SBS 2003 BSOD Error

[Rowse]

I'm getting a BSOD on my SBS 2003 machine, the dump from the memory.dmp file is below. Can anyone tell me what this means:

----- 32 bit Kernel Summary Dump Analysis

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000ece
DirectoryTableBase 3db36940
PfnDataBase 81600000
PsLoadedModuleList 808a6ea8
PsActiveProcessHead 808ad0c8
MachineImageType 0000014c
NumberProcessors 00000002
BugCheckCode 00000027
BugCheckParameter1 baad0080
BugCheckParameter2 f3299994
BugCheckParameter3 f3299690
BugCheckParameter4 f6544f8a
PaeEnabled 00000001
KdDebuggerDataBlock 808943e0

SUMMARY_DUMP32:
DumpOptions 504d4453
HeaderSize 00009000
BitmapSize 0003df30
Pages 00007308
Bitmap.SizeOfBitMap 0003df30

KiProcessorBlock at 808a6220
2 KiProcessorBlock entries:
ffdff120 f7727120


Windows XP Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Built by: 3790.srv03_sp1_rtm.050324-1447
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Nov 18 13:06:43 2005
System Uptime: 0 days 0:39:05
start end module name
80800000 80a53000 nt Checksum: FFFFFFFF Timestamp: unavailable (FFFFFFFE)

Unloaded modules:
f7887000 f788f000 drmkaud.sys Timestamp: Fri Nov 18 12:31:21 2005 (437DC999)
f4398000 f43c8000 kmixer.sys Timestamp: Fri Nov 18 12:31:21 2005 (437DC999)
f43c8000 f43da000 DMusic.sys Timestamp: Fri Nov 18 12:31:21 2005 (437DC999)
f43da000 f43ee000 swmidi.sys Timestamp: Fri Nov 18 12:31:19 2005 (437DC997)
f443e000 f4466000 aec.sys Timestamp: Fri Nov 18 12:31:17 2005 (437DC995)
f5985000 f5987000 splitter.sys Timestamp: Fri Nov 18 12:31:17 2005 (437DC995)
f68d2000 f68e0000 imapi.sys Timestamp: Fri Nov 18 12:27:48 2005 (437DC8C4)
f75f7000 f7603000 vga.sys Timestamp: Fri Nov 18 12:27:48 2005 (437DC8C4)
f77f7000 f77ff000 Sfloppy.SYS Timestamp: Fri Nov 18 12:27:48 2005 (437DC8C4)

Finished dump check

 

[markdmac]

Windows XP Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible

Are you getting the BSOD on the server or on an XP workstation?

I hope you find this post helpful.

Regards,

Mark

 

[Rowse]

It's on an sbs 2003 machine.

 

[SgtBeavis]

You dumps says it's from XP

Windows XP Kernel Version 3790

However, you are looking at a Bugcheck 0x027. That is a Redirector issue....

From the Windows Debugger help file:

Bug Check 0x27: RDR_FILE_SYSTEM
The RDR_FILE_SYSTEM bug check has a value of 0x00000027. This indicates that a problem occurred in the SMB redirector file system.

Parameters
The following parameters are displayed on the blue screen.

Parameter Description
1 The high 16 bits (the first four hexadecimal digits after the "0x") identify the type of problem. Possible values include:

0xCA550000 RDBSS_BUG_CHECK_CACHESUP

0xC1EE0000 RDBSS_BUG_CHECK_CLEANUP

0xC10E0000 RDBSS_BUG_CHECK_CLOSE

0xBAAD0000 RDBSS_BUG_CHECK_NTEXCEPT <--this was YOUR parameter.






Cause
One possible cause of this bug check is depletion of nonpaged pool memory. If the nonpaged pool memory is completely depleted, this error can stop the system. However, during the indexing process, if the amount of available nonpaged pool memory is very low, another kernel-mode driver requiring nonpaged pool memory can also trigger this error.

Resolving the Problem
To debug this problem: Use the .cxr (Display Context Record) command with Parameter 3, and then use kb (Display Stack Backtrace).

To resolve a nonpaged pool memory depletion problem: Add new physical memory to the computer. This will increase the quantity of nonpaged pool memory available to the kern

 

[Rowse]

I used xp to view the file, is that where it could have come from?

How do I use the .cxr command?

Am i right in thinking that adding some more memory should cure this problem? or do i need to something to the software?

 

[Rowse]

Had another bsd, but missed the message.

here's the memory.dmp file:

----- 32 bit Kernel Summary Dump Analysis

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000ece
DirectoryTableBase 003d1000
PfnDataBase 81600000
PsLoadedModuleList 808a6ea8
PsActiveProcessHead 808ad0c8
MachineImageType 0000014c
NumberProcessors 00000002
BugCheckCode 000000d1
BugCheckParameter1 4f43574a
BugCheckParameter2 00000002
BugCheckParameter3 00000000
BugCheckParameter4 f65ceb42
PaeEnabled 00000001
KdDebuggerDataBlock 808943e0

SUMMARY_DUMP32:
DumpOptions 504d4453
HeaderSize 00009000
BitmapSize 0003df30
Pages 00006e9e
Bitmap.SizeOfBitMap 0003df30

KiProcessorBlock at 808a6220
2 KiProcessorBlock entries:
ffdff120 f7727120


Windows XP Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Built by: 3790.srv03_sp1_rtm.050324-1447
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Nov 18 18:41:24 2005
System Uptime: 0 days 4:50:20
start end module name
80800000 80a53000 nt Checksum: FFFFFFFF Timestamp: unavailable (FFFFFFFE)

Unloaded modules:
f66e5000 f66ed000 drmkaud.sys Timestamp: Fri Nov 18 13:54:40 2005 (437DDD20)
f39a8000 f39d8000 kmixer.sys Timestamp: Fri Nov 18 13:54:40 2005 (437DDD20)
f39d8000 f39ea000 DMusic.sys Timestamp: Fri Nov 18 13:54:40 2005 (437DDD20)
f3ab2000 f3ac6000 swmidi.sys Timestamp: Fri Nov 18 13:54:39 2005 (437DDD1F)
f3ac6000 f3aee000 aec.sys Timestamp: Fri Nov 18 13:54:38 2005 (437DDD1E)
f7a41000 f7a43000 splitter.sys Timestamp: Fri Nov 18 13:54:38 2005 (437DDD1E)
f6842000 f6850000 imapi.sys Timestamp: Fri Nov 18 13:51:13 2005 (437DDC51)
f6970000 f697c000 vga.sys Timestamp: Fri Nov 18 13:51:13 2005 (437DDC51)
f786f000 f7877000 Sfloppy.SYS Timestamp: Fri Nov 18 13:51:13 2005 (437DDC51)

Finished dump check

 

[markdmac]

have you applied the following to this server in the following order?

Windows 2003 SP1
SharePoint SP2
Exchange 2003 SP2
Windows XP SP2 Update
SBS 2003 SP1

If not, I would update the system to these service pack levels before going crazy to troubleshoot what may be fixed by the latest updates.

I hope you find this post helpful.

Regards,

Mark

 

[Rowse]

I've installed all of those, in the hope it would cure these problems, but it didnt.

 

[markdmac]

Anthing in your event logs just prior to the dump? Can you associate the crash with any changes ont he server or with the timing of any user actions?

I'm wondering if the server is trying to push out XP SP1 to a client when this happens based on the fact that it is in the dump. When you upgraded the client install to XP SP2 did you remove the SP1 folder?

I hope you find this post helpful.

Regards,

Mark

 

[Rowse]

I haven't removed anything, and all the machines are running xp sp2.

no crashes though since yesterday.

 

[SgtBeavis]

Call MS support and ask for a patch with the latest version of the redirector. They shouldn't charge you for it.

Without a full memory dump to run through a Windows Debugger I cannot tell you exactly whats happening...

BTW, my bad, I can see the kernel version is for 2k3. Sorry 'bout that.

Built by: 3790.srv03_sp1_rtm.050324-1447

If you get a minidump to send to me, I MIGHT (emphasis on MIGHT) be able to tell you the faulting module. If you are interested, let me know and I'll give you an email address to send the dump file to.

 

[Rowse]

yeah, thanks for that. i've set it to run a complete dump, not just the little one it does. i'll let you know if it goes down again.

Do i just look on the microsoft website for a number?

 

[SgtBeavis]

you can do that for the bugcheck number, but to read the dump, you need to run it through a Windows Debugger.

You sound like a bright guy, so you might be able to figure this out on your own. Here are some links for the debugging tools. Trust me on this. If you can become halfway decent at debugging, you'll be a much better Sys Admin

You can download the Windows Debugging Tools here:

http://www.microsoft.com/whdc/devtools/debugging/default.mspx

Get the 32 bit version (unless your OS is 64bit)

You can learn how to setup Debugging Symbols here:

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Once you load your memory dump, you want to run this command:

!analyze -v

When you run that command you will get a spew of information. There are several websites that can help you interperate it, however, the main thing you are looking for is the "FAULTING MODULE" That is the likely the file that caused the issue. However, that is not guaranteed. Sometimes that Faulting module will fault because of data being passed up from lower down in the stack....

Good luck.



Microsoft Certified Nut.

 

[Rowse]

ok, i've installed it and worked out how to open my memory.dmp file.
but..

it says i need the web sysmbols, so i did the srv thingy and it comes back with an error of "symbol file could not be found"

I aint that bright obviously.

 

[Rowse]

ah, think i've got that bit done.

i've got a minidump which says driver_corrupted_expool(c5) and mentions USBPORT further down, so i assume the error is with my belkin usb adaptor.

let me know if you want to see the minidump.

 

[SgtBeavis]

send the minidump to rboyett@**nospam**onebox.com

No promises but I'll check it out.

Microsoft Certified Nut.

 

[Rowse]

Here is the debug from my last minidump crash file.
Any ideas anyone?

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000000, EXCEPTION_DIVIDED_BY_ZERO
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

Unable to load image \SystemRoot\System32\Drivers\avg7rsw.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for avg7rsw.sys
*** ERROR: Module load completed but symbols could not be loaded for avg7rsw.sys

BUGCHECK_STR: 0x7f_0

TRAP_FRAME: b7e386e0 -- (.trap ffffffffb7e386e0)
ErrCode = 00000000
eax=88b3d7f0 ebx=89fcdb08 ecx=68250003 edx=68250004 esi=8a1550e8 edi=89fcdd4c
eip=f73060e1 esp=b7e38754 ebp=b7e3876c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
dmio!vol_free_klocks+0x3d:
f73060e1 f775ce div dword ptr [ebp-0x32] ss:0010:b7e3873a=db088a15
Resetting default scope

CUSTOMER_CRASH_COUNT: 4

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

CURRENT_IRQL: 1

MISALIGNED_IP:
dmio!vol_free_klocks+3d
f73060e1 f775ce div dword ptr [ebp-0x32]

LAST_CONTROL_TRANSFER: from f7285bb7 to f73060e1

STACK_TEXT:
b7e38780 f7285bb7 8a155030 89fcdb08 8a198530 dmio!vol_free_klocks+0x3d
b7e38794 8081dce5 8a155030 89fcdb08 89fcdca0 SCSIPORT!ScsiPortGlobalDispatch+0x1d
b7e387a8 f7272a20 89fcdca0 45d76000 b7e387ec nt!IofCallDriver+0x45
b7e387b8 f7272635 89fcdca0 8a10f930 88bb9634 CLASSPNP!SubmitTransferPacket+0xbb
b7e387ec f7272712 00000000 00002000 88bb9510 CLASSPNP!ServiceTransferRequest+0x1e4
b7e38810 8081dce5 8a10f878 00000000 8a1128c0 CLASSPNP!ClassReadWrite+0x159
b7e38824 f74c80cf 8a1560e8 88bb9658 b7e38848 nt!IofCallDriver+0x45
b7e38834 8081dce5 8a10f640 88bb9510 88bb967c PartMgr!PmReadWrite+0x95
b7e38848 f7317053 88bb9510 8a113598 88bb9510 nt!IofCallDriver+0x45
b7e38864 8081dce5 8a156030 88bb9510 88bb96a0 ftdisk!FtDiskReadWrite+0x1a9
b7e38878 f72c0720 8a112da8 e124ca70 8a156720 nt!IofCallDriver+0x45
b7e38890 8081dce5 8a156720 88bb9510 88bb9510 volsnap!VolSnapRead+0x52
b7e388a4 f7b500ce 88e6a420 b7e38a88 f7b4f702 nt!IofCallDriver+0x45
b7e388b0 f7b4f702 88e6a420 8a156720 b6bfd000 Ntfs!NtfsSingleAsync+0x91
b7e38a88 f7b4d75e 88e6a420 88bb9510 e124ca70 Ntfs!NtfsNonCachedIo+0x2db
b7e38b74 f7b508de 88e6a420 88bb9510 00000001 Ntfs!NtfsCommonRead+0xaf5
b7e38c18 8081dce5 8a11d020 88bb9510 8a11c4d8 Ntfs!NtfsFsdRead+0x113
b7e38c2c f7250c53 8a11c4d8 b8e7e9f0 00000100 nt!IofCallDriver+0x45
b7e38c54 8081dce5 8a158b40 88bb9510 88bb9510 fltmgr!FltpDispatch+0x6f
b7e38c68 b8e7e45c 88bb9510 89c4fd50 88e8a5a0 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
b7e38c8c 808f4797 88bb96a0 88bb9510 88e8a5a0 avg7rsw+0x45c
b7e38ca0 808f196b 89b9ed10 88bb9510 88e8a5a0 nt!IopSynchronousServiceTail+0x10b
b7e38d38 80888c6c 00000818 00000304 00000000 nt!NtReadFile+0x5cf
b7e38d38 7c82ed54 00000818 00000304 00000000 nt!KiFastCallEntry+0xfc
1153d874 00000000 00000000 00000000 00000000 0x7c82ed54


FOLLOWUP_IP:
dmio!vol_free_klocks+3d
f73060e1 f775ce div dword ptr [ebp-0x32]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: dmio!vol_free_klocks+3d

IMAGE_NAME: hardware

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .trap ffffffffb7e386e0 ; kb

MODULE_NAME: hardware

FAILURE_BUCKET_ID: IP_MISALIGNED_dmio.sys

BUCKET_ID: IP_MISALIGNED_dmio.sys

Followup: MachineOwner
---------

 

[SgtBeavis]

Bug Check 0x7F: UNEXPECTED_KERNEL_MODE_TRAP
The UNEXPECTED_KERNEL_MODE_TRAP bug check has a value of 0x0000007F. This indicates that a trap was generated by the Intel CPU and the kernel failed to catch this trap.

This could be either a bound trap (a trap the kernel is not permitted to catch) or a double fault (a fault that occurred while processing an earlier fault, which always results in a system crash).


Parameters
The first parameter displayed on the blue screen specifies the trap number.

Here are some of the most common trap codes:

0x00000000, or Divide by Zero Error, is caused when a DIV instruction is executed and the divisor is zero. Memory corruption, other hardware problems, or software failures can cause this error.


A couple of possibilities that I've found:

If you look at the stack you see alot of calls from NTFS.sys and the faulting call is from DMIO.sys. I would need a full dump to be sure, but I'd say you might be looking at a Harddrive or SCSI failure.

Another possibility is if you are running a backup when a virus scan is running, check your scheduling to make sure this isn't the case. If it is, reschedule so they don't happen at the same time and see what happens...

These thoughts are somewhat speculative though because this is just a minidump which only shows the stack of one single thread. While this stack may be the root cause, it could be cause by a call from another stack.

All that said, if you look back, you originally had a stop error 0x27 which is a redirector issue with the file system. If you look here, you have another disk related issue. Where there is smoke there is fire. I'd be looking at the disks and scsi card. See if there are updates for your scsi drivers and firmware. Also look into replacing the harddrive if you can.

Microsoft Certified Nut.

 

[Rowse]

SgtBeavis, many thanks for that. I do have a full memory dump which is 2gb. I'll debug that and post it onto here.

All the problems originated from a power cut we had, usually hard disks cope with that but not this one.

I'll look at getting a new hard disk and replacing it.

 

[Rowse]

here's the latest mini dump:

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b85372c0, The address that the exception occurred at
Arg3: b81c4b4c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
afd!AfdExceptionFilter+11
b85372c0 8b00 mov eax,[eax]

TRAP_FRAME: b81c4b4c -- (.trap ffffffffb81c4b4c)
ErrCode = 00000000
eax=0002afd4 ebx=88c231b8 ecx=b81c4c08 edx=9e610003 esi=889e2628 edi=88a34b20
eip=b85372c0 esp=b81c4bc0 ebp=b81c4bc0 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
afd!AfdExceptionFilter+0x11:
b85372c0 8b00 mov eax,[eax] ds:0023:0002afd4=????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0x8E

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from b8547f9d to b85372c0

STACK_TEXT:
b81c4bc0 b8547f9d 89f12820 b81c4c08 b853c679 afd!AfdExceptionFilter+0x11
b81c4bcc b853c679 889e2638 b854152f 889e2628 afd!AfdAddressListChange+0x123
b81c4c28 b853c04c 88a34b20 8992ae00 b81c4c4c afd!AfdPoll+0x49e
b81c4c38 8081dce5 89927468 88a34b20 89b8dc38 afd!AfdDispatchDeviceControl+0x53
b81c4c4c 808f4797 88a34bfc 89e6b550 88a34b20 nt!IofCallDriver+0x45
b81c4c60 808f5515 89927468 88a34b20 89e6b550 nt!IopSynchronousServiceTail+0x10b
b81c4d00 808ee0e4 000001ac 0000022c 00000000 nt!IopXxxControlFile+0x5db
b81c4d34 80888c6c 000001ac 0000022c 00000000 nt!NtDeviceIoControlFile+0x2a
b81c4d34 7c82ed54 000001ac 0000022c 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0133fcd8 00000000 00000000 00000000 00000000 0x7c82ed54


FOLLOWUP_IP:
afd!AfdExceptionFilter+11
b85372c0 8b00 mov eax,[eax]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: afd!AfdExceptionFilter+11

MODULE_NAME: afd

IMAGE_NAME: afd.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 42435e0b

STACK_COMMAND: .trap ffffffffb81c4b4c ; kb

FAILURE_BUCKET_ID: 0x8E_afd!AfdExceptionFilter+11

BUCKET_ID: 0x8E_afd!AfdExceptionFilter+11

Followup: MachineOwner
---------