Self-Healing Blank Desktop?

(PeteCresswell)

As a practical matter, this is probably moot because I'm planning on
building up a new system and because the problem seems to go away on
its own... but still...

- Boot the machine

- Enter password

- TeamViewer's "Computers & Contacts" list comes up,
but nothing else

- Now I'm looking at a blank desktop screen (no icons),
totally empty except for the TeamViewer window

- Open up TaskMan and observe Performance=28-30% CPU

- TaskMan | Processes = no explicit app using CPU:
System Idle = 75%
SvcHost = 25%

- Even with that situation, TeamViewer is fully functional.
Can link to another PC, open up a window into that PC,
no response time issue, and so-forth.

- Use TaskMan | File | NewTask (Run) to navigate to ProcessLasso.exe
and start it up in an effort to see who is using the CPU.

- ProcessLasso's window opens up, spanning both monitors

- Try to resize it, and system hangs: no response to mouse or
keyboard

- Force a system reboot via the Kill button on the PC.

- System reboots and all is well..

This doesn't happen that often, but often enough to make me wonder if
I'm seeing some sort of intermittent hardware issue.

The last iteration was the first one where I had the sense to open up
ProcessLasso - and next time it happens, maybe I'll have the presence of
mind to not try to resize the window before taking a look at what it
says.

Until then, does anybody have a feeling as to what might be going on?

Seems like something that is critical path to whoever draws the desktop
icons is hanging - but that TeamViewer gets kicked off before that
process starts. FWIW, I also have tried killing TeamViewer - but the
desktop still does not get drawn.
 
(PeteCresswell) said:
As a practical matter, this is probably moot because I'm planning on
building up a new system and because the problem seems to go away on
its own... but still...

- Boot the machine

- Enter password

- TeamViewer's "Computers & Contacts" list comes up,
but nothing else

- Now I'm looking at a blank desktop screen (no icons),
totally empty except for the TeamViewer window

- Open up TaskMan and observe Performance=28-30% CPU

- TaskMan | Processes = no explicit app using CPU:
System Idle = 75%
SvcHost = 25%

- Even with that situation, TeamViewer is fully functional.
Can link to another PC, open up a window into that PC,
no response time issue, and so-forth.

- Use TaskMan | File | NewTask (Run) to navigate to ProcessLasso.exe
and start it up in an effort to see who is using the CPU.

- ProcessLasso's window opens up, spanning both monitors

- Try to resize it, and system hangs: no response to mouse or
keyboard

- Force a system reboot via the Kill button on the PC.

- System reboots and all is well..

This doesn't happen that often, but often enough to make me wonder if
I'm seeing some sort of intermittent hardware issue.

The last iteration was the first one where I had the sense to open up
ProcessLasso - and next time it happens, maybe I'll have the presence of
mind to not try to resize the window before taking a look at what it
says.

Until then, does anybody have a feeling as to what might be going on?

Seems like something that is critical path to whoever draws the desktop
icons is hanging - but that TeamViewer gets kicked off before that
process starts. FWIW, I also have tried killing TeamViewer - but the
desktop still does not get drawn.

When you see a behavior, that a Google search does
not show to be common, you assume malware is to blame.

If the evidence showed, TeamViewer machines
"constantly had blank screens", then you'd assume
a TeamViewer design issue. A quick search isn't
showing that.

At startup, poorly architected software using
inter-process communications, can have race conditions,
where things complete out of order, and something gets
deadlocked.

From the malware perspective, the svchost could be a
fake svchost.exe sitting in a Startup folder. If you
know the PID of the svchost, you could look for the
same PID on the properly-running system, and then
list what is inside that, to get some idea
what candidates might live in there. On Windows XP Pro,
you might use tasklist /svc in a command prompt window,
or on Windows XP Home, maybe Process Explorer, to gather
evidence.

There is a way to segregate individual things, putting
each one in its own svchost. If you have to, this
technique should prevent the miscreant from "hiding
in a crowd" inside a svchost. You will need to run
one of these lines per thing inside the svchost,
so they each get a private svchost to abuse.
Then, one svchost = one guilty party. No hiding.

http://blogs.msdn.com/b/spatdsg/archive/2007/09/17/debugging-services.aspx

sc config <service> type= own     <--- fifteen services, fifteen svchosts...
sc config <service> type= share   <--- put them back the way they were, one at a time

PID (process identifier number) assignments definitely
don't have to be identical on each boot attempt, so it's
not like this method is guaranteed to point a finger or
anything. But when I've had a few problems here, I
might typically see the same PID doing it.

*******

Because I have a strange sense of humor, I might be
tempted to run the no-longer-supported BootVis. I was
surprised that it ran on my WinXP SP3, and is another tool
that I can try if something mysterious happens at startup.
It keeps logs of startup, and you could compare the
timing of the failed case, to the working cases.

http://attachments.techguy.org/attachments/119252d1194304456/bootvis-graphs.jpg

*******

A quick Google, picked up mention of a svchost-like
thing being an agent for MoneyPak malware, or as a
means of doing a BitCoin Miner. So there are other
possibilities that need a malware check to find.

Paul
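
An added example, not part of the post above and not code from any tool named in the thread: a Python sketch that parses saved `tasklist /svc` output, flags svchost.exe instances that host no services (a triage hint for a look-alike started outside the Service Control Manager, not proof), and builds the `sc config` isolation and undo lines for one PID. The sample output, PIDs and function names are constructed for illustration.

```python
import re

# Constructed sample of `tasklist /svc` output (PIDs and services are illustrative).
SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    912 DcomLaunch, TermService
svchost.exe                   1032 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   EventLog, Themes, wuauserv
explorer.exe                  1720 N/A
svchost.exe                   2480 N/A
"""

# image name (may contain spaces), PID, then the services column
ROW = re.compile(r"^(\S.*?)\s+(\d+)\s+(\S.*)$")

def _names(field):
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]

def parse_tasklist_svc(text):
    """Return {pid: (image, [services])}; wrapped service lists are rejoined."""
    procs, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), _names(m.group(3)))
        elif line[:1].isspace() and line.strip() and last is not None:
            procs[last][1].extend(_names(line))  # continuation of previous row
    return procs

def unhosted_svchosts(procs):
    """PIDs named svchost.exe that host no services: check their path and launch point."""
    return sorted(pid for pid, (img, svcs) in procs.items()
                  if img.lower() == "svchost.exe" and not svcs)

def isolation_commands(procs, pid):
    """One `type= own` line per service in `pid`, plus the matching `type= share` undo lines."""
    svcs = procs[pid][1]
    return ([f"sc config {s} type= own" for s in svcs],
            [f"sc config {s} type= share" for s in svcs])

if __name__ == "__main__":
    procs = parse_tasklist_svc(SAMPLE)
    print("svchost.exe with no services:", unhosted_svchosts(procs))
    own, share = isolation_commands(procs, 1032)
    print("\n".join(own + share))
```

On a live machine, save the listing with `tasklist /svc > svc.txt` and pass the file's text to `parse_tasklist_svc`.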