Automatic server reboot after bugcheck

Hi All,
Thanks for taking the time to read this, and even more thanks if you can give a clue. Our file/print server (Windows Server 2003, fully patched) has been rebooting every few days for no apparent reason. I haven't been able to figure out a pattern. Usually there is a memory dump and a system event log entry recorded (see event #1 & event #2), but sometimes just a system event log entry is recorded (see event #3). I do have two memory minidumps (see dump1, which matches the logs below, & dump2 from another incident), but am not quite certain a. what the analysis means and b. what's up with the symbols. Submitting the dump to Microsoft's OCA site yields no help. I've also scoured the web and reviewed MS info. Sorry for all the info below, but I figured I'd post it before being asked about it. Any assistance?

Event#1
Event Type: Warning
Event Source: USER32
Event Category: None
Event ID:      1076
Date: 4/3/2006
Time: 10:41:26 AM
User: TIM\admin
Computer:      TIM01
Description: The reason supplied by user TIM\admin for the last unexpected shutdown of this computer is: System Failure: Stop error
 Reason Code: 0x805000f
 Bug ID:
 Bugcheck String: 0x000000d1 (0xe3ae2004, 0x00000002, 0x00000001, 0xf636e2ce)
 Comment: 0x000000d1 (0xe3ae2004, 0x00000002, 0x00000001, 0xf636e2ce)
Data:
0000: 0f 00 05 08               ....    

Event#2
Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID:      1003
Date: 4/3/2006
Time: 10:41:37 AM
User: N/A
Computer:      TIM01
Description: Error code 000000d1, parameter1 e3ae2004, parameter2 00000002, parameter3 00000001, parameter4 f636e2ce.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 64    000000d
0020: 31 20 20 50 61 72 61 6d   1  Param
0028: 65 74 65 72 73 20 65 33   eters e3
0030: 61 65 32 30 30 34 2c 20   ae2004,
0038: 30 30 30 30 30 30 30 32   00000002
0040: 2c 20 30 30 30 30 30 30   , 000000
0048: 30 31 2c 20 66 36 33 36   01, f636
0050: 65 32 63 65               e2ce    


Event #3
Event Type:      Warning
Event Source:      USER32
Event Category:      None
Event ID:      1076
Date:            3/30/2006
Time:            3:56:11 PM
User:            TIM\admin
Computer:      TIM01
Description:
The reason supplied by user TIM\admin for the last unexpected shutdown of this computer is: Other (Unplanned)
 Reason Code: 0xa000000
 Bug ID:
 Bugcheck String:
 Comment:
Data:
0000: 00 00 00 0a               ....    

------------------------------------------------------------
Dump1

Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Temp\Mini040306-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
Debug session time: Mon Apr  3 10:36:18.916 2006 (GMT-5)
System Uptime: 3 days 18:41:56.823
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
...........................................................................................................
Loading unloaded module list
....
Loading User Symbols
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {e3ae2004, 2, 1, f636e2ce}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Unable to load image \SystemRoot\system32\DRIVERS\srv.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for srv.sys
*** ERROR: Module load completed but symbols could not be loaded for srv.sys
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
Probably caused by : srv.sys ( srv+172ce )

Followup: MachineOwner
---------
-----------------------------------------------

Dump2


Microsoft (R) Windows Debugger  Version 6.5.0003.7
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\temp1\Mini031506-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 1) MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af988
Debug session time: Wed Mar 15 19:07:17.331 2006 (GMT-5)
System Uptime: 0 days 0:22:59.952
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
Unable to load image \WINDOWS\system32\ntoskrnl.exe, Win32 error 2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Loading Kernel Symbols
............................................................................................................
Loading unloaded module list
....
Loading User Symbols
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck D1, {e1520000, 2, 1, f727f319}

***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Unable to load image Ntfs.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for Ntfs.sys
*** ERROR: Module load completed but symbols could not be loaded for Ntfs.sys
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: nt!_KPRCB                                     ***
***                                                                   ***
*************************************************************************
*** WARNING: Unable to verify timestamp for fltmgr.sys
*** ERROR: Module load completed but symbols could not be loaded for fltmgr.sys
*** WARNING: Unable to verify timestamp for NsiFiltr.sys
*** ERROR: Module load completed but symbols could not be loaded for NsiFiltr.sys
*** WARNING: Unable to verify timestamp for UdDrv.sys
*** ERROR: Module load completed but symbols could not be loaded for UdDrv.sys
*** WARNING: Unable to verify timestamp for naiavf5x.sys
*** ERROR: Module load completed but symbols could not be loaded for naiavf5x.sys
*** WARNING: Unable to verify timestamp for srv.sys
*** ERROR: Module load completed but symbols could not be loaded for srv.sys
The call to LoadLibrary(exts) failed, Win32 error 127
    "The specified procedure could not be found."
Please check your debugger configuration and/or network access.
Probably caused by : fltmgr.sys ( fltmgr+4c53 )

Followup: MachineOwner
---------


rczyzewski Asked:
Lee W, MVP (Technology and Business Process Advisor) Commented:
Stop 0xD1 messages can occur after installing faulty drivers or system services. If a driver is listed by name, disable, remove, or roll back that driver to confirm that this resolves the error. If so, contact the manufacturer about a possible update. Using updated software is especially important for backup programs, multimedia applications, antivirus scanners, DVD playback, and CD mastering tools.


The srv.sys and fltmgr are related to the server services and file system services.  I suggest you look at drivers for various disk related apps and consider trying to restore older backed up versions of those files to see if the problem goes away.
0
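
The bugcheck lines posted in the question can be read mechanically. The following is an added example, not part of the original thread: it parses the WinDbg summary lines and the event 1003 description, labels the four Stop 0xD1 parameters as Microsoft documents them for DRIVER_IRQL_NOT_LESS_OR_EQUAL, and checks whether the module+offset named by "Probably caused by" is actually the faulting instruction address. The function names are hypothetical, and the check assumes driver images load at 4 KiB page-aligned bases.

```python
import re

# Constructed input: summary lines copied from the two dumps and event 1003 above.
DUMP1 = """BugCheck D1, {e3ae2004, 2, 1, f636e2ce}
Probably caused by : srv.sys ( srv+172ce )"""
DUMP2 = """BugCheck D1, {e1520000, 2, 1, f727f319}
Probably caused by : fltmgr.sys ( fltmgr+4c53 )"""
EVENT_1003 = ("Error code 000000d1, parameter1 e3ae2004, parameter2 00000002, "
              "parameter3 00000001, parameter4 f636e2ce.")

PAGE_SIZE = 0x1000                      # assumption: x86 4 KiB pages
ACCESS = {0: "read", 1: "write", 8: "execute"}

BUGCHECK_RE = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
BLAME_RE = re.compile(r"Probably caused by : (\S+) \( (\w+)\+([0-9a-fA-F]+) \)")
EVENT_RE = re.compile(r"Error code ([0-9a-fA-F]{8}), " + ", ".join(
    rf"parameter{i} ([0-9a-fA-F]{{8}})" for i in range(1, 5)))

def parse_windbg(text):
    """Extract bugcheck code, arguments and the blamed module+offset."""
    bc, blame = BUGCHECK_RE.search(text), BLAME_RE.search(text)
    if not bc or not blame:
        raise ValueError("not a WinDbg bugcheck summary")
    return {"code": int(bc.group(1), 16),
            "args": [int(a, 16) for a in bc.group(2).split(",")],
            "module": blame.group(1),
            "offset": int(blame.group(3), 16)}

def parse_event_1003(description):
    """Extract (code, [p1..p4]) from a System Error event 1003 description."""
    m = EVENT_RE.search(description)
    if not m:
        raise ValueError("not an event 1003 description")
    values = [int(g, 16) for g in m.groups()]
    return values[0], values[1:]

def decode_d1(args):
    """Label the Stop 0xD1 parameters."""
    referenced, irql, access, ip = args
    return {"referenced_address": referenced,
            "irql": irql,               # 2 is DISPATCH_LEVEL on x86
            "access": ACCESS.get(access, "unknown"),
            "faulting_ip": ip}

def check_blame(summary):
    """If the faulting IP were module+offset, IP - offset would be a page-aligned
    image base. Returns (implied_base, is_page_aligned)."""
    implied_base = summary["args"][3] - summary["offset"]
    return implied_base, implied_base % PAGE_SIZE == 0

if __name__ == "__main__":
    for name, text in (("dump1", DUMP1), ("dump2", DUMP2)):
        s = parse_windbg(text)
        d = decode_d1(s["args"])
        base, aligned = check_blame(s)
        print(f"{name}: {d['access']} of {d['referenced_address']:#010x} at IRQL "
              f"{d['irql']} from {d['faulting_ip']:#010x}; blamed {s['module']}; "
              f"implied base {base:#010x} page-aligned={aligned}")
```

For dump1 the faulting address minus the srv offset is a page-aligned base, so the faulting instruction is inside srv.sys. For dump2 it is not, which means fltmgr+4c53 is a frame the debugger picked from the stack rather than the instruction that touched the bad address, and the other drivers listed in that dump stay in scope.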
 
Rant32 Commented:
Debugging symbols are not installed on normal production machines, that's ok.

This is usually a driver problem. See if there are any unsigned drivers by running SIGVERIF on the server. Update, or if possible remove, all drivers that are not digitally signed. Pay special care to printer drivers, they can wreak havoc on a server.

This server doesn't happen to be a Terminal Server too, right?

What hardware are you running?
0
 
rczyzewski (Author) Commented:
Executive Undelete Server v5.114 and McAfee AV v8 are the only disk related apps I can think of.  I'll check those out.
0
 
rczyzewski (Author) Commented:
Running sigverif brings up:
C:\windows\system32\drivers\mvstdi5x.sys  v8.0.0.301
and
C:\windows\system32\drivers\naiavf5x.sys  v8.0.0.309
These look to be related to our McAfee AV.  I've looked with them before, but will follow up.

Server is not a Terminal Server, though a few staff will connect with Remote Desktop to administer printers or folder permissions.
0
 
Rant32 Commented:
The most common problems only apply to TS in application mode.

Wouldn't be surprised if it's in the McAfee Mini-firewall drivers, a lot of links pop up googling those files.
0
 
rczyzewski (Author) Commented:
I'm checking with McAfee on those files.  I disabled one more thing McAfee v8 was monitoring (I think it was in Buffer Overflow Protection Policies, but I can't recall).
It's been good this last week, but I've been fooled before.
0
 
Amoniks Commented:
Hi,

I also have the same problem on a Terminal Server 2008 R2...

The server reboots unexpectedly with the same bugcheck 0xa000000!
I did a SIGVERIF and we have:

kapfa.sys
stcvsm.sys

that are not signed...

We don't know what to do now.
0
Question has a verified solution.
