Minidump for an Event ID 6008

    Question

  • Our Windows 2003 server has begun experiencing intermittent crashes, maybe once a day, and when it reboots we see the message: Event ID 6008 - The previous system shutdown at <time> on <date> was unexpected.

    I captured a minidump below but am unfamiliar with how to interpret this. For example it refers to file keymmdrv.sys but I can't even locate that on this system.

    Also, this problem began after our data drive (raid array) crashed and was rebuilt. The OS partition never changed.

    Thanks for any insight!

    Bill

    Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [C:\WINDOWS\Minidump\Mini010113-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*c:\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
    Product: Server, suite: TerminalServer SingleUserTS
    Built by: 3790.srv03_sp2_gdr.120821-0338
    Machine Name:
    Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
    Debug session time: Tue Jan  1 20:12:36.546 2013 (UTC - 5:00)
    System Uptime: 0 days 4:16:03.177
    Loading Kernel Symbols
    ...............................................................
    .............................................
    Loading User Symbols
    Loading unloaded module list
    ....
    Unable to load image keymmdrv.sys, Win32 error 0n2
    *** WARNING: Unable to verify timestamp for keymmdrv.sys
    *** ERROR: Module load completed but symbols could not be loaded for keymmdrv.sys
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, b5bd5017, b5bc2bdc, 0}

    Probably caused by : keymmdrv.sys ( keymmdrv+2017 )

    Followup: MachineOwner
    ---------

    2: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: b5bd5017, The address that the exception occurred at
    Arg3: b5bc2bdc, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

    FAULTING_IP: 
    keymmdrv+2017
    b5bd5017 895004          mov     dword ptr [eax+4],edx

    TRAP_FRAME:  b5bc2bdc -- (.trap 0xffffffffb5bc2bdc)
    ErrCode = 00000002
    eax=00000000 ebx=00000000 ecx=f9a18dcc edx=00000000 esi=f9a18dcc edi=f9a18c60
    eip=b5bd5017 esp=b5bc2c50 ebp=b5bc2c50 iopl=0         nv up ei pl zr na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
    keymmdrv+0x2017:
    b5bd5017 895004          mov     dword ptr [eax+4],edx ds:0023:00000004=????????
    Resetting default scope

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

    BUGCHECK_STR:  0x8E

    PROCESS_NAME:  tail.exe

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from b5bd5081 to b5bd5017

    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    b5bc2c50 b5bd5081 f9a18dcc 00000001 00000012 keymmdrv+0x2017
    b5bc2c70 8081dfb5 8979b718 f9a18c60 8a2daee0 keymmdrv+0x2081
    b5bc2c84 f724fc45 8a2daee0 00000000 8087ede7 nt!IofCallDriver+0x45
    b5bc2cac 8081dfb5 89804e68 f9a18c60 f9a18c60 fltmgr!FltpDispatch+0x6f
    b5bc2cc0 808f0a49 b5bc2d64 0240fcc0 808f058e nt!IofCallDriver+0x45
    b5bc2d48 8088983c 000007c8 0240fccc 0240fd20 nt!NtQueryInformationFile+0x4bb
    b5bc2d48 7c82845c 000007c8 0240fccc 0240fd20 nt!KiFastCallEntry+0xfc
    0240fd8c 00000000 00000000 00000000 00000000 0x7c82845c


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    keymmdrv+2017
    b5bd5017 895004          mov     dword ptr [eax+4],edx

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  keymmdrv+2017

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: keymmdrv

    IMAGE_NAME:  keymmdrv.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4d01e627

    FAILURE_BUCKET_ID:  0x8E_keymmdrv+2017

    BUCKET_ID:  0x8E_keymmdrv+2017

    Followup: MachineOwner
    ---------

    Wednesday, January 02, 2013 9:16 PM
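
Added example (not part of the original thread): a short Python script that reads the triage-relevant fields out of the `!analyze -v` text pasted above. It decodes the x86 page-fault error code, computes the address the faulting instruction wrote to, and converts the image timestamp to a UTC link date; `summarize` and `decode_pf_error` are names made up for this example.

```python
import re
from datetime import datetime, timezone

# Lines copied from the !analyze -v output in the post above.
ANALYZE_TEXT = """\
ErrCode = 00000002
eax=00000000 ebx=00000000 ecx=f9a18dcc edx=00000000 esi=f9a18dcc edi=f9a18c60
b5bd5017 895004          mov     dword ptr [eax+4],edx
PROCESS_NAME:  tail.exe
IMAGE_NAME:  keymmdrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4d01e627
"""

def decode_pf_error(code):
    """Decode the low bits of an x86 page-fault error code."""
    return {
        "page_present": bool(code & 1),             # bit 0: 0 = page not present
        "access": "write" if code & 2 else "read",  # bit 1: 1 = write access
        "mode": "user" if code & 4 else "kernel",   # bit 2: 0 = kernel-mode access
    }

def summarize(text):
    """Pull the facts needed for a first triage out of !analyze -v text."""
    def field(name):
        m = re.search(rf"^{name}:?\s*=?\s*(\S+)", text, re.M)
        return m.group(1) if m else None

    regs = {r: int(v, 16)
            for r, v in re.findall(r"\b(e[a-d]x|e[sd]i)=([0-9a-f]{8})", text)}
    # Memory operand of the faulting instruction, e.g. [eax+4] (hex displacement).
    base, disp = re.search(r"\[(e\w\w)\+([0-9a-f]+)\]", text).groups()
    address = (regs[base] + int(disp, 16)) & 0xFFFFFFFF
    # The image timestamp is the PE header TimeDateStamp: seconds since 1970 UTC.
    linked = datetime.fromtimestamp(
        int(field("DEBUG_FLR_IMAGE_TIMESTAMP"), 16), tz=timezone.utc)
    return {
        "image": field("IMAGE_NAME"),
        "process": field("PROCESS_NAME"),
        "fault": decode_pf_error(int(field("ErrCode"), 16)),
        "address": address,
        "null_deref": regs[base] == 0 and address < 0x1000,
        "link_date": linked.isoformat(),
    }

if __name__ == "__main__":
    for key, value in summarize(ANALYZE_TEXT).items():
        print(f"{key:10} {value}")
```

For this dump the result is a kernel-mode write to address 0x4 through a zero `eax`, inside keymmdrv.sys, while tail.exe was querying file information. The link date is only as trustworthy as whoever built the image, since the PE timestamp can be set to any value.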

Answers

All replies

  • Can you do !lmi keymmdrv.sys

    Who owns that driver? If it's not critical to system you may want to temp disable it. If you end up engaging support please make sure you change crash option to kernel dump.


    Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog

    Wednesday, January 02, 2013 9:28 PM
  • Sorry, what is this command? ---> !lmi keymmdrv.sys
    Wednesday, January 02, 2013 9:56 PM
  • Yes.  Basically trying to determine who the owner of this driver is...  Also could check version information of file manually.

    Dave Guenthner [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. http://blogs.technet.com/b/davguents_blog

    Wednesday, January 02, 2013 10:07 PM
  • Thanks for your help on this. The strange thing is that I cannot locate that file on this machine. If I do a search, including hidden and system folders, it does not show up.

    Thursday, January 03, 2013 3:32 AM
  • No idea what keymmdrv.sys is for. A quick search on the internet returns nothing. Consider updating your antivirus and running a full scan as this file is probably unwanted.


    To analyze the dump file, please contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request.
     
     
    To obtain the phone numbers for specific technology request please take a look at the web site listed below:
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607

     

    Thursday, January 03, 2013 6:32 AM
    Moderator
  • It's clear from the log that you have customized or third-party software running on your server with the process tail.exe, which is actually creating the problem.

    this is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.


    http://www.arabitpro.com


    Thursday, January 03, 2013 6:58 AM
  • Hello Bill. I stumbled upon that thread and I can assure you that you have a VERY SERIOUS security issue running here. Could you contact me privately at the following address: white.wolf[(at)]hotmail.fr ? We need to talk. Thank you.
    Monday, February 18, 2013 3:36 PM