Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Posts Tagged ‘Process Explorer’

Isolating Disk Activity To A Process

Posted by William Diaz on September 21, 2011


The other night I noticed the hard drive light on my laptop was solid for several minutes, indicating some fairly aggressive disk I/O. There were no open applications and I didn’t have any scheduled tasks running, not even the Windows 7 defrag (yeah, I still like to do everything manually). I also had a virtual Windows XP machine running inside Windows 7, but there were no open applications there, either. My knee-jerk reaction when I see this is to open the Task Manager and look for any processes using an excessive amount of CPU time, but there were none, and the system remained mostly idle according to the CPU counter in both Windows 7 and the virtual machine it was hosting.

To see what was causing the unknown disk I/O, I started by adding a few more columns to the Windows 7 Task Manager: I/O Reads, I/O Writes, I/O Read Bytes, and I/O Write Bytes. I sorted by both read bytes and write bytes, and the process using the most disk I/O was vpc.exe, the Virtual PC process:


Zero Day Malware Cleaning with the Sysinternals Tools

Posted by William Diaz on August 18, 2011


Slides from Mark Russinovich’s highly-rated Black Hat USA 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.

http://download.sysinternals.com/Files/SysinternalsMalwareCleaning.pdf


Inside Windows – Rundll32.exe

Posted by William Diaz on July 1, 2011


In an earlier blog post, I spoke about Windows services and how they are hosted by svchost.exe so that the functionality inside their DLL files can be executed. But what about non-service code? How do you execute a function inside a dynamic link library without launching the program the library belongs to? By using the rundll32.exe process (commonly described as “Run a DLL as an App”). An easy way to see this is to open any Control Panel extension, such as the Internet Options panel for Internet Explorer (inetcpl.cpl).

When rundll32.exe starts, it loads shell32.dll and calls the function (that is, executes the code) responsible for opening the Internet Options panel, with no need for Internet Explorer itself to open. You can see this by adding the Command Line column to the Windows Task Manager:


Inside Windows – svchost.exe

Posted by William Diaz on July 1, 2011


Think of svchost.exe as a container for the various services that run in Windows. Examples of these services are the Windows Task Scheduler, the DNS Client service, and the Plug and Play service. It used to be that all these services ran as programs (.exe), but Microsoft eventually decided to move this functionality into Dynamic Link Libraries (.dll), where it could run more efficiently. The only problem with this is that DLLs cannot be launched like programs; they must be loaded by an executable, hence the creation of the generic service host process.

Because svchost.exe hosts many services, you often see half a dozen or more svchost.exe instances running in the Windows Task Manager:


Know the Stack (or More Hang Analysis Using Process Explorer)

Posted by William Diaz on April 28, 2011


A few moments after opening Outlook, the user complains of unresponsiveness. We start by running Process Explorer. Process Explorer is self-contained, so there is no installation required. You can run it directly from Sysinternals Live: http://live.sysinternals.com/. I also keep a copy in our lab, so I ran it from there:


The Case of the Print to PDF Hangs

Posted by William Diaz on April 4, 2011


One morning I started hearing a few reports of users who were not able to print to the BullZip PDF software printer. After a 5-minute wait, the BullZip printer would return the following error: “An error occurred. Error 1008: Ghostscript timed out – Make PDF


The Case of the Outlook Send Email Hangs

Posted by William Diaz on February 3, 2011


Process Explorer can often give you clues to hung processes. Simply open the properties of the hung process and go to the Threads tab. Take this case, where Outlook was hanging and showing significant CPU usage while trying to send an email. I started by identifying the hung thread; here, the CPU Time and CSwitch Delta columns make this obvious. Select the thread and double-click it, or click the Stack button, to see the state of its stack. The stack reads from bottom to top, so look at the topmost (most recent) frames for clues to the problem. In this case, mshtml.dll stands out:


54 68 65 20 43 61 73 65 20 6f 66 20 74 68 65 20 4d 79 73 74 65 72 69 6f 75 73 20 53 79 73 74 65 6d 20 44 65 6c 61 79 73

Posted by William Diaz on November 14, 2010


The complaint: Excel would hang while opening. When it finally did come to life, it would keep hanging on almost any task. Often, these issues are troubleshot in a predictable manner: Repair Office, Uninstall Office, Reinstall Office, and, finally, take a shotgun to the user’s Windows profile and blow it away. Personally, I frown on these approaches; they only serve to make the user start from scratch while doing nothing to reveal the problem. Another downside is that you may be dealing with something impacting several users or workstations, each being handled independently by the tech in the next cubicle as if it were a separate issue. And since the problem was related to the user profile, specifically to HKCU, it is likely each one would have ended in a Windows profile recreation. If you have ever had to recreate a profile, you know these can be time-consuming, since not all settings in today’s large enterprise environments are copied into the roaming profile (think folder exclusions, for example).


Manual Discovery and Removal of Malware

Posted by William Diaz on October 6, 2010


If you have not had a chance, set aside some time to watch Advanced Malware Cleaning, an excellent webcast by Mark Russinovich. I used some of the techniques from that presentation to identify and remove malware on systems I have come across.

In this case, the user would open Internet Explorer but was not able to connect to the Internet. This would happen a couple of times a day. The problem was tracked down to the Proxy field not populating with the office ISA Server address, and the field remained grayed out so it could not be toggled on directly. The issue could be worked around temporarily by editing the registry to enable the proxy, but at some point the setting was getting removed again. I was already suspicious that this was malware-related, because each day the user logged on, the antivirus suite would catch the same DLLs being downloaded to the system and delete them.

My tools were Process Explorer and Autoruns. Here are the first things I noticed:


Outlook 2007/2010 File Delete Quirk

Posted by William Diaz on July 20, 2010


I ran into this one while troubleshooting The Case of the Crashing Email with a different version of Outlook. I created a test folder to save the attachments from the crashing email message. When I was done, I went to delete the folder and received the error: “Error Deleting File or Folder. Cannot delete filename. It is being used by another person or program…”
