2000  Server Reboots itself after logging in VIA RDP

Posted on 2005-04-28
Last Modified: 2008-01-09
Ok, this problem has really stumped me and a couple of my friends that I have passed this along to.  I have a Windows 2000  Server (SP3).  If you log in VIA RDP one time, it's fine.  You can pretty much administer it remotely .   If you log out, and then log back in ( doesn't matter how much time you give it ) The server reboots.  Just flat out reboots.  Then you can log in just fine VIA RDP.  But after you log out, and try to get back in, it just reboots.  Now, for the weird thing.  If I log in VIA RDP from a 2003 Server, it doesn't reboot.  Log in, Log out and it's fine.  You log in with anything below that, it's toast.  I've tried loggin in with 2000 pro, and XP pro and it reboots also.  But, with 2003 it's just fine.  Below is the bug check log, found  no solutions really  pertaining to the problem and a fix.  

BugCheck 7F, {8, 0, 0, 0}

Probably caused by : ntkrnlmp.exe ( nt!KeInvalidAccessAllowed+f )

Followup: MachineOwner

1: kd> !analyze -v
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *

This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).  The first number in the
bugcheck params is the number of the trap (8 = double fault, etc)
Consult an Intel x86 family manual to learn more about what these
traps are. Here is a *portion* of those codes:
If kv shows a taskGate
        use .tss on the part before the colon, then kv.
Else if kv shows a trapframe
        use .trap on that value
        .trap on the appropriate frame will show where the trap was taken
        (on x86, this will be the ebp that goes with the procedure KiTrap)
kb will then show the corrected stack.
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:



LAST_CONTROL_TRANSFER:  from 00000000 to 80468ecf

00000000 00000000 00000000 00000000 00000000 nt!KeInvalidAccessAllowed+0xf

80468ecf ebef             jmp     nt!KeInvalidAccessAllowed (80468ec0)


FOLLOWUP_NAME:  MachineOwner

SYMBOL_NAME:  nt!KeInvalidAccessAllowed+f


IMAGE_NAME:  ntkrnlmp.exe



FAILURE_BUCKET_ID:  0x7f_8_nt!KeInvalidAccessAllowed+f

BUCKET_ID:  0x7f_8_nt!KeInvalidAccessAllowed+f

Followup: MachineOwner

1: kd> !thread
THREAD 88a07020  Cid 3d8.750  Teb: 7ffdd000  Win32Thread: a2016a58 RUNNING
IRP List:
    88902bc8: (0006,01b4) Flags: 00000884  Mdl: 00000000
    888fca88: (0006,01b4) Flags: 00000884  Mdl: 00000000
Not impersonating
Owning Process 88919300
Wait Start TickCount    11522      
Context Switch Count    8                   LargeStack
UserTime                  0:00:00.0000
KernelTime                0:00:00.0015
Start Address 0x5ffc022a
Stack Init bed78000 Current bed75c54 Base bed78000 Limit bed75000 Call 0
Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0

ChildEBP RetAddr  Args to Child
00000000 00000000 00000000 00000000 00000000 nt!KeInvalidAccessAllowed+0xf
Question by:carlkidwell
    LVL 16

    Expert Comment

    Have you tried Unchecking the Automatically Reboot? System properties> Advanced> Startup and Revovery settings. I would also make sure you have all of the latest updates for that server.

    LVL 20

    Expert Comment

    You get DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO and it is hardware error at the intel CPU

    Could paste the output of the windbg command here and maybe your problem is related to multiple culprit.

    lm tn
    LVL 1

    Expert Comment


    It sounds like maybe you have a bad file in Licensing or the Terminal Services.
    I would lean toward licensing though.
    You may want to try and remove Terminal Server Licensing and Terminal Services and perform a re-installation.
    This should replace any files that could cause this problem.

    Do you get a STOP error code before it reboots?  
    Do you get anything in your Event Viewer (application or system log) ?
    LVL 20

    Expert Comment

    BugCheck 7F, {8, 0, 0, 0}
    Bugcheck code 7F with BP1 value 8 (ie double fault.). This is definitely hardware error at CPU or motherboard. The windbg dubug report shows that DEFAULT_BUCKET_ID:  INTEL_CPU_MICROCODE_ZERO. Hence it is hardware problem at CPU.

    This case is similar to the following O/S case which is suspected to be CPU problem
    LVL 20

    Expert Comment

    If you want to pursue the root cause, attach 4 to 5 minidumps at any webspace.

    Author Comment

    Ok, I was able to resolve this.  This is a really tricky problem.  Although this gave a hardware error code, it was actually Software.  The Fix is below

    MS04-032      Security Update for Microsoft Windows
    (KB 822789) :

    Error Message: You receive a "Stop 0x0000007F" error message or your computer unexpectedly restarts

    Scenario: You installed a MS04-032 on a Windows 2000 Server running Terminal Services and a Symantec antivirus program, or another application that installs a kernel driver, under Windows NT/2000/XP/2003 32-bit. When trying to connect to this server through the Remote Desktop Connection or another Terminal Service client, i.e. the Citrix client, the server unexpectedly restarts or encounters a blue screen with a STOP message similar to:

    STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)


    This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.

    Older Intel drivers
    If you are using Symantec AntiVirus 9.x, this may be caused by an older version of the Intel® Application Accelerator driver, Intelata.sys. To update the driver, please contact the Patch Management Team.

    WARNING: Do not install an Application Accelerator driver unless the Intelata.sys driver already exists on your computer. Also, make sure that you install the correct version for your chipset. For help with verifying the correct version please contact the Patch Management Team.

    Windows 2000 kernel space
    The limit is 12 KB for kernel drivers.

    Windows 2000 running NTFS
    Windows 2000 running NTFS examines the available kernel stack before processing an I/O request. If NTFS determines that there is insufficient stack space, then an exception error results. If there is not enough stack space for processing the exception, then a stack overflow occurs and the system double-faults, resulting in a blue screen with a STOP message.

    Symantec or Norton real-time protection
    When Symantec AntiVirus or Norton AntiVirus file system real-time protection examines a file for viruses, it requests file access from the corresponding file system. These requests for file IO can add to kernel stack consumption.

    To prevent file system real-time protection from using additional kernel stack in a low stack situation, an internal configuration value named KStackMinFree was added and is configurable through the Windows registry. This value is supported in Norton AntiVirus Corporate Edition 7.61 build 21 (released in October, 2001) and all later builds.

    The KStackMinFree registry value
    The KStackMinFree registry value specifies a minimum amount of kernel stack that must be free for file system real-time protection to request file IO from the file system. If the KStackMinFree value is present in the registry, then file system real-time protection calculates the amount of available stack space before doing any file IO. If the available kernel stack is less than the value in the registry, then file system real-time protection will not do any IO and will not scan the file.

    Note: File system real-time protection only skips files that are accessed by trusted kernel components (Ring 0). If files are accessed by user mode components (non-Ring 0), then file system real-time protection examines the files for viruses.

    Adding the KStackMinFree value is a two-step process

    Modify the registry by adding the KStackMinFree value.
    Stop and then restart the antivirus service for changes to take effect.
    To modify the registry by adding the KStackMinFree value in Norton AntiVirus 7.6 or Symantec AntiVirus 8.x

    Run Regedit.exe to open the Windows registry.
    Browse to the registry key for your software version:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Norton AntiVirus NT\Auto-Protect\InternalSettings
    Under InternalSettings create a new DWORD value named KStackMinFree .
    Right-click the KStackMinFree value, and then click Modify.
    Set the Base to Hexadecimal, and type 2200 in the Value field.
    Windows 2000/XP users can automatically create the KStackMinFree value at 2200 by downloading and importing the SAVCE8_KStackMinFree.reg file.

    Symantec recommends a range between 8.0 KB and 8.5 KB (Hex 2000-2200), though each environment is different and it may take some experimenting to find the right value. Other possible values are defined in the following chart.

    Required minimum available kernel memory
     HEX Value
    5.0 KB
    5.5 KB
    6.0 KB
    6.5 KB
    7.0 KB
    7.5 KB
    8.0 KB
    8.5 KB (recommended)
    9.0 KB


    If the value is set too low, then a stack overflow can occur and the system will stop responding.
    If the value is set too high, then file scans will be skipped unnecessarily.
    If the registry value is not present, set to 0, or greater than 0x2400, then file system real-time protection behaves normally.

    To restart the antivirus service

    To open the Services window, do one of the following:
    In Windows NT 4 Control Panel, double-click Services .
    In Windows 2000/XP Control Panel, double-click Administrative Tools , and then double-click Services .
    Locate the antivirus service.
    The service name varies depending on the Symantec product that is installed, but will be one of the following:
    Norton AntiVirus Client
    Norton AntiVirus Server
    Symantec AntiVirus Client
    Symantec AntiVirus Server
    Stop and then restart the appropriate antivirus service.

    Changes to the KStackMinFree value take effect after the service is restarted.

    Thanks for all your help!!!
    LVL 30

    Expert Comment

    by:Wayne Barron
    No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
    I will leave the following recommendation for this question in the Cleanup topic area:
    [Accept: carlkidwell] (Accept: Comment made on http:Q_21406264.html#13969547 as Answer)

    Any objections should be posted here in the next 4 days. After that time, the question will be closed.

    EE Cleanup Volunteer
    LVL 1

    Expert Comment

    Agreed for Accepting carlkidwell.  Please Accept this answer
    LVL 1

    Accepted Solution

    PAQed with points refunded (500)

    EE Admin

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Join & Write a Comment

    NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
    ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    732 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now