Blue screen with "STOP 0x0000007f" and first parameter 0x00000008 error

book

Article ID: 178199

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You install Symantec Endpoint Protection. After the installation, the computer unexpectedly restarts or encounters a blue screen with a STOP message similar to the following:

STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
UNEXPECTED_KERNEL_MODE_TRAP

A common configuration for this situation is a Windows Server with Terminal Services in Remote Administration Mode with a combination of, but not exclusive to, any of the following applications: Symantec Endpoint Protection, St. Bernard Open File Manager, Quota Manager, Legato RepliStor, or other "filter drivers" that register with the Kernel Stack.
 

Resolution

This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.

Windows Server 2003 kernel stack size
The limit is 12 KB for kernel drivers.

Windows Server 2003 running NTFS
Windows 2003 running NTFS examines the available kernel stack before processing an I/O request. If NTFS determines that there is insufficient stack space, then an exception error results. If there is not enough stack space for processing the exception, then a stack overflow occurs and the system double-faults, resulting in a blue screen with a STOP message.

Symantec Endpoint Protection Auto-Protect
When Symantec Endpoint Protection Auto-Protect examines a file for viruses, it requests file access from the corresponding file system. These requests for file IO can add to kernel stack consumption. To prevent Auto-Protect from using additional kernel stack in a low stack situation, an internal configuration value named KStackMinFree was added and is configurable through the Windows registry.

The KStackMinFree registry value
The KStackMinFree registry value specifies a minimum amount of kernel stack that must be free for File System Realtime Protection or Auto-Protect to request file IO from the file system. If the KStackMinFree value is present in the registry, then File System Realtime Protection or Auto-Protect calculates the amount of available stack space before doing any file IO. If the available kernel stack is less than the value in the registry, then File System Realtime Protection or Auto-Protect will not do any IO and will not scan the file.

Note: Auto-Protect only skips files that are accessed by trusted kernel components (Ring 0). If files are accessed by user mode components (non-Ring 0), then File System Realtime Protection or Auto-Protect examines the files for viruses.

Adding the KStackMinFree value is a two-step process

  1. Modify the registry by adding the KStackMinFree value.
  2. Stop and then restart the Symantec Endpoint Protection service for changes to take effect.
    If the problem persists, restart the computer. After you restart the computer, confirm that the changes that you made to the KStackMinFree value are still present.


WARNING: We strongly recommend that you back up the registry before making any changes. Incorrect changes to the registry could result in permanent data loss or damaged files. Modify only the keys that are specified. See the documents How to back up the Windows registry and How to use the Windows Registry editor before proceeding.

To fix this problem, use the following steps.

Modify the registry by adding the KStackMinFree value in Symantec Endpoint Protection 12.1.2 or later

  1. In the Registry Editor, go to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Storages\Filesystem\RealTimeScan
     
  2. Right-click the RealTimeScan key, and then click New > DWORD Value.
  3. Type KStackMinFree for the name of the new value.
  4. Right-click the KStackMinFree value, and then click Modify.
  5. Set the Base to Hexadecimal, and then type 2200 in the Value field.
  6. Click OK.
  7. Restart the computer

Changes to the KStackMinFree value take should effect after the service is restarted.


Recommended size for the KStackMinFree value

Symantec recommends a range between 8.0 KB and 8.5 KB (Hex 2000-2200), though each environment is different and it may take some experimenting to find the right value. Other possible values are defined in the following chart.
 

Required minimum available kernel memory Hex value
5.0 KB 0x1400
5.5 KB 0x1600
6.0 KB 0x1800
6.5 KB 0x1a00
7.0 KB 0x1c00
7.5 KB 0x1e00
8.0 KB 0x2000
8.5 KB (recommended) 0x2200
9.0 KB 0x2400


Notes:

  • If the value is set too low, then a stack overflow can occur and the system will stop responding.
  • If the value is set too high, then file scans will be skipped unnecessarily.
  • If the registry value is set to 0, or greater than 0x2400, then File System Realtime Protection or Auto-Protect behaves normally.
  • The limit is 0x2400
  • This scenario provides slightly less protection because Auto-Protect loads later during the startup process. Use your best judgement to determine if this setting is appropriate for your environment
  • While this problem is most prominent in 32-bit environments, 64-bit Operating Systems are not immune. The Kernel Stack Size on 64-bit Operating Systems is 24KB and drivers other than the SEP drivers can still cause a 64-bit thread stack to overflow. Contact the 3rd party vendor for a solution in cases such as these.


References

For more information, read the following Microsoft Knowledge Base articles:

822789, You Receive a "Stop 0x0000007F" Error Message or Your Computer Unexpectedly Restarts
137539, General Causes of STOP 0x0000007F Errors
276069, "STOP 0x0000007F" on Windows 2000 with InoculateIT Enterprise Edition Installed
303268, "STOP 0x0000007F" on Windows 2000 Using Veritas Netbackup with Open File Manager Software
317214, Terminal Server Unexpectedly Restarts or You Receive STOP Error 0x0000007F
300225, "Stop 0x0000007f" Error Message May Be Displayed When the WQuinn QuotaAdvisor 4.1 Program Is Installed
835281, You receive a "STOP 0x0000007F" error message and your Windows 2000-based computer restarts