Always Blue Screen on Windows 2003 SP2
One of our servers has often gotten a blue screen recently. We suspect that it is related to a hardware memory issue. Could anyone advise? Thx
<< 1ST MEMORY DUMP >>
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.080813-1204
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af9c8
Debug session time: Fri Feb 11 17:32:24.592 2011 (GMT+8)
System Uptime: 0 days 0:15:31.109
Loading Kernel Symbols
...............................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 8E, {c0000005, bf9487fa, f7626760, 0}
Page cba7e not present in the dump file. Type ".hh dbgerr004" for details
Page c87d6 not present in the dump file. Type ".hh dbgerr004" for details
Page c87d6 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
Probably caused by : win32k.sys ( win32k!bAdjusBaseLine+89 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf9487fa, The address that the exception occurred at
Arg3: f7626760, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
Page cba7e not present in the dump file. Type ".hh dbgerr004" for details
Page c87d6 not present in the dump file. Type ".hh dbgerr004" for details
Page c87d6 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffde00c). Type ".hh dbgerr001" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
win32k!bAdjusBaseLine+89
bf9487fa 2b812c010000 sub eax,dword ptr [ecx+12Ch]
TRAP_FRAME: f7626760 -- (.trap 0xfffffffff7626760)
ErrCode = 00000000
eax=ffffff20 ebx=f7626804 ecx=00000000 edx=e34c8008 esi=f7626824 edi=f7626aa8
eip=bf9487fa esp=f76267d4 ebp=f76267d4 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
win32k!bAdjusBaseLine+0x89:
bf9487fa 2b812c010000 sub eax,dword ptr [ecx+12Ch] ds:0023:0000012c=????????
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: spoolsv.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8085bba7 to 8087c4a0
STACK_TEXT:
f762632c 8085bba7 0000008e c0000005 bf9487fa nt!KeBugCheckEx+0x1b
f76266f0 808346c4 f762670c 00000000 f7626760 nt!KiDispatchException+0x3a2
f7626758 80834678 f76267d4 bf9487fa badb0d00 nt!CommonDispatchException+0x4a
f762676c bf9401ad c0000000 00000002 00001972 nt!KiExceptionExit+0x186
f76267d4 bf94967f f762681c f7626818 f762680c win32k!ESTROBJ::vCharPos_G1+0x150
f7626828 bf8a8ea4 f7626844 00000000 7ffa7210 win32k!ESTROBJ::vEudcOpaqueArea+0xcc
f7626a90 bf8abbe2 f7626d2c 00000030 00000024 win32k!GreExtTextOutWLocked+0x6bf
f7626bf8 bf89d0c8 f7626d2c 7ffa71dc 00000084 win32k!GreBatchTextOut+0x344
f7626d54 80833bc0 00000096 01d6ac08 01d6ac14 win32k!NtGdiFlushUserBatch+0x11a
f7626d64 7c8285ec badb0d00 01d6ac08 00000000 nt!KiFastCallEntry+0xcd
WARNING: Frame IP not in any known module. Following frames may be wrong.
f7626d68 badb0d00 01d6ac08 00000000 00000000 0x7c8285ec
f7626d6c 01d6ac08 00000000 00000000 00000000 0xbadb0d00
f7626d70 00000000 00000000 00000000 00000000 0x1d6ac08
STACK_COMMAND: kb
FOLLOWUP_IP:
win32k!bAdjusBaseLine+89
bf9487fa 2b812c010000 sub eax,dword ptr [ecx+12Ch]
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: win32k!bAdjusBaseLine+89
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 48ce617a
FAILURE_BUCKET_ID: 0x8E_win32k!bAdjusBaseLine+89
BUCKET_ID: 0x8E_win32k!bAdjusBaseLine+89
Followup: MachineOwner
---------
<< 2ND MEMORY DUMP >>
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.080813-1204
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af9c8
Debug session time: Sun Feb 13 20:39:44.326 2011 (GMT+8)
System Uptime: 2 days 3:05:02.921
Loading Kernel Symbols
...............................................................................................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4E, {99, 0, 0, 0}
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
Probably caused by : memory_corruption ( nt!MiRestoreTransitionPte+173 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000099, A PTE or PFN is corrupt
Arg2: 00000000, page frame number
Arg3: 00000000, current page state
Arg4: 00000000, 0
Debugging Details:
------------------
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdb00c). Type ".hh dbgerr001" for details
BUGCHECK_STR: 0x4E_99
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: scan32.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 80865ba5 to 8087c4a0
STACK_TEXT:
b8516cc4 80865ba5 0000004e 00000099 00000000 nt!KeBugCheckEx+0x1b
b8516cf0 808885c1 873c6db0 ffffffff 00000012 nt!MiRestoreTransitionPte+0x173
b8516d08 8086b6cd 00000000 808694b3 0126521c nt!MiRemovePageFromList+0xd1
b8516d10 808694b3 0126521c 08008904 0001ab80 nt!MiRemoveAnyPage+0x68
b8516d4c 80836c2a 00000001 0126521c 00000001 nt!MmAccessFault+0xc90
b8516d4c 1226cb0b 00000001 0126521c 00000001 nt!KiTrap0E+0xdc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0001ab80 00000000 00000000 00000000 00000000 0x1226cb0b
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiRestoreTransitionPte+173
80865ba5 cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!MiRestoreTransitionPte+173
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 48a2bc85
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_99_nt!MiRestoreTransitionPte+173
BUCKET_ID: 0x4E_99_nt!MiRestoreTransitionPte+173
Followup: MachineOwner
---------
February 13th, 2011 10:01pm
Hi,
According to the description, it seems to be a system crash issue, and we need to analyze the crash dump file to narrow down the root cause of the issue. I would like to suggest that you contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope the issue will be resolved soon.
Scorprio
TechNet Software Assurance Managed Newsgroup
MCTS: Windows Vista | Exchange Server 2007
MCITP: Enterprise Support Technician | Server & Enterprise Admin | System Architect
February 13th, 2011 10:19pm
After analyzing the dump file, I can clearly see there are 2 things which are affecting your server.
1) DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: spoolsv.exe
CURRENT_IRQL: 0
Spoolsv.exe relates to the spooler service, which is being affected for 2 reasons: antivirus, and corrupt or incompatible printer drivers on the server.
2) BUGCHECK_STR: 0x4E_99
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: scan32.exe
CURRENT_IRQL: 2
The above log indicates that you have McAfee installed on your computer and it is having a problem; better contact McAfee about the problem.
http://www.virmansec.com/blogs/skhairuddin
February 14th, 2011 1:38am
Thanks, Syed Khairuddin.
There are about 40 print queues on this server, and we are not sure which print queue caused the problem.
We have more than 10 Windows servers running McAfee 8.5 patch 8. Only this server got a blue screen, and none of the other servers got the same problem.
Should we upgrade McAfee 8.5 to McAfee 8.7 first?
February 14th, 2011 3:15am
I don't have much idea about McAfee; please contact their support and ask them.
I don't really know which printer driver has really caused the problem, but it is for sure that there are some drivers which are corrupted on the server, so please update the drivers on the server if it's the terminal server or print server.
Thanks
http://www.virmansec.com/blogs/skhairuddin
February 14th, 2011 4:06am
Last night, we got another blue screen/reboot.
<< 3RD MEMORY DUMP >>
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.080813-1204
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af9c8
Debug session time: Mon Feb 14 21:29:03.706 2011 (GMT+8)
System Uptime: 1 days 0:46:51.671
Loading Kernel Symbols
...............................................................................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 8089b897, f78eec4c, f78ee948}
*** ERROR: Symbol file could not be found. Defaulted to export symbols for mfehidk.sys -
Probably caused by : Pool_Corruption ( nt!ExFreePool+f )
Followup: Pool_corruption
---------
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8089b897, The address that the exception occurred at
Arg3: f78eec4c, Exception Record Address
Arg4: f78ee948, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
nt!ExFreePoolWithTag+53f
8089b897 668b4b04 mov cx,word ptr [ebx+4]
EXCEPTION_RECORD: f78eec4c -- (.exr 0xfffffffff78eec4c)
ExceptionAddress: 8089b897 (nt!ExFreePoolWithTag+0x0000053f)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004
CONTEXT: f78ee948 -- (.cxr 0xfffffffff78ee948)
eax=f7727120 ebx=00000000 ecx=f751eb50 edx=006755cb esi=880001a0 edi=808b7600
eip=8089b897 esp=f78eed14 ebp=f78eed60 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!ExFreePoolWithTag+0x53f:
8089b897 668b4b04 mov cx,word ptr [ebx+4] ds:0023:00000004=????
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
READ_ADDRESS: 00000004
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 8089c26e to 8089b897
STACK_TEXT:
f78eed60 8089c26e 880001a8 00000000 f78eed80 nt!ExFreePoolWithTag+0x53f
f78eed70 b9074b9b 880001a8 808b711c f78eedac nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
f78eed80 8082db10 880001a8 00000000 8a78cdb0 mfehidk+0xdb9b
f78eedac 80920833 880001a8 00000000 00000000 nt!ExpWorkerThread+0xeb
f78eeddc 8083fe9f 8082da53 00000001 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
FOLLOWUP_IP:
nt!ExFreePool+f
8089c26e 5d pop ebp
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!ExFreePool+f
FOLLOWUP_NAME: Pool_corruption
IMAGE_NAME: Pool_Corruption
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: Pool_Corruption
STACK_COMMAND: .cxr 0xfffffffff78ee948 ; kb
FAILURE_BUCKET_ID: 0x7E_nt!ExFreePool+f
BUCKET_ID: 0x7E_nt!ExFreePool+f
Followup: Pool_corruption
---------
February 14th, 2011 9:12pm
I have already answered your question: this problem is arising due to third-party applications and the drivers. So please remove McAfee and monitor it.
However, in this forum, we do not provide debugging support. If you would like to perform debugging, please contact Microsoft Customer Support Service (CSS).
To obtain the phone numbers for specific technology request, please refer to the website listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US, please refer to http://support.microsoft.com for regional support phone numbers.
Thanks for understanding.
http://www.virmansec.com/blogs/skhairuddin
February 15th, 2011 1:42am
Hi,
In addition to the suggestions “Syed Khairuddin” provided, please also diagnose or replace the memory to test the issue.
Regards,
February 15th, 2011 9:56pm
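To compare the three `!analyze -v` outputs posted in this thread side by side, the sketch below pulls the key fields from each dump and lists the stack modules other than `nt` and `win32k`. It is an added example, not part of any post; the function names and the `CORE` module list are assumptions made here, and the sample text is trimmed from the dumps above.

```python
import re

# Lines trimmed from the three dumps posted in this thread.
SAMPLE = """\
<< 1ST MEMORY DUMP >>
BUGCHECK_STR: 0x8E
PROCESS_NAME: spoolsv.exe
f76267d4 bf94967f f762681c f7626818 f762680c win32k!ESTROBJ::vCharPos_G1+0x150
IMAGE_NAME: win32k.sys
<< 2ND MEMORY DUMP >>
BUGCHECK_STR: 0x4E_99
PROCESS_NAME: scan32.exe
b8516cf0 808885c1 873c6db0 ffffffff 00000012 nt!MiRestoreTransitionPte+0x173
IMAGE_NAME: memory_corruption
<< 3RD MEMORY DUMP >>
PROCESS_NAME: System
BUGCHECK_STR: 0x7E
f78eed70 b9074b9b 880001a8 808b711c f78eedac nt!ExFreePool+0xf
f78eed80 8082db10 880001a8 00000000 8a78cdb0 mfehidk+0xdb9b
IMAGE_NAME: Pool_Corruption
"""

FIELD = re.compile(r"^(BUGCHECK_STR|PROCESS_NAME|IMAGE_NAME):\s*(\S+)", re.M)
# Stack frame: ChildEBP, RetAddr, three args, then module!symbol or module+offset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}([A-Za-z_]\w*)[!+]", re.M)
CORE = {"nt", "win32k"}  # assumption: OS modules to leave out of the "other" list

def triage(text):
    """Return one dict per dump: key fields plus non-core modules on the stack."""
    rows = []
    for chunk in re.split(r"^<< .*? MEMORY DUMP >>$", text, flags=re.M)[1:]:
        row = dict(FIELD.findall(chunk))
        mods = dict.fromkeys(FRAME.findall(chunk))  # keeps order, drops repeats
        row["other_modules"] = [m for m in mods if m not in CORE]
        rows.append(row)
    return rows

def distinct_signatures(rows):
    """Set of (bugcheck, image) pairs; more than one means the crashes differ."""
    return {(r.get("BUGCHECK_STR"), r.get("IMAGE_NAME")) for r in rows}

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
    print(len(distinct_signatures(triage(SAMPLE))), "distinct crash signatures")
```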


