IIS 7 & IIS 8
app pool crashing access violation exception (0xC0000005)
Last post Jan 20, 2011 06:14 PM by HCamper
Jan 10, 2011 03:05 PM|LINK
IIS 7.5, server 2008 r2, classic asp and asp .net 2.0, 3.5 website same server, different app pools. The past 4 weeks thousands of these errors 'C0000005' are occurring. I know from IIS debug diag tool that 'C0000005' is an access violation error. Below
is the top line from my debug diag report.
In w3wp__PID__6656__Date__01_08_2011__Time_01_42_46AM__281__First Chance Access Violation.dmp the assembly instruction at
asp!CActiveScriptEngine::GetApplication+27 in \\?\C:\Windows\System32\inetsrv\asp.dll from
Microsoft Corporation has caused an access violation exception (0xC0000005) when trying to
read from memory location 0x00000000 on thread
BELOW is the faulting module.
recent events: server was being brute forced by hackers all of Dec and probably earlier, they weren't able to gain access but did get a virus on and blasted out spam. insatlled AVG and about the 17 or 22 latest patches. after that the app pool started
crashing and the server has crashed a couple times since then. I am in no mans land as I am a developer and not a sys admin but I have to assume many roles. So I'm reaching out for help.
sometimes I will see hundreds of these 'C0000005' scriptengine errors in the event log in a matter of seconds and other times just a few times an hour.
Thank you for your help
app pool crashes
c0000005 access violation exception exceptions
Jan 11, 2011 01:51 AM|LINK
Must be anti virus software tha lock file access hence crash IIS application pool.
Please try to disable live protection and check your website.
Jan 11, 2011 11:48 AM|LINK
I am see that your trying to deal with a lot of problems.
Question you said that you installed "AVG" what "AVG" is this the retail,freeware,server version?
You may need to provide exceptions of the "AVG" for some of the server processes.
Post the information back to this thread.
I would suggest that you copy all the data and developer projects off the server (backup). Just to be safe.
I would suggest that get information for the patches that were installed
and see if they are related to errors.
You can find the information at Technet and Scurity for what are possible problems related to patches
You may based on the Technet information provides decide to uninstall some of the patches.
It will take some time to get back to normal.
Jan 12, 2011 08:43 AM|LINK
Please check IIS configuration to see if additional ISAP Filter installed, you can refer to:
Checking ISAPI Filter Status (IIS 6.0)
If there is additional ISAPI Filter , you can remove it temporary to see if address issue.
Also, try disable
ASP server-side script debugging to see if it helps.
Jan 12, 2011 01:34 PM|LINK
Thank you Mr. HCamper for responding,
AVG File server 2011 server version. I added the the 2 app pool websites as exceptions but the ScriptEngine errors just keep coming.
I did some more research on our test server which has the same website and app pool as the live site and it has been throwing these script engine errors for the past year, the event logs on the test server went back to 3/2010. Same thing has been happening
on the live server but the previous developers didn't notice or did nothing about them and now I'm stuck trying to figure out what the heck is causing them. The company has been growing the past year adding new customers to the web application and I suspect
that is exposing a pre-existing problem that's been ongoing. Since 12/22/2010 over 5,600 of these script engine errors have been thrown.
Script Engine Exception. A ScriptEngine threw exception 'C0000005' in 'IActiveScript::SetScriptState()' from 'CActiveScriptEngine::ReuseEngine()'..
Script Engine Exception. A ScriptEngine threw exception 'C0000005' in 'IActiveScript::SetScriptSite()' from 'CActiveScriptEngine::Init()'..
The past week & a half around 1am these ScriptEngine errors will get thrown in the hundreds and then the next 5 hours or so exactly once an hour to the second, then variable times throughout the rest of the day until 1am rolls around again. I scheduled
an app pool recycle at 23:55 and an IIS Reset at 4am, increased rapid rail to 200 times in 5 minutes which I think I have to increase even more. I'm running out of options.
Jan 12, 2011 01:52 PM|LINK
Based on the CA script message this in "Human" is a Custom Action.
You need to get the developers or there support staff to help in this case.
The Custom action is used in installers and Devlopers to make sure
the Redistributables,Runtime libraries are on the system to run an application.
Example a CA event is to deplay the Visual Studio 2008 runtime.
If this is part of one of the developed applications this could be the source.
If the application again from the developer was not correctly deployed this happens.
Another wrinkle check your task library
you find that the CA Event is part
of Program Compatability Agent
Running the deploy again on exach restart
to fix a programming,installer flaw.
I know this is a lot to digest.
I do not see a simple one item fix
You have at least two causes on going.
If you have more questions post back to this thread.
Jan 12, 2011 01:54 PM|LINK
Based on the times you listed the first
place to look at is Task Library.
Jan 12, 2011 02:21 PM|LINK
Thank you for responding Mr. Tang
Looks like only 1 ISAPI filter is installed for the offending website. ASP.Net_2.0.50727.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727 aspnet_filter.dll Local
I'm not sure how to disable ASP server-side script debugging in IIS 7.5. I have to research how to do that.
Jan 12, 2011 05:08 PM|LINK
I'm not sure if this is related or not to my problem. But in procmon I'm getting hundreds of BUFFER OVERFLOWS on a bunch of different asp pages for my IIS worker processes serving the app pool that is crashing. A line from procmon follows:
Date & Time: 1/12/2011 12:57:57 PM
Event Class: File System
Result: BUFFER OVERFLOW
Path: *path removed*\*page name removed*.asp
Information: Owner, Group, DACL
Jan 12, 2011 06:50 PM|LINK
The messages look like some portion
of an application have gone missing.
Maybe the application has absolute paths to some
resource like the CA Custom script before
that is not presenent.
May be you could take the web server logs and using logparser
find what the request is and then find the path from that.
It is looking hopeful.