Windows Server 2008 R2 STD BSOD crash reason

Are you implying you have a kernel/full dump from the client in hand? I personally am not sure how I can help you, as I especially am unfamiliar with .NET debugging. I only know enough to get WinDBG set up for it and to traverse managed callstacks, but I have no .NET experience to enable me to debug further. If you need help setting up WinDBG for .NET debugging I can lead you through that (since it's usually a pain in the butt to do).
 
Well, if it would point me to the exact place in the code that causes the issue, then it's worth a try.
About the dump - if "the client" would create a "shared screen" meeting, would that help?
 
I'm not confident with doing such, especially since I feel there are policy restrictions here that would prevent that. If the client is willing to meet up with you on this that would of course be at their discretion. It'd be better off that way, as we're dealing with a company environment here and they shouldn't be sharing something like that with just anyone.

Concerning .NET debugging on Windbg, it boils down to getting the proper .NET debugging extension (sos.dll) and the associated mscorwks.dll/clr.dll variant. They both have to be version matched, because every .NET version (even hotfixed) is different, so you most certainly will need to grab these from the .NET installation on the victim machine that has been generating the crashdumps. Once these are placed, either in the appropriate .NET directory on your debugging system or the Windbg parent directory (I think this'll work), then you should be able to run SOS extension commands in Windbg (!analyze -v output will also change to reflect .NET managed code). Remember to use the appropriate x86/x64 Windbg depending on whether the crashdump contains a 32-bit or 64-bit .NET environment.

Here's an example I have from debugging (attempting to) an x86 .NET application hang and eventual unhandled exception error for a genetic scanner application:

Code:
0:000> .loadby sos mscorwks
0:000> !analyze -v
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\triage\oca.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\winxp\triage.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\triage\user.ini, error 2
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Module load completed but symbols could not be loaded for GCScanner.exe
*** WARNING: Unable to verify checksum for mscorlib.ni.dll
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\triage\guids.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x86\triage\modclass.ini, error 2

FAULTING_IP: 
+0
00000000 ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 00000000
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  0000140c

PROCESS_NAME:  GCScanner.exe

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  gcscanner.exe

MANAGED_STACK: !dumpstack -EE
OS Thread Id: 0x140c (0)
Current frame: 
ChildEBP RetAddr  Caller,Callee
0012f800 047512d7 (MethodDesc 0x1104490 +0x97 <Module>.Affymetrix.AGCCInstrumentInterface.ICJOInterface.SendEmail(Affymetrix.AGCCInstrumentInterface.ICJOInterface*, Int32, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*))

BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS_NOSOS

PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS_NOSOS

DEFAULT_BUCKET_ID:  WRONG_SYMBOLS_NOSOS

LAST_CONTROL_TRANSFER:  from 7e419418 to 7c90e514

STACK_TEXT:  
0012f52c 7e419418 7e42770a 00040140 00000000 ntdll!KiFastSystemCallRet
0012f564 7e4249c4 000502f2 00040140 00000001 user32!NtUserWaitMessage+0xc
0012f58c 7e43a956 7e410000 00220e78 00040140 user32!InternalDialogBox+0xd0
0012f84c 7e43a2bc 0012f9a8 00000000 ffffffff user32!SoftModalMessageBox+0x938
0012f99c 7e4663fd 0012f9a8 00000028 00040140 user32!MessageBoxWorker+0x2ba
0012f9f4 7e4664a2 00040140 00248910 045b8f48 user32!MessageBoxTimeoutW+0x7a
0012fa28 7e450877 00040140 006af988 006a9e30 user32!MessageBoxTimeoutA+0x9c
0012fa48 7e45082f 00040140 006af988 006a9e30 user32!MessageBoxExA+0x1b
0012fa64 7863fddb 00040140 006af988 006a9e30 user32!MessageBoxA+0x45
0012fab0 7867cc9f 00040140 006af988 006a9e30 mfc90!AfxCtxMessageBoxA+0x48
0012fbf0 7867cb73 00420530 006af988 00000010 mfc90!CWinApp::ShowAppMessageBox+0x120
0012fc08 00405dc8 006af988 00000010 00000000 mfc90!CWinApp::DoMessageBox+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fc3c 004050f6 00000007 006aa1a8 0012fcf8 GCScanner+0x5dc8
0012fc4c 7863bcf7 00000007 00000000 82096549 GCScanner+0x50f6
0012fcf8 7863ba49 00000520 00000007 00000000 mfc90!CWnd::OnWndMsg+0x287
0012fd18 7863a63d 00000520 00000007 00000000 mfc90!CWnd::WindowProc+0x24
0012fd80 7863a8c9 00000000 00040140 00000520 mfc90!AfxCallWndProc+0xa3
0012fda4 786385b3 00040140 00000520 00000007 mfc90!AfxWndProc+0x37
0012fde8 7e418734 00040140 00000520 00000007 mfc90!AfxWndProcBase+0x56
0012fe14 7e418816 7863855d 00040140 00000520 user32!InternalCallWinProc+0x28
0012fe7c 7e4189cd 00161e70 7863855d 00040140 user32!UserCallWinProcCheckWow+0x150
0012fedc 7e4196c7 00160ad8 00000001 0012ff1c user32!DispatchMessageWorker+0x306
0012feec 7867a867 00160ad8 00000000 00420530 user32!DispatchMessageA+0xf
0012fefc 7867aeee 00420530 00420530 ffffffff mfc90!AfxInternalPumpMessage+0x40
0012ff1c 786471e8 00420b50 0015234c 00000000 mfc90!CWinThread::Run+0x5b
0012ff30 00412845 00400000 00000000 0015234c mfc90!AfxWinMain+0x6a
0012ffc0 7c817077 00380037 00350039 7ffd7000 GCScanner+0x12845
0012fff0 00000000 004129c5 00000000 78746341 kernel32!BaseProcessStart+0x23


STACK_COMMAND:  ~0s; .ecxr ; kb

FOLLOWUP_IP: 
mfc90!AfxCtxMessageBoxA+48
7863fddb 8945e4          mov     dword ptr [ebp-1Ch],eax

SYMBOL_STACK_INDEX:  9

SYMBOL_NAME:  mfc90!AfxCtxMessageBoxA+48

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: mfc90

IMAGE_NAME:  mfc90.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4dad06e0

FAILURE_BUCKET_ID:  WRONG_SYMBOLS_NOSOS_80000003_mfc90.dll!AfxCtxMessageBoxA

BUCKET_ID:  APPLICATION_FAULT_WRONG_SYMBOLS_NOSOS_mfc90!AfxCtxMessageBoxA+48

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/GCScanner_exe/3_2_3_1515/4ea0b1a1/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1

Followup: MachineOwner
---------

0:000> !dumpstack -EE
OS Thread Id: 0x140c (0)
Current frame: 
ChildEBP RetAddr  Caller,Callee
0012f800 047512d7 (MethodDesc 0x1104490 +0x97 <Module>.Affymetrix.AGCCInstrumentInterface.ICJOInterface.SendEmail(Affymetrix.AGCCInstrumentInterface.ICJOInterface*, Int32, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*))
0:000> !dumpstack
OS Thread Id: 0x140c (0)
Current frame: ntdll!KiFastSystemCallRet
ChildEBP RetAddr  Caller,Callee
0012f52c 7e419418 user32!NtUserWaitMessage+0xc
0012f530 7e42770a user32!DialogBox2+0x1fd, calling user32!NtUserWaitMessage
0012f564 7e4249c4 user32!InternalDialogBox+0xd0, calling user32!DialogBox2
0012f58c 7e43a956 user32!SoftModalMessageBox+0x938, calling user32!InternalDialogBox
0012f648 79eddfaf mscorwks!StubLinker::~StubLinker+0x20, calling mscorwks!_EH_epilog3
0012f64c 79eddfcd mscorwks!StubLinkerCPU::~StubLinkerCPU+0x1d, calling mscorwks!_EH_epilog3
0012f678 79e90dbb mscorwks!MethodDesc::GetTemporaryEntryPoint+0x46, calling mscorwks!MethodDesc::GetMethodDescFromStubAddr
0012f6a4 7c9100b8 ntdll!RtlpFreeToHeapLookaside+0x22, calling ntdll!RtlpInterlockedPushEntrySList
0012f6b0 7c910041 ntdll!RtlFreeHeap+0x1e9, calling ntdll!RtlpFreeToHeapLookaside
0012f6b8 7c91005d ntdll!RtlFreeHeap+0x647, calling ntdll!_SEH_epilog
0012f6c8 79e806b8 mscorwks!MethodDesc::DoPrestub+0x517, calling mscorwks!_EH_epilog3
0012f6f8 7c91005d ntdll!RtlFreeHeap+0x647, calling ntdll!_SEH_epilog
0012f6fc 79e72445 mscorwks!MemoryReport::ContextScope::ContextScope+0x5f, calling mscorwks!__security_check_cookie
0012f708 78583c3a msvcr90!free+0xec, calling msvcr90!_SEH_epilog4
0012f71c 79e80828 mscorwks!PreStubWorker+0x141, calling mscorwks!_EH_epilog3
0012f728 79eeb952 mscorwks!RunML+0x47, calling mscorwks!MemoryReport::ContextScope::ContextScope
0012f738 79e73fed mscorwks!StackingAllocator::Collapse+0x1e, calling mscorwks!StackingAllocator::Clear
0012f750 79e79954 mscorwks!_EH_epilog3_catch_GS+0xa, calling mscorwks!__security_check_cookie
0012f754 79e9782c mscorwks!CleanupWorkList::Cleanup+0x7f4, calling mscorwks!_EH_epilog3_catch_GS
0012f76c 7c910222 ntdll!RtlpAllocateFromHeapLookaside+0x42, calling ntdll!_SEH_epilog
0012f798 7c910222 ntdll!RtlpAllocateFromHeapLookaside+0x42, calling ntdll!_SEH_epilog
0012f79c 7c91019b ntdll!RtlAllocateHeap+0x1c2, calling ntdll!RtlpAllocateFromHeapLookaside
0012f7a0 7c9101db ntdll!RtlAllocateHeap+0xeac, calling ntdll!_SEH_epilog
0012f7e4 010fbd69 010fbd69, calling ntdll!RtlGetLastWin32Error
0012f800 047512d7 (MethodDesc 0x1104490 +0x97 <Module>.Affymetrix.AGCCInstrumentInterface.ICJOInterface.SendEmail(Affymetrix.AGCCInstrumentInterface.ICJOInterface*, Int32, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*, std.basic_string<char,std::char_traits<char>,std::allocator<char> >*)), calling 0110fb0c
0012f81c 7e42934b user32!IsWindow+0x44, calling user32!_SEH_epilog
0012f84c 7e43a2bc user32!MessageBoxWorker+0x2ba, calling user32!SoftModalMessageBox
0012f878 79e71b4c mscorwks!CallDescrWorker+0x33
0012f898 79e71b4c mscorwks!CallDescrWorker+0x33
0012f8a4 79e74438 mscorwks!CrstBase::Leave+0xab, calling mscorwks!_EH_epilog3
0012f8a8 79e802a5 mscorwks!EELeaveCriticalSection+0xb, calling mscorwks!CrstBase::Leave
0012f8b0 79e8969e mscorwks!CallDescrWorkerWithHandler+0xa3, calling mscorwks!CallDescrWorker
0012f8d0 7863ba49 mfc90!CWnd::WindowProc+0x24
0012f904 7c9177c4 ntdll!RtlDeactivateActivationContext+0x17d, calling ntdll!RtlpFreeActivationContextStackFrame
0012f92c 78639166 mfc90!CThreadLocalObject::GetData+0x7d, calling mfc90!_EH_epilog3
0012f930 7863869a mfc90!AfxGetModuleThreadState+0x16, calling mfc90!CThreadLocalObject::GetData
0012f938 7863a784 mfc90!afxMapHWND+0x71, calling mfc90!_EH_epilog3
0012f954 7863a691 mfc90!AfxCallWndProc+0xf7, calling mfc90!_EH_epilog3
0012f958 7863a8c9 mfc90!AfxWndProc+0x37, calling mfc90!AfxCallWndProc
0012f970 7c80a73d kernel32!DeactivateActCtx+0x31, calling ntdll!RtlDeactivateActivationContext
0012f980 786387a3 mfc90!AFX_MAINTAIN_STATE2::~AFX_MAINTAIN_STATE2+0x1c, calling mfc90!AfxDeactivateActCtx
0012f98c 786385c3 mfc90!AfxWndProcBase+0x66, calling mfc90!AFX_MAINTAIN_STATE2::~AFX_MAINTAIN_STATE2
0012f99c 7e4663fd user32!MessageBoxTimeoutW+0x7a, calling user32!MessageBoxWorker
0012f9f4 7e4664a2 user32!MessageBoxTimeoutA+0x9c, calling user32!MessageBoxTimeoutW
0012fa28 7e450877 user32!MessageBoxExA+0x1b, calling user32!MessageBoxTimeoutA
0012fa48 7e45082f user32!MessageBoxA+0x45, calling user32!MessageBoxExA
0012fa64 7863fddb mfc90!AfxCtxMessageBoxA+0x48, calling user32!MessageBoxA
0012fab0 7867cc9f mfc90!CWinApp::ShowAppMessageBox+0x120, calling mfc90!AfxCtxMessageBoxA
0012fb48 7c9101db ntdll!RtlAllocateHeap+0xeac, calling ntdll!_SEH_epilog
0012fb4c 78583db8 msvcr90!malloc+0x79
0012fb5c 785569ed msvcr90!memcpy_s+0x4a, calling msvcr90!memcpy
0012fb78 7862f9d9 mfc90!ATL::CSimpleStringT<char,1>::Fork+0x4f, calling msvcr90!memcpy_s
0012fb88 7862f9e9 mfc90!ATL::CSimpleStringT<char,1>::Fork+0x5f, calling mfc90!ATL::CStringData::Release
0012fb9c 785569ed msvcr90!memcpy_s+0x4a, calling msvcr90!memcpy
0012fbb8 78640061 mfc90!ATL::CSimpleStringT<char,1>::Append+0x6d, calling msvcr90!memcpy_s
0012fbc0 78638e57 mfc90!CThreadSlotData::GetThreadValue+0x3e, calling ntdll!RtlLeaveCriticalSection
0012fbd4 78639166 mfc90!CThreadLocalObject::GetData+0x7d, calling mfc90!_EH_epilog3
0012fbf0 7867cb73 mfc90!CWinApp::DoMessageBox+0x14, calling mfc90!CWinApp::ShowAppMessageBox
0012fc08 00405dc8 GCScanner+0x5dc8, calling mfc90!AfxMessageBox
0012fc3c 004050f6 GCScanner+0x50f6, calling GCScanner+0x5cf0
0012fc4c 7863bcf7 mfc90!CWnd::OnWndMsg+0x287
0012fc90 7c9100b8 ntdll!RtlpFreeToHeapLookaside+0x22, calling ntdll!RtlpInterlockedPushEntrySList
0012fc9c 7c910041 ntdll!RtlFreeHeap+0x1e9, calling ntdll!RtlpFreeToHeapLookaside
0012fca4 7c91005d ntdll!RtlFreeHeap+0x647, calling ntdll!_SEH_epilog
0012fcb4 7752aee1 ole32!CServerSecurity::`scalar deleting destructor'+0x28, calling ole32!CServerSecurity::operator delete
0012fcd8 77601b36 ole32!ComInvokeWithLockAndIPID+0x3aa
0012fcf8 7863ba49 mfc90!CWnd::WindowProc+0x24
0012fd18 7863a63d mfc90!AfxCallWndProc+0xa3
0012fd54 78639166 mfc90!CThreadLocalObject::GetData+0x7d, calling mfc90!_EH_epilog3
0012fd58 7863869a mfc90!AfxGetModuleThreadState+0x16, calling mfc90!CThreadLocalObject::GetData
0012fd60 7863a784 mfc90!afxMapHWND+0x71, calling mfc90!_EH_epilog3
0012fd80 7863a8c9 mfc90!AfxWndProc+0x37, calling mfc90!AfxCallWndProc
0012fda4 786385b3 mfc90!AfxWndProcBase+0x56, calling mfc90!AfxWndProc
0012fde8 7e418734 user32!InternalCallWinProc+0x28
0012fe14 7e418816 user32!UserCallWinProcCheckWow+0x150, calling user32!InternalCallWinProc
0012fe64 7e429165 user32!GetParent+0x68, calling user32!_SEH_epilog
0012fe7c 7e4189cd user32!DispatchMessageWorker+0x306, calling user32!UserCallWinProcCheckWow
0012fec4 7867a93a mfc90!AfxInternalPreTranslateMessage+0x5c, calling mfc90!CWnd::GetTopLevelParent
0012fedc 7e4196c7 user32!DispatchMessageA+0xf, calling user32!DispatchMessageWorker
0012feec 7867a867 mfc90!AfxInternalPumpMessage+0x40, calling user32!DispatchMessageA
0012fefc 7867aeee mfc90!CWinThread::Run+0x5b
0012ff1c 786471e8 mfc90!AfxWinMain+0x6a
0012ff30 00412845 GCScanner+0x12845, calling GCScanner+0x13400
0012ffc0 7c817077 kernel32!BaseProcessStart+0x23

This particular instance just shows the current running thread which dealt with postmortem stuff like sending an email of the error and whatnot. Nothing particularly interesting, but it does show the SOS extension working. I'm not sure why it says NOSOS and WRONG_SYMBOLS in the bucket id when this particular sos and mscorwks are matched properly and are loaded, otherwise it'd fail the load. I think it just has to do with the lack of symbols for the scanner dlls.

You'll want to review this to get the lowdown on all the extension commands from SOS for Windbg. Other articles I've come across real quick that explain things are this, this and this, though I know there's plenty more (.NET debugging in Windbg is pretty commonplace).
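
The STACK_TEXT in the post above mixes symbolized frames (`module!function+offset`) with bare `module+offset` frames from GCScanner, the module for which the output reports that symbols could not be loaded. As an added example (not part of the original post), this Python script parses kb-style x86 frames and lists the modules that resolved without symbols; the function names are made up for this example and the sample lines are copied from the output above.

```python
import re

# Constructed sample: STACK_TEXT lines copied from the !analyze -v output above.
SAMPLE = """\
0012fa64 7863fddb 00040140 006af988 006a9e30 user32!MessageBoxA+0x45
0012fc08 00405dc8 006af988 00000010 00000000 mfc90!CWinApp::DoMessageBox+0x14
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fc3c 004050f6 00000007 006aa1a8 0012fcf8 GCScanner+0x5dc8
0012fc4c 7863bcf7 00000007 00000000 82096549 GCScanner+0x50f6
0012fcf8 7863ba49 00000520 00000007 00000000 mfc90!CWnd::OnWndMsg+0x287
0012ffc0 7c817077 00380037 00350039 7ffd7000 GCScanner+0x12845
0012fff0 00000000 004129c5 00000000 78746341 kernel32!BaseProcessStart+0x23
"""

# x86 kb-style frame: ChildEBP, RetAddr, three argument words, then the symbol.
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S.*)$")
# "module!function+0xoff" when symbols resolved, "module+0xoff" when they did not.
SYMBOL = re.compile(r"^([^!+\s]+)(?:!(.+?))?(?:\+0x([0-9a-f]+))?$")
UNWIND_WARNING = "WARNING: Stack unwind information not available"


def parse_stack_text(text):
    """Return one dict per frame; frames after the unwind warning are flagged."""
    frames, suspect = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(UNWIND_WARNING):
            suspect = True  # the debugger says later frames may be wrong
            continue
        frame = FRAME.match(line)
        symbol = SYMBOL.match(frame.group(3)) if frame else None
        if not symbol:
            continue  # banner, blank line, or a format this parser does not cover
        module, function, offset = symbol.groups()
        frames.append({"child_ebp": frame.group(1), "module": module,
                       "function": function, "offset": int(offset or "0", 16),
                       "unwind_suspect": suspect})
    return frames


def unsymbolized_modules(frames):
    """Map each module that appears without a function name to its offsets."""
    result = {}
    for f in frames:
        if f["function"] is None:
            result.setdefault(f["module"], []).append(f["offset"])
    return result


if __name__ == "__main__":
    for module, offsets in unsymbolized_modules(parse_stack_text(SAMPLE)).items():
        print(module, [hex(o) for o in offsets])
```
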
 
