A common configuration for this situation is a Windows Server with Terminal Services in Remote Administration Mode with a combination of, but not exclusive to, any of the following applications: Symantec Endpoint Protection, St. Bernard Open File Manager, Quota Manager, Legato RepliStor, or other "filter drivers" that register with the Kernel Stack.
This problem occurs because there is a limited amount of kernel space available for kernel drivers. If the operating system runs out of kernel space, then the computer displays a blue screen error message.
Windows Server 2003 kernel stack size The limit is 12 KB for kernel drivers.
Windows Server 2003 running NTFS Windows 2003 running NTFS examines the available kernel stack before processing an I/O request. If NTFS determines that there is insufficient stack space, then an exception error results. If there is not enough stack space for processing the exception, then a stack overflow occurs and the system double-faults, resulting in a blue screen with a STOP message.
Symantec Endpoint Protection Auto-Protect When Symantec Endpoint Protection Auto-Protect examines a file for viruses, it requests file access from the corresponding file system. These requests for file IO can add to kernel stack consumption. To prevent Auto-Protect from using additional kernel stack in a low stack situation, an internal configuration value named KStackMinFree was added and is configurable through the Windows registry.
The KStackMinFree registry value The KStackMinFree registry value specifies a minimum amount of kernel stack that must be free for File System Realtime Protection or Auto-Protect to request file IO from the file system. If the KStackMinFree value is present in the registry, then File System Realtime Protection or Auto-Protect calculates the amount of available stack space before doing any file IO. If the available kernel stack is less than the value in the registry, then File System Realtime Protection or Auto-Protect will not do any IO and will not scan the file.
Note: Auto-Protect only skips files that are accessed by trusted kernel components (Ring 0). If files are accessed by user mode components (non-Ring 0), then File System Realtime Protection or Auto-Protect examines the files for viruses.
Adding the KStackMinFree value is a two-step process
Modify the registry by adding the KStackMinFree value.
Stop and then restart the Symantec Endpoint Protection service for changes to take effect. If the problem persists, restart the computer. After you restart the computer, confirm that the changes that you made to the KStackMinFree value are still present.
Right-click the RealTimeScan key, and then click New > DWORD Value.
Type KStackMinFree for the name of the new value.
Right-click the KStackMinFree value, and then click Modify.
Set the Base to Hexadecimal, and then type 2200 in the Value field.
Restart the computer
Changes to the KStackMinFree value take should effect after the service is restarted.
Recommended size for the KStackMinFree value
Symantec recommends a range between 8.0 KB and 8.5 KB (Hex 2000-2200), though each environment is different and it may take some experimenting to find the right value. Other possible values are defined in the following chart.
Required minimum available kernel memory
8.5 KB (recommended)
If the value is set too low, then a stack overflow can occur and the system will stop responding.
If the value is set too high, then file scans will be skipped unnecessarily.
If the registry value is set to 0, or greater than 0x2400, then File System Realtime Protection or Auto-Protect behaves normally.
The limit is 0x2400
This scenario provides slightly less protection because Auto-Protect loads later during the startup process. Use your best judgement to determine if this setting is appropriate for your environment
While this problem is most prominent in 32-bit environments, 64-bit Operating Systems are not immune. The Kernel Stack Size on 64-bit Operating Systems is 24KB and drivers other than the SEP drivers can still cause a 64-bit thread stack to overflow. Contact the 3rd party vendor for a solution in cases such as these.
For more information, read the following Microsoft Knowledge Base articles: