Hi, Can anyone help please.. I really don't know wjhy my server is restarting at night..! many days I come at morning to see the server restarted (not every day) and I don't know the reason.. appreciate if you help.. here is the full eventlog in different format (I am trying to be sweet!). Event Log as XML Event Log as TXT Event Log as EVTX Event Log as CSV Jassim Rahma

Is it virtual server or physical server?

Hello, there is no much information to extract from event viewer logs. Possible that you are experiencing BSODs. To check that, check that if there is dump files under c:\windows\minidumps or full dump named c:\windows\MEMORY.DMP. If you have dump files then you have BSODs. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Hi, If you did encounter BSOD, you may analyze them with Debugging Tools by yourself. You can install it and it’s Symbol Packages from the following link: http://www.microsoft.com/whdc/Devtools/Debugging/default.mspx WinDbg will tell you the possible cause. For more information, please read Microsoft KB Article: How to read the small memory dump files that Windows creates for debugging http://support.microsoft.com/kb/315263 Collect Minidump Files ================= 1. Click "Start", input "SYSDM.CPL" (without quotation marks) in the “Search” bar and press “Enter”. 2. Switch to the "Advanced" tab and click the "Settings" button under "Startup and Recovery". 3. Under "Write debugging information" section, make sure the "Small memory dump (128KB)" option is selected. 4. Make sure "%SystemRoot%\Minidump" is in the "Small dump directory" open box and click “OK”. If the Blue Screen appears again, please refer to the following steps to collect memory dump files: 1. Click “Start”, type “%SystemRoot%\Minidump" (without quotation marks) in “Search” bar and press “Enter”. 2. Go to your Desktop, right-click on it and create a new folder named "Dump". 3. Copy all the memory dump files (looks like [Mini092008-01.dmp]) in Minidump to this folder. If no clue can be found, you may contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call. To obtain the phone numbers for specific technology request please take a look at the web site listed below: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607 Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

it is NOT a virtual server. It's a psychical server. I check the folders, I have the MEMORY.DMP in c:\windows\ and it's 400MB Last Modified 2nd Nov 2011 In C:\windows\Minidump I have a Mini110211-01.dmp 157KB Last Modified 2nd Nov 2011 Jassim Rahma

Hi, If you did encounter BSOD, you may analyze them with Debugging Tools by yourself. You can install it and it’s Symbol Packages from the following link: http://www.microsoft.com/whdc/Devtools/Debugging/default.mspx WinDbg will tell you the possible cause. For more information, please read Microsoft KB Article: How to read the small memory dump files that Windows creates for debugging http://support.microsoft.com/kb/315263 Collect Minidump Files ================= 1. Click "Start", input "SYSDM.CPL" (without quotation marks) in the “Search” bar and press “Enter”. 2. Switch to the "Advanced" tab and click the "Settings" button under "Startup and Recovery". 3. Under "Write debugging information" section, make sure the "Small memory dump (128KB)" option is selected. 4. Make sure "%SystemRoot%\Minidump" is in the "Small dump directory" open box and click “OK”. If the Blue Screen appears again, please refer to the following steps to collect memory dump files: 1. Click “Start”, type “%SystemRoot%\Minidump" (without quotation marks) in “Search” bar and press “Enter”. 2. Go to your Desktop, right-click on it and create a new folder named "Dump". 3. Copy all the memory dump files (looks like [Mini092008-01.dmp]) in Minidump to this folder. If no clue can be found, you may contact Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call. To obtain the phone numbers for specific technology request please take a look at the web site listed below: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607 Regards, Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

it is NOT a virtual server. It's a psychical server. I check the folders, I have the MEMORY.DMP in c:\windows\ and it's 400MB Last Modified 2nd Nov 2011 In C:\windows\Minidump I have a Mini110211-01.dmp 157KB Last Modified 2nd Nov 2011 Jassim Rahma So, the restart is due to BSODs as these files are created automatically when BSODs occur. Please use Microsoft Skydrive to upload dump file (c:\windows\minidumps). Once done, post a link here. It is possible that you have hardware problems as there is only a dump for 2nd Nov 2011. You can also contact Microsoft CSS for assistance. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

here is the file link: http://www.rmc.bh/temp\Mini110211-01.zip Jassim Rahma

****************************************************************************** * * * Bugcheck Analysis * * * ******************************************************************************* SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 81c7277d, The address that the exception occurred at Arg3: 8d597c0c, Exception Record Address Arg4: 8d597908, Context Record Address Debugging Details: ------------------ EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. FAULTING_IP: nt!MiDeleteImageMerge+8 81c7277d f6401c20 test byte ptr [eax+1Ch],20h EXCEPTION_RECORD: 8d597c0c -- (.exr 0xffffffff8d597c0c) ExceptionAddress: 81c7277d (nt!MiDeleteImageMerge+0x00000008) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 0000001c Attempt to read from address 0000001c CONTEXT: 8d597908 -- (.cxr 0xffffffff8d597908) eax=00000000 ebx=00000000 ecx=b394c4e8 edx=81b42700 esi=00000000 edi=88e624f0 eip=81c7277d esp=8d597cd4 ebp=8d597cd8 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 nt!MiDeleteImageMerge+0x8: 81c7277d f6401c20 test byte ptr [eax+1Ch],20h ds:0023:0000001c=?? Resetting default scope CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE PROCESS_NAME: System CURRENT_IRQL: 0 ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 0000001c READ_ADDRESS: GetPointerFromAddress: unable to read from 81b77868 Unable to read MiSystemVaType memory at 81b57420 0000001c FOLLOWUP_IP: nt!MiDeleteImageMerge+8 81c7277d f6401c20 test byte ptr [eax+1Ch],20h BUGCHECK_STR: 0x7E LAST_CONTROL_TRANSFER: from 81c7275c to 81c7277d STACK_TEXT: 8d597cd8 81c7275c 00000000 88e624f0 81b78d00 nt!MiDeleteImageMerge+0x8 8d597d00 81a9dc3f 00000000 00000000 00000000 nt!MiSegmentDelete+0x1b0 8d597d50 81a9ddc0 84be8508 00000000 00000000 nt!MiProcessDereferenceList+0x33 8d597d7c 81c15fe2 00000000 441a20eb 00000000 nt!MiDereferenceSegmentThread+0xc1 8d597dc0 81a7eefe 81a9dcfd 00000000 00000000 nt!PspSystemThreadStartup+0x9d 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: nt!MiDeleteImageMerge+8 FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt DEBUG_FLR_IMAGE_TIMESTAMP: 4dfb5603 STACK_COMMAND: .cxr 0xffffffff8d597908 ; kb IMAGE_NAME: memory_corruption FAILURE_BUCKET_ID: 0x7E_nt!MiDeleteImageMerge+8 BUCKET_ID: 0x7E_nt!MiDeleteImageMerge+8 Followup: MachineOwner --------- ------------------------------------------------------------------------------------------------------------- Bug Check Code 0x1000007E: http://msdn.microsoft.com/en-us/library/ff557196(v=VS.85).aspx 0xC0000005: STATUS_ACCESS_VIOLATION indicates a memory access violation occurred. I would suspect a RAM issue. Please use memtest86+ to check if all is okay with your RAM. If an error was detected then replace the faulty RAM or contact your manufacturer Technical Support. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

so what can I do?Jassim Rahma

so what can I do? Jassim Rahma You had to see my reply at the end: "Bug Check Code 0x1000007E: http://msdn.microsoft.com/en-us/library/ff557196(v=VS.85).aspx 0xC0000005: STATUS_ACCESS_VIOLATION indicates a memory access violation occurred. I would suspect a RAM issue. Please use memtest86+ to check if all is okay with your RAM. If an error was detected then replace the faulty RAM or contact your manufacturer Technical Support." This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer

Thanks. I will check that... Jassim Rahma

its not an easy task to analyze the memory dump file so please seek assistance form Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call. To obtain the phone numbers for specific technology request please take a look at the web site listed below: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607 http://www.virmansec.com/blogs/skhairuddin

its not an easy task to analyze the memory dump file so please seek assistance form Microsoft Customer Service and Support (CSS) via telephone so that a dedicated Support Professional can assist with your request. To troubleshoot this kind of kernel crash issue, we need to debug the crashed system dump. Unfortunately, debugging is beyond what we can do in the forum. Please be advised that contacting phone support will be a charged call. To obtain the phone numbers for specific technology request please take a look at the web site listed below: http://support.microsoft.com/default.aspx?scid=fh;EN-US;OfferProPhone#faq607 http://www.virmansec.com/blogs/skhairuddin

so what can I do? Jassim Rahma You had to see my reply at the end: "Bug Check Code 0x1000007E: http://msdn.microsoft.com/en-us/library/ff557196(v=VS.85).aspx 0xC0000005: STATUS_ACCESS_VIOLATION indicates a memory access violation occurred. I would suspect a RAM issue. Please use memtest86+ to check if all is okay with your RAM. If an error was detected then replace the faulty RAM or contact your manufacturer Technical Support." This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner 2010 / 2011 Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration Microsoft Certified Technology Specialist: Windows 7, Configuring Microsoft Certified IT Professional: Enterprise Administrator Microsoft Certified IT Professional: Server Administrator Microsoft Certified Trainer