StevenWhiting.com

A place for info I've learnt in IT & stuff. (I get a little kick back from affiliate ads & links, just so you are aware)

Browsing Posts published on February 9, 2019

Another old one from the XP days and I believe this was Outlook 2010.

Two users would kept getting this Outlook popup every few minutes. Very helpful message “A program”. Would be good if it could report what program had invoked it.

Outlook Message

So I fire up Process Monitor and take a trace. Once I stop the capture I take a look. I assume it’s a not registry issue so I filter all reg entries out.

You can quickly do this by just clicking the registry icon

Filter buttons

This now filters out all the reg entries in the trace.

I then filter out just Outlook to see if there is anything obvious and see these entries.

Outlook filtered

I pick the first TCP entry and press CTRL+B to bookmark it. I then go and turn the Outlook filter off so all other entries reappear. I do this to see what is going on around that time other than Outlook and I bookmark it in case I lose my place.

This reveals the app that appears to be invoking this and causing the popup

More filters

The piece of Crapita (sorry I mean Capita https://en.wikipedia.org/wiki/Capita) software appears to be reference the Outlook Object Library and then I see Outlook trying to connect to the exchange server. These all correspond with the pop-up. Speaking to the person who supported the Crapita app they discovered there was an issue on the server that was causing CapitaEVForms to do this. Once disabled the message stopped.

It appears if an external app attempts to invoke Outlook without permission or as in this case, access the address book without being “Trusted” then Outlook pops up a warning in case the access was malicious.

This is an old case from XP days, back in 2011. And a perfect example of David Soloman’s saying “Check Process Explorer AND Process Monitor”. It’s possible the cause will show in one but not the other as happened in this incident.

We had several users that would try to access network shares and then Explorer would hang for minutes. Eventually populating all the files that were on the share and giving the user access. This wasn’t always happening so when it did, instead of giving me time to troubleshoot I was ordered “Just rebuild the machine”.

Annoying. That isn’t fixing the issue, it’s just delaying it until it happens again. It was deemed quicker than finding out what was causing the issue. I disagreed. Having kit sat on the shelf waiting to be swapped out was all fine and good, but it still wasted their time. As they had to login to a new machine, set other settings up, wait for updates if the standby machine hadn’t been update recently etc.

The only troubleshooting I’d been given time to do was using Process Explorer. I could see Explorer running at 50% every time the issue happened. But why?

Explorer running a 50%

FINALLY, the day came where my manager had the issue and she was going on leave for 2 weeks. “Alright, use my laptop to see what you can find”.

Did you read that? Laptop, that was a key, all the users affected were on laptops. Hmm.

So when a process starts its made up of threads and stacks. So although it looks like “Explorer” is running at 50% and Task Manager showed this, Task Manager won’t show you the threads of stacks. I was able to reliably recreate the issue, finally so ran Process Monitor. Nothing. Just filtering Explorer at the time didn’t show anything obvious.

So I turned back to Process Explorer. Let’s look at the threads. Bingo.

A .dll that isn’t explorer.exe is running within the thread and it’s actually that .dll that is running at 50% NOT explorer.exe as crappy Task Manager shows. This is why Task Manager, even in Windows 10, is pretty useless.

Threads

PGP. That is familiar. That’s are encryption software we use on the laptops. We see this by clicking Module which takes you to the .dll’s properties.

Properties of a dll

So is this .dll important? We can’t not encrypt the laptops. Maybe there’s a patch. Despite it showing as PGP Corporation, Symantec had already bought them out at that point. So I did a Google search. And we find this

https://support.symantec.com/en_US/article.TECH149635.html

It states there are rare issues where this .dll can cause an issue and the work around is to unregister the .dll

Is that safe? Yes, all the thing did was search network drives for files that had been encrypted with PGP so it can then change the icon to show it’s encrypted. Pointless!

So any user that then ran into the issue I’d connect to their machine, run CMD as admin, then run the unregister command

regsvr32 /u PGPfsshl.dll

And that’s it. Explorer would no longer hang for minutes and the user could carrying on with their work. All within 5mins. 5mins compared to swapping out their laptop with a replacement. And that is why it is helpful to give your engineers time to find the cause of a problem and then a solution or work around. As most often, that can be a quicker fix that just a rebuild.