Posts Tagged ‘PAGE_FAULT_IN_NONPAGED_AREA’
Windows Server Restarting often with BSOD
Issue
So here’s the case, during the last two weeks we’ve identified quite a few scenarios where the Domain Controllers kept on restarting out of nowhere. Here are the symptoms;
- BlueScreen (BSOD)
- Restarting every 5-10 mins or quite often
- Windows Server 2012 or Windows Server 2012 R2
Upon going through the dump analysis of those cases and digging in more, the root cause was related to a SRV.SYS windows driver. Apparently this is a driver that handles SMBv1 connections. The restarting is due to a memory overflow in the system.
BugCheck 50, {ffffe00171aad000, 1, fffff80004652c20, 0} Probably caused by : srv.sys ( srv!SrvOs2FeaToNt+48 ) Followup: MachineOwner --------- ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: ffffe00171aad000, memory referenced. Arg2: 0000000000000001, value 0 = read operation, 1 = write operation. Arg3: fffff80004652c20, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) STACK_TEXT: ffffe001`71aad000 00000000`00000001 ffffd000`208c8700 : nt!KeBugCheckEx ffffe001`6c82a040 ffffd000`208c8700 fffff800`276e5c76 : nt! ?? ::FNODOBFM::`string'+0x26b6e ffffe001`71aad000 ffffc000`320d2000 fffff800`27754445 : nt!MmAccessFault+0x769 fffff800`04652b52 00000000`00000010 00000000`00000246 : nt!KiPageFault+0x12f ffffe001`71aacff8 5c725c6e`5c725c36 ffffc000`320c2138 : srv!SrvOs2FeaToNt+0x48 00000000`00000000 ffffc000`320b2010 00000000`00000002 : srv!SrvOs2FeaListToNt+0x125 fffff800`00010fe8 ffffe001`71a9c010 ffffe001`70d56010 : srv!SrvSmbOpen2+0xc3 ffffe001`70d56010 ffffc000`320b2010 00000000`00000002 : srv!ExecuteTransaction+0x2ca 00000000`00000000 ffffe001`00000035 ffffe001`0000f3d0 : srv!SrvSmbTransactionSecondary+0x40b ffffe001`6ef9c388 ffffe001`70d56a80 fffff800`0461b010 : srv!SrvProcessSmb+0x237 ffffe001`70d56010 00000000`00000000 ffffe001`70d56020 : srv!SrvRestartReceive+0x114 ffffc000`329656f0 ffffe001`6ef9c340 00000000`00000080 : srv!WorkerThread+0xffffffff`ffffbda5 ffffe001`72281040 ffffd001`8b5e9180 ffffe001`71ef7040 : nt!IopThreadStart+0x26 ffffe001`72281040 ffffe001`6dbc6880 ffffd000`208c8c90 : nt!PspSystemThreadStartup+0x58 ffffd000`208c3000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
Resolve
Check your Updates!!!!! Well, in all our cases the client servers were not patched. The BSOD was due to the SMBv1 memory overflow.
In order to fix the issue, head over to the Microsoft Security Bulletin MS17-010 – Critical website, look for your Operating System, patch it ASAP.
Pretty strange why it was all good until now. Anyhow, whatever said and done another good reminder for everyone who’s lazy on updating their systems.