Posted 01 December 2011 - 09:01 AM
Hello, I have Windows Vista Home Premium SP2, up to date through Windows Update, running on a quad core with 4GB of RAM. MS Security Essentials is installed.
Problem: Procmon shows wmiprvse.exe performing a CREATE FILE operation on tzres.dll over and over and over, apparently as fast as it can. I do not know how long this situation has been happening. This has some apparent effects, though: one CPU core is constantly occupied with this activity, all the I/O seems to impact the I/O performance, and procmon does nothing but capture these events, which number in the hundreds of thousands very quickly (I could use a filter, I know). Please see below for the Procmon entries in question, and just multiply by 100,000 to get an idea what my procmon looks like every few minutes.
What I have done: searched for the problem and found nothing exactly the same on Vista. Some people have reported the exact same behavior on Windows 2008 server running Windows System Resource Manager (WSRM) but I couldn't correlate that to my installation or issue. Full scan with MS Security Essentials finds nothing. Full scan with Malwarebytes finds nothing. Full scan with Spybot Search and Destroy finds nothing. As I mentioned, I am not sure how long it's been doing this, so unfortunately I couldn't state whether this started with a particular update or install. Thanks for any additional diagnostic or resolving ideas you can provide.
This, over and over and over:
6:39:45.1272851 AM wmiprvse.exe 4020 CreateFile C:\Windows\System32\tzres.dll SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
6:39:45.1274625 AM wmiprvse.exe 4020 CreateFileMapping C:\Windows\System32\tzres.dll FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection: PAGE_READONLY
6:39:45.1274739 AM wmiprvse.exe 4020 QueryStandardInformationFile C:\Windows\System32\tzres.dll SUCCESS AllocationSize: 4,096, EndOfFile: 2,048, NumberOfLinks: 2, DeletePending: False, Directory: False
6:39:45.1274963 AM wmiprvse.exe 4020 CreateFileMapping C:\Windows\System32\tzres.dll SUCCESS SyncType: SyncTypeOther
6:39:45.1275379 AM wmiprvse.exe 4020 CloseFile C:\Windows\System32\tzres.dll SUCCESS
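An added example, not part of the original post: one way to reduce a flood like the trace above to a per-process, per-file summary by pairing each CreateFile with the following CloseFile and counting the cycles. The function names are hypothetical, and the parser assumes the space-separated layout pasted above, paths without spaces, and no overlapping opens of the same file by the same process.

```python
import re
from collections import defaultdict

# Lines 1-5 are the trace from the post (detail column trimmed); the rest are
# constructed: a second identical cycle and an unrelated open never closed.
TRACE = r"""
6:39:45.1272851 AM wmiprvse.exe 4020 CreateFile C:\Windows\System32\tzres.dll SUCCESS
6:39:45.1274625 AM wmiprvse.exe 4020 CreateFileMapping C:\Windows\System32\tzres.dll FILE LOCKED WITH ONLY READERS
6:39:45.1274739 AM wmiprvse.exe 4020 QueryStandardInformationFile C:\Windows\System32\tzres.dll SUCCESS
6:39:45.1274963 AM wmiprvse.exe 4020 CreateFileMapping C:\Windows\System32\tzres.dll SUCCESS
6:39:45.1275379 AM wmiprvse.exe 4020 CloseFile C:\Windows\System32\tzres.dll SUCCESS
6:39:45.1276000 AM wmiprvse.exe 4020 CreateFile C:\Windows\System32\tzres.dll SUCCESS
6:39:45.1278600 AM wmiprvse.exe 4020 CloseFile C:\Windows\System32\tzres.dll SUCCESS
6:39:45.1279000 AM example.exe 1234 CreateFile C:\Temp\example.log SUCCESS
"""

# time, AM/PM, process name, PID, operation, path (assumed to contain no spaces)
LINE = re.compile(r"(\d{1,2}):(\d\d):(\d\d)\.(\d{7}) ([AP]M) (\S+) (\d+) (\S+) (\S+)")

def to_ticks(h, m, s, frac, ampm):
    """Time of day in 100 ns ticks; Procmon prints 7 fractional digits."""
    hour = int(h) % 12 + (12 if ampm == "PM" else 0)
    return ((hour * 60 + int(m)) * 60 + int(s)) * 10_000_000 + int(frac)

def summarize(text):
    """Return [(process, pid, path, cycles, mean_cycle_us)], busiest first."""
    pending = {}                          # key -> tick of the unmatched CreateFile
    totals = defaultdict(lambda: [0, 0])  # key -> [cycles, ticks spent open]
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # blank or unparseable line
        h, mi, s, frac, ampm, proc, pid, op, path = m.groups()
        key = (proc, int(pid), path)
        tick = to_ticks(h, mi, s, frac, ampm)
        if op == "CreateFile":
            pending[key] = tick
        elif op == "CloseFile" and key in pending:
            totals[key][0] += 1
            totals[key][1] += tick - pending.pop(key)
    rows = [(*key, n, ticks / n / 10) for key, (n, ticks) in totals.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for proc, pid, path, cycles, mean_us in summarize(TRACE):
        print(f"{proc} (PID {pid}) {path}: {cycles} cycles, mean {mean_us:.1f} us")
```

Opens that never see a matching CloseFile in the capture, like the constructed example.exe line, are left out of the summary.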