IMPORTANT: Updated information available here.
The BackupAssist help desk has had several reports of various Blue Screen of Death (BSOD) errors occurring either during or around the scheduled time of backup.
A small number of these errors have known causes that are directly related to BackupAssist, and our development team is working hard to resolve those issues.
We have recently discovered, with the help of some of our Resellers, that one of these BSOD issues is caused by a process called ekrn.exe, which belongs to the NOD32 Anti-virus application.
We discovered this by debugging the crash dump file that is generated by Windows whenever a BSOD error occurs. The default location of the crash dump file is %SystemRoot%\MEMORY.DMP
Examining a crash dump basically involves the following:
1. Download and install the Windows debugging tools from here.
2. Open WinDbg from the Start Menu > Programs > Windows Debugging Tools
3. Go to File > Open Crash Dump and locate the relevant Crash Dump File
4. Enter !analyze -v
For full instructions on how to examine a crash dump file, refer to the following Microsoft TechNet article: http://blogs.technet.com/b/deploymentguys/archive/2008/08/01/working-with-crashdumps-debugger-101.aspx. You may, for instance, need to specify a Symbol File Path as described in this article.
If the BSOD error you experience is related to NOD32 Anti-virus, you will see debugging output similar to the following after running the !analyze -v command.
FAULTING_IP: +3266623163373862 00000000`7518385e ?? ???
LAST_CONTROL_TRANSFER: from fffff80001a5e26e to fffff80001a5e4d0
fffffa60`066c1a68 fffff800`01a5e26e : 00000000`0000004a 00000000`7518385e 00000000`00000001 00000000`00000000 : nt!KeBugCheckEx
fffffa60`066c1a70 fffff800`01a5e184 : 00000000`00000000 fffffa60`066c1ca0 00000000`04ecf120 00000000`011da474 : nt!KiBugCheckDispatch+0x6e
fffffa60`066c1bb0 00000000`7518385e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x209
00000000`04ecf0a8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7518385e
fffff800`01a5e184 4883ec50 sub rsp,50h
If the following are listed along with the ntkrnlmp.exe process, the crash was most likely caused by the observed incompatibility with NOD32 (ekrn.exe is related to NOD32).
FAILURE_BUCKET_ID: X64_RAISED_IRQL_FAULT_ekrn.exe_nt!KiSystemServiceExit+209 and
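The check described above can be scripted over saved !analyze -v output. This is an added example, not BackupAssist's own tooling: the function names are hypothetical, the sample lines are copied from the excerpt above, and the PROCESS_NAME, IMAGE_NAME and MODULE_NAME fields it also checks are standard !analyze -v fields that the excerpt does not show.

```python
import re

# Sample: lines copied from the !analyze -v excerpt shown on this page.
SAMPLE = r"""LAST_CONTROL_TRANSFER: from fffff80001a5e26e to fffff80001a5e4d0
fffffa60`066c1a68 fffff800`01a5e26e : 00000000`0000004a 00000000`7518385e 00000000`00000001 00000000`00000000 : nt!KeBugCheckEx
fffffa60`066c1a70 fffff800`01a5e184 : 00000000`00000000 fffffa60`066c1ca0 00000000`04ecf120 00000000`011da474 : nt!KiBugCheckDispatch+0x6e
fffffa60`066c1bb0 00000000`7518385e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0x209
00000000`04ecf0a8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7518385e
FAILURE_BUCKET_ID: X64_RAISED_IRQL_FAULT_ekrn.exe_nt!KiSystemServiceExit+209
"""

FIELD = re.compile(r"^([A-Z][A-Z0-9_]+):\s*(.*)$")
ADDR = r"[0-9a-f]{8}`[0-9a-f]{8}"
FRAME = re.compile(rf"^({ADDR}) ({ADDR}) : ((?:{ADDR} ?){{4}}): (\S+)$")
# Fields of !analyze -v output that can name the image blamed for the crash.
BLAME_FIELDS = ("FAILURE_BUCKET_ID", "PROCESS_NAME", "IMAGE_NAME", "MODULE_NAME")


def parse_analysis(text):
    """Split saved !analyze -v output into KEY: value fields and stack frames."""
    fields, frames = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := FRAME.match(line):
            frames.append({"child_sp": m[1], "ret_addr": m[2],
                           "args": m[3].split(), "symbol": m[4]})
        elif m := FIELD.match(line):
            fields.setdefault(m[1], m[2])
    return fields, frames


def triage(text, suspects=("ekrn.exe",)):
    """Report which suspect images the debugger's blame fields name."""
    fields, frames = parse_analysis(text)
    blamed = sorted({s for s in suspects for k in BLAME_FIELDS
                     if s.lower() in fields.get(k, "").lower()})
    # First value in the args column of the nt!KeBugCheckEx frame; in the
    # page's excerpt this is 0x4a. x64 arg columns are a hint, not proof.
    code = next((int(f["args"][0].replace("`", ""), 16)
                 for f in frames if f["symbol"] == "nt!KeBugCheckEx"), None)
    return {"bucket": fields.get("FAILURE_BUCKET_ID"), "blamed": blamed,
            "bugcheck_arg": code, "stack": [f["symbol"] for f in frames]}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty "blamed" list means the debugger did not name any of the suspect images, so the dump needs the full manual review described in the TechNet article.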
As mentioned, this crash may occur during the backup, so it’s easy to label BackupAssist as the culprit. We have attempted to stop the NOD32 services with a script; however, even running as a domain administrator we receive ‘Access is denied’ errors. Upon researching this further, being unable to stop the service seems to be quite a common issue experienced by NOD32 users.
Note: Our reseller has confirmed that after fully uninstalling NOD32 on his system, the BSOD errors relating to this have ceased.
We do apologize for any inconvenience to those users who are experiencing BSOD issues. If you want confirmation of what may be causing your system to blue screen, please forward the crash dump file to email@example.com and we’ll take a look and let you know whether it’s a specific BackupAssist issue or not.