Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Posts Tagged ‘Process Monitor’

The Case of the Missing Image Preview Tiles

Posted by William Diaz on January 23, 2020

I have been out of it for sometime now, often tied up with one thing or the other and have not been able to contribute recently. But here is a quicky on an often overlooked part of Process Monitor, specifically the basic logging it does for Network Activity.

In this particular case, when using the Insert Online Pictures option available in a new Outlook message, after selecting one of the categories in the initial image window, a series of grayed-out tiles are presented instead of the actual image preview tiles:


I fired up Process Monitor and reproduced the issue, filtering for processes only from Outlook.exe. While quickly scrolling through the events, I noticed a couple entries for Network Activity with an obvious clue as to what was blocking the image previews. I further isolated these events by removing activity for File, Registry, and Process Activity, keeping only Network:


You can see that after hitting the initial IP (52.109…) for what looks to be, a disconnect takes place with path from, which is our firewall returning a false-positive for what it suspects to be adult content. To verify this was the case, I changed  Outlook to use a legacy proxy server (this is done via IE > Internet Options > Connection Settings) that we still keep around and was able to see the image preview tiles after performing the process again. The next course of action would be to modify the company firewall to allow the traffic.


Posted in Office, Troubleshooting Tools | Tagged: , | Leave a Comment »

The Case of the Dysfunctional Adobe PDF Plugin

Posted by William Diaz on November 1, 2018

A while back we had decided to transition to a new PDF software application. Although we did pilot it, once it went into our production environment, the wider user audience found that there were too many issues with the new product and we decided to go back to Adobe Acrobat. Soon after, we began to receive complaints that working with PDFs from the Internet in IE was at times dysfunctional. Specifically, opening or trying edit form-fillable PDFs would result in a generic “Error opening URL to submit this form.”

Additionally, it was noticed the Acrobat PDF Toolbar in IE stopped working and clicking on it did nothing.

The first thing to check was that the toolbar add-on module was actually loaded into the browser. This can be done from Internet Options > Programs > Manage add-ons. And, yes, it seems to be there and enabled:

How about the actual DLL itself? Where this resides can be gathered from the bottom portion of the Manage add-ons window by clicking on More information:

Sure, enough, the DLL was present in C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64.

For a deeper dig, I fire up Process Explorer and set a filter to only look at iexplorer.exe processes. I clicked on the dysfunctional toolbar a couple times and stopped the trace. I further filtered the results using Count Occurrences from the Tools menu and focused on No Such File results as there were only a handful and if a dependency was missing, it should be easily spotted here. I quickly spotted the issue and knew what the problem was:

The Acrobat add-on for IE supports both 32bit and 64bit process modes for IE. However, the More information link above can only show you the path for the 64bit module if both are present. When I looked in the 32bit module path C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX I could see that AcroIEFavClient.dll (the Adobe PDF Toolbar for IE) was missing from this path.

To verify this was the issue, I grabbed the 32bit DLL from a working computer and performed a file copy procedure using PSExec to the computer with the issue as this type of file copy has to be done as the system account because of the access permissions set on the folder (psexec -i -s cmd.exe). I fired up IE and was able to successfully run the toolbar. Additionally, the errors being seen when working with online PDFs also cleared up.

My guess was that somewhere between removing Acrobat PDF, installing its replacement, removing the replacement, and finally redeploying Acrobat created some contention during one of the file install operations and that dll went MIA. The quick fix for the user was simply to run a repair of Acrobat PDF via Programs & Features. Additionally, we setup a repair deployment to run using SCCM if AcroIEFavClient.dll was not present in C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX.

Posted in Troubleshooting, Troubleshooting Tools | Tagged: , | 1 Comment »

The Case of the Broken Windows Photo Viewer

Posted by William Diaz on September 9, 2016

A co-worker of mine was troubleshooting an issue where a user was unable to open images in the Windows Photo Viewer. Whenever she would try to view an image, the Photo Viewer would open but the image would never load; instead the image was replaced by the spinning blue circle. There was no issue opening the image with other image viewers. To troubleshoot, I fired up Process Monitor and captured a trace of the activity for a few seconds while trying to open the image.

Before starting, its worth noting that the Windows Photo Viewer is not an exclusive process that runs out of C:\Program Files (x86)\Windows Photo Viewer. It is actually executed by dllhost.exe, a host processes that is used by other processes (in this case explorer.exe) to launch code. If something were to go awry with hosted code, then it would only affect that instance of the host process and not explorer, which might crash the desktop.

After a few seconds of capture, I stopped collecting activity, went to Tools > Count Occurrences > Column: Result. My guess was that the Windows Photo Viewer was looking for something that it needed to properly load the images but could not find it. I selected the PATH NOT FOUND value and applied it. There I could see that dllhost.exe was unable to locate some files in C:\Windows\System32\spool\drivers\color.


I looked at a couple other systems and saw that this folder existed and was populated with the missing files the COM surrogate was looking for. I wasn’t sure how, why, who deleted this folder but I copied it to the problem computer, opened an image with Windows Photo Viewer and it was working.

Posted in Inside Windows, Troubleshooting | Tagged: | Leave a Comment »

ODT Setup Packager Error

Posted by William Diaz on February 16, 2016

Recently I needed to update my Office 2013 App-V 5 package. This is done via the Microsoft ODT tool by first downloading the content and then packaging using the /packager command. The download went fine, but upon running the packager phase the command would immediately go straight back to the prompt, which is an indication that something went wrong because the packager phase usually takes a good 10 minutes to run. I checked and double-checked the xml files used to build the package but it looked good. Troubleshooting the ODT setup is pretty straight forward, however; simply locate the setup logs in %temp%. They are named by computer name name + date.log. In my case, I kept encounter the following line in the logs:

02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    ami7s    Monitorable    TryLaunchClient::HandleStateAction: C2R Client Install Process returned code 17003   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    apx75    Monitorable    TryLaunchClient::HandleStateAction: C2R Client returned failing error code 17003   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    aqdyq    Monitorable    TryHandleClientError::HandleStateAction: Another Scenario Running. Showing Error UI.   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    aoh9g    Medium    TryShowUI::HandleStateAction: Failure has occured, admin has disabled failure UI.   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    ami7r    Medium    TryShowUI::HandleStateAction: Showed Failure UI. Couldn’t start Office installation  We’re sorry, but we could not start your Office installation. Another installation is in progress. Please try again later.     
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run    aoh72    Medium    ExitBootStateMachine::HandleStateAction: Bootstrapper workflow exiting with result: 0x0   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    aoh9z    Medium    AdminBootstrapper::Main: Installation came back with 17003.   
02/12/2016 15:00:31.829    SETUP (0x1cc8)    0xc40        Logging Liblet    aqc99    Medium    Logging liblet uninitializing.   

This wasn’t completely unexpected as I have used this computer previously to create my Office 2013 App-V packages. But I had never encountered it so I was not sure where to look to clean up the previous install. Enter Process Monitor. I fired it up, reproduced the issue, stopped the trace. Although the trace was only a few seconds, this will likely result in thousands or ten of thousands of operations being captured. This “noise” can quickly be cleaned up, though, using filters. I figured the likely culprit would be in the registry, so I started with limiting results to RegQueryKey. From there, I filtered for the only processes involved. With ODT, this is setup.exe which then calls OfficeClickToRun.exe.


From here, I could see HKEY_CURRENT_USER\Software\Microsoft\Office\15.0 was being touched. Note, that whatever version of Office you are packaging should not be installed on the machine where you are doing the packaging so any key created here would have been done by the ODT setup.


Simply delete this key and run setup /packager again.

Posted in Office, Troubleshooting | Tagged: | Leave a Comment »

Login Issue and Mandatory Profiles

Posted by William Diaz on October 4, 2013

An interesting little quickie. After moving to mandatory profiles in a Citrix environment, a particular ActiveX web application would no longer allow logins. There was no error message of any kind and it continued to work in another Citrix environment without mandatory profiles. I fired up Process Monitor and ran a little trace of Internet Explorer to capture everything that happened after I clicked login. Nothing interesting really stood out but there might be some hope in an activity log activity I saw occurring with the application:


Opening the log showed:

[W]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure while trying to acquire the crypto context/container (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013
[I]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failed while initializing the crypto context (GetLastError()=-2146893788 (The profile for the user is a temporary profile.)), I will try and re/generate a brand new container Thu Oct 03 22:46:00 2013
[E]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure, can’t acquire, nor create a new container (2) (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013


Some quick research pointed me to RSACryptoServiceProvider fails when used with mandatory profiles. In short:

RSACryptoServiceProvider calls CryptAcquireContext API ( behind the scenes to get a handle to a key container within a CSP (Cryptographic Service Provider). CryptAcquireContext will fail with NTE_TEMPORARY_PROFILE error when called from a mandatory profile.

Mandatory profiles are read-only user profiles. Since changes to the mandatory profile cannot be saved, PKI design doesn’t allow this operation, and CryptAcquireContext prevents this scenario by failing.

Posted in Troubleshooting Tools | Tagged: | Leave a Comment »

IE 9 Reset Deletes Favorites?

Posted by William Diaz on December 13, 2012

While speaking with a user a few days ago, she mentioned she called the help desk to try and resolve an IE issue and the technician decided to run a reset of IE. After restarting IE, she noticed her favorites had gone missing. To confirm, I fired up one of firm imaged Windows 7 PCs and was able to reproduce. This was a surprise to me because I had never seen this behavior in our old XP environment (we are still relatively new to the Windows 7 platform). Microsoft even clearly states that a reset should preserve favorites in this Microsoft article:

Settings and items that are maintained

  • Favorites

  • Feeds and Web Slices

  • Content Advisor settings

  • Pre-approved ActiveX controls

  • Temporary Internet file (cache) path settings

  • Certificate information

  • Internet Programs (e‑mail, instant messenger, and other programs associated with Internet use)

  • Internet connection, proxy, and VPN settings

  • Default web browser setting

  • Toolbars are not restored

Not surprisingly, I could not reproduce this issue on my non-firm imaged “vanilla” Windows 7 workstation. To find the cause, I turned to Process Monitor and ran a trace of IE when I selected the Reset button in the Advanced tab of Internet Options. The trace was over 20k operations and I had no idea what I was looking for. Looking at the operations on the .lnk as they got deleted (CloseFile operation) was not going to tell me why the links were getting deleted. A file summary might help, however. My guess was that IE was reading a file somewhere to decide how to handle some of reset parameters. To quickly get a list of files, I used Tools > File summary and quickly saw what IE was performing most of its read operations on:


I navigated to C:\Program Files (x86)\Internet Explorer\CUSTOM and opened the INSTALL.INS file. I scanned the text file and spotted a suspect: FavoritesDelete=0x708F


Sure this was the cause, I deleted that line, opened IE, imported a few links, ran the Reset in IE again, closed, opened, and saw this time the IE Favorites were not deleted. Some quick research shows that the custom.ins file is deployed when the Internet Explorer Admin Kit is used to customize settings when IE is installed.

Another clue would be the log created after the IE Reset was done as it writes the changes in the brndlog.txt file (number 3 in the file summary image above):


Posted in Troubleshooting | Tagged: , | Leave a Comment »

The Case of the Runtime Error (or Check Your Time Zones & DST Settings)

Posted by William Diaz on May 7, 2012

One of our helpdesk technician’s in a remote office reached out to me recently and asked me to assist with an application that suddenly started crashing on him with the following error: “Microsoft Visual C++ Runtime Library. Runtime Error! This application has requested the Runtime to terminate it in an unusual way…”

Posted in Troubleshooting, Troubleshooting Tools | Tagged: , , , | 1 Comment »

Quickly Configure Symbol Information for Process Monitor & Process Explorer

Posted by William Diaz on May 1, 2012

I often find myself running Process Monitor and Process Explorer on user workstations. But to get the most of either of these tools, you really need to configure symbols so you can accurately read thread and stack information when doing a deeper analysis of a process. This can often be a nuisance because I am a cut and paste type of guy and even after doing it numerous times, I still have trouble recalling the Microsoft symbol path. On top of that, many times I run these tools with the user connected so speed is a necessity. To work around that, I decided to write a small script that I can run from a file server that will do it for me. Run the script before your start either tool.

There is one prerequisite, however: you need the full dbghelp.dll from the Windows Debugging Tools as the debug help DLL in system32 is not sufficient. If you are running on both 32 and 64 bit systems, you will need to get both the 64 bit and 32 bit versions. Store them away on network share and modify the script below to look to that share. In my case, we are still a mixed environment so I renamed the 32 bit dbghelp to dbghelp32.dll while the 64 bit version remains unchanged and created two different scripts. The respective DLL will copied into a folder C:\DbgHelp on the local system .

I also added a 5 second duration for new open and close processes and threads.

const HKEY_CURRENT_USER = &H80000001
strComputer = "."
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" &_
strComputer & "\root\default:StdRegProv")
‘Process Explorer 64
strKeyPath = "Software\Sysinternals\Process Explorer"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath

strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

strValueName = "SymbolPath"
strValue = ""
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

strValueName = "HighlightDuration"
dwValue = 5000
oReg.SetDWORDValue HKEY_CURRENT_USER,strKeyPath,strValueName,dwValue

‘Process Monitor 64

strKeyPath = "Software\Sysinternals\Process Monitor"
oReg.CreateKey HKEY_CURRENT_USER,strKeyPath

strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

strValueName = "SymbolPath"
strValue = ""
oReg.SetStringValue HKEY_CURRENT_USER,strKeyPath,strValueName,strValue

‘Copy full dbghelp.dll 64 bit to folder DbgHelp.

Set oFSO = CreateObject("Scripting.FileSystemObject")
If Not oFSO.FolderExists( "C:\DbgHelp") Then
Set objFolder = oFSO.CreateFolder("C:\DbgHelp")
End If

Set FSO = CreateObject("Scripting.FileSystemObject")
FSO.CopyFile "\\Server1\TechTools\dbghelp.dll", "C:\DbgHelp\"

Posted in Troubleshooting Tools | Tagged: , | Leave a Comment »

Investigating & Resolving Message Delays in Outlook with WinDbg

Posted by William Diaz on May 1, 2012

The problem starts after the user has had their Windows profile recreated but continues to experience some Outlook performance issues. Each time she clicks the New button in Outlook to create a new message, there is a 5 to 10 second delay before the blank message opens. There is also a 10+ second delay after she clicks send and Outlook becomes unresponsive for that time. I connect to her and quickly look at the Office Outlook registry for any unapproved 3rd party add-ins and see nothing out of the ordinary. I decide to dump the Outlook process when the hang is encounter and turn to Process Explorer. This is a simple matter of right-clicking the process and choosing Create Dump when it is in an unresponsive state. Actually, I collect two dumps, the other with Procdump in hang mode. I do this to ensure that the dumps are consistent; if the dumps are not similar then I may need to collect more until a pattern emerges.

I copied the dumps to my workstation and opened them with WinDbg and run the !analyze –v –hang command. The stack for both dumps are similar. With the exception of the NRTExchn component (our DMS add-in for Outlook), these are all MS modules. Normally, this wouldn’t excite me but something stands out like a sore thumb as I move up the stack, the presence of msi.dll in the stack of the current examine thread.

Read the rest of this entry »

Posted in Office, Troubleshooting, Troubleshooting Tools | Tagged: , , , , | Leave a Comment »

Citrix Receiver Excessive Registry Polling?

Posted by William Diaz on April 4, 2012

While running Process Monitor on my primary workstation, I noticed repetitive registry operations coming from Citrix Receiver application on the same keys:
How repetitive? 13,000+ registry operations per minute on my idle workstation with no active Citrix connections:
This applies to the Windows 7 client. I don’t see the same activity for the Windows XP client.

I recalled a reading in the Windows Internals 5th Edition:

“Because the registry implements the RegNotifyChangeKey function that applications can use to request notification of registry changes without polling for them, when you launch Process Monitor on a system that’s idle you should not see repetitive accesses to the same registry keys or values. Any such activity identifies a poorly written application that unnecessarily affects a system’s overall performance.”

I don’t know the internals of the Receiver application, but this leaves me wondering if there is some room for improvement by implementing RegNotifyChangeKey to make it less “noisy”.

Posted in Uncategorized | Tagged: , | Leave a Comment »