I have a full memory dump of the server. On analyzing the dump, I found what happened.
Use !analyze -v to get detailed debugging information.
BugCheck 50, {e4ddd010, 0, bfa36fb5, 0}
Probably caused by : ADOBEPS5.DLL
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e4ddd010, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bfa36fb5, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: e4ddd010 Paged pool
FAULTING_IP:
+64362faf034ed9c0
bfa36fb5 8b0481 mov eax,dword ptr [ecx+eax*4]
MM_INTERNAL_CODE: 0
IMAGE_NAME: ADOBEPS5.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: ADOBEPS5
FAULTING_MODULE: 00000000
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: POWERPNT.EXE
CURRENT_IRQL: 1
TRAP_FRAME: f564e5b8 -- (.trap 0xfffffffff564e5b8)
ErrCode = 00000000
eax=ffff8000 ebx=e4dc0b90 ecx=e4dfd010 edx=e4dfd010 esi=f564ed2c edi=00000d0d
eip=bfa36fb5 esp=f564e62c ebp=f564e670 iopl=0 nv up ei ng nz ac po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
bfa36fb5 8b0481 mov eax,dword ptr [ecx+eax*4] ds:0023:e4ddd010=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 8085a533 to 80826de7
STACK_TEXT:
f564e52c 8085a533 00000050 e4ddd010 00000000 nt!KeBugCheckEx+0x1b
f564e5a0 808868d0 00000000 e4ddd010 00000000 nt!MmAccessFault+0xa91
f564e5a0 bfa36fb5 00000000 e4ddd010 00000000 nt!KiTrap0E+0xd8
WARNING: Frame IP not in any known module. Following frames may be wrong.
f564e670 bfa37212 e505e408 00000d0d f564ed2c 0xbfa36fb5
f564e718 bf8c053e 000176ac 00000000 00000258 0xbfa37212
f564e808 bf8a96e6 e4dc0ba0 f564e864 e4d85ac8 win32k!EngMulDiv+0x4e
f564ea90 bf8ab7f9 f564ed2c e4d966b0 e4d9670c win32k!GreExtTextOutWLocked+0xfc7
f564ebf8 bf89cc98 f564ed2c 7ffd81dc 000000b4 win32k!GreBatchTextOut+0x344
f564ed54 8088390a 0000007a 0227f3d0 0227f3e8 win32k!NtGdiFlushUserBatch+0x11a
f564ed64 7c82860b badb0d00 0227f3d0 00000000 nt!KiFastCallEntry+0xca
f564ed68 badb0d00 0227f3d0 00000000 00000000 ntdll!KiFastSystemCall+0x3
f564ed6c 0227f3d0 00000000 00000000 00000000 0xbadb0d00
f564ed70 00000000 00000000 00000000 00000000 0x227f3d0
STACK_COMMAND: kb
FOLLOWUP_NAME: MachineOwner
FAILURE_BUCKET_ID: 0x50_IMAGE_ADOBEPS5.DLL
BUCKET_ID: 0x50_IMAGE_ADOBEPS5.DLL
Followup: MachineOwner
---------
As per the above analysis -
Probably caused by : ADOBEPS5.DLL
PROCESS_NAME: POWERPNT.EXE
But ADOBEPS5 is a module that was being run by PowerPoint.exe
Arg1: e4ddd010, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: bfa36fb5, If non-zero, the instruction address which referenced the bad memory
To see which process was running, use the !thread command.
POWERPNT.EXE is the Image executing Thread 8564dd08 RUNNING on Processor 0
kd> !thread
THREAD 8564dd08 Cid 01b4.0e70 Teb: 7ffd8000 Win32Thread: e4cf5b78 RUNNING on processor 0
Not impersonating
DeviceMap e10010a0
Owning Process 85813548 Image: POWERPNT.EXE
Attached Process N/A Image: N/A
Wait Start TickCount 182489 Ticks: 0
Context Switch Count 674 LargeStack
UserTime 00:00:00.031
KernelTime 00:00:00.046
*** ERROR: Symbol file could not be found. Defaulted to export symbols for POWERPNT.EXE -
Win32 Start Address POWERPNT (0x3004404c)
Start Address kernel32!BaseThreadStartThunk (0x77e617ec)
Stack Init f564f000 Current f564e5e4 Base f564f000 Limit f564b000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0
ChildEBP RetAddr Args to Child
f564e52c 8085a533 00000050 e4ddd010 00000000 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo])
f564e5a0 808868d0 00000000 e4ddd010 00000000 nt!MmAccessFault+0xa91 (FPO: [Non-Fpo])
f564e5a0 bfa36fb5 00000000 e4ddd010 00000000 nt!KiTrap0E+0xd8 (FPO: [0,0] TrapFrame @ f564e5b8)
WARNING: Frame IP not in any known module. Following frames may be wrong.
f564e670 bfa37212 e505e408 00000d0d f564ed2c 0xbfa36fb5
f564e718 bf8c053e 000176ac 00000000 00000258 0xbfa37212
f564e808 bf8a96e6 e4dc0ba0 f564e864 e4d85ac8 win32k!EngMulDiv+0x4e (FPO: [Non-Fpo])
f564ea90 bf8ab7f9 f564ed2c e4d966b0 e4d9670c win32k!GreExtTextOutWLocked+0xfc7 (FPO: [Non-Fpo])
f564ebf8 bf89cc98 f564ed2c 7ffd81dc 000000b4 win32k!GreBatchTextOut+0x344 (FPO: [Non-Fpo])
f564ed54 8088390a 0000007a 0227f3d0 0227f3e8 win32k!NtGdiFlushUserBatch+0x11a (FPO: [Non-Fpo])
f564ed64 7c82860b badb0d00 0227f3d0 00000000 nt!KiFastCallEntry+0xca
f564ed68 badb0d00 0227f3d0 00000000 00000000 ntdll!KiFastSystemCall+0x3 (FPO: [0,0,0])
f564ed6c 0227f3d0 00000000 00000000 00000000 0xbadb0d00
f564ed70 00000000 00000000 00000000 00000000 0x227f3d0
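The trap frame above is enough to confirm Arg1 by hand: the faulting instruction reads from ecx+eax*4, and with the register values shown that sum wraps to e4ddd010, which is 0x20000 bytes below the base pointer in ecx. The following Python sketch is an added example, not part of the original post; it parses the trap-frame text copied from this page and redoes that calculation (the function and variable names are illustrative).

```python
import re

# Trap-frame lines copied from the !analyze -v output on this page.
TRAP_FRAME = """\
eax=ffff8000 ebx=e4dc0b90 ecx=e4dfd010 edx=e4dfd010 esi=f564ed2c edi=00000d0d
eip=bfa36fb5 esp=f564e62c ebp=f564e670 iopl=0 nv up ei ng nz ac po nc
bfa36fb5 8b0481 mov eax,dword ptr [ecx+eax*4] ds:0023:e4ddd010=????????
"""
BUGCHECK_ARG1 = 0xE4DDD010  # "Arg1: e4ddd010, memory referenced."

REGISTER = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")
# x86 memory operand as WinDbg prints it: [base+index*scale+disp]
OPERAND = re.compile(
    r"\[(?P<base>e[a-z]{2})"
    r"(?:\+(?P<index>e[a-z]{2})(?:\*(?P<scale>[1248]))?)?"
    r"(?:(?P<sign>[+-])(?P<disp>[0-9a-f]+)h?)?\]"
)

def signed32(value):
    """Interpret a 32-bit register value as a two's-complement integer."""
    return value - (1 << 32) if value & 0x80000000 else value

def explain_fault(trap_frame):
    """Recompute the address the faulting instruction touched."""
    regs = {name: int(val, 16) for name, val in REGISTER.findall(trap_frame)}
    op = OPERAND.search(trap_frame)
    if op is None:
        raise ValueError("no memory operand found in trap frame")
    base = regs[op["base"]]
    index = regs[op["index"]] if op["index"] else 0
    scale = int(op["scale"] or 1)
    disp = int(op["disp"], 16) if op["disp"] else 0
    if op["sign"] == "-":
        disp = -disp
    # The CPU wraps the sum to 32 bits, so a large index acts as a negative one.
    address = (base + index * scale + disp) & 0xFFFFFFFF
    return {
        "base": base,
        "address": address,
        "offset_from_base": signed32(index) * scale + disp,
        "matches_arg1": address == BUGCHECK_ARG1,
    }

if __name__ == "__main__":
    r = explain_fault(TRAP_FRAME)
    print(f"base {r['base']:08x} {r['offset_from_base']:+#x} -> {r['address']:08x}, "
          f"matches Arg1: {r['matches_arg1']}")
```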
I checked ADOBEPS5.DLL on the Internet and found that it is a print driver of Acrobat 4. I checked the installed applications on the server and found that Acrobat 4.1 is installed. I checked the installed printers on the server: Acrobat Distiller is installed and uses AdobePS Acrobat Distiller as its driver.
Check the event log of the server to see whether someone sent a print command to the Acrobat Distiller printer.
--------------------------------------------------------------------------
Event Type: Information
Event Source: Print
Event Category: None
Event ID: 10
Date: 4/10/2012
Time: 3:40:29 AM
User: NT AUTHORITY\SYSTEM
Computer:
Description:
Document 2, Microsoft PowerPoint - BIM_WORK_sro2.PPT owned by SYSTEM was printed on Acrobat Distiller via port C:\Program Files\Adobe\Acrobat 4.0\PDF Output\*.pdf. Size in bytes: 19613809; pages printed: 8
Event Type: Information
Event Source: Save Dump
Event Category: None
Event ID: 1001
Date: 4/10/2012
Time: 3:52:37 AM
User: N/A
Computer:
Description:
The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0xe5373010, 0x00000000, 0xbfa36fb5, 0x00000000). A dump was saved in: C:\WINNT\MEMORY.DMP.
--------------------------------------------------------------------------
As per the above log, the print command was executed by PowerPoint at 3:40:29 AM and the dump was created at 3:52:37 AM. Acrobat 4.1 is an old application, so if we update it to the current version, the issue can be fixed.