hshabany
Hi,
I have Windows Server 2008R2 that started shutting down randomly due to a bugcheck. The machine was functional for several years but this started to happen in the last couple of weeks. I have analyzed the memory dump file but it specifies the cause as
ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+487ed ). I have searched this and it is very common and it is most likely related to a bad driver. I need to find out which driver it relates to so I can update it. Below is the bugcheck analysis.
Microsoft (R) Windows Debugger Version 10.0.17763.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Users\changanadmin\Desktop\MEMORY.DMP]
Kernel Summary Dump File: Kernel address space is available, User address space may not be available.
Symbol search path is: srv*
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (24 procs) Free x64
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
Machine Name:
Kernel base = 0xfffff800`01c5e000 PsLoadedModuleList = 0xfffff800`01ea1670
Debug session time: Wed Mar 6 22:55:04.737 2019 (UTC - 4:00)
System Uptime: 0 days 1:35:45.737
Loading Kernel Symbols
...............................................................
................................................................
................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {ffffffffc000001d, fffffa80172f0002, 0, ffffff00}
Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+487ed )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc000001d, The exception code that was not handled
Arg2: fffffa80172f0002, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 00000000ffffff00, Parameter 1 of the exception
Debugging Details:
------------------
KEY_VALUES_STRING: 1
STACKHASH_ANALYSIS: 1
TIMELINE_ANALYSIS: 1
DUMP_CLASS: 1
DUMP_QUALIFIER: 401
BUILD_VERSION_STRING: 7601.18113.amd64fre.win7sp1_gdr.130318-1533
SYSTEM_MANUFACTURER: HP
SYSTEM_PRODUCT_NAME: ProLiant DL380 G7
SYSTEM_SKU: 605875-005
BIOS_VENDOR: HP
BIOS_VERSION: P67
BIOS_DATE: 08/16/2015
DUMP_TYPE: 1
BUGCHECK_P1: ffffffffc000001d
BUGCHECK_P2: fffffa80172f0002
BUGCHECK_P3: 0
BUGCHECK_P4: ffffff00
EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.
FAULTING_IP:
+0
fffffa80`172f0002 41 ???
BUGCHECK_STR: 0x1E_c000001d
CPU_COUNT: 18
CPU_MHZ: d04
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 2c
CPU_STEPPING: 2
CPU_MICROCODE: 6,2c,2,0 (F,M,S,R) SIG: 1D'00000000 (cache) 1D'00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
PROCESS_NAME: System
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: CAUSLP-071
ANALYSIS_SESSION_TIME: 03-12-2019 09:11:05.0037
ANALYSIS_VERSION: 10.0.17763.1 amd64fre
LAST_CONTROL_TRANSFER: from fffff80001d1e728 to fffff80001cd3c00
FAILED_INSTRUCTION_ADDRESS:
+0
fffffa80`172f0002 41 ???
STACK_TEXT:
fffff880`10510f78 fffff800`01d1e728 : 00000000`0000001e ffffffff`c000001d fffffa80`172f0002 00000000`00000000 : nt!KeBugCheckEx
fffff880`10510f80 fffff800`01cd3282 : fffff880`10511758 00000000`0002ca00 fffff880`10511800 00000000`172f9a00 : nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`10511620 fffff800`01cd13df : fffff880`10511800 fffff880`01867d00 fffffa80`172b5a00 fffffa80`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`10511800 fffffa80`172f0002 : fffffa80`15f2317a 00000000`00000000 fffffa80`2adb1f60 fffff880`0464acf0 : nt!KiInvalidOpcodeFault+0x11f
fffff880`10511998 fffffa80`15f2317a : 00000000`00000000 fffffa80`2adb1f60 fffff880`0464acf0 fffffa80`2adb1f60 : 0xfffffa80`172f0002
fffff880`105119a0 00000000`00000000 : fffffa80`2adb1f60 fffff880`0464acf0 fffffa80`2adb1f60 fffff8a0`00000002 : 0xfffffa80`15f2317a
THREAD_SHA1_HASH_MOD_FUNC: 39fdd2401a938d43ff74f9e2e8a7949bee6f7971
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: dee522e47da05aa9e16be9c5579c7a7a5c31f7db
THREAD_SHA1_HASH_MOD: d084f7dfa548ce4e51810e4fd5914176ebc66791
FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+487ed
fffff800`01d1e728 cc int 3
FAULT_INSTR_CODE: 78868bcc
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+487ed
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5147d9c6
IMAGE_VERSION: 6.1.7601.18113
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: X64_0x1E_c000001d_BAD_IP_nt!_??_::FNODOBFM::_string_+487ed
BUCKET_ID: X64_0x1E_c000001d_BAD_IP_nt!_??_::FNODOBFM::_string_+487ed
PRIMARY_PROBLEM_CLASS: X64_0x1E_c000001d_BAD_IP_nt!_??_::FNODOBFM::_string_+487ed
TARGET_TIME: 2019-03-07T02:55:04.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 274
PRODUCT_TYPE: 3
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 Server (Service Pack 1) Enterprise TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2013-03-18 23:21:42
BUILDDATESTAMP_STR: 130318-1533
BUILDLAB_STR: win7sp1_gdr
BUILDOSVER_STR: 6.1.7601.18113.amd64fre.win7sp1_gdr.130318-1533
ANALYSIS_SESSION_ELAPSED_TIME: 379
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:x64_0x1e_c000001d_bad_ip_nt!_??_::fnodobfm::_string_+487ed
FAILURE_ID_HASH: {31b87173-9076-a67a-c3ba-18b033152baf}
Followup: MachineOwner
---------
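Added example (not part of the original post): the bugcheck text says the exception address usually pinpoints the driver, so this sketch parses the STACK_TEXT lines quoted above and lists the frames the debugger could only print as raw addresses, then checks which of them is the exception address from BUGCHECK_P2. The function names are hypothetical; the input is copied from the post.

```python
import re

# STACK_TEXT and BUGCHECK_P2 are copied from the !analyze -v output in the post.
# Function names below are hypothetical helpers, not WinDbg features.
BUGCHECK_P2 = 0xfffffa80172f0002
STACK_TEXT = r"""
fffff880`10510f78 fffff800`01d1e728 : 00000000`0000001e ffffffff`c000001d fffffa80`172f0002 00000000`00000000 : nt!KeBugCheckEx
fffff880`10510f80 fffff800`01cd3282 : fffff880`10511758 00000000`0002ca00 fffff880`10511800 00000000`172f9a00 : nt! ?? ::FNODOBFM::`string'+0x487ed
fffff880`10511620 fffff800`01cd13df : fffff880`10511800 fffff880`01867d00 fffffa80`172b5a00 fffffa80`00000000 : nt!KiExceptionDispatch+0xc2
fffff880`10511800 fffffa80`172f0002 : fffffa80`15f2317a 00000000`00000000 fffffa80`2adb1f60 fffff880`0464acf0 : nt!KiInvalidOpcodeFault+0x11f
fffff880`10511998 fffffa80`15f2317a : 00000000`00000000 fffffa80`2adb1f60 fffff880`0464acf0 fffffa80`2adb1f60 : 0xfffffa80`172f0002
fffff880`105119a0 00000000`00000000 : fffffa80`2adb1f60 fffff880`0464acf0 fffffa80`2adb1f60 fffff8a0`00000002 : 0xfffffa80`15f2317a
"""

HEX = r"[0-9a-f]{8}`[0-9a-f]{8}"
# Layout of a kb line: child-SP, return address, four args, then the call site.
FRAME = re.compile(r"^(" + HEX + r") (" + HEX + r") : (?:" + HEX + r" ){4}: (.+)$")

def addr(text):
    """Convert WinDbg's 64-bit notation (with or without 0x) to an int."""
    return int(text.replace("`", ""), 16)

def parse_stack(text):
    """Return one dict per stack frame; module is None when no symbol was shown."""
    frames = []
    for line in text.strip().splitlines():
        m = FRAME.match(line.strip())
        if not m:
            continue
        site = m.group(3).strip()
        module = site.split("!", 1)[0] if "!" in site else None
        frames.append({"child_sp": addr(m.group(1)), "ret": addr(m.group(2)),
                       "site": site, "module": module})
    return frames

def unsymbolized(frames):
    """Frames printed as a bare address, i.e. not resolved to module!symbol."""
    return [f for f in frames if f["module"] is None]

def faulting_frame(frames, exception_address):
    """The unsymbolized frame whose address equals the exception address."""
    for f in unsymbolized(frames):
        if addr(f["site"]) == exception_address:
            return f
    return None

if __name__ == "__main__":
    for f in unsymbolized(parse_stack(STACK_TEXT)):
        print(f["site"], "returns to", hex(f["ret"]))
```

On this stack the two frames below nt!KiInvalidOpcodeFault carry no module name, and the first of them is the exception address itself.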