Win server 2019 - The bugcheck was: 0x0000003b , 0x00000000c0000005 RRS feed

  • Question

  • Hello,

    our server win 2019 Standart 64 bit which is deployed in VMware, crushed few times with those same errors:

    The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000003b (0x00000000c0000005, 0xfffff80408640ac1, 0xffffd48a05115c40, 0x0000000000000000). 
    A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: d921e02c-980b-4754-af0b-1a3c66dad600.

    I google the error and there is always advice: Download C:\WINDOWS\MEMORY.DMP and send this file to Microsoft support. I upload dump file on my one drive account. I want paste here link, but when I submit this question there is a messeage: Body text cannot contain images or links until we are able to verify your account. So let me know when it will be possible. Without analyze this file, Im not sure you can help me. But I also used WinDbg program and I paste here output (bottom). Unfortunatelly Im not skilled in reading of dump files. 

    In other MS forums, solutions for others people with this same error, make no sense for our company enviroment. 

    Please let me know, what cause this error. 

    S pozdravem / Best regards


    Správce systému / System administrator

    WinDbg output:

    Microsoft (R) Windows Debugger Version 10.0.19528.1000 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [D:\maketernDump\MEMORY.DMP]
    Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.

    ************* Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       srv*
    Symbol search path is: srv*
    Executable search path is: 
    Windows 10 Kernel Version 17763 MP (16 procs) Free x64
    Product: Server, suite: TerminalServer <20000>
    Machine Name:
    Kernel base = 0xfffff804`0860c000 PsLoadedModuleList = 0xfffff804`08a256f0
    Debug session time: Tue Apr 14 16:07:37.370 2020 (UTC + 2:00)
    System Uptime: 7 days 1:12:46.022
    Loading Kernel Symbols
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 00000000`00249018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    For analysis of this file, run !analyze -v
    fffff804`087c2a50 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffd48a`05115310=000000000000003b
    10: kd> !analyze -v
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *

    An exception happened while executing a system service routine.
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80408640ac1, Address of the instruction which caused the bugcheck
    Arg3: ffffd48a05115c40, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.

    Debugging Details:


        Key  : Analysis.CPU.Sec
        Value: 4

        Key  : Analysis.DebugAnalysisProvider.CPP
        Value: Create: 8007007e on MIKLICANTB

        Key  : Analysis.DebugData
        Value: CreateObject

        Key  : Analysis.DebugModel
        Value: CreateObject

        Key  : Analysis.Elapsed.Sec
        Value: 6

        Key  : Analysis.Memory.CommitPeak.Mb
        Value: 59

        Key  : Analysis.System
        Value: CreateObject




    BUGCHECK_P1: c0000005

    BUGCHECK_P2: fffff80408640ac1

    BUGCHECK_P3: ffffd48a05115c40

    BUGCHECK_P4: 0

    CONTEXT:  ffffd48a05115c40 -- (.cxr 0xffffd48a05115c40)
    rax=ffffffffffffffff rbx=fffff80407423244 rcx=ffff8a09d68f5378
    rdx=fffffffffffffffe rsi=0000000000001589 rdi=0000000000000000
    rip=fffff80408640ac1 rsp=ffffd48a05116630 rbp=ffffd48a05117480
     r8=0000000000000000  r9=0000000000000004 r10=0000000000000004
    r11=fffff80408c032f0 r12=ffffd48a05117480 r13=ffffd48a05116e00
    r14=ffffd48a05116da0 r15=fffff80407420000
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    fffff804`08640ac1 f0490fc100      lock xadd qword ptr [r8],rax ds:002b:00000000`00000000=????????????????
    Resetting default scope

    BLACKBOXBSD: 1 (!blackboxbsd)

    BLACKBOXPNP: 1 (!blackboxpnp)

    PROCESS_NAME:  procexp64.exe

    ffffd48a`05116630 fffff804`086aad63 : 00000000`00000202 00000000`00000000 ffffd48a`051166b0 00000000`086ac7a9 : nt!ExfReleaseRundownProtection+0x31
    ffffd48a`05116660 fffff804`08c03300 : 00000008`00000001 ffff840d`04b40990 ffffd48a`051167c0 00000000`00000023 : nt!ExReleaseRundownProtection+0x23
    ffffd48a`05116690 fffff804`07421761 : fffff804`07423244 00000000`00001589 fffff804`0860c000 ffff840d`04b40990 : nt!ObDereferenceProcessHandleTable+0x10
    ffffd48a`051166c0 fffff804`0879ce21 : ffff840d`00000003 ffffd48a`05117480 ffffd48a`05112000 ffffd48a`05118000 : PROCEXP111+0x1761
    ffffd48a`05116720 fffff804`087cb5df : ffffd48a`05117480 ffffd48a`05116d00 00000000`00000000 ffffd48a`05116f20 : nt!_C_specific_handler+0x1a1
    ffffd48a`05116790 fffff804`0872eb9f : 00000000`00000000 ffffd48a`05117450 ffffd48a`05116d00 fffff804`07421587 : nt!RtlpExecuteHandlerForUnwind+0xf
    ffffd48a`051167c0 fffff804`08669800 : ffffd48a`05116f20 ffffd48a`05117420 00000000`00000000 00000000`00000000 : nt!RtlUnwindEx+0x4df
    ffffd48a`05116ef0 fffff804`0879de23 : ffff8a09`d26e9b80 ffff8a09`d26e9b80 00000000`00000000 ffff8a09`d5ef2080 : nt!RtlUnwind+0xa0
    ffffd48a`05117450 fffff804`07421587 : ffffd48a`05117480 fffff804`07421589 ffff8a09`d26e9b80 00000000`00000000 : nt!local_unwind+0x23
    ffffd48a`05117480 fffff804`07421bfe : ffff8a09`d26e9b60 00000000`00000fff 00000000`00000000 ffff8a09`d68f5080 : PROCEXP111+0x1587
    ffffd48a`05117560 fffff804`07421fbb : 00000000`00000000 ffff8a09`d5f18170 00000000`0000020c 00000000`00000118 : PROCEXP111+0x1bfe
    ffffd48a`05117750 fffff804`086f9469 : ffff8a09`d2dfbbd0 fffff804`08c5ec84 ffffd48a`05117a50 ffff8467`2220dd01 : PROCEXP111+0x1fbb
    ffffd48a`051177f0 fffff804`08c856d1 : ffffd48a`05117b80 ffff8a09`d2dfbbd0 00000000`00000001 ffff8a09`d5f18170 : nt!IofCallDriver+0x59
    ffffd48a`05117830 fffff804`08c6009c : ffff8a09`00000005 ffff8a09`d5f18170 ffffd48a`20206f49 ffffd48a`05117b80 : nt!IopSynchronousServiceTail+0x1b1
    ffffd48a`051178e0 fffff804`08bf4406 : 00000000`80000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0xe0c
    ffffd48a`05117a20 fffff804`087d3d05 : 00000000`00000b88 fffff804`08bcde96 ffff8a09`cdbaf080 00000000`00000124 : nt!NtDeviceIoControlFile+0x56
    ffffd48a`05117a90 00007fff`dbdbf834 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
    00000000`07b8c908 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`dbdbf834




    STACK_COMMAND:  .cxr 0xffffd48a05115c40 ; kb


    FAILURE_BUCKET_ID:  0x3B_c0000005_PROCEXP111!unknown_function

    OS_VERSION:  10.0.17763.1

    BUILDLAB_STR:  rs5_release


    OSNAME:  Windows 10

    FAILURE_ID_HASH:  {c750a3bc-2340-1bf9-08dd-7cf2379ea933}

    Followup:     MachineOwner

    Thursday, April 16, 2020 7:37 AM

All replies

  • Looks like the bugcheck is caused by the PROCEXP111.sys.

    This is the Process Explorer driver.. to unload it from memory and avoid conflict with Disk2vhd reboot the machine before trying to virtualize the disk, so the Process Explorer driver will not be in memory and should not be able to cause a conflict.. if you have Process Explorer running at logon disable it and reboot. at that point you should be fine..

    In any case, latest Process Explorer driver is procexp152.sys so for sure you are using a very old version of Process Explorer. So first thing first download the latest suite and replace all the utility you are using with up to date versions..


    Thursday, April 16, 2020 9:15 AM
  • Hello,

    looks like you hit the root cause. I showed your reply to my colleagues and they confirmed this could be it.

    Procexpxxx.sys is needed on this server, so we choose option upgrade to procexp152.sys.

    I will wait one week if server will crush again. If everthing will be fine, I will mark as answer.

    Thank you.

    S pozdravem / Best regards


    Správce systému / System administrator


    Friday, April 17, 2020 8:32 AM
  • If you see this again with the latest version could you contact me offline at and I will arrange to collect the dump file from you.


    Monday, April 27, 2020 2:46 PM