2000 Server Reboots itself after logging in VIA RDP

Ok, this problem has really stumped me and a couple of my friends that I have passed this along to.  I have a Windows 2000  Server (SP3).  If you log in VIA RDP one time, it's fine.  You can pretty much administer it remotely .   If you log out, and then log back in ( doesn't matter how much time you give it ) The server reboots.  Just flat out reboots.  Then you can log in just fine VIA RDP.  But after you log out, and try to get back in, it just reboots.  Now, for the weird thing.  If I log in VIA RDP from a 2003 Server, it doesn't reboot.  Log in, Log out and it's fine.  You log in with anything below that, it's toast.  I've tried loggin in with 2000 pro, and XP pro and it reboots also.  But, with 2003 it's just fine.  Below is the bug check log, found  no solutions really  pertaining to the problem and a fix.  

BugCheck 7F, {8, 0, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KeInvalidAccessAllowed+f )

Followup: MachineOwner

1: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
kb will then show the corrected stack.
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:



LAST_CONTROL_TRANSFER:  from 00000000 to 80468ecf

00000000 00000000 00000000 00000000 00000000 nt!KeInvalidAccessAllowed+0xf

80468ecf ebef             jmp     nt!KeInvalidAccessAllowed (80468ec0)


FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  nt!KeInvalidAccessAllowed+f


IMAGE_NAME:  ntkrnlmp.exe



FAILURE_BUCKET_ID:  0x7f_8_nt!KeInvalidAccessAllowed+f

BUCKET_ID:  0x7f_8_nt!KeInvalidAccessAllowed+f

Followup: MachineOwner

1: kd> !thread
THREAD 88a07020  Cid 3d8.750  Teb: 7ffdd000  Win32Thread: a2016a58 RUNNING
IRP List:
    88902bc8: (0006,01b4) Flags: 00000884  Mdl: 00000000
    888fca88: (0006,01b4) Flags: 00000884  Mdl: 00000000
Not impersonating
Owning Process 88919300
Wait Start TickCount    11522      
Context Switch Count    8                   LargeStack
UserTime                  0:00:00.0000
KernelTime                0:00:00.0015
Start Address 0x5ffc022a
Stack Init bed78000 Current bed75c54 Base bed78000 Limit bed75000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr  Args to Child
00000000 00000000 00000000 00000000 00000000 nt!KeInvalidAccessAllowed+0xf
Who is Participating?
PAQed with points refunded (500)

EE Admin
Have you tried Unchecking the Automatically Reboot? System properties> Advanced> Startup and Revovery settings. I would also make sure you have all of the latest updates for that server.

You get DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO and it is hardware error at the intel CPU

Could paste the output of the windbg command here and maybe your problem is related to multiple culprit.

lm tn
Introducing Cloud Class® training courses

Tech changes fast. You can learn faster. That’s why we’re bringing professional training courses to Experts Exchange. With a subscription, you can access all the Cloud Class® courses to expand your education, prep for certifications, and get top-notch instructions.


It sounds like maybe you have a bad file in Licensing or the Terminal Services.
I would lean toward licensing though.
You may want to try and remove Terminal Server Licensing and Terminal Services and perform a re-installation.
This should replace any files that could cause this problem.

Do you get a STOP error code before it reboots?  
Do you get anything in your Event Viewer (application or system log) ?
BugCheck 7F, {8, 0, 0, 0}
Bugcheck code 7F with BP1 value 8 (ie double fault.). This is definitely hardware error at CPU or motherboard. The windbg dubug report shows that DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO. Hence it is hardware problem at CPU.

This case is similar to the following O/S case which is suspected to be CPU problem
If you want to pursue the root cause, attach 4 to 5 minidumps at any webspace.
carlkidwellAuthor Commented:
Ok, I was able to resolve this.  This is a really tricky problem.  Although this gave a hardware error code, it was actually Software.  The Fix is below

MS04-032      Security Update for Microsoft Windows
(KB 822789) :

Error Message: You receive a "Stop 0x0000007F" error message or your computer unexpectedly restarts

Scenario: You installed a MS04-032 on a Windows 2000 Server running Terminal Services and a Symantec antivirus program, or another application that installs a kernel driver, under Windows NT/2000/XP/2003 32-bit. When trying to connect to this server through the Remote Desktop Connection or another Terminal Service client, i.e. the Citrix client, the server unexpectedly restarts or encounters a blue screen with a STOP message similar to:

STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)


This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.

Older Intel drivers
If you are using Symantec AntiVirus 9.x, this may be caused by an older version of the Intel® Application Accelerator driver, Intelata.sys. To update the driver, please contact the Patch Management Team.

WARNING: Do not install an Application Accelerator driver unless the Intelata.sys driver already exists on your computer. Also, make sure that you install the correct version for your chipset. For help with verifying the correct version please contact the Patch Management Team.

Windows 2000 kernel space
The limit is 12 KB for kernel drivers.

Windows 2000 running NTFS
Windows 2000 running NTFS examines the available kernel stack before processing an I/O request. If NTFS determines that there is insufficient stack space, then an exception error results. If there is not enough stack space for processing the exception, then a stack overflow occurs and the system double-faults, resulting in a blue screen with a STOP message.

Symantec or Norton real-time protection
When Symantec AntiVirus or Norton AntiVirus file system real-time protection examines a file for viruses, it requests file access from the corresponding file system. These requests for file IO can add to kernel stack consumption.

To prevent file system real-time protection from using additional kernel stack in a low stack situation, an internal configuration value named KStackMinFree was added and is configurable through the Windows registry. This value is supported in Norton AntiVirus Corporate Edition 7.61 build 21 (released in October, 2001) and all later builds.

The KStackMinFree registry value
The KStackMinFree registry value specifies a minimum amount of kernel stack that must be free for file system real-time protection to request file IO from the file system. If the KStackMinFree value is present in the registry, then file system real-time protection calculates the amount of available stack space before doing any file IO. If the available kernel stack is less than the value in the registry, then file system real-time protection will not do any IO and will not scan the file.

Note: File system real-time protection only skips files that are accessed by trusted kernel components (Ring 0). If files are accessed by user mode components (non-Ring 0), then file system real-time protection examines the files for viruses.

Adding the KStackMinFree value is a two-step process

Modify the registry by adding the KStackMinFree value.
Stop and then restart the antivirus service for changes to take effect.
To modify the registry by adding the KStackMinFree value in Norton AntiVirus 7.6 or Symantec AntiVirus 8.x

Run Regedit.exe to open the Windows registry.
Browse to the registry key for your software version:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT\Auto-Protect\InternalSettings
Under InternalSettings create a new DWORD value named KStackMinFree .
Right-click the KStackMinFree value, and then click Modify.
Set the Base to Hexadecimal, and type 2200 in the Value field.
Windows 2000/XP users can automatically create the KStackMinFree value at 2200 by downloading and importing the SAVCE8_KStackMinFree.reg file.

Symantec recommends a range between 8.0 KB and 8.5 KB (Hex 2000-2200), though each environment is different and it may take some experimenting to find the right value. Other possible values are defined in the following chart.

Required minimum available kernel memory
 HEX Value
5.0 KB
5.5 KB
6.0 KB
6.5 KB
7.0 KB
7.5 KB
8.0 KB
8.5 KB (recommended)
9.0 KB


If the value is set too low, then a stack overflow can occur and the system will stop responding.
If the value is set too high, then file scans will be skipped unnecessarily.
If the registry value is not present, set to 0, or greater than 0x2400, then file system real-time protection behaves normally.

To restart the antivirus service

To open the Services window, do one of the following:
In Windows NT 4 Control Panel, double-click Services .
In Windows 2000/XP Control Panel, double-click Administrative Tools , and then double-click Services .
Locate the antivirus service.
The service name varies depending on the Symantec product that is installed, but will be one of the following:
Norton AntiVirus Client
Norton AntiVirus Server
Symantec AntiVirus Client
Symantec AntiVirus Server
Stop and then restart the appropriate antivirus service.

Changes to the KStackMinFree value take effect after the service is restarted.

Thanks for all your help!!!
Wayne BarronAuthor, Web DeveloperCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:
[Accept: carlkidwell] (Accept: Comment made on http:Q_21406264.html#13969547 as Answer)

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer
Agreed for Accepting carlkidwell.  Please Accept this answer
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.