Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

The Case of the Slowly Opening Or Unresponsive Office Files

Posted by William Diaz on August 15, 2012


After a recent security update for our XP workstations, a couple of complaints came in where users were having difficulty opening Microsoft Office files across the network. In some cases, the file would open, but only after a delay of a few minutes. In other cases, the file would not open at all, causing the Office application (Word, Excel) to become unresponsive and hang. The files were not ridiculously large, and opening the same files locally did not present a problem. Identifying the cause was a simple matter of turning to Process Explorer and examining the stack of the working program thread:


You can see the stack growing with a couple dozen calls to some component named GKExcel.dll. Turning on the Lower Pane to view DLLs (View > Lower Pane View > DLLs), I can see it is described as Microsoft Component, but the description is too generic to make out the purpose:


However, one of the functions may allude to what its purpose is and how it got here. Searching FValidateExcelFile takes me to this MS KB article Excel workbooks may open slowly over the network:

After you install MS11-021 and the Office File Validation (OFV) Add-in for Microsoft Office 2003 (KB 2501584), workbooks stored in a network location open more slowly over the network in Excel 2003 than they did without the OFV installed. The decrease in performance depends on the size of the workbook and bandwidth of the network, and in some scenarios, can seem to cause Excel to crash.

The issue is not specific to Excel, however. Word files were taking several minutes to open as well. Resolving it is a simple matter of uninstalling the Microsoft Office File Validation Add-in or modifying the registry to make an exception for the application opening the file. To do this:

  • Go to HKCU\Software\Policies\Microsoft\Office\<ver>\<application>\Security.
  • Create a new key called FileValidation
  • Create a DWORD value called EnableOnLoad with a value of 0
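
The registry steps above as a PowerShell script, added here as an example and not part of the original post. It assumes "11.0" for <ver> (Office 2003, the version the KB article names) and "Excel" and "Word" for <application>; it reports the previous value so you have a record of which applications had validation on load turned off for the current user.

```powershell
# Added example (not from the original post). Assumed values: "11.0" for <ver>
# (Office 2003) and "Excel"/"Word" for <application>.
$OfficeVersion = '11.0'
$Applications  = @('Excel', 'Word')

function Get-OfvKeyPath {
    param([string]$Version, [string]$Application)
    "HKCU:\Software\Policies\Microsoft\Office\$Version\$Application\Security\FileValidation"
}

# Report the current EnableOnLoad value, or nothing when none is set
function Get-OfvOnLoad {
    param([string]$Version, [string]$Application)
    $key = Get-OfvKeyPath $Version $Application
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key -Name 'EnableOnLoad' -ErrorAction SilentlyContinue).EnableOnLoad
    }
}

# Create the FileValidation key if needed and set EnableOnLoad (0 = the exception)
function Set-OfvOnLoad {
    param([string]$Version, [string]$Application, [int]$Value = 0)
    $key = Get-OfvKeyPath $Version $Application
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'EnableOnLoad' -PropertyType DWord -Value $Value -Force | Out-Null
}

foreach ($app in $Applications) {
    $before = Get-OfvOnLoad $OfficeVersion $app
    Set-OfvOnLoad -Version $OfficeVersion -Application $app
    $after = Get-OfvOnLoad $OfficeVersion $app
    "{0}: EnableOnLoad was '{1}', now '{2}'" -f $app, $before, $after
}
```

Trim `$Applications` to only the programs that actually open slowly, so file validation stays active everywhere else.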

If uninstalling across the enterprise, use: msiexec /x {90140000-2005-0000-0000-0000000FF1CE} /quiet


Help! Everything Is Crashing

Posted by William Diaz on July 25, 2012


This is an XP workstation, so likely the post-mortem default debugger is capturing the exception. I UNC-navigate to \\computername\Documents and Settings\All Users\Application Data\Microsoft\DrWatson. I grab both the drwtsn32.log and user.dmp files. They have recent time stamps of the day before, which means that they were likely created as a result of the issue the user was experiencing. I start by examining the log file, starting from the bottom and working my way up. The user’s initial complaint was that IE was crashing when going to various websites. I expected to find the iexplore.exe process crashing in the log. A few searches in the text file later, I find IE crashing on that day:

Application exception occurred:
        App: C:\Program Files\Internet Explorer\iexplore.exe (pid=6828)
        When: 7/24/2012 @ 11:28:13.701
        Exception number: c0000005 (access violation)


Get Last Error

Posted by William Diaz on July 14, 2012


Oftentimes when doing some basic crash or hang analysis on a program, !analyze -v is not going to cut it because the heuristics engine is not going to reveal an interesting stack. Or maybe I don’t know what I’m looking for. Or maybe I don’t know advanced WinDbg debug techniques. Or … whatever. I define an “interesting” stack as one that contains unexpected components. If I don’t see it, I usually move on to some other techniques.

One of the things I try when a dump has nothing to offer me is to just take a look at the last error thrown. To do this, simply employ the get last error command, !gle. For example, an Outlook crash (which can be notoriously difficult to analyze even for the advanced WinDbg enthusiast) I was asked to examine where the !analyze -v heuristics engine wasn’t telling me anything meaningful (at least to me) and where !gle might help:


Troubleshooting Disabled or Missing Aero Features

Posted by William Diaz on July 13, 2012


After receiving a newly imaged workstation, one of our trainers noticed that the Use Aero Peek to preview the desktop feature was grayed out in the Task Bar properties:


Internet Explorer 9 Install Fail

Posted by William Diaz on July 11, 2012


While troubleshooting some bizarre behavior in IE, I decided the only way to fix the problem was to uninstall IE 9 and reinstall it. To remove IE 9, you go to Programs and Features > View installed updates and locate the IE 9 install under Microsoft Windows. One reboot later I ran the IE 9 installer and encountered the generic Windows Internet Explorer 9 failure message: “Internet Explorer did not finish installing…”


“Run As Administrator” Blocked

Posted by William Diaz on July 8, 2012


Just yesterday while taking a tour of my kids’ Standard User account on one of my Windows 7 systems, I noticed I was unable to right-click a program and elevate it. The following error was returned: “This program is blocked by group policy. For more information, contact your system administrator.”


Sometimes It’s Better To Modify Than To Delete

Posted by William Diaz on July 8, 2012


We disable Outlook PSTs within our organization via group policy. This setting resides in the registry at HKCU\Software\Microsoft\Office\14\Outlook and is enforced with a DWORD value equal to 1. In some cases, though, we allow certain users to continue to use PSTs. Those who do use PSTs, however, don’t necessarily have the ability to move items into these PSTs. That, too, is disabled by creating a DWORD called PstDisableGrow in HKCU\Software\Policies\Microsoft\office\14.0\outlook\PST. If the value is set to enable this, then you will encounter the following warning or error message when trying to copy or move item(s) into the PST: “Cannot copy the items. You don’t have appropriate permission to perform this operation”


No, It’s Not Malware

Posted by William Diaz on July 5, 2012


I was recently asked by a tech to look at someone’s system because they were concerned it may have malware installed on it. The reason for their suspicion was that after running Process Explorer they saw that Internet Explorer was being run as a child process of one of the Windows service host processes, svchost.exe.

A quick search on the Internet by the tech led to a lot of hits referring to malware infection of some sort, which is what originally raised his suspicion. For example, searching “svchost.exe launches iexplore.exe” returns on the first page numerous hits pointing to malware.

A more reasonable explanation for why you sometimes see the Windows service host hosting iexplore.exe is that you likely launched IE via a URL shortcut before opening IE itself. The URL shortcut isn’t a program itself and needs to leverage the DCOM Server Process Launcher service inside svchost.exe to open Internet Explorer.

The Case of the Missing Task Manager and Registry Editor part II (Windows Advanced ToolKit Malware)

Posted by William Diaz on June 28, 2012


I was originally introduced to this by a co-worker who wanted me to look at someone’s netbook and wrote about it here. The malware-scareware program had already been removed from the system, but the damage it had done had been left behind. Cleaning it up manually, though, would not be too difficult. As pointed out, it counters the user’s attempts to stop it by taking advantage of a built-in process that Windows uses for debugging applications, pointing the Task Manager and Regedit to its own fake anti-virus process. Further, it also counters anti-malware utilities and virus security suites by creating reg keys and using the same Debugger string to point to svchost.exe, which is not able to run other executables. The key to getting access to the registry and the task manager directly was to use AutoRuns.
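
To check a system for the Debugger redirection described above, the following PowerShell is an added example, not part of the original post. It assumes the redirection lives under the Image File Execution Options registry key (the post does not name the key) and flags the two cases the post mentions: entries for taskmgr.exe or regedit.exe, and Debugger strings pointing at svchost.exe.

```powershell
# Added example (not from the original post): list IFEO entries with a Debugger value.
# Assumption: the redirection uses the Image File Execution Options key.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Images the post describes as redirected to the fake anti-virus process
$WatchedImages = @('taskmgr.exe', 'regedit.exe')

function Get-IfeoDebugger {
    param([string[]]$Path = $Roots)
    foreach ($root in $Path) {
        # The Wow6432Node root only exists on 64-bit Windows
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image           = $_.PSChildName
                    Debugger        = $dbg
                    WatchedImage    = $WatchedImages -contains $_.PSChildName.ToLower()
                    PointsToSvchost = $dbg -match 'svchost\.exe'
                    Key             = $_.Name
                }
            }
        }
    }
}

# Read-only: prints every image that has a Debugger value, flagged rows included
Get-IfeoDebugger | Sort-Object Image | Format-Table -AutoSize -Wrap
```

Not every hit is malicious: Process Explorer's "Replace Task Manager" option sets a Debugger value for taskmgr.exe, so check where each Debugger string points before removing it.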

As it happened, a couple of days ago the wife starts complaining that she keeps getting persistent firewall popups. I told her to click allow and let me sleep. Then she mentioned another popup that she says is scanning the system and finding viruses. This sounds like classic scareware and when I take a look I see this:


When RDP “Disconnects”, It Might Be Crashing

Posted by William Diaz on June 18, 2012


It was reported by a local office technician that over the course of a few days several users were connecting to a site over the web that used Remote Desktop Connection to connect to a remote desktop/terminal services session. Shortly after connecting, users complained that their session was being disconnected. The issue was initially troubleshot as possibly a local setting in the OS, such as the IE proxy or maybe the TMG firewall client, but switching to a different proxy made no difference. It was then assumed that perhaps our network was part of the problem. Port issue? Not likely, ports 443 and 3389 are too common and since the users were able to connect initially, this could be eliminated as the cause. Last, the remote site technical support was contacted and asked at what point inactive sessions were being dropped. The answer to that was 1 hour and so this, too, was eliminated as the cause.

Eventually, the issue made its way to me, and the first thing I thought was that this was not specifically a “disconnect”. When I think disconnect, I’m thinking along the lines of excessive packet loss or corruption between the client and the server which results in a dropped connection. Another cause for a disconnected application could be that the client app or one of its components that handles the connection is crashing. To confirm my suspicion, I asked the local tech to provide me the name of one of the affected workstations. All the affected workstations were running Windows XP, which meant that if the RDP client was crashing, the post-mortem debugger might be capturing this. I navigated across the network to \\computername\c$\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and saw a recent drwtsn32.log and user dump.
