Blue screen crash with STOP Error 0x8E after installing Symantec Endpoint Protection

Article:TECH181336  |  Created: 2012-02-13  |  Updated: 2013-10-02  |  Article URL http://www.symantec.com/docs/TECH181336
Article Type
Technical Solution


Issue



Windows 2003 Servers crash with a BugCheck 8E error after installing Symantec Endpoint Protection (SEP) 11.x or 12.1.x. The memory dump seems to indicate that SymEvent.sys, a Symantec driver, is involved in the crash.

The Faulting Instruction Pointer (FAULTING_IP) points to win32k!xxxRedrawWindow+4c


Error



Debugging tools for Windows will show the following errors:

  • BugCheck 8E
  • KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)

Crash dump analysis in Debugging Tools for Windows will show register and stack output such as the following:

FAULTING_IP:
win32k!xxxRedrawWindow+4c
bf8a248e f6461e40        test    byte ptr [esi+1Eh],40h

TRAP_FRAME:  a8a07a90 -- (.trap 0xffffffffa8a07a90)
ErrCode = 00000000
eax=00000001 ebx=00000000 ecx=0000029d edx=00000001 esi=00000000 edi=bc3442f0
eip=bf8a248e esp=a8a07b04 ebp=a8a07b1c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
win32k!xxxRedrawWindow+0x4c:
bf8a248e f6461e40        test    byte ptr [esi+1Eh],40h     ds:0023:0000001e=??
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 8085b8bb to 8087cc0a

STACK_TEXT:
a8a0765c 8085b8bb 0000008e c0000005 bf8a248e nt!KeBugCheckEx+0x1b
a8a07a20 8083435c a8a07a3c 00000000 a8a07a90 nt!KiDispatchException+0x3a2
a8a07a88 80834310 a8a07b1c bf8a248e badb0d00 nt!CommonDispatchException+0x4a
a8a07a9c bf85d5c7 00000000 00000000 bc3442b0 nt!Kei386EoiHelper+0x186
a8a07b1c bf84a582 00000000 bc3442f0 00000000 win32k!xxxEndDeferWindowPosEx+0x29d
a8a07b78 bf83c80d 00000000 a8a07be0 bf8b7f7b win32k!xxxDestroyWindow+0x21e
a8a07b84 bf8b7f7b be114b60 bc4b7f28 bc4b7ea8 win32k!HMDestroyUnlockedObject+0x1c
a8a07b98 bf8b8377 feff2648 00000000 00000000 win32k!DestroyThreadsObjects+0x72
a8a07be0 bf8b6bd1 00000001 a8a07c08 bf8b7a2e win32k!xxxDestroyThreadInfo+0x23e
a8a07bec bf8b7a2e feff2648 00000001 00000000 win32k!UserThreadCallout+0x4b
a8a07c08 8091f173 feff2648 00000001 feff2648 win32k!W32pThreadCallout+0x3a
a8a07c94 8092257c 00000000 00000000 feff2648 nt!PspExitThread+0x3b2
a8a07cac 809217c4 feff2648 00000000 00000001 nt!PspTerminateThreadByPointer+0x4b
a8a07cd0 f62879e9 fffffffe 00000000 8a1a6218 nt!NtTerminateThread+0x87
a8a07d40 8a1a6236 e4cba1c8 fffffffe 00000000 SYMEVENT!
WARNING: Frame IP not in any known module. Following frames may be wrong.
a8a07d54 8083387f fffffffe 00000000 0122ffdc 0x8a1a6236
a8a07d54 7c94845c fffffffe 00000000 0122ffdc nt!KiFastCallEntry+0xfc
0122ffc8 7c947a99 7c95fcb7 fffffffe 00000000 ntdll!KiFastSystemCallRet
0122ffcc 7c95fcb7 fffffffe 00000000 0122ffe8 ntdll!ZwTerminateThread+0xc
0122ffdc 75984b3a 00000000 00000000 759758c5 ntdll!RtlExitUserThread+0x26
0122ffe8 759758c5 00000000 00000004 00000000 winsrv!UserExitWorkerThread+0xe
0122fff4 00000000 00000000 00000000 00000000 winsrv!StartCreateSystemThreads+0x26


Solution



This is a known problem in the Server Operating System's Win32k.sys driver.

Please see Microsoft's TechNet article blogs.technet.com/b/dip/archive/2011/10/12/win2003sp2-stop-0x8e-in-win32k-xxxredrawwindow-0x4c.aspx for information.

The TechNet article links to Security Update MS11-077, which contains a fix for this problem. See: support.microsoft.com/kb/2567053
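To check saved analysis output against the signature described in this article, the following added example (not Symantec or Microsoft code) separates the module that actually faulted from third-party drivers that only appear on the stack, as SYMEVENT does here. The `triage` function, the `OS_MODULES` set and the sample text are assumptions made for illustration; the sample lines are copied from the output above.

```python
import re

# Constructed sample: a few lines copied from the analysis output in this article.
SAMPLE = """\
FAULTING_IP:
win32k!xxxRedrawWindow+4c
bf8a248e f6461e40        test    byte ptr [esi+1Eh],40h
BUGCHECK_STR:  0x8E
STACK_TEXT:
a8a0765c 8085b8bb 0000008e c0000005 bf8a248e nt!KeBugCheckEx+0x1b
a8a07b1c bf84a582 00000000 bc3442f0 00000000 win32k!xxxEndDeferWindowPosEx+0x29d
a8a07cd0 f62879e9 fffffffe 00000000 8a1a6218 nt!NtTerminateThread+0x87
a8a07d40 8a1a6236 e4cba1c8 fffffffe 00000000 SYMEVENT!
a8a07d54 8083387f fffffffe 00000000 0122ffdc 0x8a1a6236
"""

# Assumption: modules treated as operating-system code for this triage.
OS_MODULES = {"nt", "hal", "win32k", "ntdll", "winsrv"}
# 32-bit kernel stack frame: ChildEBP, RetAddr, three arguments, then the symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){5}(\S+)$", re.I)


def triage(text):
    """Separate the module that faulted from modules that are only on the stack."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    bugcheck, faulting, on_stack = None, None, []
    for i, ln in enumerate(lines):
        if ln.startswith("BUGCHECK_STR:"):
            bugcheck = ln.split(":", 1)[1].strip()
        elif ln.startswith("FAULTING_IP:") and i + 1 < len(lines):
            faulting = lines[i + 1]  # the symbol is on the line after the tag
        elif (m := FRAME.match(ln)) and "!" in m.group(1):
            module = m.group(1).split("!", 1)[0].lower()
            if module not in on_stack:
                on_stack.append(module)
    has_module = faulting is not None and "!" in faulting
    normalized = faulting.replace("+0x", "+").lower() if has_module else ""
    return {
        "bugcheck": bugcheck,
        "faulting_module": normalized.split("!", 1)[0] if has_module else None,
        "third_party_on_stack": [mod for mod in on_stack if mod not in OS_MODULES],
        # Signature from this article: STOP 0x8E at win32k!xxxRedrawWindow+4c.
        "matches_article_signature": bugcheck == "0x8E"
        and normalized == "win32k!xxxredrawwindow+4c",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A result with `faulting_module` set to `win32k` and `symevent` listed only under `third_party_on_stack` corresponds to the case this article covers.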



