OSLEE
asked on
Windows Server 2008 R2 - Random Reboots
We recently rolled out a new file server running Windows Server 2008 R2. For the past couple of weeks, however, it has randomly restarted itself 3 times. After sending a full memory dump and MPS report on the server to Microsoft Support, they advised us to install a patch (see related KB article link below).
http://support.microsoft.com/kb/2203330
After installing this patch successfully, the following day the "Server" service stopped unexpectedly around lunch time. Note that this time the server did not restart but the service just stopped. I was able to restart the service but would like to find out what the underlying issue is so I can prevent this from happening again. Below are the event logs received when the server service stopped:
Log Name: Application
Source: Application Error
Date: 1/12/2010 12:49:18 PM
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: ServerNameHere
Description:
Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b802
Exception code: 0xc000071f
Fault offset: 0x000000000006e51c
Faulting process id: 0x3b8
Faulting application start time: 0x01cb907356097e3d
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 96ed026f-fcf5-11df-b7ea-001e0bd1bb1c
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-12-01T02:49:18.000000000Z" />
<EventRecordID>8669</EventRecordID>
<Channel>Application</Channel>
<Computer>ServerNameHere</Computer>
<Security />
</System>
<EventData>
<Data>svchost.exe</Data>
<Data>6.1.7600.16385</Data>
<Data>4a5bc3c1</Data>
<Data>ntdll.dll</Data>
<Data>6.1.7600.16559</Data>
<Data>4ba9b802</Data>
<Data>c000071f</Data>
<Data>000000000006e51c</Data>
<Data>3b8</Data>
<Data>01cb907356097e3d</Data>
<Data>C:\Windows\system32\svchost.exe</Data>
<Data>C:\Windows\SYSTEM32\ntdll.dll</Data>
<Data>96ed026f-fcf5-11df-b7ea-001e0bd1bb1c</Data>
</EventData>
</Event>
-----------------------------------
Log Name: Application
Source: Microsoft-Windows-PerfNet
Date: 1/12/2010 12:50:46 PM
Event ID: 2005
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ServerNameHere
Description:
Unable to read performance data for the Server service. The first four bytes (DWORD) of the Data section contains the status code, the second four bytes contains the IOSB.Status and the next four bytes contains the IOSB.Information.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-PerfNet" Guid="{CAB2B8A5-49B9-4EEC-B1B0-FAC21DA05A3B}" EventSourceName="PerfNet" />
<EventID Qualifiers="49152">2005</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-12-01T02:50:46.000000000Z" />
<EventRecordID>8674</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>ServerNameHere</Computer>
<Security />
</System>
<EventData>
<Binary>050098C00300000008D98F00</Binary>
</EventData>
</Event>
ASKER
32-bit apps include:
- Junction Link Magic 2.0.0.1
- Sophos Antivirus 7.6.21
- Secure Copy 5.02.0000
There are no other 3rd party apps in use and I doubt there is anything out of the ordinary in GPO.
Any other event IDs that repeatedly appear?
Are you using Junction Link Magic extensively or redirecting to external storage?
Rob
Possible hardware issue? Bad memory? Usually memory causes random restarts...
ASKER
Junction Link Magic is used extensively, pointing to 37 shared directories on 13 RAID configured hard-disks.
With regards to application logs, no other recurring event ids other than . For system logs only the below one.
Log Name: System
Source: srv
Date: 30/11/2010 7:54:02 PM
Event ID: 2012
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: SRIDFIL02.osl.local
Description:
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="srv" />
<EventID Qualifiers="32768">2012</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-11-30T09:54:02.080404200Z" />
<EventRecordID>22262</EventRecordID>
<Channel>System</Channel>
<Computer>SRIDFIL02.osl.local</Computer>
<Security />
</System>
<EventData>
<Data>\Device\LanmanServer</Data>
<Binary>0000040001002C0000000000DC07008000000000840100C0000000000000000000000000000000008F050000</Binary>
</EventData>
</Event>
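The PerfNet 2005 and srv 2012 descriptions quoted in this thread both say how to read their Binary payloads (three named DWORDs, and data "formatted as Words"). The following is an added example, not part of any post here, that decodes both; the function names are hypothetical, the sample XML keeps only the provider, event ID and Binary text from the quoted events, and flagging words by NTSTATUS error severity is a triage heuristic rather than a documented field layout.

```python
import struct
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
_WRAP = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
         '<System><Provider Name="%s" /><EventID>%d</EventID></System>'
         '<EventData><Binary>%s</Binary></EventData></Event>')

# Constructed samples: provider, event ID and Binary text taken from the
# events quoted in this thread (spacing as pasted), other elements dropped.
PERFNET_2005 = _WRAP % ("Microsoft-Windows-PerfNet", 2005,
                        "050098C00300000008 D98F00")
SRV_2012 = _WRAP % ("srv", 2012,
                    "0000040001002C0000 000000DC07 0080000000 00840100C0 "
                    "0000000000 0000000000 0000000000 008F050000")

def binary_words(event_xml):
    """Return (provider, event_id, words): Binary as little-endian DWORDs."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.find("e:System/e:EventID", NS).text)
    node = root.find("e:EventData/e:Binary", NS)
    # Copy/paste often injects whitespace into the hex; drop it before decoding.
    raw = bytes.fromhex("".join((node.text or "").split())) if node is not None else b""
    if len(raw) % 4:
        raise ValueError("Binary payload is not a whole number of DWORDs")
    return provider, event_id, list(struct.unpack("<%dI" % (len(raw) // 4), raw))

def severity(status):
    """NTSTATUS severity is carried in the top two bits of the 32-bit value."""
    return ("success", "informational", "warning", "error")[(status >> 30) & 3]

def perfnet_2005_fields(event_xml):
    """Name the first three DWORDs as the PerfNet 2005 description does."""
    _, event_id, words = binary_words(event_xml)
    if event_id != 2005 or len(words) < 3:
        raise ValueError("not a PerfNet 2005 payload")
    return dict(zip(("status", "iosb_status", "iosb_information"), words))

def error_words(event_xml):
    """Heuristic (assumption): list words whose top bits mark an NTSTATUS error."""
    return [w for w in binary_words(event_xml)[2] if severity(w) == "error"]

if __name__ == "__main__":
    for name, value in perfnet_2005_fields(PERFNET_2005).items():
        print(f"PerfNet 2005 {name}: 0x{value:08X} ({severity(value)})")
    print("srv 2012 error-severity words:",
          [f"0x{w:08X}" for w in error_words(SRV_2012)])
```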
ASKER
Below is the debug information:
Windows 7 Kernel Version 7600 MP (4 procs) Free x64
Product: Server, suite: TerminalServer SingleUserTS
Built by: 7600.16617.amd64fre.win7_gdr.100618-1621
Machine Name:
Kernel base = 0xfffff800`01808000 PsLoadedModuleList = 0xfffff800`01a45e50
Debug session time: Sat Dec 4 10:34:22.447 2010 (UTC + 11:00)
System Uptime: 0 days 20:19:55.531
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
Loading unloaded module list
......
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1, {fffff8000186c358, 0, ffff, 1}
Probably caused by : ntkrnlmp.exe ( nt!CcWorkerThread+0 )
Followup: MachineOwner
---------
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
APC_INDEX_MISMATCH (1)
This is a kernel internal error. The most common reason to see this
bugcheck is when a filesystem or a driver has a mismatched number of
calls to disable and re-enable APCs. The key data item is the
Thread->KernelApcDisable field. A negative value indicates that a driver
has disabled APC calls without re-enabling them. A positive value indicates
that the reverse is true. This check is made on exit from a system call.
Arguments:
Arg1: fffff8000186c358, address of system function (system call)
Arg2: 0000000000000000, Thread->ApcStateIndex << 8 | Previous ApcStateIndex
Arg3: 000000000000ffff, Thread->KernelApcDisable
Arg4: 0000000000000001, Previous KernelApcDisable
Debugging Details:
------------------
FAULTING_IP:
nt!CcWorkerThread+0
fffff800`0186c358 488bc4 mov rax,rsp
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x1
PROCESS_NAME: System
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from fffff80001823511 to fffff80001878740
STACK_TEXT:
fffff880`099a8ca8 fffff800`01823511 : 00000000`00000001 fffff800`0186c358 00000000`00000000 00000000`0000ffff : nt!KeBugCheckEx
fffff880`099a8cb0 fffff800`01b1cc06 : fffff880`0c048ae0 fffffa80`0a18f590 00000000`00000080 fffffa80`0396e990 : nt! ?? ::FNODOBFM::`string'+0x54406
fffff880`099a8d40 fffff800`01856c26 : fffff880`009bf180 fffffa80`0a18f590 fffffa80`039de680 fffff880`01657a90 : nt!PspSystemThreadStartup+0x5a
fffff880`099a8d80 00000000`00000000 : fffff880`099a9000 fffff880`099a3000 fffff880`099a8380 00000000`00000000 : nt!KxStartSystemThread+0x16
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
nt!CcWorkerThread+0
fffff800`0186c358 488bc4 mov rax,rsp
SYMBOL_NAME: nt!CcWorkerThread+0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 4c1c44a9
FAILURE_BUCKET_ID: X64_0x1_SysCallNum_0_nt!CcWorkerThread+0
BUCKET_ID: X64_0x1_SysCallNum_0_nt!CcWorkerThread+0
Followup: MachineOwner
ASKER CERTIFIED SOLUTION
ASKER
Problem resolved on our own. Issue was Disk Keeper.
Which, if any, third-party applications are in use?
Anything extraordinary in terms of a GPO?
Rob