Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

[Guest Andreas.Konrad]

Hi,

 

one of our terminalserver crashes quite often with BugCheck 100000D1!

Could someone analyse my minidump and tell me what is the faulting module?

 

Thanks a lot!

Regards

Andi

 

************************************************************

Microsoft ® Windows Debugger Version 6.8.0004.0 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini012308-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free

x86 compatible

Product: Server, suite: Enterprise TerminalServer

Built by: 3790.srv03_sp2_gdr.070304-2240

Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8

Debug session time: Wed Jan 23 18:54:02.559 2008 (GMT+1)

System Uptime: 2 days 3:32:48.671

Loading Kernel Symbols

.........................................................................................................................

Loading User Symbols

Loading unloaded module list

............

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 100000D1, {0, d0000002, 8, 0}

 

 

 

Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

 

Followup: MachineOwner

---------

 

14: kd> !analyze -v

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: 00000000, memory referenced

Arg2: d0000002, IRQL

Arg3: 00000008, value 0 = read operation, 1 = write operation

Arg4: 00000000, address which referenced memory

 

Debugging Details:

------------------

 

 

 

 

READ_ADDRESS: 00000000

 

CURRENT_IRQL: 2

 

FAULTING_IP:

+0

00000000 ?? ???

 

PROCESS_NAME: Idle

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

 

BUGCHECK_STR: 0xD1

 

LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

 

FAILED_INSTRUCTION_ADDRESS:

+0

00000000 ?? ???

 

STACK_TEXT:

WARNING: Frame IP not in any known module. Following frames may be wrong.

f7916d30 f779fee0 8086efcf f779f000 a37c2c70 0x0

f7916d50 8088ddf2 00000000 0000000e 00000000 0xf779fee0

f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!KiIdleLoop+a

8088ddf2 f390 pause

 

SYMBOL_STACK_INDEX: 2

 

SYMBOL_NAME: nt!KiIdleLoop+a

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

IMAGE_NAME: ntkrpamp.exe

 

DEBUG_FLR_IMAGE_TIMESTAMP: 45ec0a19

 

FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

 

BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

 

Followup: MachineOwner

---------

 

************************************************************

[Guest Thee Chicago Wolf]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

>one of our terminalserver crashes quite often with BugCheck 100000D1!

>Could someone analyse my minidump and tell me what is the faulting module?

>

>Thanks a lot!

>Regards

>Andi

>

>************************************************************

>Microsoft ® Windows Debugger Version 6.8.0004.0 X86

>Copyright © Microsoft Corporation. All rights reserved.

>

>

>Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini012308-01.dmp]

>Mini Kernel Dump File: Only registers and stack trace are available

>

>Symbol search path is:

>SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

>Executable search path is:

>Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free

>x86 compatible

>Product: Server, suite: Enterprise TerminalServer

>Built by: 3790.srv03_sp2_gdr.070304-2240

>Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8

>Debug session time: Wed Jan 23 18:54:02.559 2008 (GMT+1)

>System Uptime: 2 days 3:32:48.671

>Loading Kernel Symbols

>.........................................................................................................................

>Loading User Symbols

>Loading unloaded module list

>...........

>*******************************************************************************

>*

> *

>* Bugcheck Analysis

> *

>*

> *

>*******************************************************************************

>

>Use !analyze -v to get detailed debugging information.

>

>BugCheck 100000D1, {0, d0000002, 8, 0}

>

>

>

>Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

>

>Followup: MachineOwner

>---------

>

>14: kd> !analyze -v

>*******************************************************************************

>*

> *

>* Bugcheck Analysis

> *

>*

> *

>*******************************************************************************

>

>DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

>An attempt was made to access a pageable (or completely invalid) address at an

>interrupt request level (IRQL) that is too high. This is usually

>caused by drivers using improper addresses.

>If kernel debugger is available get stack backtrace.

>Arguments:

>Arg1: 00000000, memory referenced

>Arg2: d0000002, IRQL

>Arg3: 00000008, value 0 = read operation, 1 = write operation

>Arg4: 00000000, address which referenced memory

>

>Debugging Details:

>------------------

>

>

>

>

>READ_ADDRESS: 00000000

>

>CURRENT_IRQL: 2

>

>FAULTING_IP:

>+0

>00000000 ?? ???

>

>PROCESS_NAME: Idle

>

>CUSTOMER_CRASH_COUNT: 1

>

>DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

>

>BUGCHECK_STR: 0xD1

>

>LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

>

>FAILED_INSTRUCTION_ADDRESS:

>+0

>00000000 ?? ???

>

>STACK_TEXT:

>WARNING: Frame IP not in any known module. Following frames may be wrong.

>f7916d30 f779fee0 8086efcf f779f000 a37c2c70 0x0

>f7916d50 8088ddf2 00000000 0000000e 00000000 0xf779fee0

>f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

>

>

>STACK_COMMAND: kb

>

>FOLLOWUP_IP:

>nt!KiIdleLoop+a

>8088ddf2 f390 pause

>

>SYMBOL_STACK_INDEX: 2

>

>SYMBOL_NAME: nt!KiIdleLoop+a

>

>FOLLOWUP_NAME: MachineOwner

>

>MODULE_NAME: nt

>

>IMAGE_NAME: ntkrpamp.exe

>

>DEBUG_FLR_IMAGE_TIMESTAMP: 45ec0a19

>

>FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

>

>BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

>

>Followup: MachineOwner

>---------

>

>************************************************************

 

Since it seems that ntkrpamp.exe is acting up, try the update from

this KB article: http://support.microsoft.com/kb/938486

 

- Thee Chicago Wolf

[Guest Andreas.Konrad]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

Well, downloaded and installed the hotfix. Improvements will be shown within

the next days. I'll keep you posted.

Thanks so far.

Andi

 

 

"Thee Chicago Wolf" wrote:

> Since it seems that ntkrpamp.exe is acting up, try the update from

> this KB article: http://support.microsoft.com/kb/938486

>

> - Thee Chicago Wolf

>

[Guest Thee Chicago Wolf]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

>Well, downloaded and installed the hotfix. Improvements will be shown within

>the next days. I'll keep you posted.

>Thanks so far.

 

Great. Let the group know if there's been any improvement. It would be

good to know this does address the issues you've been facing and can

be recommended to others.

 

- Thee Chicago Wolf

[Guest Andreas.Konrad]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

Sorry, here is the next Minidump after installing the hotfix... :-(

 

 

 

Microsoft ® Windows Debugger Version 6.8.0004.0 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini020908-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free

x86 compatible

Product: Server, suite: Enterprise TerminalServer

Built by: 3790.srv03_sp2_qfe.071022-1210

Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48

Debug session time: Sat Feb 9 01:45:34.232 2008 (GMT+1)

System Uptime: 0 days 12:29:43.359

Loading Kernel Symbols

..........................................................................................................................

Loading User Symbols

Loading unloaded module list

........

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 100000D1, {0, d0000002, 8, 0}

 

 

 

Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

 

Followup: MachineOwner

---------

 

14: kd> !analyze -v

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: 00000000, memory referenced

Arg2: d0000002, IRQL

Arg3: 00000008, value 0 = read operation, 1 = write operation

Arg4: 00000000, address which referenced memory

 

Debugging Details:

------------------

 

 

 

 

READ_ADDRESS: 00000000

 

CURRENT_IRQL: 2

 

FAULTING_IP:

+0

00000000 ?? ???

 

PROCESS_NAME: Idle

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

 

BUGCHECK_STR: 0xD1

 

LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

 

FAILED_INSTRUCTION_ADDRESS:

+0

00000000 ?? ???

 

STACK_TEXT:

WARNING: Frame IP not in any known module. Following frames may be wrong.

f7916d30 f779fee0 8086feb9 f779f000 a3863af8 0x0

f7916d50 8088f2b2 00000000 0000000e 00000000 0xf779fee0

f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!KiIdleLoop+a

8088f2b2 f390 pause

 

SYMBOL_STACK_INDEX: 2

 

SYMBOL_NAME: nt!KiIdleLoop+a

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

IMAGE_NAME: ntkrpamp.exe

 

DEBUG_FLR_IMAGE_TIMESTAMP: 471cab92

 

FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

 

BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

 

Followup: MachineOwner

---------

 

 

 

"Thee Chicago Wolf" wrote:

> >Well, downloaded and installed the hotfix. Improvements will be shown within

> >the next days. I'll keep you posted.

> >Thanks so far.

>

> Great. Let the group know if there's been any improvement. It would be

> good to know this does address the issues you've been facing and can

> be recommended to others.

>

> - Thee Chicago Wolf

>

[Guest Andreas.Konrad]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

Sorry, here is the next minidump after installing the hotfix... :-(

 

 

Microsoft ® Windows Debugger Version 6.8.0004.0 X86

Copyright © Microsoft Corporation. All rights reserved.

 

 

Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini020908-01.dmp]

Mini Kernel Dump File: Only registers and stack trace are available

 

Symbol search path is:

SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:

Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free

x86 compatible

Product: Server, suite: Enterprise TerminalServer

Built by: 3790.srv03_sp2_qfe.071022-1210

Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48

Debug session time: Sat Feb 9 01:45:34.232 2008 (GMT+1)

System Uptime: 0 days 12:29:43.359

Loading Kernel Symbols

..........................................................................................................................

Loading User Symbols

Loading unloaded module list

........

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

Use !analyze -v to get detailed debugging information.

 

BugCheck 100000D1, {0, d0000002, 8, 0}

 

 

 

Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

 

Followup: MachineOwner

---------

 

14: kd> !analyze -v

*******************************************************************************

*

*

* Bugcheck Analysis

*

*

*

*******************************************************************************

 

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: 00000000, memory referenced

Arg2: d0000002, IRQL

Arg3: 00000008, value 0 = read operation, 1 = write operation

Arg4: 00000000, address which referenced memory

 

Debugging Details:

------------------

 

 

 

 

READ_ADDRESS: 00000000

 

CURRENT_IRQL: 2

 

FAULTING_IP:

+0

00000000 ?? ???

 

PROCESS_NAME: Idle

 

CUSTOMER_CRASH_COUNT: 1

 

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

 

BUGCHECK_STR: 0xD1

 

LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

 

FAILED_INSTRUCTION_ADDRESS:

+0

00000000 ?? ???

 

STACK_TEXT:

WARNING: Frame IP not in any known module. Following frames may be wrong.

f7916d30 f779fee0 8086feb9 f779f000 a3863af8 0x0

f7916d50 8088f2b2 00000000 0000000e 00000000 0xf779fee0

f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

 

 

STACK_COMMAND: kb

 

FOLLOWUP_IP:

nt!KiIdleLoop+a

8088f2b2 f390 pause

 

SYMBOL_STACK_INDEX: 2

 

SYMBOL_NAME: nt!KiIdleLoop+a

 

FOLLOWUP_NAME: MachineOwner

 

MODULE_NAME: nt

 

IMAGE_NAME: ntkrpamp.exe

 

DEBUG_FLR_IMAGE_TIMESTAMP: 471cab92

 

FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

 

BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

 

Followup: MachineOwner

---------

 

 

 

"Thee Chicago Wolf" wrote:

> >Well, downloaded and installed the hotfix. Improvements will be shown within

> >the next days. I'll keep you posted.

> >Thanks so far.

>

> Great. Let the group know if there's been any improvement. It would be

> good to know this does address the issues you've been facing and can

> be recommended to others.

>

> - Thee Chicago Wolf

>

[Guest Thee Chicago Wolf]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

>Sorry, here is the next Minidump after installing the hotfix... :-(

>

>Microsoft ® Windows Debugger Version 6.8.0004.0 X86

>Copyright © Microsoft Corporation. All rights reserved.

>

>

>Loading Dump File [C:\d\Analysedaten\BSOD_NTCL0512\Mini020908-01.dmp]

>Mini Kernel Dump File: Only registers and stack trace are available

>

>Symbol search path is:

>SRV*c:\symbols*http://msdl.microsoft.com/download/symbols

>Executable search path is:

>Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (16 procs) Free

>x86 compatible

>Product: Server, suite: Enterprise TerminalServer

>Built by: 3790.srv03_sp2_qfe.071022-1210

>Kernel base = 0x80800000 PsLoadedModuleList = 0x808a8e48

>Debug session time: Sat Feb 9 01:45:34.232 2008 (GMT+1)

>System Uptime: 0 days 12:29:43.359

>Loading Kernel Symbols

>..........................................................................................................................

>Loading User Symbols

>Loading unloaded module list

>.......

>*******************************************************************************

>*

> *

>* Bugcheck Analysis

> *

>*

> *

>*******************************************************************************

>

>Use !analyze -v to get detailed debugging information.

>

>BugCheck 100000D1, {0, d0000002, 8, 0}

>

>

>

>Probably caused by : ntkrpamp.exe ( nt!KiIdleLoop+a )

>

>Followup: MachineOwner

>---------

>

>14: kd> !analyze -v

>*******************************************************************************

>*

> *

>* Bugcheck Analysis

> *

>*

> *

>*******************************************************************************

>

>DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

>An attempt was made to access a pageable (or completely invalid) address at an

>interrupt request level (IRQL) that is too high. This is usually

>caused by drivers using improper addresses.

>If kernel debugger is available get stack backtrace.

>Arguments:

>Arg1: 00000000, memory referenced

>Arg2: d0000002, IRQL

>Arg3: 00000008, value 0 = read operation, 1 = write operation

>Arg4: 00000000, address which referenced memory

>

>Debugging Details:

>------------------

>

>READ_ADDRESS: 00000000

>

>CURRENT_IRQL: 2

>

>FAULTING_IP:

>+0

>00000000 ?? ???

>

>PROCESS_NAME: Idle

>

>CUSTOMER_CRASH_COUNT: 1

>

>DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

>

>BUGCHECK_STR: 0xD1

>

>LAST_CONTROL_TRANSFER: from f779fee0 to 00000000

>

>FAILED_INSTRUCTION_ADDRESS:

>+0

>00000000 ?? ???

>

>STACK_TEXT:

>WARNING: Frame IP not in any known module. Following frames may be wrong.

>f7916d30 f779fee0 8086feb9 f779f000 a3863af8 0x0

>f7916d50 8088f2b2 00000000 0000000e 00000000 0xf779fee0

>f7916d54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

>

>

>STACK_COMMAND: kb

>

>FOLLOWUP_IP:

>nt!KiIdleLoop+a

>8088f2b2 f390 pause

>

>SYMBOL_STACK_INDEX: 2

>

>SYMBOL_NAME: nt!KiIdleLoop+a

>

>FOLLOWUP_NAME: MachineOwner

>

>MODULE_NAME: nt

>

>IMAGE_NAME: ntkrpamp.exe

>

>DEBUG_FLR_IMAGE_TIMESTAMP: 471cab92

>

>FAILURE_BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

>

>BUCKET_ID: 0xD1_CODE_AV_NULL_IP_nt!KiIdleLoop+a

>

>Followup: MachineOwner

>---------

 

Andreas,

 

Damn. Well, it certainly looks like it is still having something to do

with the ntkrpamp failing. You said this was a terminal server right?

Lot of people coming in and out of it? There is an updated set of the

ntkrnl files from Jan 22nd 2008. You might want to try the hotfix from

this KB article: http://support.microsoft.com/kb/944984

 

Review the event viewer and see if you're also getting those log

messages mentioned in the KB article.

 

I also don't think it would hurt to apply the patch from this KB as

well: http://support.microsoft.com/kb/936357

 

What about system BIOS, up to date? NIC driver up to date as well?

 

- Thee Chicago Wolf

[Guest Andreas.Konrad]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

hi wolf,

 

we are using uphclean.exe, so 1517 events shouldn't appear.

right, it is a terminalserver but there is no load on it because it's not in

production, yet.

bios, nic, raid etc. have been updated last week.

 

i'll try kb936357...

most likely calling ms support would be the best next step?!

 

regards

andreas

 

"Thee Chicago Wolf" wrote:

>

> Andreas,

>

> Damn. Well, it certainly looks like it is still having something to do

> with the ntkrpamp failing. You said this was a terminal server right?

> Lot of people coming in and out of it? There is an updated set of the

> ntkrnl files from Jan 22nd 2008. You might want to try the hotfix from

> this KB article: http://support.microsoft.com/kb/944984

>

> Review the event viewer and see if you're also getting those log

> messages mentioned in the KB article.

>

> I also don't think it would hurt to apply the patch from this KB as

> well: http://support.microsoft.com/kb/936357

>

> What about system BIOS, up to date? NIC driver up to date as well?

>

> - Thee Chicago Wolf

>

[Guest Thee Chicago Wolf]

Re: Stop-Error: Terminalserver reboots weekly - ntkrpamp.exe

 

>hi wolf,

>

>we are using uphclean.exe, so 1517 events shouldn't appear.

>right, it is a terminalserver but there is no load on it because it's not in

>production, yet.

>bios, nic, raid etc. have been updated last week.

>

>i'll try kb936357...

>most likely calling ms support would be the best next step?!

>

>regards

>andreas

 

Andreas,

 

Wow, if it's non-production I can't imagine how it would behave in

production. Yes, definitely give KB936357 a try for sure. At this

point it couldn't hurt the situation. And I guess calling MS if it

doesn't help would be the next option. Let know how things turn out.

 

- Thee Chicago Wolf