NCSA Log Format May Cause Access Violation in IIS 4.0

Article translations Article translations
Article ID: 191415
This article was previously published under Q191415
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
For more information about IIS 7.0, visit the following Microsoft Web site:
Expand all | Collapse all


An access violation occurs in Internet Information Server (IIS) 4.0 (Inetinfo.exe), which generates a Dr. Watson log similar to the following:

State Dump for Thread Id 0x13b
eax=49433ee1 ebx=0325f39c ecx=0000018f edx=6c724f3d esi=01acf35d
eip=68414f8d esp=0325f1d4 ebp=0325f310 iopl=0         nv up ei pl nz ac po
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000

function: STR::AppendCRLF
        68414f6b 8d85d0feffff     lea     eax,[ebp+0xfffffed0]
        68414f71 6810164168       push    0x68411610
        68414f76 50               push    eax
        68414f77 ff1554114168     call    dword ptr [68411154]
        68414f7d 8b5510           mov     edx,[ebp+0x10]
        68414f80 8bc8             mov     ecx,eax
        68414f82 8b45fc           mov     eax,[ebp-0x4]
        68414f85 83c414           add     esp,0x14
        68414f88 03c1             add     eax,ecx
        68414f8a 894d14           mov     [ebp+0x14],ecx
FAULT ->68414f8d 3b02             cmp     eax,[edx]
        68414f8f 771a             ja      STR::AppendCRLF+0x2b0b
        68414f91 8bfb             mov     edi,ebx
        68414f93 8bd9             mov     ebx,ecx
        68414f95 8db5d0feffff     lea     esi,[ebp+0xfffffed0]
        68414f9b c1e902           shr     ecx,0x2
        68414f9e f3a5            rep  movsd ds:01acf35d=4e504f54
        68414fa0 8bcb             mov     ecx,ebx
        68414fa2 83e103           and     ecx,0x3
        68414fa5 f3a4             rep     movsb         ds:01acf35d=54
        68414fa7 3b02             cmp     eax,[edx]
        68414fa9 760e             jbe     STR::AppendCRLF+0x2b19

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0325f310 263d3046 59544943 31463525 6c724f3d 0000018f
iislog!STR::AppendCRLF (FPO: Non-FPO

This happens when the NCSA log format is used by selecting "Enable Logging" on the Web Site property page, and the Active Log Format is set to "NCSA Common Log File Format".


This problem is caused by a problem in Iislog.dll, which tries to access an invalid memory address that results in the above access violation.

This problem can be seen when an invalid client request is sent to the IIS server. The IIS server responds with an error 400 (invalid parameter error) to such requests.


To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack


To work around this problem, do the following:
  1. Disable logging for the Web site that has the problem.
  2. Use W3C Extended Log Format for IIS logging.


Microsoft has confirmed this to be a problem in Internet Information Server version 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.


Article ID: 191415 - Last Review: October 26, 2013 - Revision: 6.0
kbnosurvey kbarchive kbhotfixserver kbbug kbfix kbqfe KB191415

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from