Using Sysinternals Process Monitor to troubleshoot problems in Windows
<blockquote data-quote="viktik" data-source="post: 377921" data-attributes="member: 12848">
<p><span style="font-size: 18px"><span style="color: #0059b3"><u>Logging Shutdown</u></span></span></p>
<p>You can log all the activity of running processes during shutdown using Process Monitor. It can be used to check whether the shutdown is happening properly or not.</p>
<p>[SPOILER="log shutdown events 1"]</p>
<p>To do this using just Process Monitor, you will have to log the bootup procedure, then reboot the system while Process Monitor is still logging, thus logging the shutdown procedure as well.</p>
<ul>
 <li data-xf-list-type="ul">Start Process Monitor.</li>
 <li data-xf-list-type="ul">Tick "Enable Boot Logging".</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1992813.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Select as shown below.</li>
 <li data-xf-list-type="ul">Click "OK".</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1992814.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Reboot the system. Don't run any other program. Let it reboot completely. The booting events will be logged and Process Monitor will continue to log all activities.</li>
 <li data-xf-list-type="ul">Reboot the system again. This time Process Monitor will log the shutdown events.</li>
 <li data-xf-list-type="ul">After the system starts, run Process Monitor.</li>
 <li data-xf-list-type="ul">This message box will be shown. Click "Yes" and save the collected data.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1992815.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Process Monitor will automatically open the saved file.</li>
 <li data-xf-list-type="ul">The saved file has logged both the bootup and the shutdown events.</li>
</ul>
<p>[/SPOILER]</p>
<p>[SPOILER="log shutdown events 2"]</p>
<p>Another, better way to log shutdown events is by using Process Monitor and PsExec.exe (a command-line utility by Sysinternals).</p>
<p>PsExec : <a href="https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" target="_blank">https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx</a></p>
<p>In this case both Procmon.exe and PsExec.exe are stored in the path "C:\temp\sysinternals".</p>
<p>To log the shutdown events:</p>
<ul>
 <li data-xf-list-type="ul">Run CMD.exe as Administrator.</li>
 <li data-xf-list-type="ul">Run the PsExec command "C:\temp\sysinternals\PsExec -s -d C:\temp\sysinternals\Procmon.exe /AcceptEula /Quiet /BackingFile C:\Procmon.pml". PsExec will run Procmon.exe and save the logged events in the file C:\procmon.pml. The moment this command is executed successfully, Process Monitor will start logging events until complete shutdown occurs.</li>
 <li data-xf-list-type="ul">So shut down the system to log the shutdown events.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992937.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Start the system.</li>
 <li data-xf-list-type="ul">Run Process Monitor.</li>
 <li data-xf-list-type="ul">Open the saved file, in this case from the location "C:\procmon.pml".</li>
 <li data-xf-list-type="ul">You can see all the events logged during shutdown using Process Monitor.</li>
</ul>
<p>Process tree showing the lifetime of processes during shutdown.</p>
<p><img src="http://p1.pichost.me/640/74/1992938.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">User-installed processes closing early are shown in dark green, which is expected of them.</li>
 <li data-xf-list-type="ul">Processes by Microsoft are running to the end of shutdown, which is expected.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992939.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">You may tick "Only show processes still running at end of current trace" to see which processes continued running to the end of shutdown.</li>
 <li data-xf-list-type="ul">It's good that antivirus products like "360 Total Security" and "Comodo Internet Security" are running till the end of shutdown. This is good for keeping the computer safe from malware.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992941.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>[/SPOILER]</p>
<p><span style="font-size: 18px"><span style="color: #0059b3"><u>Troubleshooting slow bootup</u></span></span></p>
<p>Using Process Monitor you can log all the process activities during bootup. By analyzing the logged files you can find out what is causing the slow boot.</p>
<p>If you have found out which application is causing the slow boot, then you can take one of the following measures to rectify the problem:</p>
<ul>
 <li data-xf-list-type="ul">You can try changing settings in that application which would solve the problem.</li>
 <li data-xf-list-type="ul">You can remove the autorun entries of the faulty applications and DLL files which are causing the problem. Make sure you do not remove a critical autorun entry which is required to correctly boot the system.</li>
 <li data-xf-list-type="ul">You can uninstall the application which is causing the problem if you don't need it.</li>
</ul>
<p>[SPOILER="troubleshoot slow boot"]</p>
<ul>
 <li data-xf-list-type="ul">Log the bootup events using Process Monitor.</li>
 <li data-xf-list-type="ul">Open the saved file.</li>
</ul>
<p><span style="color: #006600"><u>Using process tree</u></span></p>
<ul>
 <li data-xf-list-type="ul">Open the process tree window.</li>
 <li data-xf-list-type="ul">Expand the life time column.</li>
</ul>
<p>A parent process is responsible for starting all of its child processes. If it has to start multiple child processes and one of them is taking a long time to start, then it will delay the start of the other child processes.</p>
<ul>
 <li data-xf-list-type="ul">Process "system" with PID 4 is the parent process of "smss" with PID 392.</li>
 <li data-xf-list-type="ul">Process "smss" with PID 392 is the parent process of the child processes "autochk" with PID 412, "smss" with PID 560 and one more "smss" with PID 628.</li>
 <li data-xf-list-type="ul">Similarly, process "smss" with PID 560 is the parent process of the child processes "csrss" with PID 568 and "wininit" with PID 636.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1992892.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Dlhost.exe has started with a delay. Because of it, igfxsrvs.exe and mobsync.exe also got delayed, because they can only start after Dlhost.exe has started. This is not desired.</li>
 <li data-xf-list-type="ul">Meanwhile, the other child processes of parent process "svchost" with PID 372 are starting smoothly. This is what bootup should look like.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992963.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Again, process "igfxtray" got a delayed start. It delayed the start of the other child processes of parent process "explorer" with PID 2208.</li>
 <li data-xf-list-type="ul">Igfxtray started, ran for a brief amount of time, then exited. It is also not a necessary or critical application, so it can be removed from bootup using Sysinternals Autoruns.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992964.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>Autoruns : <a href="https://technet.microsoft.com/en-in/sysinternals/bb963902.aspx" target="_blank">https://technet.microsoft.com/en-in/sysinternals/bb963902.aspx</a></p>
<ul>
 <li data-xf-list-type="ul">Start Autoruns as administrator.</li>
 <li data-xf-list-type="ul">Find "IgfxTray.exe".</li>
 <li data-xf-list-type="ul">Untick the entry. Now this application will not load during the bootup procedure.</li>
 <li data-xf-list-type="ul"><span style="color: #b30000">Caution: <span style="color: #000000">be very careful when disabling applications from the autorun entries. Make sure you disable only those which are not necessary.</span></span></li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992899.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="color: #006600"><u>Using duration filter</u></span></p>
<p>One thing you can do is create a duration filter.</p>
<p><img src="http://p1.pichost.me/640/74/1992972.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Create a filter which will show events which took more than 1 second to complete, as shown below.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992973.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">svchost.exe with PID 308 caused file events which took about 30 seconds each. The result was labelled CANCELLED. It is a complete waste of time. Since svchost.exe is a Microsoft application and is critical to running the Windows OS, it must not be removed from bootup.</li>
 <li data-xf-list-type="ul">Searchindexer.exe is a search indexer service. It can be safely disabled from the Windows services settings.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992975.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">mbamservice.exe and autoupdate.exe ran for a brief amount of time, then exited.</li>
 <li data-xf-list-type="ul">Events by these processes took seconds to complete.</li>
 <li data-xf-list-type="ul">They are not very critical in the bootup procedure, so they can be removed from the bootup entries by using Autoruns.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992976.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="http://p1.pichost.me/640/74/1992977.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><span style="color: #006600"><u>Counting the occurrences of result</u></span></p>
<ul>
 <li data-xf-list-type="ul">As you can see, processes are generating events which lead to results like "NAME NOT FOUND" and "BUFFER OVERFLOW", whose counts are very significant compared to the count of "SUCCESS".</li>
 <li data-xf-list-type="ul">So applications are generating these events at bootup, which leads to a waste of time and system resources. These events amount to about 18% of the "SUCCESS" result count. So about 18% of the events generated by various processes during bootup end up being a complete waste.</li>
 <li data-xf-list-type="ul">It's all the fault of the software developers and their settings. You can't do much about it.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1992986.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>[/SPOILER]</p>
<p><span style="font-size: 18px"><span style="color: rgb(0, 89, 179)"><u>Case of FoxitReader consuming computer resources</u></span></span></p>
<p>Troubleshooting with Process Monitor</p>
<p>[SPOILER="Foxit reader consuming a lot of system resources"]</p>
<p>I logged all the events for a duration of a few minutes while running the Foxit Reader software.</p>
<p>After monitoring the events I found out that the PDF reader named "Foxit reader.exe" is generating a lot of file and registry events. For a PDF reader which has opened a few PDF files, this high number of file and registry events compared to other processes is not good. It is consuming computer resources which could have been used by other processes.</p>
<p><img src="http://p1.pichost.me/640/74/1992833.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Continuously generating file I/O operations and registry operations.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1992834.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Foxitreader.exe is uselessly querying registry keys and files.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992836.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Foxitreader is doing too many registry queries on something related to foxitCloudCheckEnable.</li>
 <li data-xf-list-type="ul">The reasons could be many. Its registry settings may have gone wrong. It may be missing some files.</li>
 <li data-xf-list-type="ul">You may update the software to a newer version to see if it solves the problem. You may reinstall the software. You may try changing settings that can solve this problem.</li>
 <li data-xf-list-type="ul">If everything fails, the ultimate solution is to uninstall this software and replace it with another PDF reader.</li>
 <li data-xf-list-type="ul">You may report the problems you find to the concerned software developer, so that they may solve the problem in the next version.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992838.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p><img src="http://p1.pichost.me/640/74/1992837.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul"><span style="color: #b30059"><strong>Solution found</strong></span> : I installed the newer version of FoxitReader.</li>
 <li data-xf-list-type="ul">As you can see, the file and registry events by Foxitreader.exe have reduced significantly.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1992839.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">:) All activity returns to normal.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1992840.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<p>[/SPOILER]</p>
<p><u><span style="font-size: 18px"><span style="color: #0059b3">Troubleshooting Qihu 360 Total Security 6</span></span></u></p>
<p>[SPOILER="troubleshooting Qihu 360 total security"]</p>
<ul>
 <li data-xf-list-type="ul">Capture the events for a few minutes.</li>
 <li data-xf-list-type="ul">Stop capturing.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1993471.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Count occurrences of "Result".</li>
 <li data-xf-list-type="ul">Double click "NAME NOT FOUND" to create a filter that will show only events that caused the result "NAME NOT FOUND".</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1993472.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Open the file summary window.</li>
 <li data-xf-list-type="ul">As you can see below, "C:\windows\system32\lsm.exe" has been searched for the most.</li>
 <li data-xf-list-type="ul">Double click on it to create a filter which will show only events with the path "C:\windows\system32\lsm.exe".</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1993473.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Count occurrences of "Process Name".</li>
 <li data-xf-list-type="ul">This shows that four processes have been searching for "C:\windows\system32\lsm.exe".</li>
 <li data-xf-list-type="ul">It means that these individual processes are not the culprit of this problem. The problem lies in some other file that has been loaded into each of these processes. We need to search for it.</li>
 <li data-xf-list-type="ul">Double click on "promptService64.exe" to create a filter.</li>
 <li data-xf-list-type="ul">Do not close this window, as we will require it later.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1993474.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Right click on "promptservice64.exe" and select "Properties".</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1993475.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Go to the Stack tab. This is where you will find the files that are being executed by the processor.</li>
 <li data-xf-list-type="ul">All of the files are from Microsoft, except "360FsFlt.sys".</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1993476.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">This driver belongs to the company "Qihu 360 Software".</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1993477.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Now, to investigate the process OCam.exe, double click on it to create a filter.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1993478.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Right click on "ocam.exe" and select "Properties".</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1993479.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Open the Stack tab.</li>
 <li data-xf-list-type="ul">By searching all the files in execution, I found that all the files are from the company Microsoft except "360AvFlt.sys".</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1993480.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">360Avflt.sys is a driver file by the company 360.cn, which belongs to Qihu 360.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1993481.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">To investigate iexplore.exe, double click on it to create a filter.</li>
</ul>
<p><img src="http://p1.pichost.me/i/74/1993482.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Right click on iexplore.exe and select "Properties".</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1993483.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">Again, 360FsFlt.sys is being executed in this process, which belongs to the company Qihu 360.</li>
</ul>
<p><img src="http://p1.pichost.me/640/74/1993484.jpg" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p>
<ul>
 <li data-xf-list-type="ul">So we have found the culprit causing the searching for the file "C:\windows\system32\lsm.exe".</li>
 <li data-xf-list-type="ul">It is the company Qihu 360, whose antivirus product 360 Total Security has been installed on the system.</li>
 <li data-xf-list-type="ul">I can't change any setting in Qihu 360 Total Security to solve this problem.</li>
 <li data-xf-list-type="ul">So the ultimate solution is to uninstall Qihu 360 Total Security, which in reality solved the problem.</li>
</ul>
<p>Here is a YouTube demo of this troubleshooting:</p>
<p>[MEDIA=youtube]8SRsusPcunQ[/MEDIA]</p>
<p>[/SPOILER]</p>
</blockquote>
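The three counting steps the post performs in the Procmon GUI (Tools &gt; Count Occurrences on Result, the "Duration is more than 1 second" filter, and Tools &gt; File Summary on NAME NOT FOUND followed by counting Process Name for the most-probed path) can also be run offline over a trace saved with File &gt; Save in CSV format. The script below is an added example, not code from the post or from Sysinternals; the column headers it expects and the sample rows embedded in it are assumptions and constructed data, not a real capture, and the Duration column must be enabled in Procmon before saving.

```python
"""Offline analysis of a Process Monitor CSV export (added example).

Reproduces three of the post's GUI steps over a CSV saved via
File > Save (CSV format):
  - Tools > Count Occurrences on the Result column,
  - the "Duration is more than 1 second" filter,
  - Tools > File Summary restricted to NAME NOT FOUND, then
    Count Occurrences on Process Name for the most-probed path.
Assumed headers (Duration must be shown as a column before saving):
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"""
import csv
import io
from collections import Counter

# Constructed sample export shaped like the traces in the post: slow
# CANCELLED file events from svchost, repeated probes for lsm.exe from
# several processes, and ordinary SUCCESS events. Not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Duration"
"9:01:02.0000000 AM","svchost.exe","308","CreateFile","C:\\Windows\\System32\\wbem\\a.mof","CANCELLED","Desired Access: Read","30.0012340"
"9:01:32.0000000 AM","svchost.exe","308","CreateFile","C:\\Windows\\System32\\wbem\\b.mof","CANCELLED","Desired Access: Read","29.9981200"
"9:01:33.0000000 AM","SearchIndexer.exe","1240","ReadFile","C:\\ProgramData\\Microsoft\\Search\\Data\\x.edb","SUCCESS","Offset: 0","1.2500000"
"9:01:33.1000000 AM","explorer.exe","2208","RegQueryValue","HKLM\\SOFTWARE\\Foo\\Bar","SUCCESS","Type: REG_SZ","0.0000150"
"9:01:33.2000000 AM","explorer.exe","2208","RegQueryValue","HKLM\\SOFTWARE\\Foo\\Missing","NAME NOT FOUND","Length: 16","0.0000120"
"9:01:33.3000000 AM","promptService64.exe","3100","CreateFile","C:\\Windows\\System32\\lsm.exe","NAME NOT FOUND","Desired Access: Read","0.0000300"
"9:01:33.4000000 AM","OCam.exe","3300","CreateFile","C:\\Windows\\System32\\lsm.exe","NAME NOT FOUND","Desired Access: Read","0.0000280"
"9:01:33.5000000 AM","iexplore.exe","3500","CreateFile","C:\\Windows\\System32\\lsm.exe","NAME NOT FOUND","Desired Access: Read","0.0000290"
"9:01:33.6000000 AM","promptService64.exe","3100","CreateFile","C:\\Windows\\System32\\lsm.exe","NAME NOT FOUND","Desired Access: Read","0.0000310"
"9:01:33.7000000 AM","FoxitReader.exe","4100","RegQueryValue","HKCU\\Software\\Foxit\\FoxitCloudCheckEnable","BUFFER OVERFLOW","Length: 4","0.0000100"
"9:01:33.8000000 AM","FoxitReader.exe","4100","RegQueryValue","HKCU\\Software\\Foxit\\FoxitCloudCheckEnable","SUCCESS","Type: REG_DWORD","0.0000110"
"""


def load_events(text):
    """Parse a Procmon CSV export into dicts; Duration becomes float seconds."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["PID"] = int(e["PID"])
        # Older exports may lack the Duration column; treat that as 0 s.
        e["Duration"] = float(e.get("Duration") or 0.0)
    return events


def count_results(events):
    """Equivalent of Tools > Count Occurrences on the Result column."""
    return Counter(e["Result"] for e in events)


def wasted_ratio(events, wasted=("NAME NOT FOUND", "BUFFER OVERFLOW")):
    """Failed lookups relative to SUCCESS (the post's 'about 18%' figure).

    Returns None when there are no SUCCESS events to compare against."""
    counts = count_results(events)
    success = counts.get("SUCCESS", 0)
    if success == 0:
        return None
    return sum(counts.get(r, 0) for r in wasted) / success


def slow_events(events, threshold_s=1.0):
    """Equivalent of the 'Duration is more than <threshold>' filter."""
    return [e for e in events if e["Duration"] > threshold_s]


def top_paths(events, result="NAME NOT FOUND", n=5):
    """File Summary restricted to one Result: most-probed paths first."""
    return Counter(e["Path"] for e in events if e["Result"] == result).most_common(n)


def processes_for_path(events, path, result=None):
    """Count Occurrences on Process Name after filtering on one Path.

    Windows paths are case-insensitive, so the comparison is too."""
    return Counter(
        e["Process Name"]
        for e in events
        if e["Path"].lower() == path.lower()
        and (result is None or e["Result"] == result)
    )


def report(text):
    """Run the three steps over one export and return the findings."""
    events = load_events(text)
    worst = top_paths(events, n=1)
    worst_path = worst[0][0] if worst else None
    return {
        "results": dict(count_results(events)),
        "wasted_ratio": wasted_ratio(events),
        "slow": [(e["Process Name"], e["PID"], e["Path"], e["Result"], e["Duration"])
                 for e in slow_events(events)],
        "worst_path": worst_path,
        "probing_processes": dict(processes_for_path(events, worst_path)) if worst_path else {},
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

On a real export the `probing_processes` result is the point where the post switches to the Stack tab, since the shared module behind several unrelated processes is not visible in the CSV columns.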