{"id":1816,"date":"2019-02-09T21:45:58","date_gmt":"2019-02-09T21:45:58","guid":{"rendered":"https:\/\/stevenwhiting.com\/blog\/?p=1816"},"modified":"2019-02-11T14:28:11","modified_gmt":"2019-02-11T14:28:11","slug":"the-case-of-the-hanging-explorer","status":"publish","type":"post","link":"https:\/\/stevenwhiting.com\/blog\/?p=1816","title":{"rendered":"The Case Of The Hanging Explorer"},"content":{"rendered":"\n

This is an old case\nfrom XP days, back in 2011. And a perfect example of David Soloman’s saying\n“Check Process Explorer AND Process Monitor”. It’s possible the cause\nwill show in one but not the other as happened in this incident.<\/p>\n\n\n\n

We had several users\nthat would try to access network shares and then Explorer would hang for\nminutes. Eventually populating all the files that were on the share and giving\nthe user access. This wasn’t always happening so when it did, instead of giving\nme time to troubleshoot I was ordered “Just rebuild the machine”.<\/p>\n\n\n\n

Annoying. That isn’t\nfixing the issue, it’s just delaying it until it happens again. It was deemed\nquicker than finding out what was causing the issue. I disagreed. Having kit\nsat on the shelf waiting to be swapped out was all fine and good, but it still\nwasted their time. As they had to login to a new machine, set other settings\nup, wait for updates if the standby machine hadn’t been update recently etc.<\/p>\n\n\n\n

The only\ntroubleshooting I’d been given time to do was using Process Explorer. I could\nsee Explorer running at 50% every time the issue happened. But why?<\/p>\n\n\n\n

\"\"<\/a>
Explorer running a 50%<\/figcaption><\/figure>\n\n\n\n

FINALLY, the day\ncame where my manager had the issue and she was going on leave for 2 weeks.\n“Alright, use my laptop to see what you can find”.<\/p>\n\n\n\n

Did you read that?\nLaptop, that was a key, all the users affected were on laptops. Hmm.<\/p>\n\n\n\n

So when a process\nstarts its made up of threads and stacks. So although it looks like\n“Explorer” is running at 50% and Task Manager showed this, Task\nManager won’t show you the threads of stacks. I was able to reliably recreate\nthe issue, finally so ran Process Monitor. Nothing. Just filtering Explorer at\nthe time didn’t show anything obvious.<\/p>\n\n\n\n

So I turned back to\nProcess Explorer. Let’s look at the threads. Bingo.<\/p>\n\n\n\n

A .dll that isn’t\nexplorer.exe is running within the thread and it’s actually that .dll that is\nrunning at 50% NOT explorer.exe as crappy Task Manager shows. This is why Task\nManager, even in Windows 10, is pretty useless.<\/p>\n\n\n\n

\"\"<\/a>
Threads<\/figcaption><\/figure>\n\n\n\n

PGP. That is\nfamiliar. That’s are encryption software we use on the laptops. We see this by\nclicking Module which takes you to the .dll’s properties.<\/p>\n\n\n\n

\"\"<\/a>
Properties of a dll<\/figcaption><\/figure>\n\n\n\n

So is this .dll\nimportant? We can’t not encrypt the laptops. Maybe there’s a patch. Despite it\nshowing as PGP Corporation, Symantec had already bought them out at that point.\nSo I did a Google search. And we find this<\/p>\n\n\n\n

https:\/\/support.symantec.com\/en_US\/article.TECH149635.html<\/a><\/p>\n\n\n\n

It states there are\nrare issues where this .dll can cause an issue and the work around is to\nunregister the .dll<\/p>\n\n\n\n

Is that safe? Yes,\nall the thing did was search network drives for files that had been encrypted\nwith PGP so it can then change the icon to show it’s encrypted. Pointless!<\/p>\n\n\n\n

So any user that\nthen ran into the issue I’d connect to their machine, run CMD as admin, then\nrun the unregister command<\/p>\n\n\n\n

regsvr32 \/u PGPfsshl.dll<\/code><\/p>\n\n\n\n

And that’s it.\nExplorer would no longer hang for minutes and the user could carrying on with\ntheir work. All within 5mins. 5mins compared to swapping out their laptop with\na replacement. And that is why it is helpful to give your engineers time to\nfind the cause of a problem and then a solution or work around. As most often,\nthat can be a quicker fix that just a rebuild.<\/p>\n","protected":false},"excerpt":{"rendered":"

This is an old case from XP days, back in 2011. And a perfect example of David Soloman’s saying “Check Process Explorer AND Process Monitor”. It’s possible the cause will show in one but not the other as happened in … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[75,200],"class_list":["post-1816","post","type-post","status-publish","format-standard","hentry","category-it-notes","tag-processexplorer","tag-sysinternals"],"_links":{"self":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1816","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1816"}],"version-history":[{"count":5,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1816\/revisions"}],"predecessor-version":[{"id":1849,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1816\/revisions\/1849"}],"wp:attachment":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1816"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1816"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1816"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}