Hey all,
I have a strange problem with the SBS server at work. Every 20 to 40 hours it reboots, and I get a stop-fault message after logging in.
It's an SBS Server 2003 Standard SP2
with the Avast SBS suite fully updated.
So debugging the memory dump gave me this result:
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [c:\windows\minidump\Mini010208-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: c:\symbolen
Executable search path is: c:\windows\i386
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Jan 2 00:08:27.780 2008 (GMT+1)
System Uptime: 1 days 11:43:05.921
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Loading Kernel Symbols
...
Loading User Symbols
Loading unloaded module list
..
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 1000008E, {c0000005, 80883770, b7af7ac8, 0}
Unable to load image \SystemRoot\System32\Drivers\aswMonFlt.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for aswMonFlt.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswMonFlt.SYS
Probably caused by : aswMonFlt.SYS ( aswMonFlt+2309 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 80883770, The address that the exception occurred at
Arg3: b7af7ac8, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx references memory at 0x%08lx. A read or write operation on the memory failed: The memory could not be %s.
FAULTING_IP:
nt!KiSystemService+26
80883770 668b02 mov ax,word ptr [edx]
TRAP_FRAME: b7af7ac8 -- (.trap 0xffffffffb7af7ac8)
ErrCode = 00000000
eax=b7af7b64 ebx=b9ecc880 ecx=00000400 edx=00000000 esi=b7af7b64 edi=b7af7b64
eip=80883770 esp=b7af7b3c ebp=b7af7b44 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!KiSystemService+0x26:
80883770 668b02 mov ax,word ptr [edx] ds:0023:00000000=0000
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP
BUGCHECK_STR: 0x8E
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 0052004f to 80883770
SYMBOL_ON_RAW_STACK: 1
STACK_ADDR_RAW_STACK_SYMBOL: ffffffffb7af7b4c
STACK_COMMAND: dds B7AF7B4C-0x20 ; kb
STACK_TEXT:
b7af7b2c 00000000
b7af7b30 80883770 nt!KiSystemService+0x26
b7af7b34 00000008
b7af7b38 00010206
b7af7b3c 00000000
b7af7b40 00000000
b7af7b44 b7af8368
b7af7b48 b9ec5309 aswMonFlt+0x2309
b7af7b4c b7af7b64
b7af7b50 00000000
b7af7b54 00000400
b7af7b58 89d8cf84
b7af7b5c b7af8bc8
b7af7b60 88617638
b7af7b64 003a0043
b7af7b68 0057005c
b7af7b6c 004e0049
b7af7b70 004f0044
b7af7b74 00530057
b7af7b78 0053005c
b7af7b7c 00530059
b7af7b80 00450054
b7af7b84 0033004d
b7af7b88 005c0032
b7af7b8c 00420057
b7af7b90 004d0045
b7af7b94 004c005c
b7af7b98 0047004f
b7af7b9c 005c0053
b7af7ba0 00520046
b7af7ba4 004d0041
b7af7ba8 00570045
FOLLOWUP_IP:
aswMonFlt+2309
b9ec5309 ??

SYMBOL_NAME: aswMonFlt+2309
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: aswMonFlt
IMAGE_NAME: aswMonFlt.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 4755699e
FAILURE_BUCKET_ID: 0x8E_aswMonFlt+2309
BUCKET_ID: 0x8E_aswMonFlt+2309
Followup: MachineOwner
---------
aswMonFlt is the problem, according to this debug of the .dmp.
So I disabled the driver in the registry by setting it to 4 instead of 2, to see if the restarts still occur.
What I'd like to know is: what is this file about, and do I put the server at a big security risk by disabling it?
Greetings
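The WinDbg output above can be triaged mechanically: the BugCheck line gives the stop code and exception, the trap-frame registers show what the faulting instruction dereferenced, and the raw stack ("dds" style) can be decoded as bytes. The script below is an added example, not from the poster or from Avast, and it only works on text copied from the post: it decodes the stop code and exception, flags that `mov ax,word ptr [edx]` ran with `edx=00000000` (a NULL-pointer read), lists the symbolised frames, and reassembles the dwords at the address held in eax/esi/edi as UTF-16LE, which turns out to be a file path. The constant names and the helper functions are the example's own.

```python
import re

# Constructed input: the relevant lines copied verbatim from the WinDbg output in the post.
DUMP_TEXT = """\
BugCheck 1000008E, {c0000005, 80883770, b7af7ac8, 0}
Probably caused by : aswMonFlt.SYS ( aswMonFlt+2309 )
FAULTING_IP:
nt!KiSystemService+26
80883770 668b02 mov ax,word ptr [edx]
eax=b7af7b64 ebx=b9ecc880 ecx=00000400 edx=00000000 esi=b7af7b64 edi=b7af7b64
STACK_TEXT:
b7af7b30 80883770 nt!KiSystemService+0x26
b7af7b48 b9ec5309 aswMonFlt+0x2309
b7af7b64 003a0043
b7af7b68 0057005c
b7af7b6c 004e0049
b7af7b70 004f0044
b7af7b74 00530057
b7af7b78 0053005c
b7af7b7c 00530059
b7af7b80 00450054
b7af7b84 0033004d
b7af7b88 005c0032
b7af7b8c 00420057
b7af7b90 004d0045
b7af7b94 004c005c
b7af7b98 0047004f
b7af7b9c 005c0053
b7af7ba0 00520046
b7af7ba4 004d0041
b7af7ba8 00570045
FOLLOWUP_IP:
"""

# Only the two codes this dump can contain; a real tool would carry the full tables.
BUGCHECK_NAMES = {0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
                  0x1000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED_M"}
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0x80000003: "STATUS_BREAKPOINT"}

def parse_bugcheck(text):
    """'BugCheck 1000008E, {c0000005, ...}' -> (code, [arg1, arg2, arg3, arg4])."""
    m = re.search(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}", text)
    return int(m.group(1), 16), [int(a, 16) for a in m.group(2).split(",")]

def parse_culprit(text):
    """'Probably caused by : X.SYS ( X+2309 )' -> (image, module, offset)."""
    m = re.search(r"Probably caused by : (\S+) \( (\w+)\+([0-9A-Fa-f]+) \)", text)
    return m.group(1), m.group(2), int(m.group(3), 16)

def parse_registers(text):
    """Pick the 32-bit general registers out of the trap-frame register line."""
    return {r: int(v, 16) for r, v in
            re.findall(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})", text)}

def parse_raw_stack(text):
    """Parse the 'dds' style STACK_TEXT into {address: dword} plus the symbolised entries."""
    block = text.split("STACK_TEXT:", 1)[1].split("FOLLOWUP_IP:", 1)[0]
    dwords, symbols = {}, []
    for line in block.splitlines():
        m = re.match(r"\s*([0-9a-f]{8}) ([0-9a-f]{8})(?: (\S+))?", line)
        if m:
            dwords[int(m.group(1), 16)] = int(m.group(2), 16)
            if m.group(3):
                symbols.append(m.group(3))
    return dwords, symbols

def decode_utf16_at(dwords, start, max_dwords=64):
    """Reassemble consecutive little-endian dwords from `start`, decode as UTF-16LE and
    stop at a NUL, a non-printable character, or the end of the dumped stack."""
    buf, addr = bytearray(), start
    while addr in dwords and len(buf) < 4 * max_dwords:
        buf += dwords[addr].to_bytes(4, "little")
        addr += 4
    out = []
    for ch in buf.decode("utf-16-le", errors="replace"):
        if ch == "\x00" or not ch.isprintable():
            break
        out.append(ch)
    return "".join(out)

def triage(text=DUMP_TEXT):
    code, args = parse_bugcheck(text)
    image, module, offset = parse_culprit(text)
    regs = parse_registers(text)
    dwords, symbols = parse_raw_stack(text)
    insn = re.search(r"^[0-9a-f]{8} [0-9a-f]+ (.+)$",
                     text.split("FAULTING_IP:", 1)[1], re.M).group(1)
    # A memory operand through a register that holds 0 is a NULL-pointer dereference.
    m = re.search(r"\[(e[a-d]x|e[sd]i|e[bs]p)\]", insn)
    return {
        "bugcheck": BUGCHECK_NAMES.get(code, hex(code)),
        "exception": NTSTATUS_NAMES.get(args[0], hex(args[0])),
        "exception_address": args[1],
        "faulting_instruction": insn,
        "null_pointer_access": bool(m) and regs.get(m.group(1)) == 0,
        "image": image, "module": module, "offset": offset,
        "symbols_on_stack": symbols,
        # eax, esi and edi all hold the same stack address; decode what lives there.
        "string_at_eax": decode_utf16_at(dwords, regs["eax"]),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two things worth keeping in mind when reading the result. The exception address 0x80883770 is inside the kernel (nt!KiSystemService, kernel base 0x80800000), and the dump itself says SYMBOL_ON_RAW_STACK: 1, so "Probably caused by : aswMonFlt.SYS" is WinDbg's heuristic of blaming the nearest third-party return address found on the stack, not a proof that the fault is in that driver's code. The decoded string is `C:\WINDOWS\SYSTEM32\WBEM\LOGS\FRAMEW` (cut off where the minidump's stack capture ends), which only tells you which path was being handled at the time of the crash.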