Windows Server 2003 0x00000035 random server reboots

Posted on 2009-02-12
Last Modified: 2013-12-09
I am trying to get a handle on an odd issue I am experiencing with our DFS folders and Symantec AV.
If we copy from \\domain\dfs\share1 to \\domain\dfs\share2 everything works without issue. If however we move data between the same folders the server instantly reboots.


The following are two excerts from mini dumps we recovered after the server reboots


This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(c8c.1258): Access violation - code c0000005 (first/second chance not available)
eax=00000001 ebx=00000000 ecx=01bf5648 edx=69583548 esi=01bd72b0 edi=80090006
eip=65930a03 esp=06ddf7b8 ebp=06ddff40 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
Unable to load image D:\program files\sav\SymProtectStorage.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SymProtectStorage.dll
*** ERROR: Module load completed but symbols could not be loaded for SymProtectStorage.dll



*** WARNING: Unable to verify timestamp for mssmbios.sys
Unable to load image fltmgr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for fltmgr.sys
Unable to load image \??\C:\Program Files\Symantec\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Unable to load image Mup.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Mup.sys
Probably caused by : SYMEVENT.SYS ( SYMEVENT+7652 )

Occasionally after the reboot we received a stop code 0x00000035 which a quick google points us at Microsoft KB
Having made the changes and reboot we still get the same error messages. We tried to disable all Symantec services however this still caused the same error.
Any advice anyone has on this would be greatly appreciated as its causing us a number of issues when we are working on the network.

Posting this to the Symantec forums was useless and I really need to try and get some understanding as to why this happns on my network.
Question by:bisleyboy
    LVL 24

    Expert Comment

    First Symantec is crap.  I say this because of experience with it in my data center and client data centers.
    It locked up all my servers which was tracked down because the program causes a memory leak and eventually locks the machine.
    I would suggest trying to stop all services related to Symantec and test to see if reboots still occur.

    Author Comment

    Ryansoto - that isnt really a constructive comment. Symantec works for the most part without issue. The problems are, i believe, based around the permissions and linking into different aspects of the drivers.
    LVL 23

    Accepted Solution

    Make sure you have the latest version of Symantec AV installed, along with their driver file SYMEVENT.SYS updated.
    hope this helps.


    Author Comment

    Hi Admin3k,

    Thanks for the advice - We have updated Symevent on all the servers and im trying to find some time to test but unfortunately my client is 24x7x365 so arranging downtime for the servers can be tricky!

    Author Comment

    Having had no planned window of maintenance I have had the same issue again.

    Logged in as Administrator renaming \\domain.local\dfs\LonProfiles\<username> to \\domain.local\dfs\LonProfiles\<username>_old crashed the server and it rebooted
    LVL 20

    Expert Comment

    by:jimmymcp02 dont know if symantec is the problem or not?
    My advice is to force the removal of symatec. assuming this is a client and not the symantec server.
    This should speed up your troubleshooting time by narrowing down if sav is causing the issue.
    download cleanwipe from the following location.
    follow the steps to raname the file from .txt to .exe
    test and post back
    LVL 20

    Expert Comment

    any updates?

    Author Comment

    Hi Jimmy

    sorry for the lack of reply.

    Servers had been behaving pretty well recently (maybe we just werent copying much around or had got used to how to move data without tempting fate) until another engineer came in and unknowingly deleted a profile caused one of the dfs servers to reboot.

    Unfortunately as most of the servers are the only server on each site they are also running Symantec Server for that site so removal of the whole server isnt top of my todo list at the moment.

    I do have one server (the hub for all DFS traffic) that I am going to look at removing SAV off at some point.

    I am also toying with the process of upgrading from SAV10.2 to SEP 11 and see if that fixes my issues just need to plan this for 7 sites
    LVL 20

    Expert Comment

    i would recomend post ponning the upgrade to sep11 until you have tested and installed the latest MR and MPs.
    But you can go ahead and close the question if you would like and request a refund

    Author Comment

    That's a good thought to patch the servers - the big issue i have is scheduling the relevant downtime on the network. its very much a "fix the problem but you cant do it out of hours because we cant organise paying you in time and we cant do it in hours because people need to work on the systems"
    LVL 23

    Expert Comment

    I also think it will turn out to be Symantec related, not to bash any product or vendors, but I actively encourage my clients to avoid Symantec products if possible, especially with complex setups &  critical servers.
    also not to be mentioning the obvious,  DFS best practices


    Author Closing Comment

    Finally convinced work to go for SEP as we had to renew our license this week. Will be looking to deploy this in the next couple of weeks.

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    HOW TO REMOTELY CLEAN MEROND.O WITH ESET SILENTLY PROBLEM       If you have the fortunate luck to contract the Merond.O virus on your network, it can be quite troublesome to remove as it propagates to network shares on your network. In my case, the …
    A quick step-by-step overview of installing and configuring Carbonite Server Backup.
    Hi everyone! This is Experts Exchange customer support.  This quick video will show you how to change your primary email address.  If you have any questions, then please Write a Comment below!
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    17 Experts available now in Live!

    Get 1:1 Help Now