# Windows 2012 R2 BSOD - IRQL_NOT_LESS_OR_EQUAL ntoskrnl.exe



## Ingmar79 (Oct 6, 2014)

Hello,

I am running Windows 2012 R2, 64-bit servers, using these as RDS servers. The problem is that at random times (2/3 times a day) I get a BSOD. The servers automatically reboot. From what I read in BlueScreenView, I'm getting IRQL_NOT_LESS_OR_EQUAL and ntoskrnl.exe or PAGE_FAULT_IN_NONPAGED_AREA and ntoskrnl.exe errors.

Seems to happen most when a user logs off.

Besides that, I cannot run the perfmon /report command; it gives me an 'operator or administrator has refused the request' error. Does anyone have a hint on how to fix that?

The servers are running on VMware 5.5, HP DL360 Gen8 ESX servers, with VMXNET3 adapters. Nothing out of the ordinary. I'm suspecting McAfee or FalconStor (backup) driver issues, but cannot find the cause.

I would appreciate the help, if anyone has the time.


----------



## Ingmar79 (Oct 6, 2014)

The Perform result command is still bugged, but I got the report.html from the system folder, so I'm attaching it now.

I will run the driver verifier tonight, when users are logged off. I'll exclude the specified server for new connections, so driver verifier can continue tomorrow morning.

The Windows 2012 R2 is a datacenter version.


----------



## Ingmar79 (Oct 6, 2014)

Sorry for the messy uploads. Couldn't edit the posts.


----------



## Ingmar79 (Oct 6, 2014)

I don't know if this helps, but:

Usually the BSOD crashes happen when an administrator account logs off. I haven't seen the crash happen at a normal domain user logoff. But I know for a fact that I've seen it happen multiple times: when I tried to log off either under my account or the domain administrator account, the remote desktop session disconnects and the server crashes.

Driver verifier hasn't come up with anything yet.


----------



## Patrick (Apr 15, 2012)

Hi,

Sorry for the late reply.

*IRQL_NOT_LESS_OR_EQUAL (a)*

_This indicates that Microsoft Windows or a kernel-mode driver accessed paged memory at DISPATCH_LEVEL or above._


```
1: kd> .trap 0xffffd000230e4180
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8034a315383 rsp=ffffd000230e4310 rbp=ffffd000230e4468
 r8=0000000000004740  r9=00000000000007ff r10=ffffd000e5180000
r11=00000000000001c8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!IopCompleteRequest+0x10a3:
fffff803`4a315383 488b09          mov     rcx,qword ptr [rcx] ds:00000000`00000000=????????????????
```
Immediate cause of the crash was the failure moving the contents stored within the rcx register to the rcx register. This obviously makes no sense, why are we trying to move contents from rcx to rcx? Buggy driver is why!

*-----------------------------*

Remove and replace McAfee with Windows 8's built-in Windows Defender for temporary troubleshooting purposes as it's very likely causing conflicts:

*McAfee removal* - How to uninstall or reinstall supported McAfee products using the Consumer Products Removal tool (MCPR)

*Windows Defender (how to turn on after removal)*

A. Navigate to *Control Panel* (with icons). You can do this by hitting *Start > Search > Control Panel*. Once in *Control Panel*, change the drop-down from *Category* to *Large and/or Small icons*.

B. Among the list of icons, find and click *Action Center*.

C. Assuming the removal of your prior antivirus software went properly, you will notice for both *Spyware and unwanted software protection (important)* and *Virus protection (important)*, it'll have a button labeled *Turn on now*. Click this button (it doesn't matter which, as Windows Defender serves as *both* in Windows 8/8.1).

*Windows Defender (turn on) Windows 8:*

*1.* Navigate to *Control Panel* (with icons). You can do this by hitting *Start* > *Search* > *Control Panel*. Once in *Control Panel*, change the drop-down from *Category* to *Large* _and/or_ *Small icons*.

*2.* Among the list of icons, find and click *Windows Defender*.

*3.* Once the Windows Defender window pops up, select the *Settings* tab. As soon as you're in Settings, on the left-hand side, select *Administrator* (below *MAPS*), and then *un-check* *Turn on this app*. If UAC (User Account Control) notes this is an administrative privilege and requires you to prompt it, select *yes*.

Regards,

Patrick


----------
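Added example, not part of the original posts: a Python sketch that reads the trap-frame text quoted in the post above and reports which register the faulting instruction dereferences and what address that resolves to. The function name `triage` and the 64 KB cut-off used to label a null-pointer dereference are assumptions of this example; the sample input is copied from the debugger output in the post.

```python
import re

# Sample input: register dump and faulting instruction as quoted in the post.
TRAP_OUTPUT = """\
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8034a315383 rsp=ffffd000230e4310 rbp=ffffd000230e4468
 r8=0000000000004740  r9=00000000000007ff r10=ffffd000e5180000
r11=00000000000001c8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
nt!IopCompleteRequest+0x10a3:
fffff803`4a315383 488b09          mov     rcx,qword ptr [rcx] ds:00000000`00000000=????????????????
"""

REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
SYM_RE = re.compile(r"^(\w+)!(\w+)\+0x([0-9a-f]+):$", re.M)
# address, opcode bytes, mnemonic, operands, then kd's "seg:addr=contents" suffix
INSN_RE = re.compile(
    r"^[0-9a-f]{8}`[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+"
    r"\w{2}:([0-9a-f]{8})`([0-9a-f]{8})=(\S+)$", re.M)

def triage(text):
    """Summarise the faulting memory access from kd .trap output (hypothetical helper)."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    sym, insn = SYM_RE.search(text), INSN_RE.search(text)
    if not (sym and insn):
        raise ValueError("no symbol or faulting-instruction line found")
    mnemonic, operands, hi, lo, shown = insn.groups()
    addr = int(hi + lo, 16)
    base = re.search(r"\[(\w+)\]", operands)  # handles the simple [reg] form only
    base_reg = base.group(1) if base else None
    if addr < 0x10000:                        # assumption: lowest 64 KB is never mapped
        kind = "null-pointer dereference"
    elif addr >= 0xFFFF800000000000:
        kind = "kernel address"
    else:
        kind = "user-mode address"
    return {
        "location": "{}!{}+0x{}".format(*sym.groups()),
        "instruction": f"{mnemonic} {operands}",
        "base_register": base_reg,
        "base_value": regs.get(base_reg),
        "address": addr,
        "readable": not set(shown) <= {"?"},  # kd prints ???? for unreadable memory
        "kind": kind,
    }

if __name__ == "__main__":
    for key, value in triage(TRAP_OUTPUT).items():
        print(f"{key:14} {value}")
```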



## Ingmar79 (Oct 6, 2014)

Hello Patrick,

First of all, many thanks for helping me out. Very much appreciate your effort.

I've also spoken to Microsoft support by phone by creating a ticket. The person helping me with the full dump analysis told me McAfee or FalconStor drivers (ISCM) were possible suspects. They couldn't tell me conclusively if McAfee was the culprit, unfortunately. Something about their analysis tools couldn't work out 3rd party drivers. It would be nice to be able to contact McAfee and have some sort of evidence of bad performing drivers.

The weird thing in this though, is that I have about 30 VM's on Windows Servers 2012 R2, that are all running fine, in various configurations for months now. Might be that AV drivers are having a hard time dealing with RDS sessions or user profile disks perhaps.

I'll report back, if the BSOD's stop after the removal of McAfee.


----------



## Ingmar79 (Oct 6, 2014)

For all other visitors, that may be having problems concerning McAfee VSE 8.8 patch 4 installations, please read this: https://kc.mcafee.com/corporate/index?page=content&id=KB81529


----------



## Patrick (Apr 15, 2012)

My pleasure.



> Something about their analysis tools couldn't work out 3rd party drivers.


Correct, as debugging clients work based on what is known as symbols. There are public symbols and symbols that only can be obtained if you're internally at a company and are on the escalation team, usually. In this case, people over at MSFT on the escalation team that analyze crashes only have access to internal (private) MSFT symbols, and public symbols. We only have access to public symbols. 

McAfee only has access to McAfee's internal (private) symbols, so they'd be able to tell you 100% why it's happening. The most we can do is make educated guesses, which mine would be that McAfee is somehow conflicting with the file system in some way or another.

How's the system, have you figured out a fix/workaround (judging by the above link), or have you uninstalled for now?

Regards,

Patrick


----------



## Ingmar79 (Oct 6, 2014)

Hello Patrick,

I have uninstalled McAfee for now, just to see what happens. If I am BSOD free for the next few days, I'm assuming McAfee is the cause. I'm going to create a clone VM of that server with McAfee patch 2 or 3 to see if the BSOD's appear on that clone. If that's not the case, I can use patch 2 or 3 as a safe option on my RDSH servers.

I'll contact McAfee to see if they can analyse their own symbols in the BSOD full dumps. I'll use this forum thread as a reference for them. Hopefully they can come to a full conclusion as to why the server crashes occurred. And that might hopefully help other people, that are having this issue.


----------



## Patrick (Apr 15, 2012)

Let me know how everything works out.

Regards,

Patrick


----------

