Windows server 2003 Enterprise SP2 reboots 0x0000008e (0xc0000005, 0xbf8a28d8, 0xb7b3cb1c, 0x00000000)

Ask a question

Monday, February 11, 2013 8:24 AM

0

Hello,

I have one problem, my server reboots by self one time in a day. And give error on event . On company was other admin, and he goes out of a job. Can be here his hacking?

Ewent:

Event Type: Warning
Event Source: USER32
Event Category: None
Event ID: 1076
Date: 2013.02.11
Time: 08:48:08
User: SERVER\Administrator
Computer: SERVER
Description:
The reason supplied by user SERVER\Administrator for the last unexpected shutdown of this computer is: System Failure: Stop error
Reason Code: 0x805000f
Bug ID:
Bugcheck String: 0x0000008e (0xc0000005, 0xbf8a28d8, 0xb7b3cb1c, 0x00000000)
Comment: 0x0000008e (0xc0000005, 0xbf8a28d8, 0xb7b3cb1c, 0x00000000)
For more information, see Help and Support Center at <link remowed my account not werified>.
Data:
0000: 0f 00 05 08               ....
words: 0000: 0805000f

Debugger:

Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [c:\MEMORY\Mini.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Mon Feb 11 08:35:27.718 2013 (UTC + 2:00)
System Uptime: 0 days 0:33:14.784
Loading Kernel Symbols
...............................................................
.......................................................
Loading User Symbols
Loading unloaded module list
........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, bf8a28d8, b7b3cb1c, 0}

Probably caused by : win32k.sys ( win32k!xxxRedrawWindow+4c )

Followup: MachineOwner
---------

3: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8a28d8, The address that the exception occurred at
Arg3: b7b3cb1c, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
win32k!xxxRedrawWindow+4c
bf8a28d8 f6461e40        test    byte ptr [esi+1Eh],40h

TRAP_FRAME: b7b3cb1c -- (.trap 0xffffffffb7b3cb1c)
ErrCode = 00000000
eax=00000001 ebx=00000000 ecx=0000029d edx=00000001 esi=00000000 edi=bc58c8e8
eip=bf8a28d8 esp=b7b3cb90 ebp=b7b3cba8 iopl=0         nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000             efl=00010286
win32k!xxxRedrawWindow+0x4c:
bf8a28d8 f6461e40        test    byte ptr [esi+1Eh],40h     ds:0023:0000001e=00
Resetting default scope

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x8E

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from bf84abdd to bf8a28d8

STACK_TEXT:
b7b3cba8 bf84abdd 00000000 bc58c8e8 00000000 win32k!xxxRedrawWindow+0x4c
b7b3cc00 bf83c96d 00000000 b7b3cc64 bf8b83c4 win32k!xxxDestroyWindow+0x20f
b7b3cc0c bf8b83c4 be112ac0 bc49aa38 bc49a9b8 win32k!HMDestroyUnlockedObject+0x1c
b7b3cc20 bf8b8775 884cd5f0 00000000 00000000 win32k!DestroyThreadsObjects+0x72
b7b3cc64 bf8b701a 00000001 b7b3cc8c bf8b7e77 win32k!xxxDestroyThreadInfo+0x206
b7b3cc70 bf8b7e77 884cd5f0 00000001 00000000 win32k!UserThreadCallout+0x4b
b7b3cc8c 8094c2b0 884cd5f0 00000001 884cd5f0 win32k!W32pThreadCallout+0x3a
b7b3cd18 8094c643 00000000 00000000 884cd5f0 nt!PspExitThread+0x3b2
b7b3cd30 8094c995 884cd5f0 00000000 00000001 nt!PspTerminateThreadByPointer+0x4b
b7b3cd54 808897bc fffffffe 00000000 012dffdc nt!NtTerminateThread+0x71
b7b3cd54 7c82860c fffffffe 00000000 012dffdc nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
012dffdc 00000000 00000000 00000000 00000000 0x7c82860c

STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!xxxRedrawWindow+4c
bf8a28d8 f6461e40        test    byte ptr [esi+1Eh],40h

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: win32k!xxxRedrawWindow+4c

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: win32k

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a8417a6

FAILURE_BUCKET_ID: 0x8E_win32k!xxxRedrawWindow+4c

BUCKET_ID: 0x8E_win32k!xxxRedrawWindow+4c

Followup: MachineOwner
---------
- Reply
- Quote

All Replies

Monday, February 11, 2013 10:01 AM

1

0x8e is the code for a KERNEL_MODE_EXCEPTION_NOT_HANDLED bugcheck. This is a very common bug check - nothing to worry so far.

Halfwag through the log it says "EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 0xC0000005 is the code for a STATUS_ACCESS_VIOLATION which indicates a memory access violation occurred.

From what I see, I would suggest testing the RAM in the computer. However, the analysis mentions win32k.sys, so the source of the error might be a third-party remote control program. If such software is installed, you can remove the service by starting the system by using the Recovery Console and then deleting the offending system service file.
- Reply
- Quote
Monday, February 11, 2013 11:23 AM

1
Again its a know issue you will have to install the patch check this Kb article and the blog

http://support.microsoft.com/kb/2567053?wa=wsignin1.0

Here is the Blog which mentions

http://blogs.technet.com/b/dip/archive/2011/11/30/3442492.aspx
http://www.arabitpro.com
- Marked As Answer by meridianasm Tuesday, February 12, 2013 6:33 PM
- Reply
- Quote
Tuesday, February 12, 2013 6:37 PM

0

After all updates, problem disappear. Thank you.
- Reply
- Quote
Tuesday, February 12, 2013 6:39 PM

0

Thank you very much for exception code encoding.
- Reply
- Quote

Windows server 2003 Enterprise SP2 reboots 0x0000008e (0xc0000005, 0xbf8a28d8, 0xb7b3cb1c, 0x00000000)

All Replies

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support by product

Other support links

Not an IT pro?