
How to diagnose crash on Windows Server 2003


11 replies to this topic

#1 anlkjdj

anlkjdj

  • Members
  • 9 posts

Posted 28 January 2018 - 02:04 AM

I ran a cleaner program from Malwarebytes to remove their software for our server.  Restarted server and it kept crashing as soon as it got to login screen.  We had a 3rd party get us back up, but would only tell us that a "registry file" was missing that he had to put back.
 
So I'm trying to examine whatever dumps/log files to help figure out what the problem was.
 
I have a memory.dmp file and several minidump files from that day as well as an ntbtlog file and PFRO log file (and Event log), but am not making much progress figuring out how to extract the info I need.  I installed latest debug tools and tried using windbg.exe to open dump files and tried !analyze, but I'm not sure what I'm looking at.
 
Would be grateful for any assistance--



 


#2 anlkjdj


Posted 28 January 2018 - 12:58 PM

Since this is for Windows Server 2003, I suspect I will not get much of a response (60+ views so far with no responses...).  I've posted also at windowssecrets.com where I have been referred to NirSoft's BlueScreenViewer: the BugCheckString says "Registry_Error".  Anyone know how I can find out more about the registry error?



#3 anlkjdj


Posted 30 January 2018 - 01:12 PM

Thanks Adrian - anyone else, specifically re: the logs?  I'm particularly interested in finding out if there is a way to determine what boot options were selected (I can see in Event log that server was booted into Safe mode, but how can I tell if e.g. LKGC (i.e. "Last Known Good Configuration") was selected for startup)?



#4 bwv848

bwv848

    Bleepin' Owl


  • BSOD Kernel Dump Expert
  • 3,027 posts

Posted 30 January 2018 - 01:43 PM

Can you zip and attach the minidump files in your next reply?


If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)


#5 anlkjdj


Posted 01 February 2018 - 11:35 PM

Thanks for your interest.  Files attached.  I think a user restarted the server 8 times - not sure if they chose any restart options.  A techie restarted re: #9 and #10 and I'm most interested in what options were chosen.  Event Log tells me that Server was started in "Safe Mode" at 5:19pm on 1/23/2017, but not what options were chosen e.g. "Last Known Good Configuration"



#6 anlkjdj


Posted 01 February 2018 - 11:37 PM

Files attached




#7 bwv848


Posted 02 February 2018 - 10:27 AM

Thanks. Nothing much we can do here, can't find any symbols for Server 2003!

 

>> I ran a cleaner program from Malwarebytes to remove their software for our server.  Restarted server and it kept crashing as soon as it got to login screen.  We had a 3rd party get us back up, but would only tell us that a "registry file" was missing that he had to put back.

Was this MBAM Clean?




#8 anlkjdj


Posted 02 February 2018 - 10:59 AM

>> Thanks. Nothing much we can do here, can't find any symbols for Server 2003!

 

Can I get the symbols from the server?

 

 

>> Was this MBAM Clean?

Not sure what you're asking.  If you mean: did I reinstall MBAM and it has identified and cleaned all malware it identified, no - I haven't reinstalled MBAM yet


Edited by anlkjdj, 02 February 2018 - 11:10 AM.


#9 anlkjdj


Posted 02 February 2018 - 11:09 AM

Ah - I think you're asking which malwarebytes cleaner program I ran?

 

I ran mbam-clean-2.3.0.1001.exe first, but still had problems getting mbam to run after reinstalling.  malwarebytes support said to run their other clean tool "MB-Clean".



#10 bwv848


Posted 02 February 2018 - 11:27 AM

My WinDbg has trouble finding OS symbols for Server 2003 on Microsoft's Symbol server — that's all. :) Probably because Server 2003 is so ancient... :wink: Didn't you run into symbol errors too when you ran WinDbg?

 

Did you get crashes RIGHT AFTER you ran the MBAM removal tool?

 

Without symbols, I can only decipher the bugcheck code, STOP 0x00000051: REGISTRY_ERROR, which means exactly what it means... :)

 

You're not experiencing any active problems right now, right?




#11 anlkjdj


Posted 02 February 2018 - 12:11 PM

I tried WinDbg but wasn't sure how to find symbols; someone suggested NirSoft's BlueScreenViewer which is what I then used (it didn't ask for symbols).

 

The 0x00000051 STOP code (per internet search) suggested it was usually a hardware problem, but sometimes antivirus/security software.  I thought this aligned with malwarebytes having done something to the registry.

 

Further examination suggested it was a corrupt user profile which led me to the following scenario:

 

When trying to run the malwarebytes cleaner program (I was connected via rdp), I received a message that another user was logged into the server and would affect the clean program running successfully.  Taskmgr showed another "administrator" was logged in, Session: "console".  Since there was nobody at the office, I used Taskmgr to "logoff" that user.  I'm wondering now whether that might have resulted in a corrupt profile?

 

Server is running right now, but I need to get malwarebytes installed and running again, but I'd rather try to figure out what caused the server to not restart last time before I run the malwarebytes cleaner programs again, hence my desire to get as much relevant info from the logs as possible and to learn whether the techie merely did a "Last Known Good Configuration" to get the server back up.

 

So I'm wondering if there's anything in the memory.dmp file, minidump files, ntbtlog file, PFRO log file, Event log or some other log files I have yet to identify that could answer these questions.


Edited by anlkjdj, 02 February 2018 - 12:12 PM.


#12 anlkjdj


Posted 02 February 2018 - 12:26 PM

>> Did you get crashes RIGHT AFTER you ran the MBAM removal tool?

Server didn't crash right after running MBAM removal tools.  malwarebytes support said to restart server after running cleaners; I needed to wait several hours before restarting server.  After server restart, that's when crashing started.





