Performance Monitor Counters Cause Stop or Error Messages

When you use Performance Monitor to monitor a computer (either locally or from a remote computer), the following blue screen STOP message may be produced on the computer being monitored:

-or-

You get the following message every time you click the + (plus) button while monitoring locally in Performance Monitor:

NOTE: Actual memory locations will vary.

When you use Performance Monitor to monitor a computer remotely, the initiating computer attaches to the target computer's Winlogon process through RPC. The Winlogon process has a perflib component in it for collecting data. The shared data is passed from the performance counters' .DLL to Winlogon on the target computer. The performance counters' DLLs sometimes overwrite their buffers. In the case of remote monitoring, this overwrite occurs in the context of the Winlogon process on the target computer, which causes it to have an access violation, compromises the Winlogon subsystem (which may create a breach of security), and forces Windows NT into kernel mode to start checking for bugs.

The performance counter DLLs make three functions available to other modules: Open, Collect, and Close. It is usually the Collect function that causes the problem.

Have the malfunctioning extensible Performance Counter fixed so that it does not overwrite its buffers.

-or-

Disable the malfunctioning performance counter's .dll by renaming or removing its entry from the Windows NT registry.

To locate all extensible performance counters, use Exctrlst.exe, which is part of the Windows NT 4.0 Resource Kit. You can run Exctrlst.exe locally or remotely to bring up a list of all of the extensible counters found in the computer's registry.

The counter's registry entries are located at the following key:

Hkey_Local_Machine\System\CurrentControlSet\Services\ Service_Name\Performance\Library.

NOTE: The above registry key is one path; it has been wrapped for readability.

To disable an extensible counter .dll:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the Changing Keys and Values online Help topic in Registry Editor (Regedit.exe). Note that you should make a backup copy of the registry files (System.dat and User.dat) before you edit the registry.

1. Start Registry Editor using RegEdt32.exe.
2. At each performance entry listed by Exctrlst.exe, select the Library value and modify the library name by prefixing it with two x's. For example, if the library name is OrigLib.dll, change it to xxOrigLib.dll
3. When you have changed each performance entry under the CurrentControlSet\Services key, restart Perfmon to see if it works.
4. If Perfmon works, repeat steps 1 and 2, restoring the original library name, changing a new one, and trying Perfmon after each change to see which library causes the problem.
   
   - or -

1. If Exctrlst.exe is unavailable, start the Registry Editor using RegEdt32.exe.
2. Under the HKEY_LOCAL_MACHINE subtree, go to the following subkey:
   System\CurrentControlSet\Servic
3. Click Find Key on the View menu.
4. Type "performance" as the search string, then search down from there.
5. To disable an extensible counter DLL when you find a performance entry, select the Library value and modify the library name by prefixing it with two x's: for example, if the library name is OrigLib.dll, change it to xxOrigLib.dll.
6. When you have changed each performance entry under the CurrentControlSet\Services key, restart Perfmon to see whether it works. If it does, then repeat steps 4 and 5, restoring each original library name and trying Perfmon after each change to see which library causes the problem.

For more information see "Creating the Performance DLL" in the Win32 SDK

For more information on performance counters, see the following article in the Microsoft Knowledge Base:

ARTICLE-ID: 152513  (http://support.microsoft.com/kb/152513/EN-US/ )
TITLE : Troubleshooting Performance Monitor Counter Problems.

- or -

If you prefer, you can also solve this problem by configuring Windows NT to write a guard page on either side of the shared memory buffer with various levels of checking. This setting was enabled by default in early Windows NT service packs. The guard pages caused too many page faults for large counters, however, which degraded system performance significantly. In Service Pack 3, the guard pages and checking were turned off by default.

To enable the guard page setting, use the following steps:

WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the Changing Keys and Values online Help topic in Registry Editor (Regedit.exe). Note that you should make a backup copy of the registry files (System.dat and User.dat) before you edit the registry.

1. Start Registry Editor (Regedt32.exe) and go to the following sub-key:
   HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\ \CurrentVersion\Perflib
   
   NOTE: The above registry key is one path; it has been wrapped for readability.
   Value: ExtCounterTestLevel Type: REG_DWORD Data:
2. Select the desired ExtCounterTestLevel value. You can choose a value ranging from 1 to 4:
   
   
   1. Most extensive testing, can be expensive.
   2. Basic testing.
   3. No testing.
   4. Don't even allocate a guard page (default from SP3 onwards).
3. Once this is entered, restart the system.