My operations group, and the devs are clueless to why this happens. Basically the server-side service of a client/server application hangs. We have been pushing new bugfixed versions and providing all kinds of logs to the devs, but they can't figure it out. To make it even harder to figure out, this is an application that works very closely with another application on the client side.
I have no idea if I'm onto something here, as I have limited windbg experience, but this seems worth checking out. Google comes up pretty promising, but with mostly gamers having BSODs not providing much more info...
I found this bit at the start of the dump:
WARNING: odbccp32 overlaps comctl32 .
WARNING: odbc32 overlaps odbccp32
WARNING: odbc32 overlaps comctl32 .............
WARNING: mswsock overlaps FWPUCLNT .......
WARNING: winsta overlaps winnsi .
WARNING: ntlanman overlaps drprov .... ...
WARNING: srvcli overlaps netapi32
WARNING: wkscli overlaps srvcli ..........
WARNING: ncrypt overlaps schannel .
WARNING: nlaapi overlaps ncrypt .
WARNING: NapiNSP overlaps nlaapi ....
WARNING: rsaenh overlaps cryptsp
and a bit lower:
OVERLAPPED_MODULE: Address regions for 'odbc32' and 'odbccp32' overlap
Here is the complete !analyze -v dump:
Microsoft (R) Windows Debugger Version 6.2.8400.0 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\debug\MES\PLSMES.dmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: srv*c:\symbols*c:\windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Version 7601 (Service Pack 1) MP (16 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Machine Name:
Debug session time: Thu Jun 14 10:37:01.000 2012 (UTC + 2:00)
System Uptime: not available
Process Uptime: 0 days 6:36:13.000
......................................WARNING: odbccp32 overlaps comctl32
.WARNING: odbc32 overlaps odbccp32
WARNING: odbc32 overlaps comctl32
.............WARNING: mswsock overlaps FWPUCLNT
.......WARNING: winsta overlaps winnsi
.WARNING: ntlanman overlaps drprov
....
...WARNING: srvcli overlaps netapi32
.WARNING: wkscli overlaps srvcli
..........WARNING: ncrypt overlaps schannel
.WARNING: nlaapi overlaps ncrypt
.WARNING: NapiNSP overlaps nlaapi
....WARNING: rsaenh overlaps cryptsp
Cannot read PEB32 from WOW64 TEB32 7efdd000 - Win32 error 0n30
wow64cpu!CpupSyscallStub+0x9:
00000000`741f2e09 c3 ret
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** WARNING: Unable to verify timestamp for PLSMES.exe
*** ERROR: Module load completed but symbols could not be loaded for PLSMES.exe
FAULTING_IP:
+0
00000000`00000000 ?? ???
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000000000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 0000000000001364
DEFAULT_BUCKET_ID: BAD_DUMP_MISSING_MEMORY
PROCESS_NAME: PLSMES.exe
OVERLAPPED_MODULE: Address regions for 'odbc32' and 'odbccp32' overlap
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: plsmes.exe
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 0000000000000000 to 00000000741f2e09
PRIMARY_PROBLEM_CLASS: BAD_DUMP_MISSING_MEMORY
BUGCHECK_STR: APPLICATION_FAULT_BAD_DUMP_MISSING_MEMORY
STACK_TEXT:
00000000`00000000 00000000`00000000 bad_dump!missing_stack+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: bad_dump!missing_stack
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: bad_dump
IMAGE_NAME: bad_dump
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: BAD_DUMP_MISSING_MEMORY_80000003_bad_dump!missing_stack
BUCKET_ID: X64_APPLICATION_FAULT_BAD_DUMP_MISSING_MEMORY_bad_dump!missing_stack
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/PLSMES_exe/4_4_3_2582/4f8ac8f6/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
Followup: MachineOwner
---------
Could this be related to the application hangs? Overlapping memory doesn't seem good.
Note: The same server runs other instances of the same application without error.
Any pointers to further debugging would also be nice.
(Moved from ServerFault, I guess this is better asked here.)
I've seen this happen when a 64 bit version of task manager is used to create a dump of a 32 bit process. If this is your case, then use the 32 bit version of task manager which can be found in the SysWOW64 folder. This link describes the problem:
http://blogs.msdn.com/b/tess/archive/2010/09/29/capturing-memory-dumps-for-32-bit-processes-on-an-x64-machine.aspx
Related
The situation
At work, we use Solidworks to develop 3d models of products we make. Besides Solidworks we use the addin SolidCAM to calculate machine times that will be sent to production.
The problem
When loading the SolidCAM files (.PRZ and .PRT) the program will crash every now and then (approx. every half hour). Resulting in reopening everything in the state it was last saved. So in total this will happen around 10-15 times each day with all users that work with these files.
What i've done so far
I sat with one of the users that experiences these crashes and found that with each crash it generates a .log and .dmp file. The .log file isn't telling me much, but the .dmp file at least shows me something is going wrong with SLDWORKS.exe. Any idea what is causing this crash? If you need any information, feel free to ask away. Here is the content of the file
FAULTING_IP:
HostLibSW!OnSWHRTBUpdate_ShowToolTbl+14318
00000000`03195298 488b4840 mov rcx,qword ptr [rax+40h]
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000003195298 (HostLibSW!OnSWHRTBUpdate_ShowToolTbl+0x0000000000014318)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 000000000fab6870
Attempt to read from address 000000000fab6870
PROCESS_NAME: SLDWORKS.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. Een lees- of schrijfbewerking op het geheugen is mislukt: %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. Een lees- of schrijfbewerking op het geheugen is mislukt: %s.
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 000000000fab6870
READ_ADDRESS: 000000000fab6870
FOLLOWUP_IP:
HostLibSW!OnSWHRTBUpdate_ShowToolTbl+14318
00000000`03195298 488b4840 mov rcx,qword ptr [rax+40h]
MOD_LIST: <ANALYSIS/>
MANAGED_STACK: !dumpstack -EE
No export dumpstack found
MANAGED_BITNESS_MISMATCH:
Managed code needs matching platform of sos.dll for proper analysis. Use 'x64' debugger.
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 0000000003193e77 to 0000000003195298
FAULTING_THREAD: ffffffffffffffff
DEFAULT_BUCKET_ID: STACKIMMUNE
PRIMARY_PROBLEM_CLASS: STACKIMMUNE
BUGCHECK_STR: APPLICATION_FAULT_STACKIMMUNE_NOSOS_INVALID_POINTER_READ
STACK_TEXT:
00000000`00000000 00000000`00000000 sldworks.exe+0x0
SYMBOL_NAME: sldworks.exe
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: sldworks
IMAGE_NAME: SLDWORKS.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e86dbff
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: STACKIMMUNE_c0000005_SLDWORKS.exe!Unknown
BUCKET_ID: X64_APPLICATION_FAULT_STACKIMMUNE_NOSOS_INVALID_POINTER_READ_sldworks.exe
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/SLDWORKS_exe/19_5_0_91/4e86dbff/HostLibSW_dll/1_0_0_1/4cc4d6dd/c0000005/00125298.htm?Retriage=1
Check the graphics card is using the correct certified driver
Untick the SolidCAM addin, do you still get crashes?If the crashes only occur when SolidCAM is added in then you are best contacting SolidCAM, it could be a servicepack issu
Rename the registry key current user\software\solidworks and also \solidcam if there is one and restart SW
I have a problem installing VS Professional 2012 and VS Community 2013 on Windows 8.1. The installation app crashes right after I open it.
Following installation tips I disabled anti-virus and firewall software and I installed all the available Windows updates, but nothing has changed.
Furthermore, I disabled .NET 3.5 and enabled all features for .NET 4.5 following these tips. Also, I downloaded and installed .NET 4.5.2 and DirectX, but it didn't help either.
Do you have any advice of what to do next?
ok, according to the dump, the setup crashes because of the Intel HD graphic driver:
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000008
Parameter[1]: 00000000
Attempt to execute non-executable address 00000000
PROCESS_NAME: vs_professional.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgef hrt werden.
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 00000000
WRITE_ADDRESS: 00000000
FOLLOWUP_IP:
igdumdim32!OpenAdapter+c5e27
071b6e27 8bd0 mov edx,eax
FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: vs_professional.exe
ANALYSIS_VERSION: 10.0.10075.9 x86fre
MANAGED_CODE: 1
MANAGED_ENGINE_MODULE: clr
MANAGED_ANALYSIS_PROVIDER: SOS
BUGCHECK_STR: SOFTWARE_NX_FAULT_SEHOP_NULL
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_SEHOP_NULL
LAST_CONTROL_TRANSFER: from 071b6e27 to 00000000
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
0x0
igdumdim32!OpenAdapter+0xc5e27
igdumdim32!OpenAdapter+0xce83a
igdumdim32!OpenAdapter+0xa8661
d3d9!CD3DDDIDX10::TexBlt+0x94
d3d9!CD3DBase::TexBlt+0x5a
d3d9!CMipMap::UpdateDirtyPortion+0xa5
d3d9!CResourceManager::UpdateVideoInternal+0x12b
d3d9!CD3DBase::UpdateTextures+0x652
d3d9!CD3DBase::DrawPrimitive+0x21d
wpfgfx_v0400!CD3DDeviceLevel1::DrawPrimitiveUP+0x3ae
wpfgfx_v0400!CD3DDeviceLevel1::FlushBufferFan+0x27
wpfgfx_v0400!CD3DDeviceLevel1::RenderTexture+0x203
wpfgfx_v0400!CD3DDeviceLevel1::TestRenderTargetFormat+0x243
wpfgfx_v0400!CD3DDeviceLevel1::CheckRenderTargetFormat+0x5b
wpfgfx_v0400!CHwTextureRenderTarget::Create+0x1e
wpfgfx_v0400!CHwSurfaceRenderTarget::CreateRenderTargetBitmap+0x73
wpfgfx_v0400!CBrushIntermediateRealizer::CreateSurfaceAndContext+0x5f
wpfgfx_v0400!CDeviceAlignedIntermediateRealizer::Realize+0x1bd
wpfgfx_v0400!CTileBrushUtils::CreateTileBrushIntermediate+0x4e
wpfgfx_v0400!CTileBrushUtils::GetIntermediateBaseTile+0x6e
wpfgfx_v0400!CMilTileBrushDuce::GetBrushRealizationInternal+0x42d
wpfgfx_v0400!CMilBrushDuce::GetBrushRealizationNoRef+0x2d
wpfgfx_v0400!CBrushResourceRealizer::EnsureRealization+0x73
wpfgfx_v0400!CHwSurfaceRenderTarget::DrawPathInternal+0xb2
wpfgfx_v0400!CHwSurfaceRenderTarget::DrawPath+0x25
wpfgfx_v0400!CHwDisplayRenderTarget::DrawPath+0x29
wpfgfx_v0400!CMetaRenderTarget::DrawPath+0xff
wpfgfx_v0400!CDrawingContext::FillOrStrokeShape+0x9c
wpfgfx_v0400!CDrawingContext::DrawShape+0x126
wpfgfx_v0400!CDrawingContext::DrawRoundedRectangle+0x126
wpfgfx_v0400!CMilSlaveRenderData::Draw+0x1d8
wpfgfx_v0400!CMilVisual::RenderContent+0x26
wpfgfx_v0400!CDrawingContext::PreSubgraph+0x6d9
wpfgfx_v0400!CGraphIterator::Walk+0x37
wpfgfx_v0400!CDrawingContext::DrawVisualTree+0x230
wpfgfx_v0400!CDrawingContext::Render+0x37f
wpfgfx_v0400!CSlaveHWndRenderTarget::Render+0x1a0
wpfgfx_v0400!CRenderTargetManager::Render+0x34
wpfgfx_v0400!CComposition::Render+0x1f
wpfgfx_v0400!CComposition::ProcessComposition+0x12c
wpfgfx_v0400!CComposition::Compose+0x3e
wpfgfx_v0400!CPartitionThread::RenderPartition+0x1b
wpfgfx_v0400!CPartitionThread::Run+0x48
wpfgfx_v0400!CPartitionThread::ThreadMain+0x1c
kernel32!BaseThreadInitThunk+0x24
ntdll!__RtlUserThreadStart+0x2f
ntdll!_RtlUserThreadStart+0x1b
FAILURE_SYMBOL_NAME: igdumdim32.dll!OpenAdapter
FAILURE_ID_HASH_STRING: um:software_nx_fault_sehop_null_c0000005_igdumdim32.dll!openadapter
Loaded symbol image file: igdumdim32.dll
Image path: C:\Windows\System32\igdumdim32.dll
Image name: igdumdim32.dll
Browse all global symbols functions data
Timestamp: Mon Jun 24 17:46:07 2013 (51C869BF)
CheckSum: 00000000
ImageSize: 0078D000
File version: 9.18.10.3220
Product version: 9.18.10.3220
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.8 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Intel Corporation
ProductName: Intel HD Graphics Drivers for Windows 8(R)
InternalName: igdumdim32.dll
OriginalFilename: igdumdim32.dll
ProductVersion: 9.18.10.3220
FileVersion: 9.18.10.3220
FileDescription: User Mode Driver for Intel(R) Graphics Technology
LegalCopyright: Copyright (c) 1998-2012 Intel Corporation.
Your driver is a bit old. Go to Intel.com, download the latest driver and install it.
I was trying to build MIT Kerberos In Windows 2007 (Windows Server Enterprise) Service Pack 2 32 bit system. After adding a few flags specific to posix errors I was able to build it in Windows 7 (along with working kinit and klist programs). However in win 2007 all exes generated crash whenever I attempt to execute them. I had used Microsoft visual studio 2008 with Microsoft SDK v6 for both builds.
Crash code in event viewer: Exception code: 0xc000041d and occasionally 0xc00008c
Fault offset: 0x76e011f1
After enabling all possible checks in gflags and running kinit, I noticed a message saying unable to start application due to incorrect security permissions. I changed compatibility mode to xp3 and ran as administrator but no luck.
I then used sxstrace to determine any link time inconsistencies. I didnt find even a single line in my parsed trace file. I then used dependency walker and it wasnt able to find any errors.
I then used procdump and windbg to get the dump of the problem. Unfortunately I havent been able to locate a suitable pdb for nt.dll. This is what i found after attempting to unwind the core dump stack (kp command):-
0018975c 64754d57 user32!GetProcessWindowStation+0x15
0018a8c0 64755d08 msvcr90d!CrtDbgReport+0x437
0018f954 64754992 msvcr90d!VCrtDbgReportA+0x7d8
0018f974 6475494b msvcr90d!CrtDbgReport+0x72
0018f99c 646bc34d msvcr90d!CrtDbgReport+0x2b
0018f9d0 646bc812 msvcr90d!get_pgmptr+0x1bd
0018fa08 646bc711 msvcr90d!_getmainargs+0x182
0018fa1c 76fc99a0 msvcr90d!_getmainargs+0x81
0018fa3c 76fcd939 ntdll!RtlQueryEnvironmentVariable+0x241
0018fb30 76fd686c ntdll!LdrResSearchResource+0xb4d
0018fcb0 76fd5326 ntdll!RtlGetNtVersionNumbers+0x9b
0018fd00 76fc9ef9 ntdll!RtlSetUnhandledExceptionFilter+0x50
0018fd10 00000000 ntdll!LdrInitializeThunk+0x10
I dont quite understand what this means and I have no idea what on earth is going on. I dont have too much proficiency in using windbg
Is there anything else that anyone can suggest me to narrow down the root cause of the issue? Even after I copy the 2k7 built binaries to my local win 7 machine and it still crashes with the same stack.
Edit: after running .symfix, .reload and then analyze -v I got the following output in windbg console:-
*** WARNING: Unable to verify checksum for klist.exe
*** ERROR: Module load completed but symbols could not be loaded for klist.exe
FAULTING_IP:
+0
00000000 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
ExceptionCode: 80000003 (Break instruction exception)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 000014bc
PROCESS_NAME: klist.exe
ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached.
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: klist.exe
BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT_AFTER_CALL
PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT_AFTER_CALL
DEFAULT_BUCKET_ID: STATUS_BREAKPOINT_AFTER_CALL
LAST_CONTROL_TRANSFER: from 6475450f to 74c49eff
STACK_TEXT:
00189718 6475450f 0018973c 0018a8c0 64754cc0 user32!NtUserGetProcessWindowStation+0x15
0018975c 64754d57 001898b0 64696070 00012012 msvcr90d!__crtMessageBoxA+0x14f
0018a8c0 64755d08 00000001 00000000 00000000 msvcr90d!__crtMessageWindowA+0x3b7
0018f954 64754992 00000001 00000000 00000000 msvcr90d!_VCrtDbgReportA+0x7d8
0018f974 6475494b 00000001 00000000 00000000 msvcr90d!_CrtDbgReportV+0x22
0018f99c 646bc34d 00000001 00000000 00000000 msvcr90d!_CrtDbgReport+0x2b
0018f9d0 646bc812 00000022 6e76fe50 0018faec msvcr90d!_NMSG_WRITE+0x6d
0018fa08 646bc711 64680000 00000001 0018fd24 msvcr90d!__CRTDLL_INIT+0xf2
0018fa1c 76fc99a0 64680000 00000001 0018fd24 msvcr90d!_CRTDLL_INIT+0x21
0018fa3c 76fcd939 646bc6f0 64680000 00000001 ntdll!LdrpCallInitRoutine+0x14
0018fb30 76fd686c 0018fd24 7efdd000 7efde000 ntdll!LdrpRunInitializeRoutines+0x26f
0018fcb0 76fd5326 0018fd24 76f90000 734dc02c ntdll!LdrpInitializeProcess+0x1400
0018fd00 76fc9ef9 0018fd24 76f90000 00000000 ntdll!_LdrpInitialize+0x78
0018fd10 00000000 0018fd24 76f90000 00000000 ntdll!LdrInitializeThunk+0x10
FOLLOWUP_IP:
msvcr90d!__crtMessageBoxA+14f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtmbox.c # 121]
6475450f 8945ec mov dword ptr [ebp-14h],eax
FAULTING_SOURCE_LINE: f:\dd\vctools\crt_bld\self_x86\crt\src\crtmbox.c
FAULTING_SOURCE_FILE: f:\dd\vctools\crt_bld\self_x86\crt\src\crtmbox.c
FAULTING_SOURCE_LINE_NUMBER: 121
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: msvcr90d!__crtMessageBoxA+14f
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msvcr90d
IMAGE_NAME: msvcr90d.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 488ef6c7
STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ~0s; .ecxr ; kb
FAILURE_BUCKET_ID: STATUS_BREAKPOINT_AFTER_CALL_80000003_msvcr90d.dll!__crtMessageBoxA
BUCKET_ID: APPLICATION_FAULT_STATUS_BREAKPOINT_AFTER_CALL_msvcr90d!__crtMessageBoxA+14f
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/klist_exe/4_0_0_0/533e75fb/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1
Followup: MachineOwner
Edit: After running in Visual Studio I got the following output:-
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\klist.exe', Symbols loaded.
'klist.exe': Loaded 'C:\Windows\SysWOW64\ntdll.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\kernel32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\KernelBase.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\sysfer.dll'
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\k5sprt32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\msvcr90d.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\ws2_32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\msvcrt.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\rpcrt4.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\sspicli.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\cryptbase.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\sechost.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\nsi.dll'
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\krb5_32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\comerr32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\Windows\SysWOW64\user32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\gdi32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\lpk.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\usp10.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\advapi32.dll'
'klist.exe': Loaded 'C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\wshelp32.dll', Symbols loaded.
'klist.exe': Loaded 'C:\Windows\SysWOW64\dnsapi.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\shell32.dll'
'klist.exe': Loaded 'C:\Windows\SysWOW64\shlwapi.dll'
First-chance exception at 0x74c49eff in klist.exe: 0xC0000005: Access violation reading location 0x00000250.
*** An Access Violation occurred in "C:\WS\TPL\src\MitKerberos\1.11.1\BUILDDEBUG\bin\klist.exe" :
The instruction at 0000000076E011F1 tried to read from an invalid address, 0000000000000250
*** enter .exr 000000000008E970 for the exception record
*** enter .cxr 000000000008E480 for the context
*** then kb to get the faulting stack
Unhandled exception at 0x74c49eff in klist.exe: 0xC000041D: An unhandled exception was encountered during a user callback.
> kb
Index Function
--------------------------------------------------------------------------------
*1 user32.dll!74c49eff()
2 [Frames below may be incorrect and/or missing, no symbols loaded for user32.dll]
3 user32.dll!74c49eff()
4 msvcr90d.dll!58f8450f()
5 msvcr90d.dll!58f84d57()
I cant get klist or krb5 dlls in the stack at all. Since klist or any other mit kerb dll does not appear in this section, I am unable to load check their symbols. This is very frustrating, I will attempt to build my own sample program and check for issues. Btw did I miss any analysis steps?
Edit : After checking for first argument to crtmessagebox I got :-
001898b0 "Debug Error!..Program: C:\WS\TPL"
001898d0 "\src\MitKerberos\1.11.1\BUILDDEB"
001898f0 "UG\bin\klist.exe..R6034..An appl"
00189910 "ication has made an attempt to l"
00189930 "oad the C runtime library withou"
00189950 "t using a manifest..This is an u"
00189970 "nsupported way to load Visual C+"
00189990 "+ DLLs. You need to modify your "
001899b0 "application to build with a mani"
001899d0 "fest..For more information, see "
001899f0 "the "Visual C++ Libraries as Sha"
00189a10 "red Side-by-Side Assemblies" top"
As far as I understand the program responsible for this is mt.exe and I had run it.
I am unable to figure this problem out. Symbol is not being resolved
Deployment
There are number of exes of my system deployed on a network path. All users run those exes from that shared network path. This was working fine two weeks ago but now some of those exes have started crashing. There is no fix pattern of being crashed, it happens to any user, anytime during any activity.
Troubleshooting
I have got the dump of one of them, i tried WinDbg and got following
Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\crash\RNS1000.exe.mdmp]
User Mini Dump File: Only registers, stack and portions of memory are available
Symbol search path is: SRV*c:\crash*http://msdl.microsoft.com/download/symbols;c:\crash
Executable search path is:
Windows XP Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: SingleUserTS
Machine Name:
Debug session time: Wed Oct 10 15:36:36.000 2012 (UTC + 5:00)
System Uptime: not available
Process Uptime: 0 days 7:12:54.000
................................................................
.........................................................
Loading unloaded module list
.......
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(924.85c): In-page I/O error ffffffffc000020c - code c0000006 (first/second chance not available)
eax=02060000 ebx=7c90fe01 ecx=00001000 edx=7c90e4f4 esi=000003a0 edi=00000000
eip=7c90e4f4 esp=0013afdc ebp=0013b040 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200297
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetUrlPageData2 (WinHttp) failed: 12007.
FAULTING_IP:
RNS1000+55f610
0095f610 ?? ???
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0095f610 (RNS1000+0x0055f610)
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000008
Parameter[1]: 0095f610
Parameter[2]: c000020c
Inpage operation failed at 0095f610, due to I/O error c000020c
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT
PROCESS_NAME: RNS1000.exe
ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
EXCEPTION_PARAMETER1: 00000008
EXCEPTION_PARAMETER2: 0095f610
EXCEPTION_PARAMETER3: c000020c
IO_ERROR: (NTSTATUS) 0xc000020c - The transport connection is now disconnected.
ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]
LAST_CONTROL_TRANSFER: from 00000000 to 00000000
APP: rns1000.exe
FAULTING_THREAD: ffffffff
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT
STACK_TEXT:
00000000 00000000 hardware_disk!Unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: hardware_disk!Unknown
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: hardware_disk
DEBUG_FLR_IMAGE_TIMESTAMP: 0
STACK_COMMAND: ** Pseudo Context ** ; kb
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_c0000006_hardware_disk!Unknown
BUCKET_ID: APPLICATION_FAULT_SOFTWARE_NX_FAULT_hardware_disk!Unknown
IMAGE_NAME: hardware_disk
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/RNS1000_exe/2_0_0_5/4f17b9d2/RNS1000_exe/2_0_0_5/4f17b9d2/c0000006/0055f610.htm?Retriage=1
Followup: MachineOwner
---------
I am expecting RNS1000+55f610 to be resolved to one of my programs function but it has not been resolved. The sysmbol path contains exe, pdb and mdmp.
Please tell me why has it not been resolved? what wrong am i doing?
The key part here is the In-page I/O error. The underlying disk/network drive disappeared.
The crash occurs some time later when it tries to page back in part of the executable, but it no longer has a valid file handle/connection.
The only fix is to run it locally or make sure the disk doesn't disappear while they're running.
More generally, you can get VB to create the info files for native debugging using the "Create symbolic debug info" option in the project's Compile settings. This can only be done before the fact though and won't help with debugging an existing build.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 5 years ago.
Improve this question
I'm not certain that this is the right venue for this question, but a programmer friend of mine said I should try this here.
My company's main application is hosted on a terminal server running Windows Server 2008. Since last Thursday we have seen this server crash and reboot 3 times, and we just went live with this server on the previous Tuesday. I have used the the WinDbg program to analyze the crash dump file, but I'm a little outside by depth at this point and I'm hoping that someone out there can help me get this issue resolved.
The application that appears to me to be at fault is winoac.exe which is the executable for SmartWare 4.5 (www.smartware4.com). This is the platform that our application runs on. If this application is at fault, is there anything that I can do about it, other than complaining to SmartWare?
Thanks a million to anybody that can help.
Here are the results of the analysis.
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\esinnard\Desktop\Windows Dumps\1-29-09\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\ProgramData\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c41000 PsLoadedModuleList = 0x81d4e930
Debug session time: Thu Jan 29 12:49:43.870 2009 (GMT-6)
System Uptime: 0 days 11:18:08.929
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, 81c88043, 9cef0840, 0}
Page bd1f2 not present in the dump file. Type ".hh dbgerr004" for details
Page bc9c3 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Probably caused by : RDPDD.dll ( RDPDD!OE2_TableEncodeOrderFields+11e )
Followup: MachineOwner
---------
7: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81c88043, The address that the exception occurred at
Arg3: 9cef0840, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!RtlInitUnicodeString+1b
81c88043 f266af repne scas word ptr es:[edi]
TRAP_FRAME: 9cef0840 -- (.trap 0xffffffff9cef0840)
ErrCode = 00000000
eax=00000000 ebx=fe414fd8 ecx=ffffffec edx=9cef0914 esi=fe40fcf0 edi=fe415000
eip=81c88043 esp=9cef08b4 ebp=9cef0924 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!RtlInitUnicodeString+0x1b:
81c88043 f266af repne scas word ptr es:[edi]
Resetting default scope
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: WINOAC.EXE
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 81c72fbe to 81cfc759
STACK_TEXT:
9cef0400 81c72fbe 0000008e c0000005 81c88043 nt!KeBugCheckEx+0x1e
9cef07d0 81c9953a 9cef07ec 00000000 9cef0840 nt!KiDispatchException+0x1a9
9cef0838 81c994ee 9cef0924 81c88043 badb0d00 nt!CommonDispatchException+0x4a
9cef085c 9976011a 99771680 997708e8 00000000 nt!Kei386EoiHelper+0x186
9cef0924 9959efab 5d0102bb 00000006 00000002 RDPDD!OE2_TableEncodeOrderFields+0x11e
9cef0a0c 995aeaf8 5d0102bb 00000006 00000002 win32k!xxxRealDrawMenuItem+0x80b
9cef0abc 9958455b 5d0102bb 0110007e 9cef0b04 win32k!xxxDrawState+0x1c9
9cef0b2c 995853e1 5d0102bb fe40fc78 00c8d0d4 win32k!xxxDrawMenuItem+0x3f8
9cef0b98 9959f511 5d0102bb 00000000 fe414570 win32k!xxxMenuDraw+0x1f2
9cef0bf0 994ed1d6 00000017 5d0102bb 00000004 win32k!xxxMenuBarDraw+0x1bf
9cef0c38 9950c0f5 fe414570 5d0102bb 00000001 win32k!xxxDrawWindowFrame+0xf7
9cef0cb4 9950d73d fe414570 00000085 090402df win32k!xxxRealDefWindowProc+0x88b
9cef0ccc 994e673d fe414570 00000085 090402df win32k!xxxWrapRealDefWindowProc+0x2b
9cef0ce8 9950d6f4 fe414570 00000085 090402df win32k!NtUserfnNCDESTROY+0x27
9cef0d20 81c9897a 000200ba 00000085 090402df win32k!NtUserMessageCall+0xc6
9cef0d20 77089a94 000200ba 00000085 090402df nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012d7cc 00000000 00000000 00000000 00000000 0x77089a94
STACK_COMMAND: kb
FOLLOWUP_IP:
RDPDD!OE2_TableEncodeOrderFields+11e
9976011a 8b4518 mov eax,dword ptr [ebp+18h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: RDPDD!OE2_TableEncodeOrderFields+11e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: RDPDD
IMAGE_NAME: RDPDD.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4791923e
FAILURE_BUCKET_ID: 0x8E_RDPDD!OE2_TableEncodeOrderFields+11e
BUCKET_ID: 0x8E_RDPDD!OE2_TableEncodeOrderFields+11e
Followup: MachineOwner
---------
------------------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\esinnard\Desktop\Windows Dumps\1-29-09\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\ProgramData\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c41000 PsLoadedModuleList = 0x81d4e930
Debug session time: Thu Jan 29 12:49:43.870 2009 (GMT-6)
System Uptime: 0 days 11:18:08.929
Loading Kernel Symbols
...............................................................
................................................................
..............
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, 81c88043, 9cef0840, 0}
Page bd1f2 not present in the dump file. Type ".hh dbgerr004" for details
Page bc9c3 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
Probably caused by : RDPDD.dll ( RDPDD!OE2_TableEncodeOrderFields+11e )
Followup: MachineOwner
---------
7: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81c88043, The address that the exception occurred at
Arg3: 9cef0840, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd400c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!RtlInitUnicodeString+1b
81c88043 f266af repne scas word ptr es:[edi]
TRAP_FRAME: 9cef0840 -- (.trap 0xffffffff9cef0840)
ErrCode = 00000000
eax=00000000 ebx=fe414fd8 ecx=ffffffec edx=9cef0914 esi=fe40fcf0 edi=fe415000
eip=81c88043 esp=9cef08b4 ebp=9cef0924 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!RtlInitUnicodeString+0x1b:
81c88043 f266af repne scas word ptr es:[edi]
Resetting default scope
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: WINOAC.EXE
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 81c72fbe to 81cfc759
STACK_TEXT:
9cef0400 81c72fbe 0000008e c0000005 81c88043 nt!KeBugCheckEx+0x1e
9cef07d0 81c9953a 9cef07ec 00000000 9cef0840 nt!KiDispatchException+0x1a9
9cef0838 81c994ee 9cef0924 81c88043 badb0d00 nt!CommonDispatchException+0x4a
9cef085c 9976011a 99771680 997708e8 00000000 nt!Kei386EoiHelper+0x186
9cef0924 9959efab 5d0102bb 00000006 00000002 RDPDD!OE2_TableEncodeOrderFields+0x11e
9cef0a0c 995aeaf8 5d0102bb 00000006 00000002 win32k!xxxRealDrawMenuItem+0x80b
9cef0abc 9958455b 5d0102bb 0110007e 9cef0b04 win32k!xxxDrawState+0x1c9
9cef0b2c 995853e1 5d0102bb fe40fc78 00c8d0d4 win32k!xxxDrawMenuItem+0x3f8
9cef0b98 9959f511 5d0102bb 00000000 fe414570 win32k!xxxMenuDraw+0x1f2
9cef0bf0 994ed1d6 00000017 5d0102bb 00000004 win32k!xxxMenuBarDraw+0x1bf
9cef0c38 9950c0f5 fe414570 5d0102bb 00000001 win32k!xxxDrawWindowFrame+0xf7
9cef0cb4 9950d73d fe414570 00000085 090402df win32k!xxxRealDefWindowProc+0x88b
9cef0ccc 994e673d fe414570 00000085 090402df win32k!xxxWrapRealDefWindowProc+0x2b
9cef0ce8 9950d6f4 fe414570 00000085 090402df win32k!NtUserfnNCDESTROY+0x27
9cef0d20 81c9897a 000200ba 00000085 090402df win32k!NtUserMessageCall+0xc6
9cef0d20 77089a94 000200ba 00000085 090402df nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012d7cc 00000000 00000000 00000000 00000000 0x77089a94
STACK_COMMAND: kb
FOLLOWUP_IP:
RDPDD!OE2_TableEncodeOrderFields+11e
9976011a 8b4518 mov eax,dword ptr [ebp+18h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: RDPDD!OE2_TableEncodeOrderFields+11e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: RDPDD
IMAGE_NAME: RDPDD.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4791923e
FAILURE_BUCKET_ID: 0x8E_RDPDD!OE2_TableEncodeOrderFields+11e
BUCKET_ID: 0x8E_RDPDD!OE2_TableEncodeOrderFields+11e
Followup: MachineOwner
---------
------------------------------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\esinnard\Desktop\Windows Dumps\2-3-09-2\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*C:\ProgramData\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2008/Windows Vista SP1 Kernel Version 6001 (Service Pack 1) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 6001.18145.x86fre.vistasp1_gdr.080917-1612
Machine Name:
Kernel base = 0x81c13000 PsLoadedModuleList = 0x81d20930
Debug session time: Tue Feb 3 14:20:03.117 2009 (GMT-6)
System Uptime: 0 days 2:00:33.869
Loading Kernel Symbols
...............................................................
................................................................
.............
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, 81c5a043, d60a5840, 0}
Page bce51 not present in the dump file. Type ".hh dbgerr004" for details
Page bce22 not present in the dump file. Type ".hh dbgerr004" for details
Page bb16b not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Probably caused by : win32k.sys ( win32k!OffBitBlt+97 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81c5a043, The address that the exception occurred at
Arg3: d60a5840, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
Page bb16b not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
Page bce5a not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!RtlInitUnicodeString+1b
81c5a043 f266af repne scas word ptr es:[edi]
TRAP_FRAME: d60a5840 -- (.trap 0xffffffffd60a5840)
ErrCode = 00000000
eax=00000000 ebx=fe41afd8 ecx=ffffffec edx=d60a5914 esi=fe40f5e0 edi=fe41b000
eip=81c5a043 esp=d60a58b4 ebp=d60a5924 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!RtlInitUnicodeString+0x1b:
81c5a043 f266af repne scas word ptr es:[edi]
Resetting default scope
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: WINOAC.EXE
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 81c44fbe to 81cce759
STACK_TEXT:
d60a5400 81c44fbe 0000008e c0000005 81c5a043 nt!KeBugCheckEx+0x1e
d60a57d0 81c6b53a d60a57ec 00000000 d60a5840 nt!KiDispatchException+0x1a9
d60a5838 81c6b4ee d60a5924 81c5a043 badb0d00 nt!CommonDispatchException+0x4a
d60a585c 999e2242 ff888010 00000000 00000000 nt!Kei386EoiHelper+0x186
d60a5924 999befab 1401009b 00000006 00000002 win32k!OffBitBlt+0x97
d60a5a0c 999ceaf8 1401009b 00000006 00000002 win32k!xxxRealDrawMenuItem+0x80b
d60a5abc 999a455b 1401009b 0110007e d60a5b04 win32k!xxxDrawState+0x1c9
d60a5b2c 999a53e1 1401009b fe40d168 00c8d0d4 win32k!xxxDrawMenuItem+0x3f8
d60a5b98 999bf511 1401009b 00000000 fe418398 win32k!xxxMenuDraw+0x1f2
d60a5bf0 9990d1d6 00000017 1401009b 00000004 win32k!xxxMenuBarDraw+0x1bf
d60a5c38 9992c0f5 fe418398 1401009b 00000001 win32k!xxxDrawWindowFrame+0xf7
d60a5cb4 9992d73d fe418398 00000085 0904035f win32k!xxxRealDefWindowProc+0x88b
d60a5ccc 9990673d fe418398 00000085 0904035f win32k!xxxWrapRealDefWindowProc+0x2b
d60a5ce8 9992d6f4 fe418398 00000085 0904035f win32k!NtUserfnNCDESTROY+0x27
d60a5d20 81c6a97a 0003001c 00000085 0904035f win32k!NtUserMessageCall+0xc6
d60a5d20 77049a94 0003001c 00000085 0904035f nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012d7cc 00000000 00000000 00000000 00000000 0x77049a94
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!OffBitBlt+97
999e2242 8b4d20 mov ecx,dword ptr [ebp+20h]
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: win32k!OffBitBlt+97
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48d1b9ef
FAILURE_BUCKET_ID: 0x8E_win32k!OffBitBlt+97
BUCKET_ID: 0x8E_win32k!OffBitBlt+97
Followup: MachineOwner
---------
You should apply any patches for the OS that might be out there (especially if they mention they are related to Terminal Server or RDP). You should also probably contact Microsoft support.
The crash dump looks like the crash is happening in the RDP driver.
Even if the winoac.exe application is passing bad data to win32k.sys (the display subsystem) that results in the crash, device drivers are never supposed to crash the system - they should detect and handle the problem appropriately, even if it means the application crashes. The driver should never crash, so MS should take an interest in this so they can fix it.
Unless Smartware has developed their own drivers it should never be possible for a user mode application to bluescreen a windows NT server.
So, ignoring all that information, you are either looking at a buggy device driver - step 1 - find and install any updates for drivers on the system, OR the hardware is beginning to fail. even bug free drivers might need to throw a bug check when the actual hardware they depend on is failing.
win32k.sys is the kernel driver side of the win32 subsystem, not specifically a display driver at all. However the call stack does implicate that something related to drawing crashed, so, perhaps starting with updating the systems video drivers - or replacing the video card if its not onboard might help.