
Reading minidump files


2 replies to this topic

#1 Vince11

Posted 27 February 2012 - 01:11 PM

I have a number of servers that have been rebooting from BSOD. I need help analyzing the dmp files. All of the servers are VMs. I suspected the issue might be related to Trend Micro Deep Security agent but I am not sure. Here is an example of one of the minidumps using windbg


Microsoft ® Windows Debugger Version 6.12.0002.633 AMD64
Copyright © Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\vmacneil\Desktop\dump\caotwvqamail1\022512-26015-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\WebSymb*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 7601.17640.amd64fre.win7sp1_gdr.110622-1506
Machine Name:
Kernel base = 0xfffff800`01611000 PsLoadedModuleList = 0xfffff800`01856670
Debug session time: Sat Feb 25 10:04:34.221 2012 (UTC - 5:00)
System Uptime: 34 days 0:52:21.234
Loading Kernel Symbols
...............................................................
................................................................
.......
Loading User Symbols
Loading unloaded module list
.......
ERROR: FindPlugIns 80070005
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {80000003, fffff80001634766, fffff880041669b0, 0}

Probably caused by : ntkrnlmp.exe ( nt! ?? ::FNODOBFM::`string'+3235e )

Followup: MachineOwner
---------

kd> !analyze -v
ERROR: FindPlugIns 80070005
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 0000000080000003, Exception code that caused the bugcheck
Arg2: fffff80001634766, Address of the instruction which caused the bugcheck
Arg3: fffff880041669b0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------


EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

FAULTING_IP:
nt! ?? ::FNODOBFM::`string'+3235e
fffff800`01634766 cc int 3

CONTEXT: fffff880041669b0 -- (.cxr 0xfffff880041669b0)
rax=0000000000000001 rbx=fffffa8005ee0758 rcx=1d1f40f4f5940000
rdx=000000000000004e rsi=0000000000000000 rdi=fffff80001803e80
rip=fffff80001634766 rsp=fffff88004167390 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=fffff88004166fb0 r12=0000000000000000 r13=fffff80001803e80
r14=000000000009e341 r15=0000000000010224
iopl=0 nv up di ng nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000086
nt! ?? ::FNODOBFM::`string'+0x3235e:
fffff800`01634766 cc int 3
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0x3B

PROCESS_NAME: lsass.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 0000000000000000 to fffff80001634766

STACK_TEXT:
fffff880`04167390 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt! ?? ::FNODOBFM::`string'+0x3235e


FOLLOWUP_IP:
nt! ?? ::FNODOBFM::`string'+3235e
fffff800`01634766 cc int 3

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt! ?? ::FNODOBFM::`string'+3235e

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3

STACK_COMMAND: .cxr 0xfffff880041669b0 ; kb

FAILURE_BUCKET_ID: X64_0x3B_nt!_??_::FNODOBFM::_string_+3235e

BUCKET_ID: X64_0x3B_nt!_??_::FNODOBFM::_string_+3235e

Followup: MachineOwner
---------
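The paste above has everything a first-pass triage needs, but !analyze -v buries it in a lot of noise, and it also mislabels one field: it decodes Arg1 of a 0x3B as an HRESULT ("One or more arguments are invalid"), while exception codes are NTSTATUS values, where 0x80000003 is STATUS_BREAKPOINT. That agrees with the `cc int 3` shown at FAULTING_IP: a hard-coded breakpoint was executed with no kernel debugger attached, so the system bugchecked instead of breaking in. The script below is an added example, not code from the thread or from Microsoft; it parses the !analyze -v text (the sample is a trimmed copy of the paste above), decodes the exception code and image timestamp, and prints the questions a defender should ask next. The NTSTATUS/bugcheck tables are small subsets I chose, and the triage heuristics are my own.

```python
"""Triage helper for WinDbg '!analyze -v' output from kernel minidumps (added example)."""
import re
from datetime import datetime, timezone

# Small subset of NTSTATUS codes seen as Arg1 of bugcheck 0x3B (my selection, not exhaustive).
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}
BUGCHECK_NAMES = {0x3B: "SYSTEM_SERVICE_EXCEPTION"}

# Trimmed copy of the !analyze -v output pasted in the post above.
SAMPLE = """\
BugCheck 3B, {80000003, fffff80001634766, fffff880041669b0, 0}

SYSTEM_SERVICE_EXCEPTION (3b)
EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

FAULTING_IP:
nt! ?? ::FNODOBFM::`string'+3235e
fffff800`01634766 cc int 3

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x3B
PROCESS_NAME: lsass.exe
CURRENT_IRQL: 0
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4e02aaa3
FAILURE_BUCKET_ID: X64_0x3B_nt!_??_::FNODOBFM::_string_+3235e
"""


def parse_analyze_output(text):
    """Extract the fields a triager cares about from '!analyze -v' text."""
    info = {}
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if not m:
        raise ValueError("no BugCheck line found")
    info["bugcheck"] = int(m.group(1), 16)
    info["bugcheck_name"] = BUGCHECK_NAMES.get(info["bugcheck"], "UNKNOWN")
    # The four bugcheck parameters, as integers.
    info["args"] = [int(a.strip(), 16) for a in m.group(2).split(",")]
    for key in ("PROCESS_NAME", "MODULE_NAME", "IMAGE_NAME", "CURRENT_IRQL",
                "DEBUG_FLR_IMAGE_TIMESTAMP", "FAILURE_BUCKET_ID"):
        m = re.search(r"^%s:\s*(\S.*?)\s*$" % key, text, re.M)
        if m:
            info[key.lower()] = m.group(1)
    # FAULTING_IP block: symbol line, then "<address> <bytes> <instruction>".
    m = re.search(r"^FAULTING_IP:\s*\n.*\n([0-9a-f`]+)\s+([0-9a-f]+)\s+(.*)$", text, re.M)
    if m:
        info["faulting_address"] = m.group(1)
        info["faulting_bytes"] = m.group(2)
        info["faulting_instruction"] = m.group(3).strip()
    # DEBUG_FLR_IMAGE_TIMESTAMP is the PE link timestamp (seconds since the Unix epoch).
    ts = info.get("debug_flr_image_timestamp")
    if ts:
        built = datetime.fromtimestamp(int(ts, 16), tz=timezone.utc)
        info["image_build_time_utc"] = built.isoformat()
    return info


def triage(info):
    """Turn the parsed fields into the next questions a defender should ask."""
    notes = []
    if info["bugcheck"] == 0x3B:
        code = info["args"][0]
        name = NTSTATUS_NAMES.get(code, "unknown NTSTATUS")
        notes.append("exception 0x%08X (%s) raised inside a system service call" % (code, name))
        if code == 0x80000003:
            notes.append("STATUS_BREAKPOINT at an 'int 3': a hard-coded breakpoint or debug "
                         "assert fired with no kernel debugger attached, so the box bugchecked")
    if info.get("module_name") == "nt":
        notes.append("blame landed on the kernel image itself, which is rarely the root cause; "
                     "list third-party drivers ('lm t n') and compare their timestamps with the "
                     "crash times on every affected server")
    if info.get("process_name"):
        notes.append("current process at crash time was %s" % info["process_name"])
    return notes


if __name__ == "__main__":
    parsed = parse_analyze_output(SAMPLE)
    for k, v in sorted(parsed.items()):
        print("%-26s %s" % (k, v))
    for note in triage(parsed):
        print("- " + note)
```

To feed it many dumps at once, run the debugger non-interactively per file (kd -z dump.dmp -c "!analyze -v; q" > dump.txt, with -y for the symbol path) and pass each text file through parse_analyze_output; lining up the decoded image timestamps and the "Debug session time" across servers is usually what separates a bad driver update from a one-off.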


#2 noknojon

Posted 03 March 2012 - 02:20 PM

Hi Vince -
We normally use Blue Screen View for a detailed look at the reasons for BSOD problems as they are more detailed -

Download BlueScreenView:

Unzip downloaded file and double click on BlueScreenView.exe to run the program.
When scanning is done, go to EDIT - Select All
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply

Thank You -

#3 Baltboy

Posted 04 March 2012 - 11:43 AM

Have you looked into the possibility that this could be the result of a Sasser virus infection? Read this Trend article HERE.
Get your facts first, then you can distort them as you please.
Mark Twain
