Everything posted by cluberti

  1. I did notice one thing by zooming in close on the processes running from about 2 seconds into the trace to the EndShell notification for session 1 (this is where the bulk of the time is - from end shell to the end of the trace is only about 3 seconds). What I noticed is that only 4 processes sustain throughout, with one of them being one I expected to shut down much quicker - the 4 processes are LogonUI.exe, dwm.exe, explorer.exe, and taskhost.exe. It's not abnormal for these to be running, but for them to stick around for so long with no other obvious disk or memory I/O, no other process, driver, or even generic events, leads me to believe one of these 4 might be a problem. I noticed that the nvidia driver unloaded at around 4.5 seconds, and the nvsvc.exe process stopped at ~6 seconds, so I doubt it's dwm. LogonUI will exist until you are completely logged out, so that's likely out as well. explorer.exe still being around for the bulk of it is also pretty normal, so something is keeping the shell open for what appears to be all but 3 seconds of the entire trace of what I'm guessing is a problem to close down your logon session. I doubt it's notepad, and the Windows Update service being unresponsive isn't exactly abnormal anyway (it's supposed to be handled by services.exe, not during shell shutdown - it hasn't even been asked to stop yet, likely). I actually think it's possible that you might be hitting a variant of this. I've never seen it on an English-language install before, but that doesn't mean it can't happen - I see that taskhost.exe is indeed still running MsCtfMonitor::ThreadProc while the ShutdownTasksThreadProc is running, so.... it's possible that this is it.
  2. Don't double-post. It's not necessary.
  3. Well, anything that is stored in memory is in a memory dump. Personal? I dunno, hard to say. I'm not about to go poking through 4GB of binary text to find something though.
  4. The Realtek warning is more likely a line-state issue (due to the reboot) rather than an actual problem. In looking at the event, a few things spring to mind (including the aforementioned memory issue) - an i5 750 (Nehalem) is actually almost the same internally to a Xeon x5550 (i5 is basically an x5550 minus having HT capabilities), and the 5550 and i5-7xx series have a known errata issue with 2008 R2, and potentially Windows 7, that causes the same thing (bugcheck, then a kernel-power error in the event viewer). See if disabling C-States in the BIOS and/or the OS makes the problem go away as per the linked KB article.
  5. So this is definitely not a complete dump, it's just a kernel summary (kernel only) dump. The problem with that is, there's a user-mode component to this dump that I cannot see because none of that memory was captured. However, I can tell you that the crash is likely being caused by a 32bit app running in user-mode, and it appears to be something that is loading right after logon (and potentially from the Intel video driver).

     // Here's the error - it was an unhandled exception writing
     // to a user-mode memory address, and likely in a 32bit app:
     0: kd> .exr 0xfffff880`05fb9b38
     ExceptionAddress: 0000000077c359ad
     ExceptionCode: c0000005 (Access violation)
     ExceptionFlags: 00000000
     NumberParameters: 2
     Parameter[0]: 0000000000000001
     Parameter[1]: 00000000022a0a88
     Attempt to write to address 00000000022a0a88

     // Looking quickly at the trap frame, all of the registers
     // have 32bit values - another indication it's a 32bit app:
     0: kd> .trap 0xfffff880`05fb9be0
     NOTE: The trap frame does not contain all registers.
     Some register values may be zeroed or incorrect.
     rax=0000000000000000 rbx=0000000000000000 rcx=00000000022a1660
     rdx=00000000022a1170 rsi=0000000000000000 rdi=0000000000000000
     rip=0000000077c359ad rsp=00000000022a0a90 rbp=00000000022a1170
     r8=0000000000000000 r9=0000000000000000 r10=0000000077d55010
     r11=000007fefdbbc000 r12=0000000000000000 r13=0000000000000000
     r14=0000000000000000 r15=0000000000000000
     iopl=0 nv up ei pl zr na po nc
     0033:00000000`77c359ad ?? ???

     // There's a thread pending an LPC call in csrss:
     0: kd> !thread fffffa80098f8b60
     THREAD fffffa80098f8b60 Cid 0220.03e4 Teb: 000007fffffdc000 Win32Thread: fffff900c069cc30 WAIT: (WrLpcReply) UserMode Non-Alertable
     fffffa80098f8f20 Semaphore Limit 0x1
     Waiting for reply to ALPC Message fffff8a00289cd00 : queued at port fffffa80098d93c0 : owned by process fffffa8008b32060
     Not impersonating
     DeviceMap fffff8a000008c10
     Owning Process fffffa80080ac1d0 Image: csrss.exe
     Attached Process N/A Image: N/A
     Wait Start TickCount 48502 Ticks: 1 (0:00:00:00.015)
     Context Switch Count 268 LargeStack
     UserTime 00:00:00.000
     KernelTime 00:00:00.000
     Win32 Start Address 0x000007fefdba3d44
     Stack Init fffff880025c3d70 Current fffff880025c3650
     Base fffff880025c4000 Limit fffff880025be000 Call 0
     Priority 15 BasePriority 15 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
     # Child-SP RetAddr Call Site
     00 fffff880`025c3690 fffff800`02acd752 nt!KiSwapContext+0x7a
     01 fffff880`025c37d0 fffff800`02acf8af nt!KiCommitThreadWait+0x1d2
     02 fffff880`025c3860 fffff800`02ae4bef nt!KeWaitForSingleObject+0x19f
     03 fffff880`025c3900 fffff800`02dcda36 nt!AlpcpSignalAndWait+0x8f
     04 fffff880`025c39b0 fffff800`02dcb9c0 nt!AlpcpReceiveSynchronousReply+0x46
     05 fffff880`025c3a10 fffff800`02dda36d nt!AlpcpProcessSynchronousRequest+0x33d
     06 fffff880`025c3b30 fffff800`02dda446 nt!LpcpRequestWaitReplyPort+0x9c
     07 fffff880`025c3b90 fffff800`02ac5853 nt!NtRequestWaitReplyPort+0x76
     08 fffff880`025c3be0 00000000`77c700da nt!KiSystemServiceCopyEnd+0x13
     09 00000000`0146fb88 00000000`00000000 0x77c700da

     // It goes to lsm.exe:
     0: kd> !thread fffffa80098d0060
     THREAD fffffa80098d0060 Cid 0260.0378 Teb: 000007fffffda000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
     fffffa80098d0420 Semaphore Limit 0x1
     Not impersonating
     DeviceMap fffff8a000008c10
     Owning Process fffffa8008b32060 Image: lsm.exe
     Attached Process N/A Image: N/A
     Wait Start TickCount 48502 Ticks: 1 (0:00:00:00.015)
     Context Switch Count 31
     UserTime 00:00:00.000
     KernelTime 00:00:00.000
     Win32 Start Address 0x0000000077c38f00
     Stack Init fffff8800307ad70 Current fffff8800307a750
     Base fffff8800307b000 Limit fffff88003075000 Call 0
     Priority 9 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
     # Child-SP RetAddr Call Site
     00 fffff880`0307a790 fffff800`02acd752 nt!KiSwapContext+0x7a
     01 fffff880`0307a8d0 fffff800`02acf8af nt!KiCommitThreadWait+0x1d2
     02 fffff880`0307a960 fffff800`02dc6329 nt!KeWaitForSingleObject+0x19f
     03 fffff880`0307aa00 fffff800`02dd8c78 nt!AlpcpReceiveMessagePort+0x189
     04 fffff880`0307aa60 fffff800`02dd9037 nt!AlpcpReceiveLegacyMessage+0x127
     05 fffff880`0307ab00 fffff800`02dd90af nt!NtReplyWaitReceivePortEx+0x106
     06 fffff880`0307aba0 fffff800`02ac5853 nt!NtReplyWaitReceivePort+0xf
     07 fffff880`0307abe0 00000000`77c6ff6a nt!KiSystemServiceCopyEnd+0x13
     08 00000000`0096f628 00000000`00000000 0x77c6ff6a

     // After walking the call through wininit.exe, svchost.exe, and
     // services.exe, we end up here, in explorer.exe, where this likely
     // started to fail:
     0: kd> !thread fffffa8006d27b60
     THREAD fffffa8006d27b60 Cid 02a0.0548 Teb: 000007fffff92000 Win32Thread: 0000000000000000 RUNNING on processor 1
     Not impersonating
     DeviceMap fffff8a001b689a0
     Owning Process fffffa8009d64660 Image: explorer.exe
     Attached Process N/A Image: N/A
     Wait Start TickCount 48503 Ticks: 0
     Context Switch Count 1
     UserTime 00:00:00.000
     KernelTime 00:00:00.000
     Win32 Start Address 0x000007fefe6fc7d4
     Stack Init fffff8800911dd70 Current fffff8800911da60
     Base fffff8800911e000 Limit fffff88009118000 Call 0
     Priority 8 BasePriority 8 UnusualBoost 0 ForegroundBoost 0 IoPriority 2 PagePriority 5
     # Child-SP RetAddr Call Site
     00 fffff880`0911d3f0 fffff800`02aa541e nt!KeContextToKframes+0x11
     01 fffff880`0911d4d0 fffff800`02aa517c nt!KiContinuePreviousModeUser+0xd6
     02 fffff880`0911da30 fffff800`02ac80c7 nt!KiContinueEx+0xbc
     03 fffff880`0911daa0 fffff800`02ac5853 nt!NtContinue+0x87
     04 fffff880`0911dbe0 00000000`77c702ea nt!KiSystemServiceCopyEnd+0x13
     05 00000000`0930f728 00000000`00000000 0x77c702ea

     I know that the KiContinuePreviousModeUser is copying the context record to the stack for a switch to kernel-mode, but I can't see the user-mode portion of the stack to see if there was some sort of fail here. Given that igfxext.exe has just loaded right before the failure, and it has explorer shell extensions (and a kernel-mode video driver that it can interface with via processes like ScreenRotation.exe), I'm wondering if this is a problem with the (very new) Intel graphics driver and supporting software you have loaded? I've actually had issues with the ATI Radeon driver since 10.x doing similar things if the user-mode explorer app was installed as well, so I wouldn't be surprised if the Intel explorer shell app wasn't part of (or the root cause of) the problem.
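
The hand-off followed with !thread in the post above (a thread blocked in WrLpcReply, then the process that owns the ALPC port it is waiting on) can be extracted from saved debugger text mechanically. This is an added example, not part of cluberti's post: the function names are hypothetical, and the sample is constructed by trimming lines from the debugger output quoted above.

```python
import re

# Constructed sample: a few lines kept from each of the first two !thread
# summaries in the post (csrss.exe waiting on a port owned by lsm.exe).
SAMPLE = """\
THREAD fffffa80098f8b60 Cid 0220.03e4 Teb: 000007fffffdc000 Win32Thread: fffff900c069cc30 WAIT: (WrLpcReply) UserMode Non-Alertable
Waiting for reply to ALPC Message fffff8a00289cd00 : queued at port fffffa80098d93c0 : owned by process fffffa8008b32060
Owning Process fffffa80080ac1d0 Image: csrss.exe
THREAD fffffa80098d0060 Cid 0260.0378 Teb: 000007fffffda000 Win32Thread: 0000000000000000 WAIT: (WrLpcReceive) UserMode Non-Alertable
Owning Process fffffa8008b32060 Image: lsm.exe
"""

THREAD_RE = re.compile(r"^THREAD\s+([0-9a-f]{16})\s+Cid\s+([0-9a-f]+)\.([0-9a-f]+)", re.I)
STATE_RE = re.compile(r"WAIT:\s+\((\w+)\)|\b(RUNNING) on processor")
ALPC_RE = re.compile(r"Waiting for reply to ALPC Message .*owned by process\s+([0-9a-f]{16})", re.I)
OWNER_RE = re.compile(r"Owning Process\s+([0-9a-f]{16})\s+Image:\s+(\S+)", re.I)

def parse_threads(text):
    """Return one dict per THREAD summary found in pasted !thread output."""
    threads, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = THREAD_RE.match(line)
        if m:
            state = STATE_RE.search(line)
            cur = {"thread": m.group(1),
                   "pid": int(m.group(2), 16),   # Cid is process.thread, in hex
                   "tid": int(m.group(3), 16),
                   "state": (state.group(1) or state.group(2)) if state else None,
                   "alpc_server": None, "process": None, "image": None}
            threads.append(cur)
        elif cur is not None:
            if (m := ALPC_RE.search(line)):
                cur["alpc_server"] = m.group(1)      # EPROCESS that owns the port
            elif (m := OWNER_RE.search(line)):
                cur["process"], cur["image"] = m.group(1), m.group(2)
    return threads

def alpc_edges(threads):
    """(waiting image, server image) pairs; unresolved servers keep their EPROCESS."""
    images = {t["process"]: t["image"] for t in threads if t["process"]}
    return [(t["image"], images.get(t["alpc_server"], "EPROCESS " + t["alpc_server"]))
            for t in threads if t["alpc_server"]]

if __name__ == "__main__":
    for waiter, server in alpc_edges(parse_threads(SAMPLE)):
        print(f"{waiter} is waiting on an ALPC reply from {server}")
```
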
  6. No, CSV doesn't save a lot of info (just what you can see in the UI). I want access to things like the stack, command lines, loaded modules, etc - those are only saved in the PML format. You might just have to re-run the test and re-save the file is all.
  7. Complete dump requires the max number for paging file size to be at least RAM+~48MB, and stored on the Windows volume. If you don't have enough paging file set it will complain to you like this. This is the main reason I recommend in my guides to set min and max to RAM+64MB at least, for this particular reason.
  8. If you can, save out (and compress) the pml file and upload it somewhere we can get to.
  9. No, what you uploaded was the output of !analyze -v basically, along with module information. Also, it's a minidump, so there's no way we're going to be able to tell you anything more than yes, csrss.exe crashed due to a page fault, causing the F4 bugcheck. At this point, if it's something that keeps happening, you might want to consider getting a full memory dump instead of a minidump. Once you get the next crash (and full memory.dmp), upload the actual .dmp file (zipped) next time somewhere we can get to it, and there's likely to be good data in there we can then pick out.
  10. You probably also want to get the setup*.* log files from %windir%\inf as well.
  11. Can you get a process monitor log of it occurring? It sounds like the CLSIDs that normally point to IE for html document handling have been changed, but there are a ton of them - figuring out which is usually easier just by looking at a procmon and watching the registry activity as you click a link.
  12. Until your script crashes because you've got GC running at the same time you go to use a variable. If it's going to be solely enclosed within a sub or function, set it to nothing when you're done to force GC to clean it up (and only DIM or var it within the sub as well). If you're using it inside and out, don't clean it up (rule of thumb). Might be worth putting a lot of these into a helper class though, if you use certain functions a lot. Creating and destroying objects are intensive (relatively speaking) operations that would probably be best handled in the creation of a class at script start, rather than doing it JIT.
  13. Probably because only keyboard or mouse input resets the timer by default - if you want an app that can do this, you'll have to upgrade to at least WMP 11 on XP, or Vista, and uncheck the "Allow screen saver during playback" option. If you're using a different app to play video, that app will have to have a way (usually via using SetThreadExecutionState to reset the timer and handling the SC_SCREENSAVE WM_SYSCOMMAND message to stop the screensaver itself) to reset the timer in its options, or you're out of luck.
  14. Lenovo and Dell have been fine, but with anything, avoid the bottom-feeder models.
  15. That's what the default keys are for.
  16. Seems like it was hosted on a shared server by a reseller (asmallorange.com, 64.22.96.64), so Trip's probably right. Didn't pay the bills (a little odd the reseller's in UK, but the server's in the US in Atlanta GA, but not totally odd - just a little).
  17. You can also set your shell to something other than explorer.exe, but get similar behavior - it's runonce.exe /alternateshellstartup. If you run that, group policies and run/runonce are parsed, which covers most of the bases. Have that run as a part of a logon script, and you should be OK if you change your shell. You still won't get any functionality from anything that relies on explorer.exe or its helper DLLs loaded, but it will at least run group policy, start apps, etc, that would normally be done by explorer.exe.
  18. I've never tried Moxi, but I know of two people who have. Neither liked it after using it for a while after using MCE (neither was a TiVo user previously), and I did find a few reviews (like this one on Engadget) that matched up pretty well to their concerns. Ultimately, the complaints were not about technical things (it did what it did well, as far as being a DVR) but UI things and inconsistencies - apparently even after a few months for one of the guys it was still hard to navigate and use easily. As to #3, I have no idea.
  19. Given this user was last active in January of 2008 and this is a one-post thread from 2007, don't expect a prompt reply.
  20. You only need loopback if you're applying user settings in a GPO that needs to apply to a user, or vice-versa. Nothing you've said (so far) leads me to believe you're trying to do this, so let's get into specifics. What specific settings are you applying, and from what GPOs? Also, if you're having specific issues (and you seem to know what they are, so you've already won half the battle) it's best to move those into their own GPO and start doing some userenv logging. You do want to be a little more specific though - does the GPO simply launch a logon script that is doing the mapping, or are you using preference policies from a 2008/R2 domain controller to the clients to map the drives? I'm guessing from where you posted that it's the latter, but we need to be clear here.
  21. Create the following registry key and value pair:

      Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
      Value: TaskbarNoThumbnail
      Type: REG_DWORD
      Data: 1

      If the Explorer key (or the Policies key itself) doesn't exist, you'll have to create it/them.
  22. You could also easily achieve the same as the reg file from a simple command:

      reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

      However, if you're seeing UAC prompts, what exactly is ActiveSetup trying to change? A user-specific setting in their own profile's registry shouldn't cause a UAC prompt, nor should file and folder changes to most of their user profile. Is your ActiveSetup command or commands attempting to make changes outside the user's profile?
  23. If they're selling routers, it's highly unlikely the modem is a router. The fact it only has one ethernet port is another clue - even today's cheap wired routers usually have more than one internal (LAN) port, to hook up multiple wired PCs internally. I'd guess you need an actual consumer-grade router to connect to the DSL modem's ethernet port, and then you'd connect your PCs to the router's LAN ports.
  24. Because that's what the authors wanted. I think this was the biggest request other than bug fixes, and it was always shot down. Yes, it probably cost them money, but it was what the authors wanted, and that's all that mattered.