rgutwein

asked on

Anti-Virus Crashing Server

Hi,

We have a few Windows 2003 Servers that have been crashing lately.  Here are a few error messages that I was able to capture:

http://static.flickr.com/102/307686879_4d73a68c3e.jpg?v=0

http://static.flickr.com/121/307686883_41af8d5619.jpg?v=0

http://static.flickr.com/120/307686885_1ce8f00d46.jpg?v=0

I believe that the problem could be the latest version of our Anti-Virus program.  We are currently running the latest Authentium Command Anti Virus, version 4.93.8.  We never had any servers crashing before, until this newest install.  The problem is that it happens randomly, so I cannot pinpoint when it is going to crash.  Also, it seems to only happen to a few of the 6 servers that have the new update.  I uninstalled the Anti-Virus on one of the servers that was having problems, and it stopped crashing.

I want to contact Authentium, but I need proof that it is their program that is causing the problems.  Is there some sort of log that I can look at that will show exactly what driver is giving me the problem?  I checked the Event Viewer, and was not able to find such information.

Please help....thanks!
arnold

Do you have DFS and DFS replication setup on these servers?  Roaming profiles?
Try excluding TEMP from the anti-virus scan on one system that keeps crashing.
rgutwein

ASKER

Hi, thanks for the quick response... what is DFS?
Distributed File System (for shares and data replication).  Are you using roaming profiles?
http://www.microsoft.com/windowsserver2003/technologies/storage/dfs/default.mspx
Hi Arnold,

Thanks for the response...we are not using Roaming profiles.
Hi rgutwein,
Have you checked your "Event Viewer" logs (Application or System) for any Warning or Error messages at the time the servers are crashing?

Vic
Hi younghv,

I checked the Event Viewer, and it looks normal, except for the error message I posted above.  Thanks for the response!
I don't have access to those websites from work, but will check them later.
Please see the following article; it looks like the issue that you are describing:

http://support.microsoft.com/kb/892260/en-us
Also remember to exclude the sysvol and netlogon folders from being scanned by your AV client.
Or maybe temporarily remove the antivirus and then check.
Hi,

Please check the Event Viewer for any errors and provide a snapshot here. Those errors will surely point towards the error.
Hi,

Dump analysis is the formal way to find the culprit. Attach the minidump at any webspace and post the url link here. You can find the minidump at the folder \winnt\minidumps

If you don't have webspace, use free public webspace.

Get public webspace
Use a free service like rapidshare to attach the minidumps and post the URL of the minidumps in this thread.
http://www.rapidshare.de/

cpc2004
Thanks for the response.

I have uploaded all the Minidump files from the two servers that are giving me trouble.  It can be found here:

http://www.box.net/public/btygimej9p


Thanks!


Randy
ASKER CERTIFIED SOLUTION
cpc2004
Hi,

Refer to the debug report of Mini110306-01.dmp.txt; the stack trace has the footprint of css_dvp.  Obviously it is a software error in the anti-virus software.

BugCheck C5, {4, 2, 1, 8089bac3}

Unable to load image \SystemRoot\system32\DRIVERS\css-dvp.sys, Win32 error 2
*** WARNING: Unable to verify timestamp for css-dvp.sys
*** ERROR: Module load completed but symbols could not be loaded for css-dvp.sys
Probably caused by : css-dvp.sys ( css_dvp+13969 )
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: 00000004, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: 8089bac3, address which referenced memory

Debugging Details:
------------------
BUGCHECK_STR:  0xC5_2
CURRENT_IRQL:  2

FAULTING_IP:
nt!ExAllocatePoolWithTag+83f
8089bac3 897004          mov     dword ptr [eax+4],esi

CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
PROCESS_NAME:  userinit.exe

TRAP_FRAME:  ba5ca5a0 -- (.trap ffffffffba5ca5a0)
.trap ffffffffba5ca5a0
ErrCode = 00000002
eax=00000000 ebx=808b75c0 ecx=808b9140 edx=00000004 esi=808b7618 edi=88970e70
eip=8089bac3 esp=ba5ca614 ebp=ba5ca650 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!ExAllocatePoolWithTag+0x83f:
8089bac3 897004          mov     dword ptr [eax+4],esi ds:0023:00000004=????????
.trap
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8089bac3 to 80837ed5

STACK_TEXT:  
ba5ca5a0 8089bac3 badb0d00 00000004 f7727568 nt!KiTrap0E+0x2a7
ba5ca650 b9694969 00000000 00000000 206b6444 nt!ExAllocatePoolWithTag+0x83f
WARNING: Stack unwind information not available. Following frames may be wrong.
ba5ca68c b9697e23 00000012 b96bfc4a 00000012 css_dvp+0x13969
ba5ca76c 8089c622 888f3838 00000000 ba5ca7ac css_dvp+0x16e23
ba5ca77c b96949f6 888f3838 0000013c 00000000 nt!ExFreePool+0xf
ba5ca7ac b9728e78 b9728eb8 89350b26 89de6079 css_dvp+0x139f6
ba5ca7b0 b9728eb8 89350b26 89de6079 00000000 css_dvp+0xa7e78
ba5ca7b4 89350b26 89de6079 00000000 0000003e css_dvp+0xa7eb8
ba5ca7b8 89de6079 00000000 0000003e 888f3842 0x89350b26
ba5ca7bc 00000000 0000003e 888f3842 000000ed 0x89de6079

STACK_COMMAND:  kb

FOLLOWUP_IP:
css_dvp+13969
b9694969 ??              ???

SYMBOL_STACK_INDEX:  2
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: css_dvp
IMAGE_NAME:  css-dvp.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  4484781c
SYMBOL_NAME:  css_dvp+13969
FAILURE_BUCKET_ID:  0xC5_2_css_dvp+13969
BUCKET_ID:  0xC5_2_css_dvp+13969
Thank you so much!  What software did you use to debug those Mini-dump files?  Also, how would I go about resolving this issue?

Thanks again!
Hi,

I use Microsoft WinDbg to format the minidump.

Refer to the following webpage for basic minidump analysis.
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=4981

However, the minidump is easy to format, but it is difficult to interpret the debug report.

cpc2004
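The two steps cpc2004 describes above, formatting each minidump with the Microsoft debugger and then reading the `!analyze -v` report for the third-party driver on the stack, can be scripted when there are several dumps from several servers, which is the situation in this thread. The script below is an added example and is not cpc2004's, Authentium's or Experts Exchange's code. It assumes `cdb.exe` from the Debugging Tools for Windows is on PATH, that the `.dmp` files have been copied into one folder, and that a symbol path is reachable; the parsing and blame logic is pure Python and is exercised on a constructed report copied, in abbreviated form, from the one posted above. The small allowlist of Microsoft kernel modules and the set of pool-corruption bugcheck codes are assumptions chosen for the example.

```python
"""Batch triage of kernel minidumps using cdb's '!analyze -v' output.

Added example for this thread, not the original poster's or the vendor's code.
Assumes cdb.exe (Debugging Tools for Windows) is on PATH and that the dumps
have been copied to one folder.  The parsing part needs neither and is
exercised on SAMPLE_REPORT, a constructed excerpt of the report quoted above.
"""
import re
import shutil
import subprocess
import sys
from collections import Counter
from pathlib import Path

# Constructed sample: an abbreviated copy of the !analyze -v report in the thread.
SAMPLE_REPORT = """\
BugCheck C5, {4, 2, 1, 8089bac3}
Probably caused by : css-dvp.sys ( css_dvp+13969 )
DRIVER_CORRUPTED_EXPOOL (c5)
PROCESS_NAME:  userinit.exe
STACK_TEXT:
ba5ca5a0 8089bac3 badb0d00 00000004 f7727568 nt!KiTrap0E+0x2a7
ba5ca650 b9694969 00000000 00000000 206b6444 nt!ExAllocatePoolWithTag+0x83f
WARNING: Stack unwind information not available. Following frames may be wrong.
ba5ca68c b9697e23 00000012 b96bfc4a 00000012 css_dvp+0x13969
ba5ca76c 8089c622 888f3838 00000000 ba5ca7ac css_dvp+0x16e23
ba5ca77c b96949f6 888f3838 0000013c 00000000 nt!ExFreePool+0xf
ba5ca7ac b9728e78 b9728eb8 89350b26 89de6079 css_dvp+0x139f6
ba5ca7b8 89de6079 00000000 0000003e 888f3842 0x89350b26
MODULE_NAME: css_dvp
IMAGE_NAME:  css-dvp.sys
FAILURE_BUCKET_ID:  0xC5_2_css_dvp+13969
"""

BUGCHECK_RE = re.compile(r"^BugCheck\s+([0-9A-Fa-f]+),\s*\{([^}]*)\}", re.M)
PROBABLY_RE = re.compile(r"^Probably caused by\s*:\s*(\S+)", re.M)
FIELD_RE = re.compile(
    r"^(PROCESS_NAME|MODULE_NAME|IMAGE_NAME|FAILURE_BUCKET_ID):\s*(\S+)", re.M)
# One 32-bit 'kb' frame: ChildEBP RetAddr Args-to-child(3) Symbol
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)", re.M)

# Assumed allowlist of Microsoft's own kernel modules; extend as needed.
MS_MODULES = {"nt", "hal", "ntoskrnl", "ntkrnlpa", "win32k", "fltmgr", "ntfs"}
# Pool-corruption bugchecks: the trap fires inside the kernel allocator, so the
# analyzer may name the victim (nt) rather than the driver that corrupted pool.
POOL_CORRUPTION_CODES = {"C5", "19", "C2"}  # DRIVER_CORRUPTED_EXPOOL, BAD_POOL_HEADER, BAD_POOL_CALLER


def parse_report(text):
    """Extract the fields a triage needs from one '!analyze -v' report."""
    info = {"bugcheck": None, "args": [], "probably_caused_by": None,
            "process_name": None, "module_name": None, "image_name": None,
            "failure_bucket_id": None, "frames": []}
    m = BUGCHECK_RE.search(text)
    if m:
        info["bugcheck"] = m.group(1).upper()
        info["args"] = [a.strip() for a in m.group(2).split(",")]
    m = PROBABLY_RE.search(text)
    if m:
        info["probably_caused_by"] = m.group(1)
    for key, val in FIELD_RE.findall(text):
        info[key.lower()] = val
    info["frames"] = FRAME_RE.findall(text)
    return info


def module_of(frame):
    """'nt!ExFreePool+0xf' -> 'nt'; 'css_dvp+0x13969' -> 'css_dvp'; raw address -> None."""
    if frame.startswith("0x"):
        return None
    return re.split(r"[!+]", frame, maxsplit=1)[0]


def suspect_modules(info):
    """Non-Microsoft modules on the stack, most frequent first."""
    counts = Counter(mod for mod in map(module_of, info["frames"])
                     if mod and mod.lower() not in MS_MODULES)
    return [mod for mod, _ in counts.most_common()]


def blame(info):
    """Module to take to the vendor.  For pool-corruption codes, distrust an
    analyzer verdict that names a Microsoft module and use the stack instead."""
    picked = info["probably_caused_by"]
    picked_is_ms = picked is not None and picked.rsplit(".", 1)[0].lower() in MS_MODULES
    if picked and not (picked_is_ms and info["bugcheck"] in POOL_CORRUPTION_CODES):
        return picked
    suspects = suspect_modules(info)
    return suspects[0] if suspects else picked


def cdb_command(dump, symbol_path=r"srv*C:\symbols*https://msdl.microsoft.com/download/symbols"):
    """cdb command line that runs !analyze -v on a dump and quits."""
    return ["cdb", "-z", str(dump), "-y", symbol_path, "-c", "!analyze -v; q"]


def triage(reports):
    """reports: {dump name: report text}.  Count how many dumps blame each module."""
    return Counter(blame(parse_report(text)) for text in reports.values())


if __name__ == "__main__":
    folder = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if folder and shutil.which("cdb"):
        reports = {d.name: subprocess.run(cdb_command(d), capture_output=True, text=True,
                                          errors="replace", timeout=600).stdout
                   for d in sorted(folder.glob("*.dmp"))}
    else:  # no debugger available: show the logic on the constructed sample
        reports = {"Mini110306-01.dmp": SAMPLE_REPORT}
    for module, count in triage(reports).most_common():
        print(f"{count:3d} dump(s) blame {module}")
```

Run it as `python triage_dumps.py C:\dumps` on a machine with the debugging tools installed; without them it falls back to the sample report. The tally of which module each dump blames, together with the per-dump FAILURE_BUCKET_ID, is the kind of evidence the asker wanted to hand to the vendor: several dumps from different servers that all land in the same third-party driver at the same offset is much stronger than one report.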