Event ID 333 description is An I/O operation initiated by the Registry failed unrecoverable. The Registry could not read in, write out, or flush, one of the files that contain the system’s image of the Registry.

 This means that the image of the registry held in memory could not be written to disk. Windows uses what is called the lazy writer to periodically write modified pages of memory to disk. When the lazy writer fails, an event ID 333 is recorded in the System event log.

The symptoms that might accompany the event ID 333 error include:

  • Server hangs: Your server may completely stop responding to keyboard or mouse movements and appears completely locked up, requiring a hard reboot.
  • Server sluggishness: The server is extremely slow to respond at the console, and processing information is significantly delayed.
  • Delayed Terminal Services connections: Users trying to log on to a terminal server could experience slow or delayed logons. Once they log on, they may be able to work without a slow experience; however, the logon takes several minutes instead of a few seconds.

Generally, event ID 333 can be classified into one of three categories:

  • Memory resource depletion: At the time the lazy writer attempted to write the modified pages in cache to disk, there weren’t enough resources to complete the operation. Often this type of problem is accompanied by either an event ID 2020 or 2019.
  • Disk was too busy or inaccessible: Sometimes a busy disk might not respond quickly enough to handle the lazy writer’s request to commit modified pages of memory to disk.
  • Registry bloat: The registry suddenly grows in size, which makes it increasingly difficult for the lazy writer to commit the changes to disk, commonly occurring on terminal servers.

Especially frustrating is how the events continue to flood the System event log (many times per minute) until the server is rebooted. All it takes is one time for the lazy writer to fail for the event flooding to begin. Although the condition that caused the lazy writer to fail might have been brief (such as a short spike in memory usage), event ID 333 continues to be logged even during normal memory utilization. The event is still logged because the system recognizes that a failure to sync the registry has occurred and the registry version contained in memory is out of sync with the version on disk. As a result, the number and frequency of event ID 333 messages isn’t a good indicator of the problem’s severity. By default the lazy writer tries to flush to disk every five seconds.

Event ID 333 Troubleshooting
When troubleshooting event ID 333 errors, first you must determine which general category the error falls into. It’s useful to check the System event log for other event IDs that accompany the 333 error, such as event ID 2020, which indicates a lack of paged pool memory, or event ID 2019, which indicates a leak in nonpaged pool memory.

Use these tools to assist in further diagnosing event ID 333 messages:

  • Performance Monitor: The counters to track are the system, memory, disk, and process objects.
    • Memory object: Look for a rise in nonpaged or paged memory.
    • Process object: Look for continuous rises in a process’s handles just prior to the event ID 333’s being logged.
    • System object: The %Registry Quota In Use counter can be useful in displaying how much of the allowed registry quota is being utilized. The higher the percentage, the more likely that the problem is related to a growing registry.
    • Physical disk: Look for increases in the Avg Disk Queue Length counter, which tracks the average number of read and write requests to the selected disk. If this counter spikes during the problem, start investigating the filter drivers (i.e., antivirus or backup software) on your system.
  • Poolmon.exe: This tool, which is included in the Windows Debugging Tools, is used to track kernel pool memory usage by pool-allocation tag name. Using poolmon.exe can halve your troubleshooting time by enabling you to find the tag that’s leaking memory.
  • Dureg.exe: This tool lets you view the size of the entire registry per hive. Dureg.exe is great for finding which registry hive is consuming the most space, which helps to determine what software might be causing the problem.

Leave a Reply