You install Symantec Endpoint Protection. After the installation, the computer unexpectedly restarts or encounters a blue screen with a STOP message similar to the following:
STOP 0x0000007f (0x00000008, 0x00000000, 0x00000000, 0x00000000)
A common configuration for this situation is a Windows Server with Terminal Services in Remote Administration Mode with a combination of, but not exclusive to, any of the following applications: Symantec Endpoint Protection, St. Bernard Open File Manager, Quota Manager, Legato RepliStor, or other "filter drivers" that register with the Kernel Stack.
This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.
Windows Server 2003 kernel stack size
The limit is 12 KB for kernel drivers.
Windows Server 2003 running NTFS
Windows 2003 running NTFS examines the available kernel stack before processing an I/O request. If NTFS determines that there is insufficient stack space, then an exception error results. If there is not enough stack space for processing the exception, then a stack overflow occurs and the system double-faults, resulting in a blue screen with a STOP message.
Symantec Endpoint Protection Auto-Protect
When Symantec Endpoint Protection Auto-Protect examines a file for viruses, it requests file access from the corresponding file system. These requests for file IO can add to kernel stack consumption. To prevent Auto-Protect from using additional kernel stack in a low stack situation, an internal configuration value named KStackMinFree was added and is configurable through the Windows registry.
The KStackMinFree registry value
The KStackMinFree registry value specifies a minimum amount of kernel stack that must be free for File System Realtime Protection or Auto-Protect to request file IO from the file system. If the KStackMinFree value is present in the registry, then File System Realtime Protection or Auto-Protect calculates the amount of available stack space before doing any file IO. If the available kernel stack is less than the value in the registry, then File System Realtime Protection or Auto-Protect will not do any IO and will not scan the file.
Note: Auto-Protect only skips files that are accessed by trusted kernel components (Ring 0). If files are accessed by user mode components (non-Ring 0), then File System Realtime Protection or Auto-Protect examines the files for viruses.
Adding the KStackMinFree value is a two-step process
WARNING: We strongly recommend that you back up the registry before making any changes. Incorrect changes to the registry could result in permanent data loss or damaged files. Modify only the keys that are specified. See the documents How to back up the Windows registry and How to use the Windows Registry editor before proceeding.
To fix this problem, use the following steps.
Modify the registry by adding the KStackMinFree value in Symantec Endpoint Protection 12.1.2 or later
Changes to the KStackMinFree value take should effect after the service is restarted.
Recommended size for the KStackMinFree value
Symantec recommends a range between 8.0 KB and 8.5 KB (Hex 2000-2200), though each environment is different and it may take some experimenting to find the right value. Other possible values are defined in the following chart.
|Required minimum available kernel memory||Hex value|
|8.5 KB (recommended)||0x2200|
For more information, read the following Microsoft Knowledge Base articles:
822789, You Receive a "Stop 0x0000007F" Error Message or Your Computer Unexpectedly Restarts
137539, General Causes of STOP 0x0000007F Errors
276069, "STOP 0x0000007F" on Windows 2000 with InoculateIT Enterprise Edition Installed
303268, "STOP 0x0000007F" on Windows 2000 Using Veritas Netbackup with Open File Manager Software
317214, Terminal Server Unexpectedly Restarts or You Receive STOP Error 0x0000007F
300225, "Stop 0x0000007f" Error Message May Be Displayed When the WQuinn QuotaAdvisor 4.1 Program Is Installed
835281, You receive a "STOP 0x0000007F" error message and your Windows 2000-based computer restarts