Issue

So here’s the case, during the last two weeks we’ve identified quite a few scenarios where the Domain Controllers kept on restarting out of nowhere. Here are the symptoms;

• BlueScreen (BSOD)
• Restarting every 5-10 mins or quite often
• Windows Server 2012 or Windows Server 2012 R2

Upon going through the dump analysis of those cases and digging in more, the root cause was related to a SRV.SYS windows driver. Apparently this is a driver that handles SMBv1 connections. The restarting is due to a memory overflow in the system.

BugCheck 50, {ffffe00171aad000, 1, fffff80004652c20, 0}

Probably caused by : srv.sys ( srv!SrvOs2FeaToNt+48 )

Followup:     MachineOwner
---------

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffe00171aad000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff80004652c20, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

STACK_TEXT:  
ffffe001`71aad000 00000000`00000001 ffffd000`208c8700 : nt!KeBugCheckEx
ffffe001`6c82a040 ffffd000`208c8700 fffff800`276e5c76 : nt! ?? ::FNODOBFM::`string'+0x26b6e
ffffe001`71aad000 ffffc000`320d2000 fffff800`27754445 : nt!MmAccessFault+0x769
fffff800`04652b52 00000000`00000010 00000000`00000246 : nt!KiPageFault+0x12f
ffffe001`71aacff8 5c725c6e`5c725c36 ffffc000`320c2138 : srv!SrvOs2FeaToNt+0x48
00000000`00000000 ffffc000`320b2010 00000000`00000002 : srv!SrvOs2FeaListToNt+0x125
fffff800`00010fe8 ffffe001`71a9c010 ffffe001`70d56010 : srv!SrvSmbOpen2+0xc3
ffffe001`70d56010 ffffc000`320b2010 00000000`00000002 : srv!ExecuteTransaction+0x2ca
00000000`00000000 ffffe001`00000035 ffffe001`0000f3d0 : srv!SrvSmbTransactionSecondary+0x40b
ffffe001`6ef9c388 ffffe001`70d56a80 fffff800`0461b010 : srv!SrvProcessSmb+0x237
ffffe001`70d56010 00000000`00000000 ffffe001`70d56020 : srv!SrvRestartReceive+0x114
ffffc000`329656f0 ffffe001`6ef9c340 00000000`00000080 : srv!WorkerThread+0xffffffff`ffffbda5
ffffe001`72281040 ffffd001`8b5e9180 ffffe001`71ef7040 : nt!IopThreadStart+0x26
ffffe001`72281040 ffffe001`6dbc6880 ffffd000`208c8c90 : nt!PspSystemThreadStartup+0x58
ffffd000`208c3000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16

Resolve

Check your Updates!!!!! Well, in all our cases the client servers were not patched. The BSOD was due to the SMBv1 memory overflow.

In order to fix the issue, head over to the Microsoft Security Bulletin MS17-010 – Critical website, look for your Operating System, patch it ASAP.

Pretty strange why it was all good until now. Anyhow, whatever said and done another good reminder for everyone who’s lazy on updating their systems.