Sysmon v9.0 BSOD on multiple servers

    Question

  • Sysmon 9.0 caused a BSOD on many servers.

    Older versions of sysmon worked fine.

    ---------
    Microsoft (R) Windows Debugger Version 10.0.14321.1024 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    Loading Dump File [C:\Users\xxx\Desktop\MEMORY.DMP]
    Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
    Symbol search path is: srv*
    Executable search path is: 
    Windows 10 Kernel Version 14393 MP (20 procs) Free x64
    Product: Server, suite: TerminalServer SingleUserTS
    Built by: 14393.2999.amd64fre.rs1_release_inmarket.190520-1518
    Machine Name:
    Kernel base = 0xfffff800`d6407000 PsLoadedModuleList = 0xfffff800`d670a040
    Debug session time: Sun May 26 10:08:43.725 2019 (UTC + 3:00)
    System Uptime: 1 days 21:58:18.664
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .............................................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 0000009f`7456e018).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    ......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    Use !analyze -v to get detailed debugging information.
    BugCheck 3B, {c0000005, fffff80e1ce08098, ffffdf012bcce6f0, 0}
    Page ffff00000 too large to be in the dump file.
    Page ffff00000 too large to be in the dump file.
    Page 4c6794b39 too large to be in the dump file.
    Page 4c6794b39 too large to be in the dump file.
    *** ERROR: Module load completed but symbols could not be loaded for SysmonDrv.sys
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Probably caused by : SysmonDrv.sys ( SysmonDrv+8098 )
    Followup:     MachineOwner
    ---------
    16: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff80e1ce08098, Address of the instruction which caused the bugcheck
    Arg3: ffffdf012bcce6f0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    Debugging Details:
    ------------------
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    Page 200 not present in the dump file. Type ".hh dbgerr004" for details
    DUMP_CLASS: 1
    DUMP_QUALIFIER: 401
    BUILD_VERSION_STRING:  14393.2999.amd64fre.rs1_release_inmarket.190520-1518
    SYSTEM_MANUFACTURER:  FUJITSU
    SYSTEM_PRODUCT_NAME:  PRIMERGY RX2530 M2
    SYSTEM_SKU:  ABN:xxx
    SYSTEM_VERSION:  GS01
    BIOS_VENDOR:  FUJITSU // American Megatrends Inc.
    BIOS_VERSION:  V5.0.0.11 R1.22.0 for D3279-B1x                   
    BIOS_DATE:  01/30/2019
    BASEBOARD_MANUFACTURER:  FUJITSU
    BASEBOARD_PRODUCT:  xxx
    BASEBOARD_VERSION:  xxx
    DUMP_TYPE:  1
    BUGCHECK_P1: c0000005
    BUGCHECK_P2: fffff80e1ce08098
    BUGCHECK_P3: ffffdf012bcce6f0
    BUGCHECK_P4: 0
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    FAULTING_IP: 
    SysmonDrv+8098
    fffff80e`1ce08098 488b4840        mov     rcx,qword ptr [rax+40h]
    CONTEXT:  ffffdf012bcce6f0 -- (.cxr 0xffffdf012bcce6f0)
    rax=0000000000000000 rbx=ffffdf012bccf250 rcx=ffffa3883400c360
    rdx=0000000000000000 rsi=ffffa3883400c360 rdi=ffff8c8612b92b58
    rip=fffff80e1ce08098 rsp=ffffdf012bccf0e0 rbp=0000000000000472
     r8=ffff9487ba807010  r9=fffff800d6407000 r10=ffffdf0119cc6900
    r11=ffff9487ba5d2010 r12=0000000000000000 r13=ffff8c85fee68ee0
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    SysmonDrv+0x8098:
    fffff80e`1ce08098 488b4840        mov     rcx,qword ptr [rax+40h] ds:002b:00000000`00000040=????????????????
    Resetting default scope
    CPU_COUNT: 14
    CPU_MHZ: 95a
    CPU_VENDOR:  GenuineIntel
    CPU_FAMILY: 6
    CPU_MODEL: 4f
    CPU_STEPPING: 1
    CPU_MICROCODE: 6,4f,1,0 (F,M,S,R)  SIG: B000033'00000000 (cache) B000033'00000000 (init)
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    BUGCHECK_STR:  0x3B
    PROCESS_NAME:  Microsoft.Exchange.Store.Worker.exe
    CURRENT_IRQL:  0
    ANALYSIS_SESSION_HOST:  xxx
    ANALYSIS_SESSION_TIME:  05-27-2019 10:51:06.0639
    ANALYSIS_VERSION: 10.0.14321.1024 amd64fre
    LAST_CONTROL_TRANSFER:  from fffff80e1ce02d5d to fffff80e1ce08098
    STACK_TEXT:  
    ffffdf01`2bccf0e0 fffff80e`1ce02d5d : ffffdf01`2bccf250 ffffdf01`2bccf199 ffffdf01`2bccf199 00000000`00000005 : SysmonDrv+0x8098
    ffffdf01`2bccf110 fffff80e`1ba03d15 : ffff8c86`12b92b58 ffff8c86`12b92c78 ffff8c86`12b92a80 00000000`00000000 : SysmonDrv+0x2d5d
    ffffdf01`2bccf200 fffff80e`1ba03756 : ffff8c86`12b92a00 ffff8c86`0ef52120 ffff8c86`00000000 00000000`00000000 : FLTMGR!FltpPerformPostCallbacks+0x2a5
    ffffdf01`2bccf2d0 fffff80e`1ba05299 : ffff8c86`12b92a98 ffff8c86`12b92a80 ffff8c86`0ef52120 ffff8c86`0ef52430 : FLTMGR!FltpPassThroughCompletionWorker+0x76
    ffffdf01`2bccf310 fffff80e`1ba34065 : fffff80e`1ba24060 fffff800`d6935c43 ffffa388`00000000 ffffdf01`2bccf6c0 : FLTMGR!FltpLegacyProcessingAfterPreCallbacksCompleted+0x239
    ffffdf01`2bccf3a0 fffff800`d689a8ff : 00000000`00000000 00000000`00000005 ffff8c85`00000000 00000000`00000000 : FLTMGR!FltpCreate+0x2f5
    ffffdf01`2bccf450 fffff800`d68ae0ff : fffff800`d6899270 fffff800`d6899270 ffffdf01`2bccf740 ffff9487`b6b02360 : nt!IopParseDevice+0x168f
    ffffdf01`2bccf640 fffff800`d68e28dd : ffff8c85`ecbc8001 ffffdf01`2bccf8a0 ffffdf01`00000040 ffff8c85`e7f9ab00 : nt!ObpLookupObjectName+0x8af
    ffffdf01`2bccf810 fffff800`d6902af0 : 00000000`00000001 00000000`00000000 000000a8`1a0bcff8 000000a8`1a0bd058 : nt!ObOpenObjectByNameEx+0x1dd
    ffffdf01`2bccf950 fffff800`d6902279 : ffff9487`c61f3080 ffffdf01`0013019f 000000a8`1a0bd058 000000a8`1a0bcf88 : nt!IopCreateFile+0x860
    ffffdf01`2bccfa00 fffff800`d6573703 : 00000000`00000000 ffff9487`bc9cbed0 ffffdf01`2bccfb00 000000a8`1a0bf278 : nt!NtCreateFile+0x79
    ffffdf01`2bccfa90 00007ffb`6fd965b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
    000000a8`1a0bcf68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007ffb`6fd965b4
    
    THREAD_SHA1_HASH_MOD_FUNC:  c5ad241c55b8ce6f138951dcf8b63395ea14a626
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  8213062dd1a9bc0ee7baf0dac22487aec085ce03
    THREAD_SHA1_HASH_MOD:  8946911ce46a92a2ce7d7141726eb460f09850c8
    FOLLOWUP_IP: 
    SysmonDrv+8098
    fffff80e`1ce08098 488b4840        mov     rcx,qword ptr [rax+40h]
    FAULT_INSTR_CODE:  40488b48
    SYMBOL_STACK_INDEX:  0
    SYMBOL_NAME:  SysmonDrv+8098
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: SysmonDrv
    IMAGE_NAME:  SysmonDrv.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  5b3c4fda
    STACK_COMMAND:  .cxr 0xffffdf012bcce6f0 ; kb
    BUCKET_ID_FUNC_OFFSET:  8098
    FAILURE_BUCKET_ID:  0x3B_SysmonDrv!unknown_function
    BUCKET_ID:  0x3B_SysmonDrv!unknown_function
    PRIMARY_PROBLEM_CLASS:  0x3B_SysmonDrv!unknown_function
    TARGET_TIME:  2019-05-26T07:08:43.000Z
    OSBUILD:  14393
    OSSERVICEPACK:  0
    SERVICEPACK_NUMBER: 0
    OS_REVISION: 0
    SUITE_MASK:  272
    PRODUCT_TYPE:  3
    OSPLATFORM_TYPE:  x64
    OSNAME:  Windows 10
    OSEDITION:  Windows 10 Server TerminalServer SingleUserTS
    OS_LOCALE:  
    USER_LCID:  0
    OSBUILD_TIMESTAMP:  2019-05-21 06:13:42
    BUILDDATESTAMP_STR:  190520-1518
    BUILDLAB_STR:  rs1_release_inmarket
    BUILDOSVER_STR:  10.0.14393.2999.amd64fre.rs1_release_inmarket.190520-1518
    ANALYSIS_SESSION_ELAPSED_TIME: 13cf
    ANALYSIS_SOURCE:  KM
    FAILURE_ID_HASH_STRING:  km:0x3b_sysmondrv!unknown_function
    FAILURE_ID_HASH:  {842c90c8-79e5-bb47-7364-628a086c856b}
    Followup:     MachineOwner
    ---------
    Tuesday, May 28, 2019 9:21 AM
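Added example, not code from the poster or from Sysinternals: a small Python triage helper for `!analyze -v` output of the kind quoted above. It pulls the faulting module, process and instruction out of the text, resolves the `[rax+40h]` memory operand against the register dump, and flags the resulting access at address 0x40 as a NULL-pointer dereference (rax was 0). The sample text is a constructed, abbreviated excerpt of the post's dump; field and register names are those WinDbg prints.

```python
import re

# Constructed sample: an abbreviated excerpt modelled on the !analyze -v
# output in the post above (values copied from it, other lines dropped).
SAMPLE = """\
FAULTING_IP: 
SysmonDrv+8098
fffff80e`1ce08098 488b4840        mov     rcx,qword ptr [rax+40h]
rax=0000000000000000 rbx=ffffdf012bccf250 rcx=ffffa3883400c360
rdx=0000000000000000 rsi=ffffa3883400c360 rdi=ffff8c8612b92b58
PROCESS_NAME:  Microsoft.Exchange.Store.Worker.exe
IMAGE_NAME:  SysmonDrv.sys
FAILURE_BUCKET_ID:  0x3B_SysmonDrv!unknown_function
"""

FIELD_RE = re.compile(r"^([A-Z0-9_]+):\s*(.*)$", re.M)           # KEY:  value
REG_RE = re.compile(r"\b(r[a-z0-9]+)=([0-9a-f]{16})\b")            # rax=0000...
MEM_RE = re.compile(r"\[(r[a-z0-9]+)(?:([+-])([0-9a-f]+)h?)?\]")  # [rax+40h]
# disassembly text on the line after the FAULTING_IP symbol line
FAULT_RE = re.compile(r"FAULTING_IP:[ \t]*\n.*\n[0-9a-f`]+\s+[0-9a-f]+\s+(.*)$", re.M)

def parse_fields(text):
    return {k: v.strip() for k, v in FIELD_RE.findall(text)}

def parse_registers(text):
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}

def faulting_instruction(text):
    m = FAULT_RE.search(text)
    return m.group(1).strip() if m else None

def effective_address(instr, regs):
    # resolve the [base+disp] memory operand against the register dump
    m = MEM_RE.search(instr or "")
    if not m or m.group(1) not in regs:
        return None
    base, sign, disp = m.groups()
    off = int(disp, 16) if disp else 0
    return regs[base] - off if sign == "-" else regs[base] + off

def triage(text):
    fields, regs = parse_fields(text), parse_registers(text)
    instr = faulting_instruction(text)
    ea = effective_address(instr, regs)
    return {
        "bucket": fields.get("FAILURE_BUCKET_ID"),
        "module": fields.get("IMAGE_NAME"),
        "process": fields.get("PROCESS_NAME"),
        "instruction": instr,
        "effective_address": ea,
        # a read inside the first page: NULL structure pointer plus a small field offset
        "null_deref": ea is not None and ea < 0x1000,
    }
```

Run over the full dump text of each crashed server, the `bucket`/`module` fields let you confirm that every BSOD lands in the same SysmonDrv bucket before deciding on a fleet-wide rollback.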

All replies

  • Hi Sherif

    Could you contact me offline at syssite@microsoft.com so that I can help you with this.

    MarkC(MSFT)

    Wednesday, June 12, 2019 10:03 AM