Hi All,
Am facing a repeated unexpected shutdown of one server 2003 R2 Sp1 , I have configured Minidump on the server and analysed the minidumb. The Last cause i could find is
"BSOD - ntkrpamp.exe is probable cause"
I have checked in google where this file actually belongs to ,it says base operating system but not sure what it does and why it is causing the unexpected restart. Can any one please help me how can i progress after this.
I have Posted the completed dump below for your clarity. If i have not followed any process, please let me know as am handling this dump analysis first time.
Loading Dump File [C:\Documents and Settings\Administrator\Desktop\Toolket\Minidump\Mini051109-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp1_rtm.050324-1447
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Mon May 11 10:22:56.892 2009 (GMT+10)
System Uptime: 9 days 5:17:54.171
Loading Kernel Symbols
...............................................................
........................................................
Loading User Symbols
Loading unloaded module list
..............
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000000A, {4, 1b, 1, 80831d88}
Probably caused by : ntkrpamp.exe ( nt!KiInsertTimerTable+50 )
Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 0000001b, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80831d88, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 00000004
CURRENT_IRQL: 1b
FAULTING_IP:
nt!KiInsertTimerTable+50
80831d88 894f04 mov dword ptr [edi+4],ecx
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xA
PROCESS_NAME: System
LAST_CONTROL_TRANSFER: from 80827696 to 80831d88
STACK_TEXT:
f78fed20 80827696 ff676980 00000000 ffffffff nt!KiInsertTimerTable+0x50
f78fed38 80827824 008fed78 ff676980 ffffffff nt!KeSetTimerEx+0x15a
f78fed54 80990168 f78fed78 ff676980 ffffffff nt!KeSetTimer+0x18
f78fedac 80948bb2 00000000 00000000 00000000 nt!ExpWorkerThreadBalanceManager+0x4c
f78feddc 8088d4d2 8099011c 00000000 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiInsertTimerTable+50
80831d88 894f04 mov dword ptr [edi+4],ecx
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KiInsertTimerTable+50
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 42435b14
FAILURE_BUCKET_ID: 0xA_nt!KiInsertTimerTable+50
BUCKET_ID: 0xA_nt!KiInsertTimerTable+50
Followup: MachineOwner
