• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

Kudos0

Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

My Computer running XP SP3 just blue screened when I opened the Services control panel.  According to the dumpchk.exe program that comes with the "Debugging Tools for Windows" the probably cause was:

 

SYMEVENT.SYS ( SYMEVENT+14339 )

 

 

Here's the rest of the details:

 

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 805aeae5, The address that the exception occurred at
Arg3: 964edb40, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced
memory at "0x%08lx". The memory could not be "%s".

FAULTING_IP:
nt!MiGetNextNode+1b
805aeae5 8b480c          mov     ecx,dword ptr [eax+0Ch]

TRAP_FRAME:  964edb40 -- (.trap 0xffffffff964edb40)
ErrCode = 00000000
eax=ffffffff ebx=89114a38 ecx=88f4a628 edx=89114a64 esi=89114948 edi=88f4a628
eip=805aeae5 esp=964edbb4 ebp=964edbcc iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
nt!MiGetNextNode+0x1b:
805aeae5 8b480c          mov     ecx,dword ptr [eax+0Ch] ds:0023:0000000b=??????
??
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  svchost.exe

LAST_CONTROL_TRANSFER:  from 805a54da to 805aeae5

STACK_TEXT:
964edbb0 805a54da 89114948 88cf2020 7c97b178 nt!MiGetNextNode+0x1b
964edbcc 805c8913 89114948 7ff77000 88cf2020 nt!MmDeleteTeb+0x4e
964edc90 805c8be0 00000000 00000000 88cf2020 nt!PspExitThread+0x5b9
964edcb0 805c8f20 88cf2020 00000000 c0000001 nt!PspTerminateThreadByPointer+0x52

964edcd0 b5d64339 00000000 00000000 8a38f008 nt!NtTerminateThread+0x70
WARNING: Stack unwind information not available. Following frames may be wrong.
964edd54 8053d648 00000000 00000000 044fffb4 SYMEVENT+0x14339
964edd54 7ff77000 00000000 00000000 044fffb4 nt!KiFastCallEntry+0xf8
0000003b 00000000 00000000 00000000 00000000 0x7ff77000


STACK_COMMAND:  kb
FOLLOWUP_IP:
SYMEVENT+14339
b5d64339 ??              ???

SYMBOL_STACK_INDEX:  5

SYMBOL_NAME:  SYMEVENT+14339

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME:  SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  489790a0

FAILURE_BUCKET_ID:  0x8E_SYMEVENT+14339

BUCKET_ID:  0x8E_SYMEVENT+14339

Followup: MachineOwner
---------

Replies

Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

Did you let Windows submit this crash to Microsoft? When you get cases like this, that's the best thing that you can do. We regularly query Microsoft's Online Crash Analysis (OCA) database for issues like this.
Reese AnschultzSenior Software Quality Assurance Manager, Symantec Corporation
Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

Yes I did, but when I did I just got a help page telling me to disable any newly installed drivers though.  So I didn't think they actually did anything with it.

I actually got the Blue Screen when opening the services.msc control panel. Not sure why though since I've done that plenty of times before and a few times after and never saw that error before.

BTW this isn't the first crash I've seen for symevent.sys, but the last one was in March of 2008, so at least it doesn't happen very often.

Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

SymEvent has been known to crash on occasion, but more often than not, it is just a victim of some other driver's problem. Due to SymEvent's location on the stack, the Microsoft analysis tools first point to SymEvent until we look at the crash and tell Microsoft to look one more step up the stack Thanks for the information.

Reese AnschultzSenior Software Quality Assurance Manager, Symantec Corporation
Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

Morac, do you happen to have SuperAntispyware installed? While I was looking at some of the data from Microsoft, I noticed that SuperAntispyware seems to be disproportionally common for this issue. There may be some interoperability issue that we have to look into.Message Edited by reese_anschultz on 02-09-2009 11:40 AM
Reese AnschultzSenior Software Quality Assurance Manager, Symantec Corporation
Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

SUPERAntiSpyware does hook NtTerminateProcess by default (since it doesn't hook anything else, so this is somewhat ineffective at protecting it from being terminated).
Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

No I don't have SuperAntispyware installed.  Actually I've never heard of it.

In case you are interested in what I did right before the crash.  I noticed I had two uninstall entries in the Add/Remove control panel for Microsoft's UPHClean.  I had upgraded UPHClean a while ago and I guess it didn't remove the old entry so I figured I'd uninstall both entries and reinstall the same version I already had installed.

I did so and then went to check to  if it was running in services.msc and then the machine blue screened.  I'm not sure why that would happen.  UPHClean runs as a service, but it's not a driver and I have been running it for years.  I guess it's possible it's unrelated or maybe it had something to do with removing the service and then adding it again.

I did install Raxco's Perfect Disk 10 on Jan 30rd.  That does install a driver, but I would think that if there was a problem with that drive it would have blue screened a few times since then since I've run it a few times.  Plus I had been running Perfect Disk 9 for over a year with no issues.

Message Edited by Morac on 02-09-2009 10:16 PM
Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

UPHClean actually dynamically loads a driver called uphcleanhlp.sys which hooks the kernel function NtUnloadKey.
Kudos0

Re: Blue Screen - STOP 0x0000008E in SYMEVENT.SYS

Interesting I was not aware of that.  In that case, the uphcleanhlp.sys driver would have been loaded, then unloaded then loaded again.  Shortly later a blue screen occurred.

This thread is closed from further comment. Please visit the forum to start a new thread.