HI , I have IBM server rebooted with the minidump file generated. I have done dump analysis with WINDBG. But I have no idea what cause the reboot. Can somebody have a look at it.. The dump is attached here;-
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\Administrator\Desktop\RIO\All Incidents\RIOCHITS1160307\Mini031607-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Mar 16 06:56:02.364 2007 (GMT+5)
System Uptime: 46 days 20:28:29.394
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck AB, {1a, 1ec8, 0, 55}
Probably caused by : ntoskrnl.exe ( nt!RtlCompareMemory+49 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SESSION_HAS_VALID_POOL_ON_EXIT (ab)
Caused by a session driver not freeing its pool allocations prior to a
session unload. This indicates a bug in win32k.sys, atmfd.dll,
rdpdd.dll or a video driver.
Arguments:
Arg1: 0000001a, session ID
Arg2: 00001ec8, number of paged pool bytes that are leaking
Arg3: 00000000, number of nonpaged pool bytes that are leaking
Arg4: 00000055, total number of paged and nonpaged allocations that are leaking.
nonpaged allocations are in the upper half of this word,
paged allocations are in the lower half of this word.
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xAB
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8092ea6f to 80827451
STACK_TEXT:
8b9d6c24 8092ea6f 000000ab 0000001a 00001ec8 nt!RtlCompareMemory+0x49
8b9d6c68 809ab017 88228070 88228070 00000000 nt!IopGetRegistryValue+0x8f
8b9d6ce8 8084c1a7 88228070 00000000 896cf020 nt!WmipSwitchToNewFile+0xa7
8b9d6d04 8094b539 88228070 896cf020 896cf260 nt!NtAllocateVirtualMemory+0x605
8b9d6d8c 8094b68d 00000000 00000000 896cf020 nt!IopProcessRelation+0x33c
8b9d6da4 80948bc0 896cf020 00000000 00000001 nt!IopProcessRelation+0x490
8b9d6ddc 8088d4d2 bf92b980 87574180 00000000 nt!IopReallocateResources+0xdf
8b9d6dec 00000000 00000000 00000000 00000000 nt!ExRundownCompletedCacheAware+0x1f
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!RtlCompareMemory+49
80827451 5d pop ebp
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!RtlCompareMemory+49
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42435b14
FAILURE_BUCKET_ID: 0xAB_nt!RtlCompareMemory+49
BUCKET_ID: 0xAB_nt!RtlCompareMemory+49
Followup: MachineOwner
---------
3: kd> !process
GetPointerFromAddress: unable to read from 8089c298
PROCESS 88228070 SessionId: none Cid: 1a84 Peb: 7ffdf000 ParentCid: 032c
DirBase: cffb5600 ObjectTable: 00000000 HandleCount: 0.
Image: csrss.exe
VadRoot 8a4b53d0 Vads 45 Clone 0 Private 187. Modified 1373. Locked 0.
DeviceMap e1001840
Token e27bf650
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 18456
QuotaPoolUsage[NonPagedPool] 1800
Working Set Sizes (now,min,max) (616, 50, 345) (2464KB, 200KB, 1380KB)
PeakWorkingSetSize 924
VirtualSize 15 Mb
PeakVirtualSize 26 Mb
PageFaultCount 2212
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 259
THREAD 896cf020 Cid 1a84.0dd0 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 3
3: kd> !thread
GetPointerFromAddress: unable to read from 8089c298
THREAD 896cf020 Cid 1a84.0dd0 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 3
Not impersonating
GetUlongFromAddress: unable to read from 808ad8d4
Owning Process 88228070 Image: csrss.exe
ffdf0000: Unable to get shared data
Wait Start TickCount 259079001
Context Switch Count 4
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime 00:00:00.0000
KernelTime 00:00:00.0000
Unable to load image win32k.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for win32k.sys
Start Address win32k!InitiateWin32kCleanup (0xbf92b980)
Stack Init 8b9d7000 Current 8b9d6c68 Base 8b9d7000 Limit 8b9d4000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b9d6c24 8092ea6f 000000ab 0000001a 00001ec8 nt!RtlCompareMemory+0x49
8b9d6c68 809ab017 88228070 88228070 00000000 nt!IopGetRegistryValue+0x8f (FPO: [Non-Fpo])
8b9d6ce8 8084c1a7 88228070 00000000 896cf020 nt!WmipSwitchToNewFile+0xa7 (FPO: [Non-Fpo])
8b9d6d04 8094b539 88228070 896cf020 896cf260 nt!NtAllocateVirtualMemory+0x605 (FPO: [Non-Fpo])
8b9d6d8c 8094b68d 00000000 00000000 896cf020 nt!IopProcessRelation+0x33c (FPO: [Non-Fpo])
8b9d6da4 80948bc0 896cf020 00000000 00000001 nt!IopProcessRelation+0x490 (FPO: [Non-Fpo])
8b9d6ddc 8088d4d2 bf92b980 87574180 00000000 nt!IopReallocateResources+0xdf (FPO: [Non-Fpo])
8b9d6dec 00000000 00000000 00000000 00000000 nt!ExRundownCompletedCacheAware+0x1f (FPO: [0,0,0])
3: kd> kv
ChildEBP RetAddr Args to Child
8b9d6c24 8092ea6f 000000ab 0000001a 00001ec8 nt!RtlCompareMemory+0x49
8b9d6c68 809ab017 88228070 88228070 00000000 nt!IopGetRegistryValue+0x8f (FPO: [Non-Fpo])
8b9d6ce8 8084c1a7 88228070 00000000 896cf020 nt!WmipSwitchToNewFile+0xa7 (FPO: [Non-Fpo])
8b9d6d04 8094b539 88228070 896cf020 896cf260 nt!NtAllocateVirtualMemory+0x605 (FPO: [Non-Fpo])
8b9d6d8c 8094b68d 00000000 00000000 896cf020 nt!IopProcessRelation+0x33c (FPO: [Non-Fpo])
8b9d6da4 80948bc0 896cf020 00000000 00000001 nt!IopProcessRelation+0x490 (FPO: [Non-Fpo])
8b9d6ddc 8088d4d2 bf92b980 87574180 00000000 nt!IopReallocateResources+0xdf (FPO: [Non-Fpo])
8b9d6dec 00000000 00000000 00000000 00000000 nt!ExRundownCompletedCacheAware+0x1f (FPO: [0,0,0])
3: kd> !stacks
Proc.Thread .Thread Ticks ThreadState Blocker
GetUlongFromAddress: unable to read from 8089c298
Unable to get value of PsActiveProcessHead.Flink
Threads Processed: 0
3: kd> u
nt!RtlCompareMemory+0x49:
80827451 5d pop ebp
80827452 c21400 ret 14h
80827455 cc int 3
80827456 cc int 3
80827457 cc int 3
nt!RtlCompareMemoryUlong:
80827458 cc int 3
80827459 cc int 3
8082745a 8bff mov edi,edi
3: kd> ut
^ Unknown ut command 'ut'
3: kd> uf
Address expression missing from '<EOL>'
3: kd> !object
GetUlongFromAddress: unable to read from 8089c290
808ac650: Unable to get value of ObpTypeObjectType
======================================================
Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\Administrator\Desktop\RIO\All Incidents\RIOCHITS1160307\Mini031607-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Mar 16 06:56:02.364 2007 (GMT+5)
System Uptime: 46 days 20:28:29.394
Unable to load image ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
Loading Kernel Symbols
...................................................................................................................
Loading User Symbols
Loading unloaded module list
..................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck AB, {1a, 1ec8, 0, 55}
Probably caused by : ntoskrnl.exe ( nt!RtlCompareMemory+49 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SESSION_HAS_VALID_POOL_ON_EXIT (ab)
Caused by a session driver not freeing its pool allocations prior to a
session unload. This indicates a bug in win32k.sys, atmfd.dll,
rdpdd.dll or a video driver.
Arguments:
Arg1: 0000001a, session ID
Arg2: 00001ec8, number of paged pool bytes that are leaking
Arg3: 00000000, number of nonpaged pool bytes that are leaking
Arg4: 00000055, total number of paged and nonpaged allocations that are leaking.
nonpaged allocations are in the upper half of this word,
paged allocations are in the lower half of this word.
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xAB
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8092ea6f to 80827451
STACK_TEXT:
8b9d6c24 8092ea6f 000000ab 0000001a 00001ec8 nt!RtlCompareMemory+0x49
8b9d6c68 809ab017 88228070 88228070 00000000 nt!IopGetRegistryValue+0x8f
8b9d6ce8 8084c1a7 88228070 00000000 896cf020 nt!WmipSwitchToNewFile+0xa7
8b9d6d04 8094b539 88228070 896cf020 896cf260 nt!NtAllocateVirtualMemory+0x605
8b9d6d8c 8094b68d 00000000 00000000 896cf020 nt!IopProcessRelation+0x33c
8b9d6da4 80948bc0 896cf020 00000000 00000001 nt!IopProcessRelation+0x490
8b9d6ddc 8088d4d2 bf92b980 87574180 00000000 nt!IopReallocateResources+0xdf
8b9d6dec 00000000 00000000 00000000 00000000 nt!ExRundownCompletedCacheAware+0x1f
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!RtlCompareMemory+49
80827451 5d pop ebp
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!RtlCompareMemory+49
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntoskrnl.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42435b14
FAILURE_BUCKET_ID: 0xAB_nt!RtlCompareMemory+49
BUCKET_ID: 0xAB_nt!RtlCompareMemory+49
Followup: MachineOwner
---------
3: kd> !process
GetPointerFromAddress: unable to read from 8089c298
PROCESS 88228070 SessionId: none Cid: 1a84 Peb: 7ffdf000 ParentCid: 032c
DirBase: cffb5600 ObjectTable: 00000000 HandleCount: 0.
Image: csrss.exe
VadRoot 8a4b53d0 Vads 45 Clone 0 Private 187. Modified 1373. Locked 0.
DeviceMap e1001840
Token e27bf650
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
ffdf0000: Unable to get shared data
ElapsedTime 00:00:00.000
UserTime 00:00:00.000
KernelTime 00:00:00.000
QuotaPoolUsage[PagedPool] 18456
QuotaPoolUsage[NonPagedPool] 1800
Working Set Sizes (now,min,max) (616, 50, 345) (2464KB, 200KB, 1380KB)
PeakWorkingSetSize 924
VirtualSize 15 Mb
PeakVirtualSize 26 Mb
PageFaultCount 2212
MemoryPriority BACKGROUND
BasePriority 13
CommitCharge 259
THREAD 896cf020 Cid 1a84.0dd0 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 3
3: kd> !thread
GetPointerFromAddress: unable to read from 8089c298
THREAD 896cf020 Cid 1a84.0dd0 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 3
Not impersonating
GetUlongFromAddress: unable to read from 808ad8d4
Owning Process 88228070 Image: csrss.exe
ffdf0000: Unable to get shared data
Wait Start TickCount 259079001
Context Switch Count 4
ReadMemory error: Cannot get nt!KeMaximumIncrement value.
UserTime 00:00:00.0000
KernelTime 00:00:00.0000
Unable to load image win32k.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for win32k.sys
Start Address win32k!InitiateWin32kCleanup (0xbf92b980)
Stack Init 8b9d7000 Current 8b9d6c68 Base 8b9d7000 Limit 8b9d4000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0
ChildEBP RetAddr Args to Child
8b9d6c24 8092ea6f 000000ab 0000001a 00001ec8 nt!RtlCompareMemory+0x49
8b9d6c68 809ab017 88228070 88228070 00000000 nt!IopGetRegistryValue+0x8f (FPO: [Non-Fpo])
8b9d6ce8 8084c1a7 88228070 00000000 896cf020 nt!WmipSwitchToNewFile+0xa7 (FPO: [Non-Fpo])
8b9d6d04 8094b539 88228070 896cf020 896cf260 nt!NtAllocateVirtualMemory+0x605 (FPO: [Non-Fpo])
8b9d6d8c 8094b68d 00000000 00000000 896cf020 nt!IopProcessRelation+0x33c (FPO: [Non-Fpo])
8b9d6da4 80948bc0 896cf020 00000000 00000001 nt!IopProcessRelation+0x490 (FPO: [Non-Fpo])
8b9d6ddc 8088d4d2 bf92b980 87574180 00000000 nt!IopReallocateResources+0xdf (FPO: [Non-Fpo])
8b9d6dec 00000000 00000000 00000000 00000000 nt!ExRundownCompletedCacheAware+0x1f (FPO: [0,0,0])
3: kd> kv
ChildEBP RetAddr Args to Child
8b9d6c24 8092ea6f 000000ab 0000001a 00001ec8 nt!RtlCompareMemory+0x49
8b9d6c68 809ab017 88228070 88228070 00000000 nt!IopGetRegistryValue+0x8f (FPO: [Non-Fpo])
8b9d6ce8 8084c1a7 88228070 00000000 896cf020 nt!WmipSwitchToNewFile+0xa7 (FPO: [Non-Fpo])
8b9d6d04 8094b539 88228070 896cf020 896cf260 nt!NtAllocateVirtualMemory+0x605 (FPO: [Non-Fpo])
8b9d6d8c 8094b68d 00000000 00000000 896cf020 nt!IopProcessRelation+0x33c (FPO: [Non-Fpo])
8b9d6da4 80948bc0 896cf020 00000000 00000001 nt!IopProcessRelation+0x490 (FPO: [Non-Fpo])
8b9d6ddc 8088d4d2 bf92b980 87574180 00000000 nt!IopReallocateResources+0xdf (FPO: [Non-Fpo])
8b9d6dec 00000000 00000000 00000000 00000000 nt!ExRundownCompletedCacheAware+0x1f (FPO: [0,0,0])
3: kd> !stacks
Proc.Thread .Thread Ticks ThreadState Blocker
GetUlongFromAddress: unable to read from 8089c298
Unable to get value of PsActiveProcessHead.Flink
Threads Processed: 0
3: kd> u
nt!RtlCompareMemory+0x49:
80827451 5d pop ebp
80827452 c21400 ret 14h
80827455 cc int 3
80827456 cc int 3
80827457 cc int 3
nt!RtlCompareMemoryUlong:
80827458 cc int 3
80827459 cc int 3
8082745a 8bff mov edi,edi
3: kd> ut
^ Unknown ut command 'ut'
3: kd> uf
Address expression missing from '<EOL>'
3: kd> !object
GetUlongFromAddress: unable to read from 8089c290
808ac650: Unable to get value of ObpTypeObjectType
======================================================
