Vista SP1 with Antivirus Installed on Multiple CPU Systems Eats All Resources

SP2 comes to fix the issue

Microsoft has warned customers of a problem affecting both Windows Vista Service Pack 1 and Windows Server 2008 RTM/SP1: on machines with multiple processors, the two operating systems in combination with some antivirus software can consume all the system resources available to them, leaving affected computers with none. The Redmond company explained that the problem is related to how third-party software, antivirus products in particular, uses Transport Driver Interface (TDI) drivers. When such software relies on TDI while installed on Vista SP1 or Windows Server 2008 running on computers with multiple CPUs, users will observe that the handle count of the System process increases continuously.

“There is a potential problem on Windows Server 2008 and Windows Vista SP1 multi-CPU systems that have software installed that use Transport Driver Interface (TDI) drivers. Anti-virus software is an example of such software. Many newer anti-virus software versions take advantage of our Windows Filtering Platform (WFP), new for Windows Vista and Windows Server 2008, but some may still rely on TDI. Software that uses WFP will not hit this resource depletion issue,” revealed Mike Platts, support escalation engineer at Microsoft.

The software giant explained that the problem affects only the first service pack for Vista and Windows Server 2008, and published KB961775 to help customers deal with potential issues. A specific update is not available; a hotfix exists, but it has to be obtained directly from the company. Alternatively, affected customers can download and install Windows Vista SP2 or Windows Server 2008 SP2, as Microsoft has resolved the glitch in the latest service pack for the two operating systems.

The company indicated that once all system resources are depleted, users will notice that all new Ancillary Function Driver for WinSock (AFD) connections fail. The KB article describes additional symptoms:

“User authentication fails
Sysvol replication fails
One of the following Netlogon events occurs:
Netlogon event 5775
Netlogon event 5792
Netlogon event 5792
Netlogon event 5719

For example, the following is a sample event when Netlogon event 5775 occurs:
Log Name: System
Source: NETLOGON
Event ID: 5775
Level: Error
Keywords: Classic
Description:
The dynamic deletion of the DNS record '<record name>. 600 IN SRV 0 100 389 <computer name>.' failed on the following DNS server:
DNS server IP address: <IP address>
Returned Response Code (RCODE): 5
Returned Status Code: 10055
USER ACTION
To prevent remote computers from connecting unnecessarily to the domain controller, delete the record manually or troubleshoot the failure to dynamically delete the record. To learn more about debugging DNS, see Help and Support Center.

ADDITIONAL DATA
Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.”
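
The two symptoms described above (a steadily growing handle count on the System process, and Netlogon errors carrying status code 10055) can be checked on a suspect host with PowerShell. This is an added example, not part of the article or of KB961775; the sample count, interval, growth threshold and the helper name Test-SteadyGrowth are assumptions to tune per host.

```powershell
# Added example; thresholds and names below are assumptions, not KB values.
param(
    [int]$Samples = 12,           # number of handle-count readings
    [int]$IntervalSeconds = 300,  # pause between readings
    [int]$MinGrowth = 1000        # assumed net growth that counts as a leak
)

# Hypothetical helper: true when the count rises in at least 75% of the
# intervals and the net growth reaches the threshold.
function Test-SteadyGrowth {
    param([int[]]$Counts, [int]$MinGrowth)
    if ($Counts.Count -lt 3) { return $false }
    $rises = 0
    for ($i = 1; $i -lt $Counts.Count; $i++) {
        if ($Counts[$i] -gt $Counts[$i - 1]) { $rises++ }
    }
    $mostlyRising = ($rises / ($Counts.Count - 1)) -ge 0.75
    $grewEnough   = ($Counts[-1] - $Counts[0]) -ge $MinGrowth
    return ($mostlyRising -and $grewEnough)
}

# Symptom 1: handle count of the System process (PID 4) keeps climbing.
$counts = @()
for ($n = 0; $n -lt $Samples; $n++) {
    $counts += (Get-Process -Id 4).HandleCount
    if ($n -lt ($Samples - 1)) { Start-Sleep -Seconds $IntervalSeconds }
}
$steady = Test-SteadyGrowth -Counts $counts -MinGrowth $MinGrowth

# Symptom 2: the Netlogon events listed in the KB excerpt, narrowed to
# those whose text carries status code 10055 as in the sample event.
$netlogon = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5775, 5792, 5719
    } -ErrorAction SilentlyContinue)
$noBuffer = @($netlogon | Where-Object { $_.Message -match '\b10055\b' })

# Summary object: both symptoms together point at the TDI handle leak.
New-Object PSObject -Property @{
    SystemHandleCounts  = $counts -join ','
    HandleGrowthSteady  = $steady
    NetlogonEvents      = $netlogon.Count
    NetlogonStatus10055 = $noBuffer.Count
}
```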

Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2 - Five Language Standalone DVD ISO (KB948465) is available for download here.

Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2 - Five Language Standalone (KB948465) is available for download here.

Windows Server 2008 Service Pack 2 and Windows Vista Service Pack 2 - Five Language Standalone for x64-based systems (KB948465) is available for download here.


By    10 Aug 2009, 14:56 GMT