Dell Optiplex 3020 - Recently Upgraded to Windows 10 Pro


7 replies to this topic

#1 byloadedmemory


Posted 25 January 2016 - 08:17 AM

I'm scratching my head with this one. I'm new to analyzing crash dumps and was hoping someone could point me in the right direction. This PC receives a BSOD with the message "Critical Process Died". Here's the text from the analyzed dump.

 

Microsoft ® Windows Debugger Version 10.0.10586.567 AMD64
Copyright © Microsoft Corporation. All rights reserved.
 
 
Loading Dump File [C:\Windows\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
 
 
************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Windows\symbol_cache*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 10 Kernel Version 10586 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 10586.0.amd64fre.th2_release.151029-1700
Machine Name:
Kernel base = 0xfffff800`a2c83000 PsLoadedModuleList = 0xfffff800`a2f61cb0
Debug session time: Mon Jan 25 07:48:18.689 2016 (UTC - 5:00)
System Uptime: 2 days 14:48:57.138
Loading Kernel Symbols
.............................................................Page 10394a not present in the dump file. Type ".hh dbgerr004" for details
..
................................................................
...........................
Loading User Symbols
.....................
Loading unloaded module list
............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
Use !analyze -v to get detailed debugging information.
 
BugCheck EF, {ffffe00091636840, 0, 0, 0}
 
Page 106494 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : ntdll.dll ( ntdll!NtTerminateProcess+14 )
 
Followup:     MachineOwner
---------
 
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
 
CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: ffffe00091636840, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000
 
Debugging Details:
------------------
 
Page 106494 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
Page 1180 not present in the dump file. Type ".hh dbgerr004" for details
 
DUMP_CLASS: 1
 
DUMP_QUALIFIER: 401
 
BUILD_VERSION_STRING:  10586.0.amd64fre.th2_release.151029-1700
 
SYSTEM_MANUFACTURER:  Dell Inc.
 
SYSTEM_PRODUCT_NAME:  OptiPlex 3020
 
SYSTEM_SKU:  0612
 
SYSTEM_VERSION:  00
 
BIOS_VENDOR:  Dell Inc.
 
BIOS_VERSION:  A09
 
BIOS_DATE:  07/27/2015
 
BASEBOARD_MANUFACTURER:  Dell Inc.
 
BASEBOARD_PRODUCT:  0WMJ54
 
BASEBOARD_VERSION:  A01
 
DUMP_TYPE:  1
 
BUGCHECK_P1: ffffe00091636840
 
BUGCHECK_P2: 0
 
BUGCHECK_P3: 0
 
BUGCHECK_P4: 0
 
PROCESS_NAME:  svchost.exe
 
CRITICAL_PROCESS:  svchost.exe
 
EXCEPTION_CODE: (NTSTATUS) 0x9207c080 - <Unable to get error code text>
 
ERROR_CODE: (NTSTATUS) 0x9207c080 - <Unable to get error code text>
 
CPU_COUNT: 4
 
CPU_MHZ: cdc
 
CPU_VENDOR:  GenuineIntel
 
CPU_FAMILY: 6
 
CPU_MODEL: 3c
 
CPU_STEPPING: 3
 
CPU_MICROCODE: 6,3c,3,0 (F,M,S,R)  SIG: 1E'00000000 (cache) 1E'00000000 (init)
 
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
 
BUGCHECK_STR:  0xEF
 
CURRENT_IRQL:  0
 
ANALYSIS_SESSION_HOST:  CC-IT24463
 
ANALYSIS_SESSION_TIME:  01-25-2016 07:57:46.0758
 
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
 
LAST_CONTROL_TRANSFER:  from fffff800a32c3c10 to fffff800a2dc4f80
 
STACK_TEXT:  
ffffd000`214929a8 fffff800`a32c3c10 : 00000000`000000ef ffffe000`91636840 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffd000`214929b0 fffff800`a308bb1c : 00000000`00000000 ffffe000`9207c3a0 00000000`00000001 fffff800`a2d07c7e : nt!PspCatchCriticalBreak+0xa4
ffffd000`214929f0 fffff800`a30a7cb9 : ffffe000`91636840 ffffe000`91636840 ffffe000`9207c3a0 00000000`00000000 : nt!PspTerminateAllThreads+0x74
ffffd000`21492a50 fffff800`a31042b0 : ffffe000`8ee1f840 00000000`c0000005 ffffe000`91636840 ffffe000`9207c080 : nt!PspTerminateProcess+0x101
ffffd000`21492a90 fffff800`a2dcf7a3 : ffffe000`91636840 ffffe000`9207c080 ffffd000`21492b80 ffffd000`21492b80 : nt!NtTerminateProcess+0x9c
ffffd000`21492b00 00007ffc`046452d4 : 00007ffc`0139e1f9 00000000`00000000 00007ffb`f0a7d178 00000000`00000154 : nt!KiSystemServiceCopyEnd+0x13
0000005e`a1ffe9d8 00007ffc`0139e1f9 : 00000000`00000000 00007ffb`f0a7d178 00000000`00000154 00007ffb`f0a7d178 : ntdll!NtTerminateProcess+0x14
0000005e`a1ffe9e0 00007ffb`f0a662b4 : 00000000`00000000 00000000`00001084 00000000`00000000 00000000`00000844 : KERNELBASE!TerminateProcess+0x29
0000005e`a1ffea10 00007ffb`f0a65679 : 00000000`00000000 00000000`00000000 000001c4`68e061f8 000001c4`68c1af60 : wersvc!CWerService::ReportCrashKernelMsg+0x9d4
0000005e`a1ffebc0 00007ffb`f0a64678 : 000001c4`68c04ef0 00007ffc`045cd120 00007ffc`045cde30 000001c4`68e061f0 : wersvc!CWerService::DispatchPortRequestWorkItem+0xfb9
0000005e`a1fff8a0 00007ffc`045a66e6 : 000001c4`68c1af60 000001c4`68c1aea0 0000005e`a1fffb38 000001c4`68c1af60 : wersvc!CWerService::StaticDispatchPortRequestWorkItem+0x18
0000005e`a1fff8d0 00007ffc`045cb788 : 000001c4`68c1af60 000001c4`68c1a8e0 00000000`00000000 000001c4`68c050f8 : ntdll!TppSimplepExecuteCallback+0x76
0000005e`a1fff910 00007ffc`01f68102 : 00000000`00000000 00007ffc`045cb050 000001c4`68c04ef0 00000000`00000000 : ntdll!TppWorkerThread+0x738
0000005e`a1fffd20 00007ffc`045fc264 : 00007ffc`01f680e0 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
0000005e`a1fffd50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
 
 
STACK_COMMAND:  kb
 
THREAD_SHA1_HASH_MOD_FUNC:  21b61b06332dd02638ad60bc619c5340615ce95f
 
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  8fb74dda24ac9f2b9dd3f17b18249c5f4ac097cc
 
THREAD_SHA1_HASH_MOD:  eda76160e2c5458b8b380c0037ad9d926b654e06
 
FOLLOWUP_IP: 
ntdll!NtTerminateProcess+14
00007ffc`046452d4 c3              ret
 
FAULT_INSTR_CODE:  c32ecdc3
 
SYMBOL_STACK_INDEX:  6
 
SYMBOL_NAME:  ntdll!NtTerminateProcess+14
 
FOLLOWUP_NAME:  MachineOwner
 
MODULE_NAME: ntdll
 
IMAGE_NAME:  ntdll.dll
 
DEBUG_FLR_IMAGE_TIMESTAMP:  5632d193
 
BUCKET_ID_FUNC_OFFSET:  14
 
FAILURE_BUCKET_ID:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_9207c080_ntdll!NtTerminateProcess
 
BUCKET_ID:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_9207c080_ntdll!NtTerminateProcess
 
PRIMARY_PROBLEM_CLASS:  0xEF_svchost.exe_BUGCHECK_CRITICAL_PROCESS_9207c080_ntdll!NtTerminateProcess
 
TARGET_TIME:  2016-01-25T12:48:18.000Z
 
OSBUILD:  10586
 
OSSERVICEPACK:  0
 
SERVICEPACK_NUMBER: 0
 
OS_REVISION: 0
 
SUITE_MASK:  272
 
PRODUCT_TYPE:  1
 
OSPLATFORM_TYPE:  x64
 
OSNAME:  Windows 10
 
OSEDITION:  Windows 10 WinNt TerminalServer SingleUserTS
 
OS_LOCALE:  
 
USER_LCID:  0
 
OSBUILD_TIMESTAMP:  2015-10-29 22:15:45
 
BUILDDATESTAMP_STR:  151029-1700
 
BUILDLAB_STR:  th2_release
 
BUILDOSVER_STR:  10.0.10586.0.amd64fre.th2_release.151029-1700
 
ANALYSIS_SESSION_ELAPSED_TIME: 421
 
ANALYSIS_SOURCE:  KM
 
FAILURE_ID_HASH_STRING:  km:0xef_svchost.exe_bugcheck_critical_process_9207c080_ntdll!ntterminateprocess
 
FAILURE_ID_HASH:  {20f6202b-e20f-8f17-80f5-9bd9134998dd}
 
Followup:     MachineOwner
---------
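
A triage sketch for the dump above, added here as an example and not part of the original post: it parses the !analyze -v text, decodes Arg2 the way the output itself describes it, and walks STACK_TEXT to the first user-mode frame outside the core OS modules, which tells you more than the ntdll!NtTerminateProcess follow-up line. The function names and the GENERIC module set are assumptions of this example.

```python
import re

# Excerpt of the !analyze -v output from the first post (stack trimmed to six frames).
SAMPLE = r"""
BugCheck EF, {ffffe00091636840, 0, 0, 0}
PROCESS_NAME:  svchost.exe
STACK_TEXT:
ffffd000`214929a8 fffff800`a32c3c10 : 00000000`000000ef ffffe000`91636840 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
ffffd000`214929b0 fffff800`a308bb1c : 00000000`00000000 ffffe000`9207c3a0 00000000`00000001 fffff800`a2d07c7e : nt!PspCatchCriticalBreak+0xa4
ffffd000`21492a90 fffff800`a2dcf7a3 : ffffe000`91636840 ffffe000`9207c080 ffffd000`21492b80 ffffd000`21492b80 : nt!NtTerminateProcess+0x9c
0000005e`a1ffe9d8 00007ffc`0139e1f9 : 00000000`00000000 00007ffb`f0a7d178 00000000`00000154 00007ffb`f0a7d178 : ntdll!NtTerminateProcess+0x14
0000005e`a1ffe9e0 00007ffb`f0a662b4 : 00000000`00000000 00000000`00001084 00000000`00000000 00000000`00000844 : KERNELBASE!TerminateProcess+0x29
0000005e`a1ffea10 00007ffb`f0a65679 : 00000000`00000000 00000000`00000000 000001c4`68e061f8 000001c4`68c1af60 : wersvc!CWerService::ReportCrashKernelMsg+0x9d4
"""

# child-SP, return address, four argument columns, then module!symbol(+0xoffset)
FRAME = re.compile(r"^([0-9a-f`]+) [0-9a-f`]+ : (?:[0-9a-f`]+ ){4}: ([^!\s]+)!(\S+?)(?:\+0x[0-9a-f]+)?$")
GENERIC = {"nt", "ntdll", "KERNELBASE", "KERNEL32"}  # assumption: OS plumbing, not the initiator
USER_MAX = 0x0000_7FFF_FFFF_FFFF  # x64 user-mode addresses sit in the lower canonical half

def parse(text):
    """Extract bugcheck code, what died (Arg2), process name and stack frames."""
    bc = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    args = [int(a, 16) for a in bc.group(2).split(",")]
    proc = re.search(r"^PROCESS_NAME:\s+(\S+)", text, re.M)
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            child_sp = int(m.group(1).replace("`", ""), 16)
            frames.append({"user": child_sp <= USER_MAX, "module": m.group(2), "symbol": m.group(3)})
    # Arg2: 0 means a process died, 1 means a thread died (per the bugcheck text)
    return {"bugcheck": int(bc.group(1), 16), "died": "thread" if args[1] == 1 else "process",
            "process": proc.group(1) if proc else None, "frames": frames}

def first_specific_frame(frames):
    """First user-mode frame outside GENERIC: the code that requested the termination."""
    for f in frames:
        if f["user"] and f["module"] not in GENERIC:
            return f
    return None

if __name__ == "__main__":
    r = parse(SAMPLE)
    f = first_specific_frame(r["frames"])
    print(hex(r["bugcheck"]), r["died"], r["process"], f and f"{f['module']}!{f['symbol']}")
```
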
 



 


#2 Bulgaristan


Posted 25 January 2016 - 10:31 AM

This is a driver failure or the AV crashing drivers.

Remove the startup items and services other than the Microsoft services.

If you have 3rd-party AV software, it is recommended to remove it.

After the reboot use:

1. sfc /scannow

2. dism.exe /online /cleanup-image /restorehealth

If the problem persists, remove all of the connected USB devices and test whether the problem occurs again.


Edited by Bulgaristan, 25 January 2016 - 10:32 AM.


#3 byloadedmemory


Posted 25 January 2016 - 10:45 AM

OK, we use Kaspersky Endpoint 10 for the business, so I will follow your instructions, uninstall it, and run the 2 commands.

I am a bit hesitant to run the PC in production without an AV though.



#4 Bulgaristan


Posted 25 January 2016 - 11:34 AM

If you perform "Reset", that will reinstall Windows 10, but unfortunately it will delete all of the existing software.

Problems occur when you update with the AV; otherwise Kaspersky will work on a normal install.

However, I would not recommend using Windows 10 for business.

Windows 10 is still under development; for business I would recommend using a Windows OS with a final release, such as 7 or 8.1.

Still, you can clean up most of the problems, but that might consume time and cause daily headaches :)



 



#5 byloadedmemory


Posted 25 January 2016 - 01:40 PM

So I ran the 2 commands.

The first came back saying it wasn't able to fix some of the corrupt files it found.

The second came back with error 0x800f081f "Source Files could not be found."

I've attached the two log files in case you need to view those. 
Am I ok to proceed or is there more going on than we think?




#6 Bulgaristan


Posted 25 January 2016 - 02:29 PM

Can you please post them as plain text instead of .zip?



#7 byloadedmemory


Posted 25 January 2016 - 03:24 PM

The logs are too big to post as plain text, it crashes the reply when I try.



#8 Bulgaristan


Posted 25 January 2016 - 04:08 PM

That is fine, I already opened them in a Linux environment.

There are drivers from Windows updates, and they crash the computer when trying to replace the old ones.

You can remove the Windows.old folder; also remove all of the computer vendor software.

The chain is failing for multiple drivers; if you can reinstall all of the additional software easily, the best option will be to perform a Windows 10 reset.

Here is the guidance: Link.

That will literally make a clean installation of Windows 10, but will remove all of the installed software.


Edited by Bulgaristan, 25 January 2016 - 04:18 PM.




