Remove From My Forums

Avast Anti-Virus causing crash error event ID 6008

Question
0

Sign in to vote

I just installed the trial version of Avast for WHS and my system is crashing with error 6008? Any ideas or resolutions for this issue?

Monday, April 6, 2009 4:14 AM

Answers

0

Sign in to vote
Apopilot77,

System crashed because aswEngin.sys was trying to dereference a null pointer. The process name is aswServ.exe which is a part of Avast antivirus, and I believe aswEngin.sys is the kernel component of the software (to confirm, you can check the installation package and see if it contains aswEngin.sys). But I don't know how you can pass this to Avast. Hope the company provides a way for users to report issues. For now, you will be ok if you uninstall the software.
- Marked as answer by Lara JonesModerator Friday, April 10, 2009 4:07 PM
Friday, April 10, 2009 4:01 PM

All replies

0

Sign in to vote
I just installed the trial version of Avast for WHS and my system is crashing with error 6008? Any ideas or resolutions for this issue?

If Avast is causing problems with the Windows Home Server after an install and the server was running fine prior, you should check with Avast or in their forums.

Thank you
Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server
- Proposed as answer by kariya21Moderator Tuesday, April 7, 2009 1:18 AM
Monday, April 6, 2009 5:16 AM

Moderator
0

Sign in to vote

Let me know if you get this figured out I had the same issue

Monday, April 6, 2009 5:10 PM
0

Sign in to vote

Start a command prompt and enter "net helpmsg 6008" and it will tell you what 6008 means.

C:\>net helpmsg 6008

The specified file is not in the defined EFS export format.

To get details about the crash, you need to install WinDBG and analyze the crash dump. The crash may or may not be caused by Avast, and WinDBG will tell you what happened.

Monday, April 6, 2009 6:44 PM
0

Sign in to vote

How do I debug this issue. My server is crashing and ERROR 6008 is coming up at least three times a day.

Tuesday, April 7, 2009 4:02 AM
0

Sign in to vote
How do I debug this issue. My server is crashing and ERROR 6008 is coming up at least three times a day.

You can get information here: http://www.microsoft.com/whdc/devtools/debugging/default.mspx but unless you are a developer, the analysis of the dump file won't make much sense. It may point to a binary or driver at which point you can search on it but unless you know how to analyze the stack yourself, it won't tell you much except that that particular binary/symbol is causing a problem.

Your dump file is in C:\Windows or %windir% but if you've never used windbg or analyzed a crash dump, I strongly suggest you skip this part and either submit a bug or contact Avast.
Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server
- Edited by Lara JonesModerator Tuesday, April 7, 2009 4:41 AM typo
Tuesday, April 7, 2009 4:39 AM

Moderator
0

Sign in to vote

If you have never analyzed a memory dump, then it's difficult for you get details of the crash on your own. However, to only get the stack is not too hard.

1. Make sure the dump file type for your machine is configured to either "Complete memory dump" or "Kernel memory dump". (http://books.google.com/books?id=5QXg6Dhe_0cC&pg=PA896&lpg=PA896&dq=how+to+configure+kernel+memory+dump+type&source=bl&ots=TbFqZBm_yv&sig=bI5YHFmtNnnxWOUoGG3J4rMKgoc&hl=en&ei=xujaSZHHAaKUtgOJhunFBg&sa=X&oi=book_result&ct=result&resnum=3)

2. Install WinDBG from http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a

3. Run WinDBG, then goto "File -> Open crash dump". The dump file is %windir%\memory.dmp.

4. Enter "!analyze -v" from WinDBG command prompt, and copy paste the output here.

I believe this is an Avast related bug, but let's see what WinDBG has to say before coming to a conclusion.

Tuesday, April 7, 2009 5:59 AM
0

Sign in to vote

Symbols will not resolve based on the instructions above as the symbol server has not been set and symbols have not been downloaded. The !analyze -v will point to wrong symbols. Please see this page:

http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx#a

You either need to use the symbol server or have symbols available locally.

Thank you
Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server

Tuesday, April 7, 2009 2:43 PM

Moderator
0

Sign in to vote

Alright, do a ".symfix" then "!analyze -v"

Tuesday, April 7, 2009 6:38 PM
0

Sign in to vote

Ok. I will do all this however I would like to know why Microsoft does not specify what error 6008 is? Avast came back to me and stated it is not their software.

Wednesday, April 8, 2009 4:59 AM
0

Sign in to vote

I thought about this again and realized that 6008 may not be related to the system crash. When your machine crashes, the system does not even have a chance to update the event log. So 6008 could be errors from other applications.
As for who causes the crash, any conclusion would be premature without analyzing the dump file. Let's wait and see what you can find out from the dump.

Wednesday, April 8, 2009 5:47 AM
0

Sign in to vote

To be honest, this is not the place to analyze a dump. There will usually be no useful (i.e. fixes the problem, or even explains the problem in a useful way) information that someone not intimately familiar with the code will be able to extract, and nobody here has any sort of access to that code.

The original poster should submit a bug report on Connect , including logs from their server collected using the Windows Home Server toolkit.

If the original poster and EKDA want to pursue the dump analysis in addition to filing a bug report (which is much more likely to result in some useful information, because the WHS team will get a chance to look into the issue), please find a way to exchange contact information and do so off-line.
I'm not on the WHS team, I just post a lot. :)

Wednesday, April 8, 2009 12:17 PM

Moderator
0

Sign in to vote

Ok. I will do all this however I would like to know why Microsoft does not specify what error 6008 is? Avast came back to me and stated it is not their software.

If you right click on the event in the event log and select properties, it should provide you with more information regarding the error;however, if the machine is simply shutting down/crashing the event log more than likely isn't going to name the offending app. It will only write to the event log after it comes back up that it shut down.

Thank you
Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server

Wednesday, April 8, 2009 12:51 PM

Moderator
0

Sign in to vote

I agree with Ken that this shouldn't be the place to analyze a dump. My original intention was NOT to submit bug on Connect unless it is WHS related, or WHS team would be analyzing problems in third party software.

Apopilot77, could you give me your contact info? I can help you to look at this dump.

Wednesday, April 8, 2009 5:23 PM
0

Sign in to vote

I have inserted the error information below. This occurred 1 second after Avast started its daily scan.

Second, if this is not the place to analyze a dump then where is it? I have spent thousands of dollars investing in WHS hardware and moving my families, pictures, videos, musics, documents over to my server. I appreciate the assistance of the folks here who are trying to help.

Event Type: Error
Event Source: EventLog
Event Category: None
Event ID: 6008
Date:  4/7/2009
Time:  1:02:14 PM
User:  N/A
Computer: SERVER
Description:
The previous system shutdown at 1:00:01 PM on 4/7/2009 was unexpected.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 000407d9 00070002 0000000d 00ea0001
0010: 000407d9 00070002 00000012 00ea0001

Wednesday, April 8, 2009 5:26 PM
0

Sign in to vote

I have inserted the error information below. This occurred 1 second after Avast started its daily scan.

Second, if this is not the place to analyze a dump then where is it? I have spent thousands of dollars investing in WHS hardware and moving my families, pictures, videos, musics, documents over to my server. I appreciate the assistance of the folks here who are trying to help.

Event Type: Error
Event Source: EventLog
Event Category: None
Event ID: 6008
Date:  4/7/2009
Time:  1:02:14 PM
User:  N/A
Computer: SERVER
Description:
The previous system shutdown at 1:00:01 PM on 4/7/2009 was unexpected.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 000407d9 00070002 0000000d 00ea0001
0010: 000407d9 00070002 00000012 00ea0001

This is what I would point out to Avast: the system crashed 1 second after Avast started its scan. I think they might have been confused by the Windows event log ID rather than an Avast error.

Thanks

Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server

Wednesday, April 8, 2009 6:06 PM

Moderator
0

Sign in to vote

Here is what I found after running the debugger. However, I could not figure out where to put the .symfix.

-------------------------------------------------------------------------------------------------------------------------------------

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 808610f7, address which referenced memory

Debugging Details:
------------------

*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information. Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: kernel32!pNlsUserInfo                         ***
***                                                                   ***
*************************************************************************

READ_ADDRESS: 00000004

CURRENT_IRQL: 2

FAULTING_IP:
nt!MiRemovePageByColor+7d
808610f7 8b5104          mov     edx,dword ptr [ecx+4]

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0xA

PROCESS_NAME: aswServ.exe

TRAP_FRAME: ecc93b18 -- (.trap 0xffffffffecc93b18)
ErrCode = 00000000
eax=00000001 ebx=00000000 ecx=00000000 edx=00000006 esi=81729608 edi=858a0a00
eip=808610f7 esp=ecc93b8c ebp=ecc93bac iopl=0         nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000             efl=00010206
nt!MiRemovePageByColor+0x7d:
808610f7 8b5104          mov     edx,dword ptr [ecx+4] ds:0023:00000004=????????
Resetting default scope

LAST_CONTROL_TRANSFER: from 808610f7 to 80886a99

STACK_TEXT:
ecc93b18 808610f7 badb0d00 00000006 8092d465 nt!KiTrap0E+0x2a1
ecc93bac 8084b523 000004c0 c0005780 84436c68 nt!MiRemovePageByColor+0x7d
ecc93bdc 8084c389 e28d7dd8 00002000 8578e7b8 nt!MiResolveMappedFileFault+0x515
ecc93c20 8084cdbc 00000000 00af0000 c0005780 nt!MiResolveProtoPteFault+0x1f9
ecc93ccc 8085a905 00000000 00af0000 81733d34 nt!MiDispatchFault+0x972
ecc93d4c 808868d0 00000000 00af0000 00000001 nt!MmAccessFault+0xe63
ecc93d4c 7c342ff0 00000000 00af0000 00000001 nt!KiTrap0E+0xd8
0289dd1c 64085917 0289ddd8 00af0000 00000004 MSVCR71!UnwindUpVec+0x50 [F:\VS70Builds\3052\vc\crtbld\crt\src\intel\memcpy.asm @ 305]
WARNING: Stack unwind information not available. Following frames may be wrong.
0289dd3c 642aeb57 00000000 00000000 0289ddd8 aswCmnB!CGenericFile::seekreadin+0x56
0289e400 642a8b2a 0289e6d4 0289e428 00000007 aswEngin!avscanScanReal+0x33ba
0289e694 642a9cc2 03e5f008 0289f58c 0289e6d4 aswEngin!avfilesScanReal+0x476f
0289e78c 642a9eea 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5907
0289e8a4 642aa71d 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b2f
0289e958 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x6362
0289ea70 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
0289eb24 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
0289ec3c 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
0289ecf0 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
0289ee08 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
0289eebc 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
0289efd4 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
0289f088 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
0289f1a0 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
0289f254 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
0289f36c 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
0289f420 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
0289f538 642a2861 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
0289f650 648053b6 03e5f008 03cdaef0 0289fb30 aswEngin!avfilesScanRealMulti+0x36c
0289f6c0 7c829f59 7c829e17 00170a28 c0000034 aswTask!ARConstructListFromString+0x856
0289f798 77e4fab8 00150000 00000000 00170a28 ntdll!RtlFreeHeap+0x70f
7c829f59 ff909090 bcffffff ce7c8448 ff7c8448 kernel32!BaseDllReadWriteIniFile+0x20b
7c829f7d 408b0000 68408b30 909090c3 ff8b9090 0xff909090
7c829f81 68408b30 909090c3 ff8b9090 56ec8b55 0x408b0000
7c829f85 909090c3 ff8b9090 56ec8b55 ff08758b 0x68408b30
7c829f89 ff8b9090 56ec8b55 ff08758b e8561446 0x909090c3
7c829f8d 56ec8b55 ff08758b e8561446 00000020 0xff8b9090
7c829f91 ff08758b e8561446 00000020 08463b66 0x56ec8b55
7c829f95 e8561446 00000020 08463b66 4623830f 0xff08758b
7c829f99 00000000 08463b66 4623830f 558b0000 0xe8561446

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiRemovePageByColor+7d
808610f7 8b5104          mov     edx,dword ptr [ecx+4]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiRemovePageByColor+7d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 48a2ac79

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0xA_nt!MiRemovePageByColor+7d

BUCKET_ID: 0xA_nt!MiRemovePageByColor+7d

Followup: MachineOwner
---------

Thursday, April 9, 2009 2:56 AM
0

Sign in to vote
Here is what I found after running the debugger. However, I could not figure out where to put the .symfix.

-------------------------------------------------------------------------------------------------------------------------------------

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000004, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 808610f7, address which referenced memory

STACK_COMMAND: kb

FOLLOWUP_IP:
nt!MiRemovePageByColor+7d
808610f7 8b5104 mov edx,dword ptr [ecx+4]

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: nt!MiRemovePageByColor+7d

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: nt

DEBUG_FLR_IMAGE_TIMESTAMP: 48a2ac79

IMAGE_NAME: memory_corruption

FAILURE_BUCKET_ID: 0xA_nt!MiRemovePageByColor+7d

BUCKET_ID: 0xA_nt!MiRemovePageByColor+7d

Followup: MachineOwner
---------

Before you type !analyze -v, you need to set the symbols under file>symbol file path by either setting the symbol server using the web server or downloading them to your local machine and pointing winDBG to that path. Did you do that? If you did, then you

1. Type ".symfix" and hit enter
2. Type ".reload" and hit enter
3. Type "!analyze -v" and hit enter

When the analysis is done, click on the highlighted item to bring up more information at the bottom of the screen. If the dump file points to memory corruption again, please set your dumps to full dumps and submit a bug to Microsoft as we will have to analyze the stack. Connect will not allow you to attach the dump file but once we have the bug, we will provide you with an alternate location to upload.

Also, is this a home built machine or a HP MediaSmart Server and if it is a HP, have you upgraded the memory? If this is a home built server, and the analysis points to memory corruption after fixing the symbols, please download and run a memtest as this will rule out memory.

Thanks

Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server
- Edited by Lara JonesModerator Thursday, April 9, 2009 2:26 PM typo
Thursday, April 9, 2009 2:25 PM

Moderator
0

Sign in to vote

I had the same problem with Avast and when I replaced it with avg I had no more 6008 error. And btw could anyone try to explain those dump things a little simplier. I am not a hardcore computer programmer! www.pcterritory.net

Friday, April 10, 2009 3:01 AM
0

Sign in to vote
Apopilot77,

System crashed because aswEngin.sys was trying to dereference a null pointer. The process name is aswServ.exe which is a part of Avast antivirus, and I believe aswEngin.sys is the kernel component of the software (to confirm, you can check the installation package and see if it contains aswEngin.sys). But I don't know how you can pass this to Avast. Hope the company provides a way for users to report issues. For now, you will be ok if you uninstall the software.
- Marked as answer by Lara JonesModerator Friday, April 10, 2009 4:07 PM
Friday, April 10, 2009 4:01 PM
0

Sign in to vote

Also, is this a home built machine or a HP MediaSmart Server and if it is a HP, have you upgraded the memory? If this is a home built server, and the analysis points to memory corruption after fixing the symbols, please download and run a memtest as this will rule out memory.

This is probably not hardware related. From the responses to this thread, there are three people hitting the same problem and it's less likely they all have bad memory.

Friday, April 10, 2009 4:10 PM
0

Sign in to vote

Also, is this a home built machine or a HP MediaSmart Server and if it is a HP, have you upgraded the memory? If this is a home built server, and the analysis points to memory corruption after fixing the symbols, please download and run a memtest as this will rule out memory.

This is probably not hardware related. From the responses to this thread, there are three people hitting the same problem and it's less likely they all have bad memory.

I figured as much but I had to be sure.
Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server

Friday, April 10, 2009 4:18 PM

Moderator
0

Sign in to vote

EKDA and Lara,

Thank you for your posts. Avast has finally returned an email and asked me to send two mini-dump files over. I have run memtest with no errors. This is a home built server with no major issues until now.
Is there another WHS antivirus program that monitors AV on all the computers on my network?

Thank you,

Abe

Saturday, April 11, 2009 2:00 AM
0

Sign in to vote

EKDA and Lara,

Thank you for your posts. Avast has finally returned an email and asked me to send two mini-dump files over. I have run memtest with no errors. This is a home built server with no major issues until now.
Is there another WHS antivirus program that monitors AV on all the computers on my network?

Thank you,

Abe
No. avast! is the only one.

Saturday, April 11, 2009 4:56 AM

Moderator
0

Sign in to vote

Here is a Minidump file which returned an error 0f 6008 2 minutes after avast started its 6:00 a.m. daily scan. At 6:13 a.m I had a SYSTEM ERROR 102//1003.
+++++++++++++++++++++++++++++++++++++++

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: nt

FAULTING_MODULE: 80800000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 48a2ac79

BUGCHECK_STR: 0x4E_99

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from 8084e4dd to 80826de7

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
ec83cb60 8084e4dd 0000004e 00000099 00000000 nt+0x26de7
ec83cb8c 808608ed 858be008 ffffffff e374a398 nt+0x4e4dd
ec83cba4 80861534 01000000 8084b5d6 000004c0 nt+0x608ed
ec83cbdc 8084c389 ffdff120 00008000 857f9388 nt+0x61534
ec83cc20 8084cdbc 00000000 02e03000 c0017018 nt+0x4c389
ec83cccc 8085a905 00000000 02e03000 81a01b1c nt+0x4cdbc
ec83cd4c 808868d0 00000000 02e03000 00000001 nt+0x5a905
ec83cd64 7c342ff0 badb0d00 00000002 00000000 nt+0x868d0
ec83cd68 badb0d00 00000002 00000000 00000000 0x7c342ff0
ec83cd6c 00000000 00000000 00000000 00000000 0xbadb0d00

STACK_COMMAND: kb

FOLLOWUP_IP:
nt+26de7
80826de7 5d pop ebp

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt+26de7

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

_______________________________________________________

Monday, April 13, 2009 5:55 PM
0

Sign in to vote

Apopilot77,

Investigating a minidump is usually more difficult and hard to come to a conclusion as the file contains very limited information. Also, your KD doesn't seem to have right symbol path configured, so the stack it shows is likely to be wrong.

BUCKET_ID: WRONG_SYMBOLS

Could you configure your system to create "Kernel memory dump", instead of minidump, and repro?

Tuesday, April 14, 2009 12:31 AM
0

Sign in to vote

Sure I will do that. However, over the past two days after I uninstalled AVAST I do not have an error or a crash stop error.

I do get TERMD and SCHANNEL Errors which do not cause system instability. Are these normal?

Thanks,

Abe

Wednesday, April 15, 2009 3:39 AM
0

Sign in to vote

I am not familiar with TERM and SCHANNEL. Sorry. But I wouldn't worry too much if you don't get those errors all the time.

Wednesday, April 15, 2009 4:00 PM
0

Sign in to vote

Yes the errors have ended. It is terrible to see these issues when a piece of software is installed.

Wednesday, April 15, 2009 5:21 PM
0

Sign in to vote

Sure I will do that. However, over the past two days after I uninstalled AVAST I do not have an error or a crash stop error.

I do get TERMD and SCHANNEL Errors which do not cause system instability. Are these normal?

Thanks,

Abe

Are you referring to TermServDevices errors? These happen when you TS into the server i.e. RDP into the administrator's desktop and if you right click on the error and select "properties", you will see that the server is attempting to locate drivers for items that are installed on your client (usually printers). You can ignore these errors or under "options">"local resources" you can uncheck the "printers" box and these errors will no longer show up in the event log.

As for the schannel error, is this still being logged or did it go away after the system was updated to Power Pack 2?
Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server

Wednesday, April 15, 2009 5:56 PM

Moderator
0

Sign in to vote

Lara,

1.) The schannel errors still exist and are being logged after PowerPack 2.

2.) The TermDD errors have the following when I right click and select properities. In your response you stated under "options" "local resources" I can uncheck the Printer box. Are you referring to options under EVENT VIEWER? This path I can not find.

The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

3.) I came home today and noticed the original error 6008 was back. I also notices when I loggedin a category 102 (1003) error. I followed the procedure you mentioned above and the debugger came back with the following:

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: nt

FAULTING_MODULE: 80800000 nt

DEBUG_FLR_IMAGE_TIMESTAMP: 49c21e7e

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPoolCodeStart
unable to get nt!MmPoolCodeEnd
00000004

CURRENT_IRQL: 0

FAULTING_IP:
nt+610f7
808610f7 8b5104 mov edx,dword ptr [ecx+4]

CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: DRIVER_FAULT_SERVER_MINIDUMP

BUGCHECK_STR: 0xA

LAST_CONTROL_TRANSFER: from 8084a590 to 808610f7

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
f67fb93c 8084a590 c0000808 c0600000 84115db0 nt+0x610f7
f67fb95c 8085a849 00101000 c0000808 84115268 nt+0x4a590
f67fb9cc 808868d0 00000000 00101000 00000000 nt+0x5a849
f67fb9e4 8098a76b badb0d00 fffff000 f67fba20 nt+0x868d0
f67fba60 80985c51 000fd200 00008000 00000004 nt+0x18a76b
f67fbd4c 80883938 00000005 000fd200 00008000 nt+0x185c51
f67fbd64 7c82860c badb0d00 00e3ea24 00000000 nt+0x83938
f67fbd68 badb0d00 00e3ea24 00000000 00000000 0x7c82860c
f67fbd6c 00e3ea24 00000000 00000000 00000000 0xbadb0d00
f67fbd70 00000000 00000000 00000000 00000000 0xe3ea24

STACK_COMMAND: kb

FOLLOWUP_IP:
nt+610f7
808610f7 8b5104 mov edx,dword ptr [ecx+4]

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: nt+610f7

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

Thanks,

Abe

Thursday, April 16, 2009 3:07 AM
0

Sign in to vote

Abe,

Did your system crash again and is this the KD stack from the crash? If so, something else is wrong with your machine.
BTW, is your system still configured to create mini dump?

Thursday, April 16, 2009 6:14 PM

Lara,

1.) The schannel errors still exist and are being logged after PowerPack 2.

2.) The TermDD errors have the following when I right click and select properities. In your response you stated under "options" "local resources" I can uncheck the Printer box. Are you referring to options under EVENT VIEWER? This path I can not find.

The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

3.) I came home today and noticed the original error 6008 was back. I also notices when I loggedin a category 102 (1003) error. I followed the procedure you mentioned above and the debugger came back with the following:

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: nt

FOLLOWUP_NAME: MachineOwner

IMAGE_NAME: ntoskrnl.exe

BUCKET_ID: WRONG_SYMBOLS

Followup: MachineOwner
---------

Thanks,

Abe

#1 you can file a bug for this. It is related to a certificate error.
#2 This is not the exact same event ID I was mentioning; however, the option I was providing instructions for is not in the event viewer but part of the remote desktop dialogue window prior to connecting to the server.
#3 Your symbols are wrong. You need to set the symbol server.

To use the Microsoft Symbol Server

1.	Make sure you have installed the latest version of Debugging Tools for Windows.
2.	Start a debugging session.
3.	Decide where to store the downloaded symbols (the "downstream store"). This can be a local drive or a UNC path.
4.	Set the debugger symbol path as follows, substituting your downstream store path for DownstreamStore. SRVDownstreamStorehttp://msdl.microsoft.com/download/symbols

Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server

Thursday, April 16, 2009 7:17 PM

Moderator

0

Sign in to vote

EKDA,

This crash happened before I chanded it to a KD.

Lara,

1.) How do I submit a bug?

2.) I will try to figure out this symbol server path you stated above?

Abe

Monday, April 20, 2009 3:55 AM
0

Sign in to vote
Lara,

1.) How do I submit a bug?

Register on Connect if you have not already registered

Join the Windows Home Server Program

Click on the feedback link

Search in feedback (this is required in order to submit a bug) click on the submit feedback button

Select the Power Pack 2 feedback form

Enter the appropriate data and include client and server CABs.

You will not be able to attach the dumpfile but we will provide an alternate upload location once you submit the bug.

Thanks!

Lara Jones [MSFT] | Program Manager
Community Support and Beta | Windows Home Server Team
Windows Home Server Team Blog
Connect Windows Home Server
Windows Home Server
Monday, April 20, 2009 3:21 PM

Moderator
0

Sign in to vote

Lara,

I have submitted my first bug report. I submitted the CAB number from my WHS. 624000065

Abe

Monday, April 20, 2009 6:29 PM

Answered by:

Avast Anti-Virus causing crash error event ID 6008

Question

Answers

All replies