We are having unexpected reboot issue with a few W2K3R2+SP2 x86 systems. They are all VMs and created from the same template. We are running a script on those systems to copy data to remote hosts. Here is what happened in the event logs. Basically RPC service terminated after svchost.exe ended. The unexpected termination of RPC caused system to reboot. KB 910666 http://support.microsoft.com/kb/910666 describes similar symptom but it is for W2K3 SP1. However, I disabled PAE on those systems as suggested in KB910666 but still no luck. Also, there's no memory dump generated on those systems even we configured them to do upon system failure. Thanks in advance ! Event Type: Error Event Source: Application Error Event Category: (100) Event ID: 1000 Date: 11/8/2011 Time: 8:56:21 PM User: N/A Computer: Description: Faulting application svchost.exe, version 5.2.3790.3959, faulting module unknown, version 0.0.0.0, fault address 0x04d30fb9. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 41 70 70 6c 69 63 61 74 Applicat 0008: 69 6f 6e 20 46 61 69 6c ion Fail 0010: 75 72 65 20 20 73 76 63 ure svc 0018: 68 6f 73 74 2e 65 78 65 host.exe 0020: 20 35 2e 32 2e 33 37 39 5.2.379 0028: 30 2e 33 39 35 39 20 69 0.3959 i 0030: 6e 20 75 6e 6b 6e 6f 77 n unknow 0038: 6e 20 30 2e 30 2e 30 2e n 0.0.0. 0040: 30 20 61 74 20 6f 66 66 0 at off 0048: 73 65 74 20 30 34 64 33 set 04d3 0050: 30 66 62 39 0fb9 Event Type: Error Event Source: Service Control Manager Event Category: None Event ID: 7031 Date: 11/8/2011 Time: 8:56:22 PM User: N/A Computer: Description: The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine. Event Type: Information Event Source: USER32 Event Category: None Event ID: 1074 Date: 11/8/2011 Time: 8:56:38 PM User: NT AUTHORITY\SYSTEM Computer: Description: The process winlogon.exe has initiated the restart of computer on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x30006 Shutdown Type: restart Comment: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 06 00 03 00 43 00 3a 00 ....C.:. 0008: 5c 00 57 00 49 00 4e 00 \.W.I.N. 0010: 44 00 4f 00 57 00 53 00 D.O.W.S. 0018: 5c 00 73 00 79 00 73 00 \.s.y.s. 0020: 74 00 65 00 6d 00 33 00 t.e.m.3. 0028: 32 00 5c 00 4c 00 6f 00 2.\.L.o. 0030: 67 00 46 00 69 00 6c 00 g.F.i.l. 0038: 65 00 73 00 5c 00 53 00 e.s.\.S. 0040: 68 00 75 00 74 00 44 00 h.u.t.D. 0048: 6f 00 77 00 6e 00 5c 00 o.w.n.\. 0050: 53 00 68 00 75 00 74 00 S.h.u.t. 0058: 44 00 6f 00 77 00 6e 00 D.o.w.n. 0060: 5f 00 32 00 30 00 31 00 _.2.0.1. 0068: 31 00 31 00 31 00 30 00 1.1.1.0. 0070: 38 00 32 00 30 00 35 00 8.2.0.5. 0078: 36 00 32 00 32 00 2e 00 6.2.2... 0080: 78 00 6d 00 6c 00 00 00 x.m.l...This posting is provided AS-IS with no warranties/guarantees and confers no rights.

Here is the dump in windbg. I am a newbie of windgb. It would be much appreciated if you can shed light.. 0:000> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: +5a0c7d0 00000000 ?? ??? EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 00000000 ExceptionCode: 80000003 (Break instruction exception) ExceptionFlags: 00000000 NumberParameters: 0 FAULTING_THREAD: 000002ec DEFAULT_BUCKET_ID: STATUS_BREAKPOINT PROCESS_NAME: svchost.exe ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached. EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid MOD_LIST: <ANALYSIS/> NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT LAST_CONTROL_TRANSFER: from 7c8275f9 to 7c82847c STACK_TEXT: 0006fc40 7c8275f9 77e418b6 0000004c 00000000 ntdll!KiFastSystemCallRet 0006fc44 77e418b6 0000004c 00000000 00000000 ntdll!ZwReadFile+0xc 0006fcac 7d1f5edb 0000004c 0006fd78 0000021a kernel32!ReadFile+0x16c 0006fcd8 7d1f5f82 0000004c 0006fd78 0000021a advapi32!ScGetPipeInput+0x2a 0006fd4c 7d1e1ed9 0000004c 0006fd78 0000021a advapi32!ScDispatcherLoop+0x51 0006ffb0 0100213d 00083d60 00000000 00000000 advapi32!StartServiceCtrlDispatcherW+0xe3 0006ffc0 77e6f23b 00000000 00000000 7ffdd000 svchost!_wmainCRTStartup+0x7f 0006fff0 00000000 010020b9 00000000 78746341 kernel32!BaseProcessStart+0x23 STACK_COMMAND: ~0s; .ecxr ; kb FOLLOWUP_IP: svchost!_wmainCRTStartup+7f 0100213d 6a00 push 0 SYMBOL_STACK_INDEX: 6 SYMBOL_NAME: svchost!_wmainCRTStartup+7f FOLLOWUP_NAME: MachineOwner MODULE_NAME: svchost IMAGE_NAME: svchost.exe DEBUG_FLR_IMAGE_TIMESTAMP: 45d6a03c FAILURE_BUCKET_ID: STATUS_BREAKPOINT_80000003_svchost.exe!_wmainCRTStartup BUCKET_ID: APPLICATION_FAULT_STATUS_BREAKPOINT_svchost!_wmainCRTStartup+7f WATSON_IBUCKET: 395569790 WATSON_IBUCKETTABLE: 1 WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/svchost_exe/5_2_3790_3959/45d6a03c/unknown/0_0_0_0/bbbbbbb4/80000003/00000000.htm?Retriage=1 Followup: MachineOwnerThis posting is provided AS-IS with no warranties/guarantees and confers no rights.

Hello, run tasklist /svc command to get the list of processes associated with svchost. This will help you to get more information about what is associated with it. More if you contact Microsoft CSS for assistance. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Hello, run tasklist /svc command to get the list of processes associated with svchost. This will help you to get more information about what is associated with it. More if you contact Microsoft CSS for assistance. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Hi, If the issue persists, you may contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call. To obtain the phone numbers for specific technology request please take a look at the web site listed below: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607 Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, If the issue persists, you may contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call. To obtain the phone numbers for specific technology request please take a look at the web site listed below: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607 Regards,Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.