Server Crashed - Memory Dump

Posted on 2014-04-17
Last Modified: 2014-04-24
Hi Guys,

One of my server 2008 R2 had crashed and I believe it is a VMware VM. I downloaded the memory.dmp on my local machine used winDBg to analyse the crash dump, it seems to be telling that it was vsepflt.sys that caused the crash, or is it Adobe reader, please help I am finding it difficult to understand exaclt what had caused it:

Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\kabiru\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\Users\kabiru\Desktop\debugginsymbols*
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`01851000 PsLoadedModuleList = 0xfffff800`01a96670
Debug session time: Tue Apr 15 23:38:51.945 2014 (UTC + 1:00)
System Uptime: 90 days 21:24:12.973
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`fffdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff8a0165a1000, 0, fffff80001892c56, 0}

*** ERROR: Module load completed but symbols could not be loaded for vsepflt.sys
*** ERROR: Module load completed but symbols could not be loaded for NCRecognizer.sys
*** ERROR: Module load completed but symbols could not be loaded for NCFilter.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfehidk.sys - 
Probably caused by : vsepflt.sys ( vsepflt+e1ce )

Followup: MachineOwner

0: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arg1: fffff8a0165a1000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80001892c56, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000000, (reserved)

Debugging Details:

READ_ADDRESS:  fffff8a0165a1000 Paged pool

fffff800`01892c56 410fb702        movzx   eax,word ptr [r10]




PROCESS_NAME:  AcroRd32.exe


TRAP_FRAME:  fffff8800d8a5df0 -- (.trap 0xfffff8800d8a5df0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000002a rbx=0000000000000000 rcx=fffff88001585192
rdx=000000000000005c rsi=0000000000000000 rdi=0000000000000000
rip=fffff80001892c56 rsp=fffff8800d8a5f88 rbp=fffffa8004284e80
 r8=0000000000000009  r9=0000000000000000 r10=fffff8a0165a1000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
fffff800`01892c56 410fb702        movzx   eax,word ptr [r10] ds:fffff8a0`165a1000=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800018799fc to fffff800018cdc40

fffff880`0d8a5c88 fffff800`018799fc : 00000000`00000050 fffff8a0`165a1000 00000000`00000000 fffff880`0d8a5df0 : nt!KeBugCheckEx
fffff880`0d8a5c90 fffff800`018cbd6e : 00000000`00000000 fffff8a0`165a1000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4611f
fffff880`0d8a5df0 fffff800`01892c56 : fffff880`015741ce 00000000`00000000 fffff800`018d1021 fffffa80`04285bb0 : nt!KiPageFault+0x16e
fffff880`0d8a5f88 fffff880`015741ce : 00000000`00000000 fffff800`018d1021 fffffa80`04285bb0 fffffa80`0e69dcf0 : nt!wcsnicmp+0x1e
fffff880`0d8a5f90 fffff880`00e60067 : fffffa80`0accbc60 fffffa80`0accbd00 fffffa80`0accbbb0 fffff880`00000030 : vsepflt+0xe1ce
fffff880`0d8a5ff0 fffff880`00e629aa : 00000000`00000000 fffffa80`0d9c2f00 fffffa80`04283900 fffffa80`04284000 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880`0d8a60f0 fffff880`00e802a3 : fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`042839c0 : fltmgr!FltpPassThroughInternal+0x4a
fffff880`0d8a6120 fffff880`01273ddc : fffffa80`0e69dcf0 00000000`00000000 fffff880`0d8a6280 00000000`00000000 : fltmgr!FltpCreate+0x293
fffff880`0d8a61d0 fffff880`01273f52 : fffffa80`04285e20 fffffa80`0e69dcf0 fffff880`0d8a63b8 fffff880`01651e44 : NCRecognizer+0x5ddc
fffff880`0d8a6230 fffff880`00fb6a8f : fffffa80`04285e20 fffffa80`0e69dcf0 fffffa80`0e69dcf0 00000000`00000000 : NCRecognizer+0x5f52
fffff880`0d8a6290 fffff880`00fb36f1 : fffffa80`04285d00 fffffa80`0e69dcf0 fffffa80`00000397 00000000`00000000 : NCFilter+0x11a8f
fffff880`0d8a62e0 fffff880`0152ce10 : fffffa80`04285bb0 fffffa80`0e69dcf0 00000000`00000002 fffff880`014f29a0 : NCFilter+0xe6f1
fffff880`0d8a6400 fffff880`014e2fac : fffff880`0d8a65f0 fffffa80`04286010 fffffa80`0d9c2f20 00000000`00000060 : mfehidk!DEVICEDISPATCH::LowerDispatchPassThrough+0xa0
fffff880`0d8a6490 fffff880`0152d7b9 : 00000000`55555555 fffffa80`0e69dcf0 fffffa80`04286010 fffffa80`05260c00 : mfehidk+0x17fac
fffff880`0d8a65c0 fffff800`01bcbf95 : 00000000`00000045 fffffa80`05260cc8 fffff880`0d8a69e0 fffffa80`0d9c2fb8 : mfehidk!DEVICEDISPATCH::DispatchPassThrough+0xc9
fffff880`0d8a6640 fffff800`01bc8838 : fffffa80`04283060 fffff800`00000000 fffffa80`05260b10 00000000`00000101 : nt!IopParseDevice+0x5a5
fffff880`0d8a67d0 fffff800`01bc9a56 : 00000000`00000000 fffffa80`05260b10 fffff880`0d8a6ca0 fffffa80`03ced8a0 : nt!ObpLookupObjectName+0x588
fffff880`0d8a68c0 fffff800`01ba99d6 : fffff680`000173a0 00000000`0012de48 fffffa80`0237c501 00000000`000007d1 : nt!ObOpenObjectByName+0x306
fffff880`0d8a6990 fffff800`018cced3 : 00000000`00000001 00000000`02e74000 fffffa80`0be1b880 00000000`001954c0 : nt!NtQueryAttributesFile+0x145
fffff880`0d8a6c20 00000000`778d16ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0012de08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x778d16ea


fffff880`015741ce 3bc3            cmp     eax,ebx


SYMBOL_NAME:  vsepflt+e1ce

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vsepflt

IMAGE_NAME:  vsepflt.sys


FAILURE_BUCKET_ID:  X64_0x50_vsepflt+e1ce

BUCKET_ID:  X64_0x50_vsepflt+e1ce

Followup: MachineOwner

Open in new window

Question by:Kay
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 120
ID: 40006185
Can you reproduce the crash?

Author Comment

ID: 40006191
I've opened abode reader and it didn't crash.

Author Comment

ID: 40006192
I don't know how else I can reproduce it??
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 88

Expert Comment

ID: 40006208
Check for and install the VMware Tools updates. If there are no updates, just re-install VMware tools.
LVL 120
ID: 40006212
If you cannot reproduce the error, that's good news, as it's likely to be a random event.

Ensure, you are fully patched with Windows Updates, VMware Updates, and Adobe Applications and patches. (backup first).

and Test.

Author Comment

ID: 40006580
Hi guys,

is the crash related to the PAGE_FAULT_IN_NONPAGED_AREA (50) or  AcroRd32.exe or vsepflt.sys ?
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 250 total points
ID: 40006590
IMAGE_NAME:  vsepflt.sys

are you using a vshield endpoint driver?

this is what i found on another thread for a user having a stop 0x50 in the same driver:

VMware analysed our crash dumps and reported that this is a known issue regarding the vsepflt.sys driver regarding mailslot detection.

VMware provided the latest latest version of the vShield Endpoint Driver build-813867, which fixes the problem.
LVL 62

Accepted Solution

gheist earned 250 total points
ID: 40006595
vshild filter crashed
either upgrade or disable it

if you have chance consider running memtest for 3 days on that machine

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When converting a physical machine to a virtual machine using VMware vCenter Converter Standalone or vCenter Converter Enterprise, if an adapter type is not selected during the initial customization the resulting virtual machine may contain an IDE d…
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question