Everything posted by cluberti
-
Yes - I see another thread where the fwdrv is pausing exactly while the bluetooth driver is being called. So it looks like the fwdrv driver is being paused while the bluetooth driver is being used, but in the dump it looks like the fwdrv is causing the pauses (and in fact, it may be making it worse - I wouldn't call it the victim completely, because it is causing a pause in csrss.exe for the user). Now that I know what that process was (with the bluetooth driver), I can say that it does have some threads that are exhibiting behavior of a pause (can't tell why from the dump, though). Fantastic find!!!
-
What appears to be happening from the dump is that we have 7 threads in services.exe waiting on a service to start / respond to a control request. Note that while services.exe is hung, a machine will chug along, but will not be able to open applications properly or get out to the internet until services.exe continues and un-hangs. That's probably why everything seems to still run, but hangs until the issue is cleared. I thought I'd show you what I was seeing in the dump, before I tell you what I think. To start, here's one of the service threads that is stuck waiting, as an example (all 7 threads in a hung state look basically the same):

!THREAD 89420890 Cid 0290.01e0 Teb: 7ffa2000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
    891a2f18 SynchronizationEvent
Not impersonating
DeviceMap e1000160
Owning Process 89080da0 Image: services.exe
Wait Start TickCount 1854 Ticks: 1209 (0:00:00:18.890)
Context Switch Count 16
UserTime 00:00:00.0000
KernelTime 00:00:00.0000
Win32 Start Address 0x00000ccd
LPC Server thread working on message Id ccd
Start Address kernel32!BaseThreadStartThunk (0x7c810659)
Stack Init abb77000 Current abb76ca0 Base abb77000 Limit abb74000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
abb76cb8 80502b17 89420900 89420890 804fad6c nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
abb76cc4 804fad6c 00000000 00000000 00000000 nt!KiSwapThread+0x6b (FPO: [0,0,0])
abb76cec 805befc4 00000001 00000006 abb76c01 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
abb76d50 8054060c 000003cc 00000000 00000000 nt!NtWaitForSingleObject+0x9a (FPO: [Non-Fpo])
abb76d50 7c90eb94 000003cc 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ abb76d64)
0105f7a4 7c90e9c0 7c91901b 000003cc 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0105f7a8 7c91901b 000003cc 00000000 00000000 ntdll!ZwWaitForSingleObject+0xc (FPO: [3,0,0])
0105f830 7c90104b 0001a344 01005f6e 0101a344 ntdll!RtlpWaitForCriticalSection+0x132 (FPO: [Non-Fpo])
0105f838 01005f6e 0101a344 00373f10 00000000 ntdll!RtlEnterCriticalSection+0x46 (FPO: [1,0,0])
0105f860 010060fd 00373f10 00000000 00000000 services!ScStartServiceAndDependencies+0x1d (FPO: [Non-Fpo])
0105f884 010066fe 000d2530 00000000 00000000 services!RStartServiceW+0x8c (FPO: [Non-Fpo])
0105f8d0 77e79dc9 000d2530 00000000 00000000 services!RStartServiceA+0xbd (FPO: [Non-Fpo])
0105f8f0 77ef321a 010066d8 0105f904 00000003 RPCRT4!Invoke+0x30
0105fcf8 77ef36ee 00000000 00000000 000d526c RPCRT4!NdrStubCall2+0x297 (FPO: [Non-Fpo])
0105fd14 77e7988c 000d526c 000afec8 000d526c RPCRT4!NdrServerCall2+0x19 (FPO: [Non-Fpo])
0105fd48 77e797f1 01002579 000d526c 0105fdf0 RPCRT4!DispatchToStubInC+0x38 (FPO: [Non-Fpo])
0105fd9c 77e7971d 0000001f 00000000 0101a138 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x113 (FPO: [Non-Fpo])
0105fdc0 77e7bd0d 000d526c 00000000 0101a138 RPCRT4!RPC_INTERFACE::DispatchToStub+0x84 (FPO: [Non-Fpo])
0105fdfc 77e7bb6a 000d9028 000a70b0 000d5010 RPCRT4!LRPC_SCALL::DealWithRequestMessage+0x2db (FPO: [Non-Fpo])
0105fe20 77e76784 000a70ec 0105fe38 000d5010 RPCRT4!LRPC_ADDRESS::DealWithLRPCRequest+0x16d (FPO: [Non-Fpo])
0105ff80 77e76c22 0105ffa8 77e76a3b 000a70b0 RPCRT4!LRPC_ADDRESS::ReceiveLotsaCalls+0x28f (FPO: [Non-Fpo])
0105ff88 77e76a3b 000a70b0 00000048 00fbfc98 RPCRT4!RecvLotsaCallsWrapper+0xd (FPO: [Non-Fpo])
0105ffa8 77e76c0a 000ad248 0105ffec 7c80b683 RPCRT4!BaseCachedThreadRoutine+0x79 (FPO: [Non-Fpo])
0105ffb4 7c80b683 000d83a0 00000048 00fbfc98 RPCRT4!ThreadStartRoutine+0x1a (FPO: [Non-Fpo])
0105ffec 00000000 77e76bf0 000d83a0 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

Here's the thread that's talking from dkservice.exe to services.exe:

!THREAD 88ea7a00 Cid 06c8.06fc Teb: 7ffdd000 Win32Thread: e1fe3008 WAIT: (WrLpcReply) UserMode Non-Alertable
    88ea7bf4 Semaphore Limit 0x1
Waiting for reply to LPC MessageId 00001964:
Current LPC port e27ca180
IRP List:
    8923fa18: (0006,0094) Flags: 00000800 Mdl: 00000000
Not impersonating
DeviceMap e1000160
Owning Process 89125910 Image: DkService.exe
Wait Start TickCount 2028 Ticks: 1035 (0:00:00:16.171)
Context Switch Count 2511 LargeStack
UserTime 00:00:00.0000
KernelTime 00:00:00.0156
Win32 Start Address ADVAPI32!ScSvcctrlThreadA (0x77deb479)
Start Address kernel32!BaseThreadStartThunk (0x7c810659)
Stack Init baaf8000 Current baaf7c50 Base baaf8000 Limit baaf4000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
baaf7c68 80502b17 88ea7a70 88ea7a00 804fad6c nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
baaf7c74 804fad6c 88ea7bf4 88ea7bc8 88ea7a00 nt!KiSwapThread+0x6b (FPO: [0,0,0])
baaf7c9c 805a1dcf 00000001 00000011 00e9e301 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
baaf7d50 8054060c 000000c8 0019c9b0 0019c9b0 nt!NtRequestWaitReplyPort+0x63d (FPO: [Non-Fpo])
baaf7d50 7c90eb94 000000c8 0019c9b0 0019c9b0 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ baaf7d64)
00e9dedc 7c90e3ed 77e7c968 000000c8 0019c9b0 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00e9dee0 77e7c968 000000c8 0019c9b0 0019c9b0 ntdll!ZwRequestWaitReplyPort+0xc (FPO: [3,0,0])
00e9df2c 77e7a716 0019c9e8 00e9df4c 77e7a747 RPCRT4!LRPC_CCALL::SendReceive+0x228 (FPO: [Non-Fpo])
00e9df38 77e7a747 00e9df68 77de1d58 00e9e344 RPCRT4!I_RpcSendReceive+0x24 (FPO: [Non-Fpo])
00e9df4c 77ef3675 00e9df94 0019ca04 00000000 RPCRT4!NdrSendReceive+0x2b (FPO: [Non-Fpo])
00e9e328 77debc14 77de1d58 77de5768 00e9e344 RPCRT4!NdrClientCall2+0x222 (FPO: [Non-Fpo])
00e9e33c 77debbca 0017ff10 00000000 00000000 ADVAPI32!RStartServiceW+0x1b (FPO: [Non-Fpo])
00e9e37c 5999587c 0017ff10 00000000 00000000 ADVAPI32!StartServiceW+0x1e (FPO: [Non-Fpo])
00e9e3e4 77e42180 00000000 00e9ec90 0017ae90 wmiaprpl!WmiAdapterWrapper::Open+0x85 (FPO: [Non-Fpo])
00e9ead4 77e40e5c 0017ae90 0000007a 77df4d50 ADVAPI32!OpenExtObjectLibrary+0x58f (FPO: [Non-Fpo])
00e9ec48 77e09c8e 00e9ec90 00000000 00e9f158 ADVAPI32!QueryExtensibleData+0x3d8 (FPO: [Non-Fpo])
00e9f020 77df4406 80000004 00e9f13c 00000000 ADVAPI32!PerfRegQueryValue+0x513 (FPO: [Non-Fpo])
00e9f110 77dd7054 80000004 00e9f13c 00e9f160 ADVAPI32!LocalBaseRegQueryValue+0x306 (FPO: [Non-Fpo])
00e9f148 740072e7 00000000 00e9f1d8 00038000 ADVAPI32!RegQueryValueExW+0xa2 (FPO: [Non-Fpo])
00e9f1b0 7400862b 80000004 009462a0 00e9f1d8 pdh!GetSystemPerfData+0x66 (FPO: [Non-Fpo])
00e9f3e4 740052cb 009420e0 00000000 00000007 pdh!GetMachine+0x205 (FPO: [Non-Fpo])
00e9f430 740096b3 00941fb8 00000000 009420c0 pdh!InitCounter+0x1e0 (FPO: [Non-Fpo])
00e9f44c 74009807 00941ef8 00941f68 00000000 pdh!PdhiAddCounter+0xba (FPO: [Non-Fpo])
00e9f4a0 00481b17 00941ef8 00e9f500 00000000 pdh!PdhAddCounterW+0xdd (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
00e9f500 006d0065 0072006f 005c0079 00200025 DkService!DecryptPasswordStr+0x1e7
00e9f504 0072006f 005c0079 00200025 006f0043 0x6d0065
00e9f508 005c0079 00200025 006f0043 006d006d 0x72006f
00e9f50c 00200025 006f0043 006d006d 00740069 0x5c0079
00e9f510 006f0043 006d006d 00740069 00650074 0x200025
00e9f514 006d006d 00740069 00650074 00200064 0x6f0043
00e9f518 00740069 00650074 00200064 00790042 0x6d006d
00e9f51c 00650074 00200064 00790042 00650074 0x740069
00e9f520 00200064 00790042 00650074 00200073 0x650074
00e9f524 00790042 00650074 00200073 006e0049 0x200064
00e9f528 00650074 00200073 006e0049 00550020 0x790042
00e9f52c 00200073 006e0049 00550020 00650073 0x650074
00e9f530 006e0049 00550020 00650073 00000000 0x200073
00e9f534 00550020 00650073 00000000 00000000 0x6e0049
00e9f538 00650073 00000000 00000000 00000000 0x550020
00e9f53c 00000000 00000000 00000000 00000000 0x650073

And that thread is waiting on a response from this thread, also in dkservice.exe:

!THREAD 89136da8 Cid 06c8.06cc Teb: 7ffdf000 Win32Thread: e267f860 WAIT: (Executive) UserMode Non-Alertable
    891befec NotificationEvent
IRP List:
    89187c20: (0006,0094) Flags: 00000900 Mdl: 00000000
Not impersonating
DeviceMap e1000160
Owning Process 89125910 Image: DkService.exe
Wait Start TickCount 1652 Ticks: 1411 (0:00:00:22.046)
Context Switch Count 216 LargeStack
UserTime 00:00:00.0062
KernelTime 00:00:00.0000
Win32 Start Address 0x004a58b7
Start Address kernel32!BaseProcessStartThunk (0x7c810665)
Stack Init ae16f000 Current ae16ec2c Base ae16f000 Limit ae16b000 Call 0
Priority 6 BasePriority 6 PriorityDecrement 0 DecrementCount 0
ChildEBP RetAddr Args to Child
ae16ec44 80502b17 89136e18 89136da8 804fad6c nt!KiSwapContext+0x2f (FPO: [Uses EBP] [0,0,4])
ae16ec50 804fad6c 00000103 00000000 89187c20 nt!KiSwapThread+0x6b (FPO: [0,0,0])
ae16ec78 8057e6e6 00000001 00000000 893c0101 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
ae16eca0 8057b761 893c01e8 00000103 891bef90 nt!IopSynchronousServiceTail+0xc6 (FPO: [Non-Fpo])
ae16ed38 8054060c 000000c0 00000000 00000000 nt!NtReadFile+0x55d (FPO: [Non-Fpo])
ae16ed38 7c90eb94 000000c0 00000000 00000000 nt!KiFastCallEntry+0xfc (FPO: [0,0] TrapFrame @ ae16ed64)
0012fba0 7c90e288 7c801875 000000c0 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0012fba4 7c801875 000000c0 00000000 00000000 ntdll!NtReadFile+0xc (FPO: [9,0,0])
0012fc0c 77deb3cb 000000c0 0012fcd8 00000216 kernel32!ReadFile+0x16c (FPO: [Non-Fpo])
0012fc38 77deb25f 000000c0 0012fcd8 00000216 ADVAPI32!ScGetPipeInput+0x2a (FPO: [Non-Fpo])
0012fcac 77deb568 000000c0 0012fcd8 00000216 ADVAPI32!ScDispatcherLoop+0x3f (FPO: [Non-Fpo])
0012ff0c 0044a1ed 0012ff20 004d65b4 00000001 ADVAPI32!StartServiceCtrlDispatcherW+0xe3 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012ffc0 7c816fd7 0007fbc8 00000000 7ffd4000 0x44a1ed
0012fff0 00000000 004a58b7 00000000 78746341 kernel32!BaseProcessStart+0x23 (FPO: [Non-Fpo])

That thread is in the middle of an NtReadFile operation, and it is causing the delay - not sure why, but here's the culprit in the dkservice.exe process:

!handle 0x0000c0 F 0x89125910
processor number 0, process 89125910
PROCESS 89125910 SessionId: 0 Cid: 06c8 Peb: 7ffd4000 ParentCid: 0290
    DirBase: 0a540260 ObjectTable: e1fba198 HandleCount: 285.
    Image: DkService.exe
Handle table at e27ba000 with 285 Entries in use
00c0: Object: 891bef90 GrantedAccess: 0012019f Entry: e27ba180
Object: 891bef90 Type: (89e62ca0) File
    ObjectHeader: 891bef78
    HandleCount: 1 PointerCount: 3
    Directory Object: 00000000 Name: \net\NtControlPipe8 {NamedPipe}

You'll probably have to get with Diskeeper to determine what the process is looking for on service startup, because without symbols to the Diskeeper product I can't tell why it's looking for this file, nor why it waits so long after completing this handle operation to a named pipe that it continues. One thing you could try though is to uninstall all of the other software with fsf drivers, like antivirus or antispyware software, to make sure they aren't causing the delay - I've seen other slowness on machines with the VMware server vmount and net drivers installed as well, so removal of vmware server from the machine might help as well. Just a thought.
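
Added example, not part of the original post and not a WinDbg feature: a small Python parser for !thread output like the listings above, which pulls out each thread's wait reason, wait time, system call and first frame outside nt/ntdll, then ranks the threads by how long they have waited. The function names and the longest-wait-first heuristic are assumptions of this example, and the sample text is abbreviated from the three listings in the post.

```python
import re

# Constructed sample: the three !thread listings from the post, cut down to the
# header fields and a few frames each. Layout does not matter to the parser.
SAMPLE = """\
!THREAD 89420890 Cid 0290.01e0 Teb: 7ffa2000 WAIT: (UserRequest) UserMode Non-Alertable
Owning Process 89080da0 Image: services.exe
Wait Start TickCount 1854 Ticks: 1209 (0:00:00:18.890)
abb76cec 805befc4 nt!KeWaitForSingleObject+0x1c2
abb76d50 8054060c nt!NtWaitForSingleObject+0x9a
0105f838 01005f6e ntdll!RtlEnterCriticalSection+0x46
0105f860 010060fd services!ScStartServiceAndDependencies+0x1d
!THREAD 88ea7a00 Cid 06c8.06fc Teb: 7ffdd000 WAIT: (WrLpcReply) UserMode Non-Alertable
Owning Process 89125910 Image: DkService.exe
Wait Start TickCount 2028 Ticks: 1035 (0:00:00:16.171)
baaf7c9c 805a1dcf nt!KeWaitForSingleObject+0x1c2
baaf7d50 8054060c nt!NtRequestWaitReplyPort+0x63d
00e9df2c 77e7a716 RPCRT4!LRPC_CCALL::SendReceive+0x228
00e9e37c 5999587c ADVAPI32!StartServiceW+0x1e
!THREAD 89136da8 Cid 06c8.06cc Teb: 7ffdf000 WAIT: (Executive) UserMode Non-Alertable
Owning Process 89125910 Image: DkService.exe
Wait Start TickCount 1652 Ticks: 1411 (0:00:00:22.046)
ae16ec78 8057e6e6 nt!KeWaitForSingleObject+0x1c2
ae16ed38 8054060c nt!NtReadFile+0x55d
0012fc0c 77deb3cb kernel32!ReadFile+0x16c
0012fc38 77deb25f ADVAPI32!ScGetPipeInput+0x2a
"""

THREAD_RE = re.compile(r"THREAD\s+([0-9a-f]{8})\s+Cid\s+([0-9a-f]+\.[0-9a-f]+)", re.I)
WAIT_RE = re.compile(r"WAIT:\s*\((\w+)\)")
IMAGE_RE = re.compile(r"Image:\s*(\S+)")
# Elapsed wait is printed as days:hours:minutes:seconds.milliseconds
TICKS_RE = re.compile(r"Ticks:\s*\d+\s*\((\d+):(\d+):(\d+):(\d+(?:\.\d+)?)\)")
# module!symbol+0xoffset; start addresses have no +offset and are skipped
FRAME_RE = re.compile(r"\b(\w+)!([\w:]+)\+0x[0-9a-f]+", re.I)


def parse_threads(text):
    """Split debugger text on THREAD headers and summarise each thread."""
    heads = list(THREAD_RE.finditer(text))
    threads = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.start():end]
        wait = WAIT_RE.search(body)
        image = IMAGE_RE.search(body)
        ticks = TICKS_RE.search(body)
        waited = None
        if ticks:
            d, h, m, s = ticks.groups()
            waited = int(d) * 86400 + int(h) * 3600 + int(m) * 60 + float(s)
        frames = FRAME_RE.findall(body)
        # The system call the thread is blocked in (first nt!Nt* frame) ...
        syscall = next((f"{mod}!{fn}" for mod, fn in frames
                        if mod.lower() == "nt" and fn.startswith("Nt")), None)
        # ... and the first frame that is not kernel or ntdll plumbing.
        caller = next((f"{mod}!{fn}" for mod, fn in frames
                       if mod.lower() not in ("nt", "ntdll")), None)
        threads.append({
            "thread": head.group(1).lower(),
            "cid": head.group(2).lower(),
            "image": image.group(1) if image else None,
            "wait": wait.group(1) if wait else None,
            "waited_s": waited,
            "syscall": syscall,
            "caller": caller,
        })
    return threads


def rank_by_wait(threads):
    """Longest wait first: a heuristic for where a chain of blocked threads starts."""
    return sorted(threads, key=lambda t: t["waited_s"] or 0.0, reverse=True)


if __name__ == "__main__":
    for t in rank_by_wait(parse_threads(SAMPLE)):
        print(f'{t["waited_s"]:>7.3f}s {t["image"]:<14} {t["thread"]} '
              f'{t["wait"]:<12} {t["syscall"]} <- {t["caller"]}')
```

On the sample, the DkService.exe thread blocked in nt!NtReadFile sorts first, which matches the order in which the post walks the chain back from services.exe.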
-
Installing NT 4.0 Drivers in Windows 2000.
cluberti replied to myelin's topic in Windows 2000/2003/NT4
Agreed. By default, the only NT4 drivers that will install on W2K are printer drivers (a no-no, but we allowed it). You have to perform surgery on the driver's .inf files to make it work, and even then, some drivers will fail to install. Oh, and NT4 drivers will indeed make your 2K box unstable - just warning you.
-
The thread that was pausing had fwdrv.sys loaded (the kerio firewall driver) - it is possible it was just a victim, but I'm fairly sure it was the culprit. If you boot into safe mode w/ networking, does the problem continue? As to your second question, reading and analyzing dump files is something you'll get better at if you do two things:
1. Read (many times) the book "Windows Internals, 4th Edition", by Mark Russinovich and David Solomon. It describes in great detail the inner workings of the Windows NT kernel, including priority, memory management, security model, network stack, etc. A must for anyone doing kernel debugging.
2. Get into a kernel debugging class led by someone who knows and understands it, either at your local training center or some other way.
-
This is usually done by hooking into winlogon.exe by the developer, but the startup script should work just fine.
-
Thanks jcarle. Actually, I think I still have a memory dump of yours, but I can't remember the post it was from. Or, maybe I'm getting old...
-
Intel image to work on AMD machine
cluberti replied to mad_mattx's topic in Unattended RIS Installation
Usually this is seen when the image builder installed the Intel chipset software. If you can get into safe mode and can remove the Intel chipset utility (and associated drivers), you should be able to get it to boot.
-
Here's the actual thread that's causing the pauses:

THREAD 85db0020 Cid 0004.0028 Teb: 00000000 Win32Thread: 00000000 WAIT: (WrUserRequest) KernelMode Non-Alertable
    85af9678 SynchronizationEvent
Not impersonating
DeviceMap e1001050
Owning Process 85555640 Image: csrss.exe
Wait Start TickCount 209706 Ticks: 30 (0:00:00:00.468)
Context Switch Count 186897
UserTime 00:00:00.0000
KernelTime 00:00:13.0359
Start Address nt!ExpWorkerThread (0x80533cd0)
Stack Init f78d0000 Current f78cfb88 Base f78d0000 Limit f78cd000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr Args to Child
f78cfba0 8050017a 85db0090 85db0020 804f99be nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f78cfbac 804f99be bf9995c0 e1ee6008 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f78cfbd4 bf88904c 00000000 0000000d 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f78cfbfc bf92f0ce e1ee6008 00000108 00000001 win32k!RequestDeviceChange+0x77 (FPO: [Non-Fpo])
f78cfc18 8057dbe7 f78cfc90 e1ee6008 804f99be win32k!DeviceNotify+0x9f (FPO: [Non-Fpo])
f78cfc40 8057e144 bf92f02f f78cfc90 e1ee6008 nt!PiNotifyDriverCallback+0x4f (FPO: [Non-Fpo])
f78cfcac 8058e5dd 804d8314 8476d030 00000000 nt!IopNotifyTargetDeviceChange+0xfe (FPO: [Non-Fpo])
f78cfd34 8058e92e f78cfd70 806d0778 e18ae008 nt!PiProcessQueryRemoveAndEject+0x6dd (FPO: [Non-Fpo])
f78cfd50 8058ea87 f78cfd70 85b314a8 8055a1fc nt!PiProcessTargetDeviceEvent+0x2a (FPO: [Non-Fpo])
f78cfd74 80533dd0 85b314a8 00000000 85db0020 nt!PiWalkDeviceList+0xfd (FPO: [Non-Fpo])
f78cfdac 805c4a06 85b314a8 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [Non-Fpo])
f78cfddc 80540fa2 80533cd0 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

And here's the thread that I see that looks to be the culprit - the device that we're sending the DeviceChange request to:

THREAD 859f3cd8 Cid 021c.0240 Teb: 7ffd8000 Win32Thread: e2a52258 WAIT: (DelayExecution) KernelMode Non-Alertable
    859f3dc8 NotificationTimer
IRP List:
    848c5008: (0006,0220) Flags: 00000404 Mdl: 00000000
    846e4e28: (0006,01d8) Flags: 00000970 Mdl: 00000000
    8591d6b8: (0006,0190) Flags: 00000970 Mdl: 00000000
Not impersonating
DeviceMap e1001050
Owning Process 85555640 Image: csrss.exe
Wait Start TickCount 209707 Ticks: 29 (0:00:00:00.453)
Context Switch Count 712636 LargeStack
UserTime 00:00:00.0000
KernelTime 00:00:00.0640
Start Address winsrv!StartCreateSystemThreads (0x75b17cd7)
Stack Init b0007000 Current b00067f4 Base b0007000 Limit b0004000 Call 0
Priority 15 BasePriority 13 PriorityDecrement 0 DecrementCount 16
*** ERROR: Module load completed but symbols could not be loaded for fwdrv.sys
ChildEBP RetAddr
b000680c 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b0006818 804f93fb nt!KiSwapThread+0x46 (FPO: [0,0,0])
b0006844 b80144df nt!KeDelayExecutionThread+0x1c9 (FPO: [Non-Fpo])
b000686c 804eddf9 kbdhid!KbdHid_Close+0xc3 (FPO: [Non-Fpo])
b000687c f778e5f5 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b000689c f778c6db kbdclass!KeyboardSendIrpSynchronously+0x59 (FPO: [Non-Fpo])
b00068cc f778d12e kbdclass!KbdEnableDisablePort+0x61 (FPO: [Non-Fpo])
b0006900 804eddf9 kbdclass!KeyboardClassClose+0x146 (FPO: [Non-Fpo])
b0006910 80577c84 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
b0006948 805af547 nt!IopDeleteFile+0x132 (FPO: [Non-Fpo])
b0006964 80521e47 nt!ObpRemoveObjectRoutine+0xdf (FPO: [Non-Fpo])
b0006988 805b0547 nt!ObfDereferenceObject+0x5f (FPO: [Non-Fpo])
b00069a0 805b05dd nt!ObpCloseHandleTableEntry+0x155 (FPO: [Non-Fpo])
b00069e8 805b0715 nt!ObpCloseHandle+0x87 (FPO: [Non-Fpo])
b00069fc b6e4a18c nt!NtClose+0x1d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
b0006a08 8053c808 fwdrv+0x2818c
b0006a08 804fd479 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b0006a14)
b0006a84 bf92ed8e nt!ZwClose+0x11 (FPO: [1,0,0])
b0006a9c bf8873ca win32k!CloseDevice+0x37 (FPO: [Non-Fpo])
b0006ad0 bf88977a win32k!ProcessDeviceChanges+0x114 (FPO: [Non-Fpo])
b0006d30 bf86d09c win32k!RawInputThread+0x5ce (FPO: [Non-Fpo])
b0006d40 bf8010ca win32k!xxxCreateSystemThreads+0x60 (FPO: [Non-Fpo])
b0006d54 8053c808 win32k!NtUserCallOneParam+0x23 (FPO: [Non-Fpo])
b0006d54 7c91eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b0006d64)
0073ffe0 75b1ba3d ntdll!KiFastSystemCallRet (FPO: [0,0,0])
00000000 f000eef3 winsrv!NtUserCallOneParam+0xc
00000000 00000000 0xf000eef3

Here's the data for fwdrv on your system:

start end module name
b6e22000 b6f01000 fwdrv (no symbols)
    Loaded symbol image file: fwdrv.sys
    Image path: \SystemRoot\system32\drivers\fwdrv.sys
    Image name: fwdrv.sys
    Timestamp: Thu Jul 06 12:01:48 2006 (44AD33EC)
    CheckSum: 00047EA0
    ImageSize: 000DF000
    File version: 4.3.142.0
    Product version: 4.3.142.0
    File flags: 0 (Mask 3F)
    File OS: 4 Unknown Win32
    File type: 1.0 App
    File date: 00000000.00000000
    Translations: 0409.04e4
    CompanyName: Sunbelt Software
    ProductName: Sunbelt Firewall Engine
    InternalName: fwdrv.sys
    OriginalFilename: fwdrv.sys
    ProductVersion: 4.3.142.0
    FileVersion: 4.3.142.0
    FileDescription: Sunbelt Kerio Firewall FWDRV
    LegalCopyright: Copyright © 2002-2005 Sunbelt Software. All rights reserved.
    LegalTrademarks: SUNBELT SOFTWARE and the "S" logo are registered trademarks of Sunbelt Software. Sunbelt Firewall Engine and SFE are trademarks of Sunbelt Software.

Uninstall that software and reboot, and see if the problem continues.
-
At this point, I'm not really certain as to what could be causing it (nothing seems to jump out as the culprit other than performance logs and alerts, and that's just a stab in the dark). Perhaps at this point using Process Monitor from sysinternals to see if we get any access denied messages from the filesystem or in the registry, or perhaps installing the Userdump application from Microsoft to gather a dump of Sandra crashing - I honestly can't think of anything else, as I'm not a big Sandra user.
-
If you disable all non-Microsoft shell hooks and startup / service items via shellexview and autoruns, then we need to get a process dump of explorer.exe when it's using 100% CPU - you'll need to install the debugging tools for windows, and gather an "adplus -hang" mode dump of explorer.exe when the problem occurs. I guess I'm asking at this point, did you disable the non-Microsoft items, and is the issue still occurring?
-
It's due to changes in iernonce.dll in IE7 - you have to call the IE6 version of the .dll via the rundll32 call to do a runonce - and it'll only work once per rundll32 call. Long term, consider using a different way to deploy software, as runonce will no longer be easy with IE7. Note you'll have the same problem in XP if you upgrade to IE7 successfully.
-
Do you know how crucified Microsoft will be (already is, to a point in Vista) for not being 100% backwards compatible with crap from forever ago? And make changes - what about the uproar about the annoyances that UAC or IE7 changes have brought (for security reasons no less - "we want security but we don't want to be inconvenienced or have anything change at all")? Oh, and our OSes are unstable (baloney), and our products are always late (that part is true).
-
No - RIS requires Active Directory to store and query data. However, having one server running as a DC and running RIS is possible (not recommended, but possible). Your DC would also have to run its own DNS server for AD as well...
-
No, I actually need the dump file (memory.dmp) to see what the processors were doing at the time, and what processes were running, how the I/O subsystem was behaving, etc. I know it was a manually initiated crash.
-
If you're getting these "pauses" every 6 seconds for 1 second, if you pull the NIC cable, does the issue recur? If so, I'd suggest the following:
1. Create or set the following registry value:
   Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters
   Value: CrashOnCtrlScroll
   Type: REG_DWORD
   Data: 1
2. Right-Click on the "My Computer" icon on the desktop and select "Properties"; this will open the "System Properties" window. Go to the "Advanced" tab and click "Performance Options". Click "Change" under "Virtual Memory". Set the pagefile to be located on the partition where the OS is installed, and set it to be equal to Physical RAM + 50 MB.
3. Also in the "System Properties" window, click on the "Advanced" tab, then click "Startup and Recovery". Make sure "Complete Memory Dump" is selected (see 3a if this is not in the list). You can change the location of the memory dump file to a different local partition if you do not have enough room on the partition where the OS is installed.
3a. If the "Complete Memory Dump" option in step 3 is not available, you will need to manually set this registry value:
   Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
   Value: CrashDumpEnabled
   Type: REG_DWORD
   Value: 1
4. You will need to reboot for these changes to take effect. Once you reboot, time your pauses again and make sure it's every 6 seconds, and lasting for 1 second (or more). When this occurs, hold down the RIGHT hand CTRL key and press SCROLL LOCK twice (again, making sure to do this during the hang - you'll have to get it just right). This will cause the box to bugcheck, and create a memory.dmp file of the issue occurring. You can then open this in windbg to analyze, or upload it for one of us to take a look at.
-
Download autoruns and shellexview, and disable all non-Microsoft items in both utilities. Reboot, and see if the problem recurs.
-
Strange behaviour when coming back after screensaver
cluberti replied to thundernetbr's topic in Windows XP
Actually, if upgrading to IE7 resolved it, you had an issue with shell components. I say this because IE7 removes itself from the shell almost entirely (almost, but not completely), and does upgrade the shell components to make sure they work with the new IE7 binaries. Since IE6 used actual shell component .dlls when running, the upgrading of the shell binaries is likely the resolution. But glad to hear you've got it working.
-
I would say the best place would be the vendor's website for both products. If they don't exist on that site, they probably don't exist.
-
Installation of R2 requires two things - one, a Windows Server 2003 server as a DC (has to ALREADY be a DC, not one you're installing with R2 already installed), and second, at least a mixed-mode domain. R2 is unable to upgrade the schema from anything but a Server 2003 DC (obviously without R2 installed, because you can't install R2 without first updating the schema). You cannot install R2 into a domain that doesn't already have a Windows Server 2003 DC, because you need that machine to upgrade the schema to allow R2 installation - it's roundabout, but makes sense if you break it down.
-
I honestly can't see why you would have trouble starting the Sandra services unless they have dependencies on one (or more) of the disabled services. However, since Sandra is a performance tool, perhaps setting the Performance logs and alerts service back to manual will help?
-
Since that error code usually means "Access Denied", I'd run filemon / regmon on that machine while attempting to install iTunes (or register the vbscript host) - you should see where the access denied messages are coming from, and be able to resolve it by rectifying the permissions.
-
rdp from Vista to xp or w2k3 boxes? how? help?
cluberti replied to alien2xx's topic in Windows Vista
I actually ran into this problem in Vista x64, and it came down to having the correct proxy software installed (ISA server on the network, needed the 64bit firewall client installed). Can you ping the XP or 2003 machines? Can you telnet to port 3389 on those machines from the Vista machine? If the answer is no to one or both, you might want to make sure you aren't going through a proxy.
-
I would suggest first installing Windows 2003 x64 on the server, sans R2, and upgrade the domain functional level to 2003 mixed mode after moving the FSMO roles to the 2003 server. After that, run adprep /forestprep and adprep /domainprep from the R2\adprep folder and see if that works for you.
-
Could you post your system services list (disabled or non-running services) - that'll help!
-
If your machine really is clean (spyware and viruses), a real-time spyware scanner (like Windows Defender) may be able to keep it away.