Everything posted by cluberti
-
I'm still working on it, but it appears so far that the process is in an actual graceful exit routine, meaning something told the process to exit (and it's already gone off of the stack) - I'm wondering if there is any software on the machine, other than DEP, that is checking or regulating the launching of applications. There are LOTS of 3rd party .dll's loaded in the process I have dumped (notepad) which strikes me that one or more could be a potential issue, but so far it appears the application that called the exit routine (it wasn't notepad) has already closed (or it's being called by a hook into the process by another process, which is actually highly likely here).
-
http://www.autopatcher.com/
-
That's where your problem started. Is there any reason you are using riprep? Most people who have RIS experience will tell you to stay away from riprep like the plague, and automate a risetup image instead. Unless you absolutely NEED to use riprep, I would strongly recommend against it. Otherwise you're going to need to do some hacking of Windows files to get those SATA drivers to work, if they'll even work at all.
-
It's still a driver issue, likely the ethernet driver. When you get a STOP 0xD1, what happened is that a driver attempted to access a page or a set of pages of kernel memory that was paged to disk (likely in kernel paged pool). It did so at an IRQ level of DPC Dispatch (or higher), which will immediately cause a bugcheck, as this is a no-no. Any time something running at a dispatch interrupt level or higher attempts to access kernel memory that is non-resident (paged out), this invokes the scheduler. This is strictly NOT ALLOWED in kernel, and the box will bugcheck. This is NOT a Windows problem, but a driver problem - Windows is crashing to make sure that the kernel doesn't become corrupted due to the invalid access caused by the driver. Contact the vendor to get a driver that doesn't have this problem.
-
A problem with physical memory in xp64
cluberti replied to PatrickEmpire's topic in Windows XP 64 Bit Edition
I would strongly suggest running perfmon with the following Process counters while burning a disc to see exactly what is happening:
Private Bytes
Virtual Bytes
Working Set
Do this for "All Instances" and see what you get - do any processes use a large amount for any of these three counters while you are burning a disc? I'm betting it will be the process for your CD burning software, as it does not happen otherwise. Note that 1GB of RAM on an x64 system is quite low, and you should have at least 2-4GB of RAM at a minimum to achieve optimum performance in Windows XP x64, from personal experience.
-
If you would please, run "~*kb" with the dump loaded, and post the output.
-
There are some issues in using a remote file in the GUI run once portion - if perhaps you made a local file that instead did the same thing, would it work properly in this way?
-
Here are the instructions for configuring userdump to gather information on the notepad.exe process, since you did state the error occurs when starting notepad:
1. Download the userdump executable, located here: http://www.microsoft.com/downloads/details...;DisplayLang=en
2. Double-click the downloaded .exe file to extract the userdump installation files. By default, these will extract to C:\kktools\userdump8.0. Please click "Yes", then "Unzip" to extract the files.
3. Double-click the "setup.exe" file located in C:\kktools\userdump8.0\x86 to install the userdump utility. Please select the defaults when possible, and make certain to select the "Enable dump on process termination" feature when prompted. You may need to reboot the machine at this point for the installation to complete successfully.
4. Create a folder called C:\userdump.
5. Once installed, you will find a new icon in your control panel called "Process Dump". Please open this utility.
6. When the userdump window opens, please click the "New" button.
7. Please enter notepad.exe in the "Application name:" dialog box, and click "OK".
8. Click on the new listing for "notepad.exe", and click the "Rules" button.
9. Select the "Use custom rules" radio button.
10. Type "C:\userdump" (minus the quotes) in the "Dump file folder" dialog box.
11. Click the "All Exceptions" box.
12. Please click the "Dump on Process Termination" box.
13. Click the "OK" button.
14. Click the "Apply" button, then click "OK".
The next time notepad (notepad.exe) crashes, you will now have a .dmp file (or series of .dmp files) in C:\userdump. This will help us determine what caused the process to crash.
-
If the error doesn't happen in safe mode, this means that it's a driver or running application (background or service) causing this. Use msconfig or autoruns (from sysinternals) to disable all non-Microsoft startup items and services, and reboot. See if the problem recurs then - if not, use trial and error to see which service or startup application causes the issue when re-enabled. If you've got all non-Microsoft services and startup items disabled and the issue still occurs, then it's a driver or Data Execution Prevention causing the error.
-
Programs always encountering problems & needs to close
cluberti replied to Sempron's topic in Windows XP
Pick an application to monitor (since you mentioned firefox, let's monitor firefox) and do the following:
1. Download the userdump executable, located here: http://www.microsoft.com/downloads/details...;DisplayLang=en
2. Double-click the downloaded .exe file to extract the userdump installation files. By default, these will extract to C:\kktools\userdump8.0. Please click "Yes", then "Unzip" to extract the files.
3. Double-click the "setup.exe" file located in C:\kktools\userdump8.0\x86 to install the userdump utility. Please select the defaults when possible, and make certain to select the "Enable dump on process termination" feature when prompted. You may need to reboot the machine at this point for the installation to complete successfully.
4. Create a folder called C:\userdump.
5. Once installed, you will find a new icon in your control panel called "Process Dump". Please open this utility.
6. When the userdump window opens, please click the "New" button.
7. Please enter firefox.exe in the "Application name:" dialog box, and click "OK".
8. Click on the new listing for "firefox.exe", and click the "Rules" button.
9. Select the "Use custom rules" radio button.
10. Type "C:\userdump" (minus the quotes) in the "Dump file folder" dialog box.
11. Click the "All Exceptions" box.
12. Please click the "Dump on Process Termination" box.
13. Click the "OK" button.
14. Click the "Apply" button, then click "OK".
The next time firefox.exe crashes, you will now have a .dmp file (or series of .dmp files) in C:\userdump. This will help us determine what caused the process to crash.
-
I think that getting a complete memory dump from the machine the next time the apps start to freeze (but before the keyboard goes south) would be the best way to see if it's hardware or software. Follow these steps to enable complete memory dumps on your machine - note that this requires the use of a PS/2 keyboard, USB keyboards do not work on XP for this process:
1. Create or set the following registry value:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
Value: CrashOnCtrlScroll
Type: REG_DWORD
Data: 1
Refer to the following Knowledge Base article for more information on this registry key:
244139 Windows Feature Allows a Memory.dmp File to Be Generated with Keyboard
http://support.microsoft.com/?id=244139
2. Right-Click on the "My Computer" icon on the desktop and select "Properties"; this will open the "System Properties" window. Go to the "Advanced" tab and click "Performance Options". Click "Change" under "Virtual Memory". Set the pagefile to be located on the partition where the OS is installed, and set it to be equal to Physical RAM + 50 MB.
3. Also in the "System Properties" window, click on the "Advanced" tab, then click "Startup and Recovery". Make sure "Complete Memory Dump" is selected. You can change the location of the memory dump file to a different local partition if you do not have enough room on the partition where the OS is installed.
4. You will need to reboot for these changes to take effect.
5. The next time that the machine starts exhibiting the problems, hold down the RIGHT CTRL key and press the SCROLL LOCK key twice to cause the machine to bugcheck (STOP 0xE2) and create the memory.dmp file.
If this works and the machine generates a complete dump file, it's likely software and not hardware (and analysis of the memory.dmp file that was just generated should pinpoint the culprit). However, if the machine hangs while generating the dump file, we can be quite certain that hardware is at fault.
I believe it will be software, but it is possible there is bad hardware. This should give us a good idea of which to look at as the culprit.
-
Sudden RIS Slowdown/Crash Problem?
cluberti replied to jfield's topic in Unattended RIS Installation
If you're still getting 2019s, let me know and I'll assist you in using a poolmon script to garner the culprit (hint - it's almost always the antivirus). By the way, have you updated symevent.sys on that machine to the latest version? Symevent.sys is Symantec Antivirus' kernel-mode filter driver, and they do update it regularly to deal with issues that arise (including kernel memory usage issues, etc). Also, if you're running Symantec Antivirus, check to see if you have a file on your system called symtdi.sys - if you do, that's the likely culprit. Uninstall the Email Scanning components of SAV to get rid of that little nasty file - it's known to cause kernel memory leaks in nonpaged pool (those 2019s you're getting indicate a leak or a huge increase at intervals in nonpaged pool).
Symevent.sys: http://service1.symantec.com/SUPPORT/ent-s...998092408260848
Symtdi.sys: http://service1.symantec.com/SUPPORT/ent-s...ment&seg=hm
-
Sudden RIS Slowdown/Crash Problem?
cluberti replied to jfield's topic in Unattended RIS Installation
The SYSTEM process is a display of system kernel-level activity, which means it's most likely a driver running in kernel. Since antivirus software filter drivers run in kernel, these are a BIG no-no on a RIS server in general, or at least not against the RIS volume running the SIS-groveler service (also done via a kernel filter driver). A/V on a RIS server saps performance, can cause I/O lockups, system instability, crashes, and other oddball behavior. Again I'll say it - if you run real-time A/V on servers that are heavily used, you WILL eventually have load issues. Especially if you use those nasty /3GB or /PAE switches (or heaven forbid, both at the same time - yuck!).
-
It depends on your agreement with Microsoft, but downgrades are possible with certain volume licensing agreements. If you've got a contract with Microsoft, you should have a TAM you can contact to assist you with this. If not, contact the sales department to get you in touch with someone who can determine your license and whether or not this is permissible, and if so, make it happen for you.
-
Remember that running applications on the system have no concept of virtual and physical memory - everything is controlled by the NT memory manager, and each application will see its own 2GB (or 3GB) "memory" space, which is actually virtual address space mapped to RAM or the paging file by the NT memory manager as required and appropriate. Therefore, if you've got an application (or a set of applications) that request and/or use a large amount of virtual address space, these errors can occur (the memory manager will always try to keep at least 4MB of RAM free at all times, and will allow the use of most or all of the rest of physical RAM if necessary and safe to do so). Remember that the memory manager will ultimately do what an application requests with regards to "memory" allocations and usage, and this can cause problems even if an application only actually uses a fraction of any virtual address space it has requested for running code. There are rules the memory manager follows when determining the memory layout of the system kernel and running apps, and a good resource on this is the book "Windows Internals, 4th Edition" if you really want to know the ins and outs of how this works. Virtual memory errors generally mean a system that is overloaded (and needs more RAM), or an application or set of applications requesting large amounts or using large amounts of virtual address space, which is mapped to virtual memory (the paging file). Ultimately, this will be something you have to address either by adding more physical RAM to lessen the load on virtual memory, or use perfmon to single out the application (or set of applications) using inordinate amounts of virtual address space, and get those updated from the vendor (or replaced, if upgrade or fix is not possible from the vendor).
Again, the most important thing to remember is that even though Windows generates the error, it is not a Windows issue - you either need more RAM or need to resolve the issue(s) in the application(s) running on the system (or both!).
-
I would then suggest running perfmon in the background while your system is running, with the following "Process" counters selected for All Instances:
Virtual Bytes
Private Bytes
Working Set
If you've got any process using an inordinate amount of virtual memory, you should see it here.
-
How to monitor server performance
cluberti replied to Bad boy Warrior's topic in Windows 2000/2003/NT4
Perfmon?
-
You've got it - the next time it happens and the machine restarts, you should have a memory.dmp file in your Windows directory that is the size of physical RAM (or close to it).
-
That STOP 0x7E error is showing some kind of access denied by a kernel-mode thread, so it's possible you have a driver issue. Would you be able to configure your machine for a complete memory dump so it can be analyzed? The memory.dmp file should tell what driver or process is causing the crashes...
-
The issue appears to be in one of three modules, although I suspect that it is going to be caused by sptd.sys or prosync1.sys, since I do know that Daemon Tools (where sptd.sys comes from) has issues when installed on a machine with StarForce (where prosync1.sys comes from, it's some software protection driver, likely installed with a game you have installed for copy protection), so it could be that prosync1.sys causes sptd.sys to terminate, causing csrss.exe to terminate, or the problem is indeed inside sptd.sys. I also see AVG 7 making a pool allocation in the stack right before the issue occurs, so it may be attempting to scan one of these two drivers as well, causing the issue, although it's not as likely as it being a problem with having Daemon tools and StarForce on the same machine - just something to consider. I'd say uninstall your antivirus as a test, and if that does not stop the CSRSS bugchecks, upgrade Daemon tools to the latest version or remove either the StarForce drivers or the Daemon Tools software. I can't help you too much more, as I don't have source access for any of those binaries.

Here's the debug notes, for reference:

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been terminated.
Several processes and threads are necessary for the operation of the system; when they are terminated (for any reason), the system can no longer function.
Arguments:
Arg1: 00000003, Process
Arg2: 8689e610, Terminating object
Arg3: 8689e784, Process image file name
Arg4: 805f9f88, Explanatory message (ascii)

Debugging Details:
------------------
PROCESS_OBJECT: 8689e610
IMAGE_NAME: csrss.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 41107c1f
MODULE_NAME: csrss
FAULTING_MODULE: 4a680000 csrss
PROCESS_NAME: csrss.exe
EXCEPTION_RECORD: f6ddd9d8 -- (.exr 0xfffffffff6ddd9d8)
.exr 0xfffffffff6ddd9d8
ExceptionAddress: 75b76aad (winsrv!wsprintfW)
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 00000000
Parameter[1]: 75b76aad
Parameter[2]: c0000185
Inpage operation failed at 75b76aad, due to I/O error c0000185
EXCEPTION_CODE: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.
DEFAULT_BUCKET_ID: DRIVER_FAULT
ERROR_CODE: (NTSTATUS) 0xc0000006 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The required data was not placed into memory because of an I/O error status of "0x%08lx".
IO_ERROR: (NTSTATUS) 0xc0000185 - The I/O device reported an I/O error.
EXCEPTION_STR: 0xc0000006_c0000185
FAULTING_IP:
winsrv!wsprintfW+0
75b76aad ?? ???
BUGCHECK_STR: 0xF4_IOERR_C0000185
STACK_TEXT:
f6ddd520 8062c359 000000f4 00000003 8689e610 nt!KeBugCheckEx+0x1b
f6ddd544 805f9f46 805f9f88 8689e610 8689e784 nt!PspCatchCriticalBreak+0x75
f6ddd574 804de7ec 8689e858 c0000006 f6ddd9b0 nt!NtTerminateProcess+0x7d
f6ddd574 804ddae1 8689e858 c0000006 f6ddd9b0 nt!KiFastCallEntry+0xf8
f6ddd5f4 8051d696 ffffffff c0000006 f6ddd9f8 nt!ZwTerminateProcess+0x11
f6ddd9b0 805064c2 f6ddd9d8 00000000 f6dddd64 nt!KiDispatchException+0x3a0
f6dddd34 804e206b 0052f240 0052f260 00000000 nt!KiRaiseException+0x175
f6dddd50 804de7ec 0052f240 0052f260 00000000 nt!NtRaiseException+0x31
f6dddd50 75b76aad 0052f240 0052f260 00000000 nt!KiFastCallEntry+0xf8
0052f528 75b7a641 00170c28 75b7aeb0 75b6bf9c winsrv!wsprintfW
0052fe9c 75b7b006 0016a0b8 0000000c 00000001 winsrv!GetHardErrorText+0x733
0052febc 75b7b1d3 00000000 0052feec 00000000 winsrv!UserHardErrorEx+0xe9
0052fed0 75b447a0 00000000 0052feec 00000005 winsrv!UserHardError+0x12
0052fff4 00000000 00000080 00000000 00000000 CSRSRV!CsrApiRequestThread+0x18a

---------

Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055a420
Debug session time: Mon Aug 21 13:22:38.203 2006 (GMT-4)
System Uptime: 0 days 0:31:14.769

!THREAD 868efda8 Cid 04b0.04d0 Teb: 7ffdb000 Win32Thread: e18e3eb0 RUNNING on processor 0
Not impersonating
DeviceMap e1004420
Owning Process 8689e610 Image: csrss.exe
Wait Start TickCount 119985 Ticks: 0
Context Switch Count 1625 LargeStack
UserTime 00:00:00.0171
KernelTime 00:00:00.0078
Win32 Start Address 0x00009321
LPC Server thread working on message Id 9321
Start Address CSRSRV!CsrApiRequestThread (0x75b44616)
Stack Init f6dde000 Current f6ddd6ac Base f6dde000 Limit f6ddb000 Call 0
Priority 13 BasePriority 13 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
f6ddd520 8062c359 000000f4 00000003 8689e610 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo]) (CONV: stdcall)
f6ddd544 805f9f46 805f9f88 8689e610 8689e784 nt!PspCatchCriticalBreak+0x75 (FPO: [Non-Fpo]) (CONV: stdcall)
f6ddd574 804de7ec 8689e858 c0000006 f6ddd9b0 nt!NtTerminateProcess+0x7d (FPO: [Non-Fpo]) (CONV: stdcall)
f6ddd574 804ddae1 8689e858 c0000006 f6ddd9b0 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6ddd584)
f6ddd5f4 8051d696 ffffffff c0000006 f6ddd9f8 nt!ZwTerminateProcess+0x11 (FPO: [2,0,0])
f6ddd9b0 805064c2 f6ddd9d8 00000000 f6dddd64 nt!KiDispatchException+0x3a0 (FPO: [Non-Fpo]) (CONV: stdcall)
f6dddd34 804e206b 0052f240 0052f260 00000000 nt!KiRaiseException+0x175 (FPO: [Non-Fpo]) (CONV: stdcall)
f6dddd50 804de7ec 0052f240 0052f260 00000000 nt!NtRaiseException+0x31
f6dddd50 75b76aad 0052f240 0052f260 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ f6dddd64)
0052f528 75b7a641 00170c28 75b7aeb0 75b6bf9c winsrv!wsprintfW
0052fe9c 75b7b006 0016a0b8 0000000c 00000001 winsrv!GetHardErrorText+0x733 (FPO: [Non-Fpo]) (CONV: stdcall)
0052febc 75b7b1d3 00000000 0052feec 00000000 winsrv!UserHardErrorEx+0xe9 (FPO: [Non-Fpo]) (CONV: stdcall)
0052fed0 75b447a0 00000000 0052feec 00000005 winsrv!UserHardError+0x12 (FPO: [Non-Fpo]) (CONV: stdcall)
0052fff4 00000000 00000080 00000000 00000000 CSRSRV!CsrApiRequestThread+0x18a (FPO: [Non-Fpo]) (CONV: stdcall)

!THREAD 8650c558 Cid 0700.0b08 Teb: 7ff7e000 Win32Thread: 00000000 WAIT: (WrLpcReply) UserMode Non-Alertable
8650c74c Semaphore Limit 0x1
Waiting for reply to LPC MessageId 00003e76:
Current LPC port e351f378
Not impersonating
DeviceMap e1004420
Owning Process 866bf020 Image: svchost.exe
Wait Start TickCount 33371 Ticks: 86614 (0:00:22:33.343)
Context Switch Count 2
UserTime 00:00:00.0000
KernelTime 00:00:00.0000
Win32 Start Address SSDPAPI!GetNotificationLoop (0x74f02555)
Start Address kernel32!BaseThreadStartThunk (0x7c810659)
Stack Init b1210000 Current b120fc50 Base b1210000 Limit b120d000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
Kernel stack not resident.
ChildEBP RetAddr Args to Child
b120fc68 804dc0f7 8650c5c8 8650c558 804dc143 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b120fc74 804dc143 8650c74c 8650c720 8650c558 nt!KiSwapThread+0x46 (FPO: [0,0,0]) (CONV: fastcall)
b120fc9c 8057719a 00000001 00000011 00000001 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) (CONV: stdcall)
b120fd50 804de7ec 00001308 0281d010 0281d010 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo]) (CONV: stdcall)
b120fd50 7c90eb94 00001308 0281d010 0281d010 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b120fd64)
0208fb10 7c90e3ed 77e7c968 00001308 0281d010 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0208fb14 77e7c968 00001308 0281d010 0281d010 ntdll!ZwRequestWaitReplyPort+0xc (FPO: [3,0,0])
0208fb60 77e7a716 0281d048 0208fb80 77e7a747 RPCRT4!LRPC_CCALL::SendReceive+0x228 (FPO: [Non-Fpo]) (CONV: thiscall)
0208fb6c 77e7a747 0208fb9c 74f01830 0208ff78 RPCRT4!I_RpcSendReceive+0x24 (FPO: [Non-Fpo]) (CONV: stdcall)
0208fb80 77ef3675 0208fbc8 0281d05c 00000000 RPCRT4!NdrSendReceive+0x2b (FPO: [Non-Fpo]) (CONV: stdcall)
0208ff5c 74f0500d 74f01830 74f015fc 0208ff78 RPCRT4!NdrClientCall2+0x222 (FPO: [Non-Fpo]) (CONV: cdecl)
0208ff70 74f02586 02823d98 0208ff98 00000000 SSDPAPI!GetNotificationRpc+0x1b (FPO: [Non-Fpo]) (CONV: stdcall)
0208ffb4 7c80b683 02823d98 00000000 00000000 SSDPAPI!GetNotificationLoop+0x31 (FPO: [Non-Fpo]) (CONV: stdcall)
0208ffec 00000000 74f02555 02823d98 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) (CONV: stdcall)

!THREAD 865ed020 Cid 0224.0b00 Teb: 7ffda000 Win32Thread: 00000000 WAIT: (Executive) KernelMode Non-Alertable
b0b23a54 NotificationEvent
IRP List:
8636f008: (0006,0268) Flags: 00000901 Mdl: 8677a6c0
Not impersonating
DeviceMap e1004420
Owning Process 863cb8d8 Image: dfrgntfs.exe
Wait Start TickCount 119731 Ticks: 254 (0:00:00:03.968)
Context Switch Count 758
UserTime 00:00:00.0031
KernelTime 00:00:00.0203
Win32 Start Address DfrgNtfs!DefragThread (0x01016b44)
Start Address kernel32!BaseThreadStartThunk (0x7c810659)
Stack Init b0b24000 Current b0b2399c Base b0b24000 Limit b0b21000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
b0b239b4 804dc0f7 865ed090 865ed020 804dc143 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b0b239c0 804dc143 8636f008 8668b7a8 8668b7a8 nt!KiSwapThread+0x46 (FPO: [0,0,0]) (CONV: fastcall)
b0b239e8 f7223ea8 00000000 00000000 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23a08 f7233fa0 8668b7a8 8636f24c 8636f008 Ntfs!NtfsWaitSync+0x1c (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23a1c f722fd61 8668b7a8 8636f008 86d78100 Ntfs!NtfsVolumeDasdIo+0x5c (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23af8 f7225fbf 8668b7a8 8636f008 00000001 Ntfs!NtfsCommonRead+0x23d (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23b98 f74118a8 86d78020 8636f008 864ace00 Ntfs!NtfsFsdRead+0x22d (FPO: [Non-Fpo]) (CONV: stdcall)
[b]b0b23bc8 804e37f7 86f8a8e0 86d78020 8636f008 sptd+0x148a8[/b]
b0b23c7c 8056a101 8636f24c 8636f008 864ace00 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
b0b23be4 804e37f7 86d79ba8 8636f008 86ec23b8 nt!IopSynchronousServiceTail+0x60 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23c08 f72f1b2f 86ab6428 8636f008 00000000 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
b0b23c1c f72f1ffb b0b23c34 f7a569f0 86f19270 fltmgr!FltpPassThrough+0xf9 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23c4c 804e37f7 86ab6830 8636f008 8636f008 fltmgr!FltpDispatch+0xf3 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23c5c f7a5645c 865ed230 86a33358 8636f008 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
[b]b0b23c90 805714ba 86a3edf0 8636f008 864ace00 avg7rsw!AvgWrapAllocatePoolWithTag+0x6e[/b]
b0b23d38 804de7ec 00000144 00000000 00000000 nt!NtReadFile+0x580 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23d38 7c90eb94 00000144 00000000 00000000 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b0b23d64)
00cbf0c8 7c90e288 7c801999 00000144 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00cbf0cc 7c801999 00000144 00000000 00000000 ntdll!NtReadFile+0xc (FPO: [9,0,0])
00cbf134 0100551b 00000144 0018ac00 00001000 kernel32!ReadFile+0x10d (FPO: [Non-Fpo]) (CONV: stdcall)
00cbf32c 01014f28 00000144 00000043 00000000 DfrgNtfs!DasdReadClusters+0x141 (FPO: [Non-Fpo]) (CONV: stdcall)
00cbf3a8 0101615e 0018ac00 00195d78 00190d68 DfrgNtfs!GetFrs+0x2e8 (FPO: [Non-Fpo]) (CONV: stdcall)
00cbf568 01016c1e 00000000 00000000 774ec8c4 DfrgNtfs!ScanNtfs+0x4f0 (FPO: [Non-Fpo]) (CONV: stdcall)
00cbffb4 7c80b683 00000000 00000000 774ec8c4 DfrgNtfs!DefragThread+0xda (FPO: [Non-Fpo]) (CONV: stdcall)
00cbffec 00000000 01016b44 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) (CONV: stdcall)

Irp is active with 2 stacks 3 is current (= 0x863ad8c8)
Mdl=8677a6c0: No System Buffer: Thread 00000000: Irp is completed. Pending has been returned
cmd flg cl Device File Completion-Context
[ 0, 0] 0 0 00000000 00000000 00000000-00000000
Args: 00000000 00000000 00000000 00000000
[ f, 0] 0 0 86f16a38 00000000 f79f8761-865fb648
[b] \Driver\viasraid prosync1[/b]
Args: 00000000 00000000 00000000 00000000
Notification Event: 00000000
[ f, 0] = IRP_MJ_INTERNAL_DEVICE_CONTROL, IRP_MN_???
File Object: 00000000

lmvm avg7rsw
start end module name
f7a56000 f7a570c0 avg7rsw (deferred)
Image path: \SystemRoot\System32\Drivers\avg7rsw.sys
Image name: avg7rsw.sys
Timestamp: Sun Sep 18 20:09:31 2005 (432E01BB)
CheckSum: 00003D42
ImageSize: 000010C0
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

lmvm sptd
start end module name
f73fd000 f74cd000 sptd (deferred)
Image path: sptd.sys
Image name: sptd.sys
Timestamp: Sat Dec 03 08:59:59 2005 (4391A4DF)
CheckSum: 0009EF44
ImageSize: 000D0000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

lmvm prosync1
start end module name
f79f8000 f79f9b20 prosync1 (deferred)
Image path: prosync1.sys
Image name: prosync1.sys
Timestamp: Sat Sep 06 08:22:06 2003 (3F59D16E)
CheckSum: 00009139
ImageSize: 00001B20
File version: 1.5.0.0
Product version: 3.3.0.0
File flags: 0 (Mask 3F)
File OS: 40000 NT Base
File type: 3.0 Driver
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Protection Technology
ProductName: StarForce Protection System
InternalName: prosync1
OriginalFilename: prosync1.sys
ProductVersion: 3.3
FileVersion: 1.5
FileDescription: StarForce Protection Synchronization Driver
LegalCopyright: © Protection Technology, 2000-2003
Comments: Visit us at www.star-force.com
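
The triage in the post above, as an added example that is not part of the original post: it parses `kb`-style frames and `lmvm` ranges copied from the debug notes, lists stack modules outside an assumed OS module list, and maps raw addresses back to the driver that owns them. The OS module list and all function names are assumptions made for this example.

```python
import re

# Sample input: lines copied from the debugger output quoted in the post.
MODULE_RANGES = """\
f7a56000 f7a570c0 avg7rsw (deferred)
f73fd000 f74cd000 sptd (deferred)
f79f8000 f79f9b20 prosync1 (deferred)
"""
STACK = """\
b0b23b98 f74118a8 86d78020 8636f008 864ace00 Ntfs!NtfsFsdRead+0x22d (FPO: [Non-Fpo]) (CONV: stdcall)
[b]b0b23bc8 804e37f7 86f8a8e0 86d78020 8636f008 sptd+0x148a8[/b]
b0b23c7c 8056a101 8636f24c 8636f008 864ace00 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
b0b23c4c 804e37f7 86ab6830 8636f008 8636f008 fltmgr!FltpDispatch+0xf3 (FPO: [Non-Fpo]) (CONV: stdcall)
b0b23c5c f7a5645c 865ed230 86a33358 8636f008 nt!IopfCallDriver+0x31 (FPO: [0,0,0]) (CONV: fastcall)
[b]b0b23c90 805714ba 86a3edf0 8636f008 864ace00 avg7rsw!AvgWrapAllocatePoolWithTag+0x6e[/b]
b0b23d38 804de7ec 00000144 00000000 00000000 nt!NtReadFile+0x580 (FPO: [Non-Fpo]) (CONV: stdcall)
00cbf134 0100551b 00000144 0018ac00 00001000 kernel32!ReadFile+0x10d (FPO: [Non-Fpo]) (CONV: stdcall)
"""

# Assumption: modules treated as operating-system components for this dump.
OS_MODULES = {"nt", "ntfs", "fltmgr", "ntdll", "kernel32", "rpcrt4", "winsrv", "csrsrv"}

# ChildEBP RetAddr Arg1 Arg2 Arg3 module[!symbol][+0xoffset]
FRAME_RE = re.compile(
    r"^[0-9a-f]{8} (?P<ret>[0-9a-f]{8}) (?:[0-9a-f]{8} ){3}"
    r"(?P<module>\w+)(?:!(?P<symbol>[\w:~<>@?$]+))?(?:\+0x(?P<offset>[0-9a-f]+))?",
    re.IGNORECASE,
)
RANGE_RE = re.compile(r"^(?P<start>[0-9a-f]{8}) (?P<end>[0-9a-f]{8})\s+(?P<name>\w+)", re.IGNORECASE)


def _clean(line):
    """Drop the forum's [b]...[/b] highlighting so the frame regex can match."""
    return line.replace("[b]", "").replace("[/b]", "").strip()


def parse_frames(text):
    """Return one dict per stack frame line; non-frame lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(_clean(line))
        if m:
            frames.append({
                "ret": int(m.group("ret"), 16),
                "module": m.group("module"),
                "symbol": m.group("symbol"),
                "offset": int(m.group("offset"), 16) if m.group("offset") else 0,
            })
    return frames


def parse_ranges(text):
    """Return (start, end, name) tuples from lmvm 'start end module name' rows."""
    ranges = []
    for line in text.splitlines():
        m = RANGE_RE.match(line.strip())
        if m:
            ranges.append((int(m.group("start"), 16), int(m.group("end"), 16), m.group("name")))
    return ranges


def resolve(address, ranges):
    """Map a raw address to (module, offset), or None if no listed module owns it."""
    for start, end, name in ranges:
        if start <= address < end:
            return name, address - start
    return None


def suspect_modules(frames, os_modules=OS_MODULES):
    """Modules on the stack that are not in the OS list, with the reason they stand out."""
    suspects = {}
    for frame in frames:
        if frame["module"].lower() in os_modules:
            continue
        reason = "no symbols resolved" if frame["symbol"] is None else "not in OS module list"
        suspects.setdefault(frame["module"], reason)
    return suspects


def return_address_hits(frames, ranges):
    """Frames whose return address lands inside one of the listed drivers."""
    hits = []
    for frame in frames:
        owner = resolve(frame["ret"], ranges)
        if owner:
            label = frame["module"] + ("!" + frame["symbol"] if frame["symbol"] else "")
            hits.append((label, owner[0], owner[1]))
    return hits


if __name__ == "__main__":
    frames, ranges = parse_frames(STACK), parse_ranges(MODULE_RANGES)
    for name, reason in suspect_modules(frames).items():
        print(f"{name}: {reason}")
    for label, module, offset in return_address_hits(frames, ranges):
        print(f"{label} returns into {module}+0x{offset:x}")
    # Completion routine address from the IRP stack in the same debug notes.
    print("f79f8761 ->", resolve(0xF79F8761, ranges))
```
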
-
Server 2003 Losing shares after reboot
cluberti replied to Gaprofitt's topic in Windows 2000/2003/NT4
Also, is the server service running when the box is rebooted? Are there any errors regarding the shares in the event log? If the server service isn't running, or has an issue when starting, you can see this behavior.
-
Service Control Manager win2003 And This Issue
cluberti replied to zillah's topic in Windows 2000/2003/NT4
Well, my steps should've fixed the DHCP and DCOM errors, but the last error is stating it can't find a file. If you run filemon when trying to start that service (grab it from www.sysinternals.com), do you see what file it is failing to find?
-
Service Control Manager win2003 And This Issue
cluberti replied to zillah's topic in Windows 2000/2003/NT4
1. Click Start > Run and type in "dcomcnfg"
2. Browse to Console Root > Component Services > Computers > My Computer > DCOM Config
3. Right-click on the "netman" object on the right-hand side, and select "Properties"
4. Click the "Security" tab, and select "Customize" under the "Launch and Activation Permissions" section, then click the "Edit" button
5. Click the "Add" button
6. Type "Network Service", then click "OK"
7. Grant the 'Network Service' account in the list 'Allow' permissions for both 'Local Launch' and 'Local Activation' in the permissions list below
Restart your machine, and those errors should go away.
-
MS06-051 cause problem with windows 2k server
cluberti replied to weiyann83's topic in Windows 2000/2003/NT4
Mr Snrub is correct - and I'm aware it's a Microsoft service, I work for them. However, just like dllhost.exe, it's simply a container that can run 3rd party code in a service context - therefore, it's likely you have software installed using the SNMP provider in the OS, and that is what is causing the problem (and as the design of the service is such, it looks to the uninitiated that the service is causing it, which is not correct).
-
MS06-051 cause problem with windows 2k server
cluberti replied to weiyann83's topic in Windows 2000/2003/NT4
What SNMP software is installed? There are some issues with older HP and IBM software containing SNMP components and some of the recent Windows updates - if you are running any software such as this, it'll have to be updated to work properly with the changes the new updates from Microsoft bring about.