Server 2008 R2 BSOD

Hello all.  I've got random BSODs with what appear to be similar causes when looking at WinDbg output.  I'm struggling to fully understand the output and what the offending driver/program is though.  Many sites state to use Driver Verify, but I feel like that will only lead to providing another cryptic WinDbg output.
I've pasted the WinDbg output from the most recent BSOD.  Any advice or pointers in understanding it would be greatly appreciated.  Thank you!
Microsoft (R) Windows Debugger Version 6.3.9600.17298 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [\\####\c$\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       srv*c:\symbols*
Symbol search path is: srv*c:\symbols*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 7601.18526.amd64fre.win7sp1_gdr.140706-1506
Machine Name:
Kernel base = 0xfffff800`01811000 PsLoadedModuleList = 0xfffff800`01a54890
Debug session time: Fri Dec 19 14:07:11.918 2014 (UTC - 6:00)
System Uptime: 0 days 10:04:44.302
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff680003ba550, 0, fffff800018b9dbc, 2}

Probably caused by : memory_corruption ( nt!MiDeletePageTableHierarchy+9c )

Followup: MachineOwner

3: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arg1: fffff680003ba550, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800018b9dbc, If non-zero, the instruction address which referenced the bad memory
Arg4: 0000000000000002, (reserved)

Debugging Details:

READ_ADDRESS:  fffff680003ba550

fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14]




PROCESS_NAME:  iexplore.exe


ANALYSIS_VERSION: 6.3.9600.17298 (debuggers(dbg).141024-1500) amd64fre

TRAP_FRAME:  fffff88004ff5c50 -- (.trap 0xfffff88004ff5c50)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000ee95400000 rbx=0000000000000000 rcx=0000000fffffffff
rdx=0000058000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800018b9dbc rsp=fffff88004ff5de0 rbp=fffffa800d87a1f0
 r8=0000007ffffffff8  r9=0000098000000000 r10=fffffa8009c04990
r11=fffff88004ff5ec0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14] ds:00000000`00000000=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800019035e4 to fffff80001886bc0

fffff880`04ff5ae8 fffff800`019035e4 : 00000000`00000050 fffff680`003ba550 00000000`00000000 fffff880`04ff5c50 : nt!KeBugCheckEx
fffff880`04ff5af0 fffff800`01884cee : 00000000`00000000 fffff680`003ba550 fffffa80`03db3e00 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x43836
fffff880`04ff5c50 fffff800`018b9dbc : fffffa80`05081820 00000000`00000001 fffffa80`050967f0 fffff6fb`40001000 : nt!KiPageFault+0x16e
fffff880`04ff5de0 fffff800`018568b6 : fffff700`01080a90 fffffa80`0d87a588 fffff700`01080000 fffff8a0`0f3f17a8 : nt!MiDeletePageTableHierarchy+0x9c
fffff880`04ff5ef0 fffff800`01857892 : fffffa80`0d87a1f0 fffffa80`0000000c fffff880`00002371 fffff800`00000000 : nt!MiDeleteAddressesInWorkingSet+0x3fb
fffff880`04ff67a0 fffff800`01b5c05a : fffff8a0`1057b860 fffff880`04ff6ae0 00000000`00000000 fffffa80`11561b00 : nt!MmCleanProcessAddressSpace+0x96
fffff880`04ff67f0 fffff800`01b40b7d : 00000000`c0000005 fffff880`04ff6a01 00000000`7ef44000 fffffa80`18134060 : nt!PspExitThread+0x56a
fffff880`04ff68f0 fffff800`018796fa : 00000000`00000001 fffff880`04ff6a68 00000000`0abfe380 fffff880`04ff6aa0 : nt!PsExitSpecialApc+0x1d
fffff880`04ff6920 fffff800`01879a40 : 00000000`0d95f944 fffff880`04ff69a0 fffff800`01b40af0 00000000`00000001 : nt!KiDeliverApc+0x2ca
fffff880`04ff69a0 fffff800`01885ef7 : fffffa80`11561b00 00000000`7ef44000 fffff880`000000c0 00000000`7ef44000 : nt!KiInitiateUserApc+0x70
fffff880`04ff6ae0 00000000`77302bba : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x9c
00000000`0abfe358 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77302bba


fffff800`018b9dbc 498b06          mov     rax,qword ptr [r14]


SYMBOL_NAME:  nt!MiDeletePageTableHierarchy+9c

FOLLOWUP_NAME:  MachineOwner



IMAGE_VERSION:  6.1.7601.18526

IMAGE_NAME:  memory_corruption

FAILURE_BUCKET_ID:  X64_0x50_nt!MiDeletePageTableHierarchy+9c

BUCKET_ID:  X64_0x50_nt!MiDeletePageTableHierarchy+9c


FAILURE_ID_HASH_STRING:  km:x64_0x50_nt!mideletepagetablehierarchy+9c

FAILURE_ID_HASH:  {a5101511-63a3-65ce-1b12-16e97aca479e}

Followup: MachineOwner
Michael Holmes (IT Specialist, Author) commented:
Just an update...  This was a known issue with VMware.  Based on our blue screen events and the type of Intel processor we have in our ESX servers, we needed to update to 5.5 u2.  We haven't experienced a BSOD since.  Thank you again for your suggestions.

Based on what I see there are a few possibilities.

1. Bad Memory
- try BurnInTest to push the system and look for where your errors come from
- try reducing your memory to a single module and testing - if you can recreate the problem consistently then this should be easy

2. Bad PageFile.sys - it does happen sometimes that this file gets corrupted but it's easy to replace - set the system virtual memory to no page file - reboot - re-add it - reboot

3. Bad HDD - check the event system logs for any hints of problems with your disk(s) after running a chkdsk /r
- check your fragmentation level as well - severely fragged drives can cause issues

4. Bad Driver or Extension
- run BlueScreenView - This is a fantastic tool for making some sense out of the memory dumps
- run ShellExView - Another great tool that shows you what's in your shell - you can disable things like DropBox interfacing with the shell with bad code that causes your system to crash

The error you displayed also shows that it was triggered by Internet Explorer.  Look to see what add-ins you have active for Internet Explorer such as AV scanners, toolbars, etc.  Disable them and see if you can recreate the problem.

98% of the time I can source out the root of the issue with these tools.  

I also would recommend running an SFC /VERIFYONLY to see if you have a problem with your operating system.

If you're still stuck, look for a good rootkit detector.  Could be what you're looking for, what's causing the issue, is hiding in plain sight.
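For readers comparing several dumps like the one in the question, the following added example (not part of the original posts) pulls the bugcheck code, the 0x50 arguments, the process and the modules on the faulting stack out of `!analyze -v` text. The function name `triage` and the `CORE_IMAGES` set are assumptions made for illustration; the sample text is an excerpt of the output posted above.

```python
import re

# Excerpt of the `!analyze -v` text posted in the question (stack trimmed to five frames).
DUMP = r"""
BugCheck 50, {fffff680003ba550, 0, fffff800018b9dbc, 2}
PROCESS_NAME:  iexplore.exe
fffff880`04ff5ae8 fffff800`019035e4 : 00000000`00000050 fffff680`003ba550 00000000`00000000 fffff880`04ff5c50 : nt!KeBugCheckEx
fffff880`04ff5af0 fffff800`01884cee : 00000000`00000000 fffff680`003ba550 fffffa80`03db3e00 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x43836
fffff880`04ff5c50 fffff800`018b9dbc : fffffa80`05081820 00000000`00000001 fffffa80`050967f0 fffff6fb`40001000 : nt!KiPageFault+0x16e
fffff880`04ff5de0 fffff800`018568b6 : fffff700`01080a90 fffffa80`0d87a588 fffff700`01080000 fffff8a0`0f3f17a8 : nt!MiDeletePageTableHierarchy+0x9c
00000000`0abfe358 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77302bba
FAILURE_BUCKET_ID:  X64_0x50_nt!MiDeletePageTableHierarchy+9c
"""

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", re.M)
FIELD = re.compile(r"^([A-Z_]+):[ \t]+(.+)$", re.M)
HEX16 = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME = re.compile(rf"^{HEX16} {HEX16} : .* : (.+)$", re.M)
CORE_IMAGES = {"nt", "hal"}  # assumption: only these count as core OS images


def triage(text):
    """Summarise one crash so several dumps can be compared side by side."""
    m = BUGCHECK.search(text)
    if m is None:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    fields = dict(FIELD.findall(text))
    modules = []
    for symbol in FRAME.findall(text):
        if "!" not in symbol:  # raw address: unresolved (here user-mode) frame
            continue
        module = symbol.split("!", 1)[0]
        if module not in modules:
            modules.append(module)
    summary = {
        "code": code,
        "process": fields.get("PROCESS_NAME"),
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        "stack_modules": modules,
        # Drivers outside the core images are the first candidates to look at.
        "third_party": [m_ for m_ in modules if m_.lower() not in CORE_IMAGES],
    }
    if code == 0x50:  # argument meanings as printed by !analyze -v above
        summary["referenced"] = args[0]
        summary["access"] = "write" if args[1] else "read"
        summary["instruction"] = args[2]
    return summary


if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key:14} {value}")
```

For this dump `third_party` comes back empty: every resolved frame is in `nt`, so the stack alone does not name an offending driver.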
Michael Holmes (IT Specialist, Author) commented:
Thank you for such a quick and thorough response WiReDWolf.  I apologize, I should have alluded to this in the OP, but this is occurring in a VMware environment on Citrix XenApp servers.  I will get to checking out each one of these possibilities and report back what I find.  Thank you again!
Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.