Solved

Server 2008 R2 BSOD

Posted on 2014-12-19
5
366 Views
Last Modified: 2015-06-29
Hello all.  I've got random BSODs with what appear to be similar causes when looking at WinDbg output.  I'm struggling to fully understand the output and what the offending driver/program is though.  Many sites state to use Driver Verify, but I feel like that will only lead to providing another cryptic WinDbg output.
I've pasted the WinDbg output from the most recent BSOD.  Any advice or pointers in understanding it would be greatly appreciated.  Thank you!
-----------
Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [\\####\c$\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 7601.18526.amd64fre.win7sp1_gdr.140706-1506
Machine Name:
Kernel base = 0xfffff800`01811000 PsLoadedModuleList = 0xfffff800`01a54890
Debug session time: Fri Dec 19 14:07:11.918 2014 (UTC - 6:00)
System Uptime: 0 days 10:04:44.302
Loading Kernel Symbols
...............................................................
................................................................
.......................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff680003ba550, 0, fffff800018b9dbc, 2}

Probably caused by : memory_corruption ( nt!MiDeletePageTableHierarchy+9c )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff680003ba550, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800018b9dbc, If non-zero, the instruction address which referenced the bad memory
      address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  fffff680003ba550

FAULTING_IP:
nt!MiDeletePageTableHierarchy+9c
fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14]

MM_INTERNAL_CODE:  2

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  iexplore.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

TRAP_FRAME:  fffff88004ff5c50 -- (.trap 0xfffff88004ff5c50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000ee95400000 rbx=0000000000000000 rcx=0000000fffffffff
rdx=0000058000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800018b9dbc rsp=fffff88004ff5de0 rbp=fffffa800d87a1f0
 r8=0000007ffffffff8  r9=0000098000000000 r10=fffffa8009c04990
r11=fffff88004ff5ec0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
nt!MiDeletePageTableHierarchy+0x9c:
fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14] ds:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800019035e4 to fffff80001886bc0

STACK_TEXT:  
fffff880`04ff5ae8 fffff800`019035e4 : 00000000`00000050 fffff680`003ba550 00000000`00000000 fffff880`04ff5c50 : nt!KeBugCheckEx
fffff880`04ff5af0 fffff800`01884cee : 00000000`00000000 fffff680`003ba550 fffffa80`03db3e00 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x43836
fffff880`04ff5c50 fffff800`018b9dbc : fffffa80`05081820 00000000`00000001 fffffa80`050967f0 fffff6fb`40001000 : nt!KiPageFault+0x16e
fffff880`04ff5de0 fffff800`018568b6 : fffff700`01080a90 fffffa80`0d87a588 fffff700`01080000 fffff8a0`0f3f17a8 : nt!MiDeletePageTableHierarchy+0x9c
fffff880`04ff5ef0 fffff800`01857892 : fffffa80`0d87a1f0 fffffa80`0000000c fffff880`00002371 fffff800`00000000 : nt!MiDeleteAddressesInWorkingSet+0x3fb
fffff880`04ff67a0 fffff800`01b5c05a : fffff8a0`1057b860 fffff880`04ff6ae0 00000000`00000000 fffffa80`11561b00 : nt!MmCleanProcessAddressSpace+0x96
fffff880`04ff67f0 fffff800`01b40b7d : 00000000`c0000005 fffff880`04ff6a01 00000000`7ef44000 fffffa80`18134060 : nt!PspExitThread+0x56a
fffff880`04ff68f0 fffff800`018796fa : 00000000`00000001 fffff880`04ff6a68 00000000`0abfe380 fffff880`04ff6aa0 : nt!PsExitSpecialApc+0x1d
fffff880`04ff6920 fffff800`01879a40 : 00000000`0d95f944 fffff880`04ff69a0 fffff800`01b40af0 00000000`00000001 : nt!KiDeliverApc+0x2ca
fffff880`04ff69a0 fffff800`01885ef7 : fffffa80`11561b00 00000000`7ef44000 fffff880`000000c0 00000000`7ef44000 : nt!KiInitiateUserApc+0x70
fffff880`04ff6ae0 00000000`77302bba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9c
00000000`0abfe358 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77302bba


STACK_COMMAND:  kb

FOLLOWUP_IP:
nt!MiDeletePageTableHierarchy+9c
fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14]

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  nt!MiDeletePageTableHierarchy+9c

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP:  53b9f073

IMAGE_VERSION:  6.1.7601.18526

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0x50_nt!MiDeletePageTableHierarchy+9c

BUCKET_ID:  X64_0x50_nt!MiDeletePageTableHierarchy+9c

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:x64_0x50_nt!mideletepagetablehierarchy+9c

FAILURE_ID_HASH:  {a5101511-63a3-65ce-1b12-16e97aca479e}

Followup: MachineOwner
---------
0
Comment
Question by:Michael Holmes
  • 2
5 Comments
 
LVL 3

Expert Comment

by:WiReDWolf
ID: 40510321
Hello,

Based on what I see there are a few possibilities.

1. Bad Memory
- try BurnInTest (http://www.passmark.com/products/bit.htm) to push the system and look for where your errors come from
- try reducing your memory to a single module and testing - if you can recreate the problem consistently then this should be easy

2. Bad PageFile.sys - it does happen sometimes that this file gets corrupted but it's easy to replace - set the system virtual memory to no page file - reboot - re-add it - reboot

3. Bad HDD - check the event system logs for any hints of problems with your disk(s) after running a chkdsk /r
- check your fragmentation level as well - severely fragged drives can cause issues

4. Bad Driver or Extension
- run BlueScreenViewer
http://www.nirsoft.net/utils/blue_screen_view.html  - This is a fantastic tool for making some sense out of the memory dumps
- run ShelExView
http://www.nirsoft.net/utils/shexview.html  - Another great tool that shows you what's in your shell - you can disable things like DropBox interfacing with the shell with bad code that causes your system to crash

The error you displayed also shows that it was triggered by Internet Explorer.  Look to see what add-in's you have active for Internet Explorer such as AV scanners, toolbars, etc.  Disable them and see if you can recreate the problem.

98% of the time I can source out the root of the issue with these tools.  

I also would recommend running an SFC /VERIFYONLY to see if you have a problem with your operating system.

If you're still stuck look for a good root kit detector.  Could be what you're looking for, what's causing the issue, is hiding in plain sight.
0
 

Author Comment

by:Michael Holmes
ID: 40513817
Thank you for such a quick and thorough response WiReDWolf.  I apologize, I should have eluded to this in the OP, but this is occurring in a VMware environment on Citrix XenApp servers.  I will get to checking-out each one of these possibilities and report back what I find.  Thank you again!
0
 

Accepted Solution

by:
Michael Holmes earned 0 total points
ID: 40654623
Just an update...  This was a known issue with VMware.  Based on our blue screen events and the type of Intel processor we have in our ESX servers, we needed to update to 5.5 u2.  We haven't experienced a BSOD since.  Thank you again for your suggestions.
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40856635
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now