Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Posts Tagged ‘Process Monitor’

« Previous Entries

IE 9 Reset Deletes Favorites?

Posted by William Diaz on December 13, 2012


While speaking with a user a few days ago, she mentioned she called the help desk to try and resolve an IE issue and the technician decided to run a reset of IE. After restarting IE, she noticed her favorites had gone missing. To confirm, I fired up one of firm imaged Windows 7 PCs and was able to reproduce. This was a surprise to me because I had never seen this behavior in our old XP environment (we are still relatively new to the Windows 7 platform). Microsoft even clearly states that a reset should preserve favorites in this Microsoft article:

Settings and items that are maintained

  • Favorites

  • Feeds and Web Slices

  • Content Advisor settings

  • Pre-approved ActiveX controls

  • Temporary Internet file (cache) path settings

  • Certificate information

  • Internet Programs (e‑mail, instant messenger, and other programs associated with Internet use)

  • Internet connection, proxy, and VPN settings

  • Default web browser setting

  • Toolbars are not restored

Not surprisingly, I could not reproduce this issue on my non-firm imaged “vanilla” Windows 7 workstation. To find the cause, I turned to Process Monitor and ran a trace of IE when I selected the Reset button in the Advanced tab of Internet Options. The trace was over 20k operations and I had no idea what I was looking for. Looking at the operations on the .lnk as they got deleted (CloseFile operation) was not going to tell me why the links were getting deleted. A file summary might help, however. My guess was that IE was reading a file somewhere to decide how to handle some of reset parameters. To quickly get a list of files, I used Tools > File summary and quickly saw what IE was performing most of its read operations on:

image

I navigated to C:\Program Files (x86)\Internet Explorer\CUSTOM and opened the INSTALL.INS file. I scanned the text file and spotted a suspect: FavoritesDelete=0x708F

image

Sure this was the cause, I deleted that line, opened IE, imported a few links, ran the Reset in IE again, closed, opened, and saw this time the IE Favorites were not deleted. Some quick research shows that the custom.ins file is deployed when the Internet Explorer Admin Kit is used to customize settings when IE is installed.

Another clue would be the log created after the IE Reset was done as it writes the changes in the brndlog.txt file (number 3 in the file summary image above):

image
image

Posted in Troubleshooting | Tagged: , | Leave a Comment »

The Case of the Runtime Error (or Check Your Time Zones & DST Settings)

Posted by William Diaz on May 7, 2012


One of our helpdesk technician’s in a remote office reached out to me recently and asked me to assist with an application that suddenly started crashing on him with the following error: “Microsoft Visual C++ Runtime Library. Runtime Error! This application has requested the Runtime to terminate it in an unusual way…”
image

Posted in Troubleshooting, Troubleshooting Tools | Tagged: , , , | Leave a Comment »

Quickly Configure Symbol Information for Process Monitor & Process Explorer

Posted by William Diaz on May 1, 2012


I often find myself running Process Monitor and Process Explorer on user workstations. But to get the most of either of these tools, you really need to configure symbols so you can accurately read thread and stack information when doing a deeper analysis of a process. This can often be a nuisance because I am a cut and paste type of guy and even after doing it numerous times, I still have trouble recalling the Microsoft symbol path. On top of that, many times I run these tools with the user connected so speed is a necessity. To work around that, I decided to write a small script that I can run from a file server that will do it for me. Run the script before your start either tool.

There is one prerequisite, however: you need the full dbghelp.dll from the Windows Debugging Tools as the debug help DLL in system32 is not sufficient. If you are running on both 32 and 64 bit systems, you will need to get both the 64 bit and 32 bit versions. Store them away on network share and modify the script below to look to that share. In my case, we are still a mixed environment so I renamed the 32 bit dbghelp to dbghelp32.dll while the 64 bit version remains unchanged and created two different scripts. The respective DLL will copied into a folder C:\DbgHelp on the local system .

I also added a 5 second duration for new open and close processes and threads.

const HKEY_CURRENT_USER = &H80000001
strComputer = "."
 
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
 
‘Process Explorer 64
 
strKeyPath = "Software\Sysinternals\Process Explorer"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath

strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

strValueName = "SymbolPath"
strValue = "http://msdl.microsoft.com/download/symbols"
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

strValueName = "HighlightDuration"
dwValue = 5000
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue

‘Process Monitor 64

strKeyPath = "Software\Sysinternals\Process Monitor"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath

strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

strValueName = "SymbolPath"
strValue = "http://msdl.microsoft.com/download/symbols"
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

‘Copy full dbghelp.dll 64 bit to folder DbgHelp.

Set oFSO = CreateObject("Scripting.FileSystemObject")
 
If Not oFSO.FolderExists( "C:\DbgHelp") Then
Set objFolder = oFSO.CreateFolder("C:\DbgHelp")
End If

Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.CopyFile "\\Server1\TechTools\dbghelp.dll", "C:\DbgHelp\"

Posted in Troubleshooting Tools | Tagged: , | Leave a Comment »

Investigating & Resolving Message Delays in Outlook with WinDbg

Posted by William Diaz on May 1, 2012


The problem starts after the user has had their Windows profile recreated but continues to experience some Outlook performance issues. Each time she clicks the New button in Outlook to create a new message, there is a 5 to 10 second delay before the blank message opens. There is also a 10+ second delay after she clicks send and Outlook becomes unresponsive for that time. I connect to her and quickly look at the Office Outlook registry for any unapproved 3rd party add-ins and see nothing out of the ordinary. I decide to dump the Outlook process when the hang is encounter and turn to Process Explorer. This is a simple matter of right-clicking the process and choosing Create Dump when it is in an unresponsive state. Actually, I collect two dumps, the other with Procdump in hang mode. I do this to ensure that the dumps are consistent; if the dumps are not similar then I may need to collect more until a pattern emerges.

I copied the dumps to my workstation and opened them with WinDbg and run the !analyze –v –hang command. The stack for both dumps are similar. With the exception of the NRTExchn component (our DMS add-in for Outlook), these are all MS modules. Normally, this wouldn’t excite me but something stands out like a sore thumb as I move up the stack, the presence of msi.dll in the stack of the current examine thread.

Read the rest of this entry »

Posted in Office, Troubleshooting, Troubleshooting Tools | Tagged: , , , , | Leave a Comment »

Citrix Receiver Excessive Registry Polling?

Posted by William Diaz on April 4, 2012


While running Process Monitor on my primary workstation, I noticed repetitive registry operations coming from Citrix Receiver application on the same keys:
image
How repetitive? 13,000+ registry operations per minute on my idle workstation with no active Citrix connections:
image
This applies to the Windows 7 client. I don’t see the same activity for the Windows XP client.

I recalled a reading in the Windows Internals 5th Edition:

“Because the registry implements the RegNotifyChangeKey function that applications can use to request notification of registry changes without polling for them, when you launch Process Monitor on a system that’s idle you should not see repetitive accesses to the same registry keys or values. Any such activity identifies a poorly written application that unnecessarily affects a system’s overall performance.”

I don’t know the internals of the Receiver application, but this leaves me wondering if there is some room for improvement by implementing RegNotifyChangeKey to make it less “noisy”.

Posted in Uncategorized | Tagged: , | Leave a Comment »

Unraveling and Resolving An Outlook Crash with Process Monitor

Posted by William Diaz on March 2, 2012


While trying to import documents into our document management system via Outlook, Outlook would just abruptly close on the user. I started the initial troubleshooting by disabling a couple 3rd party add-ins in HKLM and HKCU\Software\Microsoft\Office\Outlook\Addins that were not part of the normal image. This can be done by modifying the load behavior of the add-in (see this MSDN article for details), but this had no effect on correcting the behavior. I thought about capturing a crash dump of Outlook but decided to not waste any time there because, at this point, with the add-ins disabled, I likely was not going to see anything but the document management modules in the dump.

Instead, I turned to Process Monitor; perhaps it might reveal what Outlook was doing just before it crashed and give me some important clues. I set a filter to monitor only outlook.exe, dragged an item into the document management space in Outlook and waited for it to crash after clicking Save. Afterwards, I scrolled to end of the log, working my way up. I also added a filter to only include registry activity and then process and thread activity so I could quickly see where Outlook was crashing: Read the rest of this entry »

Posted in Office, Troubleshooting | Tagged: , , | Leave a Comment »

The Case of the Missing Visio Menu Bar

Posted by William Diaz on March 1, 2012


When opening Visio, the user didn’t see the common Menu Bar one normally see in Microsoft Office products before 2007. The menu bar contains the literal menu options like File, Edit, View, Insert, so on. There was also the presence of a 3rd party toolbar that didn’t look like it was properly functioning:
image
Perhaps the Menu bar was disabled. This can be checked by right-clicking in the menu bar area and selecting Customize, then Toolbars.
Read the rest of this entry »

Posted in Office, Troubleshooting, Troubleshooting Tools | Tagged: | Leave a Comment »

Resolve Symbols in Process Explorer-Monitor Without Installing the Debugging Tools

Posted by William Diaz on January 31, 2012


Sometimes when you are troubleshooting with Process Explorer, it’s helpful to be able to view functions in threads to isolate a problem. The same goes for Process Monitor when viewing the Stack tab in the properties of an operation. By default, Process Explorer and Process Monitor will point to the dbghelp.dll in the windows\system32 folder, but this is a stripped down version and doesn’t support symbol server functionality. Instead, you need the dbghelp.dll from the Windows Debugging Tools to properly resolve symbols, otherwise you will encounter the Process Explorer Warning box when you click the Threads tab in process properties:
image
Read the rest of this entry »

Posted in Uncategorized | Tagged: , , | Leave a Comment »

The Case of the IE Hangs and Missing PNG Images (or Killing Two Birds with One Stone)

Posted by William Diaz on January 9, 2012


The initial issue I was asked to look at started with Internet Explorer failing to gracefully exit. Instead, it would just hang and required manual intervention via the Task Manager to kill the iexplore.exe process. I connected remotely to the workstation and ran Process Explorer so I could examine IE’s threads for anything out of the ordinary. Sure enough, I saw the presence of a .tmp file:
Read the rest of this entry »

Posted in Troubleshooting | Tagged: , , , , , | 5 Comments »

The Case of the Missing SharePoint “Connect to Outlook” Action

Posted by William Diaz on December 1, 2011


This one originally came to me as a complaint from a single user about his inability to connect one of his SharePoint calendars to Outlook 2003. In most SharePoint lists, there is an Actions menu that should contain this option:
image
Often, this problem is resolved by installing the SharePoint Services Support for Office and/or simply repairing Office. You can also find a good guide to troubleshooting this issue here. But none of these options were resolving the issue. Additionally, as I began to investigate to see if the problem could be recreated on various tech workstations, I realized that the impact was not isolated to a single workstation, but almost all workstations in our helpdesk. Of the systems that were not affected, one of them resided on my desk, a lab PC that had since departed from the standard Windows XP Pro image we deploy firm-wide. Read the rest of this entry »

Posted in Office, Troubleshooting | Tagged: , , , | Leave a Comment »

« Previous Entries
 
Follow

Get every new post delivered to your Inbox.