RichardT1 2 Posted April 7, 2021

Hi guys, over a couple of months I have been getting BSODs on Windows Server 2019 that, according to the minidump log, are caused by the ESET system files epfw.sys and em008k_64.dll. I found a similar report from another user, https://forum.eset.com/topic/21828-em008k_64dll-bsod-0x1d-windows-10/, with an answer from that it will be fixed with the next update. Can you help me with this problem? Thanks

Minidump log

    Microsoft (R) Windows Debugger Version 10.0.18362.1 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.

    Loading Dump File [\\192.168.0.58\riso\bsod\svitavy felberova\040721-4843-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available

    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 17763 MP (12 procs) Free x64
    Product: Server, suite: TerminalServer <20000>
    Machine Name:
    Kernel base = 0xfffff800`632b8000 PsLoadedModuleList = 0xfffff800`636ce6b0
    Debug session time: Wed Apr 7 01:08:01.178 2021 (UTC + 2:00)
    System Uptime: 5 days 10:57:28.857
    Loading Kernel Symbols
    ..
    Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
    Run !sym noisy before .reload to track down problems loading symbols.
    .............................................................
    ................................................................
    ................................................
    Loading User Symbols
    Loading unloaded module list
    ..................................................
    For analysis of this file, run !analyze -v
    10: kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
    This means a trap occurred in kernel mode, and it's a trap of a kind
    that the kernel isn't allowed to have/catch (bound trap) or that
    is always instant death (double fault). The first number in the
    bugcheck params is the number of the trap (8 = double fault, etc)
    Consult an Intel x86 family manual to learn more about what these
    traps are. Here is a *portion* of those codes:
    If kv shows a taskGate
        use .tss on the part before the colon, then kv.
    Else if kv shows a trapframe
        use .trap on that value
    Else
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
    Endif
    kb will then show the corrected stack.
    Arguments:
    Arg1: 0000000000000008, EXCEPTION_DOUBLE_FAULT
    Arg2: ffffc901084e2670
    Arg3: fffffd059dbd5f50
    Arg4: fffff8006347cb90

    Debugging Details:
    ------------------

    *** WARNING: Unable to verify timestamp for epfw.sys
    *** WARNING: Unable to verify timestamp for em008k_64.dll

    KEY_VALUES_STRING: 1

        Key : Dump.Attributes.InsufficientDumpfileSize
        Value: 1

    PROCESSES_ANALYSIS: 1
    SERVICE_ANALYSIS: 1
    STACKHASH_ANALYSIS: 1
    TIMELINE_ANALYSIS: 1
    DUMP_CLASS: 1
    DUMP_QUALIFIER: 400
    BUILD_VERSION_STRING: 10.0.17763.1637 (WinBuild.160101.0800)
    SYSTEM_MANUFACTURER: Micro-Star International Co., Ltd
    SYSTEM_PRODUCT_NAME: MS-7C02
    SYSTEM_SKU: To be filled by O.E.M.
    SYSTEM_VERSION: 1.0
    BIOS_VENDOR: American Megatrends Inc.
    BIOS_VERSION: 3.70
    BIOS_DATE: 06/09/2020
    BASEBOARD_MANUFACTURER: Micro-Star International Co., Ltd
    BASEBOARD_PRODUCT: B450 TOMAHAWK MAX (MS-7C02)
    BASEBOARD_VERSION: 1.0
    DUMP_FILE_ATTRIBUTES: 0xc
        Insufficient Dumpfile Size
        Kernel Generated Triage Dump
    DUMP_TYPE: 2
    BUGCHECK_P1: 8
    BUGCHECK_P2: ffffc901084e2670
    BUGCHECK_P3: fffffd059dbd5f50
    BUGCHECK_P4: fffff8006347cb90
    BUGCHECK_STR: 0x7f_8
    STACK_OVERFLOW: Stack Limit: fffffd059dbd6000. Use (kF) and (!stackusage) to investigate stack usage.
    CPU_COUNT: c
    CPU_MHZ: e10
    CPU_VENDOR: AuthenticAMD
    CPU_FAMILY: 17
    CPU_MODEL: 71
    CPU_STEPPING: 0
    BLACKBOXBSD: 1 (!blackboxbsd)
    CUSTOMER_CRASH_COUNT: 1
    DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER
    PROCESS_NAME: WmiPrvSE.exe
    CURRENT_IRQL: 2
    ANALYSIS_SESSION_HOST: SINO_OFFICE
    ANALYSIS_SESSION_TIME: 04-07-2021 09:49:43.0697
    ANALYSIS_VERSION: 10.0.18362.1 amd64fre
    TRAP_FRAME: fffffd059dbd5f50 -- (.trap 0xfffffd059dbd5f50)
    Unable to read trap frame at fffffd05`9dbd5f50
    LAST_CONTROL_TRANSFER: from fffff80063477ad6 to fffff8006347cb90
    STACK_TEXT:
    fffffd05`9dbd5f50 fffff800`63477ad6 : 00000000`00000000 00000000`0010000b fffff800`632d3ffa fffffd05`9dbd7540 : nt!KiPageFault+0x10
    fffffd05`9dbd60e8 fffff800`632d3ffa : fffffd05`9dbd7540 00000000`00000000 00000000`00000002 00000000`000004d0 : nt!_chkstk+0x36
    fffffd05`9dbd6100 fffff800`634495d5 : fffff800`6364bc90 fffffd05`00000001 fffffd05`9dbd7540 fffffd05`9dbdc000 : nt!RtlUnwindEx+0xaa
    fffffd05`9dbd6330 fffff800`63477ebf : fffffd05`9dbd7540 fffffd05`9dbd6910 fffffd05`9dbd69f0 00000000`0010001f : nt!_C_specific_handler+0xe5
    fffffd05`9dbd63a0 fffff800`632d7390 : fffffd05`9dbd69f0 00000000`00000000 fffffd05`9dbd6910 fffffd05`9dbd7308 : nt!RtlpExecuteHandlerForException+0xf
    fffffd05`9dbd63d0 fffff800`633799c4 : fffffd05`9dbd7308 fffffd05`9dbd7050 fffffd05`9dbd7308 fffff800`636ef650 : nt!RtlDispatchException+0x430
    fffffd05`9dbd6b20 fffff800`63480cc2 : ffff5205`aaa5779f 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDispatchException+0x144
    fffffd05`9dbd71d0 fffff800`6347cfae : 00000000`00000003 fffffd05`9dbd7451 ffff9980`0992a000 00000000`00000002 : nt!KiExceptionDispatch+0xc2
    fffffd05`9dbd73b0 fffff800`63319ab6 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000200 : nt!KiPageFault+0x42e
    fffffd05`9dbd7540 fffff800`6333b0b6 : fffff800`636ef650 ffff9d70`45a00000 00000000`00000002 ffff9d4e`b822d000 : nt!MiFastLockLeafPageTable+0x136
    fffffd05`9dbd75c0 fffff800`6333b977 : fffffd05`9dbd77e0 00000000`00000002 fffffd05`20001000 00000000`20001000 : nt!MiCommitPoolMemory+0x416
    fffffd05`9dbd7710 fffff800`6336db74 : 00000000`00200000 fffffd05`9dbd77b0 00000000`20001001 00000000`00000000 : nt!MmAllocatePoolMemory+0xf3
    fffffd05`9dbd7770 fffff800`6336d9ad : ffffe08b`40000000 fffffd05`9dbd78d8 00000000`00200000 00000000`00002000 : nt!RtlpHpEnvAllocVA+0xc4
    fffffd05`9dbd77e0 fffff800`6336ce55 : ffffe08a`14010100 00000000`00000000 ffffe089`d4960000 00000000`00000000 : nt!RtlpHpAllocVA+0xf5
    fffffd05`9dbd78a0 fffff800`6336b6b2 : 00000000`00200002 ffffe08b`40000000 ffffe08b`40000000 fffff800`6336d617 : nt!RtlpHpSegMgrCommit+0x1c1
    fffffd05`9dbd7990 fffff800`6336b004 : ffffe08a`14010100 00000000`00000001 ffffe08a`14010100 fffff800`00200000 : nt!RtlpHpSegMgrAllocate+0x5e
    fffffd05`9dbd79f0 fffff800`6336be49 : ffffffff`ffffffff ffffe08a`14010100 00000000`00000001 00000000`00000000 : nt!RtlpHpSegSegmentAllocate+0x2c
    fffffd05`9dbd7a50 fffff800`6336bbca : 00000000`00000000 00000000`00000041 00000000`00000041 00000000`08000004 : nt!RtlpHpSegPageRangeAllocate+0x189
    fffffd05`9dbd7aa0 fffff800`6336bb05 : fffffd05`9dbd7c20 00000000`00040000 00000000`00040000 00000000`00009e70 : nt!RtlpHpSegAlloc+0x62
    fffffd05`9dbd7b00 fffff800`6336babc : ffffe08a`14010340 00000000`00000000 00000000`00040000 ffffe08a`14010340 : nt!RtlpHpSegSubAllocate+0x3d
    fffffd05`9dbd7b50 fffff800`63369d43 : ffffe08a`14010340 00000000`00000080 ffffe08b`3fcc5000 00000000`00009e70 : nt!RtlpHpSegLfhAllocate+0x1c
    fffffd05`9dbd7b90 fffff800`632f2737 : 00000000`000003b9 ffffffff`00000013 ffffe08b`00000110 fffffd05`00000013 : nt!RtlpHpLfhSubsegmentCreate+0x15f
    fffffd05`9dbd7c20 fffff800`632f171b : ffffe08a`14010340 ffffe08a`140120c0 ffffe08a`14010000 00000000`00000110 : nt!RtlpHpLfhSlotAllocate+0xc77
    fffffd05`9dbd7d00 fffff800`635fe04d : fffffd05`00000200 00000000`000000f8 00000000`636f6c4d 00000000`000000f0 : nt!ExAllocateHeapPool+0x98b
    fffffd05`9dbd7df0 fffff800`6e20669b : 00000000`000000f0 fffffd05`9dbd8018 fffffd05`9dbd8018 00000000`00000010 : nt!ExAllocatePoolWithTag+0x3d
    fffffd05`9dbd7ed0 00000000`000000f0 : fffffd05`9dbd8018 fffffd05`9dbd8018 00000000`00000010 fffffd05`9dbd8048 : epfw+0x669b
    fffffd05`9dbd7ed8 fffffd05`9dbd8018 : fffffd05`9dbd8018 00000000`00000010 fffffd05`9dbd8048 fffff800`6e204d58 : 0xf0
    fffffd05`9dbd7ee0 fffffd05`9dbd8018 : 00000000`00000010 fffffd05`9dbd8048 fffff800`6e204d58 00000000`00000070 : 0xfffffd05`9dbd8018
    fffffd05`9dbd7ee8 00000000`00000010 : fffffd05`9dbd8048 fffff800`6e204d58 00000000`00000070 fffffd05`9dbd8048 : 0xfffffd05`9dbd8018
    fffffd05`9dbd7ef0 fffffd05`9dbd8048 : fffff800`6e204d58 00000000`00000070 fffffd05`9dbd8048 fffffd05`9dbd8da0 : 0x10
    fffffd05`9dbd7ef8 fffff800`6e204d58 : 00000000`00000070 fffffd05`9dbd8048 fffffd05`9dbd8da0 ffffe08a`19140e18 : 0xfffffd05`9dbd8048
    fffffd05`9dbd7f00 00000000`00000070 : fffffd05`9dbd8048 fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 : epfw+0x4d58
    fffffd05`9dbd7f08 fffffd05`9dbd8048 : fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 fffffd05`9dbd7fb8 : 0x70
    fffffd05`9dbd7f10 fffffd05`9dbd8da0 : ffffe08a`19140e18 fffffd05`9dbd8490 fffffd05`9dbd7fb8 fffffd05`9dbd8110 : 0xfffffd05`9dbd8048
    fffffd05`9dbd7f18 ffffe08a`19140e18 : fffffd05`9dbd8490 fffffd05`9dbd7fb8 fffffd05`9dbd8110 00000000`00001b58 : 0xfffffd05`9dbd8da0
    fffffd05`9dbd7f20 fffffd05`9dbd8490 : fffffd05`9dbd7fb8 fffffd05`9dbd8110 00000000`00001b58 fffffd05`9dbd80b0 : 0xffffe08a`19140e18
    fffffd05`9dbd7f28 fffffd05`9dbd7fb8 : fffffd05`9dbd8110 00000000`00001b58 fffffd05`9dbd80b0 fffff800`6e22352e : 0xfffffd05`9dbd8490
    fffffd05`9dbd7f30 fffffd05`9dbd8110 : 00000000`00001b58 fffffd05`9dbd80b0 fffff800`6e22352e fffffd05`00000064 : 0xfffffd05`9dbd7fb8
    fffffd05`9dbd7f38 00000000`00001b58 : fffffd05`9dbd80b0 fffff800`6e22352e fffffd05`00000064 fffffd05`9dbd7fb8 : 0xfffffd05`9dbd8110
    fffffd05`9dbd7f40 fffffd05`9dbd80b0 : fffff800`6e22352e fffffd05`00000064 fffffd05`9dbd7fb8 fffffd05`9dbd7fe8 : 0x1b58
    fffffd05`9dbd7f48 fffff800`6e22352e : fffffd05`00000064 fffffd05`9dbd7fb8 fffffd05`9dbd7fe8 00000000`00000000 : 0xfffffd05`9dbd80b0
    fffffd05`9dbd7f50 fffffd05`00000064 : fffffd05`9dbd7fb8 fffffd05`9dbd7fe8 00000000`00000000 fffffd05`9dbd8da0 : em008k_64+0x352e
    fffffd05`9dbd7f58 fffffd05`9dbd7fb8 : fffffd05`9dbd7fe8 00000000`00000000 fffffd05`9dbd8da0 ffffe08a`19140e18 : 0xfffffd05`00000064
    fffffd05`9dbd7f60 fffffd05`9dbd7fe8 : 00000000`00000000 fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 : 0xfffffd05`9dbd7fb8
    fffffd05`9dbd7f68 00000000`00000000 : fffffd05`9dbd8da0 ffffe08a`19140e18 fffffd05`9dbd8490 fffffd05`9dbd8018 : 0xfffffd05`9dbd7fe8

    THREAD_SHA1_HASH_MOD_FUNC: f82c0cd745a90bb60f4da08e2233f236f78a8464
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 0cde31454a836fb2c3f9def831d3860edd5f3202
    THREAD_SHA1_HASH_MOD: 5d12138571ba6e10428e55ad5ed65f342c70f5fb
    FOLLOWUP_IP:
    nt!KiPageFault+10
    fffff800`6347cb90 c645ab01 mov byte ptr [rbp-55h],1
    FAULT_INSTR_CODE: 1ab45c6
    SYMBOL_STACK_INDEX: 0
    SYMBOL_NAME: nt!KiPageFault+10
    FOLLOWUP_NAME: MachineOwner
    MODULE_NAME: nt
    IMAGE_NAME: ntkrnlmp.exe
    DEBUG_FLR_IMAGE_TIMESTAMP: 756e4a4f
    IMAGE_VERSION: 10.0.17763.1637
    STACK_COMMAND: .thread ; .cxr ; kb
    BUCKET_ID_FUNC_OFFSET: 10
    FAILURE_BUCKET_ID: 0x7f_8_nt!KiPageFault
    BUCKET_ID: 0x7f_8_nt!KiPageFault
    PRIMARY_PROBLEM_CLASS: 0x7f_8_nt!KiPageFault
    TARGET_TIME: 2021-04-06T23:08:01.000Z
    OSBUILD: 17763
    OSSERVICEPACK: 1637
    SERVICEPACK_NUMBER: 0
    OS_REVISION: 0
    SUITE_MASK: 131088
    PRODUCT_TYPE: 3
    OSPLATFORM_TYPE: x64
    OSNAME: Windows 10
    OSEDITION: Windows 10 Server TerminalServer
    OS_LOCALE:
    USER_LCID: 0
    OSBUILD_TIMESTAMP: 2032-06-06 21:17:35
    BUILDDATESTAMP_STR: 160101.0800
    BUILDLAB_STR: WinBuild
    BUILDOSVER_STR: 10.0.17763.1637
    ANALYSIS_SESSION_ELAPSED_TIME: 10c1
    ANALYSIS_SOURCE: KM
    FAILURE_ID_HASH_STRING: km:0x7f_8_nt!kipagefault
    FAILURE_ID_HASH: {2f8e6272-1536-8847-15b3-d73bdf95dfe4}
    Followup: MachineOwner
    ---------

ESET File Security 7.3.12002.0
Windows Server 2019
Latest updates
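
The following is an added example, not part of the original thread and not ESET or Microsoft tooling: a small Python triage of !analyze -v text like the log in the post above. The failure bucket names nt!KiPageFault, so the script lists the non-nt modules on the stack and checks whether the lowest stack pointer fell below the reported stack limit. The function names are assumptions of this example, and the sample is abridged from the post (argument columns dropped).

```python
import re

# Abridged from the !analyze -v output in the post above: the four argument
# columns of each frame are dropped, the remaining values are unchanged.
SAMPLE = """\
*** WARNING: Unable to verify timestamp for epfw.sys
*** WARNING: Unable to verify timestamp for em008k_64.dll
BUGCHECK_STR: 0x7f_8
STACK_OVERFLOW: Stack Limit: fffffd059dbd6000. Use (kF) and (!stackusage) to investigate stack usage.
STACK_TEXT:
fffffd05`9dbd5f50 fffff800`63477ad6 : nt!KiPageFault+0x10
fffffd05`9dbd7df0 fffff800`6e20669b : nt!ExAllocatePoolWithTag+0x3d
fffffd05`9dbd7ed0 00000000`000000f0 : epfw+0x669b
fffffd05`9dbd7ed8 fffffd05`9dbd8018 : 0xf0
fffffd05`9dbd7f00 00000000`00000070 : epfw+0x4d58
fffffd05`9dbd7f50 fffffd05`00000064 : em008k_64+0x352e
FAILURE_BUCKET_ID: 0x7f_8_nt!KiPageFault
"""

ADDR = re.compile(r"^[0-9a-f]{8}`[0-9a-f]{8}$")

def field(text, name):
    """Return the value of a 'NAME: value' line, or None if absent or empty."""
    m = re.search(rf"^{name}:[ \t]*(.+)$", text, re.M)
    return m.group(1).strip() if m else None

def frames(text):
    """Yield (child_sp, module, symbol) for every STACK_TEXT frame line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not ADDR.match(parts[0]) or parts[2] != ":":
            continue
        m = re.match(r"^([A-Za-z_]\w*)[!+]", parts[-1])  # nt!Func+0x10, epfw+0x669b
        yield int(parts[0].replace("`", ""), 16), m.group(1) if m else None, parts[-1]

def triage(text):
    """Summarise which modules are on the stack and whether it was exhausted."""
    stack = list(frames(text))
    limit = re.search(r"Stack Limit: ([0-9a-f]+)", text)
    sps = [sp for sp, _, _ in stack]
    return {
        "bugcheck": field(text, "BUGCHECK_STR"),
        "bucket": field(text, "FAILURE_BUCKET_ID"),
        "unverified": re.findall(r"Unable to verify timestamp for (\S+)", text),
        "third_party": list(dict.fromkeys(m for _, m, _ in stack if m and m != "nt")),
        "overflowed": bool(limit and sps) and min(sps) < int(limit.group(1), 16),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The frame parser takes the first column as the stack pointer and the last column as the symbol, so it also accepts the unabridged frame lines from the log.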

Administrators Marcos 5,451 Posted April 7, 2021

Please provide:
- the minidump
- a complete memory dump from a crash (configure Windows to generate complete memory dumps first)
- logs collected with ESET Log Collector.

RichardT1 2 Author Posted April 7, 2021

The ESET log is bigger than the maximum file size of this forum; here is the link: https://mega.nz/file/3olXjQ6T#4jBscpl02_pIb6XwbMrHM6skKd0ID362aX8WdJy-xpg

When I try to set up memory.dmp I get an error that the paging file is too small. I will try to solve it; for now only the minidump is working.

040721-4843-01.rar

RichardT1 2 Author Posted April 7, 2021

OK, got it configured. The memory dump is only generated after a BSOD, right?

ESET Moderators Peter Randziak 1,181 Posted April 7, 2021

@RichardT1

2 hours ago, RichardT1 said:
> OK, got it configured. The memory dump is only generated after a BSOD, right?

Yes, the memory will be dumped on the crash event. Please note that a reboot is required to apply the changes, so if you just configured it without a reboot, it will save only a minidump and the complete dump will be saved on the next BSOD...

Peter

ESET Moderators Peter Randziak 1,181 Posted April 16, 2021

Hello @RichardT1,

thank you for the provided memory dump. I quickly checked it and opened a ticket for our dev team (P_EFSW-1712) to have it properly investigated.

My colleague hid your post, as the memory dumps contain sensitive data, so I recommend sharing them with us by means of a private message.

We will keep you posted,
Peter

ESET Moderators Peter Randziak 1,181 Posted April 23, 2021

Hello @RichardT1,

1 minute ago, RichardT1 said:
> Hi guys, any updates?

the development team analyzed the issue; the root cause seems to be a memory leak, and the following stack overflow is only indirectly connected to it. The team has a hypothesis about what might be causing it, but it will take some time to verify it...

If I may ask, have you experienced a BSOD again?

Peter

RichardT1 2 Author Posted April 23, 2021

Okay, no, since last time I didn't get any BSOD crash.

ESET Moderators Peter Randziak 1,181 Posted April 23, 2021

Hello @RichardT1,

3 minutes ago, RichardT1 said:
> Okay, no, since last time I didn't get any BSOD crash.

glad to hear that, I hope it will stay that way. In case you encounter a BSOD again, please let us know and ideally provide me with a crash dump via a private message to check.

By the way, do you have some custom scripts or applications using SMB shares intensively?

Peter

RichardT1 2 Author Posted April 23, 2021

No, there aren't any scripts with SMB shares. It's used as a terminal server for 15 zero clients connecting through RDP.

ESET Moderators Peter Randziak 1,181 Posted April 23, 2021

33 minutes ago, RichardT1 said:
> No, there aren't any scripts with SMB shares. It's used as a terminal server for 15 zero clients connecting through RDP.

Thank you for the info provided, I will update the ticket with it.

Peter

ESET Moderators Peter Randziak 1,181 Posted June 25, 2021

Hello Richard,

the root cause is fixed in Network protection module 1690, which is currently available on the pre-release update channel.

Thank you once again for reporting it and providing the data needed to analyze it.

Peter