Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
AFDB tag in Poolmon using up non paged memory 1
- Thread starter shorty545
- Start date
afd.sys uses that tag.
Most of the time I've seen non-paged pool leaks in the spooler, it has been caused by version 2 print drivers.
Remove any version 2 drivers and any 3rd part port monitors for good measure, then restart the spooler service.
Version two drivers are found here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-2
If you do not have this key, then you don't have any Version2 drivers. If you do have this key, and drivers listed in the subkey, then uninstall the driver, backup and delete the key, and restart the spooler.....
3rd party port monitors are listed here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
The standard Port monitors should be:
BJ language Monitor
Local Port
PJL Language Monitor
Standard TCP/IP Port
USB Monitor
and sometimes Microsof Document Imaging Writer Monitor....
Backup the entire Monitors key and delete any subkeys that are not listed above, then restart the spooler...
If anything breaks outright, just restore the keys and restart the spooler...
Since Non-paged pool is in kernel mode and the spooler is allocating all non-paged pool, then I suspect it is a Version 2 driver. Version 2 drivers operate in Kernel mode, whereas Version 3 driver operate ONLY in User mode......
Most of the time I've seen non-paged pool leaks in the spooler, it has been caused by version 2 print drivers.
Remove any version 2 drivers and any 3rd part port monitors for good measure, then restart the spooler service.
Version two drivers are found here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-2
If you do not have this key, then you don't have any Version2 drivers. If you do have this key, and drivers listed in the subkey, then uninstall the driver, backup and delete the key, and restart the spooler.....
3rd party port monitors are listed here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
The standard Port monitors should be:
BJ language Monitor
Local Port
PJL Language Monitor
Standard TCP/IP Port
USB Monitor
and sometimes Microsof Document Imaging Writer Monitor....
Backup the entire Monitors key and delete any subkeys that are not listed above, then restart the spooler...
If anything breaks outright, just restore the keys and restart the spooler...
Since Non-paged pool is in kernel mode and the spooler is allocating all non-paged pool, then I suspect it is a Version 2 driver. Version 2 drivers operate in Kernel mode, whereas Version 3 driver operate ONLY in User mode......
-
1
- Thread starter
- #3
SgtBeavis,
Under Version 2 print drivers I have the following:
HP LaserJet 5/5m - Standard
Under Version 3 print drivers I have the following:
Canon i550
HP LaserJet 4100 PCL6
HP LaserJet 4200 PCL5e
HP LaserJet 4250 PCL6
HP LaserJet 5100 PCL6
Lexmark E320
Xerox Phaser 8500N PS
Print Monitors are:
BJ Language Monitor
Canon BJ Language Monitor i550
Epson BiD Monitor1
HP LaserJet 5 language Monitor
HP Master Monitor
HP Standard TCP/IP Port
hpzlnt04
Local Port
LPR Port
NetGear Print Server
PJL Language Monitor
Standard TCP/IP Port
USB Monitor
All of the printers are located under HP Standard TCP/IP Port except one the xerox Phaser which is under Standard TCP/IP Port.
I have backed up the folder. Is it safe to assume I can delete the other non-standard monitors?
Are version 3 print drivers OK?
Thanks
Under Version 2 print drivers I have the following:
HP LaserJet 5/5m - Standard
Under Version 3 print drivers I have the following:
Canon i550
HP LaserJet 4100 PCL6
HP LaserJet 4200 PCL5e
HP LaserJet 4250 PCL6
HP LaserJet 5100 PCL6
Lexmark E320
Xerox Phaser 8500N PS
Print Monitors are:
BJ Language Monitor
Canon BJ Language Monitor i550
Epson BiD Monitor1
HP LaserJet 5 language Monitor
HP Master Monitor
HP Standard TCP/IP Port
hpzlnt04
Local Port
LPR Port
NetGear Print Server
PJL Language Monitor
Standard TCP/IP Port
USB Monitor
All of the printers are located under HP Standard TCP/IP Port except one the xerox Phaser which is under Standard TCP/IP Port.
I have backed up the folder. Is it safe to assume I can delete the other non-standard monitors?
Are version 3 print drivers OK?
Thanks
- Thread starter
- #5
- Thread starter
- #6
- Thread starter
- #7
When I restart the print spooler, I notice the afdb tag reduce in byte size in poolmon. I then monitor both the performance log and poolmon. They both tend to increase on a steady basis. They are not the same value, but they both continue to climb.
Could they be relate?
Could they be relate?
I'm not so sure...
afd.sys is a networking driver and shouldn't be loaded by the spooler...
Exactly what counter in perfmon is rising for the spooler?
You may need to get a userdump and perfmon log to track down the offending thread for the spooler. My FTP site is down right now but when I get it back up, I'll be happy to analize the user dump for you, unless you already know how to use the Windows debugger...
afd.sys is a networking driver and shouldn't be loaded by the spooler...
Exactly what counter in perfmon is rising for the spooler?
You may need to get a userdump and perfmon log to track down the offending thread for the spooler. My FTP site is down right now but when I get it back up, I'll be happy to analize the user dump for you, unless you already know how to use the Windows debugger...
- Thread starter
- #9
I'm not sure what afd.sys is or whether it is even related but I can see that it is rising in poolmon, non-paged bytes.
The counter in perfmon is under Process, Pool Nonpaged Bytes. The actual counter that is rising is spoolsv.
I'm not sure how to use the Windows debugger. I would greatly appreciate all the help you can provide. How do I go about getting a userdump and perfmon log?
~Jeremy
The counter in perfmon is under Process, Pool Nonpaged Bytes. The actual counter that is rising is spoolsv.
I'm not sure how to use the Windows debugger. I would greatly appreciate all the help you can provide. How do I go about getting a userdump and perfmon log?
~Jeremy
- Thread starter
- #11
- Thread starter
- #12
You can get info about Userdump and a link to download it from here:
Makes sense to me
"All of the printers are located under HP Standard TCP/IP Port except one the xerox Phaser which is under Standard TCP/IP Port."
afd.sys used to leak if a Winsock program did not correctly post a Receive to collect the incoming data from Winsock. Afd.sys would endlessly buffer the data and use up all non-paged memory. That was fixed in SP3. What is the version of afd.sys on your system?
"All of the printers are located under HP Standard TCP/IP Port except one the xerox Phaser which is under Standard TCP/IP Port."
afd.sys used to leak if a Winsock program did not correctly post a Receive to collect the incoming data from Winsock. Afd.sys would endlessly buffer the data and use up all non-paged memory. That was fixed in SP3. What is the version of afd.sys on your system?
- Thread starter
- #15
- Thread starter
- #16
That's post SP4 update rollup 1, which also has a similar problem under stress. Try this hotfix which updates afd.sys to 5.0.2195.7061. From the cause section:
"Some WinSock applications that perform socket input and output asynchronously may not receive Read indications. This problem might occur on multiprocessor computers in a stressed environment. To determine whether this is the cause of the problem that is described in the "Symptoms" section, examine the Ancillary Function Driver for WinSock file (Afd.sys), version 5.0.2195.7036. Afd.sys is located in the C:\winnt\system32\drivers folder."
XMSRE
MOSMWNMTK
"Some WinSock applications that perform socket input and output asynchronously may not receive Read indications. This problem might occur on multiprocessor computers in a stressed environment. To determine whether this is the cause of the problem that is described in the "Symptoms" section, examine the Ancillary Function Driver for WinSock file (Afd.sys), version 5.0.2195.7036. Afd.sys is located in the C:\winnt\system32\drivers folder."
XMSRE
MOSMWNMTK
- Thread starter
- #18
There is no discernable methodology to the way MS references hotfixes. The issue applies to afd.sys, not exchange 5.5. It was first observered as a slowdown on Ex 5.5, so that's where it ended up I guess. MS could do a lot better job cross-referencing hotfixes, but apparently chooses not to.
actually they do a pretty good job cross referencing. Their bugcheck page (MS internal only) helps keep things straight, but when you are dealing with a massive load of updates, things get screwy and you'll see a file regression... However, during my time there, it was rare to see such regression....
Also, when a group, like the Exchange group, needs a change to something like AFD.SYS, they don't make the change. The Platform guys have to do that. If the Exchange guys note an issue with a platform file, they will open a ticket with platform (in this case, networking) CPR and present them with evidence of a problem. CPR (critical product resolution) will then review and decide whether a problem is severe enough to require fixing. If it needs fixing, then it will be escalated to Redmond where the Platform group will alter the code for a fix. The fix (known as a private) will then be tested (smoked) until they are sure it is ready for release.
It is a bit more convoluted than that, but you get the picture...
BTW, the system MS uses for the ticket tracking, sux. When I left, they were in the process of changing to a new tracking system.
Microsoft Certified Nut.
Also, when a group, like the Exchange group, needs a change to something like AFD.SYS, they don't make the change. The Platform guys have to do that. If the Exchange guys note an issue with a platform file, they will open a ticket with platform (in this case, networking) CPR and present them with evidence of a problem. CPR (critical product resolution) will then review and decide whether a problem is severe enough to require fixing. If it needs fixing, then it will be escalated to Redmond where the Platform group will alter the code for a fix. The fix (known as a private) will then be tested (smoked) until they are sure it is ready for release.
It is a bit more convoluted than that, but you get the picture...
BTW, the system MS uses for the ticket tracking, sux. When I left, they were in the process of changing to a new tracking system.
Microsoft Certified Nut.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question