My 2012 R2 terminal server has been crashing every once in a while. I've tried to go through the dump files but I'm not good at reading them to get to the root cause. Thought I could get some help here at understanding them so I can find a solution to this problem. Here is the dump log.
Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 9600.18821.amd64fre.winblue_ltsb.170914-0600
Machine Name:
Kernel base = 0xfffff803`0ec75000 PsLoadedModuleList = 0xfffff803`0ef47650
Debug session time: Thu Dec 21 16:25:28.310 2017 (UTC - 5:00)
System Uptime: 31 days 21:12:06.352
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8030f25e572, Address of the instruction which caused the bugcheck
Arg3: ffffd0002e264e60, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10
CONTEXT: ffffd0002e264e60 -- (.cxr 0xffffd0002e264e60)
rax=0000000000000000 rbx=ffffffffffffffff rcx=ffffe0004da9d580
rdx=ffffe0004ceb5ef8 rsi=ffffe0004ceb5f88 rdi=ffffe0004ceb5ef0
rip=fffff8030f25e572 rsp=ffffd0002e265890 rbp=0000000000000000
r8=0000000000000000 r9=ffffe0004ceb5ef8 r10=ffffe0004da9d580
r11=fffff8030edce398 r12=0000000000000000 r13=0000000000000011
r14=ffffe0004ceb5e40 r15=ffffe0004da9d580
iopl=0 nv up ei pl nz ac pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010213
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+0x12:
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10 ds:002b:00000000`00000020=????????????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER
BUGCHECK_STR: 0x3B
PROCESS_NAME: WerFault.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff8030f25e518 to fffff8030f25e572
STACK_TEXT:
ffffd000`2e265890 fffff803`0f25e518 : ffffe000`56801918 00000000`04aeebf0 00000000`04aee458 ffffffff`ffffffff : nt!AlpcpReferenceMessageByWaitingThreadPortQueue+0x12
ffffd000`2e2658d0 fffff803`0f25e2cf : ffffffff`ffffffff fffff803`0ef48038 ffffe000`4ceb5e40 ffffffff`ffffffff : nt!AlpcpReferenceMessageByWaitingThreadPort+0x184
ffffd000`2e265920 fffff803`0f25e74a : 00000000`00000120 ffffd000`2e265b80 00000000`00000000 ffffe000`5a268080 : nt!AlpcpReferenceMessageByWaitingThread+0xcb
ffffd000`2e265970 fffff803`0f1c11d6 : 00000000`00000000 fffff960`00181575 ffffe000`00000120 00000000`04aee458 : nt!AlpcpPortQueryServerInfo+0xca
ffffd000`2e265a30 fffff803`0edce3b3 : ffffe000`5a268080 00000000`04aee408 fffff6fb`40001de0 fffff680`00000120 : nt! ?? ::NNGAKEGL::`string'+0x2c036
ffffd000`2e265a90 00007ffb`357c0f2a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`04aee3e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7ffb`357c0f2a
FOLLOWUP_IP:
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 59ba8548
STACK_COMMAND: .cxr 0xffffd0002e264e60 ; kb
FAILURE_BUCKET_ID: X64_0x3B_nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
BUCKET_ID: X64_0x3B_nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
Followup: MachineOwner
---------
Any help is appreciated.
Comments
> My 2012 R2 terminal server has been crashing every once in a while. I've tried to go through the dump files but I'm not good at reading them to get to the root cause. Thought I could get some help here at understanding them so I can find a solution to this problem. Here is the dump log.
There's really nothing to be learned here. You're getting a null
pointer dereference inside the Asynchronous Local Procedure Call
subsystem. About all you can do is open a support incident with
Microsoft technical support, and hope your dump reaches the proper hands.
--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
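The null-pointer reading above can be checked directly from the posted register context. The following is an added example, not code from the thread or from OSR: it recomputes the faulting operand address from the base register and compares it with the address the debugger printed. The function names and the 64 KB threshold are assumptions made for this illustration.

```python
import re

# Register context and faulting-instruction line copied from the dump in the post.
DUMP = """\
rax=0000000000000000 rbx=ffffffffffffffff rcx=ffffe0004da9d580
rdx=ffffe0004ceb5ef8 rsi=ffffe0004ceb5f88 rdi=ffffe0004ceb5ef0
rip=fffff8030f25e572 rsp=ffffd0002e265890 rbp=0000000000000000
r8=0000000000000000 r9=ffffe0004ceb5ef8 r10=ffffe0004da9d580
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10 ds:002b:00000000`00000020=????????????????
"""

REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
MEM_RE = re.compile(r"ptr \[(r[a-z0-9]{1,2})(?:([+-])([0-9a-f]+)h)?\]")
SEG_RE = re.compile(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})`([0-9a-f]{8})=")
NULL_GUARD = 0x10000             # assumption: below 64 KB means NULL + field offset
KERNEL_MIN = 0xFFFF800000000000  # lower bound of x64 kernel-mode addresses


def computed_address(text):
    """Recompute base register + displacement for the faulting memory operand."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = MEM_RE.search(text)
    if not m or m.group(1) not in regs:
        return None
    disp = int(m.group(3), 16) if m.group(3) else 0
    if m.group(2) == "-":
        disp = -disp
    return m.group(1), (regs[m.group(1)] + disp) & 0xFFFFFFFFFFFFFFFF


def reported_address(text):
    """Address the debugger printed after the operand (seg:sel:hi`lo=...)."""
    m = SEG_RE.search(text)
    return int(m.group(1) + m.group(2), 16) if m else None


def classify(addr):
    if addr < NULL_GUARD:
        return "null-pointer dereference (NULL + 0x%x)" % addr
    return "kernel address" if addr >= KERNEL_MIN else "user address"


if __name__ == "__main__":
    base, addr = computed_address(DUMP)
    assert addr == reported_address(DUMP)
    print("%s-based access to 0x%x: %s" % (base, addr, classify(addr)))
```

With r8 equal to zero, the operand `[r8+20h]` resolves to 0x20, which matches the unreadable `00000000`00000020` the debugger shows.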
memory dump. What I'm interested in is that this process is werfault.exe so
I'd like to see the peb block to see what process it's attaching to and
then see what that process was doing. [!peb]
I'm not sure why werfault.exe is generating a SYSTEM_SERVICE_EXCEPTION
but maybe it's down to the process it's attaching to. I guess a non-windbg
diagnosis avenue is to see if there is anything about app crashes in
the eventlog.
Kind Regards,
Tom
On Fri, Dec 22, 2017 at 3:20 PM, [email protected]
wrote:
> My 2012 R2 terminal server has been crashing every once in a while. I've
> tried to go through the dump files but I'm not good at reading them to get
> to the root cause. Thought I could get some help here at understanding them
> so I can find a solution to this problem. Here is the dump log.