Need Help Analyze MEMPORY.DMP Windows Server 2008 R2 Std SP1

Hi all,

Recently My Server crash with event id :

Log Name:      System
Source:        Microsoft-Windows-WER-SystemErrorReporting
Date:          4/13/2015 4:06:49 PM
Event ID:      1001
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:     
Description:
The computer has rebooted from a bugcheck.  The bugcheck was: 0x00000050 (0xfffff6fb40000000, 0x0000000000000000, 0xfffff80001869a10, 0x0000000000000002). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: .
Event Xml:
< Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WER-SystemErrorReporting" Guid="{ABCE23E7-DE45-4366-8631-84FA6C525952}" EventSourceName="BugCheck" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2015-04-13T09:06:49.000000000Z" />
    <EventRecordID>13466</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>MYSERVER.WHATEVER.COM</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="param1">0x00000050 (0xfffff6fb40000000, 0x0000000000000000, 0xfffff80001869a10, 0x0000000000000002)</Data>
    <Data Name="param2">C:\Windows\MEMORY.DMP</Data>
    <Data Name="param3">
    </Data>
  </EventData>
< /Event>

 

Already trying debug the MEMORY.DMP but have no clue about the cause of crash:

Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*d:\localsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 7601.17514.amd64fre.win7sp1_rtm.101119-1850
Machine Name:
Kernel base = 0xfffff800`01818000 PsLoadedModuleList = 0xfffff800`01a5de90
Debug session time: Mon Apr 13 16:04:32.741 2015 (UTC + 7:00)
System Uptime: 72 days 7:28:38.963
Loading Kernel Symbols
...............................................................
................................................................
..........
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018).  Type ".hh dbgerr001" for details
Loading unloaded module list
.........
The context is partially valid. Only x86 user-mode context is available.
The wow64exts extension must be loaded to access 32-bit state.
.load wow64exts will do this if you haven't loaded it already.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffff6fb40000000, 0, fffff80001869a10, 2}

Probably caused by : Unknown_Image ( nt!MiRemoveWorkingSetPages+388 )

Followup: MachineOwner
---------

16.3: kd:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff6fb40000000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff80001869a10, If non-zero, the instruction address which referenced the bad memory
 address.
Arg4: 0000000000000002, (reserved)

Debugging Details:
------------------


READ_ADDRESS:  fffff6fb40000000

FAULTING_IP:
nt!MiRemoveWorkingSetPages+388
fffff800`01869a10 49              dec     ecx

MM_INTERNAL_CODE:  2

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x50

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to 0000000000000000

STACK_TEXT: 
00000000 00000000 00000000 00000000 00000000 0x0


STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_IP:
nt!MiRemoveWorkingSetPages+388
fffff800`01869a10 49              dec     ecx

SYMBOL_NAME:  nt!MiRemoveWorkingSetPages+388

FOLLOWUP_NAME:  MachineOwner

DEBUG_FLR_IMAGE_TIMESTAMP:  0

IMAGE_NAME:  Unknown_Image

BUCKET_ID:  INVALID_KERNEL_CONTEXT

MODULE_NAME: Unknown_Module

Followup: MachineOwner
---------

Any help would be appriciated. :)

Added:

Link for the MEMORY.DMP:

http://1drv.ms/1OtWVEf

thanks


  • Edited by w3_ka 6 hours 0 minutes ago add link for DUMP
April 26th, 2015 10:43am

Very often it is hardware failure (device). My starting point for troubleshooting is here

https://msdn.microsoft.com/en-us/library/windows/hardware/ff559023(v=vs.85).aspx

HTH

Milos

Free Windows Admin Tool Kit Click here and download it now
April 26th, 2015 10:56am

Here is the MEMORY.DMP:

http://1drv.ms/1OtWVEf

April 26th, 2015 8:52pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics