Windows 2003 Server 2003 SP2 0x00000050 BSOD

ronf@gbftech.com

Can someone help me read this "analyze -v" from a memory dump file.

I have a Windows 2003 terminal server, SP2, Dell Poweredge 1800, Dual
3.2 xeon hyperthreaded, 4gb RAM.

Every night BSOD 0x00000050. Below is System eventlog entry and the
result file of a memory.dmp file, read with the Microsoft debugger.

Can anyone tell me why the server is abending? Thank you very much in
advance.

Ron Floyd
Ronf@gbftech.com

Event Type: Warning
Event Source: USER32
Event Category: None
Event ID: 1076
Date: 4/30/2008
Time: 10:50:43 PM
User: EOASGA\administrator
Computer: EOATS01
Description:
The reason supplied by user EOASGA\Administrator for the last
unexpected shutdown of this computer is: System Failure: Stop error
Reason Code: 0x805000f
Bug ID:
Bugcheck String: 0x00000050 (0xc48e2000, 0x00000001, 0x808dea34,
0x00000000)
Comment: 0x00000050 (0xc48e2000, 0x00000001, 0x808dea34, 0x00000000)

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0f 00 05 08 ....




Microsoft (R) Windows Debugger Version 6.9.0003.113 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Apr 30 18:01:05.668 2008 (GMT-4)
System Uptime: 0 days 17:40:15.568
Loading Kernel Symbols
.......................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
Loading unloaded module list
...
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {c48e2000, 1, 808dea34, 0}

Page 11a472 not present in the dump file. Type ".hh dbgerr004" for details
Page 11a4e1 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
Probably caused by : ntkrpamp.exe ( nt!HvpRecoverData+4a0 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: c48e2000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 808dea34, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

Page 11a472 not present in the dump file. Type ".hh dbgerr004" for details
Page 11a4e1 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details

WRITE_ADDRESS: c48e2000

FAULTING_IP:
nt!HvpRecoverData+4a0
808dea34 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: wmiprvse.exe

CURRENT_IRQL: 1

TRAP_FRAME: f4b7e9dc -- (.trap 0xfffffffff4b7e9dc)
ErrCode = 00000002
eax=00004000 ebx=e480b000 ecx=00001000 edx=00000000 esi=e480b000 edi=c48e2000
eip=808dea34 esp=f4b7ea50 ebp=f4b7ea98 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!HvpRecoverData+0x4a0:
808dea34 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 8085eced to 80827c63

STACK_TEXT:
f4b7e94c 8085eced 00000050 c48e2000 00000001 nt!KeBugCheckEx+0x1b
f4b7e9c4 8088c798 00000001 c48e2000 00000000 nt!MmAccessFault+0xb25
f4b7e9c4 808dea34 00000001 c48e2000 00000000 nt!KiTrap0E+0xdc
f4b7ea98 808deeb4 e62afa80 00000000 00000000 nt!HvpRecoverData+0x4a0
f4b7eae8 808df719 e62afa80 00000000 e62affec nt!HvMapHive+0x188
f4b7eb00 808d7523 e62afc01 00000005 00000000 nt!HvInitializeHive+0x42d
f4b7eb6c 808c8cf3 f4b7eba8 00000005 00000000 nt!CmpInitializeHive+0x203
f4b7ebc4 808ca7c0 f4b7ecf4 00000000 f4b7ec54 nt!CmpInitHiveFromFile+0x91
f4b7ebe8 808c4757 f4b7ecbc f4b7ec58 f4b7ec4c nt!CmpCmdHiveOpen+0x1e
f4b7ec98 808bc1e5 f4b7ecd4 f4b7ecbc 00000000 nt!CmLoadKey+0xcf
f4b7ed3c 808bc3fc 00e7d9ec 00e7da04 00000000 nt!NtLoadKeyEx+0x25b
f4b7ed54 8088978c 00e7d9ec 00e7da04 00e7da34 nt!NtLoadKey+0x14
f4b7ed54 7c8285ec 00e7d9ec 00e7da04 00e7da34 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
00e7da34 00000000 00000000 00000000 00000000 0x7c8285ec


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!HvpRecoverData+4a0
808dea34 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!HvpRecoverData+4a0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45ec0a19

FAILURE_BUCKET_ID: 0x50_W_nt!HvpRecoverData+4a0

BUCKET_ID: 0x50_W_nt!HvpRecoverData+4a0

Followup: MachineOwner
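
An added example, not part of the original post and not a Microsoft tool: a Python triage of the `!analyze -v` text above that re-joins wrapped stack frames, decodes the bugcheck arguments with the legend the dump itself prints, cross-checks them against the trap frame, and reports the call path into the faulting function. The function and field names (`unwrap`, `parse_stack`, `triage`, the result keys) are assumptions made for this example.

```python
import re

# Constructed sample: fields taken from the "!analyze -v" output in the post.
# Two stack frames and the register dump are left wrapped the way news and mail
# clients break long lines, so unwrap() has something to repair.
DUMP = """\
BugCheck 50, {c48e2000, 1, 808dea34, 0}
PROCESS_NAME: wmiprvse.exe
TRAP_FRAME: f4b7e9dc -- (.trap 0xfffffffff4b7e9dc)
ErrCode = 00000002
eax=00004000 ebx=e480b000 ecx=00001000 edx=00000000 esi=e480b000
edi=c48e2000
eip=808dea34 esp=f4b7ea50 ebp=f4b7ea98 iopl=0 nv up ei pl nz
STACK_TEXT:
f4b7e94c 8085eced 00000050 c48e2000 00000001 nt!KeBugCheckEx+0x1b
f4b7e9c4 8088c798 00000001 c48e2000 00000000 nt!MmAccessFault+0xb25
f4b7e9c4 808dea34 00000001 c48e2000 00000000 nt!KiTrap0E+0xdc
f4b7ea98 808deeb4 e62afa80 00000000 00000000 nt!HvpRecoverData+0x4a0
f4b7eae8 808df719 e62afa80 00000000 e62affec nt!HvMapHive+0x188
f4b7eb00 808d7523 e62afc01 00000005 00000000 nt!HvInitializeHive+0x42d
f4b7eb6c 808c8cf3 f4b7eba8 00000005 00000000 nt!CmpInitializeHive
+0x203
f4b7ebc4 808ca7c0 f4b7ecf4 00000000 f4b7ec54 nt!CmpInitHiveFromFile
+0x91
f4b7ebe8 808c4757 f4b7ecbc f4b7ec58 f4b7ec4c nt!CmpCmdHiveOpen+0x1e
f4b7ec98 808bc1e5 f4b7ecd4 f4b7ecbc 00000000 nt!CmLoadKey+0xcf
f4b7ed3c 808bc3fc 00e7d9ec 00e7da04 00000000 nt!NtLoadKeyEx+0x25b
f4b7ed54 8088978c 00e7d9ec 00e7da04 00e7da34 nt!NtLoadKey+0x14
f4b7ed54 7c8285ec 00e7d9ec 00e7da04 00e7da34 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be
wrong.
00e7da34 00000000 00000000 00000000 00000000 0x7c8285ec

STACK_COMMAND: kb
"""

# Frames that deliver the page fault and raise the bugcheck; they sit above the
# code that actually touched the bad address.
FAULT_PATH = {"nt!KeBugCheckEx", "nt!MmAccessFault", "nt!KiTrap0E"}
# A "kb" frame: child EBP, return address, three arguments, then the symbol.
FRAME = re.compile(r"^((?:[0-9a-f]{8} ){5})(\S+)$")


def unwrap(text):
    """Re-join a symbol offset ("+0x91") that was wrapped onto its own line."""
    return re.sub(r"\n(\+0x[0-9a-f]+)", r"\1", text)


def parse_stack(text):
    """Return (symbol, offset) for every frame listed under STACK_TEXT."""
    frames, in_stack = [], False
    for line in unwrap(text).splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack and not line.strip():
            break                      # blank line ends the stack listing
        elif in_stack:
            m = FRAME.match(line.strip())
            if m:                      # the debugger's WARNING text is skipped
                name, _, offset = m.group(2).partition("+")
                frames.append((name, offset))
    return frames


def triage(text):
    """Decode the stop 0x50 arguments and check them against the trap frame."""
    text = unwrap(text)
    code, *args = (int(x, 16) for x in re.search(
        r"BugCheck ([0-9A-Fa-f]+), \{(\w+), (\w+), (\w+), (\w+)\}", text).groups())
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    err = int(re.search(r"ErrCode = ([0-9a-f]+)", text).group(1), 16)
    frames = parse_stack(text)
    idx = next(i for i, (name, _) in enumerate(frames) if name not in FAULT_PATH)
    path = []
    for name, _ in frames[idx:]:       # faulting frame outward to syscall entry
        path.append(name)
        if name == "nt!KiFastCallEntry":
            break
    return {
        "stop_code": code,
        "address": args[0],                               # Arg1
        "access": "write" if args[1] == 1 else "read",    # Arg2 legend in the dump
        "page_present": bool(err & 1),     # x86 page-fault error code, bit 0
        "errcode_is_write": bool(err & 2), # x86 page-fault error code, bit 1
        "eip_matches_arg3": regs["eip"] == args[2],
        "fault_on_copy_destination": regs["edi"] == args[0],  # rep movs writes [edi]
        "dwords_left_to_copy": regs["ecx"],
        "fault_frame_index": idx,          # compare with SYMBOL_STACK_INDEX
        "fault_function": frames[idx][0],
        "process": re.search(r"PROCESS_NAME:\s*(\S+)", text).group(1),
        "call_path": list(reversed(path)),
    }


if __name__ == "__main__":
    for key, value in triage(DUMP).items():
        print(f"{key}: {value}")
```

On the posted dump it reports a write to a non-present page at the copy destination inside `nt!HvpRecoverData`, reached from `nt!NtLoadKey` while running in `wmiprvse.exe`.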
 
<ronf@gbftech.com> wrote in message
news:7d10c215-8f89-41d8-a59d-3bd020a8b69f@56g2000hsm.googlegroups.com...
> Can someone help me read this "analyze -v" from a memory dump file.
>
> I have a Windows 2003 terminal server, SP2, Dell Poweredge 1800, Dual
> 3.2 xeon hyperthreaded, 4gb RAM.
>
> Every night BSOD 0x00000050. Below is System eventlog entry and the
> result file of a memory.dmp file, read with the Microsoft debugger.
>
> Can anyone tell me why the server is abending? Thank you very much in
> advance.
>


Here you go:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.

It's likely some BAD service or driver (although I didn't see the name or
what caused it if it was in your dump).

Look first at these kinds of things:

1) Services and drivers you added just prior to first such dump

2) Non-Microsoft services and drivers (could be MS but then
more people would likely find it too and it would get fixed
faster)

3) Any service or driver that is at all unusual

4) Any service or driver that you can do without, esp. if it is
in one of the categories above.

5) critical services and drivers that you cannot do without, try
testing them a few at a time to see if you can isolate the
problem (i.e., modified binary search by disabling/enabling
them)

You might also want to post this (or reasonably crosspost) to
one of the [System] Programming groups also -- since the
percentage of system programmers on the "General" list is fairly
small, or [like me] they aren't terribly active right now at System
Programming.
 
>Can someone help me read this "analyze -v" from a memory dump file.
>
>I have a Windows 2003 terminal server, SP2, Dell Poweredge 1800, Dual
>3.2 xeon hyperthreaded, 4gb RAM.
>
>Every night BSOD 0x00000050. Below is System eventlog entry and the
>result file of a memory.dmp file, read with the Microsoft debugger.
>
>Can anyone tell me why the server is abending? Thank you very much in
>advance.
>
>Ron Floyd
>Ronf@gbftech.com


That Event ID is indicative of an ntfs.sys error but the bugcheck
string isn't so it's kind of odd. You could try this hotfix for that
event ID: http://support.microsoft.com/kb/937455

Is it also showing PAGE_FAULT_IN_NONPAGED_AREA in the stop error
message? If so, I remember seeing a hotfix to address it.
Have a look at this KB article and make sure it is not what is
affecting you: http://support.microsoft.com/kb/903251

- Thee Chicago Wolf
 
On May 1, 8:31 am, Thee Chicago Wolf <.@.> wrote:
> That Event ID is indicative of an ntfs.sys error but the bugcheck
> string isn't so it's kind of odd. You could try this hotfix for that
> event ID: http://support.microsoft.com/kb/937455
>
> Is it also showing PAGE_FAULT_IN_NONPAGED_AREA in the stop error
> message? If so, I remember seeing a hotfix to address it.
> Have a look at this KB article and make sure it is not what is
> affecting you: http://support.microsoft.com/kb/903251
>
> - Thee Chicago Wolf




Thanks for the replies.

No hackdoor virus, already checked on that. I appreciate you guys
taking time to look.

No new services added. I was thinking maybe printer driver as some
users have off the wall printers like Brother's multifunction, best
buy purchased...But no indication of that being a problem.

I'm working with Dell on this and they read from one of the first
memory dumps that it was the Symantec Corp Edition anti virus 10.1. I
manually removed from the system going through the registry per
Symantec's documentation (backed up registry first of course) and it
ran from 12:30am to 10:30pm the next evening.

Microsoft has an article with a hotfix for the server abending when
sessions are "logging off" but since all users have logged off by that
time, it does not seem to be the answer.

The only thing I see that has changed is that Windows updates for .net
2.0 frame work SP1 was installed on the 12th of April and a few other
fixes, some of which cannot be removed. I began to back these out but
got messages of some programs may not work if I continue so I did
not.

The updates will be the only changes before the BSOD started. Once
the BS's started, I updated from SP1 to SP2.

I'll cross post and clear out the memory dump file and post a fresh
one from today because it will stop soon.

Thanks again for the help.
 
>No hackdoor virus, already checked on that. I appreciate you guys
>taking time to look.
>
>No new services added. I was thinking maybe printer driver as some
>users have off the wall printers like Brother's multifunction, best
>buy purchased...But no indication of that being a problem.
>
>I'm working with Dell on this and they read from one of the first
>memory dumps that it was the Symantec Corp Edition anti virus 10.1. I
>manually removed from the system going through the registry per
>Symantec's documentation (backed up registry first of course) and it
>ran from 12:30am to 10:30pm the next evening.
>
>Microsoft has an article with a hotfix for the server abending when
>sessions are "logging off" but since all users have logged off by that
>time, it does not seem to be the answer.
>
>The only thing I see that has changed is that Windows updates for .net
>2.0 frame work SP1 was installed on the 12th of April and a few other
>fixes, some of which cannot be removed. I began to back these out but
>got messages of some programs may not work if I continue so I did
>not.
>
>The updates will be the only changes before the BSOD started. Once
>the BS's started, I updated from SP1 to SP2.
>
>I'll cross post and clear out the memory dump file and post a fresh
>one from today because it will stop soon.
>
>Thanks again for the help.


No problem. If you have not already, take a peek at some of the other
0x00000050 errors related to Server 2003 in the KB as it may give you
something to go on or patches / hotfixes / workarounds you may want to
investigate. If you get your issue fixed, do post back so we can pass
on the knowledge.

http://support.microsoft.com/search...ID=1033&pd=&spid=3198&mode=r&lsc=0&range=1-22

- Thee Chicago Wolf
 
<ronf@gbftech.com> wrote in message
news:a54ad2ad-5f74-43ca-8fd8-9511aa08c095@34g2000hsf.googlegroups.com...
On May 1, 8:31 am, Thee Chicago Wolf <.@.> wrote:


>I'm working with Dell on this and they read from one of the first
>memory dumps that it was the Symantec Corp Edition anti virus 10.1. I
>manually removed from the system going through the registry per
>Symantec's documentation (backed up registry first of course) and it
>ran from 12:30am to 10:30pm the next evening.


I would be totally unsurprised if the AV was the issue -- I have had
more system problems due to AV (esp Norton/Symantec), and
more serious problems, than due to viruses.

> Microsoft has an article with a hotfix for the server abending when
> sessions are "logging off" but since all users have logged off by that
> time, it does not seem to be the answer.


Logging off? Are we talking Terminal Service sessions?

> The only thing I see that has changed is that Windows updates for .net
>2.0 frame work SP1 was installed on the 12th of April and a few other
>fixes, some of which cannot be removed. I began to back these out but
> got messages of some programs may not work if I continue so I did
> not.


One thing I have noticed -- I do NOT believe it to be superstition as it
has happened some dozen or more times, even though it may not make
perfect sense on first review: Incrementally installed updates (which
is my practice) may crash a machine when jumping to the last Service
Pack and applying subsequent patches is fine.

Try this: REPAIR install, followed by update to LAST Service Pack
and later hotfixes.

Also, don't overlook doing a FULL CHKDSK (before the REPAIR
install) -- a bad spot on the disk can translate into such errors.
 
On May 1, 1:18 pm, "Herb Martin" <n...@learnquick.com> wrote:
> <r...@gbftech.com> wrote in message
>
> news:a54ad2ad-5f74-43ca-8fd8-9511aa08c095@34g2000hsf.googlegroups.com...
> On May 1, 8:31 am, Thee Chicago Wolf <.@.> wrote:
>
> >I'm working with Dell on this and they read from one of the first
> >memory dumps that it was the Symantec Corp Edition anti virus 10.1.  I
> >manually removed from the system going through the registry per
> >Symantec's documentation (backed up registry first of course) and it
> >ran from 12:30am to 10:30pm the next evening.

>
> I would be totally unsurprised if the AV was the issue -- I have had
> more system problems due to AV (esp Norton/Symantec), and
> more serious problems, than due to viruses.
>
> > Microsoft has an article with a hotfix for the server abending when
> > sessions are "logging off" but since all users have logged off by that
> > time, it does not seem to be the answer.

>
> Logging off?  Are we talking Terminal Service sessions?
>
> > The only thing I see that has changed is that Windows updates for .net
> >2.0 frame work SP1 was installed on the 12th of April and a few other
> >fixes, some of which cannot be removed.  I began to back these out but
> > got messages of some programs may not work if I continue so I did
> > not.

>
> One thing I have noticed -- I do NOT believe it to be superstition as it
> has happened some dozen or more times, even though it may not make
> perfect sense on first review:  Incrementally installed updates (which
> is my practice) may crash a machine when jumping to the last Service
> Pack and applying subsequent patches is fine.
>
> Try this:  REPAIR install, followed by update to LAST Service Pack
> and later hotfixes.
>
> Also, don't overlook doing a FULL CHKDSK (before the REPAIR
> install) -- a bad spot on the disk can translate into such errors.





Thanks again for the replies.

Nice link. I've been through most of these but nice to have them
listed in order to review once more.

I applied hotfix http://support.microsoft.com/kb/837583/en-us and then
installed SP2. I am going to reapply hotfix.

I also remember seeing something about WMI in the dump so I may try
hotfix http://support.microsoft.com/kb/921306/en-us.

I also agree on the incremental hotfix install. I'm an IT person for
many companies and I work for myself. Someone onsite turned on
Automatic updates and I did not see until about 3 days into the
troubleshooting. Thus I suspected the installs because nothing else
has been changed, including drivers.

I also like the repair option should nothing else fix it. I'm doing
everything one step at a time.

But, so far since last BSOD, it's run for almost 24 hours straight.
The last thing was removal of the AV system.

Thanks again.
 
<ronf@gbftech.com> wrote in message
news:19c557d0-64c3-4f2a-91d2-e0109d95c69f@w7g2000hsa.googlegroups.com...
On May 1, 1:18 pm, "Herb Martin" <n...@learnquick.com> wrote:
> <r...@gbftech.com> wrote in message
>
> One thing I have noticed -- I do NOT believe it to be superstition as it
> has happened some dozen or more times, even though it may not make
> perfect sense on first review: Incrementally installed updates (which
> is my practice) may crash a machine when jumping to the last Service
> Pack and applying subsequent patches is fine.
>
> Try this: REPAIR install, followed by update to LAST Service Pack
> and later hotfixes.
>
> Also, don't overlook doing a FULL CHKDSK (before the REPAIR
> install) -- a bad spot on the disk can translate into such errors.



As weird as it sounds -- doing the REPAIR install (puts you back
to the SP level of the install CD/source) and then you of course
add the latest updates -- this actually works in MANY cases
even though in theory the "same stuff" goes right back on the
machine.

Also, doing the CHKDSK is a VERY strong idea and I do this
before the repair install in case some driver is sitting on bad
disk space.

Your stuff follows....:


Thanks again for the replies.

Nice link. I've been through most of these but nice to have them
listed in order to review once more.

I applied hotfix http://support.microsoft.com/kb/837583/en-us and then
installed SP2. I am going to reapply hotfix.

I also remember seeing something about WMI in the dump so I may try
hotfix http://support.microsoft.com/kb/921306/en-us.

I also agree on the incremental hotfix install. I'm an IT person for
many companies and I work for myself. Someone onsite turned on
Automatic updates and I did not see until about 3 days into the
troubleshooting. Thus I suspected the installs because nothing else
has been changed, including drivers.

I also like the repair option should nothing else fix it. I'm doing
everything one step at a time.

But, so far since last BSOD, it's run for almost 24 hours straight.
The last thing was removal of the AV system.

Thanks again.
 