Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for August, 2011

The Case Of The Corrupt Download

Posted by William Diaz on August 23, 2011


The following error was being reported while internal users were trying to install the latest Flash Player from Adobe: “Internal error… ABORT: Certificate authentication failed, please re-install to correct the problem. (/0)”

Zero Day Malware Cleaning with the Sysinternals Tools

Posted by William Diaz on August 18, 2011


Slides from Mark’s highly-rated Blackhat US 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.

http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf


A GUI for PsTools

Posted by William Diaz on August 4, 2011


One of my co-workers created this graphical user interface for the suite of PsTools from SysInternals.


Check it out here: http://www.davitools.com/fepstools/fepstools.aspx


virtualapp/didlogical–No, You Are Not Being Hacked

Posted by William Diaz on August 4, 2011


I came across this the other day while browsing the Credentials Manager in Windows 7:
I was a bit alarmed but after a little research I found these credentials are created when you use any of the Windows Live products or Windows XP mode.


Multiple Instances of msiexec.exe When C-State is Enabled

Posted by William Diaz on August 4, 2011


We recently started seeing a rash of performance issues and various program setup failures on different models of workstations. The problem can be identified as multiple instances of msiexec.exe running alongside ccmsetup.exe:
The performance issues I have seen were disk related, while others noted program installation failures. This seems to be specific to McAfee HIPS, ccmsetup.exe, permissions and a setting in the BIOS for C-State. C-State throttles the cores on multicore processors based on demand. To work around this, we have been disabling the C-State option under the Performance area in the BIOS.


UPDATE

I believe this TechNet Blog addresses the issue officially: http://blogs.technet.com/b/configurationmgr/archive/2011/10/31/information-regarding-mcafee-access-protection-rule-and-configmgr-2007-ccmexec-exe-behavior.aspx


Dumping A Thread to Find An Exception

Posted by William Diaz on August 3, 2011


Before any basic crash analysis, I always turn to the Windows Event Viewer to find signs of a problem. In the case here, the problem manifested itself as Outlook crashing when the user opened a particular Outlook form. Looking at the Windows Event Viewer, we see an application event for Outlook:

Is This What a Defective Hard Drive Behaves Like? (The Case Of The Random Workstation Hangs)

Posted by William Diaz on August 3, 2011


The nature of this problem made it difficult or impossible for the help desk to identify because there was nothing to look at that would tell the technician what was happening when these calls started coming in. They started as a complaint of general system slowness at random times throughout the day and were often being assigned to be looked at overnight, which resulted in zero findings because no one knew what they were looking for and could not experience the issue remotely. And if they did, in fact, run across the issue while logged on, they could not do anything anyway because the issue of the stalled workstation appeared as a remote connectivity problem and not necessarily a local hardware issue with the workstation.

As I started to hear about these issues, I became interested and kept an ear out for a user or two who was encountering the random hang. Identifying a workstation with the problem actually became rather simple because during the hang, a very specific series of events would kick off after the system resumed from the hung state. Isolating the cause, though, was a lot more involved. That’s because the nature of these issues is often software based, e.g. a system or application process was kicking off, or some low level driver was locking up the system. To assist me in that task of finding the culprit, I used a few tools, starting with the Windows XP Event Viewer, then moving to Process Monitor to collect process trace logs, WinDbg to examine manual crash dumps of the hanging system, Performance Monitor, and finally installing Windows 7 after all else failed to take advantage of its enhanced Event Tracing.

Some background. The workstation hangs for the most part coincided with the then recent deployment of new Dell Optiplex 960 and 980 workstations. The hangs were not “hard hangs”, a type of hang where the system becomes completely unresponsive and needs to be manually rebooted. The hangs being seen could be characterized as “soft” in that the workstation would eventually recover after a certain amount of time, usually between 2-5 minutes. During the hang, the mouse was still active but switching between applications was not possible and all keystrokes or commands became queued during the hang. Once the system recovered, any pending operations were executed immediately afterwards. There was no rhyme or reason to the hangs; they were entirely random and would happen several times a day while any user was logged on.

I connected to the workstations after hours and examined the event logs for anything out of the ordinary. Normally, I am looking for errors or warnings, and I was specifically focused on the System logs, hoping to see disk warnings indicating there were bad blocks on the hard drive. Not seeing anything there, I turned to the application logs but didn’t see anything that stood out there either. Looking at the other workstation, too, did not reveal anything telling.

With nothing to go on, I turned to the generic Information events and noticed that after each reported instance of a hang there were a slew of McLogEvent 257 events:


Some Strategies for Defeating Malware After the Fact

Posted by William Diaz on August 2, 2011


Here is a quick guide to some methods for defeating malware after you have been infected. I have used all of these myself (with the exception of the Desktops utility mentioned below) to successfully isolate and remove malware after it has found its way onto the computer.

Outlook 2010 Disables Windows Search Email Indexer … By Design

Posted by William Diaz on August 2, 2011


As more organizations start migrating toward Outlook 2010 and Windows 7, you are bound to start seeing complaints of the Windows Search Email Indexer being disabled:
There is no shortage of misinformation on the Internet about the subject that explains how to enable this add-in and regain the missing search functionality. Ignore all of it. This is by design. Windows Search is already part of Vista and Windows 7, and there is nothing wrong with Outlook or Windows. See the details in this Microsoft KB article: http://support.microsoft.com/kb/2385524


Making Sense of Memory Metrics in the Windows 7 Task Manager

Posted by William Diaz on August 1, 2011


In an earlier blog, I covered memory metrics in the Windows XP Performance tab. Here, I’ll be covering this in Windows 7.