question

chaps-0125 asked dstaulcu commented

BSOD Page Fault in Non Paged Area using SysInternals Sysmon V11

Hi All



We have recently been getting BSODs on our Windows Server 2016 servers. We have had Sysmon V11 installed and running since September, but for the last few days we have been getting BSODs saying Page Fault in Non Paged Area, and the mini dump shows Sysmondrv.sys as the faulting bucket.



This only seems to affect Server 2016, and our Server 2012 R2 servers don't seem to have this. Another issue we are seeing is that this seems to cause pagefile issues where, after the restart, Windows will create a new pagefile, showing a corruption in the existing one. It's not until we remove the pagefile and restart that it is OK, until the subsequent reboot.

As these are Prod servers, we are anxious to get this sorted ASAP.



Hopefully someone can assist.



A little bit of info

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffc2082219a0e8, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff800a3d7b380, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)


FAULT_INSTR_CODE: c085d88b

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: SysmonDrv+1e9f

MODULE_NAME: SysmonDrv

IMAGE_NAME: SysmonDrv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 5ea6fa67

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 1e9f

FAILURE_BUCKET_ID: AV_R_INVALID_SysmonDrv!unknown_function

BUCKET_ID: AV_R_INVALID_SysmonDrv!unknown_function

PRIMARY_PROBLEM_CLASS: AV_R_INVALID_SysmonDrv!unknown_function

windows-sysinternals-sysmon

Does the problem still occur after upgrading to sysmon v12.03? Many issues have been addressed since v11.0.


0 Votes 0 ·

Hi dstaulcu

Since it's a production system, we have to follow change control and created an emergency change. We upgraded to V11.10 first and then found we had a memory leak on that version, which caused high memory usage on our servers in the space of 12 hours. We subsequently upgraded to V11.11, which resolved the memory leak, and are monitoring the situation for now.

We do plan to upgrade to V12.03; however, we need to review our configuration files first, as V12 does have some functionality which we would like to incorporate.

0 Votes 0 ·

Here is a list of release notes I have scraped from Sysinternals blog entries.

I do not represent the Sysinternals team. I'm just another implementer keeping a close eye on forums to make sure I am not contributing to deployment of unstable code versions. Version 10.42 had a long shelf life for me. Version 12.03 is new and unproven but is where your problematic host needs to be to maximize the possibility of help from the Sysinternals team through memory dump analysis.

0 Votes 0 ·

0 Answers