
I don't know if this is a problem with the memory on the server, one of my SSDs, or something software related. The crash has happened 4+ times in the last few months.

I need some help in figuring out how to stop this from happening ASAP. Any ideas?

Here is the stack trace:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common BugCheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8029ea8ba7b, The address that the exception occurred at
Arg3: ffff928ac148b858, Exception Record Address
Arg4: ffff928ac148b070, Context Record Address

KEY_VALUES_STRING: 1

Key  : AV.Fault
Value: Read

Key  : Analysis.CPU.mSec
Value: 3936

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 3841

Key  : Analysis.Init.CPU.mSec
Value: 17968

Key  : Analysis.Init.Elapsed.mSec
Value: 585841

Key  : Analysis.Memory.CommitPeak.Mb
Value: 130

Key  : WER.OS.Branch
Value: fe_release_svc_prod2

Key  : WER.OS.Timestamp
Value: 2022-07-07T18:32:00Z

Key  : WER.OS.Version
Value: 10.0.20348.859


FILE_IN_CAB: MEMORY.DMP

DUMP_FILE_ATTRIBUTES: 0x1000

BUGCHECK_CODE: 7e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: fffff8029ea8ba7b

BUGCHECK_P3: ffff928ac148b858

BUGCHECK_P4: ffff928ac148b070

EXCEPTION_RECORD: ffff928ac148b858 -- (.exr 0xffff928ac148b858)
ExceptionAddress: fffff8029ea8ba7b (HTTP!UlpGetSendCacheDataSize+0x0000000000000017)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: ffff928ac148b070 -- (.cxr 0xffff928ac148b070)
rax=0000000000000000 rbx=ffff80009068ed98 rcx=3a22707061222020
rdx=0000000000000000 rsi=ffffc38e63d74840 rdi=ffffc38e6414b030
rip=fffff8029ea8ba7b rsp=ffff928ac148ba98 rbp=ffff928ac148bb20
 r8=0000000000000001  r9=00000000ffffffff r10=fffff80276af8d60
r11=ffff928ac148ba70 r12=0000000000000000 r13=ffffc38e6414b010
r14=ffffc38e63d748b0 r15=ffffc38e623aba80
iopl=0 nv up ei pl nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010202
HTTP!UlpGetSendCacheDataSize+0x17:
fffff8029ea8ba7b 8b4128 mov eax,dword ptr [rcx+28h] ds:002b:3a22707061222048=????????
Resetting default scope

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

PROCESS_NAME: System

READ_ADDRESS: ffffffffffffffff

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR: c0000005

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

EXCEPTION_STR: 0xc0000005

STACK_TEXT:
ffff928ac148ba98 fffff8029eb57402 : 0000000000000001 ffffc38e66bc0710 ffffc38e646e6780 fffff80276a3162f : HTTP!UlpGetSendCacheDataSize+0x17
ffff928ac148baa0 fffff8029eb2e012 : fffff8029eb57301 fffff8029eb33901 0000000000000001 fffff8029eb57380 : HTTP!UlSendCacheEntryWorker+0x82
ffff928ac148bb60 fffff80276b69f15 : ffffc38e63d748b0 fffff8029eafe580 0000000000000480 0000000000000000 : HTTP!UlpThreadPoolWorker+0x112
ffff928ac148bbf0 fffff80276c24488 : ffffad814ca40180 ffffc38e646e6080 fffff80276b69ec0 0000000000000000 : nt!PspSystemThreadStartup+0x55
ffff928ac148bc40 0000000000000000 : ffff928ac148c000 ffff928ac1486000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x28

SYMBOL_NAME: HTTP!UlpGetSendCacheDataSize+17

MODULE_NAME: HTTP

IMAGE_NAME: HTTP.sys

STACK_COMMAND: .cxr 0xffff928ac148b070 ; kb

BUCKET_ID_FUNC_OFFSET: 17

FAILURE_BUCKET_ID: AV_HTTP!UlpGetSendCacheDataSize

OS_VERSION: 10.0.20348.859

BUILDLAB_STR: fe_release_svc_prod2

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {640925e0-41aa-2deb-fe92-17674389e426}

Followup: MachineOwner

1 Answer


This is almost certainly related to an update; you are by far not the only one having it: https://learn.microsoft.com/en-us/answers/questions/1185893/windows-server-2022-standard-(21h2-20348-1547)-cra

IF I had to guess (I do not run a comparable ENV to test), https://learn.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-034 is likely where to start

OR

Your system does NOT contain this patch, and the nature of the CVE (https://nvd.nist.gov/vuln/detail/CVE-2015-1635) could indicate that someone is actively TRYING to exploit the system. The fact that others started getting the error before the Apr patch tends to favor this theory. As does an access violation in a memory operation!

IF the update is present I would roll back and see if that assists (I would consider other mitigation if you can, and remember this is an RCE.)

If it IS present, do a packet capture of the affected system if feasible, and correlate actual traffic to the web server with each instance of the crash. It would not be the first patch to not fully fix a bug, leading to another variant, or to lead to instability because of an incomplete patch. Take the results to MS and let them look it over to make sure the patch is sound.
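A triage step for the CONTEXT record in the question, as an added example that is not part of the original question or answer: the faulting instruction reads `[rcx+28h]`, so this script checks each general-purpose register for a non-canonical value whose bytes are all printable ASCII, which is consistent with a pointer field overwritten by string data. It assumes 48-bit canonical addressing; the function names are illustrative.

```python
import re

# Register dump copied from the CONTEXT record in the question.
CONTEXT = """
rax=0000000000000000 rbx=ffff80009068ed98 rcx=3a22707061222020
rdx=0000000000000000 rsi=ffffc38e63d74840 rdi=ffffc38e6414b030
rip=fffff8029ea8ba7b rsp=ffff928ac148ba98 rbp=ffff928ac148bb20
r8=0000000000000001 r9=00000000ffffffff r10=fffff80276af8d60
r11=ffff928ac148ba70 r12=0000000000000000 r13=ffffc38e6414b010
r14=ffffc38e63d748b0 r15=ffffc38e623aba80
"""

# Matches rax..rsp style names and r8..r15, followed by a 64-bit hex value.
REG = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")


def is_canonical(value):
    """48-bit canonical x64 address: bits 63..47 are all 0 or all 1 (assumed, no LA57)."""
    top = value >> 47
    return top == 0 or top == 0x1FFFF


def as_text(value):
    """Return the 8 bytes in memory order (little-endian) if all are printable ASCII."""
    raw = value.to_bytes(8, "little")
    if all(0x20 <= b <= 0x7E for b in raw):
        return raw.decode("ascii")
    return None


def suspicious_registers(context):
    """Map register name -> decoded text for non-canonical, pure-ASCII values."""
    hits = {}
    for name, hexval in REG.findall(context):
        value = int(hexval, 16)
        text = as_text(value)
        if text is not None and not is_canonical(value):
            hits[name] = text
    return hits


if __name__ == "__main__":
    for reg, text in suspicious_registers(CONTEXT).items():
        print(f"{reg} holds ASCII text {text!r}, not a kernel pointer")
```

The decoded fragment is worth searching for in the HTTP traffic captured around each crash, as the answer suggests, to find which response content ended up where HTTP.sys expected a pointer.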