BSOD W2k12 R2

D

dmr

New member
Joined
Feb 18, 2015
Posts
3
Hello dear experts.
I ask your help with the solution of the problem regularly arises BSOD on our two servers running Windows 2012 R2.
Both Hyper-V, one is idle and the other with two productive virtual machines. The system is installed over a month
ago, everything worked fine. Started to reboot a week ago. Now every day at different times.
Server x240 updated, installed in IBM Flex Chassis. I hope very much for your help. If you need additional information - write.
BlueScreenView error on the server are the same. Minidamp folder from one server here
https://onedrive.live.com/redir?resid=D2EE26C3A583E933!148&authkey=!ACRlTHoZAwifAzo&ithint=file,zip
Thank you in advance. Kind regards, Damir.

attached two files with the minidump both servers.
 

Attachments

Both servers are experiencing the same consistent bug check.

It's going to be rather difficult to debug considering we cannot switch processor contexts with a small memory dump.

Code: 
21: kd> .bugcheck
Bugcheck code 00000139
Arguments 00000000`00000003 ffffd001`b30e91b0 ffffd001`b30e9108 00000000`00000000

LIST_ENTRY corruption.

Code: 
21: kd> .trap ffffd001b30e91b0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffe000370e6ef0 rbx=0000000000000000 rcx=0000000000000003
rdx=ffffe00031e674e0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80130cdf30d rsp=ffffd001b30e9340 rbp=ffffe0002eb73a20
 r8=0000000000000000  r9=0000000000000002 r10=ffffe0002ec95540
r11=ffffe801ce0575c4 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po cy
NDIS!ndisNsiEnumerateAllInterfaceInformation+0x25c0d:
fffff801`30cdf30d cd29            int     29h

Taking a look at the trap frame regarding the unhandled exception behind the bug check, we can see it was an interrupt instruction (specifically int 29h).

Code: 
21: kd> !idt 29
Cannot get PCR address

Small dump, no dice.

Code: 
21: kd> kn
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr           Call Site
00 ffffd001`b30e9340 fffff801`30c09308 NDIS!ndisNsiEnumerateAllInterfaceInformation+0x25c0d
01 ffffd001`b30e9460 fffff801`31c58fc1 NETIO!NsiEnumerateObjectsAllParametersEx+0x20d
02 ffffd001`b30e9650 fffff801`31c58bea nsiproxy!NsippEnumerateObjectsAllParameters+0x201
03 ffffd001`b30e9840 fffff802`d663c38f nsiproxy!NsippDispatch+0x5a
04 ffffd001`b30e9880 fffff802`d663b92e nt!IopXxxControlFile+0xa4f
05 ffffd001`b30e9a20 fffff802`d63eb1b3 nt!NtDeviceIoControlFile+0x56
06 ffffd001`b30e9a90 00000000`76fb2352 nt!KiSystemServiceCopyEnd+0x13
07 00000000`017bf128 00000000`00000000 0x76fb2352

Code: 
21: kd> u NsiEnumerateObjectsAllParametersEx
NETIO!NsiEnumerateObjectsAllParametersEx:
fffff801`30c09100 48894c2408      mov     qword ptr [rsp+8],rcx
fffff801`30c09105 55              push    rbp
fffff801`30c09106 53              push    rbx
fffff801`30c09107 56              push    rsi
fffff801`30c09108 4155            push    r13
fffff801`30c0910a 488dac2438ffffff lea     rbp,[rsp-0C8h]
fffff801`30c09112 4881ecc8010000  sub     rsp,1C8h
fffff801`30c09119 448b4920        mov     r9d,dword ptr [rcx+20h]

We can see in frame 02, the NsippEnumerateObjectsAllParameters function passes control to the NsiEnumerateObjectsAllParametersEx function. Interestingly enough, as opposed to its prior Nsixxxxx function, this Nsi function is exported instead by the Network I/O Subsystem:

Code: 
[B]NETIO[/B]!NsiEnumerateObjectsAllParametersEx+0x20d

With that said, given we're building descriptors and passing buffers throughout various drivers regarding networking such as nsi, NETIO, ndis, etc... you can imagine this is a driver working with the network causing a conflict.

Code: 
21: kd> !thread
GetPointerFromAddress: unable to read from fffff802d65f2000
THREAD ffffe801cd5d7080  Cid 0768.0790  Teb: 000000007fead000 Win32Thread: 0000000000000000 RUNNING on processor 15
IRP List:
    Unable to read nt!_IRP @ ffffe801cdc52780
Not impersonating
GetUlongFromAddress: unable to read from fffff802d653eac0
Owning Process            ffffe00037a87080       Image:         hasplms.exe
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      5534093      
Context Switch Count      866833         IdealProcessor: 21             
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x0000000000a814f9
Stack Init ffffd001b30e9c90 Current ffffd001b30e9760
Base ffffd001b30ea000 Limit ffffd001b30e4000 Call 0

Code: 
21: kd> dps ffffd001b30e4000 ffffd001b30ea000

ffffd001`b30e8058  fffff801`32da6fecUnable to load image \SystemRoot\System32\Drivers\dump_LSI_SAS2.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for dump_LSI_SAS2.sys
*** ERROR: Module load completed but symbols could not be loaded for dump_LSI_SAS2.sys
 dump_LSI_SAS2+0x2fec

Code: 
// Aladdin security kernel-mode driver
21: kd> lmvm aksdf
start             end                 module name
fffff801`327c6000 fffff801`327dad00   aksdf      (deferred)             
    Image path: \??\C:\Windows\system32\drivers\aksdf.sys
    Image name: aksdf.sys
    Timestamp:        Mon Jul 22 12:52:38 2013

I am almost willing to bet that if you enable verifier, Aladdin security will likely be the culprit. That's really old for a kernel-mode driver regarding a security product on a corporate scale, possibility of some bugs. I'd remove it for troubleshooting purposes if I were you.
 
Last edited:
Patrick said:
Code: 
// Aladdin security kernel-mode driver
21: kd> lmvm aksdf
start             end                 module name
fffff801`327c6000 fffff801`327dad00   aksdf      (deferred)             
    Image path: \??\C:\Windows\system32\drivers\aksdf.sys
    Image name: aksdf.sys
    Timestamp:        Mon Jul 22 12:52:38 2013

I am almost willing to bet that if you enable verifier, Aladdin security will likely be the culprit. That's really old for a kernel-mode driver regarding a security product on a corporate scale, possibility of some bugs. I'd remove it for troubleshooting purposes if I were you.
Click to expand...
This driver (or at least some versions of it) has a crazy bug, which results in OS leaving closed processes in memory (AKA "zombie processes"), resulting in system slowness/crashes either due to PID (processes have XXXXXX length PIDs) or memory (each "zombie" process takes 4K of memory) exhaustion. The case is extremely difficult to troubleshoot if you're not aware about this and what's even more interesting is that you won't even know about this issue unless you actually have many processes being created-closed on the server or the server running for many months.

It's probably not the case of the BSODs here, but I just wanted to have this documented in case someone will be searching for this.
 
Last edited:
Dear experts, thank you for your answers. The situation is such that a driver aksdf.sys has only one server, but on the other it is not. Please analyze the problem with the second server. If necessary MEMORY.DMP servers let - lay. I hope very much for your help. Sincerely, Damir.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top