Jump to content

Recommended Posts

Posted

Hi guys, 

over couple of months i get bsod on windows server 2019 that according minidump log are caused by eset system files epfw.sys em008k_64.dll i found similiar report from another user https://forum.eset.com/topic/21828-em008k_64dll-bsod-0x1d-windows-10/ with answer from that it will be fixed with the next update.  Can you help me with this problem? 

Thanks

Minidump log


Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [\\192.168.0.58\riso\bsod\svitavy felberova\040721-4843-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*
Executable search path is: 
Windows 10 Kernel Version 17763 MP (12 procs) Free x64
Product: Server, suite: TerminalServer <20000>
Machine Name:
Kernel base = 0xfffff800`632b8000 PsLoadedModuleList = 0xfffff800`636ce6b0
Debug session time: Wed Apr  7 01:08:01.178 2021 (UTC + 2:00)
System Uptime: 5 days 10:57:28.857
Loading Kernel Symbols
..

Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.

.............................................................
................................................................
................................................
Loading User Symbols
Loading unloaded module list
..................................................
For analysis of this file, run !analyze -v
10: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
Arg2: ffffc901084e2670
Arg3: fffffd059dbd5f50
Arg4: fffff8006347cb90

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for epfw.sys
*** WARNING: Unable to verify timestamp for em008k_64.dll

KEY_VALUES_STRING: 1

    Key  : Dump.Attributes.InsufficientDumpfileSize
    Value: 1


PROCESSES_ANALYSIS: 1

SERVICE_ANALYSIS: 1

STACKHASH_ANALYSIS: 1

TIMELINE_ANALYSIS: 1


DUMP_CLASS: 1

DUMP_QUALIFIER: 400

BUILD_VERSION_STRING:  10.0.17763.1637 (WinBuild.160101.0800)

SYSTEM_MANUFACTURER:  Micro-Star International Co., Ltd

SYSTEM_PRODUCT_NAME:  MS-7C02

SYSTEM_SKU:  To be filled by O.E.M.

SYSTEM_VERSION:  1.0

BIOS_VENDOR:  American Megatrends Inc.

BIOS_VERSION:  3.70

BIOS_DATE:  06/09/2020

BASEBOARD_MANUFACTURER:  Micro-Star International Co., Ltd

BASEBOARD_PRODUCT:  B450 TOMAHAWK MAX (MS-7C02)

BASEBOARD_VERSION:  1.0

DUMP_FILE_ATTRIBUTES: 0xc
  Insufficient Dumpfile Size
  Kernel Generated Triage Dump

DUMP_TYPE:  2

BUGCHECK_P1: 8

BUGCHECK_P2: ffffc901084e2670

BUGCHECK_P3: fffffd059dbd5f50

BUGCHECK_P4: fffff8006347cb90

BUGCHECK_STR:  0x7f_8

STACK_OVERFLOW: Stack Limit: fffffd059dbd6000. Use (kF) and (!stackusage) to investigate stack usage.

CPU_COUNT: c

CPU_MHZ: e10

CPU_VENDOR:  AuthenticAMD

CPU_FAMILY: 17

CPU_MODEL: 71

CPU_STEPPING: 0

BLACKBOXBSD: 1 (!blackboxbsd)


CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT_SERVER

PROCESS_NAME:  WmiPrvSE.exe

CURRENT_IRQL:  2

ANALYSIS_SESSION_HOST:  SINO_OFFICE

ANALYSIS_SESSION_TIME:  04-07-2021 09:49:43.0697

ANALYSIS_VERSION: 10.0.18362.1 amd64fre

TRAP_FRAME:  fffffd059dbd5f50 -- (.trap 0xfffffd059dbd5f50)
Unable to read trap frame at fffffd05`9dbd5f50

LAST_CONTROL_TRANSFER:  from fffff80063477ad6 to fffff8006347cb90

STACK_TEXT:  
fffffd05`9dbd5f50 fffff800`63477ad6 : 00000000`00000000 00000000`0010000b fffff800`632d3ffa fffffd05`9dbd7540 : nt!KiPageFault+0x10
fffffd05`9dbd60e8 fffff800`632d3ffa : fffffd05`9dbd7540 00000000`00000000 00000000`00000002 00000000`000004d0 : nt!_chkstk+0x36
fffffd05`9dbd6100 fffff800`634495d5 : fffff800`6364bc90 fffffd05`00000001 fffffd05`9dbd7540 fffffd05`9dbdc000 : nt!RtlUnwindEx+0xaa
fffffd05`9dbd6330 fffff800`63477ebf : fffffd05`9dbd7540 fffffd05`9dbd6910 fffffd05`9dbd69f0 00000000`0010001f : nt!_C_specific_handler+0xe5
fffffd05`9dbd63a0 fffff800`632d7390 : fffffd05`9dbd69f0 00000000`00000000 fffffd05`9dbd6910 fffffd05`9dbd7308 : nt!RtlpExecuteHandlerForException+0xf
fffffd05`9dbd63d0 fffff800`633799c4 : fffffd05`9dbd7308 fffffd05`9dbd7050 fffffd05`9dbd7308 fffff800`636ef650 : nt!RtlDispatchException+0x430
fffffd05`9dbd6b20 fffff800`63480cc2 : ffff5205`aaa5779f 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x144
fffffd05`9dbd71d0 fffff800`6347cfae : 00000000`00000003 fffffd05`9dbd7451 ffff9980`0992a000 00000000`00000002 : nt!KiExceptionDispatch+0xc2
fffffd05`9dbd73b0 fffff800`63319ab6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000200 : nt!KiPageFault+0x42e
fffffd05`9dbd7540 fffff800`6333b0b6 : fffff800`636ef650 ffff9d70`45a00000 00000000`00000002 ffff9d4e`b822d000 : nt!MiFastLockLeafPageTable+0x136
fffffd05`9dbd75c0 fffff800`6333b977 : fffffd05`9dbd77e0 00000000`00000002 fffffd05`20001000 00000000`20001000 : nt!MiCommitPoolMemory+0x416
fffffd05`9dbd7710 fffff800`6336db74 : 00000000`00200000 fffffd05`9dbd77b0 00000000`20001001 00000000`00000000 : nt!MmAllocatePoolMemory+0xf3
fffffd05`9dbd7770 fffff800`6336d9ad : ffffe08b`40000000 fffffd05`9dbd78d8 00000000`00200000 00000000`00002000 : nt!RtlpHpEnvAllocVA+0xc4
fffffd05`9dbd77e0 fffff800`6336ce55 : ffffe08a`14010100 00000000`00000000 ffffe089`d4960000 00000000`00000000 : nt!RtlpHpAllocVA+0xf5
fffffd05`9dbd78a0 fffff800`6336b6b2 : 00000000`00200002 ffffe08b`40000000 ffffe08b`40000000 fffff800`6336d617 : nt!RtlpHpSegMgrCommit+0x1c1
fffffd05`9dbd7990 fffff800`6336b004 : ffffe08a`14010100 00000000`00000001 ffffe08a`14010100 fffff800`00200000 : nt!RtlpHpSegMgrAllocate+0x5e
fffffd05`9dbd79f0 fffff800`6336be49 : ffffffff`ffffffff ffffe08a`14010100 00000000`00000001 00000000`00000000 : nt!RtlpHpSegSegmentAllocate+0x2c
fffffd05`9dbd7a50 fffff800`6336bbca : 00000000`00000000 00000000`00000041 00000000`00000041 00000000`08000004 : nt!RtlpHpSegPageRangeAllocate+0x189
fffffd05`9dbd7aa0 fffff800`6336bb05 : fffffd05`9dbd7c20 00000000`00040000 00000000`00040000 00000000`00009e70 : nt!RtlpHpSegAlloc+0x62
fffffd05`9dbd7b00 fffff800`6336babc : ffffe08a`14010340 00000000`00000000 00000000`00040000 ffffe08a`14010340 : nt!RtlpHpSegSubAllocate+0x3d
fffffd05`9dbd7b50 fffff800`63369d43 : ffffe08a`14010340 00000000`00000080 ffffe08b`3fcc5000 00000000`00009e70 : nt!RtlpHpSegLfhAllocate+0x1c
fffffd05`9dbd7b90 fffff800`632f2737 : 00000000`000003b9 ffffffff`00000013 ffffe08b`00000110 fffffd05`00000013 : nt!RtlpHpLfhSubsegmentCreate+0x15f
fffffd05`9dbd7c20 fffff800`632f171b : ffffe08a`14010340 ffffe08a`140120c0 ffffe08a`14010000 00000000`00000110 : nt!RtlpHpLfhSlotAllocate+0xc77
fffffd05`9dbd7d00 fffff800`635fe04d : fffffd05`00000200 00000000`000000f8 00000000`636f6c4d 00000000`000000f0 : nt!ExAllocateHeapPool+0x98b
fffffd05`9dbd7df0 fffff800`6e20669b : 00000000`000000f0 fffffd05`9dbd8018 fffffd05`9dbd8018 00000000`00000010 : nt!ExAllocatePoolWithTag+0x3d
fffffd05`9dbd7ed0 00000000`000000f0 : fffffd05`9dbd8018 fffffd05`9dbd8018 00000000`00000010 fffffd05`9dbd8048 : epfw+0x669b
fffffd05`9dbd7ed8 fffffd05`9dbd8018 : fffffd05`9dbd8018 00000000`00000010 fffffd05`9dbd8048 fffff800`6e204d58 : 0xf0
fffffd05`9dbd7ee0 fffffd05`9dbd8018 : 00000000`00000010 fffffd05`9dbd8048 fffff800`6e204d58 00000000`00000070 : 0xfffffd05`9dbd8018
fffffd05`9dbd7ee8 00000000`00000010 : fffffd05`9dbd8048 fffff800`6e204d58 00000000`00000070 fffffd05`9dbd8048 : 0xfffffd05`9dbd8018
fffffd05`9dbd7ef0 fffffd05`9dbd8048 : fffff800`6e204d58 00000000`00000070 fffffd05`9dbd8048 fffffd05`9dbd8da0 : 0x10
fffffd05`9dbd7ef8 fffff800`6e204d58 : 00000000`00000070 fffffd05`9dbd8048 fffffd05`9dbd8da0 ffffe08a`19140e18 : 0xfffffd05`9dbd8048
fffffd05`9dbd7f00 00000000`00000070 : fffffd05`9dbd8048 fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 : epfw+0x4d58
fffffd05`9dbd7f08 fffffd05`9dbd8048 : fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 fffffd05`9dbd7fb8 : 0x70
fffffd05`9dbd7f10 fffffd05`9dbd8da0 : ffffe08a`19140e18 fffffd05`9dbd8490 fffffd05`9dbd7fb8 fffffd05`9dbd8110 : 0xfffffd05`9dbd8048
fffffd05`9dbd7f18 ffffe08a`19140e18 : fffffd05`9dbd8490 fffffd05`9dbd7fb8 fffffd05`9dbd8110 00000000`00001b58 : 0xfffffd05`9dbd8da0
fffffd05`9dbd7f20 fffffd05`9dbd8490 : fffffd05`9dbd7fb8 fffffd05`9dbd8110 00000000`00001b58 fffffd05`9dbd80b0 : 0xffffe08a`19140e18
fffffd05`9dbd7f28 fffffd05`9dbd7fb8 : fffffd05`9dbd8110 00000000`00001b58 fffffd05`9dbd80b0 fffff800`6e22352e : 0xfffffd05`9dbd8490
fffffd05`9dbd7f30 fffffd05`9dbd8110 : 00000000`00001b58 fffffd05`9dbd80b0 fffff800`6e22352e fffffd05`00000064 : 0xfffffd05`9dbd7fb8
fffffd05`9dbd7f38 00000000`00001b58 : fffffd05`9dbd80b0 fffff800`6e22352e fffffd05`00000064 fffffd05`9dbd7fb8 : 0xfffffd05`9dbd8110
fffffd05`9dbd7f40 fffffd05`9dbd80b0 : fffff800`6e22352e fffffd05`00000064 fffffd05`9dbd7fb8 fffffd05`9dbd7fe8 : 0x1b58
fffffd05`9dbd7f48 fffff800`6e22352e : fffffd05`00000064 fffffd05`9dbd7fb8 fffffd05`9dbd7fe8 00000000`00000000 : 0xfffffd05`9dbd80b0
fffffd05`9dbd7f50 fffffd05`00000064 : fffffd05`9dbd7fb8 fffffd05`9dbd7fe8 00000000`00000000 fffffd05`9dbd8da0 : em008k_64+0x352e
fffffd05`9dbd7f58 fffffd05`9dbd7fb8 : fffffd05`9dbd7fe8 00000000`00000000 fffffd05`9dbd8da0 ffffe08a`19140e18 : 0xfffffd05`00000064
fffffd05`9dbd7f60 fffffd05`9dbd7fe8 : 00000000`00000000 fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 : 0xfffffd05`9dbd7fb8
fffffd05`9dbd7f68 00000000`00000000 : fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 fffffd05`9dbd8018 : 0xfffffd05`9dbd7fe8


THREAD_SHA1_HASH_MOD_FUNC:  f82c0cd745a90bb60f4da08e2233f236f78a8464

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  0cde31454a836fb2c3f9def831d3860edd5f3202

THREAD_SHA1_HASH_MOD:  5d12138571ba6e10428e55ad5ed65f342c70f5fb

FOLLOWUP_IP: 
nt!KiPageFault+10
fffff800`6347cb90 c645ab01        mov     byte ptr [rbp-55h],1

FAULT_INSTR_CODE:  1ab45c6

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!KiPageFault+10

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: nt

IMAGE_NAME:  ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  756e4a4f

IMAGE_VERSION:  10.0.17763.1637

STACK_COMMAND:  .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET:  10

FAILURE_BUCKET_ID:  0x7f_8_nt!KiPageFault

BUCKET_ID:  0x7f_8_nt!KiPageFault

PRIMARY_PROBLEM_CLASS:  0x7f_8_nt!KiPageFault

TARGET_TIME:  2021-04-06T23:08:01.000Z

OSBUILD:  17763

OSSERVICEPACK:  1637

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK:  131088

PRODUCT_TYPE:  3

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 Server TerminalServer

OS_LOCALE:  

USER_LCID:  0

OSBUILD_TIMESTAMP:  2032-06-06 21:17:35

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.17763.1637

ANALYSIS_SESSION_ELAPSED_TIME:  10c1

ANALYSIS_SOURCE:  KM

FAILURE_ID_HASH_STRING:  km:0x7f_8_nt!kipagefault

FAILURE_ID_HASH:  {2f8e6272-1536-8847-15b3-d73bdf95dfe4}

Followup:     MachineOwner
---------

Eset File Security 7.3.12002.0

Windows server 2019 Latest updates

  • Administrators
Posted

Please provide:
- the minidump
- a complete memory dump from a crash (configure Windows to generate complete memory dumps first)
- logs collected with ESET Log Collector.

Posted

ok got it configured memory dump only generate after bsod right?

  • ESET Moderators
Posted

@RichardT1

2 hours ago, RichardT1 said:

ok got it configured memory dump only generate after bsod right?

Yes the memory will be dumped on the crash event.

Please note that a reboot is required to apply the changes, so if you just configured it without a reboot it will save only a minidump and complete dump will be saved on next BSOD...

Peter

  • 2 weeks later...
  • ESET Moderators
Posted

Hello @RichardT1,

thank you for the provided memory dump, I quickly checked it and opened a ticket for our dev team (P_EFSW-1712) to have it properly investigated.

My colleague hid your post as the memory dums contain a sensitive data so I recommend to share them with us by means of a private message.

 

We will keep you posted,

Peter

  • ESET Moderators
Posted

Hello @RichardT1,

1 minute ago, RichardT1 said:

Hi guys,

any updates?

the development team analyzed the issue, the root cause seems to be a memory leak and the following stack overflow is only indirectly connected to it.

The team has a hypothesis what might be causing it, but it will take some time to verify it...

If I may ask, have you experienced a BSOD again?

Peter

Posted

Okay, no since last time i didnt get any bsod crash.

  • ESET Moderators
Posted

Hello @RichardT1,

3 minutes ago, RichardT1 said:

Okay, no since last time i didnt get any bsod crash.

glad to hear that, I hope it will stay that way.

In case you encounter BOSD again, please let us know and ideally provide me with a crash dump via a private message to check.

btw. do you have some custom scripts or applications using SMB shares in intensively?

Peter

  • ESET Moderators
Posted
33 minutes ago, RichardT1 said:

No, there arent any scripts with smb shares, Its used as terminal server for 15 zero clients connecting through rdp.

Thank you for the info provided, I will update the ticket with it.

Peter

  • 2 months later...
  • ESET Moderators
Posted

Hello Richard,

the root cause is fixed in Network protection module 1690, which is currently available on pre-release update channel.

Thank you once again for reporting it and providing data needed to analyze it.

Peter

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...