I used windbg to analyze this .dmp but I am not getting much out of it. I would appreciated any assistance. This is a server that seems to Blue screen at random times while trying to backup to a local USB drive. This is the full memory dump (not the minidump) but still does not look complete (the other ones I have seen while researching this have a lot more data associated with them). I see the faulting address is 808107f8 but I don't know what that maps to.

Thank you in advance


Microsoft (R) Windows Debugger Version 6.6.0007.5 Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [D:\Digi_data\Cases\2095_Loram\memory.dmp]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: D:\Download\Microsoft\Symbols Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS Built by: 3790.srv03_sp1_rtm.050324-1447 Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8 Debug session time: Fri Mar 9 19:51:20.765 2007 (GMT-6) System Uptime: 1 days 9:49:16.426 Loading Kernel Symbols .................................................. .................................................. ................................
Loading User Symbols

Loading unloaded module list
....
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 808107f8, f78d6c1c, f78d6918}

Probably caused by : ntkrpamp.exe ( nt!CcDeleteSharedCacheMap+fe )

Followup: MachineOwner
---------

3: kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 808107f8, The address that the exception occurred at
Arg3: f78d6c1c, Exception Record Address
Arg4: f78d6918, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!CcDeleteSharedCacheMap+fe
808107f8 8b38 mov edi,dword ptr [eax]

EXCEPTION_RECORD: f78d6c1c -- (.exr fffffffff78d6c1c)
ExceptionAddress: 808107f8 (nt!CcDeleteSharedCacheMap+0x000000fe)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000002
Attempt to read from address 00000002

CONTEXT: f78d6918 -- (.cxr fffffffff78d6918)
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=8b9eae40 edi=00000002
eip=808107f8 esp=f78d6ce4 ebp=f78d6d08 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!CcDeleteSharedCacheMap+0xfe:
808107f8 8b38 mov edi,dword ptr [eax] ds:0023:00000002=????????
Resetting default scope

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000002

BUGCHECK_STR: 0x7E

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER: from 8080fd97 to 808107f8

STACK_TEXT:
f78d6d08 8080fd97 00000001 808a3ff0 8bfa70d8 nt!CcDeleteSharedCacheMap+0xfe f78d6d40 80812502 8cf61a80 808ae5c0 8cf5a0d8 nt!CcWriteBehind+0x359 f78d6d80 8087f925 8cf5a0d8 00000000 8cf61a80 nt!CcWorkerThread+0x12c f78d6dac 80948bb2 8cf5a0d8 00000000 00000000 nt!ExpWorkerThread+0xeb f78d6ddc 8088d4d2 8087f83a 00000000 00000000 nt!PspSystemThreadStartup+0x2e 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


FOLLOWUP_IP:
nt!CcDeleteSharedCacheMap+fe
808107f8 8b38 mov edi,dword ptr [eax]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt!CcDeleteSharedCacheMap+fe

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrpamp.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42435b14

STACK_COMMAND: .cxr 0xfffffffff78d6918 ; kb

FAILURE_BUCKET_ID: 0x7E_nt!CcDeleteSharedCacheMap+fe

BUCKET_ID: 0x7E_nt!CcDeleteSharedCacheMap+fe

Followup: MachineOwner
---------

More dumps would help as they are often most informative in comparison.

From a first glance on the above there was a memory issue.

Most other dumps you see here are from XP. This might have a bearing on the layout. I will load a dump on my XP 64 bit which is also detected as 2003 server just to verify that.

More dumps please.

This is the only other dump I have so far and thanks in advance for your help.


Microsoft (R) Windows Debugger Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [D:\Digi_data\Cases\2095_Loram\mini030907-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: D:\Download\Microsoft\Symbols
Executable search path is:
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Mar 9 19:51:20.765 2007 (GMT-6)
System Uptime: 1 days 9:49:16.426
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Loading Kernel Symbols
.................................................. .................................................. ................................
Loading User Symbols
Loading unloaded module list
....
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 808107f8, f78d6c1c, f78d6918}

Probably caused by : ntkrnlpa.exe ( nt!CcInitializeCacheMap+34c )

Followup: MachineOwner
---------

3: kd> !analyze -v
************************************************** *****************************
* *
* Bugcheck Analysis *
* *
************************************************** *****************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 808107f8, The address that the exception occurred at
Arg3: f78d6c1c, Exception Record Address
Arg4: f78d6918, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!CcInitializeCacheMap+34c
808107f8 8b38 mov edi,dword ptr [eax]

EXCEPTION_RECORD: f78d6c1c -- (.exr fffffffff78d6c1c)
ExceptionAddress: 808107f8 (nt!CcInitializeCacheMap+0x0000034c)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000002
Attempt to read from address 00000002

CONTEXT: f78d6918 -- (.cxr fffffffff78d6918)
eax=00000002 ebx=00000000 ecx=00000000 edx=00000000 esi=8b9eae40 edi=00000002
eip=808107f8 esp=f78d6ce4 ebp=f78d6d08 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!CcInitializeCacheMap+0x34c:
808107f8 8b38 mov edi,dword ptr [eax] ds:0023:00000002=00000000
Resetting default scope

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000002

BUGCHECK_STR: 0x7E

EXCEPTION_STR: 0x0

LAST_CONTROL_TRANSFER: from 8080fd97 to 808107f8

STACK_TEXT:
f78d6d08 8080fd97 00000001 808a3ff0 8bfa70d8 nt!CcInitializeCacheMap+0x34c
f78d6d40 80812502 8cf61a80 808ae5c0 8cf5a0d8 nt!CcGetDirtyPages+0x157
f78d6d80 8087f925 8cf5a0d8 00000000 8cf61a80 nt!CcSetActiveVacb+0xa8
f78d6dac 80948bb2 8cf5a0d8 00000000 00000000 nt!__ascii_memicmp+0x5
f78d6ddc 8088d4d2 8087f83a 00000000 00000000 nt!NtSetInformationJobObject+0x57c
f78d6e2c 00000000 00000000 00000000 00000000 nt!ExAllocatePoolWithTag+0x9a4


FOLLOWUP_IP:
nt!CcInitializeCacheMap+34c
808107f8 8b38 mov edi,dword ptr [eax]

SYMBOL_STACK_INDEX: 0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

IMAGE_NAME: ntkrnlpa.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 42435b14

SYMBOL_NAME: nt!CcInitializeCacheMap+34c

STACK_COMMAND: .cxr 0xfffffffff78d6918 ; kb

FAILURE_BUCKET_ID: 0x7E_nt!CcInitializeCacheMap+34c

BUCKET_ID: 0x7E_nt!CcInitializeCacheMap+34c

Followup: MachineOwner
---------

Those dumps are nearly identical which is a good thing as your problem appears to be fairly specific to itself.
We just need to translate what it is telling itself.
First off go to start Run... cmd

Then type:

fsutil dirty query C:

Assuming C: as the System drive.

Is it dirty or not dirty? You will be told this.

Next try again from cmd

chkdsk /f

You will be told the volume is in use do you want to run chkdsk on next boot? Choose Y and reboot the computer.