System Crash - STOP 0x50

Hello,

I am currently running "Microsoft Windows Server 2003 R2 - Enterprise x64
Edition", to quote its full title, and am experiencing system crash's
(BSOD's) periodically. These system crash's typically occur at some point
after which the system has been running for at least 24hrs. The system has
been installed very recently (less than a month ago), and is running all the
latest drivers for the hardware, as well as being completely up-to-date with
the latest software patches. To date, I have attempted to minimize the
problem by ensuring I reboot at least once a day, but this isn't exactly an
ideal solution.

I have selected the option to have a "Kernel Memory Dump" when a system
crash occurs, and have installed Microsoft Debugging Tools for Windows
64-bit. I am completely inexperienced in the area of debugging crash dumps,
and am not a programmer, but I have loaded the crash dump into WinDbg, and
have done a bugcheck analysis, the results of which follows. Although I can
attempt to draw some conclusions from this, would anyone please be able to
provide a more experienced perspective on the data? I do not wish to draw
incorrect conclusions. Any help whatsoever in resolving this problem would
be greatly appreciated, as it is an incredible pain to deal with.

----------

Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows
64-bit\symbols*http://msdl.microsoft.com/download/symbols

Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free
x64
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_gdr.060315-1609
Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d60c0
Debug session time: Sat Nov 18 00:10:07.974 2006 (GMT+11)
System Uptime: 1 days 1:42:01.728
Loading Kernel Symbols
.................................................. .................................................. .................................................. ...............
Loading User Symbols
PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for
details
Loading unloaded module list
.......
************************************************** *****************************
*
*
* Bugcheck Analysis
*
*
*
************************************************** *****************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {fffffa8007fda000, 0, fffff97fff177fd4, 0}

windbg> .hh dbgerr001
Probably caused by : win32k.sys ( win32k!NtUserfnINDEVICECHANGE+1bb )

Followup: MachineOwner
---------

0: kd> !analyze -v
************************************************** *****************************
*
*
* Bugcheck Analysis
*
*
*
************************************************** *****************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by
try-except,
it must be protected by a Probe. Typically the address is just plain bad or
it
is pointing at freed memory.
Arguments:
Arg1: fffffa8007fda000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff97fff177fd4, If non-zero, the instruction address which
referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:
------------------


READ_ADDRESS: fffffa8007fda000 Paged pool

FAULTING_IP:
win32k!NtUserfnINDEVICECHANGE+1bb
fffff97f`ff177fd4 8b4630 mov eax,dword ptr [rsi+30h]

MM_INTERNAL_CODE: 0

IMAGE_NAME: win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 43446f9e

MODULE_NAME: win32k

FAULTING_MODULE: fffff97fff000000 win32k

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: winamp.exe

CURRENT_IRQL: 1

TRAP_FRAME: fffffadfc4123bb0 -- (.trap fffffadfc4123bb0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed.
rax=0000000000000000 rbx=0000000000008006 rcx=fffffa8007fd9fd0
rdx=0000000000000016 rsi=0000000076647355 rdi=fffff97fff000000
rip=fffff97fff177fd4 rsp=fffffadfc4123d40 rbp=0000000006efead0
r8=0000000000000000 r9=fffffa8007fd9fd0 r10=0000032000000000
r11=fffffa8007fd9fd0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
win32k!NtUserfnINDEVICECHANGE+0x1bb:
fffff97f`ff177fd4 8b4630 mov eax,dword ptr [rsi+30h]
ds:ac1a:7385=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from fffff800010b25d8 to fffff8000104e890

STACK_TEXT:
fffffadf`c4123ad8 fffff800`010b25d8 : 00000000`00000050 fffffa80`07fda000
00000000`00000000 fffffadf`c4123bb0 : nt!KeBugCheckEx
fffffadf`c4123ae0 fffff800`0104d499 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : nt!MmAccessFault+0xa22
fffffadf`c4123bb0 fffff97f`ff177fd4 : 00000000`00000000 00000000`06efead0
00000000`00000000 00000000`0000002c : nt!KiPageFault+0x119
fffffadf`c4123d40 fffff97f`ff0a6701 : fffff97f`f7c40340 00000000`00010458
00000000`0000002c fffffa80`07fd9fd0 : win32k!NtUserfnINDEVICECHANGE+0x1bb
fffffadf`c4123de0 fffff800`0104e37d : 00000000`00000016 00000000`00000016
00000000`00000000 00000001`00000000 : win32k!NtUserMessageCall+0x142
fffffadf`c4123e80 00000000`78bc5dda : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
00000000`06efd6d8 fffff800`010493a0 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : 0x78bc5dda
fffffadf`c4124280 00000000`7ef95000 : fffff97f`ff08275c 00000000`00001388
00000000`00010458 00000000`00000036 : nt!KiCallUserMode
fffffadf`c4124288 fffff97f`ff08275c : 00000000`00001388 00000000`00010458
00000000`00000036 fffffadf`c4124e00 : 0x7ef95000
fffffadf`c4124290 00000000`00000000 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : win32k!NtUserGetClassName+0xfe


STACK_COMMAND: kb

FOLLOWUP_IP:
win32k!NtUserfnINDEVICECHANGE+1bb
fffff97f`ff177fd4 8b4630 mov eax,dword ptr [rsi+30h]

SYMBOL_STACK_INDEX: 3

FOLLOWUP_NAME: MachineOwner

SYMBOL_NAME: win32k!NtUserfnINDEVICECHANGE+1bb

FAILURE_BUCKET_ID: X64_0x50_win32k!NtUserfnINDEVICECHANGE+1bb

BUCKET_ID: X64_0x50_win32k!NtUserfnINDEVICECHANGE+1bb

Followup: MachineOwner
---------

0: kd> lmvm win32k
start end module name
fffff97f`ff000000 fffff97f`ff45d000 win32k (pdb symbols)
C:\Program Files\Debugging Tools for Windows
64-bit\symbols\win32k.pdb\A1D512A10F464D808570C94E694 17A4D2\win32k.pdb
Loaded symbol image file: win32k.sys
Image path: \SystemRoot\System32\win32k.sys
Image name: win32k.sys
Timestamp: Thu Oct 06 10:28:14 2005 (43446F9E)
CheckSum: 00456770
ImageSize: 0045D000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
----------

Thanks in advance,

Samuel Denbigh Leslie

I am not really the one to analyse this sort of thing, but generally BSOD's
are Hardware related, the listing mentions memory to some extent (not
surprising) perhaps you should run a memory diagnostic for a day or two?

It mentions WINAMP and 'Device Changes', does that tell you anything? Is the
system crashing while you are looking at it, or do you wake up to a blue
screen?

Are you alone on that system, or are there someone else perhaps with not
rigorous enough Permissions?

A quick search on Yahoo revealed the code to relate to installed Anti-Virus,
as one possible cause.

Check your Eventviewer!


Tony. . .


"Samuel Denbigh Leslie" <> wrote in message
news:...
> Hello,
>
> I am currently running "Microsoft Windows Server 2003 R2 - Enterprise x64
> Edition", to quote its full title, and am experiencing system crash's
> (BSOD's) periodically. These system crash's typically occur at some point
> after which the system has been running for at least 24hrs. The system has
> been installed very recently (less than a month ago), and is running all
the
> latest drivers for the hardware, as well as being completely up-to-date
with
> the latest software patches. To date, I have attempted to minimize the
> problem by ensuring I reboot at least once a day, but this isn't exactly
an
> ideal solution.
>
> I have selected the option to have a "Kernel Memory Dump" when a system
> crash occurs, and have installed Microsoft Debugging Tools for Windows
> 64-bit. I am completely inexperienced in the area of debugging crash
dumps,
> and am not a programmer, but I have loaded the crash dump into WinDbg, and
> have done a bugcheck analysis, the results of which follows. Although I
can
> attempt to draw some conclusions from this, would anyone please be able to
> provide a more experienced perspective on the data? I do not wish to draw
> incorrect conclusions. Any help whatsoever in resolving this problem would
> be greatly appreciated, as it is an incredible pain to deal with.
>
> ----------

Thank-you both for your posts, the help is very much appreciated!

I can't say I have run the Windows Memory Diagnostics for a day or two, but
I have run it for a couple of hours, with no problems rising. However, I
doubt the problem is due to faulty memory, as I previously ran Windows XP
Professional (x86) on the machine with absolutely no problems.

The device changes mention does not mean anything to me, no device changes
occur at the time of the BSOD's. As for Winamp, I find this surprising, as I
often seem to be using a program called "WinImage" (floppy disk image
program) at the times of the BSOD's (apologies, I probably should have
mentioned this in the original post). I don't believe WinImage is at fault,
but is perhaps being something of a "catalyst" that sets off the required
events for the BSOD to occur. Also, it's probably worth noting I am running
the native x64 version of WinImage.

I am the only user of this system, and it is situated in a private LAN
behind a number of routers and a solid firewall. I am positive the system is
secure and has not been comprised in anyway.

As for anti-virus, I am running McAfee Enterprise VirusScan v8.0i w/ Patch
14 on this machine. I'm not sure where these references to anti-virus in the
report are? Could you explain this a bit further, could there be any link?

I have previously checked Event Viewer, and there are no error or warning
events logged at the time of or before the BSOD's occur, with the exception
of the actual system failure event.

Martin: That site would not open for me, perhaps it is experiencing
downtime? I'll try again in the morning.

Thanks again,

Samuel Denbigh Leslie

PS: I'll set the machine to run Windows Memory Diagnostic before heading off
tonight, leaving it to run all night, will inform of any interesting results
in the morning.

"Samuel Denbigh Leslie" <> wrote in message
news:...
> Hello,
>
> I am currently running "Microsoft Windows Server 2003 R2 - Enterprise x64
> Edition", to quote its full title, and am experiencing system crash's
> (BSOD's) periodically. These system crash's typically occur at some point
> after which the system has been running for at least 24hrs. The system has
> been installed very recently (less than a month ago), and is running all
> the latest drivers for the hardware, as well as being completely
> up-to-date with the latest software patches. To date, I have attempted to
> minimize the problem by ensuring I reboot at least once a day, but this
> isn't exactly an ideal solution.
>
> I have selected the option to have a "Kernel Memory Dump" when a system
> crash occurs, and have installed Microsoft Debugging Tools for Windows
> 64-bit. I am completely inexperienced in the area of debugging crash
> dumps, and am not a programmer, but I have loaded the crash dump into
> WinDbg, and have done a bugcheck analysis, the results of which follows.
> Although I can attempt to draw some conclusions from this, would anyone
> please be able to provide a more experienced perspective on the data? I do
> not wish to draw incorrect conclusions. Any help whatsoever in resolving
> this problem would be greatly appreciated, as it is an incredible pain to
> deal with.
>
> ----------
>
> Microsoft (R) Windows Debugger Version 6.6.0007.5
> Copyright (c) Microsoft Corporation. All rights reserved.
>
>
> Loading Dump File [C:\WINDOWS\MEMORY.DMP]
> Kernel Summary Dump File: Only kernel address space is available
>
> Symbol search path is: SRV*C:\Program Files\Debugging Tools for Windows
> 64-bit\symbols*http://msdl.microsoft.com/download/symbols
>
> Executable search path is:
> Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free
> x64
> Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
> Built by: 3790.srv03_sp1_gdr.060315-1609
> Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d60c0
> Debug session time: Sat Nov 18 00:10:07.974 2006 (GMT+11)
> System Uptime: 1 days 1:42:01.728
> Loading Kernel Symbols
> .................................................. .................................................. .................................................. ..............
> Loading User Symbols
> PEB is paged out (Peb.Ldr = 00000000`7efdf018). Type ".hh dbgerr001" for
> details
> Loading unloaded module list
> ......
> ************************************************** *****************************
> * *
> * Bugcheck Analysis *
> * *
> ************************************************** *****************************
>
> Use !analyze -v to get detailed debugging information.
>
> BugCheck 50, {fffffa8007fda000, 0, fffff97fff177fd4, 0}
>
> windbg> .hh dbgerr001
> Probably caused by : win32k.sys ( win32k!NtUserfnINDEVICECHANGE+1bb )
>
> Followup: MachineOwner
> ---------
>
> 0: kd> !analyze -v
> ************************************************** *****************************
> * *
> * Bugcheck Analysis *
> * *
> ************************************************** *****************************
>
> PAGE_FAULT_IN_NONPAGED_AREA (50)
> Invalid system memory was referenced. This cannot be protected by
> try-except,
> it must be protected by a Probe. Typically the address is just plain bad
> or it
> is pointing at freed memory.
> Arguments:
> Arg1: fffffa8007fda000, memory referenced.
> Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
> Arg3: fffff97fff177fd4, If non-zero, the instruction address which
> referenced the bad memory
> address.
> Arg4: 0000000000000000, (reserved)
>
> Debugging Details:
> ------------------
>
>
> READ_ADDRESS: fffffa8007fda000 Paged pool
>
> FAULTING_IP:
> win32k!NtUserfnINDEVICECHANGE+1bb
> fffff97f`ff177fd4 8b4630 mov eax,dword ptr [rsi+30h]
>
> MM_INTERNAL_CODE: 0
>
> IMAGE_NAME: win32k.sys
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 43446f9e
>
> MODULE_NAME: win32k
>
> FAULTING_MODULE: fffff97fff000000 win32k
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0x50
>
> PROCESS_NAME: winamp.exe
>
> CURRENT_IRQL: 1
>
> TRAP_FRAME: fffffadfc4123bb0 -- (.trap fffffadfc4123bb0)
> NOTE: The trap frame does not contain all registers.
> Some register values may be zeroed.
> rax=0000000000000000 rbx=0000000000008006 rcx=fffffa8007fd9fd0
> rdx=0000000000000016 rsi=0000000076647355 rdi=fffff97fff000000
> rip=fffff97fff177fd4 rsp=fffffadfc4123d40 rbp=0000000006efead0
> r8=0000000000000000 r9=fffffa8007fd9fd0 r10=0000032000000000
> r11=fffffa8007fd9fd0 r12=0000000000000000 r13=0000000000000000
> r14=0000000000000000 r15=0000000000000000
> iopl=0 nv up ei pl zr na po nc
> win32k!NtUserfnINDEVICECHANGE+0x1bb:
> fffff97f`ff177fd4 8b4630 mov eax,dword ptr [rsi+30h]
> ds:ac1a:7385=????????
> Resetting default scope
>
> LAST_CONTROL_TRANSFER: from fffff800010b25d8 to fffff8000104e890
>
> STACK_TEXT:
> fffffadf`c4123ad8 fffff800`010b25d8 : 00000000`00000050 fffffa80`07fda000
> 00000000`00000000 fffffadf`c4123bb0 : nt!KeBugCheckEx
> fffffadf`c4123ae0 fffff800`0104d499 : 00000000`00000000 00000000`00000000
> 00000000`00000000 00000000`00000000 : nt!MmAccessFault+0xa22
> fffffadf`c4123bb0 fffff97f`ff177fd4 : 00000000`00000000 00000000`06efead0
> 00000000`00000000 00000000`0000002c : nt!KiPageFault+0x119
> fffffadf`c4123d40 fffff97f`ff0a6701 : fffff97f`f7c40340 00000000`00010458
> 00000000`0000002c fffffa80`07fd9fd0 : win32k!NtUserfnINDEVICECHANGE+0x1bb
> fffffadf`c4123de0 fffff800`0104e37d : 00000000`00000016 00000000`00000016
> 00000000`00000000 00000001`00000000 : win32k!NtUserMessageCall+0x142
> fffffadf`c4123e80 00000000`78bc5dda : 00000000`00000000 00000000`00000000
> 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
> 00000000`06efd6d8 fffff800`010493a0 : 00000000`00000000 00000000`00000000
> 00000000`00000000 00000000`00000000 : 0x78bc5dda
> fffffadf`c4124280 00000000`7ef95000 : fffff97f`ff08275c 00000000`00001388
> 00000000`00010458 00000000`00000036 : nt!KiCallUserMode
> fffffadf`c4124288 fffff97f`ff08275c : 00000000`00001388 00000000`00010458
> 00000000`00000036 fffffadf`c4124e00 : 0x7ef95000
> fffffadf`c4124290 00000000`00000000 : 00000000`00000000 00000000`00000000
> 00000000`00000000 00000000`00000000 : win32k!NtUserGetClassName+0xfe
>
>
> STACK_COMMAND: kb
>
> FOLLOWUP_IP:
> win32k!NtUserfnINDEVICECHANGE+1bb
> fffff97f`ff177fd4 8b4630 mov eax,dword ptr [rsi+30h]
>
> SYMBOL_STACK_INDEX: 3
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: win32k!NtUserfnINDEVICECHANGE+1bb
>
> FAILURE_BUCKET_ID: X64_0x50_win32k!NtUserfnINDEVICECHANGE+1bb
>
> BUCKET_ID: X64_0x50_win32k!NtUserfnINDEVICECHANGE+1bb
>
> Followup: MachineOwner
> ---------
>
> 0: kd> lmvm win32k
> start end module name
> fffff97f`ff000000 fffff97f`ff45d000 win32k (pdb symbols) C:\Program
> Files\Debugging Tools for Windows
> 64-bit\symbols\win32k.pdb\A1D512A10F464D808570C94E694 17A4D2\win32k.pdb
> Loaded symbol image file: win32k.sys
> Image path: \SystemRoot\System32\win32k.sys
> Image name: win32k.sys
> Timestamp: Thu Oct 06 10:28:14 2005 (43446F9E)
> CheckSum: 00456770
> ImageSize: 0045D000
> Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
> ----------
>
> Thanks in advance,
>
> Samuel Denbigh Leslie
>

Sam,

I was hoping there would've been something in EventViewer, this would
possibly have directed us to something specific in the KB. Best thing for
you to do is probably to go there yourself and type in any stop codes or
error messages, the only trouble is to digest the mass of information that
results.

The same goes for the standard Internet searches, lots and lots of seemingly
unrelated information pops out and none of it may be important at all - on
the other hand, reading it can often trigger your own mind to follow a
direction of thought that turns out helpfull.

Let me say that Norton and McAffe does not have a great following in this
group, [one] of the 'usual suspects' here, swear's by Symantec Enterprise
(or Server Edition) or whatever it was called. Quite a large group hangs on
to Avast, NOD32, or AVG.

Personally, I go with Avast, what I like is that it puts no visible load on
the machine - it's as if it wasn't there at all, and it seems to do it's job
allright. It updates several times in a day, so I do not feel abandoned
although this is the 'free' Home Edition. You can pay for it too - I am
considering doing that. You'll hear pretty much the same statements from the
rest. If you like what you're having that is fine, obviously. But you could
consider disabling it for a period and install one of the free versions as a
test? Run it concurrently with Windows Defender and you'll be as well
protected as one could reasonably wish for, I think.

These sites I mentioned were random finds, I'm affraid, probably refers to
forum discusions, 95% of which have no relation - a better thing to focus on
could be that the code refers to "requested data not found in memory".

I suggest looking in at the KB:

http://support.microsoft.com/search/


Tony. . .

I have exactly the same problem and hardware and software. I think it is related to the NVidia drivers and the soundcard but I am not sure. I see that you were running winamp at the time. My computer blows up when I am running windows media player..

Let me know if your resolved the problem.

Alan

EggHeadCafe.com - .NET Developer Portal of Choice
http://www.eggheadcafe.com