Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Win 2k8 server crash

Created: 21 Sep 2012 | 2 comments

I have a 64 bit 2008 Standard Server that appears to crash shortly after a schedule job begins to run.  The bug check revealed the following:

The computer has rebooted from a bugcheck.  
The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800026fe4de, 0x0000000000000000, 0x0000000000000001). 
A dump was saved in: C:\Windows\MEMORY.DMP.
 
ERROR_READ_FAULT
30 (0x1E)
The system cannot read from the specified device.
 
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Users\veritas\Documents\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
 
Symbol search path is: srv*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (16 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 6002.18607.amd64fre.vistasp2_gdr.120402-0336
Machine Name:
Kernel base = 0xfffff800`0241a000 PsLoadedModuleList = 0xfffff800`025dedd0
Debug session time: Thu Sep 20 19:32:12.875 2012 (UTC - 4:00)
System Uptime: 0 days 12:37:45.022
Loading Kernel Symbols
...............................................................
................................................................
.
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd4018).  Type ".hh dbgerr001" for details
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 1E, {ffffffffc0000005, fffff800026fe4de, 0, 1}
 
Page 4ee52d not present in the dump file. Type ".hh dbgerr004" for details
Page 72566 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt!PspGetSetContextInternal+396 )
 
Followup: MachineOwner
---------
 
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800026fe4de, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000001, Parameter 1 of the exception
 
Debugging Details:
------------------
 
Page 4ee52d not present in the dump file. Type ".hh dbgerr004" for details
Page 72566 not present in the dump file. Type ".hh dbgerr004" for details
 
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
 
FAULTING_IP: 
nt!PspGetSetContextInternal+396
fffff800`026fe4de 488b28          mov     rbp,qword ptr [rax]
 
EXCEPTION_PARAMETER1:  0000000000000000
 
EXCEPTION_PARAMETER2:  0000000000000001
 
READ_ADDRESS:  0000000000000001 
 
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
 
BUGCHECK_STR:  0x1E_c0000005
 
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
 
PROCESS_NAME:  WmiPrvSE.exe
 
CURRENT_IRQL:  1
 
TRAP_FRAME:  fffffa600930dd60 -- (.trap 0xfffffa600930dd60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800026fe4de rsp=fffffa600930def0 rbp=ee65764502060007
 r8=0000000000000000  r9=000000000000000c r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!PspGetSetContextInternal+0x396:
fffff800`026fe4de 488b28          mov     rbp,qword ptr [rax] ds:00000000`00000001=????????????????
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from fffff80002454177 to fffff80002471ad0
 
STACK_TEXT:  
fffffa60`0930d578 fffff800`02454177 : 00000000`0000001e ffffffff`c0000005 fffff800`026fe4de 00000000`00000000 : nt!KeBugCheckEx
fffffa60`0930d580 fffff800`02471929 : fffffa60`0930dcb8 fffffa60`091db570 fffffa60`0930dd60 fffffa60`091dbac8 : nt! ?? ::FNODOBFM::`string'+0x29107
fffffa60`0930db80 fffff800`02470725 : 00000000`00000000 fffffa60`0930e008 fffffa60`0930e100 fffffa60`091db570 : nt!KiExceptionDispatch+0xa9
fffffa60`0930dd60 fffff800`026fe4de : ee657645`02060007 fffffa60`091db570 00000000`00000000 fffffa60`091dbac8 : nt!KiPageFault+0x1e5
fffffa60`0930def0 fffff800`0249ef4d : fffffa80`1349d1e8 fffffa80`154d8060 fffffa60`091db570 00000000`00000000 : nt!PspGetSetContextInternal+0x396
fffffa60`0930e440 fffff800`024931ce : 00000000`00000000 fffffa60`0930e5d0 00000000`00000000 00001f80`004b0008 : nt!PspGetSetContextSpecialApc+0x9d
fffffa60`0930e550 fffff800`02496c23 : fffffa60`0930e670 00000000`00000000 00000000`00000000 fffffa80`154d8060 : nt!KiDeliverApc+0x19e
fffffa60`0930e5f0 ffffffff`ffb4df3e : ffffffff`ff70bb93 00000000`00000010 ffffffff`ffb4cbcd 00000000`00000000 : nt!KiApcInterrupt+0x103
fffffa60`0930e788 ffffffff`ff70bb93 : 00000000`00000010 ffffffff`ffb4cbcd 00000000`00000000 ffffffff`ffb4ca6c : 0xffffffff`ffb4df3e
fffffa60`0930e790 00000000`00000010 : ffffffff`ffb4cbcd 00000000`00000000 ffffffff`ffb4ca6c fffffa60`0930e990 : 0xffffffff`ff70bb93
fffffa60`0930e798 ffffffff`ffb4cbcd : 00000000`00000000 ffffffff`ffb4ca6c fffffa60`0930e990 fffff800`026dccc0 : 0x10
fffffa60`0930e7a0 00000000`00000000 : ffffffff`ffb4ca6c fffffa60`0930e990 fffff800`026dccc0 ffffffff`ff70bb41 : 0xffffffff`ffb4cbcd
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
nt!PspGetSetContextInternal+396
fffff800`026fe4de 488b28          mov     rbp,qword ptr [rax]
 
SYMBOL_STACK_INDEX:  4
 
SYMBOL_NAME:  nt!PspGetSetContextInternal+396
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: nt
 
IMAGE_NAME:  ntkrnlmp.exe
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4f79ae26
 
FAILURE_BUCKET_ID:  X64_0x1E_c0000005_nt!PspGetSetContextInternal+396
 
BUCKET_ID:  X64_0x1E_c0000005_nt!PspGetSetContextInternal+396
 
Followup: MachineOwner
---------
 
If there is someone that could give me some direction as to what needs to be done to resolve this, I would appreciate it.

Comments 2 CommentsJump to latest comment

CraigV's picture

...what happens if you run the built-in Windows backup utility? If it crashes again, then the problem lies with WIndows and not BE.

Thanks!

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

eheppel's picture

I have not tried with the Windows Backup yet.  I will try that and report back.