Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

Win 2k8 server crash

Created: 21 Sep 2012 | 2 comments

I have a 64 bit 2008 Standard Server that appears to crash shortly after a schedule job begins to run.  The bug check revealed the following:

The computer has rebooted from a bugcheck.  
The bugcheck was: 0x0000001e (0xffffffffc0000005, 0xfffff800026fe4de, 0x0000000000000000, 0x0000000000000001). 
A dump was saved in: C:\Windows\MEMORY.DMP.
 
ERROR_READ_FAULT
30 (0x1E)
The system cannot read from the specified device.
 
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Users\veritas\Documents\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
 
Symbol search path is: srv*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (16 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 6002.18607.amd64fre.vistasp2_gdr.120402-0336
Machine Name:
Kernel base = 0xfffff800`0241a000 PsLoadedModuleList = 0xfffff800`025dedd0
Debug session time: Thu Sep 20 19:32:12.875 2012 (UTC - 4:00)
System Uptime: 0 days 12:37:45.022
Loading Kernel Symbols
...............................................................
................................................................
.
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd4018).  Type ".hh dbgerr001" for details
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck 1E, {ffffffffc0000005, fffff800026fe4de, 0, 1}
 
Page 4ee52d not present in the dump file. Type ".hh dbgerr004" for details
Page 72566 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntkrnlmp.exe ( nt!PspGetSetContextInternal+396 )
 
Followup: MachineOwner
---------
 
3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800026fe4de, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 0000000000000001, Parameter 1 of the exception
 
Debugging Details:
------------------
 
Page 4ee52d not present in the dump file. Type ".hh dbgerr004" for details
Page 72566 not present in the dump file. Type ".hh dbgerr004" for details
 
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
 
FAULTING_IP: 
nt!PspGetSetContextInternal+396
fffff800`026fe4de 488b28          mov     rbp,qword ptr [rax]
 
EXCEPTION_PARAMETER1:  0000000000000000
 
EXCEPTION_PARAMETER2:  0000000000000001
 
READ_ADDRESS:  0000000000000001 
 
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
 
BUGCHECK_STR:  0x1E_c0000005
 
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
 
PROCESS_NAME:  WmiPrvSE.exe
 
CURRENT_IRQL:  1
 
TRAP_FRAME:  fffffa600930dd60 -- (.trap 0xfffffa600930dd60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800026fe4de rsp=fffffa600930def0 rbp=ee65764502060007
 r8=0000000000000000  r9=000000000000000c r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
nt!PspGetSetContextInternal+0x396:
fffff800`026fe4de 488b28          mov     rbp,qword ptr [rax] ds:00000000`00000001=????????????????
Resetting default scope
 
LAST_CONTROL_TRANSFER:  from fffff80002454177 to fffff80002471ad0
 
STACK_TEXT:  
fffffa60`0930d578 fffff800`02454177 : 00000000`0000001e ffffffff`c0000005 fffff800`026fe4de 00000000`00000000 : nt!KeBugCheckEx
fffffa60`0930d580 fffff800`02471929 : fffffa60`0930dcb8 fffffa60`091db570 fffffa60`0930dd60 fffffa60`091dbac8 : nt! ?? ::FNODOBFM::`string'+0x29107
fffffa60`0930db80 fffff800`02470725 : 00000000`00000000 fffffa60`0930e008 fffffa60`0930e100 fffffa60`091db570 : nt!KiExceptionDispatch+0xa9
fffffa60`0930dd60 fffff800`026fe4de : ee657645`02060007 fffffa60`091db570 00000000`00000000 fffffa60`091dbac8 : nt!KiPageFault+0x1e5
fffffa60`0930def0 fffff800`0249ef4d : fffffa80`1349d1e8 fffffa80`154d8060 fffffa60`091db570 00000000`00000000 : nt!PspGetSetContextInternal+0x396
fffffa60`0930e440 fffff800`024931ce : 00000000`00000000 fffffa60`0930e5d0 00000000`00000000 00001f80`004b0008 : nt!PspGetSetContextSpecialApc+0x9d
fffffa60`0930e550 fffff800`02496c23 : fffffa60`0930e670 00000000`00000000 00000000`00000000 fffffa80`154d8060 : nt!KiDeliverApc+0x19e
fffffa60`0930e5f0 ffffffff`ffb4df3e : ffffffff`ff70bb93 00000000`00000010 ffffffff`ffb4cbcd 00000000`00000000 : nt!KiApcInterrupt+0x103
fffffa60`0930e788 ffffffff`ff70bb93 : 00000000`00000010 ffffffff`ffb4cbcd 00000000`00000000 ffffffff`ffb4ca6c : 0xffffffff`ffb4df3e
fffffa60`0930e790 00000000`00000010 : ffffffff`ffb4cbcd 00000000`00000000 ffffffff`ffb4ca6c fffffa60`0930e990 : 0xffffffff`ff70bb93
fffffa60`0930e798 ffffffff`ffb4cbcd : 00000000`00000000 ffffffff`ffb4ca6c fffffa60`0930e990 fffff800`026dccc0 : 0x10
fffffa60`0930e7a0 00000000`00000000 : ffffffff`ffb4ca6c fffffa60`0930e990 fffff800`026dccc0 ffffffff`ff70bb41 : 0xffffffff`ffb4cbcd
 
 
STACK_COMMAND:  kb
 
FOLLOWUP_IP: 
nt!PspGetSetContextInternal+396
fffff800`026fe4de 488b28          mov     rbp,qword ptr [rax]
 
SYMBOL_STACK_INDEX:  4
 
SYMBOL_NAME:  nt!PspGetSetContextInternal+396
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: nt
 
IMAGE_NAME:  ntkrnlmp.exe
 
DEBUG_FLR_IMAGE_TIMESTAMP:  4f79ae26
 
FAILURE_BUCKET_ID:  X64_0x1E_c0000005_nt!PspGetSetContextInternal+396
 
BUCKET_ID:  X64_0x1E_c0000005_nt!PspGetSetContextInternal+396
 
Followup: MachineOwner
---------
 
If there is someone that could give me some direction as to what needs to be done to resolve this, I would appreciate it.

Comments 2 CommentsJump to latest comment

CraigV's picture

...what happens if you run the built-in Windows backup utility? If it crashes again, then the problem lies with WIndows and not BE.

Thanks!

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

eheppel's picture

I have not tried with the Windows Backup yet.  I will try that and report back.