Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3729
  • Last Modified:

Windows 2003 Server and Event ID 2019

Server just started locking up around every 2 days starting May 3. It was freshly rebuilt last March of this year. I am now monitoring and watching the server and can see the memory usage climbing. I am aware that this error is caused by a memory leak and can be related to a Print Spooler/driver issue, Norton and McAfee and Arcserve. Nothing has changed on this server since the rebuild.

Componants and Configurations
- Stand-alone server running Windows 2003 Server w/ SP1
- Dell server with Pentium 4, 2.8 GHZ
- Server has 2 GB RAM
- not running is a Active Directory enviroment
- SQL Server 2000, SP4
- The only application: a medical application called Stolas (uses SQL database)
- Panda Antivirus - Server, BusinesSecure edition, latest updates
- Arcserve 11.1 -performing nightly backups. Tape drive is internal to the server

ERROR:
Event ID 2019
Source: Srv
Error Description: The server was unable to allocate from the system nonpaged pool because the pool was empty.

I'm finding that I need to run performance monitor and/or start and stop services to see if the memory leak stops.

Does anyone have any experience with troubleshooting this issue? If I need to run Performance monitor, how should I set it up?
0
agieryic
Asked:
agieryic
  • 4
  • 3
  • 2
  • +1
2 Solutions
 
pjedmondCommented:
http://www.chicagotech.net/wineventid.htm#Event%20ID%202019,%202020,%202021%202022%20Windows%20cannot%20logon%20you%20because%20the%20profile%20cannot%20be%20loaded%20Insufficient%20system%20resources%20exist%20to%20complete%20the%20requested%20service%20Not%20enough%20storage%20available%20to%20process%20this%20command

indicates that you have the right idea.

Microsoft seems to be blaming symantec for this type of problem on Win2000, and I'd guess that it also applies to W2K3:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q272568

I notice that you state that you are using Panda, but many of the anti-virus solutions out there use exactly the same anti-virus engine, licenced from a very small group of suppliers, so it may have somethign to do with that. This is particularly the case, because AV software links very closely with the inards of the operating systems.

http://www.jsifaq.com/SUBR/tip8600/rh8671.htm

Funnily enough associated with McAfee AV, this time on Win 2K3 server.

http://www.eventid.net/display.asp?eventid=2019&eventno=661&source=Srv&phase=1

anlso gives a number of interesting links. With respect to trouble shooting this type of problem it recommends:

Poolmon.exe (from Microsoft) (It's part of the support tools for 2K3) available here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

and it gives you a command line capability to view what is happening with the pool memory. If you run the command every 2 or 3 hours or so, and store the output in a file, you can then analyse at your leisure.

HTH:)
0
 
pjedmondCommented:
Nice little article to give you a flavour for the problem:)
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
agieryicAuthor Commented:
I'll look into this and get back to you. thanks
0
 
agieryicAuthor Commented:
I am already aware of the articles you mentioned and were helpful with the theory of this issue.
Here's what I've done so far:
- I stopped all Computer Associates Arcserve 11.1 services (I believe 8 in all). The following morning, the server was again inaccessable. After rebooting the server, I checked the eventvwr logs and it was popilated with Event ID: 2019 errors which started around 1:30 am.
NOTE: none of the Event ID: 2019 errors started at or around the same time, no pattern.
- After the server restarted, I again stopped all the Arcserve services and in addition, I stopped all the Panda Antivirus services (around 6 total). This was two days ago and the server has been up since. I will continue to leave these services off for an other day just to be sure. I'll also watch the memory growth.

When I called Panda, they were not aware of the Event ID: 2019 error. As a matter of fact, I have this Server based Antivirus program installed on a dozen other networks with no memory leaks.

At last check this morning, the server is using 1095MB of memory with SQL2000 taking up around 770MB (which is probably very normal. I would estimate with a healthy server that after at least 2 days of server uptime, the server memory peak should have stabalized. the "WindowsITPro" site "pjedmone" mentioned had good inforamtion that I will try

Does anyone have any additional thoughts?
0
 
agieryicAuthor Commented:
Two days later the server locked up again. When I restarted the server. the Event Viewer was full of Event ID: 2017. Having Panda Antivirus and Arcserve services shut off were not the culprit. All services are running again.

Last night, memory usage was around 1100 MB's. I restarted the server to avoid the possibility of the server being locked up again when the staff trys to access the server 7am. After I rebooted the server, remote controlled back into the server, opened task manager and added "handles" to the columns. The memory usages always starts around 375 MB's and slowly climbs upward. The "system" process had the highest handle count of 2,072. I left the remote session open

This morning at 7:45 am, the server is still up and I still have my remote session going. Memory usage is up to 935 MB's, the "system" process is up to 2,418 handles - but interestingly, the "WinIPConfig.exe" process is up to 2,497 handles. Last night, it was only 302 handles.
I always thought WinIPConfig.exe was a Windows 98 process.

The server will eventually lock up again unless I proactively reboot it to refresh memory later today. My thought is that SQL2000 may have something to do with the issue.

anyone have any thoughts?
0
 
oBdACommented:
You should look further into this "winipconfig.exe" business. This has nothing lost on a Server 2003, and even if copied from a Win9x machine, it should not be running unless someone started it manually.
Which account has started this process? Could be that despite the antivurs software (none of it is perfect), you caught some malware.

0
 
ansh_guptaCommented:
Poolmon will be the best solution for this. Run poolmon and check nonpaged and paged pool usage. In that you will be able to find the faulty driver. This is one of the simplest issues to be resolved by poolmon.

0
 
ansh_guptaCommented:
0
 
agieryicAuthor Commented:
The issue was caused by hacking software. the winipconfig.exe file along with 4 other files were not Microsoft files. I eneded up placing a call into Microsoft to run their tools which helped determine all the bogus files that caued the high memory, high handles and locking the server everyday.  I would like to give the points to the person who led me to the article about the task manager's "high handles". I'll need to read thru all these urls and determine who provided it
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 4
  • 3
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now