Server Crashed - Memory Dump

Hi Guys,

One of my server 2008 R2 had crashed and I believe it is a VMware VM. I downloaded the memory.dmp on my local machine used winDBg to analyse the crash dump, it seems to be telling that it was vsepflt.sys that caused the crash, or is it Adobe reader, please help I am finding it difficult to understand exaclt what had caused it:

Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\Users\kabiru\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\Users\kabiru\Desktop\debugginsymbols*
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (2 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`01851000 PsLoadedModuleList = 0xfffff800`01a96670
Debug session time: Tue Apr 15 23:38:51.945 2014 (UTC + 1:00)
System Uptime: 90 days 21:24:12.973
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`fffdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff8a0165a1000, 0, fffff80001892c56, 0}

*** ERROR: Module load completed but symbols could not be loaded for vsepflt.sys
*** ERROR: Module load completed but symbols could not be loaded for NCRecognizer.sys
*** ERROR: Module load completed but symbols could not be loaded for NCFilter.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for mfehidk.sys - 
Probably caused by : vsepflt.sys ( vsepflt+e1ce )

Followup: MachineOwner

0: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arg1: fffff8a0165a1000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80001892c56, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000000, (reserved)

Debugging Details:

READ_ADDRESS:  fffff8a0165a1000 Paged pool

fffff800`01892c56 410fb702        movzx   eax,word ptr [r10]




PROCESS_NAME:  AcroRd32.exe


TRAP_FRAME:  fffff8800d8a5df0 -- (.trap 0xfffff8800d8a5df0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000002a rbx=0000000000000000 rcx=fffff88001585192
rdx=000000000000005c rsi=0000000000000000 rdi=0000000000000000
rip=fffff80001892c56 rsp=fffff8800d8a5f88 rbp=fffffa8004284e80
 r8=0000000000000009  r9=0000000000000000 r10=fffff8a0165a1000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
fffff800`01892c56 410fb702        movzx   eax,word ptr [r10] ds:fffff8a0`165a1000=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800018799fc to fffff800018cdc40

fffff880`0d8a5c88 fffff800`018799fc : 00000000`00000050 fffff8a0`165a1000 00000000`00000000 fffff880`0d8a5df0 : nt!KeBugCheckEx
fffff880`0d8a5c90 fffff800`018cbd6e : 00000000`00000000 fffff8a0`165a1000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x4611f
fffff880`0d8a5df0 fffff800`01892c56 : fffff880`015741ce 00000000`00000000 fffff800`018d1021 fffffa80`04285bb0 : nt!KiPageFault+0x16e
fffff880`0d8a5f88 fffff880`015741ce : 00000000`00000000 fffff800`018d1021 fffffa80`04285bb0 fffffa80`0e69dcf0 : nt!wcsnicmp+0x1e
fffff880`0d8a5f90 fffff880`00e60067 : fffffa80`0accbc60 fffffa80`0accbd00 fffffa80`0accbbb0 fffff880`00000030 : vsepflt+0xe1ce
fffff880`0d8a5ff0 fffff880`00e629aa : 00000000`00000000 fffffa80`0d9c2f00 fffffa80`04283900 fffffa80`04284000 : fltmgr!FltpPerformPreCallbacks+0x2f7
fffff880`0d8a60f0 fffff880`00e802a3 : fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`0e69dcf0 fffffa80`042839c0 : fltmgr!FltpPassThroughInternal+0x4a
fffff880`0d8a6120 fffff880`01273ddc : fffffa80`0e69dcf0 00000000`00000000 fffff880`0d8a6280 00000000`00000000 : fltmgr!FltpCreate+0x293
fffff880`0d8a61d0 fffff880`01273f52 : fffffa80`04285e20 fffffa80`0e69dcf0 fffff880`0d8a63b8 fffff880`01651e44 : NCRecognizer+0x5ddc
fffff880`0d8a6230 fffff880`00fb6a8f : fffffa80`04285e20 fffffa80`0e69dcf0 fffffa80`0e69dcf0 00000000`00000000 : NCRecognizer+0x5f52
fffff880`0d8a6290 fffff880`00fb36f1 : fffffa80`04285d00 fffffa80`0e69dcf0 fffffa80`00000397 00000000`00000000 : NCFilter+0x11a8f
fffff880`0d8a62e0 fffff880`0152ce10 : fffffa80`04285bb0 fffffa80`0e69dcf0 00000000`00000002 fffff880`014f29a0 : NCFilter+0xe6f1
fffff880`0d8a6400 fffff880`014e2fac : fffff880`0d8a65f0 fffffa80`04286010 fffffa80`0d9c2f20 00000000`00000060 : mfehidk!DEVICEDISPATCH::LowerDispatchPassThrough+0xa0
fffff880`0d8a6490 fffff880`0152d7b9 : 00000000`55555555 fffffa80`0e69dcf0 fffffa80`04286010 fffffa80`05260c00 : mfehidk+0x17fac
fffff880`0d8a65c0 fffff800`01bcbf95 : 00000000`00000045 fffffa80`05260cc8 fffff880`0d8a69e0 fffffa80`0d9c2fb8 : mfehidk!DEVICEDISPATCH::DispatchPassThrough+0xc9
fffff880`0d8a6640 fffff800`01bc8838 : fffffa80`04283060 fffff800`00000000 fffffa80`05260b10 00000000`00000101 : nt!IopParseDevice+0x5a5
fffff880`0d8a67d0 fffff800`01bc9a56 : 00000000`00000000 fffffa80`05260b10 fffff880`0d8a6ca0 fffffa80`03ced8a0 : nt!ObpLookupObjectName+0x588
fffff880`0d8a68c0 fffff800`01ba99d6 : fffff680`000173a0 00000000`0012de48 fffffa80`0237c501 00000000`000007d1 : nt!ObOpenObjectByName+0x306
fffff880`0d8a6990 fffff800`018cced3 : 00000000`00000001 00000000`02e74000 fffffa80`0be1b880 00000000`001954c0 : nt!NtQueryAttributesFile+0x145
fffff880`0d8a6c20 00000000`778d16ea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0012de08 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x778d16ea


fffff880`015741ce 3bc3            cmp     eax,ebx


SYMBOL_NAME:  vsepflt+e1ce

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: vsepflt

IMAGE_NAME:  vsepflt.sys


FAILURE_BUCKET_ID:  X64_0x50_vsepflt+e1ce

BUCKET_ID:  X64_0x50_vsepflt+e1ce

Followup: MachineOwner

Open in new window

Kelly GarciaSenior Systems AdministratorAsked:
Who is Participating?
vshild filter crashed
either upgrade or disable it

if you have chance consider running memtest for 3 days on that machine
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Can you reproduce the crash?
Kelly GarciaSenior Systems AdministratorAuthor Commented:
I've opened abode reader and it didn't crash.
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Kelly GarciaSenior Systems AdministratorAuthor Commented:
I don't know how else I can reproduce it??
Check for and install the VMware Tools updates. If there are no updates, just re-install VMware tools.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
If you cannot reproduce the error, that's good news, as it's likely to be a random event.

Ensure, you are fully patched with Windows Updates, VMware Updates, and Adobe Applications and patches. (backup first).

and Test.
Kelly GarciaSenior Systems AdministratorAuthor Commented:
Hi guys,

is the crash related to the PAGE_FAULT_IN_NONPAGED_AREA (50) or  AcroRd32.exe or vsepflt.sys ?
Seth SimmonsSr. Systems AdministratorCommented:
IMAGE_NAME:  vsepflt.sys

are you using a vshield endpoint driver?

this is what i found on another thread for a user having a stop 0x50 in the same driver:

VMware analysed our crash dumps and reported that this is a known issue regarding the vsepflt.sys driver regarding mailslot detection.

VMware provided the latest latest version of the vShield Endpoint Driver build-813867, which fixes the problem.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.