• Status: Solved
  • Priority: Medium
  • Security: Public

SBS 2003 server rebooted with error: event ID 1003

2003 SBS server SP2 rebooted with error: event ID 1003, error code 000000c2, parameter1 00000007, parameter2 0000121a, parameter3 0205000d, parameter4 893064b0.
Disk seems to be OK, no system errors before the crash.
Asking for help to find the reason.
Is it safe to use verifier.exe? I do not like it because it needs a reboot, which I prefer to avoid.
Attaching the dmp file is not allowed.
Our troubleshooting hands are pretty much tied without a minidump. There are articles that might be able to help:

A minidump will help us get to the root of the problem quicker.
A minidump would help a lot providing you the best help possible.
gilsolutions (Author) Commented:
I renamed the file to .doc and attached it.

Here's a summary:

5: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000121a, (reserved)
Arg3: 0205000d, Memory contents of the pool block
Arg4: 893064b0, Address of the block of pool being deallocated

Debugging Details:

Failed calling InternetOpenUrl, GLE=12007

POOL_ADDRESS:  893064b0


BUGCHECK_STR:  0xc2_7_VsDi





LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63

9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fb88 f72261c9 8a0a3c58 c000000d 8a2caa10 SymSnap+0x25f7
9be2fbbc f722134d 00000000 00083f94 00000000 SymSnap+0xa1c9
9be2fc24 f7224644 8a2caa10 882c8998 882c8998 SymSnap+0x534d
9be2fc50 808f5437 882c8a08 88fe7930 882c8998 SymSnap+0x8644
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
9be2fd00 808eed08 000007a4 00000000 00000000 nt!IopXxxControlFile+0x5e5
9be2fd34 8088978c 000007a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9be2fd34 7c8285ec 000007a4 00000000 00000000 nt!KiFastCallEntry+0xfc
01b7e9c8 00000000 00000000 00000000 00000000 0x7c8285ec


f721e3ff ??              ???


SYMBOL_NAME:  SymSnap+23ff

FOLLOWUP_NAME:  wintriag


IMAGE_NAME:  SymSnap.sys


FAILURE_BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

Followup: wintriag

5: kd> lmvm SymSnap
start    end        module name
f721c000 f72319a0   SymSnap  T (no symbols)          
    Loaded symbol image file: SymSnap.sys
    Image path: SymSnap.sys
    Image name: SymSnap.sys
    Timestamp:        Tue Nov 21 19:41:00 2006 (4563564C)
    CheckSum:         000253C8
    ImageSize:        000159A0
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

The SymSnap module calls nt!ExFreePool, and then nt!ExFreePool calls nt!ExFreePoolWithTag, causing the crash.
The initial call comes from SymSnap.

In summary, update SymSnap.sys or contact support at the OEM providing that driver.
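The attribution step in the analysis above, as an added example that is not part of the original post: the frames below the unwind warning are only guesses, but the return address recorded in the nt!ExFreePool frame sits above the warning and can be mapped against the module range from lmvm. The function names are illustrative, the stack sample is copied (trimmed) from the debugger output quoted above, and the column layout is assumed to be the 32-bit kb format (ChildEBP, RetAddr, three arguments, symbol).

```python
import re
from typing import NamedTuple, Optional, Tuple

# Sample input: kb frames and lmvm range copied from the post above (trimmed).
STACK = """\
9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
"""
MODULES = {"SymSnap": (0xF721C000, 0xF72319A0)}  # start, end from lmvm
FREED_BLOCK = 0x893064B0                         # Arg4 of bugcheck 0xC2

class Frame(NamedTuple):
    ret_addr: int   # RetAddr column: where this call returns to
    args: tuple     # first three stack arguments of the call
    symbol: str
    reliable: bool  # False once the debugger warns about unwinding

FRAME_RE = re.compile(r"^((?:[0-9a-f]{8} ){5})(\S+)$")

def parse_frames(text: str) -> list:
    frames, reliable = [], True
    for line in text.splitlines():
        if line.startswith("WARNING: Stack unwind"):
            reliable = False
            continue
        m = FRAME_RE.match(line.strip())
        if m:
            nums = [int(x, 16) for x in m.group(1).split()]
            frames.append(Frame(nums[1], tuple(nums[2:]), m.group(2), reliable))
    return frames

def resolve(addr: int, modules: dict) -> Optional[Tuple[str, int]]:
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name, addr - start
    return None

def caller_of_bad_free(frames, modules, freed_block):
    """Module+offset that called nt!ExFreePool on the already-freed block."""
    for f in frames:
        if f.symbol.startswith("nt!ExFreePool+") and f.args[0] == freed_block:
            return resolve(f.ret_addr, modules)
    return None

if __name__ == "__main__":
    name, off = caller_of_bad_free(parse_frames(STACK), MODULES, FREED_BLOCK)
    print(f"{name}+{off:#x}")
```

The resolved offset agrees with the SYMBOL_NAME line in the debugger output (SymSnap+23ff), so the attribution to SymSnap.sys does not depend on the frames the debugger flagged as possibly wrong.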

So, I was looking at this:

Your problem is between Symantec AV (symsnap.sys) and Norton Ghost (VProSvc.exe). They are competing for non-paged pool space and causing a memory leak. Now, what to do????? So, I have to ask myself, why would two Norton products fight with one another?

It is my opinion that Norton Ghost is being compromised by a virus. As Norton Ghost is trying to reinstall the virus from ghosted data, Norton (Symantec) AV is trying to remove it. After doing battle with one another, they fail in non-paged pool memory and you get a BSOD.

Temporarily disable Norton Ghost and do a HijackThis. Post the HijackThis log onto this site and see if you have SMITFRAUD and/or TROJAN GENERIC on your server. If so, you will have to clean this and any system restore type utilities or your ghosted image.

Run a HijackThis and post it on this website:
**HijackThis download site:

**Then, you can copy and paste your results on this page to evaluate it automatically for you:

Another test is to use poolmon and watch what services are increasing in usage.
gilsolutions (Author) Commented:
Thanks for the advice.
The vprosvc service here is not from Ghost but from "Symantec Backup Exec System Recovery" v.6/54 (BESR), which is, in fact, a Ghost-like application.
I ran HijackThis as advised and enclose the log here. I could stop the BESR service but not vprosvc before running the test.
I cannot see anything wrong in this log. Can you? The only change on this server relevant to the issue was an upgrade of Symantec Mail Security about 2 months ago. BESR has been running for more than 2 years on this server.
You are correct, the HijackThis log seems clean:

I had to convey with my favorite link that helps me troubleshoot stop errors:
Pages 46-48 will be what you want to look at:

parameter 1 = 0x07
parameter 2 = Reserved  
parameter 3 = Pool header contents  
parameter 4 = Address of the block of pool being freed  

Cause of the error: The current thread attempted to free the pool, which was already freed.

Since Symantec is trying to free the space, it may be trying to clean a virus in memory that isn't there.

I don't see why disabling Symantec AV and running verifier would hurt anything.
gilsolutions (Author) Commented:
What do you mean by disabling Symantec AV and running verifier? Leave the server without AV protection?
Disabling the AV is only temporary:

Symantec is trying to free that memory area and it is already freed. Running verifier.exe should look at that address block that was already freed and might fix the issue. With Symantec temporarily out of the way, it might resolve the issue.

gilsolutions (Author) Commented:
I'm not familiar with the verifier. Which option do you suggest choosing?
Go to the Run line and type: verifier

Select "Custom settings" >> "Select individual settings" and enable the top four counters.
Those should be:
Special pool
Pool tracking
IRQL checking
I/O verification

Then select "Automatically select ALL drivers on this computer".
gilsolutions (Author) Commented:
As it demands a reboot, I will be able to do it only on Sunday.
gilsolutions (Author) Commented:
So, I rebooted the server and got a blue screen at the "preparing computer settings" stage.
What I did was enter safe mode, run the verifier again with standard settings, and reboot - this time successfully.
As to the initial issue - I am still at the same place.
So, you have the latest versions of video, chipset, AV, and backup software?
Another thing we might do is look at the AV logs to see what the AV software is trying to do.
gilsolutions (Author) Commented:
Well, finally, and for more reasons (an issue of slow backups), I upgraded the antivirus software. I don't really know for sure that the problem is solved, but I think so. It is also possible that the crash was enhanced due to a disk problem (during the period the RAID entered the spare disk into the array). Thanks for the advice.
