BSOD на терминальном сервере Win2003EE x64

[jackrush]

Всем доброго времени суток.

Есть сервер Windows Server 2003R2 Enterprise x64 Edition SP2. На нем поднята роль терминального сервера, и постоянно, когда пользователи работают, он несколько раз в день то виснет с BSOD'ом, то перезагружается(что реже). Сначала ошибки были на физическом терминальном сервере, потом мы переустановили сервер на виртуальной машине на другом железе, но ошибки все-равно те же вылезают.

Коды BSOD:
0x3B mrxsmb.sys
0x7E ntoskrnl.exe
0x0A rdbss.sys
0x7f_c ntoskrnl.exe
0x27 rdbss.sys
0xD1 netbt.sys

Тесты всякие результатов не дают, железо исправное, диспетчер проверки драйверов тоже ничего не дает. Уже не знаем что и делать, подскажите пожалуйста в чем может быть причина...

Вот дампы типовых ошибок:

Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (4 procs) Free x64
Product: Server, suite: Enterprise TerminalServer
Built by: 3790.srv03_sp2_rtm.070216-1710
Machine Name:
Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d5100


BugCheck 27, {baad0080, fffffadf25f43030, fffffadf25f42a40, fffff800010446cd}
Unable to load image \??\C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for TmPreFlt.sys
*** ERROR: Module load completed but symbols could not be loaded for TmPreFlt.sys
Probably caused by : mrxsmb.sys ( mrxsmb!SmbCeInitializeExchangeTransport+53 )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
RDR_FILE_SYSTEM (27)
If you see RxExceptionFilter on the stack then the 2nd and 3rd parameters are the
exception record and context record. Do a .cxr on the 3rd parameter and then kb to
obtain a more informative stack trace.
The high 16 bits of the first parameter is the RDBSS bugcheck code, which is defined
as follows:
RDBSS_BUG_CHECK_CACHESUP = 0xca550000,
RDBSS_BUG_CHECK_CLEANUP = 0xc1ee0000,
RDBSS_BUG_CHECK_CLOSE = 0xc10e0000,
RDBSS_BUG_CHECK_NTEXCEPT = 0xbaad0000,
Arguments:
Arg1: 00000000baad0080
Arg2: fffffadf25f43030
Arg3: fffffadf25f42a40
Arg4: fffff800010446cd

Debugging Details:
------------------
EXCEPTION_RECORD: fffffadf25f43030 -- (.exr 0xfffffadf25f43030)
ExceptionAddress: fffff800010446cd (nt!MiCheckVirtualAddress+0x0000000000000090)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
CONTEXT: fffffadf25f42a40 -- (.cxr 0xfffffadf25f42a40)
rax=fffffadf376c5040 rbx=fffffadf25f432c0 rcx=0000000000000028
rdx=fffffadf376c4c20 rsi=0000000000000028 rdi=0000000000000000
rip=fffff800010446cd rsp=fffffadf25f43250 rbp=fffff68000000000
r8=fffffadf25f432d8 r9=0000000000000000 r10=fffffadf25f432d8
r11=0045005800000000 r12=fffffadf376c4c20 r13=fffffadf25f43350
r14=fffff6fb7da00000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
nt!MiCheckVirtualAddress+0x90:
fffff800`010446cd 493b7b18 cmp rdi,qword ptr [r11+18h] ds:002b:00450058`00000018=?
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: explorer.exe
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: ffffffffffffffff
READ_ADDRESS: ffffffffffffffff
FOLLOWUP_IP:
mrxsmb!SmbCeInitializeExchangeTransport+53
fffffadf`27d72ea2 ff5028 call qword ptr [rax+28h]
FAULTING_IP:
nt!MiCheckVirtualAddress+90
fffff800`010446cd 493b7b18 cmp rdi,qword ptr [r11+18h]
BUGCHECK_STR: 0x27
TRAP_FRAME: fffffadf25f43350 -- (.trap 0xfffffadf25f43350)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=fffffadf3634d530
rdx=fffffadf362d4d70 rsi=0000000000000000 rdi=0000000000000000
rip=fffffadf27d72ea2 rsp=fffffadf25f434e0 rbp=fffffadf3771e590
r8=fffffadf376c5040 r9=000000000000021d r10=fffff80001000000
r11=fffffa800e22e634 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
mrxsmb!SmbCeInitializeExchangeTransport+0x53:
fffffadf`27d72ea2 ff5028 call qword ptr [rax+28h] ds:01a0:00000000`00000028=?
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800010466d5 to fffff800010446cd
STACK_TEXT:
fffffadf`25f43250 fffff800`010466d5 : fffffadf`376c4c20 0000007f`ffffffff 00000000`00000000 fffffadf`376c5040 : nt!MiCheckVirtualAddress+0x90
fffffadf`25f43280 fffff800`0102d519 : 00000001`00000000 fffffadf`35870ca0 fffffadf`25f43300 fffff800`003d1000 : nt!MmAccessFault+0x1437
fffffadf`25f43350 fffffadf`27d72ea2 : 00000000`00000000 fffffadf`350c11e0 00000000`00000000 fffffadf`27d81900 : nt!KiPageFault+0x119
fffffadf`25f434e0 fffffadf`27d728b4 : fffffadf`362d4d70 fffffadf`362d4d70 00000000`00000000 00000000`00000000 : mrxsmb!SmbCeInitializeExchangeTransport+0x53
fffffadf`25f43510 fffffadf`27d74abf : fffffadf`362d4d70 fffffadf`350c11f8 00000000`00000000 fffffadf`370a7a80 : mrxsmb!SmbCeInitiateExchange+0x264
fffffadf`25f43560 fffffadf`27d74c5b : fffffadf`362d4d70 fffffadf`25f40000 fffffadf`29dc9a00 00000000`00000020 : mrxsmb!SmbCeSubmitTransactionRequest+0x148
fffffadf`25f435d0 fffffadf`27d229cb : fffffa80`0605d010 00000000`00000001 00000000`00000000 fffffa80`0605d570 : mrxsmb!SmbCeTransact+0x1a1
fffffadf`25f436b0 fffffadf`27d9816b : fffffadf`370a7a80 00000000`00000000 00000000`63466d53 fffffadf`362ffc68 : mrxsmb!SmbCeAsynchronousTransact+0x7b
fffffadf`25f43740 fffffadf`27e4951a : 00000000`00000000 fffffadf`25f43c01 fffffadf`27d54120 fffffadf`370a7a80 : mrxsmb!MRxSmbNotifyChangeDirectory+0x22b
fffffadf`25f43800 fffffadf`27e60d55 : fffffadf`35870e00 fffffadf`25f43c01 fffffadf`35870ca0 fffffadf`370a7a80 : rdbss!RxLowIoSubmit+0x28f
fffffadf`25f43860 fffffadf`27e58125 : 00000000`00000000 fffff97f`f3962940 fffffadf`35870ca0 fffffadf`35870ca0 : rdbss!RxNotifyChangeDirectory+0xe5
fffffadf`25f438d0 fffffadf`27e1ca77 : fffffadf`370a7a80 fffffa80`0605d570 00000000`00000000 fffffadf`370a7a80 : rdbss!RxCommonDirectoryControl+0x10a
fffffadf`25f43950 fffffadf`27d683e8 : fffffadf`27e35280 fffffadf`25f43a00 fffffadf`35870e00 fffffadf`36d3a940 : rdbss!RxFsdCommonDispatch+0x51c
fffffadf`25f43a50 fffffadf`28db4922 : fffffadf`35870ca0 fffffadf`25f43cf0 fffffadf`35870ca0 fffffadf`37e33e00 : mrxsmb!MRxSmbFsdDispatch+0x211
fffffadf`25f43aa0 fffffadf`2959cff7 : 00000000`78e289f0 00000000`00000000 fffffadf`378efa40 fffffadf`35870e48 : fltMgr!FltpDispatch+0x1c2
fffffadf`25f43b00 00000000`78e289f0 : 00000000`00000000 fffffadf`378efa40 fffffadf`35870e48 00000000`78e289f0 : TmPreFlt+0x1ff7
fffffadf`25f43b08 00000000`00000000 : fffffadf`378efa40 fffffadf`35870e48 00000000`78e289f0 fffff800`01241cdb : 0x78e289f0
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: mrxsmb!SmbCeInitializeExchangeTransport+53
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mrxsmb
IMAGE_NAME: mrxsmb.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69a55
STACK_COMMAND: .cxr 0xfffffadf25f42a40 ; kb
FAILURE_BUCKET_ID: X64_0x27_mrxsmb!SmbCeInitializeExchangeTransport+53
BUCKET_ID: X64_0x27_mrxsmb!SmbCeInitializeExchangeTransport+53
Followup: MachineOwner
---------

BugCheck 7F, {c, 80050031, 0, fffffadf26f3d2fa}
Probably caused by : ntkrnlmp.exe ( nt!KiStackFault+eb )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 000000000000000c, EXCEPTION_STACK_FAULT
Arg2: 0000000080050031
Arg3: 0000000000000000
Arg4: fffffadf26f3d2fa

Debugging Details:
------------------
BUGCHECK_STR: 0x7f_c
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: System
CURRENT_IRQL: 1
LAST_CONTROL_TRANSFER: from fffff8000102e674 to fffff8000102e950
STACK_TEXT:
fffffadf`23288918 fffff800`0102e674 : 00000000`0000007f 00000000`0000000c 00000000`80050031 00000000`00000000 : nt!KeBugCheckEx
fffffadf`23288920 fffff800`0102d2eb : fffffadf`36f20a01 fffffadf`36f201a0 00000000`00000202 fffff800`010258d7 : nt!KiBugCheckDispatch+0x74
fffffadf`23288aa0 fffffadf`26f3d2fa : fffffa80`0a767a20 09980000`00000340 fffffadf`357ac9c0 00000000`00000000 : nt!KiStackFault+0xeb
fffffadf`23288c30 fffffa80`0a767a20 : 09980000`00000340 fffffadf`357ac9c0 00000000`00000000 fffffadf`36fa6d70 : 0xfffffadf`26f3d2fa
fffffadf`23288c38 09980000`00000340 : fffffadf`357ac9c0 00000000`00000000 fffffadf`36fa6d70 fffffadf`36fcb920 : 0xfffffa80`0a767a20
fffffadf`23288c40 fffffadf`357ac9c0 : 00000000`00000000 fffffadf`36fa6d70 fffffadf`36fcb920 fffff800`011b5dc0 : 0x9980000`00000340
fffffadf`23288c48 00000000`00000000 : fffffadf`36fa6d70 fffffadf`36fcb920 fffff800`011b5dc0 fffffadf`26e1727d : 0xfffffadf`357ac9c0
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiStackFault+eb
fffff800`0102d2eb 90 nop
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: nt!KiStackFault+eb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69a89
FAILURE_BUCKET_ID: X64_0x7f_c_nt!KiStackFault+eb
BUCKET_ID: X64_0x7f_c_nt!KiStackFault+eb
Followup: MachineOwner
---------


BugCheck A, {3006e7, 2, 0, fffff800013f0d63}
*** WARNING: Unable to verify timestamp for TmPreFlt.sys
*** ERROR: Module load completed but symbols could not be loaded for TmPreFlt.sys
Probably caused by : rdbss.sys ( rdbss!RxExceptionFilter+15e )
Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000003006e7, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800013f0d63, address which referenced memory

Debugging Details:
------------------
READ_ADDRESS: 00000000003006e7
CURRENT_IRQL: 0
FAULTING_IP:
nt!VfIrpDatabaseEntryFindAndLock+53
fffff800`013f0d63 4c3948e0 cmp qword ptr [rax-20h],r9
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xA
PROCESS_NAME: Totalcmd.exe
EXCEPTION_RECORD: fffffadf224419a0 -- (.exr 0xfffffadf224419a0)
ExceptionAddress: fffffadf27316a96 (mrxsmb!MRxSmbWrite+0x0000000000000173)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
TRAP_FRAME: fffffadf22441a30 -- (.trap 0xfffffadf22441a30)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffffadf366cac10 rbx=0000000000000000 rcx=fffffadf365d1210
rdx=fffffa800b2533e8 rsi=0000000000000000 rdi=0000000000000000
rip=fffffadf27316a96 rsp=fffffadf22441bc0 rbp=fffffadf22442001
r8=00000000c000000d r9=0000000000000000 r10=fffffadf2f99c590
r11=fffffadf22441c58 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
mrxsmb!MRxSmbWrite+0x173:
fffffadf`27316a96 488b4650 mov rax,qword ptr [rsi+50h] ds:00000000`00000050=?
Resetting default scope
LAST_CONTROL_TRANSFER: from fffffadf273c2bde to fffff8000102e950
STACK_TEXT:
fffffadf`22440a78 fffffadf`273c2bde : 00000000`00000027 00000000`baad0080 fffffadf`224419a0 fffffadf`224413b0 : nt!KeBugCheckEx
fffffadf`22440a80 fffffadf`273c3196 : fffffadf`35b16a80 fffffadf`22440b48 fffffadf`273caa9c 00000000`00000009 : rdbss!RxExceptionFilter+0x15e
fffffadf`22440af0 fffff800`010556ab : fffffadf`273d3198 fffffadf`273b7000 00000000`22440cc0 fffffadf`22440cc0 : rdbss!RxFsdCommonDispatch+0x6d5
fffffadf`22440b30 fffff800`010549fd : fffffadf`224419a0 fffffadf`22441ee0 00000000`00000000 00000000`00000000 : nt!_C_specific_handler+0x9b
fffffadf`22440bc0 fffff800`01054f93 : fffffadf`374392e0 fffffadf`22441d20 00000000`00000000 00000000`224413b0 : nt!RtlpExecuteHandlerForException+0xd
fffffadf`22440bf0 fffff800`0100b901 : fffffadf`00000000 fffffadf`224413b0 fffffadf`224419a0 fffffadf`22441ab0 : nt!RtlDispatchException+0x2c0
fffffadf`224412b0 fffff800`0102e76f : fffffadf`224419a0 00000000`00000000 fffffadf`22441a30 fffffadf`35e9ff40 : nt!KiDispatchException+0xd9
fffffadf`224418b0 fffff800`0102d3cd : fffffadf`224419b0 fffffadf`22442e00 00000000`00000000 fffffadf`224427f0 : nt!KiExceptionExit
fffffadf`22441a30 fffffadf`27316a96 : fffffadf`224423f0 00000000`00000000 00000000`00000000 fffffaaf`0a060fb0 : nt!KiGeneralProtectionFault+0xcd
fffffadf`22441bc0 fffffadf`273e551a : 00000000`00000000 fffffadf`22442001 fffffadf`272f0120 fffffadf`35b16a80 : mrxsmb!MRxSmbWrite+0x173
fffffadf`22441c60 fffffadf`273e6308 : fffffa80`0b253010 fffffadf`22442001 fffffaaf`0a060e50 fffffadf`35b16c18 : rdbss!RxLowIoSubmit+0x28f
fffffadf`22441cc0 fffffadf`273e6097 : fffffadf`35b16a80 fffffadf`22438000 fffffa80`0b2533e8 fffffadf`35b16c18 : rdbss!RxLowIoWriteShell+0xa3
fffffadf`22441d20 fffffadf`273b8a77 : fffffadf`35b16a80 fffffaaf`0a060e50 00000000`00000000 fffffaaf`0a060e50 : rdbss!RxCommonWrite+0x1ce3
fffffadf`22441ee0 fffffadf`273043e8 : fffffadf`273d1280 fffffadf`22442000 fffffaaf`0a060fb0 fffffadf`385a0940 : rdbss!RxFsdCommonDispatch+0x51c
fffffadf`22441fe0 fffff800`013df255 : fffffadf`35911dc0 fffffadf`22442060 fffffaaf`0a060e50 fffffadf`385a0940 : mrxsmb!MRxSmbFsdDispatch+0x211
fffffadf`22442030 fffffadf`28db4922 : 00000000`00000001 fffffaaf`0a060e50 00000000`00000000 fffffaaf`0a060e50 : nt!IovCallDriver+0x1b5
fffffadf`224420a0 fffff800`013df255 : fffffadf`43707249 fffffaaf`0a060e50 fffffadf`35b7d540 fffffadf`378c82c0 : fltMgr!FltpDispatch+0x1c2
fffffadf`22442100 fffffadf`295457f5 : fffffadf`35a95010 fffffaaf`0a060e50 fffffadf`22442198 fffffadf`35a95010 : nt!IovCallDriver+0x1b5
fffffadf`22442170 fffffadf`35a95010 : fffffaaf`0a060e50 fffffadf`22442198 fffffadf`35a95010 00000000`00000000 : TmPreFlt+0xa7f5
fffffadf`22442178 fffffaaf`0a060e50 : fffffadf`22442198 fffffadf`35a95010 00000000`00000000 fffff800`013df255 : 0xfffffadf`35a95010
fffffadf`22442180 fffffadf`22442198 : fffffadf`35a95010 00000000`00000000 fffff800`013df255 fffffadf`35a95010 : 0xfffffaaf`0a060e50
fffffadf`22442188 fffffadf`35a95010 : 00000000`00000000 fffff800`013df255 fffffadf`35a95010 fffffadf`224421d0 : 0xfffffadf`22442198
fffffadf`22442190 00000000`00000000 : fffff800`013df255 fffffadf`35a95010 fffffadf`224421d0 fffffadf`374e4880 : 0xfffffadf`35a95010
STACK_COMMAND: kb
FOLLOWUP_IP:
rdbss!RxExceptionFilter+15e
fffffadf`273c2bde cc int 3
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: rdbss!RxExceptionFilter+15e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: rdbss
IMAGE_NAME: rdbss.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69a10
FAILURE_BUCKET_ID: X64_0xA_rdbss!RxExceptionFilter+15e
BUCKET_ID: X64_0xA_rdbss!RxExceptionFilter+15e
Followup: MachineOwner
---------

BugCheck 1000007E, {ffffffffc0000005, fffff800013f0d63, fffffadf29863300, fffffadf29862d10}
*** ERROR: Module load completed but symbols could not be loaded for Mup.sys
Probably caused by : Mup.sys ( Mup+21ce )

Followup: MachineOwner
---------
3: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff800013f0d63, The address that the exception occurred at
Arg3: fffffadf29863300, Exception Record Address
Arg4: fffffadf29862d10, Context Record Address

Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
FAULTING_IP:
nt!VfIrpDatabaseEntryFindAndLock+53
fffff800`013f0d63 4c3948e0 cmp qword ptr [rax-20h],r9
EXCEPTION_RECORD: fffffadf29863300 -- (.exr 0xfffffadf29863300)
Cannot read Exception record @ fffffadf29863300
CONTEXT: fffffadf29862d10 -- (.cxr 0xfffffadf29862d10)
Unable to read context, Win32 error 0n30
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x7E
CURRENT_IRQL: 2
EXCEPTION_STR: 0x0
LAST_CONTROL_TRANSFER: from fffff80001078d77 to fffff800013f0d63
STACK_TEXT:
fffffadf`29863520 fffff800`01078d77 : 00000000`00980008 fffffadf`29863600 00000000`00001204 00000000`00000003 : nt!VfIrpDatabaseEntryFindAndLock+0x53
fffffadf`29863550 fffff800`013e9956 : 00000000`00000003 00000000`00000000 00000000`00000000 fffffaaf`0aee6e50 : nt!IoInitializeIrp+0x41
fffffadf`29863590 fffff800`013df35f : 00000000`00000000 fffffadf`298638b0 00000000`00000000 00000000`00000003 : nt!ViIrpAllocateLockedPacket+0xb6
fffffadf`298635d0 fffff800`0127ff5a : ffffffff`80001203 fffffadf`00000000 00000000`00000000 00000000`00000000 : nt!IovAllocateIrp+0x4f
fffffadf`29863630 fffff800`012626f6 : fffffadf`28bdb8ba 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x6fe
fffffadf`29863750 fffff800`0102e3fd : 00000000`00000020 00000000`00000000 00000000`00000000 fffffadf`00000000 : nt!NtFsControlFile+0x56
fffffadf`298637c0 fffff800`0102e8c0 : fffffadf`28bdc1ce 00000000`00000001 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
fffffadf`298639c8 fffffadf`28bdc1ce : 00000000`00000001 00000000`00000000 00000000`00000000 fffffadf`28be7268 : nt!KiServiceLinkage
fffffadf`298639d0 fffffadf`28bdc2f3 : fffffadf`28be7268 fffffadf`29863aa0 00000000`00000000 00000000`00000002 : Mup+0x21ce
fffffadf`29863a60 fffffadf`28bdc4cb : fffffa80`00650638 fffffadf`37bc18b0 00000000`00000000 fffffadf`37bc18a0 : Mup+0x22f3
fffffadf`29863ae0 fffffadf`28bdbbd5 : 00000000`00000000 fffffadf`37cd4740 fffff800`011ce980 fffffadf`38805700 : Mup+0x24cb
fffffadf`29863cd0 fffff800`0103768a : 00000000`00000000 fffffadf`387c3a40 fffffadf`388057a0 fffff800`011ce980 : Mup+0x1bd5
fffffadf`29863d00 fffff800`0124b972 : fffffadf`388057a0 00000000`00000080 fffffadf`388057a0 fffffadf`29493680 : nt!ExpWorkerThread+0x13b
fffffadf`29863d70 fffff800`010202d6 : fffffadf`2948b180 fffffadf`388057a0 fffffadf`29493680 fffff800`011b5dc0 : nt!PspSystemThreadStartup+0x3e
fffffadf`29863dd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16
FOLLOWUP_IP:
Mup+21ce
fffffadf`28bdc1ce 3d230000c0 cmp eax,0C0000023h
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: Mup+21ce
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Mup
IMAGE_NAME: Mup.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69a10
STACK_COMMAND: .cxr 0xfffffadf29862d10 ; kb
FAILURE_BUCKET_ID: X64_0x7E_Mup+21ce
BUCKET_ID: X64_0x7E_Mup+21ce
Followup: MachineOwner
---------

BugCheck 3B, {c0000005, fffff800013f0d63, fffffadf25cdf210, 0}

Probably caused by : ntkrnlmp.exe ( nt!VfIrpDatabaseEntryFindAndLock+53 )

Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff800013f0d63, Address of the instruction which caused the bugcheck
Arg3: fffffadf25cdf210, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
FAULTING_IP:
nt!VfIrpDatabaseEntryFindAndLock+53
fffff800`013f0d63 4c3948e0 cmp qword ptr [rax-20h],r9
CONTEXT: fffffadf25cdf210 -- (.cxr 0xfffffadf25cdf210)
rax=0000fffffa800ae5 rbx=fffffaaf0a616e50 rcx=000fffffaaf0a616
rdx=fffffadf38afd420 rsi=0000000000000003 rdi=fffffaaf0a616e50
rip=fffff800013f0d63 rsp=fffffadf25cdfa20 rbp=00000000000001a8
r8=fffffadf372c8010 r9=fffffaaf0a616e50 r10=0000000000000000
r11=0000000000000002 r12=0000000000000001 r13=fffffadf25cdfb00
r14=00000000000001a8 r15=0000000000000000
iopl=0 nv up ei pl nz na po cy
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010207
nt!VfIrpDatabaseEntryFindAndLock+0x53:
fffff800`013f0d63 4c3948e0 cmp qword ptr [rax-20h],r9 ds:002b:0000ffff`fa800ac5=?
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x3B
PROCESS_NAME: explorer.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff80001078d77 to fffff800013f0d63
STACK_TEXT:
fffffadf`25cdfa20 fffff800`01078d77 : 00000000`00000000 fffffadf`25cdfb00 00000000`000004c0 00000000`00000003 : nt!VfIrpDatabaseEntryFindAndLock+0x53
fffffadf`25cdfa50 fffff800`013e9956 : 00000000`00000003 00000000`00001000 fffffadf`378d6c20 fffffaaf`0a616e50 : nt!IoInitializeIrp+0x41
fffffadf`25cdfa90 fffff800`013df35f : 00000000`00000000 fffffadf`25cdfcf0 00000000`00000001 00000000`00000003 : nt!ViIrpAllocateLockedPacket+0xb6
fffffadf`25cdfad0 fffff800`01241bbb : 00000000`00000003 00000000`00000001 fffffadf`3629c070 00000000`00000001 : nt!IovAllocateIrp+0x4f
fffffadf`25cdfb30 fffff800`0102e3fd : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtNotifyChangeDirectoryFile+0x301
fffffadf`25cdfc00 00000000`78ef156a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
00000000`024df8d8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x78ef156a
FOLLOWUP_IP:
nt!VfIrpDatabaseEntryFindAndLock+53
fffff800`013f0d63 4c3948e0 cmp qword ptr [rax-20h],r9
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!VfIrpDatabaseEntryFindAndLock+53
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69a89
STACK_COMMAND: .cxr 0xfffffadf25cdf210 ; kb
FAILURE_BUCKET_ID: X64_0x3B_nt!VfIrpDatabaseEntryFindAndLock+53
BUCKET_ID: X64_0x3B_nt!VfIrpDatabaseEntryFindAndLock+53
Followup: MachineOwner
---------

BugCheck 3B, {c0000005, fffff80001028280, fffffadf24ef52e0, 0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for win32k.sys -
Probably caused by : win32k.sys ( win32k!EngRestoreFloatingPointState+2ad )

Followup: MachineOwner
---------
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80001028280, Address of the instruction which caused the bugcheck
Arg3: fffffadf24ef52e0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
FAULTING_IP:
nt!KeWaitForSingleObject+26d
fffff800`01028280 41803e02 cmp byte ptr [r14],2
CONTEXT: fffffadf24ef52e0 -- (.cxr 0xfffffadf24ef52e0)
rax=fffff8000123e3c0 rbx=00000048e9e55a9a rcx=fffffadf2946b7f0
rdx=fffffadf24ef5ba0 rsi=fffffadf37c63ab8 rdi=fffffadf37c63a20
rip=fffff80001028280 rsp=fffffadf24ef5af0 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=000000000000001b r12=fffffadf37d3ca80 r13=fffff78000000008
r14=ee65764505060004 r15=fffffadf37c63b18
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nt!KeWaitForSingleObject+0x26d:
fffff800`01028280 41803e02 cmp byte ptr [r14],2 ds:002b:ee657645`05060004=??
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x3B
PROCESS_NAME: explorer.exe
CURRENT_IRQL: c
LAST_CONTROL_TRANSFER: from fffff80001047738 to fffff80001028280
STACK_TEXT:
fffffadf`24ef5af0 fffff800`01047738 : 00000000`0000010b 00000000`0000001b 00000000`00000000 00000000`00000000 : nt!KeWaitForSingleObject+0x26d
fffffadf`24ef5b70 fffff800`010477b9 : fffffadf`24ef5c18 00000000`024df9d8 fffffadf`37c63a20 fffff800`0102e3fd : nt!ExpWaitForResource+0x48
fffffadf`24ef5be0 fffff800`01037eab : fffffadf`37c63a20 fffffadf`24ef5cf0 00000000`00000000 00000000`00000003 : nt!ExAcquireResourceExclusiveLite+0x1ab
fffffadf`24ef5c10 fffff97f`ff0ccf9d : fffff97f`f3be0d10 00000000`00000002 00000000`000204ff 00000000`00000027 : nt!ExEnterCriticalRegionAndAcquireResourceExclusive+0x1b
fffffadf`24ef5c40 fffff800`0102e3fd : fffffadf`37c63a20 fffffadf`24ef5cf0 fffffadf`37c63a20 00000000`00000020 : win32k!EngRestoreFloatingPointState+0x2ad
fffffadf`24ef5c70 00000000`78c51d3a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
00000000`024dfad8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x78c51d3a
FOLLOWUP_IP:
win32k!EngRestoreFloatingPointState+2ad
fffff97f`ff0ccf9d 83ff1e cmp edi,1Eh
SYMBOL_STACK_INDEX: 4
SYMBOL_NAME: win32k!EngRestoreFloatingPointState+2ad
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: win32k
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d699e1
STACK_COMMAND: .cxr 0xfffffadf24ef52e0 ; kb
FAILURE_BUCKET_ID: X64_0x3B_win32k!EngRestoreFloatingPointState+2ad
BUCKET_ID: X64_0x3B_win32k!EngRestoreFloatingPointState+2ad
Followup: MachineOwner
---------

BugCheck C9, {208, fffffadf26b6ac4d, fffffaaf11cc2ea0, 0}

Unable to load image \SystemRoot\system32\DRIVERS\tmtdi.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for tmtdi.sys
*** ERROR: Module load completed but symbols could not be loaded for tmtdi.sys
Probably caused by : tmtdi.sys ( tmtdi+dc4d )

Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9)
The IO manager has caught a misbehaving driver.
Arguments:
Arg1: 0000000000000208, This IRP is about to run out of stack locations. Someone may have forwarded this
IRP from another stack.
Arg2: fffffadf26b6ac4d, The address in the driver's code where the error was detected.
Arg3: fffffaaf11cc2ea0, IRP address.
Arg4: 0000000000000000

Debugging Details:
------------------
ERROR_CODE: (NTSTATUS) 0xc9 - %1.
EXCEPTION_CODE: (Win32) 0xc9 (201) - %1.
EXCEPTION_PARAMETER1: 0000000000000208
EXCEPTION_PARAMETER2: fffffadf26b6ac4d
EXCEPTION_PARAMETER3: fffffaaf11cc2ea0
EXCEPTION_PARAMETER4: 0
BUGCHECK_STR: 0xc9_208
DRIVER_VERIFIER_IO_VIOLATION_TYPE: 208
FAULTING_IP:
tmtdi+dc4d
fffffadf`26b6ac4d ??
FOLLOWUP_IP:
tmtdi+dc4d
fffffadf`26b6ac4d ??
IRP_ADDRESS: fffffaaf11cc2ea0
CUSTOMER_CRASH_COUNT: 3
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: svchost.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from fffff800013edf9a to fffff8000102e950
STACK_TEXT:
fffffadf`28725838 fffff800`013edf9a : 00000000`0000004c 00000000`000000c9 fffffadf`28725900 fffffadf`28725a30 : nt!KeBugCheckEx
fffffadf`28725840 fffff800`013edafd : fffffadf`37949270 00000000`00000000 00000000`00000000 00000000`00000000 : nt!VfBugcheckThrowException+0x46a
fffffadf`28725d90 fffff800`013f6131 : 00000000`00000084 fffff800`00000009 fffffadf`26b6ac4d fffffaaf`11cc2ea0 : nt!VfBugcheckThrowIoException+0xf2
fffffadf`28725eb0 fffff800`013f4a8a : 00000000`00000040 01cbc868`89506a36 fffffaaf`11cc2ea0 fffffadf`26b6ac4d : nt!IovpExamineIrpStackForwarding+0x261
fffffadf`28725f20 fffff800`013df210 : fffffadf`26b6a88c fffffaaf`11cc2ea0 fffffadf`26b6ac00 fffffadf`26b6ac4d : nt!IovpCallDriver1+0x35b
fffffadf`28726000 fffffadf`26b6ac4d : 00000000`00000000 fffffaaf`11cc2ea0 00000000`00000000 fffffaaf`11cc2f70 : nt!IovCallDriver+0x170
fffffadf`28726070 00000000`00000000 : fffffaaf`11cc2ea0 00000000`00000000 fffffaaf`11cc2f70 00000000`00000000 : tmtdi+0xdc4d
STACK_COMMAND: kb
SYMBOL_STACK_INDEX: 6
SYMBOL_NAME: tmtdi+dc4d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: tmtdi
IMAGE_NAME: tmtdi.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4bd301a1
FAILURE_BUCKET_ID: X64_0xc9_208_tmtdi+dc4d
BUCKET_ID: X64_0xc9_208_tmtdi+dc4d
Followup: MachineOwner
---------

BugCheck D1, {fffffaaf1675100e, 2, 0, fffffadf26c5b6b1}

*** ERROR: Module load completed but symbols could not be loaded for netbt.sys
*** ERROR: Symbol file could not be found. Defaulted to export symbols for tcpip.sys -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for NDIS.sys -
*** WARNING: Unable to verify timestamp for e1G5132e.sys
*** ERROR: Module load completed but symbols could not be loaded for e1G5132e.sys
Probably caused by : netbt.sys ( netbt+26b1 )

Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arguments:
Arg1: fffffaaf1675100e, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, value 0 = read operation, 1 = write operation
Arg4: fffffadf26c5b6b1, address which referenced memory

Debugging Details:
------------------
READ_ADDRESS: fffffaaf1675100e
CURRENT_IRQL: 2
FAULTING_IP:
netbt+26b1
fffffadf`26c5b6b1 488b040a mov rax,qword ptr [rdx+rcx]
CUSTOMER_CRASH_COUNT: 5
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xD1
PROCESS_NAME: Idle
TRAP_FRAME: fffff80000116fe0 -- (.trap 0xfffff80000116fe0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=000000000000009a rbx=0000000000000000 rcx=fffffaaf16750f70
rdx=000000000000009e rsi=0000000000000000 rdi=0000000000000000
rip=fffffadf26c5b6b1 rsp=fffff80000117178 rbp=fffffaaf14e58f10
r8=00000000ffffffe6 r9=0000000007ffffff r10=fffff78000000320
r11=fffffaaf16750f70 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
netbt+0x26b1:
fffffadf`26c5b6b1 488b040a mov rax,qword ptr [rdx+rcx] ds:7488:fffffaaf`1675100e=?
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000102e674 to fffff8000102e950
STACK_TEXT:
fffff800`00116e58 fffff800`0102e674 : 00000000`0000000a fffffaaf`1675100e 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx
fffff800`00116e60 fffff800`0102d607 : fffffaaf`1c44cd70 fffffadf`26a19b21 00000000`00000000 fffffaaf`12f34bc0 : nt!KiBugCheckDispatch+0x74
fffff800`00116fe0 fffffadf`26c5b6b1 : fffffadf`26c5b267 fffffadf`3745d24a 00000000`00000002 fffffaaf`00000000 : nt!KiPageFault+0x207
fffff800`00117178 fffffadf`26c5b267 : fffffadf`3745d24a 00000000`00000002 fffffaaf`00000000 fffffadf`28c4f903 : netbt+0x26b1
fffff800`00117180 fffffadf`26c5ba6d : fffffadf`38641d00 fffff800`0000009a 00000000`00000080 fffff800`0000009a : netbt+0x2267
fffff800`001172d0 fffffadf`26c5b843 : 00000000`86fe0006 fffffaaf`deadc0de fffffaaf`148c0020 00000000`00000000 : netbt+0x2a6d
fffff800`001173d0 fffff800`013df98b : fffffaaf`1a38efb8 00000000`00000000 fffffaaf`1a38eea0 fffff800`001175f8 : netbt+0x2843
fffff800`001174e0 fffff800`010251f6 : fffffaaf`1a38efbb 00000000`00000000 00000000`00000000 fffffaaf`1a38eea0 : nt!IovpLocalCompletionRoutine+0xfb
fffff800`00117530 fffff800`013df838 : fffffaaf`1a38eea0 fffffaaf`154aaf02 fffffaaf`1a38eea0 fffffaaf`154aafc0 : nt!IopfCompleteRequest+0x117
fffff800`001175a0 fffffadf`26cc36d1 : 00000000`00000000 fffff800`013e1b10 fffffaaf`1a38eea0 00000000`00000000 : nt!IovCompleteRequest+0x1d8
fffff800`00117680 fffffadf`26cc6d6c : fffffaaf`19164fa0 fffffaaf`161f8d90 00000000`00000000 00000000`00000000 : tcpip!ARPRcv+0x6fb1
fffff800`001176d0 fffffadf`26cd6af6 : fffffaaf`161f8d00 00000000`00000002 00000000`00000000 fffffaaf`161f8d90 : tcpip!ARPRcv+0xa64c
fffff800`00117760 fffffadf`26cc6855 : fffffadf`00000000 fffffadf`27c35615 fffff800`00117818 fffff800`00117810 : tcpip!IPGetAddrType+0x9b06
fffff800`001177f0 fffffadf`26cd29bc : fffffadf`26d7e6c1 00000000`00000000 00000000`00000000 00000000`00000002 : tcpip!ARPRcv+0xa135
fffff800`00117840 fffffadf`28c5d3ad : fffffaaf`0ff68d90 fffffadf`384a7670 00000000`00000000 00000000`00000000 : tcpip!IPGetAddrType+0x59cc
fffff800`00117870 fffffadf`27c2aa47 : 00000000`000000ba fffff800`00117a10 fffff800`00000005 00000000`00000003 : NDIS!NdisCompletePnPEvent+0x7ed
fffff800`00117940 00000000`000000ba : fffff800`00117a10 fffff800`00000005 00000000`00000003 00000000`00000202 : e1G5132e+0xa47
fffff800`00117948 fffff800`00117a10 : fffff800`00000005 00000000`00000003 00000000`00000202 00000000`00000000 : 0xba
fffff800`00117950 fffff800`00000005 : 00000000`00000003 00000000`00000202 00000000`00000000 00000000`00000000 : 0xfffff800`00117a10
fffff800`00117958 00000000`00000003 : 00000000`00000202 00000000`00000000 00000000`00000000 fffffaaf`0e02a0d0 : 0xfffff800`00000005
fffff800`00117960 00000000`00000202 : 00000000`00000000 00000000`00000000 fffffaaf`0e02a0d0 fffff800`00117a38 : 0x3
fffff800`00117968 00000000`00000000 : 00000000`00000000 fffffaaf`0e02a0d0 fffff800`00117a38 00000000`00000040 : 0x202
STACK_COMMAND: kb
FOLLOWUP_IP:
netbt+26b1
fffffadf`26c5b6b1 488b040a mov rax,qword ptr [rdx+rcx]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: netbt+26b1
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: netbt
IMAGE_NAME: netbt.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69ccd
FAILURE_BUCKET_ID: X64_0xD1_netbt+26b1
BUCKET_ID: X64_0xD1_netbt+26b1
Followup: MachineOwner
---------

BugCheck 1000007E, {ffffffffc0000005, fffffadf2750d5b9, fffffadf29ab6ab0, fffffadf29ab64c0}
Probably caused by : mrxsmb.sys ( mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+39 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffffadf2750d5b9, The address that the exception occurred at
Arg3: fffffadf29ab6ab0, Exception Record Address
Arg4: fffffadf29ab64c0, Context Record Address

Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
FAULTING_IP:
mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+39
fffffadf`2750d5b9 488910 mov qword ptr [rax],rdx
EXCEPTION_RECORD: fffffadf29ab6ab0 -- (.exr 0xfffffadf29ab6ab0)
ExceptionAddress: fffffadf2750d5b9 (mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+0x0000000000000039)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000
CONTEXT: fffffadf29ab64c0 -- (.cxr 0xfffffadf29ab64c0)
rax=0000000000000000 rbx=fffffadf27637c40 rcx=0000000000000000
rdx=0000000000000000 rsi=fffffadf37da0900 rdi=fffffadf358bb740
rip=fffffadf2750d5b9 rsp=fffffadf29ab6cd0 rbp=0000000000000000
r8=000093182396ad74 r9=fffff800011b8610 r10=0000000000000000
r11=fffffadf37da0900 r12=0000000000000000 r13=fffffadf37da0900
r14=0000000000000000 r15=fffffadf2948d600
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010282
mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+0x39:
fffffadf`2750d5b9 488910 mov qword ptr [rax],rdx ds:002b:00000000`00000000=0000000000000000
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: NULL_DEREFERENCE
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 0000000000000000
WRITE_ADDRESS: 0000000000000000
FOLLOWUP_IP:
mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+39
fffffadf`2750d5b9 488910 mov qword ptr [rax],rdx
BUGCHECK_STR: 0x7E
EXCEPTION_STR: 0x0
LAST_CONTROL_TRANSFER: from fffffadf2761e11d to fffffadf2750d5b9
STACK_TEXT:
fffffadf`29ab6cd0 fffffadf`2761e11d : 00000000`00000000 fffffadf`27637c00 00000000`00000000 fffffadf`386b94f0 : mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+0x39
fffffadf`29ab6d00 fffff800`0124b972 : fffffadf`37da0900 00000000`00000080 fffffadf`37da0900 fffffadf`29493680 : rdbss!RxpWorkerThreadDispatcher+0xb8
fffffadf`29ab6d70 fffff800`010202d6 : fffffadf`2948b180 fffffadf`37da0900 fffffadf`29493680 00000000`00000000 : nt!PspSystemThreadStartup+0x3e
fffffadf`29ab6dd0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+39
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: mrxsmb
IMAGE_NAME: mrxsmb.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 45d69a55
STACK_COMMAND: .cxr 0xfffffadf29ab64c0 ; kb
FAILURE_BUCKET_ID: X64_0x7E_mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+39
BUCKET_ID: X64_0x7E_mrxsmb!SmbCeDiscardExchangeWorkerThreadRoutine+39
Followup: MachineOwner
---------

[shs]

Unable to load image \??\C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys, Win32 error 0n2

Я бы начал с удаления антивируса на проблемном сервере (не с отключения, а именно с удаления) и последующим наблюдением за поведением сервера.

[Scar]

+1 к совету shs, там еще tmtdi.sys засветился.

[jackrush]

Удаление антивируса ничего не дает... Ошибки все равно возникают...

Кстати терминальные клиенты цепляются с линуксовых машин, может тут где то косяк?
Как можно проверить-посмотреть?

[risc]

jackrush, что в логах?
что значит "цепляются", что там происходит?
нельзя временно отключить связь с линуксовыми машинами?

[Fray]

Удаление антивируса ничего не дает... Ошибки все равно возникают...

Корректное удаление? То есть, этих dll больше нет физически? Может в реестре что-то осталось от него?

[Fray]

Кстати, а может сделать sfc /scannow ? Пусть системные файлы обновит...

[shs]

Удаление антивируса ничего не дает... Ошибки все равно возникают...

Или возникают другие ошибки, или антивирус все-таки не был удален (или не удален до конца).

[jackrush]

jackrush, что в логах?
что значит "цепляются", что там происходит?
нельзя временно отключить связь с линуксовыми машинами?

Цепляются значит запускают удаленный рабочий стол со своей машины, а отключить связь с ними нельзя, т.к. это терминальный сервер именно для линуксов.

[jackrush]

Удаление антивируса ничего не дает... Ошибки все равно возникают...

Корректное удаление? То есть, этих dll больше нет физически? Может в реестре что-то осталось от него?

Удаление антивируса ничего не дает... Ошибки все равно возникают...

Или возникают другие ошибки, или антивирус все-таки не был удален (или не удален до конца).

Этих dll нет, антивирус удален корректно.

Возникают другие ошибки, из последних  0x3B mrxsmb.sys и 0xD1 netbt.sys...

[Fray]

0xD1 netbt.sys

This problem occurs if the NetBIOS over TCP/IP driver, Netbt.sys, does not correctly detect the state of the network connection.

0x3B mrxsmb.sys

Похоже что-то с драйверами... Я бы начал с драйвера сетевой карты, глядя на верхнюю цитату