?
Solved

Automatic server reboot after bugcheck

Posted on 2006-04-03
7
Medium Priority
?
22,923 Views
Last Modified: 2013-03-01
Hi All,
Thanks for taking the time to read this, even more thanks if you can give a clue.  Our file/print server (Windows Server 2003, fully patched) has been rebooting every few days for no apparent reason.  I haven't been able to figure out a pattern.  Usually there is memory dump and system event log recorded (see event #1 & event #2), but sometimes just a system event log recorded (see event#3).   I do have two memory minidumps (see dump1 which matches the logs below & dump2 from another incident), but am not quite certain a. what the analysis means and b. what's up with the symbols.  Submitting the dump to Microsoft's oca site yields no help.  I've also scoured the web and reviewed MS info.  Sorry for all the info below, but I figure I'd post it before asked about it.  Any assistance?

Event#1
Event Type: Warning
Event Source: USER32
Event Category: None
Event ID:      1076
Date: 4/3/2006
Time: 10:41:26 AM
User: TIM\admin
Computer:      TIM01
Description: The reason supplied by user TIM\admin for the last unexpected shutdown of this computer is: System Failure: Stop error
 Reason Code: 0x805000f
 Bug ID:
 Bugcheck String: 0x000000d1 (0xe3ae2004, 0x00000002, 0x00000001, 0xf636e2ce)
 Comment: 0x000000d1 (0xe3ae2004, 0x00000002, 0x00000001, 0xf636e2ce)
Data:
0000: 0f 00 05 08               ....    

Event#2
Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID:      1003
Date: 4/3/2006
Time: 10:41:37 AM
User: N/A
Computer:      TIM01
Description: Error code 000000d1, parameter1 e3ae2004, parameter2 00000002, parameter3 00000001, parameter4 f636e2ce.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 64    000000d
0020: 31 20 20 50 61 72 61 6d   1  Param
0028: 65 74 65 72 73 20 65 33   eters e3
0030: 61 65 32 30 30 34 2c 20   ae2004,
0038: 30 30 30 30 30 30 30 32   00000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 31 2c 20 66 36 33 36   01, f636
0050: 65 32 63 65               e2ce    


Event #3
Event Type:      Warning
Event Source:      USER32
Event Category:      None
Event ID:      1076
Date:            3/30/2006
Time:            3:56:11 PM
User:            TIM\admin
Computer:      TIM01
Description:
The reason supplied by user TIM\admin for the last unexpected shutdown of this computer is: Other (Unplanned)
 Reason Code: 0xa000000
 Bug ID:
 Bugcheck String:
 Comment:
Data:
0000: 00 00 00 0a               ....    

------------------------------------------------------------
Dump1

Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Temp\Mini040306-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
Debug session time: Mon Apr  3 10:36:18.916 2006 (GMT-5)
System Uptime: 3 days 18:41:56.823
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...........................................................................................................
Loading unloaded module list
....
Loading User Symbols
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {e3ae2004, 2, 1, f636e2ce}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Unable to load image \SystemRoot\system32\DRIVERS\srv.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for srv.sys
*** ERROR: Module load completed but symbols could not be loaded for srv.sys
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
Probably caused by : srv.sys ( srv+172ce )

Followup: MachineOwner
---------
-----------------------------------------------

Dump2


Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\temp1\Mini031506-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
Debug session time: Wed Mar 15 19:07:17.331 2006 (GMT-5)
System Uptime: 0 days 0:22:59.952
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
............................................................................................................
Loading unloaded module list
....
Loading User Symbols
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {e1520000, 2, 1, f727f319}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Unable to load image Ntfs.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for Ntfs.sys
*** ERROR: Module load completed but symbols could not be loaded for Ntfs.sys
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for fltmgr.sys
*** WARNING: Unable to verify timestamp for NsiFiltr.sys
*** ERROR: Module load completed but symbols could not be loaded for NsiFiltr.sys
*** WARNING: Unable to verify timestamp for UdDrv.sys
*** ERROR: Module load completed but symbols could not be loaded for UdDrv.sys
*** WARNING: Unable to verify timestamp for naiavf5x.sys
*** ERROR: Module load completed but symbols could not be loaded for naiavf5x.sys
*** WARNING: Unable to verify timestamp for srv.sys
*** ERROR: Module load completed but symbols could not be loaded for srv.sys
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
Probably caused by : fltmgr.sys ( fltmgr+4c53 )

Followup: MachineOwner
---------


0
Comment
Question by:rczyzewski
7 Comments
 
LVL 97

Accepted Solution

by:
Lee W, MVP earned 1000 total points
ID: 16363987
Stop 0xD1 messages can occur after installing faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to confirm that this resolves the error. If so, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.


The srv.sys and fltmgr are related to the server services and file system services.  I suggest you look at drivers for various disk related apps and consider trying to restore older backed up versions of those files to see if the problem goes away.
0
 
LVL 12

Expert Comment

by:Rant32
ID: 16364451
Debugging symbols are not installed on normal production machines, that's ok.

This is usually a driver problem. See if there are any unsigned drivers by running SIGVERIF on the server. Update, or if possible remove, all drivers that are not digitally signed. Pay special care to printer drivers, they can wreak havoc on a server.

This server doesn't happen to be a Terminal Server too, right?

What hardware are you running?
0
 

Author Comment

by:rczyzewski
ID: 16364653
Executive Undelete Server v5.114 and McAfee AV v8 are the only disk related apps I can think of.  I'll check those out.
0
Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

 

Author Comment

by:rczyzewski
ID: 16364662
Running sigverif brings up:
C:\windows\system32\drivers\mvstdi5x.sys  v8.0.0.301
and
C:\windows\system32\drivers\naiavf5x.sys  v8.0.0.309
These look to be related to our McAfee AV.  I've looked with them before, but will follow up.

Server is not a Terminal Server, though a few staff will connect with Remote Desktop to administer printers or folder permissions.
0
 
LVL 12

Assisted Solution

by:Rant32
Rant32 earned 1000 total points
ID: 16364803
The most common problems only apply to TS in application mode.

Wouldn't be surprised if it's in the McAfee Mini-firewall drivers, a lot of links pop up googling those files.
0
 

Author Comment

by:rczyzewski
ID: 16401758
I'm checking with McAfee on those files.  I disabled one more thing McAfee v8 was monitoring (I think it was in Buffer Overflow Protection Policies, but I can't recall).
It's been good this last week, but I've been fooled before.
0
 

Expert Comment

by:Amoniks
ID: 38942133
Hi,

I have also the same problem on a Terminal Server 2008 R2...

The server reboot unexpectedly with the same bugcheck 0xa000000 !
I did a SIGVERIF and we have :

kapfa.sys
stcvsm.sys

that are not signed...

We don't know what to do now.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question