[THIN] Re: OT - debugging windows
- From: "cherie.watts Watts" <cherie.watts@xxxxxxxxx>
- To: thin@xxxxxxxxxxxxx
- Date: Tue, 29 Mar 2005 11:36:58 +1000
Awesome choice...BSOD or Open season on viruses...
Go Trend or Mcafee
On Fri, 25 Mar 2005 17:01:01 -0600, Nick Gage <nickg@xxxxxxxxxxx> wrote:
> All,
>
> This is NAV. I used to work for MS and we saw this all the time. If you
> uninstall NAV, the BSOD will go away, but you will be vunerable.
>
> Thanks!
>
> Nick
>
>
> -----Original Message-----
> From: Rick Mack [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Mack
> Sent: Friday, March 25, 2005 4:50 PM
> To: thin@xxxxxxxxxxxxx
> Subject: RE: [THIN] Re: OT - debugging windows
>
> Hi Adam,
>
> Sorry, didn't state things at all clearly.
>
> I agree that it's definitely the TCP/IP stack. The whole thing is
> sufficiently rare that chances are it could be a hardware/NIC driver issue.
>
> But, the Symantec driver is sitting there right in the middle of things.
> Until it's out of the way you're not going to get a clear view of the
> problem. And there's a possibility it could be part of the problem.
>
> regards,
>
> Rick
>
> Ulrich Mack
> Volante Systems
> Level 2, 30 Little Cribb Street
> Coronation Drive Office Park
> Milton Qld 4064
> tel: +61 7 32431847
> fax: +61 7 32431992
> rmack@xxxxxxxxxxxxxx
>
> _____
>
> From: thin-bounce@xxxxxxxxxxxxx on behalf of Adam.Baum@xxxxxxxxxxxxxx
> Sent: Sat 26/03/2005 1:17 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT - debugging windows
>
> Hmm...I was reading the issue as being with the NIC or something since the
> last few entries in the debug log point to TCP and N100325. The memory
> referenced is in the 804xxxxxx range and the only thing I see in that range
> are network calls.
>
> adam
>
> |---------+---------------------------->
> | | "Rick Mack" |
> | | <Rick.Mack@volant|
> | | e.com.au> |
> | | Sent by: |
> | | thin-bounce@freel|
> | | ists.org |
> | | |
> | | |
> | | 03/25/2005 02:37 |
> | | AM |
> | | Please respond to|
> | | thin |
> | | |
> |---------+---------------------------->
>
> >---------------------------------------------------------------------------
> ---------------------------------------------------|
> |
> |
> | To: <thin@xxxxxxxxxxxxx>
> |
> | cc:
> |
> | Subject: [THIN] Re: OT - debugging windows
> |
>
> >---------------------------------------------------------------------------
> ---------------------------------------------------|
>
> Hi Adam,
>
> Symtdi.sys is a component of symantec nortons antivirus.
>
> I'd be tempted to uninstall it but don't bother trying to do it via
> add/remove programs because it won't uninstall properly. See Symantec
> knowledgebase article Document ID:2004040815592148 for details.
>
> regards,
>
> Rick
>
> Ulrich Mack
> Volante Systems
> Level 2, 30 Little Cribb Street
> Coronation Drive Office Park
> Milton Qld 4064
> tel: +61 7 32431847
> fax: +61 7 32431992
> rmack@xxxxxxxxxxxxxx
>
> ________________________________
>
> From: thin-bounce@xxxxxxxxxxxxx on behalf of Adam.Baum@xxxxxxxxxxxxxx
> Sent: Fri 25/03/2005 6:07 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: OT - debugging windows
>
> Output is:
>
> 1: kd> !analyze -v
> ****************************************************************************
> ***
>
> *
> *
> * Bugcheck Analysis
> *
> *
> *
> ****************************************************************************
> ***
>
> IRQL_NOT_LESS_OR_EQUAL (a)
> An attempt was made to access a pageable (or completely invalid) address at
> an
> interrupt request level (IRQL) that is too high. This is usually
> caused by drivers using improper addresses.
> If a kernel debugger is available get the stack backtrace.
> Arguments:
> Arg1: c0000000, memory referenced
> Arg2: 00000002, IRQL
> Arg3: 00000000, value 0 = read operation, 1 = write operation
> Arg4: 804f9ce7, address which referenced memory
>
> Debugging Details:
> ------------------
>
> READ_ADDRESS: c0000000 Nonpaged pool
>
> CURRENT_IRQL: 2
>
> FAULTING_IP:
> nt!MmBuildMdlForNonPagedPool+7f
> 804f9ce7 8b0c16 mov ecx,[esi+edx]
>
> DEFAULT_BUCKET_ID: DRIVER_FAULT
>
> BUGCHECK_STR: 0xA
>
> LAST_CONTROL_TRANSFER: from b9e9ea4a to 804f9ce7
>
> TRAP_FRAME: f78ae74c -- (.trap fffffffff78ae74c)
> ErrCode = 00000000
> eax=8897ede8 ebx=8897ee08 ecx=00000000 edx=8897ee04 esi=376811fc
> edi=00000000
> eip=804f9ce7 esp=f78ae7c0 ebp=f78ae7cc iopl=0 nv up ei pl nz na po
> cy
> cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000
> efl=00010207
> nt!MmBuildMdlForNonPagedPool+0x7f:
> 804f9ce7 8b0c16 mov ecx,[esi+edx]
> ds:0023:c0000000=????????
> Resetting default scope
>
> STACK_TEXT:
> f78ae7cc b9e9ea4a 8897ede8 892710a8 8897ede8
> nt!MmBuildMdlForNonPagedPool+0x7f
> WARNING: Stack unwind information not available. Following frames may be
> wrong.
> f78ae7e4 b9eb6e5d 00000000 00000080 f78ae828
> SYMTDI!ACMRegisterFilterModule+0x2332
> f78ae81c b9e90a36 876375e0 876373d8 00000000
> SYMTDI!DisconnectTCPSession+0x2f2
> f78ae84c b9eb3177 896b7a58 00000000 00000000 SYMTDI+0x5a36
> f78ae86c b9eb30e5 896b7a58 896b7a58 f78ae8ac SYMTDI!rHeapFree+0x180f
> f78ae87c 804f0154 894ea758 8827e990 896b7a58 SYMTDI!rHeapFree+0x177d
> f78ae8ac b9ecec54 886aa1d8 87636008 00000002 nt!IopfCompleteRequest+0xa0
> f78ae8c4 b9ed47df 8827e990 00000000 00000000
> tcpip!TCPDataRequestComplete+0xa4
> f78ae8d4 b9ed4882 8827e990 00000000 00000000 tcpip!TCPRequestComplete+0xf
> f78ae8f0 b9ed7074 87636008 f78aea2c 00000000 tcpip!CompleteConnReq+0x86
> f78ae970 b9ecf63f 894dfa90 4264650a 4c05a8c0 tcpip!TCPRcv+0xd6d
> f78ae9d0 b9ecf8dd 00000020 894dfa90 00000000 tcpip!DeliverToUser+0x17b
> f78aea84 b9ecdf0f 894dfa90 893e74ac 0000001c tcpip!IPRcvPacket+0x66c
> f78aeac4 b9ecdf81 00000000 893df058 893e748a
> tcpip!ARPRcvIndicationNew+0x147
> f78aeb00 f7273540 893a3008 00000000 893fe580 tcpip!ARPRcvPacket+0x66
> f78aeb54 ba93a12e 89700ad0 f78aeb74 00000001
> NDIS!ethFilterDprIndicateReceivePacket+0x1cc
> f78aecbc ba93a2ee 013fe008 00000000 89700ad0 n100325+0xa12e
> f78aece4 f7264025 003fe008 f772f980 893fe3f8 n100325+0xa2ee
> f78aecf8 804efd70 893fe3f8 893fe3e4 00000000 NDIS!ndisMDpcX+0x1d
> f78aed50 804e61f7 00000000 0000000e 00000000 nt!KiRetireDpcList+0xc8
>
> FOLLOWUP_IP:
> SYMTDI!ACMRegisterFilterModule+2332
> b9e9ea4a b9a85eecb9 mov ecx,0xb9ec5ea8
>
> SYMBOL_STACK_INDEX: 1
>
> FOLLOWUP_NAME: MachineOwner
>
> SYMBOL_NAME: SYMTDI!ACMRegisterFilterModule+2332
>
> MODULE_NAME: SYMTDI
>
> IMAGE_NAME: SYMTDI.SYS
>
> DEBUG_FLR_IMAGE_TIMESTAMP: 4050ed2d
>
> STACK_COMMAND: .trap fffffffff78ae74c ; kb
>
> FAILURE_BUCKET_ID: 0xA_SYMTDI!ACMRegisterFilterModule+2332
>
> BUCKET_ID: 0xA_SYMTDI!ACMRegisterFilterModule+2332
>
> Followup: MachineOwner
> ---------
>
> Looks like something with the network aspects of this server, but I can't
> tell if the problem is in tcpip or the nic driver.
>
> adam
>
> |---------+----------------------------->
> | | Berdt van der |
> | | Lingen |
> | | <berdtvanderlingen|
> | | @gmail.com> |
> | | Sent by: |
> | | thin-bounce@freeli|
> | | sts.org |
> | | |
> | | |
> | | 03/24/2005 12:09 |
> | | PM |
> | | Please respond to |
> | | thin |
> | | |
> |---------+----------------------------->
>
> >---------------------------------------------------------------------------
> ---------------------------------------------------|
>
> |
> |
> | To: thin@xxxxxxxxxxxxx
> |
> | cc:
> |
> | Subject: [THIN] Re: OT - debugging windows
> |
>
> >---------------------------------------------------------------------------
> ---------------------------------------------------|
>
> > Use !analyze -v to get detailed debugging information.
> >
> > BugCheck A, {c0000000, 2, 0, 804f9ce7}
> >
> > *** ERROR: Symbol file could not be found. Defaulted to export symbols
> for
> > SYMTDI.SYS -
> > *** ERROR: Module load completed but symbols could not be loaded for
> > n100325.sys
> > Probably caused by : SYMTDI.SYS ( SYMTDI!ACMRegisterFilterModule+2332 )
>
> What's the output of analyze -v?
> Are you running Norton / Symantec software?
>
> regards,
>
> Berdt
> ********************************************************
> This Weeks Sponsor: RTO Software TScale
> TScale provides a cost-effective way to improve performance, capacity and
> stability for thin-client servers like Citrix MetaFrame or Microsoft
> Terminal Services running Windows NT, 2000 or 2003.
> http://www.rtosoft.com/enter.asp?id=296
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community - Excellent SBC Search Capabilities!
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
>
> ********************************************************
> This Weeks Sponsor: RTO Software TScale
> TScale provides a cost-effective way to improve performance, capacity and
> stability for thin-client servers like Citrix MetaFrame or Microsoft
> Terminal Services running Windows NT, 2000 or 2003.
> http://www.rtosoft.com/enter.asp?id=296
> **********************************************************
> Useful Thin Client Computing Links are available at:
> http://thin.net/links.cfm
> ThinWiki community - Excellent SBC Search Capabilities!
> http://www.thinwiki.com
> ***********************************************************
> For Archives, to Unsubscribe, Subscribe or
> set Digest or Vacation mode use the below link:
> http://thin.net/citrixlist.cfm
>
> ############################################################################
> #########
>
> This e-mail, including all attachments, may be confidential or privileged.
> Confidentiality or privilege is not waived or lost because this e-mail has
> been sent to you in error. If you are not the intended recipient any use,
> disclosure or copying of this e-mail is prohibited. If you have received
> it in error please notify the sender immediately by reply e-mail and
> destroy all copies of this e-mail and any attachments. All liability for
> direct and indirect loss arising from this e-mail and any attachments is
> hereby disclaimed to the extent permitted by law.
> ############################################################################
> #########
>
> (See attached file: winmail.dat)
>
> ############################################################################
> #########
>
> This e-mail, including all attachments, may be confidential or privileged.
> Confidentiality or privilege is not waived or lost because this e-mail has
> been sent to you in error. If you are not the intended recipient any use,
> disclosure or copying of this e-mail is prohibited. If you have received it
> in error please notify the sender immediately by reply e-mail and destroy
> all copies of this e-mail and any attachments. All liability for direct and
> indirect loss arising from this e-mail and any attachments is hereby
> disclaimed to the extent permitted by law.
>
> ############################################################################
> #########
>
> --
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.308 / Virus Database: 266.8.1 - Release Date: 3/23/2005
>
>
>
********************************************************
This Weeks Sponsor: RTO Software TScale
TScale provides a cost-effective way to improve performance, capacity and
stability for thin-client servers like Citrix MetaFrame or Microsoft Terminal
Services running Windows NT, 2000 or 2003.
http://www.rtosoft.com/enter.asp?id=296
**********************************************************
Useful Thin Client Computing Links are available at:
http://thin.net/links.cfm
ThinWiki community - Excellent SBC Search Capabilities!
http://www.thinwiki.com
***********************************************************
For Archives, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://thin.net/citrixlist.cfm
Other related posts:
