BSOD 0xC4 on Windows 10 - windows

I have a driver built with WDK 8.1 which I'm trying to run on Windows 10 with
the Verifier enabled with Code Integrity check. I receive the following BSOD when the driver is started:
Do I need to rebuild the driver with any settings changed?
And what is the meaning of "Arg1: 00002000, subclass of driver violation"?
Bugcheck Analysis:
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
A device driver attempting to corrupt the system has been caught. This is
because the driver was specified in the registry as being suspect (by the
administrator) and the kernel has enabled substantial checking of this driver.
If the driver attempts to corrupt the system, bugchecks 0xC4, 0xC1 and 0xA will
be among the most commonly seen crashes.
Arguments:
Arg1: 00002000, subclass of driver violation.
Arg2: 93d76b70
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
Failed calling InternetOpenUrl, GLE=12007
BUGCHECK_STR: 0xc4_2000
IMAGE_NAME: McPvDrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5317613a
MODULE_NAME: McPvDrv
FAULTING_MODULE: 93d70000 McPvDrv
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8277336a to 8233bac4
STACK_TEXT:
876c76d8 8277336a 000000c4 00002000 93d76b70 nt!KeBugCheckEx
876c76fc 8241f7ea 93d76b70 00000000 00000000 nt!VerifierBugCheckIfAppropriate+0x36
876c771c 8276c018 93d76b70 00000000 00000000 nt!VfReportIssueWithOptions+0xd3
876c773c 8276a4b7 00000000 00000000 876c77c4 nt!VfCheckPoolType+0x61
876c774c 93d76b70 00000000 00000014 0000002d nt!VerifierExAllocatePool+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
876c77c4 93d7581d 93d7e14c 00000020 876c79ec McPvDrv+0x6b70
876c7a34 93d75fc1 93d73dba 00000001 71bfe534 McPvDrv+0x581d
876c7ae0 93d7145c b27cef30 860ebbe0 82217938 McPvDrv+0x5fc1
876c7b20 825a2920 b27cef30 b27ef000 ab95fcf0 McPvDrv+0x145c
876c7d00 825bd192 00000000 876c7d1c ab95fcf0 nt!IopLoadDriver+0x62a
876c7d20 82314145 ab95fcf0 00000000 861a8700 nt!IopLoadUnloadDriver+0x42
876c7d70 822a3da1 82487220 71bfe2e4 00000000 nt!ExpWorkerThread+0xd5
876c7db0 8234f2f1 82314070 82487220 00000000 nt!PspSystemThreadStartup+0x5b
876c7dbc 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x15
STACK_COMMAND: kb
FOLLOWUP_IP:
McPvDrv+6b70
93d76b70 8bf0 mov esi,eax
SYMBOL_STACK_INDEX: 5
SYMBOL_NAME: McPvDrv+6b70
FOLLOWUP_NAME: wintriag
FAILURE_BUCKET_ID: 0xc4_2000_VRF_McPvDrv+6b70
BUCKET_ID: 0xc4_2000_VRF_McPvDrv+6b70
Followup: wintriag

According to https://msdn.microsoft.com/en-us/library/windows/hardware/ff560187(v=vs.85).aspx
arg 0x2000 suggests you are calling the StorPortInitialize function.
Please double-check that you are using the correct OS symbols, otherwise the debugger output can be completely wrong! Also include a symbol folder path for your driver (File -> symbol file path).
Here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms681416(v=vs.85).aspx you have details on how to use the Microsoft symbol server in order to download the required OS symbols.
You can add to your symbol path something like srv*c:\MyTempSymbolFolder*http://msdl.microsoft.com/download/symbols but be sure to use ";" to delimit symbol paths.
After doing this you should be able to run these commands in WinDbg successfully:
.reload /f nt
.reload /f McPvDrv.sys
and now rerun the !analyze -v command, which might show you a modified call stack.
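To illustrate why the answer above asks for correct symbols, here is an added example (not code from the original thread) that parses the !analyze -v text quoted in the question, lists modules whose frames resolved only to module+offset, counts the frames after the unwind warning, and checks whether a bugcheck argument is an address inside the faulting driver. The names parse_analyze and triage are made up for this example, and it assumes kb-style frames with three argument columns.

```python
import re

# Sample input: lines copied from the !analyze -v output in the question above.
SAMPLE = """\
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arg1: 00002000, subclass of driver violation.
Arg2: 93d76b70
Arg3: 00000000
Arg4: 00000000
IMAGE_NAME: McPvDrv.sys
FAULTING_MODULE: 93d70000 McPvDrv
STACK_TEXT:
876c76d8 8277336a 000000c4 00002000 93d76b70 nt!KeBugCheckEx
876c76fc 8241f7ea 93d76b70 00000000 00000000 nt!VerifierBugCheckIfAppropriate+0x36
876c771c 8276c018 93d76b70 00000000 00000000 nt!VfReportIssueWithOptions+0xd3
876c773c 8276a4b7 00000000 00000000 876c77c4 nt!VfCheckPoolType+0x61
876c774c 93d76b70 00000000 00000014 0000002d nt!VerifierExAllocatePool+0x15
WARNING: Stack unwind information not available. Following frames may be wrong.
876c77c4 93d7581d 93d7e14c 00000020 876c79ec McPvDrv+0x6b70
876c7a34 93d75fc1 93d73dba 00000001 71bfe534 McPvDrv+0x581d
876c7ae0 93d7145c b27cef30 860ebbe0 82217938 McPvDrv+0x5fc1
876c7b20 825a2920 b27cef30 b27ef000 ab95fcf0 McPvDrv+0x145c
876c7d00 825bd192 00000000 876c7d1c ab95fcf0 nt!IopLoadDriver+0x62a
STACK_COMMAND: kb
"""

HEADER_RE = re.compile(r"^([A-Z][A-Z0-9_]+) \(([0-9a-fA-F]+)\)$")
ARG_RE = re.compile(r"^Arg([1-4]): ([0-9a-fA-F`]+)")
FIELD_RE = re.compile(r"^(IMAGE_NAME|FAULTING_MODULE):\s+(.+)$")
FRAME_RE = re.compile(r"^(?:[0-9a-fA-F`]+ ){5}(\S+)$")
SITE_RE = re.compile(r"^([A-Za-z_][\w.-]*)(?:!([^+]+))?(?:\+0x([0-9a-fA-F]+))?$")


def to_int(hex_text):
    """WinDbg prints 64-bit values as 'high`low'; drop the backtick."""
    return int(hex_text.replace("`", ""), 16)


def parse_analyze(text):
    """Parse the fields of !analyze -v output needed for a first-pass triage."""
    report = {"name": None, "code": None, "args": {}, "image": None,
              "base": None, "frames": []}
    in_stack = unreliable = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "STACK_TEXT:":
            in_stack = True
            continue
        if in_stack:
            if "Following frames may be wrong" in line:
                unreliable = True       # debugger could not unwind past here
                continue
            frame = FRAME_RE.match(line)
            if frame:
                site = SITE_RE.match(frame.group(1))
                module, symbol, offset = site.groups() if site else (None, None, None)
                report["frames"].append({
                    "site": frame.group(1), "module": module, "symbol": symbol,
                    "offset": int(offset, 16) if offset else 0,
                    "unreliable": unreliable})
                continue
            in_stack = False            # first non-frame line ends the stack
        if (m := HEADER_RE.match(line)) and report["name"] is None:
            report["name"], report["code"] = m.group(1), int(m.group(2), 16)
        elif m := ARG_RE.match(line):
            report["args"][int(m.group(1))] = to_int(m.group(2))
        elif m := FIELD_RE.match(line):
            if m.group(1) == "IMAGE_NAME":
                report["image"] = m.group(2)
            else:
                report["base"] = to_int(m.group(2).split()[0])
    return report


def triage(report):
    """Summarise what the stack says and how far it can be trusted."""
    frames = report["frames"]
    driver = (report["image"] or "").rsplit(".", 1)[0].lower()
    first = next((i for i, f in enumerate(frames)
                  if f["module"] and f["module"].lower() == driver), None)
    driver_addrs = {report["base"] + f["offset"]: f["site"] for f in frames
                    if report["base"] is not None and f["module"]
                    and f["module"].lower() == driver and not f["symbol"]}
    return {
        "reload_symbols_for": sorted({f["module"] for f in frames
                                      if f["module"] and not f["symbol"]}),
        "unreliable_frames": sum(f["unreliable"] for f in frames),
        "kernel_routine_called": frames[first - 1]["site"] if first else None,
        "driver_call_site": frames[first]["site"] if first is not None else None,
        "args_inside_driver": {n: driver_addrs[v] for n, v in report["args"].items()
                               if v in driver_addrs},
    }


if __name__ == "__main__":
    print(triage(parse_analyze(SAMPLE)))
```

On the sample it reports McPvDrv as the module to reload symbols for, five frames after the unwind warning, and Arg2 as the address McPvDrv+0x6b70 inside the driver, directly below nt!VerifierExAllocatePool.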

Related

How to run GCC for ARM cross compiling in WSL2 via WINE?

I'm trying to pack my Windows Toolchain into a container image. For that, I use WSL2 and Docker. To run Windows binaries, I use Wine. This works for many Windows tools, but unfortunately, gcc does not work:
# in WSL2, Ubuntu 20.04 LTS
jan@host:/mnt/e/gcc-arm-11.2-2022.02-mingw-w64-i686-arm-none-eabi/bin$ wine arm-none-eabi-gcc.exe -v
wine: Unhandled page fault on execute access to 004B3000 at address 004B3000 (thread 0009), starting debugger...
Debug messages:
Unhandled exception: page fault on execute access to 0x004b3000 in 32-bit code (0x004b3000).
Register dump:
CS:0023 SS:002b DS:002b ES:002b FS:006b GS:0063
EIP:004b3000 ESP:012fff24 EBP:012fff48 EFLAGS:00010206( R- -- I - -P- )
EAX:3fff8000 EBX:3ffff000 ECX:012fff74 EDX:012fff74
ESI:00000000 EDI:00000000
Stack dump:
0x012fff24: 004014f2 00000000 c1aacd00 012fff50
0x012fff34: 7b454882 3ffff000 7b454cfc 7b454cfc
0x012fff44: 7b454cfc 012fffd8 7b454cfc 3ffff000
0x012fff54: 004014e0 012fff74 012fff74 00000000
0x012fff64: 00000000 004014e0 3ffff000 00000000
0x012fff74: ffffffff 7b46d850 7b434568 00000000
Backtrace:
=>0 0x004b3000 in arm-none-eabi-gcc (+0xb3000) (0x012fff48)
1 0x7b454cfc in kernel32 (+0x34cfb) (0x012fffd8)
2 0x7b45488e in kernel32 (+0x3488d) (0x012fffec)
0x004b3000: orb 0x0(%eax),%al
Modules:
Module Address Debug info Name (10 modules)
PE 400000- 6fc000 Dwarf arm-none-eabi-gcc
PE 7b020000-7b023000 Deferred kernelbase
PE 7b420000-7b5db000 Export kernel32
PE 7bc30000-7bc34000 Deferred ntdll
PE 7f3e0000-7f3e4000 Deferred imm32
PE 7f610000-7f614000 Deferred version
PE 7f640000-7f644000 Deferred advapi32
PE 7f6d0000-7f6d7000 Deferred gdi32
PE 7f840000-7f928000 Deferred user32
PE 7fa70000-7fa74000 Deferred msvcrt
Threads:
process tid prio (all id:s are in hex)
00000008 (D) Z:\mnt\e\gcc-arm-11.2-2022.02-mingw-w64-i686-arm-none-eabi\bin\arm-none-eabi-gcc.exe
00000029 0
00000009 0 <==
0000000e services.exe
00000023 0
0000001c 0
00000015 0
00000010 0
0000000f 0
00000011 plugplay.exe
00000019 0
00000018 0
00000012 0
00000013 explorer.exe
00000030 0
0000002f 0
0000002c 0
00000014 0
0000001a winedevice.exe
00000020 0
0000001f 0
0000001e 0
0000001d 0
0000001b 0
00000021 winedevice.exe
00000025 0
00000024 0
00000022 0
System information:
Wine build: wine-5.0 (Ubuntu 5.0-3ubuntu1)
Platform: i386
Version: Windows 7
Host system: Linux
Host version: 5.10.60.1-microsoft-standard-WSL2
GCC is from here: https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/downloads-1
Other tools in the directory, like gcov, readelf, etc. don't work either.
Is there anything I can do to track down the issue, or is it nearly impossible to run a toolchain in Wine?
The reason I have to use the Windows version instead of the Linux version is that the toolchain is slightly modified by our supplier and Windows only :( But I'd like to avoid running a Windows Docker server for one image only, therefore the Wine approach.

Unable to build MIT Kerberos in Windows 2007 (Windows Server Enterprise)

I was trying to build MIT Kerberos in Windows 2007 (Windows Server Enterprise) Service Pack 2 32 bit system. After adding a few flags specific to POSIX errors I was able to build it in Windows 7 (along with working kinit and klist programs). However in win 2007 all exes generated crash whenever I attempt to execute them. I had used Microsoft Visual Studio 2008 with Microsoft SDK v6 for both builds.
Crash code in event viewer: Exception code: 0xc000041d and occasionally 0xc00008c
Fault offset: 0x76e011f1
After enabling all possible checks in gflags and running kinit, I noticed a message saying unable to start application due to incorrect security permissions. I changed compatibility mode to xp3 and ran as administrator but no luck.
I then used sxstrace to determine any link time inconsistencies. I didn't find even a single line in my parsed trace file. I then used Dependency Walker and it wasn't able to find any errors.
I then used procdump and windbg to get the dump of the problem. Unfortunately I haven't been able to locate a suitable pdb for nt.dll. This is what I found after attempting to unwind the core dump stack (kp command):-
0018975c 64754d57 user32!GetProcessWindowStation+0x15
0018a8c0 64755d08 msvcr90d!CrtDbgReport+0x437
0018f954 64754992 msvcr90d!VCrtDbgReportA+0x7d8
0018f974 6475494b msvcr90d!CrtDbgReport+0x72
0018f99c 646bc34d msvcr90d!CrtDbgReport+0x2b
0018f9d0 646bc812 msvcr90d!get_pgmptr+0x1bd
0018fa08 646bc711 msvcr90d!_getmainargs+0x182
0018fa1c 76fc99a0 msvcr90d!_getmainargs+0x81
0018fa3c 76fcd939 ntdll!RtlQueryEnvironmentVariable+0x241
0018fb30 76fd686c ntdll!LdrResSearchResource+0xb4d
0018fcb0 76fd5326 ntdll!RtlGetNtVersionNumbers+0x9b
0018fd00 76fc9ef9 ntdll!RtlSetUnhandledExceptionFilter+0x50
0018fd10 00000000 ntdll!LdrInitializeThunk+0x10
I don't quite understand what this means and I have no idea what on earth is going on. I don't have too much proficiency in using windbg.
Is there anything else that anyone can suggest to me to narrow down the root cause of the issue? Even after I copy the 2k7 built binaries to my local win 7 machine, it still crashes with the same stack.
Edit: after running .symfix, .reload and then analyze -v I got the following output in windbg console:-
*** WARNING: Unable to verify checksum for klist.exe
*** ERROR: Module load completed but symbols could not be loaded for klist.exe
FAULTING_IP:
+0
00000000 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 000014bc
PROCESS_NAME: klist.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: klist.exe
BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT_AFTER_CALL
PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT_AFTER_CALL
DEFAULT_BUCKET_ID: STATUS_BREAKPOINT_AFTER_CALL
LAST_CONTROL_TRANSFER: from 6475450f to 74c49eff
STACK_TEXT:
00189718 6475450f 0018973c 0018a8c0 64754cc0 user32!NtUserGetProcessWindowStation+0x15
0018975c 64754d57 001898b0 64696070 00012012 msvcr90d!__crtMessageBoxA+0x14f
0018a8c0 64755d08 00000001 00000000 00000000 msvcr90d!__crtMessageWindowA+0x3b7
0018f954 64754992 00000001 00000000 00000000 msvcr90d!_VCrtDbgReportA+0x7d8
0018f974 6475494b 00000001 00000000 00000000 msvcr90d!_CrtDbgReportV+0x22
0018f99c 646bc34d 00000001 00000000 00000000 msvcr90d!_CrtDbgReport+0x2b
0018f9d0 646bc812 00000022 6e76fe50 0018faec msvcr90d!_NMSG_WRITE+0x6d
0018fa08 646bc711 64680000 00000001 0018fd24 msvcr90d!__CRTDLL_INIT+0xf2
0018fa1c 76fc99a0 64680000 00000001 0018fd24 msvcr90d!_CRTDLL_INIT+0x21
0018fa3c 76fcd939 646bc6f0 64680000 00000001 ntdll!LdrpCallInitRoutine+0x14
0018fb30 76fd686c 0018fd24 7efdd000 7efde000 ntdll!LdrpRunInitializeRoutines+0x26f
0018fcb0 76fd5326 0018fd24 76f90000 734dc02c ntdll!LdrpInitializeProcess+0x1400
0018fd00 76fc9ef9 0018fd24 76f90000 00000000 ntdll!_LdrpInitialize+0x78
0018fd10 00000000 0018fd24 76f90000 00000000 ntdll!LdrInitializeThunk+0x10
FOLLOWUP_IP:
msvcr90d!__crtMessageBoxA+14f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtmbox.c @ 121]
6475450f 8945ec mov dword ptr [ebp-14h],eax
FAULTING_SOURCE_LINE: f:\dd\vctools\crt_bld\self_x86\crt\src\crtmbox.c
FAULTING_SOURCE_FILE: f:\dd\vctools\crt_bld\self_x86\crt\src\crtmbox.c
FAULTING_SOURCE_LINE_NUMBER: 121
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: msvcr90d!__crtMessageBoxA+14f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msvcr90d
IMAGE_NAME: msvcr90d.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 488ef6c7
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb
FAILURE_BUCKET_ID: STATUS_BREAKPOINT_AFTER_CALL_80000003_msvcr90d.dll!__crtMessageBoxA
BUCKET_ID: APPLICATION_FAULT_STATUS_BREAKPOINT_AFTER_CALL_msvcr90d!__crtMessageBoxA+14f
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/klist_exe/4_0_0_0/533e75fb/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
Followup: MachineOwner
Edit: After running in Visual Studio I got the following output:-
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\klist.exe', Symbols loaded.
'klist.exe': Loaded 'C:\Windows\SysWOW64\ntdll.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\kernel32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\KernelBase.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\sysfer.dll'
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\k5sprt32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\msvcr90d.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\ws2_32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\msvcrt.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\rpcrt4.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\sspicli.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\cryptbase.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\sechost.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\nsi.dll'
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\krb5_32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\comerr32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\Windows\SysWOW64\user32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\gdi32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\lpk.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\usp10.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\advapi32.dll'
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\wshelp32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\Windows\SysWOW64\dnsapi.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\shell32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\shlwapi.dll'
First-chance exception at 0x74c49eff in klist.exe: 0xC0000005: Access violation reading location 0x00000250.
*** An Access Violation occurred in "C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\klist.exe" :
The instruction at 0000000076E011F1 tried to read from an invalid address, 0000000000000250
*** enter .exr 000000000008E970 for the exception record
*** enter .cxr 000000000008E480 for the context
*** then kb to get the faulting stack
Unhandled exception at 0x74c49eff in klist.exe: 0xC000041D: An unhandled exception was encountered during a user callback.
> kb
Index Function
--------------------------------------------------------------------------------
*1 user32.dll!74c49eff()
2 [Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
3 user32.dll!74c49eff()
4 msvcr90d.dll!58f8450f()
5 msvcr90d.dll!58f84d57()
I can't get klist or krb5 dlls in the stack at all. Since klist or any other mit kerb dll does not appear in this section, I am unable to load check their symbols. This is very frustrating, I will attempt to build my own sample program and check for issues. Btw did I miss any analysis steps?
Edit : After checking for first argument to crtmessagebox I got :-
001898b0 "Debug Error!..Program: C:\WS\TPL"
001898d0 "\src\MitKerberos\1.11.1\BUILDDEB"
001898f0 "UG\bin\klist.exe..R6034..An appl"
00189910 "ication has made an attempt to l"
00189930 "oad the C runtime library withou"
00189950 "t using a manifest..This is an u"
00189970 "nsupported way to load Visual C+"
00189990 "+ DLLs. You need to modify your "
001899b0 "application to build with a mani"
001899d0 "fest..For more information, see "
001899f0 "the "Visual C++ Libraries as Sha"
00189a10 "red Side-by-Side Assemblies" top"
As far as I understand the program responsible for this is mt.exe and I had run it.

w3wp.exe crashes when calling [System.Data.Odbc]::OdbcConnection.Open()

I am using Microsoft Visual Web Developer 2010 Express to build a webpage that pulls data from a database to populate a drop-down list with relevant options. Everything works just dandy when I debug the page in the developer, but when I test the production page by navigating to it using IE I get a Visual Studio Just-In-Time Debugger window saying "An unhandled win32 exception occurred in w3wp.exe [#####]" where ##### is a number that changes each time the error presents. After some research I discovered that the error occurs when the program tries to call any OdbcConnection.Open() method. Below is some exception information from DebugDiag.
Exception Information:
In w3wp__TTFCUAppPages__PID__1704__Date__04_25_2013__Time_12_37_29PM__536__Second_Chance_Exception_E0434352.dmp the assembly instruction at KERNELBASE!RaiseException+58 in C:\Windows\System32\KERNELBASE.dll from Microsoft Corporation has caused a CLR Exception on thread 23 with the following error information:
Type:
System.AccessViolationException
Message:
Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
Here is the call stack:
.NET Call Stack
Function
Full Call Stack
Function                                                 Arg 1     Arg 2     Arg 3     Arg 4     Source
KERNELBASE!RaiseException+58                             e0434352  00000001  00000005  058bf568
clr!RaiseTheExceptionInternalOnly+276                    181aba38  00000000  00000000  181aba38
clr!RaiseTheException+87                                 181aba38  00000000  00000004  058bf760
clr!RaiseTheException+fe                                 00000000  00000004  00000004  5df9e75e
clr!RealCOMPlusThrow+3d                                  181aba38  00000000  00000004  058bf76c
clr!RealCOMPlusThrow+12                                  181aba38  00000004  56dd0faf  6d7e95d4
clr!Thread::RaiseCrossContextException+3e0               00000000  058bf7bc  56dd0093  03d1ea38
clr!Thread::DoADCallBack+2f3                             00000002  6d98fe4e  058bf878  00000001
clr!UM2MDoADCallBack+c0                                  00b44760  ffffffff  058bf8e0  00000010
0x00a51ff8                                               00000000  00ac74a4  00000003  0000000c
webengine4!W3_MGD_HANDLER::ProcessNotification+5b        00ac74a4  69f81398  058bf95c  6d7878af
webengine4!ProcessNotificationCallback+36                00ac74a4  56dd019f  0000ffff  00040004
clr!UnManagedPerAppDomainTPCount::DispatchWorkItem+195   058bf9bf  058bf9be  56dd010f  00000000
clr!ThreadpoolMgr::NewWorkerThreadStart+20b              00000000  56dd02f7  00000000  6d788499
clr!ThreadpoolMgr::WorkerThreadStart+3d1                 00000000  76f637fa  76f637b8  00000000
clr!Thread::intermediateThreadProc+4b                    00b858b8  058bfd98  76f6377b  00b858b8
kernel32!BaseThreadInitThunk+e                           00b858b8  7dd9933f  00000000  00000000
ntdll!__RtlUserThreadStart+70                            6d877698  00b858b8  00000000  00000000
ntdll!_RtlUserThreadStart+1b                             6d877698  00b858b8  00000000  00000000
The solution was to add the ASPNET built-in user to the local DB2ADMNS and DB2USERS groups.
Start Menu
Right-click "Computer"
Choose "Manage"
Expand "Local Users and Groups"
Click "Groups"
Find the "DB2ADMNS" and "DB2USERS" groups.
Add the "ASPNET" user to each of those groups.

How can I work out what events are being waited for with WinDBG in a kernel debug session

I'm a complete WinDbg newbie and I've been trying to debug a WindowsXP problem that a customer has sent me where our software and some third party software prevent windows from logging off. I've reproduced the problem and have verified that only when our software and the customers software are both installed (although not necessarily running at logoff) does the log off problem occur. I've observed that WM_ENDSESSION messages are not reaching the running windows when the user tries to log off and I know that the third party software uses a kernel driver.
I've been looking at the processes in WinDbg and I know that csrss.exe would normally send all the windows a WM_ENDSESSION message. When I ran:
!process 82356020 6
To look at csrss.exe's stack I can see:
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 0x7c90e514
THREAD 8246d998 Cid 0248.02a0 Teb: 7ffd7000 Win32Thread: e1627008 WAIT: (WrUserRequest) UserMode Non-Alertable
8243d9f0 SynchronizationEvent
81fe0390 SynchronizationEvent
Not impersonating
DeviceMap e1004450
Owning Process 82356020 Image: csrss.exe
Attached Process N/A Image: N/A
Wait Start TickCount 1813 Ticks: 20748 (0:00:05:24.187)
Context Switch Count 3 LargeStack
UserTime 00:00:00.000
KernelTime 00:00:00.000
Start Address 0x75b67cdf
Stack Init f80bd000 Current f80bc9c8 Base f80bd000 Limit f80ba000 Call 0
Priority 14 BasePriority 13 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr Args to Child
f80bc9e0 80500ce6 00000000 8246d998 804f9af2 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f80bc9ec 804f9af2 804f986e e1627008 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f80bca24 bf80a4a3 00000002 82475218 00000001 nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
f80bca5c bf88c0a6 00000001 82475218 00000000 win32k!xxxMsgWaitForMultipleObjects+0xb0 (FPO: [Non-Fpo])
f80bcd30 bf87507d bf9ac0a0 00000001 f80bcd54 win32k!xxxDesktopThread+0x339 (FPO: [Non-Fpo])
f80bcd40 bf8010fd bf9ac0a0 f80bcd64 00bcfff4 win32k!xxxCreateSystemThreads+0x6a (FPO: [Non-Fpo])
f80bcd54 8053d648 00000000 00000022 00000000 win32k!NtUserCallOneParam+0x23 (FPO: [Non-Fpo])
f80bcd54 7c90e514 00000000 00000022 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f80bcd64)
This waitForMultipleObjects looks interesting because I'm wondering if csrss.exe is waiting on some event which isn't arriving to allow the logoff. Can anyone tell me how I might find out what event it's waiting for, or anything else I might do to further investigate the problem?
The objects being waited on are right there in the output:
THREAD 8246d998 Cid 0248.02a0 Teb: 7ffd7000 Win32Thread: e1627008 WAIT: (WrUserRequest) UserMode Non-Alertable
8243d9f0 SynchronizationEvent
81fe0390 SynchronizationEvent
I'll note though that the thread you're looking at is a common thread, just about every system that you look at will have it (not sure what that thread is for exactly, but I recognize the stack...Sometimes I feel like I've been doing this too long!).
I'll also note that you can't trust the parameters on the stack all of the time. See some details here: http://analyze-v.com/?p=7
-scott
To start off, try !object 82475218 to see if that tells you what the object is.
If that fails to help, try this:
http://blogs.msdn.com/search/SearchResults.aspx?q=KeWaitForMultipleObjects
It's a search for KeWaitForMultipleObjects on the NT Debugging Blog, which is a great blog for learning about Windows internals.
EDIT:
Here's the documentation for KeWaitForMultipleObjects:
http://msdn.microsoft.com/en-us/library/ff553324.aspx
Cheers.
Jas.

Windows Server Crash Dump Analysis [closed]

I'm not certain that this is the right venue for this question, but a programmer friend of mine said I should try this here.
My company's main application is hosted on a terminal server running Windows Server 2008. Since last Thursday we have seen this server crash and reboot 3 times, and we just went live with this server on the previous Tuesday. I have used the WinDbg program to analyze the crash dump file, but I'm a little outside my depth at this point and I'm hoping that someone out there can help me get this issue resolved.
The application that appears to me to be at fault is winoac.exe which is the executable for SmartWare 4.5 (www.smartware4.com). This is the platform that our application runs on. If this application is at fault, is there anything that I can do about it, other than complaining to SmartWare?
Thanks a million to anybody that can help.
Here are the results of the analysis.
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\esinnard\Desktop\Windows Dumps\1-29-09\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\ProgramData\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c41000 PsLoadedModuleList = 0x81d4e930
Debug session time: Thu Jan 29 12:49:43.870 2009 (GMT-6)
System Uptime: 0 days 11:18:08.929
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, 81c88043, 9cef0840, 0}
Page bd1f2 not present in the dump file. Type ".hh dbgerr004" for details
Page bc9c3 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Probably caused by : RDPDD.dll ( RDPDD!OE2_TableEncodeOrderFields+11e )
Followup: MachineOwner
---------
7: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81c88043, The address that the exception occurred at
Arg3: 9cef0840, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!RtlInitUnicodeString+1b
81c88043 f266af repne scas word ptr es:[edi]
TRAP_FRAME: 9cef0840 -- (.trap 0xffffffff9cef0840)
ErrCode = 00000000
eax=00000000 ebx=fe414fd8 ecx=ffffffec edx=9cef0914 esi=fe40fcf0 edi=fe415000
eip=81c88043 esp=9cef08b4 ebp=9cef0924 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!RtlInitUnicodeString+0x1b:
81c88043 f266af repne scas word ptr es:[edi]
Resetting default scope
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: WINOAC.EXE
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 81c72fbe to 81cfc759
STACK_TEXT:
9cef0400 81c72fbe 0000008e c0000005 81c88043 nt!KeBugCheckEx+0x1e
9cef07d0 81c9953a 9cef07ec 00000000 9cef0840 nt!KiDispatchException+0x1a9
9cef0838 81c994ee 9cef0924 81c88043 badb0d00 nt!CommonDispatchException+0x4a
9cef085c 9976011a 99771680 997708e8 00000000 nt!Kei386EoiHelper+0x186
9cef0924 9959efab 5d0102bb 00000006 00000002 RDPDD!OE2_TableEncodeOrderFields+0x11e
9cef0a0c 995aeaf8 5d0102bb 00000006 00000002 win32k!xxxRealDrawMenuItem+0x80b
9cef0abc 9958455b 5d0102bb 0110007e 9cef0b04 win32k!xxxDrawState+0x1c9
9cef0b2c 995853e1 5d0102bb fe40fc78 00c8d0d4 win32k!xxxDrawMenuItem+0x3f8
9cef0b98 9959f511 5d0102bb 00000000 fe414570 win32k!xxxMenuDraw+0x1f2
9cef0bf0 994ed1d6 00000017 5d0102bb 00000004 win32k!xxxMenuBarDraw+0x1bf
9cef0c38 9950c0f5 fe414570 5d0102bb 00000001 win32k!xxxDrawWindowFrame+0xf7
9cef0cb4 9950d73d fe414570 00000085 090402df win32k!xxxRealDefWindowProc+0x88b
9cef0ccc 994e673d fe414570 00000085 090402df win32k!xxxWrapRealDefWindowProc+0x2b
9cef0ce8 9950d6f4 fe414570 00000085 090402df win32k!NtUserfnNCDESTROY+0x27
9cef0d20 81c9897a 000200ba 00000085 090402df win32k!NtUserMessageCall+0xc6
9cef0d20 77089a94 000200ba 00000085 090402df nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012d7cc 00000000 00000000 00000000 00000000 0x77089a94
STACK_COMMAND: kb
FOLLOWUP_IP:
RDPDD!OE2_TableEncodeOrderFields+11e
9976011a 8b4518 mov eax,dword ptr [ebp+18h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: RDPDD!OE2_TableEncodeOrderFields+11e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: RDPDD
IMAGE_NAME: RDPDD.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4791923e
FAILURE_BUCKET_ID: 0x8E_RDPDD!OE2_TableEncodeOrderFields+11e
BUCKET_ID: 0x8E_RDPDD!OE2_TableEncodeOrderFields+11e
Followup: MachineOwner
---------
---------
------------------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\esinnard\Desktop\Windows Dumps\2-3-09-2\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\ProgramData\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c13000 PsLoadedModuleList = 0x81d20930
Debug session time: Tue Feb 3 14:20:03.117 2009 (GMT-6)
System Uptime: 0 days 2:00:33.869
Loading Kernel Symbols
...............................................................
................................................................
.............
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, 81c5a043, d60a5840, 0}
Page bce51 not present in the dump file. Type ".hh dbgerr004" for details
Page bce22 not present in the dump file. Type ".hh dbgerr004" for details
Page bb16b not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Probably caused by : win32k.sys ( win32k!OffBitBlt+97 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81c5a043, The address that the exception occurred at
Arg3: d60a5840, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
Page bb16b not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!RtlInitUnicodeString+1b
81c5a043 f266af repne scas word ptr es:[edi]
TRAP_FRAME: d60a5840 -- (.trap 0xffffffffd60a5840)
ErrCode = 00000000
eax=00000000 ebx=fe41afd8 ecx=ffffffec edx=d60a5914 esi=fe40f5e0 edi=fe41b000
eip=81c5a043 esp=d60a58b4 ebp=d60a5924 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!RtlInitUnicodeString+0x1b:
81c5a043 f266af repne scas word ptr es:[edi]
Resetting default scope
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: WINOAC.EXE
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 81c44fbe to 81cce759
STACK_TEXT:
d60a5400 81c44fbe 0000008e c0000005 81c5a043 nt!KeBugCheckEx+0x1e
d60a57d0 81c6b53a d60a57ec 00000000 d60a5840 nt!KiDispatchException+0x1a9
d60a5838 81c6b4ee d60a5924 81c5a043 badb0d00 nt!CommonDispatchException+0x4a
d60a585c 999e2242 ff888010 00000000 00000000 nt!Kei386EoiHelper+0x186
d60a5924 999befab 1401009b 00000006 00000002 win32k!OffBitBlt+0x97
d60a5a0c 999ceaf8 1401009b 00000006 00000002 win32k!xxxRealDrawMenuItem+0x80b
d60a5abc 999a455b 1401009b 0110007e d60a5b04 win32k!xxxDrawState+0x1c9
d60a5b2c 999a53e1 1401009b fe40d168 00c8d0d4 win32k!xxxDrawMenuItem+0x3f8
d60a5b98 999bf511 1401009b 00000000 fe418398 win32k!xxxMenuDraw+0x1f2
d60a5bf0 9990d1d6 00000017 1401009b 00000004 win32k!xxxMenuBarDraw+0x1bf
d60a5c38 9992c0f5 fe418398 1401009b 00000001 win32k!xxxDrawWindowFrame+0xf7
d60a5cb4 9992d73d fe418398 00000085 0904035f win32k!xxxRealDefWindowProc+0x88b
d60a5ccc 9990673d fe418398 00000085 0904035f win32k!xxxWrapRealDefWindowProc+0x2b
d60a5ce8 9992d6f4 fe418398 00000085 0904035f win32k!NtUserfnNCDESTROY+0x27
d60a5d20 81c6a97a 0003001c 00000085 0904035f win32k!NtUserMessageCall+0xc6
d60a5d20 77049a94 0003001c 00000085 0904035f nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012d7cc 00000000 00000000 00000000 00000000 0x77049a94
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!OffBitBlt+97
999e2242 8b4d20 mov ecx,dword ptr [ebp+20h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: win32k!OffBitBlt+97
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48d1b9ef
FAILURE_BUCKET_ID: 0x8E_win32k!OffBitBlt+97
BUCKET_ID: 0x8E_win32k!OffBitBlt+97
Followup: MachineOwner
---------
You should apply any patches for the OS that might be out there (especially if they mention they are related to Terminal Server or RDP). You should also probably contact Microsoft support.
The crash dump looks like the crash is happening in the RDP driver.
Even if the winoac.exe application is passing bad data to win32k.sys (the display subsystem) that results in the crash, device drivers are never supposed to crash the system - they should detect and handle the problem appropriately, even if it means the application crashes. The driver should never crash, so MS should take an interest in this so they can fix it.
Unless Smartware has developed their own drivers, it should never be possible for a user-mode application to bluescreen a Windows NT server.
So, ignoring all that information, you are either looking at a buggy device driver - step 1 - find and install any updates for drivers on the system, OR the hardware is beginning to fail. Even bug-free drivers might need to throw a bug check when the actual hardware they depend on is failing.
win32k.sys is the kernel driver side of the Win32 subsystem, not specifically a display driver at all. However, the call stack does implicate that something related to drawing crashed, so, perhaps starting with updating the system's video drivers - or replacing the video card if it's not onboard might help.
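The two `!analyze -v` outputs above blame different modules (RDPDD and win32k) but fault at the same instruction on the same call path. The following is an added example, not code from any of the posts: it parses trimmed excerpts of both outputs and compares them on bugcheck code, faulting function and the callers beneath the blamed frame. The function names and the signature heuristic are assumptions of this example.

```python
import re

# Trimmed from the two `!analyze -v` outputs quoted on this page.
DUMP_A = """KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
FAULTING_IP:
nt!RtlInitUnicodeString+1b
STACK_TEXT:
9cef085c 9976011a 99771680 997708e8 00000000 nt!Kei386EoiHelper+0x186
9cef0924 9959efab 5d0102bb 00000006 00000002 RDPDD!OE2_TableEncodeOrderFields+0x11e
9cef0a0c 995aeaf8 5d0102bb 00000006 00000002 win32k!xxxRealDrawMenuItem+0x80b
9cef0abc 9958455b 5d0102bb 0110007e 9cef0b04 win32k!xxxDrawState+0x1c9
MODULE_NAME: RDPDD"""
DUMP_B = """KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
FAULTING_IP:
nt!RtlInitUnicodeString+1b
STACK_TEXT:
d60a585c 999e2242 ff888010 00000000 00000000 nt!Kei386EoiHelper+0x186
d60a5924 999befab 1401009b 00000006 00000002 win32k!OffBitBlt+0x97
d60a5a0c 999ceaf8 1401009b 00000006 00000002 win32k!xxxRealDrawMenuItem+0x80b
d60a5abc 999a455b 1401009b 0110007e d60a5b04 win32k!xxxDrawState+0x1c9
MODULE_NAME: win32k"""

FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)!(\w+)\+0x[0-9a-f]+$", re.M)

def parse(text):
    """Extract the fields needed to compare two analyses."""
    return {
        "bugcheck": re.search(r"^\w+ \(([0-9a-f]+)\)$", text, re.M).group(1),
        "fault": re.search(r"^FAULTING_IP:\s*(\S+)\+", text, re.M).group(1),
        "blamed": re.search(r"^MODULE_NAME: (\S+)", text, re.M).group(1),
        "frames": [f"{mod}!{fn}" for mod, fn in FRAME.findall(text)],
    }

def signature(dump, depth=2):
    """Bugcheck code, faulting function, and the callers beneath the blamed frame."""
    frames = dump["frames"]
    # In these dumps the first frame outside nt is the one the debugger blamed;
    # skip it and keep the callers below it (heuristic chosen for this example).
    blamed_at = next(i for i, f in enumerate(frames) if not f.startswith("nt!"))
    return dump["bugcheck"], dump["fault"], tuple(frames[blamed_at + 1:blamed_at + 1 + depth])

def same_crash(a, b):
    """True when two analyses share a signature even if the blamed module differs."""
    return signature(parse(a)) == signature(parse(b))

if __name__ == "__main__":
    for name, text in (("A", DUMP_A), ("B", DUMP_B)):
        print(name, parse(text)["blamed"], signature(parse(text)))
    print("same crash:", same_crash(DUMP_A, DUMP_B))
```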

Resources