At this point, we usually need to open a case with Microsoft to further analyze the operating system problems. Since we have confirmed that no network-related third-party software is installed in the system, we can basically reach the conclusion that the problem is caused by TCP resource leaks on the operating system. For example, netstat will increase the reference to a port when it enumerates port information:
Besides TcpCreateListener, the other 0x35 references may be reference leaks or references that other drivers or software has added when they perform operations on this structure. In this case, the TCP resource corresponding to port 80 obviously has more than 0x36 references. Once the reference count of an object is 0, the corresponding routine will release that object. After the object is used, DeReference is invoked to reduce the corresponding reference count. Before operations are performed on each object, the system will try AddReference to avoid memory access violations caused by the release of that object when it is being used. To figure this out, we directly check the TCP resource reference.

Basically, resource object management has been implemented in Windows. Therefore, the more important issue is why the TCP resource hasn't been released. tcpip.sys will only invoke the afd.sys callback routine to release resources and trigger the signal after the corresponding TCP resource is released. We know that the Windows AFD resource is strongly associated with the TCP resource. Even if we kill the application, a zombie process exists.
Memory Dump Analysis

From the dump file, we can clearly see that the httpd.exe process of the Apache service does not exit because the Afd.sys driver is still waiting for a completion signal.

Because the AFD resource cannot be released, the application continues to wait. We have to reproduce the problem and capture the memory dump for further analysis. So far, all our general methods have failed to solve this problem. At the same time, we confirmed that the patch was the latest version.
It seems that this problem is caused by the application itself. However, we still provide the following empirical suggestions just in case:

1. Uninstall unnecessary third-party software, especially security software where the Filter driver or the WFP callout driver has been added.
2. Disable the advanced features of the network interface controller (NIC), especially TCP Chimney and RSS.
3. Check the Windows patch version and install the latest patch.

After trying these steps, the problem still existed.
We have never previously heard of any known issues that prevent the Apache service from being stopped. No operations could fix this problem, until we restarted the machine.
When we tried to stop this Apache service, it continued to be in the pending or stopping status.

Problem

A service was deployed on Windows Server 2008 R2 SP1 by using Apache. In this article, we use a case to explain the implementation of Windows TCP/IP in NDIS.
The previous article describes the Windows NDIS architecture and how to troubleshoot network problems under this architecture. This is the second article of the Windows Networking troubleshooting series.