kdschool
asked on
IIS 7.5 Event log error WAS 5009 how to troubleshoot this error?
I had a event over the weekend. this occurred one time there is a warning then error. Has not re-occurred since two days now.
System log showed two errors.
A process serving application pool 'DefaultAppPool' terminated unexpectedly. The process id was '3276'. The process exit code was '0xc0000005'.
then Error
The World Wide Web Publishing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Then it self corrected. The site was not available apparently for just a about 10 minutes during this.
How can I figure out what caused this and prevent it from re-occurring?
In the application log there is also one error close to same time.
Faulting application name: svchost.exe_WAS, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000002141770
Faulting process id: 0x2354
Faulting application start time: 0x01d079943d0ec2c7
Faulting application path: C:\Windows\system32\svchos
Faulting module path: unknown
Report Id: b06263e2-e6e8-11e4-b1ea-e4
System log showed two errors.
A process serving application pool 'DefaultAppPool' terminated unexpectedly. The process id was '3276'. The process exit code was '0xc0000005'.
then Error
The World Wide Web Publishing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Then it self corrected. The site was not available apparently for just a about 10 minutes during this.
How can I figure out what caused this and prevent it from re-occurring?
In the application log there is also one error close to same time.
Faulting application name: svchost.exe_WAS, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000002141770
Faulting process id: 0x2354
Faulting application start time: 0x01d079943d0ec2c7
Faulting application path: C:\Windows\system32\svchos
Faulting module path: unknown
Report Id: b06263e2-e6e8-11e4-b1ea-e4
ASKER
In the http failed requests logs same date about one hour before the error occured someone tried to access a old pages that has an old sql asp connection string in it that is no longer used. Could that have caused this? Should I remove that connection from the connection folder since that application no longer is in use?
Run McAfee but no scans run on this date/time
Where can I find the error report that you mention above?
Run McAfee but no scans run on this date/time
Where can I find the error report that you mention above?
You should, without a doubt, remove the old ASP content. You could use URL Rewriting or Redirection to push the user to the correct URL.
I don't think the hit on the old ASP page caused the issue.
From the actual HTTP logs (not the failed request logs) what activity, if any, occurred a bit before during and after the time of the crash? What hits were recorded in the logs? Do you have http logging enabled?
Does McAfee have a real-time scan function?
Point 3a in my post above points you to an article that walks you thru reviewing the Error Reports.
Dan
I don't think the hit on the old ASP page caused the issue.
From the actual HTTP logs (not the failed request logs) what activity, if any, occurred a bit before during and after the time of the crash? What hits were recorded in the logs? Do you have http logging enabled?
Does McAfee have a real-time scan function?
Point 3a in my post above points you to an article that walks you thru reviewing the Error Reports.
Dan
ASKER
The system log error is in this time format 5:56:22 PM that converts to 17:56 PM miliarty time like the http logs. These are the only logged events prior to this time at 17:14. The next sequence is after 18:00 or after the event.
#Version: 1.0
#Date: 2015-04-19 17:14:05
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-04-19 17:14:05 xxx.xx.xxx.xxx GET /SafCom/QTakes/CDrivingReq
2015-04-19 17:14:05 xxx.xx.xxx.xxx GET /images/IncursionIdwithcir
2015-04-19 17:14:05 xxx.xx.xxx.xxx GET /favicon.ico - 80 - 199.82.127.249 Mozilla/4.0+(compatible;+M
#Version: 1.0
#Date: 2015-04-19 17:14:05
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-04-19 17:14:05 xxx.xx.xxx.xxx GET /SafCom/QTakes/CDrivingReq
2015-04-19 17:14:05 xxx.xx.xxx.xxx GET /images/IncursionIdwithcir
2015-04-19 17:14:05 xxx.xx.xxx.xxx GET /favicon.ico - 80 - 199.82.127.249 Mozilla/4.0+(compatible;+M
ASKER
Also the errors are from the system and application logs. The link you gave me is for windows vista and I dont have that option under my control panel.
If you go into the Control Panel, then Action Center, then View archived messages... do you find any Error Reports listed there?
If yes, view the report with ID: b06263e2-e6e8-11e4-b1ea-e4
Essentially, you have a AppPool that is full on crashing, normally an admin would attach a debugger to watch the AppPool for a crash, and when it does, create a dump file which can be further analyzed.
2 more questions:
1. how many applications (websites) are using the default app pool?
2. have you tried creating a new AppPool and moving just this website to the new AppPool?
Dan
If yes, view the report with ID: b06263e2-e6e8-11e4-b1ea-e4
Essentially, you have a AppPool that is full on crashing, normally an admin would attach a debugger to watch the AppPool for a crash, and when it does, create a dump file which can be further analyzed.
2 more questions:
1. how many applications (websites) are using the default app pool?
2. have you tried creating a new AppPool and moving just this website to the new AppPool?
Dan
ASKER
There is only one website on this server and the server is new. It has four 300 GB hard drives and very fast dual 8 core processor. This error only occured one time on 4/19 and to date no other errors in the logs they are clean. I don't know what you mean by a full app pool? There are a lot of historical files I can remove if necessary to prevent this from re-occuring. Is there a size restriction for an application pool? The old server had just as many files and much less memory that ran this same default app pool. Is there a tool I could buy that would help me analzye what is going on? Moving an app pool seems like it might have some big consequences? What about recycling the web site so the processes are gently corrected if something is wrong. Also the logs were error free until I installed the last 11 windows updates. There was a license issue and I could not install them until that was corrected. Those were installed on 4/16.
No archived messages in that file.
No archived messages in that file.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
You gave me valuble information still no reoccurance will read up on all this and see if occurs again.
So, some questions:
1. is there anything in the HTTP logs that correspond to the time the above error occurred?
2. is there anything else in the event logs that occurs around this time?
3. have you reviewed the report that was generated? See: Report Id: b06263e2-e6e8-11e4-b1ea-e4
3a. link: http://blogs.technet.com/b/arykhus/archive/2008/12/11/finding-useful-crash-data-and-windows-error-reporting-wer.aspx
4. do you have AV software running scans at this time?
Dan