Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for July, 2010

HP 1020 1022 Print Drivers Crashing the Print Spooler

Posted by William Diaz on July 21, 2010

We see numerous complaints about missing printers. This will happen when the Windows print spooler (spoolsv.exe) is not running, and we often see this complaint with those set up with personal HP 1020/1022 printers. While attempting to print PDFs, or after printing PDFs, the print spooler is crashing. The drwtsn32.log and user.dmp files in C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson all point to the same culprit, the HP ZSR.dll print driver. Here is an excerpt from the drwtsn32.log: Read the rest of this entry »


Posted in Troubleshooting

Outlook 2007/2010 File Delete Quirk

Posted by William Diaz on July 20, 2010

I ran into this one when troubleshooting The Case of the Crashing Email with a different version of Outlook. I created a test folder to save the crashing email message attachments. When I was done, I went to delete the folder and received: “Error Deleting File or Folder. Cannot delete filename. It is being used by another person or program…”
Read the rest of this entry »

Posted in Troubleshooting, Troubleshooting Tools

Forcing a System Crash on an Unresponsive PC

Posted by William Diaz on July 20, 2010

This one comes in handy when a Windows-based PC experiences a so-called “hard hang” and you need to force it to bug check and produce a dump for debug purposes. From the Windows registry:

  • For USB keyboards go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters, create a DWORD value named CrashOnCtrlScroll equal to 11
  • For PS/2 keyboards go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters, create a DWORD value named CrashOnCtrlScroll equal to 1

You will need to reboot afterwards. A crash can now be initiated by holding down the right CTRL key and pressing the Scroll Lock key twice. Read the rest of this entry »

Posted in Troubleshooting

Advanced Malware Cleaning

Posted by William Diaz on July 18, 2010

This is an excellent webcast by Mark Russinovich on how to use various tools (mainly those from SysInternals) to detect and clean malware. You can find it here:

Posted in Troubleshooting, Troubleshooting Tools

Using the Debug Diagnostic 1.1 Tool to Troubleshoot Application Crashes

Posted by William Diaz on July 18, 2010

In cases where the post-mortem default debugger, e.g. Dr Watson in XP, fails to capture a user mode dump of a crashing process or service, you need to be a bit proactive and attach to the crashing application. You can do this a number of ways, such as using ADPlus or WinDbg from the Windows Debugging Tools, but this may not be practical on a user’s workstation (big footprint, invasive, process does not run transparently). Also, the crash may be too random to recreate quickly or at will.

In these circumstances, Debug Diagnostics comes in very useful. It has a small footprint, runs as a Windows service, can be quickly set up via rules, and the GUI can then be closed and left to wait for the target process to crash. Afterwards, a dump can be retrieved from the system remotely, and impact on the user remains minimal. Additionally, Debug Diagnostics can also analyze the dump created and find a solution online.

Outlined is a basic setup, attaching Debug Diagnostics to crashing instances of Internet Explorer. In the example here, I am creating a crash rule for a specific process:

Posted in Troubleshooting, Troubleshooting Tools

“My Computer” Taking Too Long to Open

Posted by William Diaz on July 18, 2010

I have run into this a couple times on different workstations and thought I would share with you how the culprit was identified and resolved. The problem manifested itself as the “My Computer” window getting hung after opening. The delay would range anywhere from 30 seconds to a couple minutes. The same would also happen for “Printers and Faxes” and “Scanners and Cameras”.

I started by connecting to the workstation Event Viewer remotely and saw a few instances of a WIA error: “The Windows Image Acquisition (WIA) service terminated unexpectedly…” I checked the WIA service and saw it was stopped. Since the service does not necessarily need to be running if the devices are not in use, it didn’t really raise any eyebrows. However, an attempt was made to start the service, but it failed. Some quick research pointed to the possibility that the Windows Image Acquisition service was failing due to a driver issue with a connected image device. I eventually came across this Microsoft KB article: Enable Logging of Wiadebug.log in Windows XP.

The information describes a method to enable WIA trace logging. The article points out that this can be used by developers for troubleshooting drivers during development, but I figured why not use it to troubleshoot the WIA service itself. Read the rest of this entry »

Posted in Troubleshooting

The Case of the Temporary Registry Profiles

Posted by William Diaz on July 9, 2010

After getting hooked on Mark Russinovich’s blogs, I came across this, an excellent read:

We ran into this issue ourselves and it had everyone stumped until I found this blog post. Demonstrates the power of Process Monitor and specifically the boot logging feature.

Posted in Troubleshooting, Troubleshooting Tools

The Case of the Hidden Scheduled Tasks

Posted by William Diaz on July 9, 2010

This case provided a good opportunity to use Sysinternals’ Autoruns to detect and remove some malware that had found its way onto one of our workstations. What was happening was that some unknown process on this workstation was going out to the Internet at the same time every hour and attempting to download a suspicious executable named Zl0.exe and drop it in the local temp folder for the user, which by default is C:\Documents and Settings\username\Local Settings\TEMP\ for Windows XP (actually, we redirect this to a custom folder).

We knew this because our virus protection had been configured to stop all unknown exe files from writing to or starting from this location. The attempt to download the file was stopped by the host intrusion detection, but the process responsible for trying to download it was undetected.

Before starting, I verified Zl0.exe was, in fact, malware by searching it on the Internet. A quick scan of the system’s running processes with Process Explorer didn’t reveal anything out of the ordinary. Since the download was taking place each hour, I assumed the Windows Task Scheduler job was involved. The Task Scheduler is actually a service hosted within svchost.exe, along with many other services, so killing the process was not really practical. Another advantage to relying on the Task Scheduler was that the suspicious process could be started by a legitimate process, run, attempt to do what it wants to do, stop, and when you go to investigate with process monitoring utilities, it is not detected.

To confirm my suspicion, I opened the Task Scheduler. However, there were no abnormal scheduled jobs, even after checking the View Hidden Tasks from the Advanced menu:

Posted in Troubleshooting Tools

Printing Headers and Footers in IE 7 and IE 8

Posted by William Diaz on July 8, 2010

Every now and then the need arises where a user needs to print a web page with a custom header and footer for filing or reference purposes. We are still pretty much running on an Internet Explorer 7 platform (sigh) so this can be somewhat cryptic as IE 7 uses codes to determine what and where header and footer information is printed. Header/Footer codes are accessed from the File > Page Setup menu in IE: Read the rest of this entry »

Posted in Inside Windows

Outlook Express Compact Messages Prompt

Posted by William Diaz on July 8, 2010

Every now and then someone would complain about this message appearing after logon: “To free up disk space, Outlook Express can compact messages…”

The problem was that they failed to complain to the right person. Eventually, one of my co-workers encountered it and asked me to investigate. We thought it odd because we used Outlook, not Outlook Express. To quickly identify the culprit, I turned to Process Explorer from SysInternals and used the Find Window’s Process menu icon. Simply drag the crosshairs over the window in question and Process Explorer highlights the process. You can see below the process identified was WindowsSearch.exe: Read the rest of this entry »

Posted in Inside Windows, Troubleshooting