Server 2008 x64 crashing

 
 
Zachary
Guest
Posts: n/a

 
      11-19-2009
I have a 2008 server that has crashed 5 times this morning. The event logs
show nothing right before the crash to point me in the right direction. All
I have to go on is the Blue Screen. I am currently downloading the symbols
needed to analyze a server 2008 crash file. Once I get that downloaded I
might know more but I need some preliminary help on this. To start I want
to make everyone aware, no hardware changes were made recently, no driver
updates or installs were done recently, and no windows updates were done
recently. Here is the BSOD info:



SYSTEM_SERVICE_EXCEPTION



STOP: 0X0000003B (0x00000000C0000005, 0XFFFFFA6008B18726,
0XFFFFFA600BBC4B30, 0x0000000000000000)



VSApiNt.sys - Address FFFFFA6008B18726 base at FFFFFA6008A0E000, DateStamp
4ad30768



Any help would be appreciated.


 
 
 
 
 
Zachary
Guest
Posts: n/a

 
      11-19-2009
Here is my crash analysis:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\Temp\AGRADC2-926-Crash.DMP]
Kernel Summary Dump File: Only kernel address space is available

WARNING: Inaccessible path: 'D:\I386'
Symbol search path is:
SRV*c:\temp\symbolstore*http://msdl.microsoft.com/download/symbols
Executable search path is: D:\I386
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (8
procs) Free x64
Product: LanManNt, suite: TerminalServer SingleUserTS
Built by: 6001.18304.amd64fre.vistasp1_gdr.090805-0102
Machine Name:
Kernel base = 0xfffff800`01a06000 PsLoadedModuleList = 0xfffff800`01bcbdb0
Debug session time: Thu Nov 19 09:26:47.649 2009 (GMT-6)
System Uptime: 0 days 1:20:02.331
Loading Kernel Symbols
.................................................. ..............
.................................................. ...............
..................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for
details
Loading unloaded module list
..............
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffffa6008b18726, fffffa600bbc4b30, 0}

*** ERROR: Symbol file could not be found. Defaulted to export symbols for
VSApiNt.sys -
*** ERROR: Module load completed but symbols could not be loaded for
TmXPFlt.sys
Page c74fc not present in the dump file. Type ".hh dbgerr004" for details
Page c7dea not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for
details
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for
details
Probably caused by : VSApiNt.sys ( VSApiNt!VSScanVirusInMemory+4eb6 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffffa6008b18726, Address of the exception record for the exception
that caused the bugcheck
Arg3: fffffa600bbc4b30, Address of the context record for the exception that
caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

Page c74fc not present in the dump file. Type ".hh dbgerr004" for details
Page c7dea not present in the dump file. Type ".hh dbgerr004" for details
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for
details
PEB is paged out (Peb.Ldr = 000007ff`fffd5018). Type ".hh dbgerr001" for
details

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
VSApiNt!VSScanVirusInMemory+4eb6
fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h]

CONTEXT: fffffa600bbc4b30 -- (.cxr 0xfffffa600bbc4b30)
rax=fffff88016a84940 rbx=fffff88027e7d040 rcx=fffff880263c6520
rdx=0000000000000007 rsi=0000000000000030 rdi=0000000000000000
rip=fffffa6008b18726 rsp=fffffa600bbc5390 rbp=0000000000000007
r8=00000000876402c0 r9=fffffffff528975c r10=fffff8803113c036
r11=fffffa600bbc5380 r12=0000000000005389 r13=0000000000000030
r14=000000000030f000 r15=fffff88027e7d040
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b
efl=00010246
VSApiNt!VSScanVirusInMemory+0x4eb6:
fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h]
ds:002b:00000000`876402e0=????????
Resetting default scope

DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT

BUGCHECK_STR: 0x3B

PROCESS_NAME: Ntrtscan.exe

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffffa6008b18a22 to fffffa6008b18726

STACK_TEXT:
fffffa60`0bbc5390 fffffa60`08b18a22 : 00000000`00000001 fffff880`00000001
fffff880`00000000 fffffa60`0bbc5450 : VSApiNt!VSScanVirusInMemory+0x4eb6
fffffa60`0bbc5420 fffffa60`08b19a96 : fffff880`25e218a8 fffff880`27e7d040
00000000`00000001 fffff880`27e7d040 : VSApiNt!VSScanVirusInMemory+0x51b2
fffffa60`0bbc5450 fffffa60`08b19c71 : 00000000`00000001 fffff880`171d7038
fffff880`171d7038 00000000`00000001 : VSApiNt!VSScanVirusInMemory+0x6226
fffffa60`0bbc5480 fffffa60`08b1a16e : fffff880`171d7038 fffff880`17b3a0c8
fffffa60`0bbc5580 00000000`00304329 : VSApiNt!VSScanVirusInMemory+0x6401
fffffa60`0bbc54c0 fffffa60`08b1b95f : fffff880`17b3a068 fffff880`0c45c6d0
00000000`00304329 fffffa60`0bbc5580 : VSApiNt!VSScanVirusInMemory+0x68fe
fffffa60`0bbc5540 fffffa60`08b1bb29 : 00000000`00000002 fffff880`27e7d040
fffff880`003041fb fffff880`27e7d040 : VSApiNt!VSScanVirusInMemory+0x80ef
fffffa60`0bbc5570 fffffa60`08b1d4a2 : fffff880`0c45c6d0 fffff880`00304323
fffffa60`0bbc5620 72657355`00000001 : VSApiNt!VSScanVirusInMemory+0x82b9
fffffa60`0bbc55c0 fffffa60`08b14561 : fffff880`0cd59030 fffff880`17125030
fffff880`096fefa0 00000000`000000b3 : VSApiNt!VSScanVirusInMemory+0x9c32
fffffa60`0bbc55f0 fffffa60`08a4d4a3 : fffff880`27e7d040 fffff880`0cd59030
00000000`0000024d fffffa60`08ae2887 : VSApiNt!VSScanVirusInMemory+0xcf1
fffffa60`0bbc5620 fffffa60`08a4c27d : 00000000`00000000 00000000`00000000
fffffa60`0bbc5718 00000000`0000177f : VSApiNt+0x3f4a3
fffffa60`0bbc56c0 fffffa60`08b9a44e : fffff880`00000000 fffffa80`00000001
fffff880`0c45c6d0 00000000`00002000 : VSApiNt+0x3e27d
fffffa60`0bbc57c0 fffffa60`08859460 : fffff880`2ad8b048 fffffa80`145c3328
fffff880`2ad8b120 fffff880`0c45c6d0 : VSApiNt!VSVirusScanFileW+0x18e
fffffa60`0bbc5840 fffffa60`0885a433 : fffffa80`00000001 fffffa80`145c3328
00000000`00000000 fffffa60`0bbc5890 : TmXPFlt+0x1c460
fffffa60`0bbc5880 fffffa60`088527f1 : fffffa80`13798c10 00000000`048788d0
00000000`ffffffff fffff880`001f0003 : TmXPFlt+0x1d433
fffffa60`0bbc5920 fffffa60`088586fb : 00000000`c00000bb fffffa60`0bbc59b8
fffffa60`0bbc59b0 fffffa60`0bbc5a30 : TmXPFlt+0x157f1
fffffa60`0bbc5960 fffffa60`0884122d : 00000000`00000000 fffffa60`0bbc5ca0
00000000`00000001 fffffa80`100f8b00 : TmXPFlt+0x1b6fb
fffffa60`0bbc5990 fffff800`01cdf4aa : fffffa80`13bc86b0 fffffa80`13bc86b0
00000000`00000001 fffff880`263e2701 : TmXPFlt+0x422d
fffffa60`0bbc59f0 fffff800`01cf8416 : 00000000`048787b8 00000000`000004e0
00000000`00000000 00000000`04878850 : nt!IopXxxControlFile+0x5da
fffffa60`0bbc5b40 fffff800`01a5a173 : fffffa80`145f0060 00000000`04878798
fffffa60`0bbc5bc8 00000000`000003e4 : nt!NtDeviceIoControlFile+0x56
fffffa60`0bbc5bb0 00000000`77415aea : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`04878788 00000000`00000000 : 00000000`00000000 00000000`00000000
00000000`00000000 00000000`00000000 : 0x77415aea


FOLLOWUP_IP:
VSApiNt!VSScanVirusInMemory+4eb6
fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: VSApiNt!VSScanVirusInMemory+4eb6

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: VSApiNt

IMAGE_NAME: VSApiNt.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 4ad30768

STACK_COMMAND: .cxr 0xfffffa600bbc4b30 ; kb

FAILURE_BUCKET_ID: X64_0x3B_VSApiNt!VSScanVirusInMemory+4eb6

BUCKET_ID: X64_0x3B_VSApiNt!VSScanVirusInMemory+4eb6

Followup: MachineOwner
---------


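A triage pass over the values posted above, as an added example that is not part of the original thread: it recomputes the faulting offset inside VSApiNt.sys, decodes the driver's DateStamp, re-derives the address the faulting instruction tried to read, and lists the modules on the stack. The function names are hypothetical, and the embedded text is an abridged excerpt of the posted output.

```python
import re
from datetime import datetime, timezone

# Abridged excerpt of the STOP-screen line and `!analyze -v` output posted
# above (five of the stack frames, newsgroup line wrapping kept as posted).
BSOD_LINE = ("VSApiNt.sys - Address FFFFFA6008B18726 base at "
             "FFFFFA6008A0E000, DateStamp 4ad30768")
ANALYZE = r"""
BugCheck 3B, {c0000005, fffffa6008b18726, fffffa600bbc4b30, 0}
FAULTING_IP:
VSApiNt!VSScanVirusInMemory+4eb6
fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h]
CONTEXT: fffffa600bbc4b30 -- (.cxr 0xfffffa600bbc4b30)
rax=fffff88016a84940 rbx=fffff88027e7d040 rcx=fffff880263c6520
rdx=0000000000000007 rsi=0000000000000030 rdi=0000000000000000
rip=fffffa6008b18726 rsp=fffffa600bbc5390 rbp=0000000000000007
r8=00000000876402c0 r9=fffffffff528975c r10=fffff8803113c036
ds:002b:00000000`876402e0=????????
PROCESS_NAME: Ntrtscan.exe
STACK_TEXT:
fffffa60`0bbc5390 fffffa60`08b18a22 : 00000000`00000001 fffff880`00000001
fffff880`00000000 fffffa60`0bbc5450 : VSApiNt!VSScanVirusInMemory+0x4eb6
fffffa60`0bbc57c0 fffffa60`08859460 : fffff880`2ad8b048 fffffa80`145c3328
fffff880`2ad8b120 fffff880`0c45c6d0 : VSApiNt!VSVirusScanFileW+0x18e
fffffa60`0bbc5840 fffffa60`0885a433 : fffffa80`00000001 fffffa80`145c3328
00000000`00000000 fffffa60`0bbc5890 : TmXPFlt+0x1c460
fffffa60`0bbc59f0 fffff800`01cf8416 : 00000000`048787b8 00000000`000004e0
00000000`00000000 00000000`04878850 : nt!IopXxxControlFile+0x5da
fffffa60`0bbc5b40 fffff800`01a5a173 : fffffa80`145f0060 00000000`04878798
fffffa60`0bbc5bc8 00000000`000003e4 : nt!NtDeviceIoControlFile+0x56
"""

# x64 Windows kernel-mode addresses lie at or above this value.
KERNEL_HALF_START = 0xFFFF800000000000


def hexint(text):
    """Parse a debugger hex value, ignoring the ` separator WinDbg prints."""
    return int(text.replace("`", ""), 16)


def parse_bsod_line(line):
    """Split the STOP-screen driver line into module, offset and build time."""
    m = re.search(r"(\S+) - Address ([0-9A-Fa-f]+) base at ([0-9A-Fa-f]+), "
                  r"DateStamp ([0-9A-Fa-f]+)", line)
    if not m:
        raise ValueError("not a driver line from a STOP screen")
    module, addr, base, stamp = m.groups()
    return {
        "module": module,
        # Offset of the faulting instruction from the driver's load address.
        "rva": hexint(addr) - hexint(base),
        # DateStamp is the PE header TimeDateStamp: seconds since 1970 (UTC).
        "built": datetime.fromtimestamp(hexint(stamp), tz=timezone.utc),
    }


def parse_registers(text):
    """Collect the 64-bit registers from the .cxr context dump."""
    pairs = re.findall(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b", text)
    return {name: hexint(value) for name, value in pairs}


def faulting_access(text):
    """Recompute the address read by the faulting [reg+disp] operand."""
    m = re.search(r"\[(r\w+)\+([0-9a-f]+)h\]", text)
    if not m:
        raise ValueError("no [reg+disp] memory operand found")
    regs = parse_registers(text)
    target = (regs[m.group(1)] + int(m.group(2), 16)) & 0xFFFFFFFFFFFFFFFF
    shown = re.search(r"ds:[0-9a-f]{4}:([0-9a-f`]+)=", text)
    return {
        "base_reg": m.group(1),
        "target": target,
        "matches_debugger": bool(shown) and hexint(shown.group(1)) == target,
        "in_kernel_half": target >= KERNEL_HALF_START,
    }


def stack_modules(text):
    """Modules named in STACK_TEXT, innermost frame first, without repeats."""
    seen = []
    for mod in re.findall(r" : (\w+)(?:!\w+)?\+0x[0-9a-f]+$", text, re.M):
        if mod not in seen:
            seen.append(mod)
    return seen


def triage(bsod_line, analyze_text):
    """One summary record for a ticket or a vendor support case."""
    drv = parse_bsod_line(bsod_line)
    acc = faulting_access(analyze_text)
    proc = re.search(r"PROCESS_NAME:\s*(\S+)", analyze_text)
    return {
        "module": drv["module"],
        "rva": hex(drv["rva"]),
        "built_utc": drv["built"].strftime("%Y-%m-%d"),
        "read_target": hex(acc["target"]),
        "read_target_in_kernel_half": acc["in_kernel_half"],
        "process": proc.group(1) if proc else None,
        "non_nt_modules": [m for m in stack_modules(analyze_text) if m != "nt"],
    }


if __name__ == "__main__":
    for key, value in triage(BSOD_LINE, ANALYZE).items():
        print(f"{key}: {value}")
```

On the posted values this gives offset 0x10a726 into VSApiNt.sys, an image build date of 2009-10-12 (UTC), and a read target of 0x876402e0, which lies below the kernel half of the address space.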
 
Zachary
Guest
Posts: n/a

 
      11-19-2009
I contacted Trend Micro and we rolled back the trend micro scan engine and
we are monitoring the situation.

 
Joe
Guest
Posts: n/a

 
      11-20-2009
I got the exact same thing on a 2003x64 file server (Dell PE2950).
It crashed yesterday morning during the scheduled scan. Windbg showed pretty
much what you have here. It crashed again this morning at about the same
time. Ran Windbg on the dump and got the exact same thing. I've uninstalled
Trend Micro for the moment. I'm real interested to see what Trend Micro
tells you.
---Joe

"Zachary" wrote:

> I contacted Trend Micro and we rolled back the trend micro scan engine and
> we are monitoring the situation.
 
Gregg Hill
Guest
Posts: n/a

 
      11-26-2009
Zachary,

Trend released a new scan engine, version 9.000.1003, on 11/17/09. As of
today, 11/24/09, it is version 9.100.1001. What version of the scan engine
did you have when it crashed?

Gregg Hill



"Zachary" <> wrote in message
news:...
> I contacted Trend Micro and we rolled back the trend micro scan engine and
> we are monitoring the situation.
>> fffffa60`0bbc55f0 fffffa60`08a4d4a3 : fffff880`27e7d040 fffff880`0cd59030
>> 00000000`0000024d fffffa60`08ae2887 : VSApiNt!VSScanVirusInMemory+0xcf1
>> fffffa60`0bbc5620 fffffa60`08a4c27d : 00000000`00000000 00000000`00000000
>> fffffa60`0bbc5718 00000000`0000177f : VSApiNt+0x3f4a3
>> fffffa60`0bbc56c0 fffffa60`08b9a44e : fffff880`00000000 fffffa80`00000001
>> fffff880`0c45c6d0 00000000`00002000 : VSApiNt+0x3e27d
>> fffffa60`0bbc57c0 fffffa60`08859460 : fffff880`2ad8b048 fffffa80`145c3328
>> fffff880`2ad8b120 fffff880`0c45c6d0 : VSApiNt!VSVirusScanFileW+0x18e
>> fffffa60`0bbc5840 fffffa60`0885a433 : fffffa80`00000001 fffffa80`145c3328
>> 00000000`00000000 fffffa60`0bbc5890 : TmXPFlt+0x1c460
>> fffffa60`0bbc5880 fffffa60`088527f1 : fffffa80`13798c10 00000000`048788d0
>> 00000000`ffffffff fffff880`001f0003 : TmXPFlt+0x1d433
>> fffffa60`0bbc5920 fffffa60`088586fb : 00000000`c00000bb fffffa60`0bbc59b8
>> fffffa60`0bbc59b0 fffffa60`0bbc5a30 : TmXPFlt+0x157f1
>> fffffa60`0bbc5960 fffffa60`0884122d : 00000000`00000000 fffffa60`0bbc5ca0
>> 00000000`00000001 fffffa80`100f8b00 : TmXPFlt+0x1b6fb
>> fffffa60`0bbc5990 fffff800`01cdf4aa : fffffa80`13bc86b0 fffffa80`13bc86b0
>> 00000000`00000001 fffff880`263e2701 : TmXPFlt+0x422d
>> fffffa60`0bbc59f0 fffff800`01cf8416 : 00000000`048787b8 00000000`000004e0
>> 00000000`00000000 00000000`04878850 : nt!IopXxxControlFile+0x5da
>> fffffa60`0bbc5b40 fffff800`01a5a173 : fffffa80`145f0060 00000000`04878798
>> fffffa60`0bbc5bc8 00000000`000003e4 : nt!NtDeviceIoControlFile+0x56
>> fffffa60`0bbc5bb0 00000000`77415aea : 00000000`00000000 00000000`00000000
>> 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
>> 00000000`04878788 00000000`00000000 : 00000000`00000000 00000000`00000000
>> 00000000`00000000 00000000`00000000 : 0x77415aea
>>
>>
>> FOLLOWUP_IP:
>> VSApiNt!VSScanVirusInMemory+4eb6
>> fffffa60`08b18726 458b4820 mov r9d,dword ptr [r8+20h]
>>
>> SYMBOL_STACK_INDEX: 0
>>
>> SYMBOL_NAME: VSApiNt!VSScanVirusInMemory+4eb6
>>
>> FOLLOWUP_NAME: MachineOwner
>>
>> MODULE_NAME: VSApiNt
>>
>> IMAGE_NAME: VSApiNt.sys
>>
>> DEBUG_FLR_IMAGE_TIMESTAMP: 4ad30768
>>
>> STACK_COMMAND: .cxr 0xfffffa600bbc4b30 ; kb
>>
>> FAILURE_BUCKET_ID: X64_0x3B_VSApiNt!VSScanVirusInMemory+4eb6
>>
>> BUCKET_ID: X64_0x3B_VSApiNt!VSScanVirusInMemory+4eb6
>>
>> Followup: MachineOwner
>> ---------
>>
>>
>> "Zachary" <> wrote in message
>> news:...
>>>I have a 2008 server that has crashed 5 times this morning. The event
>>>logs show nothing right before the crash to point me in the right
>>>direction. All I have to go on is the Blue Screen. I am currently
>>>downloading the symbols needed to analyze a server 2008 crash file. Once
>>>I get that downloaded I might know more but I need some preliminary help
>>>on this. To start I want to make everyone aware, no hardware changes
>>>were made recently, no driver updates or installs were done recently, and
>>>no windows updates were done recently. Here is the BSOD info:
>>>
>>>
>>>
>>> SYSTEM_SERVICE_EXCEPTION
>>>
>>>
>>>
>>> STOP: 0X0000003B (0x00000000C0000005, 0XFFFFFA6008B18726,
>>> 0XFFFFFA600BBC4B30, 0x0000000000000000)
>>>
>>>
>>>
>>> VSApiNt.sys - Address FFFFFA6008B18726 base at FFFFFA6008A0E000,
>>> DateStamp 4ad30768
>>>
>>>
>>>
>>> Any help would be appreciated.
>>>
>>>

>>
>>

>
>

 
Reply With Quote
 
Gregg Hill

 
      11-26-2009
I just heard back from Trend. The scan engine 9.000.1003 that was released
11/17/09 had the crash problem. They now have 9.100.1001 that is the fix for
that problem.

Gregg Hill



"Zachary" <> wrote in message
news:...
> I contacted Trend Micro and we rolled back the Trend Micro scan engine and
> we are monitoring the situation.
 
Pegasus [MVP]

 
      11-26-2009

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in
message news:...
>I just heard back from Trend. The scan engine 9.000.1003 that was released
>11/17/09 had the crash problem. They now have 9.100.1001 that is the fix
>for that problem.
>
> Gregg Hill


The sad bit is that exactly the same thing happened with Trend about five
years ago. Their scan engine would cause a spontaneous reboot on SBS Servers
(and perhaps others) whenever a certain "net use" command was executed,
either from the console or in a batch file. The Trend engineers had known
about the issue for several months but forgot to tell their own Help Desk . . .


 
 
Gregg Hill

 
      11-26-2009
I moved from Symantec to Trend around that time because of their new version
causing so many BSODs. Everyone has problems, I guess. The bummer is that I
love the features of Trend, but they REALLY need to work on their catch
rates.

With the newer versions, having URL filtering and Web Reputation enabled
should keep them away from bad guys. However, for those too-new-to-be-listed
sites, I still recommend a WatchGuard firewall to my clients. AV's inability
to detect new threats is precisely why I like my WatchGuard that won't let
the executable through in the first place, whether from HTTP, HTTPS, FTP, or
SMTP traffic.

The way I look at it, letting it in via the front door, then tackling it and
inspecting it, hoping that you are better at recognition than the bad guy is
at hiding, is not as good as looking through the peephole, seeing it is
executable, flipping the trap door, and dropping it.

I have my WatchGuard set up to allow executables from Microsoft and Trend
Micro (after virus scan from the WG), maybe one or two others, but only to
certain IP addresses, mainly servers. I have bypass passwords that allow
managers to download truly needed executables from sites where they expect
the file but where I don't globally trust the site, and even then, they
still go through the virus scan of the WG (it uses AVG).

Of course, I also have Trend WFBS installed on all computers for threats
from other sources.

The best of both worlds! That is, IF I can convince my clients to buy the
firewall.

Gregg Hill



 
 
 