Re: Question About Kernal Dumps, system crashing

Tech-Archive recommends: Speed Up your PC by fixing your registry

i ran the memory tests for a couple of hours, it did mulitple passes... since
it's production i didn't want to keep it down, wanted to try everything else
first. I cut it off, wanting to see if re-installing trend-micro worked.
Well, it did work and all is well. It made it through the night without any
issues.

Thank you very much for your assistance

"Jim Behning SBS MVP" wrote:

You have already run an overnight memory test? Running a single pass
will not do. I have found it takes 2 or more passes to find some bad
memory. That is why overnight is recommended. A quick single pass
might find a totally toast stick but subtle messed up ram can take a
good while to dig out. I have even substituted ram in to a server so I
could test the ram one stick at a time in another box until I found
the one stick of 4 that was bad. With a fast processor, single stick
tests run 20-30 times goes sort of fast. Real slow if you are trying
to test all 4 sticks at once. Part two of that is if you are testing
multiple sticks you do not know which one is really bad. I was also
thinking ECC ram can be slightly more challenging to test but last
stick I test out bad was an ECC stick.

On Fri, 14 Mar 2008 18:04:00 -0700, Steve
<Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I opened a ticket with ASUS about the RAID controller, LSI Logic does not
support or provide drivers for their embedded controllers, referred me to
ASUS. The only other things i could do at the moment are un-install,
re-install trend-micro and run the MS memory tests. i did both and all seems
well. i hope the backup runs through all of its processes tonight.

AL stated i should turn off verification for backups since i am backing up
to a network drive. The SBS Backup wizard does not provide an option to turn
off verification. I found a registry setting, but do not want to mess with
that without verifying it's ok, what the settings are.

Somewhere along the way sql2000 was installed, with a service pack, and sbs
monitoring made the transition. Sharepoint somehow did not. During startup i
get errors, but when i start sharepoint under services it starts and
functions. the best practice analyzer points out that sharepoint is not
running under sql. Something is corrupt there, but doubt it has anything to
do with the nightly crashes. Unless it might have something to do with my
crashes, i will address that issue later on.

Thanks for your assistance.




"Jim Behning SBS MVP" wrote:

I doubt it is Trend but you could always uninstall the Trend client
from the server for the afternoon/night to see if there is any
difference. I once had an unknown memory leak that turned out to be
the Trend client on the server. An uninstall, reboot and reinstall
fixed the memory leak caused by the Trend client. But your dump
analysis keeps pointing to your raid.

On Fri, 14 Mar 2008 06:12:01 -0700, Steve
<Steve@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

I applied all of the patches and updates from trend and hotfix from MS, etc
as explained in my previous message. Again, the server crashed at precisely
1:03am. Following are the messages generated, also the backup log showing
what it was doing (verification process), and the debug results...

Wondering if NTRTSCAN is having issues processing a 49GB backup file during
the verification process? The backup files reside on a network drive.

This is the event written upon logging on after crash.

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 3/14/2008
Time: 5:37:43 AM
User: N/A
Computer: domainSERVER
Description:
Error code 1000007f, parameter1 00000008, parameter2 f7727fe0, parameter3
00000000, parameter4 00000000.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45 System E
0008: 72 72 6f 72 20 20 45 72 rror Er
0010: 72 6f 72 20 63 6f 64 65 ror code
0018: 20 31 30 30 30 30 30 37 1000007
0020: 66 20 20 50 61 72 61 6d f Param
0028: 65 74 65 72 73 20 30 30 eters 00
0030: 30 30 30 30 30 38 2c 20 000008,
0038: 66 37 37 32 37 66 65 30 f7727fe0
0040: 2c 20 30 30 30 30 30 30 , 000000
0048: 30 30 2c 20 30 30 30 30 00, 0000
0050: 30 30 30 30 0000

This is the event written upon reboot after crash.

Event Type: Error
Event Source: EventLog
Event Category: None
Event ID: 6008
Date: 3/14/2008
Time: 1:07:31 AM
User: N/A
Computer: domainSERVER
Description:
The previous system shutdown at 1:03:48 AM on 3/14/2008 was unexpected.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: d8 07 03 00 05 00 0e 00 Ø.......
0008: 01 00 03 00 30 00 49 01 ....0.I.
0010: d8 07 03 00 05 00 0e 00 Ø.......
0018: 05 00 03 00 30 00 49 01 ....0.I.

This is the Backup activity taking place before crash:


Backup Type: Normal

Backup started on 3/13/2008 at 9:55 PM.
Backup completed on 3/14/2008 at 12:25 AM.
Directories: 2225
Files: 31631
Bytes: 49,006,705,583
Time: 2 hours, 30 minutes, and 39 seconds
Backup of "domainSERVER\Microsoft Information Store\First Storage Group"
Backup set #3 on media #1
Backup description: "SBS Backup created on 3/13/2008 at 9:00 PM"
Media name: "Small Business Server Backup (05).bkf created 3/13/2008 at 9:00
PM"

Backup Type: Normal

Backup started on 3/14/2008 at 12:25 AM.
Backup completed on 3/14/2008 at 12:53 AM.
Directories: 4
Files: 6
Bytes: 9,063,604,912
Time: 27 minutes and 19 seconds
Backup (via shadow copy) of "System State"
Backup set #4 on media #1
Backup description: "SBS Backup created on 3/13/2008 at 9:00 PM"
Media name: "Small Business Server Backup (05).bkf created 3/13/2008 at 9:00
PM"

Backup Type: Copy

Backup started on 3/14/2008 at 12:53 AM.
Backup completed on 3/14/2008 at 12:56 AM.
Directories: 292
Files: 2883
Bytes: 637,955,229
Time: 3 minutes and 0 seconds

----------------------

The NEXT operation would have been to verify status: (copied from latest
complete backup log) (System crashes during this operation)

Verify Status
Operation: Verify After Backup
Active backup destination: File
Active backup destination: \\Admin\SBS Backup\Backup Files\Small Business
Server Backup (01).bkf

Verify of "C:"
Backup set #1 on media #1
Backup description: "SBS Backup created on 3/7/2008 at 9:00 PM"
Verify started on 3/8/2008 at 1:36 AM.
Verify completed on 3/8/2008 at 1:50 AM.
Directories: 4353
Files: 39340
Different: 0
Bytes: 8,769,399,819
Time: 14 minutes and 29 seconds

DEBUGGER RESULTS from MINIDUMP

Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\Minidump\Mini031408-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is:
SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free
x86 compatible
Product: LanManNt, suite: SmallBusiness TerminalServer
SmallBusinessRestricted SingleUserTS
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Fri Mar 14 01:04:51.359 2008 (GMT-4)
System Uptime: 0 days 6:16:45.472
Loading Kernel Symbols
.................................................................................................................
Loading User Symbols
Loading unloaded module list
..
Unable to load image MegaIDE.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for MegaIDE.sys
*** ERROR: Module load completed but symbols could not be loaded for
MegaIDE.sys
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1000007F, {8, f7727fe0, 0, 0}

Unable to load image TmPreFlt.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for TmPreFlt.sys
*** ERROR: Module load completed but symbols could not be loaded for
TmPreFlt.sys
*** WARNING: Unable to verify timestamp for VSApiNt.sys
*** ERROR: Module load completed but symbols could not be loaded for
VSApiNt.sys
*** WARNING: Unable to verify timestamp for TmXPFlt.sys
*** ERROR: Module load completed but symbols could not be loaded for
TmXPFlt.sys


Probably caused by : MegaIDE.sys ( MegaIDE+4429 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*
*
* Bugcheck Analysis
*
*
*
*******************************************************************************

UNEXPECTED_KERNEL_MODE_TRAP_M (1000007f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: f7727fe0
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

BUGCHECK_STR: 0x7f_8

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

PROCESS_NAME: NTRtScan.exe

CURRENT_IRQL: 6

TRAP_FRAME: b82cfd68 -- (.trap 0xffffffffb82cfd68)
ErrCode = 00000000
eax=c310d400 ebx=0000000e ecx=0000000f edx=00000000 esi=894f3370 edi=00000000
eip=808b64a6 esp=b82cfddc ebp=b82cfe18 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
nt!CcMapData+0x8c:
808b64a6 8a10 mov dl,byte ptr [eax]
ds:0023:c310d400=??
Resetting default scope

LAST_CONTROL_TRANSFER: from f725b264 to f725b429




"Dave Nickason [SBS MVP]" wrote:

Do you have Trend set to update at midnight? Or anything going on with
Trend that could be causing this? Is your Trend software up to date? (I
always like AV as a possibility for otherwise unexplained software issues.
Not just Trend, but anybody - AV is often the cause).

You could try reinstalling that driver, checking the ASUS support web site,
or contacting their tech support.
.

Relevant Pages

  • Saving Fax Console to reinstall after a full wipe restore
    ... to paste-overwrite back into the renewed windows installation. ... to Full backup vs Full image. ... 512 kilobyte secondary memory cache ... Secondary IDE Channel [Controller] ...
    (microsoft.public.windowsxp.hardware)
  • Re: Backup/Restore program (s), etc/misc info;
    ... to Full backup vs Full image. ... 512 kilobyte secondary memory cache ... Network Drives: ... Secondary IDE Channel [Controller] ...
    (microsoft.public.windowsxp.hardware)
  • Re: Saving Fax Console to reinstall after a full wipe restore
    ... I've never managed to restore my old fax msg store in three ... separate backup apps, one of which is bound to work (and has proved to ... 512 kilobyte secondary memory cache ... Secondary IDE Channel [Controller] ...
    (microsoft.public.windowsxp.hardware)
  • Re: Backup/Restore program (s), etc/misc info;
    ... backup all, including OS XP Home, but something in addition to ntbackup, in ... 512 kilobyte secondary memory cache ... Network Drives: ... Secondary IDE Channel [Controller] ...
    (microsoft.public.windowsxp.perform_maintain)
  • Re: Question About Kernal Dumps, system crashing
    ... You have already run an overnight memory test? ... I have even substituted ram in to a server so I ... i hope the backup runs through all of its processes tonight. ... This means a trap occurred in kernel mode, and it's a trap of a kind ...
    (microsoft.public.windows.server.sbs)