Automated Memory "Processes" Snapshots?

[(PeteCresswell)]

One of my PCs has taken to sort of freezing up for 20-45 seconds
at a time.

During that time, I can get TaskMan up via Ctl/Alt/Delete, but
after that I cannot make anything happen by clicking tabs,
buttons, or other windows.

Last time around, TaskMan told me CPU Usage was fluctuating
20-50% and as soon as the usage dropped, my mouse clicks started
working again and the PC returned to normal.

Seems like I'm looking for something that can run in the
background and save a snapshot of all running processes along
with their CPU usage - say every 10 seconds.

Does anybody know of anything like that?

Other approaches to finding the culprit?

 

[Mayayana]

| During that time, I can get TaskMan up via Ctl/Alt/Delete, but
| after that I cannot make anything happen by clicking tabs,
| buttons, or other windows.
|

Can you use left and right arrowing to get to the processes
window? That should tell you what's busy.

| Last time around, TaskMan told me CPU Usage was fluctuating
| 20-50% and as soon as the usage dropped, my mouse clicks started
| working again and the PC returned to normal.
|

It sounds like 1 process is doing something intensive
and that's locking up response. If that process is not
designed to share there's not much you can do other
than figure out what the culprit is and act accordingly.
Anything you try to use to take a snapshot is probably
going to be waiting in line for its chance to act, just as
your mouse clicks are. By the time its chance comes
the process will probably have stopped.

 

[Char Jackson]

One of my PCs has taken to sort of freezing up for 20-45 seconds
at a time.

During that time, I can get TaskMan up via Ctl/Alt/Delete, but
after that I cannot make anything happen by clicking tabs,
buttons, or other windows.

Last time around, TaskMan told me CPU Usage was fluctuating
20-50% and as soon as the usage dropped, my mouse clicks started
working again and the PC returned to normal.

One thing I would do is check the System section of Event Viewer to
see if anything jumps out. (Start, Run, eventvwr.msc) Filter out the
informational entries so you're left with the Critical, Error, and
Warning entries.

I've seen similar system behavior, although not identical, when I was
working on a system with a failing hard drive.

 

[(PeteCresswell)]

Per Char Jackson:

I've seen similar system behavior, although not identical, when I was
working on a system with a failing hard drive.

You may have nailed it.

Just on GPs, I re-booted and there was a ChkDsk C: which
found/fixed a number of errors. (would've been nice if whoever
engineered that process could have piped the ChkDsk output to a
text file somewhere.... but as it is, the nature of the errors is
lost...)

Now we'll see if the problem resurfaces.

 

[(PeteCresswell)]

Per Char Jackson:

One thing I would do is check the System section of Event Viewer to
see if anything jumps out

I got a few of these on the same day but much earlier:
"TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts"

And I got a couple of these on the prior day:
"The FwHookDrv service failed to start due to the following
error: The system cannot find the file specified. "

 

[Char Jackson]

Per Char Jackson:

You may have nailed it.

Just on GPs, I re-booted and there was a ChkDsk C: which
found/fixed a number of errors. (would've been nice if whoever
engineered that process could have piped the ChkDsk output to a
text file somewhere.... but as it is, the nature of the errors is
lost...)

Now we'll see if the problem resurfaces.

The results of the automatic Chkdsk are written to the event log.

Here are more details.
<http://www.computing.net/answers/windows-xp/xp-chkdsk-where-are-the-results/132863.html>

 

[Tim Meddick]

"Mayayana", with regards to your comments ;

Anything you try to use to take a snapshot is probably
going to be waiting in line for its chance to act,

....not necessarily! If you were to start your "snapshot" program with the
highest priority you can give it (realtime), then there's a good chance it
will execute pretty much straight away.

One possibility would be to use the following from a Window's Command
Prompt (type "cmd.exe" into the "Run" box on the Start Menu) ;


start /REALTIME tasklist.exe >TaskList.txt


....if you wanted this "Task List" output saved automatically every minute,
you could use it in a batch-file like ;

------------------- copy between lines -------------------

@echo off
SETLOCAL
echo.
echo *** PRESS [N] TO EXIT ***
set COUNT=0
if DEFINED COUNT goto PROCEED

ROCEED
set /a COUNT=(%count%+1)
start /REALTIME tasklist.exe >Tasks#%count%.txt
if EXIST Tasks#%count%.txt echo Tasks#%count%.txt SAVED
if %count%]==99] goto :EOF
choice.exe /t:y,60 /n
if ERRORLEVEL=2 goto :EOF
goto PROCEED

------------------- copy between lines -------------------

....but, as with the first example, be sure to start the batch-file also
with "Real-Time" priority ;


start "Snapshot Window" /REALTIME "tskshots.bat"


....or, pasted into a desktop shortcut, after creating "tskshots.bat" ;


%SystemRoot%\system32\cmd.exe /c start "Snapshot Window" /REALTIME
"tskshots.bat"

==

Cheers, Tim Meddick, Peckham, London.

 

[Char Jackson]

Per Char Jackson:

I got a few of these on the same day but much earlier:
"TCP/IP has reached the security limit imposed on the number of
concurrent TCP connect attempts"

That shouldn't be a fatal error. I would disregard it.

And I got a couple of these on the prior day:
"The FwHookDrv service failed to start due to the following
error: The system cannot find the file specified. "

According to the following link, that refers to a rogue (malware)
program that should be removed. Removal instructions seem to be linked
there, as well.
<http://www.bleepingcomputer.com/startups/FwHookDrv.sys-23405.html>

 

[(PeteCresswell)]

Per Char Jackson:

The results of the automatic Chkdsk are written to the event log.

Here are more details.
<http://www.computing.net/answers/windows-xp/xp-chkdsk-where-are-the-results/132863.html>

Bingo!

Thanks.

Computer Management | Event Viewer | Application | "Winlogon"

FWIW:
----------------------------------------------------------------------------
Checking file system on C:
The type of the file system is NTFS.
Volume label is System.


One of your disks needs to be checked for consistency. You
may cancel the disk check, but it is strongly recommended
that you continue.
Windows will now check the disk.
Cleaning up instance tags for file 0x615c.
Attribute record of type 0x80 and instance tag 0x4 is cross
linked
starting at 0xf1f59 for possibly 0x3 clusters.
Attribute record of type 0x80 and instance tag 0x4 is cross
linked
starting at 0xf1f59 for possibly 0x3 clusters.
Some clusters occupied by attribute of type 0x80 and instance tag
0x4
in file 0x1100f is already in use.
Deleting corrupt attribute record (128, "")
from file record segment 69647.
The file reference 0xe00000000fe1c of index entry LAN.LNK of
index $I30
with parent 0xb433 is not the same as 0xf00000000fe1c.
Deleting index entry LAN.LNK in index $I30 of file 46131.
Index entry SSD Build.02.xls.LNK of index $I30 in file 0xb433
points to unused file 0xfe3e.
Deleting index entry SSD Build.02.xls.LNK in index $I30 of file
46131.
Index entry SSDBUI~1.LNK of index $I30 in file 0xb433 points to
unused file 0xfe3e.
Deleting index entry SSDBUI~1.LNK in index $I30 of file 46131.
Cleaning up minor inconsistencies on the drive.
CHKDSK is recovering lost files.
Recovering orphaned file SSDBUI~1.LNK (7526) into directory file
46131.
Recovering orphaned file SSD Build.02.xls.LNK (7526) into
directory file 46131.
Recovering orphaned file LAN.LNK (65052) into directory file
46131.
Cleaning up 888 unused index entries from index $SII of file 0x9.
Cleaning up 888 unused index entries from index $SDH of file 0x9.
Cleaning up 888 unused security descriptors.
Inserting data attribute into file 69647.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume
bitmap.
Windows has made corrections to the file system.

51199123 KB total disk space.
37980296 KB in 97004 files.
38600 KB in 10892 indexes.
0 KB in bad sectors.
248995 KB in use by the system.
65536 KB occupied by the log file.
12931232 KB available on disk.

4096 bytes in each allocation unit.
12799780 total allocation units on disk.
3232808 allocation units available on disk.

Internal Info:
80 e5 01 00 84 a5 01 00 05 84 02 00 00 00 00 00 ................
65 01 00 00 05 00 00 00 3c 05 00 00 00 00 00 00 e.......<.......
98 b1 4e 08 00 00 00 00 c8 44 d9 05 00 00 00 00 ..N......D......
28 00 a9 0b 00 00 00 00 00 00 00 00 00 00 00 00 (...............
00 00 00 00 00 00 00 00 ba 28 3d 21 00 00 00 00 .........(=!....
f0 e1 ed 9e 00 00 00 00 90 36 07 00 ec 7a 01 00 .........6...z..
00 00 00 00 00 20 22 0e 09 00 00 00 8c 2a 00 00 ..... "......*..

Windows has finished checking your disk.
Please wait while your computer restarts.

 

[(PeteCresswell)]

Per Char Jackson:

According to the following link, that refers to a rogue (malware)
program that should be removed. Removal instructions seem to be linked
there, as well.
<http://www.bleepingcomputer.com/startups/FwHookDrv.sys-23405.html>

Thanks again!

Looks like a undeleted leftover from a WinDefender infection I
thought I had cleaned out for good months ago.

 

[Char Jackson]

Per Char Jackson:

Thanks again!

Looks like a undeleted leftover from a WinDefender infection I
thought I had cleaned out for good months ago.

You're welcome.

 

[Iceman]

"Mayayana", with regards to your comments ;


...not necessarily! If you were to start your "snapshot" program with the
highest priority you can give it (realtime), then there's a good chance it
will execute pretty much straight away.

One possibility would be to use the following from a Window's Command
Prompt (type "cmd.exe" into the "Run" box on the Start Menu) ;


start /REALTIME tasklist.exe >TaskList.txt

The OP didn't state if his OS is Home or Pro. If 'Home' then tasklist.exe
isn't included. However, it can be downloaded from the Net. See this page:

http://www.tech-recipes.com/rx/679/xp_tasklist_get_list_processes_command_line/

 

[Tim Meddick]

Indeed!! - Sorry, I forget, sometimes, that everyone doesn't use the
Professional version!

However, if the user, in reality, is using XP Home, then a better choice
than to look for, and download : TaskList.exe would be to download one of
the impressive PSTools utilities - [PSLIST.EXE]

To download PSList.exe, click on the link below and choose to save the
file.
http://live.sysinternals.com/Tools/pslist.exe

The command to use in order to save a snapshot would then be : -

start /REALTIME pslist.exe >TaskList.txt

==

Cheers, Tim Meddick, Peckham, London.