STOP error 0x8E on Windows Server 2003 and Endpoint Protection 12.1

book

Article ID: 164754

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

  • You experience a STOP error 0x8E (KERNEL_MODE_EXCEPTION_NOT_HANDLED) on a physical or virtualized server running a 32-bit version of Windows Server 2003 Service Pack 2 and Symantec Endpoint Protection (SEP) 12.1.
  • The address that the exception occurred at (which usually pinpoints the driver/function that caused the problem) points to win32k.sys (Microsoft's Multi-User Win32 driver).
  • Its call to the xxxDestroyThreadInfo function in the context of process csrss.exe (Microsoft's Client/Server Runtime subsystem) led to the crash.
  • When the crash occurs, there is also a locked thread involving a screensaver process (e.g. "vfinalv1.scr").
  • While SYMEVENT is present in the stack, it is in pass-thru mode and only capturing the process termination event as a result of win32k.sys' function call (the next call in the stack is actually shown to be Nt!TerminateProcess).
  • Win32k.sys is dated June 24, 2015. As this version was released on the day Windows Server 2003 reached End-of-Life (EOL) status, Microsoft will not be issuing any further hotfixes.
  • The issue is very similar (but not identical) to the ones described below:
  1. A Windows Server 2003-based computer restarts unexpectedly and you receive a Stop error message during the terminal session logoff process: 0x0000008E KERNEL_MODE_EXCEPTION_NOT_HANDLED
  2. Blue screen crash with STOP Error 0x8E after installing Symantec Endpoint Protection

Bug Check 0x8E (KERNEL_MODE_EXCEPTION_NOT_HANDLED)

Cause

In this specific scenario, the issue is likely caused by the screensaver.

Environment

SEP 12.1

Resolution

Remove the screensaver and continue to monitor the server for further occurrences.