[THIN] Re: OT - debugging windows




FYI.

KNOWN SYMANTEC AND WINDOWS ISSUE
There is a known issue with Symantec and Windows NT, 2000, and XP that could
cause the server to restart or blue screen.
This issue, most likely seen when using terminal services to access the
server, is caused by a problem with Windows kernel consumption when Symantec
is scanning files. The problem can be avoided by editing a registry key. Use
extreme caution in editing Windows registry, because incorrect changes to the
registry could result in permanent data loss or damaged files.
Modify only the key that is specified.

Click Start>Run.
Run Regedit.exe to open the Windows registry.

Browse to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT\Auto-Protect\InternalSettings

With InternalSettings highlighted, pull down New, and choose DWORD value.
Type KStackMinFree as the new DWORD value.
Right-click the KStackMinFree value, and then click Modify. Set the Base to
Hexadecimal, and type 2200 in the Value data field.

To restart the antivirus service:
Click Start>Program>Administrative Tools>Services.
Locate the Symantec Antivirus service.
Stop and then restart the antivirus service.

Changes to the KStackMinFree value take effect after the service is
restarted.
                                                                   
Kind regards,
Jeremy

Jeremy Saunders
Senior Technical Specialist
"ITS - passionate about winning"

IBM Logicalis (Integrated Technology Services)
Level 2, 1060 Hay Street
West Perth, WA 6005, AUSTRALIA

Visit us at http://www.ibm.com/services/au/its

Phone: 08 9261 8412
Fax: 08 9261 8536
Mobile: TBA
E-mail: jeremy.saunders@xxxxxxxxxxx
                                                                   
                                                                   
                                                                   











                                                                           
From: "Nick Gage" <nickg@xxxxxxxxxxt>
Sent by: thin-bounce@freelists.org
Date: 26/03/2005 07:01 AM
Please respond to thin
To: <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Re: OT - debugging windows
                                                                           
                                                                           




All,

This is NAV.  I used to work for MS and we saw this all the time.  If you
uninstall NAV, the BSOD will go away, but you will be vulnerable.

Thanks!

Nick


-----Original Message-----
From: Rick Mack [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack
Sent: Friday, March 25, 2005 4:50 PM
To: thin@xxxxxxxxxxxxx
Subject: RE: [THIN] Re: OT - debugging windows


Hi Adam,

Sorry, didn't state things at all clearly.

I agree that it's definitely the TCP/IP stack. The whole thing is
sufficiently rare that chances are it could be a hardware/NIC driver issue.


But, the Symantec driver is sitting there right in the middle of things.
Until it's out of the way you're not going to get a clear view of the
problem. And there's a possibility it could be part of the problem.

regards,

Rick


Ulrich Mack
Volante Systems
Level 2, 30 Little Cribb Street
Coronation Drive Office Park
Milton Qld 4064
tel: +61 7 32431847
fax: +61 7 32431992
rmack@xxxxxxxxxxxxxx

  _____

From: thin-bounce@xxxxxxxxxxxxx on behalf of Adam.Baum@xxxxxxxxxxxxxx
Sent: Sat 26/03/2005 1:17 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT - debugging windows



Hmm...I was reading the issue as being with the NIC or something since the
last few entries in the debug log point to TCP and N100325.  The memory
referenced is in the 804xxxxxx range and the only thing I see in that range
are network calls.

adam



From: "Rick Mack" <Rick.Mack@volante.com.au>
Sent by: thin-bounce@freelists.org
Date: 03/25/2005 02:37 AM
Please respond to thin
To: <thin@xxxxxxxxxxxxx>
cc:
Subject: [THIN] Re: OT - debugging windows




Hi Adam,

Symtdi.sys is a component of Symantec Norton AntiVirus.

I'd be tempted to uninstall it but don't bother trying to do it via
add/remove programs because it won't uninstall properly. See Symantec
knowledgebase article Document ID:2004040815592148 for details.

regards,

Rick

Ulrich Mack
Volante Systems
Level 2, 30 Little Cribb Street
Coronation Drive Office Park
Milton Qld 4064
tel: +61 7 32431847
fax: +61 7 32431992
rmack@xxxxxxxxxxxxxx

________________________________

From: thin-bounce@xxxxxxxxxxxxx on behalf of Adam.Baum@xxxxxxxxxxxxxx
Sent: Fri 25/03/2005 6:07 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: OT - debugging windows



Output is:

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: c0000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 804f9ce7, address which referenced memory

Debugging Details:
------------------


READ_ADDRESS:  c0000000 Nonpaged pool

CURRENT_IRQL:  2

FAULTING_IP:
nt!MmBuildMdlForNonPagedPool+7f
804f9ce7 8b0c16           mov     ecx,[esi+edx]

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0xA

LAST_CONTROL_TRANSFER:  from b9e9ea4a to 804f9ce7

TRAP_FRAME:  f78ae74c -- (.trap fffffffff78ae74c)
ErrCode = 00000000
eax=8897ede8 ebx=8897ee08 ecx=00000000 edx=8897ee04 esi=376811fc edi=00000000
eip=804f9ce7 esp=f78ae7c0 ebp=f78ae7cc iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010207
nt!MmBuildMdlForNonPagedPool+0x7f:
804f9ce7 8b0c16           mov     ecx,[esi+edx]     ds:0023:c0000000=????????
Resetting default scope

STACK_TEXT:
f78ae7cc b9e9ea4a 8897ede8 892710a8 8897ede8 nt!MmBuildMdlForNonPagedPool+0x7f
WARNING: Stack unwind information not available. Following frames may be wrong.
f78ae7e4 b9eb6e5d 00000000 00000080 f78ae828 SYMTDI!ACMRegisterFilterModule+0x2332
f78ae81c b9e90a36 876375e0 876373d8 00000000 SYMTDI!DisconnectTCPSession+0x2f2
f78ae84c b9eb3177 896b7a58 00000000 00000000 SYMTDI+0x5a36
f78ae86c b9eb30e5 896b7a58 896b7a58 f78ae8ac SYMTDI!rHeapFree+0x180f
f78ae87c 804f0154 894ea758 8827e990 896b7a58 SYMTDI!rHeapFree+0x177d
f78ae8ac b9ecec54 886aa1d8 87636008 00000002 nt!IopfCompleteRequest+0xa0
f78ae8c4 b9ed47df 8827e990 00000000 00000000 tcpip!TCPDataRequestComplete+0xa4
f78ae8d4 b9ed4882 8827e990 00000000 00000000 tcpip!TCPRequestComplete+0xf
f78ae8f0 b9ed7074 87636008 f78aea2c 00000000 tcpip!CompleteConnReq+0x86
f78ae970 b9ecf63f 894dfa90 4264650a 4c05a8c0 tcpip!TCPRcv+0xd6d
f78ae9d0 b9ecf8dd 00000020 894dfa90 00000000 tcpip!DeliverToUser+0x17b
f78aea84 b9ecdf0f 894dfa90 893e74ac 0000001c tcpip!IPRcvPacket+0x66c
f78aeac4 b9ecdf81 00000000 893df058 893e748a tcpip!ARPRcvIndicationNew+0x147
f78aeb00 f7273540 893a3008 00000000 893fe580 tcpip!ARPRcvPacket+0x66
f78aeb54 ba93a12e 89700ad0 f78aeb74 00000001 NDIS!ethFilterDprIndicateReceivePacket+0x1cc
f78aecbc ba93a2ee 013fe008 00000000 89700ad0 n100325+0xa12e
f78aece4 f7264025 003fe008 f772f980 893fe3f8 n100325+0xa2ee
f78aecf8 804efd70 893fe3f8 893fe3e4 00000000 NDIS!ndisMDpcX+0x1d
f78aed50 804e61f7 00000000 0000000e 00000000 nt!KiRetireDpcList+0xc8


FOLLOWUP_IP:
SYMTDI!ACMRegisterFilterModule+2332
b9e9ea4a b9a85eecb9       mov     ecx,0xb9ec5ea8

SYMBOL_STACK_INDEX:  1

FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  SYMTDI!ACMRegisterFilterModule+2332

MODULE_NAME:  SYMTDI

IMAGE_NAME:  SYMTDI.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  4050ed2d

STACK_COMMAND:  .trap fffffffff78ae74c ; kb

FAILURE_BUCKET_ID:  0xA_SYMTDI!ACMRegisterFilterModule+2332

BUCKET_ID:  0xA_SYMTDI!ACMRegisterFilterModule+2332

Followup: MachineOwner
---------


Looks like something with the network aspects of this server, but I can't
tell if the problem is in tcpip or the nic driver.

adam
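
Added example, not part of the original thread: a small Python triage of the STACK_TEXT above that lists which non-OS drivers are on the stack, whether the caller of the faulting frame sits below the "Stack unwind information not available" warning, and which named frames are probably nearest-export guesses. The OS module set and the 0x1000 offset threshold are assumptions of this example.

```python
import re

# Excerpt of the STACK_TEXT from this thread; some symbols sit on their own
# line, as happens when a mail client wraps debugger output.
STACK_TEXT = """\
f78ae7cc b9e9ea4a 8897ede8 892710a8 8897ede8
nt!MmBuildMdlForNonPagedPool+0x7f
WARNING: Stack unwind information not available. Following frames may be
wrong.
f78ae7e4 b9eb6e5d 00000000 00000080 f78ae828
SYMTDI!ACMRegisterFilterModule+0x2332
f78ae84c b9eb3177 896b7a58 00000000 00000000 SYMTDI+0x5a36
f78ae8c4 b9ed47df 8827e990 00000000 00000000
tcpip!TCPDataRequestComplete+0xa4
f78aeb54 ba93a12e 89700ad0 f78aeb74 00000001
NDIS!ethFilterDprIndicateReceivePacket+0x1cc
f78aecbc ba93a2ee 013fe008 00000000 89700ad0 n100325+0xa12e
"""

OS_MODULES = {"nt", "hal", "tcpip", "ndis"}  # assumption: treated as OS code
EXPORT_GUESS = 0x1000  # assumption: a larger offset suggests a nearest-export name
FRAME = re.compile(r"^(?:[0-9a-f]{8}\s+){4}[0-9a-f]{8}(?:\s+(\S+))?$", re.I)
SYMBOL = re.compile(r"^([\w.]+?)(?:!(\w+))?\+(?:0x)?([0-9a-f]+)$", re.I)

def parse_frames(text):
    """Return frames top-down as (module, function, offset, reliable)."""
    frames, pending, reliable = [], False, True
    for line in map(str.strip, text.splitlines()):
        if line.startswith("WARNING: Stack unwind information not available"):
            reliable = False            # every frame below is a best guess
            continue
        m = FRAME.match(line)
        sym = m.group(1) if m else (line if pending else None)
        pending = bool(m) and sym is None   # symbol wrapped to the next line
        s = SYMBOL.match(sym) if sym else None
        if s:
            frames.append((s.group(1), s.group(2), int(s.group(3), 16), reliable))
    return frames

def triage(frames):
    """Summarise which non-OS drivers are on the stack and how far to trust it."""
    return {
        "faulting": frames[0][0],
        "caller": frames[1][0],
        "caller_reliable": frames[1][3],
        "third_party": list(dict.fromkeys(
            m for m, *_ in frames if m.lower() not in OS_MODULES)),
        "export_guesses": [f"{m}!{fn}" for m, fn, off, _ in frames
                           if fn and off >= EXPORT_GUESS],
    }
```

On the excerpt, `triage(parse_frames(STACK_TEXT))` reports SYMTDI and n100325 as the non-OS modules, with SYMTDI as the caller of the faulting nt frame and that caller marked unreliable.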




From: Berdt van der Lingen <berdtvanderlingen@gmail.com>
Sent by: thin-bounce@freelists.org
Date: 03/24/2005 12:09 PM
Please respond to thin
To: thin@xxxxxxxxxxxxx
cc:
Subject: [THIN] Re: OT - debugging windows





> Use !analyze -v to get detailed debugging information.
>
> BugCheck A, {c0000000, 2, 0, 804f9ce7}
>
> *** ERROR: Symbol file could not be found.  Defaulted to export symbols for SYMTDI.SYS -
> *** ERROR: Module load completed but symbols could not be loaded for n100325.sys
> Probably caused by : SYMTDI.SYS ( SYMTDI!ACMRegisterFilterModule+2332 )

What's the output of analyze -v?
Are you running Norton / Symantec software?

regards,

Berdt
********************************************************
This Weeks Sponsor: RTO Software TScale
TScale provides a cost-effective way to improve performance, capacity and
stability for thin-client servers like Citrix MetaFrame or Microsoft
Terminal Services running Windows NT, 2000 or 2003.
http://www.rtosoft.com/enter.asp?id=296
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Excellent SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm






############################################################################

#########

This e-mail, including all attachments, may be confidential or privileged.
Confidentiality or privilege is not waived or lost because this e-mail has
been sent to you in error.  If you are not the intended recipient any use,
disclosure or copying of this e-mail is prohibited.  If you have received
it in error please notify the sender immediately by reply e-mail and
destroy all copies of this e-mail and any attachments.  All liability for
direct and indirect loss arising from this e-mail and any attachments is
hereby disclaimed to the extent permitted by law.
############################################################################

#########

(See attached file: winmail.dat)




--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.8.1 - Release Date: 3/23/2005

