
Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

A couple of times a week I get a Blue Screen of Death System Crash - PAGE_FAULT_IN_NONPAGED_AREA.

Here is what I know so far:

  • No hardware problems - I have run complete diagnostics from manufacturer.
  • Crashes appear random, sometimes when no applications are loaded and I am away from machine.
  • Running current version of NIS, fully updated.
  • Windows XP SP 3, fully patched and up to date.
  • Ran Dell Computer's Crash Analysis Tool - this points to NavEx15.sys (This tool is known to be unreliable sometimes so I don't put much stock in its findings)
  • SYMEVENT.SYS is version 11.6.0.24
  • I ran Debugging Tools for Windows to analyze two recent memory dumps, both have same result:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [c:\windows\minidump\Mini042909-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\i386
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Apr 29 12:34:37.328 2009 (GMT-5)
System Uptime: 0 days 0:16:58.032
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.....
Loading User Symbols
Loading unloaded module list
..............................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 10000050, {eaf33000, 0, 8a74e3de, 1}


Could not read faulting driver name
Unable to load image SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS
Probably caused by : SYMEVENT.SYS ( SYMEVENT+14479 )

Followup: MachineOwner
---------

Does anyone have a solution?

Is there any additional information I should gather?

Replies


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Here is a verbose version of the Debugger Dump (from my first post):

*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: eaf33000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8a74e3de, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------

Could not read faulting driver name

READ_ADDRESS: eaf33000

FAULTING_IP:
+fc
8a74e3de 668b08 mov cx,word ptr [eax]

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: mscorsvw.exe

LAST_CONTROL_TRANSFER: from 805d00bc to 8a74e3de

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7545b1c 805d00bc 87b64c90 0000155c a7545b5c 0x8a74e3de
a7545b3c 805b1421 87b64c90 0000155c a7545b5c nt!PsCallImageNotifyRoutines+0x36
a7545b84 805b1efe 87caf008 6d6d0000 a7545c54 nt!MiMapViewOfImageSection+0x4c1
a7545be0 805b22c3 00000004 87b5ee90 a7545c54 nt!MmMapViewOfSection+0x13c
a7545c70 af382479 00000234 ffffffff 0012ca10 nt!NtMapViewOfSection+0x2bd
a7545d34 8054162c 00000234 ffffffff 0012ca10 SYMEVENT+0x14479
a7545d34 00000023 00000234 ffffffff 0012ca10 nt!KiFastCallEntry+0xfc
00000000 00000000 00000000 00000000 00000000 0x23

STACK_COMMAND: kb

FOLLOWUP_IP:
SYMEVENT+14479
af382479 ?? ???

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: SYMEVENT+14479

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME: SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 49934f4c

FAILURE_BUCKET_ID: 0x50_SYMEVENT+14479

BUCKET_ID: 0x50_SYMEVENT+14479

Followup: MachineOwner
---------

 

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

LPD, which Norton product and version do you have installed? The exact version number can be found by going to Help & Support -> About.

Do you have any other 'background' type applications running such as FileMon or some other security software?

Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Norton Internet Security

Version 16.5.0.134

Current SKU: 10725608

Family SKU: 10751697

Media SKU: 14125637

No FileMon running that I know of.  I checked that before by looking in  Services  and did not see it listed.  Checked Task Manager Processes did not see it there either.

No other security software running.  Couple of years ago had the Microsoft security suite (forgot the name, like everyone else, lol) but that was completely uninstalled before I loaded NIS two years ago.

Message Edited by LPD on 04-30-2009 01:35 PM

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

LPD, thanks for the additional information. You reported that SYMEVENT.SYS was version 11.6.0.24, if you have NIS 16.5, you should have a newer version than that (12 point something.) Can you reverify your SymEvent version number? If it really is the 11.6.0 version, your best course of action is probably to uninstall the product, run the Norton Removal Tool, and reinstall.
Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Reese - I did a full system search for SYMEVENT.SYS and found three copies:

  • version 11.6.0.24   in  C:\I386
  • version 12.7.0.4   in C:\Program Files\Symantec
  • version 12.7.0.4   in C:\WINDOWS\SYSTEM32\DRIVERS

I'm not sure which is the active version but I doubt that it is the one in C:\I386.  I replaced the C:\I386 copy with one of the newer ones and re-analyzed the memory dump in the debugger.  The debugger uses C:\I386 as the imagePath and the debugger does not have complete symbols for SYMEVENT.SYS but can now report with exported (public) symbols and offsets.  Here is the improved dump which appears to show SYMEVENT calling into the OS right before the crash.

Loading Dump File [c:\windows\minidump\Mini042909-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\i386
Windows XP Kernel Version 2600 (Service Pack 3) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_gdr.090206-1234
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
Debug session time: Wed Apr 29 12:34:37.328 2009 (GMT-5)
System Uptime: 0 days 0:16:58.032
Loading Kernel Symbols
...............................................................
................................................................
................................................................
.....
Loading User Symbols
Loading unloaded module list
..............................................
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 10000050, {eaf33000, 0, 8a74e3de, 1}


Could not read faulting driver name
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SYMEVENT.SYS -
Probably caused by : SYMEVENT.SYS ( SYMEVENT!SYMEvent_GetVMDataPtr+1199 )

Followup: MachineOwner
---------

1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: eaf33000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8a74e3de, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

READ_ADDRESS: eaf33000

FAULTING_IP:
+fc
8a74e3de 668b08 mov cx,word ptr [eax]

MM_INTERNAL_CODE: 1

CUSTOMER_CRASH_COUNT: 2

DEFAULT_BUCKET_ID: DRIVER_FAULT

BUGCHECK_STR: 0x50

PROCESS_NAME: mscorsvw.exe

LAST_CONTROL_TRANSFER: from 805d00bc to 8a74e3de

STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7545b1c 805d00bc 87b64c90 0000155c a7545b5c 0x8a74e3de
a7545b3c 805b1421 87b64c90 0000155c a7545b5c nt!PsCallImageNotifyRoutines+0x36
a7545b84 805b1efe 87caf008 6d6d0000 a7545c54 nt!MiMapViewOfImageSection+0x4c1
a7545be0 805b22c3 00000004 87b5ee90 a7545c54 nt!MmMapViewOfSection+0x13c
a7545c70 af382479 00000234 ffffffff 0012ca10 nt!NtMapViewOfSection+0x2bd
a7545d34 8054162c 00000234 ffffffff 0012ca10 SYMEVENT!SYMEvent_GetVMDataPtr+0x1199
a7545d34 00000023 00000234 ffffffff 0012ca10 nt!KiFastCallEntry+0xfc
00000000 00000000 00000000 00000000 00000000 0x23


STACK_COMMAND: kb

FOLLOWUP_IP:
SYMEVENT!SYMEvent_GetVMDataPtr+1199
af382479 e96e020000 jmp SYMEVENT!SYMEvent_GetVMDataPtr+0x140c (af3826ec)

SYMBOL_STACK_INDEX: 5

SYMBOL_NAME: SYMEVENT!SYMEvent_GetVMDataPtr+1199

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME: SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP: 49934f4c

FAILURE_BUCKET_ID: 0x50_SYMEVENT!SYMEvent_GetVMDataPtr+1199

BUCKET_ID: 0x50_SYMEVENT!SYMEvent_GetVMDataPtr+1199

Followup: MachineOwner
---------

 What should I do next?  (I'll be checking back frequently, would love to resolve this before the weekend.  thanks)

 

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

LPD,

That's better, more like I expected. I don't know why you have one in your I386 folder but, as you noted, it probably wasn't active.

First, this may be a legitimate SymEvent issue but frequently SymEvent is just passing data through and the preceding driver on the stack is really the culprit. From the stack trace that you've provided, this doesn't seem like the case.

Second, mini-dumps are rarely useful for solving the problem. Since this seems to be fairly reproducible for you, can you switch to generating at least a kernel dump?

Third, provide the kernel dump (or mini-dump if you're unable or unwilling to provide the kernel dump) to us for further investigation?

Fourth, when these crashes occur, are you allowing them to be submitted to Microsoft for analysis? If not, you probably should. I've looked at Microsoft's data for this crash and it seems to be very uncommon. 

Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

I switched my settings to Kernel Dump yesterday morning.  I have not had a crash since (not uncommon, this is very random, sometimes a couple a day) but expect one at any time.   I'd be glad to send the kernel dump to Symantec if there is a secure (non-public) way to do that, so I need instructions on how to do that.

Yes, I have been submitting to Microsoft each time it occurs. Unfortunately it is always little comfort to the patient to know his or her illness is rare.

Thanks, let me know how to submit a kernel dump and I'll send after the next crash.


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash


LPD wrote:
...let me know how to submit a kernel dump and I'll send after the next crash.

Hi LPD,

When you have the dump, please email me (my address is listed on my profile) with the dump size when compressed, and I will send you upload information. Thanks!

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

I too have the same problem. Repeated system crashes caused by SYMEVENT.SYS. In each case, WinDbg reports a Page Fault in a NonPaged Area.  My most recent crash occurred less than an hour ago and generated a 218MB memory dump file. Over the last five months, this crash has occurred at least a dozen times.

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Additional Information: I am running SYMEVENT.SYS version 12.7.0.4.   When this problem occurs, it generally happens just after a second process has just begun executing.  It has occurred just as SQL Server has started an automated backup. It has also happened when I began running SQL Server Management Studio 2008 and Visual Studio 2008.

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

alchokem, do you know what bucket id or faulting address is reported? This may, or may not, be the same issue as LPD, but without that information or details from the blue screen, it's hard to know for certain.
Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Thanks for the feedback... As it turns out, my problem is identical to LPD's. Faulting Bucket_ID is the same.

Here's the analysis of my crash dump.

------------------------------------------------------------------------------------------------------------------------------------------

Use !analyze -v to get detailed debugging information.

BugCheck 50, {e81e6000, 0, 89c0a3de, 1}


Could not read faulting driver name
Unable to load image \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for SYMEVENT.SYS
*** ERROR: Module load completed but symbols could not be loaded for SYMEVENT.SYS


Probably caused by : SYMEVENT.SYS ( SYMEVENT+14479 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: e81e6000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 89c0a3de, If non-zero, the instruction address which referenced the bad memory
    address.
Arg4: 00000001, (reserved)

Debugging Details:
------------------


Could not read faulting driver name



READ_ADDRESS:  e81e6000

FAULTING_IP:
+ffffffff89c0a3de
89c0a3de ??              ???

MM_INTERNAL_CODE:  1

CUSTOMER_CRASH_COUNT:  2

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

TRAP_FRAME:  a92e7404 -- (.trap 0xffffffffa92e7404)
ErrCode = 00000000
eax=e81e6000 ebx=00000000 ecx=8056d5f0 edx=e81e5ee8 esi=89c11940 edi=00000001
eip=89c0a3de esp=a92e7478 ebp=a92e7600 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
89c0a3de ??              ???
Resetting default scope

LAST_CONTROL_TRANSFER:  from 805241a0 to 80533806

STACK_TEXT: 
a92e73a0 805241a0 00000050 e81e6000 00000000 nt!KeBugCheckEx+0x1b
a92e73ec 804e1718 00000000 e81e6000 00000000 nt!MmAccessFault+0x6f5
a92e73ec 89c0a3de 00000000 e81e6000 00000000 nt!KiTrap0E+0xcc
WARNING: Frame IP not in any known module. Following frames may be wrong.
a92e7474 89c0d768 e81e5ee8 0000005c 80561488 0x89c0a3de
a92e7600 8062dadf 8748def0 0000151c a92e7640 0x89c0d768
a92e7620 805f1dda 8748def0 0000151c a92e7640 nt!PsCallImageNotifyRoutines+0x36
a92e7664 8057d8d3 873e2008 0b2f0000 a92e7734 nt!MiMapViewOfImageSection+0x471
a92e76c0 80573d90 00000018 87253e90 a92e7734 nt!MmMapViewOfSection+0x13c
a92e7750 ad62c479 00000910 ffffffff 0012d5cc nt!NtMapViewOfSection+0x2bd
a92e7814 804de7ec 00000910 ffffffff 0012d5cc SYMEVENT+0x14479
a92e7814 3b910023 00000910 ffffffff 0012d5cc nt!KiFastCallEntry+0xf8
055d0000 00000000 00000000 00000000 00000000 0x3b910023


STACK_COMMAND:  kb

FOLLOWUP_IP:
SYMEVENT+14479
ad62c479 ??              ???

SYMBOL_STACK_INDEX:  9

SYMBOL_NAME:  SYMEVENT+14479

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: SYMEVENT

IMAGE_NAME:  SYMEVENT.SYS

DEBUG_FLR_IMAGE_TIMESTAMP:  49934f4c

FAILURE_BUCKET_ID:  0x50_SYMEVENT+14479

BUCKET_ID:  0x50_SYMEVENT+14479

Followup: MachineOwner
---------
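Both dumps in this thread blame SYMEVENT.SYS, yet in each one the frame that actually took the fault sits at a kernel address outside every loaded module and was reached from nt!PsCallImageNotifyRoutines. The following is an added example, not part of any post and not Symantec or Microsoft tooling, that separates the two facts from the STACK_TEXT listings; the "first non-nt frame" rule is a simplified assumption about how the blamed frame is chosen, and KERNEL_BASE assumes the default 2 GB user/kernel split on 32-bit x86 Windows.

```python
import re
from collections import namedtuple

# Constructed input: the STACK_TEXT sections copied from the two
# "!analyze -v" listings posted in this thread.
LPD_STACK = """\
WARNING: Frame IP not in any known module. Following frames may be wrong.
a7545b1c 805d00bc 87b64c90 0000155c a7545b5c 0x8a74e3de
a7545b3c 805b1421 87b64c90 0000155c a7545b5c nt!PsCallImageNotifyRoutines+0x36
a7545b84 805b1efe 87caf008 6d6d0000 a7545c54 nt!MiMapViewOfImageSection+0x4c1
a7545be0 805b22c3 00000004 87b5ee90 a7545c54 nt!MmMapViewOfSection+0x13c
a7545c70 af382479 00000234 ffffffff 0012ca10 nt!NtMapViewOfSection+0x2bd
a7545d34 8054162c 00000234 ffffffff 0012ca10 SYMEVENT+0x14479
a7545d34 00000023 00000234 ffffffff 0012ca10 nt!KiFastCallEntry+0xfc
00000000 00000000 00000000 00000000 00000000 0x23
"""

ALCHOKEM_STACK = """\
a92e73a0 805241a0 00000050 e81e6000 00000000 nt!KeBugCheckEx+0x1b
a92e73ec 804e1718 00000000 e81e6000 00000000 nt!MmAccessFault+0x6f5
a92e73ec 89c0a3de 00000000 e81e6000 00000000 nt!KiTrap0E+0xcc
WARNING: Frame IP not in any known module. Following frames may be wrong.
a92e7474 89c0d768 e81e5ee8 0000005c 80561488 0x89c0a3de
a92e7600 8062dadf 8748def0 0000151c a92e7640 0x89c0d768
a92e7620 805f1dda 8748def0 0000151c a92e7640 nt!PsCallImageNotifyRoutines+0x36
a92e7664 8057d8d3 873e2008 0b2f0000 a92e7734 nt!MiMapViewOfImageSection+0x471
a92e76c0 80573d90 00000018 87253e90 a92e7734 nt!MmMapViewOfSection+0x13c
a92e7750 ad62c479 00000910 ffffffff 0012d5cc nt!NtMapViewOfSection+0x2bd
a92e7814 804de7ec 00000910 ffffffff 0012d5cc SYMEVENT+0x14479
a92e7814 3b910023 00000910 ffffffff 0012d5cc nt!KiFastCallEntry+0xf8
055d0000 00000000 00000000 00000000 00000000 0x3b910023
"""

KERNEL_BASE = 0x80000000  # assumption: default 2 GB split on 32-bit x86

Frame = namedtuple("Frame", "child_ebp ret_addr symbol module")

# ChildEBP, RetAddr, three argument words, then the symbol column.
FRAME_RE = re.compile(r"([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)")


def parse_stack(text):
    """Turn a WinDbg 'kb'-style listing into Frame tuples, skipping warnings."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.fullmatch(line.strip())
        if not m:
            continue  # e.g. the "WARNING: Frame IP not in any known module" line
        ebp, ret, symbol = m.groups()
        # A bare 0x... address means the debugger could not map it to a module.
        module = None if symbol.startswith("0x") else re.split(r"[!+]", symbol)[0]
        frames.append(Frame(ebp, ret, symbol, module))
    return frames


def blamed_frame(frames):
    """Index and module of the first frame owned by a non-nt module
    (simplified stand-in for the debugger's follow-up choice)."""
    for i, f in enumerate(frames):
        if f.module not in (None, "nt"):
            return i, f.module
    return None, None


def unowned_kernel_frames(frames):
    """(address, caller) for frames running at a kernel-range address that
    belongs to no loaded module; caller is the next named frame below."""
    hits = []
    for i, f in enumerate(frames):
        if f.module is None and int(f.symbol, 16) >= KERNEL_BASE:
            caller = next((g.symbol for g in frames[i + 1:] if g.module), None)
            hits.append((f.symbol, caller))
    return hits


def triage(stack_text):
    frames = parse_stack(stack_text)
    index, module = blamed_frame(frames)
    return {"blamed_module": module, "blamed_index": index,
            "unowned": unowned_kernel_frames(frames)}


if __name__ == "__main__":
    for name, text in (("LPD", LPD_STACK), ("alchokem", ALCHOKEM_STACK)):
        print(name, triage(text))
```

The blamed index this computes lines up with the SYMBOL_STACK_INDEX values in the two listings (5 and 9), while the unowned frames are the ones whose instruction address appears as Arg3 of the bugcheck.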

 


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

I have a kernel dump which I would be more than happy to pass along related to this latest crash which I've described.

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Alchokem - I'm still waiting for my system to crash again so I can send Symantec the dump, which should be any day now.  Perhaps you can send Tony Weiss (Symantec) the size of the dump and he can send you upload instructions.  (see early post by Tony on this thread for his email).

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

LPD, I notified Tony as such letting him know that I had a compressed crash dump. Haven't received a response as of yet.

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash


alchokem wrote:
LPD, I notified Tony as such letting him know that I had a compressed crash dump. Haven't received a response as of yet.

Hi alchokem, I apologize, I just noticed this post. Please see the email I sent to you earlier today, which contains upload information. Thanks!

Tony Weiss | Norton Forums Global Community Manager | Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

alchokem, we've received the files. The team is, unfortunately, busy on another task at the moment so it probably will be about a week before they can analyze them. Thanks for your support on this.

Message Edited by reese_anschultz on 05-08-2009 10:47 AM
Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Great, glad you got them.  If I can be of further help, please let me know.

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Tony & Reese,

My system has been unusually stable this week, no crashes this past week.  It is very random, sometimes I get a couple a day.  I will also send a kernel dump after the next crash, hopefully before the team gets started.


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Tony,

My system crashed, I have a kernel dump.  I sent you an email requesting upload instructions.


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Tony,

It's been a couple weeks now since you have had core dumps from two of us.  Has there been any progress in figuring out what the problem is and a fix?


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

I'm sorry, we haven't heard back from that team. I just pinged them about it again.
Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Ok, nudging the team seems to have helped. They've analyzed the crash and as I suspected, SymEvent is simply passing the data through in this case. We can't see any other suspicious software involved either and believe that this is an operating system issue. We will be passing this to Microsoft for their own research.
Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Thanks for the update.  Here is some additional information:

I do not get the crashes if the Anti-Virus portion of NIS is turned off.

One of the crashes corrupted a Visual Studio 2008 project file I was working on.  After a reboot I opened the file in Visual Studio and the system crashed again.  I rebooted again, turned off Anti-Virus, and opened the same file again in Visual Studio, this time no crash, instead it gave me a message that an error occurred while trying to open the file and that it was not going to proceed.

Therefore, I do think that SymEvent is doing more than passing data through, it is preventing programs like VS from successfully trapping errors on their own threads and handling  them.

From my viewpoint these crashes don't occur unless SymEvent is involved so how is this an OS problem?

Is there a way to instruct SymEvent to stop monitoring specific programs?


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

No, there is no way to disable SymEvent from monitoring specific applications' access.

When you say that anti-virus is turned off, do you mean the real-time protection -- auto-protect?

There may, indeed, be a problem in SymEvent and I've asked the team to revisit the dump but it also may be that SymEvent is exposing some other issue. At this point I can't say which it is.

Edit: added missing word 'can't'

Message Edited by reese_anschultz on 05-28-2009 10:49 AM
Reese Anschultz | Senior Software Quality Assurance Manager, Symantec Corporation

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash


reese_anschultz wrote:

No, there is no way to disable SymEvent from monitoring specific applications' access.

When you say that anti-virus is turned off, do you mean the real-time protection -- auto-protect?

There may, indeed, be a problem in SymEvent and I've asked the team to revisit the dump but it also may be that SymEvent is exposing some other issue. At this point I say which it is.


Just to elaborate on what reese is saying.

I'm assuming that you are "programming" with visual studio.  It is not unlikely that some routine of yours is encroaching on territory in a way that triggers the AV response.  Moreover, it is possible that the AV response itself is bumping into more code, probably by trying to delete what it considers malware or by restricting its actions.  If some component of your program is anticipating a routine or code that AV is not allowing it access to, that will trigger an error code.  And if you are not properly trapping error codes, that could produce a crash.

But nothing in the above scenario makes it the fault of NAV, which is merely doing what it is supposed to do.

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

Reese,  not sure what you call it but it's on the main panel  labeled "AntiVirus" with an On-Off slider next to it.  When that is turned off the "Advanced Protection" is turned off automatically.  Maybe it's something in the "Advanced Protection" and not "AntiVirus".

Mijcar, there is not a program doing something wrong here.  I was not testing or running a developed application here, just loading a solution file into VS.  I was not in debug mode or anything like that.  Even if I was, and I wasn't trapping errors, they would fall through and be caught by VS.  It's rather difficult in a pure "managed" C# .NET program to crash a system anyway but I digress. The point is that the system only crashes when NIS AntiVirus (or perhaps Advanced Protection) is active.

Please note, as I stated a couple of weeks ago, these crashes appear random and happen even if VS is not run (or never loaded).  So this should not be viewed as NIS + VS issue.  It just seems to happen more frequently with VS running.


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

LPD -

Ran into the same problems on my system running VS2008.  Have you defragged the hard drive recently?  This fixed the problem on my system but may not on yours; just know that there were no errors after that.  Let us know how this progresses for you.  Thanks.

Win10 x64; Proud graduate of GeeksToGo

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash


LPD wrote:
Please note, as I stated a couple of weeks ago, these crashes appear random and happen even if VS is not run (or never loaded).  So this should not be viewed as NIS + VS issue.  It just seems to happen more frequently with VS running.

LPD, my apologies for forgetting this.  I am just reading too many posts.

I haven't been able to let go of this, I now remember, because of the intriguing connection.  As you said, this should not be viewed as an NIS + VS issue because it happens even when you are not using VS.

But!  (I feel like some dramatic, mysterious music is appropriate here.)  But it is so far an NIS + VS presence issue.  That is, the problem seems to occur because VS is on your system, whether or not you are using it.

Of course, that could be totally wrong.  Certainly it is at least as likely that the problem is something like this:

NIS + 3rd party unknown app =  critical mass

critical mass + unknown stimulus = crash

Use of VS makes unknown stimulus more likely.

But before exploring the last option, I have to ask the question, is it possible that even when not being used, VS does things in the background, such as checking for updates, auto updates, etc, that could conceivably account for the issues?  Now I know that once I installed Visual Basic on my system, it appeared to integrate with a number of Visual Basic resources in other software, for example Visual Basic sub-apps, macros, etc, in MS Office.  So when Office invoked a macro editor, I was now working in the larger domain of Office plus my own Visual Basic.  Is it possible something like this is happening on your computer?  Some program invokes its own VS component, which in turn links to your suite?  Heaven knows I'm reaching here; but it's always hard for me to let go of a puzzle.

As I said, I think the last option is probably the most likely.  My guess would be some single component in your Windows system, when invoked by the 3rd party app or your Visual Studio, is not what NIS expects or "likes" and that that interaction is where the problem lies.  If it doesn't happen for NIS users without VS installed, then it is likely to be an MS Windows component that is modified by the VS installation.  Opinions?  Suggestions?

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash


mijcar wrote:
That is, the problem seems to occur because VS is on your system, whether or not you are using it.

Actually we don't know that as a fact yet.


mijcar wrote:

So when Office invoked a macro editor, I was now working in the larger domain of Office plus my own Visual Basic.  Is it possible something like this is happening on your computer?


No, I don't think so.  At one time VS2003 ran a service, I think called Machine Debug Monitor, but they got away from that.  As for Office, VS components like that are only loaded on demand when needed, so they don't play any more of a part than a JPG file sitting on your hard drive would.  I don't use the Office components anyway.

This has to be at a lower level, I think kernel level, not at an application level.  When an application is started it is given a process thread with related privileges and resources, like specific blocks of memory to play in. If an application misbehaves the OS simply throws an exception.  If the application catches it, it deals with it. The application may terminate by design but either way that's the end of the exception.  Otherwise, if the application does not catch it the Windows launcher catches it, kills the processing threads, any child threads, and takes back the allocated resources.  Sometimes if an application really misbehaves the OS might just kill it outright. But what we have here, in my opinion, is a problem at a kernel level of execution, the same level drivers and many services work at.  I assume the level SymEvent works at.  At that level when something badly goes wrong and it's not caught the system has to crash.

Visual Studio is just another application so when you run your development application within it, it just creates a new child thread, launches its debugger on it, the debugger runs your application.  If anything is not caught it falls back to VS and if VS doesn't handle something correctly then it dies too.  It does not run at the kernel level.  Since I don't have knowledge of what SymEvent does or exactly how the OS operates and interacts with it I am unqualified to take this further.  Either Symantec and/or Microsoft will have to figure this one out.

dbrisendline may have a temporary workaround but I don't have high hopes for that since I don't think there is any correlation between page faults and how NTFS organizes disk storage.   I ran ChkDsk before, since that can cause page faults, but all was well.  If it was the case the kernel memory dumps would point to NTFS as the problem, one would think. Anyway, I'm defragmenting my disk as suggested.

If something changes I'll keep you posted.


Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

LPD,

I am sure I am getting more out of this than you are.  I just want to thank you for persisting and sharing everything you know.

And for your persistence and patience.

mij
N360 2013, v.20.1.0.24; Win7 Pro, SP1 (32 bit), IE 9, Firefox 14, No other active securityware

Re: Getting PAGE_FAULT_IN_NONPAGED_AREA System Crash

In reading the latest posts, there has been a lot of discussion that this is a VS2008 issue or an OS issue.  I couldn't disagree more.  As LPD points out, turning off Norton's AutoProtect eliminated his problem. In my case, turning off AutoProtect dramatically reduced the number of these errors but did not eliminate them entirely.  While LPD has seen these errors occur while working with VS2008, I have had similar experiences while running SQL Server Management Studio 2008.  As soon as I would invoke SSMS 2008, down the machine would go with another symevent crash. So, I agree with LPD...it certainly does not appear to be tied to either the OS or a specific application such as VS2008.  To eliminate the problem totally, I've had to deinstall virtually every Symantec product I own because they all, in one way or another, are dependent upon symevent.sys.  This includes not only Norton AntiVirus but Save and Restore and pcAnywhere to name a few.  Doing this has eliminated the symevent.sys driver from my system and as one would expect no more BSOD's are occurring.

Symantec, please take a closer look.  This error began occurring in December of last year for me.  I had been running fine up until that point.  My system configuration at that time included Windows XP SP3, SSMS 2008 and VS2008 and all coexisted without issue with your products.

I would also add that as far as hardware issues which often are blamed as the culprit, I have implemented the following recommended solutions, none of which has resolved this problem.

   - Replaced the power supply.

   - Replaced all System memory.

   - Replaced my graphics card and drivers

   - Rebuilt my system twice.

   - Replaced the CMOS battery.

   - Stress-tested my system with MemTest86+ and Hot Cpu Tester.  In each case, no errors were reported.
