question

YatMingLo-3992 avatar image
0 Votes"
YatMingLo-3992 asked TeemoTang-MSFT commented

Remote session VM reboot automatically with BugCheck error - Windows Server 2016

88992-event-id-1001.jpg



As title, our RD VM faced this problem twice with same bugcheck error.
It is a VM with Windows Server 2016. I've searched this error and found some case, but it won't like mine.
So I use WinDbg to analyst the dump with this accident, get the result as below:
Can anyone help me to identify the error and advise any suggestion? Thanks.

5: kd> !analyze -v



  •                      Bugcheck Analysis                                    *
    



MEMORY_MANAGEMENT (1a)
# Any other values for parameter 1 must be individually examined.
Arguments:
Arg1: 0000000000004477, A driver tried to write to an unallocated address in the
user space of the system process. Parameter 2 contains the
address of the attempted write.
Arg2: 0000000651cfe9d0
Arg3: 0000000000000000
Arg4: 0000000000000000

Debugging Details:




KEY_VALUES_STRING: 1

 Key  : Analysis.CPU.mSec
 Value: 1874

 Key  : Analysis.DebugAnalysisManager
 Value: Create

 Key  : Analysis.Elapsed.mSec
 Value: 13988

 Key  : Analysis.Init.CPU.mSec
 Value: 1483

 Key  : Analysis.Init.Elapsed.mSec
 Value: 30074

 Key  : Analysis.Memory.CommitPeak.Mb
 Value: 86

 Key  : WER.OS.Branch
 Value: rs1_release

 Key  : WER.OS.Timestamp
 Value: 2020-08-05T13:27:00Z

 Key  : WER.OS.Version
 Value: 10.0.14393.3866


VIRTUAL_MACHINE: VMware

BUGCHECK_CODE: 1a

BUGCHECK_P1: 4477

BUGCHECK_P2: 651cfe9d0

BUGCHECK_P3: 0

BUGCHECK_P4: 0

PROCESS_NAME: System

TRAP_FRAME: ffffde80806a5540 -- (.trap 0xffffde80806a5540)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000090 rbx=0000000000000000 rcx=0000000651cfe9f0
rdx=ffffaa80cbf3a9c4 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80ac6ec35af rsp=ffffde80806a56d8 rbp=ffffde80806a57a0
r8=0000000000000010 r9=0000000000000004 r10=ffffc0815eeef4d0
r11=0000000651cfe9d0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
rdpdr+0x35af:
fffff80a`c6ec35af 660f7f41e0 movdqa xmmword ptr [rcx-20h],xmm0 ds:00000006`51cfe9d0=????????????????????????????????
Resetting default scope

STACK_TEXT:
ffffde80`806a5278 fffff802`ba8d1904 : 00000000`0000001a 00000000`00004477 00000006`51cfe9d0 00000000`00000000 : nt!KeBugCheckEx
ffffde80`806a5280 fffff802`ba8d031f : 00000000`00000002 ffffc081`4cc99600 ffffde80`806a54a8 00000000`00000000 : nt!MiResolvePageTablePage+0x694
ffffde80`806a5340 fffff802`ba9ea661 : ffffc081`504fd940 00000000`000000ff ffffc081`00000001 ffffc081`4f314d78 : nt!MmAccessFault+0x61f
ffffde80`806a5540 fffff80a`c6ec35af : fffff80a`c6eeaeee fffff80a`c6ecc000 fffff80a`c6eeb868 ffffc081`60dc7cc0 : nt!KiPageFault+0x321
ffffde80`806a56d8 fffff80a`c6eeaeee : fffff80a`c6ecc000 fffff80a`c6eeb868 ffffc081`60dc7cc0 00000000`00000000 : rdpdr+0x35af
ffffde80`806a56e0 fffff80a`c6eeb432 : ffffc081`64cd5470 fffff802`00000090 00000000`00000090 ffffde80`806a58d0 : rdpdr+0x2aeee
ffffde80`806a5760 fffff80a`c6ee8ded : 00000000`000000a4 00000000`00000005 ffffde80`806a58d0 ffffde80`806a58d0 : rdpdr+0x2b432
ffffde80`806a57d0 fffff80a`c6ee8d2b : ffffc081`5eae42e0 ffffc081`59d12d70 fffff80a`c6ecc000 ffffc081`66e6556b : rdpdr+0x28ded
ffffde80`806a5820 fffff80a`c6ed93a9 : fffff802`babb8702 ffffc081`5eae42e0 ffffc081`5eae42e0 fffff802`ba8a7500 : rdpdr+0x28d2b
ffffde80`806a5850 fffff80a`c6ed8b96 : 00000000`00000001 ffffc081`66e65450 ffffde80`806a59b9 ffffc081`5eae42e0 : rdpdr+0x193a9
ffffde80`806a58d0 fffff802`ba8e5992 : ffffc081`66e65450 00000000`00000000 00000000`7246704e 00000000`000000f0 : rdpdr+0x18b96
ffffde80`806a5900 fffff80a`c749b042 : ffffaa87`0ec16140 ffffaa87`0ec161e8 00000000`00000000 fffff802`baca7900 : nt!IopfCompleteRequest+0x112
ffffde80`806a5a20 fffff80a`c4833172 : ffffc081`4da2edf0 fffff802`00000c80 00000000`000000a4 ffffaa87`1dc39380 : Npfs!NpFsdRead+0x202
ffffde80`806a5ad0 fffff80a`c6ed5c0b : 00000000`00000000 00000000`00000003 ffffc081`6409a802 00000000`00000202 : FLTMGR!FltpDispatch+0xe2
ffffde80`806a5b30 fffff80a`c6ec259a : ffffc081`6409a860 ffffc081`00000c80 00000000`00000000 fffff802`00000000 : rdpdr+0x15c0b
ffffde80`806a5bc0 fffff802`ba98a1cd : ffffc081`5050d080 00000000`00000080 fffff80a`c6ec24d0 ffffc081`4f314cf0 : rdpdr+0x259a
ffffde80`806a5c10 fffff802`ba9e4836 : ffffde80`7c058180 ffffc081`5050d080 fffff802`ba98a18c 00000000`00000000 : nt!PspSystemThreadStartup+0x41
ffffde80`806a5c60 00000000`00000000 : ffffde80`806a6000 ffffde80`806a0000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16


SYMBOL_NAME: rdpdr+35af

MODULE_NAME: rdpdr

IMAGE_NAME: rdpdr.sys

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 35af

FAILURE_BUCKET_ID: 0x1a_4477_rdpdr!unknown_function

OS_VERSION: 10.0.14393.3866

BUILDLAB_STR: rs1_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {a9de405d-a06e-b156-1e3d-083f7440b64d}

Followup: MachineOwner


windows-server-2016
event-id-1001.jpg (46.8 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

YatMingLo-3992 avatar image
0 Votes"
YatMingLo-3992 answered TeemoTang-MSFT commented

Thanks for your reply, I've been running SFC /Scannow at affected VM and it did repaired something but not related rdpdr.sys
Our system is not quite up to date, but we planning to upgrade it later.

During we have other 2 VM's upgrade also not up to date as same as affected VM so I didn't think this is the root cause.
Except this, any other suggestion?

Appreciated for your help.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Run DISM /Online /Cleanup-Image /RestoreHealth command firstly, the run sfc /scannow command.
In-place upgrade is a good way to fix system related issue, you could use clean ISO file for upgrade

0 Votes 0 ·
TeemoTang-MSFT avatar image
0 Votes"
TeemoTang-MSFT answered

rdpdr.sys is OS built-in file which is stored at C:\Windows\System32\drivers.
Please open CMD with admin permission, using SFC /SCANNOW to repair system files.

After command executed complete, check for updates, make sure system is up to date.


If the Answer is helpful, please click "Accept Answer" and upvote it.
Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.