Solved

NTOSKRNL.exe driver failing

Posted on 2015-02-11
6
268 Views
Last Modified: 2015-03-07
Hi Experts,

 I am trying to troubleshoot a BSOD. I have copied the memory.dmp from the server 2012R2 .

 When I run the Windows debugging tool, I get the output (See attachment). Please advise me the best way to analyse the file.

 I am not sure why I can't get the whole dump info.
 I am also getting a Symbol Loading Error Summary report while running the Windows Debug tool(*64 & *32)

This is the error from the application log
011615-65218-01.dmp      16/01/2015 14:58:56      PAGE_FAULT_IN_NONPAGED_AREA      0x00000050      fffff6fb`40000000      00000000`00000000      00000000`00000000      00000000`00000006      ntoskrnl.exe      ntoskrnl.exe+150aa0                              x64      ntoskrnl.exe+150aa0                              C:\Windows\Minidump\011615-65218-01.dmp      1      15      9600      294,296      16/01/2015 15:00:38      

PS: Please see the attached Memory.DMP info as well

---------------------------------------------------------------------------------------------------------------------------------------
This is what MSDN reckons.

Bug Check 0x50: PAGE_FAULT_IN_NONPAGED_AREA
The PAGE_FAULT_IN_NONPAGED_AREA bug check has a value of 0x00000050. This indicates that invalid system memory has been referenced.
Parameters
The following parameters are displayed on the blue screen.
Parameter
Description
1
Memory address referenced
2
0: Read operation
1: Write operation
3
Address that referenced memory (if known)
4
Reserved
 
If the driver responsible for the error can be identified, its name is printed on the blue screen and stored in memory at the location (PUNICODE_STRING) KiBugCheckDriver.
Cause
Bug check 0x50 usually occurs after the installation of faulty hardware or in the event of failure of installed hardware (usually related to defective RAM, be it main memory, L2 RAM cache, or video RAM).
Another common cause is the installation of a faulty system service.
Antivirus software can also trigger this error, as can a corrupted NTFS volume.
Resolution
Resolving a faulty hardware problem: If hardware has been added to the system recently, remove it to see if the error recurs. If existing hardware has failed, remove or replace the faulty component. You should run hardware diagnostics supplied by the system manufacturer. For details on these procedures, see the owner's manual for your computer.
Resolving a faulty system service problem: Disable the service and confirm that this resolves the error. If so, contact the manufacturer of the system service about a possible update. If the error occurs during system startup, restart your computer, and press F8 at the character-mode menu that displays the operating system choices. At the resulting Windows Advanced Options menu, choose the Last Known Good Configuration option. This option is most effective when only one driver or service is added at a time.
Resolving an antivirus software problem: Disable the program and confirm that this resolves the error. If it does, contact the manufacturer of the program about a possible update.
Resolving a corrupted NTFS volume problem: Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. If the hard disk is SCSI, check for problems between the SCSI controller and the disk.
Finally, check the System Log in Event Viewer for additional error messages that might help pinpoint the device or driver that is causing the error. Disabling memory caching of the BIOS might also resolve it.
Remarks
Typically, this address is in freed memory or is simply invalid.
This cannot be protected by a try - except handler -- it can only be protected by a probe.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------


 Many Thanks,

la
Memory-DMP--test.docx
0
Comment
Question by:la-tempestad
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 1

Author Comment

by:la-tempestad
ID: 40603500
One more thing I suspect this crash/restart of the server started after we installed the Tiger Communication service(Tiger 2020 Pro), but before going back to the vendor, I need to make sure it is not the Server 2012 issue. Since the installation of this application, we were getting "Application Hang" errors for all Tiger related exe's.

------------------------------------------application log --------------------------------------------------------------------------------------------------------------
The program Tigersys.exe version 4.7.15.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: d78
Start Time: 01cfb15fb4c4651c
Termination Time: 3
Application Path: D:\tig2020\Tigersys.exe
Report Id: 0084c44d-1d53-11e4-80c6-0050568a4b56
Faulting package full name:
 Faulting package-relative application ID:
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The program TigBackup.exe version 4.8.5.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 2f8
Start Time: 01cfb162530089c7
Termination Time: 4294967295
Application Path: D:\tig2020\Utility\TigBackup.exe
Report Id: c7ae4ae7-1d55-11e4-80c7-0050568a4b56
Faulting package full name:
 Faulting package-relative application ID:

----------------------------------------------------------------------------------------------------------------------------------------------------------------

Faulting application name: install_reader10_en_air_gtbp_chra_aih.exe, version: 3.2.1.3, time stamp: 0x4e8ced69
Faulting module name: install_reader10_en_air_gtbp_chra_aih.exe, version: 3.2.1.3, time stamp: 0x4e8ced69
Exception code: 0xc0000005
Fault offset: 0x0000435b
Faulting process id: 0x360
Faulting application start time: 0x01cfb175f42eca5b
Faulting application path: C:\Users\SA_Tiger-Avaya\AppData\Local\Temp\install_reader10_en_air_gtbp_chra_aih.exe
Faulting module path: C:\Users\SA_Tiger-Avaya\AppData\Local\Temp\install_reader10_en_air_gtbp_chra_aih.exe
Report Id: 67a7b32a-1d69-11e4-80c8-0050568a4b56
Faulting package full name:
Faulting package-relative application ID:
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

thanks again
la
0
 
LVL 62

Expert Comment

by:gheist
ID: 40605033
How userland process could even remotely cause page fault in the very core of system kernel?

I dont see memory dump attached. Make the short 64k minidump and attach that here.
0
 
LVL 1

Author Comment

by:la-tempestad
ID: 40605196
Actually that is the memory dump(C:\Windows\MEMORY.DMP) which I have extracted by using Windows Debug Tool.
How do you want the minidump to be extracted/attached here?

Regards
la
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 62

Accepted Solution

by:
gheist earned 500 total points
ID: 40605372
backtrace would be nice.
try nirsoft bluescreenview - maybe it makes one from your dmp, so you can skip the step of making another crash...
0
 
LVL 1

Author Comment

by:la-tempestad
ID: 40650688
I have found out the problem with the crash,it was due to one of the windows updates.
The vendor re-installed the software with the latest version and since then there isn't any crash at all.

thanks for all your inputs anyway.

la
0
 
LVL 1

Author Closing Comment

by:la-tempestad
ID: 40650689
Its a good tool for finding memory dumps.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Skype is a P2P (Peer to Peer) instant messaging and VOIP (Voice over IP) service – as well as a whole lot more.
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
With the power of JIRA, there's an unlimited number of ways you can customize it, use it and benefit from it. With that in mind, there's bound to be things that I wasn't able to cover in this course. With this summary we'll look at some places to go…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question