Re: Blue screen with Event 1076
- From: "jolteroli" <jolt1976@xxxxxxx>
- Date: Tue, 20 Jan 2009 22:48:18 +0100
yes it's a driver fault in the sense that win32k is a kernel mode driver. it
doesn't mean necessarily a printer driver fault, altought it smells like
that... however, it seems spoolsv called something and the code path ended
in executing
mov al, [edi+1]
an "!analyze -show 0x50" will show us the details for the bug check:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain
bad or it
is pointing at freed memory.
Arguments:
Arg1: bc245000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bf886358, If non-zero, the instruction address which referenced
the bad memory address.
Arg4: 00000000, (reserved)
as you can see in the !analyze, the instruction at bf886358 is this "mov
al,[edi+1]". the address referenced is bc245000, hence edi should have had
the value bc244fff. you can see it in the register dump (edi=bc244fff).
for a futher investigation you should look at the call stack. this are the
lines with the header "STACK_TEXT:". here you can see the strace of the
kernel stack. may be the image- and function names showed can give you
additional hints.
feel free to post back...
-jolt
"HDI" <hdinf@xxxxxxxxxxx> schrieb im Newsbeitrag
news:e11cce13-6211-4d0f-986b-a4eb0a58d370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 19 jan, 18:51, "jolteroli" <jolt1...@xxxxxxx> wrote:
a windows xp computer will do fine, as long as you have set the
_NT_SYMBOL_PATH properly. then, windbg will download the proper symbol
files
and images of the foreign system from the ms symbol server. just analyze
the
dump /wo and then /w symbols configured. youll see a "difference"...
btw: each and everything is explained very very well in the help file of
windbg, it's awesome! there is a section "Analyzing a Kernel-Mode Dump
File
with WinDgb". just give it a try and start diggin' there! if you want,
post
back the output. may be we can help you, im not a kernel guru though...
all the best
-jolt
"HDI" <hd...@xxxxxxxxxxx> schrieb im
Newsbeitragnews:cc92a55e-f17a-47b2-aec8-6ff00c6b1f54@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 18 jan, 17:37, "jolteroli" <jolt1...@xxxxxxx> wrote:
most likely, that win32k.sys got called by wrong parameters (invalid
pointer) and hence faulted by accessing non-mapped memory in the
non-paged
memory area. since the page can't be loaded from disk...
so, the culprit is the caller not the callee win32k.sys (the gofer). try
getting the memory dump, load it in windbg and do a "!analyze -v". the
call
stack can tell you who's involved. here's the Microsoft-way, if you
like...
http://support.microsoft.com/kb/315263/en-us/
when do you get BSOD'ed? on startup? after a while? on printing? when
opening IE? any correlation?
also, you should consider corrupted images (files). just get a tool to
read
and calculate the checksum within an PE file.
http://www.codeproject.com/KB/cpp/PEChecksum.aspx
then check win32k.sys and any involved file seen in the call stack from
the
"analyze -v".
gd'luck
-jolt
"HDI" <hd...@xxxxxxxxxxx> schrieb im
Newsbeitragnews:899f7476-e02b-4613-b0d7-f4af7fd39a3c@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
On 16 jan, 21:58, "Vera Noest [MVP]" <vera.no...@remove-
this.hem.utfors.se> wrote:
And here's troubleshooting info for Bug Check 0x00000050
:http://msdn.microsoft.com/en-us/library/ms793437.aspx
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
HDI <hd...@xxxxxxxxxxx> wrote on 16 jan 2009 in
microsoft.public.windows.terminal_services:
Hi,
A few days ago I got a blue screen on our terminal server 2003 and
pointed tot the file win32k.sys.
In the event log I found event id 1076 with the discription:
system failure: stop error
reason code 0x805000f
bugcheck string: 0x00000050
(0xbc245000,0x00000000,0xbf886358,0x00000000)
Any ideas?
It's Windows 2003 SP2 with all patches, I installed the last 6 à 7
updates the morning of the error.
There isn't new hardware added in the last week.
If it was a driver can I see which one caused the error?- Tekst uit
oorspronkelijk bericht niet weergeven -
- Tekst uit oorspronkelijk bericht weergeven -
It occured only 1 time while the server was running.
Thanks for the information.
I experimented already with windbg.exe but like I said I'm
experimenting.
So can I run windbg.exe en examine the dump file (copy it to a local
pc) of a windows 2003 terminal server on a windows xp or should I run
it on that server who caused the error?- Tekst uit oorspronkelijk bericht
niet weergeven -
- Tekst uit oorspronkelijk bericht weergeven -
When I do !analyze -v I can see that it's a driver fault and the
process name is spoolsv.exe.
IMAGE_NAME: win32k.sys
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: spoolsv.exe
FOLLOWUP_IP:
win32k!vSrcCopyS1D1LtoR+331
bf886358 8a4701 mov al,byte ptr [edi+1]
So was the soolsv.exe responsible for the stop error?
.
- References:
- Blue screen with Event 1076
- From: HDI
- Re: Blue screen with Event 1076
- From: Vera Noest [MVP]
- Re: Blue screen with Event 1076
- From: HDI
- Re: Blue screen with Event 1076
- From: jolteroli
- Re: Blue screen with Event 1076
- From: HDI
- Re: Blue screen with Event 1076
- From: jolteroli
- Re: Blue screen with Event 1076
- From: HDI
- Blue screen with Event 1076
- Prev by Date: Terminal Server
- Next by Date: Re: KB 954398 - MaxOutstandingConnections registry key
- Previous by thread: Re: Blue screen with Event 1076
- Next by thread: User get logoff without appearant reason
- Index(es):
Relevant Pages
|
