Memory.DMP and Reboot in Windows Server 2003
Hello, Can someone help me.. Our Server Shutdown and Rebboted twice in the last 36hrs...
Here is the contence of the Memory.dpm file from the second crash..
------------------------
WARNING: Whitespace at end of path element
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [\\PRDEFS01\C$\Windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
WARNING: Whitespace at end of path element
Symbol search path is: C:\websymbols ;SRV*C:\websymbols *http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.080813-1204
Machine Name:
Kernel base = 0xe0600000 PsLoadedModuleList = 0xe06a6ea8
Debug session time: Thu Apr 9 12:26:18.968 2009 (GMT-7)
System Uptime: 0 days 12:34:32.218
Loading Kernel Symbols
...............................................................
..............................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffff00c). Type ".hh dbgerr001" for details
Loading unloaded module list
...
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {4, d000001b, 1, e0632a3e}
Page 39c8f1 not present in the dump file. Type ".hh dbgerr004" for details
Page 39c9c5 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffff00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffff00c). Type ".hh dbgerr001" for details
Probably caused by : ntkrpamp.exe ( nt!KiFindReadyThread+6a )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: d000001b, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: e0632a3e, address which referenced memory
Debugging Details:
------------------
Page 39c8f1 not present in the dump file. Type ".hh dbgerr004" for details
Page 39c9c5 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffff00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffff00c). Type ".hh dbgerr001" for details
WRITE_ADDRESS: 00000004
CURRENT_IRQL: 1b
FAULTING_IP:
nt!KiFindReadyThread+6a
e0632a3e 895f04 mov dword ptr [edi+4],ebx
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: sddsrv.exe
TRAP_FRAME: ef55bb60 -- (.trap 0xffffffffef55bb60)
ErrCode = 00000002
eax=00000008 ebx=f1157b50 ecx=00000002 edx=f1157120 esi=feb376c8 edi=00000000
eip=e0632a3e esp=ef55bbd4 ebp=ef55bbec iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
nt!KiFindReadyThread+0x6a:
e0632a3e 895f04 mov dword ptr [edi+4],ebx ds:0023:00000004=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from e0632a3e to e068c993
STACK_TEXT:
ef55bb60 e0632a3e badb0d00 f1157120 00000000 nt!KiTrap0E+0x2a7
ef55bbec e0633324 febec398 febec320 febec3c8 nt!KiFindReadyThread+0x6a
ef55bc1c e0629a82 febec47c febec320 e085e530 nt!KiSwapThread+0x184
ef55bc64 e0633198 febec4b0 00000005 00000000 nt!KeWaitForSingleObject+0x346
ef55bc7c e062e03f 00000000 00000000 00000000 nt!KiSuspendThread+0x18
ef55bcc4 e0860199 00000000 00000000 00000000 nt!KiDeliverApc+0x117
ef55bce4 e08603d9 00000001 00000000 00000000 hal!HalpDispatchSoftwareInterrupt+0x49
ef55bd00 e0860456 00000000 00000000 ef55bd50 hal!HalpCheckForSoftwareInterrupt+0x81
ef55bd10 e07499f0 00000000 00000000 00000000 hal!KfLowerIrql+0x62
ef55bd50 e068e092 00000000 77e617ec 00000001 nt!PspUserThreadStartup+0x14
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiFindReadyThread+6a
e0632a3e 895f04 mov dword ptr [edi+4],ebx
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!KiFindReadyThread+6a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 48a2ac75
FAILURE_BUCKET_ID: 0xA_nt!KiFindReadyThread+6a
BUCKET_ID: 0xA_nt!KiFindReadyThread+6a
Followup: MachineOwner
---------
1: kd> .trap 0xffffffffef55bb60
ErrCode = 00000002
eax=00000008 ebx=f1157b50 ecx=00000002 edx=f1157120 esi=feb376c8 edi=00000000
eip=e0632a3e esp=ef55bbd4 ebp=ef55bbec iopl=0 nv up ei pl nz na po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203
nt!KiFindReadyThread+0x6a:
e0632a3e 895f04 mov dword ptr [edi+4],ebx ds:0023:00000004=????????
1: kd> lmvm nt
start end module name
e0600000 e085a000 nt (pdb symbols) c:\websymbols\ntkrpamp.pdb\95CD524842DA459FB71F87FF5E1F69EA1\ntkrpamp.pdb
Loaded symbol image file: ntkrpamp.exe
Image path: ntkrpamp.exe
Image name: ntkrpamp.exe
Timestamp: Wed Aug 13 02:42:13 2008 (48A2AC75)
CheckSum: 00247DB0
ImageSize: 0025A000
File version: 5.2.3790.4354
Product version: 5.2.3790.4354
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: ntkrpamp.exe
OriginalFilename: ntkrpamp.exe
ProductVersion: 5.2.3790.4354
FileVersion: 5.2.3790.4354 (srv03_sp2_gdr.080813-1204)
FileDescription: NT Kernel & System
LegalCopyright: © Microsoft Corporation. All rights reserved.
---------------------------
Re: Memory.DMP and Reboot in Windows Server 2003
To resolve system crashes through the inspection of memory dumps, set your servers and PCs to automatically save them with these steps:
1. Right-click on My Computer
2. Select Properties
3. Select Advanced
4. In the Start up and Recovery section, select Settings; this displays the Startup and Recovery dialog box
5. In the Write debugging information section, select kernel memory dump
While still in the Start up and Recovery dialog box, ensure that the following options are checked in the System failure section:
- Write an event to the system log
- Send an administrative alert
- Automatically restart
In the Write debugging information, you have the option to save only the most recent dump file or to have the system rename the existing dump file before it creates a new one. We prefer saving the dump files because previous dump files may provide additional or different information - however, space can be an issue, so set this option according to your needs.
Re: Memory.DMP and Reboot in Windows Server 2003
Two possibilities; software or hardware (that's a loaded statement)
On the software side
--------------------
Do you have the server autoreboot on stop error? Try disabling that first to see if the server is bluescreening. Also have u checked the system event log for any similar events that occur prior to each reboot?
As for hardware
---------------
Check for issues related to power/overheating of CPU (check your BIOS logs)
Re: Memory.DMP and Reboot in Windows Server 2003
Hi,
You can't schedule a bugcheck or BSOD.You can use the Windows Debugging Tools to analyse the memory.dmp file that should be in your C:\windows or c:\winnt folder. Copy this to a workstation and install the debugging tools and then use Windbg to analyse the dump file to try to help figure it out.
Install Debugging Tools for Windows 32-bit Version
Re: Memory.DMP and Reboot in Windows Server 2003
Thanks for the replies...
SOLOMON: The settings you mentioned were already set, except for the don't over write, which I have now set to NOT over write. Also I have set the Auto Restart option to NOT... This is because it was set to reboot, and i'm finding some are saying set it to NOT. like Vitus: to see if it blue screens.
VITUS: I have looked through the system/App logs with nothing jumping at me... I will look again. I will also look at the BIOS Logs and try to post my findings...
MrChris: My post is a Cut/Paste from Windbg. You mention to Analyse with Windbg, is there anything else I need to do? I Just pointed Windbg from my PC to Open the MEMORY.DMP file on our Server: "Loading Dump File [\\PRDEFS01\C$\Windows\MEMORY.DMP]"
Thanks for your help..
