Faulting Application Cscript on Windows 2008 DCs
Two of my Windows 2008 Enterprise DCs are both getting Event 1000 errors every 5 minutes in their Application logs.
Type: Error
Source: Application Error
Event ID: 1000
Event Time: 2/10/2011 7:10:37 AM
User: n/a
Computer: CMSAdmin001.cmsprod.da.ocgov.com
Description:
Faulting application name: cscript.exe, version: 5.8.7600.16385, time stamp: 0x4a5bca2a
Faulting module name: ntdll.dll, version: 6.1.7600.16695, time stamp: 0x4cc7b325
Exception code: 0xc00000fd
Fault offset: 0x0000000000004a23
Faulting process id: 0x1cf4
Faulting application start time: 0x01cbc934aabd2ae1
Faulting application path: C:\Windows\system32\cscript.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e9befded-3527-11e0-93b2-00215ad07292
They both have SCOM 2007 R2 CU4 agents installed. I've stopped the HealthService on one for 10 minutes and the errors go away. Has anyone seen this behavior before? My guess is that it's a Windows 2008 issue, perhaps a memory leak maybe?
Orange County District Attorney
February 10th, 2011 6:26pm
Well, the health service will run monitoringhosts which in turn will run scripts by launching CSCRIPT.exe. Has the allow scripting policy been changed on those computers recently?
Microsoft Corporation
February 10th, 2011 7:44pm
No, it doesn't look like we have changed any policies on these servers. They are in a child domain, that's the only difference for us.
Orange County District Attorney
February 10th, 2011 8:53pm
Hi,
Please try clearing the HealthService queue on the server and see how it works:
1. Stop System Center Management service.
2. Go to C:\Program Files\System Center Operations Manager 2007\, and rename the “Health Service State” folder.
3. Restart System Center Management service.
Hope this helps.
Thanks.
Nicholas Li - MSFT
February 15th, 2011 4:28am
Thanks for the suggestions Nicholas. I cleared the HealthService queue as you suggested however I'm still getting the errors. Also, after every error a Windows Error Report is generated too.
Perhaps SP1 soon to be released might offer a fix.
Orange County District Attorney
February 15th, 2011 6:44pm
Hi,
Thank you for your feedback.
You can try to use Effective Configuration Viewer to check what is running on the agents:
SC Ops Mgr 2007 Resource Kit – Effective Configuration Viewer
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=A9DB4DCA-6716-478D-89B9-42F27EBC76A8&displaylang=en
In addition, please also ensure the management packs are up-to-date.
Thanks.
Nicholas Li - MSFT
February 21st, 2011 10:56am
Any solution for this problem related to the AD Management Pack (Windows Server 2008 R2 SP1 x64)?
Log Name: Application
Source: Application Error
Date: 9/28/2011 8:15:11 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: xxx.xxx.xxx.com
Description:
Faulting application name: cscript.exe, version: 5.8.7600.16385, time stamp: 0x4a5bca2a
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9
Exception code: 0xc00000fd
Fault offset: 0x0000000000053560
Faulting process id: 0x288
Faulting application start time: 0x01cc7e0a8fa5172f
Faulting application path: C:\Windows\system32\cscript.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: cd860055-e9fd-11e0-aeb9-00199917bda5
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-09-28T18:15:11.000000000Z" />
<EventRecordID>114341</EventRecordID>
<Channel>Application</Channel>
<Computer>DCDUNAV02.internal.dunav.com</Computer>
<Security />
</System>
<EventData>
<Data>cscript.exe</Data>
<Data>5.8.7600.16385</Data>
<Data>4a5bca2a</Data>
<Data>ntdll.dll</Data>
<Data>6.1.7601.17514</Data>
<Data>4ce7c8f9</Data>
<Data>c00000fd</Data>
<Data>0000000000053560</Data>
<Data>288</Data>
<Data>01cc7e0a8fa5172f</Data>
<Data>C:\Windows\system32\cscript.exe</Data>
<Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data>cd860055-e9fd-11e0-aeb9-00199917bda5</Data>
</EventData>
</Event>
September 28th, 2011 9:26pm
having a crash dump you are able to identify cscript.exe arguments (WinDBG/IDA) and therefore identify the exact SCOM vbs/js name.
then you will be able to run the same script line by line finding the crashing place.
most likely the issue is related to some COM component which is created through CreateObject() invocation.
try to find where your crash dump is located and if possible share it. maybe someone will be able to help.
September 28th, 2011 11:21pm
Do you have a step-by-step procedure for how to do that?
Tools?
I have used Process Monitor, following this article
http://blogs.technet.com/b/smsandmom/archive/2008/12/10/opsmgr-2007-how-to-identify-what-scripts-are-running-on-the-agents-including-frequency-and-parameters.aspx
but all cscript.exe processes show me SUCCESS.. cannot locate the problematic script.
Do you have any suggestions?
September 29th, 2011 8:43am
I have event points on this C:\ProgramData\Microsoft\Windows\WER
...Report.wer
I cannot see from this report what is causing the problem.
Version=1
EventType=APPCRASH
EventTime=129617071205156410
ReportType=2
Consent=1
ReportIdentifier=5ba0c8da-e9fd-11e0-aeb9-00199917bda5
IntegratorReportIdentifier=5ba0c8d9-e9fd-11e0-aeb9-00199917bda5
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=cscript.exe
Sig[1].Name=Application Version
Sig[1].Value=5.8.7600.16385
Sig[2].Name=Application Timestamp
Sig[2].Value=4a5bca2a
Sig[3].Name=Fault Module Name
Sig[3].Value=ntdll.dll
Sig[4].Name=Fault Module Version
Sig[4].Value=6.1.7601.17514
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4ce7c8f9
Sig[6].Name=Exception Code
Sig[6].Value=c00000fd
Sig[7].Name=Exception Offset
Sig[7].Value=0000000000053560
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7601.2.1.0.272.7
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1033
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=12a9
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=12a916a0b6b7b4801583f9091703375b
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=cee4
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=cee411bbc812729f97eef1399c58d532
UI[2]=C:\Windows\system32\cscript.exe
UI[5]=Check online for a solution (recommended)
UI[6]=Check for a solution later (recommended)
UI[7]=Close
UI[8]=Microsoft ® Console Based Script Host stopped working and was closed
UI[9]=A problem caused the application to stop working correctly. Windows will notify you if a solution is available.
UI[10]=&Close
LoadedModule[0]=C:\Windows\system32\cscript.exe
LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll
LoadedModule[2]=C:\Windows\system32\kernel32.dll
LoadedModule[3]=C:\Windows\system32\KERNELBASE.dll
LoadedModule[4]=C:\Windows\system32\msvcrt.dll
LoadedModule[5]=C:\Windows\system32\OLEAUT32.dll
LoadedModule[6]=C:\Windows\system32\ole32.dll
LoadedModule[7]=C:\Windows\system32\GDI32.dll
LoadedModule[8]=C:\Windows\system32\USER32.dll
LoadedModule[9]=C:\Windows\system32\LPK.dll
LoadedModule[10]=C:\Windows\system32\USP10.dll
LoadedModule[11]=C:\Windows\system32\RPCRT4.dll
LoadedModule[12]=C:\Windows\system32\VERSION.dll
LoadedModule[13]=C:\Windows\system32\ADVAPI32.dll
LoadedModule[14]=C:\Windows\SYSTEM32\sechost.dll
LoadedModule[15]=C:\Windows\system32\IMM32.DLL
LoadedModule[16]=C:\Windows\system32\MSCTF.dll
LoadedModule[17]=C:\Windows\system32\CRYPTBASE.dll
LoadedModule[18]=C:\Windows\system32\SXS.DLL
LoadedModule[19]=C:\Windows\system32\CLBCatQ.DLL
LoadedModule[20]=C:\Windows\system32\vbscript.dll
LoadedModule[21]=C:\Windows\system32\WINTRUST.dll
LoadedModule[22]=C:\Windows\system32\CRYPT32.dll
LoadedModule[23]=C:\Windows\system32\MSASN1.dll
LoadedModule[24]=C:\Windows\system32\CRYPTSP.dll
LoadedModule[25]=C:\Windows\system32\rsaenh.dll
LoadedModule[26]=C:\Windows\system32\MSISIP.DLL
LoadedModule[27]=C:\Windows\system32\wshext.dll
LoadedModule[28]=C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\COMCTL32.dll
LoadedModule[29]=C:\Windows\system32\COMDLG32.dll
LoadedModule[30]=C:\Windows\system32\SHLWAPI.dll
LoadedModule[31]=C:\Windows\system32\SHELL32.dll
LoadedModule[32]=C:\Windows\system32\scrobj.dll
LoadedModule[33]=C:\Windows\system32\mlang.dll
LoadedModule[34]=C:\Program Files\System Center Operations Manager 2007\MOMScriptAPI.dll
LoadedModule[35]=C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
LoadedModule[36]=C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCP90.dll
LoadedModule[37]=C:\Program Files\System Center Operations Manager 2007\HealthServiceRuntime.dll
LoadedModule[38]=C:\Windows\system32\ESENT.dll
LoadedModule[39]=C:\Windows\system32\psapi.dll
LoadedModule[40]=C:\Program Files\Common Files\Active Directory Management Pack Objects\oomads.dll
LoadedModule[41]=C:\Windows\system32\NETAPI32.dll
LoadedModule[42]=C:\Windows\system32\netutils.dll
LoadedModule[43]=C:\Windows\system32\srvcli.dll
LoadedModule[44]=C:\Windows\system32\wkscli.dll
LoadedModule[45]=C:\Windows\system32\DSROLE.DLL
LoadedModule[46]=C:\Windows\system32\LOGONCLI.DLL
LoadedModule[47]=C:\Windows\system32\WSOCK32.dll
LoadedModule[48]=C:\Windows\system32\WS2_32.dll
LoadedModule[49]=C:\Windows\system32\NSI.dll
LoadedModule[50]=C:\Windows\system32\ACTIVEDS.dll
LoadedModule[51]=C:\Windows\system32\adsldpc.dll
LoadedModule[52]=C:\Windows\system32\WLDAP32.dll
LoadedModule[53]=C:\Windows\system32\ATL.DLL
LoadedModule[54]=C:\Windows\system32\NTDSAPI.dll
LoadedModule[55]=C:\Windows\system32\adsldp.dll
LoadedModule[56]=C:\Windows\system32\mswsock.dll
LoadedModule[57]=C:\Windows\System32\wshtcpip.dll
LoadedModule[58]=C:\Windows\system32\SECUR32.DLL
LoadedModule[59]=C:\Windows\system32\SSPICLI.DLL
LoadedModule[60]=C:\Windows\system32\credssp.dll
LoadedModule[61]=C:\Windows\system32\pwdssp.dll
LoadedModule[62]=C:\Windows\System32\wship6.dll
LoadedModule[63]=C:\Windows\system32\DNSAPI.dll
LoadedModule[64]=C:\Windows\system32\IPHLPAPI.DLL
LoadedModule[65]=C:\Windows\system32\WINNSI.DLL
LoadedModule[66]=C:\Windows\system32\rasadhlp.dll
LoadedModule[67]=C:\Windows\System32\fwpuclnt.dll
LoadedModule[68]=C:\Windows\system32\kerberos.DLL
LoadedModule[69]=C:\Windows\system32\cryptdll.dll
LoadedModule[70]=C:\Windows\system32\bcrypt.dll
LoadedModule[71]=C:\Windows\system32\bcryptprimitives.dll
LoadedModule[72]=C:\Windows\system32\wshom.ocx
LoadedModule[73]=C:\Windows\system32\MPR.dll
LoadedModule[74]=C:\Windows\system32\ScrRun.dll
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=Microsoft ® Console Based Script Host
AppPath=C:\Windows\system32\cscript.exe
September 29th, 2011 9:34am
you need to find a binary file with extension mdb/mdmp
as for the text report, the crashed script is exactly related to the AD MP (not windows os MP, not cluster MP, etc) as the oomads.dll module was loaded.
you may go further with crash dump analysis or simply check all AD scripts (not many) one by one, manually running them.
September 29th, 2011 10:43am
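The module-list reasoning in the reply above can be automated. This is an added example, not part of any post in the thread: it parses a constructed excerpt of the Report.wer shown earlier, rebuilds the crash signature, names the exception code (0xc00000fd is the NTSTATUS value STATUS_STACK_OVERFLOW) and lists the modules loaded from outside C:\Windows, which is how oomads.dll points at the AD management pack. The variable names and the small NTSTATUS lookup table are assumptions of the example.

```powershell
# Constructed excerpt of the Report.wer posted above. For a real report use:
#   $lines = Get-Content -LiteralPath <path to Report.wer>
$lines = @'
EventType=APPCRASH
EventTime=129617071205156410
Sig[0].Name=Application Name
Sig[0].Value=cscript.exe
Sig[6].Name=Exception Code
Sig[6].Value=c00000fd
LoadedModule[0]=C:\Windows\system32\cscript.exe
LoadedModule[20]=C:\Windows\system32\vbscript.dll
LoadedModule[34]=C:\Program Files\System Center Operations Manager 2007\MOMScriptAPI.dll
LoadedModule[40]=C:\Program Files\Common Files\Active Directory Management Pack Objects\oomads.dll
'@ -split "`r?`n"

# Split each line on the first '=' only; values may themselves contain '='.
$kv = @{}
foreach ($line in $lines) {
    $i = $line.IndexOf('=')
    if ($i -gt 0) { $kv[$line.Substring(0, $i)] = $line.Substring($i + 1) }
}

# Pair Sig[n].Name with Sig[n].Value to rebuild the crash signature.
$sig = @{}
foreach ($key in $kv.Keys) {
    if ($key -match '^Sig\[(\d+)\]\.Name$') {
        $sig[$kv[$key]] = $kv["Sig[$($Matches[1])].Value"]
    }
}

# Small lookup of NTSTATUS codes (assumption: extend as needed).
$ntstatus = @{ 'c00000fd' = 'STATUS_STACK_OVERFLOW'; 'c0000005' = 'STATUS_ACCESS_VIOLATION' }
$code = $sig['Exception Code']
$name = if ($ntstatus.ContainsKey($code)) { $ntstatus[$code] } else { 'unknown' }

# Modules outside the Windows directory are agent or third-party components.
$windir = 'C:\Windows\'
$foreign = $kv.Keys | Where-Object { $_ -like 'LoadedModule*' } |
    ForEach-Object { $kv[$_] } |
    Where-Object { -not $_.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase) } |
    Sort-Object

"Crashed: {0}  exception 0x{1} ({2})" -f $sig['Application Name'], $code, $name
"Event time (UTC): {0:u}" -f [DateTime]::FromFileTimeUtc([long]$kv['EventTime'])
"Modules loaded from outside {0}:" -f $windir
$foreign | ForEach-Object { "  $_" }
```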
BTW, are you using the latest AD MP available?
September 29th, 2011 10:44am
check if you have crash dumps of cscript.exe here
C:\Users\XXX\AppData\Local\Microsoft\Windows\WER
C:\ProgramData\Microsoft\Windows\WER
if no, enable Error Reporting in ServiceManager>StartPage>ResourcesAndSupport
or simply change the registry
HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\
DWORD Disabled =0
and having mdmp file use WinDBG to get process arguments,
September 29th, 2011 2:02pm
Yes I do.
I am more concerned about "What I should do when I locate problematic script".
Thanks Pavel
September 30th, 2011 2:24am
once you find failing script, you will be able to debug it, isolate place inside script which causes crash.
and then think about next steps, they depend on what you will find in script.
this sub-thread deserves dedicated thread.
September 30th, 2011 5:43am
I think this is the AD_General_Response.vbs script, because I have this problem too.
December 30th, 2011 1:54am