Gurucharann
Hi Team,
ntkrnlmp.exe is causing the BSOD. May I know if someone can help me find the root cause and which driver is causing the issue?
Following is the primary analysis from my side, but I am unable to find the exact root cause. Kindly help me with this. The OS is Windows 2012 R2.
Windows 8 Kernel Version 9600 MP (2 procs) Free x64
Product: Server, suite: TerminalServer DataCenter SingleUserTS
Built by: 9600.18969.amd64fre.winblue_ltsb.180309-0600
Machine Name:
Kernel base = 0xfffff803`9a80a000 PsLoadedModuleList = 0xfffff803`9aad6570
Debug session time: Mon May 14 06:51:05.163 2018 (UTC - 4:00)
System Uptime: 3 days 0:44:48.504
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
WINLOGON_FATAL_ERROR (c000021a)
The Winlogon process terminated unexpectedly.
Arguments:
Arg1: ffffc000726b9e10, String that identifies the problem.
Arg2: 0000000000000000, Error Code.
Arg3: 0000000000000000
Arg4: 0000000000000000
Debugging Details:
------------------
----- ETW minidump data unavailable-----TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
BUGCHECK_STR: 0xc000021a_0
ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x). The system has been shut down.
EXCEPTION_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error} The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x). The system has been shut down.
EXCEPTION_PARAMETER1: ffffc000726b9e10
EXCEPTION_PARAMETER2: 0000000000000000
EXCEPTION_PARAMETER3: 0000000000000000
EXCEPTION_PARAMETER4: 0
ADDITIONAL_DEBUG_TEXT: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER
PROCESS_NAME: services.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff8039ab890c9 to fffff8039a95f2a0
STACK_TEXT:
ffffd000`232d06b8 fffff803`9ab890c9 : 00000000`0000004c 00000000`c000021a ffffd000`269393f8 ffffe000`d1b91530 : nt!KeBugCheckEx
ffffd000`232d06c0 fffff803`9ab80d0a : 00000000`00000000 ffffd000`232d07d9 00000000`00000000 00000000`00000002 : nt!PopGracefulShutdown+0x2c9
ffffd000`232d0700 fffff803`9a971513 : ffffe000`d5a23040 fffff803`9a947000 00000000`c0000004 fffff803`9a8a2400 : nt! ?? ::OKHAJAOM::`string'+0x111a
ffffd000`232d0840 fffff803`9a963240 : fffff803`9ad8c61b 00000000`00000001 ffffd000`232d0a58 00000000`c0000004 : nt!KiSystemServiceCopyEnd+0x13
ffffd000`232d09d8 fffff803`9ad8c61b : 00000000`00000001 ffffd000`232d0a58 00000000`c0000004 fffff803`9a983ffc : nt!KiServiceLinkage
ffffd000`232d09e0 fffff803`9acccbe7 : 00000000`00000000 00000000`00000000 fffff803`9aaf2180 ffffe000`d5a23180 : nt! ?? ::NNGAKEGL::`string'+0x6571b
ffffd000`232d0aa0 fffff803`9a8bd986 : fffff803`9a8bd8cc 00000000`00000000 00000000`00000002 00000000`00000000 : nt!PopPolicyWorkerAction+0x63
ffffd000`232d0b10 fffff803`9a87128f : fffff803`00000002 ffffe000`d5a23040 fffff803`9aabd080 00000000`00000000 : nt!PopPolicyWorkerThread+0xba
ffffd000`232d0b50 fffff803`9a8ffa34 : ffffe000`d8a74d80 fffff803`9aaf2180 00000000`00000080 ffffe000`cf21e900 : nt!ExpWorkerThread+0x69f
ffffd000`232d0c00 fffff803`9a9675d6 : fffff803`9aaf2180 ffffe000`d5a23040 ffffe000`dd7d1040 00000000`00000000 : nt!PspSystemThreadStartup+0x178
ffffd000`232d0c60 00000000`00000000 : ffffd000`232d1000 ffffd000`232cb000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt! ?? ::OKHAJAOM::`string'+111a
fffff803`9ab80d0a cc int 3
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt! ?? ::OKHAJAOM::`string'+111a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5aa29c76
FAILURE_BUCKET_ID: X64_0xc000021a_0_nt!_??_::OKHAJAOM::_string_+111a
BUCKET_ID: X64_0xc000021a_0_nt!_??_::OKHAJAOM::_string_+111a
Followup: MachineOwner