Tech Support banner

Not open for further replies.
1 - 4 of 4 Posts

18 Posts
Discussion Starter #1
Morning All,

We have a 2003 Terminal Server which keeps blue screening and throwing up Office applications as the cause (usually Word or Outlook)

We have repaired Office, removed and reinstalled, and even formatted the OS to start from scratch, the problem just keeps reappearing at random intervals

We have another Terminal Server set up in exactly the same way (but on different hardware) which is working without problem. The server has been in for years and has only started giving us problems for the past few months

Apologies I couldn't find posting instructions for 2003 so have just copied my windbg output, can anyone see anything other than Office in this?

JFI we have NOD32v4 AntiVirus


5: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8000104efca, The address that the exception occurred at
Arg3: 0000000000000000, Parameter 0 of the exception
Arg4: 00000000000000d0, Parameter 1 of the exception

Debugging Details:

Page 9429f not present in the dump file. Type ".hh dbgerr004" for details
Page 8bf12 not present in the dump file. Type ".hh dbgerr004" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

fffff800`0104efca 488b02          mov     rax,qword ptr [rdx]

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  00000000000000d0

READ_ADDRESS:  00000000000000d0 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

BUGCHECK_STR:  0x1E_c0000005




EXCEPTION_RECORD:  fffffaddd6d95bd0 -- (.exr 0xfffffaddd6d95bd0)
ExceptionAddress: fffff8000104efca (nt!RtlpUnwindPrologue+0x000000000000016b)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000000000000d0
Attempt to read from address 00000000000000d0

TRAP_FRAME:  fffffaddd6d95c60 -- (.trap 0xfffffaddd6d95c60)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000004 rbx=0000000000000000 rcx=fffff8000104efb8
rdx=00000000000000d0 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8000104efca rsp=fffffaddd6d95df0 rbp=fffffaddd6d95f00
 r8=0000000000000006  r9=fffff80001170f98 r10=0000000000000001
r11=fffffaddd6d95f20 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
fffff800`0104efca 488b02          mov     rax,qword ptr [rdx] ds:00000000`000000d0=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff80001080e46 to fffff8000102e890

fffffadd`d6d954d8 fffff800`01080e46 : 00000000`0000001e ffffffff`c0000005 fffff800`0104efca 00000000`00000000 : nt!KeBugCheckEx
fffffadd`d6d954e0 fffff800`0102e6af : fffffadd`d6d95bd0 fffffade`5b64f946 fffffadd`d6d95c60 00000000`00000030 : nt!KiDispatchException+0x128
fffffadd`d6d95ae0 fffff800`0102d521 : fffffadd`d6d961f0 00000000`00000001 fffffadd`d6d96200 fffffade`5b652a15 : nt!KiExceptionExit
fffffadd`d6d95c60 fffff800`0104efca : fffffadd`d6d96254 00000000`00000001 fffff800`011eb678 fffff800`01000000 : nt!KiPageFault+0x1e1
fffffadd`d6d95df0 fffff800`0104a1d1 : fffff800`01027eb1 fffffadd`d6d95f00 00000000`00027eb3 fffffadd`d6d95f20 : nt!RtlpUnwindPrologue+0x16b
fffffadd`d6d95e40 fffff800`0127440b : fffffa80`005acc00 fffff800`0102e33d fffffadd`d6d96c70 fffffadd`dce7e5c0 : nt!RtlVirtualUnwind+0x27b
fffffadd`d6d95ec0 fffff800`0104236b : fffffade`6d76abf0 00000000`00000000 fffffade`6d76ac38 00000000`00000000 : nt!PspGetSetContextInternal+0x1ed
fffffadd`d6d96410 fffff800`01027eb1 : fffffadd`d6d966a8 fffffadd`d6d96848 fffffa80`004ce8a8 fffff800`012db568 : nt!PspGetSetContextSpecialApc+0xab
fffffadd`d6d96520 fffff800`0103bf97 : 00000000`0000001b 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiDeliverApc+0x215
fffffadd`d6d965c0 fffff800`0102828e : 00000000`00000000 00000000`00000000 fffffade`6d76ac88 fffffade`6d76abf0 : nt!KiSwapThread+0x3e9
fffffadd`d6d96620 fffff800`0101f88c : 00000000`00000000 fffffa80`00000005 fffffadd`00000000 fffff800`011aa100 : nt!KeWaitForSingleObject+0x5a6
fffffadd`d6d966a0 fffff800`0101f51b : ffffffff`ffffffff 00000000`00000000 00000001`00000000 fffff800`011a98fd : nt!KiSuspendThread+0x2c
fffffadd`d6d966e0 fffff800`01027abd : 00000001`00000001 00000000`00000000 fffff800`0101f860 fffffade`6fe71018 : nt!KiDeliverApc+0x2d3
fffffadd`d6d96780 fffffade`70935953 : fffffade`70beb008 fffffadd`d6d96960 fffffadd`00000000 fffffadd`00000019 : nt!KiApcInterrupt+0xdd
fffffadd`d6d96910 fffffade`70beb008 : fffffadd`d6d96960 fffffadd`00000000 fffffadd`00000019 fffffadd`d6d96a58 : 0xfffffade`70935953
fffffadd`d6d96918 fffffadd`d6d96960 : fffffadd`00000000 fffffadd`00000019 fffffadd`d6d96a58 fffffade`7093662e : 0xfffffade`70beb008
fffffadd`d6d96920 fffffadd`00000000 : fffffadd`00000019 fffffadd`d6d96a58 fffffade`7093662e 00000000`00000000 : 0xfffffadd`d6d96960
fffffadd`d6d96928 fffffadd`00000019 : fffffadd`d6d96a58 fffffade`7093662e 00000000`00000000 00000000`00000001 : 0xfffffadd`00000000
fffffadd`d6d96930 fffffadd`d6d96a58 : fffffade`7093662e 00000000`00000000 00000000`00000001 00000000`00000001 : 0xfffffadd`00000019
fffffadd`d6d96938 fffffade`7093662e : 00000000`00000000 00000000`00000001 00000000`00000001 fffff800`0129a9fd : 0xfffffadd`d6d96a58
fffffadd`d6d96940 00000000`00000000 : 00000000`00000001 00000000`00000001 fffff800`0129a9fd 00000000`0000010e : 0xfffffade`7093662e


fffff800`0104efca 488b02          mov     rax,qword ptr [rdx]


SYMBOL_NAME:  nt!RtlpUnwindPrologue+16b

FOLLOWUP_NAME:  MachineOwner


IMAGE_NAME:  ntkrnlmp.exe


FAILURE_BUCKET_ID:  X64_0x1E_c0000005_nt!RtlpUnwindPrologue+16b

BUCKET_ID:  X64_0x1E_c0000005_nt!RtlpUnwindPrologue+16b

Followup: MachineOwner

Administrator, Team Manager, Gaming, Team Manager,
54,102 Posts
Outlook is named as the process calling for the stop, but that does not mean it was the cause. A rouge driver that overwrites it's address space into another drive/process's assigned space is usually the cause. Outlook would then call for the stop because it see's the data in that address as corrupt. Or in other words the Office apps are left holding the bag.
Driver verifier would be the next step unless you can isolate a recent driver/program/update install to around the time the stop orders started.

One other thing to mention is that we at TSF like most forums provide free support to home users not to business users.

18 Posts
Discussion Starter #3
Thanks Wrench

I have just been watching some dump analysis videos (Windows Hang and Crash Dump Analysis 1/9 - YouTube) so understand how Outlook can be left 'holding the bag', but I am unable to see any more information, other than DRIVER\AFD and intelppm being loaded at the time of the crash

We used to post on EE, however I was brought to TSF by jcgriff2 who did some great analysis on another of our BSOD's and provided a much appreciated solution

I will post on EE and see how I get on
1 - 4 of 4 Posts
Not open for further replies.