Solved

Blue Screen Error.....

Posted on 2009-05-15
Last Modified: 2013-11-22
Hi All,
I'm facing a problem regarding the blue screen. I'm using Windows XP and Symantec AV Endpoint.
The problem is this: when I connect the USB to the system, the following blue screen message appears.

STOP: 0x0000008E (0xC0000005, 0xF73D149D, 0xF7285748, 0x00000000)
fltmgr.sys - Address F73D149D base at F73BB000, DateStamp 41107BAD

However, when I disable the AV it works fine and no error appears. Also, it is on the client side and we are using a managed AV.

Can anybody solve this problem ASAP?

Question by:aliwajdan
29 Comments
 
LVL 15

Expert Comment

by:xmachine
Hi,

Which version of Endpoint Protection are you running?

You can find this by opening SEP GUI interface ---> Help & Support ---> About


A Symantec Certified Specialist @ your service
 
LVL 91

Expert Comment

by:nobus
Can you post the minidump? Rename it to ***.txt first.
 
LVL 15

Expert Comment

by:xmachine
I need you to do the following:

1) Run eventvwr.msc and look in the System log for recent errors.

2) Since nobus asked for minidump files, this is how to configure Windows to create them upon BSOD:

Go to the Control Panel and follow these steps:

System Icon
Advanced Tab
Startup and Recovery -> Settings
Enable Write an Event to the system log
Disable Automatically Restart

Select the following debugging information:
Small memory dump (64 KB)
Small Dump Directory : %SystemRoot%\Minidump
Confirm all and restart the computer.

3) Plug the USB in again. If the explorer crashes again, do the following:

A. Zip all files inside (%SystemRoot%\Minidump) and attach it here
B. Go to Event Viewer and save (application) & (system) by right-clicking and choosing "Save Event As". Then attach both of them here
 
LVL 1

Author Comment

by:aliwajdan
I can't post minidump? And I'm using Symantec Endpoint version 11.
 
LVL 15

Expert Comment

by:xmachine
I need the complete version number: 11.0.xxx.xxx

You can find this by opening SEP GUI interface ---> Help & Support ---> About
 
LVL 1

Author Comment

by:aliwajdan
Hi xmachine,
The problem is still there. I attached the files, please see. Can I redo the changes which you suggested?

I'm also trying to attach the zip file but it gives the following error.
The extension of one or more files in the archive is not in the list of allowed extensions: Dump/Application Log.evt
 
LVL 15

Expert Comment

by:xmachine
1) I still need the complete version number please, because some old versions had bugs that are similar to your case.

opening SEP GUI interface ---> Help & Support ---> About

2) Rename the .evt file to .txt, then try uploading it again

3) I can't see any attached file
 
LVL 1

Author Comment

by:aliwajdan
xmachine, sorry, I don't understand the
"opening SEP GUI interface ---> Help & Support ---> About".
What do you want to say?

I attach the file.
Dump.zip
 
LVL 15

Expert Comment

by:xmachine
1) Go to Start > All Programs > Symantec Endpoint Protection

2) Select "Symantec Endpoint Protection"

3) On the right side, select "Help & Support"

4) Select "About"

5) What is the version written there? 11.0.xxx.xxx
 
LVL 1

Author Comment

by:aliwajdan
Hi xmachine

This is the name and detail of the AV "Symantec Endpoint Protection 11.0"
 
LVL 1

Author Comment

by:aliwajdan
This is the name and detail of the AV "Symantec Endpoint Protection 11.0" and the patch is MR4.
 
LVL 15

Expert Comment

by:xmachine
1) Please download and run this tool:

http://www.resplendence.com/whocrashed

http://www.resplendence.com/download/whocrashedSetup.exe

2) Click on Analyze. Once scanning is finished, just copy the results and paste them here. Or take a snapshot and attach it here.
 
LVL 91

Expert Comment

by:nobus
>> I can't post minidump? << Why not? READ my 1st comment on how to do it!
 
LVL 1

Author Comment

by:aliwajdan
Hi xmachine,

Please see the following result after the analysis.


Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\WINDOWS\Minidump

Crash dumps are enabled on your computer.


On Sat 5/16/2009 8:58:32 AM your computer crashed
This was likely caused by the following module: srtsp.sys
Bugcheck code: 0x1000008E (0xC0000005, 0xF73D149D, 0xEE3D1748, 0x0)
Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
file path: C:\WINDOWS\system32\drivers\srtsp.sys
product: AutoProtect
company: Symantec Corporation
description: Symantec AutoProtect



On Fri 5/15/2009 6:26:50 AM your computer crashed
This was likely caused by the following module: srtsp.sys
Bugcheck code: 0x1000008E (0xC0000005, 0xF73D149D, 0xF7285748, 0x0)
Error: KERNEL_MODE_EXCEPTION_NOT_HANDLED_M
file path: C:\WINDOWS\system32\drivers\srtsp.sys
product: AutoProtect
company: Symantec Corporation
description: Symantec AutoProtect




--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

2 crash dumps have been found and analyzed. Note that it's not always possible to state with certainty whether a reported driver is really responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.



 
LVL 15

Expert Comment

by:xmachine
The Application Control driver is potentially causing problems. Can you drop to a command prompt and type the following:

sc config sysplant start= disabled

Then reboot and try connecting the USB again.
 
LVL 15

Expert Comment

by:xmachine
Try installing the latest patch for SEP on the same computer, and see if you still have the problem:

http://seer.support.veritas.com/downloads/export.asp?ddProduct=54619&file=SEP32_2295To26_clientMSPMSI.exe&source=5&url=/public/english_us_canada/products/symantec_endpoint_protection/11.0/updates/&id=57554

Note: This patch upgrades Symantec Endpoint Protection 11.0 MR4 (11.0.4000.2295) 32-bit Clients to version 11.0 MR4 Maintenance Pack 1a (MR4 MP1a).
 
LVL 1

Author Comment

by:aliwajdan
Please tell me, can I change the following values to normal before restarting?

Select the following debugging information:
Small memory dump (64 Kb)
Small Dump Directory : %SystemRoot%\Minidump
Confirm all and restart the computer.
 
LVL 15

Expert Comment

by:xmachine
You can leave them; we may need to get additional dumps.
 
LVL 1

Author Comment

by:aliwajdan
I've run the above Symantec patch and also gave the above command, but the problem still persists.
 
LVL 1

Author Comment

by:aliwajdan
The AV is managed and it's on the client side, meaning it has a server.
 
LVL 15

Expert Comment

by:xmachine
Does this happen on one computer or all?

If it's only a single case, try reinstalling SEP (remove, then install).
 
LVL 12

Expert Comment

by:John Griffith
Hi -
In your 1st post you told us of a BSOD with a bugcheck = 0x8e (0xc0000005,,) = the kernel threw an exception - a memory access violation.
The interesting thing is that the probable cause was not Symantec, but the Microsoft filter mgr driver fltmgr.sys, timestamp = 41107BAD = Aug 2004.
I ran the 2 dumps and Symantec was indeed named as the probable cause, but I don't find it to be the actual cause because of these timestamps found -
  • NT Kernel = March 2005
  • DirectX Graphics kernel = August 2004
  • Windows GUI = April 2003
  • Intel Ethernet = March 2003
I believe the BSODs are being caused by a conflict between a brand new 2009 Symantec installation and an XP OS that has had no Windows Updates since 2005.
Windows Updates need to come in and install.
Your device drivers need to be updated; most appear to be dated 2003-2005 with little exception. Exactly why there have been no Windows Updates in 4+ years, I cannot say at this time.
XP Windows Updates

Regards. . .
jcgriff2
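
Added example (not part of the original thread and not any poster's code): a small Python triage helper that decodes the two lines quoted in the question, showing how the fault address, module offset and the 41107BAD driver timestamp discussed above are read. The function name `triage` and the `crash_day` parameter are assumptions made for illustration; the sample text is constructed from the question.

```python
import re
from datetime import date, datetime, timezone

# Constructed sample: the STOP and driver lines quoted in the question.
SAMPLE = ("STOP: 0x0000008E (0xC0000005, 0xF73D149D, 0xF7285748, 0x00000000)\n"
          "fltmgr.sys - Address F73D149D base at F73BB000, DateStamp 41107BAD")

BUGCHECKS = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED"}
ALIASES = {0x1000008E: 0x8E}  # the "_M" code the dump analysis reported
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

STOP_RE = re.compile(r"(?:STOP|Bugcheck code):\s*(0x[0-9a-f]+)\s*\(([^)]*)\)", re.I)
MOD_RE = re.compile(r"(\S+\.sys)\s*-\s*Address\s+([0-9a-f]+)\s+base at\s+([0-9a-f]+),"
                    r"\s*DateStamp\s+([0-9a-f]+)", re.I)


def triage(text, crash_day=None):
    """Decode a STOP screen; crash_day (a date) enables the driver-age check."""
    stop = STOP_RE.search(text)
    if stop is None:
        raise ValueError("no STOP / Bugcheck line found")
    code = int(stop.group(1), 16)
    code = ALIASES.get(code, code)
    params = [int(p, 16) for p in stop.group(2).split(",")]
    if len(params) != 4:
        raise ValueError("a bug check carries exactly four parameters")
    report = {"bugcheck": BUGCHECKS.get(code, hex(code)), "params": params}
    if code == 0x8E:
        # For 0x8E, parameter 1 is the exception code, parameter 2 the faulting address.
        report["exception"] = NTSTATUS.get(params[0], hex(params[0]))
        report["fault_address"] = params[1]
    mod = MOD_RE.search(text)
    if mod:
        addr, base, stamp = (int(mod.group(i), 16) for i in (2, 3, 4))
        # DateStamp is the driver's PE link time: seconds since 1970-01-01 UTC.
        built = datetime.fromtimestamp(stamp, tz=timezone.utc)
        report.update(module=mod.group(1), offset=addr - base,
                      matches_fault=(addr == params[1]), built=built)
        if crash_day is not None:
            report["driver_age_days"] = (crash_day - built.date()).days
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE, crash_day=date(2009, 5, 15)).items():
        print(f"{key}: {value}")
```

The driver age is measured against the date of the first crash in the thread (2009-05-15); a multi-year gap on a core Microsoft driver is the kind of signal the answer above uses to argue for missing Windows Updates.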
 
LVL 15

Expert Comment

by:xmachine
Thanks jcgriff2 for your input.

@aliwajdan

Can you try updating your Windows XP to the latest SP (SP3) and latest patches?
 
LVL 1

Expert Comment

by:gesquivel
The best way is to install a clean copy of your Windows!
Because if you have the blue screen you can fix it, but then your Windows hasn't been repaired 100%.
So I think you will save some time and money formatting it.

Gustavo
 
LVL 12

Expert Comment

by:John Griffith
Sorry, but it also could be said that for every problem an XP install could be grounds for a reformat/re-install.
A BSOD does not in any way, shape or form change/modify the XP OS. The BSOD simply occurs in many cases to be software related; the rest hardware failure.
Please follow the instructions that provided.
 
LVL 1

Author Comment

by:aliwajdan
Hi All,
Thanks for all of your valuable inputs. First, I reply to xmachine that it only appears on one machine.
Second, to jcgriff2: we also analyzed the system using xmachine's solution, and it clearly shows the root and cause of this error (check my post above; I posted the result).
Do you have any other solution except reinstallation?
Also, Windows is updated regularly and I also reinstalled the AV.
If it's a problem regarding Windows updates, can you tell me the specific Windows update so I can download it manually?

Your prompt reply will be highly appreciated.
Thanks
 
LVL 12

Accepted Solution

by:
John Griffith earned 50 total points
Hi -
I can only tell you that, based on the XP OS drivers that I found in the dumps that I analyzed, years of Windows Updates are not installed in that system. The NT Kernel w/ 2005 date tells us this.
Run Belarc Advisor & see what it tells you about Windows Updates - http://www.belarc.com/free_download.html
I have analyzed 10,000s of kernel dumps in the last year and can say with conviction that a root cause cannot be determined until the OS is updated & stabilized.
My experience is as a Moderator, Microsoft Support, Tech Support Forum * com member #185203 - screen name = jcgriff2 http://www.techsupportforum.com/members/185203.html
 
LVL 1

Author Closing Comment

by:aliwajdan
I followed all the instructions given by the expert and at last I installed the complete Windows updates. After this, the error which occurred due to the USB was solved.
Thanks
 
LVL 12

Expert Comment

by:John Griffith
Hi - Thank you.  I am glad that your system is back up and running.  I do apologize for the typos - very unlike me to allow content out in that manner.  
jcgriff2