Random unexpected shutdown 0x000000d1

By srs41880 ·
The firewall software was updated to the current version and a few days later this started. This is a terminal services server and the update was not installed the proper way. The software has been taken off the machine, the drivers for video card, Bios, and NIC card have all been updated as well without any luck. Here is the dump file:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV* d:\websymbols*
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer
Built by: 3790.srv03_sp2_rtm.070216-1710
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Mar 19 03:53:21.613 2010 (GMT-4)
System Uptime: 0 days 11:12:56.546
Loading Kernel Symbols
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Loading unloaded module list
* *
* Bugcheck Analysis *
* *

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000005, 8081e247, f4602b14, 0}

Page b8520 not present in the dump file. Type ".hh dbgerr004" for details
Page b8585 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
Probably caused by : NDIS.sys ( NDIS!ndisDeviceControlIrpHandler+338 )

Followup: MachineOwner

3: kd> !analyze -v
* *
* Bugcheck Analysis *
* *

This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
Arg1: c0000005, The exception code that was not handled
Arg2: 8081e247, The address that the exception occurred at
Arg3: f4602b14, Trap Frame
Arg4: 00000000

Debugging Details:

Page b8520 not present in the dump file. Type ".hh dbgerr004" for details
Page b8585 not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffdc00c). Type ".hh dbgerr001" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

8081e247 8b3f mov edi,dword ptr [edi]

TRAP_FRAME: f4602b14 -- (.trap 0xfffffffff4602b14)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=8089d8a4 edx=8a7dd558 esi=00000008 edi=00000008
eip=8081e247 esp=f4602b88 ebp=f4602ba4 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
8081e247 8b3f mov edi,dword ptr [edi] ds:0023:00000008=????????
Resetting default scope



PROCESS_NAME: explorer.exe


LAST_CONTROL_TRANSFER: from 8082d800 to 80827c63

f46026e0 8082d800 0000008e c0000005 8081e247 nt!KeBugCheckEx+0x1b
f4602aa4 8088a262 f4602ac0 00000000 f4602b14 nt!KiDispatchException+0x3a2
f4602b0c 8088a216 f4602ba4 8081e247 badb0d00 nt!CommonDispatchException+0x4a
f4602b14 8081e247 badb0d00 8a7dd558 000094a4 nt!KiExceptionExit+0x186
f4602ba4 f7161326 8a368ca0 8a27be28 8a27be28 nt!IopfCompleteRequest+0x211
f4602c3c 8081df65 8a35e930 8a27be28 8a42f0c0 NDIS!ndisDeviceControlIrpHandler+0x338
f4602c50 808f5437 8a27bebc 8a42f0c0 8a27be28 nt!IofCallDriver+0x45
f4602c64 808f61bf 8a35e930 8a27be28 8a42f0c0 nt!IopSynchronousServiceTail+0x10b
f4602d00 808eed08 00000450 00000000 00000000 nt!IopXxxControlFile+0x5e5
f4602d34 8088978c 00000450 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
f4602d34 7c8285ec 00000450 00000000 00000000 nt!KiFastCallEntry+0xfc
WARNING: Frame IP not in any known module. Following frames may be wrong.
0149f7fc 00000000 00000000 00000000 00000000 0x7c8285ec


f7161326 837d8400 cmp dword ptr [ebp-7Ch],0


SYMBOL_NAME: NDIS!ndisDeviceControlIrpHandler+338





FAILURE_BUCKET_I 0x8E_NDIS!ndisDeviceControlIrpHandler+338

BUCKET_I 0x8E_NDIS!ndisDeviceControlIrpHandler+338

Followup: MachineOwner

3: kd> lmvm NDIS
start end module name
f7151000 f7190000 NDIS (pdb symbols) d:\websymbols\ndis.pdb\A14D420**57649C29C2B53ACB7C24C122\ndis.pdb
Loaded symbol image file: NDIS.sys
Image path: NDIS.sys
Image name: NDIS.sys
Timestamp: Sat Feb 17 01:28:49 2007 (45D6A0A1)
CheckSum: 0003CA0F
ImageSize: 0003F000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Related Discussions

Related Forums