Riccardo said:
Some 25% of the switch-on times, my Dell D620 Vista Enterprise laptop hangs
after a couple of minutes. Investigation with Process Explorer shows that
process System (PID 4) keeps 50% of the CPU and "eats" the whole memory (2 GB)
in a couple of minutes, thus freezing the PC. Further investigation shows
that the offending thread seems to be the driver ndis.sys, which uses 50% of
the CPU. After one (sometimes two) hard reboots (a few seconds on the power
switch button) I can use the PC. The PC SW is fully updated.
Hi Riccardo,
As you have seen, the "System" process (PID 4) is actually the NT Kernel. As
such, it is outside the usual user-mode process space, but it's called
"System" in Task Manager and some other tools, as a convenient name.
NDIS.SYS is obviously the NDIS driver. It is a standard part of Windows,
since NT 3.1. NDIS.SYS implements the NDIS layer between the network
protocol stack and the Network Card drivers. So you would have TCP/IP above
NDIS, and the specific driver for your NIC hardware below NDIS (eg an Intel
82566 Driver, a Broadcom BMC4401 driver, a RealTek RTL816 driver etc):
(top of stack)
Applications
Winsock
TDI
TCP/IP
NDIS
NIC Driver
Network Card hardware
(bottom of stack)
NDIS.SYS is some of the most heavily exercised code on the planet - every
Windows machine connected to a network hammers this driver continuously. So
although it is *possible* there may be a new, undiscovered memory leak or
infinite loop in NDIS ... it seems unlikely. It's more likely that something
else above or below NDIS, is putting it into a troubled state. A couple of
possibilities:
- the network card driver you have might not be fully Vista-compatible. Can
you tell us what kind of machine you have, and what brand and model network
card?
- there may be excessive network activity. What you're describing sounds a
bit like a denial-of-service attack: maybe someone is hammering your network
address with half-closed TCP/IP sessions, or just a packet storm which is
causing a large number of interrupts. If you are on a corporate LAN, check
with your network guys to see if there is any abnormal network activity. Or,
while the machine is in the problem state, go to a command prompt and run a
command like "netstat -ano" to see if there are an unusually large number of
network sessions active. Alternatively, run Task Manager, go to the Network
tab and watch the network utilisation. If NDIS is maxed out, it is possible
the network utilisation will be very high. If it is not an outside attack,
you may be infected with a bot or rootkit, which is generating a lot of
outbound network traffic, so run an antivirus and anti-spyware tool as well.
Or maybe some app on the machine is hammering the network as part of its
normal operations (database synchronisation, etc).
Other folks may have extra ideas for you; hope this helps a bit,
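The reply suggests running "netstat -ano" while the machine is in the problem state and looking for an unusually large number of sessions. Eyeballing hundreds of lines is hard, so here is an added example (not part of the original thread, and not a tool from Dell or Microsoft) that parses the default English layout of `netstat -ano` output, counts sessions by state, owning PID and remote host, and flags the two signs the reply mentions: many half-open (SYN_RECEIVED) sessions, and a single remote address holding many sessions. The sample output, the addresses (documentation ranges), the PIDs and the thresholds are all constructed for the demonstration; tune the thresholds to the machine's normal load.

```python
"""Summarise `netstat -ano` output to spot abnormal session counts.

Added example for the thread above; assumes the default English text layout
of `netstat -ano` on Windows. Usage:  netstat -ano | python netstat_summary.py
"""
import re
import sys
from collections import Counter

# Constructed sample of `netstat -ano` output (TEST-NET addresses, made-up PIDs).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49152     203.0.113.5:80         ESTABLISHED     2044
  TCP    192.168.1.10:49153     203.0.113.5:443        ESTABLISHED     2044
  TCP    192.168.1.10:445       198.51.100.7:51234     SYN_RECEIVED    4
  TCP    192.168.1.10:445       198.51.100.7:51235     SYN_RECEIVED    4
  TCP    192.168.1.10:445       198.51.100.7:51236     SYN_RECEIVED    4
  TCP    192.168.1.10:445       198.51.100.7:51237     SYN_RECEIVED    4
  TCP    192.168.1.10:445       198.51.100.8:51300     SYN_RECEIVED    4
  UDP    0.0.0.0:500            *:*                                    1100
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return a list of dicts, one per connection row; header/blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # rpartition keeps IPv6 hosts like "[::1]" intact and handles "*:*".
        host, _, port = m.group("remote").rpartition(":")
        conns.append({
            "proto": m.group("proto"),
            "local": m.group("local"),
            "remote_host": host,
            "remote_port": port,
            "state": m.group("state") or "",
            "pid": int(m.group("pid")),
        })
    return conns


def summarize(conns):
    """Count sessions by TCP state, by owning PID and by remote host (listeners excluded)."""
    return {
        "total": len(conns),
        "by_state": Counter(c["state"] for c in conns if c["state"]),
        "by_pid": Counter(c["pid"] for c in conns),
        "by_remote_host": Counter(
            c["remote_host"] for c in conns if c["state"] not in ("", "LISTENING")
        ),
    }


def assess(summary, max_half_open=3, max_per_host=3, max_total=500):
    """Return human-readable findings; thresholds are constructed defaults, not Windows limits."""
    findings = []
    half_open = summary["by_state"].get("SYN_RECEIVED", 0)
    if half_open > max_half_open:
        findings.append(f"{half_open} half-open (SYN_RECEIVED) sessions; possible SYN flood")
    for host, n in summary["by_remote_host"].most_common():
        if n > max_per_host:
            findings.append(f"{n} sessions with remote host {host}")
    if summary["total"] > max_total:
        findings.append(f"{summary['total']} sessions in total exceeds {max_total}")
    return findings


def report(text):
    """Parse, summarise and assess one netstat capture; returns (summary, findings)."""
    summary = summarize(parse_netstat(text))
    return summary, assess(summary)


if __name__ == "__main__":
    # Read a real capture from stdin if one is piped in, else use the sample.
    captured = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    summary, findings = report(captured)
    print("sessions by state:", dict(summary["by_state"]))
    print("top PIDs:", summary["by_pid"].most_common(5))
    for f in findings or ["nothing unusual"]:
        print("-", f)
```

On the sample, PID 4 (the System process from Riccardo's report) owns the half-open sessions because inbound SYN_RECEIVED entries are held by the kernel rather than by a user-mode program, which is exactly why an outside flood shows up as kernel CPU and NDIS activity; a high count on a user-mode PID would instead point at an application (or malware) on the box doing the hammering.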