BSOD on Windows Server 2008 R2 SP1

PatD

We have a file server that has been running for several years under Hyper-V. It has the latest integration tools for Hyper-V. In the past month, it has blue screened three times; never had a blue screen previously.

No recent changes to the machine, other than the usual Microsoft Security Patches (First BSOD happened on 8/9/2017; KB4025252 was installed on 7/30/2017.)

I have two minidumps and two full memory.dmp files. I can send via PM the BSOD file created by the Sysnative file. After looking through the data it puts together, would rather not put on a public forum.

Not sure if you guys work on servers, but hoping you can help. As this is virtual, most of the questions requested to be answered in the opening thread don't count. However, this machine was built with Server 2008 R2 SP1 and has never been "upgraded" from a previous OS. It is not from any kind of image but installed with original ISO from Microsoft.

Let me know if you have any other questions; appreciate it!
 
Could you check for driver updates for the driver in red?

Also, if you can, please follow these instructions: Driver Verifier - BSOD related - Windows 10, 8.1, 8, 7 & Vista

Make sure you create a restore point prior to running this and leave it running for at least 24h or until a new crash.

Code:
lsi_sas.sys Tue May 19 02:20:23 2009 (4A11FB47)  [highlighted in red]
LSI SAS driver http://www.lsi.com/support/
http://www.carrona.org/drivers/driver.php?id=lsi_sas.sys

intelppm.sys Tue Jul 14 01:19:25 2009 (4A5BC0FD)
Intel Processor driver Drivers & Software (http://downloadcenter.intel.com/Default.aspx) also at
http://www.carrona.org/drivers/driver.php?id=intelppm.sys

intelide.sys Tue Jul 14 01:19:48 2009 (4A5BC114)
Intel IDE storage driver Drivers & Software (http://downloadcenter.intel.com/Default.aspx) also at
http://www.carrona.org/drivers/driver.php?id=intelide.sys

NirSoftOpenedFilesDriver.sys Fri Jan 8 22:23:21 2010 (4B47A249)
NirSoftOpenedFilesDriver.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

amdxata.sys Fri Mar 19 17:18:18 2010 (4BA3A3CA)
AMD storage controller driver - usually from the Windows 7 DVD Windows Update
http://www.carrona.org/drivers/driver.php?id=amdxata.sys

dfsrro.sys Tue May 21 05:03:34 2013 (519AE406)
dfsrro.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

stcvsm.sys Mon Jun 10 22:05:39 2013 (51B63193)
StorageCraft driver http://www.storagecraft.com/software_update.php
http://www.carrona.org/drivers/driver.php?id=stcvsm.sys

em015_64.dat Tue Feb 23 10:07:44 2016 (56CC2160)
ESET File Security Driver Download - http://www.eset.com/us/products/file-security-microsoft-server/
Support - http://support.eset.com/
http://www.carrona.org/drivers/driver.php?id=em015_64.dat

sbmount.SYS Thu May 19 00:15:30 2016 (573CE982)
StorageCraft Driver http://www.storagecraft.com/software_update.php
http://www.carrona.org/drivers/driver.php?id=sbmount.SYS

netvsc60.sys Wed Jun 22 21:59:36 2016 (576AEE28)
netvsc60.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

VMBusVideoM.sys Wed Jun 22 22:03:16 2016 (576AEF04)
VMBusVideoM.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

eamonm.sys Tue Oct 4 13:03:09 2016 (57F38C6D)
ESET Amon driver Support: http://kb.eset.com/
Downloads: http://www.eset.com/int/download/home/
http://www.carrona.org/drivers/driver.php?id=eamonm.sys

ehdrv.sys Tue Oct 4 13:03:44 2016 (57F38C90)
ESET Support: http://kb.eset.com/
Downloads: http://www.eset.com/int/download/home/
http://www.carrona.org/drivers/driver.php?id=ehdrv.sys

PROCMON23.SYS Mon May 1 01:04:30 2017 (59066D7E)
PROCMON23.SYS - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.

em018_64.dat Mon Jun 26 19:48:26 2017 (595148EA)
ESET Smart Security Support: http://kb.eset.com/
Downloads: http://www.eset.com/int/download/home/
http://www.carrona.org/drivers/driver.php?id=em018_64.dat

em006_64.dat Thu Aug 10 16:15:48 2017 (598C6A94)
ESET Smart Security Support: http://kb.eset.com/
Downloads: http://www.eset.com/int/download/home/
http://www.carrona.org/drivers/driver.php?id=em006_64.dat


Code:

Debug session time: Mon Aug 21 15:43:40.443 2017 (UTC + 2:00)
Loading Dump File [D:\SysnativeBSODApps\082117-39593-01.dmp]
Built by: 7601.23864.amd64fre.win7sp1_ldr.170707-0600
System Uptime: 1 days 8:54:33.200
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+245 )
BugCheck 1, {7772bdaa, 0, ffff, fffff880065efb60}
BugCheck Info: APC_INDEX_MISMATCH (1) http://www.carrona.org/bsodindx.html#0x00000001
Bugcheck code 00000001
Arguments: 
Arg1: 000000007772bdaa, Address of system call function or worker routine
Arg2: 0000000000000000, Thread->ApcStateIndex
Arg3: 000000000000ffff, (Thread->SpecialApcDisable << 16) | Thread->KernelApcDisable
Arg4: fffff880065efb60, Call type (0 - system call, 1 - worker routine)
BUGCHECK_STR:  0x1
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER
PROCESS_NAME:  OpenedFilesVie
FAILURE_BUCKET_ID:  X64_0x1_SysCallNum_4_nt!KiSystemServiceExit+245
MaxSpeed:     2200
CurrentSpeed: 2194
BiosVersion = 090006
BiosReleaseDate = 05/23/2012
BaseBoardManufacturer = Microsoft Corporation
BaseBoardProduct = Virtual Machine
SystemManufacturer = Microsoft Corporation
SystemProductName = Virtual Machine

Debug session time: Wed Aug  9 16:58:28.401 2017 (UTC + 2:00)
Loading Dump File [D:\SysnativeBSODApps\080917-38296-01.dmp]
Built by: 7601.23807.amd64fre.win7sp1_ldr.170512-0600
System Uptime: 10 days 8:54:26.106
Probably caused by : ntkrnlmp.exe ( nt!KiSystemServiceExit+245 )
BugCheck 1, {7725bdaa, 0, ffff, fffff88007eb5b60}
BugCheck Info: APC_INDEX_MISMATCH (1) http://www.carrona.org/bsodindx.html#0x00000001
Bugcheck code 00000001
Arguments: 
Arg1: 000000007725bdaa, Address of system call function or worker routine
Arg2: 0000000000000000, Thread->ApcStateIndex
Arg3: 000000000000ffff, (Thread->SpecialApcDisable << 16) | Thread->KernelApcDisable
Arg4: fffff88007eb5b60, Call type (0 - system call, 1 - worker routine)
BUGCHECK_STR:  0x1
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT_SERVER
PROCESS_NAME:  OpenedFilesVie
FAILURE_BUCKET_ID:  X64_0x1_SysCallNum_4_nt!KiSystemServiceExit+245
MaxSpeed:     2200
CurrentSpeed: 2194
BiosVersion = 090006
BiosReleaseDate = 05/23/2012
BaseBoardManufacturer = Microsoft Corporation
BaseBoardProduct = Virtual Machine
SystemManufacturer = Microsoft Corporation
SystemProductName = Virtual Machine





--- E O J --- 2017 Aug 22 19:41:21 PM _88-dbug  Copyright 2017 Sysnative Forums 
 
The bugchecks on both dumps were the same - 0x1 - APC mismatch. This is a very uncommon, very rare bugcheck and basically means that there is a mismatch within the kernel. The dumps therefore list the kernel as the probable cause. But that really is a default of sorts.

In the unloaded module section of the dumps, part of a Nirsoft app appears at least 20x -
Code:
Unloaded modules:
fffff880`06c46000 fffff880`06c4d000   NirSoftOpene
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00007000
fffff880`06c3f000 fffff880`06c46000   NirSoftOpene
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00007000

Any idea what app that is?

What I mean by unloaded module is that this app is constantly put into memory (RAM - not pagefile), then is taken out again to make room for another module - then is put back into RAM and on it goes..... It is very suspicious to see it 20+ times.

If you absolutely don't need it, I would remove the app for now until the BSOD epidemic is over.

It is essential to now run Driver Verifier.

Regards. . .

jcgriff2
 
The LSI driver is odd to me. Looking through some other drivers in the report, I'm wondering if the information I have that this was built from an ISO is really correct. It almost feels like a P2V machine as I look deeper. I'll check out this driver.

However, the NirSoft is most likely the problem, I agree. This was put into place a few days before the BSOD started as a vendor is trying to find an issue with some open files that users are complaining about, and we have a batch file running it throughout the day. I'm going to kill this for now and monitor.

Thanks for your help gang. I'm hoping this is resolved, but will report back if not.
 
It's probably NirSoft's OpenedFilesView.

It appears to be that way, the dump file has OpenedFilesVie in the image name:

Code:
0: kd> !process
GetPointerFromAddress: unable to read from fffff80001cc1000
PROCESS fffffa800d90c270
    SessionId: none  Cid: 15a8    Peb: 7fffffde000  ParentCid: 14ac
    DirBase: 160ec8000  ObjectTable: fffff8a0018aa840  HandleCount: <Data Not Accessible>
    Image: OpenedFilesVie
    VadRoot fffffa800d002260 Vads 44 Clone 0 Private 745. Modified 4. Locked 0.
    DeviceMap fffff8a0019f0a60
    Token                             fffff8a040e647c0
    ReadMemory error: Cannot get nt!KeMaximumIncrement value.
fffff78000000000: Unable to get shared data
    ElapsedTime                       00:00:00.000
    UserTime                          00:00:00.000
    KernelTime                        00:00:00.000
    QuotaPoolUsage[PagedPool]         70040
    QuotaPoolUsage[NonPagedPool]      5288
    Working Set Sizes (now,min,max)  (1409, 50, 345) (5636KB, 200KB, 1380KB)
    PeakWorkingSetSize                1409
    VirtualSize                       36 Mb
    PeakVirtualSize                   36 Mb
    PageFaultCount                    1499
    MemoryPriority                    BACKGROUND
    BasePriority                      6
    CommitCharge                      852

        THREAD fffffa800e8c62a0  Cid 15a8.13a4  Teb: 000007fffffdc000 Win32Thread: fffff900c239d5e0 RUNNING on processor 0
        *** Error in reading nt!_ETHREAD @ fffffa8006e79060

As others have suggested, if the issue still occurs, then it would be best to run Driver Verifier with the Critical Region logging option set.
 
In case anyone is wondering how to obtain the parameter values, these are all found within the _KTHREAD structure:

Code:
0: kd> dt nt!_KTHREAD -y SpecialApcDisable
   +0x1c6 SpecialApcDisable : Int2B

Code:
0: kd> dt nt!_KTHREAD -y KernelApcDisable
   +0x1c4 KernelApcDisable : Int2B

Code:
0: kd> dt nt!_KTHREAD CombinedApcDisable
   +0x1c4 CombinedApcDisable : Uint4B

APCs are used for I/O operations and setting the thread context, which is evident from the crash dump, when the process receives a request from user-mode.

Code:
0: kd> knL
 # Child-SP          RetAddr           Call Site
00 fffff880`065ef928 fffff800`01a83f29 nt!KeBugCheckEx
01 fffff880`065ef930 fffff800`01a83e60 nt!KiBugCheckDispatch+0x69
02 fffff880`065efa70 00000000`7772bdaa nt!KiSystemServiceExit+0x245
03 00000000`0012d7c8 00000000`00000000 0x7772bdaa
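
Added example (not part of any post in this thread and not Sysnative's tooling): a small Python decoder for the 0x1 argument list that splits Arg3 into the two Int2B fields shown in the `dt` output above. The function names and finding strings are this example's own; reading a non-zero KernelApcDisable as an unbalanced critical region is an assumption based on the documented behaviour of KeEnterCriticalRegion/KeLeaveCriticalRegion.

```python
import re
import struct

# Constructed input: the two "BugCheck" summary lines quoted in the dumps above.
SAMPLE = (
    "BugCheck 1, {7772bdaa, 0, ffff, fffff880065efb60}\n"
    "BugCheck 1, {7725bdaa, 0, ffff, fffff88007eb5b60}\n"
)
BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}")
USER_HALF_TOP = 0x0000_7FFF_FFFF_FFFF  # top of the canonical lower (user) half on x64

def split_combined(arg3):
    """Arg3 mirrors _KTHREAD.CombinedApcDisable (Uint4B at +0x1c4): the low
    Int2B is KernelApcDisable (+0x1c4), the high Int2B SpecialApcDisable (+0x1c6)."""
    kernel, special = struct.unpack("<hh", struct.pack("<I", arg3 & 0xFFFFFFFF))
    return kernel, special

def decode_line(line):
    """Decode one summary line; returns None unless it is a well-formed bugcheck 0x1."""
    m = BUGCHECK_RE.search(line)
    if not m or int(m.group(1), 16) != 0x1:
        return None
    try:
        args = [int(a.strip(), 16) for a in m.group(2).split(",")]
    except ValueError:
        return None
    if len(args) != 4:
        return None
    kernel, special = split_combined(args[2])
    findings = []
    # Assumption (documented kernel behaviour, not stated in the thread): both
    # counters and ApcStateIndex must be zero when a system call returns.
    if args[1] != 0:
        findings.append("thread left attached to another process")
    if kernel != 0:
        findings.append("normal kernel APCs still disabled (unbalanced critical region)")
    if special != 0:
        findings.append("special kernel APCs still disabled (unbalanced guarded region)")
    return {"return_address": args[0], "user_mode_caller": args[0] <= USER_HALF_TOP,
            "apc_state_index": args[1], "kernel_apc_disable": kernel,
            "special_apc_disable": special, "findings": findings}

def decode_all(text):
    return [d for d in map(decode_line, text.splitlines()) if d]

if __name__ == "__main__":
    for d in decode_all(SAMPLE):
        print(hex(d["return_address"]), d["kernel_apc_disable"], d["findings"])
```

For both dumps Arg3 = 0xffff decodes to KernelApcDisable = -1 and SpecialApcDisable = 0, which is the condition Driver Verifier's critical region logging is meant to trace back to a driver.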
 
