Everything posted by cluberti

  1. Well, knowing what kind of computer would be of great help, and also (suspecting it's an HD audio chip, probably from realtek as they are the most common) make sure you've installed the hotfix from 888111.
  2. The question that I'd first consider asking, is do you see a high amount of CPU usage when you are seeing the delays? Also, what video driver are you using?
  3. Always a good method. However, knowing that this is a dll unload failure causing the crash, and that a debugger attached resolves the issue, I'm *pretty* confident that it's the .dll for spysweeper misbehaving. A quick google search brings up others with the same types of problem, with this particular .dll, as well.
  4. You could also consider forcing the use of a screensaver policy, and use a shutdown screensaver, or set it to run as a scheduled task at a specified time.
  5. I think he already posted it, although there's not much we'll be able to do for it on msfn: LOL
  6. Look closely. Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignments > "Shut down the system"
  7. Since it's a timing issue, and having a debugger actively attached to a process will slow it down, I'm not entirely surprised. Remove Spysweeper, and you'll probably not have any further incursions. Close the debugger and uninstall spysweeper, reboot, and see if you aren't "cured".
  8. Have you considered the link at the top of this subforum, titled "Trace Vista boot/shutdown/hibernate/standby/resume issues"?
  9. Go to Admin Tools > Terminal Services Configuration, go to the properties of the RDP-Tcp connection, and click the "Environment" tab. Select the option "Start the following program when the user logs on:", and enter the full path to the executable to run, and the start-in path. Note that the standard explorer.exe will not run, so certain things that are shell-dependent will not work, but in general this should be all you need. If you need group policy processing to occur (this is actually launched when the shell is invoked, so you may need to do this), you need to make sure the user runs a logon script for the TS that calls "runonce.exe /alternateshellstartup" - this will launch explorer.exe just long enough to do certificate and group policy processing, and then explorer.exe will exit when finished (and the user will not see any desktop).
  10. I've actually seen this, and it was about a year ago. The person had O/C'ed the processor and memory, and damaged both. Replacing the RAM fixed the errors in the OS, but memtest would still report errors during testing, and those didn't go away until the processor and motherboard were replaced.
  11. Yzowl is trying to get you to find the answer, rather than spelling it out for you. Whether or not this was something you found helpful, there was nothing "rude" about this thread until your post. In invoking rule 7b, I've barred this account from posting for 3 days. Do it again and I will personally ban it. I'd hate to lose a good member, but you must at least try to pretend to be nice.
  12. When you connect to \\host on a Vista (or 2008) machine, you're really saying you want to view \\host\ipc$, which is not a browseable share unless you've authenticated (hence users with a matching user/pass can access the share). I believe to replicate the old behavior, you need to make sure the network connection on the Vista machine is "Private", that File *and* printer sharing is on, Public folder sharing is on, and that "Password protected sharing" is also enabled. That last one may or may not be required, so feel free to experiment, however browsing a workgroup is always a problem if usernames / passwords don't match across machines, so you may be SOL in completely replicating XP's (less secure) file sharing behavior.
  13. Maybe a coincidence, maybe not. However, the IP address isn't malicious:

        IP address: 207.46.248.249
        Reverse DNS: sa.windows.com.
        Reverse DNS authenticity: [Verified]
        ASN: 8070
        ASN Name: MICROSOFT-CORP---MSN-AS-BLOCK
        IP range connectivity: 2
        Registrar (per ASN): ARIN
        Country (per IP registrar): US [United States]
        Country Currency: USD [United States Dollars]
        Country IP Range: 207.46.0.0 to 207.46.255.255
        Country fraud profile: Normal
        City (per outside source): Redmond, Washington
        Country (per outside source): US [United States]
        Private (internal) IP? No
        IP address registrar: whois.arin.net

    As to the crash, the only thing I can tell you is that something running inside explorer.exe crashed during an API call (ntdll.dll is the Windows "API" .dll for most usermode calls), so a crash in ntdll.dll only means that something running inside explorer.exe was attempting ... something. Can you gather a user mode dump for a crashing process, as per my instructions here? The resulting .dmp file will be useful in tracking this down.
  14. May I ask if this was an upgrade from Vista RTM to Vista SP1, or Vista Beta/RC to Vista RTM to Vista SP1? These errors seem to happen on machines upgraded to SP1, and I've seen some complaints of people trying to install SP1 on Vista RTM getting the same errors. The servicing engine is failing, and I'm not entirely sure there's a good workaround for this.
  15. In that case, IE8 (the installer) actually finished, but CBS failed (component-based servicing). Look for a cbs.log file in the windows\logs\cbs folder.
  16. It can run executables from javascript with no prompts whatsoever, not to mention that it (by default) sends your omnibar information back to Google - and that was just the first day, I'm sure there will be many more "fun" things about Chrome to come up as time moves on. I'm hopeful these will be addressed quickly, but one has to wonder - how much security does Chrome actually have if such a simple exploit was included in the release?

    I will agree that Chrome is quite zippy on javascript pages (due to compiled js and a very good engine), but more complex (not javascript driven) pages tend to choke it and slow it down immensely, and some pages just don't look quite right when compared to Firefox, Safari, Opera, or IE. Also, Google's applications are inherently in beta status for a long time, leaving some of us wondering how much actual refinement and further development actually goes into their applications once they do release - dev might indeed continue full-scale, but there's no way to know if it never hits "1.0" or "2.0" (in fact, how many Google apps compared to their entire stable are in beta? - I'm actually curious...)

    The IE installer logs everything. Look for ie8*.log files on your box - the information on why it failed should be in there.
  17. A little bit different dump - obviously it's the same exception, due to an invalid address, but here it is again just for reference:

        // The exception showing the A/V:
        0:012> .exr 0xffffffffffffffff
        ExceptionAddress: 04025b90
        ExceptionCode: c0000005 (Access violation)
        ExceptionFlags: 00000000
        NumberParameters: 2
        Parameter[0]: 00000000
        Parameter[1]: 04025b90
        Attempt to read from address 04025b90

        // The stack - Dr Watson appears to have caught the exception handler:
        0:012> k
        ChildEBP RetAddr
        0262da6c 7c90df2c ntdll!KiFastSystemCallRet
        0262da70 7c809574 ntdll!NtWaitForMultipleObjects+0xc
        0262db0c 7c80a105 kernel32!WaitForMultipleObjectsEx+0x12c
        0262db28 6945763c kernel32!WaitForMultipleObjects+0x18
        0262e4bc 694582b1 faultrep!StartDWException+0x5df
        0262f530 7c8643c6 faultrep!ReportFault+0x533
        0262f7a4 75fa53af kernel32!UnhandledExceptionFilter+0x55b
        0262f7ac 77c35cf5 BROWSEUI!BrowserProtectedThreadProc+0x71
        0262f7d4 7c9032a8 msvcrt!_except_handler3+0x61
        0262f7f8 7c90327a ntdll!ExecuteHandler2+0x26
        0262f8a8 7c90e46a ntdll!ExecuteHandler+0x24
        0262f8a8 04025b90 ntdll!KiUserExceptionDispatcher+0xe
        WARNING: Frame IP not in any known module. Following frames may be wrong.
        0262fba4 7e418734 0x4025b90
        0262fbd0 7e418816 USER32!InternalCallWinProc+0x28
        0262fc38 7e4189cd USER32!UserCallWinProcCheckWow+0x150
        0262fc98 7e418a10 USER32!DispatchMessageWorker+0x306
        0262fca8 75f9d875 USER32!DispatchMessageW+0xf
        0262fcc0 75fa5218 BROWSEUI!TimedDispatchMessage+0x33
        0262ff20 75fa5389 BROWSEUI!BrowserThreadProc+0x336
        0262ffb4 7c80b713 BROWSEUI!BrowserProtectedThreadProc+0x50
        0262ffec 00000000 kernel32!BaseThreadStart+0x37

        // The address is indeed invalid:
        0:012> dc 04025b90 L1
        04025b90 ???????? ????

        // Knowing this is likely an unloaded module causing the error, I decided
        // to look at the unloaded and loaded module list to see what is actually
        // being unloaded, if that list was captured (it was this time). Make sure
        // to notice the address range that SSCtxMnu.dll is using - it overlapped
        // with TaskManDll:
        0:012> lm
        Loaded modules:
        02830000 02873000 TaskManDll T (no symbols)
        ...
        Unloaded modules:
        027e0000 0285d000 SSCtxMnu.dll

    Knowing that this is a bad instruction pointer, and since this is likely a .dll that is hooking Windows Explorer (explorer.exe - otherwise, why else would it load), I can make a relatively safe assumption that this is a bad window hook instruction hence the callback to the unloaded module causing a crash in the shell. I do not know if SSCtxMnu is responsible, if TaskManDLL loaded up and caused the SSCtxMnu dll to unload (I don't know which module grabbed that load address range first, so it's hard to say which is causing it), but I'd say they're both at least suspect at the moment.

    I believe TaskManDll to be a part of your FineCrypt package:

        0:012> lmivm TaskManDll
        start end module name
        02830000 02873000 TaskManDll T (no symbols)
            Symbol file: TaskManDll.dll
            Image path: C:\Program Files\FineCrypt\TaskManDll.dll
            Image name: TaskManDll.dll
            Timestamp: Tue Jan 08 15:09:56 2008 (4783D894)
            CheckSum: 00052A77
            ImageSize: 00043000
            File version: 10.1.0.1
            Product version: 10.1.0.0
            File flags: 0 (Mask 3F)
            File OS: 4 Unknown Win32
            File type: 2.0 Dll
            File date: 00000000.00000000
            Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

    And SSCtxMnu is a part of SpySweeper:

        0:012> lmivm SSCtxMnu
        start end module name
        02630000 026ad000 SSCtxMnu T (no symbols)
            Symbol file: SSCtxMnu.dll
            Image path: C:\PROGRA~1\SPYSWE~1\SSCtxMnu.dll
            Image name: SSCtxMnu.dll
            Timestamp: Fri Jun 19 18:22:17 1992 (2A425E19)
            CheckSum: 00078464
            ImageSize: 0007D000
            File version: 5.5.7.124
            Product version: 5.5.0.0
            File flags: 8 (Mask 3F) Private
            File OS: 0 Unknown Base
            File type: 1.0 App
            File date: 00000000.00000000
            Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4

    Honestly, once you've done a spyware and virus scan (to make sure the computer is clean), I'd uninstall both and see if the problem continues. If not, reinstall one or the other and see what happens. Also, I'd consider contacting the support groups of both FineCrypt and WebRoot to see if they know of any incompatibilities of their products when installed on the same machine as the other, just in case. No module should try to load over another, and module load ranges shouldn't overlap - usually this puts a module into a deferred state to try and load again in a different location, but the above looks suspicious. Note that I'd still prefer an adplus dump, because this may be a separate problem and may not have caused this issue at all, and I cannot be sure from a Dr Watson dump due to how much data it is actually missing compared to a full adplus.
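
The range comparison described in the post above, as an added example that is not part of the original post: it parses the `lm` lines quoted there (embedded below as constructed sample input) and reports loaded/unloaded modules whose ranges intersect, plus where the faulting address falls. The function names are hypothetical.

```python
import re

# Constructed sample input: the module ranges and faulting address quoted in the post.
LM_OUTPUT = """\
Loaded modules:
02830000 02873000 TaskManDll T (no symbols)
Unloaded modules:
027e0000 0285d000 SSCtxMnu.dll
"""
FAULT_ADDRESS = 0x04025B90

# start, end, module name; a backtick may split 64-bit addresses in debugger output
MODULE_LINE = re.compile(r"^([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)\s+(\S+)")


def parse_lm(text):
    """Return {'loaded': [(start, end, name)], 'unloaded': [...]} from lm output."""
    modules = {"loaded": [], "unloaded": []}
    section = "loaded"  # loaded modules are listed first
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("unloaded modules"):
            section = "unloaded"
            continue
        m = MODULE_LINE.match(line)
        if m:
            start, end = (int(v.replace("`", ""), 16) for v in m.group(1, 2))
            modules[section].append((start, end, m.group(3)))
    return modules


def overlaps(modules):
    """(loaded, unloaded) name pairs whose [start, end) ranges intersect."""
    return [(ld[2], un[2])
            for ld in modules["loaded"] for un in modules["unloaded"]
            if ld[0] < un[1] and un[0] < ld[1]]


def classify(address, modules):
    """Which list owns the address; a loaded module wins inside an overlap."""
    for kind in ("loaded", "unloaded"):
        for start, end, name in modules[kind]:
            if start <= address < end:
                return kind, name
    return "unknown", None  # matches "Frame IP not in any known module"


if __name__ == "__main__":
    mods = parse_lm(LM_OUTPUT)
    print("overlapping ranges:", overlaps(mods))
    print("fault address %08x:" % FAULT_ADDRESS, classify(FAULT_ADDRESS, mods))
```
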
  18. There are a lot of differences, but the user experience is basically the same. The biggest difference is (of course) one is a 32bit OS running 32bit code, and one is a 64bit OS that runs the OS as native 64bit, but can still run (most) 32bit code. There are vast differences in process virtual address space sizes, RAM amounts that can be addressed, etc. It's still "Windows", just a different architecture. Media Center edition is Windows XP Professional, but with the Microsoft Windows Media Center application in addition. No, 32bit is x86, and 64bit that is commonly referred to is x64 (note that there is also a 64bit architecture called Itanium, from Intel - it's not the same as x64, and it's designated as ia64).
  19. Usually this is down to either driver support (aka good vs bad drivers), and/or TCP offloading. If you can disable offloading in the driver properties (usually something like TCP Offload or Large Send Offload) and reboot, you may see much better performance. Some drivers just aren't written properly, and when the OS goes to use the Scalable Network Pack features they say they support, bad performance, dropped packets, etc happens. Mostly Broadcom, but there could be others out there.
  20. This worked fine in Vista, and on XP/2003 with WSH 5.7 installed:

        Set objFSO = CreateObject("Scripting.FileSystemObject")
        If objFSO.FileExists("E:\Program Files\Internet Explorer\iexplore.exe") Then ' // I tested C:\ and E:\
        ' If objFSO.FileExists("C:\Program Files\Internet Explorer\iexplore.exe") Then
            Wscript.Echo "File exists."
        Else
            Wscript.Echo "File does not exist."
        End If
  21. IE8's one process per tab was publicly disclosed in March of 2008 (and has been a feature since inception). Other than having optimizations in running javascript, almost nothing Google Chrome does is new - except maybe embedding Gears so that more people will use Google apps with Chrome, or sending back everything you type in the address/search bar to Google to be stored and mined when Google is your default search provider.
  22. cluberti

    Bug report

    Click the link in the black bar at the top, where it says "click to view full image". Here's the link: http://img220.imageshack.us/img220/3771/aaaasr6.jpg
  23. Yes, that looks like a physical memory error. Unless that's a server-class machine, the memory is very likely not ECC, so don't worry about that. Note that overheated RAM or a bad motherboard (or timings that are too aggressive) can cause this. I would definitely consider replacing the RAM, but remember that you should probably contact the OEM that sold you the computer hardware itself to see if they can test the other components as well.
  24. OK, now that I'm not so busy, I can say that in fact you CAN edit the offline registry. Mount the WIM, make sure you can see hidden and system files/folders in Windows Explorer's folder options, and you can simply copy the default user's ntuser.dat to your Vista or 2008 system, load up the .dat file in regedit as a hive, and modify it. Once done, unload the hive, copy the .dat file back, and voilà.
  25. What does procmon say (probably watching explorer.exe) when you choose the "do not show the language bar" settings in the language bar's properties? It's gotta set a flag somewhere in the registry or on the filesystem to disable that bar...