Event ID: 2011 Source: Srv

The Server's configuration parameter "IRPStackSize" is too small for the server to use a local device. Please increase the value of this parameter.
In my case, I had several applications running on my Windows XP laptop and my log started to fill with these events. The laptop was also very slow. Using the Microsoft Task Manager I identified several processes that were using an unusual amount of memory for what they did, such as my mobile phone synchronization application (using close to 1 GB of RAM). I killed the process, shut down all the applications and the problem was gone.

* * *

As per Microsoft, IBM AntiVirus 3.01N (Build 301.590) may cause this behavior.

This error can also appear on Windows NT Server or Terminal Server prior to SP 4. See the link.
If you use McAfee Virusscan v8.0 or v8.5, go to EV100082 (McAfee Support) and search for document ID KB47899 (or just enter 47899 in the Ask field). McAfee is silly enough not to make a direct link available.
I believe that the IRPStackSize value (which is case-sensitive, according to ME177078) is not present by default on Windows XP. I have read in the Symantec KB (linked to from ME177078) that removing the value entirely allows Windows to control the IRP stack size.
If you see this event after installing Norton AntiVirus, the default Windows settings for IRPStackSize have been changed. See EV100081 on how to restore IRPStackSize to Windows default setting.
As per Microsoft: "The server is configured with too many file system filter drivers (for example, Quota and anti-virus) and/or too many devices, or the irpstacksize parameter is set to less than the default of 15 stack frames. The irpstacksize represents the number of kernel modules that can store information in the input/output (I/O) Request Packet (IRP). The IRP is used to track I/O requests in the kernel". See MSW2KDB for more details.

Depending on the hardware configuration of the specific computer, the default value may not be large enough for the SRV service to properly administer shared folders on some of the physical drives. See ME225782 for more information.

Installing Exchange Server 5.5 Service Pack 1 (SP1) on a computer running clustering services provided by Windows NT 4.0 Service Pack 4 (SP4) release candidate is not recommended. Setup may not work because the IrpStackSize parameter is too small. See ME200490 for more details.

See the link to Veritas Support Document ID: 244156 - EV100080 for additional information on this event.

Same message could appear with Norton Antivirus 7.6 Corporate Edition on Windows 2000 Server. See ME177078.
Any software that uses a file system filter driver will cause the system to use more IRP stack. Accordingly, this event may be seen after installing open file backup agents, antivirus software, quota software, replication software, etc.
From a newsgroup post: "Windows XP, Windows 2000, and Windows NT all have an IRPStackSize value that controls how much physical storage space and RAM are available to new applications, and some new software installs incorrectly set this value. This value ranges from 11 to 50 for Windows 2000 and Windows XP and from 0x4 to 0xC (4-12) for Windows NT. ME177078 has more details on the default values for the IRPStackSize key. If you set this value to a value smaller than the default value, you will receive an error message indicating that the system does not have enough server storage. As a result, clients will not be able to access network shares and this event will appear in the System log.

To set the IRPStackSize back to the default value (15 for Windows 2000 and XP, 0x4 for NT), perform the following steps:
  1. Start the registry editor (e.g., regedit.exe).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters.
  3. Double-click IRPStackSize (or if this registry setting does not exist, create it of type DWORD and ensure the case is correct).
  4. Change the base to decimal (or hexadecimal in some cases), set the value to the default value for your OS, and click OK.
  5. Reboot the computer or restart the "Server" service".

See ME106167 for additional information.
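
A read-only check of the setting that the steps above edit, added here as an example (it is not from the original comments or from Microsoft). The function names Test-IrpStackSize and Get-Srv2011Count are hypothetical, Windows PowerShell 3.0 or later is assumed, and the default of 15 and the range 11 to 50 are the Windows 2000/XP figures quoted above.

```powershell
# Added example: read-only audit of the IRPStackSize value (changes nothing).
# Defaults below are the Windows 2000/XP figures quoted on this page.
function Test-IrpStackSize {
    param(
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters',
        [int]$Default = 15,   # page: default for Windows 2000 and XP
        [int]$Min = 11,       # page: lower bound for Windows 2000 and XP
        [int]$Max = 50        # page: upper bound for Windows 2000 and XP
    )
    $expected = 'IRPStackSize'
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    # GetValueNames() returns each name with the case stored in the registry.
    $stored = @($key.GetValueNames() | Where-Object { $_ -ieq $expected })

    if ($stored.Count -eq 0) {
        return [pscustomobject]@{ Status = 'Absent'; Name = $null; Kind = $null; Value = $null
            Note = 'Value not set (a comment on this page says Windows then controls the size).' }
    }
    $name  = $stored[0]
    $kind  = $key.GetValueKind($name)
    $value = $key.GetValue($name)

    $problems = @()
    if ($name -cne $expected) { $problems += "name case is '$name', expected '$expected'" }
    if ($kind -ne 'DWord')    { $problems += "type is $kind, expected DWord" }
    elseif ($value -lt $Min -or $value -gt $Max) { $problems += "value $value outside $Min-$Max" }
    elseif ($value -lt $Default) { $problems += "value $value below default $Default" }

    [pscustomobject]@{
        Status = if ($problems.Count) { 'Review' } else { 'OK' }
        Name = $name; Kind = $kind; Value = $value
        Note = $problems -join '; '
    }
}

# Count Event ID 2011 entries from source Srv in the System log over the last N days.
function Get-Srv2011Count {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; Id = 2011; StartTime = (Get-Date).AddDays(-$Days) }
    @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -ieq 'Srv' }).Count
}

Test-IrpStackSize
"Event 2011 (Srv) in the last 7 days: $(Get-Srv2011Count)"
```

Running it before and after installing software that adds a file system filter driver shows whether the installer changed the value and whether the event started appearing afterwards.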
