Determine which driver cause blue screen.

PiotrIrPiotrIr Member Posts: 236
Hi,
Could you help me to find which driver causes the problem please? I have two IIS servers (the same hardware – DL380 G5 and drivers) based on Windows Server 2008 SP1 in NLB cluster. They have been working fine for 1.5 year without any problems. Last month one of the crushed and rebooted, since then it is working fine. Unfortunately yesterday second one did exactly the same. Their memory.dmp files are similar. I can see that the problem is in driver (obviously I may be wrong in my analyse – if so please advise) however I don’t know how to check which driver cause it.

Could you help me to find it please?

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 48, {950fc008, 8fb66ff1, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!IoCancelIrp+73 )

Followup: MachineOwner

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

CANCEL_STATE_IN_COMPLETED_IRP (4icon_cool.gif
This bugcheck indicates that an I/O Request Packet (IRP) that is to be
cancelled, has a cancel routine specified in it -- meaning that the packet
is in a state in which the packet can be cancelled -- however, the packet
no longer belongs to a driver, as it has entered I/O completion. This is
either a driver bug, or more than one driver is accessing the same packet,
which is not likely and much more difficult to find. The cancel routine
parameter will provide a clue as to which driver or stack is the culprit.
Arguments:
Arg1: 950fc008, Pointer to the IRP
Arg2: 8fb66ff1, Cancel routine set by the driver.
Arg3: 00000000
Arg4: 00000000

Debugging Details:


DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x48

PROCESS_NAME: w3wp.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 81c82297 to 81c6e72f

STACK_TEXT:
8f5d1be4 81c82297 950fc008 95027dd8 00000000 nt!IoCancelIrp+0x73
8f5d1c18 81e38234 8800a168 88ffad90 00000000 nt!IopCancelIrpsInFileObjectList+0xb3
8f5d1c74 81e3310a 88ffad90 8800a168 00100081 nt!IopCloseFile+0x409
8f5d1cc4 81e32f9a 88ffad90 0041ed40 00100081 nt!ObpDecrementHandleCount+0x146
8f5d1d14 81e32cad 9e33fa70 9bc6d500 88ffad90 nt!ObpCloseHandleTableEntry+0x234
8f5d1d44 81e33530 88ffad90 a7a89901 a7a89901 nt!ObpCloseHandle+0x73
8f5d1d58 81c9997a 00000280 0019f9cc 76f79a94 nt!NtClose+0x20
8f5d1d58 76f79a94 00000280 0019f9cc 76f79a94 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0019f9cc 00000000 00000000 00000000 00000000 0x76f79a94


STACK_COMMAND: kb

FOLLOWUP_IP:
nt!IoCancelIrp+73
81c6e72f 8a442414 mov al,byte ptr [esp+14h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!IoCancelIrp+73

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 48d1b7e8

FAILURE_BUCKET_ID: 0x48_nt!IoCancelIrp+73

BUCKET_ID: 0x48_nt!IoCancelIrp+73

Followup: MachineOwner
Sign In or Register to comment.