Advertisement

02.29.2008 at 02:28AM PST, ID: 23203295
[x]
Attachment Details

NO_MORE_IRP_STACK_LOCATIONS. Server bluescreen's on logoff. Memory dump mentions symevent64x86.sys

Asked by prodriveit in Windows 2003 Server, Networking Security Vulnerabilities

Tags: ,

Hi All
Hoping someone can suggest something for this.
A customer has a Windows 2003 R2 64bit server. HP DL380 G5 2 x Quad core CPU's 4GB Ram.
Running exchange 2007. Its the DC and file and print server.
No new hardware or software (except dfs) has gone onto the machine recently.
When we log off the server blue screens with NO_MORE_IRP_STACK_LOCATIONS.
I have recently setup DFS on this server, don't know if thats related
We have another server in a different site that is identical except it doesn't run exchange and we are not having the problem there.

The output from the memory dump is as follows:
NO_MORE_IRP_STACK_LOCATIONS (35)
A higher level driver has attempted to call a lower level driver through
the IoCallDriver() interface, but there are no more stack locations in the
packet, hence, the lower level driver would not be able to access its
parameters, as there are no parameters for it.  This is a disasterous
situation, since the higher level driver "thinks" it has filled in the
parameters for the lower level driver (something it MUST do before it calls
it), but since there is no stack location for the latter driver, the former
has written off of the end of the packet.  This means that some other memory
has probably been trashed at this point.
Arguments:
Arg1: fffffadf98fcd790, Address of the IRP
Arg2: 0000000000000000
Arg3: 0000000000000000
Arg4: fffffadf00000000

Debugging Details:
------------------

Page c5674 not present in the dump file. Type ".hh dbgerr004" for details
Page c558f not present in the dump file. Type ".hh dbgerr004" for details

PEB is paged out (Peb.Ldr = 000007ff`fffdf018).  Type ".hh dbgerr001" for details

PEB is paged out (Peb.Ldr = 000007ff`fffdf018).  Type ".hh dbgerr001" for details

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x35

PROCESS_NAME:  winlogon.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from fffff8000102e871 to fffff8000102e890

STACK_TEXT:  
fffffadf`8ac64728 fffff800`0102e871 : 00000000`00000035 fffffadf`98fcd790 00000000`00000000 00000000`00000000 : nt!KeBugCheckEx
fffffadf`8ac64730 fffff800`01078b1e : 00000000`00000005 00000000`00000000 fffffadf`993f0670 00000000`00000211 : nt!KiBugCheck3+0x11
fffffadf`8ac64760 fffffadf`903b6fe1 : fffffadf`8ac647f0 fffffadf`98fcd860 fffffadf`9c2cc390 fffffadf`993b7010 : nt!IoCallDriver+0x34
fffffadf`8ac64790 fffffadf`903b78c7 : 00000000`002bc2a5 fffffadf`98fcd790 fffffadf`98fcd8a8 fffffadf`9ae88690 : fltmgr!FltpPassThrough+0x241
fffffadf`8ac647d0 fffffadf`903b6fe1 : fffffadf`8ac64890 fffffadf`98fcd8a8 fffffadf`8ac64890 fffffadf`9c2cc390 : fltmgr!FltpDispatch+0x167
fffffadf`8ac64830 fffffadf`903b7862 : fffffa80`08382750 fffffadf`98fcd790 fffffadf`98fcd8f0 fffffadf`9b751870 : fltmgr!FltpPassThrough+0x241
fffffadf`8ac64870 fffffadf`903b6fe1 : fffffadf`8ac64930 fffffadf`98fcd8f0 fffffadf`8ac64930 fffffadf`9c2cc390 : fltmgr!FltpDispatch+0x102
fffffadf`8ac648d0 fffffadf`903b78c7 : fffffa80`00b3a020 fffffadf`98fcd790 fffffadf`8ac649f0 fffffadf`9af83610 : fltmgr!FltpPassThrough+0x241
fffffadf`8ac64910 fffffadf`8e845fbd : fffffadf`9ad343c0 fffffa80`0078c9b8 00000000`00000000 fffffadf`9af83610 : fltmgr!FltpDispatch+0x167
fffffadf`8ac64970 fffffadf`8e84f14a : fffffadf`98c4f920 fffffadf`8ac649f0 fffffadf`9ae91670 00000000`00000000 : SYMEVENT64x86!SYMEvent_GetSubTask+0x754d
fffffadf`8ac649a0 fffffadf`8e846217 : fffffadf`99bc3c10 fffffadf`8ac64cf0 fffffadf`98fcd980 fffffa80`091b8010 : SYMEVENT64x86!EventObjectCreate+0xf1a
fffffadf`8ac649d0 fffffadf`90120e05 : fffffadf`990a3c34 fffffadf`99bc3c10 fffffadf`98fcd980 fffffa80`091b8010 : SYMEVENT64x86!SYMEvent_GetSubTask+0x77a7
fffffadf`8ac64a40 fffffadf`90120c37 : fffffadf`99bc3c10 fffffadf`98fcd790 fffffadf`98fcd790 fffffadf`98fcd790 : Mup!DfsCommonSetInformation+0x165
fffffadf`8ac64ac0 fffff800`0125ca56 : fffffadf`98fcd980 fffffadf`98fcd790 fffffadf`98fcd790 00000000`0000000a : Mup!DfsFsdSetInformation+0x67
fffffadf`8ac64b00 fffff800`0102e33d : 00000000`00000894 00000000`00b5e370 00000000`0146c450 fffffadf`0000006c : nt!NtSetInformationFile+0x916
fffffadf`8ac64c00 00000000`77ef0c5a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x3
00000000`00b5e2c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x77ef0c5a


STACK_COMMAND:  kb

FOLLOWUP_IP:
SYMEVENT64x86!SYMEvent_GetSubTask+754d
fffffadf`8e845fbd 894630          mov     dword ptr [rsi+30h],eax

SYMBOL_STACK_INDEX:  9

SYMBOL_NAME:  SYMEVENT64x86!SYMEvent_GetSubTask+754d

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMEVENT64x86

IMAGE_NAME:  SYMEVENT64x86.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  45515160

FAILURE_BUCKET_ID:  X64_0x35_SYMEVENT64x86!SYMEvent_GetSubTask+754d

BUCKET_ID:  X64_0x35_SYMEVENT64x86!SYMEvent_GetSubTask+754d

Followup: MachineOwner


I have uninstalled symantec AV and that seemed to resolve the problem. I reinstalled AV and the problem occurred again after about 8 hours so i'm pretty sure its to do with that but not sure what to do next.

Any help would be most appreciated
Start Free Trial
[+][-]02.29.2008 at 05:00AM PST, ID: 21012751

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]02.29.2008 at 07:01AM PST, ID: 21013775

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]02.29.2008 at 07:11AM PST, ID: 21013865

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]02.29.2008 at 07:15AM PST, ID: 21013904

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03.01.2008 at 05:47AM PST, ID: 21021585

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03.01.2008 at 06:05AM PST, ID: 21021681

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]05.07.2008 at 05:25AM PDT, ID: 21515597

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Windows 2003 Server, Networking Security Vulnerabilities
Tags: Microsoft, 2003 R2 64bit
Sign Up Now!
Solution Provided By: prodriveit
Participating Experts: 2
Solution Grade: A
 
 
 
Loading Advertisement...
20080716-EE-VQP-32 / EE_QW_2_20070628