BSOD RDR_FILE_SYSTEM Ksecdd.sys with mapped drive.
Hi,

We have a Windows 2008 32-bit server that crashes with a BSOD (RDR_FILE_SYSTEM Ksecdd.sys error) whenever a user logs into the server with a network drive mapped. This happens for both local and domain users. The server does not crash if the user has not mapped the drive.

This problem does not happen when the server is not in the domain or on the network.

Please let me know how to proceed?

Thanks
July 6th, 2015 8:24am

Hi,

Here's the explanation of the bugcheck, see if anything applies.

Try also with a clean boot and see if the issue re-occurs.

I assume the server is SP2 already.

Free Windows Admin Tool Kit Click here and download it now
July 6th, 2015 8:28am

Hi aperelli

The hexadecimal codes mentioned in the bug check are not matching the BSOD we are facing.

The BSOD screen has the following:
STOP: 0x00000027 (0xBAAD0075, 0x9B3E3BE4, 0x9B3E38E0, 0x999389EE)
ksecdd.sys - Address 999389EE base at 998FD000, DateStamp 54b5e188

I have already tried clean boot earlier and it did not help.

Thanks


July 6th, 2015 8:48am

Hi Vamsi,

It actually is: STOP: 0x00000027 = Bug Check 0x27

July 6th, 2015 8:51am

Hi Aperelli,

This server has 32GB memory and it's free most of the time.

I am not sure how to use .crx commands.

But I am able to isolate the problem to the below:

This happens whenever a user logs into the server with a network drive mapped.

I have found a thread that is related to this problem: https://social.technet.microsoft.com/Forums/en-US/5aa69f15-d93b-4b47-9fc3-a181450395c9/rdrfilesystem-ksecddsys-error-bsod?forum=w8itprogeneral

But not sure how to proceed.

Thanks


July 6th, 2015 9:00am

Well, this could apply to your environment, they are talking about Windows 8.x in that post though. 

If you have that policy configured you can try to disable it as the poster on the thread explained, you mentioned "users that have drive mapped" so that should come from a GPO or a logon script.

It's also possible that you are running out of nonpaged pool. This 'type' of memory is limited to 2GB on 32 bit systems. Did this system ever work or is it a new one?

July 6th, 2015 9:17am

Hi Aperelli,

This server is not new. It's more than 4 years old.

This BSOD happens only when someone logs in from RDP/console with a drive mapped.

I manually went to network places and mapped the drive. This error does not happen when I remove the mapped drive and log in again. This is the same for local and domain accounts.

In a big environment like ours, we cannot change settings at a DC level.

Thanks



July 6th, 2015 9:28am

You should have a file named "memory.dmp" in c:\windows.

You can install standalone debugging tools for Windows on any computer and open the dump file with windbg.exe. Then run "!analyze -v" and post the output. You can also share the file but it might be very big so I'm not sure that's an option.

July 6th, 2015 10:30am

Hi Aperelli,

Uninstalled hotfix KB3000483. Now the BSOD is not happening.

Thanks

July 6th, 2015 12:14pm

Good to know, thank you for sharing.
July 6th, 2015 12:20pm

Hi Aperelli,

This is a Windows 2008 x86 server.
As informed earlier, this server is not crashing any more with BSOD - RDR_FILE_SYSTEM (27) after removing hotfix KB3000483.

Now this server is crashing again with a different BSOD - PAGE_FAULT_IN_NONPAGED_AREA (50). The earlier x27 error got fixed. I have even tried installing hotfix Windows6.0-KB2280072-x86 for x50.
But the x50 error still persists.

In the link below you can find KB3044428 in the Windows 2008 R2 section, which addresses this problem.
https://support.microsoft.com/en-us/kb/2473205

But the same kind of fix is not available for my current Windows 2008 x86 server.
The current server still has kb2508429 installed. Shall I go ahead and remove it?
Or is there any standard fix for Windows 2008 x86 like the way R2 has?

Thanks

July 20th, 2015 6:38am

We don't know for sure it's the same cause as per 2008R2 just like we can't know if the issue is about kb2508429 without more information. You can of course uninstall it and give it a try, the suggestion to run !analyze -v is still valid though.
July 20th, 2015 6:45am


0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f6305048, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 825822bd, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.


ADDITIONAL_DEBUG_TEXT:  
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

MODULE_NAME: nt

FAULTING_MODULE: 82406000 nt

DEBUG_FLR_IMAGE_TIMESTAMP:  55022ae2

READ_ADDRESS: GetPointerFromAddress: unable to read from 00000000
GetPointerFromAddress: unable to read from 00000000
unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
 f6305048 

FAULTING_IP: 
nt+17c2bd
825822bd 394724          cmp     dword ptr [edi+24h],eax

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT_SERVER

BUGCHECK_STR:  0x50

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from 82588818 to 825822bd

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
9ade7a8c 82588818 01000001 009c4020 009c3f70 nt+0x17c2bd
9ade7abc 82588e46 d73dc7f0 01000001 00000006 nt+0x182818
9ade7b04 8258386c 01000001 9ade7c60 80006a98 nt+0x182e46
9ade7b60 82585fdb 9ade7bb4 00000005 00000000 nt+0x17d86c
9ade7bd8 8258827b 9ade7c60 00000000 9ade7c4c nt+0x17ffdb
9ade7c18 8257e4c3 9ade7c60 00000000 9ade7c7b nt+0x18227b
9ade7d14 8257e6f8 00000002 824fe5a0 00000002 nt+0x1784c3
9ade7d38 8265dd4d 8250813c 91b01ad0 824abcca nt+0x1786f8
9ade7d7c 825dc018 00000000 d37ba5b2 00000000 nt+0x257d4d
9ade7dc0 82444f0e 824abbcd 00000001 00000000 nt+0x1d6018
00000000 00000000 00000000 00000000 00000000 nt+0x3ef0e


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt+17c2bd
825822bd 394724          cmp     dword ptr [edi+24h],eax

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt+17c2bd

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  ntoskrnl.exe

BUCKET_ID:  WRONG_SYMBOLS

FAILURE_BUCKET_ID:  WRONG_SYMBOLS

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:wrong_symbols

FAILURE_ID_HASH:  {70b057e8-2462-896f-28e7-ac72d4d365f8}

Followup: MachineOwner
---------
July 20th, 2015 6:49am

Unfortunately it doesn't tell much without symbols configured:

https://support.microsoft.com/en-us/kb/311503

July 20th, 2015 7:03am

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f6305048, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 825822bd, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: GetPointerFromAddress: unable to read from 8253d874
Unable to read MiSystemVaType memory at 8251d420
 f6305048 

FAULTING_IP: 
nt!CmpCheckKey+61b
825822bd 394724          cmp     dword ptr [edi+24h],eax

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT_SERVER

BUGCHECK_STR:  0x50

PROCESS_NAME:  System

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER:  from 82588818 to 825822bd

STACK_TEXT:  
9ade7a8c 82588818 01000001 009c4020 009c3f70 nt!CmpCheckKey+0x61b
9ade7abc 82588e46 d73dc7f0 01000001 00000006 nt!CmpCheckRegistry2+0x8c
9ade7b04 8258386c 01000001 9ade7c60 80006a98 nt!CmCheckRegistry+0xf5
9ade7b60 82585fdb 9ade7bb4 00000005 00000000 nt!CmpInitializeHive+0x4c1
9ade7bd8 8258827b 9ade7c60 00000000 9ade7c4c nt!CmpInitHiveFromFile+0x19e
9ade7c18 8257e4c3 9ade7c60 00000000 9ade7c7b nt!CmpCmdHiveOpen+0x36
9ade7d14 8257e6f8 00000002 824fe5a0 00000002 nt!CmpFlushBackupHive+0x2fd
9ade7d38 8265dd4d 8250813c 91b01ad0 824abcca nt!CmpSyncBackupHives+0x90
9ade7d44 824abcca 00000000 00000000 91b01ad0 nt!CmpPeriodicBackupFlushWorker+0x32
9ade7d7c 825dc018 00000000 d37ba5b2 00000000 nt!ExpWorkerThread+0xfd
9ade7dc0 82444f0e 824abbcd 00000001 00000000 nt!PspSystemThreadStartup+0x9d
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!CmpCheckKey+61b
825822bd 394724          cmp     dword ptr [edi+24h],eax

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!CmpCheckKey+61b

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  55022ae2

IMAGE_VERSION:  6.0.6002.19346

FAILURE_BUCKET_ID:  0x50_nt!CmpCheckKey+61b

BUCKET_ID:  0x50_nt!CmpCheckKey+61b

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x50_nt!cmpcheckkey+61b

FAILURE_ID_HASH:  {b0c48432-dfba-c9e0-33fc-874f17d1f0e6}

Followup: MachineOwner
---------
July 20th, 2015 7:34am
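
An added example, not part of any post in this thread: a small Python helper that parses `!analyze -v` text and reports whether kernel symbols resolved, which is the difference between the two outputs posted above. The sample inputs are trimmed excerpts of those two outputs; the function name `triage` and its field names are this example's own.

```python
import re

# Trimmed excerpts of the two !analyze -v outputs posted in this thread.
NO_SYMBOLS = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: f6305048, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
FAULTING_IP:
nt+17c2bd
825822bd 394724          cmp     dword ptr [edi+24h],eax
STACK_TEXT:
9ade7a8c 82588818 01000001 009c4020 009c3f70 nt+0x17c2bd
9ade7abc 82588e46 d73dc7f0 01000001 00000006 nt+0x182818
BUCKET_ID:  WRONG_SYMBOLS
"""
WITH_SYMBOLS = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: f6305048, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
FAULTING_IP:
nt!CmpCheckKey+61b
825822bd 394724          cmp     dword ptr [edi+24h],eax
STACK_TEXT:
9ade7a8c 82588818 01000001 009c4020 009c3f70 nt!CmpCheckKey+0x61b
9ade7abc 82588e46 d73dc7f0 01000001 00000006 nt!CmpCheckRegistry2+0x8c
BUCKET_ID:  0x50_nt!CmpCheckKey+61b
"""

# A 32-bit STACK_TEXT row: five 8-digit hex columns, then the frame's symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.M)

def triage(text):
    """Summarise an !analyze -v dump and say whether symbols resolved."""
    name, code = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M).groups()
    found = re.findall(r"^Arg(\d): ([0-9a-f]{8}),", text, re.M)
    args = {int(n): int(v, 16) for n, v in found}
    frames = FRAME.findall(text)
    bucket = re.search(r"^BUCKET_ID:\s+(\S+)", text, re.M).group(1)
    # A frame written as module+0xNNN (no '!') had no symbol matched to it.
    unresolved = [f for f in frames if "!" not in f]
    return {
        "bugcheck": f"{name} (0x{code.upper()})",
        "address": args.get(1),
        "access": "write" if args.get(2) else "read",
        "frames": frames,
        "symbols_ok": bucket != "WRONG_SYMBOLS" and not unresolved,
    }
```
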

Do you have KB3045685 installed?
July 20th, 2015 7:52am

Yes. It's there.
July 20th, 2015 7:57am

You could try to remove it but that isn't very wise, I'd rather update all 3rd party drivers.

If you clean boot the server do you get BSOD?

July 20th, 2015 8:29am

I have updated all 3rd party drivers earlier. It did not help. Even a P2V of this machine has the same problem.

This BSOD does not happen while booting. It happens during the course of usage, when it makes SMB requests.

Did the dump hint you towards KB3045685?

I will be removing kb2508429 for now.


July 20th, 2015 8:50am

I have just noticed that the version of kernel you are running is very recent (A
July 20th, 2015 9:29am

I could not understand your statement about kernel.

Would the removal of KB3045685 or kb2508429 help?

Please suggest.

July 20th, 2015 11:20pm

I cannot be sure, you can be sure only if you properly analyze the dump which in case of BSOD can be difficult even for a specialist since there are symbols which are not published by Microsoft.

You should know that NTOSKRNL.EXE is the Windows kernel.

July 21st, 2015 3:46am

This topic is archived. No further replies will be accepted.
