KnowledgeBase Archive

An Archive of Early Microsoft KnowledgeBase Articles

View on GitHub

Q173060: Performance Monitor Counters Cause Stop or Error Messages

Article: Q173060
Product(s): Microsoft Windows NT
Version(s): WinNT:4.0
Operating System(s): 
Keyword(s): kbtool
Last Modified: 09-AUG-2001

-------------------------------------------------------------------------------
The information in this article applies to:

- Microsoft Windows NT Workstation version 4.0 
- Microsoft Windows NT Server version 4.0 
-------------------------------------------------------------------------------

IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, you should first make a backup copy of the
registry files (System.dat and User.dat). Both are hidden files in the
Windows folder.

SYMPTOMS
========

When you use Performance Monitor to monitor a computer (either locally or from a
remote computer), the following blue screen STOP message may be produced on the
computer being monitored:

  STOP:0xC000021A (0xe1638608, 0xc0000005, 0x00000000, 0x00000000).

-or-

You get the following message every time you click the + (plus) button while
monitoring locally in Performance Monitor:

  WinLogon.exe App. Error - The instruction at x77f648e2 referenced memory at
  x001cce35. The memory could not be read. Click OK to terminate the app.

NOTE: Actual memory locations will vary.

CAUSE
=====

When you use Performance Monitor to monitor a computer remotely, the initiating
computer attaches to the target computer's Winlogon process through RPC. The
Winlogon process has a perflib component in it for collecting data. The shared
data is passed from the performance counters' .DLL to Winlogon on the target
computer. The performance counters' DLLs sometimes overwrite their buffers. In
the case of remote monitoring, this overwrite occurs in the context of the
Winlogon process on the target computer, which causes it to have an access
violation, compromises the Winlogon subsystem (which may create a breach of
security), and forces Windows NT into kernel mode to start checking for bugs.

The performance counter DLLs make three functions available to other modules:
Open, Collect, and Close. It is usually the Collect function that causes the
problem.


RESOLUTION
==========

Have the malfunctioning extensible Performance Counter fixed so that it does not
overwrite its buffers.

-or-

Disable the malfunctioning performance counter's .dll by renaming or removing its
entry from the Windows NT registry.

To locate all extensible performance counters, use Exctrlst.exe, which is part of
the Windows NT 4.0 Resource Kit. You can run Exctrlst.exe locally or remotely to
bring up a list of all of the extensible counters found in the computer's
registry.

The counter's registry entries are located at the following key:

Hkey_Local_Machine\System\CurrentControlSet\Services\
Service_Name\Performance\Library.

NOTE: The above registry key is one path; it has been wrapped for readability.

To disable an extensible counter .dll:

WARNING: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall Windows. Microsoft cannot guarantee that problems
resulting from the incorrect use of Registry Editor can be solved. Use Registry
Editor at your own risk.

For information about how to edit the registry, view the Changing Keys and Values
online Help topic in Registry Editor (Regedit.exe). Note that you should make a
backup copy of the registry files (System.dat and User.dat) before you edit the
registry.

1. Start Registry Editor using RegEdt32.exe.

2. At each performance entry listed by Exctrlst.exe, select the Library value
  and modify the library name by prefixing it with two x's. For example, if the
  library name is OrigLib.dll, change it to xxOrigLib.dll

3. When you have changed each performance entry under the
  CurrentControlSet\Services key, restart Perfmon to see if it works.

4. If Perfmon works, repeat steps 1 and 2, restoring the original library name,
  changing a new one, and trying Perfmon after each change to see which library
  causes the problem.

  - or -

1. If Exctrlst.exe is unavailable, start the Registry Editor using RegEdt32.exe.

2. Under the HKEY_LOCAL_MACHINE subtree, go to the following subkey:

  System\CurrentControlSet\Services

3. Click Find Key on the View menu.

4. Type "performance" as the search string, then search down from there.

5. To disable an extensible counter DLL when you find a performance entry,
  select the Library value and modify the library name by prefixing it with two
  x's: for example, if the library name is OrigLib.dll, change it to
  xxOrigLib.dll.

6. When you have changed each performance entry under the
  CurrentControlSet\Services key, restart Perfmon to see whether it works. If
  it does, then repeat steps 4 and 5, restoring each original library name and
  trying Perfmon after each change to see which library causes the problem.

For more information see "Creating the Performance DLL" in the Win32 SDK

For more information on performance counters, see the following article in the
Microsoft Knowledge Base:

ARTICLE-ID: Q152513
TITLE : Troubleshooting Performance Monitor Counter Problems.

- or -

If you prefer, you can also solve this problem by configuring Windows NT to write
a guard page on either side of the shared memory buffer with various levels of
checking. This setting was enabled by default in early Windows NT service packs.
The guard pages caused too many page faults for large counters, however, which
degraded system performance significantly. In Service Pack 3, the guard pages
and checking were turned off by default.

To enable the guard page setting, use the following steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall Windows. Microsoft cannot guarantee that problems
resulting from the incorrect use of Registry Editor can be solved. Use Registry
Editor at your own risk.

For information about how to edit the registry, view the Changing Keys and Values
online Help topic in Registry Editor (Regedit.exe). Note that you should make a
backup copy of the registry files (System.dat and User.dat) before you edit the
registry.

1. Start Registry Editor (Regedt32.exe) and go to the following sub-key:

  HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\ 
  \CurrentVersion\Perflib

  NOTE: The above registry key is one path; it has been wrapped for
  readability.

  Value: ExtCounterTestLevel
  Type: REG_DWORD
  Data: 2

2. Select the desired ExtCounterTestLevel value. You can choose a value ranging
  from 1 to 4:

  1. Most extensive testing, can be expensive.

  2. Basic testing.

  3. No testing.

  4. Don't even allocate a guard page (default from SP3 onwards).

3. Once this is entered, restart the system.

Additional query words: 0xc21A perfmon c000021a 0xc000021a
======================================================================
Keywords          : kbtool 
Technology        : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400
Version           : WinNT:4.0
Issue type        : kbprb

=============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Copyright Microsoft Corporation 1986-2002.