Windows server 2016 : PAGE_FAULT_IN_NONPAGED_AREA PROCEXP141.SYS failed

  • Question

  • Hello,

    I have a blue screen with stop code PAGE_FAULT_IN_NONPAGED_AREA with PROCEXP141.SYS failed, starting a Windows 2016 server.

    With WinDbg, I have this information.




    STACK_COMMAND:  .thread ; .cxr ; kb


    FAILURE_BUCKET_ID:  AV_R_INVALID_PROCEXP141!unknown_function

    OS_VERSION:  10.0.14393.3930

    BUILDLAB_STR:  rs1_release


    OSNAME:  Windows 10

    FAILURE_ID_HASH:  {0910806e-dcd6-1a7f-65b6-de1b88bbce9c}

    > Could someone tell me how to fix this issue?



    Sunday, September 20, 2020 12:40 PM

All replies

  • It appears that you are running an older version of Process Explorer. I have version 152 on my Win10 machine.

    C:\>dir procexp*.sys /b /a /s
    C:\>dir C:\Windows\System32\drivers\PROCEXP152.SYS
     Volume in drive C is OS
     Volume Serial Number is 9EE0-DE09
     Directory of C:\Windows\System32\drivers
    07/28/2020  12:30 PM            42,904 PROCEXP152.SYS
                   1 File(s)         42,904 bytes
                   0 Dir(s)  123,088,117,760 bytes free

    Download the latest version here.

    Sunday, September 20, 2020 2:31 PM
  • Hello Hervé,

    Process Explorer version 14.1 is probably not compatible with Windows Server 2016.

    Try removing/uninstalling Process Explorer 14.1 and installing a new one as previously suggested.

    Could you please provide a link to the dumps if the problem is reproducible after updating the app?

    Disclaimer:
    My opinion may not coincide with the official position of Microsoft.

    Best regards, Andrei ...


    • Edited by SQx Sunday, September 20, 2020 5:46 PM updated
    Sunday, September 20, 2020 5:35 PM
  • Hello,

    Thank you both for your help.

    On my system, I can find in C:\Windows\System32\drivers PROCEXP141.Sys and PROCEXP152.SYS

    The question is how to uninstall Process Explorer: it isn't listed in Control Panel > Remove or modify program.

    If I change the name, or delete the file PROCEXP141.sys, it reappears.

    The latest version of Process Explorer is an executable that doesn't need installation and doesn't offer an uninstall tool.

    As requested, you can access the dump following this link:

    Thanks a lot for helping


    Friday, September 25, 2020 2:54 PM
  • Hello,

    Dump analysis:

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except.
    Typically the address is just plain bad or it is pointing at freed memory.
    Arguments:
    Arg1: ffffffff9e310010, memory referenced.
    Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
    Arg3: fffff80cdea5102b, If non-zero, the instruction address which referenced the bad memory address.
    Arg4: 0000000000000002, (reserved)

    Debugging Details:
    ------------------

    *** WARNING: Unable to verify timestamp for PROCEXP141.SYS

    Could not read faulting driver name

    KEY_VALUES_STRING: 1
    PROCESSES_ANALYSIS: 1
    SERVICE_ANALYSIS: 1
    STACKHASH_ANALYSIS: 1
    TIMELINE_ANALYSIS: 1
    DUMP_CLASS: 1
    DUMP_QUALIFIER: 400
    BUILD_VERSION_STRING:  14393.3930.amd64fre.rs1_release.200901-1914
    SYSTEM_MANUFACTURER:  QEMU
    SYSTEM_PRODUCT_NAME:  Standard PC (i440FX + PIIX, 1996)
    SYSTEM_VERSION:  pc-i440fx-5.0
    BIOS_VENDOR:  SeaBIOS
    BIOS_VERSION:
    BIOS_DATE:  04/01/2014
    DUMP_TYPE:  2
    BUGCHECK_P1: ffffffff9e310010
    BUGCHECK_P2: 0
    BUGCHECK_P3: fffff80cdea5102b
    BUGCHECK_P4: 2

    READ_ADDRESS: fffff8019e631338: Unable to get MiVisibleState
    Unable to get NonPagedPoolStart
    Unable to get NonPagedPoolEnd
    Unable to get PagedPoolStart
    Unable to get PagedPoolEnd
     ffffffff9e310010

    FAULTING_IP:
    PROCEXP141+102b
    fffff80c`dea5102b 66833807        cmp     word ptr [rax],7

    MM_INTERNAL_CODE:  2
    CPU_COUNT: a
    CPU_MHZ: da5
    CPU_VENDOR:  AuthenticAMD
    CPU_FAMILY: 17
    CPU_MODEL: 1
    CPU_STEPPING: 1
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT_SERVER
    BUGCHECK_STR:  AV
    PROCESS_NAME:  handle64.exe
    CURRENT_IRQL:  0
    ANALYSIS_SESSION_HOST:  SQ-PC
    ANALYSIS_SESSION_TIME:  09-25-2020 17:26:04.0267
    ANALYSIS_VERSION: 10.0.18362.1 amd64fre

    TRAP_FRAME:  ffffbc80f30dc2d0 -- (.trap 0xffffbc80f30dc2d0)
    NOTE: The trap frame does not contain all registers.
    Some register values may be zeroed or incorrect.
    rax=ffffffff9e310010 rbx=0000000000000000 rcx=ffff87038d518d30
    rdx=ffffd08de77f47c4 rsi=0000000000000000 rdi=0000000000000000
    rip=fffff80cdea5102b rsp=ffffbc80f30dc460 rbp=ffffd08de77f47c0
     r8=ffffd08de2703f20  r9=fffff8019e28b000 r10=ffffd08de29e2100
    r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
    r14=0000000000000000 r15=0000000000000000
    iopl=0         nv up ei pl nz na pe nc
    PROCEXP141+0x102b:
    fffff80c`dea5102b 66833807        cmp     word ptr [rax],7 ds:ffffffff`9e310010=????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from fffff8019e2a059b to fffff8019e3e82d0

    STACK_TEXT:
    ffffbc80`f30dbfd8 fffff801`9e2a059b : 00000000`00000050 ffffffff`9e310010 00000000`00000000 ffffbc80`f30dc2d0 : nt!KeBugCheckEx
    ffffbc80`f30dbfe0 fffff801`9e2daf04 : 00000000`00000000 ffff857f`ffffffff ffff429b`9c791351 ffffffff`9e310010 : nt!MiSystemFault+0x106b
    ffffbc80`f30dc0d0 fffff801`9e3f5361 : 00000000`00000000 ffffd08d`e29a0854 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0x254
    ffffbc80`f30dc2d0 fffff80c`dea5102b : ffffd08d`e77f47c0 fffff801`9e38c478 00000000`746c6644 00000000`000004e8 : nt!KiPageFault+0x321
    ffffbc80`f30dc460 ffffd08d`e77f47c0 : fffff801`9e38c478 00000000`746c6644 00000000`000004e8 00000000`00000000 : PROCEXP141+0x102b
    ffffbc80`f30dc468 fffff801`9e38c478 : 00000000`746c6644 00000000`000004e8 00000000`00000000 00000000`00000000 : 0xffffd08d`e77f47c0
    ffffbc80`f30dc470 fffff80c`dea516a3 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000040 : nt!KeDetachProcess+0x24
    ffffbc80`f30dc4a0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000040 ffffbc80`f30dc4e8 : PROCEXP141+0x16a3

    THREAD_SHA1_HASH_MOD_FUNC:  3280de3c3c82ecc932181c454bafa40c344724b7
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  3a39c77e6ca142a1e279cc3768ad31b1476f3ea5
    THREAD_SHA1_HASH_MOD:  6a36c801b88e8a922ebc4ffbaa44606a3566dadb

    FOLLOWUP_IP:
    PROCEXP141+102b
    fffff80c`dea5102b 66833807        cmp     word ptr [rax],7

    FAULT_INSTR_CODE:  7388366
    SYMBOL_STACK_INDEX:  4
    SYMBOL_NAME:  PROCEXP141+102b
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: PROCEXP141
    IMAGE_NAME:  PROCEXP141.SYS
    DEBUG_FLR_IMAGE_TIMESTAMP:  4d3a274b
    STACK_COMMAND:  .thread ; .cxr ; kb
    BUCKET_ID_FUNC_OFFSET:  102b
    FAILURE_BUCKET_ID:  AV_R_INVALID_PROCEXP141!unknown_function
    BUCKET_ID:  AV_R_INVALID_PROCEXP141!unknown_function
    PRIMARY_PROBLEM_CLASS:  AV_R_INVALID_PROCEXP141!unknown_function
    TARGET_TIME:  2020-09-25T06:45:39.000Z
    OSBUILD:  14393
    OSSERVICEPACK:  3930
    SERVICEPACK_NUMBER: 0
    OS_REVISION: 0
    SUITE_MASK:  16
    PRODUCT_TYPE:  2
    OSPLATFORM_TYPE:  x64
    OSNAME:  Windows 10
    OSEDITION:  Windows 10 LanManNt TerminalServer
    OS_LOCALE:
    USER_LCID:  0
    OSBUILD_TIMESTAMP:  2020-09-02 01:40:13
    BUILDDATESTAMP_STR:  200901-1914
    BUILDLAB_STR:  rs1_release
    BUILDOSVER_STR:  10.0.14393.3930.amd64fre.rs1_release.200901-1914
    ANALYSIS_SESSION_ELAPSED_TIME:  5341
    ANALYSIS_SOURCE:  KM
    FAILURE_ID_HASH_STRING:  km:av_r_invalid_procexp141!unknown_function
    FAILURE_ID_HASH:  {0910806e-dcd6-1a7f-65b6-de1b88bbce9c}

    Followup:     MachineOwner
    ---------

    3: kd> lmDvmprocexp141
    Browse full module list
    start             end                 module name
    fffff80c`dea50000 fffff80c`dea5b000   PROCEXP141 T (no symbols)
        Loaded symbol image file: PROCEXP141.SYS
        Image path: \??\C:\Windows\system32\Drivers\PROCEXP141.SYS
        Image name: PROCEXP141.SYS
        Browse all global symbols  functions  data
        Timestamp:        Fri Jan 21 19:39:39 2011 (4D3A274B)
        CheckSum:         0001523B
        ImageSize:        0000B000
        Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4
        Information from resource tables:

    Could you please show me the result of the following command at command prompt (cmd.exe):
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe"

    Disclaimer:
    My opinion may not coincide with the official position of Microsoft.

    Best regards, Andrei ...


    Friday, September 25, 2020 9:56 PM
  • There is no uninstall. Search all local drives for procexp.exe. Talk to other system administrators and ask them if they have used Process Explorer on that machine. Delete all old versions.
    Friday, September 25, 2020 10:46 PM
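
One way to carry out the search suggested above, as an added PowerShell example that is not part of the original thread: it lists the PROCEXP*.SYS files in the drivers directory with their version and signature status, any kernel services registered for them, and copies of procexp*.exe and handle*.exe that could recreate the driver file. The `C:\` search root and the handle*.exe pattern (taken from PROCESS_NAME in the dump) are assumptions.

```powershell
# Added example: inventory Process Explorer kernel drivers and the tools that may drop them.
# Assumption: the search root below is a placeholder; widen it to every local drive as needed.
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'
$searchRoots = @('C:\')

# 1. Driver files on disk, with version info and Authenticode signature status.
$drivers = Get-ChildItem -Path $driverDir -Filter 'PROCEXP*.SYS' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver        = $_.Name
            FileVersion   = $_.VersionInfo.FileVersion
            LastWriteTime = $_.LastWriteTime
            Signature     = $sig.Status
            Signer        = $sig.SignerCertificate.Subject
        }
    }

# 2. Kernel driver services still registered under a PROCEXP* name.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.Name -like 'PROCEXP*' } |
    Select-Object Name, State, StartMode, PathName

# 3. Candidate executables that may recreate the driver file when they run.
#    The dump in this thread names handle64.exe as the crashing process.
$patterns = @('procexp*.exe', 'handle*.exe')
$tools = Get-ChildItem -Path $searchRoots -Recurse -File -Include $patterns -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime,
        @{ Name = 'FileVersion'; Expression = { $_.VersionInfo.FileVersion } }

# Report: oldest tool versions first, since those are the ones to replace.
$drivers  | Format-Table -AutoSize
$services | Format-Table -AutoSize
$tools    | Sort-Object LastWriteTime | Format-Table -AutoSize
```

Run it from an elevated prompt so the recursive search can read protected directories; paths under a third-party product's install folder point to the vendor that needs to ship updated tools.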
  • Hello Andrei,

    Here is the result:

    "Erreur : Erreur : le système n’a pas trouvé la clé ou la valeur de Registre spécifiée."

    Error: Error: the system couldn't find the specified Registry key or value


    Saturday, September 26, 2020 8:12 AM
  • Hello,

    Could you please provide a log of the third-party anti-virus utility FRST according to the following instruction:
    - Download Farbar Recovery Scan Tool and save it on the desktop.

    Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

        • Run the program by double-clicking. When the program starts, click Yes to agree with a warning.
        • Ensure that under Optional Scan "List BCD", "SignCheckExt" and "Addition.txt" are checked.

        • Press Scan button to run the tool...
        • It will make a log (FRST.txt) in the same directory the tool is run.
        • The tool will also make a log named (Addition.txt).
        • Please attach it in the following message as a link to downloading from the file storage (e.g. onedrive).

    Disclaimer:
    My opinion may not coincide with the official position of Microsoft.

    Best regards, Andrei ...


    • Edited by SQx Saturday, September 26, 2020 3:03 PM updated
    Saturday, September 26, 2020 3:03 PM
  • Thank you all for your help,

    This old driver is part of a third party installation.

    As you suggested, they asked me to update the file procexp.exe and some others.

    Things should go back to normal.

    Wednesday, September 30, 2020 3:06 PM