none
ntkrnlmp.exe causing the BSOD

    Question

  • Hi Team, 

    ntkrnlmp.exe causing the BSOD. may i know if someone can help me to find the root cause which driver is causing the issue.

    Following is the primary analysis from my side. but unable to find the exact root cause. Kindly help me on this. OS is windows 2012 R2.

    Windows 8 Kernel Version 9600 MP (2 procs) Free x64
    Product: Server, suite: TerminalServer DataCenter SingleUserTS
    Built by: 9600.18969.amd64fre.winblue_ltsb.180309-0600
    Machine Name:
    Kernel base = 0xfffff803`9a80a000 PsLoadedModuleList = 0xfffff803`9aad6570
    Debug session time: Mon May 14 06:51:05.163 2018 (UTC - 4:00)
    System Uptime: 3 days 0:44:48.504
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    WINLOGON_FATAL_ERROR (c000021a)
    The Winlogon process terminated unexpectedly.
    Arguments:
    Arg1: ffffc000726b9e10, String that identifies the problem.
    Arg2: 0000000000000000, Error Code.
    Arg3: 0000000000000000
    Arg4: 0000000000000000
    
    Debugging Details:
    ------------------
    
    ----- ETW minidump data unavailable-----TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2
    
    BUGCHECK_STR:  0xc000021a_0
    
    ERROR_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc000021a - {Fatal System Error}  The %hs system process terminated unexpectedly with a status of 0x%08x (0x%08x 0x%08x).  The system has been shut down.
    
    EXCEPTION_PARAMETER1:  ffffc000726b9e10
    
    EXCEPTION_PARAMETER2:  0000000000000000
    
    EXCEPTION_PARAMETER3:  0000000000000000
    
    EXCEPTION_PARAMETER4: 0
    
    ADDITIONAL_DEBUG_TEXT:  Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT_SERVER
    
    PROCESS_NAME:  services.exe
    
    CURRENT_IRQL:  0
    
    LAST_CONTROL_TRANSFER:  from fffff8039ab890c9 to fffff8039a95f2a0
    
    STACK_TEXT:  
    ffffd000`232d06b8 fffff803`9ab890c9 : 00000000`0000004c 00000000`c000021a ffffd000`269393f8 ffffe000`d1b91530 : nt!KeBugCheckEx
    ffffd000`232d06c0 fffff803`9ab80d0a : 00000000`00000000 ffffd000`232d07d9 00000000`00000000 00000000`00000002 : nt!PopGracefulShutdown+0x2c9
    ffffd000`232d0700 fffff803`9a971513 : ffffe000`d5a23040 fffff803`9a947000 00000000`c0000004 fffff803`9a8a2400 : nt! ?? ::OKHAJAOM::`string'+0x111a
    ffffd000`232d0840 fffff803`9a963240 : fffff803`9ad8c61b 00000000`00000001 ffffd000`232d0a58 00000000`c0000004 : nt!KiSystemServiceCopyEnd+0x13
    ffffd000`232d09d8 fffff803`9ad8c61b : 00000000`00000001 ffffd000`232d0a58 00000000`c0000004 fffff803`9a983ffc : nt!KiServiceLinkage
    ffffd000`232d09e0 fffff803`9acccbe7 : 00000000`00000000 00000000`00000000 fffff803`9aaf2180 ffffe000`d5a23180 : nt! ?? ::NNGAKEGL::`string'+0x6571b
    ffffd000`232d0aa0 fffff803`9a8bd986 : fffff803`9a8bd8cc 00000000`00000000 00000000`00000002 00000000`00000000 : nt!PopPolicyWorkerAction+0x63
    ffffd000`232d0b10 fffff803`9a87128f : fffff803`00000002 ffffe000`d5a23040 fffff803`9aabd080 00000000`00000000 : nt!PopPolicyWorkerThread+0xba
    ffffd000`232d0b50 fffff803`9a8ffa34 : ffffe000`d8a74d80 fffff803`9aaf2180 00000000`00000080 ffffe000`cf21e900 : nt!ExpWorkerThread+0x69f
    ffffd000`232d0c00 fffff803`9a9675d6 : fffff803`9aaf2180 ffffe000`d5a23040 ffffe000`dd7d1040 00000000`00000000 : nt!PspSystemThreadStartup+0x178
    ffffd000`232d0c60 00000000`00000000 : ffffd000`232d1000 ffffd000`232cb000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    nt! ?? ::OKHAJAOM::`string'+111a
    fffff803`9ab80d0a cc              int     3
    
    SYMBOL_STACK_INDEX:  2
    
    SYMBOL_NAME:  nt! ?? ::OKHAJAOM::`string'+111a
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5aa29c76
    
    FAILURE_BUCKET_ID:  X64_0xc000021a_0_nt!_??_::OKHAJAOM::_string_+111a
    
    BUCKET_ID:  X64_0xc000021a_0_nt!_??_::OKHAJAOM::_string_+111a
    
    Followup: MachineOwner

    Monday, May 14, 2018 2:43 PM

All replies

  • Hi,

    Detail dump file analyzing is beyond the support scope on this forum. However, if possible, please upload full dump file to OneDrive(https://onedrive.live.com/), share it and provide me the access link, I will try my best to find useful information.

    Besides, please try to re-start system in Clean Boot and Safe Mode separately, do not manually start any 3rd party process and wait for a period of time. If problem happens in Clean Boot while it does not happen in Safe Mode, then, we may try to narrow down the problem during drivers.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 15, 2018 6:22 AM
    Moderator
  • Hi,

    How things are going there on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 17, 2018 1:43 AM
    Moderator
  • Hi Eve Wang,

    Thank you very much For prompt response. I am uploading Full dump file to one drive and will provide you the link at the earliest.

    In the mean while we have done the clean boot of the System, we haven't observed any other reboots apart from previous reboot.

    Regards,

    Gurucharan G

    Thursday, May 17, 2018 10:33 AM
  • Hi Eve Wang,

    I have uploaded Full and Mini dump file to one drive. Following is the link is to access the dump file also i have shared the link to your email id. 

    https : //1drv.ms/f/s!AlgCc2YFp1lMbbL14ZI_KE_fcKI

    Waiting for your update.

    Regards,
    Gurucharan G
    Thursday, May 17, 2018 11:48 AM
  • Hi,

    I had downloaded your sharing, and you can delete it if necessary.

    Please try Clean Boot and Safe Mode separately. Try to re-start system in Clean Boot, this model will disable 3rd party software and process, then, enter system if possible and wait for a period of time to confirm that if problem will happen.

    Perform a clean startup to determine whether background programs are interfering with your game or program:
    https://support.microsoft.com/en-us/help/331796/perform-a-clean-startup-to-determine-whether-background-programs-are-i

    If problem does not happen, we can try to narrow down problem during 3rd party process/program. If problem happens again, try to re-start system in Safe Mode, this model will only enable mini service and process for system booting, wait for a period of time and if problem does not happen, try to narrow down problem during drivers. If problem still happens, it is recommended to have a full hardware scanning then.

    Start your PC in safe mode in Windows 10(also applied to Windows Server):
    https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode

    >BugCheck C000021A, Probably caused by : ntoskrnl.exe ( nt+1552a0 )
    >Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
    Open CMD and type “sfc /scannow” to check/repair system files. 

    Besides, is there any change before problem happens? Such as system restoration, update/software installation?

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 18, 2018 5:31 AM
    Moderator
  • Thanks for the update Eve Wang,

    I will try with the possible steps you suggested. Please let me know is the dump file given any clue on any faulty drivers or software. Till now problem is not reoccurred.

    Regards,

    Gurucharan.

    Monday, May 21, 2018 10:21 AM
  • Hi,

    Detail dump file analyzing (such as find out specific driver which cause BSOD problem based on dump file) is beyond the support scope.  


    If possible, you may contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.

    Global Customer Service phone numbers:
    https://support.microsoft.com/en-us/help/13948/global-customer-service-phone-numbers

    Thank you for your understanding.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 22, 2018 1:59 AM
    Moderator
  • Hi,

    How things are going there on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 24, 2018 1:44 AM
    Moderator
  • Hi,

    Is there any update?

    Please click “Mark as answer” if any of above reply is helpful. It would make this reply to the top and easier to be found for other people who has the similar problem.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 28, 2018 1:30 AM
    Moderator