According to KB820729, Connections_Refused means that the “Kernel Non Paged Pool memory has dropped below 20MB and HTTP.SYS has stopped receiving new connections”.
Connections_Refused | The kernel NonPagedPool memory has dropped below 20MB and http.sys has stopped receiving new connections |
HTTP.SYS is basically telling us “someone is using up a lot of NPP memory, and for protective reasons, I am going to stop accepting requests”. We need to figure out what driver is using up all the NPP memory and address it, and the Connections_Refused should naturally go away because NPP memory will not be under pressure.
Here’s a table summarizing the nonpaged pool limits across different version of Windows:
| 32-bit | 64-bit |
XP, Server 2003 | up to 1.2GB RAM: 32-256 MB | min( ~400K/MB of RAM, 128GB) |
> 1.2GB RAM: 256MB |
Vista, Server 2008, | min( ~75% of RAM, 2GB) | min(~75% of RAM, 128GB) |
Windows 7, Server 2008 R2 |
Tracking Pool Leaks
Poolmon is the tool that helps us in troubleshoot kernel NPP issues.
C:\windows\system32>poolmon.exe -b
We see that top most entry in the list is consuming most of the memory. Tag for the driver is “Leak”. After identifying the guilty tag in the left column, in this case ‘Leak’, the next
step is finding the driver that’s using it. Since the tags are stored in the driver image, you can do that by scanning driver images for the tag in question.
The
Strings utility from Sysinternals dumps printable strings in the files you specify and since most device driver images are in the %Systemroot%\System32\Drivers directory, you can open a command prompt, change to that directory and execute “strings * | findstr <tag>”.
C:\windows\system32\drivers>strings * | findstr Leak
After you’ve found a match, you can dump the driver’s version information with the Sysinternals
Sigcheck utility.
C:\windows\system32\drivers>sigcheck myfault.sys
Note: The driver causing the issue here was a tool written to reproduce the leak scenario and we have rightly identified that. In real life scenarios, we will find the actual driver causing the NPP leak.
References:
Most of the information in this post is derived and compiled from “Pushing the Limits of Windows: Paged and Nonpaged Pool” by Mark Russinovich
and “HOWTO
iagnose IIS6 failing to accept connections due to Connections_Refused” by David Wang
How to find pool tags that are used by third-party drivers
Error logging in HTTP API
Downloads:
“Poolmon” shipped along with Windows Support tools
“Strings” utility from sysinternals
“Sigcheck” utility from sysinternals
IP卡
狗仔卡
发表于 2016-3-21 13:44:39
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡