BSOD Server 2019

Jordan Kirby 1 Reputation point
2022-11-22T18:42:55.777+00:00

I am getting a BSOD pointing back to ntoskrnl on multiple Server 2019 Standard VMs I have running on Hyper-V. I started getting these a few months ago, randomly, without any major software changes, etc. Since then we have multiple servers on 2 different machines all getting the same type of BSOD errors. I have run Windows Updates and am fully updated, fixed via SFC, DISM, etc. and am still having the issue. I am not a debugger by any means but am unsure where else to go. I recently updated the server drivers and software and am still having the same issue. Any ideas on what could be causing this? With it being a VM, I would think most drivers would be standard. Would anyone be willing to take a look at the dump files and let me know if you can see something I don't? I have run them through WinDbg without much help.

Windows for business | Windows Server | User experience | Other

13 answers

  1. Anonymous
    2022-11-22T19:07:24.287+00:00

    I'd check here and with the manufacturer that the host supports Server 2019
    https://www.windowsservercatalog.com/

    1 person found this answer helpful.

  2. Anonymous
    2022-11-22T19:17:47.67+00:00

    Looks Ok
    https://support.hpe.com/connect/s/product?language=en_US&tab=driversAndSoftware&kmpmoid=1010093150&environmentType=2200014&environmentSubtype=2000152

    The server manufacturer (HP) will be your best resource for troubleshooting problems with the hardware.
    https://community.hpe.com/t5/proliant-servers-ml-dl-sl/bd-p/itrc-264#.Y30gSsvMK3A

    1 person found this answer helpful.

  3. Gary Nebbett 6,216 Reputation points
    2022-11-22T19:25:01.297+00:00

    Hello Jordan,

    Are your crash dumps "minidumps" or one of the larger types of dump?

    One can create a minidump from a larger dump with the debugger ".dump /m <FileName>" command.

    My suggestion would be to make some minidumps available and just see what happens. As an example, I sometimes look at crash dumps that have been posted but only respond in the forum if I have something useful/helpful to say; in other words, a lack of response does not necessarily mean that no-one has tried to help.

    Sometimes a minidump provides a strong hint for a helpful next step, sometimes it suggests that the true cause of the problem happened sometime in the past (corruption of some data structure) and that the crash occurred when the problem was discovered (even detailed crash dump analysis is unlikely to reveal the true cause) and sometimes it is clear that a larger dump is needed (to examine relevant data structures that are not included in the minidump) in order to make progress.

    Gary

    1 person found this answer helpful.

  4. Gary Nebbett 6,216 Reputation points
    2022-11-23T15:16:58.303+00:00

    Hello Jordan,

    The cause of the crash was a kernel stack overflow:

    [Image: 263473-image.png]

    The Windows kernel had to switch to a special stack to handle the stack overflow (that explains the change in Child-SP between the yellow and green highlighting).

    Visible on the stack is WRkrn.sys, which seems to be part of Webroot SecureAnywhere; since no debug symbols for WRkrn.sys are available, the Child-SP/RetAddr values below the blue highlighting are meaningless.

    Third party security products are often the cause of crashes and WRkrn.sys is certainly a suspect in this case.

    However, a large part of the stack is seemingly taken up with recursive calls to win32kfull!xxxDestroyWindow (the current process is NextGenEMR.exe).

    [Image: 263419-image.png]

    I would suggest checking other dumps (if you have them) to see whether they are similar to this crash (especially presence of WRkrn.sys on the stack at time of crash and, to a lesser extent, NextGenEMR.exe as the current process).

    Gary

    1 person found this answer helpful.
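
Added example, not part of the thread: one way to do the cross-dump comparison suggested in the answer above, assuming each dump's `!analyze -v` output has been saved as a text file. The `summarize` helper and the sample text are constructed for illustration; the addresses and offsets are made up.

```python
import re
from collections import Counter

def _frame(sp, sym):
    """Build one constructed line in WinDbg's STACK_TEXT layout."""
    z = "00000000`00000000"
    return f"ffff9a00`{sp:08x} fffff800`00000000 : {z} {z} {z} {z} : {sym}"

# Constructed sample (not the poster's dump): addresses and offsets are made up.
SAMPLE = "\n".join(
    ["PROCESS_NAME:  NextGenEMR.exe", "", "STACK_TEXT:  ",
     _frame(0x1000, "nt!KeBugCheckEx"), _frame(0x1100, "WRkrn+0x1a2b3")]
    + [_frame(0x2000 + 0x100 * i, "win32kfull!xxxDestroyWindow+0x2f1")
       for i in range(6)]
    + ["", "SYMBOL_NAME:  WRkrn+1a2b3"])

# child-SP, return address, four arguments, then the symbol as the last token
FRAME_RE = re.compile(r"^[0-9a-f`]+\s+[0-9a-f`]+\s+:\s.*\s:\s+(\S+)\s*$", re.I)

def summarize(analysis_text, suspects=("wrkrn",)):
    """Summarize one saved '!analyze -v' log for comparison across dumps."""
    proc = re.search(r"^PROCESS_NAME:\s*(\S+)", analysis_text, re.M)
    symbols, in_stack = [], False
    for line in analysis_text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            m = FRAME_RE.match(line)
            if m:
                symbols.append(m.group(1))
            elif symbols and not line.strip():
                break  # a blank line ends the stack section
    # "WRkrn+0x1a2b3" -> module "wrkrn"; "nt!KeBugCheckEx" -> module "nt"
    modules = [re.split(r"[!+]", s)[0].lower() for s in symbols]
    # Drop the offset so repeated (recursive) frames count as one function
    functions = Counter(s.split("+0x")[0] for s in symbols)
    return {
        "process": proc.group(1) if proc else None,
        "frames": len(symbols),
        "suspects_on_stack": sorted({mod for mod in modules
                                     if mod.startswith(tuple(suspects))}),
        "most_repeated": functions.most_common(1)[0] if symbols else None,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running `summarize` over the saved analysis of every dump and comparing the `suspects_on_stack`, `process` and `most_repeated` fields shows quickly whether the crashes share the same pattern.
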

  5. Docs 15,761 Reputation points
    2022-11-23T21:08:45.22+00:00

    There was one collected mini dump file.

    The debugging displayed two misbehaving Webroot drivers.

    wrkrn.sys
    c:\windows\system32\drivers\wrkrn.sys

    wrcore.x64.sys
    c:\program files\webroot\core\wrcore.x64.sys

    Please uninstall the antivirus software:

    https://answers.webroot.com/Webroot/ukp.aspx?pid=1&app=vw&vw=1&solutionid=3925

    https://community.webroot.com/webroot-secureanywhere-antivirus-12/pc-uninstallation-option-missing-from-control-panel-34688

    There was only one mini dump file but this is likely to fix the BSOD.

    After uninstalling Webroot you can wait one day and then reinstall the AV software.

    If there are any new BSODs they can be troubleshot (run the V2 log collector).

    1 person found this answer helpful.