Unable to restart server due to registry bloat over 2GB

Hello AskPerf!  Pushing up a blog today to discuss the registry bloat issue that has been recently addressed in the following KB:

Computer cannot be restarted if the registry hives are larger than 2 GB

Symptom

  • You have a computer that is running the x64-based version of Windows 8.1, Windows Server 2012 R2, Windows 8, or Windows Server 2012.
  • The registry hives for the computer are larger than 2 gigabytes (GB).

Cause
This problem occurs because of the 2 GB size limit of the registry hives in x64-based versions of Windows.

Resolution
Install this patch to resolve the issue.

 

When you get into this state, you may experience one of the following issues:

  1. You can boot to a stop error.
  2. You can boot and not be able to log in due to the RQL (Registry Quota Limit).
  3. You can boot and be logged in with a temp profile and not be able to install any software due to the RQL.

If this happens, KB2978366 should be installed.

With that, the following questions may come to mind:

  • How does this issue occur?
  • How do I prevent this issue in the first place?
  • How do I fix this issue once the hotfix is installed?
  • What happens if I see this problem on another OS version?
  • Are there any tools I can use to troubleshoot this issue?

Question:  How does this issue occur?

Answer:  There are many reasons that cause registry hives/keys to bloat.  Some of the ones we have seen are related to KB2871131, which refers to the “..\Printers\DevModes2” key bloat.  This hotfix does not “fix” the issue, but prevents it from occurring in the first place.  You still have to clean the keys first.  Additionally, there is a known issue with SQL Server 2012 SP1 that can cause the registry to hit the 2GB limit and put the machine in a no-boot state.  Please see KB2793634 for more details on this.

Question:  How do I prevent this issue in the first place?

Answer:  There really is no good answer for this outside of installing the hotfixes noted above and keeping a close eye on your registry hives.  You can, however, use Performance Monitor to monitor the “System\% Registry Quota In Use” counter.  If this counter gets over 50%, you should start investigating which registry keys/hives are growing.


% Registry Quota In Use is the percentage of the Total Registry Quota Allowed that is currently being used by the system.  This counter displays the current percentage value only; it is not an average.

NOTE: The following registry hives point to their corresponding files:

  • HKLM\BCD00000000 – \Boot\BCD
  • HKLM\COMPONENTS – %windir%\System32\config\Components
  • HKLM\SAM – %windir%\System32\config\SAM
  • HKLM\SECURITY – %windir%\System32\config\SECURITY
  • HKLM\SOFTWARE – %windir%\System32\config\SOFTWARE
  • HKLM\SYSTEM – %windir%\System32\config\SYSTEM
  • HKU\.DEFAULT – %windir%\System32\config\DEFAULT
  • HKCU – %userprofile%\NTUSER.DAT
  • HKLM\HARDWARE – This is dynamic and gets built when the OS boots (volatile hive)
  • HKLM\CLUSTER – %windir%\Cluster\CLUSDB
  • HKU\<SID of local service account> – %systemroot%\ServiceProfiles\LocalService\Ntuser.dat
  • HKU\<SID of network service account> – %systemroot%\ServiceProfiles\NetworkService\Ntuser.dat
  • HKU\<SID of username> – \Users\<username>\Ntuser.dat
  • HKU\<SID of username>\Classes – \Users\<username>\AppData\Local\Microsoft\Windows\Usrclass.dat
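The counter check and the hive-to-file mapping above can be combined into one pass. The following PowerShell is an added example, not part of the original post; it assumes an elevated prompt, an English counter name, and user profiles under the system drive's \Users folder.

```powershell
# Added example: registry quota check plus on-disk hive sizes (run elevated).
$thresholdPct = 50   # investigation threshold named in the post

# English counter name; localized Windows builds use a translated path.
$sample   = (Get-Counter -Counter '\System\% Registry Quota In Use').CounterSamples[0]
$quotaPct = [math]::Round($sample.CookedValue, 2)

# Machine-wide and service-profile hive files from the list above.
$hiveFiles = @(
    "$env:windir\System32\config\COMPONENTS"
    "$env:windir\System32\config\SAM"
    "$env:windir\System32\config\SECURITY"
    "$env:windir\System32\config\SOFTWARE"
    "$env:windir\System32\config\SYSTEM"
    "$env:windir\System32\config\DEFAULT"
    "$env:windir\ServiceProfiles\LocalService\NTUSER.DAT"
    "$env:windir\ServiceProfiles\NetworkService\NTUSER.DAT"
)

# Per-user hives (assumption: profiles live under <system drive>\Users).
$profiles = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -Force -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $hiveFiles += Join-Path $p.FullName 'NTUSER.DAT'
    $hiveFiles += Join-Path $p.FullName 'AppData\Local\Microsoft\Windows\UsrClass.dat'
}

# Hive files are hidden/system and locked, but their size can still be read.
$report = foreach ($path in $hiveFiles) {
    $f = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($f) {
        [pscustomobject]@{
            HiveFile = $f.FullName
            SizeMB   = [math]::Round($f.Length / 1MB, 2)
            PctOf2GB = [math]::Round(100 * $f.Length / 2GB, 1)
        }
    }
}

"Registry quota in use: $quotaPct %"
$report | Sort-Object SizeMB -Descending | Format-Table -AutoSize

if ($quotaPct -gt $thresholdPct) {
    Write-Warning "Quota above $thresholdPct %: review the largest hive files listed above."
}
```

The on-disk size includes whitespace left behind by deleted keys, so a large file here says which hive to inspect, not which key is responsible.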

Question:  How do I fix this issue once the hotfix is installed?

Answer:  After installing the hotfix, you may need to copy your registry file to another machine that includes the hotfix.  After you have cleared out the bloated entries (whitespace will remain), simply load the hive and then unload it.  This process will shrink your registry hive back down to its pre-bloat size.  If a system is unbootable due to registry bloat, install the hotfix on another system.  Boot the problem system from DVD, copy the bloated registry hive to external storage, place it on the system with the hotfix, and use regedit to remove the bloated registry info and whitespace.  The hive can then be copied back to the problem system to allow it to boot normally.

Question:  What happens if I see this problem on another OS version?

Answer:  Simply copy your hive over to a Win 8/Server 2012 machine that has this hotfix installed, then follow the steps above.

Question:  Are there any tools I can use to troubleshoot this issue?

Answer:  Sysinternals RU.exe is a good tool to check the sizes of your registry keys/hives, in addition to loading up the hive and clearing out the whitespaces.

Ru (registry usage) reports the registry space usage for the registry key you specify. By default it recurses subkeys to show the total size of a key and its subkeys.

Using Registry Usage (RU)

usage: ru [-c[t]] [-l <levels> | -n | -v] [-q] <absolute path>

usage: ru [-c[t]] [-l <levels> | -n | -v] [-q] -h <hive file> [relative path]

-c Print output as CSV. Specify -ct for tab delimiting.
-h Load the specified hive file, perform the size calculation, then unload it and compress it.
-l Specify subkey depth of information (default is one level).
-n Do not recurse.
-q Quiet (no banner).
-v Show size of all subkeys.

CSV output is formatted as:

Path,CurrentValueCount,CurrentValueSize,ValueCount,KeyCount,KeySize,WriteTime
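To find which keys are growing, the CSV columns above can be ranked by KeySize. This PowerShell is an added example, not from the original post; the sample rows are constructed, and it assumes the size columns are plain byte counts and that the WriteTime text can be passed through unchanged.

```powershell
# Added example: rank RU CSV rows by key size to spot the bloated subtree.
$columns = 'Path','CurrentValueCount','CurrentValueSize','ValueCount',
           'KeyCount','KeySize','WriteTime'

# Constructed sample rows (not real RU output). For live data, replace with:
#   $lines = & .\ru.exe -c -q -l 2 HKLM\SOFTWARE
$lines = @(
    'HKLM\SOFTWARE\ExampleVendorA,3,120,45,12,20480,2014-09-01 10:00:00'
    'HKLM\SOFTWARE\ExampleVendorB\Cache,0,0,981234,40211,1503238553,2014-09-03 02:14:07'
    'HKLM\SOFTWARE\ExampleVendorC,10,2048,300,75,7340032,2014-08-21 16:45:30'
)

$rows = $lines |
    ConvertFrom-Csv -Header $columns |
    # Keep only data rows: skips a header line or banner text if present.
    Where-Object { $_.KeySize -match '^\d+$' } |
    ForEach-Object {
        [pscustomobject]@{
            Path       = $_.Path
            KeyCount   = [long]$_.KeyCount
            ValueCount = [long]$_.ValueCount
            SizeMB     = [math]::Round([long]$_.KeySize / 1MB, 2)
            WriteTime  = $_.WriteTime
        }
    }

# Largest keys first; a single key dominating the total is the one to clean.
$rows | Sort-Object SizeMB -Descending |
    Select-Object -First 10 |
    Format-Table -AutoSize
```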

Example:

The original size of DEFAULT was 1.45 GB.  After I ran RU with the -h switch, it reduced down to 38.48 MB.

Reference

How to Compress "Bloated" Registry Hives

Registry Usage (RU) v1.1

-Blake