Increasing NonPagedPoolSize past the computed maximum?

I wish to increase the NonPagedPoolSize (typically set via HKLM\CurrentControlSet\Control\Session Manager\Memory Management\NonPagedPoolSize) past the size allowed by the maximum computed by Windows. It caps the size set by the registry value to a value computed internally based on the amount of RAM. For a 384 MB system, the computed maximum is about 130 MB.

My reason for doing this is to keep nearly 1,000 “embedded” (no KVM) Windows NT systems going for six more months. The customer has Symantec AntiVirus 9.0 installed on them, which uses a shocking amount of NonPaged pool. In January, the SAV defintions caused it to use 81 MB or NonPaged pool, but that has increased steadily over the last 10 months, and it is now at a shocking 123 MB. The systems only have 385 MB, so the computed maximum nonpaged pool size is 133 MB. My drivers need about 12 MB, and Windows needs 10 MB or so. So, we’re at the point that when the system boots, we’re able to come up, SAV gobbles 95% of the pool, and then at that point, we can no longer allocate (and free) even small 1 KB buffers, and we even lose the ability to log into Windows.

The obvious solution is to stop running SAV, but the customer isn’t comfortable with that (although it is on a closed network). Adding RAM to the systems is problematic because the 1,000 systems are spread throughout North America, so doing such a project would be extremely expensive in manpower and travel, plus it would take many months to complete.

Another obvious solution is to get SAV to use old defintions (which used less RAM), and that is the path the customer is working on, but they’re currently having trouble doing so on their SAV servers. But that will probably be the ultimate solution with my current thinking.

Later versions of SAV move to paged pool and use much less of it (about 30 MB paged pool), but those newer versions won’t run on Windows NT.

And yes, we’re aware of all of the reasons for not running Windows NT, but the customer is already upgrading the systems to Windows 2003, but that project won’t be completed for about six months, and this is an urgent issue right now. So, we don’t need to get into various ways to get off WinNT, the reasons for doing so, and so on.

Thanks for any advice!

Can you replace SAV with something cheaper, better, and a smaller footprint?
NOD32 is may work though I’m not sure about NT.

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Taed Wynnell
Sent: Friday, October 15, 2010 2:09 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Increasing NonPagedPoolSize past the computed maximum?

I wish to increase the NonPagedPoolSize (typically set via
HKLM\CurrentControlSet\Control\Session Manager\Memory
Management\NonPagedPoolSize) past the size allowed by the maximum computed
by Windows. It caps the size set by the registry value to a value computed
internally based on the amount of RAM. For a 384 MB system, the computed
maximum is about 130 MB.

My reason for doing this is to keep nearly 1,000 “embedded” (no KVM) Windows
NT systems going for six more months. The customer has Symantec AntiVirus
9.0 installed on them, which uses a shocking amount of NonPaged pool. In
January, the SAV defintions caused it to use 81 MB or NonPaged pool, but
that has increased steadily over the last 10 months, and it is now at a
shocking 123 MB. The systems only have 385 MB, so the computed maximum
nonpaged pool size is 133 MB. My drivers need about 12 MB, and Windows
needs 10 MB or so. So, we’re at the point that when the system boots, we’re
able to come up, SAV gobbles 95% of the pool, and then at that point, we can
no longer allocate (and free) even small 1 KB buffers, and we even lose the
ability to log into Windows.

The obvious solution is to stop running SAV, but the customer isn’t
comfortable with that (although it is on a closed network). Adding RAM to
the systems is problematic because the 1,000 systems are spread throughout
North America, so doing such a project would be extremely expensive in
manpower and travel, plus it would take many months to complete.

Another obvious solution is to get SAV to use old defintions (which used
less RAM), and that is the path the customer is working on, but they’re
currently having trouble doing so on their SAV servers. But that will
probably be the ultimate solution with my current thinking.

Later versions of SAV move to paged pool and use much less of it (about 30
MB paged pool), but those newer versions won’t run on Windows NT.

And yes, we’re aware of all of the reasons for not running Windows NT, but
the customer is already upgrading the systems to Windows 2003, but that
project won’t be completed for about six months, and this is an urgent issue
right now. So, we don’t need to get into various ways to get off WinNT, the
reasons for doing so, and so on.

Thanks for any advice!

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Well, given that all your options are bad, I’d certainly try the npp thing,
though I don’t imagine that your results will improve.

Failing that, if they can’t currently logon, who cares about the AV, and
going through the expense and trouble to use old definitions under these
circumstances just seems silly to me.

I know that you already know this, but they pretty clearly need to replace
their systems. Also, might rolling out 2k3 make the problem worse? I
mean, I would assume that it uses more memory than NT, just like every
version of Windows and just about everything else has/does. That is, I’m
confused as to what relief there will be in six months.

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gary G. Little
Sent: Friday, October 15, 2010 4:00 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Increasing NonPagedPoolSize past the computed maximum?

Can you replace SAV with something cheaper, better, and a smaller footprint?
NOD32 is may work though I’m not sure about NT.

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Taed Wynnell
Sent: Friday, October 15, 2010 2:09 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Increasing NonPagedPoolSize past the computed maximum?

I wish to increase the NonPagedPoolSize (typically set via
HKLM\CurrentControlSet\Control\Session Manager\Memory
Management\NonPagedPoolSize) past the size allowed by the maximum computed
by Windows. It caps the size set by the registry value to a value computed
internally based on the amount of RAM. For a 384 MB system, the computed
maximum is about 130 MB.

My reason for doing this is to keep nearly 1,000 “embedded” (no KVM) Windows
NT systems going for six more months. The customer has Symantec AntiVirus
9.0 installed on them, which uses a shocking amount of NonPaged pool. In
January, the SAV defintions caused it to use 81 MB or NonPaged pool, but
that has increased steadily over the last 10 months, and it is now at a
shocking 123 MB. The systems only have 385 MB, so the computed maximum
nonpaged pool size is 133 MB. My drivers need about 12 MB, and Windows
needs 10 MB or so. So, we’re at the point that when the system boots, we’re
able to come up, SAV gobbles 95% of the pool, and then at that point, we can
no longer allocate (and free) even small 1 KB buffers, and we even lose the
ability to log into Windows.

The obvious solution is to stop running SAV, but the customer isn’t
comfortable with that (although it is on a closed network). Adding RAM to
the systems is problematic because the 1,000 systems are spread throughout
North America, so doing such a project would be extremely expensive in
manpower and travel, plus it would take many months to complete.

Another obvious solution is to get SAV to use old defintions (which used
less RAM), and that is the path the customer is working on, but they’re
currently having trouble doing so on their SAV servers. But that will
probably be the ultimate solution with my current thinking.

Later versions of SAV move to paged pool and use much less of it (about 30
MB paged pool), but those newer versions won’t run on Windows NT.

And yes, we’re aware of all of the reasons for not running Windows NT, but
the customer is already upgrading the systems to Windows 2003, but that
project won’t be completed for about six months, and this is an urgent issue
right now. So, we don’t need to get into various ways to get off WinNT, the
reasons for doing so, and so on.

Thanks for any advice!

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Maximum nonpaged pool is hard-limited to 128 MiB in NT4 x86, which is most
likely what you are seeing. The only way to lift this hard-coded limit
would involve patching the kernel, no registry setting or amount of RAM
can achieve this.
Windows XP and Server 2003 x86-32 would, by the way, impose the same hard
limit on systems with less than 512 MiB of RAM.

On Fri, 15 Oct 2010 22:09:10 +0300, Taed Wynnell
wrote:
> I wish to increase the NonPagedPoolSize (typically set via
> HKLM\CurrentControlSet\Control\Session Manager\Memory
> Management\NonPagedPoolSize) past the size allowed by the maximum
> computed by Windows. It caps the size set by the registry value to a
> value computed internally based on the amount of RAM. For a 384 MB
> system, the computed maximum is about 130 MB.
>
> My reason for doing this is to keep nearly 1,000 “embedded” (no KVM)
> Windows NT systems going for six more months. The customer has Symantec
> AntiVirus 9.0 installed on them, which uses a shocking amount of
> NonPaged pool. In January, the SAV defintions caused it to use 81 MB or
> NonPaged pool, but that has increased steadily over the last 10 months,
> and it is now at a shocking 123 MB. The systems only have 385 MB, so
> the computed maximum nonpaged pool size is 133 MB. My drivers need
> about 12 MB, and Windows needs 10 MB or so. So, we’re at the point that
> when the system boots, we’re able to come up, SAV gobbles 95% of the
> pool, and then at that point, we can no longer allocate (and free) even
> small 1 KB buffers, and we even lose the ability to log into Windows.
>
> The obvious solution is to stop running SAV, but the customer isn’t
> comfortable with that (although it is on a closed network). Adding RAM
> to the systems is problematic because the 1,000 systems are spread
> throughout North America, so doing such a project would be extremely
> expensive in manpower and travel, plus it would take many months to
> complete.
>
> Another obvious solution is to get SAV to use old defintions (which used
> less RAM), and that is the path the customer is working on, but they’re
> currently having trouble doing so on their SAV servers. But that will
> probably be the ultimate solution with my current thinking.
>
> Later versions of SAV move to paged pool and use much less of it (about
> 30 MB paged pool), but those newer versions won’t run on Windows NT.
>
> And yes, we’re aware of all of the reasons for not running Windows NT,
> but the customer is already upgrading the systems to Windows 2003, but
> that project won’t be completed for about six months, and this is an
> urgent issue right now. So, we don’t need to get into various ways to
> get off WinNT, the reasons for doing so, and so on.
>
> Thanks for any advice!

Hi Taed,

My, my, my… over the years you’ve brought us MANY interesting problems.

Hmmmm…

Leveraging off what Mr. Bremer said, have you disassembled the code (in NTOS) to see where the limit is imposed? Given that it’s NT V4 you SHOULD be able to just WHACK it with a patch. Very ugly, and not recommended for the faint of heart, but you know what you’re doing, after all.

Peter
OSR

Hi,
I have same problem with Symantec Antivirus 9 on W2k and WinXP.
Symptoms can differ:

• user can’t logon;
• broken network connection;
• some apps crash;
• no sound :);
• printers disappear.

If i disable one of symantec drivers all working fine.
Well, i’m going to change antivirus to Symantec Endpoint Protection 11.
But, if there is a way increase nonpaged pool size in Win2k and WinXP, it can helps me in transient period.

P.S: sorry for my English.

It won’t really help Symantec will increase its usage in many cases.
Sorry but Symantec and McAfee are in many ways worse than what they
claim to protect against.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“xxxxx@mail.ru” wrote in message
news:xxxxx@ntdev:

> Hi,
> I have same problem with Symantec Antivirus 9 on W2k and WinXP.
> Symptoms can differ:
> - user can’t logon;
> - broken network connection;
> - some apps crash;
> - no sound :);
> - printers disappear.
>
> If i disable one of symantec drivers all working fine.
> Well, i’m going to change antivirus to Symantec Endpoint Protection 11.
> But, if there is a way increase nonpaged pool size in Win2k and WinXP, it can helps me in transient period.
>
> P.S: sorry for my English.

I would switch to better AV in terms of stability and memory consumption. Make research for customer and suggest a better option (Eset is very stable, dunno about resources usage).

I do not agree. There are things about Symantec/Norton antivirus & firewall
software that could be better, but I find my systems stable without any
problems. I do not use AV on any test system where I may have to use windbg
since I know that many use techniques that interfere with debugging.

I know many have had bad experiences with those products, but recent
releases seem to be much better, more stable, and effective (as much as
signatures permit). They also have behavioral analysis that attempts to
find viral code before signatures are created. They do have a large
signature group in several parts of the world so that an attack in Europe
will cause signatures to be ready by the time those of us in the U.S.A.
start using our computers. That capability should not be ignored. I also
like how the Norton line checks every few minutes for signature updates
instead of only doing them every few hours.

If you want ‘free’ Microsoft has a free AV package. It is, from what I
understand, adequate but does Microsoft invest as much in it as Symantec? I
really doubt it, but I do use it on systems I consider low use and don’t
contain my personal files.

“Don Burn” wrote in message news:xxxxx@ntdev…
> It won’t really help Symantec will increase its usage in many cases.
> Sorry but Symantec and McAfee are in many ways worse than what they claim
> to protect against.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
> “xxxxx@mail.ru” wrote in message
> news:xxxxx@ntdev:
>
>> Hi,
>> I have same problem with Symantec Antivirus 9 on W2k and WinXP.
>> Symptoms can differ:
>> - user can’t logon;
>> - broken network connection;
>> - some apps crash;
>> - no sound :);
>> - printers disappear.
>>
>> If i disable one of symantec drivers all working fine.
>> Well, i’m going to change antivirus to Symantec Endpoint Protection 11.
>> But, if there is a way increase nonpaged pool size in Win2k and WinXP, it
>> can helps me in transient period.
>>
>> P.S: sorry for my English.
>
>

>>I know many have had bad experiences with those products, but recent releases seem to be much better, more stable, and effective (as much as signatures permit)<<

Yes, but in this context, “latest release” means that you most likely you cannot install in on old system …

>I would switch to better AV in terms of stability and memory consumption. Make
research for customer and suggest a better option

(Eset is very stable, dunno about resources usage).

As you understand, a better AV solution *must* have enough resources (CPU and memory) or it won’t be effective at all.
Watching behavior is expensive. So eventually you can end with the machine split to “user” and “supervisor” parts, including CPUs, memory, network interfaces and so on.
It can be hadware-assisted like AMT $$ - or just combine two “normal” PCs together
in one box (like RAID). Given today’s prices, it can be even cheaper than pure software.
And the “supervisor” part probably won’t run Windows
– pa

You’re in luck because we just found a great solution yesterday. It turns out that Symantec recognized that badness as a bug and fixed it in SAV 9.0.7. It went from using 123 MB of nonpaged pool in 9.0.6 to just 25 MB of paged pool in 9.0.7.

The details are here. Despite it only mentioning Win2003, the release covers WinNT and other OSes. You’ll probably have to go through SAV Support to get SAV 9.0.7.

http://service1.symantec.com/SUPPORT/ent-security.nsf/56a352136542087e882573410063494c/4388217666cc97d9882574b0005f71bc?OpenDocument
Windows Server 2003 SP2 runs out of NonPaged Pool memory when using Symantec AntiVirus 9.0.5 client
Situation:
Computer runs out of NonPaged Pool memory on Windows Server 2003 SP2 when installed with Symantec AntiVirus 9.0.5 client. The SavE pool tag uses more than expected of the NonPaged Pool memory.
Solution:
This problem is fixed in Symantec AntiVirus 9.0.7 (MR7). For information about how to obtain the latest build of Symantec AntiVirus or Symantec Client Security, read Obtaining an upgrade or update for Symantec AntiVirus Corporate Edition or Symantec Client Security.
With the release of Symantec AntiVirus 9.0.7 (MR7), the SavE pool tag will use Paged Pool memory instead of NonPaged Pool memory.

>It went from using 123 MB of nonpaged pool in 9.0.6 to just 25 MB of paged
pool in 9.0.7.

Wow.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@vertical.com
Sent: Thursday, November 04, 2010 1:38 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Increasing NonPagedPoolSize past the computed maximum?

You’re in luck because we just found a great solution yesterday. It turns
out that Symantec recognized that badness as a bug and fixed it in SAV
9.0.7. It went from using 123 MB of nonpaged pool in 9.0.6 to just 25 MB of
paged pool in 9.0.7.

The details are here. Despite it only mentioning Win2003, the release
covers WinNT and other OSes. You’ll probably have to go through SAV Support
to get SAV 9.0.7.

http://service1.symantec.com/SUPPORT/ent-security.nsf/56a352136542087e882573
410063494c/4388217666cc97d9882574b0005f71bc?OpenDocument
Windows Server 2003 SP2 runs out of NonPaged Pool memory when using Symantec
AntiVirus 9.0.5 client
Situation:
Computer runs out of NonPaged Pool memory on Windows Server 2003 SP2 when
installed with Symantec AntiVirus 9.0.5 client. The SavE pool tag uses more
than expected of the NonPaged Pool memory.
Solution:
This problem is fixed in Symantec AntiVirus 9.0.7 (MR7). For information
about how to obtain the latest build of Symantec AntiVirus or Symantec
Client Security, read Obtaining an upgrade or update for Symantec AntiVirus
Corporate Edition or Symantec Client Security.
With the release of Symantec AntiVirus 9.0.7 (MR7), the SavE pool tag will
use Paged Pool memory instead of NonPaged Pool memory.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

>It went from using 123 MB of nonpaged pool in 9.0.6 to just 25 MB of paged pool in 9.0.7.

Wow. <<

I hope it can still catch up something (I mean, viruses)