[SOLVED] Windows Server 2022 BSOD Critical Process Died

[lifewithloki]

Hello,

I have a windows server 2022 that went down. I attached a link the the latest memory dump however I am not sure I am reading it correctly. I think the exception has something to do with Core Message DLL. Any help would be great.

I also added a cross link to my DISM issue and missing CBS packages. I would like to think they are related.

Thank you.


https://lstacktech-my.sharepoint.co...hDrLFiBor4VfkB9K3awG1PT32YJjwmVIcq1Q?e=obgrku

Windows Server 2022 DISM missing cbs packages

 

[x BlueRobot]

Please make sure that you .zip all large memory dump files before uploading them especially as they can approach 1-2GB quite easily.

It looks like one of your Kerberos services is possibly crashing and then terminating afterwards due to some unrecoverable error.

7: kd> .exr ffff9e8cd1cbca00
ExceptionAddress: 00007ffe3c87d497 (coremessaging!Microsoft::CoreUI::Registrar::AlpcServerAdapter::GetPortSecurityDescriptor+0x000000000001c7e3)
   ExceptionCode: e0464645
  ExceptionFlags: 00000001
NumberParameters: 2
   Parameter[0]: ffffffffd0000034
   Parameter[1]: 0000000000000000

7: kd> !error d0000034
Error code: (NTSTATUS) 0xd0000034 (3489660980) - Object Name not found.

I assume that GetPortSecurityDescriptor returns a security descriptor object for the given ALPC port. However, either a bad name is being passed or the name was completely null. This issue appears to be completely unrelated to your Windows Update issue.

[...]
0xffff9e8cd1cbcc18 : 0xfffff80575033185 : nt!KiSystemServiceCopyEnd+0x25
0xffff9e8cd1cbcc20 : 0xffffb40538bb1080 :  Trap @ ffff9e8cd1cbcc20
0xffff9e8cd1cbccf0 : 0x00007ffe43ba2204 : ntdll!NtRaiseException+0x14
0xffff9e8cd1cbcd80 : 0x00007ffe41336130 : KERNELBASE!RaiseFailFastException
0xffff9e8cd1cbcd88 : 0x00007ffe41336282 : KERNELBASE!RaiseFailFastException+0x152
0xffff9e8cd1cbcdb8 : 0xffff9e8cd1cb7000 :  !du "Kerberos"
0xffff9e8cd1cbceb8 : 0x00007ff60bbb5320 : svchost!wmainCRTStartup

Just some additional background information:

Spoiler

7: kd> !alpc /lpp ffffb40538a42300

Ports created by the process ffffb40538a42300:

    <none>

Ports the process ffffb40538a42300 is connected to:

    ffffb40538a35d20 0 -> ffffb40536ac5090 ('ApiPort') 0 ffffb40536a0e080 ('csrss.exe')
    ffffb40538a61a80 0 -> ffffb40536d61aa0 ('epmapper') 2 ffffb40537ec2300 ('svchost.exe')
    ffffb40538a51d90 0 -> ffffb40536c15d20 ('lsapolicylookup') 0 ffffb4053745f080 ('lsass.exe')
    ffffb40538af8ce0 0 -> ffffb40536c16db0 ('ntsvcs') 64 ffffb405374630c0 ('services.exe')

In your other thread, by recovery environment, I assume you're referring to Safe Mode? If so, then this issue probably isn't hardware-related. Have you got any security programs which run at boot?

 

[lifewithloki]

Not safe mode. I can't boot into safe mode either. I have to go into advance startup settings, repair computer, then command prompt

No, no security programs I believe.

Having missing/corrupt packages wouldn't cause this? If a bad name or null is being return maybe it is one of those packages?

 

[x BlueRobot]

Having missing/corrupt packages wouldn't cause this? If a bad name or null is being return maybe it is one of those packages?

No it wouldn't, those packages are just .mum and .cat files, both of which are used by the servicing stack which is the part of Windows Update. They're both part of %systemroot%\servicing\Packages which is then hardlinked to a couple of directories.

I would see if you can clone server and then see if you're able to disable Kerberos, at least we'll be able to see if you're able to boot the system normally.

 

[lifewithloki]

Okay.

How would I disable Kerberos? I've read a few links and haven't found a way to disable Kerberos and Kerberos can't be disabled

 

[x BlueRobot]

You should be able to change the authentication method used by Active Directory. I assume that this server is a domain controller? It might not be possible to disable it outside of Windows itself unfortunately, you could try opening RegEdit from Command Prompt by entering regedit.exe and then going to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

And then check for any values which allow you to configure it to be disabled. Otherwise, you might want to consider running MemTest86 for at least 8 passes to reduce the likelihood of any RAM issues as this can cause Stop 0xEF bugchecks: Test RAM with PassMark MemTest86 (version 7.4 was used)

Is there any other dump files apart from the one you uploaded? Have you checked under %systemroot%\Minidump?

 

[lifewithloki]

I will try that.

These are all the dump files I have. I did look at minidump but they had no file size.

https://lstacktech-my.sharepoint.co...VEjf6OEYa3WtUBQYXiVwzhu2vkYKsdN_QNww?e=D2gJ4f

 

[lifewithloki]

Okay. I used these 2 articles to try and disable Kerberos.

Disabling Kerberos
Disallow Kerberos authentication

In the dump file, memory-dk1 is after link #1. memory-dk12 is after link 2 but with link 1 still in the registry. memory-dk2 is after link 2 without link 1 registry keys. memory and memory-2 might be a duplicate from previous files.

https://lstacktech-my.sharepoint.co...pPleCBh0EYTrcB25XdRSaO-QY6eEm7htpKeg?e=nwUaCM

 

[x BlueRobot]

All your crashes appear to be consistent with each other so I doubt that this is a hardware issue. Every crash is because of the GetPortSecurityDescriptor function. You may want to run the following command to get an ideal of which driver-related services are starting and which ones aren't essential.

sc query type=driver | find /i "DISPLAY_NAME:"

Do you have any recent backups which you can restore from?

 

[lifewithloki]

No, no backups. Luckily they had an old DC which was decommissioned not too long ago so I was able to configure a new DC with minimal issues.

 

[x BlueRobot]

I'm glad you managed to resolve the issue at least.