#1

System (PID 4) "eat" the whole memory

Some 25% of the switch on times my Dell D620 Vista enterprise laptop hangs after a couple of minutes. Investigation with Process Explorer shows that process System (PID 4) keeps 50% of cpu and "eats" the whole memory (2 GB) in a couple of minutes thus freezing the PC. Further investigation shows that the offending thread seems to be the driver ndis.sys which uses 50% of the CPU. After one (sometimes two) hard reboot (few seconds on the power switch button) I can use the PC. The PC SW is fully updated. Any suggestion?
#2

Re: System (PID 4) "eat" the whole memory

"Riccardo" <Riccardo@nospam.com> wrote...
> Some 25% of the switch on times my Dell D620 Vista enterprise laptop hangs
> after a couple of minutes. Investigation with Process Explorer shows that
> process System (PID 4) keeps 50% of cpu and "eats" the whole memory (2 GB)
> in a couple of minutes thus freezing the PC. Further investigation shows
> that the offending thread seems to be the driver ndis.sys which uses 50% of
> the CPU. After one (sometimes two) hard reboot (few seconds on the power
> switch button) I can use the PC. The PC SW is fully updated.

Hi Riccardo,

As you have seen, the "System" process (PID 4) is actually the NT Kernel. As such, it is outside the usual user-mode process space, but it's called "System" in Task Manager and some other tools, as a convenient name.

NDIS.SYS is obviously the NDIS driver. It is a standard part of Windows, since NT 3.1. NDIS.SYS implements the NDIS layer between the network protocol stack and the Network Card drivers. So you would have TCP/IP above NDIS, and the specific driver for your NIC hardware below NDIS (eg an Intel 82566 Driver, a Broadcom BMC4401 driver, a RealTek RTL816 driver etc):

- (top of stack)
- Applications
- Winsock
- TDI
- TCP/IP
- NDIS
- NIC Driver
- Network Card hardware
- (bottom of stack)

NDIS.SYS is some of the most heavily exercised code on the planet - every Windows machine connected to a network hammers this driver continuously. So although it is *possible* there may be a new, undiscovered memory leak or infinite loop in NDIS ... it seems unlikely. It's more likely that something else above or below NDIS, is putting it into a troubled state. A couple of possibilities:

- the network card driver you have might not be fully Vista-compatible. Can you tell us what kind of machine you have, and what brand and model network card?

- there may be excessive network activity. What you're describing sounds a bit like a denial-of-service attack - maybe someone is hammering your network address with half-closed TCP/IP sessions, or just a packet storm which is causing a large number of Interrupts. If you are on a corporate LAN, check with your network guys to see if there is any abnormal network activity. Or, while the machine is in the problem state, go to a command prompt and run a command like "netstat -ano" to see if there are an unusually large number of network sessions active. Alternatively, run Task Manager, go to the Network tab and watch the network utilisation. If NDIS is maxed out, it is possible the network utilisation will be very high. If it is not an outside attack, you may be infected with a bot or rootkit, which is generating a lot of outbound network traffic, so run an antivirus and anti-spyware tool as well. Or maybe some app on the machine is hammering the network as part of its normal operations (database synchronisation, etc).

Other folks may have extra ideas for you; hope this helps a bit,

--
Andrew McLaren
amclar (at) optusnet dot com dot au
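Added example, not part of the original posts: the `netstat -ano` check suggested in post #2, done in Python over saved output so that sessions can be counted by state, by owning PID and by remote host. The sample output is constructed, and the function names and the `half_open_limit` threshold are assumptions chosen for the sample.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:445       192.168.1.77:50211     SYN_RECEIVED    4
  TCP    192.168.1.10:445       192.168.1.77:50212     SYN_RECEIVED    4
  TCP    192.168.1.10:445       192.168.1.77:50213     SYN_RECEIVED    4
  TCP    192.168.1.10:49160     10.0.0.5:443           ESTABLISHED     2140
  TCP    [::1]:49170            [::1]:5357             TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    1020
"""

HALF_OPEN = {"SYN_RECEIVED", "SYN_SENT"}  # TCP handshake not completed


def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) for each connection row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if f[0] == "TCP" and len(f) == 5:
            yield f[0], f[1], f[2], f[3], int(f[4])
        elif f[0] == "UDP" and len(f) == 4:
            yield f[0], f[1], f[2], "", int(f[3])  # UDP rows carry no state


def summarize(text, half_open_limit=2):
    """Count sessions by state, PID and remote host; list hosts over the limit."""
    by_state, by_pid, half_open = Counter(), Counter(), Counter()
    for proto, _local, foreign, state, pid in parse_netstat(text):
        by_pid[pid] += 1
        if proto == "TCP":
            by_state[state] += 1
        if state in HALF_OPEN:
            half_open[foreign.rsplit(":", 1)[0]] += 1  # drop the port, keep the host
    # Assumed threshold: tiny here to suit the sample; tune it to the host's baseline.
    suspects = sorted(h for h, n in half_open.items() if n > half_open_limit)
    return {"by_state": by_state, "by_pid": by_pid,
            "half_open": half_open, "suspects": suspects}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("TCP sessions by state:", dict(report["by_state"]))
    print("Sessions by PID:", report["by_pid"].most_common(3))
    print("Hosts over the half-open limit:", report["suspects"])
```

To use it on a real machine, save the output with `netstat -ano > netstat.txt` while the problem is occurring and pass the file's contents to `summarize()`.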
#3

Re: System (PID 4) "eat" the whole memory

Thank you Andrew for your suggestions, at least now I know where I should look. My network adapters are "Broadcom NetXtreme 57xx Gigabit Controller" and "Intel PRO/Wireless 3945ABG Network connection" but I got the freezing problem without any connection to the net (physical cable or WiFi). Actually my suspect is now on ntkrnlpa.exe thread which, during the freezing process, gets the highest value (> 1000) in CSwitch Delta of System:4 properties in Process Explorer.

Ciao,
Riccardo
#4

Re: System (PID 4) "eat" the whole memory

Andrew McLaren andrew@fakeaddress.com posted to microsoft.public.windows.vista.general:
> Other folks may have extra ideas for you; hope this helps a bit,

Much agreed, also try SFC, your ndis driver level may have been corrupted.
#5

Re: System (PID 4) "eat" the whole memory

Thank you, no integrity violation spotted by SFC. (Un)Fortunately I don't get any more freezing so not much debug, my best bet is now on some bug on disk sharing without any net connection.

Ciao,
Riccardo

<quiettechblue@yahoo.com> wrote in message news:eM6U5H35HHA.5316@TK2MSFTNGP04.phx.gbl...
> Much agreed, also try SFC, your ndis driver level may have been
> corrupted.
#6

Re: System (PID 4) "eat" the whole memory

"Riccardo" <Riccardo@nospam.com> wrote in message news:%23pWzsSw5HHA.5268@TK2MSFTNGP02.phx.gbl...
> Thank you Andrew for your suggestions, at least now I know where I should
> look. My network adapters are "Broadcom NetXtreme 57xx Gigabit Controller"
> and "Intel PRO/Wireless 3945ABG Network connection" but I got the freezing
> problem without any connection to the net (physical cable or WiFi).
> Actually my suspect is now on ntkrnlpa.exe thread which, during the
> freezing process, gets the highest value (> 1000) in CSwitch Delta of
> System:4 properties in Process Explorer.

A high CSwitch delta would indicate a high rate of context switches - so the thread is very busy - could indicate a high number of interrupts or else some very active thread in the kernel.

Unfortunately, I don't recognise it as a "well-known" problem in Vista - I think you'll just have to keep debugging and investigating. If it was my machine I'd try booting in safe mode to see if same problem occurs; and possibly also toggle ACPI support or a few other settings to see if they are relevant. But it's pretty hide-and-seek stuff ...

Good luck with it!

--
Andrew McLaren
amclar (at) optusnet dot com dot au
#7

Re: System (PID 4) "eat" the whole memory

Hi Riccardo,

I can tell you that I am experiencing the exact same problem. Had it for a few weeks now on a rarely used Core2Duo HP NC8430 laptop running Vista Ultimate. It's made worse by being an intermittent problem. Do you experience that as well, or do you have it on every boot?

I have just started working through the troubleshooting and will post my result here when/if I get any wiser on this.

regards
Lars

--
Larswa

Larswa's Profile: http://forums.techarena.in/member.php?userid=30022
View this thread: http://forums.techarena.in/showthread.php?t=807657
http://forums.techarena.in
#8

Re: System (PID 4) "eat" the whole memory

Yeah ... I nailed it.

I had the same two NIC's installed on my laptop as you did, and I could boot into safe mode (with network) and they worked every time. When not in safe mode, I got the problem 8/10 times or so it seems.

So I booted into safe mode ... disabled all NIC's. The builtin plus my two VMWare virtual NIC's, and the problem went away. Permanently. Then I started enabling one NIC after the other ... and rebooted a couple times after each re-enabling.

It turns out that it was the wireless NIC that caused the problem, so back into safe mode, where I deleted the NIC. Answered yes to removing the driver. Vista instantly discovered the NIC again, and reinstalled the drivers. Since then (5 reboots) I haven't been able to recreate the problem. Sweeeeet.

Hope that helps someone with a similar problem.

regards
Lars

--
Larswa
#9

Re: System (PID 4) "eat" the whole memory

Hmm .. It was too early to celebrate. It definitely was the NIC, but after removing it and letting it reinstall, and a few restarts later .. the problem is back. Disabling the NIC fixes it. But I can't seem to uninstall it completely. Annoying.

--
Larswa
#10

Re: System (PID 4) "eat" the whole memory

Just for the record, it looks like it was due to the presence of two network drives in absence of any network connections. I removed the net drives and everything looks fine (although with little statistic).

Riccardo

"Riccardo" <Riccardo@xxxxxx> wrote in message news:e2xadQ75HHA.1148@xxxxxx
> Thank you, no integrity violation spotted by SFC. (Un)Fortunately I don't
> get any more freezing so not much debug, my best bet is now on some bug on
> disk sharing without any net connection.
> Ciao,
> Riccardo
>
> <quiettechblue@xxxxxx> wrote in message news:eM6U5H35HHA.5316@xxxxxx
>> Much agreed, also try SFC, your ndis driver level may have been
>> corrupted.