[DigitalNomad]

Hi All,
Hoping someone can shed some light on this as I've been battling with it for a week now and run out of things to try from the usual avenues of google etc.
I have a machine that after logging onto a domain, services.exe comsumes 99% of the cpu. Now this only happens when network is connected. If I remove the network cable it doesn't occur.

UPDATE: I've just noticed that even if left at the login screen without logging it happens. It seems if the network cable is plugged in it will happend logged on to the domain or not.


I can't see anything suspicious in the HiJack this log and I've run various virus scanners and spyware scanners with no results, so I'm not thinking it is a virus but maybe a confllict somewhere. Now it's a co-workers machine so I don't know if they installed something and it happened or it just started happening. They seem to think it just started happening.

After fiddling with various things I thought I had it licked, however after leaving the machine sitting idle for 15 minutes I went back to it and the it's back again.

In process explorer when I bring up the properties for services.exe and view the threads, one with the start address of "kernal32.dllCreatethread+0x22" is the thread hogging all the CPU. Now if I click on the suspend button the cpu usage returns to normal but hogs the CPU again if I resume it. Obviously if I kill the thread the problem goes away.

Here is the thread stack:
ntkrnlpa.exe!KiUnexpectedInterrupt+0x8d
ntkrnlpa.exe!PsLookupThreadByThreadId+0x4abc
ntkrnlpa.exe!KiDeliverApc+0xb3
ntkrnlpa.exe!ZwYieldExecution+0x196c
ntkrnlpa.exe!ZwYieldExecution+0x1900
hal.dll!HalClearSoftwareInterrupt+0x34a
hal.dll!HalRequestSoftwareInterrupt+0x30
ntkrnlpa.exe!NtDuplicateObject+0x101d
ntkrnlpa.exe!ObOpenObjectByName+0xeb
ntkrnlpa.exe!LsaDeregisterLogonProcess+0xc811
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
ntdll.dll!KiFastSystemCallRet
ADVAPI32.dll!RegDeleteKeyW+0x64
umpnpmgr.dll+0x19b58
umpnpmgr.dll+0x19b41
umpnpmgr.dll+0x19e93
umpnpmgr.dll!ServiceEntry+0x5908
umpnpmgr.dll!ServiceEntry+0x640f
RPCRT4.dll!CheckVerificationTrailer+0x70
RPCRT4.dll!NdrStubCall2+0x215
RPCRT4.dll!NdrServerCall2+0x19
RPCRT4.dll!NdrGetTypeFlags+0x1c9
RPCRT4.dll!NdrGetTypeFlags+0x12e
RPCRT4.dll!NdrGetTypeFlags+0x5a
RPCRT4.dll!NdrConformantArrayFree+0x42e
RPCRT4.dll!NdrConformantArrayFree+0x28b
RPCRT4.dll!I_RpcBCacheFree+0x14c
RPCRT4.dll!I_RpcBCacheFree+0x5e3
RPCRT4.dll!I_RpcBCacheFree+0x405
RPCRT4.dll!I_RpcBCacheFree+0x5cb
kernel32.dll!GetModuleFileNameA+0x1ba

If anyone can provide any info would be greatly appreciated.

Cheers
DN

[cluberti]

It looks like a device is causing either an insert or remove event, spinning up an interrupt that isn't being handled properly. Do you have the process monitor .pml file to share?

[DigitalNomad]

I've tracked to a file ccmsetup.exe, which I believe is Client Configuration Manager. Evertime this file is it causes the cpu usage issue. Have tried uninstalling to no avail. As a test I deleted this file which worked for a while then somehow it was back. You'll notice in the log that msiexec.exe is called which I think is re-installing ccmsetup.exe.

Don't know if that helps.

I have the pml file but it's 253MB Any idea how I shrink it?

Thanks for your time

[submix8c]

ccmsetup info -
http://technet.microsoft.com/en-us/library...2(printer).aspx
just so you know how it works...

[MagicAndre1981]

@DigitalNomad

try to compress it with 7zip as a 7z archive with Ultra compression.

[DigitalNomad]

Thanks for the replies guys.

Magic:
I did try that, but the file was still way to large. I'm suprised that it is so big for about a minute worth of gathering data. I can save it as a csv though I don't know what the readablity of it will be?

Submix8c:
Thanks for the link. I had already looked at that. Like I mentioned I've been scouring the net for answers for the past week or so.. All our machines run the configuration manager but none of the them other behave like this, nor do they have ccmsetup.exe actually running continually like this machine.

This post has been edited by DigitalNomad: 19 November 2009 - 03:30 PM

[MagicAndre1981]

compress it and upload it to a 1Clickhoster like RS, megashare or zippyshare and post the link here or send it in a PM to cluberti.

[cluberti]

PM sent with upload location.

[DigitalNomad]

cluberti, on Nov 20 2009, 08:24 AM, said:

PM sent with upload location.

Thanks cluberti,
Tried to login but get login error: "530 login failed"

Thanks

UPDATE: I have uploaded it here for you.

http://www22.zippysh...92379/file.html

Thanks again

This post has been edited by DigitalNomad: 20 November 2009 - 06:31 AM

[cluberti]

It seems services.exe is failing to delete or read the following registry key, over, and over, and over,.... you get the picture:

Date & Time:	11/19/2009 12:14:57 PM
Event Class:	Registry
Operation:	RegOpenKey
Result:	ACCESS DENIED
Path:	HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000\LogConf
TID:	348
Duration:	0.0000229
Desired Access:	Delete

Date & Time:	11/19/2009 12:14:57 PM
Event Class:	Registry
Operation:	RegDeleteKey
Result:	CANNOT DELETE
Path:	HKLM\System\CurrentControlSet\Enum\Root\*SMS_MOUSE\0000
TID:	348
Duration:	0.0000056

Seems like you might want too look at the permissions of the registry keys under \*SMS_MOUSE\ on that machine, as there are literally thousands of these events and this is the only place where the process gets "stuck". Given that the stack is similar to the one you posted above, this is the likely culprit.

[DigitalNomad]

Thanks for that cuberit. Really aprreciate you taking the time to help out. I'll look into that. I beleive that SMS mouse has something to do with the remote mouse function but I'll dig a little further and see what I can find.

Thanks to others that have also taken the time to post.