Minidump for an Event ID 6008
-
Wednesday, January 02, 2013 9:16 PM
Our Windows 2003 server has begun experiencing intermittent crashes, maybe once a day, and when it reboots we see the message: Event ID 6008 - The previous system shutdown at <time> on <date> was unexpected.
I captured a minidump below but am unfamiliar with how to interpret this. For example it refers to file keymmdrv.sys but I can't even locate that on this system.
Also, this problem began after our data drive (raid array) crashed and was rebuilt. The OS partition never changed.
Thanks for any insight!
Bill
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\Minidump\Mini010113-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.120821-0338
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Tue Jan 1 20:12:36.546 2013 (UTC - 5:00)
System Uptime: 0 days 4:16:03.177
Loading Kernel Symbols
...............................................................
.............................................
Loading User Symbols
Loading unloaded module list
....
Unable to load image keymmdrv.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for keymmdrv.sys
*** ERROR: Module load completed but symbols could not be loaded for keymmdrv.sys
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, b5bd5017, b5bc2bdc, 0}
Probably caused by : keymmdrv.sys ( keymmdrv+2017 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b5bd5017, The address that the exception occurred at
Arg3: b5bc2bdc, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
FAULTING_IP:
keymmdrv+2017
b5bd5017 895004 mov dword ptr [eax+4],edx
TRAP_FRAME: b5bc2bdc -- (.trap 0xffffffffb5bc2bdc)
ErrCode = 00000002
eax=00000000 ebx=00000000 ecx=f9a18dcc edx=00000000 esi=f9a18dcc edi=f9a18c60
eip=b5bd5017 esp=b5bc2c50 ebp=b5bc2c50 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
keymmdrv+0x2017:
b5bd5017 895004 mov dword ptr [eax+4],edx ds:0023:00000004=????????
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x8E
PROCESS_NAME: tail.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from b5bd5081 to b5bd5017
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
b5bc2c50 b5bd5081 f9a18dcc 00000001 00000012 keymmdrv+0x2017
b5bc2c70 8081dfb5 8979b718 f9a18c60 8a2daee0 keymmdrv+0x2081
b5bc2c84 f724fc45 8a2daee0 00000000 8087ede7 nt!IofCallDriver+0x45
b5bc2cac 8081dfb5 89804e68 f9a18c60 f9a18c60 fltmgr!FltpDispatch+0x6f
b5bc2cc0 808f0a49 b5bc2d64 0240fcc0 808f058e nt!IofCallDriver+0x45
b5bc2d48 8088983c 000007c8 0240fccc 0240fd20 nt!NtQueryInformationFile+0x4bb
b5bc2d48 7c82845c 000007c8 0240fccc 0240fd20 nt!KiFastCallEntry+0xfc
0240fd8c 00000000 00000000 00000000 00000000 0x7c82845c
STACK_COMMAND: kb
FOLLOWUP_IP:
keymmdrv+2017
b5bd5017 895004 mov dword ptr [eax+4],edx
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: keymmdrv+2017
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: keymmdrv
IMAGE_NAME: keymmdrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4d01e627
FAILURE_BUCKET_ID: 0x8E_keymmdrv+2017
BUCKET_ID: 0x8E_keymmdrv+2017
Followup: MachineOwner
---------
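The fields in the dump above can be read mechanically. This added example (not part of the original thread) parses lines copied from the posted !analyze -v output to decode the page-fault error code, the address the faulting instruction wrote to, and the driver's link timestamp; the function names `field` and `triage` are hypothetical.

```python
import re
from datetime import datetime, timezone

# Lines copied from the !analyze -v output quoted in the post above.
ANALYZE = """\
ErrCode = 00000002
eax=00000000 ebx=00000000 ecx=f9a18dcc edx=00000000 esi=f9a18dcc edi=f9a18c60
eip=b5bd5017 esp=b5bc2c50 ebp=b5bc2c50 iopl=0 nv up ei pl zr na pe nc
keymmdrv+0x2017:
b5bd5017 895004 mov dword ptr [eax+4],edx ds:0023:00000004=????????
PROCESS_NAME: tail.exe
IMAGE_NAME: keymmdrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4d01e627
"""

def field(name, text):
    """Return the value after 'NAME:' or 'NAME =' at the start of a line."""
    m = re.search(rf"^{re.escape(name)}\s*[:=]\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def triage(text):
    """Decode the trap frame, faulting operand and image timestamp."""
    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-z]{2})=([0-9a-f]{8})\b", text)}
    # x86 page-fault error code: bit 0 set = protection violation (clear =
    # page not present), bit 1 set = write, bit 2 set = fault in user mode.
    err = int(field("ErrCode", text), 16)
    # Memory operand of the faulting instruction, e.g. "[eax+4]".
    base, disp = re.search(r"\[(e[a-z]{2})\+([0-9a-f]+)\]", text).groups()
    target = regs[base] + int(disp, 16)
    # "module+0xOFFSET:" labels the faulting EIP, which gives the load address.
    offset = re.search(r"^\w+\+0x([0-9a-f]+):", text, re.M).group(1)
    stamp = int(field("DEBUG_FLR_IMAGE_TIMESTAMP", text), 16)
    return {
        "process": field("PROCESS_NAME", text),
        "image": field("IMAGE_NAME", text),
        "module_base": regs["eip"] - int(offset, 16),
        "access": "write" if err & 2 else "read",
        "page_present": bool(err & 1),
        "kernel_mode": not err & 4,
        "target_address": target,
        # Below 64 KB: the base pointer was NULL or very close to it.
        "null_deref": target < 0x10000,
        "link_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
    }

if __name__ == "__main__":
    for key, value in triage(ANALYZE).items():
        print(f"{key:15} {value}")
```

The link time is the timestamp stored in the driver image's PE header; it is set at build time and can be altered, so treat it as a hint when identifying the driver rather than as proof of origin.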
All Replies
-
Wednesday, January 02, 2013 9:28 PM
Can you do !lmi keymmdrv.sys?
Who owns that driver? If it's not critical to the system you may want to temp disable it. If you end up engaging support, please make sure you change the crash option to kernel dump.
Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog
-
Wednesday, January 02, 2013 9:56 PM
Sorry, what is this command? ---> !lmi keymmdrv.sys
-
Wednesday, January 02, 2013 10:07 PM
Yes. Basically trying to determine who the owner of this driver is... Also could check version information of file manually.
Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog
-
Thursday, January 03, 2013 3:32 AM
Thanks for your help on this. The strange thing is that I cannot locate that file on this machine. If I do a search, including hidden and system folders, it does not show up.
-
Thursday, January 03, 2013 6:32 AM
Moderator
No idea what keymmdrv.sys is for. A quick search on the Internet returns nothing. Consider updating your antivirus and running a full scan, as this file is probably unwanted.
To analyze the dump file, please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
To obtain the phone numbers for a specific technology request, please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
- Marked As Answer by Cheers ZHANG (Microsoft Contingent Staff, Moderator) Tuesday, January 08, 2013 5:41 AM
-
Thursday, January 03, 2013 6:58 AM
It's clear from the log that you have customized or third-party software running on your server with the process tail.exe, which is actually creating the problem
this is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
http://www.arabitpro.com
- Edited by Syed Khairuddin (MVP) Thursday, January 03, 2013 7:01 AM
-
Monday, February 18, 2013 3:36 PM
Hello Bill. I stumbled upon that thread and I can assure you that you have a VERY SERIOUS security issue running here. Could you contact me privately at the following address: white.wolf[(at)]hotmail.fr ? We need to talk. Thank you.

