
SYMEVENT.SYS & BSOD

Created: 05 Feb 2013 | 5 comments

Anyone ever see this?

This is a Windows 2003 Server and used as Terminal Server:

Ran WINDBG and this is what we got:

 

Use !analyze -v to get detailed debugging information.

BugCheck 8E, {c0000005, bf8a1a8e, 8f5aea90, 0}

Page 11a50c not present in the dump file. Type ".hh dbgerr004" for details
Page 11a62f not present in the dump file. Type ".hh dbgerr004" for details
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+14a39 )

Followup: MachineOwner

---------

2: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: bf8a1a8e, The address that the exception occurred at
Arg3: 8f5aea90, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
win32k!xxxRedrawWindow+4c
bf8a1a8e f6461e40        test    byte ptr [esi+1Eh],40h

TRAP_FRAME:  8f5aea90 -- (.trap 0xffffffff8f5aea90)
ErrCode = 00000000
eax=00000001 ebx=00000000 ecx=0000029d edx=00000001 esi=00000000 edi=bc3471d8
eip=bf8a1a8e esp=8f5aeb04 ebp=8f5aeb1c iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
win32k!xxxRedrawWindow+0x4c:
bf8a1a8e f6461e40        test    byte ptr [esi+1Eh],40h     ds:0023:0000001e=??
Resetting default scope

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

LAST_CONTROL_TRANSFER:  from 8082d868 to 80827cb3

STACK_TEXT: 
8f5ae65c 8082d868 0000008e c0000005 bf8a1a8e nt!KeBugCheckEx+0x1b
8f5aea20 8088a31a 8f5aea3c 00000000 8f5aea90 nt!KiDispatchException+0x3a2
8f5aea88 8088a2ce 8f5aeb1c bf8a1a8e badb0d00 nt!CommonDispatchException+0x4a
8f5aea9c bf85cbb8 00000000 00000000 bc347198 nt!Kei386EoiHelper+0x186
8f5aeb1c bf849b65 00000000 bc3471d8 00000000 win32k!xxxEndDeferWindowPosEx+0x29d
8f5aeb78 bf83bf6f 00000000 8f5aebe0 bf8b758f win32k!xxxDestroyWindow+0x21e
8f5aeb84 bf8b758f be115b20 bc675da0 bc675d20 win32k!HMDestroyUnlockedObject+0x1c
8f5aeb98 bf8b798b 86ef5da8 00000000 00000000 win32k!DestroyThreadsObjects+0x72
8f5aebe0 bf8b61f0 00000001 8f5aec08 bf8b7042 win32k!xxxDestroyThreadInfo+0x23e
8f5aebec bf8b7042 86ef5da8 00000001 00000000 win32k!UserThreadCallout+0x4b
8f5aec08 8094bc44 86ef5da8 00000001 86ef5da8 win32k!W32pThreadCallout+0x3a
8f5aec94 8094bfd7 00000000 00000000 86ef5da8 nt!PspExitThread+0x3b2
8f5aecac 8094c329 86ef5da8 00000000 00000001 nt!PspTerminateThreadByPointer+0x4b
8f5aecd0 b9e74a39 fffffffe 00000000 8afdb598 nt!NtTerminateThread+0x71
WARNING: Stack unwind information not available. Following frames may be wrong.
8f5aed54 8088983c fffffffe 00000000 0120ffdc SYMEVENT+0x14a39
8f5aed54 0016d428 fffffffe 00000000 0120ffdc nt!KiFastCallEntry+0xfc
0000003b 00000000 00000000 00000000 00000000 0x16d428

STACK_COMMAND:  kb

FOLLOWUP_IP:
SYMEVENT+14a39
b9e74a39 e98e030000      jmp     SYMEVENT+0x14dcc (b9e74dcc)

SYMBOL_STACK_INDEX:  e

SYMBOL_NAME:  SYMEVENT+14a39

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME:  SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4d8bcd70

FAILURE_BUCKET_ID:  0x8E_SYMEVENT+14a39

BUCKET_ID:  0x8E_SYMEVENT+14a39

Followup: MachineOwner

*******************Looks fine now*************************
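A small triage helper for the dump above, added here as an example and not part of the original post or of any Symantec or Microsoft tooling: it compares the module of FAULTING_IP with the first non-OS module in STACK_TEXT and records whether that frame sits below the "Stack unwind information not available" warning. The function names and the OS_MODULES list are assumptions of this example; the stack lines are a subset copied from the post.

```python
import re

# Subset of the STACK_TEXT from the post, in original order.
STACK_TEXT = """\
8f5ae65c 8082d868 0000008e c0000005 bf8a1a8e nt!KeBugCheckEx+0x1b
8f5aea20 8088a31a 8f5aea3c 00000000 8f5aea90 nt!KiDispatchException+0x3a2
8f5aea9c bf85cbb8 00000000 00000000 bc347198 nt!Kei386EoiHelper+0x186
8f5aeb1c bf849b65 00000000 bc3471d8 00000000 win32k!xxxEndDeferWindowPosEx+0x29d
8f5aeb78 bf83bf6f 00000000 8f5aebe0 bf8b758f win32k!xxxDestroyWindow+0x21e
8f5aec94 8094bfd7 00000000 00000000 86ef5da8 nt!PspExitThread+0x3b2
8f5aecd0 b9e74a39 fffffffe 00000000 8afdb598 nt!NtTerminateThread+0x71
WARNING: Stack unwind information not available. Following frames may be wrong.
8f5aed54 8088983c fffffffe 00000000 0120ffdc SYMEVENT+0x14a39
8f5aed54 0016d428 fffffffe 00000000 0120ffdc nt!KiFastCallEntry+0xfc
0000003b 00000000 00000000 00000000 00000000 0x16d428
"""
FAULTING_IP = "win32k!xxxRedrawWindow+4c"   # from the FAULTING_IP section of the post
OS_MODULES = {"nt", "hal", "win32k"}        # assumption: modules treated as OS code

# A kb frame: ChildEBP, RetAddr, three args, then the symbol.
FRAME = re.compile(r"^(?:[0-9a-f]{8} ){5}(\S+)$", re.I)

def module_of(symbol):
    """Module part of 'mod!func+0x1b' or 'mod+0x1b'; None for a raw address."""
    if symbol.lower().startswith("0x"):
        return None
    return re.split(r"[!+]", symbol, maxsplit=1)[0]

def triage(faulting_symbol, stack_text, os_modules=OS_MODULES):
    unreliable, frames = False, []
    for line in stack_text.splitlines():
        line = line.strip()
        if line.startswith("WARNING: Stack unwind information not available"):
            unreliable = True          # every later frame is a guess by the debugger
            continue
        m = FRAME.match(line)
        if m:
            frames.append((module_of(m.group(1)), m.group(1), unreliable))
    third = [f for f in frames if f[0] and f[0].lower() not in os_modules]
    first = third[0] if third else None
    fault_mod = module_of(faulting_symbol)
    return {
        "frames": len(frames),
        "faulting_module": fault_mod,
        "first_third_party": first[1] if first else None,
        "third_party_frame_unreliable": first[2] if first else None,
        "fault_inside_third_party":
            bool(first) and first[0].lower() == (fault_mod or "").lower(),
    }

if __name__ == "__main__":
    print(triage(FAULTING_IP, STACK_TEXT))
```
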

 

 


SebastianZ's picture

What SEP version are you using? You can try updating the Symevent files:

http://www.symantec.com/docs/TECH98521

.Brian's picture

If you have the dump file, open a case with Symantec so they can analyse it.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

usacc23's picture

Thanks Guys, I have enough information now, I can run with it. As always I appreciate your assistance.

JS@support's picture

Hi,

Many fixes have been made in the latest SEP release.

You can consider upgrading if the issue still persists.

Mithun Sanghavi's picture

Hello,

Check these threads with similar issues:

https://www-secure.symantec.com/connect/forums/bluescreen-symeventsys

https://www-secure.symantec.com/connect/forums/symeventsys-stop-error-0x7f-windows-server-2003

Hope that helps!

 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.