BSOD caused by ntoskrnl.exe


  • BSOD caused by ntoskrnl.exe

    Some background: virtualized (Hyper-V) Server 2008 OS, provides AD/CS, AD/DS, DHCP, DNS, Files, TS, Web & WSUS. This server is one of three from the Essential Business Server 2008 line (Management). Basically we're looking at a pretty important server that has just out of the blue started having BSOD.

    Second time within a week this has happened. Only thing to really change on the server are security patches (not including this past Tuesday's updates). Checking the event logs shows nothing out of the ordinary prior to the BSOD occurring.

    Upon logging in after the BSOD I receive the following details:

    Problem signature:
    Problem Event Name: BlueScreen
    OS Version: 6.0.6002.
    Locale ID: 1033

    Additional information about the problem:
    BCCode: 1e
    BCP1: FFFFFFFFC0000005
    BCP2: FFFFF80001C84760
    BCP3: 0000000000000000
    BCP4: 00000000000000E4
    OS Version: 6_0_6002
    Service Pack: 2_0
    Product: 272_2

    Files that help describe the problem:
    C:\Users\amolina\AppData\Local\Temp\ rsion.txt

    I have included a screenshot from Blue Screen View. The only action I have taken after the BSOD has occurred is running sfc /scannow. Both times the console reports corrupted files have been detected and repaired. I have the shortened version of the CBS.log file but I have no idea what to search.

    Lucky for me I have a second server acting as a failover DC/DNS so users don't even notice it goes out. Suggestions on where to start?

  • #2
    Re: BSOD caused by ntoskrnl.exe

    During your security installs were any drivers updated??

    Most of the BSODs I've ever dealt with have been as a result of either failing hardware or bad drivers.

    Maybe also have a quick look at this


    • #3
      Re: BSOD caused by ntoskrnl.exe

      There have been no driver updates ever as these servers are virtualized. I was starting to lean towards a hardware failure since the VHD for this VM is on a dedicated RAID array. The last major update was applying Exchange Server 2007 SP3 but this only applies to the management tools that are installed on this server. I'm currently working with Blue Screen View to obtain the crash info.


      • #4
        Re: BSOD caused by ntoskrnl.exe

        Maybe BlueScreenView gives you the same info, but pushing the .dmp file through WinDbg can help you find out what caused the crash.


        • #5
          Re: BSOD caused by ntoskrnl.exe

          I've got it open in WinDbg and it says it was "probably caused by ntoskrnl.exe" at the end of it. There's more info but it's all gibberish to me, anything I should be looking for?


          • #6
            Re: BSOD caused by ntoskrnl.exe

            Can you upload the dump file somewhere and one of us might be able to take a look at it??


            • #7
              Re: BSOD caused by ntoskrnl.exe


              Didn't see one yesterday but we restarted the servers over the weekend.


              • #8
                Re: BSOD caused by ntoskrnl.exe

                Just adding my 2 cents.
                To view a crash dump easily I use the free tool WhoCrashed 3.06
                Install it, click analyse and it will show you the contents of memory.dmp in an easy to read format. Then just copy/paste it.
                For more info on the tool:
                Last edited by uk_network; 25th September 2012, 21:40.


                • #9
                  Re: BSOD caused by ntoskrnl.exe

                  If the only recent change was patching, and it worked fine before the patch date, I would evaluate which patches were installed on the problematic server that the other servers did not receive. Compare the patch lists if the servers are the same OS.

                  You might see patches specific to, for example, WSUS if it is a WSUS server.
                  The other servers would not have those in all likelihood. Try to narrow down what is different between the patches applied to the faulting server and the working ones.

                  You might find a patch which is a potential problem, and be able to remove it.
                  The BSOD itself generally points to OS corruption, hardware (unlikely on virtual) or driver changes. So virtual drivers are what I would look at first.
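
The patch comparison suggested in post #9, as an added PowerShell example that is not part of the original thread. The function name `Get-UniqueHotFix`, the helper `New-SampleHotFix`, the KB ids, the server names in the comments and the cutoff date are all constructed placeholders; in live use the two lists would come from `Get-HotFix -ComputerName <server>`.

```powershell
# Added example: list hotfixes found only on the faulting server.
# All KB ids and dates below are constructed sample data.

function Get-UniqueHotFix {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Faulting,   # records from the crashing server
        [Parameter(Mandatory=$true)] [object[]] $Reference,  # records from a healthy server
        [datetime] $Since = [datetime]::MinValue             # ignore patches older than this
    )
    # Index the healthy server's patches by KB id for fast lookup.
    $refIds = @{}
    foreach ($r in $Reference) { $refIds[$r.HotFixID] = $true }

    $Faulting | Where-Object {
        # Keep a patch when the healthy server lacks it AND it is recent.
        # Get-HotFix can return an empty InstalledOn; treat "unknown date"
        # as a candidate instead of silently dropping it.
        (-not $refIds.ContainsKey($_.HotFixID)) -and
        ((-not $_.InstalledOn) -or ($_.InstalledOn -ge $Since))
    } | Sort-Object InstalledOn -Descending
}

# Hypothetical helper that builds records shaped like Get-HotFix output.
function New-SampleHotFix([string]$Id, [string]$Desc, $On) {
    New-Object PSObject -Property @{ HotFixID = $Id; Description = $Desc; InstalledOn = $On }
}

# Live use (server names are placeholders):
#   $faulting  = Get-HotFix -ComputerName FAULTING-SERVER
#   $reference = Get-HotFix -ComputerName HEALTHY-SERVER
$faulting = @(
    (New-SampleHotFix 'KB9000001' 'Security Update' ([datetime]'2012-07-10')),
    (New-SampleHotFix 'KB9000002' 'Security Update' ([datetime]'2012-08-14')),
    (New-SampleHotFix 'KB9000003' 'Update'          ([datetime]'2012-08-26')),
    (New-SampleHotFix 'KB9000004' 'Update'          $null)
)
$reference = @(
    (New-SampleHotFix 'KB9000001' 'Security Update' ([datetime]'2012-07-10')),
    (New-SampleHotFix 'KB9000002' 'Security Update' ([datetime]'2012-08-15'))
)

# Patches unique to the faulting server, installed on or after the cutoff
# (or with no recorded date). These are the first removal candidates.
Get-UniqueHotFix -Faulting $faulting -Reference $reference -Since ([datetime]'2012-08-01') |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

`Get-HotFix` reports operating-system updates only, so application patches such as Office updates have to be compared from the Windows Update history instead.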


                  • #10
                    Re: BSOD caused by ntoskrnl.exe

                    All I can't get from it is that NTOSKERNEL has caused it.

                    Review all the patches that were installed on the server and start removing them one by one until you find the culprit.


                    • #11
                      Re: BSOD caused by ntoskrnl.exe

                      Just had another one occur not that long ago. Looks like the bug check string is different from the previous blue screen. Still showing ntoskrnl.exe as the cause.

                      This from WhoCrashed on the latest minidump. Should I just enable full memory dump instead?

                      Crash Dump Analysis

                      Crash dump directory: C:\Windows\Minidump

                      Crash dumps are enabled on your computer.

                      On Wed 9/26/2012 11:01:01 PM GMT your computer crashed
                      crash dump file: C:\Windows\Minidump\Mini092612-01.dmp
                      This was probably caused by the following module: ntoskrnl.exe (nt+0x57AD0)
                      Bugcheck code: 0x4A (0x74B7385E, 0x1, 0x0, 0xFFFFFA6004505CA0)
                      Error: IRQL_GT_ZERO_AT_SYSTEM_SERVICE
                      file path: C:\Windows\system32\ntoskrnl.exe
                      product: Microsoft® Windows® Operating System
                      company: Microsoft Corporation
                      description: NT Kernel & System
                      Bug check description: This indicates that a thread is returning to user mode from a system call when its IRQL is still above PASSIVE_LEVEL.
                      The crash took place in the Windows kernel. Possibly this problem is caused by another driver which cannot be identified at this time.


                      1 crash dumps have been found and analyzed. No offending third party drivers have been found. Consider configuring your system to produce a full memory dump for better analysis.
                      Last edited by crowntech; 27th September 2012, 00:43.


                      • #12
                        Re: BSOD caused by ntoskrnl.exe

                        Could still have been caused by a bad update. Have you removed all the updates that were applied before the issue started??


                        • #13
                          Re: BSOD caused by ntoskrnl.exe

                          That's what I'm beginning to suspect: an update. Looking through our update history, I am able to see on 8/26/12 there was a security update for Office 2003 (KB2687323) that failed but was retried and successfully applied. Other updates to consider: Essential Business Server 2008 feature packs/updates. Prior to that there are mostly security updates for Server 2008, Malicious Software Removal tools and IE9 updates.

                          I'll begin by removing the Office 2003 update then EBS updates.


                          • #14
                            Re: BSOD caused by ntoskrnl.exe

                            I would be more tempted to remove driver updates and .NET + system updates etc. before Office 2003. Office updates are less likely to impact the system kernel in most cases.

                            On another note, as a possible solution, check if you recently upgraded your VMware Tools.
                            If yes, perhaps there is an issue here, as the BSOD does report IRQG, which generally relates to drivers.

                            If not, check if an updated VMware Tools version is available to install.

                            You could also open up Device Manager, and under View select "Show hidden devices" and see if any devices are throwing a fit.


                            • #15
                              Re: BSOD caused by ntoskrnl.exe

                              We're running Hyper-V on Server 2008 Standard.

                              Looking at the host machine updates I am seeing the following before our VM started having its problems

                              4x security updates
                              1x MSRT (August)

                              We did have another BSOD occur on 9/26

                              Not sure if this is relevant but all bug check codes have been different all 3 times. I did see on our host machine that there is a NIC driver update but when I attempted to install it back on 4/26 it failed. I haven't made an attempt to update the NIC since then but I figure now would probably be the best time. Is there anything in particular that I need to do before updating the NIC? Will I need to re-configure the virtual networks?

                              As for the bug check codes they are as follows:

                              9/11/12: 0x00000024

                              9/17/12: 0x0000001e

                              9/26/12: 0x0000004a

                              Anyone recognize a pattern?