If you are following this blog for a long time you probably know about my previous posts related to ISA or TMG crashing and about the fact that 95% of the time is not an issue caused by ISA/TMG. Well, this is just another crash where the first blame goes to ISA/TMG, in this particular case, ISA. The first argument is: is ISA that is triggering the error on event viewer. True statement as we see below:
Event Type: Error Event Source: Microsoft ISA Server 2006 Event Category: None Event ID: 1000 Time: 17:31:40 User: N/A Description: Faulting application wspsrv.exe, version 5.0.5723.516, stamp 4a880d39, faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address 0x1078b242.
Still doesn't mean that it’s an ISA issue though, but I’m okay of looking for help with ISA folks first, it’s normal. If there is a crash we should also have a dump and if we don’t, use DebugDiag (the newer version that I showed yesterday) to attach to the crashed process and get the dump. Let’s see the dump for this particular scenario:
FAULTING_IP: AkrFiltr+b992 1203b992 ?? ??? EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 1203b992 (<Unloaded_AkrFiltr.dll>+0x0000b992) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter: 00000000 Parameter: 1203b992 Attempt to read from address 1203b992
FAULTING_MODULE: 7c800000 ntdll DEBUG_FLR_IMAGE_TIMESTAMP: 48ebaac7 ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 1203b992 READ_ADDRESS: 1203b992
FOLLOWUP_IP: AkrFiltr+b992 1203b992 ?? ??? FAULTING_THREAD: 00000fb0 BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR LAST_CONTROL_TRANSFER: from 00000000 to 1203b992
STACK_TEXT: 123ffc9c 00000000 1204109a 123ffd04 120d2110 <Unloaded_AkrFiltr.dll>+0xb992
FAILED_INSTRUCTION_ADDRESS: AkrFiltr+b992 1203b992 ?? ??? SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: AkrFiltr+b992 FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: AkrFiltr.dll STACK_COMMAND: ~40s; .ecxr ; kb BUCKET_ID: WRONG_SYMBOLS FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_AkrFiltr.dll!Unloaded Followup: MachineOwner
This is a pretty straight forward stack and as a matter of fact a pretty straight forward dump. This module was causing the service to crash due an access violation (c0000005), as a result the whole process was going down. The solution was provided by the third party vendor owner of this module (an update).
For more references about crashes on ISA Server also see:
Good one Yuri
It's similar to a problem I've had between ISA Server and McAfee SmartFilter - uilson76.wordpress.com/.../isa-server-2006-vs-smartfilter-4-2 - in portuguese