Solved

Server Crashed - Memory Dump

Posted on 2014-04-17
Last Modified: 2014-04-24
Hi Guys,

One of my Server 2008 R2 machines crashed, and I believe it is a VMware VM. I downloaded the memory.dmp to my local machine and used WinDbg to analyse the crash dump. It seems to be telling me that it was vsepflt.sys that caused the crash, or is it Adobe Reader? Please help, I am finding it difficult to understand exactly what caused it:

Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\kabiru\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\Users\kabiru\Desktop\debugginsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`01851000 PsLoadedModuleList = 0xfffff800`01a96670
Debug session time: Tue Apr 15 23:38:51.945 2014 (UTC + 1:00)
System Uptime: 90 days 21:24:12.973
Loading Kernel Symbols
...............................................................
................................................................
......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`fffdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
..................................................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff8a0165a1000, 0, fffff80001892c56, 0}

*** ERROR: Module load completed but symbols could not be loaded for vsepflt.sys
*** ERROR: Module load completed but symbols could not be loaded for NCRecognizer.sys
*** ERROR: Module load completed but symbols could not be loaded for NCFilter.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfehidk.sys - 
Probably caused by : vsepflt.sys ( vsepflt+e1ce )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff8a0165a1000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80001892c56, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  fffff8a0165a1000 Paged pool

FAULTING_IP: 
nt!wcsnicmp+1e
fffff800`01892c56 410fb702        movzx   eax,word ptr [r10]

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  AcroRd32.exe

CURRENT_IRQL:  0

TRAP_FRAME:  fffff8800d8a5df0 -- (.trap 0xfffff8800d8a5df0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000002a rbx=0000000000000000 rcx=fffff88001585192
rdx=000000000000005c rsi=0000000000000000 rdi=0000000000000000
rip=fffff80001892c56 rsp=fffff8800d8a5f88 rbp=fffffa8004284e80
 r8=0000000000000009  r9=0000000000000000 r10=fffff8a0165a1000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
nt!wcsnicmp+0x1e:
fffff800`01892c56 410fb702        movzx   eax,word ptr [r10] ds:fffff8a0`165a1000=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800018799fc to fffff800018cdc40

STACK_TEXT:  
fffff880`0d8a5c88 fffff800`018799fc : 00000000`00000050 fffff8a0`165a1000 00000000`00000000 fffff880`0d8a5df0 : nt!KeBugCheckEx
fffff880`0d8a5c90 fffff800`018cbd6e : 00000000`00000000 fffff8a0`165a1000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4611f
fffff880`0d8a5df0 fffff800`01892c56 : fffff880`015741ce 00000000`00000000 fffff800`018d1021 fffffa80`04285bb0 : nt!KiPageFault+0x16e
fffff880`0d8a5f88 fffff880`015741ce : 00000000`00000000 fffff800`018d1021 fffffa80`04285bb0 fffffa80`0e69dcf0 : nt!wcsnicmp+0x1e
fffff880`0d8a5f90 fffff880`00e60067 : fffffa80`0accbc60 fffffa80`0accbd00 fffffa80`0accbbb0 fffff880`00000030 : vsepflt+0xe1ce
fffff880`0d8a5ff0 fffff880`00e629aa : 00000000`00000000 fffffa80`0d9c2f00 fffffa80`04283900 fffffa80`04284000 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880`0d8a60f0 fffff880`00e802a3 : fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`042839c0 : fltmgr!FltpPassThroughInternal+0x4a
fffff880`0d8a6120 fffff880`01273ddc : fffffa80`0e69dcf0 00000000`00000000 fffff880`0d8a6280 00000000`00000000 : fltmgr!FltpCreate+0x293
fffff880`0d8a61d0 fffff880`01273f52 : fffffa80`04285e20 fffffa80`0e69dcf0 fffff880`0d8a63b8 fffff880`01651e44 : NCRecognizer+0x5ddc
fffff880`0d8a6230 fffff880`00fb6a8f : fffffa80`04285e20 fffffa80`0e69dcf0 fffffa80`0e69dcf0 00000000`00000000 : NCRecognizer+0x5f52
fffff880`0d8a6290 fffff880`00fb36f1 : fffffa80`04285d00 fffffa80`0e69dcf0 fffffa80`00000397 00000000`00000000 : NCFilter+0x11a8f
fffff880`0d8a62e0 fffff880`0152ce10 : fffffa80`04285bb0 fffffa80`0e69dcf0 00000000`00000002 fffff880`014f29a0 : NCFilter+0xe6f1
fffff880`0d8a6400 fffff880`014e2fac : fffff880`0d8a65f0 fffffa80`04286010 fffffa80`0d9c2f20 00000000`00000060 : mfehidk!DEVICEDISPATCH::LowerDispatchPassThrough+0xa0
fffff880`0d8a6490 fffff880`0152d7b9 : 00000000`55555555 fffffa80`0e69dcf0 fffffa80`04286010 fffffa80`05260c00 : mfehidk+0x17fac
fffff880`0d8a65c0 fffff800`01bcbf95 : 00000000`00000045 fffffa80`05260cc8 fffff880`0d8a69e0 fffffa80`0d9c2fb8 : mfehidk!DEVICEDISPATCH::DispatchPassThrough+0xc9
fffff880`0d8a6640 fffff800`01bc8838 : fffffa80`04283060 fffff800`00000000 fffffa80`05260b10 00000000`00000101 : nt!IopParseDevice+0x5a5
fffff880`0d8a67d0 fffff800`01bc9a56 : 00000000`00000000 fffffa80`05260b10 fffff880`0d8a6ca0 fffffa80`03ced8a0 : nt!ObpLookupObjectName+0x588
fffff880`0d8a68c0 fffff800`01ba99d6 : fffff680`000173a0 00000000`0012de48 fffffa80`0237c501 00000000`000007d1 : nt!ObOpenObjectByName+0x306
fffff880`0d8a6990 fffff800`018cced3 : 00000000`00000001 00000000`02e74000 fffffa80`0be1b880 00000000`001954c0 : nt!NtQueryAttributesFile+0x145
fffff880`0d8a6c20 00000000`778d16ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0012de08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x778d16ea


STACK_COMMAND:  kb

FOLLOWUP_IP: 
vsepflt+e1ce
fffff880`015741ce 3bc3            cmp     eax,ebx

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  vsepflt+e1ce

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vsepflt

IMAGE_NAME:  vsepflt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4e14cce7

FAILURE_BUCKET_ID:  X64_0x50_vsepflt+e1ce

BUCKET_ID:  X64_0x50_vsepflt+e1ce

Followup: MachineOwner
---------

Question by:Kay
8 Comments
 
LVL 117
ID: 40006185
Can you reproduce the crash?
0
 

Author Comment

by:Kay
ID: 40006191
I've opened Adobe Reader and it didn't crash.
0
 

Author Comment

by:Kay
ID: 40006192
I don't know how else I can reproduce it??
0
 
LVL 87

Expert Comment

by:rindi
ID: 40006208
Check for and install the VMware Tools updates. If there are no updates, just re-install VMware tools.
0
 
LVL 117
ID: 40006212
If you cannot reproduce the error, that's good news, as it's likely to be a random event.

Ensure you are fully patched with Windows Updates, VMware updates, and Adobe applications and patches (back up first), and test.
0
 

Author Comment

by:Kay
ID: 40006580
Hi guys,

Is the crash related to PAGE_FAULT_IN_NONPAGED_AREA (50), AcroRd32.exe, or vsepflt.sys?
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 250 total points
ID: 40006590
IMAGE_NAME:  vsepflt.sys

Are you using a vShield Endpoint driver?

This is what I found on another thread for a user having a stop 0x50 in the same driver:

VMware analysed our crash dumps and reported that this is a known issue regarding the vsepflt.sys driver regarding mailslot detection.

VMware provided the latest version of the vShield Endpoint Driver 5.0.0.2 build-813867, which fixes the problem.
0
 
LVL 61

Accepted Solution

by:
gheist earned 250 total points
ID: 40006595
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2034490
vShield filter crashed.
Either upgrade or disable it.

If you have the chance, consider running memtest for 3 days on that machine.
0
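Added example (not part of the original thread): a small triage script that reads the `!analyze -v` text posted in the question and separates the three things the asker was unsure about: the bugcheck code, the process context (`PROCESS_NAME`), and the nearest third-party driver that called the faulting kernel routine. The `OS_MODULES` allow-list and the function names are assumptions made for this illustration; the result is a lead for vendor follow-up, not proof of root cause.

```python
import re

# Excerpt of the WinDbg output posted in the question (stack frames 3 to 10 only).
DUMP = r"""
BugCheck 50, {fffff8a0165a1000, 0, fffff80001892c56, 0}
FAULTING_IP: 
nt!wcsnicmp+1e
PROCESS_NAME:  AcroRd32.exe
STACK_TEXT:  
fffff880`0d8a5f88 fffff880`015741ce : 00000000`00000000 fffff800`018d1021 fffffa80`04285bb0 fffffa80`0e69dcf0 : nt!wcsnicmp+0x1e
fffff880`0d8a5f90 fffff880`00e60067 : fffffa80`0accbc60 fffffa80`0accbd00 fffffa80`0accbbb0 fffff880`00000030 : vsepflt+0xe1ce
fffff880`0d8a5ff0 fffff880`00e629aa : 00000000`00000000 fffffa80`0d9c2f00 fffffa80`04283900 fffffa80`04284000 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880`0d8a60f0 fffff880`00e802a3 : fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`042839c0 : fltmgr!FltpPassThroughInternal+0x4a
fffff880`0d8a6120 fffff880`01273ddc : fffffa80`0e69dcf0 00000000`00000000 fffff880`0d8a6280 00000000`00000000 : fltmgr!FltpCreate+0x293
fffff880`0d8a61d0 fffff880`01273f52 : fffffa80`04285e20 fffffa80`0e69dcf0 fffff880`0d8a63b8 fffff880`01651e44 : NCRecognizer+0x5ddc
fffff880`0d8a6230 fffff880`00fb6a8f : fffffa80`04285e20 fffffa80`0e69dcf0 fffffa80`0e69dcf0 00000000`00000000 : NCRecognizer+0x5f52
fffff880`0d8a6290 fffff880`00fb36f1 : fffffa80`04285d00 fffffa80`0e69dcf0 fffffa80`00000397 00000000`00000000 : NCFilter+0x11a8f
"""

# Assumption: a minimal allow-list of Microsoft kernel modules; extend it for your build.
OS_MODULES = {"nt", "hal", "fltmgr"}
FRAME = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8} [0-9a-f]{8}`[0-9a-f]{8} : ")

def module_of(symbol):
    """Return the module part of 'mod!func+off' or 'mod+off', or None for a bare address."""
    m = re.match(r"([A-Za-z_]\w*)(?=[!+])", symbol)
    return m.group(1) if m else None

def triage(text):
    code, arg1, arg2 = re.search(r"BugCheck (\w+), \{(\w+), (\w+)", text).groups()
    fault = re.search(r"FAULTING_IP:\s*(\S+)", text).group(1).split("+")[0]
    process = re.search(r"PROCESS_NAME:\s*(\S+)", text).group(1)
    frames = [l.rsplit(" : ", 1)[-1].strip() for l in text.splitlines() if FRAME.match(l)]
    # Frames listed after the faulting function are its callers, nearest first.
    start = next(i for i, f in enumerate(frames) if f.startswith(fault)) + 1
    third_party = []
    for f in frames[start:]:
        mod = module_of(f)
        if mod and mod not in OS_MODULES and mod not in third_party:
            third_party.append(mod)
    return {
        "bugcheck": int(code, 16), "address": arg1,
        "access": "read" if int(arg2, 16) == 0 else "write",  # Arg2 meaning for bugcheck 0x50
        "faulting_function": fault, "process_context": process,
        "suspect_driver": third_party[0] if third_party else None, "drivers_in_path": third_party,
    }

if __name__ == "__main__": print(triage(DUMP))
```

On the posted dump this reports bugcheck 0x50 on a read inside `nt!wcsnicmp`, called from `vsepflt` while the I/O request was issued in the context of AcroRd32.exe; the other filter drivers in the path are listed so they can be ruled in or out when updating.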