Channel: Sysinternals Forums

Process Explorer : Process Explorer Interferes with Service Deletion

Author: ChaosEngine
Subject: Process Explorer Interferes with Service Deletion
Posted: 02 September 2015 at 1:47am

Like I stated above, it was just a suggestion to get the install process to work correctly until you found a fix for the issue, not an argument.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: OverVascoPT
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 September 2015 at 1:55am

Hi. Thank you for everything.

Can you please tell me how I can solve these CPU spikes at idle?

And if it's not asking too much, could you please tell me how you read the information I sent you? Maybe a screenshot of that. I don't doubt your ability, but I'm really interested in learning more about this, to understand how to read it.

Thank you again.
OverVasco

PsTools : PSshutdown problem in Win2008

Author: BBman
Subject: PSshutdown problem in Win2008
Posted: 02 September 2015 at 4:18am

Dear all,

 
I found that when I use psshutdown against a list of computers, there are many established connections from the local machine to the various remote workstations. I found the new psshutdown process is slow to access the other workstations.
 
i.e.
system 4 tcp WOL-PC 61234 remote-pc1 microsoft-ds established
system 4 tcp WOL-PC 61212 remote-pc2 microsoft-ds established
 
I need to close the connections so that the performance of psshutdown resumes. But why? How do I make them close by default after the command completes? Thanks!

Troubleshooting : 50% cpu service wmiprvse.exe

Author: MagicAndre1981
Subject: 50% cpu service wmiprvse.exe
Posted: 02 September 2015 at 5:04am

capture a xperf trace and share it:

http://forum.sysinternals.com/profsvc-using-significant-cpu-wbemcoredll_topic30521_post143023.html#143023

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 September 2015 at 5:07am

Open task scheduler and disable the Idle Maintenance task.

Microsoft explained here in a video how to read the ETL files:

https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-42-WPT-CPU-Analysis


Process Monitor : Use-After-Free in Process Monitor

Author: ariccio
Subject: Use-After-Free in Process Monitor
Posted: 02 September 2015 at 6:52am

I'm not sure what exactly is going on, but Procmon crashed on me a few times, and I was able to reproduce under application verifier. It seemed to be triggered by a Windows Defender scan completing.

Debugging info:


```
=======================================
VERIFIER STOP 0000000000000013: pid 0x1668: First chance access violation for current stack trace. 

0000005DB18EA77E : Invalid address causing the exception.
00007FF65AAAB535 : Code address executing the invalid access.
0000005DC9DA7FB0 : Exception record.
0000005DC9DA7AC0 : Context record.


=======================================
This verifier stop is continuable.
After debugging it use `go' to continue.

=======================================

(1668.1eb4): Break instruction exception - code 80000003 (first chance)
vrfcore!VerifierStopMessageEx+0x6d0:
00007ffb`326a2190 cc              int     3
1:010> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

APPLICATION_VERIFIER_HEAPS_FIRST_CHANCE_ACCESS_VIOLATION (13)
First chance access violation for current stack trace.
This is the most common application verifier stop. Typically it is caused by a
buffer overrun error. The heap verifier places a non-accessible page at the end
of a heap allocation and a buffer overrun will cause an exception by
touching this page. To debug this stop identify the access address that caused
the exception and then use the following debugger command:
    !heap -p -a ACCESS_ADDRESS
This command will give details about the nature of the error and what heap block is
overrun. It will also give the stack trace for the block allocation.
There are several other causes for this stop. For example accessing a heap block
after being freed. The same debugger command will be useful for this case too. 
Arguments:
Arg1: 0000005db18ea77e, Invalid address causing the exception. 
Arg2: 00007ff65aaab535, Code address executing the invalid access. 
Arg3: 0000005dc9da7fb0, Exception record. 
Arg4: 0000005dc9da7ac0, Context record. 

FAULTING_IP: 
Procmon+3b535
00007ff6`5aaab535 6642837c42fe00  cmp     word ptr [rdx+r8*2-2],0

EXCEPTION_RECORD:  0000005dc9da7fb0 -- (.exr 0x5dc9da7fb0)
ExceptionAddress: 00007ff65aaab535 (Procmon+0x000000000003b535)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000005db18ea77e
Attempt to read from address 0000005db18ea77e

FAULTING_THREAD:  0000184c

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT_AVRF

PROCESS_NAME:  Procmon.exe

CONTEXT:  0000005dc9da7ac0 -- (.cxr 0x5dc9da7ac0)
rax=0000000000000007 rbx=0000005dc9da8268 rcx=0000005dc9da8268
rdx=0000005db132a780 rsi=0000005db1318999 rdi=0000000000000026
rip=00007ff65aaab535 rsp=0000005dc9da81f0 rbp=0000005dc9da83a0
 r8=00000000002e0000  r9=0000005db131a758 r10=0000005db132a780
r11=000000000000ffff r12=0000000000000000 r13=00007ff65aa70000
r14=0000005db131a758 r15=00000000ffffffff
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
Procmon+0x3b535:
00007ff6`5aaab535 6642837c42fe00  cmp     word ptr [rdx+r8*2-2],0 ds:0000005d`b18ea77e=????
Resetting default scope

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

EXCEPTION_PARAMETER1:  0000000000000000

NTGLOBALFLAG:  2000100

APPLICATION_VERIFIER_FLAGS:  80001041

APPLICATION_VERIFIER_LOADED: 1

APP:  procmon.exe

ANALYSIS_VERSION: 10.0.10240.9 amd64fre

BUGCHECK_STR:  STATUS_BREAKPOINT_AVRF

LAST_CONTROL_TRANSFER:  from 00007ffb326a8540 to 00007ffb326a2190

STACK_TEXT:  
0000005d`c9da6ce0 00007ffb`326a8540 : bad1bad1`bad1bad1 bad1bad1`bad1bad1 bad1bad1`bad1bad1 bad1bad1`bad1bad1 : vrfcore!VerifierStopMessageEx+0x6d0
0000005d`c9da7040 00007ffb`2e955f92 : bad1bad1`bad1bad1 bad1bad1`bad1bad1 bad1bad1`bad1bad1 bad1bad1`bad1bad1 : vrfcore!VfCoreRedirectedStopMessage+0x90
0000005d`c9da70d0 00007ffb`48237075 : 00007ffb`2e955ef0 00007ffb`2e9e5070 bad1bad1`bad1bad1 00007ffb`2e9e5050 : verifier!VerifierStopMessage+0xa2
0000005d`c9da7180 00007ffb`2e9c26c5 : 0000005d`c9da7fb0 00007ffb`2e9c3c30 0000005d`b18ea77e 0000005d`c9da7360 : ntdll!RtlApplicationVerifierStop+0x105
0000005d`c9da71e0 00007ffb`2e9c4606 : 0000005d`c9da7fb0 00007ffb`2e9c3c30 0000005d`d03c4fe0 bad1bad1`bad1bad1 : vfbasics!VerifierStopMessage+0x245
0000005d`c9da7240 00007ffb`2e9c3c4a : 0000005d`c9da7360 0000005d`d03c4fe0 bad1bad1`bad1bad1 bad1bad1`bad1bad1 : vfbasics!AVrfpCheckFirstChanceException+0x136
0000005d`c9da72d0 00007ffb`481d22c7 : 00007ffb`482b2128 bad1bad1`bad1bad1 bad1bad1`bad1bad1 0000005d`b1318999 : vfbasics!AVrfpVectoredExceptionHandler+0x1a
0000005d`c9da7320 00007ffb`481838fe : 0000005d`c9da7fb0 0000005d`c9da7ac0 bad1bad1`bad1ba00 bad1bad1`77aca12f : ntdll!RtlpCallVectoredHandlers+0x113
0000005d`c9da73c0 00007ffb`4820544a : 00000000`00000000 00000000`00000000 0000005d`c9da8268 00000000`00000000 : ntdll!RtlDispatchException+0x6e
0000005d`c9da7ac0 00007ff6`5aaab535 : 00000000`00000000 00000000`0000a910 0000005d`f5953e50 00007ffb`2e9c6c89 : ntdll!KiUserExceptionDispatch+0x3a
0000005d`c9da81f0 00007ff6`5aa9d790 : 00007ff6`5ab12f38 00007ff6`5aa81d39 0000005d`c9da82d0 0000005d`c9da83a0 : Procmon+0x3b535
0000005d`c9da8230 00007ff6`5aa9b1f5 : 0000005d`c9da85c8 0000005d`c9da82d0 0000005d`b1318999 00007ffb`2e954658 : Procmon+0x2d790
0000005d`c9da82a0 00007ff6`5aa81c7f : 0000005d`c9da8658 00000000`0000013c 00000000`0000013d 00007ff6`5ab106d4 : Procmon+0x2b1f5
0000005d`c9da8540 00007ff6`5aa82010 : 00000000`0057093c 0000005d`c9da8658 0000005d`c9da9ee0 00000000`00000000 : Procmon+0x11c7f
0000005d`c9da85b0 00007ff6`5aac94f6 : 00000000`0057093c 0000005d`ba0aa700 0000005d`c9da9ee0 00000000`00000000 : Procmon+0x12010
0000005d`c9da8650 00007ffb`479600dc : 00007ffb`47753b80 00007ffb`2e9c7759 ffffffff`a8010ebf 00000000`00000000 : Procmon+0x594f6
0000005d`c9da9b90 00007ffb`4795f845 : 0000005d`d24bcdd0 00007ff6`5aac8920 00000000`0057093c 00000000`0000004e : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9da9c80 00007ffb`4795f5ab : 00000000`40000000 00000000`00570900 00000000`000003f9 0000005d`d24bcdd0 : USER32!SendMessageWorker+0x235
0000005d`c9da9d10 00007ffb`43b258b2 : 0000005d`d5b64d60 00000000`00000000 0000005d`c9da9e19 00000000`0057093c : USER32!SendMessageW+0xfb
0000005d`c9da9d70 00007ffb`43b2485e : 0000005d`d5a31fd8 0000005d`c9daab90 00000000`00000000 0000005d`c9daa040 : COMCTL32!CCSendNotify+0xf2
0000005d`c9da9e80 00007ffb`43b212e5 : 0000037f`000004f8 00007ffb`00000001 00000000`00001000 00000000`00000000 : COMCTL32!CLVItemStore::OnGetItem+0x27e
0000005d`c9daa050 00007ffb`43b1f17f : 00000000`00000000 00000000`001b0334 00000000`00000000 00000000`00001073 : COMCTL32!CListView::WndProc+0x2e5
0000005d`c9daa250 00007ffb`479600dc : 00000000`00000000 00000000`00001073 00000000`00000001 00000000`ffffffff : COMCTL32!CListView::s_WndProc+0x6f
0000005d`c9daa2c0 00007ffb`4795f991 : 0000005d`c9daa5f0 00007ffb`43b1f110 00000000`001b0334 00007ffb`43b1f110 : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9daa3b0 00007ffb`43b2a9af : 0000005d`c9daa5f0 00000000`00001073 00000000`00000000 00000000`00000001 : USER32!CallWindowProcW+0x91
0000005d`c9daa400 00007ffb`43b2a8d5 : 0000005d`c9daa5f0 00000000`00000001 0000005d`c9daa5f0 00007ffb`476123c2 : COMCTL32!CallNextSubclassProc+0x29f
0000005d`c9daa4d0 00007ffb`43b2a5c2 : 0000005d`d5be8f80 0000005d`c9daab90 00000000`0006e79e 0000005d`d5a31000 : COMCTL32!CallNextSubclassProc+0x1c5
0000005d`c9daa5a0 00007ffb`479600dc : 00000000`0037d980 00000000`00000000 00000000`00000001 00000000`ffffffff : COMCTL32!MasterSubclassProc+0xa2
0000005d`c9daa640 00007ffb`4795f991 : 00000000`00001073 00007ffb`43b2a520 00000000`001b0334 00007ffb`43b2a520 : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9daa730 00007ff6`5aa9a6d8 : 00000000`00001073 0000005d`c9daa819 00000000`001b0334 0000005d`c9daab90 : USER32!CallWindowProcW+0x91
0000005d`c9daa780 00007ffb`479600dc : 00000000`ffffffff 00000000`00000000 00000000`00000001 00000000`ffffffff : Procmon+0x2a6d8
0000005d`c9daa880 00007ffb`4795f845 : 0000005d`d2489930 00007ff6`5aa9a350 00000000`001b0334 00000000`00001073 : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9daa970 00007ffb`4795f5ab : 00000000`40000000 00000000`45102000 00000000`0006e79e 0000005d`d2489930 : USER32!SendMessageWorker+0x235
0000005d`c9daaa00 00007ff6`5aa98f9d : 00007ff6`5ab55240 ffffffff`a8010ebf 0000005d`c9daab60 0000005d`c9dae5d0 : USER32!SendMessageW+0xfb
0000005d`c9daaa60 00007ff6`5aac95c0 : 00000000`0057093c 00000000`0057093c 0000005d`c9dae5d0 00000000`00000001 : Procmon+0x28f9d
0000005d`c9dacd60 00007ffb`479600dc : 00000000`0057093c 00000000`00000000 00000000`00000001 00007ffb`42ec8d80 : Procmon+0x595c0
0000005d`c9dae2a0 00007ffb`4795f845 : 0000005d`d24bcdd0 00007ff6`5aac8920 00000000`0057093c 00000000`0000002b : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9dae390 00007ffb`4795f5ab : 00000000`40000000 00007ffb`43b2a600 00000000`000003f9 0000005d`d24bcdd0 : USER32!SendMessageWorker+0x235
0000005d`c9dae420 00007ffb`43ae1079 : 00000000`00000000 00000000`00000000 0000005d`c9dae580 0000005d`d5b74fd0 : USER32!SendMessageW+0xfb
0000005d`c9dae480 00007ffb`43b18593 : 0000005d`c9daea80 00000000`00000000 0000005d`c9daea80 0000005d`c9daea80 : COMCTL32!CLVReportView::v_DrawItem+0x7f9
0000005d`c9dae940 00007ffb`43b16bb9 : 00000000`0006e79e 00000000`0006e79e 0000005d`c9daeb10 0000005d`d5b64d00 : COMCTL32!CLVDrawItemManager::DrawItem+0x297
0000005d`c9daea10 00007ffb`43b175aa : 00000000`00000001 0000005d`d07e2df8 00000000`00000000 0000005d`d5b6efd0 : COMCTL32!CLVDrawManager::_PaintItems+0x245
0000005d`c9daec50 00007ffb`43b17753 : 0000005d`cd8d01a0 0000005d`d5b6efd0 ffffffff`a8010ebf 0000005d`d5b6efd0 : COMCTL32!CLVDrawManager::_PaintWorkArea+0xc6
0000005d`c9daecd0 00007ffb`43b1784e : 0000005d`d5b6efd0 00000000`00000000 00000000`00000000 0000005d`d5b6efd0 : COMCTL32!CLVDrawManager::_OnPaintWorkAreas+0x123
0000005d`c9daed60 00007ffb`43b17bdd : 00000000`00000001 00000000`ffffffff 00000000`0000000f 00007ffb`00000001 : COMCTL32!CLVDrawManager::_OnPaint+0xb6
0000005d`c9daee10 00007ffb`43b216b9 : 00000000`0000000f 0000005d`c9daef40 00000000`00000000 00000000`00000000 : COMCTL32!CLVDrawManager::OnPaint+0x65
0000005d`c9daee40 00007ffb`43b1f17f : 00000000`00000000 00000000`001b0334 00000000`00000000 00000000`0000000f : COMCTL32!CListView::WndProc+0x6b9
0000005d`c9daf040 00007ffb`479600dc : 00000000`00000000 00000000`0000000f 00000000`00000001 00000000`ffffffff : COMCTL32!CListView::s_WndProc+0x6f
0000005d`c9daf0b0 00007ffb`4795f991 : 0000005d`c9daf3e0 00007ffb`43b1f110 00000000`001b0334 00007ffb`43b1f110 : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9daf1a0 00007ffb`43b2a9af : 0000005d`c9daf3e0 00000000`0000000f 00000000`00000000 00000000`00000001 : USER32!CallWindowProcW+0x91
0000005d`c9daf1f0 00007ffb`43b2a8d5 : 0000005d`c9daf3e0 00000000`00000001 0000005d`c9daf3e0 00000000`00000000 : COMCTL32!CallNextSubclassProc+0x29f
0000005d`c9daf2c0 00007ffb`43b2a5c2 : 00000000`000001d0 00000000`00000000 00000000`00000000 0000005d`d5c97ec0 : COMCTL32!CallNextSubclassProc+0x1c5
0000005d`c9daf390 00007ffb`479600dc : 00007ff6`5a4be800 00000000`002d08d0 00000000`00000410 00007ffb`4795f5ab : COMCTL32!MasterSubclassProc+0xa2
0000005d`c9daf430 00007ffb`4795f991 : 00000000`0000000f 00007ffb`43b2a520 00000000`001b0334 00007ffb`43b2a520 : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9daf520 00007ff6`5aa9a6d8 : 00000000`0000000f 0000005d`c9daf609 00000000`001b0334 00000000`00000000 : USER32!CallWindowProcW+0x91
0000005d`c9daf570 00007ffb`479600dc : 00000000`001b0334 00000000`00000000 00000000`00000001 00007ffb`42ec8d80 : Procmon+0x2a6d8
0000005d`c9daf670 00007ffb`4795fe52 : 00000000`00000000 00007ff6`5aa9a350 00000000`001b0334 00000000`00000000 : USER32!UserCallWinProcCheckWow+0x1fc
0000005d`c9daf760 00007ffb`4796d3fe : 00007ffb`48203410 00000000`00000000 0000005d`c9daf878 00000000`ffffffff : USER32!DispatchClientMessage+0xa2
0000005d`c9daf7c0 00007ffb`482053e4 : 00000000`00000000 00000000`00000000 00000000`00000048 00000000`00000001 : USER32!_fnDWORD+0x3e
0000005d`c9daf820 00007ffb`4797ffba : 00007ffb`4795fca7 0000005d`d24bcdd0 00007ff6`5aac8920 00000000`0057093c : ntdll!KiUserCallbackDispatcherContinue
0000005d`c9daf8a8 00007ffb`4795fca7 : 0000005d`d24bcdd0 00007ff6`5aac8920 00000000`0057093c 00007ffb`47962a54 : USER32!NtUserDispatchMessage+0xa
0000005d`c9daf8b0 00007ffb`4796212f : 00000000`0000012c 00000000`00000000 00000000`00000001 00007ff6`5aac8920 : USER32!DispatchMessageWorker+0x247
0000005d`c9daf930 00007ff6`5aaddd3a : 00000000`0057093c 0000005d`c9dafa90 00000000`0000012c 00000000`0000012c : USER32!IsDialogMessageW+0x10f
0000005d`c9daf990 00007ff6`5aaf32a0 : 00000000`00000000 00007ff6`5aa70000 00000000`0000000a 00000000`0000000a : Procmon+0x6dd3a
0000005d`c9dafe00 00007ffb`45902d92 : 00000000`00000000 00007ff6`5aaf3144 00007ff6`5a4bd000 00000000`00000000 : Procmon+0x832a0
0000005d`c9dafe40 00007ffb`48179f64 : 00007ffb`45902d70 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
0000005d`c9dafe70 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34


FOLLOWUP_IP: 
Procmon+3b535
00007ff6`5aaab535 6642837c42fe00  cmp     word ptr [rdx+r8*2-2],0

SYMBOL_STACK_INDEX:  a

SYMBOL_NAME:  procmon+3b535

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Procmon

IMAGE_NAME:  Procmon64.exe

DEBUG_FLR_IMAGE_TIMESTAMP:  5563bffd

STACK_COMMAND:  ~10s ; kb

BUCKET_ID:  STATUS_BREAKPOINT_AVRF_procmon+3b535

PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT_AVRF_procmon+3b535

FAILURE_PROBLEM_CLASS:  STATUS_BREAKPOINT_AVRF

FAILURE_EXCEPTION_CODE:  80000003

FAILURE_IMAGE_NAME:  Procmon64.exe

FAILURE_FUNCTION_NAME:  Unknown

FAILURE_SYMBOL_NAME:  Procmon64.exe!Unknown

FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_AVRF_80000003_Procmon64.exe!Unknown

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:status_breakpoint_avrf_80000003_procmon64.exe!unknown

FAILURE_ID_HASH:  {8b9526c7-151c-5bc7-3873-011c18b6e162}

Followup:     MachineOwner
---------

1:010> !heap -p -a 0000005db18ea77e
    address 0000005db18ea77e found in
    _DPH_HEAP_ROOT @ 5dd47e1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                 5dd47fbc30:       5db18cf000            1d000
    00007ffb4825c493 ntdll!RtlDebugFreeHeap+0x0000000000000047
    00007ffb482150e9 ntdll!RtlpFreeHeap+0x00000000000792a9
    00007ffb4819a996 ntdll!RtlFreeHeap+0x0000000000000106
    00007ffb326ac146 vrfcore!VfCoreRtlFreeHeap+0x0000000000000036
    00007ffb2e9d0699 vfbasics!AVrfpRtlFreeHeap+0x0000000000000119
    00007ffb2e9d2229 vfbasics!AVrfpHeapFree+0x0000000000000109
    00007ff65aab1252 Procmon+0x0000000000041252
    00007ff65aaf224f Procmon+0x000000000008224f
    00007ff65aaf23f6 Procmon+0x00000000000823f6
    00007ffb2e9da4dd vfbasics!AVrfpStandardThreadFunction+0x000000000000004d
    00007ffb45902d92 KERNEL32!BaseThreadInitThunk+0x0000000000000022
    00007ffb48179f64 ntdll!RtlUserThreadStart+0x0000000000000034

 
1:010> k
 # Child-SP          RetAddr           Call Site
00 0000005d`c9da6ce0 00007ffb`326a8540 vrfcore!VerifierStopMessageEx+0x6d0
01 0000005d`c9da7040 00007ffb`2e955f92 vrfcore!VfCoreRedirectedStopMessage+0x90
02 0000005d`c9da70d0 00007ffb`48237075 verifier!VerifierStopMessage+0xa2
03 0000005d`c9da7180 00007ffb`2e9c26c5 ntdll!RtlApplicationVerifierStop+0x105
04 0000005d`c9da71e0 00007ffb`2e9c4606 vfbasics!VerifierStopMessage+0x245
05 0000005d`c9da7240 00007ffb`2e9c3c4a vfbasics!AVrfpCheckFirstChanceException+0x136
06 0000005d`c9da72d0 00007ffb`481d22c7 vfbasics!AVrfpVectoredExceptionHandler+0x1a
07 0000005d`c9da7320 00007ffb`481838fe ntdll!RtlpCallVectoredHandlers+0x113
08 0000005d`c9da73c0 00007ffb`4820544a ntdll!RtlDispatchException+0x6e
09 0000005d`c9da7ac0 00007ff6`5aaab535 ntdll!KiUserExceptionDispatch+0x3a
0a 0000005d`c9da81f0 00007ff6`5aa9d790 Procmon+0x3b535
0b 0000005d`c9da8230 00007ff6`5aa9b1f5 Procmon+0x2d790
0c 0000005d`c9da82a0 00007ff6`5aa81c7f Procmon+0x2b1f5
0d 0000005d`c9da8540 00007ff6`5aa82010 Procmon+0x11c7f
0e 0000005d`c9da85b0 00007ff6`5aac94f6 Procmon+0x12010
0f 0000005d`c9da8650 00007ffb`479600dc Procmon+0x594f6
10 0000005d`c9da9b90 00007ffb`4795f845 USER32!UserCallWinProcCheckWow+0x1fc
11 0000005d`c9da9c80 00007ffb`4795f5ab USER32!SendMessageWorker+0x235
12 0000005d`c9da9d10 00007ffb`43b258b2 USER32!SendMessageW+0xfb
13 0000005d`c9da9d70 00007ffb`43b2485e COMCTL32!CCSendNotify+0xf2
14 0000005d`c9da9e80 00007ffb`43b212e5 COMCTL32!CLVItemStore::OnGetItem+0x27e
15 0000005d`c9daa050 00007ffb`43b1f17f COMCTL32!CListView::WndProc+0x2e5
16 0000005d`c9daa250 00007ffb`479600dc COMCTL32!CListView::s_WndProc+0x6f
17 0000005d`c9daa2c0 00007ffb`4795f991 USER32!UserCallWinProcCheckWow+0x1fc
18 0000005d`c9daa3b0 00007ffb`43b2a9af USER32!CallWindowProcW+0x91
19 0000005d`c9daa400 00007ffb`43b2a8d5 COMCTL32!CallNextSubclassProc+0x29f
1a 0000005d`c9daa4d0 00007ffb`43b2a5c2 COMCTL32!CallNextSubclassProc+0x1c5
1b 0000005d`c9daa5a0 00007ffb`479600dc COMCTL32!MasterSubclassProc+0xa2
1c 0000005d`c9daa640 00007ffb`4795f991 USER32!UserCallWinProcCheckWow+0x1fc
1d 0000005d`c9daa730 00007ff6`5aa9a6d8 USER32!CallWindowProcW+0x91
1e 0000005d`c9daa780 00007ffb`479600dc Procmon+0x2a6d8
1f 0000005d`c9daa880 00007ffb`4795f845 USER32!UserCallWinProcCheckWow+0x1fc
20 0000005d`c9daa970 00007ffb`4795f5ab USER32!SendMessageWorker+0x235
21 0000005d`c9daaa00 00007ff6`5aa98f9d USER32!SendMessageW+0xfb
22 0000005d`c9daaa60 00007ff6`5aac95c0 Procmon+0x28f9d
23 0000005d`c9dacd60 00007ffb`479600dc Procmon+0x595c0
24 0000005d`c9dae2a0 00007ffb`4795f845 USER32!UserCallWinProcCheckWow+0x1fc
25 0000005d`c9dae390 00007ffb`4795f5ab USER32!SendMessageWorker+0x235
26 0000005d`c9dae420 00007ffb`43ae1079 USER32!SendMessageW+0xfb
27 0000005d`c9dae480 00007ffb`43b18593 COMCTL32!CLVReportView::v_DrawItem+0x7f9
28 0000005d`c9dae940 00007ffb`43b16bb9 COMCTL32!CLVDrawItemManager::DrawItem+0x297
29 0000005d`c9daea10 00007ffb`43b175aa COMCTL32!CLVDrawManager::_PaintItems+0x245
2a 0000005d`c9daec50 00007ffb`43b17753 COMCTL32!CLVDrawManager::_PaintWorkArea+0xc6
2b 0000005d`c9daecd0 00007ffb`43b1784e COMCTL32!CLVDrawManager::_OnPaintWorkAreas+0x123
2c 0000005d`c9daed60 00007ffb`43b17bdd COMCTL32!CLVDrawManager::_OnPaint+0xb6
2d 0000005d`c9daee10 00007ffb`43b216b9 COMCTL32!CLVDrawManager::OnPaint+0x65
2e 0000005d`c9daee40 00007ffb`43b1f17f COMCTL32!CListView::WndProc+0x6b9
2f 0000005d`c9daf040 00007ffb`479600dc COMCTL32!CListView::s_WndProc+0x6f
30 0000005d`c9daf0b0 00007ffb`4795f991 USER32!UserCallWinProcCheckWow+0x1fc
31 0000005d`c9daf1a0 00007ffb`43b2a9af USER32!CallWindowProcW+0x91
32 0000005d`c9daf1f0 00007ffb`43b2a8d5 COMCTL32!CallNextSubclassProc+0x29f
33 0000005d`c9daf2c0 00007ffb`43b2a5c2 COMCTL32!CallNextSubclassProc+0x1c5
34 0000005d`c9daf390 00007ffb`479600dc COMCTL32!MasterSubclassProc+0xa2
35 0000005d`c9daf430 00007ffb`4795f991 USER32!UserCallWinProcCheckWow+0x1fc
36 0000005d`c9daf520 00007ff6`5aa9a6d8 USER32!CallWindowProcW+0x91
37 0000005d`c9daf570 00007ffb`479600dc Procmon+0x2a6d8
38 0000005d`c9daf670 00007ffb`4795fe52 USER32!UserCallWinProcCheckWow+0x1fc
39 0000005d`c9daf760 00007ffb`4796d3fe USER32!DispatchClientMessage+0xa2
3a 0000005d`c9daf7c0 00007ffb`482053e4 USER32!_fnDWORD+0x3e
3b 0000005d`c9daf820 00007ffb`4797ffba ntdll!KiUserCallbackDispatcherContinue
3c 0000005d`c9daf8a8 00007ffb`4795fca7 USER32!NtUserDispatchMessage+0xa
3d 0000005d`c9daf8b0 00007ffb`4796212f USER32!DispatchMessageWorker+0x247
3e 0000005d`c9daf930 00007ff6`5aaddd3a USER32!IsDialogMessageW+0x10f
3f 0000005d`c9daf990 00007ff6`5aaf32a0 Procmon+0x6dd3a
40 0000005d`c9dafe00 00007ffb`45902d92 Procmon+0x832a0
41 0000005d`c9dafe40 00007ffb`48179f64 KERNEL32!BaseThreadInitThunk+0x22
42 0000005d`c9dafe70 00000000`00000000 ntdll!RtlUserThreadStart+0x34

```



Sidenote: why aren't symbols for Sysinternals publicly available?
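For triaging verifier stop 13 reports like the one in this post: the following Python helper is an added example, not code from the original post or from Sysinternals. It parses the `Arg1` access address, the register dump and the memory operand of the faulting instruction from `!analyze -v` output, recomputes the effective address from the registers (so you can confirm Arg1 really is what the instruction touched), and then places that address relative to the block `!heap -p -a` reports: inside a freed page-heap block, inside a live one, or past its end. The two excerpts embedded below are copied from the debugger output above and trimmed to the lines the helper needs; the operand parser only handles the simple `[base+index*scale+disp]` form WinDbg prints for x64.

```python
import re

# Constructed excerpt of the !analyze -v output posted above: the verifier-stop
# argument, the register lines the faulting instruction uses, and that instruction.
ANALYZE_EXCERPT = """\
Arg1: 0000005db18ea77e, Invalid address causing the exception.
rax=0000000000000007 rbx=0000005dc9da8268 rcx=0000005dc9da8268
rdx=0000005db132a780 rsi=0000005db1318999 rdi=0000000000000026
 r8=00000000002e0000  r9=0000005db131a758 r10=0000005db132a780
00007ff6`5aaab535 6642837c42fe00  cmp     word ptr [rdx+r8*2-2],0 ds:0000005d`b18ea77e=????
"""

# Constructed excerpt of the !heap -p -a output posted above.
HEAP_EXCERPT = """\
    address 0000005db18ea77e found in
    _DPH_HEAP_ROOT @ 5dd47e1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                 5dd47fbc30:       5db18cf000            1d000
"""

_REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})\b")
_ARG1_RE = re.compile(r"Arg1:\s*([0-9a-f]+)")
# x64 memory operand as WinDbg prints it: [base], [base+disp], [base+index*scale+disp];
# the displacement is hex, optionally with a trailing 'h'.
_OPERAND_RE = re.compile(r"\[([a-z0-9]+)(?:\+([a-z0-9]+)\*([1248]))?(?:([+-])([0-9a-f]+)h?)?\]")
_DPH_STATE_RE = re.compile(r"in (free-ed|busy) allocation")
_DPH_BLOCK_RE = re.compile(r"^\s*[0-9a-f]+:\s+([0-9a-f]+)\s+([0-9a-f]+)\s*$", re.M)


def parse_registers(text: str) -> dict:
    """Return {register: value} from a WinDbg 'rax=... rbx=...' context dump."""
    return {name: int(val, 16) for name, val in _REG_RE.findall(text)}


def parse_memory_operand(operand: str):
    """Split '[rdx+r8*2-2]' into (base, index, scale, displacement)."""
    m = _OPERAND_RE.search(operand)
    if not m:
        raise ValueError(f"unsupported operand: {operand}")
    base, index, scale, sign, disp = m.groups()
    disp_val = int(disp, 16) if disp else 0
    if sign == "-":
        disp_val = -disp_val
    return base, index, int(scale) if scale else 1, disp_val


def effective_address(regs: dict, operand: str) -> int:
    """Recompute the address the faulting instruction touched, from the register dump."""
    base, index, scale, disp = parse_memory_operand(operand)
    addr = regs[base] + disp
    if index:
        addr += regs[index] * scale
    return addr & 0xFFFFFFFFFFFFFFFF


def parse_dph_block(text: str) -> dict:
    """Extract block state, start and size from '!heap -p -a' page-heap output."""
    state = _DPH_STATE_RE.search(text)
    block = _DPH_BLOCK_RE.search(text)
    if not state or not block:
        raise ValueError("no DPH_HEAP_BLOCK found")
    return {
        "state": "free" if state.group(1) == "free-ed" else "busy",
        "start": int(block.group(1), 16),
        "size": int(block.group(2), 16),
    }


def triage(analyze_text: str, heap_text: str) -> dict:
    """Cross-check Arg1 against the registers and place it relative to the heap block."""
    fault_addr = int(_ARG1_RE.search(analyze_text).group(1), 16)
    regs = parse_registers(analyze_text)
    # The faulting instruction is the disassembly line carrying the 'ds:' annotation.
    insn_line = next(l for l in analyze_text.splitlines() if " ds:" in l)
    computed = effective_address(regs, insn_line)
    block = parse_dph_block(heap_text)
    offset = fault_addr - block["start"]
    in_block = 0 <= offset < block["size"]
    if block["state"] == "free" and in_block:
        verdict = "access inside a freed page-heap block (stale pointer / use-after-free)"
    elif block["state"] == "busy" and offset >= block["size"]:
        verdict = "access past the end of a live block (overrun)"
    elif block["state"] == "busy":
        verdict = "access inside a live block (not a heap corruption as such)"
    else:
        verdict = "address outside the reported block; inspect manually"
    return {
        "fault_addr": fault_addr,
        "computed_addr": computed,
        "addresses_match": fault_addr == computed,
        "block_state": block["state"],
        "offset_in_block": offset,
        "in_block": in_block,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for k, v in triage(ANALYZE_EXCERPT, HEAP_EXCERPT).items():
        print(f"{k:17} {hex(v) if type(v) is int else v}")
```

On the excerpt above the recomputed address `rdx + r8*2 - 2` equals Arg1, and Arg1 lands 0x1b77e bytes into a block the page heap has already freed, which is the condition the verifier text describes as "accessing a heap block after being freed". The same script reports an overrun when the block is `busy` and the offset is at or beyond `VirtSize`; a `word ptr` read with `r8` as a 2-byte index is also worth eyeballing, since the index value tells you how far the scan ran.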

Process Explorer : Upgrade to Win 10, PE only works when run as Admin

Author: ChaosEngine
Subject: Upgrade to Win 10, PE only works when run as Admin
Posted: 02 September 2015 at 8:43pm

You could try a clean boot to check and see if there are any software conflicts causing the issue? 
https://support.microsoft.com/en-gb/kb/929135#bookmark-what%20is%20causing%20the%20issue


After that I would consider doing a clean install of win 10, making sure of course that you have a good backup of all the files you want to keep!
http://www.howtogeek.com/224342/how-to-clean-install-windows-10/




Process Explorer : Svchost.exe is sometimes eating up the CPU

Author: Bellzemos
Subject: Svchost.exe is sometimes eating up the CPU
Posted: 02 September 2015 at 9:50pm

Originally posted by MagicAndre1981:

When you look at the Threads of a service, you see a column which shows the owning service.


Where can I see that? Please tell me, thank you!

Process Explorer : Upgrade to Win 10, PE only works when run as Admin

Author: The Chump
Subject: Upgrade to Win 10, PE only works when run as Admin
Posted: 02 September 2015 at 10:22pm

Thanks for the clean boot link. MsConfig, there's a blast from the past...
Several reboots later and the culprit appears to be the "Lenovo Onekey Theater Application" in Startup.
I've no idea what it does, or why it needs to crash an apparently random bunch of apps.
Ho hum.

Thanks

Alex

Process Explorer : Upgrade to Win 10, PE only works when run as Admin

Author: ChaosEngine
Subject: Upgrade to Win 10, PE only works when run as Admin
Posted: 03 September 2015 at 12:16am

You're welcome, glad you were able to fix it. ;)

Internals : Kernel debugging examples not working

Author: NathanPhillips
Subject: Kernel debugging examples not working
Posted: 03 September 2015 at 1:27am

Exactly what I'm seeing! Thanks Andre.

BgInfo : Remove Biginfo

Author: WindowsStar
Subject: Remove Biginfo
Posted: 03 September 2015 at 5:02am

I assume you did not install it, or don't realize that all you have to do is delete the folder it is in? There is no fancy installer or uninstaller. To install, you just create a folder, put the files in the folder and then launch BGInfo.exe however you like. So to uninstall, just delete the folder and remove however the software is launched. -WS

Process Explorer : Svchost.exe is sometimes eating up the CPU

Author: MagicAndre1981
Subject: Svchost.exe is sometimes eating up the CPU
Posted: 03 September 2015 at 5:03am

Click on the "Threads" tab; there you see a column which shows which service owns the thread.

Troubleshooting : 50% cpu service wmiprvse.exe

Author: MagicAndre1981
Subject: 50% cpu service wmiprvse.exe
Posted: 03 September 2015 at 5:07am

It looks like "C:\Windows\system32\ServerManager.exe" queries a lot of Eventlog entries and this causes the CPU usage.

Troubleshooting : 50% cpu service wmiprvse.exe

Author: Andreas2k
Subject: 50% cpu service wmiprvse.exe
Posted: 03 September 2015 at 6:55am

Hi,
OK, so how do I find out what's keeping ServerManager doing these queries?
I have a Splunk "agent" installed, but I have disabled this one so it's not running.
 
/Regards
Andreas

Troubleshooting : 50% cpu service wmiprvse.exe

Author: Andreas2k
Subject: 50% cpu service wmiprvse.exe
Posted: 03 September 2015 at 7:07am

Originally posted by Andreas2k:

Hi,
OK, so how do I find out what's keeping ServerManager doing these queries?
I have a Splunk "agent" installed, but I have disabled this one so it's not running.
 
/Regards
Andreas
 
Hi again,
 
I can see that the C:\Windows\System32\winevt\Logs\Security.evtx eventlog file is 128MB in size, not sure if this is very big, and if I check another domain controller server it's the same size.
 
/Regards
Andreas

BgInfo : BGInfo works great on Windows 10!

Author: KhunRoger
Subject: BGInfo works great on Windows 10!
Posted: 03 September 2015 at 7:21pm

I have no idea what you are talking about, but I will also add my name to the list of people who would like BGinfo to display "Windows 10" when on a Windows 10 machine.


Miscellaneous Utilities : Procdump fails with "access denied"

Author: artisticcheese
Subject: Procdump fails with "access denied"
Posted: 03 September 2015 at 7:55pm

Hello,

I have a process I need to make a full memory dump of, and Task Manager and Process Explorer both fail to do that. I thought procdump would be able to do that, but it fails with an error message during the memory write (about 30s or so into it). This happens only when private memory reaches about 4 GB+ in size; for smaller files it works fine. I suspect it has something to do with timing.
Procdump file version is 7.01

```
PS C:\windows\system32> procdump -ma 9416 d:\mem.dmp

ProcDump v7.1 - Writes process dump files
Copyright (C) 2009-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
With contributions from Andrew Richards

[15:52:19] Dump 1 initiated: d:\mem.dmp
[15:52:25] Dump 1 writing: Estimated dump file size is 7884 MB.
[15:54:10] Dump 1 error: Error writing dump file: 0x80070005
Error 0x80070005 (-2147024891): Access is denied.

[15:54:10] Dump count not reached.
```


Edited by artisticcheese - 10 hours 33 minutes ago at 8:57pm

Miscellaneous Utilities : Procdump fails with "access denied"

Author: artisticcheese
Subject: Procdump fails with "access denied"
Posted: 03 September 2015 at 9:01pm

I guess it's result of application pool "ping maximum response time" which is 90s.

Process Monitor : Monitoring requests of IP address, Mac Address etc

Author: dangertom
Subject: Monitoring requests of IP address, Mac Address etc
Posted: 03 September 2015 at 10:56pm

Hello guys,

Is there any chance in Process Monitor to find requests from web pages about my IP address, MAC address, CPU ID or hardware ID? And if so, how could I use a filter to simplify the view of all events?

Does anyone have experience in this field?

Thanks a lot!

Kind regards

