Windows 2008 R2 memory dump: how to fix it

ksangam20 (Member; joined Jul 13, 2015; 13 posts)

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000f4 (0x0000000000000003, 0xfffffa8012ee7060, 0xfffffa8012ee7340, 0xfffff80001dd4e30). A dump was saved in: C:\Memory.dmp. Report Id: 070915-34429-01.

Code:
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 0000000000000003, Process
Arg2: fffffa8012ee7060, Terminating object
Arg3: fffffa8012ee7340, Process image file name
Arg4: fffff80001dd4e30, Explanatory message (ascii)

Debugging Details:
------------------

PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details

PROCESS_OBJECT: fffffa8012ee7060

IMAGE_NAME:  _

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: _

FAULTING_MODULE: 0000000000000000 

PROCESS_NAME:  java.exe

BUGCHECK_STR:  0xF4_java.exe

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff80001e655c2 to fffff80001ad2c80

STACK_TEXT:  
fffff880`0b095b18 fffff800`01e655c2 : 00000000`000000f4 00000000`00000003 fffffa80`12ee7060 fffffa80`12ee7340 : nt!KeBugCheckEx
fffff880`0b095b20 fffff800`01e1dfbb : 00000000`00000001 fffffa80`124502f0 fffffa80`12ee7060 fffffa80`08282801 : nt!PspCatchCriticalBreak+0x92
fffff880`0b095b60 fffff800`01d88834 : 00000000`00000001 00000000`00000cc4 fffffa80`12ee7060 fffffa80`00000008 : nt! ?? ::NNGAKEGL::`string'+0x29d46
fffff880`0b095bb0 fffff800`01ad1f13 : 00000000`00000cc4 fffffa80`124502f0 fffffa80`12ee7060 00000000`000123d8 : nt!NtTerminateProcess+0x284
fffff880`0b095c20 00000000`7713c0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`192ee638 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7713c0da


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  X64_0xF4_java.exe_IMAGE__

BUCKET_ID:  X64_0xF4_java.exe_IMAGE__

Followup: MachineOwner
---------
 
Okay, we'll need the dump from C:\Windows\MEMORY.dmp

Upload it to a file sharing site in a .zip folder.
 
I would mention, it would be preferable, to me at least, that you use a reputable file sharing site such as Dropbox or OneDrive (originally named SkyDrive).
 
I'm struggling a bit here.
We might need to capture a full memory dump.

Press the Windows key + R.
Type in the following: control sysdm.cpl,,3
Then click on Settings under Startup and Recovery, and under the Write debugging information drop-down menu select Complete memory dump.
Restart the PC and wait for another crash.

Code:
//Thread that was executing at the time of the crash

1: kd> !thread fffffa80124502f0
THREAD fffffa80124502f0  Cid 06a0.12480  Teb: 000000007ef74000 Win32Thread: 0000000000000000 RUNNING on processor 1
Not impersonating
DeviceMap                 fffff8a000008890
Owning Process            fffffa80082828a0       Image:         java.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      63390148       Ticks: 0
Context Switch Count      15             IdealProcessor: 0             
UserTime                  00:00:00.000
KernelTime                00:00:00.046
Win32 Start Address 0x000000007445c724
Stack Init fffff8800b095db0 Current fffff8800b095390
Base fffff8800b096000 Limit fffff8800b090000 Call 0
Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0b095b18 fffff800`01e655c2 : 00000000`000000f4 00000000`00000003 fffffa80`12ee7060 fffffa80`12ee7340 : nt!KeBugCheckEx
fffff880`0b095b20 fffff800`01e1dfbb : 00000000`00000001 fffffa80`124502f0 fffffa80`12ee7060 fffffa80`08282801 : nt!PspCatchCriticalBreak+0x92
fffff880`0b095b60 fffff800`01d88834 : 00000000`00000001 00000000`00000cc4 fffffa80`12ee7060 fffffa80`00000008 : nt! ?? ::NNGAKEGL::`string'+0x29d46
fffff880`0b095bb0 fffff800`01ad1f13 : 00000000`00000cc4 fffffa80`124502f0 fffffa80`12ee7060 00000000`000123d8 : nt!NtTerminateProcess+0x284
fffff880`0b095c20 00000000`7713c0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b095c20)
00000000`192ee638 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7713c0da

//Thread that I believe caused the crash

1: kd> !thread fffffa800a959810
THREAD fffffa800a959810  Cid 06a0.10cb8  Teb: 000000007ef77000 Win32Thread: 0000000000000000 WAIT: (Executive) UserMode Non-Alertable
    fffffa800c091e68  NotificationEvent
IRP List:
    fffffa800a6305f0: (0006,0118) Flags: 00060900  Mdl: 00000000
Not impersonating
DeviceMap                 fffff8a000008890
Owning Process            fffffa80082828a0       Image:         java.exe
Attached Process          N/A            Image:         N/A
Wait Start TickCount      63388993       Ticks: 1155 (0:00:00:18.018)
Context Switch Count      7              IdealProcessor: 1             
UserTime                  00:00:00.000
KernelTime                00:00:00.000
Win32 Start Address 0x000000007445c724
Stack Init fffff8800b069db0 Current fffff8800b0697a0
Base fffff8800b06a000 Limit fffff8800b064000 Call 0
Priority 10 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
Child-SP          RetAddr           : Args to Child                                                           : Call Site
fffff880`0b0697e0 fffff800`01ad6a02 : fffffa80`0a6305f0 fffffa80`0a959810 00000000`00000000 fffffa80`139ffc00 : nt!KiSwapContext+0x7a
fffff880`0b069920 fffff800`01ada71f : fffffa80`00000000 fffff880`00faa785 fffff880`00000000 fffff880`00faa851 : nt!KiCommitThreadWait+0x1d2
fffff880`0b0699b0 fffff800`01dd99a9 : 00000000`00000000 fffffa80`00000000 00000000`00000001 fffffa80`0a630500 : nt!KeWaitForSingleObject+0x19f
fffff880`0b069a50 fffff800`01dba1d3 : fffffa80`0c091dd0 fffffa80`0c091dd0 fffffa80`0c091dd0 fffff880`009bf180 : nt!IopSynchronousServiceTail+0x2a9
fffff880`0b069ac0 fffff800`01ad1f13 : fffffa80`08282801 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtReadFile+0x631
fffff880`0b069bb0 00000000`74af2e09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`0b069c20)
00000000`1809eb68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x74af2e09

//IRP associated with the faulting thread

1: kd> !irp fffffa800a6305f0
Irp is active with 1 stacks 1 is current (= 0xfffffa800a6306c0)
 No Mdl: No System Buffer: Thread fffffa800a959810:  Irp stack trace.  
     cmd  flg cl Device   File     Completion-Context
>[  3, 0]   0  1 fffffa80073a98d0 fffffa800c091dd0 00000000-00000000    pending
	       \FileSystem\Npfs
			Args: 00002000 00000000 00000000 00000000

//Npfs irp

1: kd> !fileobj fffffa800c091dd0



Related File Object: 0xfffffa800abfe580

Device Object: 0xfffffa80073a98d0   \FileSystem\Npfs
Vpb is NULL

Flags:  0x40082
	Synchronous IO
	Named Pipe
	Handle Created

File Object is currently busy and has 0 waiters.

FsContext: 0x00010101	FsContext2: 0xfffff8a01d7a76b0
Private Cache Map: 0x00000001
CurrentByteOffset: 0

1: kd> !handle 40082

PROCESS fffffa80082828a0
    SessionId: 0  Cid: 06a0    Peb: 7efdf000  ParentCid: 0654
    DirBase: 22ab89000  ObjectTable: fffff8a0022dc480  HandleCount: 823.
    Image: java.exe

Handle table at fffff8a0022dc480 with 823 entries in use

Could not read handle entry at 1000400100000000

1: kd> .cxr fffff8a01d7a76b0
rax=fffff8a01d7a7728 rbx=0000101800000000 rcx=fffff8a01d7a7728
rdx=0000000000000002 rsi=fffff8a01d7a7758 rdi=fffff8a01d7a7758
rip=000000000067006f rsp=0000000000000000 rbp=fffff8a021129910
 r8=fffff8a02628a078  r9=fffff8a02628a078 r10=fffff8a0215bbb00
r11=fffff8a0030943a0 r12=fffff8a01d7a7788 r13=fffff8a01d7a7788
r14=fffff8a01d7a7798 r15=fffff8a01d7a7798
iopl=3 vip vif ov up ei ng nz na pe nc
cs=1dd0  ss=0828  ds=0c09  es=fa80  fs=ffff  gs=28a0             efl=fffffa80
1dd0:006f ??              ???

It could be related to Java, but I'm not sure exactly what it did that caused the Windows Subsystem to crash, hence why it would be better to get a full dump to find out.
If you want, it might be worth removing Java, especially if you don't need it as it can contain a lot of vulnerabilities and exploits that provide a serious security risk if not updated.
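
The post above asks for a Complete memory dump to be selected before the next crash. As an added example (not part of the original posts), this PowerShell function reads the same setting from the registry and checks whether the machine can actually write a complete dump; the function name `Test-CompleteDumpReadiness` is hypothetical, and the page-file rule assumes no dedicated dump file is configured.

```powershell
# Added example (not from the thread): audit crash-dump settings before waiting for the next crash.
# Get-WmiObject is used so this also runs on PowerShell 2.0 (Windows Server 2008 R2).
function Test-CompleteDumpReadiness {
    param([switch]$Enable)   # -Enable sets CrashDumpEnabled = 1; needs an elevated shell and a reboot

    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $types = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small (minidump)'; 7 = 'Automatic' }
    $cc    = Get-ItemProperty -Path $key

    # Physical RAM in MB; a complete dump is this size plus a small header.
    $ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

    # The dump is staged in the page file on the boot volume, so that file must hold
    # all of RAM plus 1 MB (assumes no DedicatedDumpFile is configured).
    $pf = Get-WmiObject Win32_PageFileUsage |
          Where-Object { $_.Name -like "$($env:SystemDrive)*" } | Select-Object -First 1
    $pageMB = 0
    if ($pf) { $pageMB = $pf.AllocatedBaseSize }

    # After reboot the dump is copied to DumpFile, so that volume needs room too.
    $drive  = Split-Path -Qualifier $cc.DumpFile
    $disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    $freeMB = [math]::Floor($disk.FreeSpace / 1MB)

    if ($Enable) {
        Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 1
        $cc = Get-ItemProperty -Path $key
    }

    New-Object PSObject -Property @{
        DumpType       = $types[[int]$cc.CrashDumpEnabled]
        DumpFile       = $cc.DumpFile
        RamMB          = $ramMB
        BootPageFileMB = $pageMB
        PageFileOK     = ($pageMB -ge ($ramMB + 1))
        DumpDiskFreeMB = $freeMB
        DiskSpaceOK    = ($freeMB -ge ($ramMB + 1))
        CompleteReady  = ([int]$cc.CrashDumpEnabled -eq 1) -and
                         ($pageMB -ge ($ramMB + 1)) -and ($freeMB -ge ($ramMB + 1))
    }
}

Test-CompleteDumpReadiness            # report only
# Test-CompleteDumpReadiness -Enable  # switch to a complete dump, then restart
```

A complete dump holds all of physical memory, including any credentials and keys resident at crash time, so the resulting file should be handled as sensitive data wherever it is stored or shared.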
 
Even if Java ends up having nothing to do with the crash, I would remove it anyway. There's no point in having it installed, and if an app requires Java to run, it's not an app worth using.
 
Although Java is generally terrible - I believe there was recently an update for around 193 different vulnerabilities around different products in one update - you can change your Java security settings to only enable Java to run for desktop applications, thus preventing (hopefully) malicious Java applets from being run in your web browser - Setting the Security Level of the Java Client

However, as Patrick said, any programs which are still reliant upon Java should be considered carefully. Most companies which were previously dependent upon Java have overhauled this design flaw and ensured their program to be independent of the Java run-time. Just as an example, Runescape created a standalone client a few years ago which could run the game without requiring Java.

The below is for informational purposes:


 
