
Explorer.exe / Browseui.dll - High Cpu Usage (slow Folders)


3 replies to this topic

#1 skribb


Posted 31 August 2008 - 01:25 PM

Ever since I came back to the computer and noticed that it had rebooted itself (presumably a STOP error of some kind), Explorer.exe has been utilising 37-50% CPU when browsing through folders (i.e. the spikes occur only when actively browsing). I was using addons (QTTabBar and QTAddressBar) for explorer.exe but have since removed them, although the CPU error persists. Naturally, the CPU spike causes folders to load slowly; they take about 5 seconds to appear, in contrast with the former 0-1 seconds.

For further clarity; right-clicking folders/files and running applications does not produce a CPU spike at all.

Just to prove that explorer is the culprit, I tried other file managers and they loaded folders instantly and with 0-1 % CPU usage.

I did troubleshooting all night and found that there are some strange occurrences when I open any given folder, though the activities differ slightly from folder to folder.

Basically, BROWSEUI.dll!Ordinal138+0x7bdd is the one hogging the cpu. The CSwitch Delta peaks at around 3000 when the cpu spikes occur.


Here's the stack for one of the BROWSEUI.dll!Ordinal138+0x7bdd:
ntkrnlpa.exe!KiUnexpectedInterrupt+0x121
ntkrnlpa.exe!ZwYieldExecution+0x1c56
ntkrnlpa.exe!ZwYieldExecution+0x2538
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb74
ntkrnlpa.exe!KiDispatchInterrupt+0x72e
ntkrnlpa.exe!ExAcquireResourceExclusiveLite+0x67
ntkrnlpa.exe!ExFreePoolWithTag+0x40d
ntkrnlpa.exe!ExReleaseResourceLite+0x8d
ntdll.dll!KiFastSystemCallRet
BROWSEUI.dll!Ordinal138+0x7bdd
kernel32.dll!GetModuleFileNameA+0x1b4



I went into Filemon to record what was being accessed while opening folders and I saw these suspect activities:

31 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\??????? NAME INVALID Attributes: Error
32 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Documents and Settings\skribb\??????? NAME INVALID Attributes: Error
33 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\system32\??????? NAME INVALID Attributes: Error
34 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\system\??????? NAME INVALID Attributes: Error
35 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\??????? NAME INVALID Attributes: Error
36 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\system32\??????? NAME INVALID Attributes: Error
37 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\??????? NAME INVALID Attributes: Error
38 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\System32\Wbem\??????? NAME INVALID Attributes: Error
39 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Program\Windows XP Support Tools\??????? NAME INVALID Attributes: Error
40 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Program\Delade filer\Teleca Shared\??????? NAME INVALID Attributes: Error
41 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Program\DISKEE~1\DISKEE~1\??????? NAME INVALID Attributes: Error

The ??????? is sometimes shown as ?.?????? or ? ?????? or ?????? etc, and sometimes it also says NOT FOUND instead of NAME INVALID.


If a folder contains no subfolders, the above is all that happens. However, if a folder contains subfolders, the below is also reported, for every subfolder of the current folder (note that this didn't seem to affect the CPU; the spike was pretty much the same in an empty folder, i.e. with only the above errors):

3214 18:49:15 explorer.exe:500 READ H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly INVALID DEVICE REQUEST Offset: 0 Length: 24
3215 18:49:15 explorer.exe:500 QUERY INFORMATION H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly BUFFER OVERFLOW FileFsVolumeInformation
3216 18:49:15 explorer.exe:500 QUERY INFORMATION H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly BUFFER OVERFLOW FileAllInformation
3217 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA NOT FOUND Options: Open Access: Read
3218 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3219 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3220 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3221 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3222 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3223 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3224 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3225 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3226 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3227 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3228 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3229 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3230 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
3231 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open Access: Read


What I have tried so far, without luck:
1. Kill all processes and services except the crucial ones
2. Search for references in the registry
3. Reinstalled IE7 (since browseui.dll is an IE component). The reinstall gave me a newer version of browseui.dll, but that didn't help, apparently.
4. Searched for spyware and adware. Didn't bother searching for viruses since I use a resident guard which hasn't reported anything.

What I perhaps should try:
Unregister browseui.dll , reboot, then reregister browseui.dll
I'm not sure I should. I'm afraid it'll break explorer.exe, but if you feel like coaxing me into trying this, feel free to do so.

Final notes:
1. I will not reformat or reinstall XP. With my last computer I didn't reformat for 2-3 years, and I'd like to keep it that way. (Just getting this out of the way so we can focus on ironing out the problem.)
2. The disk is defragmented. I am using Diskeeper with auto-defrag.
3. I can provide full Filemon, Regmon, Procmon or HJT logs if necessary (or any other log program).
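
A way to triage Filemon excerpts like the ones in the post above, as an added example that is not part of the original thread: the parser assumes the space-flattened column layout shown there and recognizes only the operation and result names that appear in it. The names `parse_line`, `summarize` and the regular expressions are chosen here for illustration.

```python
import re
from collections import Counter

# Operation and result names are limited to those visible in the post's excerpts.
OPS = ("QUERY INFORMATION", "READ", "OPEN")
RESULTS = ("NAME INVALID", "NOT FOUND", "BUFFER OVERFLOW", "INVALID DEVICE REQUEST")
# Paths contain spaces, so the result keyword is what marks the end of the path.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:]{8})\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>" + "|".join(OPS) + r")\s+(?P<path>.+?)\s+"
    r"(?P<result>" + "|".join(RESULTS) + r")(?:\s+(?P<other>.*))?$"
)
STREAM_RE = re.compile(r"\\:(?P<stream>[^:\\]+):\$DATA$")

# Lines copied from the excerpts in the post above.
SAMPLE = r"""
31 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\??????? NAME INVALID Attributes: Error
33 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\system32\??????? NAME INVALID Attributes: Error
3214 18:49:15 explorer.exe:500 READ H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly INVALID DEVICE REQUEST Offset: 0 Length: 24
3215 18:49:15 explorer.exe:500 QUERY INFORMATION H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly BUFFER OVERFLOW FileFsVolumeInformation
3217 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA NOT FOUND Options: Open Access: Read
3218 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open Access: Read
""".strip().splitlines()

def parse_line(line):
    """Return the fields of one flattened Filemon line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count (operation, result) pairs, unreadable-name lookups and stream probes."""
    by_result, garbled_dirs, streams, skipped = Counter(), Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1                      # unknown operation/result or truncated line
            continue
        by_result[(rec["op"], rec["result"])] += 1
        parent, _, leaf = rec["path"].rpartition("\\")
        s = STREAM_RE.search(rec["path"])
        if s:
            streams[s.group("stream")] += 1   # NTFS alternate data stream probe
        elif "?" in leaf:
            garbled_dirs[parent] += 1         # name the log could only show as '?'
    return {"by_result": by_result, "garbled_dirs": garbled_dirs,
            "streams": streams, "skipped": skipped}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In Filemon output, BUFFER OVERFLOW is a status returned when the caller's buffer was too small for the requested information, so it is counted here like any other result rather than treated as a sign of memory corruption.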


#2 usasma


Posted 31 August 2008 - 02:10 PM

1) Check the Event Viewer for errors around the time of the crash (in both the Application and System logfiles). Also check for errors that occur when accessing the files (usually in the Application logfile).

2) Open up Task Manager and go to the Processes tab. Click on the View menu, then on Select columns.
Place a check mark next to I/O Reads and click OK to exit the dialog.
Resize the Task Manager window so you can see the I/O Reads, then double click on the I/O Reads column header to sort by that column.
Then perform the action that causes the problem and identify the image names associated with any spikes. Repeat this for the Memory and CPU columns. Let us know the names of the images that spike.

3) Perform an analysis of the dump file from the crash - that's the most likely to give us something concrete to work with. Here's a link on how to do it: http://forums.majorgeeks.com/showthread.php?t=35246
Post back with the results of the analysis and we'll see what we can do.
My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack.** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#3 skribb


Posted 31 August 2008 - 03:35 PM

Hello John, thanks for the reply!

I found a crashlog from the BSOD, but there is nothing recorded in any category of the eventlog when I open a folder.

There are no spikes in I/O Reads, the app using most reads is Samurize and Diskeeper, but that is normal (I've also tried disabling those with no results, so they are definitely not the problem).
There are no memory spikes.
The spike only occurs in the CPU, and the culprit is like I mentioned, explorer.exe, and after analysing the threads, the file causing the spike is browseui.dll.


The dump didn't give me much info, however I received three interesting things:

Unable to load image ntoskrnl.exe, Win32 error 0n2

BugCheck 100000CE, {8b496a70, 8, 8b496a70, 0}

Probably caused by : PGPwded.SYS ( PGPwded+1a70 )

PGP is an encryption software that I installed, tried, decided I didn't want and uninstalled. Doesn't feel like much of a biggie to me. I'm gonna search for file and registry remnants of PGP.

The ntoskrnl.exe error is interesting though, but I wouldn't know what to make out of it. Does Windows even start with a faulty ntoskrnl?


Update:
I had recently disabled Spybot from within Spybot itself, without it affecting performance. Now I disabled it from within IE, which seemed to have solved the problem.

I will return if the problem re-arises.

Edited by skribb, 31 August 2008 - 04:07 PM.


#4 usasma


Posted 31 August 2008 - 04:10 PM

In general, blue screen events that cite core Windows system files should be screened for other factors. In most cases, a problem with NTOSKRNL.EXE will have more issues than just a BSOD - so it's reasonable to assume that something else is causing the error. Being unable to load the image for NTOSKRNL.EXE is a concern, but not as big a concern as it may sound (since the default symbols for the debugger include the symbols needed for NTOSKRNL.EXE). But, keep it in mind as a clue.

Here's a link to a description of the STOP 0xce error: http://aumha.org/a/stop.php#0xce

I'd suggest running the !analyze -v switch in the debugger (you can type it in the little bar at the bottom of the window) and post the entire results here. Often there's a clue in the log - and we may request that you use more commands for the debugger. Personally, I'm concerned about the Stack text (and comparing it to the stack that you posted for browseui.dll).

Finally, since it cites a driver as the cause, I'd recommend using Driver Verifier to ensure that the correct driver has been identified.
To do this, go to Start...Run...and type in "verifier" (without the quotes) and press Enter
Click Next to Create Standard Settings
Click Next to Automatically select unsigned drivers
Click Finish to accept the drivers that were selected and close the dialog.
Reboot.

The system will either BSOD immediately, or you'll have to work on it a bit before it BSOD's (we're hoping for the immediate BSOD).

Capture the dump file in Safe Mode, and then go back into Driver Verifier and (in the first screen) select the option to Delete existing settings. That'll stop Driver Verifier from running and should let you boot back into normal mode.



