Windbg Output Memory.DMP file - Unexpected Shutdown DC 2003 OS

Posted on 2013-12-30
Last Modified: 2014-01-02
Can someone please shed some light as to what this means? Thanks!


*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80001257a6f, Address of the instruction which caused the bugcheck
Arg3: fffffadf8f839260, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: nt

FAULTING_MODULE: fffff80001000000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  5138536e

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!ObCheckCreateObjectAccess+186f
fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0

CONTEXT:  fffffadf8f839260 -- (.cxr 0xfffffadf8f839260)
rax=fffffadf98aab040 rbx=fffffa800389a8f0 rcx=a079654b0607022f
rdx=0000000000000001 rsi=a079654b06070107 rdi=fffffa800389a990
rip=fffff80001257a6f rsp=fffffadf8f839a70 rbp=fffffa800389a9a0
r8=0000000000020019  r9=0000000000000000 r10=fffffa80007b9940
r11=fffffadf98aab040 r12=fffffadf9ccb3080 r13=fffffa800389a9c0
r14=0000000000000000 r15=fffffa800389a9c0
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010282
nt!ObCheckCreateObjectAccess+0x186f:
fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0 ds:002b:a079654b`0607022f=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x3B

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff8000128cd77 to fffff80001257a6f

STACK_TEXT:
fffffadf`8f839a70 fffff800`0128cd77 : fffffa80`013d1e60 fffffadf`98d87c20 fffffadf`9ccb3080 00000000`00000000 : nt!ObCheckCreateObjectAccess+0x186f
fffffadf`8f839af0 fffff800`0128ce7e : fffffa80`013d1e60 00000000`00000798 fffffa80`007b9940 00000000`00000000 : nt!PsLookupProcessByProcessId+0x247
fffffadf`8f839b50 fffff800`01289a44 : fffffadf`98aab040 00000000`00000798 fffffadf`98d87c20 fffffadf`98aab040 : nt!NtClose+0xce
fffffadf`8f839bf0 fffff800`0102e5bd : fffffadf`98aab040 fffffadf`8f839cf0 00000000`00f8f100 00000000`00000000 : nt!ObOpenObjectByName+0x3b4
fffffadf`8f839c70 00000000`77ef039a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!ZwUnloadKey+0x20ad
00000000`00f8f018 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77ef039a

FOLLOWUP_IP:
nt!ObCheckCreateObjectAccess+186f
fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!ObCheckCreateObjectAccess+186f

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  ntkrnlmp.exe

STACK_COMMAND:  .cxr 0xfffffadf8f839260 ; kb

BUCKET_ID:  WRONG_SYMBOLS

Followup: MachineOwner

Question by: syseng007

Accepted Solution
by: Rob Miners
ID: 39747045
If you have an Internet Connection, Symbol search path is: SRV*Downstream_store*http://msdl.microsoft.com/download/symbols

Symbol files
All system applications, drivers, and DLLs are built such that their debugging information resides in separate files known as symbol files.

Instructions on using WinDBG.

Open WinDBG and select File, Symbol file path and paste this line

SRV*Downstream_store*http://msdl.microsoft.com/download/symbols
or
You can create a folder on a drive that has free space and set the environment, e.g.:

SRV*C:\symbols*http://msdl.microsoft.com/download/symbols
SRV*D:\symbols*http://msdl.microsoft.com/download/symbols
SRV*E:\symbols*http://msdl.microsoft.com/download/symbols
select OK.

Close the workspace and save the Workspace information. This should lock in the Symbol path.

Open WinDBG and select file and select Open Crash Dump then navigate to the minidump, highlight it and select Open.

There are two ways to use !analyze -v; the easiest is to click on !analyze -v under Bugcheck Analysis.

Once you have run the initial dump, look at the bottom of the screen and you will see kd>; to the right of that, type in !analyze -v and press the Enter key.
or
you can add to the command like this: !analyze -v;r;lmntsm;

Ctrl + A will let you select the information, then Ctrl + C to copy and Ctrl + V to paste into Notepad.

http://blogs.technet.com/askcore/archive/2008/11/01/how-to-debug-kernel-mode-blue-screen-crashes-for-beginners.aspx

If the debugger output references the NT kernel (ntoskrnl.exe, ntkrnlpa.exe, ntkrnlmp.exe, and ntkrnlpamp.exe), the driver verifier may be necessary to further pinpoint the problem.

The dates of all of the drivers loaded at the time of the crash can be determined using the lm n t debugger command. More information about a specific driver can be gained using the lm vm drivername command. This can be helpful to identify whether an older driver might be contributing to the crash.

Enable Driver Verifier, to get a more informative dump.

To configure Driver Verifier

Press WinKey + R and type verifier /standard /all
Restart the machine.
You may or may not blue screen; if not, you can also create a log file by following this procedure:
Once you're up and running, press WinKey + R, type verifier /log drvchk.txt and press Enter.
This will open a blank command window while it is doing the check. Let it run for at least 4 minutes, then close the window. You may get an error message, but you can ignore it.
Press WinKey + R, type verifier /reset and press Enter.
Press WinKey + R and type %userprofile%\drvchk.txt
If it's not there,
press WinKey + R and type %windir%\System32\drvchk.txt
Look for any errors...

Note:
If the computer fails to boot because of the verifier:
Restart in Safe Mode by repeatedly pressing the function key F8 during startup.
Click Start, type verifier /reset in the Start Search box, and then press Enter.
Click OK or Yes to the UAC prompt.
Restart the machine.
Post the next dump for analysis.

Expert Comment
by: Ratnesh Mishra
ID: 39748128
Sorry, however I didn't understand what you want us to do with the information pasted in your query.
Do you want to know about the symbol path [the reason for the error showing in the log while you open it in windbg]?

Or do you want to know the reason for the Bugcheck [BSOD]?

The first has been explained in full above.

But for the second one, it's a C5 exception [we call it in general], which means that the virtual memory of 2 applications coincides and the Operating System was unable to understand which memory location belongs to whom and did a Bugcheck.
So once you get the symbol path fixed, rerun "!analyze -v", which will give you more of an idea. Don't forget to check the stack, which will show you which thread or process was running when this happened, so reinstallation/update of that application will fix the issue.
0
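
Added example (not part of the original thread or of any poster's answer): a small Python triage script that reads saved !analyze -v text, pulls out the bugcheck code and arguments, flags the WRONG_SYMBOLS condition discussed above, and checks whether the faulting memory operand is a canonical x64 address. The function names triage and is_canonical are hypothetical, and the canonical check assumes 48-bit virtual addressing.

```python
import re

# Excerpt of the !analyze -v output posted in the question above.
SAMPLE = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80001257a6f, Address of the instruction which caused the bugcheck
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
nt!ObCheckCreateObjectAccess+0x186f:
fffff800`01257a6f f0480fba2900    lock bts qword ptr [rcx],0 ds:002b:a079654b`0607022f=????????????????
BUCKET_ID:  WRONG_SYMBOLS
"""

def is_canonical(addr: int) -> bool:
    """Assumes 48-bit virtual addresses: bits 63..47 must all be equal."""
    top = addr >> 47
    return top == 0 or top == 0x1FFFF

def triage(text: str) -> dict:
    """Extract the fields that decide the next debugging step."""
    out = {"bugcheck": None, "args": {}, "symbols_ok": True,
           "fault_addr": None, "fault_addr_canonical": None, "notes": []}
    # Bugcheck name and code, e.g. SYSTEM_SERVICE_EXCEPTION (3b)
    m = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    if m:
        out["bugcheck"] = (m.group(1), int(m.group(2), 16))
    for n, val in re.findall(r"^Arg(\d): ([0-9a-fA-F]+)", text, re.M):
        out["args"][int(n)] = int(val, 16)
    if "symbols are WRONG" in text or re.search(r"BUCKET_ID:\s+WRONG_SYMBOLS", text):
        out["symbols_ok"] = False
        out["notes"].append("symbol names and offsets are unreliable; "
                            "fix the symbol path and rerun !analyze -v")
    # Memory operand printed by the debugger, e.g. ds:002b:a079654b`0607022f=
    m = re.search(r"\b[c-gs]s:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})=", text)
    if m:
        addr = int(m.group(1) + m.group(2), 16)
        out["fault_addr"] = addr
        out["fault_addr_canonical"] = is_canonical(addr)
        if not out["fault_addr_canonical"]:
            out["notes"].append("non-canonical address: the pointer value "
                                "being dereferenced is itself invalid")
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

On the excerpt, the script reports that symbols are not loaded correctly and that the address in rcx is non-canonical, so the function names in the stack should not be relied on until the symbol path is fixed.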
