Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for the ‘Troubleshooting Tools’ Category

Login Issue and Mandatory Profiles

Posted by William Diaz on October 4, 2013


An interesting little quickie. After moving to mandatory profiles in a Citrix environment, a particular ActiveX web application would no longer allow logins. There was no error message of any kind, and it continued to work in another Citrix environment without mandatory profiles. I fired up Process Monitor and ran a short trace of Internet Explorer to capture everything that happened after I clicked Login. Nothing interesting really stood out, but there was some hope in an activity log I saw the application writing to:

[screenshot]

Opening the log showed:

[W]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure while trying to acquire the crypto context/container (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013
[I]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failed while initializing the crypto context (GetLastError()=-2146893788 (The profile for the user is a temporary profile.)), I will try and re/generate a brand new container Thu Oct 03 22:46:00 2013
[E]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure, can’t acquire, nor create a new container (2) (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013

 

Some quick research pointed me to the Microsoft article “RSACryptoServiceProvider fails when used with mandatory profiles”. In short:

RSACryptoServiceProvider calls CryptAcquireContext API (http://msdn2.microsoft.com/en-us/library/aa379886.aspx) behind the scenes to get a handle to a key container within a CSP (Cryptographic Service Provider). CryptAcquireContext will fail with NTE_TEMPORARY_PROFILE error when called from a mandatory profile.

Mandatory profiles are read-only user profiles. Since changes to the mandatory profile cannot be saved, PKI design doesn’t allow this operation, and CryptAcquireContext prevents this scenario by failing.
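The following is an added example, not code from the original post: it decodes the GetLastError() value in the application's log (-2146893788 is the signed form of HRESULT 0x80090024, NTE_TEMPORARY_PROFILE) and probes CryptAcquireContext through RSACryptoServiceProvider the same way the application does. The probe container name is made up, and the machine key store switch is an option the post itself does not cover.

```powershell
# Added example (not from the original post): decode the GetLastError() value from the
# application's log, then probe CryptAcquireContext the way RSACryptoServiceProvider does.
# The log line is copied from the post; the probe container name is made up.
$logLine = '[W] 2013/10/03 22:46:00 PM fyiCryptAcquireContext(): CryptAcquireContext() failure while trying to acquire the crypto context/container (GetLastError() -2146893788, (The profile for the user is a temporary profile.))'

# Well-known NTE_* HRESULTs from winerror.h, keyed by their hex form
$nteCodes = @{ '80090016' = 'NTE_BAD_KEYSET'; '80090024' = 'NTE_TEMPORARY_PROFILE' }

function ConvertTo-HResult([int]$SignedError) {
    # The log printed the 32-bit HRESULT as a signed integer; reinterpret the same bits unsigned
    [BitConverter]::ToUInt32([BitConverter]::GetBytes($SignedError), 0)
}

function ConvertFrom-CryptoLogLine([string]$Line) {
    if ($Line -match 'GetLastError\(\)=?\s*(-?\d+)') {
        $hr   = ConvertTo-HResult ([int]$Matches[1])
        $hex  = '{0:X8}' -f $hr
        $name = $nteCodes[$hex]
        if (-not $name) { $name = 'unrecognised' }
        '{0} -> 0x{1} ({2})' -f $Matches[1], $hex, $name
    }
}

function Test-KeyContainer {
    param([string]$Name = 'WinExploredProbe', [switch]$MachineKeyStore)
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $Name
    # The machine key store lives outside the user profile, so a mandatory profile does not
    # block it; this option goes beyond what the post itself covers
    if ($MachineKeyStore) { $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore }
    try {
        $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider($csp)
        $rsa.PersistKeyInCsp = $false   # remove the probe container when cleared
        $rsa.Clear()
        'OK: key container acquired'
    } catch [System.Security.Cryptography.CryptographicException] {
        # On a mandatory profile this is "The profile for the user is a temporary profile."
        'FAILED: ' + $_.Exception.Message
    }
}

ConvertFrom-CryptoLogLine $logLine
Test-KeyContainer
Test-KeyContainer -MachineKeyStore
```

Run it as the affected user inside the Citrix session; the user-store probe reproduces the application's failure while the machine-store probe shows whether a container outside the profile is an acceptable way around it.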


Posted in Troubleshooting Tools

Some CCM Client Workstations Failing to Install Updates

Posted by William Diaz on October 2, 2013


While browsing various reports on workstation compliance, I noticed that several updates had failed to install on a large number of computers. Although we don’t expect 100% compliance with thousands of workstations in our environment, something odd was going on here: many of the updates that failed to install had failed on the same computers, i.e. they were not just random computers across the various reports. For example, below is a report for various updates that were missing from roughly the same set of computers:

[screenshot]

After some research in the CCM logs, I noticed a repetitive theme in the C:\Windows\SysWOW64\CCM\Logs\UpdatesDeployment.log: “Install not allow as another job is still in progress”:

[screenshot]

Using the SCCM Client Center utility, we compared the time in the logs to Advertisement > Execution History in the SCCM Client Center and saw nothing that was actually trying to install at that time. Out of ideas, I decided to delete the root\CCM namespace (also possible with the SCCM Client Center utility) on a few of the problem workstations from the reports above. After a few minutes, I noticed the CCM cache in C:\Windows\Syswow64\CCM\Cache was rebuilt, pulling several pending updates. The next step was to wait for the SCCM service windows to pass. The next day when I came in, I remotely checked the workstations’ Setup event logs and saw that several (sometimes dozens) of the pending updates had installed successfully.

Knowing that we had a problem with the CCM namespace, I followed up with some more research. My digging around eventually led me to what might have been an update that was advertised to these computers but likely pulled before it could be deployed. Specifically, I found that each update gets a unique update ID. To the CCM agent, this property is known as the AssignmentID, which resides in the instances of CCM_DeploymentTaskEx1 in the root\CCM\SoftwareUpdates\DeploymentAgent namespace. I went around to several workstations in the SCCM reports, ran wbemtest.exe and saw the same AssignmentId(s) across all the computers in the reports:
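As an added example (not code from the original post), this does the wbemtest survey across a set of workstations in one go and pulls the "another job is still in progress" lines from the log the post names. The computer names are assumed; the namespace, class and log path come from the post.

```powershell
# Added example (not from the original post): read AssignmentId from CCM_DeploymentTaskEx1
# on each workstation in a report, find the IDs common to all of them, and pull the
# "another job is still in progress" lines from UpdatesDeployment.log.
$computers = 'WKS001', 'WKS002', 'WKS003'   # assumed names; use the machines from the report

function Get-CcmDeploymentTasks {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            Get-WmiObject -ComputerName $c -Namespace 'root\CCM\SoftwareUpdates\DeploymentAgent' `
                          -Class CCM_DeploymentTaskEx1 -ErrorAction Stop |
                ForEach-Object { New-Object PSObject -Property @{ Computer = $c; AssignmentId = $_.AssignmentId } }
        } catch {
            Write-Warning ('{0}: {1}' -f $c, $_.Exception.Message)
        }
    }
}

function Get-StuckJobLogLines {
    param([string]$ComputerName, [int]$Last = 5)
    # Log path from the post, reached over the admin share
    $log = "\\$ComputerName\admin`$\SysWOW64\CCM\Logs\UpdatesDeployment.log"
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'Install not allow as another job is still in progress' -SimpleMatch |
            Select-Object -Last $Last | ForEach-Object { $_.Line }
    }
}

$tasks = Get-CcmDeploymentTasks -ComputerName $computers
# An AssignmentId present on every surveyed machine is the stuck-deployment suspect the post describes
$tasks | Group-Object AssignmentId | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Computer -Unique).Count -eq $computers.Count
    } | Select-Object @{ n = 'AssignmentId'; e = { $_.Name } }, Count

foreach ($c in $computers) { Get-StuckJobLogLines -ComputerName $c }
```

The survey is read-only; deleting the root\CCM namespace, as the post did, is a separate and disruptive step that forces a full client re-evaluation.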


Posted in Troubleshooting, Troubleshooting Tools

The Case of Google Earth Interrupting Internet Connectivity

Posted by William Diaz on September 11, 2013


So today I received another complaint of Google Earth causing Internet connectivity problems. In the past, I had ignored these because I was never able to recreate the issue, as I did not have enough information on the method being used to cause it. This time I was a little more determined, so I had one of the helpdesk techs show me first hand what was happening, and armed with that I went off to install Google Earth on a lab machine and attempt to recreate it. The steps to recreate are rather straightforward: just do a few searches and lots of zooming or scrolling in Google Earth until connectivity drops. The telltale sign that Internet connectivity had been lost was the Tour Guide pane going blank:

[screenshot]

When operating normally, the Tour Guide pane displays images relevant to the place you are searching or viewing. At this point, any browser would also fail to connect to any external resource, e.g. the Internet, returning a page not found or other connectivity failure message. After what seemed like a couple minutes, connectivity would then be restored.

Some troubleshooting had already been attempted earlier by pointing the browser to an unmanaged (free-for-all) proxy, which avoided the problem. My guess at that point was that our TMG was somehow cutting the connection for the workstation for some amount of time. Why? I also assumed that Google Earth was simply saturating the TMG with too many requests. Think about it: every search, zoom, scroll and pan is basically a request for an image file. Keep doing that in a short period and you are likely to convince some hardware or software appliance that a DoS attack is taking place. To back up my hypothesis, I turned to my latest favorite tool, Network Monitor. I started a trace, reproduced the issue and stopped the trace. The capture was fairly large, so I needed to set a filter. Some quick searching through the standard filters revealed a filter for HTTP errors (Load Filters > HTTP > http Error). After applying the filter, I could see the issue:

[screenshot]

502 Bad Gateway – Proxy Error (The number of HTTP requests per minute exceeded the configured limit). Some quick research pointed to the Forefront TMG article “Overview of flood mitigation”. In short, TMG rules may have to be modified or created to bypass flood mitigation for Google Earth. Currently, these are the two servers Google recommends for bypass:

  • maps.google.com
  • geoauth.google.com

This is also known to be an issue for home and small offices that are not behind a proxy. In those cases, it is likely the router’s firewall-DoS configuration that is the culprit.
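As an added example (not from the original post), the following counts HTTP requests per client per minute from a trace export, which is what the flood-mitigation limit measures, and shows which destination dominates for a client that crosses it and whether that host is on the bypass list above. The trace rows are constructed, and the 600-per-minute limit is an assumed value; read the real one from the TMG flood mitigation settings.

```powershell
# Added example (not from the original post): per-minute request counts per client from a
# trace export, to see what pushes a client over a proxy flood-mitigation limit.
# Rows are constructed as timestamp,clientIP,host; the limit is an assumed value.
$limitPerMinute = 600
$bypassHosts = 'maps.google.com', 'geoauth.google.com'   # hosts Google recommends bypassing (from the post)

# Constructed trace: one client makes 650 image requests to maps.google.com within one minute,
# plus a little unrelated traffic from it and from a second, quiet client
$trace = @()
foreach ($i in 1..650) { $trace += '2013-09-11 10:15:{0:D2},10.1.1.25,maps.google.com' -f ($i % 60) }
foreach ($i in 1..20)  { $trace += '2013-09-11 10:15:{0:D2},10.1.1.25,example.com' -f ($i % 60) }
foreach ($i in 1..30)  { $trace += '2013-09-11 10:15:{0:D2},10.1.1.40,example.com' -f ($i % 60) }

function Get-FloodSuspects {
    param([string[]]$Rows, [int]$Limit)
    $parsed = foreach ($r in $Rows) {
        $t, $ip, $dest = $r.Split(',')
        New-Object PSObject -Property @{ Minute = $t.Substring(0, 16); Client = $ip; Dest = $dest }
    }
    # Flood mitigation counts requests per client per minute regardless of destination,
    # so group on those two and only then look at where the requests went
    $parsed | Group-Object Minute, Client | Where-Object { $_.Count -gt $Limit } | ForEach-Object {
        $top = $_.Group | Group-Object Dest | Sort-Object Count -Descending | Select-Object -First 1
        New-Object PSObject -Property @{
            Minute              = $_.Group[0].Minute
            Client              = $_.Group[0].Client
            Requests            = $_.Count
            TopHost             = $top.Name
            TopHostInBypassList = ($bypassHosts -contains $top.Name)
        }
    }
}

Get-FloodSuspects -Rows $trace -Limit $limitPerMinute |
    Format-Table Minute, Client, Requests, TopHost, TopHostInBypassList -AutoSize
```

With the constructed data only 10.1.1.25 is reported (670 requests, top host maps.google.com, already on the bypass list); a client whose top host is not on the list is the case where a new bypass rule would be considered.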

Posted in Troubleshooting Tools

Some Quick Troubleshooting with IE Developer Debug Tools

Posted by William Diaz on August 29, 2013


I probably spent too much time trying to figure this one out, especially considering I have used the IE Developer Tools (F12) to troubleshoot IE issues in the past, and the fix would have been amazingly fast if I had employed this resource at first. The problem was that a user was unable to view patent images from a website. In the past, this site had used different file formats to send the pages to the browser, such as TIFF. However, regardless of the TIFF viewer application installed, the pages would not render in the browser. Instead there was a red x displayed indicating the image could not be loaded.

After about half an hour of troubleshooting, I pressed F12, selected the Script tab in the Developer Tools to see what the JavaScript wanted to do, and saw my answer near the bottom of the script:

[screenshot]

The webpage was not trying to deliver a TIFF file. Instead, it wanted to send a PDF. The fix? Change the PDF application (Adobe in this case) to display PDFs in the browser. I also should not have listened to the user insisting that the problem was with TIFFs.

Posted in Troubleshooting Tools

A Little Netmon Goes a Long Way

Posted by William Diaz on August 13, 2013


You don’t necessarily need to be a network guru to use Microsoft Network Monitor. I have used it more than a few times to troubleshoot client-side applications that fail to connect to external resources for whatever reason. For example, a user was unable to log on to some external server, receiving the following error: “The remote server returned an error: (502) Bad Gateway”.

[screenshot]

I tried the site myself with Netmon capturing a trace and saw the remote server was trying to establish a secure connection through a port other than the common 443:

[screenshot]

And here is where printing from a remote app was failing to pass through our TMG proxy:

[screenshot]


Posted in Troubleshooting Tools

Failure Connecting to Printer

Posted by William Diaz on July 9, 2013


I have only seen a handful of these previously and encountered another one recently, so with time permitting I decided to look at it more in depth. The issue was that on one particular workstation, regardless of the account being used, we were unable to connect to a particular model of printer. Navigating to the print server share, right-clicking the printer and selecting Connect resulted in the following error: “Connect to Printer. Windows cannot connect to the printer.”

[screenshot]

The details stated that the “Operation failed with error 0x00000057.” Looking up that status code was of no help; it simply means ERROR_INVALID_PARAMETER.

The error may also present itself as: “Printer driver was not installed. Operation could not be completed (error 0x00000057).”

[screenshot]

Initial troubleshooting involved deleting the printer, then going into the Print Management console, selecting the related print drivers and deleting them. This requires admin permissions, and you must stop and start the spooler to unhook any drivers held by the spooler process. This does two things: it purges the drivers from C:\Windows\System32\DriverStore\FileRepository and cleans the registry of the printer and print driver references. In this case, this failed to correct the problem.


Posted in Troubleshooting, Troubleshooting Tools

A Perfmon View of Bad Blocks

Posted by William Diaz on March 6, 2013


In the past week or so, a couple of workstations in different offices were brought to my attention for exhibiting poor performance. Suspicious of disk bottlenecks, I remotely connected perfmon physical disk counters to both and saw excessive time spent writing to the disk and the current disk queue length spiking while the workstations were logged on but idle. Here is a snapshot of both PCs:

[screenshot: first PC]

[screenshot: second PC]

Looking at the System event logs revealed numerous errors with source “disk” and Event ID 7, otherwise known as bad blocks. On one of the problem workstations the print spooler kept shutting down after being started. If system files or program-critical files sit across these bad blocks on the disk, performance issues or otherwise abnormal behavior is bound to ensue. Run chkdsk to attempt a repair.
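As an added example (not code from the original post), this samples the physical disk counters the post looked at on a remote workstation and pulls the disk Event ID 7 entries from its System log in one call, so the two observations above can be checked together. The computer name is assumed.

```powershell
# Added example (not from the original post): sample the physical-disk counters from the
# post on a remote workstation and fetch its disk Event ID 7 (bad block) events.
function Get-DiskHealthSnapshot {
    param([string]$ComputerName, [int]$Samples = 5)
    $counters = @(
        '\PhysicalDisk(_Total)\Current Disk Queue Length',
        '\PhysicalDisk(_Total)\% Disk Write Time',
        '\PhysicalDisk(_Total)\Avg. Disk sec/Write'
    )
    $perf = Get-Counter -ComputerName $ComputerName -Counter $counters -SampleInterval 2 -MaxSamples $Samples
    # Summarise each counter over the sampling window
    $summary = $perf.CounterSamples | Group-Object Path | ForEach-Object {
        New-Object PSObject -Property @{
            Counter = $_.Name.Split('\')[-1]
            Avg     = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 4)
            Max     = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Maximum).Maximum, 4)
        }
    }
    # Source "disk", Event ID 7: the bad-block errors the post found in the System log
    $badBlocks = @(Get-WinEvent -ComputerName $ComputerName -MaxEvents 50 -ErrorAction SilentlyContinue `
                       -FilterHashtable @{ LogName = 'System'; ProviderName = 'disk'; Id = 7 })
    New-Object PSObject -Property @{
        Computer      = $ComputerName
        Counters      = $summary
        BadBlockCount = $badBlocks.Count
        LastBadBlock  = if ($badBlocks.Count -gt 0) { $badBlocks[0].TimeCreated } else { $null }
    }
}

$snap = Get-DiskHealthSnapshot -ComputerName 'WKS001'   # assumed name
$snap.Counters | Format-Table Counter, Avg, Max -AutoSize
'{0}: {1} bad-block events in the last 50 checked, most recent {2}' -f $snap.Computer, $snap.BadBlockCount, $snap.LastBadBlock
```

A queue length that stays above the number of spindles while the machine is idle, together with any Event ID 7 entries, is the combination the post describes; the counters alone can also come from antivirus scans or indexing, so the event log is what points at the disk itself.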

Posted in Troubleshooting Tools

A Recent and Quick Encounter with “Ransomware”

Posted by William Diaz on October 21, 2012


While browsing the Internet last night from one of my home PCs, I was suddenly hit with the following full screen warning: “THE FBI Federal Bureau of Investigations. ATTENTION! Your PC is blocked due to at least one of the reasons specified below…”

[screenshot: Ransomware]

Posted in Troubleshooting, Troubleshooting Tools

The Case of the Slowly Opening Or Unresponsive Office Files

Posted by William Diaz on August 15, 2012


After a recent security update for our XP workstations, a couple of complaints came in where users were having difficulty opening Microsoft Office files across the network. In some cases, the file would open, but only after a delay of a few minutes. In other cases, the file would not open at all, causing the Office application (Word, Excel) to become unresponsive and hang. The files were not ridiculously large, and opening the same files locally did not present a problem. Identifying the cause was a simple matter of turning to Process Explorer and examining the stack of the working program thread:

[screenshot]

You can see the stack growing with a couple dozen calls to some component named GKExcel.dll. Turning on the Lower Pane to view DLLs (View > Lower Pane View > DLLs), I can see it is described as Microsoft Component, but the description is too generic to make out the purpose:

[screenshot]

However, one of the functions may allude to its purpose and how it got here. Searching for FValidateExcelFile takes me to the MS KB article “Excel workbooks may open slowly over the network”:

After you install MS11-021 and the Office File Validation (OFV) Add-in for Microsoft Office 2003 (KB 2501584), workbooks stored in a network location open more slowly over the network in Excel 2003 than they did without the OFV installed. The decrease in performance depends on the size of the workbook and bandwidth of the network, and in some scenarios, can seem to cause Excel to crash.

The issue is not specific to Excel, however. Word files were taking several minutes to open as well. Resolving is a simple matter of uninstalling the Microsoft Office File Validation Add-in or modifying the registry to make an exception for the application opening the file. To do this:

  • Go to HKCU\Software\Policies\Microsoft\Office\<ver>\<application>\Security.
  • Create a new key called FileValidation
  • Create a DWORD value called EnableOnLoad with a value of 0

If uninstalling across the enterprise, then: msiexec /x {90140000-2005-0000-0000-0000000FF1CE} /quiet
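As an added example (not code from the original post), this applies the registry exception from the steps above for one application at a time; 11.0 is assumed to be the right version number here because the KB text refers to Office 2003, and the product code in the commented uninstall line is the one quoted in the post.

```powershell
# Added example (not from the original post): create the FileValidation\EnableOnLoad=0
# exception from the post for one Office application, then read it back.
function Set-OfvLoadException {
    param(
        [string]$Version = '11.0',        # Office 2003
        [string]$Application = 'Excel'    # or 'Word'
    )
    $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$Application\Security\FileValidation"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableOnLoad' -Value 0 -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $key -Name 'EnableOnLoad' | Select-Object PSPath, EnableOnLoad
}

Set-OfvLoadException -Application 'Excel'
Set-OfvLoadException -Application 'Word'

# Enterprise alternative from the post: remove the OFV add-in entirely (run elevated)
# Start-Process -FilePath msiexec.exe -ArgumentList '/x {90140000-2005-0000-0000-0000000FF1CE} /quiet' -Wait
```

EnableOnLoad=0 means that application opens binary Office files without the OFV check, so scope the exception to the applications that actually show the delay rather than every Office program.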

Posted in Office, Troubleshooting, Troubleshooting Tools

The Case of the Missing Task Manager and Registry Editor part II (Windows Advanced ToolKit Malware)

Posted by William Diaz on June 28, 2012


I was originally introduced to this by a co-worker who wanted me to look at someone’s netbook, and I wrote about it here. The malware/scareware program had already been removed from the system, but the damage it had done was left behind. Cleaning it up manually, though, would not be too difficult. As pointed out there, it counters the user’s attempts to stop it by taking advantage of a built-in mechanism Windows uses for debugging applications, pointing Task Manager and Regedit to its own fake anti-virus process. Further, it also counters anti-malware utilities and virus security suites by creating registry keys with the same Debugger string pointing to svchost.exe, which is not able to run other executables. The key to getting access to the registry and the task manager directly was to use AutoRuns.
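As an added example (not code from the original post), this lists every Image File Execution Options entry carrying a Debugger value, which is the redirection mechanism the paragraph describes, and flags the patterns from the post: Task Manager or Regedit handed to another binary, or anything handed to svchost.exe. The registry paths are the standard IFEO locations, which the post does not name.

```powershell
# Added example (not from the original post): audit Image File Execution Options Debugger
# values, the mechanism the post describes for redirecting taskmgr/regedit and security tools.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # Executable the Debugger value points at: the quoted path, or the first token
            if ($dbg -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = $dbg.Split(' ')[0] }
            # svchost.exe cannot launch the original program (the post's AV-blocking trick),
            # and taskmgr/regedit should not normally have a debugger registered at all
            $suspicious = ($exe -match 'svchost\.exe$') -or
                          ($key.PSChildName -match '^(taskmgr|regedit)\.exe$') -or
                          -not (Test-Path -LiteralPath $exe)
            New-Object PSObject -Property @{
                Image      = $key.PSChildName
                Debugger   = $dbg
                Suspicious = $suspicious
            }
        }
    }
}

Get-IfeoDebuggerEntries | Sort-Object Suspicious -Descending | Format-Table Image, Debugger, Suspicious -AutoSize
```

Legitimate debugger registrations (developer tools, for instance) show up here too, so the flag only highlights the post's pattern; review each entry before removing a Debugger value, which is what the AutoRuns step in the post amounts to.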

As it happened, a couple of days ago the wife started complaining that she kept getting persistent firewall popups. I told her to click Allow and let me sleep. Then she mentioned another popup that she said was scanning the system and finding viruses. This sounds like classic scareware, and when I take a look I see this:

Posted in Troubleshooting, Troubleshooting Tools