Need help to analyze the memory dump

Microsoft (R) Windows Debugger Version 10.0.10240.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\kiran\CAFRFD1BSWSTD01\Memory.dmp]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.


************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred http://msdl.microsoft.com/download/symbols
Symbol search path is: http://msdl.microsoft.com/download/symbols
Executable search path is:
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 9600.18066.amd64fre.winblue_ltsb.150928-1002
Machine Name:
Kernel base = 0xfffff801`3ec7d000 PsLoadedModuleList = 0xfffff801`3ef52630
Debug session time: Fri Oct 23 10:08:59.792 2015 (UTC + 5:30)
System Uptime: 4 days 8:19:54.879
Loading Kernel Symbols
...............................................................
................................................................
............
Loading User Symbols
............................
Loading unloaded module list
.........................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck C000021A, {ffffc001dab984f0, 0, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::OKHAJAOM::`string'+269a )

Followup: MachineOwner
---------


This is a STATUS_SYSTEM_PROCESS_TERMINATED bugcheck.
It signals that the system is rebooting due to a critical service termination.
The bugcheck is not very useful for debugging. To investigate the root cause
find the related svchost.exe crashes that happened on the same machine
around the time of this dump.
 
3: kd> .bugcheck
Bugcheck code C000021A
Arguments ffffc001`dab984f0 00000000`00000000 00000000`00000000 00000000`00000000
3: kd> k
# Child-SP RetAddr Call Site
00 ffffd000`270f56b8 fffff801`3f003991 nt!KeBugCheckEx
01 ffffd000`270f56c0 fffff801`3effd4ea nt!PopGracefulShutdown+0x2c9
02 ffffd000`270f5700 fffff801`3edd80b3 nt! ?? ::OKHAJAOM::`string'+0x269a
03 ffffd000`270f5840 fffff801`3edd0520 nt!KiSystemServiceCopyEnd+0x13
04 ffffd000`270f59d8 fffff801`3f210191 nt!KiServiceLinkage
05 ffffd000`270f59e0 fffff801`3f1480d3 nt! ?? ::NNGAKEGL::`string'+0x6ea61
06 ffffd000`270f5aa0 fffff801`3ecf253a nt!PopPolicyWorkerAction+0x63
07 ffffd000`270f5b10 fffff801`3ed0775f nt!PopPolicyWorkerThread+0xba
08 ffffd000`270f5b50 fffff801`3ed7af1c nt!ExpWorkerThread+0x69f
09 ffffd000`270f5c00 fffff801`3edd2ec6 nt!PspSystemThreadStartup+0x58
0a ffffd000`270f5c60 00000000`00000000 nt!KiStartSystemThread+0x16
3: kd> .frame 0n2;dv /t /v
02 ffffd000`270f5700 fffff801`3edd80b3 nt! ?? ::OKHAJAOM::`string'+0x269a
Unable to enumerate locals, HRESULT 0x80004005
Private symbols (symbols.pri) are required for locals.
Type ".hh dbgerr005" for details.

Can someone help me on this?
 
Hi ksangam20 & welcome to the forums ^_^,

I have analysed your dump file, and below is an analysis of the same for informative purposes:

WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: ffffc001dab984f0, String that identifies the problem.
Arg2: 0000000000000000, Error Code.
Arg3: 0000000000000000
Arg4: 0000000000000000


Let's dump the first argument -
Code:
3: kd> db ffffc001dab984f0
ffffc001`dab984f0  57 69 6e 64 6f 77 73 20-6d 75 73 74 20 6e 6f 77  Windows must now
ffffc001`dab98500  20 72 65 73 74 61 72 74-20 62 65 63 61 75 73 65   restart because
ffffc001`dab98510  20 74 68 65 20 52 65 6d-6f 74 65 20 50 72 6f 63   the Remote Proc
ffffc001`dab98520  65 64 75 72 65 20 43 61-6c 6c 20 28 52 50 43 29  edure Call (RPC)
ffffc001`dab98530  20 73 65 72 76 69 63 65-20 74 65 72 6d 69 6e 61   service termina
ffffc001`dab98540  74 65 64 20 75 6e 65 78-70 65 63 74 65 64 6c 79  ted unexpectedly
ffffc001`dab98550  00 01 00 00 00 00 00 05-12 00 00 00 00 00 00 00  ................
ffffc001`dab98560  08 02 03 03 4e 74 66 30-d6 b2 12 35 4d eb 7e ed  ....Ntf0...5M.~.
According to the error message, the RPC (Remote Procedure Service) terminated unexpectedly. Below is the stack trace -
Code:
3: kd> knL
 # Child-SP          RetAddr           Call Site
00 ffffd000`270f56b8 fffff801`3f003991 nt!KeBugCheckEx
01 ffffd000`270f56c0 fffff801`3effd4ea nt!PopGracefulShutdown+0x2c9
02 ffffd000`270f5700 fffff801`3edd80b3 nt!NtSetSystemPowerState+0x269a
03 ffffd000`270f5840 fffff801`3edd0520 nt!KiSystemServiceCopyEnd+0x13
04 ffffd000`270f59d8 fffff801`3f210191 nt!KiServiceLinkage
05 ffffd000`270f59e0 fffff801`3f1480d3 nt!PopIssueActionRequest+0x6ea61
06 ffffd000`270f5aa0 fffff801`3ecf253a nt!PopPolicyWorkerAction+0x63
07 ffffd000`270f5b10 fffff801`3ed0775f nt!PopPolicyWorkerThread+0xba
08 ffffd000`270f5b50 fffff801`3ed7af1c nt!ExpWorkerThread+0x69f
09 ffffd000`270f5c00 fffff801`3edd2ec6 nt!PspSystemThreadStartup+0x58
0a ffffd000`270f5c60 00000000`00000000 nt!KiStartSystemThread+0x16


There are two locked threads (although it is not necessary that they are the root cause); one belongs to services.exe while the other one belongs to the Virtual Disk Service.

I also noticed one strange thing in the dump file and that is the inclusion of the below module -
Code:
services.exe
Even though the executable was signed, it is not supposed to be there in the Modules list. We generally see drivers and this would be the first time when I am seeing an Executable.

I would suggest you follow the instructions below -
  1. First of all, let's start with the removal of McAfee. It is known to cause problems and lately, I have been seeing various cases involving this. Kindly use **THIS** tool to remove it.
  2. Kindly uninstall VMware while we are troubleshooting the system.
  3. Please check the system for malware using MalwareBytes.
  4. Kindly follow the instructions given **HERE** and upload the ZIP file with your next post.


Let me know how it goes ^_^

-Pranav
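The step Pranav walks through above (read Arg1 of c000021a as a pointer, `db` it, and read the NUL-terminated message to learn which service died) can be scripted so the same triage is repeatable across several dumps from the same box. This is an added example, not code from the thread or from the debugger; it re-types the `BugCheck` line and the `db` output quoted above as test data, and the function names (`parse_bugcheck`, `parse_db`, `arg1_message`, `triage`) are my own. It knows only the one bugcheck code discussed here and reports any other code by number.

```python
import re

# Sample input: the WinDbg output quoted in this thread, re-typed here as test data.
BUGCHECK_LINE = "BugCheck C000021A, {ffffc001dab984f0, 0, 0, 0}"
DB_OUTPUT = """\
ffffc001`dab984f0  57 69 6e 64 6f 77 73 20-6d 75 73 74 20 6e 6f 77  Windows must now
ffffc001`dab98500  20 72 65 73 74 61 72 74-20 62 65 63 61 75 73 65   restart because
ffffc001`dab98510  20 74 68 65 20 52 65 6d-6f 74 65 20 50 72 6f 63   the Remote Proc
ffffc001`dab98520  65 64 75 72 65 20 43 61-6c 6c 20 28 52 50 43 29  edure Call (RPC)
ffffc001`dab98530  20 73 65 72 76 69 63 65-20 74 65 72 6d 69 6e 61   service termina
ffffc001`dab98540  74 65 64 20 75 6e 65 78-70 65 63 74 65 64 6c 79  ted unexpectedly
ffffc001`dab98550  00 01 00 00 00 00 00 05-12 00 00 00 00 00 00 00  ................
ffffc001`dab98560  08 02 03 03 4e 74 66 30-d6 b2 12 35 4d eb 7e ed  ....Ntf0...5M.~.
"""
# Only the code this thread is about; anything else is reported by number.
BUGCHECK_NAMES = {0xC000021A: "WINLOGON_FATAL_ERROR"}

# address, then 16 hex bytes separated by ' ' (and '-' after the 8th); the ASCII column is ignored
DB_LINE = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})")

def parse_bugcheck(line):
    """Split 'BugCheck <code>, {a1, a2, a3, a4}' into (code, [a1, a2, a3, a4])."""
    m = re.match(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("not a BugCheck line: %r" % line)
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_db(text):
    """Rebuild raw bytes from `db` output, skipping prompts and other non-dump lines."""
    data = bytearray()
    for line in text.splitlines():
        m = DB_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1).replace("-", "").replace(" ", ""))
    return bytes(data)

def arg1_message(raw):
    """Arg1 of c000021a points to a NUL-terminated ANSI string; bytes after the NUL are unrelated."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def triage(bugcheck_line, db_text):
    """Name the bugcheck, decode Arg1, and pull out which service terminated."""
    code, args = parse_bugcheck(bugcheck_line)
    msg = arg1_message(parse_db(db_text))
    svc = re.search(r"because the (.+?) service terminated", msg)
    return {"code": code, "name": BUGCHECK_NAMES.get(code, "0x%08X" % code),
            "arg1": args[0], "message": msg,
            "service": svc.group(1) if svc else None}
```

Once the service name is known, the next artefacts to pull are that service's own crash records (Application log Event ID 1000 entries and any WER user-mode dumps for the hosting svchost.exe) from just before the dump time, which is what the first reply above points at.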
 
