computer rebooted from a bugcheck....

Hi all,
My NT server always rebooted from bug check in every week…one week
one time…
Every week must have someone phone me tell me the server down…i’m
very tired about this…
I had tried many many,but still can’t find any solution.
Can anyone help me?

Config:
NT server 4.0
Option Pack 4.0
Service Pack 6a
norton antivirus 5.0

The event log show out:
Time:11:50pm
Source:NAVAP
event:1001
Detail:System memory is running very low. Norton AntiVirus Auto-Protect may
not be able to function properly.

Time:12:04am
Source:eventlog
event:6008
Detail:The previous system shutdown at 11:47:26 PM on 8/23/01 was
unexpected.

Time:12:04
Source:SysMgmt
event:4188
Detail:The Compaq System Management Driver has detected that the system
encountered an NT bugcheck prior to this boot. The bugcheck data was:
STOP: 0x0000001E (0xC000009A, 0x801698A3, 0x00000000, 0x80E1A740).

Time:12:05
Source:Save Dump
Event:1001
Detail:The computer has rebooted from a bugcheck. The bugcheck was:
0x0000001e (0xc000009a, 0x801698a3, 0x00000000, 0x80e1a740). Microsoft
Windows NT [v15.1381]. A dump was saved in: C:\WINNT\MEMORY.DMP.

I had already check the memory.dmp
The result is:
Filename . . . . . . .C:\WINNT\MEMORY.DMP
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .1381
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0x8fe7c000
PsLoadedModuleList . .0x80155380
PsActiveProcessHead. .0x80155278
MachineImageType . . .i386
NumberProcessors . . .2
BugCheckCode . . . . .0x0000001e
BugCheckParameter1 . .0xc000009a
BugCheckParameter2 . .0x801698a3
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x80e1a740

ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x8011ac9c

NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0xff99
Run #1
BasePage . . . . . .0x1
PageCount. . . . . .0x9e
Run #2
BasePage . . . . . .0x100
PageCount. . . . . .0xeff
Run #3
BasePage . . . . . .0x1000
PageCount. . . . . .0xeffc

Then i use the Pstat to check the address:
Here is a part of the result:

ModuleName Load Addr Code Data Paged LinkDate

ntoskrnl.exe 80100000 292672 44288 442048 Wed Jun 13 17:09:36 2001
hal.dll 80001000 25184 4384 9920 Fri Feb 12 13:19:02 1999
CpqSmgrK.sys 80012000 4448 32 0 Mon Aug 28 09:02:09 2000
cpqarray.sys 80014000 31136 32 0 Mon Aug 06 12:56:04 2001
SCSIPORT.SYS 801e0000 9856 32 17248 Wed Jun 27 14:42:34 2001
atapi.sys 801e9000 22496 1088 0 Tue May 11 17:07:16 1999
cpq32fs2.sys 801f0000 64608 2112 0 Tue Apr 25 13:20:50 2000
symc810.sys 80201000 16000 3552 0 Wed May 12 17:18:12 1999
Disk.sys 80207000 3328 0 7072 Fri Feb 12 13:44:14 1999
CLASS2.SYS 8020b000 7264 0 1696 Thu Jun 03 15:42:45 1999
QAFilter.sys 8020f000 4288 704 66304 Wed Feb 02 13:32:37 2000
intlfxsr.sys 8001d000 576 224 288 Tue Mar 09 20:20:44 1999
Ntfs.sys 80222000 69120 5952 276576 Thu Aug 26 09:50:36 1999
Floppy.SYS f3ef0000 1088 672 7968 Tue Jun 12 16:40:05 2001
Cdrom.SYS f3f00000 12672 32 3072 Fri Feb 12 13:44:05 1999

*the exception address seems point to the ntoskernel

But i still can’t find any solution to solve it.please help me.

Thanks alot.


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Hi,

The exception code corresponding to the unhandled kernel exception is
0xC000009A, which is STATUS_INSUFFICIENT_RESOURCES.
In addition, you have this entry in the event log:
>Detail:System memory is running very low. Norton AntiVirus Auto-Protect
may
>not be able to function properly.
Also, the error occurs periodically each week.

So, it is very likely that you have a kernel memory leak. You should first
check the Kernel memory behaviour in the task manager to see if it is
increasing.
Otherwise, you can also check with the kernel debugger. Use !vm and then
!poolused 2 in to find which tags are leaking memory and then have the
owning driver fix their leaks.

-Sebastien

From: xxxxx@hongkong.com
Reply-To: “File Systems Developers”
>To: “File Systems Developers”
>Subject: [ntfsd] computer rebooted from a bugcheck…
>Date: Fri, 24 Aug 2001 2:24:6
>
>Hi all,
>My NT server always rebooted from bug check in every week…one week
>one time…
>Every week must have someone phone me tell me the server down…i’m
>very tired about this…
>I had tried many many,but still can’t find any solution.
>Can anyone help me?
>
>Config:
>NT server 4.0
>Option Pack 4.0
>Service Pack 6a
>norton antivirus 5.0
>
>The event log show out:
>Time:11:50pm
>Source:NAVAP
>event:1001
>Detail:System memory is running very low. Norton AntiVirus Auto-Protect may
>not be able to function properly.
>
>Time:12:04am
>Source:eventlog
>event:6008
>Detail:The previous system shutdown at 11:47:26 PM on 8/23/01 was
>unexpected.
>
>Time:12:04
>Source:SysMgmt
>event:4188
>Detail:The Compaq System Management Driver has detected that the system
>encountered an NT bugcheck prior to this boot. The bugcheck data was:
>STOP: 0x0000001E (0xC000009A, 0x801698A3, 0x00000000, 0x80E1A740).
>
>Time:12:05
>Source:Save Dump
>Event:1001
>Detail:The computer has rebooted from a bugcheck. The bugcheck was:
>0x0000001e (0xc000009a, 0x801698a3, 0x00000000, 0x80e1a740). Microsoft
>Windows NT [v15.1381]. A dump was saved in: C:\WINNT\MEMORY.DMP.
>
>I had already check the memory.dmp
>The result is:
>Filename . . . . . . .C:\WINNT\MEMORY.DMP
>Signature. . . . . . .PAGE
>ValidDump. . . . . . .DUMP
>MajorVersion . . . . .free system
>MinorVersion . . . . .1381
>DirectoryTableBase . .0x00030000
>PfnDataBase. . . . . .0x8fe7c000
>PsLoadedModuleList . .0x80155380
>PsActiveProcessHead. .0x80155278
>MachineImageType . . .i386
>NumberProcessors . . .2
>BugCheckCode . . . . .0x0000001e
>BugCheckParameter1 . .0xc000009a
>BugCheckParameter2 . .0x801698a3
>BugCheckParameter3 . .0x00000000
>BugCheckParameter4 . .0x80e1a740
>
>ExceptionCode. . . . .0x80000003
>ExceptionFlags . . . .0x00000001
>ExceptionAddress . . .0x8011ac9c
>
>NumberOfRuns . . . . .0x3
>NumberOfPages. . . . .0xff99
>Run #1
> BasePage . . . . . .0x1
> PageCount. . . . . .0x9e
>Run #2
> BasePage . . . . . .0x100
> PageCount. . . . . .0xeff
>Run #3
> BasePage . . . . . .0x1000
> PageCount. . . . . .0xeffc
>
>Then i use the Pstat to check the address:
>Here is a part of the result:
>
> ModuleName Load Addr Code Data Paged LinkDate
>------------------------------------------------------------------------------
>ntoskrnl.exe 80100000 292672 44288 442048 Wed Jun 13 17:09:36 2001
>hal.dll 80001000 25184 4384 9920 Fri Feb 12 13:19:02 1999
>CpqSmgrK.sys 80012000 4448 32 0 Mon Aug 28 09:02:09 2000
>cpqarray.sys 80014000 31136 32 0 Mon Aug 06 12:56:04 2001
>SCSIPORT.SYS 801e0000 9856 32 17248 Wed Jun 27 14:42:34 2001
>atapi.sys 801e9000 22496 1088 0 Tue May 11 17:07:16 1999
>cpq32fs2.sys 801f0000 64608 2112 0 Tue Apr 25 13:20:50 2000
>symc810.sys 80201000 16000 3552 0 Wed May 12 17:18:12 1999
> Disk.sys 80207000 3328 0 7072 Fri Feb 12 13:44:14 1999
> CLASS2.SYS 8020b000 7264 0 1696 Thu Jun 03 15:42:45 1999
>QAFilter.sys 8020f000 4288 704 66304 Wed Feb 02 13:32:37 2000
>intlfxsr.sys 8001d000 576 224 288 Tue Mar 09 20:20:44 1999
> Ntfs.sys 80222000 69120 5952 276576 Thu Aug 26 09:50:36 1999
> Floppy.SYS f3ef0000 1088 672 7968 Tue Jun 12 16:40:05 2001
> Cdrom.SYS f3f00000 12672 32 3072 Fri Feb 12 13:44:05 1999
>
>*the exception address seems point to the ntoskernel
>
>But i still can’t find any solution to solve it.please help me.
>
>Thanks alot.
>
>—
>You are currently subscribed to ntfsd as: xxxxx@hotmail.com
>To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

_________________________________________________________________
Téléchargez MSN Explorer gratuitement à l’adresse
http://explorer.msn.fr/intl.asp


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Contact product support at http://support.microsoft.com

FYI anti-virus software has been responisble for many crashes in the
past. I would verify you are running the latest fixes for it and for
your other 3rd party drivers.

-----Original Message-----
From: xxxxx@hongkong.com [mailto:xxxxx@hongkong.com]
Sent: Thursday, August 23, 2001 5:00 PM
To: File Systems Developers
Subject: [ntfsd] computer rebooted from a bugcheck…

Hi all,
My NT server always rebooted from bug check in every week…one
week
one time…
Every week must have someone phone me tell me the server down…i’m

very tired about this…
I had tried many many,but still can’t find any solution.
Can anyone help me?

Config:
NT server 4.0
Option Pack 4.0
Service Pack 6a
norton antivirus 5.0

The event log show out:
Time:11:50pm
Source:NAVAP
event:1001
Detail:System memory is running very low. Norton AntiVirus Auto-Protect
may
not be able to function properly.

Time:12:04am
Source:eventlog
event:6008
Detail:The previous system shutdown at 11:47:26 PM on 8/23/01 was
unexpected.

Time:12:04
Source:SysMgmt
event:4188
Detail:The Compaq System Management Driver has detected that the system
encountered an NT bugcheck prior to this boot. The bugcheck data was:
STOP: 0x0000001E (0xC000009A, 0x801698A3, 0x00000000, 0x80E1A740).

Time:12:05
Source:Save Dump
Event:1001
Detail:The computer has rebooted from a bugcheck. The bugcheck was:
0x0000001e (0xc000009a, 0x801698a3, 0x00000000, 0x80e1a740). Microsoft
Windows NT [v15.1381]. A dump was saved in: C:\WINNT\MEMORY.DMP.

I had already check the memory.dmp
The result is:
Filename . . . . . . .C:\WINNT\MEMORY.DMP
Signature. . . . . . .PAGE
ValidDump. . . . . . .DUMP
MajorVersion . . . . .free system
MinorVersion . . . . .1381
DirectoryTableBase . .0x00030000
PfnDataBase. . . . . .0x8fe7c000
PsLoadedModuleList . .0x80155380
PsActiveProcessHead. .0x80155278
MachineImageType . . .i386
NumberProcessors . . .2
BugCheckCode . . . . .0x0000001e
BugCheckParameter1 . .0xc000009a
BugCheckParameter2 . .0x801698a3
BugCheckParameter3 . .0x00000000
BugCheckParameter4 . .0x80e1a740

ExceptionCode. . . . .0x80000003
ExceptionFlags . . . .0x00000001
ExceptionAddress . . .0x8011ac9c

NumberOfRuns . . . . .0x3
NumberOfPages. . . . .0xff99
Run #1
BasePage . . . . . .0x1
PageCount. . . . . .0x9e
Run #2
BasePage . . . . . .0x100
PageCount. . . . . .0xeff
Run #3
BasePage . . . . . .0x1000
PageCount. . . . . .0xeffc

Then i use the Pstat to check the address:
Here is a part of the result:

ModuleName Load Addr Code Data Paged LinkDate


ntoskrnl.exe 80100000 292672 44288 442048 Wed Jun 13 17:09:36 2001
hal.dll 80001000 25184 4384 9920 Fri Feb 12 13:19:02 1999
CpqSmgrK.sys 80012000 4448 32 0 Mon Aug 28 09:02:09 2000
cpqarray.sys 80014000 31136 32 0 Mon Aug 06 12:56:04 2001
SCSIPORT.SYS 801e0000 9856 32 17248 Wed Jun 27 14:42:34 2001
atapi.sys 801e9000 22496 1088 0 Tue May 11 17:07:16 1999
cpq32fs2.sys 801f0000 64608 2112 0 Tue Apr 25 13:20:50 2000
symc810.sys 80201000 16000 3552 0 Wed May 12 17:18:12 1999
Disk.sys 80207000 3328 0 7072 Fri Feb 12 13:44:14 1999
CLASS2.SYS 8020b000 7264 0 1696 Thu Jun 03 15:42:45 1999
QAFilter.sys 8020f000 4288 704 66304 Wed Feb 02 13:32:37 2000
intlfxsr.sys 8001d000 576 224 288 Tue Mar 09 20:20:44 1999
Ntfs.sys 80222000 69120 5952 276576 Thu Aug 26 09:50:36 1999
Floppy.SYS f3ef0000 1088 672 7968 Tue Jun 12 16:40:05 2001
Cdrom.SYS f3f00000 12672 32 3072 Fri Feb 12 13:44:05 1999

*the exception address seems point to the ntoskernel

But i still can’t find any solution to solve it.please help me.

Thanks alot.


You are currently subscribed to ntfsd as: xxxxx@microsoft.com
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Thanks your helpfull.
Would you mind i ask a foolish question?
Is “!vm” and “!poolused” is a utility that for dubug?
If yes.Where can i find it?
Sorry to waste your time.
Thanks.


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Since your original post went to the file system developer’s email list,
most people on the list just assume that you have a kernel debugger attached
to your system. This is usually the case when someone is developing a file
system kernel driver, as most of the list participants are.

Apparently you aren’t developing a file system kernel driver, but you want
to figure out why you are continually getting these blue screens that halt
operation of your server and force you to reboot.

When you have a kernel debugger attached to your server (via a special
serial cable), the kernel debugger allows you to execute the “!vm” and
“!poolused” commands. The kernel debugger is a software application
(Microsoft’s windbg) running on a separate computer and this computer should
be attached via serial cable to your server that keeps running out of
memory. Then when the system bugchecks you can use these commands to get an
idea of which driver is using all of the kernel memory up.

First download the latest windbg program from microsoft. The program can be
found at http://www.microsoft.com/ddk/debugging/ (version 3.0.20.0). Install
this on a machine that can serve as a debugger machine for your server (but
don’t install on your server, your server cannot act as the debugger
machine). Start up windbg after it is installed and read the help sections
“Introduction to Deugging” and “Installation and Setup”. Believe it or not,
this documentation is pretty good and should be all the information you need
to get your target and host computer setup for debugging.

Just a word of caution. What you are attempting to do is not an easy task.
There are many potential detours along the way. As originally suggested, it
would be well worth the expense to upgrade your antivirus software (and any
other third party software) prior to beginning this debugging journey.

Good luck to you,

Brad

p.s. !vm will give you “summary information about virtual memory use
statistics” on your server system, it will not tell you which driver is
using the kernel memory, only ‘where’ that memory is being used.

!poolused will give you “memory use summaries, based on the tag used for
each pool allocation” on your server system, it will not tell you which
driver is using the kernel memory, but it will tell you the ‘pool tag’ that
is associated with the allocations. If the bad driver leaking the memory is
not using a pool tag, the pool tag will not be displayed. If the bad driver
leaking the memory is using a pool tag, your next task will be to figure out
which driver is using that pool tag.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of xxxxx@hongkong.com
Sent: Saturday, August 25, 2001 3:47 AM
To: File Systems Developers
Subject: [ntfsd] Re: computer rebooted from a bugcheck…

Thanks your helpfull.
Would you mind i ask a foolish question?
Is “!vm” and “!poolused” is a utility that for dubug?
If yes.Where can i find it?
Sorry to waste your time.
Thanks.


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

!poolused is a command of WinDbg’s command line.
It is a kernel memory leak detector.

Max

----- Original Message -----
From:
To: “File Systems Developers”
Sent: Saturday, August 25, 2001 3:47 AM
Subject: [ntfsd] Re: computer rebooted from a bugcheck…

> Thanks your helpfull.
> Would you mind i ask a foolish question?
> Is “!vm” and “!poolused” is a utility that for dubug?
> If yes.Where can i find it?
> Sorry to waste your time.
> Thanks.
>
> —
> You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
> To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com
>


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com

Thanks all.
I will try my best.


You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com