Exchange Server 2013–0xEF BSOD

Lately I have seen a couple of incidents where Exchange Server 2013 machines would blue screen periodically. All the BSODs had the same bugcheck code, 0xEF.

From WinDBG help:

0: kd> !analyze -show 0xEF
CRITICAL_PROCESS_DIED (ef)
        A critical system process died
Arguments:
Arg1: 0000000000000000, Process object or thread object
Arg2: 0000000000000000, If this is 0, a process died. If this is 1, a thread died.
Arg3: 0000000000000000
Arg4: 0000000000000000

So in this case we know that something killed a critical part of the operating system. From the bugcheck code in one of the dumps:

0: kd> .bugcheck
Bugcheck code 000000EF
Arguments fffffa80`30e39200 00000000`00000000 00000000`00000000 00000000`00000000

0: kd> !process fffffa8030e39200 0
GetPointerFromAddress: unable to read from fffff802c9775000
PROCESS fffffa8030e39200
    SessionId: none  Cid: 01e0    Peb: 7f74e02f000  ParentCid: 018c
    DirBase: 108e0c000  ObjectTable: fffff8a0019a9600  HandleCount: <Data Not Accessible>
    Image: wininit.exe

We now know that something terminated WININIT. When the dump is opened in WinDBG, !thread displays the current thread:

0: kd> !thread
GetPointerFromAddress: unable to read from fffff802c9775000
THREAD fffffa803a4146c0  Cid 05c8.a370  Teb: 000007f5ff496000 Win32Thread: fffff90100751010 RUNNING on processor 0
Not impersonating
GetUlongFromAddress: unable to read from fffff802c9694cf0
Owning Process            fffffa8031941080       Image:        msexchangerepl
Attached Process          N/A            Image:         N/A
fffff78000000000: Unable to get shared data
Wait Start TickCount      79453518    
Context Switch Count      295            IdealProcessor: 0            
ReadMemory error: Cannot get nt!KeMaximumIncrement value.

It points to a thread from the MSExchangeRepl service. Dumping the stack shows the process termination call:

0: kd> k
Child-SP          RetAddr           Call Site
fffff880`0b2f49a8 fffff802`c99a165d nt!KeBugCheckEx
fffff880`0b2f49b0 fffff802`c9938e7e nt!PspCatchCriticalBreak+0xad
fffff880`0b2f49f0 fffff802`c98ae7a1 nt! ?? ::NNGAKEGL::`string'+0x4aba4
fffff880`0b2f4a50 fffff802`c98b45d6 nt!PspTerminateProcess+0x6d
fffff880`0b2f4a90 fffff802`c9476453 nt!NtTerminateProcess+0x9e
fffff880`0b2f4b00 000007fa`b5ee2eaa nt!KiSystemServiceCopyEnd+0x13
00000000`2442e5d8 00000000`00000000 0x000007fa`b5ee2eaa

 

So now we know that MSExchangeRepl called nt!NtTerminateProcess. At this point your time with WinDBG is done. The good thing is that all of this information can be obtained from a minidump. Now we have to check Exchange Server for what could possibly be causing this BSOD, and you guessed right if you said Managed Availability.
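
The WinDBG steps above condensed into a small triage script, as an added example that is not part of the original post: it reads saved debugger output (here the transcript from this post, trimmed to the lines it uses) and reports which critical process died and which process owned the thread that issued the terminate call. The function and key names are illustrative.

```python
import re

# Debugger output taken from the transcript in this post, trimmed to the lines the parser reads.
TRANSCRIPT = r"""0: kd> .bugcheck
Bugcheck code 000000EF
Arguments fffffa80`30e39200 00000000`00000000 00000000`00000000 00000000`00000000
0: kd> !process fffffa8030e39200 0
PROCESS fffffa8030e39200
    Image: wininit.exe
0: kd> !thread
THREAD fffffa803a4146c0  Cid 05c8.a370  Teb: 000007f5ff496000 Win32Thread: fffff90100751010 RUNNING on processor 0
Owning Process            fffffa8031941080       Image:        msexchangerepl
0: kd> k
fffff880`0b2f49a8 fffff802`c99a165d nt!KeBugCheckEx
fffff880`0b2f49b0 fffff802`c9938e7e nt!PspCatchCriticalBreak+0xad
fffff880`0b2f4a50 fffff802`c98b45d6 nt!PspTerminateProcess+0x6d
fffff880`0b2f4a90 fffff802`c9476453 nt!NtTerminateProcess+0x9e
fffff880`0b2f4b00 000007fa`b5ee2eaa nt!KiSystemServiceCopyEnd+0x13
"""

def _find(pattern, text):
    m = re.search(pattern, text, re.S)
    return m.group(1) if m else None

def triage_0xef(text):
    """Summarise a CRITICAL_PROCESS_DIED transcript: what died and which process caused it."""
    code = _find(r"Bugcheck code ([0-9A-Fa-f]+)", text)
    if code is None or int(code, 16) != 0xEF:
        return None  # not a 0xEF dump, nothing to summarise
    args = [int(a.replace("`", ""), 16) for a in _find(r"Arguments (.+?)\n", text).split()]
    frames = set(re.findall(r"\bnt!(\w+)", text))
    return {
        # Arg2: 0 means a process died, 1 means a thread died (per !analyze -show 0xEF)
        "died": "thread" if args[1] == 1 else "process",
        # Image name from the !process block whose address equals Arg1
        "victim": _find(rf"PROCESS\s+{args[0]:016x}\b.*?Image:\s*(\S+)", text),
        # Process owning the thread that was current when the bugcheck was raised
        "caller": _find(r"Owning Process\s+\S+\s+Image:\s+(\S+)", text),
        # True when the stack holds both the terminate system call and the critical-break check
        "terminate_syscall": {"NtTerminateProcess", "PspCatchCriticalBreak"} <= frames,
    }

if __name__ == "__main__":
    print(triage_0xef(TRANSCRIPT))
```

A `caller` that differs from `victim` together with `terminate_syscall` set to true is the pattern this post describes: another process asked the kernel to terminate a critical one.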

Run the following PowerShell command from KB 2883203:

(Get-WinEvent -LogName Microsoft-Exchange-ManagedAvailability/* | % {[XML]$_.toXml()}).event.userData.eventXml | ?{$_.ActionID -like "*ForceReboot*"} | ft RequesterName

It will show you the requester that issued the reboot, and you start your Exchange troubleshooting from there.

Good hunt,

Alessandro

About smartwindows

Support professional for Microsoft technologies with interest in Performance and Debugging

One Response to Exchange Server 2013–0xEF BSOD

  1. Stuart Rowe says:

    Alessandro – We’ve just seen this happen in Exchange 2016 CU1! Haven’t had my customer run the PS command yet, or apply CU2 or CU3 (I know the issue of bad default D:\ paths for some components has returned with CU3).
