
0x1000008e KERNEL_MODE_EXCEPTION_NOT_HANDLED corrupted SEP Installation?

Created: 15 Dec 2009 • Updated: 21 May 2010 | 5 comments
This issue has been solved. See solution.

Good evening,

All of a sudden we have a BSOD on one of our XP machines.

System: DELL OptiPlex 760 USFF
OS: Windows XP SP3
Office: Office 2007 SP2 Small Business
AV: Symantec Endpoint Protection 11 RU5

Bluescreen:

Dump-Datei:      Mini121509-01.dmp
Time:            15.12.2009 13:06:00
Bugcheck-String: KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bugcheck-Code:   0x1000008e
Parameter 1:     0xc000001d
Parameter 2:     0xa9af68d2
Parameter 3:     0xa8153ad0
Parameter 4:     0x00000000
possible cause:  tcpip.sys
address:         tcpip.sys+b8d2

A problem has been detected and Windows has been shut down to prevent damage
to your computer.

The problem seems to be caused by the following file: tcpip.sys

KERNEL_MODE_EXCEPTION_NOT_HANDLED

Technical Information:

*** STOP: 0x1000008e (0xc000001d, 0xa9af68d2, 0xa8153ad0, 0x00000000)

*** tcpip.sys - Address 0xa9af68d2 base at 0xa9aeb000 DateStamp 0x485b99ad

After taking a further look at the bugcheck, I found references to the following drivers, belonging to SEP's firewall component (except ntoskrnl.exe):

Module        Address              Base        End         Size        Timestamp   Date
ntoskrnl.exe  ntoskrnl.exe+296d5   0x804d7000  0x806e5000  0x0020e000  0x4a784394  04.08.2009 14:20:04
SYMTDI.SYS    SYMTDI.SYS+13d53     0xa9abe000  0xa9aea480  0x0002c480  0x4a395be6  17.06.2009 21:11:02
tcpip.sys     tcpip.sys+b8d2       0xa9aeb000  0xa9b43480  0x00058480  0x485b99ad  20.06.2008 11:51:09
wpsdrvnt.sys  wpsdrvnt.sys+5068    0xf7791000  0xf779f000  0x0000e000  0xa4b2d5e4  18.09.2009 00:35:48

Is this due to a corrupted SEP-Client?

My opinion is to uninstall the SEP-Client, reboot the machine and reinstall it.

Would somebody be so kind as to look at the attached "debuglog.txt" and confirm my analysis?

regards,

Rolf
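The analysis above boils down to one mechanical step: take the faulting address from parameter 2 of the STOP screen and find which entry of the loaded-module list covers it, giving the "module+offset" form the crash tool prints. The following Python is an added example that is not part of this thread or of any Symantec tool; it uses the four modules and the STOP parameters Rolf posted, and the helper names (Module, locate, symbolize, adjacent_modules) and the small NTSTATUS table are assumptions of this example.

```python
"""Resolve a bugcheck's faulting address against a minidump's loaded-module list.

Added example for this thread; module table and STOP parameters are the values
posted above, everything else (names, NTSTATUS subset) is this example's own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int        # first byte of the image in kernel virtual memory
    end: int         # one past the last byte (base + size)
    timestamp: int   # PE TimeDateStamp, seconds since the Unix epoch (UTC)

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.end

    def built(self) -> datetime:
        """Link time of the image, useful to tell a stale driver from a fresh one."""
        return datetime.fromtimestamp(self.timestamp, tz=timezone.utc)


# Loaded-module list as posted in the thread (base/end/timestamp columns).
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x804D7000, 0x806E5000, 0x4A784394),
    Module("SYMTDI.SYS",   0xA9ABE000, 0xA9AEA480, 0x4A395BE6),
    Module("tcpip.sys",    0xA9AEB000, 0xA9B43480, 0x485B99AD),
    Module("wpsdrvnt.sys", 0xF7791000, 0xF779F000, 0x4AB2D5E4),
]

# STOP: 0x1000008e (0xc000001d, 0xa9af68d2, 0xa8153ad0, 0x00000000) from the post.
STOP_CODE = 0x1000008E
EXCEPTION_CODE = 0xC000001D   # parameter 1: the unhandled exception's NTSTATUS
FAULT_ADDR = 0xA9AF68D2       # parameter 2: address where the exception was raised
TRAP_FRAME = 0xA8153AD0       # parameter 3: trap frame for further debugging

# Small subset of NTSTATUS codes that appear as parameter 1 of bugcheck 0x8E
# (example table, not exhaustive).
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
}


def bugcheck_number(stop_code: int) -> int:
    """The low 16 bits carry the bugcheck number: 0x1000008e is bugcheck 0x8E,
    KERNEL_MODE_EXCEPTION_NOT_HANDLED, as the tool's bugcheck string shows."""
    return stop_code & 0xFFFF


def locate(addr: int, modules: List[Module] = MODULES) -> Optional[Tuple[Module, int]]:
    """Return (module, offset) for the module whose address range covers addr."""
    for m in modules:
        if m.contains(addr):
            return m, addr - m.base
    return None


def symbolize(addr: int, modules: List[Module] = MODULES) -> str:
    """Render addr as 'module+offset', the form the crash viewer printed."""
    hit = locate(addr, modules)
    if hit is None:
        return f"{addr:#010x} (not in any listed module)"
    m, off = hit
    return f"{m.name}+{off:x}"


def adjacent_modules(target: Module, modules: List[Module] = MODULES,
                     max_gap: int = 0x1000) -> List[str]:
    """Names of modules whose image sits within max_gap bytes of target.
    Adjacency only says they were loaded into neighbouring memory; it is a
    hint about which filter drivers to look at, not proof of a culprit."""
    out = []
    for m in modules:
        if m is target:
            continue
        if 0 <= target.base - m.end <= max_gap or 0 <= m.base - target.end <= max_gap:
            out.append(m.name)
    return out


if __name__ == "__main__":
    print(f"bugcheck 0x{bugcheck_number(STOP_CODE):X}, exception "
          f"{NTSTATUS_NAMES.get(EXCEPTION_CODE, 'unknown')} at {symbolize(FAULT_ADDR)}")
    mod, _ = locate(FAULT_ADDR)
    print(f"{mod.name} built {mod.built():%Y-%m-%d %H:%M:%S} UTC, "
          f"neighbours: {adjacent_modules(mod)}")
```

The offset computed for 0xa9af68d2 is 0xb8d2, matching the "tcpip.sys+b8d2" in the post, and the link timestamps convert to the dates the viewer displayed (20.06.2008 11:51:09 for tcpip.sys). The neighbour check shows SYMTDI.SYS loaded directly below tcpip.sys, which is why a crash inside tcpip.sys still points at the TDI filter stacked on it rather than at tcpip.sys itself.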


Comments (5)

Vikram Kumar-SAV to SEP

This can be due to SEP firewall drivers messing with NIC drivers in a corrupt install.
Did this happen during an uninstall/repair/upgrade of SEP?
Was there anything in the event viewer about what happened before the BSOD?

Definitely it is due to the SEP Network Threat Protection component, not just the firewall but the IPS drivers as well.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

Rolf Niedhorn

Thank you, Vikram Kumar-SAV to SEP, for your quick answer!

To your questions:

* Did this happen during an uninstall/repair/upgrade of SEP?

No, it's a normally running system since May. Shortly after Symantec published the German version of RU5, I upgraded from MR4MP2.

The only issue I had was that this SEP client had difficulties updating definitions three weeks after the upgrade. So I decided to remove that client through Add/Remove Programs and re-install it by pushing my package to that machine. Oh, I forgot to mention that I ran into the "two instances of SEP under Add/Remove Programs" issue, so I ran both installers to remove both instances before re-installing.

According to my customer, they had the first BSOD last week and two today. Nothing before!

* Was there anything in the event viewer about what happened before the BSOD?

Unfortunately, I can't give a definite answer, because I wasn't on-site today. I asked my customer for the minidump to analyse. I visited my customer yesterday for regular maintenance and therefore looked at that machine. As far as I can say, there was nothing in the event log that marked a problem. Now we have retired that machine till January, so I can't open an RDP session to look at the event logs again.

greetings from Hamburg,

Rolf

Rolf Niedhorn (Hamburg, Germany)

NIERO@net e.K.

Vikram Kumar-SAV to SEP

So it does look like SEP driver corruption at one point in time. My suggestion would be either to completely remove SEP, delete all related files and folders, reboot, then install SEP,
or create a case with support and get a copy of the CleanWipe utility and run it. It will clean all traces of SEP, including the registry etc., then install SEP.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

SOLUTION
Rolf Niedhorn

Good Morning, Vikram Kumar-SAV to SEP,

That's what I think, too! We totally agree, so I will mark your last post as the solution.

But I think that leads to another question, for a separate discussion: will machines really run fine after running into that "2 instances" issue, as Symantec's article says? Now I think that all those machines have to be totally cleaned of all old installations with CleanWipe. Hm?!?

However, I wish a Merry Christmas and a Happy New Year!

regards,

Rolf

Rolf Niedhorn (Hamburg, Germany)

NIERO@net e.K.

Vikram Kumar-SAV to SEP

The SEP drivers sit very deep in the operating system, so in the 2-instance case any driver going mad can cause a BSOD.
However, as long as everything is going fine, who cares...

Merry Christmas and Happy New Year to you, as well as Ballack and Klose in your country...

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.