Blue screen with "STOP 0x0000007f" error on Windows 2003/XP/2000/NT

Article:TECH99708  |  Created: 2002-01-12  |  Updated: 2013-10-22  |  Article URL http://www.symantec.com/docs/TECH99708
Article Type
Technical Solution


Environment

Issue



You install Symantec AntiVirus on a computer that runs Windows 2003/XP/2000/NT. After the installation, the computer unexpectedly restarts or encounters a blue screen with a STOP message similar to the following:

STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
UNEXPECTED_KERNEL_MODE_TRAP

You may see the following message in the Event Log: "Event ID: 1005. Source: SAVRT: Symantec AntiVirus Auto-Protect could not scan file <path><filename> for viruses due to low kernel stack."

A common configuration for this situation is a Windows 2000 Server with Terminal Services in Remote Administration Mode with a combination of any of the following applications: Symantec AntiVirus Corporate Edition, St. Bernard Open File Manager, Quota Manager, Legato RepliStor, or other "filter drivers" that register with the Kernel Stack.

 


Solution



This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.

To fix this problem, do all of the procedures and all of the steps within each procedure. Do the procedures and steps in the order in which they appear.

Windows 2000 hotfix
Microsoft released a hotfix to fix this problem on computers that run Windows 2000.
For details, read the Microsoft Knowledge Base document You receive a "0x0000007F" stop error on a Windows 2000-based computer (838804).

Older Intel drivers
If you use Symantec AntiVirus 9.x, this may be caused by an older version of the Intel® Application Accelerator driver, Intelata.sys. To update the driver, read the Intel Application Accelerator page on the Intel Web site.

 


WARNING: Do not install an Application Accelerator driver unless the Intelata.sys driver already exists on your computer. Also, make sure that you install the correct version for your chipset. To verify this, read the Intel page Which ATA/SATA Drivers Work with My Chipset?
 




Windows 2000 kernel space
The limit is 12 KB for kernel drivers.

Windows 2000 running NTFS
Windows 2000 running NTFS examines the available kernel stack before processing an I/O request. If NTFS determines that there is insufficient stack space, then an exception error results. If there is not enough stack space for processing the exception, then a stack overflow occurs and the system double-faults, resulting in a blue screen with a STOP message.

Symantec File System Realtime Protection or Auto-Protect
When Symantec AntiVirus File System Realtime Protection or Auto-Protect examines a file for viruses, it requests file access from the corresponding file system. These requests for file IO can add to kernel stack consumption.

To prevent File System Realtime Protection or Auto-Protect from using additional kernel stack in a low stack situation, an internal configuration value named KStackMinFree was added and is configurable through the Windows registry.

The KStackMinFree registry value
The KStackMinFree registry value specifies a minimum amount of kernel stack that must be free for File System Realtime Protection or Auto-Protect to request file IO from the file system. If the KStackMinFree value is present in the registry, then File System Realtime Protection or Auto-Protect calculates the amount of available stack space before doing any file IO. If the available kernel stack is less than the value in the registry, then File System Realtime Protection or Auto-Protect will not do any IO and will not scan the file.

 


Note: File System Realtime Protection or Auto-Protect only skips files that are accessed by trusted kernel components (Ring 0). If files are accessed by user mode components (non-Ring 0), then File System Realtime Protection or Auto-Protect examines the files for viruses.
 



Adding the KStackMinFree value is a two-step process

  1. Modify the registry by adding the KStackMinFree value.
  2. Stop and then restart the Symantec AntiVirus service for changes to take effect.
    If the problem persists, restart the computer. After you restart the computer, confirm that the changes that you made to the KStackMinFree value are still present.


 


WARNING: We strongly recommend that you back up the registry before making any changes. Incorrect changes to the registry could result in permanent data loss or damaged files. Modify only the keys that are specified. See the documents How to back up the Windows registry and How to use the Windows Registry editor before proceeding.
 


To modify the registry by adding the KStackMinFree value in Symantec Endpoint Protection 12.1.2 or later

  1. In the Registry Editor, go to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan

  2. Right-click the RealTimeScan key, and then click New > DWORD Value.
  3. Type KStackMinFree for the name of the new value.
  4. Right-click the KStackMinFree value, and then click Modify.
  5. Set the Base to Hexadecimal, and then type 2200 in the Value field.
  6. Click OK.
  7. Restart the computer
     


To modify the registry by adding the KStackMinFree value in Symantec AntiVirus 9.x or later

  1. In the Registry Editor, go to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan
    ( 64-bit machine will be
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\INTEL\LANDesk\VirusProtect6\CurrentVersion\Storages\Filesystem\RealTimeScan)
  2. Right-click the RealTimeScan key, and then click New > DWORD Value.
  3. Type KStackMinFree for the name of the new value.
  4. Right-click the KStackMinFree value, and then click Modify.
  5. Set the Base to Hexadecimal, and then type 2200 in the Value field.
  6. Click OK.
  7. Restart the Symantec AntiVirus service.
    If the problem persists, restart the computer. After you restart the computer, confirm that the changes that you made to the KStackMinFree value are still present.
     

Windows 2003/XP/2000 users can automatically create the KStackMinFree value at 2200 by downloading and importing the attached SAVCE9_KStackMinFree.reg file.

To modify the registry by adding the KStackMinFree value in Symantec AntiVirus 8.x

  1. In the Registry Editor, go to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT\Auto-Protect\InternalSettings

  2. Right-click the InternalSettings key, and then click New > DWORD value.
  3. Type KStackMinFree for the name of the new value.
  4. Right-click the KStackMinFree value, and then click Modify.
  5. Set the Base to Hexadecimal, and type 2200 in the Value field.
  6. Click OK.
  7. Restart the Symantec AntiVirus service.
    If the problem persists, restart the computer. After you restart the computer, confirm that the changes that you made to the KStackMinFree value are still present.
     

Windows 2003/XP/2000 users can automatically create the KStackMinFree value at 2200 by downloading and importing the SAVCE8_KStackMinFree.reg file.

To restart the Symantec AntiVirus service

  1. To open the Services window, do one of the following:
    • In Windows 2000/XP/2003 Control Panel, double-click Administrative Tools, and then double-click Services.
    • In Windows NT 4 Control Panel, double-click Services.
  2. Locate the antivirus service.
    The service name varies depending on the Symantec product that is installed, but will be one of the following:
    • Symantec AntiVirus Client
    • Symantec AntiVirus Server
    • Symantec AntiVirus
  3. Stop and then restart the correct antivirus service.


Changes to the KStackMinFree value take should effect after the service is restarted.


Recommended size for the KStackMinFree value
Symantec recommends a range between 8.0 KB and 8.5 KB (Hex 2000-2200), though each environment is different and it may take some experimenting to find the right value. Other possible values are defined in the following chart.

 

Required minimum available kernel memory Hex value
5.0 KB 0x1400
5.5 KB 0x1600
6.0 KB 0x1800
6.5 KB 0x1a00
7.0 KB 0x1c00
7.5 KB 0x1e00
8.0 KB 0x2000
8.5 KB (recommended) 0x2200
9.0 KB 0x2400


 


Notes:

  • If the value is set too low, then a stack overflow can occur and the system will stop responding.
  • If the value is set too high, then file scans will be skipped unnecessarily.
  • If the registry value is set to 0, or greater than 0x2400, then File System Realtime Protection or Auto-Protect behaves normally.
  • The limit is 0x2400


 




If the problem persists in Symantec AntiVirus 9.x or later, you can change the Auto-Protect Startup option to work around the problem.

To change the Auto-Protect Startup option to Symantec AntiVirus start

  1. Start Symantec AntiVirus.
  2. Click Configure > File System Auto-Protect.
  3. Click Advanced.
  4. In the Startup options section, click Symantec AntiVirus start.
  5. Click OK.
  6. Restart the computer.


 


Note: This scenario provides slightly less protection because Auto-Protect loads later during the startup process. Use your best judgement to determine if this setting is appropriate for your environment.
 






References
For more information, read the following Microsoft Knowledge Base articles:

822789, You Receive a "Stop 0x0000007F" Error Message or Your Computer Unexpectedly Restarts
137539, General Causes of STOP 0x0000007F Errors
276069, "STOP 0x0000007F" on Windows 2000 with InoculateIT Enterprise Edition Installed
303268, "STOP 0x0000007F" on Windows 2000 Using Veritas Netbackup with Open File Manager Software
317214, Terminal Server Unexpectedly Restarts or You Receive STOP Error 0x0000007F
300225, "Stop 0x0000007f" Error Message May Be Displayed When the WQuinn QuotaAdvisor 4.1 Program Is Installed
835281, You receive a "STOP 0x0000007F" error message and your Windows 2000-based computer restarts



 


Supplemental Materials

Value369595; 372934; 372431; 1-4TQPI

Legacy ID



2002071208532048


Article URL http://www.symantec.com/docs/TECH99708


Terms of use for this information are found in Legal Notices