Randomly BSOD on newly installed servers, need help with analysing dump files
For our customer we have installed 4 new servers. These servers are a newer model than the previous servers. A new image has been created for these servers.
Standard tooling, such as IBM Director Agent, ITM monitoring software, LSI RAID management software and Symantec Antivirus 10 have been installed.
All servers appear to operate fine, but they randomly crash.
We found that Symantec generated an error during a full system scan. At the time Symantec starts scanning inside archives (zip, dat, cab etc.) the system crashes (sometimes).
We disabled scanning inside files and the systems don't crash during the Full Scan, but now randomly crash at different times with different dump file results.
Although the dump files generate different causes, some results are unique for all the crashes, such as:
Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )
and
CURRENT_IRQL: 2
But some results are totally different:
PROCESS_NAME: Rtvscan.exe
PROCESS_NAME: kntcma.exe
PROCESS_NAME: dsmcsvc.exe
Is my assumption correct that Symevent.sys (part of Symantec) is still causing the system crashes? Or do I have some other issue (memory errors (on all servers?))?
Symantec support had a workaround for the crashes during the system scan, which was disabling scanning inside archives. Using this workaround causes crashes at different times.
Here are some complete Bugcheck results: (All from the same server)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [All minidumps\Mini030711-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Loading Kernel Symbols
...............................................................
....................................................
Loading User Symbols
Loading unloaded module list
..........
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, d0000002, 1, 80866ea6}
Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )
Followup: MachineOwner
---------
4: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80866ea6, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiRemovePageByColor+7c
80866ea6 ff08 dec dword ptr [eax]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xA
PROCESS_NAME: Rtvscan.exe
TRAP_FRAME: b9fb67d0 -- (.trap 0xffffffffb9fb67d0)
.trap 0xffffffffb9fb67d0
ErrCode = 00000002
eax=00000000 ebx=00000001 ecx=00000000 edx=00000017 esi=81401ce0 edi=83e4bdbc
eip=80866ea6 esp=b9fb6844 ebp=b9fb6864 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiRemovePageByColor+0x7c:
80866ea6 ff08 dec dword ptr [eax] ds:0023:00000000=????????
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from 80866ea6 to 8088c99b
STACK_TEXT:
b9fb67d0 80866ea6 badb0d00 00000017 e81bb000 nt!KiTrap0E+0x2a7
b9fb6864 808672b2 e81bb018 00000017 c0740dd8 nt!MiRemovePageByColor+0x7c
b9fb6880 808597d0 00000000 d4843000 00001000 nt!MiRemoveZeroPage+0x8a
b9fb69d0 8080edbe d4843000 13783f28 00000000 nt!MmCopyToCachedPage+0x512
b9fb6a60 8080cb1b 86f2ac98 13783f28 b9fb6a94 nt!CcMapAndCopy+0x1b2
b9fb6ae4 f7b0e52f 87181bb0 0dd00000 00008000 nt!CcFastCopyWrite+0x229
b9fb6b48 f76d2ca2 87181bb0 b9fb6bb8 00008000 Ntfs!NtfsCopyWriteA+0x1fb
b9fb6b7c f76dfa2f 00000004 00000000 b9fb6bb0 fltMgr!FltpPerformFastIoCall+0x230
b9fb6bd0 ba521d8a 87181bb0 b9fb6c74 00008000 fltMgr!FltpFastIoWrite+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b9fb6c04 f76d2ca2 87181bb0 b9fb6c74 00008000 SYMEVENT+0x3d8a
b9fb6c38 f76dfa2f 00000004 00000000 b9fb6c6c fltMgr!FltpPerformFastIoCall+0x230
b9fb6c8c 808f2e0b 87181bb0 b9fb6cd0 00008000 fltMgr!FltpFastIoWrite+0xa9
b9fb6d38 808897bc 000003b0 00000000 00000000 nt!NtWriteFile+0x317
b9fb6d38 7c82860c 000003b0 00000000 00000000 nt!KiFastCallEntry+0xfc
121dde50 00000000 00000000 00000000 00000000 0x7c82860c
STACK_COMMAND: kb
FOLLOWUP_IP:
SYMEVENT+3d8a
ba521d8a ?? ???
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: SYMEVENT+3d8a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SYMEVENT
IMAGE_NAME: SYMEVENT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4551513d
FAILURE_BUCKET_ID: 0xA_SYMEVENT+3d8a
BUCKET_ID: 0xA_SYMEVENT+3d8a
Followup: MachineOwner
---------
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [All minidumps\Mini032611-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sat Mar 26 06:50:43.860 2011 (UTC + 2:00)
System Uptime: 2 days 15:59:46.337
Loading Kernel Symbols
...............................................................
...................................................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {0, d0000002, 1, 80866ea6}
Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )
Followup: MachineOwner
---------
2: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 80866ea6, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 00000000
CURRENT_IRQL: 2
FAULTING_IP:
nt!MiRemovePageByColor+7c
80866ea6 ff08 dec dword ptr [eax]
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0xA
PROCESS_NAME: kntcma.exe
TRAP_FRAME: b8a657d4 -- (.trap 0xffffffffb8a657d4)
.trap 0xffffffffb8a657d4
ErrCode = 00000002
eax=00000000 ebx=00000001 ecx=00000000 edx=00000008 esi=81401ce0 edi=83e4c0bc
eip=80866ea6 esp=b8a65848 ebp=b8a65868 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!MiRemovePageByColor+0x7c:
80866ea6 ff08 dec dword ptr [eax] ds:0023:00000000=????????
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from 80866ea6 to 8088c99b
STACK_TEXT:
b8a657d4 80866ea6 badb0d00 00000008 00000000 nt!KiTrap0E+0x2a7
b8a65868 8086745a e88f3988 00000002 c0744798 nt!MiRemovePageByColor+0x7c
b8a65880 808597e6 00000000 c5cb1000 00001000 nt!MiRemoveAnyPage+0xc0
b8a659d0 8080edbe c5cb1000 037d56b8 00000000 nt!MmCopyToCachedPage+0x528
b8a65a60 8080cb1b 87690be0 037d56b8 b8a65a94 nt!CcMapAndCopy+0x1b2
b8a65ae4 f7b0e52f 878a2328 02231000 00001000 nt!CcFastCopyWrite+0x229
b8a65b48 f76d2ca2 878a2328 b8a65bb8 00001000 Ntfs!NtfsCopyWriteA+0x1fb
b8a65b7c f76dfa2f 00000004 00000000 b8a65bb0 fltMgr!FltpPerformFastIoCall+0x230
b8a65bd0 ba521d8a 878a2328 b8a65c74 00001000 fltMgr!FltpFastIoWrite+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b8a65c04 f76d2ca2 878a2328 b8a65c74 00001000 SYMEVENT+0x3d8a
b8a65c38 f76dfa2f 00000004 00000000 b8a65c6c fltMgr!FltpPerformFastIoCall+0x230
b8a65c8c 808f2e0b 878a2328 b8a65cd0 00001000 fltMgr!FltpFastIoWrite+0xa9
b8a65d38 808897bc 00001804 00000000 00000000 nt!NtWriteFile+0x317
b8a65d38 7c82860c 00001804 00000000 00000000 nt!KiFastCallEntry+0xfc
0591f520 00000000 00000000 00000000 00000000 0x7c82860c
STACK_COMMAND: kb
FOLLOWUP_IP:
SYMEVENT+3d8a
ba521d8a ?? ???
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: SYMEVENT+3d8a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: SYMEVENT
IMAGE_NAME: SYMEVENT.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4551513d
FAILURE_BUCKET_ID: 0xA_SYMEVENT+3d8a
BUCKET_ID: 0xA_SYMEVENT+3d8a
Followup: MachineOwner
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [\All minidumps\Mini042411-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sun Apr 24 03:42:15.493 2011 (UTC + 2:00)
System Uptime: 5 days 17:22:27.039
Loading Kernel Symbols
...............................................................
....................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4E, {2, 335ce, 182b58, 108}
Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : memory_corruption ( nt!MiUnlinkPageFromList+3d )
Followup: MachineOwner
---------
1: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000002, A list entry was corrupt
Arg2: 000335ce, entry in list being removed
Arg3: 00182b58, highest physical page number
Arg4: 00000108, reference count of entry being removed
Debugging Details:
------------------
BUGCHECK_STR: 0x4E_2
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: dsmcsvc.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 80865f63 to 80827c83
STACK_TEXT:
b89bda24 80865f63 0000004e 00000002 000335ce nt!KeBugCheckEx+0x1b
b89bda44 80858f83 00001000 86d6d1e8 c4704000 nt!MiUnlinkPageFromList+0x3d
b89bda70 808b587c c4704000 00000000 b89bdbc8 nt!MmCheckCachedPageState+0x1cb
b89bdb00 f7b0e6ce 86fb3600 15380000 00005591 nt!CcFastCopyRead+0x2fa
b89bdb58 f76d2ca2 86fb3600 b89bdbc8 00007ffc Ntfs!NtfsCopyReadA+0x1c1
b89bdb8c f76df8b3 00000003 00000000 b89bdbc0 fltMgr!FltpPerformFastIoCall+0x230
b89bdbe0 ba521cca 86fb3600 b89bdc84 00007ffc fltMgr!FltpFastIoRead+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b89bdc14 f76d2ca2 86fb3600 b89bdc84 00007ffc SYMEVENT+0x3cca
b89bdc48 f76df8b3 00000003 00000000 b89bdc7c fltMgr!FltpPerformFastIoCall+0x230
b89bdc9c 808f22db 86fb3600 b89bdcd8 00007ffc fltMgr!FltpFastIoRead+0xa9
b89bdd38 808897bc 00000720 00000000 00000000 nt!NtReadFile+0x2c5
b89bdd38 7c82860c 00000720 00000000 00000000 nt!KiFastCallEntry+0xfc
02ca27c8 00000000 00000000 00000000 00000000 0x7c82860c
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiUnlinkPageFromList+3d
80865f63 33c0 xor eax,eax
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!MiUnlinkPageFromList+3d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4a799091
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d
BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d
Followup: MachineOwner
---------
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Opened log file 'c:debuglog.txt'
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [\All minidumps\Mini043011-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\system32\drivers
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Sat Apr 30 22:02:26.348 2011 (UTC + 2:00)
System Uptime: 6 days 18:10:11.939
Loading Kernel Symbols
...............................................................
....................................................
Loading User Symbols
Loading unloaded module list
.....
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 4E, {2, 335ce, 182b58, 108}
Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : memory_corruption ( nt!MiUnlinkPageFromList+3d )
Followup: MachineOwner
---------
1: kd> !analyze -v;r;kv;lmtn;.logclose;q
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************
PFN_LIST_CORRUPT (4e)
Typically caused by drivers passing bad memory descriptor lists (ie: calling
MmUnlockPages twice with the same list, etc). If a kernel debugger is
available get the stack trace.
Arguments:
Arg1: 00000002, A list entry was corrupt
Arg2: 000335ce, entry in list being removed
Arg3: 00182b58, highest physical page number
Arg4: 00000108, reference count of entry being removed
Debugging Details:
------------------
BUGCHECK_STR: 0x4E_2
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME: Rtvscan.exe
CURRENT_IRQL: 2
LAST_CONTROL_TRANSFER: from 80865f63 to 80827c83
STACK_TEXT:
b97efa24 80865f63 0000004e 00000002 000335ce nt!KeBugCheckEx+0x1b
b97efa44 80858f83 000000ec 86e60020 d4fa5000 nt!MiUnlinkPageFromList+0x3d
b97efa70 808b56db d4fa5000 00000000 b97efbc8 nt!MmCheckCachedPageState+0x1cb
b97efb00 f7b0e6ce 874d3568 00124fec 00000100 nt!CcFastCopyRead+0x159
b97efb58 f76d2ca2 874d3568 b97efbc8 00000100 Ntfs!NtfsCopyReadA+0x1c1
b97efb8c f76df8b3 00000003 00000000 b97efbc0 fltMgr!FltpPerformFastIoCall+0x230
b97efbe0 ba521cca 874d3568 b97efc84 00000100 fltMgr!FltpFastIoRead+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b97efc14 f76d2ca2 874d3568 b97efc84 00000100 SYMEVENT+0x3cca
b97efc48 f76df8b3 00000003 00000000 b97efc7c fltMgr!FltpPerformFastIoCall+0x230
b97efc9c 808f22db 874d3568 b97efcd8 00000100 fltMgr!FltpFastIoRead+0xa9
b97efd38 808897bc 00000af0 00000000 00000000 nt!NtReadFile+0x2c5
b97efd38 7c82860c 00000af0 00000000 00000000 nt!KiFastCallEntry+0xfc
0177e224 00000000 00000000 00000000 00000000 0x7c82860c
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!MiUnlinkPageFromList+3d
80865f63 33c0 xor eax,eax
SYMBOL_STACK_INDEX: 1
SYMBOL_NAME: nt!MiUnlinkPageFromList+3d
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
DEBUG_FLR_IMAGE_TIMESTAMP: 4a799091
IMAGE_NAME: memory_corruption
FAILURE_BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d
BUCKET_ID: 0x4E_2_nt!MiUnlinkPageFromList+3d
Peter
May 3rd, 2011 7:09am
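An added example, not part of the original thread: a small triage script for the question above, which parses several `!analyze -v` logs and reports which non-OS module sits on the faulting stack in every dump, regardless of bugcheck code or process name. The function names and the `OS_MODULES` set are assumptions made for this sketch; the sample logs are condensed from the output posted above.

```python
import re

# Assumption for this triage: modules treated as OS components (not exhaustive).
OS_MODULES = {"nt", "hal", "ntfs", "fltmgr"}

BUGCHECK_RE = re.compile(r"^BugCheck\s+(?:0x)?([0-9A-Fa-f]+),", re.M)
PROCESS_RE = re.compile(r"^PROCESS_NAME:\s*(\S+)", re.M)
BLAMED_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)
# Frame line: ChildEBP, RetAddr, three args, then module!symbol+off or module+off.
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){5}([A-Za-z_]\w*)(?:!|\+0x)", re.I)

# Condensed from three of the !analyze -v logs in the thread (frames trimmed).
LOGS = ["""\
BugCheck A, {0, d0000002, 1, 80866ea6}
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )
PROCESS_NAME: Rtvscan.exe
STACK_TEXT:
b9fb6864 808672b2 e81bb018 00000017 c0740dd8 nt!MiRemovePageByColor+0x7c
b9fb6bd0 ba521d8a 87181bb0 b9fb6c74 00008000 fltMgr!FltpFastIoWrite+0xa9
WARNING: Stack unwind information not available. Following frames may be wrong.
b9fb6c04 f76d2ca2 87181bb0 b9fb6c74 00008000 SYMEVENT+0x3d8a
121dde50 00000000 00000000 00000000 00000000 0x7c82860c
STACK_COMMAND: kb
""", """\
BugCheck A, {0, d0000002, 1, 80866ea6}
Probably caused by : SYMEVENT.SYS ( SYMEVENT+3d8a )
PROCESS_NAME: kntcma.exe
STACK_TEXT:
b8a65b48 f76d2ca2 878a2328 b8a65bb8 00001000 Ntfs!NtfsCopyWriteA+0x1fb
b8a65c04 f76d2ca2 878a2328 b8a65c74 00001000 SYMEVENT+0x3d8a
STACK_COMMAND: kb
""", """\
BugCheck 4E, {2, 335ce, 182b58, 108}
Probably caused by : memory_corruption ( nt!MiUnlinkPageFromList+3d )
PROCESS_NAME: dsmcsvc.exe
STACK_TEXT:
b89bda44 80858f83 00001000 86d6d1e8 c4704000 nt!MiUnlinkPageFromList+0x3d
b89bdbe0 ba521cca 86fb3600 b89bdc84 00007ffc fltMgr!FltpFastIoRead+0xa9
b89bdc14 f76d2ca2 86fb3600 b89bdc84 00007ffc SYMEVENT+0x3cca
STACK_COMMAND: kb
"""]


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def parse_analyze_log(text):
    """Pull bugcheck code, process, blamed module and stack modules from one log."""
    code = _first(BUGCHECK_RE, text)
    stack, in_stack = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("STACK_TEXT:"):
            in_stack = True
        elif line.startswith("STACK_COMMAND:"):
            in_stack = False
        elif in_stack:
            m = FRAME_RE.match(line)
            if m:  # the unwind WARNING and raw-address frames do not match
                stack.append(m.group(1).lower())
    return {
        "bugcheck": int(code, 16) if code else None,  # "A" and "0x0000000A" -> 10
        "process": _first(PROCESS_RE, text),
        "blamed": _first(BLAMED_RE, text),
        "stack": stack,
    }


def common_third_party(reports):
    """Non-OS modules present on the faulting stack of every parsed dump."""
    per_dump = [set(r["stack"]) - OS_MODULES for r in reports]
    return set.intersection(*per_dump) if per_dump else set()


if __name__ == "__main__":
    reports = [parse_analyze_log(t) for t in LOGS]
    for r in reports:
        print(hex(r["bugcheck"]), r["process"], r["blamed"], r["stack"])
    print("on every stack:", common_third_party(reports))
```

A module that appears on every stack is a lead to follow up on, not proof of the root cause, since a file-system filter driver is on the path of most file I/O.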
I see that SYMEVENT.SYS is probably causing your BSOD. It belongs to Symantec Corporation so I think that the antivirus is causing the BSODs.
Also, run memtest86+ to check that all is okay with your RAM.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
May 3rd, 2011 7:20am
Good Morning Peter,
Granted, this document specifies for Windows XP... it still may apply as a possible fix. Run msconfig in safe-mode to set up a "diagnostic" boot which only loads core Windows services. Then reboot and you should start Windows in diagnostic boot mode.
This will allow you to make registry changes as needed if not permitted via safe mode. It's been a while since I needed to use safe mode... stability is a wonderful thing. :)
The first link below is the original KB from Symantec for this issue. The second one regards files for SymAV 10 files. Please read both before continuing... always research!!! In short, this is a KB from Symantec that is providing steps on how to reinstall the Symantec Event Manager. When you reboot in diagnostics mode, make a backup JIC!
Error: "ErrorMessage: IRQL_NOT_LESS_OR_EQUAL STOP. . ." occurs after installing the Symantec Event Manager Driver on Windows XP
http://service1.symantec.com/SUPPORT/sharedtech.nsf/da4acf74cec0351e852567a100650ce5/2671ef6e5d72d3cd88256d26006699d5?OpenDocument
SymEvent.exe Link is Dead on this previous link! Use the one below!
This document seems to fit your issue fairly well, with the exception of the OS.
Situation:
You installed the latest Symantec Event Manager (SymEvent) update on your Windows XP computer. When you restart the computer, you see a blue screen with the message "ErrorMessage: IRQL_NOT_LESS_OR_EQUAL STOP: 0X0000000A (0X0000000B,0X00000002,0X00000000,0X804EA7AB)."
SymEvent Installer files for Symantec Antivirus 10
http://service1.symantec.com/SUPPORT/ent-security.nsf/dbe87fe9662c16ef8825734100634940/a515a5cdaa9aeb1788256f040051e680?OpenDocument
Please note the mark on your error code listed from your output.
Additional Troubleshooting sites. If you can't use em now, bookmark them for later!
MSDN Bug Check Codes
http://msdn.microsoft.com/en-us/library/ff542347(v=VS.85).aspx
Stop Code CheatSheet (This is the best STOP (BSOD) code reference...)
http://www.aumha.org/a/stop.htm
Brief: Interpreting stop codes
0x0000007B can also be noted without the 0's as 0x7B because those 0's are nothing but fillers on an 8 Character code.
Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
This posting is "as is" without warranties and confers no rights.
May 3rd, 2011 9:26am
Additionally:
Symantec AV 10 CE Walkthrough for Administrators
http://www.symantec.com/business/support/index?page=content&id=TECH101768&key=51852
Symantec AV 10 SMBE Walkthrough for Administrators
http://www.symantec.com/business/support/index?page=content&id=TECH101781&locale=en_US
Contact Symantec Technical Support
(800) 342-0652 or (407) 357-7600
Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
This posting is "as is" without warranties and confers no rights.
May 3rd, 2011 9:42am
Hi,
If the issue continues, it is suggested that you contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. As we find it seems to be a system crash issue and we need to analyze the crash dump file to narrow down the root cause of the issue. Unfortunately, it is not effective for us to debug the crash dump file here in the forum.
To obtain the phone numbers for specific technology request please take a look at the web site listed below:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607
Hope the issue will be resolved soon.
Best Regards,
Vincent Hu
May 9th, 2011 2:49am
Thanks for your reply
I ran memtest86+, no faulty RAM
Now investigating Symantec.
Peter
May 9th, 2011 8:00am
Thank you very much for your reply.
Just reinstalled symevent on all 4 servers.
Now I have to monitor and see whether systems are stable.
Peter
May 9th, 2011 9:31am
Servers are 2 weeks stable, so problems appear to be resolved.
Thanks again for the help
Peter
May 23rd, 2011 10:03am
Servers are 2 weeks stable, so problems appear to be resolved.
Thanks again for the help
Peter
Thanks for the update Peter!
Sincerely,
Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Technology Specialist: Active Directory, Network Infrastructure, Application Platform, Windows 7
Microsoft Certified Product Specialist & Network Product Specialist
Red Hat Certified System Administrator
Microsoft® Community Contributor Award 2011
This posting is "as is" without warranties and confers no rights.
May 31st, 2011 9:35am