Archive for July, 2012
Posted by William Diaz on July 25, 2012
This is an XP workstation so likely the post-mortem default debugger is capturing the exception. I UNC-navigate to \\computername\Documents and Settings\All Users\Application Data\Microsoft\DrWatson. I grab both the drwtsn32.log and user.dmp files. They have recent time stamps of the day before which means that they were likely created as a result of the issue the user was experiencing. I start by examining the log file, starting from the bottom working my way up. The user’s initial complaint was the IE was crashing when going to various websites. I expected to find iexplore.exe process crashing in the log. A few searches in the text file later, I find IE crashing on that day:
|
Application exception occurred:
App: C:\Program Files\Internet Explorer\iexplore.exe (pid=6828)
When: 7/24/2012 @ 11:28:13.701
Exception number: c0000005 (access violation)
|
Read the rest of this entry »
Posted in Troubleshooting | Tagged: Crash, Dr Watson, Dump, Malware, Process Explorer | Leave a Comment »
Posted by William Diaz on July 14, 2012
Often times when doing some basic crash or hang analysis on a program, !analyze –v is not going to cut it because the heuristics engine is not going to reveal an interesting stack. Or maybe I don’t know what I’m looking for. Or maybe I don’t know advanced WinDbg debug techniques. Or … whatever. I define an “interesting” stack is one that contains unexpected components. If I don’t see it, I usually move on to some other techniques.
One of the things I try when a dump has nothing to offer me is to just take a look at the last error thrown. To do this, simply employ the get last error command, !gle. For example, an Outlook crash (which can be notoriously difficult to analyze even for the advanced Windbg enthusiast) I was asked to examine where the !analyze –v heuristics engine wasn’t telling me anything meaningful (at least to me) and where !gle might help:
Read the rest of this entry »
Posted in Troubleshooting | Tagged: Crash, Dump, WinDbg | Leave a Comment »
Posted by William Diaz on July 13, 2012
After receiving a newly imaged workstation, one of our trainers noticed that the Use Aero Peek to preview the desktop feature was grayed out in the Task Bar properties:
Read the rest of this entry »
Posted in Troubleshooting | 1 Comment »
Posted by William Diaz on July 11, 2012
While troubleshooting some bizarre behavior in IE, I decided the only way to fix the problem was to uninstall IE 9 and reinstall it. To remove IE 9, you go to the Program Features > View installed updates and locate the IE 9 install under Microsoft Windows. One reboot later I ran the IE 9 installer and encountered the generic Windows Internet Explorer 9 failure message: “Internet Explorer did not finish installing…”
Read the rest of this entry »
Posted in Troubleshooting | Tagged: Internet Explorer | 3 Comments »
Posted by William Diaz on July 8, 2012
Just yesterday while taking a tour of my kids Standard User account on one of my Windows 7 system’s, I noticed I was unable to right-click a program and elevate it. The follow error was returned: “This program is blocked by group policy. For more information, contact your system administrator.”
Read the rest of this entry »
Posted in Troubleshooting | Tagged: Malware | 1 Comment »
Posted by William Diaz on July 8, 2012
We disable Outlook PSTs within our organization via group policy. This setting resides in the registry at HKCU\Software\Microsoft\Office\14\Outlook and is enforced with a DWORD value equal to 1. In some cases, though, we allow certain uses to continue to use PSTs. Those who do use PSTs, however, don’t necessarily have the ability to move items into these PSTs. That, too, is also disabled by creating a DWORD called PstDisableGrow in HKCU\Software\Policies\Microsoft\office\14.0\outlook\PST. If the value is to enable this, then you will encounter the following warning or error message when trying to copy or move item(s) into the PST: “Cannot copy the items. You don’t have appropriate permission to perform this operation”
Read the rest of this entry »
Posted in Office, Troubleshooting | Tagged: Outlook | Leave a Comment »
Posted by William Diaz on July 5, 2012
I was recently asked by a tech to look at someone’s system because they were concerned it may have malware installed in it. The reason for their suspicion was because after running Process Explorer they saw that Internet Explorer was being run as a child process of one of the Windows service host processes, svchost.exe:
A quick search on the Internet by the tech lead to a lot of hits referring to malware infection of some sort, which is what originally raised his suspicion. For example, searching “svchost.exe launches iexplore.exe” returns on the first page numerous hits pointing to malware:
A more reasonable explanation for why you sometimes see the Windows service host hosting iexplore.exe is because you likely have launched IE via a URL shortcut before opening IE itself. This is because the URL shortcut isn’t a program itself and needs to leverage the DCOM Server Process Launcher service inside svchost.exe to open Internet Explorer.
Posted in Inside Windows | Tagged: Internet Explorer, Malware | Leave a Comment »
Windows Explored 