cluberti

The commit charge is the peak amount of RAM and pagefile space that has ever been in use since boot (obviously the current numbers reflect approximately the current commit). Having a high peak value just means you had a lot of virtual address space in the kernel and running apps that were committed to either RAM or pagefile. For it to be similar every boot is actually pretty normal, honestly.

You could try - I'm not sure what would happen, honestly, but I would build up a VM in Virtual PC or VMWare and try installing the hotfix package on a W2K VM with the folders removed to see what happens.

I'm pretty sure TAiN was suggesting connecting the USB modem to the computer via an ethernet cable rather than a USB cable as a test.

I always lock my machine, it's just habit.

Not really, just a regular boot. I guess it's good nothing is technically broken, but it's gotta be a little frustrating. As to it being a Windows problem, it is possible. However, I have 4 laptops, 2 IBM/Lenovo Thinkpads, a Dell, and a Compaq x64, and none of these have the issue. It is possible it's a Windows problem, yes, but it's more likely it's a hardware driver issue - if it really was a Windows problem, it should happen to everyone .

Does the machine have a setting for legacy USB? If so, you might want to make sure it's disabled. Also, is this a SATA or PATA IDE disk drive that you're installing to?

Actually yes, but I'm not getting involved in this. Good to see your installer finally worked. Closing thread.

Yeah, I'd put it back. I just wanted to make sure it wasn't interfering. At this point, it's hard to say what the problem is, other than it appears that we're in Ntfs waiting on I/O to a file (WINDOWS\SYSTEM32\MSDTC\KTMRMTMCONTAINER00000000000000000002) and an event has been signaled we're waiting on. Usually cases like these end up being more of a live debug, so I'm thinking that if you can reproduce the problem after running msconfig to disable everything non-Microsoft, that it'll be something at the actual driver level (underneath Windows) that will be very difficult to catch. At least I can say with a fair amount of certainty that it'll be down in an actual device driver (likely the disk controller).

The first IRP shows us trying to write to the file on the filesystem, but we also see a second IRP in the antivirus driver which is working on the file at the same time. Have we tried completely removing NOD32 to see if the behavior changes at all?

Well, first question - how much free space do you have on that C: drive?

Do they both use the same DNS servers, or are the DNS zones separated on multiple servers? I've seen this done before, but it would have been so much easier if they weren't doing routing as well (multiple NICs in a windows box is bad news mostly, especially multi-homed DCs).

I extracted the hotfix, and sure enough - they're there. They appear to contain files from the SP for those specific versions of Windows.

C:\Documents and Settings\All Users is now C:\Users\Public in Vista. Everything else is pretty much the same.

There's nothing above and beyond this to "troubleshoot" problems, just report them. If you have a driver or service slowing boot down, you need to figure out if it's a Microsoft driver or service or something non-Microsoft first. Once you've figured that out, consider using msconfig to disable that driver or service to see if the boot time improves - if so, there's not a whole heck of a lot that can be done other than running Process Monitor in boot logging mode to get a little more info (but I do stress "little"), and making sure you have the latest version of whatever it is slowing boot down installed and configured properly.

OK - two more commands: "!fileobj 86b2c028" and "!fileobj 88ec0b58" I need to figure out whether the write to disk is pending due to the NOD32 amon.sys driver, or if they're completely unrelated.

Great - same thing as previous, but now add "!irp 86db1de0", "!irp 86cff100", and "lmvm amon"

Take a look in Event Viewer under Applications and Services Logs > Microsoft > Windows > Diagnostics-Performance > Operational

It only shows up because you crashed it with the keyboard (hence, i8042prt). You can't use !analyze -v on a manual crash . Anyway, run the same commands, but this time, also run the commands ".thread 8893bd78", ".reload /user", and "!thread 8893bd78" in that order.

Does the problem / error message only occur on one client accessing the file server, or does it affect all clients hitting the file server? Also, if you look in the system event log on the client or the file server, do you see any 2011, 2012, 2019, 2020, 2021, or 2022 events?

It'd be really great if you could tell us exactly which bugcheck code you get, or even better, configure your box for a complete memory dump so we can all look the next time this happens.

Gotta agree with geek here - if you configure the BIOS to boot from floppy, you have a known good DOS or Win9x boot floppy, and THAT fails, it's not the fault of the OS...

Remember that Windows programs know nothing about RAM (even the kernel executive) - they all use their 2GB or 3GB of virtual address space, and the NT memory manager maps those pages of VA into RAM or into the paging file. If you have a lot of RAM, manually configuring a small pagefile will bias the memory manager towards keeping pages in RAM, and it won't be able to page out much. This is a double-edged sword though, in that if a crash occurs you'll have little or no data about it, and if you need to commit more pages from running programs than you have RAM and pagefile to handle, bad things will happen...

I've not ever seen those after slipping SP4 - only on multiboot MSDN DVDs. If that's not a multiboot from MSDN, that's NOT normal .

You are NOT safe by just visiting only sites you trust, so trusting that the purveyor of the sites you visit is not going to get hacked or inadvertently serve up malicious content unintended, or trusting that Firefox will protect you, is very naive. Ultimately, using Windows and IE makes you a bigger target, but there are millions of us that use these products daily without infections or malware or spyware ever getting on our machines. How can this be? Security is not something you buy, or a product you use, it is something you practice. Use whatever makes you happy, but blanket statements like use Firefox over IE in the hopes of gaining security is just foolish. Use Firefox if you like it's features, use IE if you like those more. Or, use something like Opera or another browser if you want to use that - but all browsers can be secured (even IE) to similar levels, and the user is then the portal through which problems do, or do not, arise.

Can you also post a screenie of the actual error dialog? And a better way to give service output would be to open a command prompt and type "sc query > c:\services.txt", then open services.txt and paste that in here (the services.msc only shows user-mode services, it won't show kernel-mode or boot services).