Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 2021 Source: Srv

The server was unable to allocate a work item <number> times in the last <number> seconds.
This event was logged on a Windows Server 2003 R2 on which McAfee AntiVirus Enterprise 8.0i (patch level 0) was installed. Beside event 2021, we also received events 2019, 2022 and 6004, which were also caused by McAfee.

Workaround: After deactivating the services, the events disappeared.
Resolution: Update McAfee to the latest patch level to resolve this problem.
This problem may occur if the following conditions are true:
1.The cache line size of the CPU is less than 0x80.
2.The IRPStackSize parameter for the Server service is set to a value that ranges from 33 through 38.
3.The load on the Server service increases to a point where the Server service must allocate extra work items.
See ME924749 for a hotfix applicable to Microsoft Windows Server 2003.

According to Microsoft this event may occur if the default system pages of 10, 000 are not enough for the server due to many pages being locked down during transmission. To work around this problem, increase the number of system pages for the server in the registry. See ME145882 for information on how to do that.

See ME923360 for additional information about this event.
As per Microsoft: "This issue may occur if a non-Microsoft program that is installed on your computer uses an outdated kernel-mode filter driver". See ME822219 to fix this problem.

See ME304101 and the link to "EventID 2021 from source NCP Server" for additional information on this event.
Going to Network Properties, under the Services tab, and then opening up the properties for the Server service and setting that to optimize throughput for file sharing instead of minimizing memory used eliminated the problem on our Windows NT 4 Terminal Server.
As per Microsoft: "The entry in the HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\MaxWorkItems  value is not large enough to provide efficient server operation. This value determines the maximum number of receive Buffers that a server can allocate. If this limit is reached, server performance may be degraded.".

The ME216171 article "Server Performance Degrades During Work Item Allocation"  has been removed from Microsoft's site. See the link below for an alternate article.

As per ME317249, this behavior occurs because the Server service is unable to keep up with the demand for network work items that are queued by the network layer of the input/output (IO) stream. In simpler terms, the Server service cannot process the requested network I/O items to the hard disk quickly enough to prevent the Server service from running out of resources. Many different issues can cause this problem. When you troubleshoot this issue, investigate all components in the I/O path, from the network adapter to the hard disk drive array.

While ME216171 is not available anymore, ME221790 offers details about the very same issue.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to



Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.