Archive for the ‘Troubleshooting Tools’ Category
Posted by William Diaz on June 11, 2012
I had a USB flash device that just stopped working suddenly. When I plugged it in, the following message popped up in Windows: “You need to format the disk in drive before you can use it.”

That was odd because earlier it was formatted with FAT32 and seemed to be working normally (I had copied files to it). Luckily, I didn’t have anything important stored on it, so I clicked Format disk, was then presented with the format options and selected Start.
Posted in Troubleshooting, Troubleshooting Tools | 57 Comments »
Posted by William Diaz on June 5, 2012
I was recently given a netbook to look at after it was hit by some malware. The malware exe had already been removed but it left a few common system utilities like the Task Manager and the Windows Registry Editor in a dysfunctional state. Furthermore, popular anti-malware utilities and anti-virus utilities were also not able to run. For example, trying to run taskmgr.exe or regedit produced the following error: “Windows cannot find ‘C:\Windows\system32\taskmgr.exe’…”

Posted in Troubleshooting, Troubleshooting Tools | Tagged: Autoruns, Malware | 3 Comments »
Posted by William Diaz on June 1, 2012
This was initially described as a log off each time the user opened Outlook. This was the first time I had heard of Outlook logging someone off their system when it was opened. This sparked my curiosity, of course, so I asked the techs working on this to leave it alone until I had a chance to look after hours. I started by connecting remotely to the Windows Event Viewer for the problem workstation to see if anything obvious stood out. After about a minute, the MMC console hung and I could no longer browse events. I thought maybe the workstation had become disconnected from the network, so I waited and tried again a few minutes later. I resumed browsing the event logs … only to get disconnected again. Logging in via RDP or VNC was also a no go, as I was getting disconnected after about 2 minutes, barely enough time to get past the initial desktop and application loading and analyze what was happening. My next approach was to query the workstation for all the running processes via PsList from SysInternals (using the Front End for PsTools); maybe something might stand out and allude to what was happening:

Posted in Troubleshooting, Troubleshooting Tools | Tagged: Autoruns, Crash, Dump, Malware, WinDbg | 2 Comments »
Posted by William Diaz on May 14, 2012
After logging onto my main home PC and opening IE, I noticed lag while repositioning the window around the screen. I opened the Task Manager, sorted by the CPU column and saw no single process reporting excessive usage:
Nor was the hard disk light blinking or solid. However, looking at the Performance tab revealed two of the CPU cores hovering around 100%:
Posted in Troubleshooting, Troubleshooting Tools | Tagged: Performance | Leave a Comment »
Posted by William Diaz on May 7, 2012
One of our helpdesk technicians in a remote office reached out to me recently and asked me to assist with an application that had suddenly started crashing on him with the following error: “Microsoft Visual C++ Runtime Library. Runtime Error! This application has requested the Runtime to terminate it in an unusual way…”

Posted in Troubleshooting, Troubleshooting Tools | Tagged: Crash, Dump, Process Monitor, WinDbg | 1 Comment »
Posted by William Diaz on May 2, 2012
A couple of weeks ago a co-worker asked me if it was possible to recover text from a hung application. The user had spent a good amount of time typing into a text field and, upon trying to submit the information, IE hung and would not recover. The user didn’t want to have to retype everything from scratch again. The short answer to this is yes. The long answer is “Yes, if you can be patient.” I have never actually needed to perform this myself because it’s not always that practical and, to be honest, the task can be somewhat tedious. But if you really need to recover text and Word didn’t auto-recover, or Outlook lost the draft after you clicked send, or IE is in the middle of a “GUI crash”, then turn to the power of the dump.
The idea here is if the application is still running but stalled, it still resides in memory, along with anything you typed into it. When you dump the process, you are dumping its presence in memory to a file that you can pick apart. Dumping a hung process is simple enough. On an XP system, open Process Explorer, right-click the process, and choose Create Dump. In Vista & Windows 7, this option is now built into the Task Manager. You can then copy the dump to a system where WinDbg is installed to open it.
Posted in Troubleshooting Tools | Tagged: Dump, Hang, WinDbg | Leave a Comment »
Posted by William Diaz on May 1, 2012
I often find myself running Process Monitor and Process Explorer on user workstations. But to get the most out of either of these tools, you really need to configure symbols so you can accurately read thread and stack information when doing a deeper analysis of a process. This can often be a nuisance because I am a cut-and-paste type of guy and, even after doing it numerous times, I still have trouble recalling the Microsoft symbol path. On top of that, many times I run these tools with the user connected, so speed is a necessity. To work around that, I decided to write a small script that I can run from a file server that will do it for me. Run the script before you start either tool.
There is one prerequisite, however: you need the full dbghelp.dll from the Windows Debugging Tools, as the debug help DLL in system32 is not sufficient. If you are running on both 32-bit and 64-bit systems, you will need to get both the 64-bit and 32-bit versions. Store them away on a network share and modify the script below to look to that share. In my case, we are still a mixed environment, so I renamed the 32-bit dbghelp to dbghelp32.dll while the 64-bit version remains unchanged, and created two different scripts. The script copies the respective DLL into the folder C:\DbgHelp on the local system.
I also set Process Explorer’s highlight duration to 5 seconds, so newly created and exiting processes and threads stay highlighted that long.
' Point Process Explorer and Process Monitor (64-bit) at the full dbghelp.dll
' and the Microsoft symbol server, then copy the DLL to C:\DbgHelp.
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

' Process Explorer 64
strKeyPath = "Software\Sysinternals\Process Explorer"
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath

strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

strValueName = "SymbolPath"
strValue = "http://msdl.microsoft.com/download/symbols"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

' Highlight new and exiting processes/threads for 5000 ms (5 seconds)
strValueName = "HighlightDuration"
dwValue = 5000
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

' Process Monitor 64
strKeyPath = "Software\Sysinternals\Process Monitor"
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath

strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

strValueName = "SymbolPath"
strValue = "http://msdl.microsoft.com/download/symbols"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

' Copy the full 64-bit dbghelp.dll from the share into C:\DbgHelp, creating the folder if needed.
Set oFSO = CreateObject("Scripting.FileSystemObject")
If Not oFSO.FolderExists("C:\DbgHelp") Then
    oFSO.CreateFolder "C:\DbgHelp"
End If
oFSO.CopyFile "\\Server1\TechTools\dbghelp.dll", "C:\DbgHelp\", True
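The post keeps two separate scripts for 32-bit and 64-bit workstations. As an added example (not the author's script), the PowerShell below folds both into one: it detects the OS architecture, copies the matching DLL from the share layout the post describes (dbghelp.dll for 64-bit, the renamed dbghelp32.dll for 32-bit, both under \\Server1\TechTools, which is assumed here), checks that the copied file is not just a duplicate of the system32 dbghelp.dll, and writes the same DbgHelpPath, SymbolPath and HighlightDuration values the VBScript sets.

```powershell
# Added example, not the author's script. One script for 32-bit and 64-bit
# workstations. Assumes the share layout from the post: dbghelp.dll (64-bit)
# and dbghelp32.dll (32-bit, renamed) under \\Server1\TechTools.

$share     = '\\Server1\TechTools'
$localDir  = 'C:\DbgHelp'
$symbolUrl = 'http://msdl.microsoft.com/download/symbols'

# Architecture check that works in a 32-bit PowerShell host on a 64-bit OS too.
$is64 = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$sourceDll = if ($is64) { Join-Path $share 'dbghelp.dll' } else { Join-Path $share 'dbghelp32.dll' }
# The local copy is always named dbghelp.dll, which is the name the tools expect.
$targetDll = Join-Path $localDir 'dbghelp.dll'

if (-not (Test-Path -LiteralPath $localDir)) {
    New-Item -ItemType Directory -Path $localDir | Out-Null
}
Copy-Item -LiteralPath $sourceDll -Destination $targetDll -Force

# Sanity check: the Debugging Tools dbghelp.dll must differ from the system32
# copy; identical versions usually mean the share holds the wrong file.
$sysDll    = Join-Path $env:SystemRoot 'System32\dbghelp.dll'
$copiedVer = (Get-Item -LiteralPath $targetDll).VersionInfo.FileVersion
$systemVer = (Get-Item -LiteralPath $sysDll).VersionInfo.FileVersion
if ($copiedVer -eq $systemVer) {
    Write-Warning "$targetDll ($copiedVer) matches the system32 copy; check the share contents."
}

# Both tools read these values from HKCU on start-up, so run this before launching them.
$keys = @{
    'HKCU:\Software\Sysinternals\Process Explorer' = @{ HighlightDuration = 5000 }  # ms
    'HKCU:\Software\Sysinternals\Process Monitor'  = @{}
}
foreach ($key in $keys.Keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $key -Name 'DbgHelpPath' -Value $targetDll -Type String
    Set-ItemProperty -LiteralPath $key -Name 'SymbolPath'  -Value $symbolUrl -Type String
    foreach ($dword in $keys[$key].GetEnumerator()) {
        Set-ItemProperty -LiteralPath $key -Name $dword.Key -Value $dword.Value -Type DWord
    }
}
```

Run it from the share under the user's own account, since the values live in HKEY_CURRENT_USER and the tools pick them up only for the user that launches them.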
Posted in Troubleshooting Tools | Tagged: Process Explorer, Process Monitor | Leave a Comment »
Posted by William Diaz on May 1, 2012
The problem starts after the user has had her Windows profile recreated but continues to experience some Outlook performance issues. Each time she clicks the New button in Outlook to create a new message, there is a 5 to 10 second delay before the blank message opens. There is also a 10+ second delay after she clicks Send, and Outlook becomes unresponsive for that time. I connect to her and quickly look at the Office Outlook registry for any unapproved 3rd party add-ins and see nothing out of the ordinary. I decide to dump the Outlook process when the hang is encountered and turn to Process Explorer. This is a simple matter of right-clicking the process and choosing Create Dump while it is in an unresponsive state. Actually, I collect two dumps, the second with ProcDump in hang mode. I do this to ensure that the dumps are consistent; if the dumps are not similar then I may need to collect more until a pattern emerges.
I copied the dumps to my workstation, opened them with WinDbg and ran the !analyze -v -hang command. The stacks for both dumps are similar. With the exception of the NRTExchn component (our DMS add-in for Outlook), these are all MS modules. Normally, this wouldn’t excite me, but something stands out like a sore thumb as I move up the stack: the presence of msi.dll in the stack of the thread being examined.
Posted in Office, Troubleshooting, Troubleshooting Tools | Tagged: Hang, Outlook, Process Explorer, Process Monitor, WinDbg | Leave a Comment »
Posted by William Diaz on April 4, 2012
In addition to local processes locking files and preventing their use by other processes, files can also become locked by remote processes. Finding the remote system that has a handle (or handles) on the file can be a little bit more involved. I mean this literally: a little bit more involved. Knowing which tools to use or where to look can make this task just as simple as isolating it to a local process as outlined in part I.
This example is a recreation of an issue I encountered while working on a workstation remotely. It manifested itself as a failure to logon as the user: “Windows cannot load the locally stored profile…”
Posted in Troubleshooting Tools | Tagged: Process Explorer, TCPView | 1 Comment »
Posted by William Diaz on April 3, 2012
Every now and then some app somewhere is going to hook into some user file and prevent it from loading when its host application is opening up, resulting in some kind of error. A common one is when opening Outlook: “The file C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\Outlook\outlook.ost is in use and could not be accessed. Close any application that is using this file, and then try again.”

Posted in Troubleshooting Tools | Tagged: Outlook, Process Explorer | 1 Comment »