Random reboots with Win2000 Pro server

Background:

Over the past couple of months I have become increasingly annoyed with the Windows 2000 server I borrowed from work to use at home. This machine provides DHCP services for the other PCs on my home network, and (currently) connects to the Internet through a medium-speed DSL link. As I've installed more software (virus protection, pop-up stoppers, firewalls, web services, you name it) it seems to have become more and more sluggish. Then, several months ago it started something new: it would randomly reboot, more often than not 5 minutes after I leave for work in the morning, and again 1/2 hour after I head for bed at night. Or, it would die as soon as I open a web page, any web page, but never consistently the same web page... ARGH!

What I Did

A thorough Google search suggested several things. Most notably:

This happens to a LOT of people
No one seems to know how to fix it

I discovered that each reboot was logged in the system events database. Here's what the entry looks like:

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x05926008, 0x00000002, 0x00000000, 0xbfec50bc). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\MEMORY.DMP.

Once the stop code was 0x0000001e (KMODE_EXCEPTION_NOT_HANDLED, by portcls.sys, which is an audio streaming driver); another time it was 0x000000be (ATTEMPTED_WRITE_TO_READONLY_MEMORY). All other times it was 0x000000d1 (DRIVER_IRQL_NOT_LESS_OR_EQUAL).

By turning the automatic reboot on bugcheck feature OFF, the system will generate the infamous BSOD: Blue Screen Of Death. The one important piece the BSOD gives you is the name of the file or application that generated the bugcheck. In my case this was AFD.sys, or Teefer.sys.

According to Microsoft, bugchecks have been associated with afd.sys -- but were supposedly fixed by Service Pack 3. Teefer.sys is associated with Sygate Personal Firewall Pro (which I do have installed). This particular stop code can be produced by dlc.sys (see knowledgebase article 26621). The dlc.sys problem was essentially an "array index out of bounds" error -- which is clearly tangential to the main problem.

Another site (which I can no longer find) provided a lengthy discussion of the problems that arise when applications initiate TCP/IP packets, and don't send the proper acknowledgment to responding applications, I think...

Anyway, all this suggested that background network activity was somehow implicated in my server crashes. Could it be that the Sygate software on my server was designed and tested against a buggy version of afd.sys? And when I upgraded to Service Pack 3 some months ago, the Sygate algorithm was no longer as appropriate for all circumstances, thereby generating other bugchecks?

What IS true, is that my system has not crashed once with the DRIVER_IRQL_NOT_LESS_OR_EQUAL error since I upgraded to Sygate Personal Firewall v5.5 the morning of 11/13/03. The next time it crashes (which it must -- it's a Microsoft product, after all) I'll put a note at the end of this page.

To the right is a chart of the time my system survived each time until the next bugcheck. The final data point (highlighted) indicates how long the system has been up -- if it breaks the 50-hour barrier I'll consider the reboot cure to have been successful.