If a server running Microsoft Windows Server 2003 SP2 (32-bit) has Symantec AV and the HP OpenView agent installed, it may blue-screen (BSOD) with bugcheck 0x27.
Cause:
The server crashed while WebDAV was attempting to clean up its heap. The pointer to the heap was non-existent, which generated an access violation and ultimately caused the bugcheck. What is not clear is exactly what caused the heap corruption. The two most likely candidates are SPBBCDrv and radiamsi.
Dump Analysis: Debug
Bugcheck code 00000027
Arguments baad0080 b91f48d8 b91f45d4 80959d23
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_gdr.090805-1438
Machine Name: "Server Name"
Kernel base = 0x80800000 PsLoadedModuleList = 0x808a6ea8
Debug session time: Day Date, time and timezone
System Uptime: show system uptime like 1 days 2:08:09.351
ExceptionAddress: 80959d23 (nt!RtlDestroyHeap+0x00000023)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00ae0050
Attempt to read from address 00ae0050
eax=8b543c4c ebx=00ae0050 ecx=b7913f00 edx=00000000 esi=8b543c4c edi=00ae0000
eip=80959d23 esp=b91f49a0 ebp=b91f49b0 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
nt!RtlDestroyHeap+0x23:
80959d23 8b33 mov esi,dword ptr [ebx] ds:0023:00ae0050=????????
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
b91f49b0 b79153dc 00ae0000 00000000 89aaabf8 nt!RtlDestroyHeap+0x23
b91f49e8 b791566c 89aaabf8 00000000 89aaabf8 mrxdav!MRxDAVOuterStop+0x92
b91f4a28 b791fbd7 01aaabf8 b791eb9a 89fbb1b0 mrxdav!MRxDAVDevFcbXXXControlFile+0x204
b91f4a40 b791ff83 89aaabf8 89fbb1b0 89fbb28c mrxdav!RxXXXControlFileCallthru+0x67
b91f4a64 b790bf72 89aaabf8 00000000 87d08a48 mrxdav!RxCommonDevFCBFsCtl+0x8d
b91f4af4 b791f852 b79130f0 89fbb1b0 87d08a48 mrxdav!RxFsdCommonDispatch+0x320
b91f4b14 b7918fc4 8b543878 89fbb1b0 8b543730 mrxdav!RxFsdDispatch+0xd4
b91f4b88 8081df85 8b543878 89fbb1b0 89fbb1b0 mrxdav!MRxDAVFsdDispatch+0x1f0
b91f4b9c baedf6c1 00000000 8b5414d8 8d09cee0 nt!IofCallDriver+0x45
b91f4bc8 8081df85 8b543730 89fbb1b0 89fbb1b0 fltmgr!FltpFsControl+0xd7 [d:\nt\base\fs\filtermgr\filter\fltmgr.c @ 5657]
b91f4bdc baedf6c1 89fbb1b0 8afc8a18 8d09cee0 nt!IofCallDriver+0x45
b91f4c08 8081df85 8b5414d8 89fbb1b0 89fbb1b0 fltmgr!FltpFsControl+0xd7 [d:\nt\base\fs\filtermgr\filter\fltmgr.c @ 5657]
b91f4c1c f779f598 b91f4c3c f77a2958 8afc8a18 nt!IofCallDriver+0x45
WARNING: Stack unwind information not available. Following frames may be wrong.
b91f4c24 f77a2958 8afc8a18 89fbb1b0 89fbb1b0 radiamsi+0x598
b91f4c3c 8081df85 8afc8a18 89fbb1b0 87d08a48 radiamsi+0x3958
b91f4c50 808f5437 89fbb28c 87d08a48 89fbb1b0 nt!IofCallDriver+0x45
b91f4c64 808f61bf 8afc8a18 89fbb1b0 87d08a48 nt!IopSynchronousServiceTail+0x10b
b91f4d00 808eed3c 0000015c 00000000 00000000 nt!IopXxxControlFile+0x5e5
b91f4d34 808897bc 0000015c 00000000 00000000 nt!NtFsControlFile+0x2a
b91f4d34 7c82860c 0000015c 00000000 00000000 nt!KiFastCallEntry+0xfc
0096ff20 00000000 00000000 00000000 00000000 0x7c82860c
nt!RtlDestroyHeap+0x13:
80959d13 e89c84f1ff call nt!DbgPrint (808721b4)
80959d18 59 pop ecx
80959d19 e98e000000 jmp nt!RtlDestroyHeap+0xac (80959dac)
80959d1e 53 push ebx
80959d1f 8d5f50 lea ebx,[edi+50h]
80959d22 56 push esi
80959d23 8b33 mov esi,dword ptr [ebx]
80959d25 eb1d jmp nt!RtlDestroyHeap+0x44 (80959d44)
80959d27 6800800000 push 8000h
80959d2c 8d4508 lea eax,[ebp+8]
80959d2f 50 push eax
80959d30 8d45fc lea eax,[ebp-4]
!DevObj !DrvObj !DevExt ObjectName
8afc8a18 \FileSystem\RadiaMsi 8afc8ad0
8b5414d8 \FileSystem\FltMgr 8b541590
8b543730 \FileSystem\FltMgr 8b5437e8
> 8b543878 \FileSystem\MRxDAV 8b543930 WebDavRedirector
Object: 87d08a48 Type: (8d134ca0) File
ObjectHeader: 87d08a30 (old version)
HandleCount: 1 PointerCount: 3
- HP OpenView Configuration Management Agent, Version: 5.11, Installation date: 12/05/2009, Vendor: Hewlett-Packard Company
Company Name: Hewlett Packard
File Description: Filter Driver
Product Version: (5.1:0.0)
File Version: (5.1:0.13)
File Size (bytes): 30120
File Date: Thu Aug 30 08:09:12 2007
- Symantec ESM 6.5 Agent, Version: 6.5.3000, Install location: C:\Program Files\Symantec\ESM\, Installation date: 21/07/2008, Vendor: Symantec
- Symantec AntiVirus, Version: 10.1.7000.7, Install location: C:\Program Files\Symantec AntiVirus\, Installation date: 14/07/2008, Vendor: Symantec Corporation
Company Name: Symantec Corporation
File Description: SPBBC Driver
Product Version: (2.4:1.1)
File Version: (2.4:1.1)
File Size (bytes): 400216
File Date: Thu Jul 26 19:25:18 2007
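The stack trace above can be triaged mechanically. The following Python sketch is an added example, not part of the original analysis: it parses frames in the ChildEBP/RetAddr/Args layout shown above (a constructed sample copied from the trace on this page), lists the drivers on the IRP path, and flags modules that resolve without symbols, which is how radiamsi stands out here. The function names are hypothetical, and a module being on the stack does not by itself show that it corrupted the heap.

```python
import re

# Constructed sample: a subset of the frames from the stack trace on this page.
SAMPLE_STACK = r"""
b91f49b0 b79153dc 00ae0000 00000000 89aaabf8 nt!RtlDestroyHeap+0x23
b91f49e8 b791566c 89aaabf8 00000000 89aaabf8 mrxdav!MRxDAVOuterStop+0x92
b91f4b9c baedf6c1 00000000 8b5414d8 8d09cee0 nt!IofCallDriver+0x45
b91f4bc8 8081df85 8b543730 89fbb1b0 89fbb1b0 fltmgr!FltpFsControl+0xd7 [d:\nt\base\fs\filtermgr\filter\fltmgr.c @ 5657]
WARNING: Stack unwind information not available. Following frames may be wrong.
b91f4c24 f77a2958 8afc8a18 89fbb1b0 89fbb1b0 radiamsi+0x598
b91f4c3c 8081df85 8afc8a18 89fbb1b0 87d08a48 radiamsi+0x3958
b91f4c50 808f5437 89fbb28c 87d08a48 89fbb1b0 nt!IofCallDriver+0x45
0096ff20 00000000 00000000 00000000 00000000 0x7c82860c
"""

# ChildEBP, RetAddr, three argument dwords, then the frame location.
FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} (?:[0-9a-f]{8} ){3}(?P<loc>\S+)")
# module!symbol+0xoff (symbols loaded) or module+0xoff (no symbols).
LOC = re.compile(r"^(?P<module>[A-Za-z_]\w*)(?:!(?P<symbol>[^+]+))?"
                 r"(?:\+0x(?P<offset>[0-9a-f]+))?$")

def parse_stack(text):
    """Return one dict per frame: module, symbol, offset, reliable."""
    frames, reliable = [], True
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("WARNING: Stack unwind information not available"):
            reliable = False  # the debugger is guessing from this point on
            continue
        m = FRAME.match(line)
        if not m:
            continue
        loc = LOC.match(m.group("loc"))  # None for a bare address such as 0x7c82860c
        off = loc.group("offset") if loc else None
        frames.append({"module": loc.group("module") if loc else None,
                       "symbol": loc.group("symbol") if loc else None,
                       "offset": int(off, 16) if off else None,
                       "reliable": reliable})
    return frames

def modules_in_path(frames):
    """Modules on the call path, innermost first, without repeats."""
    return list(dict.fromkeys(f["module"] for f in frames if f["module"]))

def unsymbolized_modules(frames):
    """Modules the debugger had no symbols for: candidates for closer review."""
    return list(dict.fromkeys(f["module"] for f in frames
                              if f["module"] and f["symbol"] is None))

if __name__ == "__main__":
    parsed = parse_stack(SAMPLE_STACK)
    print("path:", modules_in_path(parsed))
    print("no symbols:", unsymbolized_modules(parsed))
```

SPBBCDrv does not appear in this trace, so a stack-based check like this cannot rule it in or out; that is what the special pool and Driver Verifier steps are for.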
Recommendations
1. Implement Page Heap to identify cause of the heap corruption
KB286470 How to use Pageheap.exe in Windows XP, Windows 2000, and Windows Server 2003
Gflags.exe -r +hpa
2. Implement special pool to locate the driver causing the pool corruption.
KB188831 How to use the special pool feature to isolate pool damage
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
PoolTag REG_DWORD 0x2A
PoolTagOverruns REG_DWORD 0x1
3. Implement Driver Verifier to identify the faulty driver.
KB244617 How to Use Driver Verifier to Troubleshoot Windows Drivers
In particular, enable the following for all drivers (verifier /flags 27):
0 - Special pool checking
1 - Force IRQL checking
3 - Pool tracking
4 - I/O verification
4. Consider upgrading Symantec and OpenView Configuration Management Agent. There are updates for both these products.