win2008RC1 64bit - Need debug symbols for BSOD in ntfs.sys
I'm running the 64bit Win2008RC1 build as PDC for a test domain (DNS/WINS/NAP/VirtualServer). I'm getting BSOD in NTFS.sys every 24hrs or so & auto reboots.. when I attempt to debug memory.dmp using WinDBG 64bit.. and point to the MS Symbol server on srv*c:\symbols\*http://msdl.microsoft.com/download/symbols - I'm getting symbols mismatches.. (the beta symbols are probably not there)

is there a place I can download public symbol files *.dbg for RC1 64bit to troubleshoot this... or is it possible for someone at MS to post the private symbol files *.pdb for RC1 up to the server link above (which I believe is standard policy for all current Release OS)

I'm concerned filing a bug report would be a waste of time, simply because nobody is actually working on the server at all & we have hardly any programs/services running on it, (DNS/WINS/DHCP/ File server, syslog to cisco TFTP etc) and I have no repro steps so it would probably be closed "no repro" by Dev Test ..and MSFT PSS/CPR won't do a remote debug for a beta OS in non production environment..

thanks
Kevin

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
January 5th, 2008 12:50pm

Correct path for public symbol server is:
srv*DownstreamStore*http://msdl.microsoft.com/download/symbols

Always you can set path as:
set _NT_SYMBOL_PATH=srv*DownstreamStore*http://msdl.microsoft.com/download/symbols

Until public release, symbols for Windows Server 2K8 can be unavailable.
January 5th, 2008 5:25pm

the symbols file path is correct.. (I did a typo in the posting above but as you see below it's correct). The problem is that I need symbols files (either made avail from the public symbols server or as a download), to even attempt to determine what is causing the BSOD's. usually when the debugger points to a windows file like ntfs.sys it is NOT a bug in windows but rather the concept of "blame the victim" (see Mark Russinovich Debug BSOD Talk on http://technet.microsoft.com/en-us/sysinternals/bb963887.aspx)

How Should customers report bugs to MS on Win2008?

here's the problem, if you call MS Support you're told Public Beta isn't supported except for TAP Customer (which we are not)

If you happen to file a bug report via some automated tool and attach the memory.dmp.. even if a Tester on the Dev Team looks at it.. at this point it will probably be closed as "couldn't repro" or by some miracle it was.. "postpone to W2008-SP1" as Launch date is less than 52 days away 02/27/08 - meaning the product has probably already Gone RTM - as it takes about 60 days for physical packaging, disks etc.. and Marketing wants GOLD RTM Code to hand out for Free to people that attend launch events.. (my guess only, based on prior experience)

If we had a premier Support Contract (which we don't) we would have leverage with an MS TAM (Tech account manager) to have CPR/QFE involved to work with Dev..

the last alternatives... we could post the debug info to this newsgroup (this posting) and wait for an answer...

back to the technical stuff... please make symbols files avail or is a remote debug possible?

Microsoft (R) Windows Debugger Version 6.8.0004.0 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\symbols\Mini010508-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Kernel Version 6001 (Service Pack 1.735) UP Free x64
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Kernel base = 0xfffff800`01849000 PsLoadedModuleList = 0xfffff800`01a0fdb0
Debug session time: Sat Jan 5 14:11:20.936 2008 (GMT-8)
System Uptime: 2 days 12:12:22.505
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
....................................................................................................................................................
Loading User Symbols
Loading unloaded module list
....
Unable to load image \SystemRoot\system32\drivers\fltmgr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for fltmgr.sys
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: b1530000fa6000d8, Actual security check cookie from the stack
Arg2: 0000fa6000d8b153, Expected security check cookie
Arg3: ffff059fff274eac, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************

MODULE_NAME: nt
FAULTING_MODULE: fffff80001849000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 475e2481
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
SECURITY_COOKIE: Expected 0000fa6000d8b153 found b1530000fa6000d8
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0xF7
LAST_CONTROL_TRANSFER: from fffffa6000d7aa52 to fffff800018a1e90
STACK_TEXT: <I removed from post to save space>
STACK_COMMAND: kb
FOLLOWUP_IP:
nt+58e90
fffff800`018a1e90 48894c2408 mov qword ptr [rsp+8],rcx
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt+58e90
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntoskrnl.exe
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------

dump # 2

Microsoft (R) Windows Debugger Version 6.8.0004.0 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\symbols\Mini010308-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Kernel Version 6001 (Service Pack 1.735) UP Free x64
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Kernel base = 0xfffff800`0180e000 PsLoadedModuleList = 0xfffff800`019d4db0
Debug session time: Thu Jan 3 01:55:28.942 2008 (GMT-8)
System Uptime: 0 days 5:42:22.821
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
................................................................................................................................................
Loading User Symbols
Loading unloaded module list
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffffa60012c1213, Address of the exception record for the exception that caused the bugcheck
Arg3: fffffa6004b93a90, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that       ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***

MODULE_NAME: Ntfs
FAULTING_MODULE: fffff8000180e000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 475e23a6
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
Ntfs+b5213
fffffa60`012c1213 ?? ???
CONTEXT: fffffa6004b93a90 -- (.cxr 0xfffffa6004b93a90)
rax=0000000000000000 rbx=fffff88006072010 rcx=fffffa8004bf6230
rdx=fffff88006072140 rsi=fffffa8004bf6230 rdi=fffffa8004dc1e50
rip=fffffa60012c1213 rsp=fffffa6004b942f0 rbp=0000000000000000
r8=0000000000000103 r9=0000000000000000 r10=0000000000000004
r11=fffffa8004dc1e50 r12=fffff88006072140 r13=fffff88006072140
r14=fffffa8004bf6230 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
Ntfs+0xb5213:
fffffa60`012c1213 ?? ???
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
BUGCHECK_STR: 0x3B
LAST_CONTROL_TRANSFER: from fffffa800282a180 to fffffa60012c1213
STACK_TEXT:
FOLLOWUP_IP:
Ntfs+b5213
fffffa60`012c1213 ?? ???
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Ntfs+b5213
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: Ntfs.sys
STACK_COMMAND: .cxr 0xfffffa6004b93a90 ; kb
BUCKET_ID: WRONG_SYMBOLS
Followup: MachineOwner
---------

dump # 3

Microsoft (R) Windows Debugger Version 6.8.0004.0 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [C:\symbols\Mini010208-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Kernel Version 6001 (Service Pack 1.735) UP Free x64
Product: LanManNt, suite: Enterprise TerminalServer SingleUserTS
Kernel base = 0xfffff800`01816000 PsLoadedModuleList = 0xfffff800`019dcdb0
Debug session time: Wed Jan 2 01:44:27.796 2008 (GMT-8)
System Uptime: 0 days 1:46:01.343
Unable to load image \SystemRoot\system32\ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...............................................................................................................................................
Loading User Symbols
Loading unloaded module list
....
Unable to load image \SystemRoot\system32\drivers\volmgr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for volmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for volmgr.sys
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: 011e0000fa6000bc, Actual security check cookie from the stack
Arg2: 0000fa6000bc011e, Expected security check cookie
Arg3: ffff059fff43fee1, Complement of the expected security check cookie
Arg4: 0000000000000000, zero

Debugging Details:
------------------

MODULE_NAME: volmgr
FAULTING_MODULE: fffff80001816000 nt
DEBUG_FLR_IMAGE_TIMESTAMP: 475e2a36
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
SECURITY_COOKIE: Expected 0000fa6000bc011e found 011e0000fa6000bc
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0xF7
LAST_CONTROL_TRANSFER: from fffffa6000bbcb76 to fffff8000186ee90
STACK_TEXT: <i removed stack trace to save space)
January 6th, 2008 4:31am
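
The two DRIVER_OVERRAN_STACK_BUFFER (f7) dumps in the post above each list the cookie found on the stack, the expected cookie and its complement. As an added example (not part of the original thread, and not Microsoft tooling), the Python below parses those Arg lines and checks how the three values relate; the function names are assumptions made here, and the sample text is copied from the posted !analyze -v output.

```python
import re

MASK64 = (1 << 64) - 1

# Sample input: the Arg lines of the two 0xF7 bugchecks posted above.
DUMPS = {
    "Mini010508-01.dmp": """\
Arg1: b1530000fa6000d8, Actual security check cookie from the stack
Arg2: 0000fa6000d8b153, Expected security check cookie
Arg3: ffff059fff274eac, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
""",
    "Mini010208-01.dmp": """\
Arg1: 011e0000fa6000bc, Actual security check cookie from the stack
Arg2: 0000fa6000bc011e, Expected security check cookie
Arg3: ffff059fff43fee1, Complement of the expected security check cookie
Arg4: 0000000000000000, zero
""",
}

def parse_args(text):
    """Return {1: int, ...} from the 'ArgN: <hex>, ...' lines of !analyze -v."""
    return {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]{16}),", text, re.M)}

def rotl64(x, n):
    """Rotate a 64-bit value left by n bits (0 < n < 64)."""
    return ((x << n) | (x >> (64 - n))) & MASK64

def triage_f7(text):
    """Relate the cookie found on the stack (Arg1) to the expected one (Arg2)."""
    a = parse_args(text)
    actual, expected, complement = a[1], a[2], a[3]
    return {
        # Arg3 should be the bitwise NOT of Arg2 if the dump data is self-consistent.
        "complement_ok": complement == expected ^ MASK64,
        # Left-rotation counts r for which rotl64(expected, r) == actual.
        "rotations": [r for r in range(1, 64) if rotl64(expected, r) == actual],
    }

if __name__ == "__main__":
    for name, text in DUMPS.items():
        print(name, triage_f7(text))
```

For both posted dumps the complement is consistent and the cookie found on the stack is the expected cookie rotated by 16 bits (a left rotation of 48), a relationship worth stating when the dumps are handed to whoever analyses them with matching symbols.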

If you are an MSDN subscriber we generally make the symbol file packages downloadable when we release the build on MSDN. We also generally post them here and on the symbol server but it looks like the latest symbols available are Beta3 and RC0 on the public server. These are all mini-dumps and depending on the issue kernel dumps may be required. That being said I assume that you are uploading these failures to Windows Error Reporting (WER). If so you should see an event log entry in the application log with a bucket ID. Can you post the bucket IDs for these failures? Thanks, -Steve
January 10th, 2008 8:43am

This topic is archived. No further replies will be accepted.
