Windows Server 2012 R2 Blue Screen

Question

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ffffe0010d297000, 1, fffff80086eb22d8, 0}

Could not read faulting driver name
Probably caused by : srv.sys ( srv!SrvOs2FeaToNt+48 )

Followup: MachineOwner

---

1: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
.......
Loading User Symbols
Loading unloaded module list
........................
1: kd> .reload
Loading Kernel Symbols
...............................................................
................................................................
.......
Loading User Symbols
Loading unloaded module list
........................
1: kd> !analyze -v

---

• *
• Bugcheck Analysis *
• *

  ---

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ffffe0010d297000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff80086eb22d8, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)

Debugging Details:

---

Could not read faulting driver name

WRITE_ADDRESS: fffff801c90cfce0: Unable to get special pool info
fffff801c90cfce0: Unable to get special pool info
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
ffffe0010d297000

FAULTING_IP:
srv!SrvOs2FeaToNt+48
fffff800`86eb22d8 c60300 mov byte ptr [rbx],0

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0x50

PROCESS_NAME: System

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff801c8f9d0e7 to fffff801c8f6bfa0

STACK_TEXT:
ffffd000d22d0db8 fffff801c8f9d0e7 : 0000000000000050 ffffe0010d297000 0000000000000001 ffffd000d22d0fa0 : nt!KeBugCheckEx
ffffd000d22d0dc0 fffff801c8e7f9c9 : 0000000000000001 ffffe000ffa23880 ffffd000d22d0fa0 0000000000000011 : nt! ?? ::FNODOBFM::string'+0x20c37 ffffd000d22d0e60 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 00000000`00000000 : nt!MmAccessFault+0x7a9

STACK_COMMAND: .bugcheck ; kb

FOLLOWUP_IP:
srv!SrvOs2FeaToNt+48
fffff800`86eb22d8 c60300 mov byte ptr [rbx],0

SYMBOL_NAME: srv!SrvOs2FeaToNt+48

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: srv

IMAGE_NAME: srv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 524ff17b

FAILURE_BUCKET_ID: X64_0x50_srv!SrvOs2FeaToNt+48

BUCKET_ID: X64_0x50_srv!SrvOs2FeaToNt+48

Followup: MachineOwner

Answer 1

Hi @东 李

Considering the debug data for 0x50 involving srv.sys and srv!SrvOs2FeaToNt+48 it is highly probably that this system is afected by the EternalBlue SMB exploit.

Please check the information in the next official article:

Information: https://msrc-blog.microsoft.com/2017/04/14/protecting-customers-and-evaluating-risk/

Patch download: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Hope this helps with your query,

--
--If the reply is helpful, please Upvote and Accept as answer--

Answer 2

Please run the DM log collector and post a share link into this thread using one drive, drop box, or google drive.

If the server can run the V2 log collector then it will collect more useful files for troubleshooting.

https://www.elevenforum.com/t/bsod-posting-instructions.103/

https://www.tenforums.com/bsod-crashes-debugging/2198-bsod-posting-instructions.html

Indicate whether you can create server downtime in case it is needed.

.
.
.
.
.

Please remember to vote and to mark the replies as answers if they help.

On the bottom of each post there is:

Propose as answer = answered the question

On the left side of each post there is /\ with a number: click = a helpful post
.
.
.
.
.