Event ID - 2027

Event Id: 2027
Source: Server
Description: The server has detected a potential Denial-of-Service attack caused by consuming all the work-items. Some connections were disconnected to protect against this. If this is not the case, please raise the MaxWorkItems for the server or disable DoS detection. This event will not be logged again for 24 hours.
Event Information According to Microsoft :

Cause :

This event is logged when server has detected a potential Denial-of-Service attack caused by consuming all the work-items.

Resolution :

Raise the MaxWorkItems for the server or disable DoS detection

Denial of service (DoS) attacks are network attacks that are aimed at making a computer or a particular service on a computer unavailable to network users. Before using this procedure, please verify that the server is not experiencing a DoS attack. For more information to help you understand network security and DoS attacks. If the server is not under a DoS attack, you can use the procedure below to allow the server to keep up with the demand for network work items.

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

Caution : Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.

To increase MaxWorkItems for the server:
  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click to select the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type MaxWorkItems, and then press Enter.
  5. Right-click MaxWorkItems, and then click Modify.
  6. In the Value data box, type the desired value, and then click OK.
Note : The MaxWorkItems value specifies the maximum number of work items that the server is permitted to allocate at one time. If this limit is reached, then the transport must initiate flow control, which can significantly reduce performance. In some cases, this may disallow new connections to be made to the server. There is no set default value for this entry, because it is determined by the computer's hardware configuration and the server, and may have to be adjusted.

Verify :

To perform this procedure, you must have membership in Administrators, or you must have been delegated the appropriate authority.

To verify the Shared Folder (SMB) server is available:
  1. Open an elevated Command Prompt window. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. Type net config server.
  3. Verify that NetbiosSmb appears under the Server is active on section in the results.
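
The registry change and the verification above can also be scripted. The following PowerShell is an added example, not part of the original page or of Microsoft's guidance: it lists recent 2027 events for review, backs up the subkey, sets MaxWorkItems, and runs the same net config server check. The `$BackupPath` location and the parameter names are assumptions, and the value to set is left to the operator because the page gives no recommended number.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the MaxWorkItems procedure and its verification.
param(
    # Desired value; mandatory because the page states no default or recommended number.
    [Parameter(Mandatory)] [ValidateRange(1, 2147483647)] [int] $MaxWorkItems,
    # Assumed backup location for the exported subkey.
    [string] $BackupPath = "$env:TEMP\LanmanServer-Parameters.reg"
)

$regKey = 'HKLM\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters'
$psKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters"

# 1. List Event ID 2027 entries from the System log so they can be reviewed
#    before the limit is raised. The provider name is printed rather than
#    filtered on, so entries from other sources with the same ID are visible.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 2027 } `
                       -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List
    Write-Warning "Event 2027 is logged at most once per 24 hours; confirm the load is legitimate before continuing."
} else {
    Write-Output "No Event ID 2027 entries found in the System log."
}

# 2. Back up the subkey before editing it (the page's Caution).
reg.exe export $regKey $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry backup failed; no change was made." }
Write-Output "Backup written to $BackupPath"

# 3. Record the current value, if one exists, so the change can be reverted.
$current = (Get-ItemProperty -Path $psKey -Name MaxWorkItems `
                             -ErrorAction SilentlyContinue).MaxWorkItems
if ($null -eq $current) { $current = '(not set)' }
Write-Output "Current MaxWorkItems: $current"

# 4. Create or update the DWORD value (steps 3 to 6 of the manual procedure).
New-ItemProperty -Path $psKey -Name MaxWorkItems -PropertyType DWord `
                 -Value $MaxWorkItems -Force | Out-Null
Write-Output "MaxWorkItems set to $MaxWorkItems"

# 5. Verify: NetbiosSmb should appear in the 'net config server' output.
$netConfig = net.exe config server
if ($netConfig -match 'NetbiosSmb') {
    Write-Output "SMB server is active (NetbiosSmb listed)."
} else {
    Write-Warning "NetbiosSmb not found in 'net config server' output."
}
```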
Reference Links: Event ID 2027 from Server
