Guest
Hi All,
Sorry for the long post, but I have been working
on this problem for many days now.
I have a Windows 2000 Prof PC (P4 2.45GHz, 512MB RAM)
which is part of a Windows 2003 domain. The PC
has the following problem:
On boot the PC is fine. I can log into the domain
OK. After about 5-8 minutes, the System process starts
to increase CPU usage reaching 100% in a few seconds.
The process continues like this until it has used
about 10 minutes of CPU time. It then decays away
slowly, until eventually reaching normal (0% most
of the time).
Here's the weird part: this happens only the first
time I boot the machine each day. On subsequent
restarts, the PC behaves fine.
First off, I regard myself as no slouch when it comes
to malware. So I am pretty sure this is not
virus/worm/adware. I have run full scans on this PC
with Symantec AV Corporate Ed. 10.0, Pest Patrol 4.4,
and HijackThis. None of these revealed any nasties.
There are no connections to external systems open. I
have even analysed the network traffic using Ethereal
to be sure that there is nothing on the wire that
shouldn't be there.
So, now I have used the Sysinternals Process Explorer
(V. nice!) as recommended here. It reveals that when
the system process is in this busy state, the value
of DPCs (deferred procedure calls) is also very high (~50).
Secondly, there are about 10 threads within the system
process that all have the same start address: 0x16b4c.
Using debugger symbols tells me that these are all
ExpWorkerThreads. The stack for each of these looks
like this:
ntoskrnl.exe!KiSwapThread+0xc5
ntoskrnl.exe!KeRemoveQueue+0x195
ntoskrnl.exe!ExpWorkerThread+0x73
ntoskrnl.exe!PspSystemThreadStartup+0x54
ntoskrnl.exe!KiThreadStartup+0x16
I have four questions:
1) What is the meaning of the high DPCs value - is it
significant or just another indication that the system
is busy?
2) Is there a way to see what driver is associated with
these "worker threads" to give a hint as to the source
of the problem?
4) Could this be the MS04-011 race condition given here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;841382
If so, how can I obtain the fix?
3) Anyone any other suggestions as to what else to try?
Thanks for listening.
Geoff