 : 0xffffffff`ffb4a48f
fffffa60`07c8f6f0 00000000`00000010 : 00000000`00000246 fffffa60`07c8f718 00000000`00000018 fffffa60`07c8f720 : 0xffffffff`ffb4a688
fffffa60`07c8f6f8 00000000`00000246 : fffffa60`07c8f718 00000000`00000018 fffffa60`07c8f720 ffffffff`ffb4a995 : 0x10
fffffa60`07c8f700 fffffa60`07c8f718 : 00000000`00000018 fffffa60`07c8f720 ffffffff`ffb4a995 00000000`00000000 : 0x246
fffffa60`07c8f708 00000000`00000018 : fffffa60`07c8f720 ffffffff`ffb4a995 00000000`00000000 fffffa60`07c8f8d0 : 0xfffffa60`07c8f718
fffffa60`07c8f710 fffffa60`07c8f720 : ffffffff`ffb4a995 00000000`00000000 fffffa60`07c8f8d0 ffffffff`ff70f33b : 0x18
fffffa60`07c8f718 ffffffff`ffb4a995 : 00000000`00000000 fffffa60`07c8f8d0 ffffffff`ff70f33b ffffffff`ffb5c028 : 0xfffffa60`07c8f720
fffffa60`07c8f720 00000000`00000000 : fffffa60`07c8f8d0 ffffffff`ff70f33b ffffffff`ffb5c028 ffffffff`ff709dfd : 0xffffffff`ffb4a995


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!RtlVirtualUnwind+63
fffff800`0248df53 410fb64d00      movzx   ecx,byte ptr [r13]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!RtlVirtualUnwind+63

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4cb7275f

FAILURE_BUCKET_ID:  X64_0x50_nt!RtlVirtualUnwind+63

BUCKET_ID:  X64_0x50_nt!RtlVirtualUnwind+63

Followup: MachineOwner
---------

Open in new window

0
Comment
Question by:BradyAU
  • 6
  • 3
  • 2
  • +1
12 Comments
 
LVL 3

Expert Comment

by:ajmehta
ID: 35711051
have you checked the power supply for correct voltage outputs, and motherboard for puffed or leaking capacitors?
0
 

Author Comment

by:BradyAU
ID: 35711265
Yes - nothing out of the ordinary. The server is only 2 months old.
0
 

Author Comment

by:BradyAU
ID: 35711485
Perhaps this http://support.microsoft.com/kb/937455 is related? I get the same reason code (0x805000f) and event ID (1076).
0
Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

 
LVL 13

Expert Comment

by:Greg Hejl
ID: 35711818
dmp file points to drivers for APC

APC is your UPS?  try updating the drivers or remove the app & drivers from your server
0
 

Author Comment

by:BradyAU
ID: 35711821
Hi,

The UPS is not interacively connected to the system in anyway, and the UPS is not an APC UPS.
0
 
LVL 13

Expert Comment

by:Greg Hejl
ID: 35711941
hmm yeah sorry - that was a quick review

you have a driver that is poorly written

the dmp file cannot get the name of the driver that is at issue.

i would start with any changes that occurred around the time this started happening, review event logs for windows updates if you have not recently installed new hardware or software, you can also edit startup items in msconfig to find the offending software/hardware driver  

being on server 2008/vista version is something to move away from if you are able to update the OS to 2008R2  

the 2008R2/Win7 kernal is more refined and better able to protect itself from drivers
0
 
LVL 3

Expert Comment

by:ajmehta
ID: 35712428
does safe mode crash at all?  If not, enable diagnostic mode from msconfig and restart to start narrowing down the issue.
0
 

Author Comment

by:BradyAU
ID: 35712433
I'm unsure if safe mode crashes - I can only practically access this system by remote. I will be onsite in a week to see the problem in more detail.

The system will sometimes blue screen, crash and reboot when I log in via remote desktop, because after I get the 'loading desktop' message, the screen goes black and wite indicating a connection problem then the VPN is disconnected.
0
 
LVL 3

Expert Comment

by:ajmehta
ID: 35712469
You can reboot into safe mode with networking with logmeinrescue (free 14 day trial)
0
 

Assisted Solution

by:BradyAU
BradyAU earned 0 total points
ID: 35718278
After checking the server and having the problem appear on another server, both running NOD32/ESET, I believe that NOD32/ESET are at fault in combination with some Windows Updates that were applied.
0
 
LVL 1

Accepted Solution

by:
internetcreations earned 2000 total points
ID: 35799722
Disable the self defense and anti-stealth modules in NOD32 and that should fix it.  They seem to muck with the thread context asynchronous procedure call delivery causing invalid memory addresses to appear on the stack.
0
 

Author Closing Comment

by:BradyAU
ID: 35829974
NOD32 was the culprit in this instance. Both servers have been stable since uninstalling NOD32.
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Moving your enterprise fax infrastructure from in-house fax machines and servers to the cloud makes sense — from both an efficiency and productivity standpoint. But does migrating to a cloud fax solution mean you will no longer be able to send or re…
New style of hardware planning for Microsoft Exchange server.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question