blue screen error

Mar 22, 2018
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: daa3b000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 83653b70, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)

Debugging Details:
------------------

TRIAGER: Could not open triage file : e:\dump_analysis\program\triage\modclass.ini, error 2

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 8377d718
Unable to read MiSystemVaType memory at 8375d160
daa3b000

FAULTING_IP:
nt!memmove+90
83653b70 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

MM_INTERNAL_CODE: 0

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: System

CURRENT_IRQL: 0

TRAP_FRAME: b43abbb4 -- (.trap 0xffffffffb43abbb4)
ErrCode = 00000002
eax=00000000 ebx=daa3aff9 ecx=00000028 edx=00000001 esi=c9c4f041 edi=daa3b000
eip=83653b70 esp=b43abc28 ebp=b43abc30 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!memmove+0x90:
83653b70 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

LAST_CONTROL_TRANSFER: from 8365b5f8 to 8369a8e3

STACK_TEXT:
b43abb9c 8365b5f8 00000001 daa3b000 00000000 nt!MmAccessFault+0x106
b43abb9c 83653b70 00000001 daa3b000 00000000 nt!KiTrap0E+0xdc
b43abc30 b5833047 daa3aff9 c9c4f03a 000000a8 nt!memmove+0x90
b43abc5c b58333cc daa3aff0 c9c4f035 8b0de380 srv!SrvOs2FeaToNt+0x53
b43abc7c b584c4be daa3aff0 b43abcbc b43abca8 srv!SrvOs2FeaListToNt+0x9e
b43abcb4 b5853fed daa2a008 83653ae0 c9c3f008 srv!SrvSmbOpen2+0x93
b43abcc8 b585505c b58226ec 8b0de380 b5824000 srv!ExecuteTransaction+0x101
b43abd00 b581e2cc 8b0de380 8b0b44d8 8b0b44a0 srv!SrvSmbTransactionSecondary+0x2c5
b43abd28 b582dc84 00000000 8b0bb698 00000000 srv!SrvProcessSmb+0x187
b43abd50 8382366d 000b44a0 9c2bd66a 00000000 srv!WorkerThread+0x15c
b43abd90 836d50d9 b582db28 8b0b44a0 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19


STACK_COMMAND: kb

FOLLOWUP_IP:
srv!SrvOs2FeaToNt+53
b5833047 0fb74606 movzx eax,word ptr [esi+6]

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: srv!SrvOs2FeaToNt+53

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: srv

IMAGE_NAME: srv.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bbffe

FAILURE_BUCKET_ID: 0x50_srv!SrvOs2FeaToNt+53

BUCKET_ID: 0x50_srv!SrvOs2FeaToNt+53

Followup: MachineOwner
---------
 
Solution
The SMB server is likely being attacked through an open port in the firewall.
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010

Google "srv!SrvOs2FeaToNt"

Look a few pages down on this thread:
https://answers.microsoft.com/en-us/windows/forum/windows_other-performance/windows-server-2012-bug-check-systems-restarts/412432ba-1439-4f04-b47a-760579674bd9

Text from the above answer:
Your server has SMB ports open to the world, probably. Close your ports TCP 139 and 445, UDP 137 and 138, especially TCP 445.
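
A triage check for the pattern in this thread, as an added example that is not part of the original posts: it parses `!analyze -v` text and flags a bugcheck 0x50 write fault where nt!memmove sits above srv!SrvOs2FeaToNt on the stack. The verdict strings, function names and the trimmed sample are constructed for illustration, and the frame regex assumes the 32-bit five-column STACK_TEXT layout shown in the dump.

```python
import re

# Constructed sample: a trimmed excerpt in the same layout as the dump above.
SAMPLE = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arguments:
Arg1: daa3b000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
STACK_TEXT:
b43abb9c 8365b5f8 00000001 daa3b000 00000000 nt!MmAccessFault+0x106
b43abc30 b5833047 daa3aff9 c9c4f03a 000000a8 nt!memmove+0x90
b43abc5c b58333cc daa3aff0 c9c4f035 8b0de380 srv!SrvOs2FeaToNt+0x53
b43abcb4 b5853fed daa2a008 83653ae0 c9c3f008 srv!SrvSmbOpen2+0x93

STACK_COMMAND: kb
FAILURE_BUCKET_ID: 0x50_srv!SrvOs2FeaToNt+53
"""

FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\w+)!(\w+)\+0x[0-9a-f]+\s*$", re.I)

def parse_analysis(text):
    """Extract bugcheck code, Arg1..Arg4 and stack frames from !analyze -v text."""
    code = re.search(r"^[A-Z_0-9]+ \(([0-9a-fA-F]+)\)\s*$", text, re.M)
    args = {int(n): int(v, 16) for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]+),", text, re.M)}
    frames, in_stack = [], False
    for line in text.splitlines():
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif in_stack:
            m = FRAME.match(line.strip())
            if m:
                frames.append((m.group(1).lower(), m.group(2)))
            elif line.strip():  # first non-blank, non-frame line ends the stack
                in_stack = False
    return {"bugcheck": int(code.group(1), 16) if code else None, "args": args, "frames": frames}

def triage(text):
    """Return a verdict (hypothetical labels) for the pattern discussed in this thread."""
    info = parse_analysis(text)
    names = [f"{m}!{s}" for m, s in info["frames"]]
    in_fea = "srv!SrvOs2FeaToNt" in names
    copy_above = in_fea and "nt!memmove" in names[:names.index("srv!SrvOs2FeaToNt")]
    write_fault = info["bugcheck"] == 0x50 and info["args"].get(2) == 1
    if write_fault and copy_above:
        return "smb-fea-write-fault"  # same shape as the dump: check MS17-010 and SMB exposure
    if any(m == "srv" for m, _ in info["frames"]):
        return "srv-involved"
    return "no-match"
```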