System (PID 4) "eats" the whole memory


Riccardo

About 25% of the times I switch it on, my Dell D620 Vista Enterprise laptop hangs
after a couple of minutes. Investigation with Process Explorer shows that the
process System (PID 4) keeps 50% of the CPU and "eats" the whole memory (2 GB) in
a couple of minutes, thus freezing the PC. Further investigation shows that
the offending thread seems to be the driver ndis.sys, which uses 50% of the
CPU. After one (sometimes two) hard reboots (a few seconds on the power
button) I can use the PC. The PC software is fully updated.
Any suggestions?
 

Andrew McLaren

Riccardo said:
About 25% of the times I switch it on, my Dell D620 Vista Enterprise laptop hangs
after a couple of minutes. Investigation with Process Explorer shows that the
process System (PID 4) keeps 50% of the CPU and "eats" the whole memory (2 GB)
in a couple of minutes, thus freezing the PC. Further investigation shows
that the offending thread seems to be the driver ndis.sys, which uses 50% of
the CPU. After one (sometimes two) hard reboots (a few seconds on the power
button) I can use the PC. The PC software is fully updated.

Hi Riccardo,

As you have seen, the "System" process (PID 4) is actually the NT Kernel. As
such, it is outside the usual user-mode process space, but it's called
"System" in Task Manager and some other tools, as a convenient name.

NDIS.SYS is obviously the NDIS driver. It is a standard part of Windows,
since NT 3.1. NDIS.SYS implements the NDIS layer between the network
protocol stack and the network card drivers. So you would have TCP/IP above
NDIS, and the specific driver for your NIC hardware below NDIS (e.g. an Intel
82566 driver, a Broadcom BCM4401 driver, a RealTek RTL816 driver, etc.):

(top of stack)
Applications
Winsock
TDI
TCP/IP
NDIS
NIC Driver
Network Card hardware
(bottom of stack)

NDIS.SYS is some of the most heavily exercised code on the planet - every
Windows machine connected to a network hammers this driver continuously. So
although it is *possible* there may be a new, undiscovered memory leak or
infinite loop in NDIS ... it seems unlikely. It's more likely that something
else above or below NDIS, is putting it into a troubled state. A couple of
possibilities:

- the network card driver you have might not be fully Vista-compatible. Can
you tell us what kind of machine you have, and what brand and model network
card?

- there may be excessive network activity. What you're describing sounds a
bit like a denial-of-service attack: maybe someone is hammering your network
address with half-closed TCP/IP sessions, or just a packet storm which is
causing a large number of interrupts. If you are on a corporate LAN, check
with your network guys to see if there is any abnormal network activity. Or,
while the machine is in the problem state, go to a command prompt and run a
command like "netstat -ano" to see if there is an unusually large number of
network sessions active. Alternatively, run Task Manager, go to the Networking
tab and watch the network utilisation. If NDIS is maxed out, it is possible
the network utilisation will be very high. If it is not an outside attack,
you may be infected with a bot or rootkit which is generating a lot of
outbound network traffic, so run an antivirus and anti-spyware tool as well.
Or maybe some app on the machine is hammering the network as part of its
normal operations (database synchronisation, etc.).

Other folks may have extra ideas for you; hope this helps a bit,
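The "netstat -ano" check suggested in the reply above, worked through as an added example (this is not code from the original thread or from any of its posters). The script parses the text that netstat -ano prints on Windows (Proto / Local Address / Foreign Address / State / PID columns) and summarises the sessions by TCP state, by owning PID and by remote host, so a pile of half-open (SYN_RECEIVED) or half-closed (CLOSE_WAIT, FIN_WAIT) sessions from one peer stands out rather than being buried in a long listing. The sample output embedded below is constructed for the demonstration, and the "three or more half-open sessions from one host" threshold is an illustrative assumption, not a Windows-defined limit.

```python
"""Summarise "netstat -ano" output to spot abnormal session counts.

Added example for the thread above; not the original poster's code.
Feed it the saved output of "netstat -ano" (e.g. netstat -ano > ns.txt)
taken while the machine is in the problem state.
"""
from collections import Counter
import re

# Constructed sample of "netstat -ano" output; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:49152     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:445       10.0.0.7:40001         SYN_RECEIVED    4
  TCP    192.168.1.20:445       10.0.0.7:40002         SYN_RECEIVED    4
  TCP    192.168.1.20:445       10.0.0.7:40003         SYN_RECEIVED    4
  TCP    192.168.1.20:445       10.0.0.7:40004         SYN_RECEIVED    4
  TCP    192.168.1.20:49160     93.184.216.34:80       CLOSE_WAIT      2240
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:500            *:*                                    1108
  UDP    192.168.1.20:137       *:*                                    4
"""

# One data row: proto, local, foreign, optional state (UDP rows have none), pid.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

# Which states count as "half-open" / "half-closed" is a judgement call made
# for this example (assumption), not a definition taken from Windows.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_SENT"}
HALF_CLOSED_STATES = {"CLOSE_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "TIME_WAIT"}


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host = foreign.rsplit(":", 1)[0]  # drop the port, keep IPv6 brackets
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "host": host, "state": state or "", "pid": int(pid)})
    return rows


def summarise(rows):
    """Counters: TCP sessions by state, all rows by PID, non-listening TCP by host."""
    by_state = Counter(r["state"] for r in rows if r["proto"] == "TCP")
    by_pid = Counter(r["pid"] for r in rows)
    by_host = Counter(r["host"] for r in rows
                      if r["proto"] == "TCP" and r["state"] != "LISTENING")
    return by_state, by_pid, by_host


def suspicious_hosts(rows, threshold=3):
    """Remote hosts holding >= threshold half-open sessions (threshold is an
    illustrative assumption; tune it for the machine being examined)."""
    half_open = Counter(r["host"] for r in rows if r["state"] in HALF_OPEN_STATES)
    return sorted(host for host, n in half_open.items() if n >= threshold)


if __name__ == "__main__":
    # Replace SAMPLE_NETSTAT with open("ns.txt").read() on a real machine.
    rows = parse_netstat(SAMPLE_NETSTAT)
    by_state, by_pid, by_host = summarise(rows)
    print("TCP sessions by state:", dict(by_state))
    print("Sessions by owning PID:", dict(by_pid))
    print("Non-listening TCP sessions by remote host:", dict(by_host))
    print("Hosts with a pile of half-open sessions:", suspicious_hosts(rows))
```

On the constructed sample the summary attributes eight of the twelve sockets to PID 4 (the System process also owns the SMB/NetBIOS listeners, so a large count there is not by itself alarming) and flags 10.0.0.7 as the one peer holding several half-open sessions against port 445; on a real capture that is the host to ask the network team about. Because the script only reads the saved text, it can also be run after the fact on output collected from a machine that later had to be hard-rebooted.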
 

Riccardo

Thank you Andrew for your suggestions, at least now I know where I should
look. My network adapters are "Broadcom NetXtreme 57xx Gigabit Controller"
and "Intel PRO/Wireless 3945ABG Network Connection", but I get the freezing
problem without any connection to the net (physical cable or WiFi). Actually
my suspicion is now on the ntkrnlpa.exe thread which, during the freeze,
gets the highest value (> 1000) in CSwitch Delta in the System:4 properties of
Process Explorer.
Ciao,
Riccardo
 

quiettechblue

Andrew McLaren (e-mail address removed) posted to
microsoft.public.windows.vista.general (the reply quoted in full above):

Much agreed, also try SFC, your ndis driver level may have been
corrupted.
 

Riccardo

Thank you, no integrity violation spotted by SFC. (Un)Fortunately I don't get
any more freezing, so not much debugging; my best bet is now some bug in disk
sharing without any net connection.
Ciao,
Riccardo
 

Andrew McLaren

Riccardo said:
Thank you Andrew for your suggestions, at least now I know where I should
look. My network adapters are "Broadcom NetXtreme 57xx Gigabit Controller"
and "Intel PRO/Wireless 3945ABG Network Connection", but I get the freezing
problem without any connection to the net (physical cable or WiFi).
Actually my suspicion is now on the ntkrnlpa.exe thread which, during the
freeze, gets the highest value (> 1000) in CSwitch Delta in the
System:4 properties of Process Explorer.

A high CSwitch delta would indicate a high rate of context switches - so
the thread is very busy - which could indicate a high number of interrupts or else
some very active thread in the kernel.

Unfortunately, I don't recognise it as a "well-known" problem in Vista - I
think you'll just have to keep debugging and investigating.

If it was my machine I'd try booting in safe mode to see if same problem
occurs; and possibly also toggle ACPI support or a few other settings to see
if they are relevant. But it's pretty hide-and-seek stuff ...

Good luck with it!
 

Riccardo

Just for the record, it looks like it was due to the presence of two network
drives in the absence of any network connection. I removed the network drives and
everything looks fine (although with few statistics so far).
Riccardo
 

Riccardo

I was thinking of posting a confirmation of the solved problem with some more
statistics, when I received the MS "upgrade". It requested a reboot and the
problem reappeared (no shared folders now); a second reboot worked. Then I
switched off for a while; now I rebooted and again got the PID 4 problem. I
can now uninstall the "upgrade", but I would like to know what the "upgrade"
was about!
Riccardo
 

Riccardo

Larswa said:
I'm sorry Riccardo, but I don't quite follow you. What "Upgrade" is
that?

I know that Microsoft released a couple of updates today. Amongst them
the much famed reliability and performance fix packs that were released
on MS Download a couple of weeks ago.

And what does the upgrade have to do with the problem we experienced? I
thought you had nailed it too?? :)


--
Larswa
------------------------------------------------------------------------
Larswa's Profile: http://forums.techarena.in/member.php?userid=30022
View this thread: http://forums.techarena.in/showthread.php?t=807657

http://forums.techarena.in
Hi Larswa,
here is the list (with MS notes) of the updates I got today. This time (the
third after the update) switch-on was OK (1 out of 3). No idea if the update
has anything to do with the problem I have; it's just statistics/coincidence,
who knows!
Ciao,
Riccardo

----------------
Update for Windows Vista (KB938952)
Update type: Recommended
Install this update to resolve a display issue that occurs during language
pack installation and when accessing the Regional and Language Options
control panel. After you install this item, you may have to restart your
computer.

Update for Windows Vista (KB933360)
Installing this update enables your computer to automatically adjust the
computer clock on the correct date in 2007 due to revised Daylight Saving
Time laws in many countries. After you install this item, you may have to
restart your computer.

Update for Windows Vista (KB939159)
Install this update to resolve an issue in the Background Intelligent
Transfer Service (BITS). After you install this item, you may have to
restart your computer.
 

olaf.brandt

Hi Riccardo,

I can tell you that I am experiencing the exact same problem. Have had it
for a few weeks now on a rarely used Core2Duo HP NC8430 laptop running Vista
Ultimate. It's made worse by being an intermittent problem. Do
you experience that as well, or do you have it on every boot?

I have just started working through the troubleshooting and will post
my result here when/if I get any wiser on this.

regards
Lars


Hi,

I have the same symptoms as described. My system is also a Dell
Latitude D620 with wireless and wired network interfaces. Behavior is
that immediately after reboot my CPU is pegged by the system process
and the memory utilization is 1.5GB and climbs to 2GB where my machine
grinds to a halt. This takes about 60-90 seconds.

My network devices from the Device Manager:
- Broadcom NetXtreme 57xx (5752 actually) Gigabit
- Intel(R) PRO/Wireless 3945ABG Network Connection
- Juniper Network Connect Virtual Adapter

SysInternals process explorer seems to show that one thread in the
System process with a base address showing NDIS!NdisInitializeWrapper
is dominating CPU and massive Ctx switch rates.

I don't believe that a definitive fix was found in this thread.
Please reply/respond if you know of one.

Thanks,
Olaf
 

Guest

Riccardo,

I had exactly this problem on a Sony with Intel 3945abg WiFi. Go to the
Intel web site and get the latest drivers for this card. There is a bug
documented on the Intel site that exactly matches this problem. I've
installed the latest drivers and not had the problem since. See
http://alquistconsulting.blogspot.com for a full description. It's really
annoying that neither Microsoft update nor Sony update offer this upgrade. It
has taken me months to track this down.

Andrew
 