2003 Server restarts everyday - reason unknown

[Pavel Simsalek]

Hello,
could anyone help me identifing cause for almost everydays server restart?
It's a HP blade server with W2K3 Server SP2. It's a file server where
Services for UNIX is installed and shares some data with NFS.

There's nothing in the eventlog before and after the restart what may be the
cause.
When i logon after the restart i could only see error message (serious
error...) and in the dump file there are some things like:

Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntkrnlpa.exe

Unable to load image \??\C:\WINDOWS\system32\drivers\nfssvr.sys, Win32 error
0n2
*** WARNING: Unable to verify timestamp for nfssvr.sys

BugCheck 1000007E, {c0000005, b89bb8ec, b9a43b14, b9a43810}
Probably caused by : nfssvr.sys ( nfssvr!IsCallerFileOwner+238 )

Thanks

 

[Meinolf Weber]

Hello Pavel,

Check out the memory.dmp file for more information:
http://www.networkworld.com/news/2005/041105-windows-crash.html?t5&story=041105-windows-crash

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> BugCheck 1000007E, {c0000005, b89bb8ec, b9a43b14, b9a43810} Probably
> caused by : nfssvr.sys (
>

 

[Pavel Simsalek]

Thanks for reply Mainolf,

I have already checked the dump file.

Here is the output of analyze:
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: b873b8ec, The address that the exception occurred at
Arg3: b93c3b14, Exception Record Address
Arg4: b93c3810, Context Record Address

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx"
referenced memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nfssvr!DsSjisToEuc+23232
b873b8ec 8b4004 mov eax,dword ptr [eax+4]

EXCEPTION_RECORD: b93c3b14 -- (.exr 0xffffffffb93c3b14)
ExceptionAddress: b873b8ec (nfssvr!DsSjisToEuc+0x00023232)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000004
Attempt to read from address 00000004

CONTEXT: b93c3810 -- (.cxr 0xffffffffb93c3810)
eax=00000000 ebx=e24fcd38 ecx=00013642 edx=e10aab08 esi=e24fcd20 edi=00000000
eip=b873b8ec esp=b93c3bdc ebp=b93c3bfc iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nfssvr!DsSjisToEuc+0x23232:
b873b8ec 8b4004 mov eax,dword ptr [eax+4]
ds:0023:00000004=????????
Resetting default scope
PROCESS_NAME: System
CURRENT_IRQL: 0
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS: 00000004
BUGCHECK_STR: 0x7E
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from b870cdb0 to b873b8ec
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be
wrong.
b93c3bfc b870cdb0 000003e9 00000064 000003e9 nfssvr!DsSjisToEuc+0x23232
b93c3c40 b872e435 e2b55000 00100000 e2b55000 nfssvr!DsSleep+0x1d5e4
b93c3d0c b8720a4d e2b55000 00000003 87de86f0 nfssvr!DsSjisToEuc+0x15d7b
b93c3d58 b872ec29 880c8eb0 88067d98 01de872c nfssvr!DsSjisToEuc+0x8393
b93c3dac 80949b7c 0000000f 00000000 00000000 nfssvr!DsSjisToEuc+0x1656f
b93c3ddc 8088e062 b97002ac 0000000f 00000000 nt!PspSystemThreadStartup+0x2e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

FOLLOWUP_IP:
nfssvr!DsSjisToEuc+23232
b873b8ec 8b4004 mov eax,dword ptr [eax+4]

SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nfssvr!DsSjisToEuc+23232
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nfssvr
IMAGE_NAME: nfssvr.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 3fb2b5ea
STACK_COMMAND: .cxr 0xffffffffb93c3810 kb
FAILURE_BUCKET_ID: 0x7E_nfssvr!DsSjisToEuc+23232
BUCKET_ID: 0x7E_nfssvr!DsSjisToEuc+23232
Followup: MachineOwner


Here is the detail about nfssvr.sys from lmv:
b86ed000 b8754400 nfssvr (export symbols) nfssvr.sys
Loaded symbol image file: nfssvr.sys
Image path: \??\C:\WINDOWS\system32\drivers\nfssvr.sys
Image name: nfssvr.sys
Timestamp: Wed Nov 12 23:36:26 2003 (3FB2B5EA)
CheckSum: 0007688E
ImageSize: 00067400
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Seems there is something wrong with the NFS (Services for UNIX) but i have
the last version and all patches.

 

[Carl Gross]

Do you have any other server software running on it, like Antivirus software?
I have SBS 2003 and put our antivirus server (Symatec CE) on it and it would
restart at least once a day. I even just put an antivirus client on it and
got the same results, so check out antivirus servers and clients. If
everyone around has antivirus, your server should be pretty clean unless you
casually browse with it.

"Pavel Simsalek" wrote:

> Hello,
> could anyone help me identifing cause for almost everydays server restart?
> It's a HP blade server with W2K3 Server SP2. It's a file server where
> Services for UNIX is installed and shares some data with NFS.
>
> There's nothing in the eventlog before and after the restart what may be the
> cause.
> When i logon after the restart i could only see error message (serious
> error...) and in the dump file there are some things like:
>
> Unable to load image \WINDOWS\system32\ntkrnlpa.exe, Win32 error 0n2
> *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
>
> Unable to load image \??\C:\WINDOWS\system32\drivers\nfssvr.sys, Win32 error
> 0n2
> *** WARNING: Unable to verify timestamp for nfssvr.sys
>
> BugCheck 1000007E, {c0000005, b89bb8ec, b9a43b14, b9a43810}
> Probably caused by : nfssvr.sys ( nfssvr!IsCallerFileOwner+238 )
>
> Thanks
>