Microsoft KB Archive/169902

{| The information in this article applies to:
 * width="100%"|
 * Microsoft Commercial Internet System version 1.0

SYMPTOMS
When you use Performance Monitor to remotely monitor a computer, you may receive a STOP 0xC000021A error message during normal operation sometime after you install the Microsoft Windows NT Service Pack 3 (SP3).

CAUSE
When you use Performance Monitor to remotely monitor a computer, the initiating computer attaches to the target computer's Winlogon process via RPC. The Winlogon process has a perflib component in it for collecting data. The shared data is passed from the performance DLL to Winlogon on the target computer. The performance DLLs sometimes function incorrectly and overwrite their buffers. In the case of remote monitoring, this overwrite occurs in the context of the Winlogon process on the target computer, causing an access violation to occur. This compromises the Winlogon subsystem (security is then potentially breached) which forces Windows NT to jump into kernel and bugcheck.

RESOLUTION
Fix the extensible performance counter so that it does not overwrite its buffers.

The performance DLLs export (make available to other modules) three functions: Open, Collect, and Close. For more information, see "Creating the Performance DLL" in the Win32 SDK documentation.

NOTE: Usually the Collect function causes the above problem.

As another workaround, you can configure Windows NT to write a guard page on either side of the shared memory buffer with various levels of checking. This technology was enabled by default up to SP3, but caused too many page faults for large counters, significantly degrading system performance. In SP3, the guard pages and checking are turned off by default.

To enable this guard page technology, create the value under the registry sub-key using the following procedure.

WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

Start Registry Editor (Regedt32.exe) and go to the following sub-key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib

Value: ExtCounterTestLevel Type: REG_DWORD Data: 2

The ExtCounterTestLevel value can range from 1 to 4: 1 - Most extensive testing, can be expensive. 2 - Basic testing. 3 - No testing. 4 - Don't even allocate a guard page (default from SP3 onwards). After you enter the value, exit Registry Editor and reboot the computer.

STATUS
Microsoft has confirmed this to be a problem with the extensible Performance Monitor (Perfmon) counter, Siccntrs.dll, included with Microsoft Commercial Internet System version 1.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.
 * }

-

Last reviewed: July 1, 1998

© 1998 Microsoft Corporation. All rights reserved. Terms of Use.