0

We have a quite urgent issue, where company old SBS server BSOD's right before presenting the logon screen.

I ran the mini-dumps via the WinDbg, and got following output:

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, Process
Arg2: fe39ad88, Terminating object
Arg3: fe39aeec, Process image file name
Arg4: e094c7c4, Explanatory message (ascii)

Debugging Details:
------------------

unable to get nt!KiCurrentEtwBufferOffset
unable to get nt!KiCurrentEtwBufferBase
<Failed to Read Entire ETW Buffer (expected 0, read 0)>
PROCESS_OBJECT: fe39ad88

IMAGE_NAME:  csrss.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: csrss

FAULTING_MODULE: 00000000 

PROCESS_NAME:  csrss.exe

EXCEPTION_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".

BUGCHECK_STR:  0xF4_IOERR

CUSTOMER_CRASH_COUNT:  5

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

CURRENT_IRQL:  0

STACK_TEXT:  
f4a0b4e8 e094b927 000000f4 00000003 fe39ad88 nt!KeBugCheckEx+0x1b
f4a0b50c e094c86c e094c7c4 fe39ad88 fe39aeec nt!PspCatchCriticalBreak+0x75
f4a0b53c feb35fa6 ffffffff c0000006 f4a0b58c nt!NtTerminateProcess+0x7a
WARNING: Frame IP not in any known module. Following frames may be wrong.
00000000 f000e81a f000e2c3 f000e81a f000e81a 0xfeb35fa6
00000000 00000000 f000e2c3 f000e81a f000e81a 0xf000e81a


STACK_COMMAND:  kb

FOLLOWUP_NAME:  MachineOwner

FAILURE_BUCKET_ID:  0xF4_IOERR_IMAGE_csrss.exe

BUCKET_ID:  0xF4_IOERR_IMAGE_csrss.exe

Followup: MachineOwner
---------

From the dump it seems as problem in driver, but I can't just get what driver responsible for this.

I will appreciate any hint what could be the culprit, or how to hunt for one.

Thanks!

mattdm
  • 6,600
  • 1
  • 26
  • 48
SyRenity
  • 3,179
  • 11
  • 57
  • 79

2 Answers2

2

Call Microsoft PSS and get professional help. Move to backup hardware, unless obviouly "important" is something people realize now. I would say the problem is some disc based problem. Image IO errors indicate something is bad reading from disc, on a critical moment. WHich would mean - rebuild machine using backup.

TomTom
  • 51,649
  • 7
  • 54
  • 136
  • By image IO you mean error reading from csrss.exe itself, or from anything additional stored on disk? The system running on RAID1 which looks fine. Any idea if replacing csrss.exe from backup will help? – SyRenity Jan 25 '11 at 17:52
  • No idea. Never had that. Seems like a CSRSS load error. And a Raid 1 that - obviously - did not protect. – TomTom Jan 25 '11 at 18:10
  • Keep the original binary image for `csrss.exe` is all I can say. Rename it and drag and drop one from backup, but consider there will have been possible updates to the binary or dependent binaries a la Windows Update. You could create an even more messed up machine through version mismatching. – songei2f Jan 25 '11 at 18:45
  • While this was not a full solution, pin-pointing the problem as disk related helped us during repair procedure (BSOD during repair, removed a suspected disk from RAID, re-run repair again and viola). – SyRenity Jan 27 '11 at 21:46
2

It looks to be csrss.ese which is causing the problem. Csrss.exe is the Client/Server Runtime Subsystem and is (as the debug states) critical to the system. Have you tried starting Windows in Safe Mode or starting it using the Last Known Good configuration?

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • Safe mode is working good, but we need full mode to at least be able to migrate domain data and email boxes to a new machine. Last known good doesn't help. We now trying to disable any service or driver we can think of, without much luck so far. – SyRenity Jan 25 '11 at 17:51
  • 2
    Since it's booting in Safe Mode it's likely a driver or boot-start service problem. Start disabling services and drivers and you'll find the culprit. – Evan Anderson Jan 25 '11 at 17:59