Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Archive for the ‘Troubleshooting’ Category

Vague Errors and No, You Can’t Be An Admin on Your Workstation

Posted by William Diaz on February 8, 2013


In real estate, it's all about location, location, location. In today's Windows workplace it's all about security, security, security. Legacy apps present challenges because they want to do things that are not going to work in a locked-down environment. For example, this vague error when one of our users tried to run an app:

[Screenshot: the application's error dialog]

Not a lot to go on, but our helpdesk was able to get it to work by running the app elevated, and I knew then that this app obviously wasn't designed with standard-user accounts in mind. No doubt the app was trying to modify one or more of its own files in a location that Windows 7 locks down for standard users. The user wanted to be made an admin to work around it. "Sorry, but we can't give you that kinda juice." But we could likely change the permissions on the specific file and grant Users the right to modify it ... assuming that was the case. Taking a look with Process Monitor, I ran the app, set a filter for Result is ACCESS DENIED on the file system, and got the following:

[Screenshot: Process Monitor trace filtered on ACCESS DENIED results]

Yep, legacy apps love putting their writable data inside C:\Windows, but this is bad practice today because standard user accounts do not have the privileges to create or modify files there. The workaround in this case (because the user insisted they really need this app) was to change the permissions on the specific files the app was trying to write to, granting Users Modify. Keep the grant exactly as narrow as the trace shows it needs to be: the data files the app writes, not its executables, DLLs or the whole directory. A code file in a system path that any user can modify is a privilege-escalation path for the next piece of malware that lands on the box, which is a worse outcome than the admin rights you just refused to hand out.

[Screenshot: file Properties > Security, Users granted Modify]

I wish they were all this easy.
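The same workflow in script form, as an added example that is not part of the original post: export the Process Monitor trace to CSV, pull out the file-system paths the app was denied on, and grant BUILTIN\Users Modify on only those files, refusing to touch code files. The CSV rows, the process name LegacyApp.exe and the paths under C:\Windows\LegacyApp are constructed placeholders.

```powershell
# Added example, not from the original post. Parses a Process Monitor CSV export
# (File > Save, CSV format) for ACCESS DENIED file-system results from one process,
# then grants BUILTIN\Users Modify on just those files instead of making the user an
# admin. Sample rows below are constructed; process name and paths are placeholders.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1234567 AM","LegacyApp.exe","4120","CreateFile","C:\Windows\LegacyApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.1234568 AM","LegacyApp.exe","4120","CreateFile","C:\Windows\LegacyApp\app.log","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.1234569 AM","LegacyApp.exe","4120","CreateFile","C:\Windows\LegacyApp\LegacyApp.exe","SUCCESS","Desired Access: Read Data"
"9:01:02.1234570 AM","LegacyApp.exe","4120","RegSetValue","HKLM\SOFTWARE\LegacyApp\LastRun","ACCESS DENIED","Type: REG_SZ"
"9:01:03.0000000 AM","explorer.exe","1812","CreateFile","C:\Users\jdoe\Desktop\x.lnk","ACCESS DENIED","Desired Access: Generic Write"
'@

function Get-DeniedFiles {
    param([string]$Csv, [string]$ProcessName)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.'Process Name' -eq $ProcessName -and
                       $_.Result -eq 'ACCESS DENIED' -and
                       $_.Path -notmatch '^HK(LM|CU|CR|U)\\' } |   # file system only, skip registry ops
        Select-Object -ExpandProperty Path -Unique
}

# Code files must never become user-writable in a system directory.
$codeExt = '.exe', '.dll', '.ocx', '.sys', '.scr', '.cpl', '.cmd', '.bat', '.vbs', '.ps1'

function Grant-UsersModify {
    param([string[]]$Paths, [switch]$DryRun)
    foreach ($p in $Paths) {
        $ext = [IO.Path]::GetExtension($p).ToLower()
        if ($codeExt -contains $ext) {
            Write-Warning "Refusing to loosen ACL on code file: $p"; continue
        }
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Not a file (or missing): $p"; continue
        }
        if ($DryRun) { "Would grant BUILTIN\Users Modify on $p"; continue }
        $acl  = Get-Acl -Path $p
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    'BUILTIN\Users', 'Modify', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $p -AclObject $acl
        icacls $p    # verification: BUILTIN\Users:(M) should now be listed
    }
}

$denied = Get-DeniedFiles -Csv $sample -ProcessName 'LegacyApp.exe'
$denied                                    # the two data files under C:\Windows\LegacyApp
Grant-UsersModify -Paths $denied -DryRun   # drop -DryRun to apply (run from an elevated prompt)
```

The registry denial in the sample is deliberately left out of the result: a legacy app that also writes to HKLM needs the same per-value treatment with regedit permissions or, better, a shim, and the explorer.exe row shows why the filter is pinned to one process name.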

Posted in Troubleshooting

Unable to Install (only some) ActiveX Controls

Posted by William Diaz on February 7, 2013


So, we had just validated our latest Windows 7 image and were looking forward to rolling it out to the next batch of offices. Everything had seemed fine in testing until we hit a little snafu when a user complained that they were unable to access an online training tutorial that required an ActiveX plug-in. Instead of prompting the user to install or run the ActiveX control, the site redirected the user to a manual join method, which also failed. The manual join method was just another means of delivering the ActiveX control as a file that could be executed.

I was asked to look and was able to reproduce. This was odd because none of our previous Win 7 images exhibited the problem with this site, which told me it was not a website issue. I also tested with another page that I knew contained an ActiveX control and was still unable to download the control. The file simply never made it to the system. I began to suspect that the fact that both sites were internal might be the issue, because I was able to go out to the Internet and run an ActiveX test at http://www.pcpitstop.com/testax.asp and also install Flash Player from Adobe. So the question was: why were some ActiveX controls downloading and others not?

The answer came the next morning when I realized that both ActiveX controls that could not be downloaded were coming from https (secure) sites. I didn't quite recall the setting or where it lived (I had come across this in the old WinXP days of Outlook, when some users were unable to download calendar appointment files via https hyperlinks in emails), but I knew I could find it with a quick Process Monitor trace and the search phrase "SSL".

[Screenshot: Process Monitor search results for "SSL"]

The second hit provided my answer: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages. The value was set to 1, which means the option is enabled. The UI setting resides in IE Internet Options under the Advanced tab, Do not save encrypted pages to disk:

[Screenshot: Internet Options > Advanced > Do not save encrypted pages to disk]

When checked, IE will not write content from secure sites to the disk cache. Because IE delivers downloads through that cache, a control or installer served over https never makes it to the file system, while the same control over plain http downloads fine.

As for how it got there, we suspect a Windows update may have enabled it at some point, as the new image included several updates that the old image did not. Keep in mind that this is a deliberate hardening option (it keeps content from HTTPS sessions out of the on-disk cache), and some security baselines enable it, so if your image picked it up from a baseline rather than an update, turning it off is a policy decision to make with whoever owns the baseline. To enforce the setting via group policy so that it cannot be re-enabled by the user, the policy is under User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Advanced Page. Setting it to Disabled creates a DisableCachingOfSSLPages DWORD with a value of 0 under HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings, and the Policies key takes precedence over the per-user preference in the non-Policies key.
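A quick way to see which of the two keys is driving the behavior on a given workstation, as an added example that is not part of the original post: read the policy value and the preference value, report the effective state with the policy winning, and optionally pin the policy value for the current user the way the GPO would. The function names are my own.

```powershell
# Added example, not from the original post. Reports the effective state of
# "Do not save encrypted pages to disk" by reading the policy key (which wins)
# and the per-user preference, and optionally pins it off via the policy key.
$pref   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$name   = 'DisableCachingOfSSLPages'

function Get-RegDword {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    [int]$item.$Name
}

function Get-IeSslCacheState {
    $p = Get-RegDword $policy $name
    $u = Get-RegDword $pref   $name
    if ($p -ne $null)     { $effective = $p; $source = 'Policy' }
    elseif ($u -ne $null) { $effective = $u; $source = 'Preference' }
    else                  { $effective = 0;  $source = 'Default' }
    New-Object PSObject -Property @{
        PolicyValue     = $p
        PreferenceValue = $u
        Effective       = $effective   # 1 = encrypted pages not cached; https downloads fail
        Source          = $source
    }
}

function Set-IeSslCachePolicy {
    param([int]$Value)   # 0 = allow caching (GPO "Disabled"), 1 = block caching (GPO "Enabled")
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    New-ItemProperty -Path $policy -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    Get-IeSslCacheState
}

Get-IeSslCacheState | Format-List PolicyValue, PreferenceValue, Effective, Source
# Set-IeSslCachePolicy -Value 0   # per-user equivalent of the GPO set to Disabled
```

If Source comes back as Policy with a value of 1, the GPO (or a baseline applied as a local policy) is enforcing it, and flipping the Advanced-tab checkbox will not help; that is the case to take back to whoever owns the policy.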

Posted in Troubleshooting

IE 9 Reset Deletes Favorites?

Posted by William Diaz on December 13, 2012


While speaking with a user a few days ago, she mentioned she had called the help desk to resolve an IE issue and the technician decided to run a reset of IE. After restarting IE, she noticed her favorites had gone missing. To confirm, I fired up one of the firm-imaged Windows 7 PCs and was able to reproduce. This was a surprise to me because I had never seen this behavior in our old XP environment (we are still relatively new to the Windows 7 platform). Microsoft even clearly states that a reset should preserve favorites in this Microsoft article:

Settings and items that are maintained

  • Favorites

  • Feeds and Web Slices

  • Content Advisor settings

  • Pre-approved ActiveX controls

  • Temporary Internet file (cache) path settings

  • Certificate information

  • Internet Programs (e‑mail, instant messenger, and other programs associated with Internet use)

  • Internet connection, proxy, and VPN settings

  • Default web browser setting

  • Toolbars are not restored

Not surprisingly, I could not reproduce this issue on my non-firm-imaged "vanilla" Windows 7 workstation. To find the cause, I turned to Process Monitor and ran a trace of IE while I selected the Reset button in the Advanced tab of Internet Options. The trace was over 20k operations and I had no idea what I was looking for. Looking at the operations on the .lnk files as they got deleted (the CloseFile operation) was not going to tell me why the links were being deleted. A file summary might help, however. My guess was that IE was reading a file somewhere to decide how to handle some of the reset parameters. To quickly get a list of files, I used Tools > File Summary and quickly saw what IE was performing most of its read operations on:

[Screenshot: Process Monitor File Summary, sorted by read operations]

I navigated to C:\Program Files (x86)\Internet Explorer\CUSTOM and opened the INSTALL.INS file. I scanned the text file and spotted a suspect: FavoritesDelete=0x708F

[Screenshot: INSTALL.INS with the FavoritesDelete line]

Sure this was the cause, I deleted that line, opened IE, imported a few links, ran the Reset in IE again, closed and reopened it, and this time the IE Favorites were not deleted. Some quick research shows that the INSTALL.INS file is deployed when the Internet Explorer Administration Kit (IEAK) is used to customize settings at IE install time, so the behavior was baked into our image by whoever built the IEAK package, not by IE itself.

Another clue would be the log created after the IE Reset, as it writes the changes to the brndlog.txt file (number 3 in the file summary image above):

[Screenshot: brndlog.txt entries written during the reset]
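Since the next IEAK package can reintroduce the same line, it is worth auditing the .INS file rather than remembering to look. The following is an added example, not part of the original post: a small INI-style parser (the .INS format is section headers in brackets and key=value lines) and a check that reports where any destructive key such as FavoritesDelete sits. The sample content and its section names are constructed placeholders, not the real IEAK layout.

```powershell
# Added example, not from the original post. Audits an IEAK .INS file for keys that
# destroy user data on reset. Sample content is constructed; section names in it
# are placeholders and not necessarily the real IEAK sections.
$sampleIns = @'
[Branding]
CompanyName=Example Firm
Wizard_Version=9.0.0.0

[FavoritesEx]
Title1=Intranet
URL1=http://intranet.example.com/
FavoritesDelete=0x708F

[URL]
Home_Page=http://intranet.example.com/
'@

function ConvertFrom-Ini {
    param([string[]]$Lines)
    $result = @{}; $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';') -or $line.StartsWith('#')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            continue
        }
        $idx = $line.IndexOf('=')
        if ($idx -lt 1) { continue }                       # not a key=value line
        if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
        $result[$section][$line.Substring(0, $idx).Trim()] = $line.Substring($idx + 1).Trim()
    }
    $result
}

function Find-DestructiveInsKeys {
    param([hashtable]$Ini, [string[]]$Keys = @('FavoritesDelete'))
    foreach ($section in $Ini.Keys) {
        foreach ($k in $Keys) {
            if ($Ini[$section].ContainsKey($k)) {
                New-Object PSObject -Property @{ Section = $section; Key = $k; Value = $Ini[$section][$k] }
            }
        }
    }
}

$ini = ConvertFrom-Ini ($sampleIns -split "`r?`n")
Find-DestructiveInsKeys $ini | Format-Table Section, Key, Value -AutoSize
# Expected: one row, Section FavoritesEx, Key FavoritesDelete, Value 0x708F

# Against a real machine:
# $path = 'C:\Program Files (x86)\Internet Explorer\CUSTOM\INSTALL.INS'
# Find-DestructiveInsKeys (ConvertFrom-Ini (Get-Content $path))
```

Run it against the CUSTOM folder on a freshly imaged PC as part of image validation; a non-empty result means the reset will delete favorites again.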

Posted in Troubleshooting

Windows 7 Black Screen and Mouse Cursor After Logon

Posted by William Diaz on November 6, 2012


We started to see a rash of complaints from users who were encountering a black screen after logging onto their Windows 7 workstations. Except for the mouse cursor, nothing was functional; even Task Manager couldn't be started.

[Screenshot: black screen with only the mouse cursor visible]

Most often this was encountered at the first logon of the day, after the workstation had been logged out of the previous day and then left idle for several hours. Recovery required a hard reboot, after which the user could log on normally. I actually encountered this a few times on one of my test workstations, and a review of the event logs revealed the following warning: "The winlogon notification subscriber <GPClient> is taking too long to handle the event notification event (StartShell)."

[Screenshot: Application log warning from Winlogon]

I'm assuming StartShell is the point at which explorer.exe gets launched, and GPClient is the Group Policy client's winlogon subscriber, so the shell is waiting on Group Policy processing to finish. In a couple of cases, if I let it sit long enough, the desktop might load or Task Manager would launch, but the overall experience was plagued by various performance issues and errors. A corresponding event follows after 10 minutes: "The winlogon notification subscriber <GPClient> took 600 second(s) to handle the notification event (StartShell)."

[Screenshot: Application log event reporting 600 seconds for GPClient]

A brief email to our Microsoft PFE was answered with a possible hotfix described here: http://support.microsoft.com/kb/2590550. Results since applying it to affected user workstations seem promising.

If this doesn't apply to you, there is also a Mark Russinovich blog post on a similar issue he encountered due to inaccessible mapped drives.

And, finally, another MS hotfix KB that you may also want to examine: http://support.microsoft.com/kb/2525332
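Rather than waiting for the next complaint, the Winlogon warnings can be pulled from the Application log of any workstation before it is rebooted. This is an added example, not part of the original post: it filters the Winlogon provider's events for the "notification subscriber" messages, extracts the subscriber, the notification (StartShell) and the seconds reported, so a list of suspect machines can be checked remotely. The event IDs 6005 and 6006 noted in the comments are my assumption from memory; the filter keys on the message text, so it works even if they differ. Computer names are placeholders.

```powershell
# Added example, not from the original post. Pulls the Winlogon "notification subscriber"
# warnings from the Application log so you can see which subscriber stalled which
# notification, for how long, and when. Event IDs 6005 (still waiting) and 6006
# (took N seconds) are my assumption; the message filter does not depend on them.
function Get-WinlogonStall {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7,
        [string]$Subscriber = 'GPClient'
    )
    $filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Winlogon';
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'notification subscriber' -and $_.Message -match $Subscriber } |
        ForEach-Object {
            $seconds = $null
            if ($_.Message -match 'took (\d+) second') { $seconds = [int]$Matches[1] }
            $notification = $null
            # "(StartShell)"; the {2,} keeps "second(s)" from matching
            if ($_.Message -match '\(([A-Za-z]{2,})\)') { $notification = $Matches[1] }
            New-Object PSObject -Property @{
                Computer     = $ComputerName
                Time         = $_.TimeCreated
                Id           = $_.Id
                Notification = $notification
                Seconds      = $seconds        # $null while the subscriber is still running
                Subscriber   = $Subscriber
            }
        }
}

# This box:
Get-WinlogonStall | Sort-Object Time | Format-Table Time, Id, Notification, Seconds -AutoSize

# A list of suspect workstations from a ticket export (placeholder names):
# 'WS-0413','WS-0417' | ForEach-Object { Get-WinlogonStall -ComputerName $_ -Days 14 } |
#     Where-Object { $_.Seconds -ge 300 } | Format-Table Computer, Time, Seconds -AutoSize
```

Remote collection needs the Remote Event Log Management firewall rule open and rights on the target's Application log; a machine that returns nothing at all is more likely unreachable than clean.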

Posted in Troubleshooting

A Recent and Quick Encounter with “Ransomware”

Posted by William Diaz on October 21, 2012


While browsing the Internet last night from one of my home PCs, I was suddenly hit with the following full screen warning: “THE FBI Federal Bureau of Investigations. ATTENTION! Your PC is blocked due to at least one of the reasons specified below…”

[Screenshot: the full-screen "FBI" lock warning]

Posted in Troubleshooting, Troubleshooting Tools

Odd IE Behavior Disappears After Attaching Debugger

Posted by William Diaz on October 14, 2012


While deploying Windows 7 to a couple of offices a few months ago, we started to receive complaints of IE exhibiting weird behavior. I had a chance to witness this myself. The issue usually arose when a user opened the browser to perform a search on Google, MSN, or Yahoo. For example, after initially typing into Google's search box, one would see search hits auto-populate normally, but if you then tried to access one of the browser menu options a second time, the browser would "hiccup" and none of the menu options would function. Even odder, when typing a search phrase into the MSN search box, the typed characters would show up in the IE address bar. Here is a video of this odd behavior:

[Embedded video not included]

Eventually, uninstalling IE 9 and reinstalling was enough to resolve it, but I wanted to see if I could isolate the issue to some particular component. To do this, I started with Dependency Walker and launched IE through its debugger. Strangely enough, the issue could not be reproduced at any time the debugger was attached. Curious, I did some searching in the Dependency Walker FAQ and found this:


My application runs better when being profiled by Dependency Walker than when I run it by itself. Why is this?


I've had several reports of applications that normally crash will not crash when being profiled under Dependency Walker. Dependency Walker acts as a debugger when you are profiling your application. This in itself makes your program run differently.

First, there is the overhead of Dependency Walker that slows the execution of your application down. If your application is crashing due to some race condition, this slow down alone might be enough to avoid the race condition. If this is the case, it is a design issue of the application and you are just getting lucky when it doesn’t crash.

Second, normally when threads block on critical sections, events, semaphores, mutexes, etc., they unblock on a first-in-first-out (FIFO) basis. This is not guaranteed by the OS, but is usually the case. When being run under a debugger, FIFO queues are sometimes randomized, so threads may block and resume in a different order than they would when not running under a debugger. This might be relieving a race condition or altering the execution enough to make things work. Again, the application is just getting lucky when it doesn’t crash.

Finally, applications running under the debugger automatically get a system debug heap. All memory functions are handled slightly differently. Allocations are padded with guard bytes to check to see if you are writing outside of a region you have allocated (buffer overrun/underrun). Allocations might also be laid out differently in memory than when not under the debugger. So, if you are writing past the end of a buffer under the debugger, you might be trashing guard bytes, freed memory, or just something not very critical. However, when not running under the debugger, you might be trashing something critical (like a pointer), and your app crashes.

For the debug heap, you can turn this off in Dependency Walker and see if your application crashes when being profiled. If it does, then you probably suffer a buffer overrun, stray/bad/freed pointer, etc. To do this, start a command prompt. Type "SET _NO_DEBUG_HEAP=1". Then start Dependency Walker from that command line. This should disable the debug heap for that instance of Dependency Walker. Note, this only works on Windows XP and beyond.

We have not encountered the issue since the pilot offices completed their deployments. Perhaps one of the various changes that were made to the task sequence corrected whatever was causing this.

Posted in Troubleshooting

Crashing Terminal Session with Latest Citrix Receiver

Posted by William Diaz on August 17, 2012


After installing the latest Citrix Receiver 3.3, one of our techs began to experience crashes of their terminal sessions after about 1-2 minutes. I connected to my lab and installed the latest Citrix Receiver and was able to reproduce. In my case, the following error was generated: “WFICA32.EXE – Application Error. The exception Breakpoint. A breakpoint has been reached…”

[Screenshot: WFICA32.EXE Application Error dialog]

An error may not always be produced on the desktop, though. If you examine Windows Event Viewer > Application log, you should see some type of error, either in the Visual C++ 2005 runtime or in the actual Citrix module where the fault is encountered. For example:

Faulting application wfica32.exe, version 13.1.201.3, faulting module msvcr80.dll, version 8.0.50727.6195, fault address 0x0001574d.

Faulting application wfica32.exe, version 13.3.0.55, faulting module vd3dn.dll, version 13.3.0.55, fault address 0x00001021

After a little research, the most common culprit seems to be printers that the workstation (XP SP3) cannot resolve. These often have a status of "Unable to connect" and/or "Printer not found on server":

[Screenshot: Printers and Faxes showing printers with status "Unable to connect"]

After removing the offline printers on both the lab and the tech's workstation, the issue went away. That being said, it might be more practical to downgrade to an earlier version of the Citrix Receiver. It's not uncommon for network printers to be taken offline or decommissioned in large enterprises. Worse, imagine mobile users, who will show all network printers as unable to connect when outside the network and trying to connect remotely to their virtual desktops. This seems specific to Windows XP clients.

_______________________________________________________________________________________________________________

Update

I ran into this issue again today on a user workstation where it was happening even after the disconnected printers had been removed. Crash dumps pointed to hpcui6dn.dll. Using the local print server properties on the workstation, we could see that the print driver belonged to one of the disconnected printers. Apparently an "orphaned" print driver can cause the problem as well. Resolving it was a simple matter of stopping and restarting the print spooler and, from the local print server properties, selecting Remove for the driver of the printer that was no longer connected.

Application exception occurred:
        App: C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE (pid=6104)
        When: 12/26/2012 @ 10:57:07.919
        Exception number: c0000005 (access violation)

FAULT ->35257cb2 c4b3029b1db1  les esi,[ebx+0xb11d9b02] ds:0023:b130883a=????????????
        35257cb8 758e             jnz     hpcui6dn+0x157c48 (35257c48)
        35257cba b0f7             mov     al,0xf7
        35257cbc 4f               dec     edi
        35257cbd ad               lodsd
        35257cbe c3               ret
        35257cbf b0b6             mov     al,0xb6
        35257cc1 b9d8812742       mov     ecx,0x422781d8
        35257cc6 852c83           test    [ebx+eax*4],ebp
        35257cc9 3aab84ce5fa5     cmp     ch,[ebx+0xa55fce84]
        35257ccf 5c               pop     esp

*—-> Stack Back Trace <—-*
WARNING: Stack unwind information not available. Following frames may be wrong.
ChildEBP RetAddr  Args to Child             
0012ec39 cf351cdd 1c932e1e 90069193 ff3531b3 hpcui6dn+0x157cb2
140012ec 00000000 00000000 00000000 00000000 0xcf351cdd
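Both conditions from this post, printers whose server no longer answers and drivers left behind after the printer is gone, can be enumerated before anyone installs the new Receiver. The following is an added example, not part of the original post: it uses WMI, which is what is available on XP SP3 with PowerShell 2.0 (Get-Printer does not exist there). The printer and driver names in the commented removal commands are placeholders.

```powershell
# Added example, not from the original post. Uses WMI (available on XP SP3 with
# PowerShell 2.0) to list network printers whose print server does not answer and
# drivers that no remaining printer uses, the two conditions tied to the crashes.
function Get-UnreachablePrinters {
    Get-WmiObject Win32_Printer | Where-Object { $_.Network } | ForEach-Object {
        $server = $_.ServerName -replace '^\\\\', ''
        $up = $false
        if ($server) {
            $up = Test-Connection -ComputerName $server -Count 1 -Quiet -ErrorAction SilentlyContinue
        }
        New-Object PSObject -Property @{
            Printer         = $_.Name
            Server          = $server
            Driver          = $_.DriverName
            ServerReachable = [bool]$up
            Status          = $_.PrinterStatus   # 3 = idle; other codes per the Win32_Printer class docs
        }
    }
}

function Get-OrphanedPrinterDrivers {
    $inUse = @(Get-WmiObject Win32_Printer | ForEach-Object { $_.DriverName })
    Get-WmiObject Win32_PrinterDriver | ForEach-Object {
        # Win32_PrinterDriver.Name is "<driver>,<version>,<environment>"
        $driverName = ($_.Name -split ',')[0]
        if ($inUse -notcontains $driverName) {
            New-Object PSObject -Property @{ Driver = $driverName; FullName = $_.Name; Path = $_.DriverPath }
        }
    }
}

"--- network printers whose server does not answer ---"
Get-UnreachablePrinters | Where-Object { -not $_.ServerReachable } |
    Format-Table Printer, Server, Driver -AutoSize

"--- drivers no printer uses (candidates for removal) ---"
Get-OrphanedPrinterDrivers | Format-Table Driver, Path -AutoSize

# Removal, run as admin (placeholder names). WQL needs backslashes doubled:
# (Get-WmiObject Win32_Printer -Filter "Name='\\\\printsrv01\\HP4015'").Delete()
# Restart-Service Spooler
# printui.exe /dd /m "HP Universal Printing PCL 6"   # same as Print Server Properties > Drivers > Remove
```

A driver can legitimately be installed with no printer attached (pre-staged for a rollout), so treat the orphan list as candidates to review, not a delete list, and restart the spooler before removing a driver or the removal will fail with the driver in use.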

Posted in Troubleshooting

The Case of the Slowly Opening Or Unresponsive Office Files

Posted by William Diaz on August 15, 2012


After a recent security update for our XP workstations, a couple of complaints came in where users were having difficulty opening Microsoft Office files across the network. In some cases the file would open, but only after a delay of a few minutes. In other cases the file would not open at all, causing the Office application (Word, Excel) to become unresponsive and hang. The files were not ridiculously large, and opening the same files locally did not present a problem. Identifying the cause was a simple matter of turning to Process Explorer and examining the stack of the working program thread:

[Screenshot: Process Explorer thread stack with repeated GKExcel.dll frames]

You can see the stack growing with a couple dozen calls into a component named GKExcel.dll. Turning on the lower pane to view DLLs (View > Lower Pane View > DLLs), I can see it is described as a Microsoft component, but the description is too generic to make out its purpose:

[Screenshot: Process Explorer DLL view, GKExcel.dll]

However, one of the function names may allude to its purpose and how it got here. Searching for FValidateExcelFile takes me to this MS KB article, Excel workbooks may open slowly over the network:

After you install MS11-021 and the Office File Validation (OFV) Add-in for Microsoft Office 2003 (KB 2501584), workbooks stored in a network location open more slowly over the network in Excel 2003 than they did without the OFV installed. The decrease in performance depends on the size of the workbook and bandwidth of the network, and in some scenarios, can seem to cause Excel to crash.

The issue is not specific to Excel, however; Word files were taking several minutes to open as well. Resolving it is a simple matter of uninstalling the Microsoft Office File Validation Add-in or modifying the registry to make an exception for the application opening the file. Bear in mind what you give up: OFV checks binary Office files against the file format specification before the application's parser touches them, to reject malformed documents that target parser bugs, so a per-application exception scoped to the users who actually hit the slowdown is a better trade than removing it firm-wide. To set the exception:

  • Go to HKCU\Software\Policies\Microsoft\Office\<ver>\<application>\Security.
  • Create a new key called FileValidation
  • Create a DWORD value called EnableOnLoad with a value of 0

If uninstalling across the enterprise, then: msiexec /x {90140000-2005-0000-0000-0000000FF1CE} /quiet
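The two pieces of this post in script form, as an added example that is not part of the original: confirm that the OFV module is actually loaded in the running Office process (the Process Explorer check from the screenshot), then write the per-application EnableOnLoad exception from the KB for Office 2003 (version key 11.0). GKWord.dll as the Word module name is my assumption; the post only names GKExcel.dll.

```powershell
# Added example, not from the original post. Confirms whether the Office File
# Validation module is loaded into a running Office process, then writes the
# per-application EnableOnLoad=0 exception from the KB for Office 2003 (11.0).
# GKWord.dll is assumed to be the Word counterpart of GKExcel.dll.
function Test-OfvLoaded {
    param([string]$Process = 'EXCEL', [string]$Module = 'GKExcel.dll')
    $procs = Get-Process -Name $Process -ErrorAction SilentlyContinue
    if (-not $procs) { return $false }          # application not running, nothing to inspect
    foreach ($p in $procs) {
        if ($p.Modules | Where-Object { $_.ModuleName -eq $Module }) { return $true }
    }
    $false
}

function Set-OfvLoadException {
    param(
        [ValidateSet('Excel','Word','PowerPoint')] [string]$Application,
        [string]$OfficeVersion = '11.0',   # 11.0 = Office 2003, the version in the KB
        [int]$EnableOnLoad = 0             # 0 = skip validation on open, 1 = validate
    )
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$Application\Security\FileValidation"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableOnLoad -PropertyType DWord -Value $EnableOnLoad -Force | Out-Null
    # read back so the caller can verify what is now in the registry
    (Get-ItemProperty -Path $key -Name EnableOnLoad).EnableOnLoad
}

"OFV loaded in Excel: $(Test-OfvLoaded -Process EXCEL -Module GKExcel.dll)"
"OFV loaded in Word:  $(Test-OfvLoaded -Process WINWORD -Module GKWord.dll)"

# Apply only where the slow-open symptom is confirmed, and only for the affected app:
# Set-OfvLoadException -Application Excel
# Set-OfvLoadException -Application Word
```

Because the key lives under HKCU\Software\Policies, the same value can be pushed with a Group Policy preference to just the security group that works off slow links, which keeps validation on for everyone else.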

Posted in Office, Troubleshooting, Troubleshooting Tools

Help! Everything Is Crashing

Posted by William Diaz on July 25, 2012


This is an XP workstation, so the post-mortem default debugger (Dr. Watson) is likely capturing the exception. I navigate over the admin share to \\computername\C$\Documents and Settings\All Users\Application Data\Microsoft\DrWatson and grab both the drwtsn32.log and user.dmp files. They have recent timestamps from the day before, which means they were likely created as a result of the issue the user was experiencing. I start by examining the log file from the bottom, working my way up. The user's initial complaint was that IE was crashing when going to various websites, so I expected to find the iexplore.exe process crashing in the log. A few searches in the text file later, I find IE crashing on that day:

Application exception occurred:
        App: C:\Program Files\Internet Explorer\iexplore.exe (pid=6828)
        When: 7/24/2012 @ 11:28:13.701
        Exception number: c0000005 (access violation)
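drwtsn32.log is append-only and gets long, so instead of searching it by hand the "Application exception occurred" blocks can be parsed into records. This is an added example, not part of the original post: the log text it parses is constructed in the format shown above, and the computer name in the commented real-file path is a placeholder.

```powershell
# Added example, not from the original post. Parses a Dr. Watson drwtsn32.log (XP's
# post-mortem debugger log) into one record per "Application exception occurred"
# block. The log text below is constructed in the format shown in the post.
$sampleLog = @'
Application exception occurred:
        App: C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE (pid=2240)
        When: 7/23/2012 @ 16:02:11.004
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: WS-0413

Application exception occurred:
        App: C:\Program Files\Internet Explorer\iexplore.exe (pid=6828)
        When: 7/24/2012 @ 11:28:13.701
        Exception number: c0000005 (access violation)

Application exception occurred:
        App: C:\Program Files\Internet Explorer\iexplore.exe (pid=7012)
        When: 7/24/2012 @ 11:31:40.220
        Exception number: 80000003 (breakpoint)
'@

function ConvertFrom-DrWatsonLog {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Application exception occurred:') {
            if ($current) { $current }      # emit the previous record
            $current = New-Object PSObject -Property @{
                App = $null; Pid = $null; When = $null; Exception = $null; Description = $null }
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^\s*App:\s+(.+?)\s+\(pid=(\d+)\)') {
            $current.App = $Matches[1]; $current.Pid = [int]$Matches[2]
        } elseif ($line -match '^\s*When:\s+(\S+) @ (\S+)') {
            $current.When = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])",
                'M/d/yyyy HH:mm:ss.fff', [Globalization.CultureInfo]::InvariantCulture)
        } elseif ($line -match '^\s*Exception number:\s+([0-9a-fA-F]+)\s*\((.+)\)') {
            $current.Exception = $Matches[1]; $current.Description = $Matches[2]
        }
    }
    if ($current) { $current }
}

$crashes = ConvertFrom-DrWatsonLog ($sampleLog -split "`r?`n")
$crashes | Sort-Object When -Descending | Format-Table When, App, Pid, Exception, Description -AutoSize

# Newest IE crash; user.dmp is overwritten on each crash by default, so it belongs to this entry:
$crashes | Where-Object { $_.App -match 'iexplore\.exe$' } | Sort-Object When | Select-Object -Last 1

# Against the real file over the admin share (placeholder computer name):
# ConvertFrom-DrWatsonLog (Get-Content '\\WS-0413\C$\Documents and Settings\All Users\Application Data\Microsoft\DrWatson\drwtsn32.log')
```

Sorting by the parsed When field rather than by position in the file matters when the log has been appended to for months; the timestamps are what tie a record to the user's complaint and to the single user.dmp on disk.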

Read the rest of this entry »

Posted in Troubleshooting

Get Last Error

Posted by William Diaz on July 14, 2012


Often, when doing basic crash or hang analysis on a program, !analyze -v is not going to cut it, because the heuristics engine is not going to reveal an interesting stack. Or maybe I don't know what I'm looking for. Or maybe I don't know advanced WinDbg debugging techniques. Or ... whatever. I define an "interesting" stack as one that contains unexpected components. If I don't see one, I usually move on to other techniques.

One of the things I try when a dump has nothing to offer is to look at the last error thrown. To do this, simply use the get-last-error command, !gle. For example, here is an Outlook crash (which can be notoriously difficult to analyze even for the advanced WinDbg enthusiast) I was asked to examine, where the !analyze -v heuristics engine wasn't telling me anything meaningful (at least to me) and where !gle might help:

Read the rest of this entry »

Posted in Troubleshooting