Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Thread Stack Disruption


  • This topic is locked This topic is locked
22 replies to this topic

#1 Kairyn

Kairyn

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 21 October 2012 - 10:56 AM

Hi,

My computer freezes for 5 seconds for up to 4 minutes (In that range.)

Sometimes it is selective applications, sometimes all of them. My explorer.exe freezes 100% of the time this occurs.

Analyzing wait chains using resource monitor (perfmon) tells me that "Threads are waiting to finish Network I/O". The thread numbers are always random and don't seem to really point anywhere... At least not that I'm aware of. (I attempted to use process explorer but had issues when trying to install the debugging tools required for viewing threads to work.)

System health checks indicate no issues. MemTest86+ reports no issues with my RAM (I ran 7 passes overnight). Voltages are within range, my computer temperature never rises over 50C... CPU usage does not spike unpredictably during a freeze or hang. Chkdsk finds no errors, bad sectors, etc... Another program I installed to look at my HDD (CrystalDiskInfo) reports that everything is working. The caps on my motherboard are not bloated or leaking. Everything is plugged in where it should be. I am not experiencing any form of data loss or corruption on my HDD. I have done a 'soft reformat' where I replaced all of my windows files (Everything else got moved to windows.old). My drivers are up to date, I do not have a program that automatically installs new ones for me and the issue did not occur upon installing a driver.

My computer's performance is actually surprisingly fast, the only issue are these intermittent freezes. I have never experienced them in the time I've used this computer until this point. The only symptom appears to be the seemingly random freezes of processes be they games, software, or native windows functions. Sometimes they report as "Not Responding" but for the most part they do not. I am able to move my mouse and make use of any other application that hasn't frozen. My computer can go for several hours without freezing before it has a period of constant freezing... These periods last for about 5-30 minutes before unhindered usage can resume.

I would reformat, but I have no method of backing up all my files externally (Around 30GB).

CatchMe reports
"detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error"

Initially I believed the issue to be a rootkit, but according to Gary (Oh My) my computer appears to be completely clean.

You can reference that topic here.
http://www.bleepingcomputer.com/forums/topic472023.html

Any help sorting the issue out would be greatly appreciated.

(I'm running Windows 7 Home Premium 64-Bit by the by.)

Edited by Kairyn, 21 October 2012 - 10:57 AM.


BC AdBot (Login to Remove)

 


#2 easyrider2

easyrider2

  • Members
  • 85 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:05:10 AM

Posted 21 October 2012 - 12:54 PM

Hi,

I am not convinced that this is the network issue but just to double check, you may disconnect your computer from the network for few hours / day and see if you encounter the same problem.

If it's not the network issue, you may possibly have problem with your graphic card overheating.

The only other thing crossing my mind is...malware infection...but in this matter I would trust the judgement and expertise of Oh My from Malware Response Team.

Best of luck.

#3 hamluis

hamluis

    Moderator


  • Moderator
  • 56,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:11:10 PM

Posted 21 October 2012 - 04:57 PM

To prevent confusion and possible changes to your system that may interfere with your malware topic...this topic is now closed.

Upon completion of your malware topic, I or someone else will reopen this topic, if you like. You can contact me or any Moderator via PM to reopen the topic upon completion/close of your malware topic.

Louis

Topic reopened...closed through my error.

Edited by hamluis, 22 October 2012 - 09:23 AM.


#4 Kairyn

Kairyn
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 22 October 2012 - 09:33 AM

Hi,

From what I understand, "Threads Awaiting to finish Network I/O" doesn't necessarily indicate an internet issue, it could potentially refer to communication between applications or an attempt to find a network path.

Regarding overheating, as I said my temperatures are all under 50C when freezes occur. There are no graphical artifacts during the freezes... Most video cards can still operate at 100C (Boiling point of water... My old GeForce 8800 would go up to 120C before I started getting problems) so I think we can safely rule that out.

I've managed to view the stacks (Strange that I wasn't able to earlier or install diagnostic tools required.. But oh well.) of the afflicted threads. Some of the 'threads' seem temporal but there's always at least one thread that accompanies every single wait chain (So I've singled those ones out.)

Here's the stack for the hanging Explorer thread.
ntoskrnl.exe!SeAccessCheckWithHint+0xb4a
ntoskrnl.exe!KeAcquireSpinLockAtDpcLevel+0x682
ntoskrnl.exe!KeWaitForMultipleObjects+0x26b
ntoskrnl.exe!MmCreateSection+0xe23
ntoskrnl.exe!ObCreateObject+0x412
ntoskrnl.exe!KeSynchronizeExecution+0x3a43
ntdll.dll!NtWaitForMultipleObjects+0xa
KERNELBASE.dll!GetCurrentThread+0x36
kernel32.dll!WaitForMultipleObjectsEx+0xb3
USER32.dll!PeekMessageW+0x1cd
DUser.dll+0x14e6
DUser.dll+0x15ef
DUser.dll+0x1565
USER32.dll!TranslateAcceleratorW+0x5e
ntdll.dll!KiUserCallbackDispatcher+0x1f
USER32.dll!WaitMessage+0xa
EXPLORERFRAME.dll!DllCanUnloadNow+0x91d
EXPLORERFRAME.dll!DllCanUnloadNow+0x2ecb9
EXPLORERFRAME.dll!DllCanUnloadNow+0x2ee47
EXPLORERFRAME.dll!DllCanUnloadNow+0x2edde
EXPLORERFRAME.dll!DllCanUnloadNow+0x5a8
SHELL32.dll!Ordinal683+0x1183c
SHELL32.dll!Ordinal767+0x484
SHELL32.dll!Ordinal890+0x7ea
SHLWAPI.dll!SHRegGetUSValueW+0x306
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x21


And here's the stack for a hanging Firefox thread.
ntoskrnl.exe!SeAccessCheckWithHint+0xb4a
ntoskrnl.exe!KeAcquireSpinLockAtDpcLevel+0x682
ntoskrnl.exe!KeWaitForMutexObject+0x19f
ntoskrnl.exe!NtWaitForSingleObject+0xb2
ntoskrnl.exe!KeSynchronizeExecution+0x3a43
wow64cpu.dll!TurboDispatchJumpAddressEnd+0x690
wow64cpu.dll!TurboDispatchJumpAddressEnd+0x484
wow64.dll!Wow64SystemServiceEx+0x1ce
wow64.dll!Wow64LdrpInitialize+0x429
ntdll.dll!LdrGetProcedureAddress+0x24117
ntdll.dll!LdrInitializeThunk+0xe
ntdll.dll!NtWaitForSingleObject+0x15
mswsock.dll+0x678c
WS2_32.dll!select+0x9f
nspr4.dll!PR_Poll+0x2a2
nspr4.dll!PR_Poll+0x12
xul.dll!?NewObjectOutputWrappedStorageStream@scache@mozilla@@YAIPAPAVnsIObjectOutputStream@@PAPAVnsIStorageStream@@_N@Z+0x33a5b
xul.dll!?NewObjectOutputWrappedStorageStream@scache@mozilla@@YAIPAPAVnsIObjectOutputStream@@PAPAVnsIStorageStream@@_N@Z+0x33b3a
xul.dll!CallWindowProcCrashProtected+0x3829


I've noticed that "ntoskrnl.exe!SeAccessCheckWithHint+0xb4a" are present in both stacks, and both of them start with ntoskrnl, so it may be an issue with ntoskrnl... However, I'm unsure of how to proceed with this information as I am fairly clueless as to how I would actually view what ntoskrnl is up to and where it might be getting stuck.

#5 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:10 AM

Posted 22 October 2012 - 10:55 AM

Hi

I have seen two things create similar behavior. They may not apply to you but it won't hurt to check.

1. Third party firewall software, though I saw none in a quick glance at your log results in the thread that you referenced.

2. A bad optical drive. Try unplugging any CD or DVD drives connected to the computer and see if the behavior goes away.

Other than that, the problem has the characteristics of an input/output device that is not responding to some request and is waiting an amount of time for a timeout message to be received. During this wait, it is stopping other things from running until a response or timeout is received.

It could be something else but looking at devices connected to the computer is a good starting point for troubleshooting it.

James

#6 Kairyn

Kairyn
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 22 October 2012 - 06:36 PM

Hi James,

Unplugging my optical seems to have significantly reduced the hangs (At least so far) but did not stop them from occurring entirely.

Any suggestions?

Kairyn

#7 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:10 AM

Posted 23 October 2012 - 12:35 AM

From reading your previous posts, I don't need to explain how tricky this problem can be :)

If it was a malfunctioning optical drive it would have gone away completely after removing it and turning the computer back on.

At this point it may be what I was referring to as "It could be something else". That something else is often an obscure permissions problem with a service and those can be hard to track and sometimes don't give you info in your event logs. I had one of these in XP once that drove me nuts.

I saw this in your logs in the virus thread...
Error - 14/10/2012 2:33:56 AM | Computer Name = Weeny-PC | Source = DCOM | ID = 10005
Description =

Could you look in your event viewer and see if there are numerous errors with DCOM with event ID 10005 and see if any of them have info in the DESCRIPTION field?
If you need instructions how to do that let us know.

James

#8 Kairyn

Kairyn
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 23 October 2012 - 08:30 AM

None, I do notice that I have 12 errors with Event ID 11 however indicating a controller error with my HDD.

Although they're all citing HDD5, when mine is cabled to SATA1. Might just be my USB that the errors are referring to.

I was also prompted on login that Hardisk SATA 1 S.M.A.R.T Bad, Backup or Replace. I reviewed the SMART data about a week ago and it checked out fine, so I'm not too sure what it's going on about but it looks like my drive suddenly needs replacing either way. :X

Edited by Kairyn, 23 October 2012 - 09:30 AM.


#9 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:10 AM

Posted 23 October 2012 - 10:27 AM

I was also prompted on login that Hardisk SATA 1 S.M.A.R.T Bad, Backup or Replace. I reviewed the SMART data about a week ago and it checked out fine, so I'm not too sure what it's going on about but it looks like my drive suddenly needs replacing either way. :X


That would certainly cause your problem. Instead of the optical drive being the one causing timeouts, it could be a failing hard drive causing them.

Backup all of your important data ASAP and then get some SMART information for us to look at and see if we can help determine if it is the cause of your problems.

To get SMART data I like
http://hddscan.com/
for a quick and simple look.

and I like
http://gsmartcontrol.berlios.de/home/index.php/en/Downloads
for a more detailed look at the SMART data.

Choose the one that suits you and let me know if you need instructions for running them.
James

#10 Kairyn

Kairyn
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 23 October 2012 - 10:40 AM

Hi James,

Here's the SMART data and an extra bit of information to boot.

smartctl 5.43 2012-06-30 r3573 [i686-w64-mingw32-win7(64)-sp1] (sf-5.43-1)
Copyright (C) 2002-12 by Bruce Allen, http://smartmontools.sourceforge.net

=== START OF INFORMATION SECTION ===
Model Family:     Hitachi Deskstar 7K1000.B
Device Model:     Hitachi HDT721010SLA360
Serial Number:    STF6L7MS3VV1YK
LU WWN Device Id: 5 000cca 35ef679ff
Firmware Version: ST6OA31B
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
Sector Size:      512 bytes logical/physical
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   8
ATA Standard is:  ATA-8-ACS revision 4
Local Time is:    Tue Oct 23 09:38:05 2012 MDT
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x00)	Offline data collection activity
					was never started.
					Auto Offline Data Collection: Disabled.
Self-test execution status:      (   0)	The previous self-test routine completed
					without error or no self-test has ever 
					been run.
Total time to complete Offline 
data collection: 		(14090) seconds.
Offline data collection
capabilities: 			 (0x5b) SMART execute Offline immediate.
					Auto Offline data collection on/off support.
					Suspend Offline collection upon new
					command.
					Offline surface scan supported.
					Self-test supported.
					No Conveyance Self-test supported.
					Selective Self-test supported.
SMART capabilities:            (0x0003)	Saves SMART data before entering
					power-saving mode.
					Supports SMART auto save timer.
Error logging capability:        (0x01)	Error logging supported.
					General Purpose Logging supported.
Short self-test routine 
recommended polling time: 	 (   1) minutes.
Extended self-test routine
recommended polling time: 	 ( 235) minutes.
SCT capabilities: 	       (0x003d)	SCT Status supported.
					SCT Error Recovery Control supported.
					SCT Feature Control supported.
					SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000b   097   097   016    Pre-fail  Always       -       196612
  2 Throughput_Performance  0x0005   100   100   054    Pre-fail  Offline      -       0
  3 Spin_Up_Time            0x0007   228   228   024    Pre-fail  Always       -       253 (Average 251)
  4 Start_Stop_Count        0x0012   100   100   000    Old_age   Always       -       387
  5 Reallocated_Sector_Ct   0x0033   100   100   005    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x000b   100   100   067    Pre-fail  Always       -       0
  8 Seek_Time_Performance   0x0005   100   100   020    Pre-fail  Offline      -       0
  9 Power_On_Hours          0x0012   099   099   000    Old_age   Always       -       9316
 10 Spin_Retry_Count        0x0013   100   100   060    Pre-fail  Always       -       0
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       369
192 Power-Off_Retract_Count 0x0032   100   100   000    Old_age   Always       -       795
193 Load_Cycle_Count        0x0012   100   100   000    Old_age   Always       -       795
194 Temperature_Celsius     0x0002   146   146   000    Old_age   Always       -       41 (Min/Max 15/48)
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0022   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0008   100   100   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x000a   200   200   000    Old_age   Always       -       0

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
No self-tests have been logged.  [To run self-tests, use: smartctl -t]


SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

Kairyn

Edited by Kairyn, 23 October 2012 - 10:42 AM.


#11 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:10 AM

Posted 23 October 2012 - 11:23 AM

Good job :)

All I see is this
1 Raw_Read_Error_Rate     0x000b   097   097   016    Pre-fail  Always       -       196612

and that value is a slippery one because all the manufacturers seem to treat it differently. I looked around my lab and I do not have a single Hitachi drive laying around so I can't say for sure. If I had to guess, the Hitachi value for those starts at 100 and goes down to 16 before it reports as failed. Yours is only at 97 so that would be far from failing.

Do you have any other drives connected that may be the culprit? If so, check the SMART on that.

If not, try a Short Test on the drive. In GSmartControl for the drive go to the PERFORM TESTS tab, choose SHORT SELF TEST and click EXECUTE and let us know if it passed. If it fails, provide the error log or the same report you posted above as it should then have the error info in it. Also, turn off and unplug the computer and make sure the cables are plugged in tightly for the drive and motherboard (switch SATA ports on the motherboard if you can).

James

#12 Kairyn

Kairyn
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 23 October 2012 - 12:22 PM

Hi James,

The test reports that it completed with no errors, and that the lifetime hours are currently at 9318.

It should also be noted that my Raw Read Error Rate dropped to 74.

Kairyn

Edited by Kairyn, 23 October 2012 - 12:24 PM.


#13 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:10 AM

Posted 23 October 2012 - 01:05 PM

Okay, it's pretty safe to assume that is the problem. You should now check into the possibility of getting the drive replaced under warranty. Let Hitachi know that it is giving you a SMART warning on boot and your SMART attribute 01 continues to degrade as you use it. That should be enough.

The SHORT TEST would have given us a specific reason (like specific mechanical problems or bad servo sectors) but there are issues that can cause RAW READ ERRORS that won't be detected by the SHORT TEST and the LONG TEST may push the drive over the edge and make it unusable so you don't want to try that until you are sure that you do not need anything on it.

How are you set for replacing that drive?
I presume it is the OS drive. Do you have Windows 7 disks for installing on a new drive?
Do you have any programs or settings that must be migrated to the new drive but you're not sure how?
Are you in a tight spot and need to try to clone this drive to a new drive in order to use the computer?

James

#14 Kairyn

Kairyn
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:11:10 PM

Posted 23 October 2012 - 01:51 PM

Hi James,

Unfortunately I no longer have warranty (It was only for a one year period.)

I have a single drive, it's my intent to format a new drive and forfeit the majority of data and put what I can onto my USB. (It's about 7.85GB.)

This is a pre-installed machine so unfortunately I do not have a Windows 7 Disc, meaning I'll need to download the iso (There's a few legitimate disc images out there) and put it onto my USB. Initially I was simply going to use my old IDE drives from my original setup but it seems I don't have the cabling, nor anywhere to connect it to with my current motherboard. I know someone who might have a spare 500GB SATA drive, so I intend to acquire one from them.

Cloning may be the easiest solution (I have 322 GB on this drive) but I've never actually gone through the process of doing that. I believe last time I even thought of doing something similar was way back in 2004 so I'm a bit clueless as to the process involved.

Kairyn

Edited by Kairyn, 23 October 2012 - 01:51 PM.


#15 James Litten

James Litten

    Ԁǝǝ˥q


  • BC Advisor
  • 1,946 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Jersey
  • Local time:12:10 AM

Posted 23 October 2012 - 02:22 PM

Hi Kairyn

I can help you with cloning if you decide to do that.

Have you tried the drive in a different SATA port on the motherboard yet or is this a laptop?

James




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users