Subject: Sysmon v7.01 uninstallation causing bugcheck 0x3b
Posted: 23 February 2018 at 6:28pm
Hosts - both virtualized and physical
OS - Windows Server 2012 R2 in most recent tests
Bugcheck details – the bugcheck code, faulting IP has been the same in all dumps:
SYSTEM_SERVICE_EXCEPTION(3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff800404c4048, Address of the instruction which caused the bugcheck
Arg3: ffffd0002311c620, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
SysmonDrv+8048
fffff800`404c4048 488b4840        mov     rcx,qword ptr [rax+40h]
Processes where bugcheck happens: splunkd.exe, noderunner.exe, Microsoft.Exchange.Search.Service.exe (recent tests were made on Exchange Server 2016 servers).
Upon dump analysis, we’ve noticed that the unregister thread runs concurrently with another thread where SysmonDrv is referenced for filtering an I/O event. In one case it was a total of 3 executing threads – 2 with I/O events and 1 for unregistering the SysmonDrv filter.
Edited by evgeny.golov - 45 minutes ago at 6:35pm
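The race the post describes (a filter callback dereferencing driver context while the unregister path tears it down) is the classic case for rundown protection. The following is an added user-mode model in C, not Sysmon's code and not from the post; `filter_ctx_t`, `g_ctx` and the callback names are constructed stand-ins, and the spin-wait stands in for the event a real driver would block on.

```c
// Added example: an unsafe callback/unregister pair next to a rundown-protected
// one. With rundown protection, unregister refuses new callers and waits for
// in-flight callbacks to leave before freeing the context.
#include <stdatomic.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct { int value; } filter_ctx_t;   /* constructed stand-in for driver context */

static filter_ctx_t *g_ctx;      /* shared context, freed on unregister */
static atomic_long g_inflight;   /* callbacks currently inside the filter */
static atomic_int  g_draining;   /* set once unregister has begun */

/* Unsafe pattern: nothing stops unregister from freeing g_ctx between the
 * NULL check and the dereference, which is the window the dumps point at. */
int unsafe_filter_callback(void) {
    filter_ctx_t *ctx = g_ctx;
    if (ctx == NULL) return -1;
    return ctx->value;           /* may read freed memory if unregister races in */
}

/* Rundown acquire: count ourselves in first, then refuse if draining started.
 * With seq_cst atomics either we see g_draining, or unregister sees g_inflight > 0. */
int rundown_acquire(void) {
    atomic_fetch_add(&g_inflight, 1);
    if (atomic_load(&g_draining)) {
        atomic_fetch_sub(&g_inflight, 1);   /* back out: unregister is in progress */
        return 0;
    }
    return 1;
}
void rundown_release(void) { atomic_fetch_sub(&g_inflight, 1); }

/* Safe pattern: the context cannot be freed while we hold a rundown reference. */
int safe_filter_callback(void) {
    if (!rundown_acquire()) return -1;   /* refused at the gate, no dereference */
    int v = g_ctx->value;
    rundown_release();
    return v;
}

/* Unregister: flag draining, wait until no callback is inside, then free. */
void safe_unregister(void) {
    atomic_store(&g_draining, 1);
    while (atomic_load(&g_inflight) > 0) { /* spin; a driver would wait on an event */ }
    free(g_ctx);
    g_ctx = NULL;
}

void register_filter(int value) {
    g_ctx = malloc(sizeof *g_ctx);
    g_ctx->value = value;
    atomic_store(&g_inflight, 0);
    atomic_store(&g_draining, 0);
}
```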