I have a problem with a virtual Windows Server 2008 R2 SP1 server running within VMware. The server is running Citrix and also has Symantec Endpoint Protection installed. It randomly crashes and goes to BSOD.
Investigating the event log didn't yield any useful information about the cause of the crash. I ran Windows debug and generated the report shown below. Apparently it points to a failed driver. The problem is I can't pinpoint what driver is causing it. I'm wondering if anyone can offer some help.
----------
## Bugcheck Analysis ##
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff9600008744d, Address of the instruction which caused the bugcheck
Arg3: fffff88007ba3de0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------
Page 125923 not present in the dump file. Type ".hh dbgerr004" for details
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
win32k!xxxInternalInvalidate+7d
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8
CONTEXT: fffff88007ba3de0 -- (.cxr 0xfffff88007ba3de0)
rax=0000000000000000 rbx=0000000000010485 rcx=0000000000000000
rdx=0000000000000b02 rsi=0000000000000000 rdi=0000000000000000
rip=fffff9600008744d rsp=fffff88007ba47c0 rbp=0000000000000000
r8=0000000000010485 r9=0000000000000000 r10=fffff900000004c0
r11=fffff900c26eac30 r12=0000000000000000 r13=0000000000000001
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
win32k!xxxInternalInvalidate+0x7d:
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8 ds:002b:00000000`00000032=??
Resetting default scope
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x3B
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff960001351a2 to fffff9600008744d
STACK_TEXT:
fffff880`07ba47c0 fffff960`001351a2 : 00000000`00000000 00000000`00000040 fffffa80`0678d330 00000000`00000000 : win32k!xxxInternalInvalidate+0x7d
fffff880`07ba4840 fffff960`001352a2 : fffffa80`0678d330 00000000`00000000 fffff880`07ba4ca0 fffffa80`06109ab0 : win32k!xxxInternalUserChangeDisplaySettings+0x486
fffff880`07ba4900 fffff960`001330e3 : 00000000`00000000 00000000`00000000 fffff900`c0f9ead0 fffff900`00000040 : win32k!xxxUserChangeDisplaySettings+0x92
fffff880`07ba49f0 fffff960`00115cba : 00000000`00000001 00000000`00aff960 00000000`00000000 ffffffff`ffffffff : win32k!xxxRemoteReconnect+0x6d7
fffff880`07ba4bf0 fffff800`016d9ed3 : fffffa80`06f66b00 fffff880`07ba4ca0 00000000`00000000 00000000`00000000 : win32k!NtUserCallOneParam+0x4e
fffff880`07ba4c20 000007fe`fd1b2aea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00aff918 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000007fe`fd1b2aea
FOLLOWUP_IP:
win32k!xxxInternalInvalidate+7d
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: win32k!xxxInternalInvalidate+7d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 50e64bda
STACK_COMMAND: .cxr 0xfffff88007ba3de0 ; kb
FAILURE_BUCKET_ID: X64_0x3B_win32k!xxxInternalInvalidate+7d
BUCKET_ID: X64_0x3B_win32k!xxxInternalInvalidate+7d
Followup: MachineOwner
---------
This looks like the issue described in the following KB article:
https://support.microsoft.com/en-us/kb/2359223
"0x0000003B" Stop error occurs in Windows Server 2008 R2 and in Windows 7 when an application or a service performs a GUI-related operation
The reason I think it is the issue described in the hotfix is that it specifically calls out the win32k.sys driver. Also, the CSRSS.exe process, which also shows up in the dump, is used in inter-process communication between user-mode GUI operations and the kernel, which is also indicative of the issue described in the hotfix (reference: https://en.wikipedia.org/wiki/Client/Server_Runtime_Subsystem).
I would recommend applying the hotfix in the KB article and monitoring to see if the stop errors continue.
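An added example, not part of the original posts: a Python sketch that pulls the fields used for this kind of triage out of an `!analyze -v` report (bugcheck code, faulting image, process name, modules on the stack, and the data address the faulting instruction touched). The function names and the 64 KB NULL-offset threshold are assumptions of this example; the sample is an excerpt of the output quoted in the question.

```python
import re

# Excerpt of the `!analyze -v` output quoted in the question above.
SAMPLE = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff9600008744d, Address of the instruction which caused the bugcheck
fffff960`0008744d f6473208 test byte ptr [rdi+32h],8 ds:002b:00000000`00000032=??
PROCESS_NAME: csrss.exe
STACK_TEXT:
fffff880`07ba47c0 fffff960`001351a2 : 00000000`00000000 00000000`00000040 fffffa80`0678d330 00000000`00000000 : win32k!xxxInternalInvalidate+0x7d
fffff880`07ba49f0 fffff960`00115cba : 00000000`00000001 00000000`00aff960 00000000`00000000 ffffffff`ffffffff : win32k!xxxRemoteReconnect+0x6d7
fffff880`07ba4c20 000007fe`fd1b2aea : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`00aff918 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x000007fe`fd1b2aea
IMAGE_NAME: win32k.sys
"""

ACCESS_VIOLATION = 0xC0000005   # NTSTATUS STATUS_ACCESS_VIOLATION
NULL_REGION_END = 0x10000       # assumption: addresses below 64 KB are NULL-pointer offsets


def _field(text, key):
    m = re.search(rf"^{key}:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def triage(text):
    """Pull the triage-relevant fields out of an `!analyze -v` report."""
    out = {"process_name": _field(text, "PROCESS_NAME"),
           "image_name": _field(text, "IMAGE_NAME")}
    m = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    out["bugcheck"] = (m.group(1), int(m.group(2), 16)) if m else None
    out["args"] = [int(a, 16) for a in re.findall(r"^Arg\d: ([0-9a-fA-F]+)", text, re.M)]
    # Data address touched by the faulting instruction, e.g. ds:002b:00000000`00000032=??
    m = re.search(r"\b[c-gs]s:[0-9a-f]{4}:([0-9a-f`]+)=", text)
    out["fault_addr"] = int(m.group(1).replace("`", ""), 16) if m else None
    # For bugcheck 0x3B, Arg1 is the exception code; flag access violations near NULL.
    out["null_deref"] = (bool(out["args"]) and out["args"][0] == ACCESS_VIOLATION
                         and out["fault_addr"] is not None
                         and out["fault_addr"] < NULL_REGION_END)
    # Last column of each STACK_TEXT row is module!symbol+offset; raw addresses have no '!'
    frames = re.findall(r"^[0-9a-f`]+ [0-9a-f`]+ : .* : (\S+)$", text, re.M)
    out["modules"] = list(dict.fromkeys(f.split("!")[0] for f in frames if "!" in f))
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the quoted report this flags an access violation at offset 0x32 from a zero `rdi` inside win32k.sys, in the context of csrss.exe, with only Microsoft modules (win32k, nt) on the resolved stack.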