Windows Server 2003 0x00000035 random server reboots

Posted on 2009-02-12
Medium Priority
Last Modified: 2013-12-09
I am trying to get a handle on an odd issue I am experiencing with our DFS folders and Symantec AV.
If we copy from \\domain\dfs\share1 to \\domain\dfs\share2 everything works without issue. If however we move data between the same folders the server instantly reboots.


The following are two excerts from mini dumps we recovered after the server reboots


This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(c8c.1258): Access violation - code c0000005 (first/second chance not available)
eax=00000001 ebx=00000000 ecx=01bf5648 edx=69583548 esi=01bd72b0 edi=80090006
eip=65930a03 esp=06ddf7b8 ebp=06ddff40 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
Unable to load image D:\program files\sav\SymProtectStorage.dll, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SymProtectStorage.dll
*** ERROR: Module load completed but symbols could not be loaded for SymProtectStorage.dll



*** WARNING: Unable to verify timestamp for mssmbios.sys
Unable to load image fltmgr.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for fltmgr.sys
Unable to load image \??\C:\Program Files\Symantec\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Unable to load image Mup.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for Mup.sys
Probably caused by : SYMEVENT.SYS ( SYMEVENT+7652 )

Occasionally after the reboot we received a stop code 0x00000035 which a quick google points us at Microsoft KB http://support.microsoft.com/kb/906866
Having made the changes and reboot we still get the same error messages. We tried to disable all Symantec services however this still caused the same error.
Any advice anyone has on this would be greatly appreciated as its causing us a number of issues when we are working on the network.

Posting this to the Symantec forums was useless and I really need to try and get some understanding as to why this happns on my network.
Question by:bisleyboy
  • 6
  • 3
  • 2
  • +1
LVL 24

Expert Comment

ID: 23622520
First Symantec is crap.  I say this because of experience with it in my data center and client data centers.
It locked up all my servers which was tracked down because the program causes a memory leak and eventually locks the machine.
I would suggest trying to stop all services related to Symantec and test to see if reboots still occur.

Author Comment

ID: 23631561
Ryansoto - that isnt really a constructive comment. Symantec works for the most part without issue. The problems are, i believe, based around the permissions and linking into different aspects of the drivers.
LVL 23

Accepted Solution

Mohamed Osama earned 1500 total points
ID: 23642511
Make sure you have the latest version of Symantec AV installed, along with their driver file SYMEVENT.SYS updated.
hope this helps.


Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.


Author Comment

ID: 23648860
Hi Admin3k,

Thanks for the advice - We have updated Symevent on all the servers and im trying to find some time to test but unfortunately my client is 24x7x365 so arranging downtime for the servers can be tricky!

Author Comment

ID: 23710507
Having had no planned window of maintenance I have had the same issue again.

Logged in as Administrator renaming \\domain.local\dfs\LonProfiles\<username> to \\domain.local\dfs\LonProfiles\<username>_old crashed the server and it rebooted
LVL 20

Expert Comment

ID: 23752052
so...you dont know if symantec is the problem or not?
My advice is to force the removal of symatec. assuming this is a client and not the symantec server.
This should speed up your troubleshooting time by narrowing down if sav is causing the issue.
download cleanwipe from the following location.
follow the steps to raname the file from .txt to .exe
test and post back
LVL 20

Expert Comment

ID: 23769409
any updates?

Author Comment

ID: 24184692
Hi Jimmy

sorry for the lack of reply.

Servers had been behaving pretty well recently (maybe we just werent copying much around or had got used to how to move data without tempting fate) until another engineer came in and unknowingly deleted a profile caused one of the dfs servers to reboot.

Unfortunately as most of the servers are the only server on each site they are also running Symantec Server for that site so removal of the whole server isnt top of my todo list at the moment.

I do have one server (the hub for all DFS traffic) that I am going to look at removing SAV off at some point.

I am also toying with the process of upgrading from SAV10.2 to SEP 11 and see if that fixes my issues just need to plan this for 7 sites
LVL 20

Expert Comment

ID: 24186836
i would recomend post ponning the upgrade to sep11 until you have tested and installed the latest MR and MPs.
But you can go ahead and close the question if you would like and request a refund

Author Comment

ID: 24187195
That's a good thought to patch the servers - the big issue i have is scheduling the relevant downtime on the network. its very much a "fix the problem but you cant do it out of hours because we cant organise paying you in time and we cant do it in hours because people need to work on the systems"
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24188270
I also think it will turn out to be Symantec related, not to bash any product or vendors, but I actively encourage my clients to avoid Symantec products if possible, especially with complex setups &  critical servers.
also not to be mentioning the obvious,  DFS best practices


Author Closing Comment

ID: 31546011
Finally convinced work to go for SEP as we had to renew our license this week. Will be looking to deploy this in the next couple of weeks.

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
Learn about cloud computing and its benefits for small business owners.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question