RVS_Qin
Hi Team,
We have suffered an unexpected reboot on a machine. That server generated a dump file; I extracted this part of the dump file:
SYMBOL_NAME: nt!PspCatchCriticalBreak+73
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
IMAGE_VERSION: 6.0.6003.20512
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: 0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_c0000005_BAD_IP_nt!PspCatchCriticalBreak+73
OS_VERSION: 0.0.6003.20512
BUILDLAB_STR: vistasp2_ldr
OSPLATFORM_TYPE: x86
OSNAME: Windows 7
FAILURE_ID_HASH: {a22740b6-7c71-b7cd-48a5-9ded7f4f9a48}
Followup: MachineOwner
Does it mean the issue comes from the network?
Could you help me?
Thanks in advance,
I leave you the complete dump file:
Microsoft (R) Windows Debugger Version 10.0.19528.1000 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 6003 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
6003.20512.x86fre.vistasp2_ldr.190416-0600
Machine Name:
Kernel base = 0x81a3d000 PsLoadedModuleList = 0x81b5ca70
Debug session time: Sun Feb 2 15:28:28.916 2020 (UTC + 1:00)
System Uptime: 243 days 8:00:43.498
Loading Kernel Symbols
...............................................................
................................................................
....
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdf00c). Type ".hh dbgerr001" for details
Loading unloaded module list
.......
For analysis of this file, run !analyze -v
eax=8187c120 ebx=8531f020 ecx=81b44f9c edx=00003058 esi=8187c13c edi=00000000
eip=81a70810 esp=8c317818 ebp=8c317834 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
nt!KeBugCheckEx+0x1e:
81a70810 8be5 mov esp,ebp
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 8531f020, Terminating object
Arg3: 8531f16c, Process image file name
Arg4: 81cfe190, Explanatory message (ascii)
Debugging Details:
------------------
This command requires a minimum of Win7 on the target.
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.Sec
Value: 1
Key : Analysis.DebugAnalysisProvider.CPP
Value: Create: 8007007e on QM-22
Key : Analysis.DebugData
Value: CreateObject
Key : Analysis.DebugModel
Value: CreateObject
Key : Analysis.Elapsed.Sec
Value: 2
Key : Analysis.Memory.CommitPeak.Mb
Value: 51
Key : Analysis.System
Value: CreateObject
ADDITIONAL_XML: 1
BUGCHECK_CODE: f4
BUGCHECK_P1: 3
BUGCHECK_P2: ffffffff8531f020
BUGCHECK_P3: ffffffff8531f16c
BUGCHECK_P4: ffffffff81cfe190
PROCESS_NAME: csrss.exe
CRITICAL_PROCESS: csrss.exe
EXCEPTION_RECORD: 8c317d10 -- (.exr 0xffffffff8c317d10)
ExceptionAddress: 777ca002
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00750ff0
Attempt to write to address 00750ff0
ERROR_CODE: (NTSTATUS) 0xc0000005 - La instrucción en 0x%p hace referencia a la memoria en 0x%p. La memoria no se pudo %s.
WRITE_ADDRESS: Target machine operating system not supported
00750ff0
FAILED_INSTRUCTION_ADDRESS:
+0
777ca002 ?? ???
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 00750ff0
EXCEPTION_STR: 0xc0000005
TRAP_FRAME: 8c317d64 -- (.trap 0xffffffff8c317d64)
ErrCode = 00000006
eax=00000020 ebx=777e5dfd ecx=7ffdb000 edx=777e5ce4 esi=0075110c edi=00000000
eip=777ca002 esp=00750ff4 ebp=00751024 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
001b:777ca002 ?? ???
Resetting default scope
STACK_TEXT:
8c317834 81c6912f 000000f4 00000003 8531f020 nt!KeBugCheckEx+0x1e
8c317858 81c68d46 81cfe190 8531f16c 8531f24c nt!PspCatchCriticalBreak+0x73
8c317888 81c68ced 8531f020 85406968 c0000005 nt!PspTerminateAllThreads+0x2c
8c3178bc 81b18b4a ffffffff c0000005 8c317cf4 nt!NtTerminateProcess+0x1c1
8c3178bc 81b0c109 ffffffff c0000005 8c317cf4 nt!KiSystemServicePostCall
8c31793c 81a792b5 ffffffff c0000005 b48bbf4d nt!ZwTerminateProcess+0x11
8c317cf4 81b1a0d6 8c317d10 00000000 8c317d64 nt!KiDispatchException+0x41f
8c317d5c 81b1a08b 00751024 777ca002 badb0d00 nt!CommonDispatchException+0x4a
8c317d64 777ca002 badb0d00 00000000 00000000 nt!KiExceptionExit+0x24f
WARNING: Frame IP not in any known module. Following frames may be wrong.
8c317d68 badb0d00 00000000 00000000 00000000 0x777ca002
8c317d6c 00000000 00000000 00000000 00000000 0xbadb0d00
SYMBOL_NAME: nt!PspCatchCriticalBreak+73
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
IMAGE_VERSION: 6.0.6003.20512
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: 0xF4_csrss.exe_BUGCHECK_CRITICAL_PROCESS_c0000005_BAD_IP_nt!PspCatchCriticalBreak+73
OS_VERSION: 0.0.6003.20512
BUILDLAB_STR: vistasp2_ldr
OSPLATFORM_TYPE: x86
OSNAME: Windows 7
FAILURE_ID_HASH: {a22740b6-7c71-b7cd-48a5-9ded7f4f9a48}
Followup: MachineOwner
---------
0: kd> lmvm nt
Browse full module list
start end module name
81a3d000 81df4000 nt (pdb symbols) C:\ProgramData\Dbg\sym\ntkrpamp.pdb\5B74AED646EA4D878218680FCF5D32961\ntkrpamp.pdb
Loaded symbol image file: ntkrpamp.exe
Image path: ntkrpamp.exe
Image name: ntkrpamp.exe
Browse all global symbols functions data
Timestamp: Tue Apr 16 16:32:34 2019 (5CB5E782)
CheckSum: 0036ED7A
ImageSize: 003B7000
File version: 6.0.6003.20512
Product version: 6.0.6003.20512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrpamp.exe
OriginalFilename: ntkrpamp.exe
ProductVersion: 6.0.6003.20512
FileVersion: 6.0.6003.20512 (vistasp2_ldr.190416-0600)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.