Randomly BSOD on newly installed servers, need help with analysing dump files
For our customer we have installed 4 new servers. These servers are a newer model than the previous servers. A new image has been created for these servers. Standard tooling, such as IBM Director Agent, ITM monitoring software, LSI RAID management software and Symantec Antivirus 10 have been installed. All servers appear to operate fine, but they randomly crash.

We found that Symantec generated an error during a full system scan. At the time Symantec starts scanning inside archives (zip, dat, cab etc.) the systems crash (sometimes). We disabled scanning inside files and the systems don't crash during the Full Scan, but now randomly crash at different times with different dump file results.

Although the dump files generate different causes, some results are unique for all the crashes, such as:

Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )

and

CURRENT_IRQL: 2

But some results are totally different:

PROCESS_NAME: Rtvscan.exe
PROCESS_NAME: kntcma.exe
PROCESS_NAME: dsmcsvc.exe

Is my assumption correct that Symevent.sys (part of Symantec) is still causing the system crashes? Or do I have some other issue (memory errors (on all servers?))?

Symantec support had a workaround for the crashes during the system scan, which was disabling scanning inside archives. Using this workaround causes crashes at different times.

Here are some complete Bugcheck results: (All from the same server)

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [All minidumps\Mini030711-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Loading Kernel Symbols
...............................................................
....................................................
Loading User Symbols
Loading unloaded module list
..........
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, d0000002, 1, 80866ea6}

Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )

Followup: MachineOwner
---------

4: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high.
This is usually caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80866ea6, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!MiRemovePageByColor+7c
80866ea6 ff08 dec dword ptr [eax]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0xA

PROCESS_NAME: Rtvscan.exe

TRAP_FRAME: b9fb67d0 -- (.trap 0xffffffffb9fb67d0)
.trap 0xffffffffb9fb67d0
ErrCode = 00000002
eax=00000000 ebx=00000001 ecx=00000000 edx=00000017 esi=81401ce0 edi=83e4bdbc
eip=80866ea6 esp=b9fb6844 ebp=b9fb6864 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiRemovePageByColor+0x7c:
80866ea6 ff08 dec dword ptr [eax] ds:0023:00000000=????????
.trap
Resetting default scope

LAST_CONTROL_TRANSFER: from 80866ea6 to 8088c99b

STACK_TEXT:
b9fb67d0 80866ea6 badb0d00 00000017 e81bb000 nt!KiTrap0E+0x2a7
b9fb6864 808672b2 e81bb018 00000017 c0740dd8 nt!MiRemovePageByColor+0x7c
b9fb6880 808597d0 00000000 d4843000 00001000 nt!MiRemoveZeroPage+0x8a
b9fb69d0 8080edbe d4843000 13783f28 00000000 nt!MmCopyToCachedPage+0x512
b9fb6a60 8080cb1b 86f2ac98 13783f28 b9fb6a94 nt!CcMapAndCopy+0x1b2
b9fb6ae4 f7b0e52f 87181bb0 0dd00000 00008000 nt!CcFastCopyWrite+0x229
b9fb6b48 f76d2ca2 87181bb0 b9fb6bb8 00008000 Ntfs!NtfsCopyWriteA+0x1fb
b9fb6b7c f76dfa2f 00000004 00000000 b9fb6bb0 fltMgr!FltpPerformFastIoCall+0x230
b9fb6bd0 ba521d8a 87181bb0 b9fb6c74 00008000 fltMgr!FltpFastIoWrite+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b9fb6c04 f76d2ca2 87181bb0 b9fb6c74 00008000 SYMEVENT+0x3d8a
b9fb6c38 f76dfa2f 00000004 00000000 b9fb6c6c fltMgr!FltpPerformFastIoCall+0x230
b9fb6c8c 808f2e0b 87181bb0 b9fb6cd0 00008000 fltMgr!FltpFastIoWrite+0xa9
b9fb6d38 808897bc 000003b0 00000000 00000000 nt!NtWriteFile+0x317
b9fb6d38 7c82860c 000003b0 00000000 00000000 nt!KiFastCallEntry+0xfc
121dde50 00000000 00000000 00000000 00000000 0x7c82860c

STACK_COMMAND: kb

FOLLOWUP_IP:
SYMEVENT+3d8a
ba521d8a ?? ???

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: SYMEVENT+3d8a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME: SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4551513d

FAILURE_BUCKET_ID: 0xA_SYMEVENT+3d8a

BUCKET_ID: 0xA_SYMEVENT+3d8a

Followup: MachineOwner
---------

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [All minidumps\Mini032611-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sat Mar 26 06:50:43.860 2011 (UTC + 2:00)
System Uptime: 2 days 15:59:46.337
Loading Kernel Symbols
...............................................................
...................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, d0000002, 1, 80866ea6}

Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )

Followup: MachineOwner
---------

2: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high.
This is usually caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80866ea6, address which referenced memory

Debugging Details:
------------------

WRITE_ADDRESS: 00000000

CURRENT_IRQL: 2

FAULTING_IP:
nt!MiRemovePageByColor+7c
80866ea6 ff08 dec dword ptr [eax]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0xA

PROCESS_NAME: kntcma.exe

TRAP_FRAME: b8a657d4 -- (.trap 0xffffffffb8a657d4)
.trap 0xffffffffb8a657d4
ErrCode = 00000002
eax=00000000 ebx=00000001 ecx=00000000 edx=00000008 esi=81401ce0 edi=83e4c0bc
eip=80866ea6 esp=b8a65848 ebp=b8a65868 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiRemovePageByColor+0x7c:
80866ea6 ff08 dec dword ptr [eax] ds:0023:00000000=????????
.trap
Resetting default scope

LAST_CONTROL_TRANSFER: from 80866ea6 to 8088c99b

STACK_TEXT:
b8a657d4 80866ea6 badb0d00 00000008 00000000 nt!KiTrap0E+0x2a7
b8a65868 8086745a e88f3988 00000002 c0744798 nt!MiRemovePageByColor+0x7c
b8a65880 808597e6 00000000 c5cb1000 00001000 nt!MiRemoveAnyPage+0xc0
b8a659d0 8080edbe c5cb1000 037d56b8 00000000 nt!MmCopyToCachedPage+0x528
b8a65a60 8080cb1b 87690be0 037d56b8 b8a65a94 nt!CcMapAndCopy+0x1b2
b8a65ae4 f7b0e52f 878a2328 02231000 00001000 nt!CcFastCopyWrite+0x229
b8a65b48 f76d2ca2 878a2328 b8a65bb8 00001000 Ntfs!NtfsCopyWriteA+0x1fb
b8a65b7c f76dfa2f 00000004 00000000 b8a65bb0 fltMgr!FltpPerformFastIoCall+0x230
b8a65bd0 ba521d8a 878a2328 b8a65c74 00001000 fltMgr!FltpFastIoWrite+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b8a65c04 f76d2ca2 878a2328 b8a65c74 00001000 SYMEVENT+0x3d8a
b8a65c38 f76dfa2f 00000004 00000000 b8a65c6c fltMgr!FltpPerformFastIoCall+0x230
b8a65c8c 808f2e0b 878a2328 b8a65cd0 00001000 fltMgr!FltpFastIoWrite+0xa9
b8a65d38 808897bc 00001804 00000000 00000000 nt!NtWriteFile+0x317
b8a65d38 7c82860c 00001804 00000000 00000000 nt!KiFastCallEntry+0xfc
0591f520 00000000 00000000 00000000 00000000 0x7c82860c

STACK_COMMAND: kb

FOLLOWUP_IP:
SYMEVENT+3d8a
ba521d8a ?? ???

SYMBOL_STACK_INDEX: 9

SYMBOL_NAME: SYMEVENT+3d8a

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME: SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 4551513d

FAILURE_BUCKET_ID: 0xA_SYMEVENT+3d8a

BUCKET_ID: 0xA_SYMEVENT+3d8a

Followup: MachineOwner

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [\All minidumps\Mini042411-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sun Apr 24 03:42:15.493 2011 (UTC + 2:00)
System Uptime: 5 days 17:22:27.039
Loading Kernel Symbols
...............................................................
....................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4E, {2, 335ce, 182b58, 108}

Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : memory_corruption ( nt!MiUnlinkPageFromList+3d )

Followup: MachineOwner
---------

1: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling MmUnlockPages twice with the same list, etc).
If a kernel debugger is available get the stack trace.
Arguments:
Arg1: 00000002, A list entry was corrupt
Arg2: 000335ce, entry in list being removed
Arg3: 00182b58, highest physical page number
Arg4: 00000108, reference count of entry being removed

Debugging Details:
------------------

BUGCHECK_STR: 0x4E_2

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME: dsmcsvc.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 80865f63 to 80827c83

STACK_TEXT:
b89bda24 80865f63 0000004e 00000002 000335ce nt!KeBugCheckEx+0x1b
b89bda44 80858f83 00001000 86d6d1e8 c4704000 nt!MiUnlinkPageFromList+0x3d
b89bda70 808b587c c4704000 00000000 b89bdbc8 nt!MmCheckCachedPageState+0x1cb
b89bdb00 f7b0e6ce 86fb3600 15380000 00005591 nt!CcFastCopyRead+0x2fa
b89bdb58 f76d2ca2 86fb3600 b89bdbc8 00007ffc Ntfs!NtfsCopyReadA+0x1c1
b89bdb8c f76df8b3 00000003 00000000 b89bdbc0 fltMgr!FltpPerformFastIoCall+0x230
b89bdbe0 ba521cca 86fb3600 b89bdc84 00007ffc fltMgr!FltpFastIoRead+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b89bdc14 f76d2ca2 86fb3600 b89bdc84 00007ffc SYMEVENT+0x3cca
b89bdc48 f76df8b3 00000003 00000000 b89bdc7c fltMgr!FltpPerformFastIoCall+0x230
b89bdc9c 808f22db 86fb3600 b89bdcd8 00007ffc fltMgr!FltpFastIoRead+0xa9
b89bdd38 808897bc 00000720 00000000 00000000 nt!NtReadFile+0x2c5
b89bdd38 7c82860c 00000720 00000000 00000000 nt!KiFastCallEntry+0xfc
02ca27c8 00000000 00000000 00000000 00000000 0x7c82860c

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiUnlinkPageFromList+3d
80865f63 33c0 xor eax,eax

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiUnlinkPageFromList+3d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4a799091

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d

BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d

Followup: MachineOwner
---------

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [\All minidumps\Mini043011-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sat Apr 30 22:02:26.348 2011 (UTC + 2:00)
System Uptime: 6 days 18:10:11.939
Loading Kernel Symbols
...............................................................
....................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4E, {2, 335ce, 182b58, 108}

Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : memory_corruption ( nt!MiUnlinkPageFromList+3d )

Followup: MachineOwner
---------

1: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling MmUnlockPages twice with the same list, etc).
If a kernel debugger is available get the stack trace.
Arguments:
Arg1: 00000002, A list entry was corrupt
Arg2: 000335ce, entry in list being removed
Arg3: 00182b58, highest physical page number
Arg4: 00000108, reference count of entry being removed

Debugging Details:
------------------

BUGCHECK_STR: 0x4E_2

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME: Rtvscan.exe

CURRENT_IRQL: 2

LAST_CONTROL_TRANSFER: from 80865f63 to 80827c83

STACK_TEXT:
b97efa24 80865f63 0000004e 00000002 000335ce nt!KeBugCheckEx+0x1b
b97efa44 80858f83 000000ec 86e60020 d4fa5000 nt!MiUnlinkPageFromList+0x3d
b97efa70 808b56db d4fa5000 00000000 b97efbc8 nt!MmCheckCachedPageState+0x1cb
b97efb00 f7b0e6ce 874d3568 00124fec 00000100 nt!CcFastCopyRead+0x159
b97efb58 f76d2ca2 874d3568 b97efbc8 00000100 Ntfs!NtfsCopyReadA+0x1c1
b97efb8c f76df8b3 00000003 00000000 b97efbc0 fltMgr!FltpPerformFastIoCall+0x230
b97efbe0 ba521cca 874d3568 b97efc84 00000100 fltMgr!FltpFastIoRead+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b97efc14 f76d2ca2 874d3568 b97efc84 00000100 SYMEVENT+0x3cca
b97efc48 f76df8b3 00000003 00000000 b97efc7c fltMgr!FltpPerformFastIoCall+0x230
b97efc9c 808f22db 874d3568 b97efcd8 00000100 fltMgr!FltpFastIoRead+0xa9
b97efd38 808897bc 00000af0 00000000 00000000 nt!NtReadFile+0x2c5
b97efd38 7c82860c 00000af0 00000000 00000000 nt!KiFastCallEntry+0xfc
0177e224 00000000 00000000 00000000 00000000 0x7c82860c

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiUnlinkPageFromList+3d
80865f63 33c0 xor eax,eax

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiUnlinkPageFromList+3d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 4a799091

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d

BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d

Peter
May 3rd, 2011 7:09am

I see that SYMEVENT.SYS is probably causing your BSOD. It belongs to Symantec Corporation so I think that the antivirus is causing the BSODs. Also, run memtest86+ to check that all is okay with your RAM.

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
May 3rd, 2011 7:20am
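
Added example, not part of the original thread and not Microsoft or Symantec tooling: the question asks whether SYMEVENT is the common factor behind crashes that report different bugcheck codes and process names, and this sketch answers that by parsing a concatenated `!analyze -v` log and listing the non-Windows modules found on every STACK_TEXT. The log excerpts are trimmed from the dumps posted in the question; the function names and the `OS_MODULES` set are this example's own assumptions.

```python
import re
from collections import Counter

# Excerpts of the four !analyze -v logs posted in the question, trimmed to the
# lines this example parses (most stack frames omitted).
LOG = r"""
Loading Dump File [All minidumps\Mini030711-01.dmp]
BugCheck A, {0, d0000002, 1, 80866ea6}
PROCESS_NAME:  Rtvscan.exe
STACK_TEXT:
b9fb6864 808672b2 e81bb018 00000017 c0740dd8 nt!MiRemovePageByColor+0x7c
b9fb6bd0 ba521d8a 87181bb0 b9fb6c74 00008000 fltMgr!FltpFastIoWrite+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b9fb6c04 f76d2ca2 87181bb0 b9fb6c74 00008000 SYMEVENT+0x3d8a
121dde50 00000000 00000000 00000000 00000000 0x7c82860c
STACK_COMMAND:  kb
Loading Dump File [All minidumps\Mini032611-01.dmp]
BugCheck A, {0, d0000002, 1, 80866ea6}
PROCESS_NAME:  kntcma.exe
STACK_TEXT:
b8a65868 8086745a e88f3988 00000002 c0744798 nt!MiRemovePageByColor+0x7c
b8a65c04 f76d2ca2 878a2328 b8a65c74 00001000 SYMEVENT+0x3d8a
STACK_COMMAND:  kb
Loading Dump File [\All minidumps\Mini042411-01.dmp]
BugCheck 4E, {2, 335ce, 182b58, 108}
PROCESS_NAME:  dsmcsvc.exe
STACK_TEXT:
b89bda44 80858f83 00001000 86d6d1e8 c4704000 nt!MiUnlinkPageFromList+0x3d
b89bdc14 f76d2ca2 86fb3600 b89bdc84 00007ffc SYMEVENT+0x3cca
STACK_COMMAND:  kb
Loading Dump File [\All minidumps\Mini043011-01.dmp]
BugCheck 4E, {2, 335ce, 182b58, 108}
PROCESS_NAME:  Rtvscan.exe
STACK_TEXT:
b97efa44 80858f83 000000ec 86e60020 d4fa5000 nt!MiUnlinkPageFromList+0x3d
b97efc14 f76d2ca2 874d3568 b97efc84 00000100 SYMEVENT+0x3cca
STACK_COMMAND:  kb
"""

FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$")   # ChildEBP RetAddr Args(3) Symbol
MODULE = re.compile(r"([A-Za-z_]\w*)[!+]")            # nt!Func+0x.. or SYMEVENT+0x..
# Assumption of this example: modules treated as part of Windows itself.
OS_MODULES = {"nt", "hal", "ntfs", "fltmgr"}


def parse_dumps(log):
    """Split a concatenated debugger log into one record per minidump."""
    records = []
    for chunk in re.split(r"^Loading Dump File ", log, flags=re.M)[1:]:
        name = re.match(r"\[(.*?)\]", chunk).group(1).split("\\")[-1]
        code = re.search(r"^BugCheck ([0-9A-F]+),", chunk, re.M)
        proc = re.search(r"^PROCESS_NAME:\s*(\S+)", chunk, re.M)
        stack = re.search(r"^STACK_TEXT:(.*?)^STACK_COMMAND:", chunk, re.M | re.S)
        modules = []
        for line in (stack.group(1) if stack else "").splitlines():
            frame = FRAME.match(line.strip())
            mod = MODULE.match(frame.group(1)) if frame else None
            if mod:  # raw addresses such as 0x7c82860c carry no module name
                modules.append(mod.group(1))
        records.append({
            "dump": name,
            "bugcheck": "0x" + code.group(1) if code else None,
            "process": proc.group(1) if proc else None,
            "third_party": sorted({m for m in modules if m.lower() not in OS_MODULES}),
        })
    return records


def common_third_party(records):
    """Third-party modules that appear on the stack of every dump."""
    counts = Counter(m for r in records for m in r["third_party"])
    return sorted(m for m, n in counts.items() if n == len(records))


if __name__ == "__main__":
    recs = parse_dumps(LOG)
    for r in recs:
        print(r)
    print("on every stack:", common_third_party(recs))
```

A module that appears on every stack is a lead rather than proof: a file system filter driver sits on every file I/O path, so the driver reinstall and the RAM test suggested in this thread are the checks that confirm or rule it out.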

Good Morning Peter,

Granted, this document specifies for Windows XP... it still may apply as a possible fix.

Run msconfig in safe-mode to set up a "diagnostic" boot which only loads core Windows services. Then reboot and you should start Windows in diagnostic boot mode. This will allow you to make registry changes as needed if not permitted via safe mode. It's been a while since I needed to use safe mode... stability is a wonderful thing. :)

The first link below is the original KB from Symantec for this issue. The second one regards files for SymAV 10 files. Please read both before continuing... always research!!!

In short, this is a KB from Symantec that is providing steps on how to reinstall the Symantec Event Manager. When you reboot in diagnostics mode, make a backup JIC!

Error: "ErrorMessage: IRQL_NOT_LESS_OR_EQUAL STOP. . ." occurs after installing the Symantec Event Manager Driver on Windows XP
http://service1.symantec.com/SUPPORT/sharedtech.nsf/da4acf74cec0351e852567a100650ce5/2671ef6e5d72d3cd88256d26006699d5?OpenDocument
SymEvent.exe Link is Dead on this previous link! Use the one below!

This document seems to fit your issue fairly well exception to the OS.
Situation: You installed the latest Symantec Event Manager (SymEvent) update on your Windows XP computer. When you restart the computer, you see a blue screen with the message "ErrorMessage: IRQL_NOT_LESS_OR_EQUAL STOP: 0X0000000A (0X0000000B,0X00000002,0X00000000,0X804EA7AB)."

SymEvent Installer files for Symantec Antivirus 10
http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/a515a5cdaa9aeb1788256f040051e680?OpenDocument
Please note the mark on your error code listed from your output.

Additional Troubleshooting sites. If you can't use em now, bookmark them for later!
MSDN Bug Check Codes
http://msdn.microsoft.com/en-us/library/ff542347(v=VS.85).aspx
Stop Code CheatSheet (This is the best STOP (bsod) Code reference...)
http://www.aumha.org/a/stop.htm

Brief: Interpreting stop codes> 0x0000007B can also be noted without the 0's as 0x7B because those 0's are nothing but fillers on an 8 Character code.

Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
This posting is "as is" without warranties and confers no rights.
May 3rd, 2011 9:26am

Additionally:
Symantec AV 10 CE Walkthrough for Administrators
http://www.symantec.com/business/support/index?page=content&id=TECH101768&key=51852
Symantec AV 10 SMBE Walkthrough for Administrators
http://www.symantec.com/business/support/index?page=content&id=TECH101781&locale=en_US
Contact Symantec Technical Support (800) 342-0652 or (407) 357-7600

Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
This posting is "as is" without warranties and confers no rights.
May 3rd, 2011 9:42am

Hi,

If the issue continues, it is suggested that you contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. As we find it seems to be a system crash issue and we need to analyze the crash dump file to narrow down the root cause of the issue. Unfortunately, it is not effective for us to debug the crash dump file here in the forum.

To obtain the phone numbers for specific technology request please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607

Hope the issue will be resolved soon.

Best Regards,
Vincent Hu
May 9th, 2011 2:49am

Thanks for your reply.
I ran memtest86+, no faulty RAM.
Now investigating Symantec.
Peter
May 9th, 2011 8:00am

Thank you very much for your reply. Just reinstalled symevent on all 4 servers. Now I have to monitor and see whether systems are stable.
Peter
May 9th, 2011 9:31am

Servers are 2 weeks stable, so problems appear to be resolved. Thanks again for the help.
Peter
May 23rd, 2011 10:03am

Servers are 2 weeks stable, so problems appears to be resolved. Thanks again for the help
Peter

Thanks for the update Peter!

Sincerely,
Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
Microsoft® Community Contributor Award 2011
This posting is "as is" without warranties and confers no rights.
May 31st, 2011 9:35am

This topic is archived. No further replies will be accepted.
