I am new to this forum and I hope I can find some help here. I administer a small network with about 6 people connecting to a terminal server with Wyse thin clients. Recently, the server started getting BSODs and rebooting on its own. I can't say this for sure, but from what I can tell this happens when someone logs off. I have the memory dump, and was hoping someone might be able to point me in the right direction. I already ran memtest for a night and it made it through a dozen passes without an error, so I think the memory is good. Anyway, here is the dump:
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available
Symbol search path is: SRV*c:\symbols*Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 3790.srv03_sp2_gdr.101019-0340
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Sep 21 16:29:13.401 2011 (GMT-4)
System Uptime: 2 days 5:17:21.085
Loading Kernel Symbols
...............................................................
..............................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
Loading unloaded module list
................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, bf8a235d, f4133a90, 0}
Page 114a12 not present in the dump file. Type ".hh dbgerr004" for details
Page 114a2e not present in the dump file. Type ".hh dbgerr004" for details
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
Probably caused by : SYMEVENT.SYS ( SYMEVENT+12175 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8a235d, The address that the exception occurred at
Arg3: f4133a90, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd900c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
win32k!xxxRedrawWindow+4c
bf8a235d f6461e40 test byte ptr [esi+1Eh],40h
TRAP_FRAME: f4133a90 -- (.trap 0xfffffffff4133a90)
ErrCode = 00000000
eax=00000001 ebx=00000000 ecx=0000029d edx=00000001 esi=00000000 edi=bca79868
eip=bf8a235d esp=f4133b04 ebp=f4133b1c iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
win32k!xxxRedrawWindow+0x4c:
bf8a235d f6461e40 test byte ptr [esi+1Eh],40h ds:0023:0000001e=??
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8082d820 to 80827c83
STACK_TEXT:
f413365c 8082d820 0000008e c0000005 bf8a235d nt!KeBugCheckEx+0x1b
f4133a20 8088a2ca f4133a3c 00000000 f4133a90 nt!KiDispatchException+0x3a2
f4133a88 8088a27e f4133b1c bf8a235d badb0d00 nt!CommonDispatchException+0x4a
f4133a9c bf85d467 00000000 00000000 bca79828 nt!KiExceptionExit+0x186
f4133b1c bf84a43f 00000000 bca79868 00000000 win32k!xxxEndDeferWindowPosEx+0x29d
f4133b78 bf83c6dd 00000000 f4133be0 bf8b7aec win32k!xxxDestroyWindow+0x21e
f4133b84 bf8b7aec be118898 bc997930 bc9978b0 win32k!HMDestroyUnlockedObject+0x1c
f4133b98 bf8b7ee8 88deb500 00000000 00000000 win32k!DestroyThreadsObjects+0x72
f4133be0 bf8b6740 00000001 f4133c08 bf8b759f win32k!xxxDestroyThreadInfo+0x23e
f4133bec bf8b759f 88deb500 00000001 00000000 win32k!UserThreadCallout+0x4b
f4133c08 8094c3d2 88deb500 00000001 88deb500 win32k!W32pThreadCallout+0x3a
f4133c94 8094c765 00000000 00000000 88deb500 nt!PspExitThread+0x3b2
f4133cac 8094cab7 88deb500 00000000 00000001 nt!PspTerminateThreadByPointer+0x4b
f4133cd0 f5f23175 fffffffe 00000000 8a6d40c0 nt!NtTerminateThread+0x71
WARNING: Stack unwind information not available. Following frames may be wrong.
f4133d54 808897ec fffffffe 00000000 013effdc SYMEVENT+0x12175
f4133d54 0016b100 fffffffe 00000000 013effdc nt!KiFastCallEntry+0xfc
0000003b 00000000 00000000 00000000 00000000 0x16b100
STACK_COMMAND: kb
FOLLOWUP_IP:
SYMEVENT+12175
f5f23175 e96c030000 jmp SYMEVENT+0x124e6 (f5f234e6)
SYMBOL_STACK_INDEX: e
SYMBOL_NAME: SYMEVENT+12175
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SYMEVENT
IMAGE_NAME: SYMEVENT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4551513d
FAILURE_BUCKET_ID: 0x8E_SYMEVENT+12175
BUCKET_ID: 0x8E_SYMEVENT+12175
Followup: MachineOwner
---------