SYSTEM_SERVICE_EXCEPTION (3b)

My 2012 R2 terminal server has been crashing every once in a while. I've tried to go through the dump files but I'm not good at reading them to get to the root cause. Thought I could get some help here at understanding them so I can find a solution to this problem. Here is the dump log.

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 9600.18821.amd64fre.winblue_ltsb.170914-0600
Machine Name:
Kernel base = 0xfffff803`0ec75000 PsLoadedModuleList = 0xfffff803`0ef47650
Debug session time: Thu Dec 21 16:25:28.310 2017 (UTC - 5:00)
System Uptime: 31 days 21:12:06.352
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8030f25e572, Address of the instruction which caused the bugcheck
Arg3: ffffd0002e264e60, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10

CONTEXT: ffffd0002e264e60 -- (.cxr 0xffffd0002e264e60)
rax=0000000000000000 rbx=ffffffffffffffff rcx=ffffe0004da9d580
rdx=ffffe0004ceb5ef8 rsi=ffffe0004ceb5f88 rdi=ffffe0004ceb5ef0
rip=fffff8030f25e572 rsp=ffffd0002e265890 rbp=0000000000000000
r8=0000000000000000 r9=ffffe0004ceb5ef8 r10=ffffe0004da9d580
r11=fffff8030edce398 r12=0000000000000000 r13=0000000000000011
r14=ffffe0004ceb5e40 r15=ffffe0004da9d580
iopl=0 nv up ei pl nz ac pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010213
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+0x12:
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10 ds:002b:00000000`00000020=????????????????
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER

BUGCHECK_STR: 0x3B

PROCESS_NAME: WerFault.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff8030f25e518 to fffff8030f25e572

STACK_TEXT:
ffffd000`2e265890 fffff803`0f25e518 : ffffe000`56801918 00000000`04aeebf0 00000000`04aee458 ffffffff`ffffffff : nt!AlpcpReferenceMessageByWaitingThreadPortQueue+0x12
ffffd000`2e2658d0 fffff803`0f25e2cf : ffffffff`ffffffff fffff803`0ef48038 ffffe000`4ceb5e40 ffffffff`ffffffff : nt!AlpcpReferenceMessageByWaitingThreadPort+0x184
ffffd000`2e265920 fffff803`0f25e74a : 00000000`00000120 ffffd000`2e265b80 00000000`00000000 ffffe000`5a268080 : nt!AlpcpReferenceMessageByWaitingThread+0xcb
ffffd000`2e265970 fffff803`0f1c11d6 : 00000000`00000000 fffff960`00181575 ffffe000`00000120 00000000`04aee458 : nt!AlpcpPortQueryServerInfo+0xca
ffffd000`2e265a30 fffff803`0edce3b3 : ffffe000`5a268080 00000000`04aee408 fffff6fb`40001de0 fffff680`00000120 : nt! ?? ::NNGAKEGL::`string'+0x2c036
ffffd000`2e265a90 00007ffb`357c0f2a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`04aee3e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7ffb`357c0f2a


FOLLOWUP_IP:
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 59ba8548

STACK_COMMAND: .cxr 0xffffd0002e264e60 ; kb

FAILURE_BUCKET_ID: X64_0x3B_nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12

BUCKET_ID: X64_0x3B_nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12

Followup: MachineOwner
---------

Any help is appreciated.

Comments

  • Tim_Roberts Posts: 12,622
    "xxxxx@yahoo.com windbg"@lists.osr.com wrote:
    > My 2012 R2 terminal server has been crashing every once in a while. I've tried to go through the dump files but I'm not good at reading them to get to the root cause. Thought I could get some help here at understanding them so I can find a solution to this problem. Here is the dump log.

    There's really nothing to be learned here.  You're getting a null
    pointer dereference inside the Asynchronous Local Procedure Call
    subsystem.  About all you can do is open a support incident with
    Microsoft technical support, and hope your dump reaches the proper hands.

    --
    Tim Roberts, xxxxx@probo.com
    Providenza & Boekelheide, Inc.

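How the null-pointer diagnosis in the reply above can be read off the dump, as an added example that is not part of the original thread: the faulting instruction reads `[r8+20h]` and the context record shows `r8` is zero. The function name `triage`, the 64 KB threshold and the excerpted input are assumptions of this sketch.

```python
import re

# Excerpt constructed from the analysis output quoted in the original post.
ANALYSIS = """\
Arg1: 00000000c0000005, Exception code that caused the bugcheck
rax=0000000000000000 rbx=ffffffffffffffff rcx=ffffe0004da9d580
rip=fffff8030f25e572 rsp=ffffd0002e265890 rbp=0000000000000000
r8=0000000000000000 r9=ffffe0004ceb5ef8 r10=ffffe0004da9d580
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+0x12:
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10 ds:002b:00000000`00000020=????????????????
"""

ARG1 = re.compile(r"Arg1:\s*([0-9a-f]{16})")
REG = re.compile(r"\b(r[a-z0-9]{1,3})=([0-9a-f]{16})\b")
# Memory operand of the form [base], [base+NNh] or [base-NNh].
MEM = re.compile(r"\[(r[a-z0-9]{1,3})(?:([+-])([0-9a-f]+)h)?\]")
# The debugger's own operand annotation: seg:sel:hi`lo=value-or-question-marks.
ANNOT = re.compile(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})=(\?+|[0-9a-f]+)")

ACCESS_VIOLATION = 0xC0000005
NULL_REGION = 0x10000  # assumption: treat the lowest 64 KB as the null-pointer region


def triage(text):
    """Recompute the faulting operand address from the register context."""
    regs = {name: int(val, 16) for name, val in REG.findall(text)}
    # The annotated disassembly line carries both the operand and its address.
    line = next(l for l in text.splitlines() if MEM.search(l) and ANNOT.search(l))
    base, sign, disp = MEM.search(line).groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    ea = (regs[base] + offset) & 0xFFFFFFFFFFFFFFFF
    hi, lo, value = ANNOT.search(line).groups()
    arg1 = ARG1.search(text)
    return {
        "access_violation": bool(arg1) and int(arg1.group(1), 16) == ACCESS_VIOLATION,
        "base_register": base,
        "effective_address": ea,
        "matches_debugger": ea == int(hi + lo, 16),  # cross-check our arithmetic
        "unreadable": value.startswith("?"),         # '?' means memory not readable
        "null_deref": regs[base] == 0 and ea < NULL_REGION,
    }


if __name__ == "__main__":
    for key, val in triage(ANALYSIS).items():
        print(f"{key}: {hex(val) if key == 'effective_address' else val}")
```

A zero base register plus a small field offset is the signature of a null structure pointer; a non-zero base that still faults points at freed or corrupted memory instead and needs a different line of investigation.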

  • You're going to have to dig deeper into this dump or likely capture a full
    memory dump. What I'm interested in is that this process is werfault.exe, so
    I'd like to see the PEB block to see what process it's attaching to and
    then see what that process was doing. [!peb]

    I'm not sure why werfault.exe is generating a SYSTEM_SERVICE_EXCEPTION,
    but maybe it's down to the process it's attaching to. I guess a non-windbg
    diagnosis avenue is to see if there is anything about app crashes in
    the event log.

    Kind Regards,
    Tom

    On Fri, Dec 22, 2017 at 3:20 PM, xxxxx@yahoo.com
    wrote:

    > My 2012 R2 terminal server has been crashing every once in a while. I've
    > tried to go through the dump files but I'm not good at reading them to get
    > to the root cause. Thought I could get some help here at understanding them
    > so I can find a solution to this problem. Here is the dump log.