
many BSOD ntoskrnl.exe



#1 Micha_K


Posted 26 September 2017 - 02:56 AM

Hello everybody,

I have had many BSODs with ntoskrnl.exe since August 2017.

My system is:

Windows Server 2012 R2 Version 6.3.9600 x64

- it is a Remote Desktop server
- it is a VM on ESXi 5.5.0

I have attached the minidumps with all BSODs.

Perhaps you can help me to verify the problem.

Thank you.

Best regards

Michael


#2 usasma


Posted 26 September 2017 - 08:22 AM

Please run this report collecting tool so that we can provide a complete analysis: (from the pinned topic at the top of the forum)   http://www.bleepingcomputer.com/forums/t/576314/blue-screen-of-death-bsod-posting-instructions-windows-10-81-8-7-vista/
NOTE:  On problem systems it can take up to 20 minutes for the log files to complete.  Please be patient and let it run.

If you still have problems with it running, there's an alternate tool here (direct download link):  https://github.com/blueelvis/BSOD-Inspector/releases/download/1.0.5/BSODInspector-1.0.5.exe

NOTE:
Please zip up the (.ZIP) files - do not use .RAR, .7z or other compression utilities. 
.ZIP is the type file that can be uploaded to the forums.

 

As for the memory dumps that you uploaded:

 

The most common error here blames tmcomm.sys - a driver for Trend Micro.
Please uninstall TrendMicro and see if that fixes things (use Windows Defender and the Windows Firewall while testing)

If you'd like to reinstall TrendMicro - please download and install a fresh copy that's compatible with the Windows Server OS

 

Is this a production server?  Is it a problem to restart/run tests that will take it offline for short periods of time (a couple of hours at most)?  Do you have physical access to the server that the VM runs on?

I ask because that will affect what tests I ask you to run. 

Unfortunately, testing a production server is very difficult and time consuming because of the need for it to remain online and working for the users.

 

If removing TrendMicro doesn't fix the problem, I'll next ask you to run Driver Verifier.
As Driver Verifier is designed to make the system crash, this will be very inconvenient with a production server.

If able, I'll ask you to follow the instructions for Driver Verifier that are listed here:  http://www.carrona.org/verifier.html

 

Analysis:
The following is for information purposes only.
The following information contains the relevant information from the blue screen analysis:
**************************Tue Sep 26 01:56:27.242 2017 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\092617-23296-01.dmp]
Windows 8.1 Kernel Version 9600 MP (6 procs) Free x64
Built by: 9600.18790.amd64fre.winblue_ltsb.170810-1616
System Uptime:3 days 17:10:46.890
*** WARNING: Unable to verify timestamp for tmcomm.sys
*** ERROR: Module load completed but symbols could not be loaded for tmcomm.sys
Probably caused by :tmcomm.sys ( tmcomm+6814 )
BugCheck 18, {0, ffffe001d1966428, 20, ffffe001d1966410}
BugCheck Info: REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffe001d1966428, Object whose reference count is being lowered
Arg3: 0000000000000020, Reserved
Arg4: ffffe001d1966410, Reserved
    The reference count of an object is illegal for the current state of the object.
    Each time a driver uses a pointer to an object the driver calls a kernel routine
    to increment the reference count of the object. When the driver is done with the
    pointer the driver calls another kernel routine to decrement the reference count.
    Drivers must match calls to the increment and decrement routines. This bugcheck
    can occur because an object's reference count goes to zero while there are still
    open handles to the object, in which case the fourth parameter indicates the number
    of opened handles. It may also occur when the object's reference count drops below zero
    whether or not there are open handles to the object, and in that case the fourth parameter
    contains the actual value of the pointer references count.
BUGCHECK_STR:  0x18
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT_SERVER
PROCESS_NAME:  System
FAILURE_BUCKET_ID: 0x18_tmcomm!unknown_function
CPUID:        "Intel® Xeon® CPU E5-2620 v2 @ 2.10GHz"
MaxSpeed:     2100
CurrentSpeed: 2095
  BIOS Version                  6.00
  BIOS Release Date             04/14/2014
  Manufacturer                  VMware, Inc.
  Baseboard Manufacturer        Intel Corporation
  Product Name                  VMware Virtual Platform
  Baseboard Product             440BX Desktop Reference Platform
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Wed Sep 20 05:37:00.099 2017 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\092017-32609-01.dmp]
Windows 8.1 Kernel Version 9600 MP (6 procs) Free x64
Built by: 9600.18790.amd64fre.winblue_ltsb.170810-1616
System Uptime:5 days 2:04:49.950
Probably caused by :ntkrnlmp.exe ( nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12 )
BugCheck 3B, {c0000005, fffff80268bff592, ffffd00024de7e60, 0}
BugCheck Info: SYSTEM_SERVICE_EXCEPTION (3b)
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80268bff592, Address of the instruction which caused the bugcheck
Arg3: ffffd00024de7e60, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
BUGCHECK_STR:  0x3B
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT_SERVER
PROCESS_NAME:  WerFault.exe
FAILURE_BUCKET_ID: 0x3B_nt!AlpcpReferenceMessageByWaitingThreadPortQueue
CPUID:        "Intel® Xeon® CPU E5-2620 v2 @ 2.10GHz"
MaxSpeed:     2100
CurrentSpeed: 2095
  BIOS Version                  6.00
  BIOS Release Date             04/14/2014
  Manufacturer                  VMware, Inc.
  Baseboard Manufacturer        Intel Corporation
  Product Name                  VMware Virtual Platform
  Baseboard Product             440BX Desktop Reference Platform
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
**************************Fri Sep 15 03:11:49.520 2017 (UTC - 4:00)**************************
Loading Dump File [C:\Users\john\SysnativeBSODApps\091517-30828-01.dmp]
Windows 8.1 Kernel Version 9600 MP (6 procs) Free x64
Built by: 9600.18790.amd64fre.winblue_ltsb.170810-1616
System Uptime:0 days 23:42:21.820
*** WARNING: Unable to verify timestamp for tmcomm.sys
*** ERROR: Module load completed but symbols could not be loaded for tmcomm.sys
Probably caused by :tmcomm.sys ( tmcomm+6814 )
BugCheck 18, {0, ffffe000ce8bc148, 20, ffffe000ce8bc130}
BugCheck Info: REFERENCE_BY_POINTER (18)
Arguments:
Arg1: 0000000000000000, Object type of the object whose reference count is being lowered
Arg2: ffffe000ce8bc148, Object whose reference count is being lowered
Arg3: 0000000000000020, Reserved
Arg4: ffffe000ce8bc130, Reserved
    The reference count of an object is illegal for the current state of the object.
    Each time a driver uses a pointer to an object the driver calls a kernel routine
    to increment the reference count of the object. When the driver is done with the
    pointer the driver calls another kernel routine to decrement the reference count.
    Drivers must match calls to the increment and decrement routines. This bugcheck
    can occur because an object's reference count goes to zero while there are still
    open handles to the object, in which case the fourth parameter indicates the number
    of opened handles. It may also occur when the object's reference count drops below zero
    whether or not there are open handles to the object, and in that case the fourth parameter
    contains the actual value of the pointer references count.
BUGCHECK_STR:  0x18
DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT_SERVER
PROCESS_NAME:  System
FAILURE_BUCKET_ID: 0x18_tmcomm!unknown_function
CPUID:        "Intel® Xeon® CPU E5-2620 v2 @ 2.10GHz"
MaxSpeed:     2100
CurrentSpeed: 2095
  BIOS Version                  6.00
  BIOS Release Date             04/14/2014
  Manufacturer                  VMware, Inc.
  Baseboard Manufacturer        Intel Corporation
  Product Name                  VMware Virtual Platform
  Baseboard Product             440BX Desktop Reference Platform
¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨¨``
The rest of the memory dump summaries are hidden in the Spoiler tag below.  Click on "Show" to reveal them.

Spoiler



3rd Party Drivers:
The following is for information purposes only.
My recommendations were given above. The drivers that follow belong to software or devices that were not developed by Microsoft.  You can find links to the driver information and where to update the drivers in the section after the code box:

**************************Tue Sep 26 01:56:27.242 2017 (UTC - 4:00)**************************
vmmouse.sys                 Mon Jun  4 05:34:25 2012 (4FCC8121)
dump_LSI_SAS.sys            Thu Mar 28 13:42:34 2013 (5154810A)
lsi_sas.sys                 Thu Mar 28 13:42:34 2013 (5154810A)
vmci.sys                    Fri May 17 21:19:18 2013 (5196D716)
vsock.sys                   Wed Jul 31 22:46:10 2013 (51F9CBF2)
intelppm.sys                Thu Aug 22 04:46:35 2013 (5215CFEB)
TSFairShare.sys             Thu Aug 22 07:36:31 2013 (5215F7BF)
intelide.sys                Thu Aug 22 07:40:03 2013 (5215F893)
vmxnet3n61x64.sys           Fri Sep 27 05:40:11 2013 (5245527B)
vm3dmp.sys                  Tue Nov 12 00:42:46 2013 (5281BFD6)
tmeevw.sys                  Tue Dec  9 22:33:47 2014 (5487BF1B)
vmmemctl.sys                Thu Jun 18 03:44:36 2015 (558276E4)
tmusa.sys                   Wed Jun 24 21:44:59 2015 (558B5D1B)
tmcomm.sys                  Fri Aug 12 02:50:23 2016 (57AD71AF)
tmevtmgr.sys                Sun Sep 25 23:30:58 2016 (57E89672)
tmactmon.sys                Sun Sep 25 23:30:59 2016 (57E89673)
VSApiNt.sys                 Wed Mar 15 05:26:24 2017 (58C908C0)
TmPreFlt.sys                Wed Mar 15 05:40:14 2017 (58C90BFE)
TmXPFlt.sys                 Wed Mar 15 05:40:16 2017 (58C90C00)


http://www.carrona.org/drivers/driver.php?id=vmmouse.sys
http://www.carrona.org/drivers/driver.php?id=dump_LSI_SAS.sys
http://www.carrona.org/drivers/driver.php?id=lsi_sas.sys
http://www.carrona.org/drivers/driver.php?id=vmci.sys
http://www.carrona.org/drivers/driver.php?id=vsock.sys
http://www.carrona.org/drivers/driver.php?id=intelppm.sys
TSFairShare.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=intelide.sys
http://www.carrona.org/drivers/driver.php?id=vmxnet3n61x64.sys
vm3dmp.sys - this driver hasn't been added to the DRT as of this run. Please search Google/Bing for the driver if additional information is needed.
http://www.carrona.org/drivers/driver.php?id=tmeevw.sys
http://www.carrona.org/drivers/driver.php?id=vmmemctl.sys
http://www.carrona.org/drivers/driver.php?id=tmusa.sys
http://www.carrona.org/drivers/driver.php?id=tmcomm.sys
http://www.carrona.org/drivers/driver.php?id=tmevtmgr.sys
http://www.carrona.org/drivers/driver.php?id=tmactmon.sys
http://www.carrona.org/drivers/driver.php?id=VSApiNt.sys
http://www.carrona.org/drivers/driver.php?id=TmPreFlt.sys
http://www.carrona.org/drivers/driver.php?id=TmXPFlt.sys
 
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John  (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack. **  If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.
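
The tally behind "the most common error here blames tmcomm.sys", as an added example that is not part of the original post or of the tool that produced the report: it parses dump summaries in the format quoted above and counts which module each bugcheck blames. The function names and the short `OS_IMAGES` list are assumptions of this example.

```python
import re
from collections import Counter

# Abridged from the three dump summaries in the post above (parsed lines only).
SAMPLE = """\
**************************Tue Sep 26 01:56:27.242 2017 (UTC - 4:00)**************************
Probably caused by :tmcomm.sys ( tmcomm+6814 )
BugCheck 18, {0, ffffe001d1966428, 20, ffffe001d1966410}
BugCheck Info: REFERENCE_BY_POINTER (18)
**************************Wed Sep 20 05:37:00.099 2017 (UTC - 4:00)**************************
Probably caused by :ntkrnlmp.exe ( nt!AlpcpReferenceMessageByWaitingThreadPortQueue+12 )
BugCheck 3B, {c0000005, fffff80268bff592, ffffd00024de7e60, 0}
BugCheck Info: SYSTEM_SERVICE_EXCEPTION (3b)
**************************Fri Sep 15 03:11:49.520 2017 (UTC - 4:00)**************************
Probably caused by :tmcomm.sys ( tmcomm+6814 )
BugCheck 18, {0, ffffe000ce8bc148, 20, ffffe000ce8bc130}
BugCheck Info: REFERENCE_BY_POINTER (18)
"""
HEADER = re.compile(r"^\*{5,}(.+?)\*{5,}$")
CAUSE = re.compile(r"^Probably caused by\s*:\s*(\S+)\s*\(\s*(.+?)\s*\)")
CODE = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{(.*)\}")
INFO = re.compile(r"^BugCheck Info: (\w+)")
# Windows' own images (assumed short list): blame here rarely names the real culprit.
OS_IMAGES = {"ntoskrnl.exe", "ntkrnlmp.exe", "hal.dll"}

def parse_summaries(text):
    """Return one dict per crash, split on the starred timestamp headers."""
    crashes = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            crashes.append({"when": m.group(1).strip()})
        elif not crashes:
            continue  # skip anything before the first header
        elif m := CAUSE.match(line):
            crashes[-1].update(module=m.group(1).lower(), site=m.group(2))
        elif m := CODE.match(line):
            crashes[-1]["code"] = int(m.group(1), 16)
            crashes[-1]["args"] = [int(a, 16) for a in m.group(2).split(",")]
        elif m := INFO.match(line):
            crashes[-1]["name"] = m.group(1)
    return crashes

def triage(crashes):
    """Tally (module, bugcheck name) pairs; list non-OS modules, most blamed first."""
    buckets = Counter((c.get("module"), c.get("name")) for c in crashes)
    blamed = Counter(c["module"] for c in crashes
                     if c.get("module") and c["module"] not in OS_IMAGES)
    return buckets, [m for m, _ in blamed.most_common()]
```

Calling `triage(parse_summaries(SAMPLE))` groups two of the three crashes under `tmcomm.sys` with REFERENCE_BY_POINTER, and leaves the `ntkrnlmp.exe` crash out of the third-party suspect list.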

#3 Micha_K


Posted 26 September 2017 - 08:59 AM

Hello usasma and many thanks.

So I ran the Sysnative tool and attached it here.

The second tool is crashing on the server.

So I will uninstall Trend Micro in the evening.

This is a production system, so I can test the server in the evening or on the weekend.

I have no "real" physical access, but I have access with the VMware vSphere client, so I could attach ISO files.

I can run tests overnight... this is no problem. The server must be running at 7.30am :)

So what test should I do?

Best regards,

Michael


#4 usasma


Posted 27 September 2017 - 05:24 AM

I don't think you can update the BIOS on a VM - but that would depend upon the host.  Just let me know if you can't.

Your UEFI/BIOS (version 6.00) dates from 2014.  Please check at the manufacturer's website to see if there are any UEFI/BIOS updates available for your system.  If you are able to install the update through Windows (without booting from an external drive), then go ahead and update it.  WARNING - if the computer might shut down during this procedure, please don't do it, as this may physically damage the computer and prevent it from booting.
FYI - W8 and W10 communicate more with the UEFI/BIOS than previous versions of Windows, so it's important to ensure that the UEFI/BIOS is kept up to date (and the outdated UEFI/BIOS' may be the cause of some compatibility issues).

Only 286 Windows Update hotfixes installed.  Most systems have more than this.  Please visit Windows Update and get ALL available updates (it may take several trips to get them all).
Don't worry about the specific number, it's just important that you have checked and installed any updates that were available (and didn't experience any errors).

C: drive only has about 7% free space.  Windows likes 15% free space in order to perform stuff "behind the scenes" without adversely affecting the system's performance.  Please free up 15% on ALL hard drives (you can get away with 10% on larger drives and won't notice a large performance penalty).  Low free space can cause BSOD's - but the actual amount depends on the files being used by the system.

On a production server this is (IMO) more critical than on single client systems.  I would ensure that you have 15% free space on the C: drive

 

I would wait to see if uninstalling Trend Micro helps stop the BSOD's.

If it doesn't, then I'd run Driver Verifier according to these instructions:  http://www.carrona.org/verifier.html

As this will likely crash the system, it's a test that you should run in the evening when no other users are connected to the system.





