Hi Experts,
I am facing a problem with one of the servers, wherein the server crashes with a 0x00000041 error. It also logs event ID 2019. Preliminary dump analysis shows it may be due to McAfee NAI, but we are doubtful. Any help in this regard will be of great help.
I analyzed the dump and here it is:
Loading Dump File [C:\Mini020707-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: C:\Program Files\Debugging Tools for Windows\SYMBOLS
Executable search path is: Y:\WINNT2K;Y:\WINNT2K\SYSTEM32;Y:\WINNT2K\SYSTEM32\DRIVERS
*** WARNING: symbols timestamp is wrong 0x45069e6e 0x3ee6c002 for ntoskrnl.exe
Windows 2000 Kernel Version 2195 (Service Pack 4) UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
Debug session time: Wed Feb 7 21:05:45.687 2007 (GMT+6)
System Uptime: not available
*** WARNING: symbols timestamp is wrong 0x45069e6e 0x3ee6c002 for ntoskrnl.exe
Loading Kernel Symbols
............................................................................................
Loading User Symbols
Loading unloaded module list
...
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 41, {1000, f921, 6cc, 2b87d}
*** ERROR: Module load completed but symbols could not be loaded for naiavf5x.sys
Probably caused by : naiavf5x.sys ( naiavf5x+1eae )
Followup: MachineOwner
---------
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
MUST_SUCCEED_POOL_EMPTY (41)
No component should ever ask for must-succeed pool as if there is none left,
the system crashes. Instead, components should ask for normal pool and
gracefully handle the scenario where the pool is temporarily empty. This
bugcheck definitely reveals a bug in the caller (use kb to identify the caller).
In addition, the fact that the pool is empty may be either a transient condition
or possibly a leak in another component (distinguish between the 2 cases by
following the directions below).
Type kb to show the calling stack.
Type !vm 1 to display total pool usage.
Then type !poolused 2 to display per-tag nonpaged pool usage.
Then type !poolused 4 to display per-tag paged pool usage.
The crash should be looked at by the tag owner that is consuming the most pool.
Arguments:
Arg1: 00001000, size of the request that could not be satisfied
Arg2: 0000f921, number of pages used of nonpaged pool
Arg3: 000006cc, number of > PAGE_SIZE requests from nonpaged pool
Arg4: 0002b87d, number of pages available
Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x41
LAST_CONTROL_TRANSFER: from 8046a914 to 8046b00e
STACK_TEXT:
f6c570f0 8046a914 00000002 00001000 00000000 nt!ExAllocatePoolWithTag+0x3e8
f6c57128 8041eff8 00000002 00000000 20707249 nt!LZNT1DecompressChunk+0x76c
f6c57158 bfece446 817222a8 000001b4 88ff1810 nt!DisplayFilter+0x35
f6c571ac bfece2f4 88ceca48 88ff5e20 817222a8 Ntfs!NtfsMultipleAsync+0x72
f6c57370 bfec9526 88ceca48 817222a8 e1833d78 Ntfs!NtfsNonCachedIo+0x360
f6c576fc bfec83e8 88ceca48 817222a8 88ff1740 Ntfs!NtfsCommonWrite+0x1d90
f6c57764 8041dded 88ff1740 817222a8 81722438 Ntfs!NtfsFsdWrite+0xee
f6c57778 be330eae 817222a8 8887e008 89011ac8 nt!FsRtlCancelOplockIIIrp+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
00000000 00000000 00000000 00000000 00000000 naiavf5x+0x1eae
STACK_COMMAND: kb
FOLLOWUP_IP:
naiavf5x+1eae
be330eae 8bf0 mov esi,eax
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: naiavf5x+1eae
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: naiavf5x
IMAGE_NAME: naiavf5x.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 4249ad5f
FAILURE_BUCKET_ID: 0x41_naiavf5x+1eae
BUCKET_ID: 0x41_naiavf5x+1eae
Followup: MachineOwner
---------
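
An added example, not part of the original post: a Python triage helper that decodes the bugcheck 0x41 arguments listed above and marks stack frames whose module raised the "symbols timestamp is wrong" warning, because names resolved from mismatched symbols cannot be relied on. The sample text is constructed from lines of the dump with wrapped lines rejoined; the function name `triage`, the 4 KB x86 page size and the list of kernel image names are assumptions of this example.

```python
import re

PAGE_SIZE = 4096  # assumption: x86 page size; Arg2 and Arg4 are page counts

# Constructed sample: lines copied from the dump above, wrapped lines rejoined.
SAMPLE = """\
*** WARNING: symbols timestamp is wrong 0x45069e6e 0x3ee6c002 for ntoskrnl.exe
BugCheck 41, {1000, f921, 6cc, 2b87d}
STACK_TEXT:
f6c570f0 8046a914 00000002 00001000 00000000 nt!ExAllocatePoolWithTag+0x3e8
f6c57764 8041dded 88ff1740 817222a8 81722438 Ntfs!NtfsFsdWrite+0xee
f6c57778 be330eae 817222a8 8887e008 89011ac8 nt!FsRtlCancelOplockIIIrp+0x18
00000000 00000000 00000000 00000000 00000000 naiavf5x+0x1eae
"""

# The debugger names the kernel module "nt" whatever the image file is called.
KERNEL_IMAGES = {"ntoskrnl", "ntkrnlpa", "ntkrnlmp", "ntkrpamp"}

FRAME_RE = re.compile(r"(?:[0-9a-f]{8} ){5}(\w+)(?:!(\w+))?\+0x([0-9a-f]+)$")


def triage(text):
    """Decode a 0x41 bugcheck line and grade each stack frame's symbol quality."""
    m = re.search(r"BugCheck (\w+), \{(\w+), (\w+), (\w+), (\w+)\}", text)
    code, a1, a2, a3, a4 = (int(x, 16) for x in m.groups())

    # Modules the debugger warned about: their symbol names may be wrong.
    mismatched = set()
    for image in re.findall(r"symbols timestamp is wrong \S+ \S+ for (\S+)", text):
        stem = image.rsplit(".", 1)[0].lower()
        mismatched.add("nt" if stem in KERNEL_IMAGES else stem)

    frames = []
    for line in text.splitlines():
        f = FRAME_RE.match(line.strip())
        if not f:
            continue
        module, symbol, offset = f.group(1), f.group(2), int(f.group(3), 16)
        if symbol is None:
            status = "no-symbols"          # only module+offset is known
        elif module.lower() in mismatched:
            status = "mismatched-symbols"  # name came from the wrong symbol file
        else:
            status = "ok"
        frames.append((module, symbol, offset, status))

    return {"code": code, "request_size": a1, "large_requests": a3,
            "nonpaged_used_bytes": a2 * PAGE_SIZE,
            "available_bytes": a4 * PAGE_SIZE, "frames": frames}
```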