SCOM agent rebooted the server.
we got one case where the log saying that health service increase the memory utilisaion of the server and which rebooted the server.Please check below debug log.
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\Documents and Settings\admcontsg\Desktop\Mini022811-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
*** WARNING: Unable to verify checksum for ntkrnlmp.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x64
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.100216-1301
Machine Name:
Kernel base = 0xfffff800`01000000 PsLoadedModuleList = 0xfffff800`011d4140
Debug session time: Mon Feb 28 17:07:38.688 2011 (GMT+1)
System Uptime: 0 days 2:10:03.046
*** WARNING: Unable to verify checksum for ntkrnlmp.exe
Loading Kernel Symbols
...............................................................
................................................
Loading User Symbols
Loading unloaded module list
...........
*******************************************************************************
*
*
*
Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, 2, 1, fffff800010366bc}
Probably caused by : memory_corruption ( nt!MiRemovePageByColor+c5 )
Followup: MachineOwner
---------
7: kd> !analyze -v
*******************************************************************************
*
*
*
Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000000000000, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff800010366bc, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 0000000000000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiRemovePageByColor+c5
fffff800`010366bc 49ff08
dec qword ptr [r8]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xA
PROCESS_NAME: HealthService.e
TRAP_FRAME: fffffadf8a31b8c0 -- (.trap 0xfffffadf8a31b8c0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000006 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000004 rsi=0000000000000000 rdi=0000000000000000
rip=fffff800010366bc rsp=fffffadf8a31ba50 rbp=fffffadf8a31ba80
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=000000000000003f r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nt!MiRemovePageByColor+0xc5:
fffff800`010366bc 49ff08
dec qword ptr [r8] ds:1740:00000000`00000000=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000102e5b4 to fffff8000102e890
STACK_TEXT:
fffffadf`8a31b738 fffff800`0102e5b4 : 00000000`0000000a 00000000`00000000 00000000`00000002 00000000`00000001 : nt!KeBugCheckEx
fffffadf`8a31b740 fffff800`0102d547 : fffffa80`019d85e0 fffffadf`8b793f9e fffffa80`019d8500 fffffa80`019d8610 : nt!KiBugCheckDispatch+0x74
fffffadf`8a31b8c0 fffff800`010366bc : 00000000`00000080 fffff800`011a98fd 00000000`00000000 fffffadf`9a4bb980 : nt!KiPageFault+0x207
fffffadf`8a31ba50 fffff800`01040248 : 00000000`00000001 00000000`00000004 fffffadf`94afffd0 00000000`00000000 : nt!MiRemovePageByColor+0xc5
fffffadf`8a31bb00 fffff800`0104fbab : fffff680`0005d880 fffff680`0005d888 00000000`00000004 00000000`00000001 : nt!MiRemoveZeroPage+0xb6
fffffadf`8a31bb30 fffff800`01052c0f : 0000007f`ffffffff fffff680`0005d888 00000000`0bb11000 fffffadf`95aa1740 : nt!MiResolveDemandZeroFault+0x1be
fffffadf`8a31bba0 fffff800`0102d459 : ffffffff`ffffffff fffffadf`8a31bcf0 00000000`00000001 00000000`00004000 : nt!MmAccessFault+0x1331
fffffadf`8a31bc70 00000000`7863e2fe : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiPageFault+0x119
00000000`0a14e9e8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7863e2fe
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiRemovePageByColor+c5
fffff800`010366bc 49ff08
dec qword ptr [r8]
SYMBOL_STACK_INDEX: 3
SYMBOL_NAME: nt!MiRemovePageByColor+c5
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4b7abd06
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: X64_0xA_nt!MiRemovePageByColor+c5
BUCKET_ID: X64_0xA_nt!MiRemovePageByColor+c5
Followup: MachineOwner
---------
Omkar umarani SCOM STUDENT
March 14th, 2011 10:04pm