Windows Blue Screen Crash and Symantec Antivirus – SYMEVENT.SYS 0x0000007f

A couple of weeks ago I wrote a script called BSODCheck.vbs. This script will remotely check to see if a machine has created a new memory.dmp file. The existence of a new file indicates that a machine has blue screened and crashed.

This script is intended to be run periodically; each run's results are compared against the previous run's results so you know whether a new dump has been created since the script last ran. After using this script for a period of weeks I noticed that some of our servers were crashing for no apparent reason.
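The periodic check described above, written as an added Python example rather than the post's own BSODCheck.vbs: each host's MEMORY.DMP is stat'ed, its (mtime, size) signature is compared with the signature saved by the previous run, and any host whose dump appeared or changed is reported. The path builder (an administrative share such as \\HOST\C$\Windows\MEMORY.DMP) and the host names are constructed assumptions; the demo uses a temporary directory in place of the shares.

```python
# Added example (not the post's BSODCheck.vbs): detect new kernel crash dumps
# across hosts by comparing MEMORY.DMP metadata with the previous run's state.
# Assumes dumps are reachable at e.g. \\HOST\C$\Windows\MEMORY.DMP (constructed).
import json
import os
import tempfile
from pathlib import Path

def dump_signature(dump_path):
    """[mtime, size] of a dump file, or None when the host has no dump.
    A new crash rewrites MEMORY.DMP, so a changed signature means a new
    blue screen since the last run."""
    try:
        st = os.stat(dump_path)
    except FileNotFoundError:
        return None
    return [int(st.st_mtime), st.st_size]   # a list so it round-trips via JSON

def find_new_dumps(previous, current):
    """Hosts whose dump appeared or changed since the previous run."""
    return sorted(host for host, sig in current.items()
                  if sig is not None and previous.get(host) != sig)

def check_fleet(hosts, dump_path_for, state_file):
    """One periodic run: load the last state, scan every host, persist the new
    state and return the hosts that crashed since the previous run."""
    state_path = Path(state_file)
    previous = json.loads(state_path.read_text()) if state_path.exists() else {}
    current = {h: dump_signature(dump_path_for(h)) for h in hosts}
    state_path.write_text(json.dumps(current))
    return find_new_dumps(previous, current)

def demo():
    """Constructed sample: two hosts in a temp dir standing in for UNC shares.
    Returns the results of three consecutive runs."""
    root = tempfile.mkdtemp()
    path_for = lambda h: os.path.join(root, h, "MEMORY.DMP")
    for h in ("srv01", "srv02"):
        os.makedirs(os.path.join(root, h))
    Path(path_for("srv01")).write_bytes(b"PAGEDUMP" * 4)   # srv01 already crashed
    state = os.path.join(root, "bsod_state.json")
    first = check_fleet(["srv01", "srv02"], path_for, state)   # ['srv01']
    second = check_fleet(["srv01", "srv02"], path_for, state)  # [] nothing new
    Path(path_for("srv01")).write_bytes(b"PAGEDUMP" * 8)   # srv01 crashed again
    third = check_fleet(["srv01", "srv02"], path_for, state)   # ['srv01']
    return [first, second, third]

if __name__ == "__main__":
    print(demo())
```

In production, replace `demo()`'s temp directory with a real path builder for your shares and run `check_fleet` from a scheduled task; the JSON state file is what carries the "last run" results between invocations.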

The first step to resolving this issue was to take a look at the dump files themselves. To do that I needed to copy the dump files to a local directory and examine them with a utility called WinDbg. These debugging tools are available free of charge from Microsoft.

After downloading and installing the debugging tools we need to configure WinDbg to use the correct symbol files. This is done by clicking “File -> Symbol File Path … ->” then entering the following text in the “Symbol path:” box.

Now that this is configured I can open the memory.dmp files that I copied off of the machines earlier. That is done by clicking “File -> Open Crash Dump …” and browsing to the location of the memory.dmp file.

After the file has been opened I can analyze the crash with the `!analyze -v` command. That command revealed the following crash dump analysis information:

When we look at crash dumps there is one thing to keep in mind. Even though Microsoft has a bad reputation for being unstable, most of the time the cause of the crash is not related to Microsoft code at all. So 99% of the time we can exclude code created by Microsoft as the likely culprit and look at the third-party drivers loaded in the kernel instead.

In this particular dump analysis we can see that the module that faulted was SYMEVENT.SYS. This file is a driver created by Symantec that is used to scan files for viruses. The stop code fits that: bug check 0x7F with a first parameter of 0x00000008 is a double fault, which on x86 almost always means the kernel stack was exhausted, and a filter driver that intercepts every file access runs on that same limited kernel stack.

I also checked the event log of this machine and it revealed the following stop error:

After Googling for this particular combination of stop error and the faulting module, I found the following link explaining the issue in some detail.

From the article:

Situation:
You install Symantec AntiVirus on a computer that runs Windows 2003/XP/2000/NT. After the installation, the computer unexpectedly restarts or encounters a blue screen with a STOP message similar to the following:

STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
UNEXPECTED_KERNEL_MODE_TRAP

You may see the following message in the Event Log: “Event ID: 1005. Source: SAVRT: Symantec AntiVirus Auto-Protect could not scan file <path><filename> for viruses due to low kernel stack.”

A common configuration for this situation is a Windows 2000 Server with Terminal Services in Remote Administration Mode with a combination of any of the following applications: Symantec AntiVirus Corporate Edition, St. Bernard Open File Manager, Quota Manager, Legato RepliStor, or other “filter drivers” that register with the Kernel Stack.

Solution:
This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.
To fix this problem, do all of the procedures and all of the steps within each procedure. Do the procedures and steps in the order in which they appear.
