Go Premium for a chance to win a PS4. Enter to Win


Server 2008 R2 BSOD

Posted on 2014-12-19
Medium Priority
Last Modified: 2015-06-29
Hello all.  I've got random BSODs with what appear to be similar causes when looking at WinDbg output.  I'm struggling to fully understand the output and what the offending driver/program is though.  Many sites state to use Driver Verify, but I feel like that will only lead to providing another cryptic WinDbg output.
I've pasted the WinDbg output from the most recent BSOD.  Any advice or pointers in understanding it would be greatly appreciated.  Thank you!
Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [\\####\c$\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 7601.18526.amd64fre.win7sp1_gdr.140706-1506
Machine Name:
Kernel base = 0xfffff800`01811000 PsLoadedModuleList = 0xfffff800`01a54890
Debug session time: Fri Dec 19 14:07:11.918 2014 (UTC - 6:00)
System Uptime: 0 days 10:04:44.302
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff680003ba550, 0, fffff800018b9dbc, 2}

Probably caused by : memory_corruption ( nt!MiDeletePageTableHierarchy+9c )

Followup: MachineOwner

3: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arg1: fffff680003ba550, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800018b9dbc, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000002, (reserved)

Debugging Details:

READ_ADDRESS:  fffff680003ba550

fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14]




PROCESS_NAME:  iexplore.exe


ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

TRAP_FRAME:  fffff88004ff5c50 -- (.trap 0xfffff88004ff5c50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000ee95400000 rbx=0000000000000000 rcx=0000000fffffffff
rdx=0000058000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800018b9dbc rsp=fffff88004ff5de0 rbp=fffffa800d87a1f0
 r8=0000007ffffffff8  r9=0000098000000000 r10=fffffa8009c04990
r11=fffff88004ff5ec0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14] ds:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800019035e4 to fffff80001886bc0

fffff880`04ff5ae8 fffff800`019035e4 : 00000000`00000050 fffff680`003ba550 00000000`00000000 fffff880`04ff5c50 : nt!KeBugCheckEx
fffff880`04ff5af0 fffff800`01884cee : 00000000`00000000 fffff680`003ba550 fffffa80`03db3e00 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x43836
fffff880`04ff5c50 fffff800`018b9dbc : fffffa80`05081820 00000000`00000001 fffffa80`050967f0 fffff6fb`40001000 : nt!KiPageFault+0x16e
fffff880`04ff5de0 fffff800`018568b6 : fffff700`01080a90 fffffa80`0d87a588 fffff700`01080000 fffff8a0`0f3f17a8 : nt!MiDeletePageTableHierarchy+0x9c
fffff880`04ff5ef0 fffff800`01857892 : fffffa80`0d87a1f0 fffffa80`0000000c fffff880`00002371 fffff800`00000000 : nt!MiDeleteAddressesInWorkingSet+0x3fb
fffff880`04ff67a0 fffff800`01b5c05a : fffff8a0`1057b860 fffff880`04ff6ae0 00000000`00000000 fffffa80`11561b00 : nt!MmCleanProcessAddressSpace+0x96
fffff880`04ff67f0 fffff800`01b40b7d : 00000000`c0000005 fffff880`04ff6a01 00000000`7ef44000 fffffa80`18134060 : nt!PspExitThread+0x56a
fffff880`04ff68f0 fffff800`018796fa : 00000000`00000001 fffff880`04ff6a68 00000000`0abfe380 fffff880`04ff6aa0 : nt!PsExitSpecialApc+0x1d
fffff880`04ff6920 fffff800`01879a40 : 00000000`0d95f944 fffff880`04ff69a0 fffff800`01b40af0 00000000`00000001 : nt!KiDeliverApc+0x2ca
fffff880`04ff69a0 fffff800`01885ef7 : fffffa80`11561b00 00000000`7ef44000 fffff880`000000c0 00000000`7ef44000 : nt!KiInitiateUserApc+0x70
fffff880`04ff6ae0 00000000`77302bba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9c
00000000`0abfe358 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77302bba


fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14]


SYMBOL_NAME:  nt!MiDeletePageTableHierarchy+9c

FOLLOWUP_NAME:  MachineOwner



IMAGE_VERSION:  6.1.7601.18526

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0x50_nt!MiDeletePageTableHierarchy+9c

BUCKET_ID:  X64_0x50_nt!MiDeletePageTableHierarchy+9c


FAILURE_ID_HASH_STRING:  km:x64_0x50_nt!mideletepagetablehierarchy+9c

FAILURE_ID_HASH:  {a5101511-63a3-65ce-1b12-16e97aca479e}

Followup: MachineOwner
Question by:Michael Holmes
  • 2

Expert Comment

ID: 40510321

Based on what I see there are a few possibilities.

1. Bad Memory
- try BurnInTest (http://www.passmark.com/products/bit.htm) to push the system and look for where your errors come from
- try reducing your memory to a single module and testing - if you can recreate the problem consistently then this should be easy

2. Bad PageFile.sys - it does happen sometimes that this file gets corrupted but it's easy to replace - set the system virtual memory to no page file - reboot - re-add it - reboot

3. Bad HDD - check the event system logs for any hints of problems with your disk(s) after running a chkdsk /r
- check your fragmentation level as well - severely fragged drives can cause issues

4. Bad Driver or Extension
- run BlueScreenViewer
http://www.nirsoft.net/utils/blue_screen_view.html  - This is a fantastic tool for making some sense out of the memory dumps
- run ShelExView
http://www.nirsoft.net/utils/shexview.html  - Another great tool that shows you what's in your shell - you can disable things like DropBox interfacing with the shell with bad code that causes your system to crash

The error you displayed also shows that it was triggered by Internet Explorer.  Look to see what add-in's you have active for Internet Explorer such as AV scanners, toolbars, etc.  Disable them and see if you can recreate the problem.

98% of the time I can source out the root of the issue with these tools.  

I also would recommend running an SFC /VERIFYONLY to see if you have a problem with your operating system.

If you're still stuck look for a good root kit detector.  Could be what you're looking for, what's causing the issue, is hiding in plain sight.

Author Comment

by:Michael Holmes
ID: 40513817
Thank you for such a quick and thorough response WiReDWolf.  I apologize, I should have eluded to this in the OP, but this is occurring in a VMware environment on Citrix XenApp servers.  I will get to checking-out each one of these possibilities and report back what I find.  Thank you again!

Accepted Solution

Michael Holmes earned 0 total points
ID: 40654623
Just an update...  This was a known issue with VMware.  Based on our blue screen events and the type of Intel processor we have in our ESX servers, we needed to update to 5.5 u2.  We haven't experienced a BSOD since.  Thank you again for your suggestions.
LVL 36

Expert Comment

by:Seth Simmons
ID: 40856635
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.

Featured Post


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question