Windows freezes for 1 second every 6 seconds

[comomolo]

With a cronograph in hand I've been checking this behavoir and its consistent. Every 6 seconds Windows freezes for some 1-2 seconds. This makes using the computer a nightmare.

It started to happen last week. I inspected the system thoroughly, uninstalled non-essential apps, cleaned up the registry and nothing would stop this behaviour. My Windows installation was almost a year old so I decided to go for a fresh install. For a couple of days everything went fine, but today it's happening again. It sounds like something is coming from the internet, but every virus scan I run (Avast installed but also online scanners from Trend Micro and McAfee) says my system is clean.

Launching the Process Explorer I can see the services.exe is up high during the freezing, although it takes barely a 20% of the CPU during those peaks. It seems services.exe is a system process and unless it has been overwritten by mailcious software I don't understand why would it behave like this. In case it is infected, shouldn't the antivirus detect it?

I'm kind of deseperate. I use this computer for work and it's almost impossible to work like this.

Any help would be very appreciated.

CM

[cluberti]

If you're getting these "pauses" every 6 seconds for 1 second, if you pull the NIC cable, does the issue recur? If so, I'd suggest the following:

1. Create or set the following registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters

Value: CrashOnCtrlScroll

Type: REG_DWORD

Data: 1

2. Right-Click on the "My Computer" icon on the desktop and select "Properties"; this will open the "System Properties" window. Go to the "Advanced" tab and click "Performance Options". Click "Change" under "Virtual Memory". Set the pagefile to be located on the partition where the OS is installed, and set it to be equal to Physical RAM + 50 MB.

3. Also in the "System Properties" window, click on the "Advanced" tab, then click "Startup and Recovery". Make sure "Complete Memory Dump" is selected (see 3a if this is not in the list). You can change the location of the memory dump file to a different local partition if you do not have enough room on the partition where the OS is installed.

3a. If the "Complete Memory Dump" option in step 3 is not available, you will need to manually set this registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl

Value: CrashDumpEnabled

Type: REG_DWORD

Value: 1

4. You will need to reboot for these changes to take effect.

Once you reboot, time your pauses again and make sure it's every 6 seconds, and lasting for 1 second (or more). When this occurs, hold down the RIGHT hand CTRL key and press SCROLL LOCK twice (again, making sure to do this during the hang - you'll have to get it just right). This will cause the box to bugcheck, and create a memory.dmp file of the issue occuring. You can then open this in windbg to analyze, or upload it for one of us to take a look at.

[comomolo]

Thanks cluberti for your reply and help.

First of all, I must say I'm not a native English speaker. If by "recur" you mean "it keeps happening", then yes, when I unplug the NIC cable it keeps happening exactly the same.

I've gone through the procedure. I hope I did it right. In order to free my hands to provoke the memory dump, I played a song in Windows Media Player with visualizations on. The graphics keep freezing every 6 seconds, but I've seen that they make two "hicks", instead of just one pause. These two hicks are still around 1 sec long (in all).

I've downloaded the Windows Debugging Tools and opened the MEMORY.DMP file in WinDbg, but it seems I also need the symbols for it to say something meaningful, right? I'm downloading those symbols right now (it's a 195MB download, so it'll take a while here).

I understand you want me to upload the text file created by WinDbp, not the 1GB+ MEMORY.DMP file, right?

One more question: if this problem is hidden inside a service (a wild guess, since services.exe seems to be causing the pauses), would it help to run anti-spyware programs such as Ad-Aware in safe mode?

Sorry for these many questions. I'm new to this debugging process.

Thanks again.

CM

Edited November 22, 2006 by comomolo

[jcarle]

You should also check to make sure that you have DMA enabled on all your IDE channels by going into Device Manager and insuring that all IDE Channels are set to "DMA if available".

[comomolo]

The two IDE channels have DMA enabled, although only a DVD drive is attached there. The three hard disks in the system are SATA and are running well. Please keep in mind this is something that has suddenly started to happen. I've been using this computer for more than one year with no issues. The Windows install is fresh and it worked fine for a couple of days before this behaviour appeared.

I'm uploading both the text file in WinDbg and a capture of the Process Explorer graphs. Can you see the peaks in the graph? That' the services.exe every 6 seconds. (Learning from the graph I can see the 6 seconds interval gets longer every now and then, but most of the time it's a steady beat).

Right after Windows installation, the system used to idle between 0% and 2%. Now it never goes below 3% (I can't see 0% anymore, not even once in a while).

Here's what I see inside the WinDbg windows:

Microsoft (R) Windows Debugger  Version 6.6.0007.5
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Complete Dump File: Full address space is available

Symbol search path is: SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp2_gdr.050301-1519
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0
Debug session time: Wed Nov 22 21:34:43.562 2006 (GMT+1)
System Uptime: 0 days 0:54:37.132
Loading Kernel Symbols
....................................................................................................
.............................
Loading User Symbols

Loading unloaded module list
..................................................
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck E2, {0, 0, 0, 0}

Probably caused by : i8042prt.sys ( i8042prt!I8xProcessCrashDump+237 )

Followup: MachineOwner
---------

kd> !analyze -v
*******************************************************************************
*																			 *
*						Bugcheck Analysis									*
*																			 *
*******************************************************************************

MANUALLY_INITIATED_CRASH (e2)
The user manually initiated this crash dump.
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------


BUGCHECK_STR:  MANUALLY_INITIATED_CRASH

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  Idle

LAST_CONTROL_TRANSFER:  from f754e7fa to 804f8925

STACK_TEXT:  
80548d38 f754e7fa 000000e2 00000000 00000000 nt!KeBugCheckEx+0x1b
80548d54 f754e032 00c0f0d8 0190e0c6 00000000 i8042prt!I8xProcessCrashDump+0x237
80548d9c 8054071d 85904b20 85c0f020 00010009 i8042prt!I8042KeyboardInterruptService+0x21c
80548d9c f758dc46 85904b20 85c0f020 00010009 nt!KiInterruptDispatch+0x3d
80548e50 80540cc0 00000000 0000000e 00000000 processr!AcpiC1Idle+0x12
80548e54 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0x10


STACK_COMMAND:  kb

FOLLOWUP_IP: 
i8042prt!I8xProcessCrashDump+237
f754e7fa 5d			  pop	 ebp

SYMBOL_STACK_INDEX:  1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: i8042prt

IMAGE_NAME:  i8042prt.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  41107ecc

SYMBOL_NAME:  i8042prt!I8xProcessCrashDump+237

FAILURE_BUCKET_ID:  MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+237

BUCKET_ID:  MANUALLY_INITIATED_CRASH_i8042prt!I8xProcessCrashDump+237

Followup: MachineOwner
---------

CM

[cluberti]

No, I actually need the dump file (memory.dmp) to see what the processors were doing at the time, and what processes were running, how the I/O subsystem was behaving, etc. I know it was a manually initiated crash .

[comomolo]

Yeah, it didn't look very informative to me either... :-) The MEMORY.DMP file is about 1 gigabyte big...

I'll try do upload it again. It failed for the second time.

Edited November 23, 2006 by comomolo

[jcarle]

Yeah, it didn't look very informative to me either... :-) The MEMORY.DMP file is about 1 gigabyte big...

I'll try do upload it again. It failed for the second time.

Compress it using WinRAR. My 2GB MEMORY.DMP became 85MBs.

[comomolo]

I have finally uploaded my MEMORY.DMP file to this URL:

http://www.loquecreas.com/msfn/MEMORY.rar

It's about 480MB.

Please let me know when I can delete it from there, since that web space is not mine.

Thanks again for any help.

CM

[KinetiK]

are you using any Firewall, i have the same problem with MSN Messenger 7.0 and above in Windows 2000, the problem was Sygate.

[cluberti]

Here's the actual thread that's causing the pauses:

THREAD 85db0020  Cid 0004.0028  Teb: 00000000 Win32Thread: 00000000 WAIT: (WrUserRequest) KernelMode Non-Alertable
	85af9678  SynchronizationEvent
Not impersonating
DeviceMap				 e1001050
Owning Process			85555640	   Image:		 csrss.exe
Wait Start TickCount	  209706		 Ticks: 30 (0:00:00:00.468)
Context Switch Count	  186897			 
UserTime				  00:00:00.0000
KernelTime				00:00:13.0359
Start Address nt!ExpWorkerThread (0x80533cd0)
Stack Init f78d0000 Current f78cfb88 Base f78d0000 Limit f78cd000 Call 0
Priority 12 BasePriority 12 PriorityDecrement 0 DecrementCount 16
ChildEBP RetAddr  Args to Child			  
f78cfba0 8050017a 85db0090 85db0020 804f99be nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
f78cfbac 804f99be bf9995c0 e1ee6008 00000000 nt!KiSwapThread+0x46 (FPO: [0,0,0])
f78cfbd4 bf88904c 00000000 0000000d 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
f78cfbfc bf92f0ce e1ee6008 00000108 00000001 win32k!RequestDeviceChange+0x77 (FPO: [Non-Fpo])
f78cfc18 8057dbe7 f78cfc90 e1ee6008 804f99be win32k!DeviceNotify+0x9f (FPO: [Non-Fpo])
f78cfc40 8057e144 bf92f02f f78cfc90 e1ee6008 nt!PiNotifyDriverCallback+0x4f (FPO: [Non-Fpo])
f78cfcac 8058e5dd 804d8314 8476d030 00000000 nt!IopNotifyTargetDeviceChange+0xfe (FPO: [Non-Fpo])
f78cfd34 8058e92e f78cfd70 806d0778 e18ae008 nt!PiProcessQueryRemoveAndEject+0x6dd (FPO: [Non-Fpo])
f78cfd50 8058ea87 f78cfd70 85b314a8 8055a1fc nt!PiProcessTargetDeviceEvent+0x2a (FPO: [Non-Fpo])
f78cfd74 80533dd0 85b314a8 00000000 85db0020 nt!PiWalkDeviceList+0xfd (FPO: [Non-Fpo])
f78cfdac 805c4a06 85b314a8 00000000 00000000 nt!ExpWorkerThread+0x100 (FPO: [Non-Fpo])
f78cfddc 80540fa2 80533cd0 00000001 00000000 nt!PspSystemThreadStartup+0x34 (FPO: [Non-Fpo])
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16

And here's the thread that I see that looks to be the culprit - the device that we're sending the DeviceChange request to:

THREAD 859f3cd8  Cid 021c.0240  Teb: 7ffd8000 Win32Thread: e2a52258 WAIT: (DelayExecution) KernelMode Non-Alertable
			859f3dc8  NotificationTimer
		IRP List:
			848c5008: (0006,0220) Flags: 00000404  Mdl: 00000000
			846e4e28: (0006,01d8) Flags: 00000970  Mdl: 00000000
			8591d6b8: (0006,0190) Flags: 00000970  Mdl: 00000000
		Not impersonating
		DeviceMap				 e1001050
		Owning Process			85555640	   Image:		 csrss.exe
		Wait Start TickCount	  209707		 Ticks: 29 (0:00:00:00.453)
		Context Switch Count	  712636				 LargeStack
		UserTime				  00:00:00.0000
		KernelTime				00:00:00.0640
		Start Address winsrv!StartCreateSystemThreads (0x75b17cd7)
		Stack Init b0007000 Current b00067f4 Base b0007000 Limit b0004000 Call 0
		Priority 15 BasePriority 13 PriorityDecrement 0 DecrementCount 16
*** ERROR: Module load completed but symbols could not be loaded for fwdrv.sys
		ChildEBP RetAddr  
		b000680c 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
		b0006818 804f93fb nt!KiSwapThread+0x46 (FPO: [0,0,0])
		b0006844 b80144df nt!KeDelayExecutionThread+0x1c9 (FPO: [Non-Fpo])
		b000686c 804eddf9 kbdhid!KbdHid_Close+0xc3 (FPO: [Non-Fpo])
		b000687c f778e5f5 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
		b000689c f778c6db kbdclass!KeyboardSendIrpSynchronously+0x59 (FPO: [Non-Fpo])
		b00068cc f778d12e kbdclass!KbdEnableDisablePort+0x61 (FPO: [Non-Fpo])
		b0006900 804eddf9 kbdclass!KeyboardClassClose+0x146 (FPO: [Non-Fpo])
		b0006910 80577c84 nt!IopfCallDriver+0x31 (FPO: [0,0,0])
		b0006948 805af547 nt!IopDeleteFile+0x132 (FPO: [Non-Fpo])
		b0006964 80521e47 nt!ObpRemoveObjectRoutine+0xdf (FPO: [Non-Fpo])
		b0006988 805b0547 nt!ObfDereferenceObject+0x5f (FPO: [Non-Fpo])
		b00069a0 805b05dd nt!ObpCloseHandleTableEntry+0x155 (FPO: [Non-Fpo])
		b00069e8 805b0715 nt!ObpCloseHandle+0x87 (FPO: [Non-Fpo])
		b00069fc b6e4a18c nt!NtClose+0x1d (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
		b0006a08 8053c808 fwdrv+0x2818c
		b0006a08 804fd479 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b0006a14)
		b0006a84 bf92ed8e nt!ZwClose+0x11 (FPO: [1,0,0])
		b0006a9c bf8873ca win32k!CloseDevice+0x37 (FPO: [Non-Fpo])
		b0006ad0 bf88977a win32k!ProcessDeviceChanges+0x114 (FPO: [Non-Fpo])
		b0006d30 bf86d09c win32k!RawInputThread+0x5ce (FPO: [Non-Fpo])
		b0006d40 bf8010ca win32k!xxxCreateSystemThreads+0x60 (FPO: [Non-Fpo])
		b0006d54 8053c808 win32k!NtUserCallOneParam+0x23 (FPO: [Non-Fpo])
		b0006d54 7c91eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b0006d64)
		0073ffe0 75b1ba3d ntdll!KiFastSystemCallRet (FPO: [0,0,0])
		00000000 f000eef3 winsrv!NtUserCallOneParam+0xc
		00000000 00000000 0xf000eef3

Here's the data for fwdrv on your system:

start	end		module name
b6e22000 b6f01000   fwdrv	  (no symbols)		   
	Loaded symbol image file: fwdrv.sys
	Image path: \SystemRoot\system32\drivers\fwdrv.sys
	Image name: fwdrv.sys
	Timestamp:		Thu Jul 06 12:01:48 2006 (44AD33EC)
	CheckSum:		 00047EA0
	ImageSize:		000DF000
	File version:	 4.3.142.0
	Product version:  4.3.142.0
	File flags:	   0 (Mask 3F)
	File OS:		  4 Unknown Win32
	File type:		1.0 App
	File date:		00000000.00000000
	Translations:	 0409.04e4
	CompanyName:	  Sunbelt Software
	ProductName:	  Sunbelt Firewall Engine
	InternalName:	 fwdrv.sys
	OriginalFilename: fwdrv.sys
	ProductVersion:   4.3.142.0
	FileVersion:	  4.3.142.0
	FileDescription:  Sunbelt Kerio Firewall FWDRV
	LegalCopyright:   Copyright © 2002-2005 Sunbelt Software. All rights reserved.
	LegalTrademarks:  SUNBELT SOFTWARE and the "S" logo are registered trademarks of Sunbelt Software. Sunbelt Firewall Engine and SFE are trademarks of Sunbelt Software.

Uninstall that software and reboot, and see if the problem continues.

[comomolo]

I'm sorry I wouldn't know where to start reading. Is the firewall causing this? Is it another process? Turning on and off the firewall doesn't seem to affect the behaviour...

[jcarle]

Uninstall Sunbelt Kerio Firewall. Reboot. See if it stops.

[cluberti]

Thanks jcarle. Actually, I think I still have a memory dump of yours, but I can't remember the post it was from . Or, maybe I'm getting old...

[comomolo]

Done. It doesn't stop. Just out of curiosity, how can I learn to read these debugging files?