Windows 2000 w. SP4 Crash [NEW DUMP POSTED]

because its exactly the same as before. If you havent updated your NIC drivers, and reviewed your installed networking software, you should not expect the software to behave any different.

Update or change your NIC drivers, Update or remove PCAnywhere, Figure out what dcdbas32.sys is and update if possible.

 

hi again
sorry - I am using this actual case for some investigating in kernel crash debugging so I try to grap as much information out of this not-to-complicated server setup as possibly - I have first updated the driver tonight and then let us se if it has made it more stable. But - is there a simple way to determine the source for the different libraries - eg - ndis.sys - I would expect this to be part of the windows runtime to which then the miniport drivers interface but I am not sure where the cut has been made - if we look at the actual case in the last dump: NDIS!ethFilterLockHandler - the rutine ethfilterlockhandler - this is part of the miniport-driver or what ?

regards /ti

 

eax=00000000 ebx=00000000 ecx=88ef1d88 edx=eb427928 esi=869c249a edi=88f16130
eip=bfe68856 esp=eb427904 ebp=eb427934 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
NDIS!ndisMIsLoopbackPacket+0x339:
bfe68856 ff972c010000 call dword ptr [edi+0x12c]{NDIS!ethFilterLockHandler (bfe7122f)} ds:0023:88f1625c=bfe7122f


eax=00000000 ebx=00000000 ecx=88eaf008 edx=80474088 esi=88e44530 edi=88fb06f0
eip=bfe68856 esp=80474064 ebp=80474094 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
NDIS!ndisMIsLoopbackPacket+0x339:
bfe68856 ff972c010000 call dword ptr [edi+0x12c] ds:0023:88fb081c=????????


In both of these dumps, we see NDIS is running a function called ndisMIsLoopbackPacket. The specific line of assembly it is running is shown to us by the debugger, it is trying to call the function located at EDI+12c as a pointer. I unassembled this function on one of my win2000 machines and note this is a call to an NDIS miniport driver. In one of the dumps, this memory is empty space (highlited red as ????????), and in the other dump it contains garbage, which just HAPPENS to point to a named location, called NDIS!ethFilterLockHandler. This is bogus and can be accepted as garbage.

 

hi again
Thanks joe - this makes sense - can you in short terms tell me how you disassembled that routine so that I can dig into that myself another time (I am very familiar with debugging unix kernels both al those windows tools confuse me a bit ..)

regards /ti

 

using CDB or WinDbg:

CDB> u NDIS!ndisMIsLoopbackPacket NDIS!ndisMIsLoopbackPacket+0x33a

would unassemble the function from beginning to current. EIP is the instruction pointer register for x86, so you could just u eip-50 eip+1 to get the last 50 bytes of instruction.

 

Hi again out there
There server just crashed yesterday again - this time with a new type (illegal instruction) - any comments on this? I am not sure what to conclude on this - I think that I more and more lean on buggy hw - memory maybe..

Microsoft (R) Windows Debugger Version 6.4.0004.4
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINNT\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

************************************************************************
WARNING: Dump file has inconsistent set-bit count. Data may be missing.
************************************************************************
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINNT;C:\WINNT\system32;C:\WINNT\system32\drivers
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer
Kernel base = 0x80400000 PsLoadedModuleList = 0x80484520
Debug session time: Sun Jan 30 13:40:41.198 2005 (GMT+1)
System Uptime: 1 days 12:02:26.297
Loading Kernel Symbols
.............................Page b213 not present in the dump file. Type ".hh dbgerr004" for details
...................................................................
Loading unloaded module list
.....
Loading User Symbols
............................................................................................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {c000001d, 804339ff, 12e, 1}

Probably caused by : ntkrnlmp.exe ( nt!NtYieldExecution+45 )

Followup: MachineOwner
---------

0: kd> !analyze -v;.trap be02bc70;r;kv;.logclose;q
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c000001d, The exception code that was not handled
Arg2: 804339ff, The address that the exception occurred at
Arg3: 0000012e, Parameter 0 of the exception
Arg4: 00000001, Parameter 1 of the exception

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc000001d - {EXCEPTION} Illegal Instruction An attempt was made to execute an illegal instruction.

FAULTING_IP:
nt!NtYieldExecution+45
804339ff 85c0 test eax,eax

EXCEPTION_PARAMETER1: 0000012e

EXCEPTION_PARAMETER2: 00000001

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x1E

LAST_CONTROL_TRANSFER: from 80466389 to 804339ff

TRAP_FRAME: be02bce0 -- (.trap ffffffffbe02bce0)
.trap ffffffffbe02bce0
ErrCode = 00000000
eax=888bf020 ebx=40000024 ecx=00000008 edx=80483780 esi=8858d560 edi=ffdff120
eip=804339ff esp=be02bd54 ebp=be02bd64 iopl=0 nv up ei pl zr na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!NtYieldExecution+0x45:
804339ff 85c0 test eax,eax
.trap
Resetting default scope

STACK_TEXT:
be02bd5c 80466389 00000000 00000000 00000000 nt!NtYieldExecution+0x45
be02bd5c 77f92450 00000000 00000000 00000000 nt!KiSystemService+0xc9
023eff50 7c59c415 79e7d9a6 00000000 00000014 ntdll!ZwYieldExecution+0xb
023eff54 79e7d9a6 00000000 00000014 02230f78 KERNEL32!SwitchToThread+0x6
023eff70 79e7dd48 00000068 01b741e0 01b74148 aspnet_isapi!CProcessTableManager:rivateMonitorHealth+0x1ff
023eff80 01b1940f 00000000 00000000 00000000 aspnet_isapi!MonitorHealth+0x2d
023effb4 7c57b382 01b74148 00000000 00000000 MSVCR71!_endthread+0xaa
023effec 00000000 01b193a3 01b74148 00000000 KERNEL32!BaseThreadStart+0x52


FAILED_INSTRUCTION_ADDRESS:
nt!NtYieldExecution+45
804339ff 85c0 test eax,eax

FOLLOWUP_IP:
nt!NtYieldExecution+45
804339ff 85c0 test eax,eax

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: nt!NtYieldExecution+45

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 3ee650b3

STACK_COMMAND: .trap ffffffffbe02bce0 ; kb

FAILURE_BUCKET_ID: 0x1E_BAD_IP_nt!NtYieldExecution+45

BUCKET_ID: 0x1E_BAD_IP_nt!NtYieldExecution+45

Followup: MachineOwner
---------

ErrCode = 8858d648
eax=be02bcd4 ebx=8046aae9 ecx=8858d614 edx=ffffffff esi=00000246 edi=be02bd44
eip=8858d560 esp=be02bd64 ebp=be02bd04 iopl=3 ov dn di ng zr na po nc
cs=71b0 ss=ff34 ds=375e es=0001 fs=ace3 gs=012e efl=8042bdce
71b0:d560 6e outsb
Last set context:
eax=be02bcd4 ebx=8046aae9 ecx=8858d614 edx=ffffffff esi=00000246 edi=be02bd44
eip=8858d560 esp=be02bd64 ebp=be02bd04 iopl=3 ov dn di ng zr na po nc
cs=71b0 ss=ff34 ds=375e es=0001 fs=ace3 gs=012e efl=8042bdce
71b0:d560 6e outsb
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
be02bd04 8052670d 00000101 00000000 00000023 0x8858d560
be02bd54 023eff58 804339ba 80466389 00000000 nt!NtDelayExecution+0x7f (FPO: [Non-Fpo])
be02bd64 00000000 00000000 00000000 00000000 0x23eff58
Closing open log file c:\debuglog.txt

regards /ti