Bsod windows server 2012

Ntoskrnl.exe, short for NT Operating System Kernel, is like the brain of your Windows server. It oversees everything, from running software to handling system resources and hardware in virtual and regular environments.

If it has a problem or goes missing, the system can’t function properly, and in most cases, you’ll get a blue screen of death (BSoD), which forces a reboot.

Картинка с сайта: www.fortect.com

If your organization runs Windows Server 2012 R2, a BSoD can be particularly troublesome as it can knock out the whole network.

I first encountered this error on a virtual terminal server, which is less serious, but diagnosing and fixing the problem is the same regardless of the system. Here’s everything you need to know.

Why does Ntoskrnl.exe cause a BSoD on Windows Server 2012 R2?

There are several reasons why this type of blue screen error can occur. It usually boils down to system file corruption within the Windows Server OS, which happened to me during a bad Windows update, but driver problems are also common. Generally, these are the underlying causes:

• Corrupted System Files – Windows Server comprises many backend files that make the system function. If any of these are deleted or corrupted, including ntoskrnl.exe and others, it can lead to the executable failing and displaying the BSoD. Corruption can happen due to malware infections, incomplete or interrupted updates, accidental deletion, or unexpected power outages.
• Driver Problems – Outdated, corrupt, or incompatible device drivers can lead to Ntoskrnl.exe BSoD errors. This is more likely if the blue screen error uses the term pointer, a technical term related to drivers. For example, you may see: REFERENCE_BY_POINTER 0x18 ntoskrnl.exe+16395d
• Virtualization Issues – If you’re using virtual servers like Hyper-V, issues within the virtualization environment can lead to Ntoskrnl.exe BSoD errors. Ensure that your virtualization software and configurations are correctly set up and up to date.
• Hardware Issues – Incompatible or failing hardware components, such as RAM, hard drives, or graphics cards, can cause crashes. For example, a disk could have bad sectors causing corruption, or you could have faulty RAM modules or incorrect memory configurations. Because Ntoskrnl.exe communicates with hardware, it can express itself as a BSoD.
• Power Supply Issues – Insufficient or unstable power supply to your server can affect hardware and server processes.
• Windows Updates – Sometimes, updates or patches from Microsoft may conflict with your server’s configuration, causing BSoD errors.

Step-by-step fixes for Ntoskrnl.exe BSoD on Windows Server 2012 R2

Fixing your Windows server and Ntoskrnl.exe can be difficult if you don’t know the cause, but following each of these steps will bring things back to life. If you can boot into the server, it’s always a good idea to scan for malware and perform Windows and virtualization updates before proceeding with the other fixes.

1. Check Hardware

For a physical server, power it off, open the machine, and check if all the RAM and other hardware components are properly seated and connected to the motherboard.

It’s also worth checking for proper ventilation. I.e., no dust buildup and fans working properly.

2. Run System File Checker

The System File Checker can be accessed in the boot recovery environment if you can’t get into the system or by opening the Command Prompt from the server’s desktop.

This native Windows utility scans for and replaces corrupted or missing system files, such as Ntoskrnl.exe itself and related files.

1. Find the Command Prompt option in the recovery environment or type CMD into the Windows start menu search bar and run as admin.

Картинка с сайта: www.fortect.com

2. Type sfc /scannow and hit Enter.

3. Wait for the process to complete, which may involve an automatic reboot.

3. Run DISM

Another native utility is the Deployment Image Service and Management Tool. This too helps fix the Windows server file system. In the Command Prompt, type the following command:

DISM /Online /Cleanup-Image /Restorehealth

Картинка с сайта: www.fortect.com

4. Run CHKDSK

Check Disk (CHKDSK) is an in-built Windows tool used to check your server’s hard disk for errors. If there are bad sectors or other issues, this can lead to Ntoskrnl.exe and other system file corruption.

Картинка с сайта: www.fortect.com

1. Open the Command Prompt and type the following command (use the correct drive letter if you do not use a C drive for the Windows installation): chkdsk C: /f

2. The F in the command instructs the tool to reboot and attempt to fix any errors.

3. Wait for the results, but be aware that serious issues, like a full hard drive failure that may require you to backup data and replace the entire disk.

5. Run Startup Repair

If you can’t boot into the server at all, it’s a bit more complicated than a regular Windows OS, as there is no standalone startup repair for BSoD. However, if you have a boot disc or bootable media, which can be downloaded and put on to a drive, you can repair Windows Server.

1. Insert your boot disc or USB drive.

2. If it doesn’t automatically take you to the setup screen, reboot and keep pressing F8.

Картинка с сайта: www.fortect.com

3. Once at the startup menu, press Shift + F10 to open the Command Prompt. Here, you can run any of the previous utilities.

4. To run startup repair, type the following command: bootrec /scanos

Картинка с сайта: www.fortect.com

5. Once it finds your Windows installation, type the following command to fix boot issues: bootrec /fixboot

6. Update Drivers

1. Identify the Drivers to Update

Before updating drivers, determine which drivers need to be updated. You can check the device manager for devices with outdated or problematic drivers. Right-click on the Start button and select Device Manager.

2. Visit the manufacturer’s website for the hardware component you want to update. Download the latest drivers for Windows Server 2012 R2. Ensure that you choose drivers specifically designed for this operating system.

3. Once you’ve downloaded the updated drivers, open Device Manager. Right-click on the device you want to update and select Update driver.

Картинка с сайта: www.fortect.com

4. Browse to the location where you saved the downloaded drivers and follow the on-screen instructions to install the updated driver.

5. Windows Server 2012 R2 can also automatically search for and update drivers through Windows Update. To enable this feature, open Server Manager, click on Configure this local server, and under Windows Update, click on Not configured.

6. Select Install updates automatically (recommended). Windows will now check for driver updates through Windows Update.

7. Run Windows Memory Diagnostic

Ntoskrnl.exe is required for Windows memory processes, so troubleshooting RAM with the can detect any problems.

1. Press the Windows key and type Windows Memory Diagnostic.

2. Click the Restart now and check for problems option.

Картинка с сайта: www.fortect.com

3. Wait for the scan to finish. Your server will restart and provide a summary of results when Windows loads.

5. You may need to replace or repair faulty RAM before you can run Windows Server 2012 in a stable manner.

8. Use a Windows Repair Tool

A Windows repair suite like Fortect applies many of the same built-in tools mentioned above under one interface, along with lots of extras.

1. Download and Install Fortect on your Windows server.

Картинка с сайта: www.fortect.com

2. Launch Fortect and Start Scanning. It will perform a system-wide analysis, checking for issues in the Windows registry and corrupted system files related to Ntoskrnl.exe BSoD problems. It quickly detects errors by comparing your system to its database of healthy Windows components.

Картинка с сайта: www.fortect.com

3. Click on Start Repair to replace any corrupted or missing files with clean versions from Fortect.

4. Restart Windows Server after the repair and scan process is complete.

Fortect is also useful because it gives a system and hardware summary, which can inform you if any hardware isn’t recognized or the system is overheating.

Conclusion

A Blue Screen of Death is not just a minor inconvenience as it can disrupt your workflow and lead to potential data loss. Fortect offers a comprehensive solution to diagnose and fix BSoD issues related to ntoskrnl.exe, ensuring your system’s stability without compromising your data.

I do a lot of virtual machines Save, and hardly reboot my VMs. So for the past weeks, my Windows 8.1 host did a lot of Windows Updates. Then yesterday I had to reboot one of my VMs named SP1 and I got Blue Screen of Death at the boot screen. I became curious and restarted SQL1, DC1, then ROUTER1. They all had the same Blue Screen of Death: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (WppRecorder.sys). Ok, now I’m panicking…I could rebuild the virtual machines using PowerShell that I described in previous post, but it would take hours to re-install SQL Server 2014, SharePoint 2013, etc. I find bits and pieces from the Internet, but not a comprehensive solution, so here is my solution to fixing all my virtual machines without rebuilding the virtual machines. Hopefully this will help someone in similar situation.

This is the dreaded BSOD that hit all my Windows Server 2012 R2 virtual machines after restarting the VMs:

Картинка с сайта: zeddylabs.com

1. First of all, according to MSDN Blue Screen Code Reference, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED is usually caused by not enough disk space + drivers problem. So the first thing you need to do is Delete all VM CheckPoints to enable you to Edit the VHDX Disk.

Картинка с сайта: zeddylabs.com

Once you deleted all CheckPoints, Edit the Disk and choose Expand (add 10 GB more):

2. Now start your virtual machine. It will show the BSOD 2-3 times, but eventually it will go to the Recovery Menu. From here you can select Command Prompt, choose Local Administrator and type the password for it. Now we need to use the command-line DiskPart to extend the volume and claim the extra space. The commands are:
diskpart
list volume
select volume 0
extend
list volume


Make sure when you select volume, the number 0 is the C: where your Windows is installed:

Картинка с сайта: zeddylabs.com

3. While we’re trying to fix the disk issue, might as well run chkdsk to fix some filesystem links that could be broken, type this command:
chkdsk /r c:

Картинка с сайта: zeddylabs.com

4. So we took care of the “not enough free space” problem, now we need to solve the WppRecorder.sys or other .sys driver problem. Type this command:
c:\windows\system32\compact.exe /U c:\windows\system32\drivers\*.sys

This command will uncompress those *.sys drivers that were compressed due to space-saving. In my case there were 84 .sys drivers that were compressed, so maybe during the boot-up, Windows was trying to uncompress some drivers but then there was not enough hard disk space? Could be.

Картинка с сайта: zeddylabs.com

5. Finally, we need to run System File Checker to fix any corrupted windows .DLL, run this command
sfc /scannow

Картинка с сайта: zeddylabs.com

6. Next we need to go to Safe Mode with Command Prompt to type one last command that will disable .SYS compression for space-saving sake feature

Картинка с сайта: zeddylabs.com

Картинка с сайта: zeddylabs.com

And type this last command in Safe Mode with Command Prompt:
fsutil behavior set DisableCompression 1

7. Finally Reboot to Normal mode and voila! Your virtual machine is back from the dreaded Blue Screen of Death 🙂

Привет

В продакшине есть сервер dell poweredge r720xd с windows server 2012 datacenter edition, он забсодил после того как я отправил виртуальную машину в ребут.

интересное из мини дампа:
Технические характеристики kd>! analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

DRIVER_CORRUPTED_EXPOOL (c5)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is

caused by drivers that have corrupted the system pool. Run the driver

verifier against any new (or suspect) drivers, and if that doesn’t turn up

the culprit, then use gflags to enable special pool.

Arguments:

Arg1: 000000000000f6c8, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000000, value 0 = read operation, 1 = write operation

Arg4: fffff8016a28be15, address which referenced memory

Debugging Details:

— *** WARNING: Unable to verify timestamp for Vid.sys

*** ERROR: Module load completed but symbols could not be loaded for Vid.sys

BUGCHECK_STR: 0xC5_2

CURRENT_IRQL: 2

FAULTING_IP:

nt!ExDeferredFreePool+1b5

fffff801`6a28be15 49394208 cmp qword ptr [r10+8],rax

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT_SERVER

PROCESS_NAME: vmwp.exe

TRAP_FRAME: fffff8800e6a9fb0 — (.trap 0xfffff8800e6a9fb0)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=fffffa80629cc6d0 rbx=0000000000000000 rcx=fffffa80629cc6c0

rdx=fffffa80626d3d60 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8016a28be15 rsp=fffff8800e6aa140 rbp=fffff8800e6aa1b8

r8=fffffa80629cc6e0 r9=0000000000000000 r10=000000000000f6c0

r11=0000000000000001 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei ng nz na po nc

nt!ExDeferredFreePool+0x1b5:

fffff801`6a28be15 49394208 cmp qword ptr [r10+8],rax ds:00000000`0000f6c8=????????????????

Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8016a096369 to fffff8016a097040

STACK_TEXT:

fffff880`0e6a9e68 fffff801`6a096369: 00000000`0000000a 00000000`0000f6c8 00000000`00000002 00000000`00000000: nt!KeBugCheckEx

fffff880`0e6a9e70 fffff801`6a094be0: 00000000`00000000 00000000`00000000 00000000`00000000 fffff880`0e6a9fb0: nt!KiBugCheckDispatch+0x69

fffff880`0e6a9fb0 fffff801`6a28be15: 00000000`0001453e 00000000`00000000 00000000`00014600 fffffa80`60c47c78: nt!KiPageFault+0x260

fffff880`0e6aa140 fffff801`6a28ab48: fffff880`00000000 fffffa80`680cbac0 fffffa80`636db870 fffff880`00800008: nt!ExDeferredFreePool+0x1b5

fffff880`0e6aa1d0 fffff801`6a0dcc71: fffffa80`680cbad0 0000001d`f5615fff fffffa80`dee2d980 fffffa80`76706d4d: nt!ExFreePoolWithTag+0xb39

fffff880`0e6aa2b0 fffff801`6a483c5b: 00000000`00000000 fffff700`0003b000 0000001d`f5610000 00000000`00000001: nt!MiFreePhysicalView+0x51

fffff880`0e6aa2e0 fffff801`6a0dcac0: fffffa80`dee2d980 fffffa80`7151fb00 fffffa80`680969b0 fffffa80`dee2d980: nt!MiRemoveVadCharges+0x12b

fffff880`0e6aa320 fffff801`6a0fbe54: fffffa80`680969b0 fffffa80`69592d10 fffffa80`6db99320 00000000`00000000: nt!MiFinishVadDeletion+0x1d0

fffff880`0e6aa390 fffff801`6a1492da: fffffa80`680969b0 00000000`00000000 fffffa80`6a55cd70 0000001d`f5610000: nt!MiUnmapVad+0xf4

fffff880`0e6aa3f0 fffff880`0501637f: 00000000`00000000 00000000`00000000 0000001d`f480f270 fffffa80`70875d80: nt!MiUnmapLockedPagesInUserSpace+0xfa

fffff880`0e6aa420 00000000`00000000: 00000000`00000000 0000001d`f480f270 fffffa80`70875d80 fffff880`0e6aa600: Vid+0x1637f

STACK_COMMAND: kb

FOLLOWUP_IP:

nt!ExDeferredFreePool+1b5

fffff801`6a28be15 49394208 cmp qword ptr [r10+8],rax

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: nt!ExDeferredFreePool+1b5

FOLLOWUP_NAME: Pool_corruption

IMAGE_NAME: Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP: 0

MODULE_NAME: Pool_Corruption

BUCKET_ID_FUNC_OFFSET: 1b5

FAILURE_BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool

BUCKET_ID: 0xC5_2_nt!ExDeferredFreePool

Followup: Pool_corruption

есть идеи в каком направлении копать?