Solved

sbs 2003 server rebooted with error: event id 1003

Posted on 2008-10-04
Last Modified: 2012-06-27
2003 SBS server SP2 rebooted with error: event id 1003, Error code 000000c2, parameter1 00000007, parameter2 0000121a, parameter3 0205000d, parameter4 893064b0.
Disk seems to be OK, no system errors before the crash.
Asking for help to find the reason.
Is it safe to use verifier.exe? I do not like it because it needs a reboot, which I prefer to avoid.
Attaching the dmp file is not allowed.
Question by:gilsolutions
17 Comments
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22642416
Our troubleshooting hands are pretty much tied without a minidump. There are articles that might be able to help:
Example:
http://support.microsoft.com/kb/890756

A minidump will help us get to the root of the problem quicker.
0
 
LVL 4

Expert Comment

by:asrdias
ID: 22642930
A minidump would help a lot providing you the best help possible.
0
 

Author Comment

by:gilsolutions
ID: 22643540
I renamed the file to .doc and attached it.
Mini100408-01.doc
0
 
LVL 4

Expert Comment

by:asrdias
ID: 22644285
Here's a summary:

5: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_CALLER (c2)
The current thread is making a bad pool request.  Typically this is at a bad IRQL level or double freeing the same allocation, etc.
Arguments:
Arg1: 00000007, Attempt to free pool which was already freed
Arg2: 0000121a, (reserved)
Arg3: 0205000d, Memory contents of the pool block
Arg4: 893064b0, Address of the block of pool being deallocated

Debugging Details:
------------------

Failed calling InternetOpenUrl, GLE=12007



POOL_ADDRESS:  893064b0

FREED_POOL_TAG:  VsDi

BUGCHECK_STR:  0xc2_7_VsDi

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME:  VProSvc.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 808927bb to 80827c63

STACK_TEXT:  
9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fb88 f72261c9 8a0a3c58 c000000d 8a2caa10 SymSnap+0x25f7
9be2fbbc f722134d 00000000 00083f94 00000000 SymSnap+0xa1c9
9be2fc24 f7224644 8a2caa10 882c8998 882c8998 SymSnap+0x534d
9be2fc50 808f5437 882c8a08 88fe7930 882c8998 SymSnap+0x8644
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
9be2fd00 808eed08 000007a4 00000000 00000000 nt!IopXxxControlFile+0x5e5
9be2fd34 8088978c 000007a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9be2fd34 7c8285ec 000007a4 00000000 00000000 nt!KiFastCallEntry+0xfc
01b7e9c8 00000000 00000000 00000000 00000000 0x7c8285ec


STACK_COMMAND:  kb

FOLLOWUP_IP:
SymSnap+23ff
f721e3ff ??              ???

SYMBOL_STACK_INDEX:  3

SYMBOL_NAME:  SymSnap+23ff

FOLLOWUP_NAME:  wintriag

MODULE_NAME: SymSnap

IMAGE_NAME:  SymSnap.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  4563564c

FAILURE_BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

BUCKET_ID:  0xc2_7_VsDi_SymSnap+23ff

Followup: wintriag
---------

5: kd> lmvm SymSnap
start    end        module name
f721c000 f72319a0   SymSnap  T (no symbols)          
    Loaded symbol image file: SymSnap.sys
    Image path: SymSnap.sys
    Image name: SymSnap.sys
    Timestamp:        Tue Nov 21 19:41:00 2006 (4563564C)
    CheckSum:         000253C8
    ImageSize:        000159A0
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0





The SymSnap module calls nt!ExFreePool, and then nt!ExFreePool calls nt!ExFreePoolWithTag, causing the crash.
The initial call comes from SymSnap.

In summary, update SymSnap.sys or contact the support from the OEM providing that driver.

0
 
LVL 39

Accepted Solution

by:
ChiefIT earned 1500 total points
ID: 22648111
So, I was looking at this:
http://forum.storagecraft.com/Community/forums/p/239/885.aspx

Your problem is between Symantec AV (symsnap.sys) and Norton Ghost (VProSvc.exe). They are competing for non-paged pool space and causing a memory leak. Now, what to do? So, I have to ask myself, why would two Norton products fight with one another?

It is my opinion that Norton Ghost is being compromised by a virus. As Norton Ghost is trying to reinstall the virus from ghosted data, Norton (Symantec) AV is trying to remove it. After doing battle with one another, they fail in non-paged pool memory and you get a BSOD.

Temporarily disable Norton Ghost and run HijackThis. Post the HijackThis log onto this site and see if you have SMITFRAUD and/or TROJAN GENERIC on your server. If so, you will have to clean this and any system restore type utilities or your ghosted image.

Run HijackThis and post it on this website:
**HijackThis download site:
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

**Then, you can copy and paste your results on this page to evaluate it automatically for you:
http://www.hijackthis.de/index.php?langselect=english#anl

0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22648163
Another test is to use poolmon and watch what services are increasing in usage.
0
 

Author Comment

by:gilsolutions
ID: 22656730
Thanks for the advice.
The vprosvc service here is not of Ghost but of "Symantec Backup Exec System Recovery" v.6/54(BESR), which, in fact, is a Ghost-like application.
I ran HijackThis as advised and enclose the log here. I could stop the BESR service but not the vprosvc before running the test.
I cannot see anything wrong in this log. Can you? The only change on this server relevant to the issue was an upgrade of the Symantec Mail Security about 2 months ago. The BESR has been running for more than 2 years on this server.
hijackthis.log
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22657639
You are correct, the HijackThis log seems clean:

I had to convey with my favorite link that helps me troubleshoot stop errors:
Pages 46-48 will be what you want to look at:
http://hidev.com/files/2003_STP.pdf

parameter 1 = 0x07
parameter 2 = Reserved  
parameter 3 = Pool header contents  
parameter 4 = Address of the block of pool being freed  

Cause of the error: The current thread attempted to free the pool, which was already freed.

Since Symantec is trying to free the space, it may be trying to clean a virus in memory that isn't there.

I don't see why disabling Symantec AV and running verifier would hurt anything.
0
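An added example, not part of the thread: a small Python triage helper that decodes the Event ID 1003 text from the question with the parameter meanings listed above, and picks the first non-kernel frame out of the STACK_TEXT from the `!analyze -v` summary. The function names, the lookup tables and the `KERNEL_MODULES` set are this example's own assumptions; only the values that appear in this thread are mapped.

```python
import re

# Text and stack frames copied from the thread above (not constructed).
EVENT_TEXT = ("event id 1003, Error code 000000c2, parameter1 00000007, "
              "parameter2 0000121a, parameter3 0205000d, parameter4 893064b0.")
STACK_TEXT = """\
9be2fac0 808927bb 000000c2 00000007 0000121a nt!KeBugCheckEx+0x1b
9be2fb28 80892b6f 893064b0 00000000 9be2fb60 nt!ExFreePoolWithTag+0x477
9be2fb38 f721e3ff 893064b0 f721e896 8a0a3c98 nt!ExFreePool+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
9be2fb60 f721e5f7 8a0a3c58 893064b0 00000001 SymSnap+0x23ff
9be2fc64 808f61bf 8a2b8df8 882c8998 88fe7930 nt!IopSynchronousServiceTail+0x10b
01b7e9c8 00000000 00000000 00000000 00000000 0x7c8285ec
"""

# Only the values that appear in this thread are mapped; anything else is "unlisted".
BUGCHECKS = {0xC2: "BAD_POOL_CALLER"}
C2_ARG1 = {0x07: "attempt to free pool which was already freed"}
KERNEL_MODULES = {"nt", "hal"}  # assumption: treat these as OS-owned frames

EVENT_RE = re.compile(r"Error code\s+([0-9a-f]{8})" +
                      "".join(rf",\s*parameter{i}\s+([0-9a-f]{{8}})" for i in range(1, 5)),
                      re.I)
FRAME_RE = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$", re.I)

def decode_event_1003(text):
    """Turn the Event ID 1003 description into a bug check name and arguments."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("no bug check data in event text")
    code, *args = (int(g, 16) for g in m.groups())
    out = {"code": code, "name": BUGCHECKS.get(code, "unlisted"), "args": args}
    if code == 0xC2:
        out["arg1_meaning"] = C2_ARG1.get(args[0], "unlisted")
        out["pool_block"] = args[3]  # Arg4: address of the block being freed
    return out

def first_non_kernel_frame(stack_text):
    """Return (module, frame) for the first frame outside the kernel, or None."""
    for line in stack_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue  # debugger warnings and blank lines
        mod = re.match(r"([A-Za-z_]\w*)[!+]", m.group(1))
        if mod and mod.group(1) not in KERNEL_MODULES:
            return mod.group(1), m.group(1)
    return None
```
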
 

Author Comment

by:gilsolutions
ID: 22657791
What do you mean by disabling Symantec AV and running verifier? Leave the server without AV protection?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22657853
Disabling the AV is only temporary:

Symantec is trying to free that memory area and it is already freed. Running Verifier.exe should look at that address block that was already freed and might fix the issue. With Symantec temporarily out of the way, it might resolve the issue.

0
 

Author Comment

by:gilsolutions
ID: 22657945
I'm not familiar with the verifier. Which option do you suggest to choose?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22662312
Go to the run line and type: verifier

Select "custom settings" >> "select individual settings" and enable the top four counters.
Those should be:
Special pool
Pool tracking
IRQL checking
I/O verification

Then select "Automatically select ALL drivers on this computer".
0
 

Author Comment

by:gilsolutions
ID: 22662807
Thanks,
As it demands reboot, I will be able to do it only on sunday.
0
 

Author Comment

by:gilsolutions
ID: 22719126
So, I rebooted the server, and got a blue screen at the stage of "preparing computer settings".
What I did was enter safe mode, run the verifier again with standard settings, and reboot - this time successfully.
As to the initial issue - I am still at the same place.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22747517
So, you have the latest versions of video, chipset, AV, and backup software?
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 22747526
Another thing we might do is look at the AV logs to see what the AV software is trying to do.
0
 

Author Closing Comment

by:gilsolutions
ID: 31521252
Well, finally, and for more reasons (issue of slow backups), I upgraded the anti virus software. I don't really know for sure that the problem is solved but I think so. It is also possible that the crash was enhanced due to a disk problem (during the period the raid entered the spare disk to array). Thanks for the advice.
0
