
Windows 7 freezes shortly after boot, new stuff in WMI

WMI freeze LogFileEventConsumer


#46
Fenichel (Member, Topic Starter, 43 posts)

  OK, I guess there just isn't enough time for ProcMon to do the PML encoding before the freeze.  I've tried it again, and this time (with CrashPlan off & KIS suspended) it's a much smaller file, but still CSV, here.


  • 0


#47
RKinner (Malware Expert, MVP, 20,012 posts)

I looked at your last logfile.  

 

What is G:?

 

There are still signs of crashplan

 

Also it seems you have a lot of system restore points.

If you run

vssadmin  list  shadows

from an elevated command prompt how many do you see?  


  • 0

#48
Fenichel (Member, Topic Starter, 43 posts)

 

What is G:?

It is a disk volume.  I have volumes C:, D:, G:, H:, and I:.

 

Also it seems you have a lot of system restore points.

If you run

vssadmin list shadows

from an elevated command prompt how many do you see?

This doesn't work in Safe Mode.  I'll try it on my next foray into Normal Mode.  On 2017-04-01, the first day of my troubles, I went into Windows System Restore, where it lists available Restore Points.  There was only one listed, timestamped 2017-04-01 00:00:40. 


  • 0

#49
Fenichel (Member, Topic Starter, 43 posts)

  I tried that vssadmin line in Normal Mode.  It didn't finish, having produced no output, and then came the freeze.


  • 0

#50
RKinner (Malware Expert, MVP, 20,012 posts)

Go in to services.msc and change Volume Shadow Copy service to Disabled and then see if you can survive in regular mode.


  • 0

#51
Fenichel (Member, Topic Starter, 43 posts)

  I tried the vssadmin line in Normal mode again, and this time it showed a half dozen or so restore points, the most recent dated 2017-03-22.  I tried to rerun it, piping the results to a text file, but then came the freeze.

  I have disabled the Volume Shadow Copy Service, and now I'll go back to Normal Mode to see what happens.


  • 0

#52
Fenichel (Member, Topic Starter, 43 posts)

No luck.  With or without the Volume Shadow Copy service, same old freeze. 


  • 0

#53
RKinner (Malware Expert, MVP, 20,012 posts)

Hard to see what is happening with ProcMon since the freeze happens after you take the log.  If you right click on the clock and Start Task Manager then minimize it there should be a little box near the clock that fills up with green as the CPU gets busy.  Does it go solid green when it freezes?

 

You might go into Task Scheduler and click on Task Scheduler Library, then right click on each of the tasks in the pane just to the right and disable it.  Just in case one of them is triggering and causing problems.

 

It might be worth running memtest86 plus  http://www.memtest.org/

 

You have to boot from a CD or USB but then you can rule out the memory and the cpu if it manages to complete a few passes.


  • 0

#54
Fenichel (Member, Topic Starter, 43 posts)

 

 If you right click on the clock and Start Task Manager then minimize it there should be a little box near the clock that fills up with green as the CPU gets busy.  Does it go solid green when it freezes?

No, it is close to 0%, then flashes up to ?30% or so when the KIS popup appears, but then goes back down at the freeze. 

 

You might go into Task Scheduler and click on Task Scheduler Library, then right click on each of the tasks in the pane just to the right and disable it.  Just in case one of them is triggering and causing problems.

  The freeze hits before I could get to more than the first task, and the Task Scheduler is not accessible in Safe Mode.

 

It might be worth running memtest86 plus  http://www.memtest.org/

 

You have to boot from a CD or USB but then you can rule out the memory and the cpu if it manages to complete a few passes.

  I'll try this.  I don't know how to get my computer to boot from a USB drive, but I may be able to do it from a CD.  It doesn't sound likely that the memory is consistently failing when I run in Normal Mode, but never in Safe Mode.  I know that Normal mode must use more memory initially, but some of the antivirus scans I've been running use lots of memory, and they've never complained.


  • 0

#55
Fenichel (Member, Topic Starter, 43 posts)

  Instead of using memtest, I used the Windows Memory Diagnostic Tool, running at pre-boot time.  After grinding away for about 3 hours, it had finished one pass, and it had found nothing.  I may run it overnight for another few passes, but I'm reasonably confident that this is a software problem, not hardware.

 

  Kaspersky is looking into the problem, but they seem to favor asking me to try something, getting a near-immediate result from me, waiting 24 hours, asking me to try something else, getting a near-immediate result from me, waiting 24 hours, and so on.

 

  Is the Task Scheduler's database of tasks usefully accessible in some way that doesn't require actually running the Task Scheduler?  If it were, I might be able to unschedule lots of things without racing against the clock in Normal Mode.


  • 0


#56
RKinner (Malware Expert, MVP, 20,012 posts)

Tasks live in c:\Windows\System32\Tasks\

 

You can open the individual tasks in Windows Write if you want to read what they do.

 

If you move the task to a different folder it will go away.  Putting it back is a little harder.  

 

Once a task is created it shows up in the registry:

 

 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\CompatibilityAdapter\Signatures
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
 
Tasks are tricky things.  I've tried copying the registry entries and the Task folder, then deleting and replacing them, and it complains.  Somehow it knows when you do that.
 
Task Scheduler is also a service but you can't normally disable it in services.msc
 
You have to go into the registry to 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule
and change the start from 2 to 4
 
That might be an interesting thing to try.  
 
You will find all of your services and drivers under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\
 
so if you are trying to stop Kaspersky completely you can find most of it there and change Start to 4.  (Look at the Services & Drivers sections of your initial FRST log to see what the services are called and which belong to Kaspersky.)  Sometimes you have to take ownership of a key in order to change it.  
 

  • 0
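An added example, not code from RKinner's post or anything Fenichel ran: a read-only PowerShell inventory of the two places named above. It parses each file under C:\Windows\System32\Tasks as XML, which answers the question in #55 about reading the task database without opening the Task Scheduler console, and it maps the Start value under HKLM\SYSTEM\CurrentControlSet\Services to its meaning. The paths are the defaults quoted in the post; the list of service names is an assumption drawn from what this thread discusses (spldr, Schedule for Task Scheduler, Winmgmt for WMI, VSS for Volume Shadow Copy).

```powershell
# Added example (not from the thread). Read-only: it lists what Task Scheduler
# would run, straight from the on-disk task XML, and the Start type of a few
# services from the registry. Run from an elevated PowerShell prompt; it works
# in Safe Mode because it needs neither the Schedule service nor services.msc.
param(
    [string]$TaskRoot    = "$env:SystemRoot\System32\Tasks",            # default task store (from the post)
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services',   # default services key (from the post)
    [string[]]$ServiceNames = @('spldr', 'Schedule', 'Winmgmt', 'VSS')  # assumed: services this thread discusses
)

$TaskNs = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

function Get-TaskFileInfo {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_
        $xml  = New-Object System.Xml.XmlDocument
        try   { $xml.Load($file.FullName) }            # honours the file's own encoding declaration
        catch { Write-Warning "Unparseable task file: $($file.FullName)"; return }

        $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
        $ns.AddNamespace('t', $TaskNs)

        # <Settings><Enabled> defaults to true when the element is absent.
        $en = $xml.SelectSingleNode('/t:Task/t:Settings/t:Enabled', $ns)
        $enabled = ($en -eq $null) -or ($en.InnerText -eq 'true')

        $triggers = @($xml.SelectNodes('/t:Task/t:Triggers/*', $ns) | ForEach-Object { $_.LocalName })
        $actions  = @($xml.SelectNodes('/t:Task/t:Actions/*', $ns) | ForEach-Object {
            if ($_.LocalName -eq 'Exec') {
                $cmd  = $_.SelectSingleNode('t:Command', $ns)
                $arg  = $_.SelectSingleNode('t:Arguments', $ns)
                $line = [string]$cmd.InnerText
                if ($arg -ne $null) { $line += ' ' + $arg.InnerText }
                $line.Trim()
            } else {
                # ComHandler / SendEmail / ShowMessage: report the kind and, for COM, the CLSID
                $id = $_.SelectSingleNode('t:ClassId', $ns)
                if ($id -ne $null) { "$($_.LocalName) $($id.InnerText)" } else { $_.LocalName }
            }
        })

        New-Object PSObject -Property @{
            Name     = $file.FullName.Substring($Root.Length).TrimStart('\')
            Enabled  = $enabled
            Triggers = ($triggers -join ',')
            Actions  = ($actions -join ' | ')
        } | Select-Object Name, Enabled, Triggers, Actions
    }
}

# Meaning of the Start value, as in RKinner's note (changing 2 to 4 disables a service).
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-ServiceStartType {
    param([string]$Key, [string[]]$Names)
    foreach ($n in $Names) {
        $p = Get-ItemProperty -Path (Join-Path $Key $n) -ErrorAction SilentlyContinue
        if ($p -eq $null) { Write-Warning "No registry key for service '$n'"; continue }
        $meaning = 'n/a'                       # key exists but has no Start value
        if ($p.Start -ne $null) {
            $meaning = $StartNames[[int]$p.Start]
            if ($meaning -eq $null) { $meaning = "Unknown($($p.Start))" }
        }
        New-Object PSObject -Property @{
            Service   = $n
            Start     = $p.Start
            Meaning   = $meaning
            ImagePath = $p.ImagePath
        } | Select-Object Service, Start, Meaning, ImagePath
    }
}

Get-TaskFileInfo -Root $TaskRoot | Where-Object { $_.Enabled } | Sort-Object Name |
    Format-Table -AutoSize -Wrap Name, Triggers, Actions
Get-ServiceStartType -Key $ServicesKey -Names $ServiceNames | Format-Table -AutoSize
```

Read the Actions column first: a task that runs something from a user-writable directory or a temp folder is the one to look at before disabling everything. To apply the change RKinner describes for one service, `Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\spldr' -Name Start -Value 4` does what regedit does, subject to the same ownership caveat; driver keys with Start 0 or 1 are loaded by the boot loader, so changing those is what can leave a machine unable to boot, which is why the script only reads.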

#57
Fenichel (Member, Topic Starter, 43 posts)

  Thanks, but it sounds as if messing with Tasks via the Registry is something I'm likely to screw up in some irreversible way.  My greatest fear now is that I will do something that locks me out, even out of Safe Mode. 

 

  The experiment I want to do before giving up is to get rid of Kaspersky and then reinstall it.  I suppose I could do it through Regedit, but it seems foolish to try that while I'm getting help from the Kaspersky people.  They can probably help me with the uninstall most simply.  Their pacing (see message #55) is not to my liking, but I can't believe that they & I will be at it for more than a few more cycles.

 

  The depressing, tedious PITA of reinstalling Windows, reconfiguring it, reinstalling all my applications, and reconfiguring them looks more and more inevitable.  That will be a lost week of my life.


  • 0

#58
Fenichel (Member, Topic Starter, 43 posts)

@RKinner

  When my problem started, Windows froze shortly after booting into Normal Mode (Condition A).  I had found a sequence of commands (Sequence A')

Change startup type of Windows Management Instrumentation (WMI) Service to disabled
Stop the WMI Service; you may need to stop IP Helper Service first or other dependent services before it allows you to stop WMI Service
Rename the repository folder: C:\WINDOWS\system32\wbem\Repository to Repository.old
Open a CMD Prompt with elevated privileges
CD windows\system32\wbem
for /f %s in ('dir /b /s *.dll') do regsvr32 /s %s
Set the WMI Service type back to Automatic and start WMI Service
cd /d c:\ ((go to the root of the c drive, this is important))
for /f %s in ('dir /s /b *.mof *.mfl') do mofcomp %s
Reboot

that, if run in Safe Mode, allowed the next (and only the next) boot into Normal Mode to run freezeless (Condition B). Having to do a pre-boot into Safe Mode before each boot into Normal Mode is a PITA, but if I were in Condition B now, then I'd be more efficiently able to do the cleanup I want to do before plunging into the big format & reload that I now recognize are inevitable.

 

While I was in Condition B, you spotted that I had a problem with spldr:

 

I think we probably need to worry more about this error first:

 

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: spldr
Problem: This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.

 

 

and you pointed me to some registry edits (Sequence B')

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldr]
"DisplayName"="Security Processor Loader Driver"
"ErrorControl"=dword:00000003
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldr\Enum]
"0"="Root\\LEGACY_SPLDR\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001


That eliminated the spldr error, but, as I remarked one or two messages later, it effectively made my problem worse.  Since restoring spldr, Sequence A' no longer provides any benefit.  Instead, I am in Condition C, where every Normal-Mode boot freezes after a few seconds, or, if I've disabled KIS, a minute later, right after the appearance of the Kaspersky popup urging me to reenable protection. 

 

  Temporarily, I'd like to return to Condition B.  I had never dealt with services at the registry level before using Sequence B'.  I'm sure there's a simple edit of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\spldr registry entries that will effectively undo Sequence B'; I can guess what it might be, but your suggestion will be appreciated.


  • 0
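An added example, not part of Fenichel's or RKinner's posts. Step 3 of Sequence A' renames the WMI repository, which also throws away every permanent event subscription registered in it: the __EventFilter, __EventConsumer and __FilterToConsumerBinding objects in root\subscription, the namespace a LogFileEventConsumer (this thread's tag) lives in. The PowerShell below records those bindings, with the query and the consumer's action, before the rename, and can optionally unbind one filter by name. The export location and the use of Get-WmiObject (available in the PowerShell that ships with Windows 7) are my choices, not anything the thread specifies.

```powershell
# Added example (not from the thread). Captures the permanent WMI event
# subscriptions in root\subscription (filter -> consumer bindings) before
# Sequence A' renames the repository, because the rename discards them along
# with everything else registered there. Read-only unless -RemoveBindingForFilter
# is given. Run from an elevated PowerShell prompt with the WMI service running.
param(
    [string]$ExportPath = "$env:USERPROFILE\Desktop\wmi-subscriptions.xml",   # assumed export location
    [string]$RemoveBindingForFilter = ''                                      # optional: filter name to unbind
)

$SubNs = 'root\subscription'

# Binding properties hold object paths such as  __EventFilter.Name="SCM Event Log Filter"
# so pull the Name out and match on it, whatever path prefix the creator used.
function Get-RefName([string]$Ref) {
    if ($Ref -match 'Name="([^"]*)"') { $Matches[1] } else { $Ref }
}

# One-line description of what a consumer does when its filter fires.
function Get-ConsumerPayload($c) {
    switch ($c.__CLASS) {
        'LogFileEventConsumer'      { "writes to $($c.Filename): $($c.Text)" }
        'CommandLineEventConsumer'  { "runs $($c.ExecutablePath) $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { "runs $($c.ScriptingEngine) script: $($c.ScriptText)$($c.ScriptFileName)" }
        'NTEventLogEventConsumer'   { "logs event $($c.EventID) from source $($c.SourceName)" }
        default                     { $c.__CLASS }
    }
}

function Get-WmiSubscriptions {
    $filters   = @(Get-WmiObject -Namespace $SubNs -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $SubNs -Class __EventConsumer)   # returns every consumer subclass
    $bindings  = @(Get-WmiObject -Namespace $SubNs -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

        $query = '(dangling filter reference)'
        if ($f -ne $null) { $query = "$($f.QueryLanguage): $($f.Query)" }
        $payload = '(dangling consumer reference)'
        if ($c -ne $null) { $payload = Get-ConsumerPayload $c }

        New-Object PSObject -Property @{
            Filter   = $fName
            Query    = $query
            Consumer = $cName
            Action   = $payload
        } | Select-Object Filter, Query, Consumer, Action
    }
}

# Unbinding stops the consumer firing; the filter and consumer objects stay for later inspection.
function Remove-WmiBindingForFilter([string]$FilterName) {
    Get-WmiObject -Namespace $SubNs -Class __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName } |
        ForEach-Object { Remove-WmiObject -InputObject $_; "Removed binding for filter '$FilterName'" }
}

$subs = @(Get-WmiSubscriptions)
$subs | Export-Clixml -Path $ExportPath
"$($subs.Count) binding(s) saved to $ExportPath"
$subs | Format-Table -AutoSize -Wrap

if ($RemoveBindingForFilter -ne '') { Remove-WmiBindingForFilter $RemoveBindingForFilter }
```

Run it in Safe Mode before step 3 of Sequence A', and keep the export somewhere the later format and reload will not wipe. On a stock Windows 7 install the binding to expect is "SCM Event Log Filter" feeding the NTEventLogEventConsumer "SCM Event Log Consumer"; any other binding, and in particular one whose Action column shows a LogFileEventConsumer, CommandLineEventConsumer or ActiveScriptEventConsumer, is worth reading in full, because whatever it runs is also what Repository.old will no longer tell you about once the repository has been rebuilt.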

#59
Fenichel (Member, Topic Starter, 43 posts)

  I did one experiment, with no useful result.  I regedited the Start value of spldr from 0 to 3, performed Sequence A', and then rebooted into Normal Mode.  Same old freeze, without KIS popup, after about a minute.  Now I've restored that Start value to 0.


Edited by Fenichel, 14 April 2017 - 07:40 PM.

  • 0

#60
RKinner (Malware Expert, MVP, 20,012 posts)

You can try changing Start to 4.  And see what happens.  3 is Manual so Windows can still start it if it wants.  4 is Disabled.

 

If you feel that WMI is part of the problem then set it to Disabled too.


  • 0
