This article provides clarification regarding an occasional condition identified within the SymEvent kernel driver (SymEvnt.sys). In certain environments, specifically during the standard closing of processes, a specific sequence of events can occur that leads to a system restart. This document is intended to help administrators identify this behavior and distinguish it from application-level failures.
Version: 14.3 RU10
The occurrence is due to a timing and coordination defect within the SymEvent kernel driver during the cleanup of a process (e.g., ovcodautil.exe).
When a program closes, one part of the driver releases internal records while another part of the driver still requires them for a final step. Because the information is released too early, the driver attempts to access "freed" memory, leading to a 0x3B stop code or a Win32 error 0n2 (unable to load image). This is a driver-side logic issue; it is not caused by the customer’s application, malware, or misconfiguration.
Engineering is currently finalizing a fix that ensures all internal references to process data are cleared before the memory is released.
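The lifetime rule described above, modelled in user-mode C as an added illustration: this is not SymEvent driver code, and every name in it (proc_record, record_acquire, record_release, simulate_exit) is hypothetical. Each holder takes its own reference, so the cleanup path running first cannot free the record while the final-step path still needs it.

```c
/* Added illustration, not SymEvent code: refcounted per-process record. */
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct proc_record {
    atomic_int refs;      /* one reference per holder, including the table */
    unsigned   pid;
    int        finalized; /* written by the "final step" path */
} proc_record;

static int g_freed;       /* counts real frees so the ordering can be checked */

static proc_record *record_create(unsigned pid) {
    proc_record *r = calloc(1, sizeof *r);
    if (!r) return NULL;
    atomic_init(&r->refs, 1);   /* reference owned by the tracking table */
    r->pid = pid;
    return r;
}
static proc_record *record_acquire(proc_record *r) {
    atomic_fetch_add(&r->refs, 1);
    return r;
}
/* Frees only when the last holder lets go; returns 1 if memory was released. */
static int record_release(proc_record *r) {
    if (atomic_fetch_sub(&r->refs, 1) != 1) return 0;
    free(r);
    g_freed++;
    return 1;
}

/* Process exit: the cleanup path and the final-step path share one record. */
static int simulate_exit(unsigned pid) {
    proc_record *table_slot = record_create(pid);
    if (!table_slot) return -1;
    proc_record *final_step = record_acquire(table_slot); /* second holder */

    int freed_early = record_release(table_slot); /* cleanup path runs first */
    table_slot = NULL;                            /* table entry is gone */

    final_step->finalized = 1;                    /* still valid: refs == 1 */
    int ok = final_step->finalized && final_step->pid == pid;
    int freed_last = record_release(final_step);  /* last reference: freed now */
    return (!freed_early && ok && freed_last) ? 0 : 1;
}
int main(void) {
    printf("simulate_exit -> %d, frees = %d\n", simulate_exit(4242), g_freed);
    return 0;
}
```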
Current Status: The updated logic is undergoing stress testing and driver verification to ensure it handles high-activity environments (like server clusters) correctly.
Action: In the interim, if a system restart occurs, the server will typically resume normal operation upon reboot. Users should prepare to apply the driver update once the validated version is released for 14.3 RU10.
This KB will be updated accordingly following our investigation.