We received Event ID:333 "An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry." On Windows 2003 R2 terminal server running SEP 12.1.

We could reproduced the issue by simply running a SEP scan. We notice all user registry hives from everyone that has logged in are loaded into the registry's HKEY User directory for scanning. Depending on how many users have logged into the server, this can quickly add up. When this happens, it causes the registry memory to become so low that it fails to write any new data to the registry until the server is restarted. [more]

The first event logged would generally state that the system's available memory for the registry was low. After that, Event ID: 333 would be logged about every 30 seconds.

We found this article that helped resolve this issue http://www.symantec.com/connect/forums/event-id-333. In the article are some memory pool settings in the registry with a link to: http://support.microsoft.com/default.aspx?scid=kb;EN-US;312362.

In the article, it states for PagedPoolMax, "Setting the value at 60 informs the Memory Manager to start the trimming process at 60 percent of PagedPoolMax rather than the default setting of 80 percent. If a threshold of 60 percent is not enough to handle spikes in activity, reduce this setting to 50 percent or 40 percent."

During our testing, the value of 60 still exhibited the low resource issue. Setting the PagedPoolMax value to 40 (decimal) along with the other TCP chimney settings stopped the registry errors from Symantec scans.