Symantec Antivirus Software Blue Screen Workaround; Terminal Services Printer Bug Fix

Symantec Antivirus Software Blue Screen Workaround Symantec AntiVirus Corporate Edition 8.0 can cause all versions of Windows XP, Windows 2000, and Windows NT to crash. In one case, a system crashes with a stop code of 0x0000007F and the message UNEXPECTED_KERNEL_MODE_TRAP. In the second case, the system might simply restart with no warning message. According to the Microsoft article "You Receive a 'Stop 0x0000007F' Error Message or Your Computer Unexpectedly Restarts (http://support.microsoft.com/?kbid=822789), both failure scenarios occur on systems running a combination of Symantec's antivirus package and NSI's Double-Take realtime replication software, as well as on systems running NAV alone or with other applications.

The problem shows up when Symantec's kernel mode scanning driver is unable to allocate buffer space when it calls the file system to map a portion of a disk file in memory. When a system has insufficient kernel mode memory, NTFS can't allocate the requested buffer and sometimes can't allocate enough memory to indicate the buffer request failed. In this situation, the system crashes with the 0x07F Stop message. The system crash, which can affect a variety of kernel mode drivers, is most likely to happen on systems with 128MB or less, and on systems that perform a large amount of I/O.

NSI's Dave Demlow, Vice President of Product Management, points out that the crash/restart is “not caused by the Double-Take software, and does not occur on systems that run Double-Take alone or with other third-party applications.” In response to the Symantec bug, says Demlow, “NSI software has added additional defensive code to Double-Take that detects if other third-party products have consumed excessive amounts of file system stack space and will temporarily suspend Double-Take operations and log a system event in an attempt to prevent the lack of file system stack space from causing a blue screen. It is also worth noting that Microsoft has made improvements in Windows Server 2003 and Windows 2000 SP4 that address the core file system stack space issue and further reduce the chance of this problem occurring.”

Symantec has a workaround you can implement to avoid the system crash/restart by ensuring that the real-time filter driver asks NTFS to map a file only when an adequate amount of kernel memory is in reserve. By default, Win2K has a lower limit of 12KB of kernel mode memory, and in some cases this amount is insufficient. Symantec has implemented a new registry value entry that instructs the antiviral driver not to call the file system in low memory situations. When you add the registry value KstackMinFree, the antivirus driver checks the amount of available kernel memory before calling NTFS to map a file. The antivirus driver calls NTFS only when the system has KstackMinFree kilobytes of available memory. If the amount of free kernel memory falls below this threshold, the filter drivers skip the file scan.

If you use Symantec Antivirus Corporate Edition, you can implement this control manually, with a registry script that runs locally, or by using Group Policy. To implement the change manually, start your favorite registry editor and locate the HKEY_LOCAL_MACHINESOFTWARESymantecNorton AntiVirus NTAuto-ProtectInternalSettings registry subkey. Add the value entry KstackMinFree, of data type REG_DWORD, with a hexadecimal value of 2200. You can set this value as low as 5KB (0x1400) and as high as 9KB (0x2400), depending on your standard system configuration. A KstackMinFree value that's too low can cause a stack overflow and hang the system. If the value is too high, the filter driver will skip files when it doesn't need to. If you set this value to 0 or greater than 0x2400, the real-time drivers does not check available kernel memory before requesting a file from the file system.

To activate the change, you must either reboot the system or restart the antivirus scanning service. Symantec's services might be listed in the Services list as Norton AntiVirus Client, Norton AntiVirus Server, Symantec AntiVirus Client, or Symantec AntiVirus Server, depending on the product that's installed.

Note: You can download a registry script from Symantec that adds KstackMinFree with a default value of 0x2200 at http://service1.symantec.com/support/ent-security.nsf/949e46314f0916a0852565d00073bbfd. Symantec also states that this memory condition affects only the scanning of files the OS kernel accesses, but not the scanning of user-mode files---meaning that the real-time driver always scans files accessed in user mode.

Post-Win2K SP4 Terminal Services Printer Bug Fix
Win2K SP4 introduces new problems with Win2K Server Terminal Services servers. Among the problems is one that occurs when the print spooler stops unexpectedly. You can track the print spooler's failures by events that indicate the service stopped unexpectedly and by the presence of a drwatsn32.log file in the All Users profile directory (by default, drive:Documents and SettingsAll UsersDocumentsDrWatson). When the print spooler dies this way, the terminal server slows down noticeably and you see that two processes, spoolsv.exe and winlogon.exe, are consuming most of the CPU time. Microsoft Product Support Services (PSS) has a bug fix that contains updates to 30 Win2K files; the most recent updates have a file release date of June 11. When you call PSS, cite the Microsoft article "Spooler Failure Causes High CPU Usage in the Winlogon.exe and Spoolsv.exe Processes on a Windows 2000 Terminal Server" (http://support.microsoft.com/?kbid=822834) as a reference.