MagicAndre1981 Posted July 29, 2011 (edited)

Hi Dave,

I got the trace and I can see that the winlogon.exe causes a high CPU usage for a long time. I see that the function HvpFindFreeCellInThisViewWindow is the cause. Before that starts, a Symantec driver (Norton Unerase Protection) is loaded. Stop the tool and try again. Also check if it happens if you disable your Trend Micro (maybe a virus update definition from July 17th causes the issue). If this doesn't work, stop the Windows Search service and check if it solves it. Maybe the index is corrupt, so try to reindex.

Also what is this Rapport Management Service?

André

Edited July 29, 2011 by MagicAndre1981
Dave-H (Author) Posted July 29, 2011 (edited)

Thanks, very interesting.

I disabled the Norton Unerase Protection service, which didn't seem to change the shutdown problem, but I've run another trace without it enabled. It should be here. Has this changed things much, if at all?

Rapport is an on-line banking login security program, from a company called Trusteer. It's been on my system for some time, and never caused any problems as far as I know. It is another program that auto updates itself though.

Edited July 29, 2011 by Dave-H
MagicAndre1981 Posted July 29, 2011

It didn't change anything. Stop the search service and the other tools and look if it is fixed.
MagicAndre1981 Posted July 29, 2011 (edited)

1 thing. The thread which causes the high CPU usage is __report_gsfailure. This looks like NX Bit, buffer overflow issues.

Try to eliminate all 3rd party applications.

Edited July 31, 2011 by MagicAndre1981
Dave-H (Author) Posted July 29, 2011

OK, there's another trace here. This is with Norton Unerase Protection disabled, Trend Internet Security disabled, and the Windows Search Service and Indexing Service disabled. The file seems to be a lot smaller! The shutdown is still slow.

Thanks for sticking with this, I wish I could look at these traces myself!

Cheers, Dave.
MagicAndre1981 Posted July 29, 2011

It is still the same __report_gsfailure issue. Stop all 3rd party software and try again.
Dave-H (Author) Posted July 29, 2011

OK, all third party processes killed in Task Manager. Another trace here. Even killed Explorer before running the trace. Shutdown still slow...
MagicAndre1981 Posted July 29, 2011

Try to generate a memory dump of the entire system when it hangs at shutdown. Compress it with 7zip (7z file with ULTRA compression). Maybe we can see what causes this __report_gsfailure issue.
Dave-H (Author) Posted July 29, 2011

OK, the complete memory dump is here. I generated it as soon as the system was told to shutdown, as I didn't think it would work if I left it any later. It's pretty big, even zipped up! I hope it gives someone a clue as to what's happening here.

Thanks, Dave.
MagicAndre1981 Posted July 29, 2011

I can't see anything from it. Was it taken at the point you see the hang? Wait for what cluberti writes. In the meantime use msconfig (clean boot) to stop loading all 3rd party tools (killing the processes still leaves the loaded drivers on the system) and see if this helps, because you use really old drivers:

BANTExt.sys Thu May 28 04:43:29 1998

Sorry that I can't help more :'(
Dave-H (Author) Posted July 30, 2011

> I can't see anything from it. Was it taken at the point you see the hang? Wait for what cluberti writes. In the meantime use msconfig (clean boot) to stop loading all 3rd party tools (killing the processes still leaves the loaded drivers on the system) and see if this helps, because you use really old drivers:
>
> BANTExt.sys Thu May 28 04:43:29 1998
>
> Sorry that I can't help more :'(

Thanks Andre, I really appreciate everything you've done so far!

There is another memory dump here. This one was taken after using msconfig to run the system with a minimum of programs and services running. The dump was initiated later than the first one too, while the system was hung on "saving your settings". I hope it may be more useful.

Off to bed now (1.30 am here in England!) Thanks everyone who has helped with this so far. I've never had a problem with my system yet that hasn't been solved with the help of MSFN, and I'm sure that this won't be the first to not be solved!

Thanks guys and good night!

Cheers, Dave.
MagicAndre1981 Posted July 30, 2011

STACK_TEXT:
    a6dee9a8 b9b887fb 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1b
    a6dee9c4 b9b88033 00867600 018692c6 00000000 i8042prt!I8xProcessCrashDump+0x237
    a6deea0c 804db90f 8a70f638 8a867548 03010009 i8042prt!I8042KeyboardInterruptService+0x21c
    a6deea0c 80598d5a 8a70f638 8a867548 03010009 nt!KiInterruptDispatch+0x45
    a6deead4 80598cdf e3328b60 0000000d 00000040 nt!HvpScanForFreeCellInViewWindow+0x57
    a6deeb00 80598c9e e3328b60 00000004 00000040 nt!HvpFindFreeCellInThisViewWindow+0xf2
    a6deeb28 805986d0 e3328b60 00000007 00000040 nt!HvpFindFreeCell+0x98
    a6deeb50 80598818 e3328b60 00000040 00000000 nt!HvpDoAllocateCell+0x40
    a6deeb78 80598adc 00000034 00856d30 e3a55d34 nt!HvReallocateCell+0xb2
    a6deeb98 805becf5 e3328b60 00856d68 0000000d nt!CmpAddValueToList+0x59
    a6deebe4 805bed6d e2c8f008 00815bd0 00856a98 nt!CmpCopyKeyPartial+0x1a8
    a6deec24 805be855 e1135000 00000400 00000006 nt!CmpCopySyncTree2+0x25a
    a6deec54 8065e3bd e2c8f008 00000020 e3328b60 nt!CmpCopySyncTree+0x4f
    a6deec88 80656f0d 00000020 80000798 00000003 nt!CmSaveKey+0xde
    a6deecb0 804dd99f e2934370 80000798 a6deed54 nt!NtSaveKey+0xcf
    a6deecb0 804e42df e2934370 80000798 a6deed54 nt!KiFastCallEntry+0xfc
    a6deed30 80656ec2 800006e4 80000798 a6deed64 nt!ZwSaveKey+0x11
    a6deed54 804dd99f 00000090 00000780 0006f8ac nt!NtSaveKey+0x84
    a6deed54 7c90e514 00000090 00000780 0006f8ac nt!KiFastCallEntry+0xfc
    0006f858 7c90db5a 77e3c728 00000090 00000780 ntdll!KiFastSystemCallRet
    0006f85c 77e3c728 00000090 00000780 0115e1d0 ntdll!ZwSaveKey+0xc
    0006f8ac 77e35f0c 00000090 00000780 00082950 ADVAPI32!LocalBaseRegSaveKey+0x169
    0006f8ec 76a1aac8 00000090 0114d008 00000000 ADVAPI32!RegSaveKeyW+0x88
    0006fb3c 76a1b5f8 01153240 0115e1d0 00000000 USERENV!CUserProfile::HandleRegKeyLeak+0x1e1
    0006fbd4 76a1d9f4 00000000 000002d4 00000001 USERENV!CUserProfile::UnloadUserProfileP+0x47b
    0006fc4c 0102e5e0 000002d4 00000780 00000000 USERENV!UnloadUserProfile+0xcd
    0006fc80 0102005d 0007a5e0 00000002 000790d8 winlogon!SaveUserProfile+0xb1
    0006fcd4 01038bc2 000790d8 0000000b 000790d8 winlogon!Logoff+0x2dc
    0006fcfc 01031c7e 000790d8 7c80b741 00000000 winlogon!MainLoop+0x48a
    0006ff50 0103e75e 01000000 00000000 00072364 winlogon!WinMain+0x60b
    0006fff4 00000000 7ffd8000 000000c8 0000017d winlogon!WinMainCRTStartup+0x174

Windows hangs while saving registry keys. Now I don't have the knowledge to see which key.

But you can run a new xbootmgr trace and add +REGISTRY after POWER to trace registry access. But I don't know if this works for XP.
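An added example, not part of the original posts: a small triage script for a kd STACK_TEXT like the one in the post above. It discards the frames that belong to the keyboard-triggered crash dump (bugcheck 0xE2 raised from i8042prt), reports the function that was interrupted, rebuilds the user-mode call chain, and lists any module outside an expected set. The sample is an excerpt of the posted frames; the EXPECTED module set and the 0x80000000 user/kernel boundary are assumptions for a default 32-bit XP system.

```python
import re

# Excerpt of the STACK_TEXT posted in the thread (some frames omitted).
STACK_TEXT = """\
a6dee9a8 b9b887fb 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1b
a6dee9c4 b9b88033 00867600 018692c6 00000000 i8042prt!I8xProcessCrashDump+0x237
a6deea0c 804db90f 8a70f638 8a867548 03010009 i8042prt!I8042KeyboardInterruptService+0x21c
a6deea0c 80598d5a 8a70f638 8a867548 03010009 nt!KiInterruptDispatch+0x45
a6deead4 80598cdf e3328b60 0000000d 00000040 nt!HvpScanForFreeCellInViewWindow+0x57
a6deeb00 80598c9e e3328b60 00000004 00000040 nt!HvpFindFreeCellInThisViewWindow+0xf2
a6deec88 80656f0d 00000020 80000798 00000003 nt!CmSaveKey+0xde
a6deed54 7c90e514 00000090 00000780 0006f8ac nt!KiFastCallEntry+0xfc
0006f85c 77e3c728 00000090 00000780 0115e1d0 ntdll!ZwSaveKey+0xc
0006f8ec 76a1aac8 00000090 0114d008 00000000 ADVAPI32!RegSaveKeyW+0x88
0006fb3c 76a1b5f8 01153240 0115e1d0 00000000 USERENV!CUserProfile::HandleRegKeyLeak+0x1e1
0006fc80 0102005d 0007a5e0 00000002 000790d8 winlogon!SaveUserProfile+0xb1
"""

# ChildEBP RetAddr Arg1 Arg2 Arg3 module!symbol[+0xoffset]
FRAME = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}"
                   r"(\w+)!([\w:]+)(?:\+0x([0-9a-f]+))?$")
# Assumption: modules expected on this winlogon logoff path; others are flagged.
EXPECTED = {"nt", "hal", "ntdll", "kernel32", "advapi32", "userenv", "winlogon"}
KERNEL_BASE = 0x80000000  # assumption: default 2 GB user / 2 GB kernel split

def parse(text):
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            ebp, _ret, mod, sym, _off = m.groups()
            frames.append({"ebp": int(ebp, 16), "module": mod, "symbol": sym})
    return frames

def triage(frames):
    # Frames up to and including KiInterruptDispatch are the manual crash-dump
    # path; the first frame after it is what the CPU was executing.
    idx = next((i for i, f in enumerate(frames)
                if f["symbol"] == "KiInterruptDispatch"), -1)
    work = frames[idx + 1:]
    user = [f for f in work if f["ebp"] < KERNEL_BASE]
    name = lambda f: f"{f['module']}!{f['symbol']}"
    return {"interrupted": name(work[0]),
            "user_call_chain": [name(f) for f in reversed(user)],
            "unexpected_modules": sorted({f["module"] for f in work
                                          if f["module"].lower() not in EXPECTED})}

if __name__ == "__main__":
    print(triage(parse(STACK_TEXT)))
```

An empty `unexpected_modules` list means no third-party code is on the hanging thread's stack, so the time is being spent in the kernel's own registry hive allocator on behalf of the profile unload.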
Dave-H (Author) Posted July 30, 2011

Hi Andre!

I've uploaded another trace here. This one has the REGISTRY parameter added. It seemed to work OK. It was taken on a normal shutdown, with everything running that's normally running on boot. I can do another one from a minimal startup if that will make things clearer.

Thanks for sticking with this!

Cheers, Dave.
Geej Posted July 31, 2011

Based on the winlogon image in #19 by MagicAndre1981, you can get a list of dlls opened by msgina.dll using ListDLLs v3.1. Then generate a list of dlls to investigate. Basically, dlls that are non-MS are highly suspicious.

    @echo off
    rem Processes that have msgina.dll loaded
    Listdlls -d msgina.dll>Mylist.txt
    rem DLLs loaded by winlogon.exe and explorer.exe, appended to the same file
    Listdlls winlogon.exe>>Mylist.txt
    Listdlls explorer.exe>>Mylist.txt
    Start "view now" Mylist.txt

Also look into services.msc to disable 3rd party applications. (Launch by Start -> Run -> services.msc)

That's all I can think of right now...
MagicAndre1981 Posted July 31, 2011

> This one has the REGISTRY parameter added. It seemed to work OK. It was taken on a normal shutdown, with everything running that's normally running on boot. I can do another one from a minimal startup if that will make things clearer.
>
> Thanks for sticking with this!
>
> Cheers, Dave.

The trace shows that one of the latest SetValue calls is this:

\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1343024091-1757981266-1417001333-500

My last idea is to create a new user profile and, if it works there, run the Windows Easy Transfer program to migrate the user data and settings to the new account.