Solved

How to interpret a dump file

Posted on 2012-03-30
Last Modified: 2012-04-16
I had a Server 2008 blue screen. The event logs said it rebooted from a debug check. I was able to get into the dump file and this is what it says. Can someone help me determine the cause? Thanks.

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\debug\it\Debuggers\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7600 MP (6 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 7600.16917.amd64fre.win7_gdr.111118-2330
Machine Name:
Kernel base = 0xfffff800`01863000 PsLoadedModuleList = 0xfffff800`01a9fe70
Debug session time: Fri Mar 30 12:02:16.904 2012 (UTC - 4:00)
System Uptime: 5 days 14:15:02.097
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols

Loading unloaded module list
....................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 0, fffff800018d7636}

Probably caused by : ntkrnlmp.exe ( nt!KeSetEvent+226 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
      bit 0 : value 0 = read operation, 1 = write operation
      bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800018d7636, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  0000000000000000

CURRENT_IRQL:  2

FAULTING_IP:
nt!KeSetEvent+226
fffff800`018d7636 488b09          mov     rcx,qword ptr [rcx]

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  System

TRAP_FRAME:  fffff880023c4a70 -- (.trap 0xfffff880023c4a70)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa803b02f880 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800018d7636 rsp=fffff880023c4c00 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000070 r10=0000000000000000
r11=fffffa8036eee140 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!KeSetEvent+0x226:
fffff800`018d7636 488b09          mov     rcx,qword ptr [rcx] ds:d0d0:0000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800018d2aa9 to fffff800018d3540

STACK_TEXT:  
fffff880`023c4928 fffff800`018d2aa9 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff880`023c4930 fffff800`018d1720 : 000067f0`a0184b96 fffffa80`3b02f878 fffff880`013cae00 00000000`ffffffff : nt!KiBugCheckDispatch+0x69
fffff880`023c4a70 fffff800`018d7636 : fffff880`013b77c0 fffff880`013a1633 fffffa80`36eee148 fffffa80`313ec800 : nt!KiPageFault+0x260
fffff880`023c4c00 fffff880`013caf13 : 00000000`00000000 00000000`00000000 fffffa80`313ec800 fffffa80`323c7618 : nt!KeSetEvent+0x226
fffff880`023c4c70 fffff800`018e06e1 : fffff880`013caed0 fffff800`01a775f8 fffffa80`3100a040 00000000`00000000 : fltmgr!FltpProcessGenericWorkItem+0x43
fffff880`023c4cb0 fffff800`01b72726 : 00000000`00000000 fffffa80`3100a040 00000000`00000080 fffffa80`30ffe890 : nt!ExpWorkerThread+0x111
fffff880`023c4d40 fffff800`018b1ac6 : fffff880`0205d180 fffffa80`3100a040 fffff880`02068040 00000000`00000000 : nt!PspSystemThreadStartup+0x5a
fffff880`023c4d80 00000000`00000000 : fffff880`023c5000 fffff880`023bf000 fffff880`023c49f0 00000000`00000000 : nt!KxStartSystemThread+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!KeSetEvent+226
fffff800`018d7636 488b09          mov     rcx,qword ptr [rcx]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!KeSetEvent+226

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  4ec7a284

FAILURE_BUCKET_ID:  X64_0xA_nt!KeSetEvent+226

BUCKET_ID:  X64_0xA_nt!KeSetEvent+226

Followup: MachineOwner
---------

0: kd> .trap 0xfffff880023c4a70
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffa803b02f880 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800018d7636 rsp=fffff880023c4c00 rbp=0000000000000000
 r8=0000000000000000  r9=0000000000000070 r10=0000000000000000
r11=fffffa8036eee140 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!KeSetEvent+0x226:
fffff800`018d7636 488b09          mov     rcx,qword ptr [rcx] ds:d0d0:0000=????????????????
Question by:knfitz

Accepted Solution

by:
Kubejunkie earned 500 total points
ID: 37789039
This looks like a BSOD related to a driver. Doing a search, I found a link:

http://forums.pcper.com/showthread.php?t=447852

You should try some of the steps listed in that thread and see if that helps you out. The DEBUG is not giving you a specific driver listed. Could be several things. Best to start doing some of those steps and let me know how it turns out. Also, if you updated or installed any drivers recently, you could try rolling them back and see if you still have the problem.
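The `!analyze -v` output pasted in the question can be triaged mechanically. As an added example (not part of the original thread), this Python script decodes the BugCheck 0xA arguments and walks STACK_TEXT to report the first frame outside the core kernel; the function names, the `KERNEL_MODULES` set and the trimmed `SAMPLE` are assumptions made for illustration.

```python
import re

# Constructed sample: the bugcheck line and four STACK_TEXT frames copied from the dump in the question.
SAMPLE = """\
BugCheck A, {0, 2, 0, fffff800018d7636}
STACK_TEXT:
fffff880`023c4a70 fffff800`018d7636 : fffff880`013b77c0 fffff880`013a1633 fffffa80`36eee148 fffffa80`313ec800 : nt!KiPageFault+0x260
fffff880`023c4c00 fffff880`013caf13 : 00000000`00000000 00000000`00000000 fffffa80`313ec800 fffffa80`323c7618 : nt!KeSetEvent+0x226
fffff880`023c4c70 fffff800`018e06e1 : fffff880`013caed0 fffff800`01a775f8 fffffa80`3100a040 00000000`00000000 : fltmgr!FltpProcessGenericWorkItem+0x43
fffff880`023c4cb0 fffff800`01b72726 : 00000000`00000000 fffffa80`3100a040 00000000`00000080 fffffa80`30ffe890 : nt!ExpWorkerThread+0x111
"""

KERNEL_MODULES = {"nt", "hal"}  # assumption: modules treated as core kernel for triage
# One frame: Child-SP RetAddr : four "Args to Child" columns : module!function+0xoffset
FRAME_RE = re.compile(
    r"^(\S+) (\S+) : \S+ \S+ \S+ \S+ : ([^!\s]+)!([^+\s]+)(?:\+0x([0-9a-fA-F]+))?\s*$",
    re.MULTILINE)

def hexval(s):
    """Parse a WinDbg value such as fffff880`023c4c00 (backtick splits the 64 bits)."""
    return int(s.strip().replace("`", ""), 16)

def parse_bugcheck(text):
    """Return (bugcheck code, [Arg1..Arg4]) from the 'BugCheck A, {...}' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    return int(m.group(1), 16), [hexval(a) for a in m.group(2).split(",")]

def describe_irql_fault(args):
    """Decode the 0xA arguments using the field meanings printed by !analyze -v."""
    addr, irql, flags, ip = args
    return {"address": addr, "irql": irql, "faulting_ip": ip,
            "operation": "write" if flags & 1 else "read",  # bit 0
            "execute": bool(flags & 8),                     # bit 3
            "null_pointer": addr == 0}

def parse_stack(text):
    """Return the frames in stack order (innermost first)."""
    return [{"child_sp": hexval(sp), "return_addr": hexval(ret), "module": mod,
             "function": fn, "offset": int(off, 16) if off else 0}
            for sp, ret, mod, fn, off in FRAME_RE.findall(text)]

def first_non_kernel_frame(frames):
    """First frame whose module is not in KERNEL_MODULES, or None."""
    return next((f for f in frames if f["module"] not in KERNEL_MODULES), None)

if __name__ == "__main__":
    code, args = parse_bugcheck(SAMPLE)
    print(hex(code), describe_irql_fault(args))
    print(first_non_kernel_frame(parse_stack(SAMPLE)))
```

On the sample this reports a read of address 0 at IRQL 2 and `fltmgr!FltpProcessGenericWorkItem+0x43` as the caller of `nt!KeSetEvent`. `fltmgr` is the Windows Filter Manager, which hosts file-system minifilter drivers, so the installed minifilters are a reasonable place to start the driver review.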