When a non-administrator logs in to the domain, intermittent BSOD issue.

  • Question

  • Hi,

    This issue is reported by a corporate customer where we have supplied 160 Acer desktops.

    Operating system is Windows 8.1 64-bit.

    1. Whenever a domain user logs in to the computer, the BSOD error appears randomly.
    2. If we log in to the local machine using the domain administrator or the local user/administrator, the BSOD issue is not replicated on the client computer where Windows 8.1 Professional is installed.

    McAfee is installed and I can see in the forum that it can be due to McAfee also; please check the attached dumps and help with expert advice to resolve the issue.

    Dump files are uploaded to the link below:

    http://1drv.ms/1KUXm4y

    Regards,

    Lakshmikanth

    Wednesday, June 10, 2015 11:33 AM

All replies

  • McAfee is killing ksecdd.sys (Kernel Security Support Provider Interface). It is the cause.

    Microsoft (R) Windows Debugger Version 10.0.10075.9 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    
    
    Loading Dump File [C:\Users\zigza\Desktop\dumps\052715-10421-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    
    
    ************* Symbol Path validation summary **************
    Response                         Time (ms)     Location
    Deferred                                       SRV*D:\Symbols*http://msdl.microsoft.com/download/symbols
    Symbol search path is: SRV*D:\Symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is: 
    Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 9600.16384.amd64fre.winblue_rtm.130821-1623
    Machine Name:
    Kernel base = 0xfffff802`b801d000 PsLoadedModuleList = 0xfffff802`b82e49b0
    Debug session time: Tue May 26 23:44:29.945 2015 (UTC - 4:00)
    System Uptime: 0 days 0:01:21.616
    Loading Kernel Symbols
    ...............................................................
    ................................................................
    .......................
    Loading User Symbols
    Loading unloaded module list
    ........
    No .natvis files found at C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\Visualizers.
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 27, {baad0073, ffffd0002457bac8, ffffd0002457b2d0, fffff80000c1f05d}
    
    *** WARNING: Unable to verify timestamp for mfehidk.sys
    *** ERROR: Module load completed but symbols could not be loaded for mfehidk.sys
    Probably caused by : ksecdd.sys ( ksecdd!SspiHelperEqualPackedCredentials+d )
    
    Followup:     MachineOwner
    ---------
    
    3: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    RDR_FILE_SYSTEM (27)
        If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
        exception record and context record. Do a .cxr on the 3rd parameter and then kb to
        obtain a more informative stack trace.
        The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
        as follows:
         RDBSS_BUG_CHECK_CACHESUP  = 0xca550000,
         RDBSS_BUG_CHECK_CLEANUP   = 0xc1ee0000,
         RDBSS_BUG_CHECK_CLOSE     = 0xc10e0000,
         RDBSS_BUG_CHECK_NTEXCEPT  = 0xbaad0000,
    Arguments:
    Arg1: 00000000baad0073
    Arg2: ffffd0002457bac8
    Arg3: ffffd0002457b2d0
    Arg4: fffff80000c1f05d
    
    Debugging Details:
    ------------------
    
    
    SYSTEM_SKU:  To be filled by O.E.M.
    
    SYSTEM_VERSION:  1.02
    
    BIOS_DATE:  03/04/2015
    
    BASEBOARD_PRODUCT:  H81-M1
    
    BASEBOARD_VERSION:  1.02
    
    BUGCHECK_P1: baad0073
    
    BUGCHECK_P2: ffffd0002457bac8
    
    BUGCHECK_P3: ffffd0002457b2d0
    
    BUGCHECK_P4: fffff80000c1f05d
    
    EXCEPTION_RECORD:  ffffd0002457bac8 -- (.exr 0xffffd0002457bac8)
    ExceptionAddress: fffff80000c1f05d (ksecdd!SspiHelperEqualPackedCredentials+0x000000000000000d)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000000
       Parameter[1]: 0000000000000000
    Attempt to read from address 0000000000000000
    
    CONTEXT:  ffffd0002457b2d0 -- (.cxr 0xffffd0002457b2d0)
    rax=0000000000000201 rbx=0000000000000000 rcx=0000000000000000
    rdx=ffffc00003bff410 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80000c1f05d rsp=ffffd0002457bd00 rbp=ffffd0002457bd88
     r8=0000000000000000  r9=0000000000000000 r10=0000000000000000
    r11=0000000000000000 r12=ffffc00002fe8b10 r13=ffffd0002457be70
    r14=ffffc00001e34670 r15=0000000000000000
    iopl=0         nv up ei pl zr na po nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    ksecdd!SspiHelperEqualPackedCredentials+0xd:
    fffff800`00c1f05d 3901            cmp     dword ptr [rcx],eax ds:002b:00000000`00000000=????????
    Resetting default scope
    
    CPU_COUNT: 4
    
    CPU_MHZ: cdc
    
    CPU_VENDOR:  GenuineIntel
    
    CPU_FAMILY: 6
    
    CPU_MODEL: 3c
    
    CPU_STEPPING: 3
    
    CUSTOMER_CRASH_COUNT:  1
    
    DEFAULT_BUCKET_ID:  NULL_DEREFERENCE
    
    PROCESS_NAME:  svchost.exe
    
    CURRENT_IRQL:  0
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_PARAMETER1:  0000000000000000
    
    EXCEPTION_PARAMETER2:  0000000000000000
    
    READ_ADDRESS: GetPointerFromAddress: unable to read from fffff802b836d150
    GetUlongPtrFromAddress: unable to read from fffff802b836d3c8
    GetUlongPtrFromAddress: unable to read from fffff802b836d568
     0000000000000000 Nonpaged pool
    
    FOLLOWUP_IP: 
    ksecdd!SspiHelperEqualPackedCredentials+d
    fffff800`00c1f05d 3901            cmp     dword ptr [rcx],eax
    
    FAULTING_IP: 
    ksecdd!SspiHelperEqualPackedCredentials+d
    fffff800`00c1f05d 3901            cmp     dword ptr [rcx],eax
    
    BUGCHECK_STR:  0x27
    
    ANALYSIS_VERSION: 10.0.10075.9 amd64fre
    
    LAST_CONTROL_TRANSFER:  from fffff80000c1caf7 to fffff80000c1f05d
    
    STACK_TEXT:  
    ffffd000`2457bd00 fffff800`00c1caf7 : 00000000`00000000 ffffd000`2457bd70 ffffd000`2457bd60 ffffd000`2457bde0 : ksecdd!SspiHelperEqualPackedCredentials+0xd
    ffffd000`2457bd30 fffff800`01904aab : 00000000`00000000 ffffc000`03bff410 ffffc000`02fe8b10 00000000`00000000 : ksecdd!SspiCompareAuthIdentities+0x22d7
    ffffd000`2457bdd0 fffff800`019023a2 : fffff800`018f4700 00000000`00000001 00000000`00000000 00000000`00000000 : rdbss!RxIsCompatibleSecurityContext+0x10b
    ffffd000`2457be70 fffff800`019126fe : 00000000`63457852 ffffd000`2457c0c8 fffff800`01904ec0 ffffe000`00edf0c8 : rdbss!RxFindOrConstructVirtualNetRoot+0x473
    ffffd000`2457c080 fffff800`0190519c : ffffc000`003d8201 ffffe000`02682b70 ffffe000`03093010 ffffe000`02682b70 : rdbss!RxCreateTreeConnect+0xfe
    ffffd000`2457c100 fffff800`018cfd9e : 01d0982f`6fbf98dc ffffe000`02682a10 ffffe000`02682b70 00000000`00000000 : rdbss!RxCommonCreate+0x2dc
    ffffd000`2457c1b0 fffff800`019007df : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : rdbss!RxFsdCommonDispatch+0x56e
    ffffd000`2457c320 fffff800`02bce1b3 : 00000000`00000000 ffffe000`02682a01 ffffe000`02682a10 fffff800`011c7010 : rdbss!RxFsdDispatch+0xcf
    ffffd000`2457c390 fffff800`011cc682 : ffffe000`0278e220 ffffe000`02682a10 ffffc000`004c1c40 00000000`00000000 : mrxsmb!MRxSmbFsdDispatch+0x83
    ffffd000`2457c3d0 fffff800`011cac07 : ffffc000`004c1c40 ffffe000`00edf000 fffff800`011c7010 ffffe000`03183010 : mup!MupiCallUncProvider+0xc2
    ffffd000`2457c440 fffff800`006d03a4 : 30080000`0450040c ffffe000`00000008 ffffe000`00edf070 ffffe000`03183010 : mup!MupCreate+0x5f8
    ffffd000`2457c4e0 fffff800`00924aa0 : ffffd000`2457c700 ffffd000`2457c7f0 00000000`00000000 fffff800`03002c31 : fltmgr!FltpCreate+0x3a5
    ffffd000`2457c590 ffffd000`2457c700 : ffffd000`2457c7f0 00000000`00000000 fffff800`03002c31 00000000`00000000 : mfehidk+0x75aa0
    ffffd000`2457c598 ffffd000`2457c7f0 : 00000000`00000000 fffff800`03002c31 00000000`00000000 ffffd000`2457c6d0 : 0xffffd000`2457c700
    ffffd000`2457c5a0 00000000`00000000 : fffff800`03002c31 00000000`00000000 ffffd000`2457c6d0 00000000`00060000 : 0xffffd000`2457c7f0
    
    
    SYMBOL_STACK_INDEX:  0
    
    SYMBOL_NAME:  ksecdd!SspiHelperEqualPackedCredentials+d
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: ksecdd
    
    IMAGE_NAME:  ksecdd.sys
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5215f86d
    
    IMAGE_VERSION:  6.3.9600.16384
    
    STACK_COMMAND:  .cxr 0xffffd0002457b2d0 ; kb
    
    BUCKET_ID_FUNC_OFFSET:  d
    
    FAILURE_BUCKET_ID:  0x27_ksecdd!SspiHelperEqualPackedCredentials
    
    BUCKET_ID:  0x27_ksecdd!SspiHelperEqualPackedCredentials
    
    PRIMARY_PROBLEM_CLASS:  0x27_ksecdd!SspiHelperEqualPackedCredentials
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:0x27_ksecdd!sspihelperequalpackedcredentials
    
    FAILURE_ID_HASH:  {020b5662-e3ac-c43e-b2fc-2ad97f2abb2b}
    
    Followup:     MachineOwner
    ---------
    
    


    Wanikiya and Dyami--Team Zigzag

    Wednesday, June 10, 2015 12:02 PM
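
As an added example (not part of the original thread, and not Microsoft tooling): a small Python triage function for `!analyze -v` text like the log above, of the kind useful for bucketing dumps collected from many machines. It decodes the RDBSS class from the high 16 bits of Arg1 using the table printed in the log, and lists the modules on the stack, flagging those whose frames have no symbol name; the name `triage` and the trimmed sample are assumptions of this example.

```python
import re

# RDBSS bugcheck classes exactly as listed in the !analyze -v text above.
RDBSS_CLASSES = {
    0xCA550000: "RDBSS_BUG_CHECK_CACHESUP",
    0xC1EE0000: "RDBSS_BUG_CHECK_CLEANUP",
    0xC10E0000: "RDBSS_BUG_CHECK_CLOSE",
    0xBAAD0000: "RDBSS_BUG_CHECK_NTEXCEPT",
}

# Excerpt of the log above; argument columns of the stack lines are trimmed.
SAMPLE = """\
BugCheck 27, {baad0073, ffffd0002457bac8, ffffd0002457b2d0, fffff80000c1f05d}
Probably caused by : ksecdd.sys ( ksecdd!SspiHelperEqualPackedCredentials+d )
DEFAULT_BUCKET_ID:  NULL_DEREFERENCE
STACK_TEXT:
ffffd000`2457bd00 fffff800`00c1caf7 : 00000000`00000000 : ksecdd!SspiHelperEqualPackedCredentials+0xd
ffffd000`2457bdd0 fffff800`019023a2 : fffff800`018f4700 : rdbss!RxIsCompatibleSecurityContext+0x10b
ffffd000`2457c390 fffff800`011cc682 : ffffe000`0278e220 : mrxsmb!MRxSmbFsdDispatch+0x83
ffffd000`2457c4e0 fffff800`00924aa0 : ffffd000`2457c700 : fltmgr!FltpCreate+0x3a5
ffffd000`2457c590 ffffd000`2457c700 : ffffd000`2457c7f0 : mfehidk+0x75aa0
ffffd000`2457c598 ffffd000`2457c7f0 : 00000000`00000000 : 0xffffd000`2457c700
"""

def triage(text):
    """Summarize one !analyze -v log: bugcheck, RDBSS class, stack modules."""
    m = re.search(r"^BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text, re.M)
    if not m:
        raise ValueError("no BugCheck line found")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).split(",")]
    out = {"bugcheck": code, "rdbss_class": None, "modules": [], "no_symbols": []}
    if code == 0x27:  # RDR_FILE_SYSTEM: high 16 bits of Arg1 select the class
        out["rdbss_class"] = RDBSS_CLASSES.get(args[0] & 0xFFFF0000, "unknown")
    # Frames end in "module!Symbol+0x.." or, when unresolved, "module+0x..".
    frame_re = r": ([A-Za-z_]\w*)(!\S+)?\+0x[0-9a-f]+\s*$"
    for mod, sym in re.findall(frame_re, text, re.M):
        if mod not in out["modules"]:
            out["modules"].append(mod)
        if not sym and mod not in out["no_symbols"]:
            out["no_symbols"].append(mod)
    bucket = re.search(r"^DEFAULT_BUCKET_ID:\s*(\S+)", text, re.M)
    out["bucket"] = bucket.group(1) if bucket else None
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The module lists are candidates for review when comparing dumps, not a verdict on the root cause.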
  • Hi,

    Yesterday we checked and were able to see the issue without McAfee also.

    As per the link below, this issue was caused by a mapped drive group policy.

    We changed the group policy by creating a new group and user and found it working fine.

    The server OS here is Windows 2008 SP1. Is there any patch for the server or Win8.1 to resolve this issue?

    https://social.technet.microsoft.com/Forums/windows/en-US/5aa69f15-d93b-4b47-9fc3-a181450395c9/rdrfilesystem-ksecddsys-error-bsod?forum=w8itprogeneral

    Regards,

    Lakshmikanth

    Friday, June 12, 2015 3:57 AM
  • Hi,

    How did you configure the drive map policy settings? You may create another test GPO with one mapped drive by following the link below:

    Using Group Policy Preferences to Map Drives Based on Group Membership

    http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx

    Regards,

    Yan Li


    Friday, June 12, 2015 7:36 AM
  • The server OS here is Windows 2008 SP1. Is there any patch for the server or Win8.1 to resolve this issue?


    I'd start installing SP2

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no warranties and confers no rights.

    Friday, June 12, 2015 7:41 AM
  • Hi,

    Configuration has been done by the server administrator and we are not allowed to make any changes due to security reasons.

    The issue is not observed in Windows 7 clients but only with Windows 8.1 clients. Is there any compatibility issue or any hotfix from MS?

    Regards,

    Lakshmikanth

    Friday, June 12, 2015 8:44 AM
  • This server is in production and the user does not want to update to SP2; instead they are ready to implement only a hotfix for such an issue.

    Regards,

    Lakshmikanth

    Friday, June 12, 2015 8:45 AM
  • MS would tell you to update to SP2. You are running an unsupported system on the server side, so Windows 8.1 has not been tested with it.

    • Marked as answer by Bruce Wooding Thursday, June 25, 2015 2:19 PM
    Friday, June 12, 2015 8:48 AM
  • Thanks for the reply.

    Can you provide a link where it says Win2008 SP1 is unsupported for Win 8.1, so that I can take it up with the customer?

    Regards,

    Lakshmikanth

    Friday, June 12, 2015 12:38 PM
  • There is no link that specifically states that Win2008 SP1 doesn't support Win 8.1; it's implied that it doesn't because it is no longer supported. MS isn't going to test systems that support has expired on, well.... because support has expired! :D

    SP1 support ends 24 months after the next service pack is released; you can read the server lifecycles here.

    • Edited by Acreed02 Friday, June 12, 2015 12:44 PM
    Friday, June 12, 2015 12:44 PM
  • Every SP is supported for 24 months after the last SP is released.

    Here's an article from 07/2011:

    Last Week Before Vista and Win2008 SP1 Support Ends

    "Windows Vista and Windows Server 2008 Service Pack 1 support ends on July 12"


    • Marked as answer by Bruce Wooding Thursday, June 25, 2015 2:19 PM
    Friday, June 12, 2015 12:44 PM
  • Lol Aperelli, nice timing!
    Friday, June 12, 2015 12:55 PM
  • Are you sure that the issue will be resolved once we update to Windows 2008 SP2?
    Wednesday, June 17, 2015 9:06 AM
  • How could I be sure? I think your customer should understand that updating has to be done; troubleshooting an unsupported system could be time-wasting.

    Wednesday, June 17, 2015 9:17 AM