Windows 7 freezes shortly after boot, new stuff in WMI

Tags: WMI, freeze, LogFileEventConsumer


#31 Fenichel (Topic Starter)
Disabling the audio drivers caused the time before the freeze to increase to almost a minute, but then it was back to the hardware reset.

    There is a program called procmon that may tell you what is happening but not sure you can get it to work in Safe Mode.

I know about ProcMon, but it doesn't run in Safe Mode.

 

Attached: ProcMon.JPG
#32 Fenichel (Topic Starter)
  I think we're running out of options here, unless you have some other tricks up your sleeve.  I am not looking forward to reloading Windows, but I think I'll have to do that. Just reloading from the DVD doesn't take much time, but there are any number of wanted updates and a small number of distinctly unwanted updates that I'll need to be alert to avoid, and then there'll be a few days of reinstalling all my applications.

I vaguely remember hearing of DVDs that provided Windows 7/64 in a moderately-updated state, speeding up the reloading process by at least a few hours. Are people on this forum familiar with those?



#33 Fenichel (Topic Starter)
I may have made some progress, but I'll need your help to exploit it.

I had only about 13% of space free on my C: drive, so I enlarged it. Perhaps for this reason, when I next tried normal mode it lasted for at least a minute. One of my normal startup tasks copies selected files from AppData to my data volume so that they can be backed up, and that task had time to get started, but it crashed trying to copy that same oversize i2cdev.cpp that I mentioned earlier. After the freeze, I went back to safe mode and deleted the culprit file from its hiding place in AppData.

I don't think it's doing its dirty work from there, but now (if the longer grace period before the freeze is reliable), I'll be able to do the ProcMon thing.



#34 Fenichel (Topic Starter)
I have run ProcMon during a Normal Mode boot. I tried to follow your instructions

    Run Process Monitor by right clicking and Run As Admin.

    As soon as it starts, File, then uncheck Capture Events. Once it stops, under Options, click Enable Boot Logging. Close Process Monitor and reboot.

    Open Process Monitor and it should tell you it has a boot log for you to look at. Tell it you want to see it then:

    File, Save, All Events, then OK. It should save the file to logfile.pml which should be on your desktop.

but I was rushed, because each time, I knew that the freeze was about to cut me off. On reboot, I restarted ProcMon, but I didn't see it telling me that it had a boot log for me. I just did a File/Save, using CSV format (there were 2 other choices). It was huge, as you predicted. I have uploaded the monster to my Web site at

http://www.fenichel.net/geeks/.

If this is not what you wanted, please let me know.



#35 Fenichel (Topic Starter)
Weirder & weirder. I thought I'd try running ProcMon in Normal mode again, to get the output format that you had suggested, if nothing else. The sequence was

  • reboot in Normal mode
  • start ProcMon, uncheck File/Capture, request boot log, leave ProcMon.
  • reboot in Normal mode
  • during reboot, a diagnostic message appeared from AVPUI. I pushed on
  • Windows came up with a totally blank desktop (no task bar, no Start button, no response to Ctrl-Alt-Del), except for a tiny note saying (falsely) that mine was not a legal copy of Windows.
  • The only way out of that was a hardware reset, so here I am again in Safe mode. When I reboot in Normal mode, I get the same blank screen each time, so that the completed ProcMon experiment (whether or not done successfully) will be the only one we'll get.

Edited by Fenichel, 09 April 2017 - 03:48 PM.


#36 RKinner (Malware Expert, MVP)
Can you stop the CrashPlan Service?  I am unable to load the full file but what I can see is mostly Crashplanservice.exe



#37 Fenichel (Topic Starter)
It doesn't run in Safe Mode, and, as I noted in my last message, I'm all Safe Mode all the time now. I will write a little program to filter out all the CrashPlan-related lines.

#38 RKinner (Malware Expert, MVP)
Would rather you stop the program from running.  There are pages of nothing but crashplan.



#39 Fenichel (Topic Starter)
I wrote and ran a program that removed all the CrashPlan lines. The trimmed file is at http://www.fenichel..../Logfile2.CSV.

As of now, as described in message #35, I can't run anything in Normal Mode, so redoing the ProcMon experiment is not feasible.

I could alter the program to do other filtering, if it would help.


Edited by Fenichel, 09 April 2017 - 11:22 PM.


#40 RKinner (Malware Expert, MVP)
I still can't see to the bottom of the file but so far all I see is Crashplan related. Every time it opens a file to copy it Kaspersky has to check to make sure it's OK. Appears that if you could stop Crashplan from loading it might not freeze.

Filter out avp.exe and let's see if I can load it all. My Open Office can only load 265,655 rows.


#41 Fenichel (Topic Starter)
OK, the avp.exe-free version is up here.

Because my MS Office doesn't work in Safe Mode, I've been looking at that file using the ever-handy Programmer's Notepad. It has no problem with big files; it even handled this file in its original 250-MB form.

I have made progress with a parallel attack. I need to do some more experiments, but it may be true that the freeze happens only when Kaspersky runs, perhaps because Kaspersky files have been corrupted. Yesterday I suspended Kaspersky, went into Normal Mode, puttered around for about a minute, then got a popup from Kaspersky urging me to restart the AV protection. I did, then immediately got another popup urging me to update the AV definitions. I clicked to start that process, and the system froze a second or two later. In other words, the freeze

  • might reliably happen a few seconds after Kaspersky starts
  • might happen when, and only when, Kaspersky tries to update its DB of virus definitions, or
  • might have nothing to do with Kaspersky, but instead happens a variable time after booting.

I will do some more experiments today.



#42 RKinner (Malware Expert, MVP)
Did you stop crashplan at the same time?

I've had other people send me boot files and never had problems reading them even in csv format. Yours has so many extra lines due to crashplan, avp.exe and there is also an svchost.exe which opens lines like

HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#VOLUMESNAPSHOT#HARDDISKVOLUMESNAPSHOT1

which I think is part of crashplan's activity because I don't usually see it in a boot. It is no wonder that it appears to hang since the CPU has to do all of this extra work right after boot and doesn't have time for anything else. Stopping just kaspersky will cut the extra load in half but I think crashplan is at the root of your problem.

Crashplan has a service:

S2 CrashPlanService; C:\Program Files\CrashPlan\CrashPlanService.exe [266112 2016-10-17] (Code 42 Software)

a shortcut which appears broken:

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CrashPlanDesktop.lnk [2015-10-30]
ShortcutTarget: CrashPlanDesktop.lnk -> C:\Program Files (x86)\system tools\backup\CrashPlan\CrashPlanDesktop.exe (No File)

and a Startup Entry.

HKLM\...\Run: [CrashPlanTray] => C:\Program Files\CrashPlan\CrashPlanTray.exe [461184 2016-10-17] (Code 42 Software, Inc.)

You can stop the service by searching for services.msc and hitting Enter then find CrashPlan Service. Right click and select Properties then change the Startup Type to Disabled. OK.

The Shortcut can be removed by moving CrashPlanDesktop.lnk from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

The startup entry can be unchecked in msconfig.

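The filtering Fenichel describes in #37 and #39, RKinner's request in #40 to drop avp.exe as well, and the by-eye tallying in #40 and #42 of which processes dominate the boot log are the kind of job a short script does better than a spreadsheet with a row limit. The Python below is an added example for this page; it is not Fenichel's CrashOut program and not from either poster. It assumes the default ProcMon CSV export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail), and the six-row sample it carries is constructed, not taken from the real log. Two practical points it bakes in: ProcMon's Path and Detail fields routinely contain commas, so a plain line.split(",") mis-aligns columns while the csv module respects the quoting; and Procmon itself can only reopen its native .PML format, so a CSV export is only useful to external tooling like this.

```python
import csv
import io
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed sample in the layout of a ProcMon CSV export (default columns).
# These six rows are made up for illustration; they are not from the thread's log.
SAMPLE_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    '"9:01:02.1234567 AM","CrashPlanService.exe","1824","CreateFile",'
    '"C:\\Users\\Me\\AppData\\Roaming\\x.dat","SUCCESS",'
    '"Desired Access: Generic Read, Disposition: Open"\n'
    '"9:01:02.1234600 AM","avp.exe","1416","CreateFile",'
    '"C:\\Users\\Me\\AppData\\Roaming\\x.dat","SUCCESS",'
    '"Desired Access: Read Attributes, Disposition: Open"\n'
    '"9:01:02.1234700 AM","CrashPlanService.exe","1824","ReadFile",'
    '"C:\\Users\\Me\\AppData\\Roaming\\x.dat","SUCCESS","Offset: 0, Length: 65,536"\n'
    '"9:01:02.1234800 AM","svchost.exe","904","RegOpenKey",'
    '"HKLM\\System\\CurrentControlSet\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",'
    '"SUCCESS","Desired Access: Read"\n'
    '"9:01:02.1234900 AM","Explorer.EXE","2208","RegQueryValue",'
    '"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",'
    '"SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"\n'
    '"9:01:02.1235000 AM","AVP.EXE","1416","CreateFile","C:\\Windows\\System32\\ntdll.dll",'
    '"SUCCESS","Desired Access: Generic Read"\n'
)


def load_events(text: str) -> list:
    """Parse ProcMon CSV text into one dict per event.

    csv.DictReader honours the quoting, so commas inside Path or Detail
    (e.g. 'Offset: 0, Length: 65,536') stay inside their field; a naive
    line.split(',') would shift every column after such a field.
    """
    return list(csv.DictReader(io.StringIO(text)))


def events_per_process(rows: Iterable[Dict[str, str]]) -> Counter:
    """Event count per image name, case-folded: ProcMon reports the name as the
    process presents it, so avp.exe and AVP.EXE are the same program."""
    return Counter(row["Process Name"].lower() for row in rows)


def operations_for(rows: Iterable[Dict[str, str]], process: str) -> Counter:
    """Operation breakdown for one process, e.g. is a backup agent mostly
    reading files or mostly walking the registry."""
    name = process.lower()
    return Counter(row["Operation"] for row in rows
                   if row["Process Name"].lower() == name)


def _copy_without(src, dst, exclude: Iterable[str]) -> int:
    """Stream rows from src to dst, dropping those from excluded processes.
    Returns the number of rows dropped. Streaming keeps memory flat on a
    multi-hundred-MB export."""
    drop = {n.lower() for n in exclude}
    reader = csv.DictReader(src)
    writer = csv.DictWriter(dst, fieldnames=reader.fieldnames,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    dropped = 0
    for row in reader:
        if row["Process Name"].lower() in drop:
            dropped += 1
            continue
        writer.writerow(row)
    return dropped


def trim_text(text: str, exclude: Iterable[str]) -> Tuple[str, int]:
    """In-memory variant of the trim: returns (trimmed_csv, rows_dropped)."""
    out = io.StringIO()
    dropped = _copy_without(io.StringIO(text), out, exclude)
    return out.getvalue(), dropped


def trim_file(src_path: str, dst_path: str, exclude: Iterable[str]) -> int:
    """Trim a full-size export on disk. utf-8-sig tolerates a leading
    byte-order mark if the export carries one; newline='' is what csv wants."""
    with open(src_path, newline="", encoding="utf-8-sig") as src, \
         open(dst_path, "w", newline="", encoding="utf-8") as dst:
        return _copy_without(src, dst, exclude)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    for name, count in events_per_process(events).most_common():
        print(f"{count:6d}  {name}")
    trimmed, n_dropped = trim_text(SAMPLE_CSV, ["CrashPlanService.exe", "avp.exe"])
    print(f"dropped {n_dropped} rows; kept:\n{trimmed}")
```

Run as-is it works on the embedded sample; for a real export call trim_file("Logfile.CSV", "Logfile2.CSV", ["CrashPlanService.exe", "avp.exe"]) and feed events_per_process a csv.DictReader over the open file instead of load_events, so the 250 MB file is never held in memory. The per-process histogram is the quickest way to confirm RKinner's reading that a couple of processes account for most of the boot activity before anyone scrolls through pages of rows.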

#43 Fenichel (Topic Starter)
Thanks for the suggestion. I knew that CrashPlan didn't run in Safe Mode, but I'd forgotten that I could still get at the CrashPlan service, to keep it from starting up as soon as I got to Normal Mode. It is disabled now.

I am rerunning all of the AV scans that I ran yesterday, trying to verify that the malware detected yesterday did not re-install itself with some sort of flanking maneuver around the AV. I won't go back to Normal Mode until that's done, which will be a few hours from now.



#44 Fenichel (Topic Starter)
According to KIS, Malwarebytes, SuperAntiSpyware, and ESET, my system is clean now. Nevertheless, with CrashPlan and the Kaspersky code both disabled (but KIS still lurking, popping up from time to time urging me to re-enable it), I get about a minute of Normal mode before the freeze.

On my last visit, this was enough to get into ProcMon, and this time it had time enough to tell me about the boot log it had been holding for me. I got it to try saving the log in its native (.PML) format, and it got 96% done with this before the freeze. The results are in http://www.fenichel....s/boot log.zip. Next to that in http://www.fenichel....ks/CrashOut.zip I put a copy (with source) of my program that can

  • selectively copy lines of a text file (it is how I produced the CrashPlan-free version of the textfile version of the boot log), and
  • search for files that have their FILE_ATTRIBUTE_ENCRYPTED bit set

on the off chance that someone else will find it useful.

I am waiting to hear from Kaspersky, to see if they want to try to salvage some forensics from my installation. When that's done, I'll uninstall/reinstall KIS and see what happens. If that doesn't do the trick (I am not optimistic), it will be time to scrub this machine down to silicon & iron oxide, and reinstall Windows.


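The second capability Fenichel lists for CrashOut, finding files whose FILE_ATTRIBUTE_ENCRYPTED bit is set, is a useful sweep on a box you suspect of tampering: EFS-encrypted files in a profile that never used EFS deserve a look. The Python below is an added example of that check, not CrashOut's source (which is not on this page). It assumes Windows, where os.stat exposes st_file_attributes; the 0x4000 constant is the Win32 value, which Python's stat module also exposes as stat.FILE_ATTRIBUTE_ENCRYPTED. The attribute lookup is injectable so the walk itself can be exercised off-Windows, and stat failures on individual entries are skipped rather than aborting a scan that will inevitably hit files the current user cannot read.

```python
import os
import stat
from typing import Callable, Iterator, List

# Win32 FILE_ATTRIBUTE_ENCRYPTED; fall back to the documented value in case
# the running interpreter's stat module does not define the constant.
FILE_ATTRIBUTE_ENCRYPTED = getattr(stat, "FILE_ATTRIBUTE_ENCRYPTED", 0x4000)


def is_efs_encrypted(attributes: int) -> bool:
    """True when the ENCRYPTED bit is set in a Win32 file-attribute word."""
    return bool(attributes & FILE_ATTRIBUTE_ENCRYPTED)


def win32_attributes(path: str) -> int:
    """Attribute word for a path. Symlinks/reparse points are not followed,
    so the entry itself is examined. Returns 0 where stat lacks the field
    (non-Windows), which simply reports nothing as encrypted."""
    st = os.stat(path, follow_symlinks=False)
    return getattr(st, "st_file_attributes", 0)


def find_encrypted(root: str,
                   attributes_of: Callable[[str], int] = win32_attributes) -> Iterator[str]:
    """Walk root and yield every file whose ENCRYPTED attribute is set.

    attributes_of is a hook for the attribute lookup; the default uses the
    real stat call, a test can pass a stand-in that fabricates attribute words.
    Entries that cannot be stat'ed (permissions, vanished files) are skipped.
    """
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                attrs = attributes_of(full)
            except OSError:
                continue
            if is_efs_encrypted(attrs):
                yield full


def list_encrypted(root: str,
                   attributes_of: Callable[[str], int] = win32_attributes) -> List[str]:
    """Sorted list form of find_encrypted, for reports and for assertions."""
    return sorted(find_encrypted(root, attributes_of))


if __name__ == "__main__":
    import sys
    # Default to the roaming profile, the location the thread keeps returning to.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars("%APPDATA%")
    for hit in find_encrypted(target):
        print(hit)
```

On a Windows 7 box this can be run from Safe Mode (python.exe needs no service), which is where Fenichel was stuck; point it at a data volume or a user profile and compare the hits against what the user knowingly encrypted.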

#45 RKinner (Malware Expert, MVP)
None of the pml files are viable. It complains they weren't closed properly and are corrupt.

If you stop the Windows Management Instrumentation service does it let you stay in regular mode?

