
WinXP: Random BSODs since SEP 12 install -- WCA blames SEP

Created: 02 May 2011 • Updated: 02 May 2011 | 8 comments
Chuck Lavin

Hi --

I installed the SEP 12 client on an upgraded PC running Windows XP Pro SP3. The PC had several hardware upgrades; at the time, Windows XP was reinstalled and SEP 12 was installed to replace SEP 11. This was about three months ago.

Since then, this PC has been throwing BSODs at random. It may blow up once one week, twice the next, not again for ten or twelve days, then once the following week … although this past week it has been blowing up with increasing frequency. The BSODs seem to have no relationship with the machine’s load or what apps are running at the time. (In fact, this morning it BSODed while idle on the desktop with no apps running, then BSODed while rebooting, then BSODed while it was running the SEP Support Tool (after the reboot)).

After the computer reboots from the BSOD, it leaves an error in the event log similar to this:

Event Type:       Error
Event Source:    System Error
Event Category:(102)
Event ID:           1003
Date:                4/30/2011
Time:                5:32:27 PM
User:                N/A
Computer:         TAZ1

Description:

Error code 10000050, parameter1 e996b000, parameter2 00000000, parameter3 8a6c93de, parameter4 00000001.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The event category, event ID and error code are always the same. The parameters change with every crash.

Every time the computer reboots after one of these BSODs, Windows Crash Analysis reports that the crash was caused by a problem with the antivirus software.

We have verified that the PC is running the latest BIOS and driver files for all critical system components (chipset, SATA, video, mobo components, LAN, etc.). We have uninstalled, cleaned up and reinstalled SEP twice on this PC. All Windows updates have been applied. The WCA report’s suggestion to “update your antivirus program” has been verified – the PC is running the latest available versions of all program components as well as virus signatures.

The other WCA report suggestion to verify that there is only one AV program running has also been confirmed. This PC ran SEP 11 – and only SEP 11 – before this. Now it’s running only SEP 12. And during one of the SEP 12 reinstalls we performed a complete manual removal of all Symantec software per the KB article instructions.

The PC recently passed a 9.5-hour memtest run that reported 0 memory errors.

No fewer than ten different virus/malware/rootkit/Trojan detection programs – including SEP 12, the SEP Support Tool and the SEP Power Eraser – have pronounced this PC clean several times each. These scans have been performed in normal mode, diagnostic startup mode, Safe mode … The worst that any program has reported have been “trackware” cookies. In fact, between 5 p.m. on Friday and 11 a.m. today, this PC did nothing but run scans. And while the PC was running in Safe Mode, it didn’t crash once.

Every startup service and program has been scrutinized, and over the past several weeks many of the less useful (or even unwanted) ones have been removed. This PC is running a lot leaner than it was, and yet the BSODs seem to be increasing in frequency.

The Registry has also been scanned, not only for malware but also for all those things that can cause a PC to misbehave.

The SEP 12 Support Tool found nothing wrong with the SEP installation the first time I ran it. The second time, when I selected the rootkit/reboot option, the PC BSODed shortly after the PC rebooted. The third time I ran the Support Tool, again with the rootkit/reboot option, it ran through and reported nothing amiss.

In addition to Windows Crash Analyses going back almost three months that all insist that the problem is with the antivirus software, SEP’s own behavior leads me to suspect that maybe all those WCA reports are on to something. When I run the PC in Safe mode, the SEP shield in the System Tray shows a problem and SEP complains that File System Auto-Protect is malfunctioning. In this state, we’ve done just about everything that has caused BSODs in the past and the PC has not crashed once. Only when the machine is running in Normal Mode – and SEP reports that there are no problems – do we seem to open ourselves up to random BSODs.

I need to get to the bottom of this, and I’m out of things to try (or to try to fix). How do I get this PC to behave?

Thanks,
CL

Comments

Thomas K

You never mention what version of SEP 12 you are running. If it is not the latest (RU1), then I would upgrade. If you are on the latest, you should open a support case with Symantec. Be prepared to provide the full memory dump, so that the engineers can get to the root cause of the BSOD.


Thomas

Thomas K

It would be best if you opened a case with Symantec support for this issue. Be prepared to provide a full memory dump, so that the engineers can get to the root cause of the BSOD.

Chuck Lavin

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [c:\windows\MEMORY.DMP]
Kernel Summary Dump File: Only kernel address space is available

Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.101209-1647
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Sun May  8 10:56:50.347 2011 (UTC - 4:00)
System Uptime: 0 days 1:59:33.473
Loading Kernel Symbols
...............................................................
................................................................
..............................
Loading User Symbols
PEB is paged out (Peb.Ldr = 7ffd400c).  Type ".hh dbgerr001" for details
Loading unloaded module list
.................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {ea4c3000, 0, 8a7233de, 1}

*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+14569 )

Followup: MachineOwner
---------

0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ea4c3000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8a7233de, If non-zero, the instruction address which referenced the bad memory
 address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

READ_ADDRESS:  ea4c3000 Paged pool

FAULTING_IP:
+32b2faf00e9dfc0
8a7233de 668b08          mov     cx,word ptr [eax]

MM_INTERNAL_CODE:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  mscorsvw.exe

TRAP_FRAME:  a8710920 -- (.trap 0xffffffffa8710920)
ErrCode = 00000000
eax=ea4c3000 ebx=00000000 ecx=e1be8816 edx=ea4c2ed0 esi=8a72a940 edi=00000001
eip=8a7233de esp=a8710994 ebp=a8710b1c iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
8a7233de 668b08          mov     cx,word ptr [eax]        ds:0023:ea4c3000=????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8052039a to 804f9f43

STACK_TEXT: 
a87108a0 8052039a 00000050 ea4c3000 00000000 nt!KeBugCheckEx+0x1b
a8710908 805445f0 00000000 ea4c3000 00000000 nt!MmAccessFault+0x9a8
a8710908 8a7233de 00000000 ea4c3000 00000000 nt!KiTrap0E+0xd0
WARNING: Frame IP not in any known module. Following frames may be wrong.
a8710b1c 805d00f4 892aada0 00001174 a8710b5c 0x8a7233de
a8710b3c 805b1455 892aada0 00001174 a8710b5c nt!PsCallImageNotifyRoutines+0x36
a8710b84 805b1f32 87cd6e08 60c40000 a8710c54 nt!MiMapViewOfImageSection+0x4c1
a8710be0 805b22f7 00000018 884c1110 a8710c54 nt!MmMapViewOfSection+0x13c
a8710c70 ae445569 00000200 ffffffff 0012c768 nt!NtMapViewOfSection+0x2bd
a8710d34 8054167c 00000200 ffffffff 0012c768 SYMEVENT+0x14569
a8710d34 00000023 00000200 ffffffff 0012c768 nt!KiFastCallEntry+0xfc
00000000 00000000 00000000 00000000 00000000 0x23

STACK_COMMAND:  kb

FOLLOWUP_IP:
SYMEVENT+14569
ae445569 e96e020000      jmp     SYMEVENT+0x147dc (ae4457dc)

SYMBOL_STACK_INDEX:  8

SYMBOL_NAME:  SYMEVENT+14569

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME:  SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4a428942

FAILURE_BUCKET_ID:  0x50_SYMEVENT+14569

BUCKET_ID:  0x50_SYMEVENT+14569

Followup: MachineOwner
---------

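Added example, not part of the thread or of any Symantec tooling: a small Python parser that reads the !analyze -v excerpt above and relates the faulting instruction (Arg3 of the 0x50) to the module WinDbg blamed. It shows that the faulting frame is a bare address no loaded image covers, that it is reached from nt!PsCallImageNotifyRoutines, and that it lies below the SYMEVENT load base recovered from FOLLOWUP_IP, so "Probably caused by" reflects the nearest third-party frame on the stack rather than the instruction that faulted. The sample text is a constructed excerpt of the posted dump output; the function and field names are this example's own.

```python
import re

# Constructed sample: lines excerpted from the !analyze -v output posted above.
ANALYSIS = """\
BugCheck 50, {ea4c3000, 0, 8a7233de, 1}
STACK_TEXT:
a8710908 8a7233de 00000000 ea4c3000 00000000 nt!KiTrap0E+0xd0
a8710b1c 805d00f4 892aada0 00001174 a8710b5c 0x8a7233de
a8710b3c 805b1455 892aada0 00001174 a8710b5c nt!PsCallImageNotifyRoutines+0x36
a8710d34 8054167c 00000200 ffffffff 0012c768 SYMEVENT+0x14569
FOLLOWUP_IP:
SYMEVENT+14569
ae445569 e96e020000      jmp     SYMEVENT+0x147dc (ae4457dc)
"""

BUGCHECK_RE = re.compile(r"BugCheck\s+([0-9a-fA-F]+),\s*\{([^}]*)\}")
# kb layout: ChildEBP RetAddr Args-to-Child(x3) Symbol, innermost frame first.
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8})(?: [0-9a-f]{8}){3} (\S+)\s*$", re.M)
FOLLOWUP_RE = re.compile(r"FOLLOWUP_IP:\s*\n(\w+)\+([0-9a-f]+)\s*\n([0-9a-f]{8}) ")

def parse_bugcheck(text):
    """Return (code, [arg1..arg4]); for bugcheck 0x50, arg3 is the faulting instruction."""
    m = BUGCHECK_RE.search(text)
    if m is None:
        raise ValueError("no BugCheck line in analysis text")
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def blamed_module(text):
    """Recover (module, load_base) from FOLLOWUP_IP; base = resolved address - offset."""
    m = FOLLOWUP_RE.search(text)
    return (m.group(1), int(m.group(3), 16) - int(m.group(2), 16)) if m else (None, None)

def summarize(text):
    """Relate the faulting instruction of a 0x50 to the module WinDbg blamed."""
    code, args = parse_bugcheck(text)
    assert code == 0x50, "arg3 is the faulting IP only for PAGE_FAULT_IN_NONPAGED_AREA"
    syms = [s for _, _, s in FRAME_RE.findall(text)]
    module, base = blamed_module(text)
    ip = args[2]
    tag = f"0x{ip:08x}"
    unresolved = tag in syms  # a bare "0x..." symbol: no loaded image covers that address
    return {
        "faulting_ip": ip,
        "faulting_frame_unresolved": unresolved,
        "called_from": (syms + [None])[syms.index(tag) + 1] if unresolved else None,
        "blamed_module": module,
        "blamed_base": base,
        "faulting_ip_below_blamed_base": None not in (ip, base) and ip < base,
        "blamed_module_on_stack": bool(module) and any(s.startswith(module + "+") for s in syms),
    }
```

Without the dump's module list (lm output), an address above a module's base cannot be placed inside or outside that image, which is one more reason the full memory dump is what support needs.
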
Thomas K

Your bugcheck points to  PROCESS_NAME:  mscorsvw.exe

Check this Microsoft link for a possible solution.

http://social.technet.microsoft.com/Forums/en/w7it...


Chuck Lavin

That's interesting ...

This PC shows the .NET Runtime Optimization Service v2.0.50727_X86 (the service that supposedly runs c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe) as Disabled.

A search for mscorsvw.exe revealed a second copy in C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, this one run by the Microsoft .NET Framework NGEN v4.0.30319_X86 service. And this one was running. I read (either in the thread you provided or in another article I found) that this problem can be mitigated by changing this service to Manual. I did that and stopped it; let's see what happens.

The thread you sent me to mentions that this is most probably due to defective memory. But this computer ran memtest86 for over 9 hours a week ago without a single crash and without a single memory error.

Why does Windows Crash Analysis repeatedly blame “the antivirus software” any time this machine crashes?

Thanks for the info.

CL

Thomas K

Hi Chuck,

I am not an expert on memory dump analysis, so like I said earlier, let's get the support engineers looking at your dump file.

Support -

Online Portal - https://mysupport.symantec.com/

Phone - http://www.symantec.com/business/support/contact_t...


Best,

Thomas


Go_Beavs

If you suspect SEP is the main culprit in your machine's BSOD, the best thing to do is open up a support case with a COMPLETE memory dump in hand. You currently have a kernel memory dump, which does not have quite as much information as a complete memory dump.

http://www.symantec.com/business/support/index?page=content&id=TECH104660&key=51882