Solved

win 2003 DC has been crashing for a few days now Event ID 7 KDC

Posted on 2011-03-08
Last Modified: 2012-05-11
I have removed antivirus software and run all possible updates.  I am now getting an error, event ID 7 KDC.  No credentials were changed on the server.  I ran a Netdiag and DCDiag:



Netcard queries test . . . . . . . : Passed

    Information of Netcard drivers:

    ---------------------------------------------------------------------------
    Description: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
    Device: \DEVICE\{A7A8A517-0E0F-4AE1-BE12-676F08C161D1}

    Media State:                     Connected

    Device State:                    Connected
    Connect Time:                    00:15:36
    Media Speed:                     1 Gbps

    Packets Sent:                    4998
    Bytes Sent (Optional):           1034600

    Packets Received:                11051
    Directed Pkts Recd (Optional):   5338
    Bytes Received (Optional):       1079618
    Directed Bytes Recd (Optional):  1079618

    ---------------------------------------------------------------------------
    [PASS] - At least one netcard is in the 'Connected' state.



Per interface results:

    Adapter : Local Area Connection 14
        Adapter ID . . . . . . . . : {A7A8A517-0E0F-4AE1-BE12-676F08C161D1}

        Netcard queries test . . . : Passed


Global results:


Domain membership test . . . . . . : Passed
    Machine is a . . . . . . . . . : Domain Controller
    Netbios Domain name. . . . . . : ORSIDR
    Dns domain name. . . . . . . . : orsidr.com
    Dns forest name. . . . . . . . : orsidr.com
    Domain Guid. . . . . . . . . . : {EAE0DB12-F34B-44FE-97AF-4ABAD3ED9C15}
    Domain Sid . . . . . . . . . . : S-1-5-21-80237615-1967807905-355810188
    Logon User . . . . . . . . . . : administrator
    Logon Domain . . . . . . . . . : ORSIDR


NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{A7A8A517-0E0F-4AE1-BE12-676F08C161D1}
    1 NetBt transport currently configured.


Kerberos test. . . . . . . . . . . : Passed

    Find DC in domain 'ORSIDR':
    Found this DC in domain 'ORSIDR':
        DC. . . . . . . . . . . : \\orsid-dc.orsidr.com
        Address . . . . . . . . : \\123.1.1.9
        Domain Guid . . . . . . : {EAE0DB12-F34B-44FE-97AF-4ABAD3ED9C15}
        Domain Name . . . . . . : orsidr.com
        Forest Name . . . . . . : orsidr.com
        DC Site Name. . . . . . : Default-First-Site-Name
        Our Site Name . . . . . : Default-First-Site-Name
        Flags . . . . . . . . . : DS KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8

    Cached Tickets:


The command completed successfully

C:\Documents and Settings\Administrator.ORSIDR>DCdiag

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\ORSID-DC
      Starting test: Connectivity
         ......................... ORSID-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\ORSID-DC
      Starting test: Replications
         ......................... ORSID-DC passed test Replications
      Starting test: NCSecDesc
         ......................... ORSID-DC passed test NCSecDesc
      Starting test: NetLogons
         ......................... ORSID-DC passed test NetLogons
      Starting test: Advertising
         ......................... ORSID-DC passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... ORSID-DC passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... ORSID-DC passed test RidManager
      Starting test: MachineAccount
         ......................... ORSID-DC passed test MachineAccount
      Starting test: Services
         ......................... ORSID-DC passed test Services
      Starting test: ObjectsReplicated
         ......................... ORSID-DC passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... ORSID-DC passed test frssysvol
      Starting test: frsevent
         ......................... ORSID-DC passed test frsevent
      Starting test: kccevent
         ......................... ORSID-DC passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 03/08/2011   09:27:33
            Event String: The Security Account Manager failed a KDC request
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 03/08/2011   09:27:33
            Event String: The Security Account Manager failed a KDC request
         ......................... ORSID-DC failed test systemlog

      Starting test: VerifyReferences
         ......................... ORSID-DC passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : orsidr
      Starting test: CrossRefValidation
         ......................... orsidr passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... orsidr passed test CheckSDRefDom

   Running enterprise tests on : orsidr.com
      Starting test: Intersite
         ......................... orsidr.com passed test Intersite
      Starting test: FsmoCheck
         ......................... orsidr.com passed test FsmoCheck

I have run hardware tests and find no errors.  I also see an event ID 34 Disk: The driver disabled the write cache on device \Device\Harddisk0\DR0  (warning, not error)

And I get event ID 17: One or more Terminal Server Licensing certificates on server ORSID-DC are corrupt.  Terminal Server Licensing will only issue temporary licenses until the server is reactivated.  See Terminal Server Licensing help topic for more information.

I would assume all of these are related to the same issue.  Any ideas?
Question by:rikermv
 
LVL 51

Expert Comment

by:Netman66
ID: 35131238
Is the KDC service running and set to Automatic startup?

0
 

Author Comment

by:rikermv
ID: 35140667
Yes it is running and set to automatic
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35140761
Is this a multi-domain forest?  If so, move the Infrastructure Master role to a non-GC domain controller.

Other than that, if it's a single domain forest, simply reboot this server.

0
 

Author Comment

by:rikermv
ID: 35148188
It is not a multi domain forest.  I have rebooted the server.  What I am now seeing is a memory leak.  I have uninstalled the AV and I have been running poolmon; the problem is that the main hog of all the NP mem has a tag that says NONE???  I will be running tests on the system mem tonight and post results tomorrow.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35148357
If you look at task manager can you see any specific service/process eating memory?

0
 

Author Comment

by:rikermv
ID: 35149612
a pic of my task mgr
OK, the NAV and Spybot were just added today so that I can make sure the machine isn't infected.  Beyond that, there doesn't appear to be anything hogging mem.  The system requires a restart almost daily.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35149746
Do any of those processes continue to consume memory and never drop?
0
 

Author Comment

by:rikermv
ID: 35155718
OK, so I have been monitoring the poolmon.  The process with Tag "None" is currently the only thing growing.  Everything else seems fine.  What kind of process would be Tagged None?  I have posted pics, but the quality seems to be horrible here.  The pic looks fine on my end.  Anyway, possibly a virus?  Spybot, Malwarebytes, and NAV all come up empty though.  Any ideas?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35155748
Not sure - but it could certainly be a possibility.

If you use Process Explorer, can you find it based on PID?

0
 

Author Comment

by:rikermv
ID: 35160227

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini030711-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols* http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer
Built by: 3790.srv03_sp2_gdr.101019-0340
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Mon Mar  7 14:35:51.687 2011 (UTC - 4:00)
System Uptime: 0 days 0:02:54.312
Loading Kernel Symbols
...............................................................
.........................................
Loading User Symbols
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007E, {c0000005, 80882323, f47bfc88, f47bf984}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80882323, The address that the exception occurred at
Arg3: f47bfc88, Exception Record Address
Arg4: f47bf984, Context Record Address

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!memcpy+33
80882323 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  f47bfc88 -- (.exr 0xfffffffff47bfc88)
ExceptionAddress: 80882323 (nt!memcpy+0x00000033)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00843000
Attempt to write to address 00843000

CONTEXT:  f47bf984 -- (.cxr 0xfffffffff47bf984)
eax=88a1d000 ebx=00000000 ecx=00056000 edx=00000000 esi=888c5000 edi=00843000
eip=80882323 esp=f47bfd50 ebp=f47bfd58 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
80882323 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00843000

WRITE_ADDRESS:  00843000

FOLLOWUP_IP:
nt!memcpy+33
80882323 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

BUGCHECK_STR:  0x7E

EXCEPTION_DOESNOT_MATCH_CODE:  This indicates a hardware error.
Instruction at 80882323 does not read/write to 00843000

EXCEPTION_STR:  0x0

LAST_CONTROL_TRANSFER:  from 897437f2 to 80882323

STACK_TEXT:  
f47bfd58 897437f2 00830000 888b2000 0016b000 nt!memcpy+0x33
WARNING: Frame IP not in any known module. Following frames may be wrong.
f47bfdac 80949c88 00000e8c 00000000 00000000 0x897437f2
f47bfddc 8088e0e2 89743886 00000e8c 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x7E_CODE_ADDRESS_MISMATCH_ANALYSIS_INCONCLUSIVE

BUCKET_ID:  0x7E_CODE_ADDRESS_MISMATCH_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------

Copy of a minidump
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35161173
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )


Wow - that's a useful debug trace!  LOL

Looks like hardware perhaps?  Interesting trace though.  I'm going to study it a bit.
0
 

Author Comment

by:rikermv
ID: 35162280
Great debug trace coupled with the NONE tag in the Poolmon.....yeah this is fun.  
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35162291
Rootkit perhaps?

Would you mind if I sent this internally to MS (can you send me the dump file)?  My alias here at gmail.

0
 

Author Comment

by:rikermv
ID: 35166655
Sent you the dmp from {removed for spamming reasons}

Edit: Removed OP's email address to protect from spammers - Netman66
0
 

Author Comment

by:rikermv
ID: 35172426
any news? or ideas?
0
 

Author Comment

by:rikermv
ID: 35181950

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: srv*c:\symbols* http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: TerminalServer
Built by: 3790.srv03_sp2_gdr.101019-0340
Machine Name:
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Mon Mar  7 14:35:51.687 2011 (UTC - 4:00)
System Uptime: 0 days 0:02:54.312
Loading Kernel Symbols
...............................................................
.........................................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd600c).  Type ".hh dbgerr001" for details
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 7E, {c0000005, 80882323, f47bfc88, f47bf984}

Page 75f49 not present in the dump file. Type ".hh dbgerr004" for details
Page 707da not present in the dump file. Type ".hh dbgerr004" for details
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80882323, The address that the exception occurred at
Arg3: f47bfc88, Exception Record Address
Arg4: f47bf984, Context Record Address

Debugging Details:
------------------

Page 75f49 not present in the dump file. Type ".hh dbgerr004" for details
Page 707da not present in the dump file. Type ".hh dbgerr004" for details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!memcpy+33
80882323 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  f47bfc88 -- (.exr 0xfffffffff47bfc88)
ExceptionAddress: 80882323 (nt!memcpy+0x00000033)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00843000
Attempt to write to address 00843000

CONTEXT:  f47bf984 -- (.cxr 0xfffffffff47bf984)
eax=88a1d000 ebx=00000000 ecx=00056000 edx=00000000 esi=888c5000 edi=00843000
eip=80882323 esp=f47bfd50 ebp=f47bfd58 iopl=0         nv up ei pl nz ac po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010212
nt!memcpy+0x33:
80882323 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  register.exe

CURRENT_IRQL:  0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00843000

WRITE_ADDRESS:  00843000

FOLLOWUP_IP:
nt!memcpy+33
80882323 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

BUGCHECK_STR:  0x7E

EXCEPTION_DOESNOT_MATCH_CODE:  This indicates a hardware error.
Instruction at 80882323 does not read/write to 00843000

LAST_CONTROL_TRANSFER:  from 897437f2 to 80882323

STACK_TEXT:  
f47bfd58 897437f2 00830000 888b2000 0016b000 nt!memcpy+0x33
WARNING: Frame IP not in any known module. Following frames may be wrong.
f47bfdac 80949c88 00000e8c 00000000 00000000 0x897437f2
f47bfddc 8088e0e2 89743886 00000e8c 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x7E_CODE_ADDRESS_MISMATCH_ANALYSIS_INCONCLUSIVE

BUCKET_ID:  0x7E_CODE_ADDRESS_MISMATCH_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------



Note the register.exe as Driver_Fault
0
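
Added example (not part of any post in this thread): a small Python triage script run over trimmed excerpts of the two `!analyze -v` outputs posted above. It lists stack frames that resolve to no loaded module and the fields the kernel summary dump reports differently from the minidump; the function names are illustrative, not from any tool.

```python
import re

# Trimmed excerpts of the two `!analyze -v` outputs posted in this thread.
MINIDUMP = """\
BugCheck 1000007E, {c0000005, 80882323, f47bfc88, f47bf984}
FAULTING_IP:
nt!memcpy+33
DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP
WRITE_ADDRESS:  00843000
STACK_TEXT:
f47bfd58 897437f2 00830000 888b2000 0016b000 nt!memcpy+0x33
WARNING: Frame IP not in any known module. Following frames may be wrong.
f47bfdac 80949c88 00000e8c 00000000 00000000 0x897437f2
f47bfddc 8088e0e2 89743886 00000e8c 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

IMAGE_NAME:  Unknown_Image
"""
# Within this excerpt, the kernel summary dump differs only in these lines.
KERNEL_DUMP = (MINIDUMP
               .replace("BugCheck 1000007E", "BugCheck 7E")
               .replace("DRIVER_FAULT_SERVER_MINIDUMP",
                        "DRIVER_FAULT\nPROCESS_NAME:  register.exe"))

BUGCHECK = re.compile(r"^BugCheck ([0-9A-Fa-f]+), \{")
FIELD = re.compile(r"^([A-Z][A-Z0-9_]*):\s*(.*)$")
# ChildEBP, return address, three arguments, then the resolved symbol.
FRAME = re.compile(r"^[0-9a-f]{8} ([0-9a-f]{8})(?: [0-9a-f]{8}){3} (\S+)$")


def parse_analysis(text):
    """Return (fields, frames) parsed from WinDbg `!analyze -v` text."""
    fields, frames = {}, []
    in_stack, pending = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_stack:
            frame = FRAME.match(line)
            if frame:
                frames.append({"ret": frame.group(1), "symbol": frame.group(2)})
            elif not line:
                in_stack = False      # a blank line ends STACK_TEXT
            continue                  # also skips the WARNING line
        if pending and line:
            fields[pending] = line    # value printed on the line after the key
            pending = None
            continue
        bug = BUGCHECK.match(line)
        if bug:
            fields["BUGCHECK"] = bug.group(1).upper()
            continue
        field = FIELD.match(line)
        if field:
            key, value = field.groups()
            if key == "STACK_TEXT":
                in_stack = True
            elif value:
                fields[key] = value
            else:
                pending = key         # e.g. FAULTING_IP
    return fields, frames


def unbacked_frames(frames):
    """Symbols that are bare addresses: code outside every loaded module."""
    return [f["symbol"] for f in frames
            if re.fullmatch(r"0x[0-9a-f]+", f["symbol"])]


def diff_fields(a, b):
    """Fields whose values differ between two analyses (None = absent)."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    mini_fields, mini_frames = parse_analysis(MINIDUMP)
    kern_fields, _ = parse_analysis(KERNEL_DUMP)
    print("frames with no backing module:", unbacked_frames(mini_frames))
    for key, (old, new) in diff_fields(mini_fields, kern_fields).items():
        print(f"{key}: minidump={old!r} kernel dump={new!r}")
```
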
 
LVL 51

Accepted Solution

by:
Netman66 earned 250 total points
ID: 35185150
Interesting, yes.

Please check this out and report on what you find.

http://www.spywareremove.com/removeregisterexe.html
0
 

Author Comment

by:rikermv
ID: 35206238
OK, it's def not that.  I scanned it with several malware scanners and nothing.  I also went through the registry and nothing.  Moving right along....It would appear that this is unsolvable.  I am going to wipe out the server and reinstall.  Oh what a mess.  This is the DC and the GC along with the Terminal server.....Thank you for all your help Netman66.  You went above and beyond!
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35206408
Agreed.  This may be the only way to solve this, unfortunately.

I attempted to send the dump to my internal contact at Microsoft, only to find out his wife passed away recently and he is on leave.  

Sorry I couldn't get more traction on this for you.

0
 

Author Comment

by:rikermv
ID: 35233653
I was able to identify the driver and program that caused the leak.  Using the prefetch files I traced the register.exe to an old installation of Palm One Desktop software that a user attempted to install via remote desktop.  I suppose he was trying to sync his contacts...grrrrrr!  Removed the software and edited registry to remove all traces and Bam!  No more leak.  I suppose the NONE ID from poolmon was due to the fact that the software had been uninstalled a while ago.  Unfortunately it left some traces that caused major issues.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35233799
Wow!  Nice investigative work.

Glad you got it taken care of.

0
