When a non-administrator logs in to the domain, intermittent BSOD issue.

Hi,

This issue is reported by a corporate customer to whom we have supplied 160 Acer desktops.

Operating system is Windows 8.1 64-bit.

  1. Whenever a domain user logs in to the computer, the BSOD error appears randomly.
  2. If we log in to the local machine using the domain administrator or the local user/administrator, the BSOD issue is not replicated in the client computer where Windows 8.1 Professional is installed.

McAfee is installed and I can see in the forum that it can be due to McAfee also. Please check the attached dumps and help with expert advice to resolve the issue.

Dump files are uploaded to below link

http://1drv.ms/1KUXm4y

Regards,

Lakshmikanth

June 10th, 2015 7:35am

McAfee is killing  ksecdd.sys Kernel Security Support Provider Interface.  It is the cause.

Microsoft (R) Windows Debugger Version 10.0.10075.9 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Users\zigza\Desktop\dumps\052715-10421-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available


************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*D:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*D:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9600.16384.amd64fre.winblue_rtm.130821-1623
Machine Name:
Kernel base = 0xfffff802`b801d000 PsLoadedModuleList = 0xfffff802`b82e49b0
Debug session time: Tue May 26 23:44:29.945 2015 (UTC - 4:00)
System Uptime: 0 days 0:01:21.616
Loading Kernel Symbols
...............................................................
................................................................
.......................
Loading User Symbols
Loading unloaded module list
........
No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 27, {baad0073, ffffd0002457bac8, ffffd0002457b2d0, fffff80000c1f05d}

*** WARNING: Unable to verify timestamp for mfehidk.sys
*** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
Probably caused by : ksecdd.sys ( ksecdd!SspiHelperEqualPackedCredentials+d )

Followup:     MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

RDR_FILE_SYSTEM (27)
    If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
    exception record and context record. Do a .cxr on the 3rd parameter and then kb to
    obtain a more informative stack trace.
    The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
    as follows:
     RDBSS_BUG_CHECK_CACHESUP  = 0xca550000,
     RDBSS_BUG_CHECK_CLEANUP   = 0xc1ee0000,
     RDBSS_BUG_CHECK_CLOSE     = 0xc10e0000,
     RDBSS_BUG_CHECK_NTEXCEPT  = 0xbaad0000,
Arguments:
Arg1: 00000000baad0073
Arg2: ffffd0002457bac8
Arg3: ffffd0002457b2d0
Arg4: fffff80000c1f05d

Debugging Details:
------------------


SYSTEM_SKU:  To be filled by O.E.M.

SYSTEM_VERSION:  1.02

BIOS_DATE:  03/04/2015

BASEBOARD_PRODUCT:  H81-M1

BASEBOARD_VERSION:  1.02

BUGCHECK_P1: baad0073

BUGCHECK_P2: ffffd0002457bac8

BUGCHECK_P3: ffffd0002457b2d0

BUGCHECK_P4: fffff80000c1f05d

EXCEPTION_RECORD:  ffffd0002457bac8 -- (.exr 0xffffd0002457bac8)
ExceptionAddress: fffff80000c1f05d (ksecdd!SspiHelperEqualPackedCredentials+0x000000000000000d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

CONTEXT:  ffffd0002457b2d0 -- (.cxr 0xffffd0002457b2d0)
rax=0000000000000201 rbx=0000000000000000 rcx=0000000000000000
rdx=ffffc00003bff410 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80000c1f05d rsp=ffffd0002457bd00 rbp=ffffd0002457bd88
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=ffffc00002fe8b10 r13=ffffd0002457be70
r14=ffffc00001e34670 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
ksecdd!SspiHelperEqualPackedCredentials+0xd:
fffff800`00c1f05d 3901            cmp     dword ptr [rcx],eax ds:002b:00000000`00000000=????????
Resetting default scope

CPU_COUNT: 4

CPU_MHZ: cdc

CPU_VENDOR:  GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 3c

CPU_STEPPING: 3

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  NULL_DEREFERENCE

PROCESS_NAME:  svchost.exe

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000000

READ_ADDRESS: GetPointerFromAddress: unable to read from fffff802b836d150
GetUlongPtrFromAddress: unable to read from fffff802b836d3c8
GetUlongPtrFromAddress: unable to read from fffff802b836d568
 0000000000000000 Nonpaged pool

FOLLOWUP_IP: 
ksecdd!SspiHelperEqualPackedCredentials+d
fffff800`00c1f05d 3901            cmp     dword ptr [rcx],eax

FAULTING_IP: 
ksecdd!SspiHelperEqualPackedCredentials+d
fffff800`00c1f05d 3901            cmp     dword ptr [rcx],eax

BUGCHECK_STR:  0x27

ANALYSIS_VERSION: 10.0.10075.9 amd64fre

LAST_CONTROL_TRANSFER:  from fffff80000c1caf7 to fffff80000c1f05d

STACK_TEXT:  
ffffd000`2457bd00 fffff800`00c1caf7 : 00000000`00000000 ffffd000`2457bd70 ffffd000`2457bd60 ffffd000`2457bde0 : ksecdd!SspiHelperEqualPackedCredentials+0xd
ffffd000`2457bd30 fffff800`01904aab : 00000000`00000000 ffffc000`03bff410 ffffc000`02fe8b10 00000000`00000000 : ksecdd!SspiCompareAuthIdentities+0x22d7
ffffd000`2457bdd0 fffff800`019023a2 : fffff800`018f4700 00000000`00000001 00000000`00000000 00000000`00000000 : rdbss!RxIsCompatibleSecurityContext+0x10b
ffffd000`2457be70 fffff800`019126fe : 00000000`63457852 ffffd000`2457c0c8 fffff800`01904ec0 ffffe000`00edf0c8 : rdbss!RxFindOrConstructVirtualNetRoot+0x473
ffffd000`2457c080 fffff800`0190519c : ffffc000`003d8201 ffffe000`02682b70 ffffe000`03093010 ffffe000`02682b70 : rdbss!RxCreateTreeConnect+0xfe
ffffd000`2457c100 fffff800`018cfd9e : 01d0982f`6fbf98dc ffffe000`02682a10 ffffe000`02682b70 00000000`00000000 : rdbss!RxCommonCreate+0x2dc
ffffd000`2457c1b0 fffff800`019007df : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : rdbss!RxFsdCommonDispatch+0x56e
ffffd000`2457c320 fffff800`02bce1b3 : 00000000`00000000 ffffe000`02682a01 ffffe000`02682a10 fffff800`011c7010 : rdbss!RxFsdDispatch+0xcf
ffffd000`2457c390 fffff800`011cc682 : ffffe000`0278e220 ffffe000`02682a10 ffffc000`004c1c40 00000000`00000000 : mrxsmb!MRxSmbFsdDispatch+0x83
ffffd000`2457c3d0 fffff800`011cac07 : ffffc000`004c1c40 ffffe000`00edf000 fffff800`011c7010 ffffe000`03183010 : mup!MupiCallUncProvider+0xc2
ffffd000`2457c440 fffff800`006d03a4 : 30080000`0450040c ffffe000`00000008 ffffe000`00edf070 ffffe000`03183010 : mup!MupCreate+0x5f8
ffffd000`2457c4e0 fffff800`00924aa0 : ffffd000`2457c700 ffffd000`2457c7f0 00000000`00000000 fffff800`03002c31 : fltmgr!FltpCreate+0x3a5
ffffd000`2457c590 ffffd000`2457c700 : ffffd000`2457c7f0 00000000`00000000 fffff800`03002c31 00000000`00000000 : mfehidk+0x75aa0
ffffd000`2457c598 ffffd000`2457c7f0 : 00000000`00000000 fffff800`03002c31 00000000`00000000 ffffd000`2457c6d0 : 0xffffd000`2457c700
ffffd000`2457c5a0 00000000`00000000 : fffff800`03002c31 00000000`00000000 ffffd000`2457c6d0 00000000`00060000 : 0xffffd000`2457c7f0


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  ksecdd!SspiHelperEqualPackedCredentials+d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ksecdd

IMAGE_NAME:  ksecdd.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5215f86d

IMAGE_VERSION:  6.3.9600.16384

STACK_COMMAND:  .cxr 0xffffd0002457b2d0 ; kb

BUCKET_ID_FUNC_OFFSET:  d

FAILURE_BUCKET_ID:  0x27_ksecdd!SspiHelperEqualPackedCredentials

BUCKET_ID:  0x27_ksecdd!SspiHelperEqualPackedCredentials

PRIMARY_PROBLEM_CLASS:  0x27_ksecdd!SspiHelperEqualPackedCredentials

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x27_ksecdd!sspihelperequalpackedcredentials

FAILURE_ID_HASH:  {020b5662-e3ac-c43e-b2fc-2ad97f2abb2b}

Followup:     MachineOwner
---------


June 10th, 2015 8:03am
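
The !analyze -v text in the post above states that for bugcheck 0x27 the high 16 bits of the first argument hold an RDBSS sub-code, and its STACK_TEXT shows which drivers were in the call path. As an added example (not from the thread; the function names are illustrative), this Python code decodes that argument and lists the modules on the stack, marking those that resolved without symbols:

```python
import re

# RDBSS sub-codes, copied from the !analyze -v text in the post above.
RDBSS_CODES = {
    0xCA550000: "RDBSS_BUG_CHECK_CACHESUP",
    0xC1EE0000: "RDBSS_BUG_CHECK_CLEANUP",
    0xC10E0000: "RDBSS_BUG_CHECK_CLOSE",
    0xBAAD0000: "RDBSS_BUG_CHECK_NTEXCEPT",
}

# Excerpt of the posted output; argument columns shortened to "..." for width.
SAMPLE = """\
BugCheck 27, {baad0073, ffffd0002457bac8, ffffd0002457b2d0, fffff80000c1f05d}
STACK_TEXT:
ffffd000`2457bd00 fffff800`00c1caf7 : ... : ksecdd!SspiHelperEqualPackedCredentials+0xd
ffffd000`2457bdd0 fffff800`019023a2 : ... : rdbss!RxIsCompatibleSecurityContext+0x10b
ffffd000`2457c390 fffff800`011cc682 : ... : mrxsmb!MRxSmbFsdDispatch+0x83
ffffd000`2457c4e0 fffff800`00924aa0 : ... : fltmgr!FltpCreate+0x3a5
ffffd000`2457c590 ffffd000`2457c700 : ... : mfehidk+0x75aa0
ffffd000`2457c598 ffffd000`2457c7f0 : ... : 0xffffd000`2457c700
"""

def decode_bugcheck(text):
    """Return (bugcheck code, RDBSS sub-code name) from the 'BugCheck' line."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([0-9A-Fa-f]+),", text)
    if not m:
        raise ValueError("no BugCheck line found")
    code, arg1 = int(m.group(1), 16), int(m.group(2), 16)
    # High 16 bits of Arg1 carry the RDBSS code (only meaningful for 0x27).
    sub = RDBSS_CODES.get(arg1 & 0xFFFF0000, "unknown") if code == 0x27 else None
    return code, sub

def stack_modules(text):
    """Modules on the faulting stack, top first, as (name, has_symbols)."""
    seen, in_stack = [], False
    for line in text.splitlines():
        if not in_stack:
            in_stack = line.startswith("STACK_TEXT:")
            continue
        if not line.strip():
            break                      # blank line ends the STACK_TEXT block
        frame = line.rsplit(" : ", 1)[-1].strip()
        if frame.startswith("0x"):
            continue                   # raw address, no owning module resolved
        name = re.split(r"[!+]", frame)[0]
        if name not in [n for n, _ in seen]:
            seen.append((name, "!" in frame))   # "module+offset" means no symbols
    return seen
```

On the excerpt it reports RDBSS_BUG_CHECK_NTEXCEPT and marks only mfehidk as unsymbolized. A driver's presence on the stack shows it was in the I/O path of the request, not by itself that it caused the fault.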

Hi,

How did you configure the drive map policy settings? You may create another test GPO with one mapped drive by following the link below:

Using Group Policy Preferences to Map Drives Based on Group Membership

http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx

Regards,

Yan Li

June 12th, 2015 3:37am

Server OS here is Windows 2008 SP1. Is there any patch for the server or Win8.1 to resolve this issue?


I'd start installing SP2
June 12th, 2015 3:42am

Hi,

Yesterday we checked and were able to see the issue without McAfee also.

As per the link below, this issue was caused by a mapped drive group policy.

We changed the group policy by creating a new group and user and found it working fine.

Server OS here is Windows 2008 SP1. Is there any patch for the server or Win8.1 to resolve this issue?

https://social.technet.microsoft.com/Forums/windows/en-US/5aa69f15-d93b-4b47-9fc3-a181450395c9/rdrfilesystem-ksecddsys-error-bsod?forum=w8itprogeneral

Regards,

Lakshmikanth

June 12th, 2015 3:57am

Hi,

Configuration has been done by the server administrator and we are not allowed to make any changes due to security reasons.

The issue is not observed in Windows 7 clients but only with Windows 8.1 clients. Is there any compatibility issue or any hotfix from MS?

Regards,

Lakshmikanth

June 12th, 2015 4:45am

This server is in production and the user does not want to update to SP2; instead they are ready to implement only a hotfix for such an issue.

Regards,

Lakshmikanth

June 12th, 2015 4:46am

MS would tell you to update to SP2. You are running an unsupported system on the server side, so Windows 8.1 has not been tested with it.
June 12th, 2015 4:48am

Thanks for the reply.

Can you provide a link where it says Win2008 SP1 is unsupported for Win 8.1 so that I can take it up with the customer?

Regards,

Lakshmikanth

June 12th, 2015 8:39am

There is no link that specifically states that Win2008 Sp1 doesn't support Win 8.1, it's implied that it doesn't because it is no longer supported. MS isn't going to test systems that support has expired on, well.... because support has expired! :D

SP1 support ends 24 months after the next service pack is released, you can read the server lifecycles here.

June 12th, 2015 8:44am

Every SP is supported for 24 months after the last SP is released.

Here's an article from 07/2011:

Last Week Before Vista and Win2008 SP1 Support Ends

"Windows Vista and Windows Server 2008 Service Pack 1 support ends on July 12"

June 12th, 2015 8:45am

Lol Aperelli, nice timing!
June 12th, 2015 8:56am

Are you sure that the issue will be resolved once we update to Windows 2008 SP2?
June 17th, 2015 5:08am

How could I be sure? I think your customer should understand that updating has to be done; troubleshooting an unsupported system could be time-wasting.
June 17th, 2015 5:19am

This topic is archived. No further replies will be accepted.
