Windows 2003 Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

[Andreas.Konrad]

Hi,

one of our terminalserver crashes quite often with BugCheck 100000D1!
Could someone analyse my minidump and tell me what is the faulting module?

Thanks a lot!
Regards
Andi

************************************************************
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini012308-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free
x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Jan 23 18:54:02.559 2008 (GMT+1)
System Uptime: 2 days 3:32:48.671
Loading Kernel Symbols
.........................................................................................................................
Loading User Symbols
Loading unloaded module list
............
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {0, d0000002, 8, 0}



Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

Followup: MachineOwner
---------

14: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:
------------------




READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
+0
00000000 ?? ???

PROCESS_NAME: Idle

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7916d30 f779fee0 8086efcf f779f000 a37c2c70 0x0
f7916d50 8088ddf2 00000000 0000000e 00000000 0xf779fee0
f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiIdleLoop+a
8088ddf2 f390 pause

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiIdleLoop+a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 45ec0a19

FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

Followup: MachineOwner
---------

************************************************************

 

[Thee Chicago Wolf]

>one of our terminalserver crashes quite often with BugCheck 100000D1!
>Could someone analyse my minidump and tell me what is the faulting module?
>
>Thanks a lot!
>Regards
>Andi
>
>************************************************************
>Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
>Copyright (c) Microsoft Corporation. All rights reserved.
>
>
>Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini012308-01.dmp]
>Mini Kernel Dump File: Only registers and stack trace are available
>
>Symbol search path is:
>SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
>Executable search path is:
>Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free
>x86 compatible
>Product: Server, suite: Enterprise TerminalServer
>Built by: 3790.srv03_sp2_gdr.070304-2240
>Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
>Debug session time: Wed Jan 23 18:54:02.559 2008 (GMT+1)
>System Uptime: 2 days 3:32:48.671
>Loading Kernel Symbols
>.........................................................................................................................
>Loading User Symbols
>Loading unloaded module list
>...........
>*******************************************************************************
>*
> *
>* Bugcheck Analysis
> *
>*
> *
>*******************************************************************************
>
>Use !analyze -v to get detailed debugging information.
>
>BugCheck 100000D1, {0, d0000002, 8, 0}
>
>
>
>Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )
>
>Followup: MachineOwner
>---------
>
>14: kd> !analyze -v
>*******************************************************************************
>*
> *
>* Bugcheck Analysis
> *
>*
> *
>*******************************************************************************
>
>DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
>An attempt was made to access a pageable (or completely invalid) address at an
>interrupt request level (IRQL) that is too high. This is usually
>caused by drivers using improper addresses.
>If kernel debugger is available get stack backtrace.
>Arguments:
>Arg1: 00000000, memory referenced
>Arg2: d0000002, IRQL
>Arg3: 00000008, value 0 = read operation, 1 = write operation
>Arg4: 00000000, address which referenced memory
>
>Debugging Details:
>------------------
>
>
>
>
>READ_ADDRESS: 00000000
>
>CURRENT_IRQL: 2
>
>FAULTING_IP:
>+0
>00000000 ?? ???
>
>PROCESS_NAME: Idle
>
>CUSTOMER_CRASH_COUNT: 1
>
>DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
>
>BUGCHECK_STR: 0xD1
>
>LAST_CONTROL_TRANSFER: from f779fee0 to 00000000
>
>FAILED_INSTRUCTION_ADDRESS:
>+0
>00000000 ?? ???
>
>STACK_TEXT:
>WARNING: Frame IP not in any known module. Following frames may be wrong.
>f7916d30 f779fee0 8086efcf f779f000 a37c2c70 0x0
>f7916d50 8088ddf2 00000000 0000000e 00000000 0xf779fee0
>f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa
>
>
>STACK_COMMAND: kb
>
>FOLLOWUP_IP:
>nt!KiIdleLoop+a
>8088ddf2 f390 pause
>
>SYMBOL_STACK_INDEX: 2
>
>SYMBOL_NAME: nt!KiIdleLoop+a
>
>FOLLOWUP_NAME: MachineOwner
>
>MODULE_NAME: nt
>
>IMAGE_NAME: ntkrpamp.exe
>
>DEBUG_FLR_IMAGE_TIMESTAMP: 45ec0a19
>
>FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a
>
>BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a
>
>Followup: MachineOwner
>---------
>
>************************************************************

Since it seems that ntkrpamp.exe is acting up, try the update from
this KB article: http://support.microsoft.com/kb/938486

- Thee Chicago Wolf

 

[Andreas.Konrad]

Well, downloaded and installed the hotfix. Improvements will be shown within
the next days. I'll keep you posted.
Thanks so far.
Andi


"Thee Chicago Wolf" wrote:

> Since it seems that ntkrpamp.exe is acting up, try the update from
> this KB article: http://support.microsoft.com/kb/938486
>
> - Thee Chicago Wolf
>

 

[Thee Chicago Wolf]

>Well, downloaded and installed the hotfix. Improvements will be shown within
>the next days. I'll keep you posted.
>Thanks so far.

Great. Let the group know if there's been any improvement. It would be
good to know this does address the issues you've been facing and can
be recommended to others.

- Thee Chicago Wolf

 

[Andreas.Konrad]

Sorry, here is the next Minidump after installing the hotfix... :-(



Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini020908-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free
x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_qfe.071022-1210
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Sat Feb 9 01:45:34.232 2008 (GMT+1)
System Uptime: 0 days 12:29:43.359
Loading Kernel Symbols
..........................................................................................................................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {0, d0000002, 8, 0}



Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

Followup: MachineOwner
---------

14: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:
------------------




READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
+0
00000000 ?? ???

PROCESS_NAME: Idle

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7916d30 f779fee0 8086feb9 f779f000 a3863af8 0x0
f7916d50 8088f2b2 00000000 0000000e 00000000 0xf779fee0
f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiIdleLoop+a
8088f2b2 f390 pause

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiIdleLoop+a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 471cab92

FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

Followup: MachineOwner
---------



"Thee Chicago Wolf" wrote:

> >Well, downloaded and installed the hotfix. Improvements will be shown within
> >the next days. I'll keep you posted.
> >Thanks so far.
>
> Great. Let the group know if there's been any improvement. It would be
> good to know this does address the issues you've been facing and can
> be recommended to others.
>
> - Thee Chicago Wolf
>

 

[Andreas.Konrad]

Sorry, here is the next minidump after installing the hotfix... :-(


Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini020908-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free
x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_qfe.071022-1210
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Sat Feb 9 01:45:34.232 2008 (GMT+1)
System Uptime: 0 days 12:29:43.359
Loading Kernel Symbols
..........................................................................................................................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 100000D1, {0, d0000002, 8, 0}



Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

Followup: MachineOwner
---------

14: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000008, value 0 = read operation, 1 = write operation
Arg4: 00000000, address which referenced memory

Debugging Details:
------------------




READ_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
+0
00000000 ?? ???

PROCESS_NAME: Idle

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0xD1

LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

FAILED_INSTRUCTION_ADDRESS:
+0
00000000 ?? ???

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7916d30 f779fee0 8086feb9 f779f000 a3863af8 0x0
f7916d50 8088f2b2 00000000 0000000e 00000000 0xf779fee0
f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!KiIdleLoop+a
8088f2b2 f390 pause

SYMBOL_STACK_INDEX: 2

SYMBOL_NAME: nt!KiIdleLoop+a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 471cab92

FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

Followup: MachineOwner
---------



"Thee Chicago Wolf" wrote:

> >Well, downloaded and installed the hotfix. Improvements will be shown within
> >the next days. I'll keep you posted.
> >Thanks so far.
>
> Great. Let the group know if there's been any improvement. It would be
> good to know this does address the issues you've been facing and can
> be recommended to others.
>
> - Thee Chicago Wolf
>

 

[Thee Chicago Wolf]

>Sorry, here is the next Minidump after installing the hotfix... :-(
>
>Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
>Copyright (c) Microsoft Corporation. All rights reserved.
>
>
>Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini020908-01.dmp]
>Mini Kernel Dump File: Only registers and stack trace are available
>
>Symbol search path is:
>SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
>Executable search path is:
>Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free
>x86 compatible
>Product: Server, suite: Enterprise TerminalServer
>Built by: 3790.srv03_sp2_qfe.071022-1210
>Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
>Debug session time: Sat Feb 9 01:45:34.232 2008 (GMT+1)
>System Uptime: 0 days 12:29:43.359
>Loading Kernel Symbols
>..........................................................................................................................
>Loading User Symbols
>Loading unloaded module list
>.......
>*******************************************************************************
>*
> *
>* Bugcheck Analysis
> *
>*
> *
>*******************************************************************************
>
>Use !analyze -v to get detailed debugging information.
>
>BugCheck 100000D1, {0, d0000002, 8, 0}
>
>
>
>Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )
>
>Followup: MachineOwner
>---------
>
>14: kd> !analyze -v
>*******************************************************************************
>*
> *
>* Bugcheck Analysis
> *
>*
> *
>*******************************************************************************
>
>DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
>An attempt was made to access a pageable (or completely invalid) address at an
>interrupt request level (IRQL) that is too high. This is usually
>caused by drivers using improper addresses.
>If kernel debugger is available get stack backtrace.
>Arguments:
>Arg1: 00000000, memory referenced
>Arg2: d0000002, IRQL
>Arg3: 00000008, value 0 = read operation, 1 = write operation
>Arg4: 00000000, address which referenced memory
>
>Debugging Details:
>------------------
>
>READ_ADDRESS: 00000000
>
>CURRENT_IRQL: 2
>
>FAULTING_IP:
>+0
>00000000 ?? ???
>
>PROCESS_NAME: Idle
>
>CUSTOMER_CRASH_COUNT: 1
>
>DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
>
>BUGCHECK_STR: 0xD1
>
>LAST_CONTROL_TRANSFER: from f779fee0 to 00000000
>
>FAILED_INSTRUCTION_ADDRESS:
>+0
>00000000 ?? ???
>
>STACK_TEXT:
>WARNING: Frame IP not in any known module. Following frames may be wrong.
>f7916d30 f779fee0 8086feb9 f779f000 a3863af8 0x0
>f7916d50 8088f2b2 00000000 0000000e 00000000 0xf779fee0
>f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa
>
>
>STACK_COMMAND: kb
>
>FOLLOWUP_IP:
>nt!KiIdleLoop+a
>8088f2b2 f390 pause
>
>SYMBOL_STACK_INDEX: 2
>
>SYMBOL_NAME: nt!KiIdleLoop+a
>
>FOLLOWUP_NAME: MachineOwner
>
>MODULE_NAME: nt
>
>IMAGE_NAME: ntkrpamp.exe
>
>DEBUG_FLR_IMAGE_TIMESTAMP: 471cab92
>
>FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a
>
>BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a
>
>Followup: MachineOwner
>---------

Andreas,

Damn. Well, it certainly looks like it is still having something to do
with the ntkrpamp failing. You said this was a terminal server right?
Lot of people coming in and out of it? There is an updated set of the
ntkrnl files from Jan 22nd 2008. You might want to try the hotfix from
this KB article: http://support.microsoft.com/kb/944984

Review the event viewer and see if you're also getting those log
messages mentioned in the KB article.

I also don't think it would hurt to apply the patch from this KB as
well: http://support.microsoft.com/kb/936357

What about system BIOS, up to date? NIC driver up to date as well?

- Thee Chicago Wolf

 

[Andreas.Konrad]

hi wolf,

we are using uphclean.exe, so 1517 events shouldn't appear.
right, it is a terminalserver but there is no load on it because it's not in
production, yet.
bios, nic, raid etc. have been updated last week.

i'll try kb936357...
most likely calling ms support would be the best next step?!

regards
andreas

"Thee Chicago Wolf" wrote:
>
> Andreas,
>
> Damn. Well, it certainly looks like it is still having something to do
> with the ntkrpamp failing. You said this was a terminal server right?
> Lot of people coming in and out of it? There is an updated set of the
> ntkrnl files from Jan 22nd 2008. You might want to try the hotfix from
> this KB article: http://support.microsoft.com/kb/944984
>
> Review the event viewer and see if you're also getting those log
> messages mentioned in the KB article.
>
> I also don't think it would hurt to apply the patch from this KB as
> well: http://support.microsoft.com/kb/936357
>
> What about system BIOS, up to date? NIC driver up to date as well?
>
> - Thee Chicago Wolf
>

 

[Thee Chicago Wolf]

>hi wolf,
>
>we are using uphclean.exe, so 1517 events shouldn't appear.
>right, it is a terminalserver but there is no load on it because it's not in
>production, yet.
>bios, nic, raid etc. have been updated last week.
>
>i'll try kb936357...
>most likely calling ms support would be the best next step?!
>
>regards
>andreas

Andreas,

Wow, if it's non-production I can't imagine how it would behave in
production. Yes, definitely give KB936357 a try for sure. At this
point it couldn't hurt the situation. And I guess calling MS if it
doesn't help would be the next option. Let know how things turn out.

- Thee Chicago Wolf