Bluescreen analysis with WhoCrashed, BlueScreenView and WinDbg - different results

3

6

We are investigating BSODs on a Windows 2008 R2 Terminal Server.

We found out that the results of WinDbg and BlueScreenView were inconsistent, so we tried out WhoCrashed Home and WhoCrashed Pro (always the latest versions).

These are the results:

BlueScreenView: [screenshot]

WhoCrashed Home: [screenshot]

WhoCrashed Pro: [screenshot]

WhoCrashed Pro and WinDbg have the fewest contradictions.

WinDbg often can't determine the causing driver, so we used BlueScreenView in the past. But it seems that none of the tools can ascertain that.

What is the cause of these differences?

Are the tools doing more than just walking down the stack and resolving symbols from different sources (like any kind of heuristic analysis) that may be right but is not always reliable?

Edit
The details

Detail BlueScreenView

[screenshot]

Detail WhoCrashed Home

crash dump file: C:\Windows\Minidump\111014-20841-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x75BC0) 
Bugcheck code: 0xFC (0xFFFFF880009C6FB8, 0x800000000292F963, 0xFFFFF8800D2F8EB0, 0x2)
Error: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System

Bug check description: This indicates that an attempt was made to execute non-executable memory. This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules. There is a possibility this problem was caused by a virus or other malware. The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.

Detail WhoCrashed Pro

Crash dump file:        C:\ZZAnalyze\BAIL\Minidump\111014-20841-01.dmp
Date/time:              10.11.2014 08:45:04 GMT
Uptime:                 9 days, 15:04:22
Machine:                VMW7X64
Bug check name:         ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY
Bug check code:         0xFC
Bug check parm 1:       0xFFFFF880009C6FB8
Bug check parm 2:       0x800000000292F963
Bug check parm 3:       0xFFFFF8800D2F8EB0
Bug check parm 4:       0x2
Probably caused by:     mfehidk.sys
Driver description:     
Driver product:         
Driver company:         
OS build:               Built by: 7601.18409.amd64fre.win7sp1_gdr.140303-2144
Architecture:           x64 (64 bit)
CPU count:              4
Page size:              4096

Bug check description: 
This indicates that an attempt was made to execute non-executable memory.

Comments: This might be a case of memory corruption. More often memory corruption happens because of software errors in buggy drivers, not because of faulty RAM modules. There is a possibility this problem was caused by a virus or other malware. A third party driver was identified as the probable root cause of this system error. It is suggested you look for an update for the following driver: mfehidk.sys.

marsh-wiggle

Posted 2015-01-08T19:15:37.143

Reputation: 2 357
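The bug check parameters in the reports above can be checked independently of any tool's "probably caused by" field. The following is an added example, not part of the original post: it parses the WhoCrashed Pro parameter lines and decodes parameter 2 as an x64 page table entry, assuming the documented meaning of bug check 0xFC (parameter 1 is the virtual address whose execution was attempted, parameter 2 is the PTE contents). The function names are hypothetical.

```python
import re

# Constructed sample: the parameter lines from the WhoCrashed Pro report above.
REPORT = """\
Bug check code:         0xFC
Bug check parm 1:       0xFFFFF880009C6FB8
Bug check parm 2:       0x800000000292F963
Bug check parm 3:       0xFFFFF8800D2F8EB0
Bug check parm 4:       0x2
"""

# Architectural x64 PTE flag bits; bit 63 is the no-execute (NX) bit.
PTE_FLAGS = {0: "valid", 1: "writable", 2: "user", 5: "accessed",
             6: "dirty", 8: "global", 63: "no_execute"}


def parse_report(text):
    """Return (bugcheck_code, [parm1..parm4]) from WhoCrashed-style lines."""
    code = int(re.search(r"Bug check code:\s*(0x[0-9A-Fa-f]+)", text).group(1), 16)
    parms = dict(re.findall(r"Bug check parm (\d):\s*(0x[0-9A-Fa-f]+)", text))
    return code, [int(parms[str(i)], 16) for i in range(1, 5)]


def decode_pte(pte):
    """Split a 64-bit PTE into its set flag names and page frame number."""
    flags = {name for bit, name in PTE_FLAGS.items() if pte >> bit & 1}
    pfn = (pte >> 12) & 0xFFFFFFFFFF  # bits 12..51
    return flags, pfn


def triage_0xfc(text):
    """Check that the reported parameters are self-consistent for 0xFC."""
    code, parms = parse_report(text)
    if code != 0xFC:
        raise ValueError("not an ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY report")
    address, pte = parms[0], parms[1]
    flags, pfn = decode_pte(pte)
    return {
        "address": address,
        "kernel_space": address >> 47 == 0x1FFFF,  # canonical upper half
        "pte_flags": flags,
        "pfn": pfn,
        # A genuine 0xFC needs a present page that is marked no-execute.
        "consistent": {"valid", "no_execute"} <= flags,
    }


if __name__ == "__main__":
    for key, value in triage_0xfc(REPORT).items():
        print(key, value)
```

This only confirms that the dump's parameters agree with the bug check name; it does not identify the responsible driver.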

Can you supply a text file of the analysis each program generates for that particular crash? I believe BlueScreenView uses Google results to partially determine the "probably caused by" field. – Ramhound – 2015-01-08T19:44:00.417

When you click on a particular crash it should have details about the crash. What you display in the screenshot is only a small part of the information BlueScreenView displays. – Ramhound – 2015-01-08T20:05:55.487

@Ramhound Post is edited – marsh-wiggle – 2015-01-08T20:22:24.200

1

all those tools are crap. Only use WinDbg to debug bugchecks: http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-15-WinDbg-Bugchecks. mfehidk.sys = Host Intrusion Detection Link Driver from McAfee. So remove it.

– magicandre1981 – 2015-01-09T05:35:12.507

Some colleagues believe that this question is opinion-based. But the question why these tools are contradictory has an answer. But if no one knows more about the internals, then it may be that the question remains unanswered. Whether a question can be answered in any case should not be a criterion to ask it – marsh-wiggle – 2015-01-09T10:08:59.607

have you tried to remove McAfee? – magicandre1981 – 2015-01-09T18:21:21.773

@magicandre1981 Yes, we did. The error occurs only every two to six weeks (13 times in 12 months) so it will take a longer time before we can assess it. Thanks for your suggestions :) – marsh-wiggle – 2015-01-11T09:50:20.020

No answers