Solved

Windbg Output Memory.DMP file - Unexpected Shutdown DC 2003 OS

Posted on 2013-12-30
Last Modified: 2014-01-02
Can someone please shed some light as to what this means? Thanks!


*******************************************************************************

*                                                                             *

*                        Bugcheck Analysis                                    *

*                                                                             *

*******************************************************************************

 

SYSTEM_SERVICE_EXCEPTION (3b)

An exception happened while executing a system service routine.

Arguments:

Arg1: 00000000c0000005, Exception code that caused the bugcheck

Arg2: fffff80001257a6f, Address of the instruction which caused the bugcheck

Arg3: fffffadf8f839260, Address of the context record for the exception that caused the bugcheck

Arg4: 0000000000000000, zero.

 

Debugging Details:

------------------

 

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

 

*************************************************************************

***                                                                   ***

***                                                                   ***

***    Your debugger is not using the correct symbols                 ***

***                                                                   ***

***    In order for this command to work properly, your symbol path   ***

***    must point to .pdb files that have full type information.      ***

***                                                                   ***

***    Certain .pdb files (such as the public OS symbols) do not      ***

***    contain the required information.  Contact the group that      ***

***    provided you with these symbols if you need this command to    ***

***    work.                                                          ***

***                                                                   ***

***    Type referenced: nt!_KPRCB                                     ***

***                                                                   ***

*************************************************************************

*************************************************************************

***                                                                   ***

***                                                                   ***

***    Your debugger is not using the correct symbols                 ***

***                                                                   ***

***    In order for this command to work properly, your symbol path   ***

***    must point to .pdb files that have full type information.      ***

***                                                                   ***

***    Certain .pdb files (such as the public OS symbols) do not      ***

***    contain the required information.  Contact the group that      ***

***    provided you with these symbols if you need this command to    ***

***    work.                                                          ***

***                                                                   ***

***    Type referenced: nt!_KPRCB                                     ***

***                                                                   ***

*************************************************************************

*************************************************************************

***                                                                   ***

***                                                                   ***

***    Your debugger is not using the correct symbols                 ***

***                                                                   ***

***    In order for this command to work properly, your symbol path   ***

***    must point to .pdb files that have full type information.      ***

***                                                                   ***

***    Certain .pdb files (such as the public OS symbols) do not      ***

***    contain the required information.  Contact the group that      ***

***    provided you with these symbols if you need this command to    ***

***    work.                                                          ***

***                                                                   ***

***    Type referenced: nt!_KPRCB                                     ***

***                                                                   ***

*************************************************************************

 

ADDITIONAL_DEBUG_TEXT:

Use '!findthebuild' command to search for the target build information.

If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

 

MODULE_NAME: nt

 

FAULTING_MODULE: fffff80001000000 nt

 

DEBUG_FLR_IMAGE_TIMESTAMP:  5138536e

 

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

 

FAULTING_IP:

nt!ObCheckCreateObjectAccess+186f

fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0

 

CONTEXT:  fffffadf8f839260 -- (.cxr 0xfffffadf8f839260)

rax=fffffadf98aab040 rbx=fffffa800389a8f0 rcx=a079654b0607022f

rdx=0000000000000001 rsi=a079654b06070107 rdi=fffffa800389a990

rip=fffff80001257a6f rsp=fffffadf8f839a70 rbp=fffffa800389a9a0

r8=0000000000020019  r9=0000000000000000 r10=fffffa80007b9940

r11=fffffadf98aab040 r12=fffffadf9ccb3080 r13=fffffa800389a9c0

r14=0000000000000000 r15=fffffa800389a9c0

iopl=0         nv up ei ng nz na pe nc

cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282

nt!ObCheckCreateObjectAccess+0x186f:

fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0 ds:002b:a079654b`0607022f=????????????????

Resetting default scope

 

DEFAULT_BUCKET_ID:  DRIVER_FAULT

 

BUGCHECK_STR:  0x3B

 

CURRENT_IRQL:  0

 

LAST_CONTROL_TRANSFER:  from fffff8000128cd77 to fffff80001257a6f

 

STACK_TEXT:

fffffadf`8f839a70 fffff800`0128cd77 : fffffa80`013d1e60 fffffadf`98d87c20 fffffadf`9ccb3080 00000000`00000000 : nt!ObCheckCreateObjectAccess+0x186f

fffffadf`8f839af0 fffff800`0128ce7e : fffffa80`013d1e60 00000000`00000798 fffffa80`007b9940 00000000`00000000 : nt!PsLookupProcessByProcessId+0x247

fffffadf`8f839b50 fffff800`01289a44 : fffffadf`98aab040 00000000`00000798 fffffadf`98d87c20 fffffadf`98aab040 : nt!NtClose+0xce

fffffadf`8f839bf0 fffff800`0102e5bd : fffffadf`98aab040 fffffadf`8f839cf0 00000000`00f8f100 00000000`00000000 : nt!ObOpenObjectByName+0x3b4

fffffadf`8f839c70 00000000`77ef039a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ZwUnloadKey+0x20ad

00000000`00f8f018 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77ef039a

 

 

FOLLOWUP_IP:

nt!ObCheckCreateObjectAccess+186f

fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0

 

SYMBOL_STACK_INDEX:  0

 

SYMBOL_NAME:  nt!ObCheckCreateObjectAccess+186f

 

FOLLOWUP_NAME:  MachineOwner

 

IMAGE_NAME:  ntkrnlmp.exe

 

STACK_COMMAND:  .cxr 0xfffffadf8f839260 ; kb

 

BUCKET_ID:  WRONG_SYMBOLS

 

Followup: MachineOwner
Question by:syseng007
2 Comments
 
LVL 14

Accepted Solution

by:
Rob Miners earned 500 total points
ID: 39747045
If you have an Internet Connection, Symbol search path is: SRV*Downstream_store*http://msdl.microsoft.com/download/symbols

Symbol files
All system applications, drivers, and DLLs are built such that their debugging information resides in separate files known as symbol files.

Instructions on using WinDBG.

Open WinDBG and select File, Symbol file path and paste this line

SRV*Downstream_store*http://msdl.microsoft.com/download/symbols
or
You can create a folder on a drive that has free space and set the environment, e.g.:

SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
SRV*D:\symbols*http://msdl.microsoft.com/download/symbols
SRV*E:\symbols*http://msdl.microsoft.com/download/symbols
select OK.

Close the workspace and save the Workspace information. This should lock in the Symbol path.

Open WinDBG, select File, then Open Crash Dump, navigate to the minidump, highlight it and select Open.

There are two ways to use !analyze -v; the easiest is to click on !analyze -v under Bugcheck Analysis.

When you have run the initial dump, look at the bottom of the screen and you will see kd>. To the right of that, type in !analyze -v and press the Enter key.
or
you can add to the command like this: !analyze -v;r;lmntsm;

Ctrl + A will let you select the information, Ctrl + C will copy it, and Ctrl + V will paste it into Notepad.

http://blogs.technet.com/askcore/archive/2008/11/01/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners.aspx

If the debugger output references the NT kernel (ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe, and ntkrnlpamp.exe), the driver verifier may be necessary to further pinpoint the problem.

The dates of all of the drivers loaded at the time of the crash can be determined using the lm n t debugger command. More information about a specific driver can be gained using the lm vm drivername command. This can be helpful to identify whether an older driver might be contributing to the crash.

Enable Driver Verifier, to get a more informative dump.

To configure Driver Verifier

Press WinKey + R and type verifier /standard /all
Restart the machine.
You may or may not blue screen. If not, you can also create a log file by following this procedure:
Once you're up and running, press WinKey + R, type verifier /log drvchk.txt and press Enter.
This will open a blank command window while it is doing the check. Let it run for at least 4 minutes, then close the window. You may get an error message, but you can ignore it.
Press WinKey + R, type verifier /reset and press Enter.
Press WinKey + R and type %userprofile%\drvchk.txt
If it's not there, press WinKey + R and type %windir%\System32\drvchk.txt
Look for any errors...

Note:
If the computer fails to boot because of the verifier:
Restart in Safe Mode by repeatedly pressing the function key F8 during startup.
Click Start, type verifier /reset in the Start Search box, and then press Enter.
Click OK or Yes to the UAC prompt.
Restart the machine.
Post the next dump for analysis.
LVL 8

Expert Comment

by:Ratnesh Mishra
ID: 39748128
Sorry, however I didn't understand what you want us to do with the information pasted in your query.
If you are willing to know about the symbol path [the reason for the error showing in the log while you open it in WinDbg].

Or you want to know the reason for the Bugcheck [BSOD].

For the first above, it has been explained in full.

But for the second one, it's a C5 exception [we call it in general], which means that the virtual memory of 2 applications coincides and the operating system was unable to understand which memory location belongs to whom and did a Bugcheck.
So once you get the symbol path fixed, rerun "!analyze -v", which will give you more idea. Don't forget to check the stack, which will show you which thread or process was running when this happened, so reinstallation/update of that application will fix the issue.
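
A small triage parser for the `!analyze -v` text posted in this thread, as an added example that is not part of any post: it pulls out the bugcheck code and arguments, reports whether the debugger flagged its symbols as wrong, and checks whether the register used by the faulting memory operand holds a canonical x64 address. The names `triage` and `is_canonical` are illustrative, and the sample input is constructed from lines of the question's dump.

```python
import re

# Constructed sample: key lines taken from the !analyze -v output in the question.
SAMPLE = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80001257a6f, Address of the instruction which caused the bugcheck
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
rax=fffffadf98aab040 rbx=fffffa800389a8f0 rcx=a079654b0607022f
fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0
BUCKET_ID:  WRONG_SYMBOLS
"""


def is_canonical(addr):
    """x64 canonical form: bits 63..47 must be all zeros or all ones."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF


def triage(text):
    """Summarise an !analyze -v dump: bugcheck, args, symbol health, operand."""
    out = {}
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)\s*$", text, re.M)
    out["bugcheck"] = (m.group(1), int(m.group(2), 16)) if m else None
    out["args"] = [int(v, 16)
                   for v in re.findall(r"^Arg\d: ([0-9a-f]+)", text, re.M)]
    # If the debugger flags wrong symbols, function names in the stack
    # (nt!Name+offset) cannot be trusted until the symbol path is fixed.
    wrong = ("symbols are WRONG" in text
             or re.search(r"BUCKET_ID:\s+WRONG_SYMBOLS", text) is not None)
    out["symbols_ok"] = not wrong
    # Register values from the .cxr context record (name=16 hex digits).
    regs = {name: int(val, 16) for name, val in
            re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)}
    # Memory operand of the faulting instruction, e.g. "qword ptr [rcx]".
    m = re.search(r"ptr \[(r\w+)\]", text)
    if m and m.group(1) in regs:
        value = regs[m.group(1)]
        out["operand"] = (m.group(1), value, is_canonical(value))
    else:
        out["operand"] = None
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the posted dump this reports `symbols_ok` as false and `rcx` as non-canonical, so the write target was not a valid kernel pointer at all, and the function names in STACK_TEXT should be re-read after the symbol path is corrected.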