When software that uses Transport Driver Interface (TDI) drivers, such as some antivirus software, is installed on a Windows Server 2008 system or on a Windows Vista Service Pack 1 (SP1) system, the handle count of the system process keeps increasing. This problem occurs if the Windows Server 2008 system or the Windows Vista Service Pack 1 (SP1) system is running on a computer that has multiple processors. If this issue occurs for some time, the computer begins to run out of system resources. Therefore, any new Ancillary Function Driver for WinSock (AFD) connection to this computer fails.
Additionally, the following problems may occur if the computer is a domain controller:
User authentication fails.
Sysvol replication fails.
Events 404 and 408 appear in the DNS server log.
One of the following Netlogon events occurs:
Netlogon event 5775
Netlogon event 5792
Netlogon event 5719
For example, the following is a sample event when Netlogon event 5775 occurs:
This problem occurs because of a race condition in which the Tdx.sys driver does not send a disconnect input/output request packet (IRP) indication to the afd.sys driver. When this occurs, the reference count on the AFD socket is not decremented. Eventually, the AFD connection is orphaned. The process that owns the orphaned AFD connection is also orphaned.
After the issue occurs for some time, all available ports are consumed. Therefore, many orphaned processes appear. When resources become exhausted, the problem that the "Symptoms" section describes occurs.
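To check whether a system shows this pattern, the following PowerShell script samples the System process handle count over time and counts the Netlogon and DNS events named in the symptoms. It is an added example, not part of the original article or any Microsoft tooling; the sample count, interval, 80% ratio and growth threshold are assumed values to tune per environment.

```powershell
# Added example (not from the original article). Thresholds are assumed values.
param(
    [int]$Samples = 12,           # number of readings to take
    [int]$IntervalSeconds = 300,  # gap between readings
    [int]$MinGrowth = 1000        # net handle rise treated as suspicious
)

function Test-HandleGrowth {
    # True when at least 80% of intervals did not fall and the net rise
    # reaches $MinGrowth: sustained growth rather than normal churn.
    param([int[]]$Counts, [int]$MinGrowth)
    if ($Counts.Count -lt 2) { return $false }
    $rising = 0
    for ($i = 1; $i -lt $Counts.Count; $i++) {
        if ($Counts[$i] -ge $Counts[$i - 1]) { $rising++ }
    }
    $ratio = $rising / ($Counts.Count - 1)
    return (($ratio -ge 0.8) -and (($Counts[-1] - $Counts[0]) -ge $MinGrowth))
}

# The System process is PID 4.
$counts = @()
for ($n = 0; $n -lt $Samples; $n++) {
    $counts += (Get-Process -Id 4).HandleCount
    if ($n -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

# Events listed in the symptoms, over the last day.
$since = (Get-Date).AddDays(-1)
$netlogon = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'
    Id = 5775, 5792, 5719; StartTime = $since })
$dns = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'DNS Server'; Id = 404, 408; StartTime = $since })

New-Object PSObject -Property @{
    FirstCount     = $counts[0]
    LastCount      = $counts[-1]
    SustainedRise  = (Test-HandleGrowth -Counts $counts -MinGrowth $MinGrowth)
    MultiProcessor = ([Environment]::ProcessorCount -gt 1)
    NetlogonEvents = $netlogon.Count
    DnsEvents      = $dns.Count
}
```

A sustained rise on a multiprocessor computer that has a TDI-based driver installed matches the conditions described in this article; the event counts only corroborate it on a domain controller.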
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.
To apply this hotfix, you must have Windows Vista Service Pack 1 or Windows Server 2008 installed on the computer.
You have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other previously released hotfixes.
To use this hotfix, you do not have to make any changes to the registry.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Windows Vista and Windows Server 2008 file information note
The .manifest files and the .mum files that are installed in each environment are listed separately in the "Additional file information for Windows Server 2008 and for Windows Vista" section. These files and their associated .cat (security catalog) files are critical to maintaining the state of the updated component. The .cat files are signed with a Microsoft digital signature. The attributes of these security files are not listed.
For all supported x86-based versions of Windows Vista and Windows Server 2008
For all supported x64-based versions of Windows Vista and Windows Server 2008
For all supported Itanium-based versions of Windows Server 2008
To work around this problem, use one of the following methods:
Run the computer in Single Processor mode. To do this, follow these steps:
Open the Msconfig.exe utility.
On the Boot tab, click Advanced Options.
Click to select the Number of Processors check box, and then select 1 in the next box.
Click OK, and then click OK again.
Restart the computer.
Uninstall the TDI-based driver according to the instructions from the driver manufacturer.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This problem most commonly occurs on domain controllers that are running the Microsoft System Center Operations Manager agent. The agent makes repeated local queries to LSASS on port 389. The queries cause the number of orphaned connections to increase rapidly. Because of this, the domain controller fails after a few days.
Additional file information for Windows Vista and Windows Server 2008
Additional files for all supported x86-based versions of Windows Vista and Windows Server 2008