locked
Avast Anti-Virus causing crash error event ID 6008 RRS feed

  • Question

  • I just installed the trial version of Avast for WHS and my system is crashing with error 6008? Any ideas or resolutions for this issue?
    Monday, April 6, 2009 4:14 AM

Answers

  • Apopilot77,

    System crashed because aswEngin.sys was trying to dereference a null pointer. The process name is aswServ.exe which is a part of Avast antivirus, and I believe aswEngin.sys is the kernel component of the software (to confirm, you can check the installation package and see if it contains aswEngin.sys). But I don't know how you can pass this to Avast. Hope the company provides a way for users to report issues. For now, you will be ok if you uninstall the software.

    Friday, April 10, 2009 4:01 PM

All replies

  • I just installed the trial version of Avast for WHS and my system is crashing with error 6008? Any ideas or resolutions for this issue?

    If Avast is causing problems with the Windows Home Server after an install and the server was running fine prior, you should check with Avast or in their forums.

    Thank you
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Monday, April 6, 2009 5:16 AM
    Moderator
  • Let me know if you get this figured out I had the same issue
    Monday, April 6, 2009 5:10 PM
  • Start a command prompt and enter "net helpmsg 6008" and it will tell you what 6008 means.


    C:\>net helpmsg 6008

    The specified file is not in the defined EFS export format.



    To get details about the crash, you need to install WinDBG and analyze the crash dump. The crash may or may not be caused by Avast, and WinDBG will tell you what happened.

    Monday, April 6, 2009 6:44 PM
  • How do I debug this issue. My server is crashing and ERROR 6008 is coming up at least three times a day.
    Tuesday, April 7, 2009 4:02 AM
  • How do I debug this issue. My server is crashing and ERROR 6008 is coming up at least three times a day.

    You can get information here: http://www.microsoft.com/whdc/devtools/debugging/default.mspx but unless you are a developer, the analysis of the dump file won't make much sense. It may point to a binary or driver at which point you can search on it but unless you know how to analyze the stack yourself, it won't tell you much except that that particular binary/symbol is causing a problem.

    Your dump file is in C:\Windows or %windir% but if you've never used windbg or analyzed a crash dump, I strongly suggest you skip this part and either submit a bug or contact Avast.
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Tuesday, April 7, 2009 4:39 AM
    Moderator
  • If you have never analyzed a memory dump, then it's difficult for you get details of the crash on your own. However, to only get the stack is not too hard.

    1. Make sure the dump file type for your machine is configured to either "Complete memory dump" or "Kernel memory dump". (http://books.google.com/books?id=5QXg6Dhe_0cC&pg=PA896&lpg=PA896&dq=how+to+configure+kernel+memory+dump+type&source=bl&ots=TbFqZBm_yv&sig=bI5YHFmtNnnxWOUoGG3J4rMKgoc&hl=en&ei=xujaSZHHAaKUtgOJhunFBg&sa=X&oi=book_result&ct=result&resnum=3)

    2. Install WinDBG from http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a

    3. Run WinDBG, then goto "File -> Open crash dump". The dump file is %windir%\memory.dmp.

    4. Enter "!analyze -v" from WinDBG command prompt, and copy paste the output here.

    I believe this is an Avast related bug, but let's see what WinDBG has to say before coming to a conclusion.
    Tuesday, April 7, 2009 5:59 AM
  • Symbols will not resolve based on the instructions above as the symbol server has not been set and symbols have not been downloaded. The !analyze -v will point to wrong symbols.  Please see this page:

    http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx#a


    You either need to use the symbol server or have symbols available locally.

    Thank you
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Tuesday, April 7, 2009 2:43 PM
    Moderator
  • Alright, do a ".symfix" then "!analyze -v"

    Tuesday, April 7, 2009 6:38 PM
  • Ok. I will do all this however I would like to know why Microsoft does not specify what error 6008 is? Avast came back to me and stated it is not their software.
    Wednesday, April 8, 2009 4:59 AM
  • I thought about this again and realized that 6008 may not be related to the system crash. When your machine crashes, the system does not even have a chance to update the event log. So 6008 could be errors from other applications.
    As for who causes the crash, any conclusion would be premature without analyzing the dump file. Let's wait and see what you can find out from the dump.
    Wednesday, April 8, 2009 5:47 AM
  • To be honest, this is not the place to analyze a dump. There will usually be no useful (i.e. fixes the problem, or even explains the problem in a useful way) information that someone not intimately familiar with the code will be able to extract, and nobody here has any sort of access to that code.

    The original poster should submit a bug report on Connect , including logs from their server collected using the Windows Home Server toolkit.

    If the original poster and EKDA want to pursue the dump analysis in addition to filing a bug report (which is much more likely to result in some useful information, because the WHS team will get a chance to look into the issue), please find a way to exchange contact information and do so off-line.
    I'm not on the WHS team, I just post a lot. :)
    Wednesday, April 8, 2009 12:17 PM
    Moderator
  • Ok. I will do all this however I would like to know why Microsoft does not specify what error 6008 is? Avast came back to me and stated it is not their software.

    If you right click on the event in the event log and select properties, it should provide you with more information regarding the error;however, if the machine is simply shutting down/crashing the event log more than likely isn't going to name the offending app. It will only write to the event log after it comes back up that it shut down.

    Thank you
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Wednesday, April 8, 2009 12:51 PM
    Moderator
  • I agree with Ken that this shouldn't be the place to analyze a dump. My original intention was NOT to submit bug on Connect unless it is WHS related, or WHS team would be analyzing problems in third party software.

    Apopilot77, could you give me your contact info? I can help you to look at this dump.
    Wednesday, April 8, 2009 5:23 PM
  • I have inserted the error information below. This occurred 1 second after Avast started its daily scan.

    Second, if this is not the place to analyze a dump then where is it? I have spent thousands of dollars investing in WHS hardware and moving my families, pictures, videos, musics, documents over to my server. I appreciate the assistance of the folks here who are trying to help.

    Event Type: Error
    Event Source: EventLog
    Event Category: None
    Event ID: 6008
    Date:  4/7/2009
    Time:  1:02:14 PM
    User:  N/A
    Computer: SERVER
    Description:
    The previous system shutdown at 1:00:01 PM on 4/7/2009 was unexpected.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 000407d9 00070002 0000000d 00ea0001
    0010: 000407d9 00070002 00000012 00ea0001

    Wednesday, April 8, 2009 5:26 PM
  • I have inserted the error information below. This occurred 1 second after Avast started its daily scan.

    Second, if this is not the place to analyze a dump then where is it? I have spent thousands of dollars investing in WHS hardware and moving my families, pictures, videos, musics, documents over to my server. I appreciate the assistance of the folks here who are trying to help.

    Event Type: Error
    Event Source: EventLog
    Event Category: None
    Event ID: 6008
    Date:  4/7/2009
    Time:  1:02:14 PM
    User:  N/A
    Computer: SERVER
    Description:
    The previous system shutdown at 1:00:01 PM on 4/7/2009 was unexpected.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 000407d9 00070002 0000000d 00ea0001
    0010: 000407d9 00070002 00000012 00ea0001

    This is what I would point out to Avast: the system crashed 1 second after Avast started its scan. I think they might have been confused by the Windows event log ID rather than an Avast error.

    Thanks

     

    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Wednesday, April 8, 2009 6:06 PM
    Moderator
  • Here is what I found after running the debugger. However, I could not figure out where to put the .symfix.


    -------------------------------------------------------------------------------------------------------------------------------------

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 00000004, memory referenced
    Arg2: d0000002, IRQL
    Arg3: 00000000, bitfield :
     bit 0 : value 0 = read operation, 1 = write operation
     bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: 808610f7, address which referenced memory

    Debugging Details:
    ------------------

    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: kernel32!pNlsUserInfo                         ***
    ***                                                                   ***
    *************************************************************************
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: kernel32!pNlsUserInfo                         ***
    ***                                                                   ***
    *************************************************************************

    READ_ADDRESS:  00000004

    CURRENT_IRQL:  2

    FAULTING_IP:
    nt!MiRemovePageByColor+7d
    808610f7 8b5104          mov     edx,dword ptr [ecx+4]

    DEFAULT_BUCKET_ID:  DRIVER_FAULT

    BUGCHECK_STR:  0xA

    PROCESS_NAME:  aswServ.exe

    TRAP_FRAME:  ecc93b18 -- (.trap 0xffffffffecc93b18)
    ErrCode = 00000000
    eax=00000001 ebx=00000000 ecx=00000000 edx=00000006 esi=81729608 edi=858a0a00
    eip=808610f7 esp=ecc93b8c ebp=ecc93bac iopl=0         nv up ei pl nz na pe nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
    nt!MiRemovePageByColor+0x7d:
    808610f7 8b5104          mov     edx,dword ptr [ecx+4] ds:0023:00000004=????????
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from 808610f7 to 80886a99

    STACK_TEXT: 
    ecc93b18 808610f7 badb0d00 00000006 8092d465 nt!KiTrap0E+0x2a1
    ecc93bac 8084b523 000004c0 c0005780 84436c68 nt!MiRemovePageByColor+0x7d
    ecc93bdc 8084c389 e28d7dd8 00002000 8578e7b8 nt!MiResolveMappedFileFault+0x515
    ecc93c20 8084cdbc 00000000 00af0000 c0005780 nt!MiResolveProtoPteFault+0x1f9
    ecc93ccc 8085a905 00000000 00af0000 81733d34 nt!MiDispatchFault+0x972
    ecc93d4c 808868d0 00000000 00af0000 00000001 nt!MmAccessFault+0xe63
    ecc93d4c 7c342ff0 00000000 00af0000 00000001 nt!KiTrap0E+0xd8
    0289dd1c 64085917 0289ddd8 00af0000 00000004 MSVCR71!UnwindUpVec+0x50 [F:\VS70Builds\3052\vc\crtbld\crt\src\intel\memcpy.asm @ 305]
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0289dd3c 642aeb57 00000000 00000000 0289ddd8 aswCmnB!CGenericFile::seekreadin+0x56
    0289e400 642a8b2a 0289e6d4 0289e428 00000007 aswEngin!avscanScanReal+0x33ba
    0289e694 642a9cc2 03e5f008 0289f58c 0289e6d4 aswEngin!avfilesScanReal+0x476f
    0289e78c 642a9eea 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5907
    0289e8a4 642aa71d 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b2f
    0289e958 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x6362
    0289ea70 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
    0289eb24 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
    0289ec3c 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
    0289ecf0 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
    0289ee08 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
    0289eebc 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
    0289efd4 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
    0289f088 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
    0289f1a0 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
    0289f254 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
    0289f36c 642aa6c5 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
    0289f420 642a9ed3 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x630a
    0289f538 642a2861 03e5f008 0289f58c 00000000 aswEngin!avfilesScanReal+0x5b18
    0289f650 648053b6 03e5f008 03cdaef0 0289fb30 aswEngin!avfilesScanRealMulti+0x36c
    0289f6c0 7c829f59 7c829e17 00170a28 c0000034 aswTask!ARConstructListFromString+0x856
    0289f798 77e4fab8 00150000 00000000 00170a28 ntdll!RtlFreeHeap+0x70f
    7c829f59 ff909090 bcffffff ce7c8448 ff7c8448 kernel32!BaseDllReadWriteIniFile+0x20b
    7c829f7d 408b0000 68408b30 909090c3 ff8b9090 0xff909090
    7c829f81 68408b30 909090c3 ff8b9090 56ec8b55 0x408b0000
    7c829f85 909090c3 ff8b9090 56ec8b55 ff08758b 0x68408b30
    7c829f89 ff8b9090 56ec8b55 ff08758b e8561446 0x909090c3
    7c829f8d 56ec8b55 ff08758b e8561446 00000020 0xff8b9090
    7c829f91 ff08758b e8561446 00000020 08463b66 0x56ec8b55
    7c829f95 e8561446 00000020 08463b66 4623830f 0xff08758b
    7c829f99 00000000 08463b66 4623830f 558b0000 0xe8561446


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt!MiRemovePageByColor+7d
    808610f7 8b5104          mov     edx,dword ptr [ecx+4]

    SYMBOL_STACK_INDEX:  1

    SYMBOL_NAME:  nt!MiRemovePageByColor+7d

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nt

    DEBUG_FLR_IMAGE_TIMESTAMP:  48a2ac79

    IMAGE_NAME:  memory_corruption

    FAILURE_BUCKET_ID:  0xA_nt!MiRemovePageByColor+7d

    BUCKET_ID:  0xA_nt!MiRemovePageByColor+7d

    Followup: MachineOwner
    ---------

     

    Thursday, April 9, 2009 2:56 AM
  • Here is what I found after running the debugger. However, I could not figure out where to put the .symfix.


    -------------------------------------------------------------------------------------------------------------------------------------

    IRQL_NOT_LESS_OR_EQUAL (a)
    An attempt was made to access a pageable (or completely invalid) address at an
    interrupt request level (IRQL) that is too high.  This is usually
    caused by drivers using improper addresses.
    If a kernel debugger is available get the stack backtrace.
    Arguments:
    Arg1: 00000004, memory referenced
    Arg2: d0000002, IRQL
    Arg3: 00000000, bitfield :
     bit 0 : value 0 = read operation, 1 = write operation
     bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
    Arg4: 808610f7, address which referenced memory

    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt!MiRemovePageByColor+7d
    808610f7 8b5104          mov     edx,dword ptr [ecx+4]

    SYMBOL_STACK_INDEX:  1

    SYMBOL_NAME:  nt!MiRemovePageByColor+7d

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: nt

    DEBUG_FLR_IMAGE_TIMESTAMP:  48a2ac79

    IMAGE_NAME:  memory_corruption

    FAILURE_BUCKET_ID:  0xA_nt!MiRemovePageByColor+7d

    BUCKET_ID:  0xA_nt!MiRemovePageByColor+7d

    Followup: MachineOwner
    ---------

     


    Before you type !analyze -v, you need to set the symbols under file>symbol file path by either setting the symbol server using the web server or downloading them to your local machine and pointing winDBG to that path. Did you do that?  If you did, then you

    1. Type ".symfix" and hit enter
    2. Type ".reload" and hit enter
    3. Type "!analyze -v" and hit enter

    When the analysis is done, click on the highlighted item to bring up more information at the bottom of the screen. If the dump file points to memory corruption again, please set your dumps to full dumps and submit a bug to Microsoft as we will have to analyze the stack. Connect will not allow you to attach the dump file but once we have the bug, we will provide you with an alternate location to upload.

    Also, is this a home built machine or a HP MediaSmart Server and if it is a HP, have you upgraded the memory? If this is a home built server, and the analysis points to memory corruption after fixing the symbols, please download and run a memtest as this will rule out memory.

    Thanks

    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Thursday, April 9, 2009 2:25 PM
    Moderator
  • I had the same problem with Avast and when I replaced it with avg I had no more 6008 error. And btw could anyone try to explain those dump things a little simplier. I am not a hardcore computer programmer! www.pcterritory.net
    Friday, April 10, 2009 3:01 AM
  • Apopilot77,

    System crashed because aswEngin.sys was trying to dereference a null pointer. The process name is aswServ.exe which is a part of Avast antivirus, and I believe aswEngin.sys is the kernel component of the software (to confirm, you can check the installation package and see if it contains aswEngin.sys). But I don't know how you can pass this to Avast. Hope the company provides a way for users to report issues. For now, you will be ok if you uninstall the software.

    Friday, April 10, 2009 4:01 PM

  • Also, is this a home built machine or a HP MediaSmart Server and if it is a HP, have you upgraded the memory? If this is a home built server, and the analysis points to memory corruption after fixing the symbols, please download and run a memtest as this will rule out memory.



    This is probably not hardware related. From the responses to this thread, there are three people hitting the same problem and it's less likely they all have bad memory.
    Friday, April 10, 2009 4:10 PM

  • Also, is this a home built machine or a HP MediaSmart Server and if it is a HP, have you upgraded the memory? If this is a home built server, and the analysis points to memory corruption after fixing the symbols, please download and run a memtest as this will rule out memory.



    This is probably not hardware related. From the responses to this thread, there are three people hitting the same problem and it's less likely they all have bad memory.

    I figured as much but I had to be sure.
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Friday, April 10, 2009 4:18 PM
    Moderator
  • EKDA and Lara,

     Thank you for your posts. Avast has finally returned an email and asked me to send two mini-dump files over. I have run memtest with no errors. This is a home built server with no major issues until now.
     Is there another WHS antivirus program that monitors AV on all the computers on my network?

    Thank you,

    Abe
    Saturday, April 11, 2009 2:00 AM
  • EKDA and Lara,

     Thank you for your posts. Avast has finally returned an email and asked me to send two mini-dump files over. I have run memtest with no errors. This is a home built server with no major issues until now.
     Is there another WHS antivirus program that monitors AV on all the computers on my network?

    Thank you,

    Abe
    No.  avast! is the only one.
    Saturday, April 11, 2009 4:56 AM
    Moderator
  • Here is a Minidump file which returned an error 0f 6008 2 minutes after avast started its 6:00 a.m. daily scan. At 6:13 a.m I had a SYSTEM ERROR 102//1003.
    +++++++++++++++++++++++++++++++++++++++

    ADDITIONAL_DEBUG_TEXT: 
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

    MODULE_NAME: nt

    FAULTING_MODULE: 80800000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP:  48a2ac79

    BUGCHECK_STR:  0x4E_99

    CUSTOMER_CRASH_COUNT:  2

    DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

    CURRENT_IRQL:  0

    LAST_CONTROL_TRANSFER:  from 8084e4dd to 80826de7

    STACK_TEXT: 
    WARNING: Stack unwind information not available. Following frames may be wrong.
    ec83cb60 8084e4dd 0000004e 00000099 00000000 nt+0x26de7
    ec83cb8c 808608ed 858be008 ffffffff e374a398 nt+0x4e4dd
    ec83cba4 80861534 01000000 8084b5d6 000004c0 nt+0x608ed
    ec83cbdc 8084c389 ffdff120 00008000 857f9388 nt+0x61534
    ec83cc20 8084cdbc 00000000 02e03000 c0017018 nt+0x4c389
    ec83cccc 8085a905 00000000 02e03000 81a01b1c nt+0x4cdbc
    ec83cd4c 808868d0 00000000 02e03000 00000001 nt+0x5a905
    ec83cd64 7c342ff0 badb0d00 00000002 00000000 nt+0x868d0
    ec83cd68 badb0d00 00000002 00000000 00000000 0x7c342ff0
    ec83cd6c 00000000 00000000 00000000 00000000 0xbadb0d00


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt+26de7
    80826de7 5d              pop     ebp

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  nt+26de7

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  ntoskrnl.exe

    BUCKET_ID:  WRONG_SYMBOLS

    Followup: MachineOwner
    ---------


    _______________________________________________________

    Monday, April 13, 2009 5:55 PM
  • Apopilot77,

    Investigating a minidump is usually more difficult and hard to come to a conclusion as the file contains very limited information. Also, your KD doesn't seem to have right symbol path configured, so the stack it shows is likely to be wrong.

    BUCKET_ID:  WRONG_SYMBOLS

    Could you configure your system to create "Kernel memory dump", instead of minidump, and repro?
    Tuesday, April 14, 2009 12:31 AM
  • Sure I will do that. However, over the past two days after I uninstalled AVAST I do not have an error or a crash stop error.

    I do get TERMD and SCHANNEL Errors which do not cause system instability. Are these normal?

    Thanks,

    Abe
    Wednesday, April 15, 2009 3:39 AM
  • I am not familiar with TERM and SCHANNEL. Sorry. But I wouldn't worry too much if you don't get those errors all the time.
    Wednesday, April 15, 2009 4:00 PM
  • Yes the errors have ended. It is terrible to see these issues when a piece of software is installed.

    Wednesday, April 15, 2009 5:21 PM
  • Sure I will do that. However, over the past two days after I uninstalled AVAST I do not have an error or a crash stop error.

    I do get TERMD and SCHANNEL Errors which do not cause system instability. Are these normal?

    Thanks,

    Abe

    Are you referring to TermServDevices errors? These happen when you TS into the server i.e. RDP into the administrator's desktop and if you right click on the error and select "properties", you will see that the server is attempting to locate drivers for items that are installed on your client (usually printers). You can ignore these errors or under "options">"local resources" you can uncheck the "printers" box and these errors will no longer show up in the event log.

    As for the schannel error, is this still being logged or did it go away after the system was updated to Power Pack 2?
    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Wednesday, April 15, 2009 5:56 PM
    Moderator
  • Lara,

     1.) The schannel errors still exist and are being logged after PowerPack 2.

     2.) The TermDD errors have the following when I right click and select properities. In your response you stated under "options" "local resources" I can uncheck the Printer box. Are you referring to options under EVENT VIEWER? This path I can not find.

    The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

    3.) I came home today and noticed the original error 6008 was back. I also notices when I loggedin a category 102 (1003) error. I followed the procedure you mentioned above and the debugger came back with the following:

    ADDITIONAL_DEBUG_TEXT: 
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

    MODULE_NAME: nt

    FAULTING_MODULE: 80800000 nt

    DEBUG_FLR_IMAGE_TIMESTAMP:  49c21e7e

    READ_ADDRESS: unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPoolCodeStart
    unable to get nt!MmPoolCodeEnd
     00000004

    CURRENT_IRQL:  0

    FAULTING_IP:
    nt+610f7
    808610f7 8b5104          mov     edx,dword ptr [ecx+4]

    CUSTOMER_CRASH_COUNT:  1

    DEFAULT_BUCKET_ID:  DRIVER_FAULT_SERVER_MINIDUMP

    BUGCHECK_STR:  0xA

    LAST_CONTROL_TRANSFER:  from 8084a590 to 808610f7

    STACK_TEXT: 
    WARNING: Stack unwind information not available. Following frames may be wrong.
    f67fb93c 8084a590 c0000808 c0600000 84115db0 nt+0x610f7
    f67fb95c 8085a849 00101000 c0000808 84115268 nt+0x4a590
    f67fb9cc 808868d0 00000000 00101000 00000000 nt+0x5a849
    f67fb9e4 8098a76b badb0d00 fffff000 f67fba20 nt+0x868d0
    f67fba60 80985c51 000fd200 00008000 00000004 nt+0x18a76b
    f67fbd4c 80883938 00000005 000fd200 00008000 nt+0x185c51
    f67fbd64 7c82860c badb0d00 00e3ea24 00000000 nt+0x83938
    f67fbd68 badb0d00 00e3ea24 00000000 00000000 0x7c82860c
    f67fbd6c 00e3ea24 00000000 00000000 00000000 0xbadb0d00
    f67fbd70 00000000 00000000 00000000 00000000 0xe3ea24


    STACK_COMMAND:  kb

    FOLLOWUP_IP:
    nt+610f7
    808610f7 8b5104          mov     edx,dword ptr [ecx+4]

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  nt+610f7

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  ntoskrnl.exe

    BUCKET_ID:  WRONG_SYMBOLS

    Followup: MachineOwner
    ---------

    Thanks,

    Abe

    Thursday, April 16, 2009 3:07 AM
  • Abe,

    Did your system crash again and is this the KD stack from the crash? If so, something else is wrong with your machine. 
    BTW, is your system still configured to create mini dump?
    Thursday, April 16, 2009 6:14 PM
  • Lara,

     1.) The schannel errors still exist and are being logged after PowerPack 2.

     2.) The TermDD errors have the following when I right click and select properities. In your response you stated under "options" "local resources" I can uncheck the Printer box. Are you referring to options under EVENT VIEWER? This path I can not find.

    The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

    3.) I came home today and noticed the original error 6008 was back. I also notices when I loggedin a category 102 (1003) error. I followed the procedure you mentioned above and the debugger came back with the following:

    ADDITIONAL_DEBUG_TEXT: 
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

    MODULE_NAME: nt

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  ntoskrnl.exe

    BUCKET_ID:  WRONG_SYMBOLS

    Followup: MachineOwner
    ---------

    Thanks,

    Abe


    #1 you can file a bug for this. It is related to a certificate error.
    #2 This is not the exact same event ID I was mentioning; however, the option I was providing instructions for is not in the event viewer but part of the remote desktop dialogue window prior to connecting to the server.
    #3 Your symbols are wrong. You need to set the symbol server.

    To use the Microsoft Symbol Server

    1.

    Make sure you have installed the latest version of Debugging Tools for Windows.

    2.

    Start a debugging session.

    3.

    Decide where to store the downloaded symbols (the "downstream store"). This can be a local drive or a UNC path.

    4.

    Set the debugger symbol path as follows, substituting your downstream store path for DownstreamStore.

    SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols


    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Thursday, April 16, 2009 7:17 PM
    Moderator
  • EKDA,

     This crash happened before I chanded it to a KD.

    Lara,

    1.) How do I submit a bug?

    2.) I will try to figure out this symbol server path you stated above?

    Abe
    Monday, April 20, 2009 3:55 AM


  • Lara,

    1.) How do I submit a bug?

     

    1. Register on Connect if you have not already registered
    2. Join the Windows Home Server Program
    3. Click on the feedback link
    4. Search in feedback (this is required in order to submit a bug) click on the submit feedback button
    5. Select the Power Pack 2 feedback form
    6. Enter the appropriate data and include client and server CABs.
    7. You will not be able to attach the dumpfile but we will provide an alternate upload location once you submit the bug.

      Thanks!

    Lara Jones [MSFT] | Program Manager
    Community Support and Beta | Windows Home Server Team
    Windows Home Server Team Blog
    Connect Windows Home Server
    Windows Home Server
    Monday, April 20, 2009 3:21 PM
    Moderator
  • Lara,

     I have submitted my first bug report. I submitted the CAB number from my WHS. 624000065

    Abe
    Monday, April 20, 2009 6:29 PM