Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Posts Tagged ‘Process Monitor’

The Case of the Broken Windows Photo Viewer

Posted by William Diaz on September 9, 2016


A co-worker of mine was troubleshooting an issue where a user was unable to open images in the Windows Photo Viewer. Whenever she would try to view an image, the Photo Viewer would open but the image would never load; instead the image was replaced by the spinning blue circle. There was no issue opening the image with other image viewers. To troubleshoot, I fired up Process Monitor and captured a trace of the activity for a few seconds while trying to open the image.

Before starting, it's worth noting that the Windows Photo Viewer is not a separate process that runs out of C:\Program Files (x86)\Windows Photo Viewer. It is actually executed by dllhost.exe, a host process (the COM surrogate) that other processes (in this case explorer.exe) use to run code out of process. If something goes awry with the hosted code, only that instance of the host process is affected and not explorer.exe, where a crash would take the desktop down with it.

After a few seconds of capture, I stopped collecting activity, went to Tools > Count Occurrences > Column: Result. My guess was that the Windows Photo Viewer was looking for something that it needed to properly load the images but could not find it. I selected the PATH NOT FOUND value and applied it. There I could see that dllhost.exe was unable to locate some files in C:\Windows\System32\spool\drivers\color.


I looked at a couple of other systems and saw that this folder existed and was populated with the files the COM surrogate was looking for. I wasn't sure how, why, or by whom this folder had been deleted, but I copied it to the problem computer, opened an image with Windows Photo Viewer, and it was working.


ODT Setup Packager Error

Posted by William Diaz on February 16, 2016


Recently I needed to update my Office 2013 App-V 5 package. This is done via the Microsoft ODT tool by first downloading the content and then packaging it using the /packager command. The download went fine, but upon running the packager phase the command would immediately return to the prompt, which is an indication that something went wrong, because the packager phase usually takes a good 10 minutes to run. I checked and double-checked the xml files used to build the package, but they looked good. Troubleshooting the ODT setup is pretty straightforward, however: simply locate the setup logs in %temp%. They are named computer name + date.log. In my case, I kept encountering the following lines in the logs:

02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    ami7s    Monitorable    TryLaunchClient::HandleStateAction: C2R Client Install Process returned code 17003   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    apx75    Monitorable    TryLaunchClient::HandleStateAction: C2R Client returned failing error code 17003   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    aqdyq    Monitorable    TryHandleClientError::HandleStateAction: Another Scenario Running. Showing Error UI.   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    aoh9g    Medium    TryShowUI::HandleStateAction: Failure has occured, admin has disabled failure UI.   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    ami7r    Medium    TryShowUI::HandleStateAction: Showed Failure UI. Couldn’t start Office installation  We’re sorry, but we could not start your Office installation. Another installation is in progress. Please try again later.     
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run    aoh72    Medium    ExitBootStateMachine::HandleStateAction: Bootstrapper workflow exiting with result: 0x0   
02/12/2016 15:00:31.828    SETUP (0x1cc8)    0xc40        Click-To-Run Telemetry    aoh9z    Medium    AdminBootstrapper::Main: Installation came back with 17003.   
02/12/2016 15:00:31.829    SETUP (0x1cc8)    0xc40        Logging Liblet    aqc99    Medium    Logging liblet uninitializing.   

This wasn't completely unexpected, as I had used this computer previously to create my Office 2013 App-V packages. But I had never encountered this error, so I was not sure where to look to clean up the previous install. Enter Process Monitor. I fired it up, reproduced the issue, and stopped the trace. Although the trace was only a few seconds long, this will likely result in thousands or tens of thousands of operations being captured. This "noise" can quickly be cleaned up, though, using filters. I figured the likely culprit would be in the registry, so I started by limiting results to RegQueryKey. From there, I filtered for the only processes involved. With ODT, this is setup.exe, which then calls OfficeClickToRun.exe.


From here, I could see HKEY_CURRENT_USER\Software\Microsoft\Office\15.0 was being touched. Note that whatever version of Office you are packaging should not be installed on the machine where you are doing the packaging, so any key created here would have been created by the ODT setup.


Simply delete this key and run setup /packager again.
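The Photo Viewer and ODT posts above both do the same triage by hand in Process Monitor: Count Occurrences on the Result column, then filter by Result, Operation and Process Name. As an added example (not code from either post), the script below does that over a Procmon CSV export (File > Save, comma-separated format). The rows are constructed sample data in Procmon's default column layout, and the .icm file name is a placeholder.

```powershell
# Constructed sample rows in the default Procmon CSV column order; not a real trace.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"3:41:02.1000000 PM","dllhost.exe","5120","CreateFile","C:\Windows\System32\spool\drivers\color\EXAMPLE-PROFILE.icm","PATH NOT FOUND","Desired Access: Generic Read"
"3:41:02.1000100 PM","dllhost.exe","5120","CreateFile","C:\Windows\System32\spool\drivers\color\EXAMPLE-PROFILE.icm","PATH NOT FOUND","Desired Access: Generic Read"
"3:41:02.1000200 PM","dllhost.exe","5120","RegQueryKey","HKCU\Software\Microsoft\Windows Photo Viewer","SUCCESS","Query: Name"
"3:41:02.1000300 PM","explorer.exe","1844","RegQueryValue","HKCU\Software\Classes\.jpg","NAME NOT FOUND","Length: 144"
"3:41:02.1000400 PM","setup.exe","7020","RegQueryKey","HKCU\Software\Microsoft\Office\15.0","SUCCESS","Query: HandleTags"
"3:41:02.1000500 PM","OfficeClickToRun.exe","7044","RegQueryKey","HKCU\Software\Microsoft\Office\15.0","SUCCESS","Query: HandleTags"
'@

function Get-ProcmonResultCounts {
    param([Parameter(Mandatory)] [object[]] $Events)
    # Same as Tools > Count Occurrences > Column: Result
    $Events | Group-Object Result | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Result'; e = { $_.Name } }
}

function Find-ProcmonPaths {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string]   $Result    = 'PATH NOT FOUND',
        [string]   $Operation = '*',
        [string[]] $Process   = '*'
    )
    # Same as the Result / Operation / Process Name filters, then grouped by path
    $Events | Where-Object {
        $row = $_
        $row.Result -eq $Result -and $row.Operation -like $Operation -and
        @($Process | Where-Object { $row.'Process Name' -like $_ }).Count -gt 0
    } | Group-Object 'Process Name', Path | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Process'; e = { $_.Values[0] } },
                             @{ n = 'Path';    e = { $_.Values[1] } }
}

# Embedded sample; for a real trace use: $events = Import-Csv -LiteralPath 'C:\traces\Logfile.CSV'
$events = $sampleCsv | ConvertFrom-Csv

Get-ProcmonResultCounts -Events $events | Format-Table -AutoSize
# Photo Viewer post: what the COM surrogate (dllhost.exe) could not find
Find-ProcmonPaths -Events $events -Process 'dllhost.exe' | Format-Table -AutoSize
# ODT post: registry keys queried by the two ODT processes
Find-ProcmonPaths -Events $events -Result 'SUCCESS' -Operation 'RegQueryKey' `
    -Process 'setup.exe', 'OfficeClickToRun.exe' | Format-Table -AutoSize
```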


Login Issue and Mandatory Profiles

Posted by William Diaz on October 4, 2013


An interesting little quickie. After moving to mandatory profiles in a Citrix environment, a particular ActiveX web application would no longer allow logins. There was no error message of any kind, and it continued to work in another Citrix environment without mandatory profiles. I fired up Process Monitor and ran a short trace of Internet Explorer to capture everything that happened after I clicked Login. Nothing really stood out, but there might be some hope in an activity log I saw the application writing to:


Opening the log showed:

[W]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure while trying to acquire the crypto context/container (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013
[I]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failed while initializing the crypto context (GetLastError()=-2146893788 (The profile for the user is a temporary profile.)), I will try and re/generate a brand new container Thu Oct 03 22:46:00 2013
[E]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure, can’t acquire, nor create a new container (2) (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013


Some quick research pointed me to the article "RSACryptoServiceProvider fails when used with mandatory profiles". In short:

RSACryptoServiceProvider calls CryptAcquireContext API (http://msdn2.microsoft.com/en-us/library/aa379886.aspx) behind the scenes to get a handle to a key container within a CSP (Cryptographic Service Provider). CryptAcquireContext will fail with NTE_TEMPORARY_PROFILE error when called from a mandatory profile.

Mandatory profiles are read-only user profiles. Since changes to the mandatory profile cannot be saved, PKI design doesn’t allow this operation, and CryptAcquireContext prevents this scenario by failing.
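As an added example (not from the post or the article it cites), here is how an application built on RSACryptoServiceProvider can recognise exactly the error in the log above, -2146893788, which is HRESULT 0x80090024 (NTE_TEMPORARY_PROFILE), and react to it instead of failing silently. The container name is a placeholder, and the fallback to the machine key store is one option the .NET API offers, assumed here rather than taken from the article.

```powershell
# -2146893788 is the same value the application log printed: HRESULT 0x80090024,
# NTE_TEMPORARY_PROFILE, returned by CryptAcquireContext under a temporary or
# mandatory profile because the user key store cannot be written.
$NTE_TEMPORARY_PROFILE = -2146893788

function New-RsaKeyContainer {
    param(
        [Parameter(Mandatory)] [string] $ContainerName,   # placeholder name below
        [switch] $MachineStore
    )
    $csp = New-Object System.Security.Cryptography.CspParameters
    $csp.KeyContainerName = $ContainerName
    if ($MachineStore) {
        # Container lives in the machine key store, not in the user profile
        $csp.Flags = [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    }
    # RSACryptoServiceProvider calls CryptAcquireContext for this container here
    New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
}

function Get-RsaKeyContainerWithFallback {
    param([Parameter(Mandatory)] [string] $ContainerName)
    try {
        New-RsaKeyContainer -ContainerName $ContainerName
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # Only handle the read-only-profile case; anything else is still an error
        if ($_.Exception.HResult -ne $NTE_TEMPORARY_PROFILE) { throw }
        Write-Warning 'Temporary/mandatory profile: user key store is read-only, using the machine key store instead.'
        New-RsaKeyContainer -ContainerName $ContainerName -MachineStore
    }
}

$rsa = Get-RsaKeyContainerWithFallback -ContainerName 'ExampleAppContainer'
# Shows whether the key ended up in the user or the machine store
$rsa.CspKeyContainerInfo | Select-Object KeyContainerName, MachineKeyStore, UniqueKeyContainerName
```

A machine-store key is shared by the users of that computer rather than private to one profile, so this fallback only fits keys that do not need to be user-private; otherwise the fix belongs on the profile side, as the article describes.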


IE 9 Reset Deletes Favorites?

Posted by William Diaz on December 13, 2012


While speaking with a user a few days ago, she mentioned she had called the help desk to try to resolve an IE issue and the technician had decided to run a reset of IE. After restarting IE, she noticed her favorites had gone missing. To confirm, I fired up one of our firm-imaged Windows 7 PCs and was able to reproduce the problem. This was a surprise to me because I had never seen this behavior in our old XP environment (we are still relatively new to the Windows 7 platform). Microsoft even clearly states that a reset should preserve favorites in this Microsoft article:

Settings and items that are maintained

  • Favorites

  • Feeds and Web Slices

  • Content Advisor settings

  • Pre-approved ActiveX controls

  • Temporary Internet file (cache) path settings

  • Certificate information

  • Internet Programs (e‑mail, instant messenger, and other programs associated with Internet use)

  • Internet connection, proxy, and VPN settings

  • Default web browser setting

  • Toolbars are not restored

Not surprisingly, I could not reproduce this issue on my non-firm-imaged "vanilla" Windows 7 workstation. To find the cause, I turned to Process Monitor and ran a trace of IE while I selected the Reset button in the Advanced tab of Internet Options. The trace was over 20k operations and I had no idea what I was looking for. Looking at the operations on the .lnk files as they got deleted (the CloseFile operation) was not going to tell me why the links were being deleted. A file summary might help, however. My guess was that IE was reading a file somewhere to decide how to handle some of the reset parameters. To quickly get a list of files, I used Tools > File Summary and quickly saw what IE was performing most of its read operations on:


I navigated to C:\Program Files (x86)\Internet Explorer\CUSTOM and opened the INSTALL.INS file. I scanned the text file and spotted a suspect: FavoritesDelete=0x708F


Sure that this was the cause, I deleted that line, opened IE, imported a few links, ran the Reset in IE again, closed and reopened it, and saw that this time the IE Favorites were not deleted. Some quick research shows that the custom.ins file is deployed when the Internet Explorer Administration Kit is used to customize settings when IE is installed.

Another clue is the log written after the IE Reset completes: it records the changes in the brndlog.txt file (item 3 in the file summary).


The Case of the Runtime Error (or Check Your Time Zones & DST Settings)

Posted by William Diaz on May 7, 2012


One of our helpdesk technicians in a remote office reached out to me recently and asked me to assist with an application that had suddenly started crashing on him with the following error: "Microsoft Visual C++ Runtime Library. Runtime Error! This application has requested the Runtime to terminate it in an unusual way…"


Quickly Configure Symbol Information for Process Monitor & Process Explorer

Posted by William Diaz on May 1, 2012


I often find myself running Process Monitor and Process Explorer on user workstations. But to get the most out of either of these tools, you really need to configure symbols so you can accurately read thread and stack information when doing a deeper analysis of a process. This can often be a nuisance because I am a cut-and-paste type of guy, and even after doing it numerous times I still have trouble recalling the Microsoft symbol path. On top of that, many times I run these tools with the user connected, so speed is a necessity. To work around that, I decided to write a small script that I can run from a file server that will do it for me. Run the script before you start either tool.

There is one prerequisite, however: you need the full dbghelp.dll from the Windows Debugging Tools, as the debug help DLL in system32 is not sufficient. If you are running on both 32-bit and 64-bit systems, you will need to get both the 64-bit and 32-bit versions. Store them on a network share and modify the script below to point to that share. In my case, we are still a mixed environment, so I renamed the 32-bit dbghelp to dbghelp32.dll while the 64-bit version remains unchanged, and created two different scripts. The respective DLL will be copied into the folder C:\DbgHelp on the local system.

I also set the highlight duration to 5 seconds, so newly created and exited processes and threads stay highlighted a little longer.

Const HKEY_CURRENT_USER = &H80000001
strComputer = "."

' Connect to the WMI standard registry provider on the local machine
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' Process Explorer 64
strKeyPath = "Software\Sysinternals\Process Explorer"
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath

' Full dbghelp.dll, copied to C:\DbgHelp at the end of this script
strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

' Microsoft public symbol server
strValueName = "SymbolPath"
strValue = "http://msdl.microsoft.com/download/symbols"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

' Highlight new and exited processes/threads for 5 seconds (value is in milliseconds)
strValueName = "HighlightDuration"
dwValue = 5000
oReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, strValueName, dwValue

' Process Monitor 64
strKeyPath = "Software\Sysinternals\Process Monitor"
oReg.CreateKey HKEY_CURRENT_USER, strKeyPath

strValueName = "DbgHelpPath"
strValue = "C:\DbgHelp\dbghelp.dll"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

strValueName = "SymbolPath"
strValue = "http://msdl.microsoft.com/download/symbols"
oReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, strValueName, strValue

' Copy the full 64-bit dbghelp.dll from the file share to C:\DbgHelp
Set oFSO = CreateObject("Scripting.FileSystemObject")

If Not oFSO.FolderExists("C:\DbgHelp") Then
    oFSO.CreateFolder "C:\DbgHelp"
End If

' Third argument True overwrites an older copy already in the folder
oFSO.CopyFile "\\Server1\TechTools\dbghelp.dll", "C:\DbgHelp\", True


Investigating & Resolving Message Delays in Outlook with WinDbg

Posted by William Diaz on May 1, 2012


The problem starts after the user has had her Windows profile recreated but continues to experience some Outlook performance issues. Each time she clicks the New button in Outlook to create a new message, there is a 5 to 10 second delay before the blank message opens. There is also a 10+ second delay after she clicks Send, and Outlook becomes unresponsive for that time. I connect to her machine and quickly look at the Office Outlook registry keys for any unapproved 3rd party add-ins and see nothing out of the ordinary. I decide to dump the Outlook process when the hang is encountered and turn to Process Explorer. This is a simple matter of right-clicking the process and choosing Create Dump while it is in an unresponsive state. Actually, I collect two dumps, the other with Procdump in hang mode. I do this to ensure that the dumps are consistent; if the dumps are not similar, then I may need to collect more until a pattern emerges.

I copied the dumps to my workstation, opened them with WinDbg and ran the !analyze -v -hang command. The stacks in both dumps are similar. With the exception of the NRTExchn component (our DMS add-in for Outlook), these are all Microsoft modules. Normally this wouldn't excite me, but something stands out like a sore thumb as I move up the stack: the presence of msi.dll in the stack of the thread being examined.



Citrix Receiver Excessive Registry Polling?

Posted by William Diaz on April 4, 2012


While running Process Monitor on my primary workstation, I noticed repetitive registry operations coming from the Citrix Receiver application on the same keys.

How repetitive? 13,000+ registry operations per minute on my idle workstation with no active Citrix connections.

This applies to the Windows 7 client. I don't see the same activity for the Windows XP client.

I recalled a passage in Windows Internals, 5th Edition:

“Because the registry implements the RegNotifyChangeKey function that applications can use to request notification of registry changes without polling for them, when you launch Process Monitor on a system that’s idle you should not see repetitive accesses to the same registry keys or values. Any such activity identifies a poorly written application that unnecessarily affects a system’s overall performance.”

I don’t know the internals of the Receiver application, but this leaves me wondering if there is some room for improvement by implementing RegNotifyChangeKey to make it less “noisy”.
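As an added example (not Citrix's code, and not from the book), here is the polling pattern that shows up in Process Monitor as repeated reads of the same key, beside a subscription to the registry change notification the quote refers to, via the WMI registry event provider. The hive, key path and value name are placeholders.

```powershell
$hive      = 'HKEY_LOCAL_MACHINE'
$keyPath   = 'SOFTWARE\ExampleVendor\ExampleApp'   # placeholder key; must exist when registering
$valueName = 'ExampleSetting'                       # placeholder value

# Noisy pattern: re-read the value on a timer. Every pass shows up in Procmon as a
# fresh RegOpenKey / RegQueryValue / RegCloseKey on the same key, thousands per
# minute at this interval, even when nothing has changed.
function Watch-ValueByPolling {
    param([int] $Seconds = 5)
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $null = Get-ItemProperty -Path "Registry::$hive\$keyPath" -Name $valueName -ErrorAction SilentlyContinue
        Start-Sleep -Milliseconds 5
    }
}

# Quiet pattern: register once and get called back only when the value changes.
# The provider uses the OS change notification, so an idle system shows no
# repeated accesses to the key in Procmon. WQL needs backslashes in KeyPath doubled.
function Watch-ValueByNotification {
    $wqlKeyPath = $keyPath -replace '\\', '\\'
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='$hive' " +
             "AND KeyPath='$wqlKeyPath' AND ValueName='$valueName'"
    Register-WmiEvent -Query $query -SourceIdentifier 'ExampleAppWatch' -Action {
        $e = $Event.SourceEventArgs.NewEvent
        Write-Host ("{0} changed: {1}\{2}\{3}" -f (Get-Date -Format 'HH:mm:ss'),
                    $e.Hive, $e.KeyPath, $e.ValueName)
    }
}

Watch-ValueByNotification
# ... run Process Monitor now and compare against a call to Watch-ValueByPolling ...
# Clean up the subscription when done
Unregister-Event -SourceIdentifier 'ExampleAppWatch'
```

On PowerShell 7 use Register-CimIndicationEvent with the same query; Register-WmiEvent is the Windows PowerShell cmdlet of the post's era.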


Unraveling and Resolving An Outlook Crash with Process Monitor

Posted by William Diaz on March 2, 2012


While trying to import documents into our document management system via Outlook, Outlook would abruptly close on the user. I started the initial troubleshooting by disabling a couple of 3rd party add-ins in HKLM and HKCU\Software\Microsoft\Office\Outlook\Addins that were not part of the normal image. This can be done by modifying the load behavior of the add-in (see this MSDN article for details), but it had no effect on the behavior. I thought about capturing a crash dump of Outlook but decided not to waste any time there because, at this point, with the add-ins disabled, I was likely not going to see anything but the document management modules in the dump.

Instead, I turned to Process Monitor; perhaps it might reveal what Outlook was doing just before it crashed and give me some important clues. I set a filter to monitor only outlook.exe, dragged an item into the document management space in Outlook, clicked Save, and waited for it to crash. Afterwards, I scrolled to the end of the log and worked my way up. I also added a filter to include only registry activity, and then process and thread activity, so I could quickly see where Outlook was crashing.


The Case of the Missing Visio Menu Bar

Posted by William Diaz on March 1, 2012


When opening Visio, the user didn't see the common Menu Bar one normally sees in Microsoft Office products before 2007. The menu bar contains the literal menu options like File, Edit, View, Insert, and so on. There was also a 3rd party toolbar present that didn't look like it was functioning properly.

Perhaps the Menu Bar was disabled. This can be checked by right-clicking in the menu bar area and selecting Customize, then Toolbars.
