Mark's Blog

> Because I want access to detailed information about system processes, as well as my own, I also specify the /e option on Vista, which causes Windows to present a UAC prompt on logon that allows me to grant Process Explorer administrative rights

Somewhat off-topic, but what's your opinion of using Vista's Task Scheduler to launch applications at startup/login with elevated privileges?

I use this technique to start Task Manager* elevated without facing a UAC prompt.

*: No offence, but I start Process Explorer for the heavy stuff and leave task manager running always.

Imagine that you tried to get this fixed through the support form on the vendor's web site. That way we would have known if tech-savvy people who don't have a "hardware ecosystem team" to turn to also could manage to get something like this resolved in such a delightful way as you did.

Cheers,

David

Mark,

The /mimimize switch for process explorer is actually /t, at least for current version :).

Great post, BTW!

Excellent Article!!  Thank's Mark!

Thanks for the great article, especially the kernrate and xperf tools.

I quite like ThreadMaster as a tool/workaround for flattening out CPU spikes, but it's not a match for quality debugging.

Now I've just got to work out how I'm going to hook up kernrate/xperf via Powershell to my MRTG graphs...

Thanks!  Now I know what's causing my problems and was able to repro with the same results as you.  Feel like sharing that driver?  :)

What about KernRate for Windows Server 2003 x64 ?

Perhaps you can find it on Microsoft.com

I found http://www.nynaeve.net/?p=132

Heh; I'm having a weird issue with my Dell laptop too (like Geoff), narrowed it down to System Process - and my suspicion has been that it's the dang broadcom driver, but I've been unable to dig in any deeper.  

(seems to be worst when I'm connected via wireless, and when I'm transferring large files, and especially, when I'm in my living room, where my wireless signal isn't the best; the CPU spikes, then the connection drops - when the system gets into this "state", I can't even shut down gracefully.  Won't even ctrl-alt-del, just hangs).

I'm very much looking forward to the new driver, hopefully that fixes it.

I'd like to learn how to set up a Symbol server and load symbols, so I don't run into the troubleshooting "brick wall" for these kernel-mode driver cases.

nice post, good to see a lot of explanation and background info for the concepts you talk about - that helps a lot when trying to understand it all.

Brilliant!  This problem has been plaguing me for a couple of years.  I was hoping you'd blog about it.

Unfortunately in the case of a Compaq Presario X1000, X1010 laptop, the intermittent spikes weren't so easily diagnosed. The problematic driver simply never rose to the top of the list. Ended up chasing all kinds of Red Herrings. Regardless, the spikes were severly disruptive and halted mouse, audio, video and drive activity for about a 1/4 sec on each occurance; spikes occuring about 2-3 seconds apart for up to 30 seconds during each "fit". The fits were anywhere from two up to five minutes apart.  Forget watching videos.  Tried stripping down the machine's drivers and services, disabling devices, new drivers, OEM drivers, old drivers, chipset, audio, video, NIC, WLAN, BlueTooth, CardReader, USB Hubs, new Video ROM, new BIOS, etc, etc... lots of time.

To keep a longer story short, I eventually noticed that the spikes did NOT occur in Safe Mode, but DID occur in Safe Mode WITH Networking.  In Safe Mode with Networking, the problematic driver like oil in water indeed rose to the top-three on the list; versus being near the bottom.  HAL, W70N51, NTOSKRNL

What was it ?  

c:\windows\system32\drivers\w70n51.sys:

       Verified:       Signed

       Signing date:   4:00 PM 7/21/2006

       Publisher:      Intel« Corporation

       Description:    Intel« PRO/Wireless LAN Driver

       Product:        Intel« PRO/Wireless LAN Adapter

       Version:        1.0.0.0

       File version:   1.2.4.41

       Original Name:  w70n51.sys

       Internal Name:  w70n51.sys

       Copyright:      Copyright ¬ Intel« Corporation 2005

       Comments:       NDIS 5.1 Miniport Driver

       File Index:     0x00150000

       Links  :        1381240

Same problem with the newest drivers from Compaq/HP and newest available from the Intel Website.  I'll try the oldest drivers I can find but I've spent enough time on this already.

For others, Start Menu --> RUN --> type "CMD.Exe" --> OK button.

At the command console prompt type:

sc config w70n51 start= disabled

Reboot for the driver to be disabled. (it can't be stopped) USB NICs are available for as little as $20 on eBay.

Can't express enough appreciation for your help Russonivich.  Thanks. :-)

-Marc

I too have had issues with Broadcom Gb ethernet drivers. We built a Dell Dual Xeon server system purely to host a SQL 2005 server (for use with MS Business Contact Manager) on Win2003. It worked fine during testing, but when deployed suffered from excessive sessions of 100% CPU usage (often for hours), during which time users suffered slow and stuttery Outlook 2007.

Spent ages fiddling with SQL, no effect then one day figured out via the SQL Dashboard, that SQL was spending excessing time on network I/O (about 80% time).

Updating the Broadcom network driver, as you did, and bingo CPU usage is hardly moves, except at 8.30am - 9am as users connect.

Very nice to see a short, real-world example using Kernrate - since using it to check where time was spent in a UMDF vs. WDM driver, I had almost fogotten about it.

Yes, also my Vista laptop is sometimes sluggish (just micro-freezed a second ago again!), and thanks to this post I will use Process Explorer and Kernrate to check out why.

And as I'm already writing: Thank you (both) for the excellent, "slim" and extremely useful Windows system tools you give us admins and developers (for free!) for all these years.

Back in 1997, when working in admin + 2nd level support, tools like filemon and regmon were often essential for finding the root cause of a problem. They were certainly much quicker than the available alternative - debugging and/or trying to profile a foreign application.

One thing has not changed in all these years: the "Sysinternals" tools - today e.g. Process Explorer and Process Monitor - are extremely useful. These days I use them for driver and application maintenance: e.g. with WinObj I could finally *verify* that our "mutants" were active and properly named.

This blog - and the webcast you link to above - make it much easier to grasp their potential by giving real-world examples.

To sum up: Thanks! (A lot!)

(...and sorry for the long post)

Nice investigation! As always :)

RaFi, Kernrate is part of the Windows Server 2003 Resource Kit Tools and works very well on x64 platforms.

Mark, thanks for this, just the advice on getting Process Explorer running on boot was invaluable; a 450mHz Pentium III is at full stretch with XP.

For the person who asked earlier about the processor usage of ProEx, it is 1%-2% on my rather elderly machine.

Awesome article! Unfortunately, we are all stretched so thin in IT that we rarely have the time to become such experts in this area. Mark, makes it sound so easy ( That is why he has a Ph.d ), however any Systems administrator knows how difficult such a problem is to isolate, and even more so, it it is intermittent.

Jose Medeiros

San Jose, CA

I run Process Explorer as a service when the machine boots by using Microsoft's SrvAny.  

It not only ensures that Process Explorer is running every time the machine boots it also allows me to logon as a normal User and have Process Explorer running as NT AUTHORITY\SYSTEM.

I also have an AT command set to run it at 7am everyday so if it has exited the previous day its there running again each morning again.

If \HKEY_USERS\...\Sysinternals\Handle\EulaAccepted = 0 in the Registry, then handle.exe /accepteula does not work correctly.

Hey Mark,

Thanks for the interesting post.

I had the same problem and following your article I was able to detect that my b57nd60a.sys driver is causing the same problem. I have a HP laptop, but apparently it has the same network card by Broadcom. I have version 10.10 of the driver and I am now waiting for HP to release a new driver.

Since I have a 64bit Vista, I used xperf. This is what I have done:

1) Installed Windows Performance Tools Kit from the link you provided

2) ran: C:\Program Files\Microsoft Windows Performance Toolkit>xperf -start -on diag

3) ran: C:\Program Files\Microsoft Windows Performance Toolkit>xperf -stop -d c:\temp\result.etl

4) Opened the ETL file in the viewer.

5) Clicked "Summary Table" on a CPU graph.

6) Expanded until I found the problematic item.

Very interesting indeed.

Regards,

Arik.

Mark,

I am sending out a prayer.

All I ask is that Windows 7's top priority is speed. It should be faster than XP.

Vista was never even an option for me after I discovered lower benchmarks across the board.

Within my circle of friends, not a single one even considers Vista an option due to its performance problems.

Don't release Windows7 until you've got a codebase that is faster than XP, period.

I found the article very helpful, so thanks Mark.  Looking beyond desktop machines, can this be implmeneted to troubleshoot servers as well?  Working in an organisation that serves internet web applications, is there any way to run these tools remotely rather than from the environment itself?

Look forward to you next article.

Thank you,

I couldn't figure out what was causeing my father's computer to run so slowly. When I used process explorer it showed that the Interupts were running at >75%. When I looked in detail using kernrate I saw that hal was using almost twice as much time as the kernal itself. When I looked at hal in the detailed view from kernrate it was mostly harddrive related commands.

Further investgation showed that somehow the primary IDE controller was in PIO instead of DMA. Once I uninstalled the device and bounced the box everything worked great. The harddrive was running in DMA5 once more, and idle system processes were back below 4%. I would never have figured out this error without sysinternals and watching your presentation of how to use the tools.

Mark

I remember seeing a video demonstration on the Microsoft site for using Procexp. Do you happen to kown the URL or how I can access the demo again.

Great tool, I am trying to sort out an issue with Windows media player (The player is halted by high CPU usage from some where for about 0.5 - 1 sec always around 3/4 of the way through the track?)

I have used Procexp to indentify the thread, but cannot get much further.

Any help welcomed

Regards

Mark

This happens because the hardware vendor will configure every possible driver for the entire machine to be loaded and enabled even for devices you do not use.

As a plea for help, can we get a Windows version with a user friendly way to disable drivers and services for parts that are not needed?

Some examples:

Zero configuration wireless networking service

Windows image acqusition (WIA) service

SSDP discovery service

FAX service

etc.

Our standard desktop is severely slowed down by the extra RAM usage used by the unneeded processes and drivers.

Lastly,  can some of the always loaded processes (e.g., print spooler) be put into a hibernate mode where they use minimal memory until a print request comes in from the user?  Spooler is using 9mb of RAM on a machine booted 1 hour ago where there has been no print jobs started.  

I have the same exact issue described in this article with my Inspiron 1525.  Occasionally the Broadcom driver takes up 50% of both cores of my Core2Duo 2.0Ghz and will not fix itself until the system is restarted.  Sending/recieving in Microsoft Outlook 2007 reproduces this error every time for me.

Is there a way I can fix this?  I'm at my wits end.  Mark makes reference to a 'fixed driver' he recieved but I cannot find it anywhere.

MUCH THANKS FOR ANY HELP!

I installed the newest Vista driver (10.82.0.0a) on my Dell Precison M70 from Broadcom's site menitoned above. Since then all peaks on the system process disappeared. Thanks!!!

I've noticed that the system process has been using 17% of my cpu for some time now.  I finally got around to kernrating it, and lo-and-behold it was the same Broadcom driver.  Installing the new version has made the system process nice and quite again.  Thanks Mark!

P.S. I couldn't get xperf to admit that the Broadcom driver was at fault, perhaps I didn't specify the correct logging option.

Wow, amazing how quickly problems get solved when people share each other's secrets a la open source.  Microsoft acts internally more like open source, and expects the public not to.  Or perhaps everybody gets PDBs just for the asking.

Mark,

How about adding something like a "Monitor drivers" feature to Process explorer where it uses the same sequence of debugging steps to maintain a list of non-microsoft device drivers that frequently use a lot of cpu?  I know some would always be expected to show up but perhaps these can be marked as known and then unknown ones highlighted?  This idea needs refining but might be worth adding,

Cheers,

Akaz

Thanks for troubleshooting and in the replies the link to the Broadcom vanilla driver.

From Wireshark, I noticed this seemed to be happening when Outlook 2007 was trying to talk RPC/DCE to the Exchange server.  There was a repetitive 4 packet transaction, not sure what either Outlook or the server trying to do or why this affected the BroadCom card.

Marc,

THANKS!

Intuit,

THANKS!

Between the two of you I didn't even need to track the bastard intel 2100 crappy driver down. I first attempted the broadcom 57x driver to no avail. Saw Intuits post and tried that. Bingo!

Nice article. Having used Kernrate, a mention of krview would have been nice. I have seen the reports generated by krview is very informative and a nice document to send it across for further analysis. I wonder why Microsoft is not coming up with a x64 version kernrate. Though this is OT, I am using this thread to bring to your attention and hope you can use your contacts inside to do something about this. I have not tried xperf yet as I use XP...

Great article. I had CPU spiking up on the system process and went through your diagnostic process. It turned out to be the same Broadcom driver that was causing the issue. I downloaded the latest driver and the issue is resolved now.

Many Thanks.