
Windows 2003 Enterprise Logon Failure



#1 PaulBleeper

Posted 20 March 2011 - 03:06 PM

My Win 2K3 Domain Controller was infected by a VirusDoctor variant of malware. I used Malwarebytes to get rid of it, but only after rebooting into Last Known Configuration. I was not surprised to find out that the removal also chewed up some of my boot-up files, and since then I have been racking my brains to get it to boot. I have 4 hard disks, 2 IDE and 2 SATA. My boot volume is a 160Gb SATA split into 3 partitions. My 2nd 500Gb SATA HDD is also split into 3 partitions. The other 2 HDDs are 80Gb single partitions. I want to cure this problem without completely re-installing Windows. That said, I have used the Recovery Console to try and replace files and performed a full repair on Windows. Even so, the boot-up into Windows only happens in safe mode; in full mode it eventually crashes and recycles, always after setting up network connections. It never reaches the logon box. I have installed the debugger on my laptop and copied over the minidump files and a memory dump.

This is the result of 1 minidump file:-



Microsoft ® Windows Debugger Version 6.12.0002.633 X86
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Documents and Settings\Administrator\My Documents\dmp\Mini032011-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 UP Free x86 compatible
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_rtm.030324-2048
Machine Name:
Kernel base = 0x804de000 PsLoadedModuleList = 0x80568c08
Debug session time: Sun Mar 20 00:04:32.296 2011 (UTC + 0:00)
System Uptime: 0 days 0:07:02.875
Loading Kernel Symbols
...............................................................
................................................................
.........
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck F4, {3, 8a51dd88, 8a51dedc, 80614d74}

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
<Failed to Read Entire ETW Buffer (expected 0, read 0)>Probably caused by : XeoŠXeoŠ

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 8a51dd88, Terminating object
Arg3: 8a51dedc, Process image file name
Arg4: 80614d74, Explanatory message (ascii)

Debugging Details:
------------------

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
<Failed to Read Entire ETW Buffer (expected 0, read 0)>
PROCESS_OBJECT: 8a51dd88

IMAGE_NAME: XeoŠXeoŠ

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: XeoŠXeoŠ

FAULTING_MODULE: 00000000

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

BUGCHECK_STR: 0xF4_C0000005

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

CURRENT_IRQL: 0

STACK_TEXT:
ba703d00 8064f714 000000f4 00000003 8a51dd88 nt!KeBugCheckEx+0x19
ba703d24 80614d3c 80614d74 8a51dd88 8a51dedc nt!PspCatchCriticalBreak+0x73
ba703d54 804e7a8c ffffffff c0000005 00000000 nt!NtTerminateProcess+0x78
ba703d54 7ffe0304 ffffffff c0000005 00000000 nt!KiSystemService+0xcb
0052f478 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4


STACK_COMMAND: kb

FOLLOWUP_NAME: MachineOwner

FAILURE_BUCKET_ID: 0xF4_C0000005_IMAGE_Xeo_Xeo__

BUCKET_ID: 0xF4_C0000005_IMAGE_Xeo_Xeo__

Followup: MachineOwner
---------

I might add that I have been working with the Paragon & PowerQuest Partition Manager 2011 disk managers, UBCD, MHDD32, cleaning the registry, scanning disks for errors, rebuilding the MBR etc. All tests have passed. Checked cables, slave settings etc. SATA doesn't of course use slave settings. Had to check the boot order in BIOS. Just wish I had a backup image of the Sys Volume; then I could have avoided the downtime, but still I would like to know why this has happened and how to get out of it. One thing I noticed in older Paragon Disk Managers is that I can see my 160Gb HDD twice: once as Drive 0 and then bizarrely as Drive 4. Wondered if this could be the problem!! But Partition Manager 2011 sees only 4 HDDs, which is correct.

Any ideas much appreciated. I do not want to rebuild my server from scratch and re-install a lot of apps, or restore Active Directory from an old system state backup. I just want to crack this and improve my debugging skills in Windows.

Some Stop Errors I'm getting:-

0xc000021a (0xe233f0c0, 0xc0000005, 0x77f473c7, 0x00c5f5ac)

0x000000f4 (0x00000003, 0x8a51dd88, 0x8a51dedc, 0x80614d74)

0xc000021a (0xe1167e38, 0xc0000005, 0x77f473c7, 0x00c5f5ac)

Laters

Paul

Edited by PaulBleeper, 20 March 2011 - 06:33 PM.
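As an added example (not part of the thread, and not the poster's or BleepingComputer's code), here is a small Python triage helper for exactly the material in the post above: it parses the key fields of the `!analyze -v` output (bugcheck code, Arg1..Arg4, IMAGE_NAME, EXCEPTION_CODE, the STACK_TEXT frames) and the three bare STOP lines, and turns them into the findings a responder checks first. The sample input is a condensed, constructed excerpt of the posted dump with the addresses and the garbled image name kept as posted; the name tables (0xF4, 0xC000021A, 0xC0000005, the 0xF4 Arg1 object types, the 0xFFFFFFFF NtCurrentProcess handle) are standard Windows values, and the wording of the findings is this example's reading, not anything the thread states.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the poster's "!analyze -v" output (addresses and garbled name as posted).
SAMPLE_ANALYSIS = """\
CRITICAL_OBJECT_TERMINATION (f4)
Arg1: 00000003, Process
Arg2: 8a51dd88, Terminating object

IMAGE_NAME: XeoŠXeoŠ

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

STACK_TEXT:
ba703d00 8064f714 000000f4 00000003 8a51dd88 nt!KeBugCheckEx+0x19
ba703d24 80614d3c 80614d74 8a51dd88 8a51dedc nt!PspCatchCriticalBreak+0x73
ba703d54 804e7a8c ffffffff c0000005 00000000 nt!NtTerminateProcess+0x78
ba703d54 7ffe0304 ffffffff c0000005 00000000 nt!KiSystemService+0xcb
0052f478 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4

STACK_COMMAND: kb
"""
SAMPLE_STOP_LINES = [  # the three STOP lines exactly as listed in the post
    "0xc000021a (0xe233f0c0, 0xc0000005, 0x77f473c7, 0x00c5f5ac)",
    "0x000000f4 (0x00000003, 0x8a51dd88, 0x8a51dedc, 0x80614d74)",
    "0xc000021a (0xe1167e38, 0xc0000005, 0x77f473c7, 0x00c5f5ac)",
]
STOP_NAMES = {0xF4: "CRITICAL_OBJECT_TERMINATION", 0xC000021A: "STATUS_SYSTEM_PROCESS_TERMINATED"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
F4_OBJECT_TYPES = {0x3: "process", 0x6: "thread"}  # meaning of Arg1 (STOP parameter 1) for 0xF4
FRAME_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} ((?:[0-9a-f]{8} ){3})(\S+)$")  # one kb frame line


@dataclass
class Analysis:
    bugcheck_name: str = ""
    bugcheck_code: int = 0
    args: dict = field(default_factory=dict)    # Arg number -> (value, label)
    image_name: str = ""
    exception_code: int = -1                    # -1: no EXCEPTION_CODE line seen
    stack: list = field(default_factory=list)   # (symbol, (arg1, arg2, arg3)) per frame


def parse_analysis(text: str) -> Analysis:
    """Pull the fields triage needs out of "!analyze -v" output."""
    a, in_stack = Analysis(), False
    for line in text.splitlines():
        if in_stack:
            m = FRAME_RE.match(line)
            if m:  # a frame: the three kb arguments, then the symbol
                a.stack.append((m[2], tuple(int(v, 16) for v in m[1].split())))
                continue
            in_stack = False  # first non-frame line ends the stack dump
        if m := re.match(r"^([A-Z_]+) \(([0-9a-f]+)\)$", line):
            a.bugcheck_name, a.bugcheck_code = m[1], int(m[2], 16)
        elif m := re.match(r"^Arg(\d): ([0-9a-f]{8}), (.*)$", line):
            a.args[int(m[1])] = (int(m[2], 16), m[3])
        elif m := re.match(r"^IMAGE_NAME: (.*)$", line):
            a.image_name = m[1].strip()
        elif m := re.match(r"^EXCEPTION_CODE: \(NTSTATUS\) 0x([0-9a-f]+)", line):
            a.exception_code = int(m[1], 16)
        elif line.startswith("STACK_TEXT:"):
            in_stack = True
    return a


def triage(a: Analysis) -> list:
    """Plain-language findings a responder checks first (this example's reading, not the thread's)."""
    out = []
    if a.bugcheck_code == 0xF4 and 1 in a.args:
        kind = F4_OBJECT_TYPES.get(a.args[1][0], "unknown object")
        out.append(f"critical {kind} 0x{a.args.get(2, (0,))[0]:08x} terminated")
    if a.exception_code >= 0:
        out.append("exit status 0x%08X %s" % (a.exception_code, NTSTATUS_NAMES.get(a.exception_code, "")))
    if a.image_name and not a.image_name.isascii():
        out.append(f"image name {a.image_name!r} is not clean ASCII: do not trust it, use !process on a full dump")
    for sym, args in a.stack:  # handle 0xffffffff is NtCurrentProcess: the caller ended itself
        if sym.startswith("nt!NtTerminateProcess") and args[0] == 0xFFFFFFFF:
            out.append("NtTerminateProcess(NtCurrentProcess, 0x%08X) from user mode: the process ended itself" % args[1])
    return out


def decode_stop_line(line: str) -> dict:
    """Parse "0xCODE (p1, p2, p3, p4)" as written on the STOP screen."""
    m = re.match(r"^0x([0-9a-f]{8}) \((.*)\)$", line.strip(), re.I)
    if not m:
        raise ValueError(f"not a STOP line: {line!r}")
    code, params = int(m[1], 16), [int(p, 16) for p in m[2].split(",")]
    info = {"code": code, "name": STOP_NAMES.get(code, "unknown"), "params": params}
    if code == 0xC000021A:  # parameter 2 is the failed process's exit status
        info["status"] = params[1]
    elif code == 0xF4:  # parameter 1 says which kind of critical object died
        info["object"] = F4_OBJECT_TYPES.get(params[0], "unknown")
    return info


def statuses_seen(lines) -> set:
    return {d["status"] for d in map(decode_stop_line, lines) if "status" in d}


if __name__ == "__main__":
    print(*triage(parse_analysis(SAMPLE_ANALYSIS)), sorted(map(hex, statuses_seen(SAMPLE_STOP_LINES))), sep="\n")
```

Run as-is and it prints the findings for the posted minidump plus the exit statuses collected from the STOP lines. Two things it makes explicit that the raw output does not: the NtTerminateProcess frame carries the -1 pseudo-handle, so the critical process ended itself with 0xC0000005 rather than being killed from outside, and every 0xC000021A line reports that same status, which points at one faulting component (as Baltboy suspects) rather than separate disk problems. The non-ASCII IMAGE_NAME is flagged so nobody goes hunting for a product named "Xeo"; the name should be taken from the full memory dump instead.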




#2 Baltboy

Posted 21 March 2011 - 09:12 AM

Seems like it might be driver related. Not sure what xeosxeos is. Is that some form of laser cutter? Doesn't really matter what it is really. I think I would go into safe mode and uninstall the drivers to anything network related and restart in normal mode. If you can, download fresh drivers as well to be sure that you have uncorrupted files.
Get your facts first, then you can distort them as you please.
Mark Twain



