Author Topic: Server keeps rebooting  (Read 6665 times)

0 Members and 1 Guest are viewing this topic.

Steven Eijzermans

  • Guest
Server keeps rebooting
« on: January 05, 2008, 01:22:25 PM »
Hey allen,

I have a strange problem with the sbs server @ work. Every 20 to 40 hours it reboots and i get a stop-fault message after login in.

it a sbs server 2003 standard sp2
with avast sbs suite fully updated

So debugging the memory dump gave me thus result :

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [c:\windows\minidump\Mini010208-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: c:\symbolen
Executable search path is: c:\windows\i386
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Wed Jan  2 00:08:27.780 2008 (GMT+1)
System Uptime: 1 days 11:43:05.921
Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe
Loading Kernel Symbols
Loading User Symbols
Loading unloaded module list
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

Use !analyze -v to get detailed debugging information.

BugCheck 1000008E, {c0000005, 80883770, b7af7ac8, 0}

Unable to load image \SystemRoot\System32\Drivers\aswMonFlt.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for aswMonFlt.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswMonFlt.SYS

Probably caused by : aswMonFlt.SYS ( aswMonFlt+2309 )

Followup: MachineOwner

0: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
Arg1: c0000005, The exception code that was not handled
Arg2: 80883770, The address that the exception occurred at
Arg3: b7af7ac8, Trap Frame
Arg4: 00000000

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. Een lees- of schrijfbewerking op het geheugen is mislukt:  The memory could not be %s.

80883770 668b02          mov     ax,word ptr [edx]

TRAP_FRAME:  b7af7ac8 -- (.trap 0xffffffffb7af7ac8)
ErrCode = 00000000
eax=b7af7b64 ebx=b9ecc880 ecx=00000400 edx=00000000 esi=b7af7b64 edi=b7af7b64
eip=80883770 esp=b7af7b3c ebp=b7af7b44 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
80883770 668b02          mov     ax,word ptr [edx]        ds:0023:00000000=0000
Resetting default scope





LAST_CONTROL_TRANSFER:  from 0052004f to 80883770



STACK_COMMAND:  dds B7AF7B4C-0x20 ; kb

b7af7b2c  00000000
b7af7b30  80883770 nt!KiSystemService+0x26
b7af7b34  00000008
b7af7b38  00010206
b7af7b3c  00000000
b7af7b40  00000000
b7af7b44  b7af8368
b7af7b48  b9ec5309 aswMonFlt+0x2309
b7af7b4c  b7af7b64
b7af7b50  00000000
b7af7b54  00000400
b7af7b58  89d8cf84
b7af7b5c  b7af8bc8
b7af7b60  88617638
b7af7b64  003a0043
b7af7b68  0057005c
b7af7b6c  004e0049
b7af7b70  004f0044
b7af7b74  00530057
b7af7b78  0053005c
b7af7b7c  00530059
b7af7b80  00450054
b7af7b84  0033004d
b7af7b88  005c0032
b7af7b8c  00420057
b7af7b90  004d0045
b7af7b94  004c005c
b7af7b98  0047004f
b7af7b9c  005c0053
b7af7ba0  00520046
b7af7ba4  004d0041
b7af7ba8  00570045

b9ec5309 ??              ???

SYMBOL_NAME:  aswMonFlt+2309

FOLLOWUP_NAME:  MachineOwner




FAILURE_BUCKET_ID:  0x8E_aswMonFlt+2309

BUCKET_ID:  0x8E_aswMonFlt+2309

Followup: MachineOwner

aswMonFlt is the problem according to this debug of the dmp.
So i disabled the driver in the register by putting it on 4 instead of 2 to see if the restarts still occur.
What i like to know is, what's this file about and do i put the server in a big security risk by disabling it??