
I have a problem with a virtual Windows Server 2008 R2 SP1 server running within VMware. The server is running Citrix and also has Symantec Endpoint Protection installed. It randomly crashes and goes to BSOD.

Investigating the event log didn't yield any useful information about the cause of the crash. I ran Windows debug and generated the report shown below. Apparently it points to a failed driver. The problem is I can't pinpoint what driver is causing it. I'm wondering if anyone can offer some help.

```
----------
## Bugcheck Analysis   ##
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff9600008744d, Address of the instruction which caused the bugcheck
Arg3: fffff88007ba3de0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------
Page 125923 not present in the dump file. Type ".hh dbgerr004" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP: 
win32k!xxxInternalInvalidate+7d
fffff960`0008744d f6473208        test    byte ptr [rdi+32h],8

CONTEXT:  fffff88007ba3de0 -- (.cxr 0xfffff88007ba3de0)
rax=0000000000000000 rbx=0000000000010485 rcx=0000000000000000
rdx=0000000000000b02 rsi=0000000000000000 rdi=0000000000000000
rip=fffff9600008744d rsp=fffff88007ba47c0 rbp=0000000000000000
 r8=0000000000010485  r9=0000000000000000 r10=fffff900000004c0
r11=fffff900c26eac30 r12=0000000000000000 r13=0000000000000001
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
win32k!xxxInternalInvalidate+0x7d:
fffff960`0008744d f6473208        test    byte ptr [rdi+32h],8 ds:002b:00000000`00000032=??
Resetting default scope

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff960001351a2 to fffff9600008744d

STACK_TEXT:  
fffff880`07ba47c0 fffff960`001351a2 : 00000000`00000000 00000000`00000040 fffffa80`0678d330 00000000`00000000 : win32k!xxxInternalInvalidate+0x7d
fffff880`07ba4840 fffff960`001352a2 : fffffa80`0678d330 00000000`00000000 fffff880`07ba4ca0 fffffa80`06109ab0 : win32k!xxxInternalUserChangeDisplaySettings+0x486
fffff880`07ba4900 fffff960`001330e3 : 00000000`00000000 00000000`00000000 fffff900`c0f9ead0 fffff900`00000040 : win32k!xxxUserChangeDisplaySettings+0x92
fffff880`07ba49f0 fffff960`00115cba : 00000000`00000001 00000000`00aff960 00000000`00000000 ffffffff`ffffffff : win32k!xxxRemoteReconnect+0x6d7
fffff880`07ba4bf0 fffff800`016d9ed3 : fffffa80`06f66b00 fffff880`07ba4ca0 00000000`00000000 00000000`00000000 : win32k!NtUserCallOneParam+0x4e
fffff880`07ba4c20 000007fe`fd1b2aea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00aff918 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000007fe`fd1b2aea


FOLLOWUP_IP: 
win32k!xxxInternalInvalidate+7d
fffff960`0008744d f6473208        test    byte ptr [rdi+32h],8

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  win32k!xxxInternalInvalidate+7d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  50e64bda

STACK_COMMAND:  .cxr 0xfffff88007ba3de0 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_win32k!xxxInternalInvalidate+7d

BUCKET_ID:  X64_0x3B_win32k!xxxInternalInvalidate+7d

Followup: MachineOwner
---------
```
Rex
user176320
  • Looks like it's related to changing a display setting, I'd guess the display driver first... – Chris S Jun 04 '13 at 13:43
  • I tried to replicate that by changing the resolution on the server a couple of times with different settings; unfortunately or not, it didn't cause the blue screen. – user176320 Jun 04 '13 at 19:33
  • Do you mean that the host is crashing or that the guest is crashing? Also, since you only list one operating system (Server 2008 R2), is that the OS of the host, the guest, or both? Also, what version of VMware are you using? – Moshe Katz Jun 06 '13 at 19:40
  • Display driver problems on a Windows VM? - haven't seen that before. What version of Symantec EP? Are VMware Tools installed? – abstrask Jan 03 '14 at 01:52
  • Use [BlueScreenView](http://www.nirsoft.net/utils/blue_screen_view.html) to analyse the dump file. – Konrad Gajewski May 10 '15 at 10:28

1 Answer

This looks like the issue described in the following KB article:

https://support.microsoft.com/en-us/kb/2359223

"0x0000003B" Stop error occurs in Windows Server 2008 R2 and in Windows 7 when an application or a service performs a GUI-related operation

The reason I think it is the issue described in the hotfix is because it specifically calls out the win32k.sys driver. Also, the CSRSS.exe process, which also shows up in the dump, is used in inter-process communication between user-mode GUI operations and the kernel, which is also indicative of the issue described in the hotfix (reference: https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem).

I would recommend applying the hotfix in the KB article and monitoring to see if the stop errors continue.

learley
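An added example, not part of the original question or answer: a small Python triage of the `!analyze -v` text above that resolves the faulting memory operand from the register context and lists the modules on the stack. The function name `triage`, the `OS_MODULES` set and the 64 KB threshold are assumptions made for this illustration; the sample is an excerpt of the output quoted in the question.

```python
import re

# Excerpt of the !analyze -v output quoted in the question (values from the page).
SAMPLE = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
rax=0000000000000000 rbx=0000000000010485 rcx=0000000000000000
rdx=0000000000000b02 rsi=0000000000000000 rdi=0000000000000000
fffff960`0008744d f6473208        test    byte ptr [rdi+32h],8 ds:002b:00000000`00000032=??
PROCESS_NAME:  csrss.exe
STACK_TEXT:
fffff880`07ba47c0 fffff960`001351a2 : 00000000`00000000 00000000`00000040 fffffa80`0678d330 00000000`00000000 : win32k!xxxInternalInvalidate+0x7d
fffff880`07ba49f0 fffff960`00115cba : 00000000`00000001 00000000`00aff960 00000000`00000000 ffffffff`ffffffff : win32k!xxxRemoteReconnect+0x6d7
fffff880`07ba4c20 000007fe`fd1b2aea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00aff918 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000007fe`fd1b2aea

IMAGE_NAME:  win32k.sys
"""
OS_MODULES = {"nt", "hal", "win32k"}  # assumption: modules treated as OS components

def triage(text):
    """Summarise an !analyze -v report: faulting access, process, stack modules."""
    out = {}
    m = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M)
    out["bugcheck"] = (m.group(1), int(m.group(2), 16)) if m else None
    m = re.search(r"^Arg1: ([0-9a-f]+)", text, re.M)
    out["exception"] = int(m.group(1), 16) if m else None
    for key in ("PROCESS_NAME", "IMAGE_NAME"):
        m = re.search(rf"^{key}:\s+(\S+)", text, re.M)
        out[key.lower()] = m.group(1) if m else None
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)}
    # Memory operand of the faulting instruction, e.g. [rdi+32h]
    m = re.search(r"\[(r\w+)(?:\+([0-9a-f]+)h)?\]", text)
    if m and m.group(1) in regs:
        addr = regs[m.group(1)] + int(m.group(2) or "0", 16)
        out["fault_address"] = addr
        # Assumed heuristic: an access below 64 KB is a NULL base pointer plus a field offset
        out["null_deref"] = addr < 0x10000
    # Frames end in module!symbol+offset; raw addresses (no symbol) are skipped
    stack = text.split("STACK_TEXT:", 1)[-1].split("\n\n", 1)[0]
    mods = []
    for line in stack.splitlines():
        m = re.search(r" : ([\w.]+)!\S+$", line)
        if m and m.group(1) not in mods:
            mods.append(m.group(1))
    out["stack_modules"] = mods
    out["third_party_on_stack"] = [x for x in mods if x.lower() not in OS_MODULES]
    return out
```

On this dump the operand resolves to address 0x32 with `rdi` equal to zero, and every symbolised frame is in `win32k` or `nt`, so no third-party driver is named on the faulting stack.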