Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for the ‘Troubleshooting Tools’ Category

« Previous Entries

A Perfmon View of Bad Blocks

Posted by William Diaz on March 6, 2013


In the past week or so a couple workstations were brought to my attention in different offices that were exhibiting poor performance. Suspicious of disk bottlenecks, I remotely connected perfmon physical disk counters to both and saw a excessive time spent writing to the disk and the current disk queue length spiking when the workstations were logged on but idle. Here is a snapshot of both PCs:

SNAGHTMLd73c7e6

SNAGHTMLd76e6fa

Looking at the System event logs revealed numerous Errors with Source as disk and Event ID 7, otherwise known as bad blocks. On one of the problem workstations the print spooler kept on shutting down after starting it. If system files or program critical files are resident across these bad blocks on the disk, performance issues or otherwise abnormal behavior is bound to ensue. Run a Chkdsk to attempt to resolve.

Posted in Troubleshooting Tools | Tagged: | Leave a Comment »

A Recent and Quick Encounter with “Ransomware”

Posted by William Diaz on October 21, 2012


While browsing the Internet last night from one of my home PCs, I was suddenly hit with the following full screen warning: “THE FBI Federal Bureau of Investigations. ATTENTION! Your PC is blocked due to at least one of the reasons specified below…”

Ransomware

Posted in Troubleshooting, Troubleshooting Tools | Tagged: | 1 Comment »

The Case of the Slowly Opening Or Unresponsive Office Files

Posted by William Diaz on August 15, 2012


After a recent security update for our XP workstations, a couple complaints came in where user’s were having difficulty opening Microsoft Office files across the network. In some cases, the file would open, but only after a delay of a few minutes. In other cases, the file would not open at all, causing the Office application (Word, Excel) to become unresponsive and hung up. The files were not ridiculously large, and opening the same files locally did not present a problem. Identifying the cause was a simple matter of turning to Process Explorer and examining the stack of the working program thread:

image

You can see the stack growing with a couple dozen calls to some component named GKExcel.dll. Turning on the Lower Pane to view DLLs (View > Lower Pane View > DLLs), I can see it is described as Microsoft Component, but the description is too generic to make out the purpose:

image

However, one of the functions may allude to what its purpose is and how it got here. Searching FValidateExcelFile takes me to this MS KB article Excel workbooks may open slowly over the network:

After you install MS11-021 and the Office File Validation (OFV) Add-in for Microsoft Office 2003 (KB 2501584), workbooks stored in a network location open more slowly over the network in Excel 2003 than they did without the OFV installed. The decrease in performance depends on the size of the workbook and bandwidth of the network, and in some scenarios, can seem to cause Excel to crash.

The issue is not specific to Excel, however. Word files were taking several minutes to open as well. Resolving is a simple matter of uninstalling the Microsoft Office File Validation Add-in or modifying the registry to make an exception for the application opening the file. To do this:

  • Go to HKCU\Software\Policies\Microsoft\Office\<ver>\<application>\Security.
  • Create a new key called FileValidation
  • Create a DWORD value called EnableOnLoad with a value of 0

If uninstalling across the enterprise, then: msiexec / x {90140000-2005-0000-0000-0000000FF1CE} / quiet.

Posted in Office, Troubleshooting, Troubleshooting Tools | Tagged: , , | Leave a Comment »

The Case of the Missing Task Manager and Registry Editor part II (Windows Advanced ToolKit Malware)

Posted by William Diaz on June 28, 2012


I was originally introduced to this by co-worker who wanted me to look at someone’s netbook and wrote about it here. The malware-scareware program had already been removed from the system, but the damaged it done had been left behind. Cleaning it up manually, though, would not be too difficult. As pointed out, its counters the user attempt to stop it by taking advantage of a built in process that Windows uses for debugging applications by pointing the Task Manager and Regedit to its own fake anti-virus process. Further, it also counters anti-malware utilities and virus security suites by creating reg keys and using the same Debugger string to point to svchost.exe, which is not able to run other executables. The key to getting access to the registry and the task manager directly was to use AutoRuns.

As it happened, a couple days ago the wife starts complaining that she keeps getting persistent firewall popups. I told her to click allow and let me sleep. Then she mentioned another popup that she says is scanning the system and finding virus. This sounds like classic scareware and when I take a look I see this:

Posted in Troubleshooting, Troubleshooting Tools | Tagged: | Leave a Comment »

Making My Unusable USB Stick Usable Again

Posted by William Diaz on June 11, 2012


I had a USB flash device that just stopped working suddenly. When I plugged it in, the following message popped up in Windows: “You need to format the disk in drive before you can use it.”

SNAGHTMLa4832c8

That was odd because earlier it was formatted with FAT32 and seemed to be working normally (copied files to it). Luckily, I didn’t have anything important stored on it, clicked Format disk and was the presented with the format options and selected Start.

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools | 4 Comments »

The Case of the Missing Task Manager and Registry Editor

Posted by William Diaz on June 5, 2012


I was recently given a netbook to look at after it was hit by some malware. The malware exe had already been removed but it left a few common system utilities like the Task Manager and the Windows Registry Editor in a dysfunctional state. Furthermore, popular anti-malware utilities and anti-virus utilities were also not able to run. For example, trying to run taskmgr.exe or regedit produced the following error: “Windows cannot find ‘C:\Windows\system32\taskmgr.exe’…

image

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools | Tagged: , | 3 Comments »

The Case of the Rebooting Workstation

Posted by William Diaz on June 1, 2012


This was initially described as a log off each time the user opened Outlook. This was the first time I heard of Outlook logging someone off their system when it was opened. This sparked my curiosity, of course, so I asked the techs working on this to leave it alone until I had a chance to look after hours. I started by connecting remotely to the Windows Event Viewer for the problem workstation to see if anything obvious stood out. After about a minute, the MMC console became hung and I could no longer browse events. I thought maybe the workstation became disconnected from the network, so I waited and tried again a few minutes later. I resumed browsing the event logs … only to get disconnected again. Logging in via RDP or VNC was also a no go, as I was getting disconnected after about 2 minutes, barely enough time to get pass the initial desktop and application loading and analyze what was happening. My next approach was to query the workstation for all the running processes via PsList from SysInternals (using the Front End for PsTools); maybe something might stand out and allude to what was happening:

image

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools | Tagged: , , , , | 2 Comments »

Troubleshooting Excessive Interrupts & DPCs

Posted by William Diaz on May 14, 2012


After logging onto my main home PC and opening IE, I noticed lag while repositioning the window around the screen. I opened the Task Manager, sorted by the CPU column and saw no single process reporting excessive usage:
image
Nor was the hard disk light blinking or solid. However, looking at the Performance tab revealed two of the CPU cores hovering around 100%:

Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools | Tagged: | Leave a Comment »

The Case of the Runtime Error (or Check Your Time Zones & DST Settings)

Posted by William Diaz on May 7, 2012


One of our helpdesk technician’s in a remote office reached out to me recently and asked me to assist with an application that suddenly started crashing on him with the following error: “Microsoft Visual C++ Runtime Library. Runtime Error! This application has requested the Runtime to terminate it in an unusual way…”
image

Posted in Troubleshooting, Troubleshooting Tools | Tagged: , , , | Leave a Comment »

Recovering Text From A Unresponsive Application

Posted by William Diaz on May 2, 2012


A couple weeks ago a co-worker asked me if it was possible to recover text from a hung application. The user had spent a good amount of time typing into text field and upon trying to submit the information, IE became hung and would not recover. The user didn’t want to have to retype everything from scratch again. The short answer to this is yes. The long answer is “Yes, if you can be patient.” I have never actually needed to perform this myself because it’s not always that practical and, to be honest, the task can be somewhat tedious. But if you really need to recover text and Word didn’t auto-recover or Outlook lost the draft after you clicked send, or IE is in the process of a “GUI crash”, then turn to the power of the dump.

The idea here is if the application is still running but stalled, it still resides in memory, along with anything you typed into it. When you dump the process, you are dumping its presence in memory to a file that you can pick apart. Dumping a hung process is simple enough. On an XP system, open Process Explorer, right-click the process, and choose Create Dump. In Vista & Windows 7, this option is now built into the Task Manager. You can then copy the dump to a system where WinDbg is installed to open it.

Posted in Troubleshooting Tools | Tagged: , , | Leave a Comment »

« Previous Entries
 
Follow

Get every new post delivered to your Inbox.