L lifewithloki Member Joined Jun 16, 2023 Posts 8 Jun 16, 2023 #1 Hello, I have a windows server 2022 that went down. I attached a link the the latest memory dump however I am not sure I am reading it correctly. I think the exception has something to do with Core Message DLL. Any help would be great. I also added a cross link to my DISM issue and missing CBS packages. I would like to think they are related. Thank you. https://lstacktech-my.sharepoint.co...hDrLFiBor4VfkB9K3awG1PT32YJjwmVIcq1Q?e=obgrku Windows Server 2022 DISM missing cbs packages
Hello, I have a windows server 2022 that went down. I attached a link the the latest memory dump however I am not sure I am reading it correctly. I think the exception has something to do with Core Message DLL. Any help would be great. I also added a cross link to my DISM issue and missing CBS packages. I would like to think they are related. Thank you. https://lstacktech-my.sharepoint.co...hDrLFiBor4VfkB9K3awG1PT32YJjwmVIcq1Q?e=obgrku Windows Server 2022 DISM missing cbs packages
x BlueRobot Administrator Staff member Joined May 7, 2013 Posts 10,234 Location %systemroot% Jun 16, 2023 #2 Please make sure that you .zip all large memory dump files before uploading them especially as they can approach 1-2GB quite easily. It looks like one of your Kerberos services is possibly crashing and then terminating afterwards due to some unrecoverable error. Rich (BB code): 7: kd> .exr ffff9e8cd1cbca00 ExceptionAddress: 00007ffe3c87d497 (coremessaging!Microsoft::CoreUI::Registrar::AlpcServerAdapter::GetPortSecurityDescriptor+0x000000000001c7e3) ExceptionCode: e0464645 ExceptionFlags: 00000001 NumberParameters: 2 Parameter[0]: ffffffffd0000034 Parameter[1]: 0000000000000000 Rich (BB code): 7: kd> !error d0000034 Error code: (NTSTATUS) 0xd0000034 (3489660980) - Object Name not found. I assume that GetPortSecurityDescriptor returns a security descriptor object for the given ALPC port. However, either a bad name is being passed or the name was completely null. This issue appears to be completely unrelated to your Windows Update issue. Rich (BB code): [...] 0xffff9e8cd1cbcc18 : 0xfffff80575033185 : nt!KiSystemServiceCopyEnd+0x25 0xffff9e8cd1cbcc20 : 0xffffb40538bb1080 : Trap @ ffff9e8cd1cbcc20 0xffff9e8cd1cbccf0 : 0x00007ffe43ba2204 : ntdll!NtRaiseException+0x14 0xffff9e8cd1cbcd80 : 0x00007ffe41336130 : KERNELBASE!RaiseFailFastException 0xffff9e8cd1cbcd88 : 0x00007ffe41336282 : KERNELBASE!RaiseFailFastException+0x152 0xffff9e8cd1cbcdb8 : 0xffff9e8cd1cb7000 : !du "Kerberos" 0xffff9e8cd1cbceb8 : 0x00007ff60bbb5320 : svchost!wmainCRTStartup Just some additional background information: Spoiler Rich (BB code): 7: kd> !alpc /lpp ffffb40538a42300 Ports created by the process ffffb40538a42300: <none> Ports the process ffffb40538a42300 is connected to: ffffb40538a35d20 0 -> ffffb40536ac5090 ('ApiPort') 0 ffffb40536a0e080 ('csrss.exe') ffffb40538a61a80 0 -> ffffb40536d61aa0 ('epmapper') 2 ffffb40537ec2300 ('svchost.exe') ffffb40538a51d90 0 -> ffffb40536c15d20 ('lsapolicylookup') 0 ffffb4053745f080 ('lsass.exe') ffffb40538af8ce0 0 -> ffffb40536c16db0 ('ntsvcs') 64 ffffb405374630c0 ('services.exe') In your other thread, by recovery environment, I assume you're referring to Safe Mode? If so, then this issue probably isn't hardware-related. Have you got any security programs which run at boot?
Please make sure that you .zip all large memory dump files before uploading them especially as they can approach 1-2GB quite easily. It looks like one of your Kerberos services is possibly crashing and then terminating afterwards due to some unrecoverable error. Rich (BB code): 7: kd> .exr ffff9e8cd1cbca00 ExceptionAddress: 00007ffe3c87d497 (coremessaging!Microsoft::CoreUI::Registrar::AlpcServerAdapter::GetPortSecurityDescriptor+0x000000000001c7e3) ExceptionCode: e0464645 ExceptionFlags: 00000001 NumberParameters: 2 Parameter[0]: ffffffffd0000034 Parameter[1]: 0000000000000000 Rich (BB code): 7: kd> !error d0000034 Error code: (NTSTATUS) 0xd0000034 (3489660980) - Object Name not found. I assume that GetPortSecurityDescriptor returns a security descriptor object for the given ALPC port. However, either a bad name is being passed or the name was completely null. This issue appears to be completely unrelated to your Windows Update issue. Rich (BB code): [...] 0xffff9e8cd1cbcc18 : 0xfffff80575033185 : nt!KiSystemServiceCopyEnd+0x25 0xffff9e8cd1cbcc20 : 0xffffb40538bb1080 : Trap @ ffff9e8cd1cbcc20 0xffff9e8cd1cbccf0 : 0x00007ffe43ba2204 : ntdll!NtRaiseException+0x14 0xffff9e8cd1cbcd80 : 0x00007ffe41336130 : KERNELBASE!RaiseFailFastException 0xffff9e8cd1cbcd88 : 0x00007ffe41336282 : KERNELBASE!RaiseFailFastException+0x152 0xffff9e8cd1cbcdb8 : 0xffff9e8cd1cb7000 : !du "Kerberos" 0xffff9e8cd1cbceb8 : 0x00007ff60bbb5320 : svchost!wmainCRTStartup Just some additional background information: Spoiler Rich (BB code): 7: kd> !alpc /lpp ffffb40538a42300 Ports created by the process ffffb40538a42300: <none> Ports the process ffffb40538a42300 is connected to: ffffb40538a35d20 0 -> ffffb40536ac5090 ('ApiPort') 0 ffffb40536a0e080 ('csrss.exe') ffffb40538a61a80 0 -> ffffb40536d61aa0 ('epmapper') 2 ffffb40537ec2300 ('svchost.exe') ffffb40538a51d90 0 -> ffffb40536c15d20 ('lsapolicylookup') 0 ffffb4053745f080 ('lsass.exe') ffffb40538af8ce0 0 -> ffffb40536c16db0 ('ntsvcs') 64 ffffb405374630c0 ('services.exe') In your other thread, by recovery environment, I assume you're referring to Safe Mode? If so, then this issue probably isn't hardware-related. Have you got any security programs which run at boot?
L lifewithloki Member Joined Jun 16, 2023 Posts 8 Jun 16, 2023 #3 Not safe mode. I can't boot into safe mode either. I have to go into advance startup settings, repair computer, then command prompt No, no security programs I believe. Having missing/corrupt packages wouldn't cause this? If a bad name or null is being return maybe it is one of those packages?
Not safe mode. I can't boot into safe mode either. I have to go into advance startup settings, repair computer, then command prompt No, no security programs I believe. Having missing/corrupt packages wouldn't cause this? If a bad name or null is being return maybe it is one of those packages?
x BlueRobot Administrator Staff member Joined May 7, 2013 Posts 10,234 Location %systemroot% Jun 16, 2023 #4 lifewithloki said: Having missing/corrupt packages wouldn't cause this? If a bad name or null is being return maybe it is one of those packages? Click to expand... No it wouldn't, those packages are just .mum and .cat files, both of which are used by the servicing stack which is the part of Windows Update. They're both part of %systemroot%\servicing\Packages which is then hardlinked to a couple of directories. I would see if you can clone server and then see if you're able to disable Kerberos, at least we'll be able to see if you're able to boot the system normally.
lifewithloki said: Having missing/corrupt packages wouldn't cause this? If a bad name or null is being return maybe it is one of those packages? Click to expand... No it wouldn't, those packages are just .mum and .cat files, both of which are used by the servicing stack which is the part of Windows Update. They're both part of %systemroot%\servicing\Packages which is then hardlinked to a couple of directories. I would see if you can clone server and then see if you're able to disable Kerberos, at least we'll be able to see if you're able to boot the system normally.
L lifewithloki Member Joined Jun 16, 2023 Posts 8 Jun 16, 2023 #5 Okay. How would I disable Kerberos? I've read a few links and haven't found a way to disable Kerberos and Kerberos can't be disabled
Okay. How would I disable Kerberos? I've read a few links and haven't found a way to disable Kerberos and Kerberos can't be disabled
x BlueRobot Administrator Staff member Joined May 7, 2013 Posts 10,234 Location %systemroot% Jun 17, 2023 #6 You should be able to change the authentication method used by Active Directory. I assume that this server is a domain controller? It might not be possible to disable it outside of Windows itself unfortunately, you could try opening RegEdit from Command Prompt by entering regedit.exe and then going to: Code: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos And then check for any values which allow you to configure it to be disabled. Otherwise, you might want to consider running MemTest86 for at least 8 passes to reduce the likelihood of any RAM issues as this can cause Stop 0xEF bugchecks: Test RAM with PassMark MemTest86 (version 7.4 was used) Is there any other dump files apart from the one you uploaded? Have you checked under %systemroot%\Minidump?
You should be able to change the authentication method used by Active Directory. I assume that this server is a domain controller? It might not be possible to disable it outside of Windows itself unfortunately, you could try opening RegEdit from Command Prompt by entering regedit.exe and then going to: Code: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos And then check for any values which allow you to configure it to be disabled. Otherwise, you might want to consider running MemTest86 for at least 8 passes to reduce the likelihood of any RAM issues as this can cause Stop 0xEF bugchecks: Test RAM with PassMark MemTest86 (version 7.4 was used) Is there any other dump files apart from the one you uploaded? Have you checked under %systemroot%\Minidump?
L lifewithloki Member Joined Jun 16, 2023 Posts 8 Jun 17, 2023 #7 I will try that. These are all the dump files I have. I did look at minidump but they had no file size. https://lstacktech-my.sharepoint.co...VEjf6OEYa3WtUBQYXiVwzhu2vkYKsdN_QNww?e=D2gJ4f
I will try that. These are all the dump files I have. I did look at minidump but they had no file size. https://lstacktech-my.sharepoint.co...VEjf6OEYa3WtUBQYXiVwzhu2vkYKsdN_QNww?e=D2gJ4f
L lifewithloki Member Joined Jun 16, 2023 Posts 8 Jun 17, 2023 #8 Okay. I used these 2 articles to try and disable Kerberos. Disabling Kerberos Disallow Kerberos authentication In the dump file, memory-dk1 is after link #1. memory-dk12 is after link 2 but with link 1 still in the registry. memory-dk2 is after link 2 without link 1 registry keys. memory and memory-2 might be a duplicate from previous files. https://lstacktech-my.sharepoint.co...pPleCBh0EYTrcB25XdRSaO-QY6eEm7htpKeg?e=nwUaCM
Okay. I used these 2 articles to try and disable Kerberos. Disabling Kerberos Disallow Kerberos authentication In the dump file, memory-dk1 is after link #1. memory-dk12 is after link 2 but with link 1 still in the registry. memory-dk2 is after link 2 without link 1 registry keys. memory and memory-2 might be a duplicate from previous files. https://lstacktech-my.sharepoint.co...pPleCBh0EYTrcB25XdRSaO-QY6eEm7htpKeg?e=nwUaCM
x BlueRobot Administrator Staff member Joined May 7, 2013 Posts 10,234 Location %systemroot% Jun 19, 2023 #9 All your crashes appear to be consistent with each other so I doubt that this is a hardware issue. Every crash is because of the GetPortSecurityDescriptor function. You may want to run the following command to get an ideal of which driver-related services are starting and which ones aren't essential. Code: sc query type=driver | find /i "DISPLAY_NAME:" Do you have any recent backups which you can restore from?
All your crashes appear to be consistent with each other so I doubt that this is a hardware issue. Every crash is because of the GetPortSecurityDescriptor function. You may want to run the following command to get an ideal of which driver-related services are starting and which ones aren't essential. Code: sc query type=driver | find /i "DISPLAY_NAME:" Do you have any recent backups which you can restore from?
L lifewithloki Member Joined Jun 16, 2023 Posts 8 Jul 4, 2023 #10 No, no backups. Luckily they had an old DC which was decommissioned not too long ago so I was able to configure a new DC with minimal issues.
No, no backups. Luckily they had an old DC which was decommissioned not too long ago so I was able to configure a new DC with minimal issues.
x BlueRobot Administrator Staff member Joined May 7, 2013 Posts 10,234 Location %systemroot% Jul 4, 2023 #11 I'm glad you managed to resolve the issue at least.