Hello,
Last night i received an alarm that one of my servers went offline.
Nothing strange in the logfiles either, the last logfiles created in the system logbook is from 41 minutes before the BSOD appeared.
I've checked the dumpfile, can someone help me analyze the issues? I've found the following:
Loading Kernel Symbols
-- User interrupt
Loading Dump File [D:\BSOD\VOS\Mini012914-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_qfe.130502-1535
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808b1a08
Debug session time: Wed Jan 29 22:50:55.165 2014 (UTC + 1:00)
System Uptime: 5 days 22:41:13.531
Loading Kernel Symbols
.................................................. .............
.................................................. ..........
Loading User Symbols
Loading unloaded module list
..................
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {ffffff50, 0, 808468d9, 0}
Could not read faulting driver name
Probably caused by : ntkrnlmp.exe ( nt!ObReferenceObjectSafe+3 )
Followup: MachineOwner
---------
3: kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffff50, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 808468d9, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: ffffff50
FAULTING_IP:
nt!ObReferenceObjectSafe+3
808468d9 8b0a mov ecx,dword ptr [edx]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x50
PROCESS_NAME: zabbix_agentd.e
CURRENT_IRQL: 1
TRAP_FRAME: b6709940 -- (.trap 0xffffffffb6709940)
ErrCode = 00000000
eax=87659300 ebx=808b7c48 ecx=ffffff68 edx=ffffff50 esi=87f57020 edi=00000000
eip=808468d9 esp=b67099b4 ebp=b67099c8 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
nt!ObReferenceObjectSafe+0x3:
808468d9 8b0a mov ecx,dword ptr [edx] ds:0023:ffffff50=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 808695c0 to 8087ccc2
STACK_TEXT:
b67098d8 808695c0 00000050 ffffff50 00000000 nt!KeBugCheckEx+0x1b
b6709928 8083692c 00000000 ffffff50 00000000 nt!MmAccessFault+0x813
b6709928 808468d9 00000000 ffffff50 00000000 nt!KiTrap0E+0xdc
b67099b0 8094439a b407e480 00e4f67c 87659328 nt!ObReferenceObjectSafe+0x3
b67099c8 80854021 87659328 00023000 00e4f67c nt!PsGetNextProcess+0x6c
b6709a58 80944617 01410050 00023000 00e4f67c nt!ExpGetProcessInformation+0x36d
b6709d4c 808338db 00000005 01410050 00023000 nt!NtQuerySystemInformation+0x11e0
b6709d4c 7c82845c 00000005 01410050 00023000 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
00e4f684 00000000 00000000 00000000 00000000 0x7c82845c
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ObReferenceObjectSafe+3
808468d9 8b0a mov ecx,dword ptr [edx]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ObReferenceObjectSafe+3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 51831c55
FAILURE_BUCKET_ID: 0x50_nt!ObReferenceObjectSafe+3
BUCKET_ID: 0x50_nt!ObReferenceObjectSafe+3
Followup: MachineOwner
---------
Last night i received an alarm that one of my servers went offline.
Nothing strange in the logfiles either, the last logfiles created in the system logbook is from 41 minutes before the BSOD appeared.
I've checked the dumpfile, can someone help me analyze the issues? I've found the following:
Loading Kernel Symbols
-- User interrupt
Loading Dump File [D:\BSOD\VOS\Mini012914-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*C:\SymCache*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_qfe.130502-1535
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808b1a08
Debug session time: Wed Jan 29 22:50:55.165 2014 (UTC + 1:00)
System Uptime: 5 days 22:41:13.531
Loading Kernel Symbols
.................................................. .............
.................................................. ..........
Loading User Symbols
Loading unloaded module list
..................
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
Use !analyze -v to get detailed debugging information.
BugCheck 50, {ffffff50, 0, 808468d9, 0}
Could not read faulting driver name
Probably caused by : ntkrnlmp.exe ( nt!ObReferenceObjectSafe+3 )
Followup: MachineOwner
---------
3: kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffff50, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 808468d9, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: ffffff50
FAULTING_IP:
nt!ObReferenceObjectSafe+3
808468d9 8b0a mov ecx,dword ptr [edx]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x50
PROCESS_NAME: zabbix_agentd.e
CURRENT_IRQL: 1
TRAP_FRAME: b6709940 -- (.trap 0xffffffffb6709940)
ErrCode = 00000000
eax=87659300 ebx=808b7c48 ecx=ffffff68 edx=ffffff50 esi=87f57020 edi=00000000
eip=808468d9 esp=b67099b4 ebp=b67099c8 iopl=0 nv up ei pl nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217
nt!ObReferenceObjectSafe+0x3:
808468d9 8b0a mov ecx,dword ptr [edx] ds:0023:ffffff50=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 808695c0 to 8087ccc2
STACK_TEXT:
b67098d8 808695c0 00000050 ffffff50 00000000 nt!KeBugCheckEx+0x1b
b6709928 8083692c 00000000 ffffff50 00000000 nt!MmAccessFault+0x813
b6709928 808468d9 00000000 ffffff50 00000000 nt!KiTrap0E+0xdc
b67099b0 8094439a b407e480 00e4f67c 87659328 nt!ObReferenceObjectSafe+0x3
b67099c8 80854021 87659328 00023000 00e4f67c nt!PsGetNextProcess+0x6c
b6709a58 80944617 01410050 00023000 00e4f67c nt!ExpGetProcessInformation+0x36d
b6709d4c 808338db 00000005 01410050 00023000 nt!NtQuerySystemInformation+0x11e0
b6709d4c 7c82845c 00000005 01410050 00023000 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
00e4f684 00000000 00000000 00000000 00000000 0x7c82845c
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!ObReferenceObjectSafe+3
808468d9 8b0a mov ecx,dword ptr [edx]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!ObReferenceObjectSafe+3
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 51831c55
FAILURE_BUCKET_ID: 0x50_nt!ObReferenceObjectSafe+3
BUCKET_ID: 0x50_nt!ObReferenceObjectSafe+3
Followup: MachineOwner
---------
Comment