I received this dump files from our customer. Unfortunately there seem to be something wrong with dump file itself and I had a bit of trouble getting necessary information from it.
Computer in trouble:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_rtm.070216-1710
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af9c8
Debug session time: Wed Oct 31 11:46:37.968 2007 (GMT+1)
System Uptime: 0 days 0:01:33.781
Error reported by the computer:
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
!analyze –v returns following information
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP: fw+288aebf66b6aeb 0c8b or al,0x8b
FAULTING_SOURCE_CODE:
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: fw+288aeb
MODULE_NAME: fw
IMAGE_NAME: fw.sys <-- It looks like fw.sys driver is causing problems
DEBUG_FLR_IMAGE_TIMESTAMP: 45214c7f
FAILURE_BUCKET_ID: 0x8E_fw+288aeb
BUCKET_ID: 0x8E_fw+288aeb
Followup: MachineOwner
STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong.808a3600 80839b02 00000000 0000000e 00000000 intelppm+0x2ca2
808a3604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa
Let's take a look at registers
0: kd> r
eax=6029c494 ebx=ffdffee0 ecx=ffdffee0 edx=00000041 esi=ffdffec0 edi=867edd70
eip=f75d9ca2 esp=808a35e4 ebp=808a3600 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
intelppm+0x2ca2:f75d9ca2 01895104fbf4 add [ecx+0xf4fb0451],ecx ds:0023:f4db0331=????????
I am not sure if this is actual dump file problem or something else. Analysis it stating that fw.sys caused the problem, but in STACK_TEXT and in registers we can spotintelppm+0x2ca2 (intelppm.sys driver). intelppm.sys is Microsoft's Processor Device Driver... :-). OK. Let's say I am willing to give benefit of the doubt to WinDBG... :-)
Let's get some more information about fw.sys
0: kd> lm v m fw*
start end module name
f642e000 f69ceb20 fw (no symbols)
Loaded symbol image file: fw.sys
Image path: fw.sys
Image name: fw.sys
Timestamp: Mon Oct 02 19:29:35 2006 (45214C7F) <-- Coult be a bit old...
CheckSum: 005ACF67
ImageSize: 005A0B20
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
And for intelppm.sys
0: kd> lm v m intel*
start end module name
f75d7000 f75e6000 intelppm T (no symbols)
Loaded symbol image file: intelppm.sys
Image path: intelppm.sys
Image name: intelppm.sys
Timestamp: unavailable (FFFFFFFE) <-- Hmmm... ?
CheckSum: missing <-- Hmmm; This shouldn't be missing
ImageSize: 0000F000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
fw.sys driver belongs to Check Point firewall.
I checked for any updates on Chek Point's website and knowledgebase where they do list few problems/solutions related to fw.sys and blue screens. Unfortunately Check Point seemed to have some connectivity problems between their front end and backend servers and I was not able to see any solutions... At this point I turned the case over to our in house Check Point experts... :-)