Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 1001 Source: SaveDump

The computer has rebooted from a bugcheck. The bugcheck was : <bugcheck code> (<bug check details>). Microsoft Windows NT (v15.1381). A dump was saved in: <dump file>.
When a "Blue Screen of Death" occurs, by default Windows NT Server 4.0 is set to write event log messages (the Write an event to the system log" check box that is located in the Recovery section of the Startup/Shutdown tab in System properties). This will cause an event log message to be written to the system log.

There are many potential reasons for this errors. The most relevant part is the bugcheck code. Event ID 1000 from Save Dump source is quite similar and contains information about various bugcheck codes. See the link below to event id 1000.

Bugcheck 0x0000009c - See ME329284.
Bugcheck 0x000000c5 - See the link for Error code 0x000000c5.
Bugcheck 0x0000008e - See Error code 0x0000008e.
Bugcheck 0x0000001e - See Error code 0x0000001e.
Bugcheck 0x10000050 - See Error code 0x10000050.
Bugcheck 0x1000008e - See Error code 0x1000008e.
Bugcheck 0x00000124 - See Error code 0x00000124.
Bugcheck 0x000000f7 - See Error code 0x000000f7.
Bugcheck 0x100000d1 - See Error code 0x000000D1.
Bugcheck 0x00000024 - See Error code 0x00000024.
Bugcheck 0x1000000a - One user getting this error message determined that it was caused by fault memory modules. Dumpchk.exe was used to export the content of the dump file (see ME315271 for usage details).
As per ME952185, on a Windows 2003 Server, this problem can occur because of a synchronization issue in the Redirected Driver Buffering SubSystem (Rdbss.sys) driver. When this issue occurs, the Rdbss.sys driver tries to free a structure that was already freed. A hotfix is available. See the article for more details.
See ME235496 to find out how to enable a "Memory.dmp" file capture using the Graphical User Interface or the Registry.

See the link to "Interpreting Bug Check Codes" for details on this problem.

ME314084 shows you how to gather information after a memory dump in Windows XP.

Error in Mspfltex.sys module if the Network Address Translation (NAT) driver on an Internet Security and Acceleration (ISA) Server-based server is stopped and the data that is being sent outbound is larger than the Maximum Transmission Unit (MTU) setting. See ME293161 for a fix.

If you also receive event id 2021 with the folowing description: "The server was unable to allocate a work item 1 times in the last 60 seconds", then you should increase the number of system pages for the Internet Information Server in the registry. See ME145882 for more details.

See the link to "Memtest86" for a memory test tool for x86 architecture computers. You can use this tool to see if your RAM has any flaws.

See the links to MSW2KDB, "Stop Messages" and "EventID 1001 from source SaveDump" for additional information on this event.
- Bugcheck: 0x00000054 (Error code 0x00000054) - See "JSI Tip 4486".

See ME315271 to find out how to use dumpchk.exe to check a memory dump file.
Article ME315263 describes how to read the small memory dump files that Windows creates for debugging and provides the tools to do that.

In my case, it turned out to be my Antivirus, namely Protector Plus. After the removal of the Antivirus the problem never appeared.
Bugcheck 0x000000d1 - This error can also be caused by a problem in the Mrxsmb.sys driver. Refer to Microsoft Knowledge Base Article - ME816036.
For bugcheck 0x00000054 see ME313169.
Stop using the hibernation and suspend feature might help.
For bugcheck 0x000000d1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL) an updated driver might be the solution. The faulty driver usually is listed on the blue screen if Startup And Recovery is not set to Automatically Reboot. See ME293077.

You can also find more information about the faulty driver using Kernel Debugger and WinDbg Debugger (from Microsoft Platform SDK) to manually analyze your memory dump files.

For some drivers the following Microsoft articles can also help:
- Aspi32.sys and Cdr4vsd.sys (Adaptec) - ME237468
- Ino_fltr.sys (Inoculan Cheyenne) - ME247421
- Shiva VPN Client (Intel) - ME268474
- blackdrv.sys (BlackICE Network ICE) - ME269279
- Cpqteam.sys (compaq Ethernet network adapter and teaming driver) - ME302400
- Altnd5.sys (Alteon Gigabit network adapter driver) - ME329876  

Windows 2000 comes also with Driver Verifier, a tool to troubleshoot driver issues. See ME244617.

Other information about bugcheck 0x000000d1 can be found in the following Microsoft articles:
ME278945 - Error Messages Occur When You Attempt to Synchronize Exchange Server Mail
ME255594 - Error in Tcpip.sys During Session Setup or in the Middle of a Data Stream
ME260956 - Error Caused by Dlc.sys
ME276545 - Error in Serial.sys When Serial Device or Driver Verifier Is in Use
ME278945 - Error Messages Occur When You Attempt to Synchronize Exchange Server Mail
ME281292 - Error Message in Ipnat.sys
ME282825 - Error Message Appears on Clustered Server After You Move Resources Node to Node
ME294442 - Error in Atmlane.sys
ME300460 - Error Message When You Use IP-in-IP Tunnel
ME309660 - FtDisk May Cause Error Message When You Shut Down Your Computer
ME311975 - Error When You Dial a 9 for an Outside Telephone Line to Connect to ISP
ME329703 - Error Messages in Qafilter.sys or Qsfilter.sys with Third-Party Quota Management Tool

For bugcheck 0x000000B8 (ATTEMPTED_SWITCH_FROM_DPC) see ME287582 - Error Message Occurs After You Install Tivoli Storage Manager.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.