Solved

sbs 2003 server rebooted with error: event id 1003

Posted on 2008-10-04
Last Modified: 2012-06-27
2003 SBS server SP2 rebooted with error: event id 1003, Error code 000000c2, parameter1 00000007, parameter2 0000121a, parameter3 0205000d, parameter4 893064b0.
Disk seems to be OK, no system errors before the crash.
Asking for help to find the reason.
Is it safe to use verifier.exe? I do not like it because it needs a reboot, which I prefer to avoid.
Attaching the dmp file is not allowed.
Question by:gilsolutions
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22642416
Our troubleshooting hands are pretty much tied without a minidump. There are articles that might be able to help:
Example:
http://support.microsoft.com/kb/890756

A minidump will help us get to the root of the problem quicker.
0
 
LVL 4

Expert Comment

by:asrdias
ID: 22642930
A minidump would help a lot in providing you the best help possible.
0
 

Author Comment

by:gilsolutions
ID: 22643540
I renamed the file to .doc and attached it.
Mini100408-01.doc
0
 
LVL 4

Expert Comment

by:asrdias
ID: 22644285
Here's a summary:

5: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000121a, (reserved)
Arg3: 0205000d, Memory contents of the pool block
Arg4: 893064b0, Address of the block of pool being deallocated

Debugging Details:
------------------

Failed calling InternetOpenUrl, GLE=12007



POOL_ADDRESS:  893064b0

FREED_POOL_TAG:  VsDi

BUGCHECK_STR:  0xc2_7_VsDi

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME:  VProSvc.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63

STACK_TEXT:  
9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fb88 f72261c9 8a0a3c58 c000000d 8a2caa10 SymSnap+0x25f7
9be2fbbc f722134d 00000000 00083f94 00000000 SymSnap+0xa1c9
9be2fc24 f7224644 8a2caa10 882c8998 882c8998 SymSnap+0x534d
9be2fc50 808f5437 882c8a08 88fe7930 882c8998 SymSnap+0x8644
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
9be2fd00 808eed08 000007a4 00000000 00000000 nt!IopXxxControlFile+0x5e5
9be2fd34 8088978c 000007a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9be2fd34 7c8285ec 000007a4 00000000 00000000 nt!KiFastCallEntry+0xfc
01b7e9c8 00000000 00000000 00000000 00000000 0x7c8285ec


STACK_COMMAND:  kb

FOLLOWUP_IP:
SymSnap+23ff
f721e3ff ??              ???

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  SymSnap+23ff

FOLLOWUP_NAME:  wintriag

MODULE_NAME: SymSnap

IMAGE_NAME:  SymSnap.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4563564c

FAILURE_BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

Followup: wintriag
---------

5: kd> lmvm SymSnap
start    end        module name
f721c000 f72319a0   SymSnap  T (no symbols)          
    Loaded symbol image file: SymSnap.sys
    Image path: SymSnap.sys
    Image name: SymSnap.sys
    Timestamp:        Tue Nov 21 19:41:00 2006 (4563564C)
    CheckSum:         000253C8
    ImageSize:        000159A0
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0





The SymSnap module calls nt!ExFreePool and then nt!ExFreePool calls nt!ExFreePoolWithTag, causing the crash.
The initial call comes from SymSnap.

In summary, update SymSnap.sys or contact the support from the OEM providing that driver.

0
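The manual triage in the answer above (bugcheck code, Arg1, freed pool tag, first third-party frame on the stack) can be scripted over saved `!analyze -v` text. This is an added example, not code from the thread; the input is a trimmed excerpt of the output posted above, and the function names and the set of modules treated as OS code are assumptions.

```python
import re

# Excerpt of the `!analyze -v` output posted in this thread (trimmed).
SAMPLE = """\
BAD_POOL_CALLER (c2)
Arg1: 00000007, Attempt to free pool which was already freed
FREED_POOL_TAG:  VsDi
PROCESS_NAME:  VProSvc.exe
STACK_TEXT:
9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fb88 f72261c9 8a0a3c58 c000000d 8a2caa10 SymSnap+0x25f7
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
9be2fd34 8088978c 000007a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
"""

# One `kb` stack line on a 32-bit target: ChildEBP, RetAddr, three args, symbol.
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(\S+)$")
KERNEL = {"nt", "hal"}  # assumption: modules treated as OS code, not third party

def field(text, key):
    m = re.search(rf"^{re.escape(key)}:\s+(\S+)", text, re.M)
    return m.group(1) if m else None

def triage(text):
    """Summarise a bugcheck: code, double-free flag, pool tag, first non-OS frame."""
    head = re.search(r"^(\w+) \(([0-9a-f]+)\)$", text, re.M)
    arg1 = re.search(r"^Arg1: ([0-9a-f]+)", text, re.M)
    frames, after_warning = [], False
    for line in text.splitlines():
        if line.startswith("WARNING: Stack unwind"):
            after_warning = True  # frames below were unwound without symbols
        m = FRAME.match(line.strip())
        if m:
            module = m.group(1).split("!")[0].split("+")[0]
            frames.append((module, m.group(1), after_warning))
    suspect = next((f for f in frames if f[0] not in KERNEL), None)
    code = int(head.group(2), 16) if head else None
    return {
        "bugcheck": (head.group(1), code) if head else None,
        "double_free": code == 0xC2 and bool(arg1) and int(arg1.group(1), 16) == 7,
        "pool_tag": field(text, "FREED_POOL_TAG"),
        "process": field(text, "PROCESS_NAME"),
        "frames": frames,
        "suspect": suspect,  # (module, symbol, low_confidence)
    }
```

The third element of `suspect` is true when the frame sits below the debugger's unwind warning, which is the case for every SymSnap frame here because no symbols were loaded for that driver.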
 
LVL 38

Accepted Solution

by:
ChiefIT earned 500 total points
ID: 22648111
So, I was looking at this:
http://forum.storagecraft.com/Community/forums/p/239/885.aspx

Your problem is between Symantec AV (symsnap.sys) and Norton Ghost (VProSvc.exe). They are competing for non-page pool space and causing a memory leak. Now, what to do? So, I have to ask myself, why would two Norton products fight with one another?

It is my opinion that Norton Ghost is being compromised by a virus. As Norton Ghost is trying to reinstall the virus from ghosted data, Norton (Symantec) AV is trying to remove it. After doing battle with one another, they fail in non-page pool memory and you get a BSOD.

Temporarily disable Norton Ghost and do a HijackThis. Post the HijackThis log onto this site and see if you have SMITFRAUD and/or TROJAN GENERIC on your server. If so, you will have to clean this and any system restore type utilities or your ghosted image.

Run a HijackThis and post it on this website:
**HijackThis download site:
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

**Then, you can copy and paste your results on this page to evaluate it automatically for you:
http://www.hijackthis.de/index.php?langselect=english#anl

0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22648163
Another test is to use poolmon and watch what services are increasing in usage.
0
 

Author Comment

by:gilsolutions
ID: 22656730
Thanks for the advice.
The vprosvc service here is not of Ghost but of "Symantec Backup Exec System Recovery" v.6/54(BESR), which, in fact, is a Ghost-like application.
I ran the HijackThis as advised and enclose the log here. I could stop the BESR service but not the vprosvc before running the test.
I cannot see anything wrong in this log. Can you? The only change on this server relevant to the issue was an upgrade of the Symantec Mail Security about 2 months ago. The BESR has been running for more than 2 years on this server.
hijackthis.log
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22657639
You are correct, the hijack this log seems clean:

I had to convey with my favorite link that helps me troubleshoot stop errors:
Pages 46-48 will be what you want to look at:
http://hidev.com/files/2003_STP.pdf

parameter 1 = 0x07
parameter 2 = Reserved  
parameter 3 = Pool header contents  
parameter 4 = Address of the block of pool being freed  

Cause of the error: The current thread attempted to free the pool, which was already freed.

Since Symantec is trying to free the space, it may be trying to clean a virus in memory that isn't there.

I don't see why disabling Symantec AV and running verifier would hurt anything.
0
 

Author Comment

by:gilsolutions
ID: 22657791
What do you mean by disabling Symantec AV and running verifier? Leave the server without AV protection?
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22657853
Disabling the AV is only temporary:

Symantec is trying to free that memory area and it is already freed. Running verifier.exe should look at that address block that was already freed and might fix the issue. With Symantec temporarily out of the way, it might resolve the issue.

0
 

Author Comment

by:gilsolutions
ID: 22657945
I'm not familiar with the verifier. Which option do you suggest choosing?
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22662312
Go to the Run line and type: verifier

Select "Custom settings" >> "Select individual settings" and enable the top four counters.
Those should be:
Special pool
Pool tracking
IRQL checking
I/O verification

Then select "Automatically select all drivers on this computer".
0
 

Author Comment

by:gilsolutions
ID: 22662807
Thanks,
As it demands a reboot, I will be able to do it only on Sunday.
0
 

Author Comment

by:gilsolutions
ID: 22719126
So, I rebooted the server, and got a blue screen at the stage of "preparing computer settings".
What I did was enter safe mode, run the verifier again with standard settings, and reboot - this time successfully.
As to the initial issue - I am still at the same place.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22747517
So, you have the latest versions of video, chipset, AV, and backup software?
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22747526
Another thing we might do is look at the AV logs to see what the AV software is trying to do.
0
 

Author Closing Comment

by:gilsolutions
ID: 31521252
Well, finally, and for more reasons (issue of slow backups), I upgraded the antivirus software. I don't really know for sure that the problem is solved but I think so. It is also possible that the crash was enhanced due to a disk problem (during the period the RAID entered the spare disk into the array). Thanks for the advice.
0
