I have a strange problem with one of our W2K servers running IIS5 and Hosting Controller.

Several times a day inetinfo.exe goes crazy on CPU time. (As far as I understand, inetinfo.exe is the main process of IIS5.0.)

After reading about a few bugs in IIS5 (http://www.4guysfromrolla.com/webtech/tips/t112999-1.shtml) I tried to set security to "Medium" on all hosted sites and that way force IIS to run user scripts under another process than the main IIS process.

This didn't really make any big difference other than that the server now usually runs for an hour before inetinfo.exe goes crazy and IIS stops responding.

The log file is filled up with about 40 of the following messages just before the server is crashing:

"The service could not bind instance 44"

(starting at 1 and goes up to about 44)

The last message is an information message saying:

"IIS start command received from user
NT3\Administrator. The logged data is the
status code. "

I then have to restart IIS and CPU usage is back to
normal.

This is a Intel Pentium III, with 512 MB RAM and about
40 clients.

I suspect that one of our ASP users has a error in his code making the script loop as described in the link above, and finally crashing IIS. Since it can take from
2 minutes to 4 hours between every crash, I can't imagine anything else.

My question is:
Is there any way I can dig deeper into the log files (which? where can I find them?) and reveal which user
who is running this script?

Time to fire up Perfmon -- I actually like to run Perfmon.exe from NT4 on Win2K -- I hate the screen space taken by the MMC version.

Select the ASP object and look for threads in use and other vars. You will likely see that one of the web pages is taking too long.

Concurrency is an issue under ASP... you shouldn't have a web page that takes more than .3 seconds for a frequent used sites.

You can also turn on execution timing in the IIS logs and see which page is taking so much time...

Good luck..

This update resolves the "Malformed WebDAV Request Can Cause IIS to Exhaust CPU Resources" security vulnerability in Internet Information Services (IIS) 5.0, and is discussed in Microsoft Security Bulletin MS01-016. Download now to prevent a malicious user from temporarily disrupting your Web services

I just saw this security update on Microsofts update page: http://www.windowsupdate.microsoft.com/

I'm not sure if this will help you or not, but I thought I let you know anyways.

zolbian,

I have tried this one. Didn't work :(

We paid $400 :D yesterday to Microsoft Support. For
that amount I really hope they find out what's
happening.

--
erik

Hi,

just following this old thread ;)

Has anyone managed to narrow down which site is using either of the above at any one time?

eg. dllhost.exe runs 99% CPU for 20 minutes.....

inetinfo runs 100% CPU until web services are restarted.....

fair enough a reboot / restart of IIS sorts it, but its hardly practical.....

+1 for Linux me thinks....oh how a simple 'top' command tells a nice story ;)

Cheers,

Did you make sure all sites are set to medium in IIS this helped us a lot when we did this..

We had a lot of problems with IIS and HC for some reason. We have server that can run x2 as many sites with out HC then a server with HC very odd i think but HC all ways says its not them.. LOL

..make sure you have

1. the latest security releases and patches
2. the latest service pack

Top of my head, binding issues normally happen when you have a conflict in the IP Address, Host Header or Port number (or any combination of this)

...ummphh.... on reading your post again ...you mentioned that you're also running hosting controller. Do you also have the reseller function in Hosting Controller enabled??. If yes, its possible that one of the resellers (or System Admin) are trying to create a new site using an invalid binding. If you can try disabling this for awhile, reboot and run the server to see if you're still having any problems.



Good luck

My guess is that Hosting Controller went crazy. We reinstalled
and set all virtual hosts to medium security. However HC is not
exactly "bug free" so we have stopped using it.

Microsoft Support wasn't very responsive :o so the problem was
solved before they got back to us. They had no idea what
had happened and the error log told them nothing.

sound advice guys but not the answer i'm afraid ;)

we obviously ensure all patches are applied the minute they are released and the server in question doesnt have any HC privilages....

Its a general question really.....is it possible to track who's using what processes in windows?

At the minute...the answer is still no....i havent come accross any software capable of doing it properly!

Cheers,

No, it is not possible as far as I know. And believe me, I have
been searching for a solution.

The problem is that IIS doesn't have features like Apache suExec.
All processes run as the IIS user and that makes it impossible to
track. It's not much better with a default installation of Apache,
but at least you are able to see the file name of the script that
is going crazy. In IIS "something is wrong" and that is all the
info you get.

Strange! Must have had a bout of genius or something but we've found the solution!

a product called regmon.... www.sysinternals.com

When you fire this up, you'll see data wizz past you so fast it hardly looks like its worth analysing.....

But! Theres a filter at the top, filter it to just look for your webspace accounts ie. d:\webspace or d:\webs etc....

( just type 'webspace' or similar in the filter box! )

once this is done, the data will be much easier to read and with the task manager open at the same time you can see who is using inetinfo or dllhost at any instance ;) V.good...we've already tracked down a few idiots today....

eg1. some twat with a script called looper.asp which goes into an infinate loop when run....WTF?? !!

Hope this helps !

Cheers,