

sbs 2003 server rebooted with error: event id 1003

Posted on 2008-10-04
Medium Priority
Last Modified: 2012-06-27
2003 SBS server SP2 rebooted with error: event id 1003, Error code 000000c2, parameter1 00000007, parameter2 0000121a, parameter3 0205000d, parameter4 893064b0.
Disk seems to be OK, no system errors before the crash.
Asking for help to find the reason.
Is it safe to use verifier.exe? I do not like it because it needs a reboot, which I prefer to avoid.
Attaching the dmp file is not allowed.
Question by:gilsolutions
LVL 39

Expert Comment

ID: 22642416
Our troubleshooting hands are pretty much tied without a minidump. There are articles that might be able to help:

A minidump will help us get to the root of the problem quicker.

Expert Comment

ID: 22642930
A minidump would help a lot in providing you the best help possible.

Author Comment

ID: 22643540
I renamed the file to .doc and attached it.


Expert Comment

ID: 22644285
Here's a summary:

5: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000121a, (reserved)
Arg3: 0205000d, Memory contents of the pool block
Arg4: 893064b0, Address of the block of pool being deallocated

Debugging Details:

Failed calling InternetOpenUrl, GLE=12007

POOL_ADDRESS:  893064b0


BUGCHECK_STR:  0xc2_7_VsDi





LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63

9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fb88 f72261c9 8a0a3c58 c000000d 8a2caa10 SymSnap+0x25f7
9be2fbbc f722134d 00000000 00083f94 00000000 SymSnap+0xa1c9
9be2fc24 f7224644 8a2caa10 882c8998 882c8998 SymSnap+0x534d
9be2fc50 808f5437 882c8a08 88fe7930 882c8998 SymSnap+0x8644
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
9be2fd00 808eed08 000007a4 00000000 00000000 nt!IopXxxControlFile+0x5e5
9be2fd34 8088978c 000007a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9be2fd34 7c8285ec 000007a4 00000000 00000000 nt!KiFastCallEntry+0xfc
01b7e9c8 00000000 00000000 00000000 00000000 0x7c8285ec


f721e3ff ??              ???


SYMBOL_NAME:  SymSnap+23ff

FOLLOWUP_NAME:  wintriag


IMAGE_NAME:  SymSnap.sys


FAILURE_BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

Followup: wintriag

5: kd> lmvm SymSnap
start    end        module name
f721c000 f72319a0   SymSnap  T (no symbols)          
    Loaded symbol image file: SymSnap.sys
    Image path: SymSnap.sys
    Image name: SymSnap.sys
    Timestamp:        Tue Nov 21 19:41:00 2006 (4563564C)
    CheckSum:         000253C8
    ImageSize:        000159A0
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0

The SymSnap module calls nt!ExFreePool, and then nt!ExFreePool calls nt!ExFreePoolWithTag, causing the crash.
The initial call comes from SymSnap.

In summary, update SymSnap.sys or contact support at the OEM providing that driver.
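
Added example, not part of the original thread: a Python sketch of the triage done by hand above, decoding the Event ID 1003 parameters and picking the first stack frame outside the OS modules. The sample text is constructed from values quoted in this thread; the function names and the `OS_MODULES` list are assumptions of this example.

```python
import re

# Constructed sample input: values copied from the event text and stack in this thread.
EVENT_TEXT = ("Error code 000000c2, parameter1 00000007, parameter2 0000121a, "
              "parameter3 0205000d, parameter4 893064b0.")
STACK_TEXT = """\
9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fb88 f72261c9 8a0a3c58 c000000d 8a2caa10 SymSnap+0x25f7
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
"""

# Only the 0xC2 sub-type discussed on this page is decoded here.
C2_SUBTYPES = {0x07: "attempt to free pool which was already freed"}
# Modules treated as part of the OS (assumption of this example).
OS_MODULES = ("nt", "hal")
# Five hex columns, then module[!symbol]+0xoffset.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\w+)(?:!(\w+))?\+0x([0-9a-f]+)$", re.I | re.M)

def parse_event_1003(text):
    """Return (bugcheck_code, [p1..p4]) from an Event ID 1003 message."""
    code = int(re.search(r"Error code ([0-9a-f]{8})", text, re.I).group(1), 16)
    params = [int(v, 16) for v in re.findall(r"parameter\d ([0-9a-f]{8})", text, re.I)]
    return code, params

def frames(stack_text):
    """Yield (module, symbol_or_None, offset) for every frame that names a module."""
    for m in FRAME.finditer(stack_text):
        yield m.group(1), m.group(2), int(m.group(3), 16)

def first_non_os_frame(stack_text):
    """First caller outside the OS modules, i.e. who asked the kernel to free the block."""
    for module, _symbol, offset in frames(stack_text):
        if module.lower() not in OS_MODULES:
            return f"{module}+{offset:x}"
    return None

def triage(event_text, stack_text):
    """Combine the decoded bugcheck parameters with the suspect frame."""
    code, params = parse_event_1003(event_text)
    reason = C2_SUBTYPES.get(params[0], "sub-type not decoded here") if code == 0xC2 else "not 0xC2"
    return {"bugcheck": f"0x{code:X}", "reason": reason,
            "pool_block": f"{params[3]:08x}", "suspect": first_non_os_frame(stack_text)}

if __name__ == "__main__":
    print(triage(EVENT_TEXT, STACK_TEXT))
```

The debugger had no symbols for the third-party driver and warns that frames below the OS calls may be wrong, so treat the result as the driver to investigate first, not as proof.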

LVL 39

Accepted Solution

ChiefIT earned 1500 total points
ID: 22648111
So, I was looking at this:

Your problem is between Symantec AV (symsnap.sys) and Norton Ghost (VProSvc.exe). They are competing for non-page pool space and causing a memory leak. Now, what to do? So, I have to ask myself, why would two Norton products fight with one another?

It is my opinion that Norton Ghost is being compromised by a virus. As Norton Ghost is trying to reinstall the virus from ghosted data, Norton (Symantec) AV is trying to remove it. After doing battle with one another, they fail in non-page pool memory and you get a BSOD.

Temporarily disable Norton Ghost and do a HijackThis. Post the HijackThis log onto this site and see if you have SMITFRAUD and/or TROJAN GENERIC on your server. If so, you will have to clean this and any system restore type utilities or your ghosted image.

Run a HijackThis and post it on this website:
**HijackThis download site:

**Then, you can copy and paste your results on this page to evaluate it automatically for you:

LVL 39

Expert Comment

ID: 22648163
Another test is to use poolmon and watch what services are increasing in usage.

Author Comment

ID: 22656730
Thanks for the advice.
The vprosvc service here is not from Ghost but from "Symantec BackupExec System Recovery" v.6/54 (BESR), which, in fact, is a Ghost-like application.
I ran HijackThis as advised and enclose the log here. I could stop the BESR service but not the vprosvc before running the test.
I cannot see anything wrong in this log. Can you? The only change on this server relevant to the issue was an upgrade of Symantec Mail Security about 2 months ago. BESR has been running for more than 2 years on this server.
LVL 39

Expert Comment

ID: 22657639
You are correct, the HijackThis log seems clean:

I had to convey with my favorite link that helps me troubleshoot stop errors:
Pages 46-48 will be what you want to look at:

parameter 1 = 0x07
parameter 2 = Reserved  
parameter 3 = Pool header contents  
parameter 4 = Address of the block of pool being freed  

Cause of the error: The current thread attempted to free the pool, which was already freed.

Since Symantec is trying to free the space, it may be trying to clean a virus in memory that isn't there.

I don't see why disabling Symantec AV and running verifier would hurt anything.

Author Comment

ID: 22657791
What do you mean by disabling Symantec AV and running verifier? Leave the server without AV protection?
LVL 39

Expert Comment

ID: 22657853
Disabling the AV is only temporary:

Symantec is trying to free that memory area and it is already freed. Running Verifier.exe should look at that address block that was already freed and might fix the issue. With Symantec temporarily out of the way, it might resolve the issue.


Author Comment

ID: 22657945
I'm not familiar with the verifier. Which option do you suggest choosing?
LVL 39

Expert Comment

ID: 22662312
Go to the Run line and type: verifier

Select "Custom settings" >> "Select individual settings" >> and enable the top four counters.
Those should be:
Special pool
Pool tracking
IRQL checking
I/O verification

Then select "Automatically select all drivers on this computer".

Author Comment

ID: 22662807
As it demands a reboot, I will be able to do it only on Sunday.

Author Comment

ID: 22719126
So, I rebooted the server, and got a blue screen at the stage of "preparing computer settings".
What I did was enter safe mode, run the verifier again with standard settings, and reboot, this time successfully.
As to the initial issue, I am still at the same place.
LVL 39

Expert Comment

ID: 22747517
So, you have the latest versions of video, chipset, AV, and backup software?
LVL 39

Expert Comment

ID: 22747526
Another thing we might do is look at the AV logs to see what the AV software is trying to do.

Author Closing Comment

ID: 31521252
Well, finally, and for more reasons (issue of slow backups), I upgraded the anti-virus software. I don't really know for sure that the problem is solved but I think so. It is also possible that the crash was enhanced due to a disk problem (during the period the RAID entered the spare disk into the array). Thanks for the advice.
