BSODs (System_Service_Exception and Kmode_exception_not_handled)

Joined
Sep 17, 2012
Messages
10
Reaction score
0
I've got a couple different BSODs popping up a bunch. I've got a Server 2008 R2 server. This is a small business, so they've got everything lumped on one box. Active Directory, Exchange 2010, Terminal Services. They remote in to run a couple programs that have weird licensing, so there's no way around it. Super tough to deal with, but oh well. I have all antivirus programs ripped off, and everything on the Device Manager looks OK. I've dug through a billion posts, and I just can't find anything related.

The surefire way to get these BSODs replicated is to log off a Terminal Services (Remote Desktop Services in R2) session. Every time someone logs off (instead of just hitting the X on the session) it blue screens. Also, it will just do it randomly too. I'm attaching the minidump files to see if anyone can give me a direction to search in here.

Thanks for anyone who might be able to give me some direction.
 

Attachments

Joined
Sep 17, 2012
Messages
10
Reaction score
0
Any way I can put a bounty on this? 100 bucks if someone has an answer that fixes it tomorrow. Does that incentive help anyone?
 
Joined
Sep 11, 2012
Messages
23
Reaction score
0
Read up here: http://support.microsoft.com/kb/294728

"This behavior can occur if you downloaded the Backdoor.NTHack virus from a remote host into your computer. This virus is initiated by the Dl.bat file in the InetPub\Scripts folder.

As a result, both the Firedaemon.exe and Sud.exe files are installed on the computer as well as the Os2srv.exe and Mmtask.exe files, which along with the Sud.exe and Index.exe files are run as services."
 

Shintaro

Moderator
Joined
Mar 1, 2012
Messages
2,134
Reaction score
252
Welcome to the W7 forums.

I will try to help as much as I can.

Please start by updating:

lmimirr.sys Wed Apr 11 08:32:45 2007 (461C108D)
RemotelyAnywhere Mirror Miniport Driver or LogMeIn Mirror Miniport Driver
http://www.carrona.org/drivers/driver.php?id=lmimirr.sys
It's an interesting statement, but I am only interested in getting the machine working correctly.
 
Joined
Sep 17, 2012
Messages
10
Reaction score
0
I have removed the LogMeIn stuff already, but I'm not sure where that is being referenced. How do I clean LogMeIn off completely? Is that what's causing this? I only tried to get LogMeIn on there as a temporary fix while I got all the remote desktop stuff working, which was obviously a bad idea.
 
Joined
Sep 17, 2012
Messages
10
Reaction score
0
Read up here: http://support.microsoft.com/kb/294728

"This behavior can occur if you downloaded the Backdoor.NTHack virus from a remote host into your computer. This virus is initiated by the Dl.bat file in the InetPub\Scripts folder.

As a result, both the Firedaemon.exe and Sud.exe files are installed on the computer as well as the Os2srv.exe and Mmtask.exe files, which along with the Sud.exe and Index.exe files are run as services."

I don't have any of those files on my computer, so I don't think that's it.
 

Shintaro

Moderator
Joined
Mar 1, 2012
Messages
2,134
Reaction score
252
If you can, please upload the latest crash dump files.
 
Joined
Sep 17, 2012
Messages
10
Reaction score
0
Here's the latest dump. I got rid of all references to services that were remnants of the LogMeIn stuff.
By saying I removed the references, I removed them from the ControlSet entries in Registry Editor.

I renamed the .dll files in the system32 folder as well.
 

Shintaro

Moderator
Joined
Mar 1, 2012
Messages
2,134
Reaction score
252
Sorry, are you running a debug build in a production environment?
 
Joined
Sep 17, 2012
Messages
10
Reaction score
0
I'm not sure I'd call this a production environment. Kind of staging. Is that build really the issue?
 

Shintaro

Moderator
Joined
Mar 1, 2012
Messages
2,134
Reaction score
252
Well yes, if it is production we need to be very careful about changes. But if you say it is staging, then enable driver verifier.

(Borrowed from Zigzag3143 posts)
Driver verifier
Using Driver Verifier is an iffy proposition. Most times it'll crash and it'll tell you what the driver is. But sometimes it'll crash and won't tell you the driver. Other times it'll crash before you can log in to Windows. If you can't get to Safe Mode, then you'll have to resort to offline editing of the registry to disable Driver Verifier.

So, I'd suggest that you first back up your stuff and then make sure you've got access to another computer so you can contact us if problems arise.
Then make a System Restore point (so you can restore the system using the Vista/Win7 Startup Repair feature).

Then, here's the procedure:

  1. Go to Start and type in "verifier" (without the quotes) and press Enter
  2. Select "Create custom settings (for code developers)" and click "Next"
  3. Select "Select individual settings from a full list" and click "Next"
  4. Select everything EXCEPT FOR "Special Pool", "Force Pending I/O Requests" and "Low Resource Simulation" and click "Next"
  5. Select "Select driver names from a list" and click "Next"
  6. Then select all drivers NOT provided by Microsoft and click "Next"
  7. Select "Finish" on the next page.


  • Reboot the system and wait for it to crash to the Blue Screen.
  • Continue to use your system normally, and if you know what causes the crash, do that repeatedly.
  • The objective here is to get the system to crash because Driver Verifier is stressing the drivers out.

If it doesn't crash for you, then let it run for at least 36 hours of continuous operation.

Reboot into Windows (after the crash) and turn off Driver Verifier by going back in and selecting "Delete existing settings" on the first page, then locate and zip up the memory dump file and upload it with your next post.

If you can't get into Windows because it crashes too soon, try it in Safe Mode.
If you can't get into Safe Mode, try using System Restore from your installation DVD to set the system back to the previous restore point that you created.
Let us know how you go.
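
The Driver Verifier procedure in the post above can also be applied from an elevated prompt with verifier.exe. The script below is an added example, not part of the original thread: it is written for PowerShell 2.0 (the Server 2008 R2 default), enables every check except Special Pool, Force Pending I/O Requests and Low Resource Simulation, and targets running drivers whose file version info does not name Microsoft. The `-Apply` switch and the CompanyName-based filter are assumptions of this example; the bit values are the `verifier /flags` option bits for Windows 7 / Server 2008 R2.

```powershell
# Added example: command-line equivalent of the GUI Driver Verifier steps.
# Dry run by default; pass -Apply from an elevated prompt to write the settings.
param([switch]$Apply)

# verifier /flags bits, omitting Special Pool (0x001),
# Low Resource Simulation (0x004) and Force Pending I/O Requests (0x200).
$checks = @{
    'Force IRQL checking'  = 0x002
    'Pool tracking'        = 0x008
    'I/O verification'     = 0x010
    'Deadlock detection'   = 0x020
    'DMA checking'         = 0x080
    'Security checks'      = 0x100
    'IRP logging'          = 0x400
    'Miscellaneous checks' = 0x800
}
$flags = 0
foreach ($bit in $checks.Values) { $flags = $flags -bor $bit }   # 3514 (0xDBA)

# Running kernel drivers whose image does not carry a Microsoft CompanyName.
# Drivers with no version info at all are treated as third-party.
$thirdParty = @(Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''   # strip a leading \??\
        if (Test-Path -LiteralPath $path) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            if ($company -notmatch 'Microsoft') { Split-Path $path -Leaf }
        }
    } | Sort-Object -Unique)

if ($thirdParty.Count -eq 0) {
    Write-Output 'No third-party drivers found; nothing to verify.'
    return
}

$verifierArgs = @('/flags', $flags, '/driver') + $thirdParty
Write-Output ('verifier ' + ($verifierArgs -join ' '))

if ($Apply) {
    & verifier.exe $verifierArgs
    Write-Output 'Settings saved. Reboot for Driver Verifier to take effect.'
}

# Check what is active:          verifier /querysettings
# Turn it off after the crash:   verifier /reset   (then reboot)
```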
 
Joined
Sep 17, 2012
Messages
10
Reaction score
0
I did run this before, but it didn't crash when I was running it so I turned it off. If it crashes, where does the memory dump file go to? Same windows\minidumps folder? I'll go turn this on and go see if I can make it crap out. It usually craps out when someone logs off a remote desktop session.
 

Shintaro

Moderator
Joined
Mar 1, 2012
Messages
2,134
Reaction score
252
Unless it has been changed it should be c:\windows\minidump.
 
Joined
Sep 17, 2012
Messages
10
Reaction score
0
OK, so here's the minidumps with verifier on.

FYI, it's super easy to get it to BSOD. I just have multiple users remote desktop in, and then have one of them log off. Triggered it both times.
 

Attachments
