We help IT Professionals succeed at work.

Windows Server 2003 0x00000035 random server reboots

Medium Priority
Last Modified: 2013-12-09
I am trying to get a handle on an odd issue I am experiencing with our DFS folders and Symantec AV.
If we copy from \\domain\dfs\share1 to \\domain\dfs\share2 everything works without issue. If however we move data between the same folders the server instantly reboots.


The following are two excerts from mini dumps we recovered after the server reboots


This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(c8c.1258): Access violation - code c0000005 (first/second chance not available)
eax=00000001 ebx=00000000 ecx=01bf5648 edx=69583548 esi=01bd72b0 edi=80090006
eip=65930a03 esp=06ddf7b8 ebp=06ddff40 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
Unable to load image D:\program files\sav\SymProtectStorage.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SymProtectStorage.dll
*** ERROR: Module load completed but symbols could not be loaded for SymProtectStorage.dll



*** WARNING: Unable to verify timestamp for mssmbios.sys
Unable to load image fltmgr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for fltmgr.sys
Unable to load image \??\C:\Program Files\Symantec\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Unable to load image Mup.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Mup.sys
Probably caused by : SYMEVENT.SYS ( SYMEVENT+7652 )

Occasionally after the reboot we received a stop code 0x00000035 which a quick google points us at Microsoft KB http://support.microsoft.com/kb/906866
Having made the changes and reboot we still get the same error messages. We tried to disable all Symantec services however this still caused the same error.
Any advice anyone has on this would be greatly appreciated as its causing us a number of issues when we are working on the network.

Posting this to the Symantec forums was useless and I really need to try and get some understanding as to why this happns on my network.
Watch Question

First Symantec is crap.  I say this because of experience with it in my data center and client data centers.
It locked up all my servers which was tracked down because the program causes a memory leak and eventually locks the machine.
I would suggest trying to stop all services related to Symantec and test to see if reboots still occur.


Ryansoto - that isnt really a constructive comment. Symantec works for the most part without issue. The problems are, i believe, based around the permissions and linking into different aspects of the drivers.
Senior IT Consultant
Make sure you have the latest version of Symantec AV installed, along with their driver file SYMEVENT.SYS updated.
hope this helps.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts


Hi Admin3k,

Thanks for the advice - We have updated Symevent on all the servers and im trying to find some time to test but unfortunately my client is 24x7x365 so arranging downtime for the servers can be tricky!


Having had no planned window of maintenance I have had the same issue again.

Logged in as Administrator renaming \\domain.local\dfs\LonProfiles\<username> to \\domain.local\dfs\LonProfiles\<username>_old crashed the server and it rebooted

so...you dont know if symantec is the problem or not?
My advice is to force the removal of symatec. assuming this is a client and not the symantec server.
This should speed up your troubleshooting time by narrowing down if sav is causing the issue.
download cleanwipe from the following location.
follow the steps to raname the file from .txt to .exe
test and post back

any updates?


Hi Jimmy

sorry for the lack of reply.

Servers had been behaving pretty well recently (maybe we just werent copying much around or had got used to how to move data without tempting fate) until another engineer came in and unknowingly deleted a profile caused one of the dfs servers to reboot.

Unfortunately as most of the servers are the only server on each site they are also running Symantec Server for that site so removal of the whole server isnt top of my todo list at the moment.

I do have one server (the hub for all DFS traffic) that I am going to look at removing SAV off at some point.

I am also toying with the process of upgrading from SAV10.2 to SEP 11 and see if that fixes my issues just need to plan this for 7 sites

i would recomend post ponning the upgrade to sep11 until you have tested and installed the latest MR and MPs.
But you can go ahead and close the question if you would like and request a refund


That's a good thought to patch the servers - the big issue i have is scheduling the relevant downtime on the network. its very much a "fix the problem but you cant do it out of hours because we cant organise paying you in time and we cant do it in hours because people need to work on the systems"
Mohamed OsamaSenior IT Consultant

I also think it will turn out to be Symantec related, not to bash any product or vendors, but I actively encourage my clients to avoid Symantec products if possible, especially with complex setups &  critical servers.
also not to be mentioning the obvious,  DFS best practices


Finally convinced work to go for SEP as we had to renew our license this week. Will be looking to deploy this in the next couple of weeks.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.