Application not access with spoolsv and printisolationhost having large amounts of threads, trying to use process dumps

-

every often, have application not allow new logins.  have taken process dumps spoolsv, cpsvc , single printisolationhosts  process, have high thread counts of 763, 214 , 715.   normal thread counts 26, 60 , 5 or 6. 

i teaching myself use windbg, process explorer , reading forum posts.   assistance appreciated. 

i  have screen shots spoolsv, printisolationhost , cpsvc,  analyze wait chain selections resource monitor, show waiting on spoolsv.

from reading several posts, have used windbg process dumps finding locks , threads "criticalsection" entries.  using information have tried find if there locked file causing issue. 

microsoft (r) windows debugger version 6.3.9600.17200 x86
copyright (c) microsoft corporation. rights reserved.

loading dump file [c:\spoolsv.dmp]
user mini dump file full memory: application data available


************* symbol path validation summary **************
response                         time (ms)     location
ok                                             c:\symbols
symbol search path is: c:\symbols
executable search path is:
windows 7 version 7601 (service pack 1) mp (8 procs) free x64
product: server, suite: enterprise terminalserver
machine name:
debug session time: fri jan 30 10:18:00.000 2015 (utc - 5:00)
system uptime: 49 days 2:14:23.457
process uptime: 3 days 18:21:30.000
................................................................
................................................................
.......................................................
loading unloaded module list
................................................................
*** error: symbol file not found.  defaulted export symbols kernelbase.dll -
ntdll!zwwaitforsingleobject+0xa: 00000000`77c9135a c3              ret

i used "!locks" , used "lockcount" enty trace threads, none had "criticalsection" entry

 ****  used  ~*  kn list threads, , used "find"  search "criticalsection" , wrote down thread references.

0:000> ~739 kn
 # child-sp          retaddr           call site
00 00000000`1c10f198 00000000`77c8e4e8 ntdll!zwwaitforsingleobject+0xa
01 00000000`1c10f1a0 00000000`77c8e3db ntdll!rtlpwaitoncriticalsection+0xe8
*** error: symbol file not found.  defaulted export symbols localspl.dll -
02 00000000`1c10f250 000007fe`ea910cd9 ntdll!rtlentercriticalsection+0xd1
03 00000000`1c10f280 000007fe`ea8f058d localspl!spldriverevent+0x219
04 00000000`1c10f2d0 000007fe`ea8f089d localspl!splpowerevent+0x2373d
*** error: symbol file not found.  defaulted export symbols win32spl.dll -
05 00000000`1c10f310 000007fe`e4f1ac61 localspl!spldeleteprinterwithjobs+0x179
06 00000000`1c10f360 000007fe`e4eed70d win32spl!initializeprintmonitor2+0x3d15
07 00000000`1c10f390 000007fe`e4eefa7b win32spl!providerentryw+0x5481
08 00000000`1c10f400 000007fe`e4f1177b win32spl!providerentryw+0x77ef
09 00000000`1c10f490 000007fe`e4f19a25 win32spl!providerentryw+0x294ef
0a 00000000`1c10f500 000007fe`e4f19b40 win32spl!initializeprintmonitor2+0x2ad9
0b 00000000`1c10f550 000007fe`e4f12cce win32spl!initializeprintmonitor2+0x2bf4
0c 00000000`1c10f5e0 000007fe`e4ec8e0d win32spl!providerentryw+0x2aa42
0d 00000000`1c10f690 000007fe`e4ec8d57 win32spl+0x8e0d
0e 00000000`1c10f6e0 000007fe`e4ec8a16 win32spl+0x8d57
0f 00000000`1c10f710 00000000`77c563e5 win32spl+0x8a16
10 00000000`1c10f740 00000000`77c60c26 ntdll!tpptimerpexecutecallback+0x105
*** error: symbol file not found.  defaulted export symbols kernel32.dll -
11 00000000`1c10f7a0 00000000`77b359ed ntdll!tppworkerthread+0x5ff
12 00000000`1c10faa0 00000000`77c6c521 kernel32!basethreadinitthunk+0xd
13 00000000`1c10fad0 00000000`00000000 ntdll!rtluserthreadstart+0x1d


0:000> u ntdll!rtlentercriticalsection
ntdll!rtlentercriticalsection:
00000000`77c92fc0 fff3            push    rbx
00000000`77c92fc2 4883ec20        sub     rsp,20h
00000000`77c92fc6 f00fba710800    lock btr dword ptr [rcx+8],0
00000000`77c92fcc 488bd9          mov     rbx,rcx
00000000`77c92fcf 0f83e9b1ffff    jae     ntdll!rtlentercriticalsection+0x31 (00000000`77c8e1be)
00000000`77c92fd5 65488b042530000000 mov   rax,qword ptr gs:[30h]
00000000`77c92fde 488b4848        mov     rcx,qword ptr [rax+48h]
00000000`77c92fe2 c7430c01000000  mov     dword ptr [rbx+0ch],1

0:000> u ntdll!rtlpwaitoncriticalsection
ntdll!rtlpwaitoncriticalsection:
00000000`77c8e400 48895c2420      mov     qword ptr [rsp+20h],rbx
00000000`77c8e405 55              push    rbp
00000000`77c8e406 56              push    rsi
00000000`77c8e407 57              push    rdi
00000000`77c8e408 4156            push    r14
00000000`77c8e40a 4157            push    r15
00000000`77c8e40c 4881ec80000000  sub     rsp,80h
00000000`77c8e413 488d0576900e00  lea     rax,[ntdll!ldrploaderlock (00000000`77d77490)]

0:000> !cs 77d77490
-----------------------------------------
critical section   = 0x0000000077d77490 (ntdll!ldrploaderlock+0x0)
debuginfo          = 0x0000000077d77100
not locked
locksemaphore      = 0x3c4
spincount          = 0x0000000000000000



Windows Server  >  Server Manager



Comments

Post a Comment

Popular posts from this blog

some help on Event 540

-
does event 540 me distinguish between user , administrator access?    this event generated ypon successfull logon, logon exactly? successful logon on system?   is there other way log administrator access system using event viewer?   thank valuable response   georges hi,   as far know, cannot distinguish between user , administrator access event 540. more information, please refer to:   event id: 540 http://www.microsoft.com/technet/support/ee/transform.aspx?prodname=windows+operating+system&prodver=5.0&evtid=540&evtsrc=security&lcid=1033   events 528 , 540 http://blogs.msdn.com/b/ericfitz/archive/2004/12/09/279282.aspx   regards, bruce this posting provided "as is" no warranties, , confers no rights. please remember click "mark answer" on post helps you, , click "unmark answer" if marked post not answer question. can beneficial other community members reading thread.
Read more

WMI Repository 4GB limit - Win 2003 Ent Question

-
Image
hi there, i've question size limit on wmi repository (being 4gb). if isn't correct place post this, apologies , can let me know wheere post this? i've come across few servers running citrix have reached limit on wmi repository size , need install ibm director agent hw monitoring. during install getting 'out of disk space' errors entered in mofcomp.log: "(mon apr 02 04:10:36 2012.172843) : error occurred while processing item 4: (mon apr 02 04:10:36 2012.172843) : error number: 0x8004103b, facility: wmi description: out of disk space" when error number http://msdn.microsoft.com/en-us/library/windows/desktop/aa394559%28v=vs.85%29.aspx i see this: wbem_e_out_of_disk_space 2147749947 (0x8004103b) disk out of space or 4 gb limit on wmi repository (cim repository) size reached. windows xp , windows 2000/nt:   disk out of space. i'm wondering if there reason why limit set 4gb or can increase needs be? can't seem find reas
Read more

Event ID 1302 (error 1307) DFS replication service encountered an error while writing to the debug log file

-
Image
hello. we @ step 0 of migration frs dfsr sysvol replication on windows 2008r2 dc. every time run powershell dfsrmig / getmigrationstate says: "unable create dfsr migration log file. error 1307. all domain controllers have migrated global state 'start'. migration has reached consistent state on domain controllers. succeeded." it creates event id 1302 in "dfs replication" event log, explaining error 1307 means: "this security id may not assigned ownder of object ". i already checked space limits, quotas, permissions on c:\windows\debug according microsoft support article unable fix it. although, there new entries added dfsr00095.txt log file despite error. dfsrxxxx file has not been archived .gz format, and, beleive, contains dfsr diagnostics , events. here of latest entries: 20150908 08:47:27.867 11616 sysm  3354 migration::sysvolmigration::getsysvolreadyflag [mig] sysvol ready 20150908 08:47:27.867 11616 sysm   456 migrati
Read more