none
Windows server 2003 Enterprise SP2 reboots 0x0000008e (0xc0000005, 0xbf8a28d8, 0xb7b3cb1c, 0x00000000)

    Question

  • Hello,

    I have one problem, my server reboots by self one time in a day. And give error on event . On company was other admin, and he goes out of a job. Can be here his hacking?

    Ewent:

    Event Type: Warning
    Event Source: USER32
    Event Category: None
    Event ID: 1076
    Date:  2013.02.11
    Time:  08:48:08
    User:  SERVER\Administrator
    Computer: SERVER
    Description:
    The reason supplied by user SERVER\Administrator for the last unexpected shutdown of this computer is: System Failure: Stop error
    Reason Code: 0x805000f
    Bug ID:
    Bugcheck String: 0x0000008e (0xc0000005, 0xbf8a28d8, 0xb7b3cb1c, 0x00000000)
    Comment: 0x0000008e (0xc0000005, 0xbf8a28d8, 0xb7b3cb1c, 0x00000000)
    For more information, see Help and Support Center at <link remowed my account not werified>.
    Data:
    0000: 0f 00 05 08               ....   
    words: 0000: 0805000f

    Debugger:

    Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Loading Dump File [c:\MEMORY\Mini.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
    Product: Server, suite: Enterprise TerminalServer
    Built by: 3790.srv03_sp2_gdr.090805-1438
    Machine Name:
    Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
    Debug session time: Mon Feb 11 08:35:27.718 2013 (UTC + 2:00)
    System Uptime: 0 days 0:33:14.784
    Loading Kernel Symbols
    ...............................................................
    .......................................................
    Loading User Symbols
    Loading unloaded module list
    ........
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    Use !analyze -v to get detailed debugging information.

    BugCheck 1000008E, {c0000005, bf8a28d8, b7b3cb1c, 0}

    Probably caused by : win32k.sys ( win32k!xxxRedrawWindow+4c )

    Followup: MachineOwner
    ---------

    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
    This is a very common bugcheck.  Usually the exception address pinpoints
    the driver/function that caused the problem.  Always note this address
    as well as the link date of the driver/image that contains this address.
    Some common problems are exception code 0x80000003.  This means a hard
    coded breakpoint or assertion was hit, but this system was booted
    /NODEBUG.  This is not supposed to happen as developers should never have
    hardcoded breakpoints in retail code, but ...
    If this happens, make sure a debugger gets connected, and the
    system is booted /DEBUG.  This will let us see why this breakpoint is
    happening.
    Arguments:
    Arg1: c0000005, The exception code that was not handled
    Arg2: bf8a28d8, The address that the exception occurred at
    Arg3: b7b3cb1c, Trap Frame
    Arg4: 00000000

    Debugging Details:
    ------------------


    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    FAULTING_IP:
    win32k!xxxRedrawWindow+4c
    bf8a28d8 f6461e40        test    byte ptr [esi+1Eh],40h

    TRAP_FRAME:  b7b3cb1c -- (.trap 0xffffffffb7b3cb1c)
    ErrCode = 00000000
    eax=00000001 ebx=00000000 ecx=0000029d edx=00000001 esi=00000000 edi=bc58c8e8
    eip=bf8a28d8 esp=b7b3cb90 ebp=b7b3cba8 iopl=0         nv up ei ng nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
    win32k!xxxRedrawWindow+0x4c:
    bf8a28d8 f6461e40        test    byte ptr [esi+1Eh],40h     ds:0023:0000001e=00
    Resetting default scope

    DEFAULT_BUCKET_ID:  DRIVER_FAULT

    BUGCHECK_STR:  0x8E

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from bf84abdd to bf8a28d8

    STACK_TEXT: 
    b7b3cba8 bf84abdd 00000000 bc58c8e8 00000000 win32k!xxxRedrawWindow+0x4c
    b7b3cc00 bf83c96d 00000000 b7b3cc64 bf8b83c4 win32k!xxxDestroyWindow+0x20f
    b7b3cc0c bf8b83c4 be112ac0 bc49aa38 bc49a9b8 win32k!HMDestroyUnlockedObject+0x1c
    b7b3cc20 bf8b8775 884cd5f0 00000000 00000000 win32k!DestroyThreadsObjects+0x72
    b7b3cc64 bf8b701a 00000001 b7b3cc8c bf8b7e77 win32k!xxxDestroyThreadInfo+0x206
    b7b3cc70 bf8b7e77 884cd5f0 00000001 00000000 win32k!UserThreadCallout+0x4b
    b7b3cc8c 8094c2b0 884cd5f0 00000001 884cd5f0 win32k!W32pThreadCallout+0x3a
    b7b3cd18 8094c643 00000000 00000000 884cd5f0 nt!PspExitThread+0x3b2
    b7b3cd30 8094c995 884cd5f0 00000000 00000001 nt!PspTerminateThreadByPointer+0x4b
    b7b3cd54 808897bc fffffffe 00000000 012dffdc nt!NtTerminateThread+0x71
    b7b3cd54 7c82860c fffffffe 00000000 012dffdc nt!KiFastCallEntry+0xfc
    WARNING: Frame IP not in any known module. Following frames may be wrong.
    012dffdc 00000000 00000000 00000000 00000000 0x7c82860c


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    win32k!xxxRedrawWindow+4c
    bf8a28d8 f6461e40        test    byte ptr [esi+1Eh],40h

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  win32k!xxxRedrawWindow+4c

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: win32k

    IMAGE_NAME:  win32k.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4a8417a6

    FAILURE_BUCKET_ID:  0x8E_win32k!xxxRedrawWindow+4c

    BUCKET_ID:  0x8E_win32k!xxxRedrawWindow+4c

    Followup: MachineOwner
    ---------

     

    Monday, February 11, 2013 8:24 AM

Answers

All replies

  • 0x8e is the code for a KERNEL_MODE_EXCEPTION_NOT_HANDLED bugcheck. This is a very common bug check - nothing to worry so far.

    Halfwag through the log it says "EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. 0xC0000005 is the code for a STATUS_ACCESS_VIOLATION which indicates a memory access violation occurred.

    From what I see, I would suggest testing the RAM in the computer. However, the analysis mentions win32k.sys, so the source of the error might be a third-party remote control program. If such software is installed, you can remove the service by starting the system by using the Recovery Console and then deleting the offending system service file.

    Monday, February 11, 2013 10:01 AM
  • Again its a  know issue  you will have to install the patch check this Kb article and the blog 

    http://support.microsoft.com/kb/2567053?wa=wsignin1.0

    Here is the Blog which mentions 

    http://blogs.technet.com/b/dip/archive/2011/11/30/3442492.aspx


    http://www.arabitpro.com

    • Marked as answer by meridianasm Tuesday, February 12, 2013 6:33 PM
    Monday, February 11, 2013 11:23 AM
  • After all updates, problem disappear. Thank you.
    Tuesday, February 12, 2013 6:37 PM
  • Thank you very much for exception code encoding.
    Tuesday, February 12, 2013 6:39 PM