BSOD Page Fault in Non Paged Area using SysInternals Sysmon V11

Hi All
We have recently been getting BSODs on our Windows Server 2016 servers. We have had Sysmon V11 installed and running since September, but in the last few days we have been getting BSODs saying Page Fault in Non Paged Area, and the minidump shows SysmonDrv.sys as the faulting bucket.
This only seems to affect Server 2016; our Server 2012 R2 servers don't seem to have this. Another issue we are seeing is that this seems to cause pagefile issues: after the restart, Windows will create a new pagefile, reporting a corruption in the existing one. It is not until we remove the pagefile and restart that it is OK, and then only until the subsequent reboot.
As these are Prod servers, we are anxious to get this sorted ASAP.
Hopefully someone can assist.
A little bit of info:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffc2082219a0e8, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800a3d7b380, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)
FAULT_INSTR_CODE: c085d88b
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: SysmonDrv+1e9f
MODULE_NAME: SysmonDrv
IMAGE_NAME: SysmonDrv.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 5ea6fa67
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 1e9f
FAILURE_BUCKET_ID: AV_R_INVALID_SysmonDrv!unknown_function
BUCKET_ID: AV_R_INVALID_SysmonDrv!unknown_function
PRIMARY_PROBLEM_CLASS: AV_R_INVALID_SysmonDrv!unknown_function
Hi dstaulcu
Since it's a production system, we have to follow change control and created an emergency change. We upgraded to V11.10 first and then found we had a memory leak on that version, which caused high memory usage on our servers in the space of 12 hours. We subsequently upgraded to V11.11, which resolved the memory leak, and are monitoring the situation for now.
We do plan to upgrade to V12.03; however, we need to review our configuration files first, as V12 does have some functionality which we would like to incorporate.
Here is a list of release notes I have scraped from Sysinternals blog entries.
I do not represent the sysinternals team. I'm just another implementer keeping a close eye on forums to make sure I am not contributing to deployment of unstable code versions. Version 10.42 had a long shelf life for me. Version 12.03 is new and unproven but is where your problematic host needs to be to maximize possibility of help from Sysinternals team through memory dump analysis.
Hi dstaulcu
Thanks for this. It seems one of our servers suffered the same fate with a BugCheck error this morning with Sysmon V11.11, so I am not confident that the latest version solves this issue. How do I get support from the Sysinternals team? Given it's Christmas and hardly anyone will be around, we may just have to look at alternatives for now.
It appears that the FileDelete function has a memory leak. Avoid deploying Sysmon versions 11.0 through 12.0, as the FileDelete component leaks memory regardless of whether FileDelete collection is enabled or disabled. In Sysmon versions 12.1 to 12.3 the leak only occurs when FileDelete collection is enabled. A new version with FileDelete memory mitigations is soon to be published.
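Added example, not part of the original thread and not Sysinternals' code: a small Python script that parses a Sysmon configuration XML (a constructed sample config is embedded), reports whether FileDelete collection is effectively enabled under Sysmon's onmatch semantics, and applies the version ranges stated in the reply above to decide whether a given Sysmon version would be exposed to the FileDelete leak with that config. The version ranges and the "enabled/disabled" distinction are taken from the reply as stated, not verified independently; the sample config and all function names are the example's own.

```python
"""Audit a Sysmon config XML for FileDelete collection and apply the
FileDelete memory-leak guidance quoted in the thread (example code)."""
import xml.etree.ElementTree as ET

# Constructed sample config (not from the original post). It enables
# FileDelete collection through an include rule with one filter.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <FileDelete onmatch="include">
        <TargetFilename condition="end with">.exe</TargetFilename>
      </FileDelete>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

LEAK_ALWAYS = "leaks regardless of FileDelete setting"
LEAK_IF_ENABLED = "leaks (FileDelete enabled)"
NO_LEAK_DISABLED = "no leak (FileDelete disabled)"
OUT_OF_SCOPE = "outside the version ranges discussed in the thread"


def parse_version(version):
    """Turn a Sysmon version string such as '11.11' or '12.03' into a
    comparable (major, minor) tuple. '12.03' -> (12, 3), '11.10' -> (11, 10)."""
    major, _, minor = version.partition(".")
    return int(major), int(minor or 0)


def filedelete_enabled(config_xml):
    """Return True if this config would make Sysmon collect FileDelete events.

    Sysmon filtering semantics: an onmatch="exclude" block logs every event
    that no rule matches (an empty exclude block therefore logs everything);
    an onmatch="include" block logs only matched events (an empty include
    block logs nothing). FileDelete blocks may sit inside a RuleGroup or
    directly under EventFiltering, so iterate over all descendants.
    """
    root = ET.fromstring(config_xml)
    for fd in root.iter("FileDelete"):
        onmatch = fd.get("onmatch", "").lower()
        rules = list(fd)  # child filter elements such as TargetFilename
        if onmatch == "exclude":
            return True
        if onmatch == "include" and rules:
            return True
        if onmatch not in ("include", "exclude"):
            raise ValueError("FileDelete block without a valid onmatch attribute")
    return False


def filedelete_leak_risk(version, enabled):
    """Apply the ranges from the reply: 11.0 through 12.0 leak regardless of
    the FileDelete setting; 12.1 through 12.3 leak only when FileDelete
    collection is enabled. Anything else is outside what the reply covers."""
    v = parse_version(version)
    if (11, 0) <= v <= (12, 0):
        return LEAK_ALWAYS
    if (12, 1) <= v <= (12, 3):
        return LEAK_IF_ENABLED if enabled else NO_LEAK_DISABLED
    return OUT_OF_SCOPE


def audit_config(config_xml, version):
    """Convenience wrapper: one verdict string for a config/version pair."""
    enabled = filedelete_enabled(config_xml)
    return f"Sysmon {version}, FileDelete {'enabled' if enabled else 'disabled'}: " \
           f"{filedelete_leak_risk(version, enabled)}"


if __name__ == "__main__":
    # Versions named in the thread, checked against the sample config.
    for ver in ("11.11", "12.03"):
        print(audit_config(SAMPLE_CONFIG, ver))
```

To use it on a real deployment, replace SAMPLE_CONFIG with the contents of the configuration file you push to the servers (the same XML passed to sysmon -c) and the version with the one reported by the installed driver; note that an include block with no child rules is treated as disabled, because Sysmon logs nothing for it.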