symsnap.sys BSOD
Dear all,
I have a file server with Windows 2003 Server SP2.
Previously, it had Symantec BE 11d & System Recovery installed.
Later, we deployed VM and this server became virtualized.
Then, we purchased Symantec BE 2010 and installed it on another server.
So, we uninstalled Symantec BE 11d and System Recovery, and installed the remote agent through the BE 2010 server.
After that, the server occasionally blue screens.
I found the following in the Memory dump:
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault). The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
use .trap on that value
Else
.trap on the appropriate frame will show where the trap was taken
(on x86, this will be the ebp that goes with the procedure KiTrap)
Endif
kb will then show the corrected stack.
Arguments:
Arg1: 00000008, EXCEPTION_DOUBLE_FAULT
Arg2: 80042000
Arg3: 00000000
Arg4: 00000000
Debugging Details:
------------------
BUGCHECK_STR: 0x7f_8
TSS: 00000028 -- (.tss 0x28)
eax=00000100 ebx=00000001 ecx=00000001 edx=00000000 esi=00000000 edi=8b33dbb8
eip=80a5c158 esp=b903f000 ebp=b903f00c iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
hal!HalpDispatchSoftwareInterrupt+0x8:
80a5c158 9c pushfd
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 1
TRAP_FRAME: b903f52c -- (.trap 0xffffffffb903f52c)
ErrCode = 00000000
eax=d2fc2800 ebx=00000001 ecx=0000000f edx=00000000 esi=8b33db40 edi=00000000
eip=808b64a6 esp=b903f5a0 ebp=b903f5dc iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
nt!CcMapData+0x8c:
808b64a6 8a10 mov dl,byte ptr [eax] ds:0023:d2fc2800=46
Resetting default scope
LAST_CONTROL_TRANSFER: from 80a5c397 to 80a5c158
STACK_TEXT:
b903f00c 80a5c397 00000002 00000000 80a5c3f4 hal!HalpDispatchSoftwareInterrupt+0x8
b903f028 80a5c456 00000000 00000001 b903f064 hal!HalpCheckForSoftwareInterrupt+0x3f
b903f038 80833485 8b33db40 8b33dbe8 00000001 hal!KfLowerIrql+0x62
b903f064 80829a62 8b3006a8 00000000 882260d0 nt!KiSwapThread+0x305
b903f0ac f7b5950e b903f1fc 00000000 00000000 nt!KeWaitForSingleObject+0x346
b903f260 8081df65 8b395328 882260d0 882260d0 Ntfs!NtfsFsdRead+0x22c
b903f274 f76e6d28 00000000 8b595030 8b2daa10 nt!IofCallDriver+0x45
b903f2a0 8081df65 8b3e5860 882260d0 882260d0 fltmgr!FltpDispatch+0x152
b903f2b4 f787e5bb 882262cc 8b2da958 8b5e0580 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
b903f2d8 f787bcfc 882262a8 882260d0 8b400958 symsnap+0x85bb
b903f2ec 8081df65 8b2da958 882260d0 882262f0 symsnap+0x5cfc
b903f300 bab368e1 8b3ee3a8 8b2bd568 8b651008 nt!IofCallDriver+0x45
b903f314 8081df65 8b425c20 882260d0 882260d0 SYMEVENT+0x78e1
b903f328 f76e6d28 00482000 8b595030 882262e8 nt!IofCallDriver+0x45
b903f354 8081df65 8b3ee3a8 882260d0 8822630c fltmgr!FltpDispatch+0x152
b903f368 f77a8eb9 f77a8e12 00000000 8b36e800 nt!IofCallDriver+0x45
b903f3c8 8081df65 8ac4b818 882260d0 882260d0 lgtosync+0x1eb9
b903f3dc 8081e4ed 8b33db40 8a1f67e0 c0697e10 nt!IofCallDriver+0x45
b903f3f4 8085114a 8b596b0d 8a1f6818 8a1f67f8 nt!IoPageRead+0x109
b903f490 8085ea66 00000001 d2fc2800 8a1f67e0 nt!MiDispatchFault+0xece
b903f514 8088c798 00000000 d2fc2800 00000000 nt!MmAccessFault+0x89e
b903f514 808b64a6 00000000 d2fc2800 00000000 nt!KiTrap0E+0xdc
b903f5dc f7b90f2d 8b596bc8 b903f60c 00000400 nt!CcMapData+0x8c
b903f5fc f7b8e494 b903fc9c 8b3006a8 00482800 Ntfs!NtfsMapStream+0x4b
b903f670 f7b90df0 b903fc9c 8b395408 e3df1ce0 Ntfs!NtfsReadMftRecord+0x86
b903f6a8 f7b90fac b903fc9c 8b395408 e3df1ce0 Ntfs!NtfsReadFileRecord+0x7a
b903f6e0 f7b4f8a8 b903fc9c e3df1cd8 e3df1ce0 Ntfs!NtfsLookupInFileRecord+0x37
b903f7f0 f7b50674 b903fc9c e3df1da0 00000000 Ntfs!NtfsLookupAllocation+0xdd
b903f9c0 f7b5082c b903fc9c 8a303db8 e3df1da0 Ntfs!NtfsPrepareBuffers+0x25d
b903fb9c f7b51156 b903fc9c 8a303db8 e3df1da0 Ntfs!NtfsNonCachedIo+0x1ee
b903fc88 f7b51079 b903fc9c 8a303db8 00000001 Ntfs!NtfsCommonRead+0xaf5
b903fe34 8081df65 8b395328 8a303db8 8a303db8 Ntfs!NtfsFsdRead+0x113
b903fe48 f76e6d28 00000000 8b595030 8b2daa10 nt!IofCallDriver+0x45
b903fe74 8081df65 8b3e5860 8a303db8 8a303db8 fltmgr!FltpDispatch+0x152
b903fe88 f787e5bb 8a303fb4 8b2da958 8b5e0580 nt!IofCallDriver+0x45
b903feac f787bcfc 8a303f90 8a303db8 8b400958 symsnap+0x85bb
b903fec0 8081df65 8b2da958 8a303db8 8a303fd8 symsnap+0x5cfc
b903fed4 bab368e1 8b3ee3a8 8b2bd568 8b651008 nt!IofCallDriver+0x45
b903fee8 8081df65 8b425c20 8a303db8 8a303db8 SYMEVENT+0x78e1
b903fefc f76e6d28 00000000 8b595030 8a303fd0 nt!IofCallDriver+0x45
b903ff28 8081df65 8b3ee3a8 8a303db8 8a303ff4 fltmgr!FltpDispatch+0x152
b903ff3c f77a8eb9 f77a8e12 00000000 8b36e800 nt!IofCallDriver+0x45
b903ff9c 8081df65 8ac4b818 8a303db8 8a303db8 lgtosync+0x1eb9
b903ffb0 8081e4ed 8b33db40 8a235cd0 c06b3800 nt!IofCallDriver+0x45
b903ffc8 8085114a 8b36650d 8a235d08 8a235ce8 nt!IoPageRead+0x109
b9040064 8085ea66 00000001 d6700000 8a235cd0 nt!MiDispatchFault+0xece
b90400e8 80859290 00000000 d6700000 00000000 nt!MmAccessFault+0x89e
b9040124 808b53ed d6700000 00000000 89bc87c0 nt!MmCheckCachedPageState+0x4f8
b90401b0 f7b50f03 88156f28 b9040274 00000100 nt!CcCopyRead+0x3e7
b9040298 f7b51079 8a17def8 89bc87a8 00000001 Ntfs!NtfsCommonRead+0xc14
b904033c 8081df65 8b395328 89bc87a8 89bc87a8 Ntfs!NtfsFsdRead+0x113
b9040350 f76e6d28 00000000 8b595030 8b2daa10 nt!IofCallDriver+0x45
b904037c 8081df65 8b3e5860 89bc87a8 89bc87a8 fltmgr!FltpDispatch+0x152
b9040390 f787e5bb 89bc89a4 8b2da958 8b5e0580 nt!IofCallDriver+0x45
b90403b4 f787bcfc 89bc8980 89bc87a8 8b400958 symsnap+0x85bb
b90403c8 8081df65 8b2da958 89bc87a8 89bc89c8 symsnap+0x5cfc
b90403dc bab368e1 8b3ee3a8 8b2bd568 8b651008 nt!IofCallDriver+0x45
b90403f0 8081df65 8b425c20 89bc87a8 89bc87a8 SYMEVENT+0x78e1
b9040404 f76e6d28 88156f28 8b595030 89bc89c0 nt!IofCallDriver+0x45
b9040430 8081df65 8b3ee3a8 89bc87a8 89bc89e4 fltmgr!FltpDispatch+0x152
b9040444 f77a8eb9 f77a8e12 89bc87a8 8b36e800 nt!IofCallDriver+0x45
b90404a4 8081df65 8ac4b818 89bc87a8 89bc87a8 lgtosync+0x1eb9
b90404b8 808f5437 89bc89c8 89bc87a8 88156f28 nt!IofCallDriver+0x45
b90404cc 808f25eb 8ac4b818 89bc87a8 88156f28 nt!IopSynchronousServiceTail+0x10b
b9040564 8088978c 8000455c 00000000 00000000 nt!NtReadFile+0x5d5
b9040564 8082f4e1 8000455c 00000000 00000000 nt!KiFastCallEntry+0xfc
b9040600 bab97083 8000455c 00000000 00000000 nt!ZwReadFile+0x11
b9040690 bab68cff e10b9760 e4228010 00000100 savrt+0x46083
b90406b4 bab7fc8c e4228010 00000100 bab79c0c savrt+0x17cff
b90406c0 bab79c0c e4187f50 e4228010 00000100 savrt+0x2ec8c
b90406e8 bab79ddd e4187f40 00000000 00000000 savrt+0x28c0c
b9040754 bab74d3c e4228008 e4187f40 00000002 savrt+0x28ddd
b9040798 bab6aa59 e4b57470 e94d5008 e4187f40 savrt+0x23d3c
00000000 00000000 00000000 00000000 00000000 savrt+0x19a59
STACK_COMMAND: .tss 0x28 ; kb
FOLLOWUP_IP:
symsnap+85bb
f787e5bb 8bd8 mov ebx,eax
SYMBOL_STACK_INDEX: 9
SYMBOL_NAME: symsnap+85bb
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: symsnap
IMAGE_NAME: symsnap.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 49cc173e
FAILURE_BUCKET_ID: 0x7f_8_symsnap+85bb
BUCKET_ID: 0x7f_8_symsnap+85bb
Followup: MachineOwner
---------
I tried to search for symsnap.sys, but this file does not exist on the server now.
Could someone help give some advice on this issue?
Ivan
I have uninstalled NAV 10.0 and the server runs fine now.
I don't know if it is related, but the server has not BSODed these days.
All I have to do is to keep monitoring.
Ivan