Remote Performance Monitor Changes Under Windows NT 4.0 SP3

Last reviewed: February 3, 1998
Article ID: Q169902
The information in this article applies to:
  • Microsoft Commercial Internet System version 1.0

SYMPTOMS

When you use Performance Monitor to remotely monitor a computer, you may receive a STOP 0xC000021A error message during normal operation sometime after you install the Microsoft Windows NT Service Pack 3 (SP3).

CAUSE

When you use Performance Monitor to remotely monitor a computer, the initiating computer attaches to the target computer's Winlogon process via RPC. The Winlogon process has a perflib component in it for collecting data. The shared data is passed from the performance DLL to Winlogon on the target computer. The performance DLLs sometimes function incorrectly and overwrite their buffers. In the case of remote monitoring, this overwrite occurs in the context of the Winlogon process on the target computer, causing an access violation to occur. This compromises the Winlogon subsystem (security is then potentially breached) which forces Windows NT to jump into kernel and bugcheck.

RESOLUTION

Fix the extensible performance counter so that it does not overwrite its buffers.

The performance DLLs export (make available to other modules) three functions: Open, Collect, and Close. For more information, see "Creating the Performance DLL" in the Win32 SDK documentation.

NOTE: Usually the Collect function causes the above problem.

As another workaround, you can configure Windows NT to write a guard page on either side of the shared memory buffer with various levels of checking. This technology was enabled by default up to SP3, but caused too many page faults for large counters, significantly degrading system performance. In SP3, the guard pages and checking are turned off by default.

To enable this guard page technology, create the value under the registry sub-key using the following procedure.

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

Start Registry Editor (Regedt32.exe) and go to the following sub-key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib

   Value: ExtCounterTestLevel
   Type: REG_DWORD
   Data: 2

   The ExtCounterTestLevel value can range from 1 to 4:
   1 - Most extensive testing, can be expensive.
   2 - Basic testing.
   3 - No testing.
   4 - Don't even allocate a guard page (default from SP3 onwards).

After you enter the value, exit Registry Editor and reboot the computer.

STATUS

Microsoft has confirmed this to be a problem with the extensible Performance Monitor (Perfmon) counter, Siccntrs.dll, included with Microsoft Commercial Internet System version 1.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.


Additional query words: running out of resources
Keywords : kbinterop kbtool Buglist1.00
Version : 1.00
Platform : winnt
Issue type : kbbug
Solution Type : kbpending


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: February 3, 1998
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.