SYSTEM_SERVICE_EXCEPTION (3b)

My 2012 R2 terminal server has been crashing every once in a while. I’ve tried to go through the dump files but I’m not good at reading them to get to the root cause. Thought I could get some help here at understanding them so I can find a solution to this problem. Here is the dump log.

Crash Dump Analysis provided by OSR Open Systems Resources, Inc. (http://www.osr.com)
Online Crash Dump Analysis Service
See http://www.osronline.com for more information
Windows 8 Kernel Version 9600 MP (8 procs) Free x64
Product: Server, suite: TerminalServer
Built by: 9600.18821.amd64fre.winblue_ltsb.170914-0600
Machine Name:
Kernel base = 0xfffff8030ec75000 PsLoadedModuleList = 0xfffff8030ef47650
Debug session time: Thu Dec 21 16:25:28.310 2017 (UTC - 5:00)
System Uptime: 31 days 21:12:06.352
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff8030f25e572, Address of the instruction which caused the bugcheck
Arg3: ffffd0002e264e60, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at “0x%08lx” referenced memory at “0x%08lx”. The memory could not be “%s”.

FAULTING_IP:
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10

CONTEXT: ffffd0002e264e60 – (.cxr 0xffffd0002e264e60)
rax=0000000000000000 rbx=ffffffffffffffff rcx=ffffe0004da9d580
rdx=ffffe0004ceb5ef8 rsi=ffffe0004ceb5f88 rdi=ffffe0004ceb5ef0
rip=fffff8030f25e572 rsp=ffffd0002e265890 rbp=0000000000000000
r8=0000000000000000 r9=ffffe0004ceb5ef8 r10=ffffe0004da9d580
r11=fffff8030edce398 r12=0000000000000000 r13=0000000000000011
r14=ffffe0004ceb5e40 r15=ffffe0004da9d580
iopl=0 nv up ei pl nz ac pe cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010213
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+0x12:
fffff8030f25e572 4d395020 cmp qword ptr [r8+20h],r10 ds:002b:0000000000000020=???
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER

BUGCHECK_STR: 0x3B

PROCESS_NAME: WerFault.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff8030f25e518 to fffff8030f25e572

STACK_TEXT:
ffffd0002e265890 fffff8030f25e518 : ffffe00056801918 0000000004aeebf0 0000000004aee458 ffffffffffffffff : nt!AlpcpReferenceMessageByWaitingThreadPortQueue+0x12
ffffd0002e2658d0 fffff8030f25e2cf : ffffffffffffffff fffff8030ef48038 ffffe0004ceb5e40 ffffffffffffffff : nt!AlpcpReferenceMessageByWaitingThreadPort+0x184
ffffd0002e265920 fffff8030f25e74a : 0000000000000120 ffffd0002e265b80 0000000000000000 ffffe0005a268080 : nt!AlpcpReferenceMessageByWaitingThread+0xcb
ffffd0002e265970 fffff8030f1c11d6 : 0000000000000000 fffff96000181575 ffffe00000000120 0000000004aee458 : nt!AlpcpPortQueryServerInfo+0xca
ffffd0002e265a30 fffff8030edce3b3 : ffffe0005a268080 0000000004aee408 fffff6fb40001de0 fffff68000000120 : nt! ?? ::NNGAKEGL::string'+0x2c036
ffffd0002e265a90 00007ffb357c0f2a : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : nt!KiSystemServiceCopyEnd+0x13
0000000004aee3e8 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0x7ffb357c0f2a

FOLLOWUP_IP:
nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12
fffff803`0f25e572 4d395020 cmp qword ptr [r8+20h],r10

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 59ba8548

STACK_COMMAND: .cxr 0xffffd0002e264e60 ; kb

FAILURE_BUCKET_ID: X64_0x3B_nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12

BUCKET_ID: X64_0x3B_nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12

Followup: MachineOwner

Any help is appreciated.

"xxxxx@yahoo.com windbg"@lists.osr.com wrote:

> My 2012 R2 terminal server has been crashing every once in a while. I’ve tried to go through the dump files but I’m not good at reading them to get to the root cause. Thought I could get some help here at understanding them so I can find a solution to this problem. Here is the dump log.

There’s really nothing to be learned here.  You’re getting a null
pointer dereference inside the Asynchronous Local Procedure Call
subsystem.  About all you can do is open a support incident with
Microsoft technical support, and hope your dump reaches the proper hands.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

You’re going to have to dig deeper into this dump or likely capture a full
memory dump. What I’m interested in is that this process is werfault.exe, so
I’d like to see the peb block to see what process it’s attaching to and
then see what that process was doing. [!peb]

I’m not sure why werfault.exe is generating a SYSTEM_SERVICE_EXCEPTION,
but maybe it’s down to the process it’s attaching to. I guess a non-windbg
diagnosis avenue is to see if there is anything about app crashes in
the eventlog.

Kind Regards,
Tom

On Fri, Dec 22, 2017 at 3:20 PM, xxxxx@yahoo.com
wrote:

> My 2012 R2 terminal server has been crashing every once in a while. I’ve
> tried to go through the dump files but I’m not good at reading them to get
> to the root cause. Thought I could get some help here at understanding them
> so I can find a solution to this problem. Here is the dump log.