DigitalNomad Posted November 19, 2009

Hi All,

Hoping someone can shed some light on this as I've been battling with it for a week now and run out of things to try from the usual avenues of google etc.

I have a machine that after logging onto a domain, services.exe consumes 99% of the cpu. Now this only happens when network is connected. If I remove the network cable it doesn't occur.

UPDATE: I've just noticed that even if left at the login screen without logging in it happens. It seems if the network cable is plugged in it will happen logged on to the domain or not.

I can't see anything suspicious in the HiJack this log and I've run various virus scanners and spyware scanners with no results, so I'm not thinking it is a virus but maybe a conflict somewhere. Now it's a co-worker's machine so I don't know if they installed something and it happened or it just started happening. They seem to think it just started happening.

After fiddling with various things I thought I had it licked, however after leaving the machine sitting idle for 15 minutes I went back to it and it's back again.

In process explorer when I bring up the properties for services.exe and view the threads, one with the start address of "kernal32.dllCreatethread+0x22" is the thread hogging all the CPU. Now if I click on the suspend button the cpu usage returns to normal but hogs the CPU again if I resume it. Obviously if I kill the thread the problem goes away.

Here is the thread stack:

ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d
ntkrnlpa.exe!PsLookupThreadByThreadId+0x4abc
ntkrnlpa.exe!KiDeliverApc+0xb3
ntkrnlpa.exe!ZwYieldExecution+0x196c
ntkrnlpa.exe!ZwYieldExecution+0x1900
hal.dll!HalClearSoftwareInterrupt+0x34a
hal.dll!HalRequestSoftwareInterrupt+0x30
ntkrnlpa.exe!NtDuplicateObject+0x101d
ntkrnlpa.exe!ObOpenObjectByName+0xeb
ntkrnlpa.exe!LsaDeregisterLogonProcess+0xc811
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
ntdll.dll!KiFastSystemCallRet
ADVAPI32.dll!RegDeleteKeyW+0x64
umpnpmgr.dll+0x19b58
umpnpmgr.dll+0x19b41
umpnpmgr.dll+0x19e93
umpnpmgr.dll!ServiceEntry+0x5908
umpnpmgr.dll!ServiceEntry+0x640f
RPCRT4.dll!CheckVerificationTrailer+0x70
RPCRT4.dll!NdrStubCall2+0x215
RPCRT4.dll!NdrServerCall2+0x19
RPCRT4.dll!NdrGetTypeFlags+0x1c9
RPCRT4.dll!NdrGetTypeFlags+0x12e
RPCRT4.dll!NdrGetTypeFlags+0x5a
RPCRT4.dll!NdrConformantArrayFree+0x42e
RPCRT4.dll!NdrConformantArrayFree+0x28b
RPCRT4.dll!I_RpcBCacheFree+0x14c
RPCRT4.dll!I_RpcBCacheFree+0x5e3
RPCRT4.dll!I_RpcBCacheFree+0x405
RPCRT4.dll!I_RpcBCacheFree+0x5cb
kernel32.dll!GetModuleFileNameA+0x1ba

If anyone can provide any info it would be greatly appreciated.

Cheers
DN

cluberti Posted November 19, 2009

It looks like a device is causing either an insert or remove event, spinning up an interrupt that isn't being handled properly. Do you have the process monitor .pml file to share?

DigitalNomad Posted November 19, 2009

I've tracked it to a file ccmsetup.exe, which I believe is Client Configuration Manager. Every time this file is it causes the cpu usage issue. Have tried uninstalling to no avail. As a test I deleted this file which worked for a while then somehow it was back. You'll notice in the log that msiexec.exe is called which I think is re-installing ccmsetup.exe.

Don't know if that helps.

I have the pml file but it's 253MB. Any idea how I shrink it?

Thanks for your time

submix8c Posted November 19, 2009

ccmsetup info - http://technet.microsoft.com/en-us/library...2(printer).aspx

just so you know how it works...

MagicAndre1981 Posted November 19, 2009

@DigitalNomad

try to compress it with 7zip as a 7z archive with Ultra compression.

DigitalNomad Posted November 19, 2009

Thanks for the replies guys.

Magic:
I did try that, but the file was still way too large. I'm surprised that it is so big for about a minute's worth of gathering data. I can save it as a csv though I don't know what the readability of it will be?

Submix8c:
Thanks for the link. I had already looked at that. Like I mentioned I've been scouring the net for answers for the past week or so. All our machines run the configuration manager but none of the others behave like this, nor do they have ccmsetup.exe actually running continually like this machine.

Edited November 19, 2009 by DigitalNomad

MagicAndre1981 Posted November 19, 2009

compress it and upload it to a 1Clickhoster like RS, megashare or zippyshare and post the link here or send it in a PM to cluberti.

cluberti Posted November 20, 2009

PM sent with upload location.

DigitalNomad Posted November 20, 2009

PM sent with upload location.

Thanks cluberti,

Tried to login but get login error: "530 login failed"

Thanks

UPDATE: I have uploaded it here for you.
http://www22.zippyshare.com/v/99392379/file.html

Thanks again

Edited November 20, 2009 by DigitalNomad

cluberti Posted November 20, 2009

It seems services.exe is failing to delete or read the following registry key, over, and over, and over,.... you get the picture:

Date & Time: 11/19/2009 12:14:57 PM
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000\LogConf
TID: 348
Duration: 0.0000229
Desired Access: Delete

Date & Time: 11/19/2009 12:14:57 PM
Event Class: Registry
Operation: RegDeleteKey
Result: CANNOT DELETE
Path: HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000
TID: 348
Duration: 0.0000056

Seems like you might want to look at the permissions of the registry keys under \*SMS_MOUSE\ on that machine, as there are literally thousands of these events and this is the only place where the process gets "stuck". Given that the stack is similar to the one you posted above, this is the likely culprit.

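An added example, not part of any post in this thread: one way to find a retry loop like the one described above in a Process Monitor CSV export is to count failed operations per process, operation, result and path. The column names assume Procmon's default CSV layout, and the sample rows (including the PID and the "Example" paths) are constructed for illustration.

```python
import csv
import io
import sys
from collections import Counter

# Results that are routine in a Process Monitor trace and not worth counting.
BENIGN = {"SUCCESS", "NAME NOT FOUND", "NO MORE ENTRIES", "BUFFER OVERFLOW", "REPARSE"}

def failing_hotspots(csv_file, min_count=100, benign=BENIGN):
    """Count failed operations per (process, operation, result, path).

    Returns (count, process, operation, result, path) tuples, most frequent
    first, for every combination seen at least min_count times.
    """
    counts = Counter()
    for row in csv.DictReader(csv_file):
        result = (row.get("Result") or "").strip().upper()
        if not result or result in benign:
            continue
        counts[(row["Process Name"], row["Operation"], result, row["Path"])] += 1
    return [(n, *key) for key, n in counts.most_common() if n >= min_count]

# Constructed sample modelled on the two events quoted in the post above;
# it is not the poster's capture. The failing pair is repeated 500 times.
HEADER = '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
LOOP = (
    r'"12:14:57 PM","services.exe","700","RegOpenKey","HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000\LogConf","ACCESS DENIED","Desired Access: Delete"' "\n"
    r'"12:14:57 PM","services.exe","700","RegDeleteKey","HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000","CANNOT DELETE",""' "\n"
)
NOISE = (
    r'"12:14:57 PM","services.exe","700","RegQueryValue","HKLM\System\CurrentControlSet\Services\Example\Start","SUCCESS","Type: REG_DWORD"' "\n"
    r'"12:14:58 PM","svchost.exe","1100","RegOpenKey","HKLM\Software\Example","NAME NOT FOUND","Desired Access: Read"' "\n"
)
SAMPLE_CSV = HEADER + LOOP * 500 + NOISE

if __name__ == "__main__":
    # utf-8-sig tolerates a byte-order mark if the export starts with one.
    if len(sys.argv) > 1:
        source = open(sys.argv[1], newline="", encoding="utf-8-sig")
    else:
        source = io.StringIO(SAMPLE_CSV)
    with source:
        for n, proc, op, result, path in failing_hotspots(source):
            print(f"{n:>7}  {proc}  {op}  {result}  {path}")
```

Run with a CSV path as the only argument to analyse a real export; with no argument it reports on the constructed sample.
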
DigitalNomad Posted November 27, 2009

Thanks for that cluberti. Really appreciate you taking the time to help out. I'll look into that. I believe that SMS mouse has something to do with the remote mouse function but I'll dig a little further and see what I can find.

Thanks to others that have also taken the time to post.