Help analyzing Crash Dump file
- From: "Darhl Thomason" <darhlt@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 19 Apr 2007 18:03:48 -0700
I have been having problems with my Win03 SP2 server crashing/rebooting for
no apparent reason. The event log shows nothing other than "The previous
shutdown was unexpected" (Duh!)
I downloaded WinDbg and the Symbol files for my server. I ran WinDbg
against the Memory.dmp, but I don't know how to interpret what it is saying.
The content of the debug session is below:
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available
Symbol search path is: SRV*c:\windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_rtm.070216-1710
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48
Debug session time: Thu Apr 19 06:55:27.617 2007 (GMT-7)
System Uptime: 0 days 15:44:44.347
Loading Kernel Symbols
..................................................................................................................................
Loading User Symbols
.......................................................................................................
Loading unloaded module list
.........................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 20, {0, fed8, 0, 1}
Probably caused by : ntoskrnl.exe ( nt!PspExitThread+64c )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_APC_PENDING_DURING_EXIT (20)
The key data item is the thread's APC disable count.
If this is non-zero, then this is the source of the problem.
The APC disable count is decremented each time a driver calls
KeEnterCriticalRegion, KeInitializeMutex, or FsRtlEnterFileSystem. The APC
disable count is incremented each time a driver calls KeLeaveCriticalRegion,
KeReleaseMutex, or FsRtlExitFileSystem. Since these calls should always be in
pairs, this value should be zero when a thread exits. A negative value
indicates that a driver has disabled APC calls without re-enabling them. A
positive value indicates that the reverse is true.
If you ever see this error, be very suspicious of all drivers installed on the
machine -- especially unusual or non-standard drivers. Third party file
system redirectors are especially suspicious since they do not generally
receive the heavy duty testing that NTFS, FAT, RDR, etc receive.
This current IRQL should also be 0. If it is not, that a driver's
cancelation routine can cause this bugcheck by returning at an elevated
IRQL. Always attempt to note what you were doing/closing at the
time of the crash, and note all of the installed drivers at the time of
the crash. This symptom is usually a severe bug in a third party
driver.
Arguments:
Arg1: 00000000, The address of the APC found pending during exit.
Arg2: 0000fed8, The thread's APC disable count
Arg3: 00000000, The current IRQL
Arg4: 00000001
Debugging Details:
------------------
BUGCHECK_STR: 0x20_NULLAPC_KAPC_NEGATIVE
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: winlogon.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8095b0b8 to 80876ae0
STACK_TEXT:
babacc80 8095b0b8 00000020 00000000 0000fed8 nt!KeBugCheckEx+0x1b
babacd18 8090a5c6 00000000 00000000 825bf368 nt!PspExitThread+0x64c
babacd30 809159cf 825bf368 00000000 00000001 nt!PspTerminateThreadByPointer+0x4b
babacd54 808234cb 00000000 00000000 00c3ffb8 nt!NtTerminateThread+0x71
babacd54 7c8285ec 00000000 00000000 00c3ffb8 nt!KiFastCallEntry+0xf8
00c3ff9c 7c827c2b 77e4f932 00000000 00000000 ntdll!KiFastSystemCallRet
00c3ffa0 77e4f932 00000000 00000000 00000000 ntdll!ZwTerminateThread+0xc
00c3ffb8 77e6482e 00000000 00000000 00000000 kernel32!ExitThread+0x41
00c3ffec 00000000 76becac1 00000000 00000000 kernel32!BaseThreadStart+0x39
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!PspExitThread+64c
8095b0b8 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!PspExitThread+64c
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45d6a072
FAILURE_BUCKET_ID: 0x20_NULLAPC_KAPC_NEGATIVE_nt!PspExitThread+64c
BUCKET_ID: 0x20_NULLAPC_KAPC_NEGATIVE_nt!PspExitThread+64c
Followup: MachineOwner
---------
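
Added example, not part of the original post and not WinDbg's own logic: a Python triage helper that decodes the bugcheck 0x20 arguments from the session above using the rules in the !analyze text. It assumes Arg2 is a 16-bit signed counter (consistent with the KAPC_NEGATIVE bucket in the output); `triage_bugcheck_20`, `to_signed` and `OS_MODULES` are hypothetical names.

```python
import re

# Lines copied from the debug session in the post above (stack abridged).
SAMPLE = """\
BugCheck 20, {0, fed8, 0, 1}
babacc80 8095b0b8 00000020 00000000 0000fed8 nt!KeBugCheckEx+0x1b
babacd18 8090a5c6 00000000 00000000 825bf368 nt!PspExitThread+0x64c
babacd54 808234cb 00000000 00000000 00c3ffb8 nt!NtTerminateThread+0x71
00c3ffa0 77e4f932 00000000 00000000 00000000 ntdll!ZwTerminateThread+0xc
00c3ffb8 77e6482e 00000000 00000000 00000000 kernel32!ExitThread+0x41
"""

# Assumption: modules counted as OS components when scanning stack frames.
OS_MODULES = {"nt", "hal", "ntdll", "kernel32"}

def to_signed(value, bits=16):
    """Reinterpret an unsigned integer as two's-complement signed."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >> (bits - 1) else value

def triage_bugcheck_20(text):
    """Decode a KERNEL_APC_PENDING_DURING_EXIT summary and its kb stack."""
    m = re.search(r"BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", text)
    if not m or int(m.group(1), 16) != 0x20:
        raise ValueError("no bugcheck 0x20 summary line found")
    args = [int(a, 16) for a in m.group(2).split(",")]
    if len(args) != 4:
        raise ValueError("expected four bugcheck arguments")
    # Assumption: the disable count in Arg2 is a 16-bit signed counter.
    count = to_signed(args[1])
    if count < 0:
        finding = "APCs disabled %d more times than re-enabled" % -count
    elif count > 0:
        finding = "APCs re-enabled %d more times than disabled" % count
    else:
        finding = "disable count is balanced"
    # kb frame layout: ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol+offset
    modules = re.findall(r"^[0-9a-f]{8}(?: [0-9a-f]{8}){4} (\w+)!", text, re.M | re.I)
    return {
        "pending_apc": args[0],
        "apc_disable_count": count,
        "irql_is_passive": args[2] == 0,
        "finding": finding,
        "non_os_modules": sorted(set(modules) - OS_MODULES),
    }

if __name__ == "__main__":
    for key, value in triage_bugcheck_20(SAMPLE).items():
        print("%-18s %s" % (key, value))
```

For this dump the count decodes to -296 and the stack holds only nt, ntdll and kernel32 frames: the check fires at thread exit, so the driver that left APCs disabled is not on the faulting stack.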