Jump to content

Mr Snrub

  • Content Count

  • Joined

  • Last visited

  • Donations


Everything posted by Mr Snrub

  1. See, if you wait long enough someone smarter than me comes along. Story of my life
  2. For easily reproducible issues it can be quicker to do simple "one at a time" tests, so considered part of root cause analysis (even if it rules the component out by the problem still being present without its presence). Experience Smarter people than me might be able to, but due to the way device and filter drivers work it's more of a "go with your gut" from me
  3. Did you test uninstalling Symantec AV? The dump still has it loaded, with those modules from 2006 present... The pool tagging just confirms what we suspected - the nonpaged pool is exhausted through allocations to "Irp ", which is from I/O request packets. The I/Os themselves are completed, but the pool allocations not freed, most likley due to some driver. The I/Os also seem to be aimed at the various USB root hubs, which is why I also asked about any USB devices that may have been connected to the system recently. If I was a betting man, I would say it's Symantec AV causing the problem from
  4. I believe Release To World is scheduled for October 22nd.
  5. I don't know how conclusive it is, but I tried launching \Windows\explorer.exe from my Vista x64 partition whilst booted into Windows 7 x64, and it just throws error 0xc0000142 immediately - I had no intention of trying to replace any system/shell DLLs to test further. Personally the taskbar in Windows 7 has really grown on me, and I no longer miss the quicklaunch bar.
  6. While we wait for the dump with pool tagging enabled... Nonpaged (or nonpageable) pool memory is for dynamic memory allocations in the kernel that cannot be paged out to disk - drivers have to use this pool for data that must be available at all times, as an page fault (request for a virtual page not resident in physical RAM, but in the page file on disk) is not allowed when they have control.This is the classic IRQL_NOT_LESS_THAN_OR_EQUAL bugcheck, if the driver developer makes this assumption. Because the nonpaged pool region has to take physical memory, and is a subset of the 2GB kernel sp
  7. Nonpaged pool totally exhausted, something has leaked.The output from !poolused 7 will be long - it is sorted in descending order in nonpaged bytes, so the first few lines are the most interesting. This will give a clue as to the pooltags used for the allocations, and maybe a direct indicator as to who might have made them. AV filter drivers are common leakers of pool memory - what AV do you have installed? My comment on SP3 was intended as: "why isn't SP3 installed?"
  8. I think given the speed of Vista installation on a newly-created partition, it's a quick format used in that GUI stage. When I use a completely brand-spanking-new hard disk and first partition it, I tend to do a full format, and that's the only time I do. During Vista or Win7 setup, at the partition selection/setup stage, I hit Shift-F10 to get the command prompt up and use format from there before selecting the target partition. Newly created partitions on a brand new disk - full format. Existing partition which contains data - quick format.
  9. Actually, it might be some system resource getting exhausted... as you found, csrss.exe was the critical process that got killed: The line I think of interest, and its breakdown: And the "failed at" address is the module address in the thread that raised the exception (the process, csrss.exe): I would guess the page in the virtual address space for csrss.exe was paged out to disk, then at some point a context switch occurred to continue executing which incurred the inpage operation - but when pulling the data from disk the I/O failed, making the thread go boom, which terminates the process,
  10. No worries, I see this a lot due to the unfortunate naming.OT - you know the 5th Edition of Windows Internals is out now, covering NT 6? Waiting for my copy to arrive
  11. The .DEFAULT key under HKEY_USERS is actually used by the Local System user account, it has nothing to do with interactive or default users.The NTUSER.DAT in the Default User profile (on disk, not in the registry) is the template user profile registry hive used when users log on for the first time.
  12. There is a reference to AntiVir in there too (though not in the list of running processes at the time of the report - maybe tested and removed?). If you have more than one of Prevx, Avast! and AntiVir in the Add/Remove Programs list, uninstall (don't just disable) all but 1 to ensure the kernel filter drivers are not loaded. If the problem continues after a reboot, use Process Explorer to hover the mouse over the svchost.exe with high CPU utilization and the tooltip will show the services hosted by the process. Make a note of the list of services, then from an elevated command prompt you can e
  13. No worries, glad you got it sorted out File association is one of the things I think became a little trickier rather than more intuitive with Vista.
  14. @Glen9999: By far the best mitigation you have already mentioned - running as a standard user rather than Administrator. The vast majority of malicious activity in my experience has been through social engineering and users not understanding the implications of clicking flashy things on the screen - reduce the user's power and the system becomes more secure implicitly. This has much more value when NTFS is used as the file system, otherwise there is no way to protect the OS files from any user able to log on (I've not seen first-hand any malware employing alternate data streams or locking down
  15. How about the Windows key, does that now bring up the Start menu? If you enter C: in the Start/Search (or Start/Run) fields, does a window open up with the contents of that volume?
  16. By "explorer" do you mean the desktop & icons, or you can now successfully start an explorer.exe process and get a window up, or you can click on your user name from the Start menu and actually get a window up in which you can navigate between folders?And when you say you cannot enter any of your drives but can see the properties (through the right-click context menu?), do you get any error when you double-click on a drive letter, or does nothing happen, or does the window process hang?
  17. Creating a new user account is always a useful test, as the Administrator account is already present, only disabled.Having a new, never-logged-on-before and non-well-known-GUID user account log on is a useful method of determining between a user profile and a system issue. So is the desktop back for all users, or just when you log on as this new test user?
  18. Can you create a new user account and log on as that user to verify if they have the same problem? Also, did I read correctly that if you boot from the Vista DVD you get nothing but the blue-ish background and a mouse pointer, you don't even get any menu at all?
  19. To be honest, if you just reinstalled the day before, I would wipe & start over, given how quick the installation is. It might save you a lot of headaches in the long run.
  20. It sounds like one or more of the many shell DLLs has a problem, or maybe some shell extension - did you do any kind of "takeown" under %systemroot%, or clean up of the WinSxS folder at some point in the past? Was the installation vLite'd? Or was there some custom/unattended installation used? I see a fair bit of file recovery being done in your Component Based Servicing log...
  21. Is there anything special about the location of gallery.exe? Is it on a removable drive, a UNC path, a folder with a custom ACL? I would test by renaming gallery.exe to temp.exe, then copy notepad.exe to where gallery.exe was and go through the test again - if the second Notepad entry appears then it would appear to be something up with gallery.exe itself (and you could afterwards close the Notepad-that-is-gallery.exe, delete it and rename temp.exe back to gallery.exe).
  22. As would every malware author out there, I bet.So the logged-on user isn't an admin, and each of the programs called from the batch file is attempting to run elevated (hence the multiple prompts) from a batch file that was not launched elevated... this is expected behaviour. The only way I would expect a user to be able to select such an option and not have privilege issues would be if a call was being made to a service running under a privileged user account - then the idea would be that the service does the job on behalf of the user (hopefully in a secured, non-exploitable manner). Similar t
  23. Admittedly I'm doing this test on Win7, not Vista, but the principle should be the same...I created a file on my desktop named test.gal, then copied Notepad.exe to gallery.exe on my desktop. I double-clicked test.gal and got prompted with the following: I selected the second option and clicked OK, then I got the "Open with" dialogue window: (The list of programs is built from apps registered in Windows through an installer, so it's unlikely to be the same on any 2 machines.)I clicked the Browse button and navigated to my Desktop folder, then double-clicked on the gallery.exe icon - I was ret
  24. Bit of a change from August 2008, now looks like this: Main machines for myself and my wife were upgraded to Core i7 w/12GB - my wife likes to play with rendering in Poser, and I play with games and virtual machines so we get the use of the RAM. My wife's old machine now acts as the server, Virtual Server replaced with Hyper-V and the web server finally migrated from a virtual W2K3 SP2 to virtual W2K8 SP2. With the higher-spec, Hyper-V capable server it made sense to set up a domain and run the DC as 1 virtual machine and a separate virtual machine for a file (and Squeezebox) server. The host
  25. Well poking the registry directly should be a last resort - it's only a database which has APIs specifically to update it in a controlled manner.If you double-click a .gal file, do you get prompted to select a program with which to open the file? If nothing at all happens, do you have and "Open with" option if you right-click the file?
  • Create New...