There are a variety of free process list viewers that will show the parent process id's (windows task manager not included). Grab one of these to see what is starting the NTVDM. This might tell you where it is coming from. Second idea is filemon/regmon (sysinternals) with ntvdm.exe filter to see what it is touching on the system. tim Timothy R. Mangan Founder TMurgent Technologies tmangan@xxxxxxxxxxxx www.tmurgent.com +1 781-492-0403 -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] Sent: Wednesday, August 06, 2003 8:01 AM To: thin@xxxxxxxxxxxxx Subject: [THIN] NTVDM - illegal instruction Any suggestions as to how to debug this ?. W2K Advanced Server,SP3 + T/S. Users have roaming profiles (if this helps) Only seems to affect newly created users.. or previously created users from some OU's Not all users are affected This happens about 20/30 seconds after they login. Also doesn't seem to affect anything for the user I've disabled the kix script (which gets pulled from the usrlogin.cmd) - still no joy. Usrlogin.cmd is now vanilla Tried reapplying the SP.. no joy Rebooted the server. Looked for "rogue" versions of command.com .. couldn't find any Nothing in the GP under logon/logoff scripts To my knowledge there are no 16 bit apps on the box that I call but maybe something else calls something as part of the login process Event Type: Information Event Source: Application Popup Event Category: None Event ID: 26 Date: 06/08/2003 Time: 12:03:17 User: N/A Computer: XXX Description: Application popup: 16 bit MS-DOS Subsystem : C:\WINNT\System32\cmd.exe The NTVDM CPU has encountered an illegal instruction. CS:ec00 IP:8cd2 OP:ff ff ff ff ff Choose 'Close' to terminate the application. Thanks for any pointers Dave Boatman CONFIDENTIALITY NOTICE This communication and the information it contains is intended for the person or organisation to whom it is addressed. Its contents are confidential and may be protected in law. Unauthorised use, copying or disclosure of any of it may be unlawful. If you are not the intended recipient, please contact us immediately. The contents of any attachments in this e-mail may contain software viruses, which could damage your own computer system. While Marlborough Stirling has taken every reasonable precaution to minimise this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should carry out your own virus checking procedure before opening any attachment. Marlborough Stirling plc, Registered No. 3008820, Allen Jones House, Jessop Avenue, Cheltenham, Gloucestershire, GL50 3SH Tel: 01242 547000 Fax: 01242 547100 <http://www.marlborough-stirling.com> <http://www.exchange.co.uk> The following companies are subsidiaries of Marlborough Stirling plc and are registered in England and Wales at the above address: The Marlborough Stirling Group PLC, Registered No. 1855353 Marlborough Stirling Administration Limited, Registered No. 2341195 Exchange FS Group plc, Registered No. 3760381 Exchange FS Limited, Registered No. 2596452 Crisp Computing Limited, Registered No. 1547979 ________________________________________________________________________ This email has been scanned for all viruses by the MessageLabs Email Security System. For more information on a proactive email security service working around the clock, around the globe, visit http://www.messagelabs.com ________________________________________________________________________ ******************************************************** This weeks sponsor - RTOSoft TScale Complaints about applications response time - DO SOMETHING ABOUT IT! TScale 2.0 improves applications response time and increases terminal server capacity. Really get MORE from your existing servers! Free eval: http://www.rtosoft.com/enter.asp?id=130 ********************************************************** Useful Thin Client Computing Links are available at: http://thethin.net/links.cfm For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm ******************************************************** This weeks sponsor - RTOSoft TScale Complaints about applications response time - DO SOMETHING ABOUT IT! TScale 2.0 improves applications response time and increases terminal server capacity. Really get MORE from your existing servers! Free eval: http://www.rtosoft.com/enter.asp?id=130 ********************************************************** Useful Thin Client Computing Links are available at: http://thethin.net/links.cfm For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link: http://thethin.net/citrixlist.cfm