Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Troubleshooting Windows CallManager server "blue screen of death" crashes

Symptoms

Event Log Entries

Event Type: Error

Event Source: EventLog

Event Category: None

Event ID: 6008

Date: 2/24/2009

Time: 11:45:49 AM

User: N/A

Computer: CCM

Description:

The previous system shutdown at 9:38:48 AM on 2/24/2009 was unexpected.

Event Type: Information

Event Source: Save Dump

Event Category: None

Event ID: 1001

Date: 2/24/2009

Time: 11:49:09 AM

User: N/A

Computer: CCM

Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x0000001e (0xc0000005, 0xf5504f42, 0x00000000, 0x00000004). A dump was saved in: Microsoft Windows 2000 [v15.2195].

The bugcheck text can and will vary.

Troubleshooting

Look for c:\memory.dmp.   The filesize should be the same as the physical memory in the server.

Several things can prevent Windows from creating a complete memory dump.

  • System page file is smaller than the amount of physical memory
  • HP ASR feature kicks in and reboots the server in the middle of the dump.


You will need Windbg to debug the memory.dmp file.  www.microsoft.com/whdc/DevTools/Debugging/default.mspx.

After downloading and installing Windbg you need to set up the symbol path.  www.microsoft.com/whdc/DevTools/Debugging/debugstart.mspx.

Next go to File->Open Crash Dump and point to the memoy.dmp file.  It will automatically do an initial analysis.

Microsoft (R) Windows Debugger Version 6.10.0003.233 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [F:\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

************************************************************
WARNING: Dump file has been truncated.  Data may be missing.
************************************************************
Symbol search path is: SRV*f:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 2000 Kernel Version 2195 (Service Pack 4) MP (2 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Machine Name:
Kernel base = 0xdd400000 PsLoadedModuleList = 0xdd485b40
Debug session time: Tue Feb 24 11:42:48.540 2009 (GMT-4)
System Uptime: 0 days 12:04:29.466
Loading Kernel Symbols
...............................................................
.......................................
Loading User Symbols

Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1E, {c0000005, f5504f42, 0, 4}

*** WARNING: Unable to verify timestamp for ctclient.sys
*** ERROR: Module load completed but symbols could not be loaded for ctclient.sys
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for SYMTDI.SYS -
Probably caused by : ctclient.sys ( ctclient+41f42 )

Followup: MachineOwner
---------

As the output notes you now type "!analyze -v" to complete the analysis.

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: f5504f42, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000004, Parameter 1 of the exception

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
ctclient+41f42
f5504f42 ??              ???

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000004

READ_ADDRESS:  00000004

DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO

BUGCHECK_STR:  0x1E

PROCESS_NAME:  System

EXCEPTION_RECORD:  eb4579e0 -- (.exr 0xffffffffeb4579e0)
ExceptionAddress: f5504f42 (ctclient+0x00041f42)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000004
Attempt to read from address 00000004

TRAP_FRAME:  eb457a34 -- (.trap 0xffffffffeb457a34)
ErrCode = 00000000
eax=f9442678 ebx=f5504e40 ecx=00000000 edx=f9442678 esi=eb457c3c edi=eb457bc0
eip=f5504f42 esp=eb457aa8 ebp=eb457bb4 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
ctclient+0x41f42:
f5504f42 ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER:  from dd468e95 to dd4308e6

STACK_TEXT: 
eb4579c4 dd468e95 eb4579e0 00000000 eb457a34 nt!KiDispatchException+0x30e
eb457a2c dd468e46 fd6c2020 00000048 00000000 nt!CommonDispatchException+0x4d
eb457a40 f5a1dc35 fd6e4c40 fd6f61c8 00000000 nt!KiUnexpectedInterruptTail+0x207
fd6c2020 00000000 fd6c2028 fd6c2028 fd6c2030 tcpip!TdiQueryInformationEx+0xf0


STACK_COMMAND:  .bugcheck ; kb

FOLLOWUP_IP:
ctclient+41f42
f5504f42 ??              ???

SYMBOL_NAME:  ctclient+41f42

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: ctclient

IMAGE_NAME:  ctclient.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x1E_ctclient+41f42

BUCKET_ID:  0x1E_ctclient+41f42

Followup: MachineOwner
---------

Note the indication that the memory dump was corrupted.

This was a case where the system page file was not large enough to allow a complete dump.  It did not prevent a complete analysis and the faulty driver in this case is ctclient.sys.

Where do we go from here?

Now that you have the driver that caused the crash you need to find what application that driver belongs to.

Google is your friend here.

If the application is part of the standard MCS OS installation or a Cisco product then you should first search the bug toolkit to see if your crash is a known problem. If you are not able to find an existing bug then open a TAC service request.

If the application is from a 3rd party then you will need to work with the 3rd party application vendor for support.

1861
Views
4
Helpful
0
Comments