Good morning,
We set up a new IIS that we believed to be set up identically to our last
IIS Server. However, the new IIS crashes and restarts several times a day. I
ran iisstate with the following results. Any advice on how to proceed would
be greatly appreciated.

***********************
Starting new log output
IISState version 3.3.1

Mon Apr 02 10:33:38 2007

OS = Windows 2000
Executable: inetinfo.exe
PID = 2772

Note: Thread times are formatted as HH:MM:SS.ms

***********************


IIS has crashed...
Beginning Analysis
DLL (!FunctionName) that failed: ntdll!RtlFreeHeap




Thread ID: 11
System Thread ID: aa4
Kernel Time: 0:0:0.468
User Time: 0:0:0.421
*** WARNING: Unable to verify checksum for C:\Program Files\RSA Security\RSAWebAgent\WebID\IISWebAgentIF.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\RSA Security\RSAWebAgent\WebID\IISWebAgentIF.dll -
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0110fa30 100060c1 ntdll!RtlFreeHeap+0x197
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0110fa4c 100456a1 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0x5071
02 0110fa68 100324f5 IISWebAgentIF!GetFilterVersion+0x155a4
03 0110fa74 100144a6 IISWebAgentIF!GetFilterVersion+0x23f8
04 0110fa90 10023419 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0x13456
05 0110facc 100125cf IISWebAgentIF!CRepositoryAPI::GetVirtualServer_CachePermSettings+0x203
06 0110fae0 10001e20 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0x1157f
07 0110fc18 10030210 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0xdd0
08 0110fc38 100300fa IISWebAgentIF!GetFilterVersion+0x113
09 0110fc70 65f30abe IISWebAgentIF!HttpFilterProc+0x21
0a 0110fca4 65f2d92a w3svc!HTTP_FILTER::NotifyPreProcHeaderFilters+0x4c
0b 0110fcfc 65f026b0 w3svc!HTTP_REQUEST::Parse+0x380
0c 0110fd40 65f025a4 w3svc!HTTP_REQ_BASE::OnCompleteRequest+0x36
0d 0110fd80 65f02501 w3svc!HTTP_REQ_BASE::UnWrapRequest+0x1f4
0e 0110fda0 65f023b8 w3svc!HTTP_REQ_BASE::OnFillClientReq+0x7a
0f 0110ff18 65f01d97 w3svc!HTTP_REQUEST::DoWork+0x99
10 0110ff38 65f047ef w3svc!CLIENT_CONN::DoWork+0x1aa
11 0110ff4c 6d701a22 w3svc!W3Completion+0x43
12 0110ff80 6d7029a6 ISATQ!AtqpProcessContext+0x266
13 0110ffb4 7c57b396 ISATQ!AtqPoolThread+0x1a8
14 0110ffec 00000000 KERNEL32!BaseThreadStart+0x52
Closing open log file C:\iisstate\output\IISState-2772.log
Opened log file 'C:\iisstate\output\IISState-2772.log'

***********************
Starting new log output
IISState version 3.3.1

Mon Apr 02 10:33:41 2007

OS = Windows 2000
Executable: inetinfo.exe
PID = 2772

Note: Thread times are formatted as HH:MM:SS.ms

***********************




Thread ID: 0
System Thread ID: d1c
Kernel Time: 0:0:0.31
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0006f89c 7c586351 ntdll!ZwReadFile+0xb
01 0006f910 7c2dd578 KERNEL32!ReadFile+0x181
02 0006f93c 7c2dd61e ADVAPI32!ObjectCloseAuditAlarmA+0x2f
03 0006f9b8 7c2d1e18 ADVAPI32!ObjectDeleteAuditAlarmW+0x4
04 0006fbf4 01002884 ADVAPI32!`string'
05 0006fd30 01001e94 inetinfo!StartDispatchTable+0x2f1
06 0006ff70 01002fbf inetinfo!main+0x654
07 0006ffc0 7c5989a5 inetinfo!mainCRTStartup+0xff
08 0006fff0 00000000 KERNEL32!BaseProcessStart+0x3d




Thread ID: 1
System Thread ID: cc8
Kernel Time: 0:0:0.187
User Time: 0:0:0.62
Thread Type: Other
# ChildEBP RetAddr
00 005dfd1c 7c59a072 ntdll!ZwWaitForSingleObject+0xb
01 005dfd44 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
02 005dfd54 6e6f1685 KERNEL32!WaitForSingleObject+0xf
03 005dfd70 01002440 iisadmin!ServiceEntry+0x156
04 005dffa4 7c2dcf43 inetinfo!InetinfoStartService+0x2bd
05 005dffec 00000000 ADVAPI32!AccessCheckByTypeResultListAndAuditAlarmByHandleW+0x2f




Thread ID: 2
System Thread ID: 6dc
Kernel Time: 0:0:0.109
User Time: 0:0:0.46
Thread Type: Other
# ChildEBP RetAddr
00 0071fe5c 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 0071feac 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 0071ff08 77e41706 USER32!__ClientExtTextOutW+0x3f
03 0071ff24 6e5a5a7c USER32!__ClientGetTextExtentPointW+0x48
04 0071ff78 78008593 IisRTL!SchedulerWorkerThread+0xa7
05 0071ffb4 7c57b396 MSVCRT!_endthreadex+0x98
06 0071ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 3
System Thread ID: a80
Kernel Time: 0:0:0.93
User Time: 0:0:0.15
Thread Type: Other
# ChildEBP RetAddr
00 0075fe5c 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 0075feac 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 0075ff08 77e41706 USER32!__ClientExtTextOutW+0x3f
03 0075ff24 6e5a5a7c USER32!__ClientGetTextExtentPointW+0x48
04 0075ff78 78008593 IisRTL!SchedulerWorkerThread+0xa7
05 0075ffb4 7c57b396 MSVCRT!_endthreadex+0x98
06 0075ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 4
System Thread ID: b00
Kernel Time: 0:0:0.93
User Time: 0:0:0.62
Thread Type: Other
# ChildEBP RetAddr
00 0079fe5c 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 0079feac 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 0079ff08 77e41706 USER32!__ClientExtTextOutW+0x3f
03 0079ff24 6e5a5a7c USER32!__ClientGetTextExtentPointW+0x48
04 0079ff78 78008593 IisRTL!SchedulerWorkerThread+0xa7
05 0079ffb4 7c57b396 MSVCRT!_endthreadex+0x98
06 0079ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 5
System Thread ID: b50
Kernel Time: 0:0:0.93
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 007dfe5c 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 007dfeac 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 007dff08 77e41706 USER32!__ClientExtTextOutW+0x3f
03 007dff24 6e5a5a7c USER32!__ClientGetTextExtentPointW+0x48
04 007dff78 78008593 IisRTL!SchedulerWorkerThread+0xa7
05 007dffb4 7c57b396 MSVCRT!_endthreadex+0x98
06 007dffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 6
System Thread ID: ad8
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 00c2fe24 77d595d9 ntdll!ZwReplyWaitReceivePortEx+0xb
01 00c2ff74 77d58e4a RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x74
02 00c2ff78 77d3aeed RPCRT4!RecvLotsaCallsWrapper+0x9
03 00c2ffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0x4f
04 00c2ffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
05 00c2ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 7
System Thread ID: 9f0
Kernel Time: 0:0:0.437
User Time: 0:0:0.46
Thread Type: Other
# ChildEBP RetAddr
00 00ebfc1c 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 00ebfc6c 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 00ebfcc8 77e41706 USER32!__ClientExtTextOutW+0x3f
03 00ebfce4 769c71e0 USER32!__ClientGetTextExtentPointW+0x48
04 00ebfd30 65f0cfd8 INFOCOMM!IIS_SERVICE::StartServiceOperation+0x209
05 00ebfd70 01002440 w3svc!ServiceEntry+0x1b5
06 00ebffa4 7c2dcf43 inetinfo!InetinfoStartService+0x2bd
07 00ebffec 00000000 ADVAPI32!AccessCheckByTypeResultListAndAuditAlarmByHandleW+0x2f




Thread ID: 8
System Thread ID: ac8
Kernel Time: 0:0:0.156
User Time: 0:0:0.31
Thread Type: SMTP Service Worker Thread
# ChildEBP RetAddr
00 00effc1c 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 00effc6c 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 00effcc8 77e41706 USER32!__ClientExtTextOutW+0x3f
03 00effce4 769c71e0 USER32!__ClientGetTextExtentPointW+0x48
04 00effd30 6b561a78 INFOCOMM!IIS_SERVICE::StartServiceOperation+0x209
05 00effd70 01002440 SMTPSVC!ServiceEntry+0x136
06 00efffa4 7c2dcf43 inetinfo!InetinfoStartService+0x2bd
07 00efffec 00000000 ADVAPI32!AccessCheckByTypeResultListAndAuditAlarmByHandleW+0x2f




Thread ID: 9
System Thread ID: ac4
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0108ff5c 7c585433 ntdll!NtRemoveIoCompletion+0xb
01 0108ff88 6d7029ef KERNEL32!GetQueuedCompletionStatus+0x27
02 0108ffb4 7c57b396 ISATQ!I_AtqOplockThreadFunc+0x32
03 0108ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 10
System Thread ID: ab0
Kernel Time: 0:0:0.203
User Time: 0:0:0.281
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 010cff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
01 010cff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
02 010cffb4 7c57b396 ISATQ!AtqPoolThread+0x40
03 010cffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 11
System Thread ID: aa4
Kernel Time: 0:0:0.468
User Time: 0:0:0.421
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0110fa30 100060c1 ntdll!RtlFreeHeap+0x197
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0110fa4c 100456a1 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0x5071
02 0110fa68 100324f5 IISWebAgentIF!GetFilterVersion+0x155a4
03 0110fa74 100144a6 IISWebAgentIF!GetFilterVersion+0x23f8
04 0110fa90 10023419 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0x13456
05 0110facc 100125cf IISWebAgentIF!CRepositoryAPI::GetVirtualServer_CachePermSettings+0x203
06 0110fae0 10001e20 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0x1157f
07 0110fc18 10030210 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0xdd0
08 0110fc38 100300fa IISWebAgentIF!GetFilterVersion+0x113
09 0110fc70 65f30abe IISWebAgentIF!HttpFilterProc+0x21
0a 0110fca4 65f2d92a w3svc!HTTP_FILTER::NotifyPreProcHeaderFilters+0x4c
0b 0110fcfc 65f026b0 w3svc!HTTP_REQUEST::Parse+0x380
0c 0110fd40 65f025a4 w3svc!HTTP_REQ_BASE::OnCompleteRequest+0x36
0d 0110fd80 65f02501 w3svc!HTTP_REQ_BASE::UnWrapRequest+0x1f4
0e 0110fda0 65f023b8 w3svc!HTTP_REQ_BASE::OnFillClientReq+0x7a
0f 0110ff18 65f01d97 w3svc!HTTP_REQUEST::DoWork+0x99
10 0110ff38 65f047ef w3svc!CLIENT_CONN::DoWork+0x1aa
11 0110ff4c 6d701a22 w3svc!W3Completion+0x43
12 0110ff80 6d7029a6 ISATQ!AtqpProcessContext+0x266
13 0110ffb4 7c57b396 ISATQ!AtqPoolThread+0x1a8
14 0110ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 12
System Thread ID: aa8
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 0128feb8 7c585433 ntdll!NtRemoveIoCompletion+0xb
01 0128fee4 77d818ff KERNEL32!GetQueuedCompletionStatus+0x27
02 0128ff20 77d51484 RPCRT4!COMMON_ProcessCalls+0x9e
03 0128ff74 77d512bd RPCRT4!LOADABLE_TRANSPORT::ProcessIOEvents+0x99
04 0128ff78 77d3aeed RPCRT4!ProcessIOEventsWrapper+0x9
05 0128ffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0x4f
06 0128ffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
07 0128ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 13
System Thread ID: a9c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0161fd20 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 0161fd70 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
02 0161fd88 778322b2 KERNEL32!WaitForMultipleObjects+0x17
03 0161ffb4 7c57b396 RTUTILS!TraceServerThread+0xde
04 0161ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 14
System Thread ID: a98
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0165ff20 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 0165ff70 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
02 0165ff88 701224fa KERNEL32!WaitForMultipleObjects+0x17
03 0165ffb4 7c57b396 exstrace!RegNotifyThread+0x6f
04 0165ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 15
System Thread ID: 9e8
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0169ff24 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 0169ff74 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
02 0169ff8c 70121e6a KERNEL32!WaitForMultipleObjects+0x17
03 0169ffb4 7c57b396 exstrace!WriteTraceThread+0x2f
04 0169ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 16
System Thread ID: a84
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 0189ff64 7c59a072 ntdll!ZwWaitForSingleObject+0xb
01 0189ff8c 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
02 0189ff9c 6ff2841e KERNEL32!WaitForSingleObject+0xf
03 0189ffb4 7c57b396 FCACHDLL!CScheduleThread::ScheduleThread+0x22
04 0189ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 17
System Thread ID: a78
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: SMTP Service Worker Thread
# ChildEBP RetAddr
00 019dff18 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 019dff68 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
02 019dff80 6b57b026 KERNEL32!WaitForMultipleObjects+0x17
03 019dffb4 7c57b396 SMTPSVC!TcpRegNotifyThread+0x136
04 019dffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 18
System Thread ID: 968
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: SMTP Service Worker Thread
# ChildEBP RetAddr
00 01a1ff68 7c59a072 ntdll!ZwWaitForSingleObject+0xb
01 01a1ff90 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
02 01a1ffa0 6b57ae5a KERNEL32!WaitForSingleObject+0xf
03 01a1ffb4 7c57b396 SMTPSVC!FreeLibThread+0x1d
04 01a1ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 19
System Thread ID: 948
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: HTTP Compression Thread
# ChildEBP RetAddr
00 01adff5c 7c59a072 ntdll!ZwWaitForSingleObject+0xb
01 01adff84 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
02 01adff94 732c3366 KERNEL32!WaitForSingleObject+0xf
03 01adffb4 7c57b396 compfilt!CompressionThread+0x29
04 01adffc0 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 20
System Thread ID: 92c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINNT\system32\sdmsg.dll -
Thread Type: Other
# ChildEBP RetAddr
00 01c5ff58 7c2f0020 ntdll!ZwNotifyChangeKey+0xb
01 01c5ff94 67de1017 ADVAPI32!LsapApiConvertPrivilegesToRights+0xb2
WARNING: Stack unwind information not available. Following frames may be wrong.
02 01c5ffec 00000000 sdmsg+0x1017




Thread ID: 21
System Thread ID: 9bc
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINNT\system32\ACECLNT.dll -
Thread Type: Other
# ChildEBP RetAddr
00 01ebff00 7c59a072 ntdll!ZwWaitForSingleObject+0xb
01 01ebff28 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
02 01ebff38 67fd4a6b KERNEL32!WaitForSingleObject+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
03 01ebff80 67fe12a5 ACECLNT!AceShutdown+0x2377
04 01ebffb4 7c57b396 ACECLNT!AceCloseAuth+0x69a7
05 01ebffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 22
System Thread ID: a90
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 01efff30 7c59a072 ntdll!ZwWaitForSingleObject+0xb
01 01efff58 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
02 01efff68 67fd4a6b KERNEL32!WaitForSingleObject+0xf
WARNING: Stack unwind information not available. Following frames may be wrong.
03 01efffb4 7c57b396 ACECLNT!AceShutdown+0x2377
04 01efffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 23
System Thread ID: bec
Kernel Time: 0:0:0.15
User Time: 0:0:0.15
Thread Type: Other
# ChildEBP RetAddr
00 01f3fe70 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 01f3fec0 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 01f3ff1c 77e41706 USER32!__ClientExtTextOutW+0x3f
03 01f3ff38 65f09ccb USER32!__ClientGetTextExtentPointW+0x48
04 01f3ff7c 78008454 w3svc!CMTACallbackThread::Thread+0x42
05 01f3ffb4 7c57b396 MSVCRT!_endthread+0xc6
06 01f3ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 24
System Thread ID: d74
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 01f7fea8 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 01f7fef8 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
02 01f7ff54 77e41706 USER32!__ClientExtTextOutW+0x3f
03 01f7ff70 65f09d47 USER32!__ClientGetTextExtentPointW+0x48
04 01f7ffb4 7c57b396 w3svc!OleHackThread+0x88
05 01f7ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 25
System Thread ID: cfc
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 01fffce0 74fd1394 ntdll!ZwWaitForSingleObject+0xb
01 01fffd1c 74fd3c59 msafd!SockWaitForSingleObject+0x1a8
02 01fffe08 750312f5 msafd!WSPSelect+0x24e
03 01fffe6c 6e2b3b6e WS2_32!select+0xe7
04 01ffffb4 7c57b396 inetsloc!SocketListenThread+0x51
05 01ffffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 26
System Thread ID: d08
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made

# ChildEBP RetAddr
00 0203fe24 77d595d9 ntdll!ZwReplyWaitReceivePortEx+0xb
01 0203ff74 77d58e4a RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x74
02 0203ff78 77d3aeed RPCRT4!RecvLotsaCallsWrapper+0x9
03 0203ffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0x4f
04 0203ffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
05 0203ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 27
System Thread ID: d90
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0207fdfc 74fd1394 ntdll!ZwWaitForSingleObject+0xb
01 0207fe38 74fd3c59 msafd!SockWaitForSingleObject+0x1a8
02 0207ff24 750312f5 msafd!WSPSelect+0x24e
03 0207ff88 6d7075bd WS2_32!select+0xe7
04 0207ffb0 6d70791b ISATQ!ATQ_BMON_SET::BmonThreadFunc+0x22
05 0207ffb4 7c57b396 ISATQ!BmonThreadFunc+0x9
06 0207ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 28
System Thread ID: aec
Kernel Time: 0:0:0.62
User Time: 0:0:0.31
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0256ff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
01 0256ff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
02 0256ffb4 7c57b396 ISATQ!AtqPoolThread+0x40
03 0256ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 29
System Thread ID: 408
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Idle ASP thread
# ChildEBP RetAddr
00 025bff08 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
01 025bff58 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
02 025bff70 787f67ee KERNEL32!WaitForMultipleObjects+0x17
03 025bffb4 7c57b396 comsvcs!CEventDispatcher::PushEvents+0x4e
04 025bffc0 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 30
System Thread ID: 958
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

Remote call is either to a MTA object or object not initialized. Also, possible utility thread.
DCOM call being made to Process ID: 3300
Waiting on thread id: ffffffff

# ChildEBP RetAddr
00 025ffb68 77d4f214 ntdll!NtRequestWaitReplyPort+0xb
01 025ffb94 77d3b7a6 RPCRT4!LRPC_CCALL::SendReceive+0x124
02 025ffba0 7cef6bee RPCRT4!I_RpcSendReceive+0x2c
03 025ffbc0 7cef6ab9 ole32!ThreadSendReceive+0xef
04 025ffbd8 7cef3ab6 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x14f
05 025ffc18 7cef692d ole32!CRpcChannelBuffer::SendReceive2+0x96
06 025ffc28 7ce3cc2d ole32!CRpcChannelBuffer::SendReceive+0x11
07 025ffc88 7ce87f7f ole32!CAptRpcChnl::SendReceive+0xa9
08 025ffce0 77d91337 ole32!CCtxComChnl::SendReceive+0x124
09 025ffcfc 77d93b47 RPCRT4!NdrProxySendReceive+0x4c
0a 025fff44 77d96f9c RPCRT4!NdrClientCall2+0x4f5
0b 025fff60 77d792ab RPCRT4!ObjectStublessClient+0x76
0c 025fff70 787f6732 RPCRT4!ObjectStubless+0xf
0d 025fffb4 7c57b396 comsvcs!CEventDispatcher::GetEventServerInfoThread+0x152
0e 025fffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 31
System Thread ID: d20
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Idle ASP thread
# ChildEBP RetAddr
00 0268fd54 7c59a072 ntdll!ZwWaitForSingleObject+0xb
01 0268fd7c 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
02 0268fd8c 7878e785 KERNEL32!WaitForSingleObject+0xf
03 0268ffb4 7c57b396 comsvcs!PingThread+0xf5
04 0268ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 32
System Thread ID: a7c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 026dff88 7cdf4a9b ntdll!ZwWaitForMultipleObjects+0xb
01 026dffb4 7c57b396 NETAPI32!NetbiosWaiter+0x71
02 026dffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 33
System Thread ID: 750
Kernel Time: 0:0:0.93
User Time: 0:0:0.125
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0273ff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
01 0273ff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
02 0273ffb4 7c57b396 ISATQ!AtqPoolThread+0x40
03 0273ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 34
System Thread ID: 964
Kernel Time: 0:0:0.0
User Time: 0:0:0.31
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0277ff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
01 0277ff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
02 0277ffb4 7c57b396 ISATQ!AtqPoolThread+0x40
03 0277ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 35
System Thread ID: d64
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made
# ChildEBP RetAddr
00 0325ff74 77d3af61 ntdll!ZwDelayExecution+0xb
01 0325ffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0xc3
02 0325ffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
03 0325ffec 00000000 KERNEL32!BaseThreadStart+0x52




Thread ID: 36
System Thread ID: 67c
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Other
# ChildEBP RetAddr
00 03d2ff48 7757932f ntdll!ZwWaitForMultipleObjects+0xb
01 03d2ffb4 7c57b396 WINMM!timeThread+0x73
02 03d2ffc0 0110e890 KERNEL32!BaseThreadStart+0x52
WARNING: Frame IP not in any known module. Following frames may be wrong.
03 606e7da8 f8830cc4 0x110e890
04 8318558b 00000000 0xf8830cc4




Thread ID: 37
System Thread ID: d24
Kernel Time: 0:0:0.0
User Time: 0:0:0.0
Thread Type: Possible ASP page. Possible DCOM activity
Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
Continuing with other analysis.

No remote call being made
# ChildEBP RetAddr
00 044ffe24 77d595d9 ntdll!ZwReplyWaitReceivePortEx+0xb
01 044fff74 77d58e4a RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x74
02 044fff78 77d3afbd RPCRT4!RecvLotsaCallsWrapper+0x9
03 044fffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0x11f
04 044fffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
05 044fffec 00000000 KERNEL32!BaseThreadStart+0x52

Closing open log file C:\iisstate\output\IISState-2772.log
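
One way to triage IISState output like the log in the post above, as an added example that is not part of the original thread: it finds the thread whose top frame is the function IISState reports as failed, then names the first non-platform module below it and the point where IIS called into that module. The `PLATFORM` module set and the abbreviated sample log are assumptions made for this example.

```python
import re

# Constructed sample: a crash section in the IISState format shown above,
# abbreviated to a few frames, with one frame wrapped across two lines the
# way mail and news clients often wrap such output.
SAMPLE_LOG = r"""
IIS has crashed...
Beginning Analysis
DLL (!FunctionName) that failed: ntdll!RtlFreeHeap

Thread ID: 11
System Thread ID: aa4
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\RSA Security\RSAWebAgent\WebID\IISWebAgentIF.dll -
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 0110fa30 100060c1 ntdll!RtlFreeHeap+0x197
WARNING: Stack unwind information not available. Following frames may be
wrong.
01 0110fa4c 100456a1 IISWebAgentIF!CReadWriteDLL::~CReadWriteDLL+0x5071
05 0110facc 100125cf IISWebAgentIF!
CRepositoryAPI::GetVirtualServer_CachePermSettings+0x203
09 0110fc70 65f30abe IISWebAgentIF!HttpFilterProc+0x21
0a 0110fca4 65f2d92a w3svc!HTTP_FILTER::NotifyPreProcHeaderFilters+0x4c
14 0110ffec 00000000 KERNEL32!BaseThreadStart+0x52

Thread ID: 10
System Thread ID: ab0
Thread Type: HTTP Listener
# ChildEBP RetAddr
00 010cff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
01 010cff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
02 010cffb4 7c57b396 ISATQ!AtqPoolThread+0x40
03 010cffec 00000000 KERNEL32!BaseThreadStart+0x52
"""

# Assumption: modules treated as Windows/IIS platform code. The names are ones
# visible in this log; extend the set for other servers.
PLATFORM = {"ntdll", "kernel32", "advapi32", "user32", "rpcrt4", "ole32",
            "msvcrt", "w3svc", "isatq", "infocomm", "inetinfo", "iisrtl",
            "iisadmin", "ws2_32", "msafd", "comsvcs"}

# Frame line: index, ChildEBP, RetAddr, then module!symbol+offset.
FRAME_RE = re.compile(r"^[0-9a-f]{2} [0-9a-f]{8} [0-9a-f]{8} (\S.*)$")


def parse_threads(log):
    """Return {thread_id: [(module, symbol, reliable), ...]} in stack order."""
    threads, frames, reliable, pending = {}, None, True, None
    for line in (raw.strip() for raw in log.splitlines()):
        m = re.match(r"Thread ID: (\d+)$", line)
        if m:
            tid = int(m.group(1))
            # IISState prints the crashing thread twice; keep the first copy.
            frames = [] if tid in threads else threads.setdefault(tid, [])
            reliable, pending = True, None
        elif frames is None:
            continue
        elif line.startswith("WARNING: Stack unwind information not available"):
            reliable = False          # frames below were resolved without symbols
        elif pending is not None and line:
            frames.append((pending, line, reliable))   # rejoin a wrapped frame
            pending = None
        elif (m := FRAME_RE.match(line)):
            text = m.group(1)
            if "!" not in text:       # e.g. "sdmsg+0x1017" or a bare address
                frames.append((text.split("+")[0], "", reliable))
            elif text.endswith("!"):  # symbol continues on the next line
                pending = text[:-1]
            else:
                module, _, symbol = text.partition("!")
                frames.append((module, symbol, reliable))
    return threads


def triage(log):
    """Name the first non-platform module on the crashing thread's stack."""
    failed = re.search(r"DLL \(!FunctionName\) that failed: (\S+)", log)
    if not failed:
        return None
    for tid, frames in parse_threads(log).items():
        if not frames or not "!".join(frames[0][:2]).startswith(failed.group(1)):
            continue
        result = {"thread": tid, "failed_in": failed.group(1), "suspect": None}
        suspects = [f for f in frames if f[0].lower() not in PLATFORM]
        if not suspects:
            return result
        module = suspects[0][0]
        last = max(i for i, f in enumerate(frames) if f[0] == module)
        host = frames[last + 1] if last + 1 < len(frames) else None
        # A fault inside RtlFreeHeap means the heap was already damaged when
        # this caller freed a block; the caller is the lead suspect, not proof.
        result.update(suspect=module,
                      symbols_reliable=suspects[0][2],
                      entry_point=frames[last][1],
                      host_caller="!".join(host[:2]) if host else None)
        return result
    return None


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
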

Re: IIS Resets itself several times each day by Ken

Ken
Mon Apr 02 21:50:49 CDT 2007

Seems like a bug in IISWebAgentIF.dll

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken


"Richard Haskell" <rhaskell@nospam.com> wrote in message
news:6e6839d9f3b24a5eb458f2e7d55326bf@ureader.com...
> Good morning,
> We set up a new IIS that we believed to be set up identically to our last
> IIS Server. However, the new IIS crashes and restarts several times a day. I
> ran iisstate with the following results. Any advice on how to proceed would
> be greatly appreciated.
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 0165ff20 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
> 01 0165ff70 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
> 02 0165ff88 701224fa KERNEL32!WaitForMultipleObjects+0x17
> 03 0165ffb4 7c57b396 exstrace!RegNotifyThread+0x6f
> 04 0165ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 15
> System Thread ID: 9e8
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 0169ff24 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
> 01 0169ff74 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
> 02 0169ff8c 70121e6a KERNEL32!WaitForMultipleObjects+0x17
> 03 0169ffb4 7c57b396 exstrace!WriteTraceThread+0x2f
> 04 0169ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 16
> System Thread ID: a84
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 0189ff64 7c59a072 ntdll!ZwWaitForSingleObject+0xb
> 01 0189ff8c 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
> 02 0189ff9c 6ff2841e KERNEL32!WaitForSingleObject+0xf
> 03 0189ffb4 7c57b396 FCACHDLL!CScheduleThread::ScheduleThread+0x22
> 04 0189ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 17
> System Thread ID: a78
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: SMTP Service Worker Thread
> # ChildEBP RetAddr
> 00 019dff18 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
> 01 019dff68 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
> 02 019dff80 6b57b026 KERNEL32!WaitForMultipleObjects+0x17
> 03 019dffb4 7c57b396 SMTPSVC!TcpRegNotifyThread+0x136
> 04 019dffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 18
> System Thread ID: 968
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: SMTP Service Worker Thread
> # ChildEBP RetAddr
> 00 01a1ff68 7c59a072 ntdll!ZwWaitForSingleObject+0xb
> 01 01a1ff90 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
> 02 01a1ffa0 6b57ae5a KERNEL32!WaitForSingleObject+0xf
> 03 01a1ffb4 7c57b396 SMTPSVC!FreeLibThread+0x1d
> 04 01a1ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 19
> System Thread ID: 948
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: HTTP Compression Thread
> # ChildEBP RetAddr
> 00 01adff5c 7c59a072 ntdll!ZwWaitForSingleObject+0xb
> 01 01adff84 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
> 02 01adff94 732c3366 KERNEL32!WaitForSingleObject+0xf
> 03 01adffb4 7c57b396 compfilt!CompressionThread+0x29
> 04 01adffc0 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 20
> System Thread ID: 92c
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINNT\system32\sdmsg.dll -
> Thread Type: Other
> # ChildEBP RetAddr
> 00 01c5ff58 7c2f0020 ntdll!ZwNotifyChangeKey+0xb
> 01 01c5ff94 67de1017 ADVAPI32!LsapApiConvertPrivilegesToRights+0xb2
> WARNING: Stack unwind information not available. Following frames may be wrong.
> 02 01c5ffec 00000000 sdmsg+0x1017
>
>
>
>
> Thread ID: 21
> System Thread ID: 9bc
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINNT\system32\ACECLNT.dll -
> Thread Type: Other
> # ChildEBP RetAddr
> 00 01ebff00 7c59a072 ntdll!ZwWaitForSingleObject+0xb
> 01 01ebff28 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
> 02 01ebff38 67fd4a6b KERNEL32!WaitForSingleObject+0xf
> WARNING: Stack unwind information not available. Following frames may be wrong.
> 03 01ebff80 67fe12a5 ACECLNT!AceShutdown+0x2377
> 04 01ebffb4 7c57b396 ACECLNT!AceCloseAuth+0x69a7
> 05 01ebffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 22
> System Thread ID: a90
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 01efff30 7c59a072 ntdll!ZwWaitForSingleObject+0xb
> 01 01efff58 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
> 02 01efff68 67fd4a6b KERNEL32!WaitForSingleObject+0xf
> WARNING: Stack unwind information not available. Following frames may be wrong.
> 03 01efffb4 7c57b396 ACECLNT!AceShutdown+0x2377
> 04 01efffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 23
> System Thread ID: bec
> Kernel Time: 0:0:0.15
> User Time: 0:0:0.15
> Thread Type: Other
> # ChildEBP RetAddr
> 00 01f3fe70 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
> 01 01f3fec0 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
> 02 01f3ff1c 77e41706 USER32!__ClientExtTextOutW+0x3f
> 03 01f3ff38 65f09ccb USER32!__ClientGetTextExtentPointW+0x48
> 04 01f3ff7c 78008454 w3svc!CMTACallbackThread::Thread+0x42
> 05 01f3ffb4 7c57b396 MSVCRT!_endthread+0xc6
> 06 01f3ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 24
> System Thread ID: d74
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 01f7fea8 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
> 01 01f7fef8 77e4169f KERNEL32!WaitForMultipleObjectsEx+0xea
> 02 01f7ff54 77e41706 USER32!__ClientExtTextOutW+0x3f
> 03 01f7ff70 65f09d47 USER32!__ClientGetTextExtentPointW+0x48
> 04 01f7ffb4 7c57b396 w3svc!OleHackThread+0x88
> 05 01f7ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 25
> System Thread ID: cfc
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 01fffce0 74fd1394 ntdll!ZwWaitForSingleObject+0xb
> 01 01fffd1c 74fd3c59 msafd!SockWaitForSingleObject+0x1a8
> 02 01fffe08 750312f5 msafd!WSPSelect+0x24e
> 03 01fffe6c 6e2b3b6e WS2_32!select+0xe7
> 04 01ffffb4 7c57b396 inetsloc!SocketListenThread+0x51
> 05 01ffffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 26
> System Thread ID: d08
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Possible ASP page. Possible DCOM activity
> Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
> Continuing with other analysis.
>
> No remote call being made
>
> # ChildEBP RetAddr
> 00 0203fe24 77d595d9 ntdll!ZwReplyWaitReceivePortEx+0xb
> 01 0203ff74 77d58e4a RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x74
> 02 0203ff78 77d3aeed RPCRT4!RecvLotsaCallsWrapper+0x9
> 03 0203ffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0x4f
> 04 0203ffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
> 05 0203ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 27
> System Thread ID: d90
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: HTTP Listener
> # ChildEBP RetAddr
> 00 0207fdfc 74fd1394 ntdll!ZwWaitForSingleObject+0xb
> 01 0207fe38 74fd3c59 msafd!SockWaitForSingleObject+0x1a8
> 02 0207ff24 750312f5 msafd!WSPSelect+0x24e
> 03 0207ff88 6d7075bd WS2_32!select+0xe7
> 04 0207ffb0 6d70791b ISATQ!ATQ_BMON_SET::BmonThreadFunc+0x22
> 05 0207ffb4 7c57b396 ISATQ!BmonThreadFunc+0x9
> 06 0207ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 28
> System Thread ID: aec
> Kernel Time: 0:0:0.62
> User Time: 0:0:0.31
> Thread Type: HTTP Listener
> # ChildEBP RetAddr
> 00 0256ff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
> 01 0256ff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
> 02 0256ffb4 7c57b396 ISATQ!AtqPoolThread+0x40
> 03 0256ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 29
> System Thread ID: 408
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Idle ASP thread
> # ChildEBP RetAddr
> 00 025bff08 7c59a23d ntdll!ZwWaitForMultipleObjects+0xb
> 01 025bff58 7c59a150 KERNEL32!WaitForMultipleObjectsEx+0xea
> 02 025bff70 787f67ee KERNEL32!WaitForMultipleObjects+0x17
> 03 025bffb4 7c57b396 comsvcs!CEventDispatcher::PushEvents+0x4e
> 04 025bffc0 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 30
> System Thread ID: 958
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Possible ASP page. Possible DCOM activity
> Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
> Continuing with other analysis.
>
> Remote call is either to a MTA object or object not initialized. Also,
> possible utility thread.
> DCOM call being made to Process ID: 3300
> Waiting on thread id: ffffffff
>
> # ChildEBP RetAddr
> 00 025ffb68 77d4f214 ntdll!NtRequestWaitReplyPort+0xb
> 01 025ffb94 77d3b7a6 RPCRT4!LRPC_CCALL::SendReceive+0x124
> 02 025ffba0 7cef6bee RPCRT4!I_RpcSendReceive+0x2c
> 03 025ffbc0 7cef6ab9 ole32!ThreadSendReceive+0xef
> 04 025ffbd8 7cef3ab6 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0x14f
> 05 025ffc18 7cef692d ole32!CRpcChannelBuffer::SendReceive2+0x96
> 06 025ffc28 7ce3cc2d ole32!CRpcChannelBuffer::SendReceive+0x11
> 07 025ffc88 7ce87f7f ole32!CAptRpcChnl::SendReceive+0xa9
> 08 025ffce0 77d91337 ole32!CCtxComChnl::SendReceive+0x124
> 09 025ffcfc 77d93b47 RPCRT4!NdrProxySendReceive+0x4c
> 0a 025fff44 77d96f9c RPCRT4!NdrClientCall2+0x4f5
> 0b 025fff60 77d792ab RPCRT4!ObjectStublessClient+0x76
> 0c 025fff70 787f6732 RPCRT4!ObjectStubless+0xf
> 0d 025fffb4 7c57b396 comsvcs!CEventDispatcher::GetEventServerInfoThread+0x152
> 0e 025fffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 31
> System Thread ID: d20
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Idle ASP thread
> # ChildEBP RetAddr
> 00 0268fd54 7c59a072 ntdll!ZwWaitForSingleObject+0xb
> 01 0268fd7c 7c57b3e9 KERNEL32!WaitForSingleObjectEx+0x71
> 02 0268fd8c 7878e785 KERNEL32!WaitForSingleObject+0xf
> 03 0268ffb4 7c57b396 comsvcs!PingThread+0xf5
> 04 0268ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 32
> System Thread ID: a7c
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 026dff88 7cdf4a9b ntdll!ZwWaitForMultipleObjects+0xb
> 01 026dffb4 7c57b396 NETAPI32!NetbiosWaiter+0x71
> 02 026dffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 33
> System Thread ID: 750
> Kernel Time: 0:0:0.93
> User Time: 0:0:0.125
> Thread Type: HTTP Listener
> # ChildEBP RetAddr
> 00 0273ff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
> 01 0273ff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
> 02 0273ffb4 7c57b396 ISATQ!AtqPoolThread+0x40
> 03 0273ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 34
> System Thread ID: 964
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.31
> Thread Type: HTTP Listener
> # ChildEBP RetAddr
> 00 0277ff50 7c585433 ntdll!NtRemoveIoCompletion+0xb
> 01 0277ff7c 6d702957 KERNEL32!GetQueuedCompletionStatus+0x27
> 02 0277ffb4 7c57b396 ISATQ!AtqPoolThread+0x40
> 03 0277ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 35
> System Thread ID: d64
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Possible ASP page. Possible DCOM activity
> Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
> Continuing with other analysis.
>
> No remote call being made
> # ChildEBP RetAddr
> 00 0325ff74 77d3af61 ntdll!ZwDelayExecution+0xb
> 01 0325ffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0xc3
> 02 0325ffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
> 03 0325ffec 00000000 KERNEL32!BaseThreadStart+0x52
>
>
>
>
> Thread ID: 36
> System Thread ID: 67c
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Other
> # ChildEBP RetAddr
> 00 03d2ff48 7757932f ntdll!ZwWaitForMultipleObjects+0xb
> 01 03d2ffb4 7c57b396 WINMM!timeThread+0x73
> 02 03d2ffc0 0110e890 KERNEL32!BaseThreadStart+0x52
> WARNING: Frame IP not in any known module. Following frames may be wrong.
> 03 606e7da8 f8830cc4 0x110e890
> 04 8318558b 00000000 0xf8830cc4
>
>
>
>
> Thread ID: 37
> System Thread ID: d24
> Kernel Time: 0:0:0.0
> User Time: 0:0:0.0
> Thread Type: Possible ASP page. Possible DCOM activity
> Executing Page: ASP.dll symbols not found. Unable to locate ASP page.
> Continuing with other analysis.
>
> No remote call being made
> # ChildEBP RetAddr
> 00 044ffe24 77d595d9 ntdll!ZwReplyWaitReceivePortEx+0xb
> 01 044fff74 77d58e4a RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x74
> 02 044fff78 77d3afbd RPCRT4!RecvLotsaCallsWrapper+0x9
> 03 044fffa8 77d37de8 RPCRT4!BaseCachedThreadRoutine+0x11f
> 04 044fffb4 7c57b396 RPCRT4!ThreadStartRoutine+0x18
> 05 044fffec 00000000 KERNEL32!BaseThreadStart+0x52
>
> Closing open log file C:\iisstate\output\IISState-2772.log