Remote Performance Monitor Changes Under Windows NT 4.0 SP3

• Microsoft Commercial Internet System version 1.0

SYMPTOMS

When you use Performance Monitor to remotely monitor a computer, you may receive a STOP 0xC000021A error message during normal operation sometime after you install the Microsoft Windows NT Service Pack 3 (SP3).

CAUSE

When you use Performance Monitor to remotely monitor a computer, the initiating computer attaches to the target computer's Winlogon process via RPC. The Winlogon process has a perflib component in it for collecting data. The shared data is passed from the performance DLL to Winlogon on the target computer. The performance DLLs sometimes function incorrectly and overwrite their buffers. In the case of remote monitoring, this overwrite occurs in the context of the Winlogon process on the target computer, causing an access violation to occur. This compromises the Winlogon subsystem (security is then potentially breached) which forces Windows NT to jump into kernel and bugcheck.

RESOLUTION

Fix the extensible performance counter so that it does not overwrite its buffers.

The performance DLLs export (make available to other modules) three functions: Open, Collect, and Close. For more information, see "Creating the Performance DLL" in the Win32 SDK documentation.

NOTE: Usually the Collect function causes the above problem.

As another workaround, you can configure Windows NT to write a guard page on either side of the shared memory buffer with various levels of checking. This technology was enabled by default up to SP3, but caused too many page faults for large counters, significantly degrading system performance. In SP3, the guard pages and checking are turned off by default.

To enable this guard page technology, create the value under the registry sub-key using the following procedure.

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

Start Registry Editor (Regedt32.exe) and go to the following sub-key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib

   Value: ExtCounterTestLevel
   Type: REG_DWORD
   Data: 2

   The ExtCounterTestLevel value can range from 1 to 4:
   1 - Most extensive testing, can be expensive.
   2 - Basic testing.
   3 - No testing.
   4 - Don't even allocate a guard page (default from SP3 onwards).

STATUS

Microsoft has confirmed this to be a problem with the extensible Performance Monitor (Perfmon) counter, Siccntrs.dll, included with Microsoft Commercial Internet System version 1.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.