Zuxo
asked on
Win2K slowdown problem.
Hi,
I have Win2K that experiences a random slowdown.
On checking the proccessor graph it shows 100% useage at random times.
There are no specific programs that can cause this and with a reboot the problem goes away until the next time which can be in minutes or several hours.
The only regular occurance when I can confirm is by trying the control panel and performing a sound test which comes back with the program not responding message.
The proccess that is running at 100% is the ntoskernel.exe.
I have performed all the usual tests for virus's etc.
All the microsoft updates are installed.
There are appears to be no common point when it started doing this.
Once rebooted it performs flawlessly.... for a while. 8-((
Any ideas how to procceed in fault finding from this point?
Regards,
Zuxo
I have Win2K that experiences a random slowdown.
On checking the proccessor graph it shows 100% useage at random times.
There are no specific programs that can cause this and with a reboot the problem goes away until the next time which can be in minutes or several hours.
The only regular occurance when I can confirm is by trying the control panel and performing a sound test which comes back with the program not responding message.
The proccess that is running at 100% is the ntoskernel.exe.
I have performed all the usual tests for virus's etc.
All the microsoft updates are installed.
There are appears to be no common point when it started doing this.
Once rebooted it performs flawlessly.... for a while. 8-((
Any ideas how to procceed in fault finding from this point?
Regards,
Zuxo
ASKER
Thanks Pete,
I have used that program, that's how I found out that it was the ntoskernel that was running at 100% but I still don't know why. 8-((
It didn't seem to indicate what was being run by the kernel at that time.
What I did to cause the slow down whilst testing was simple things like opening a finance package or using windows explorer or even running a sound test.
All of those would cause a major slowdown at some times but at others the same test showed no problems....
Bit weird isn't it?
Zuxo
I have used that program, that's how I found out that it was the ntoskernel that was running at 100% but I still don't know why. 8-((
It didn't seem to indicate what was being run by the kernel at that time.
What I did to cause the slow down whilst testing was simple things like opening a finance package or using windows explorer or even running a sound test.
All of those would cause a major slowdown at some times but at others the same test showed no problems....
Bit weird isn't it?
Zuxo
Quick question are you running IIS, SQL or SUS??
Mike
Mike
it seems that you are infected by some trojan, worm and virus which is not recognized by your AV.
it is possible for you to provide us the list of services running at the time of slow down, so i can figure out what service is playing with your ntoskernal.
but first try Ad-aware spy removal programe to check any spy/trojan/worms effect.
regards,
Imran
it is possible for you to provide us the list of services running at the time of slow down, so i can figure out what service is playing with your ntoskernal.
but first try Ad-aware spy removal programe to check any spy/trojan/worms effect.
regards,
Imran
I disagree this does not necessarily mean a virus or spyware (although dont rule this out) this could be a memory leak or custom static files that can cause excess memory usage on the server
Do you run any of the above applications on the server or have you recently installed any other software
see http://www.windowsitpro.com/Article/ArticleID/25574/25574.html for an example of a memory leak/excess mem usage issue. I had the same problem on a SUS Server about 5 mins after SUS was installed.
Regards
Michael
Check Performance monitor on the server and check for some of the couters below....
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/core/fnec_evl_LLCW.asp
Do you run any of the above applications on the server or have you recently installed any other software
see http://www.windowsitpro.com/Article/ArticleID/25574/25574.html for an example of a memory leak/excess mem usage issue. I had the same problem on a SUS Server about 5 mins after SUS was installed.
Regards
Michael
Check Performance monitor on the server and check for some of the couters below....
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/core/fnec_evl_LLCW.asp
You can try doing the following.
Go into:
C:\WINNT\$NtUninstallKB835
And copy the ntoskrnl.exe
Put it on a Boot Floppy.
And copy it over to
C:\WINNT\System32
Over writting the Newer one.
Chances are one of the Updates that you did might have caused this file to
Become corrupted.
HTH
Carrzkiss
Go into:
C:\WINNT\$NtUninstallKB835
And copy the ntoskrnl.exe
Put it on a Boot Floppy.
And copy it over to
C:\WINNT\System32
Over writting the Newer one.
Chances are one of the Updates that you did might have caused this file to
Become corrupted.
HTH
Carrzkiss
ASKER
Hi Carrzkiss,
Thanks for the advice I'll give a go!
The list of running progs will be up as soon as I can get the list in a readable order. 8-((
Zuxo
Thanks for the advice I'll give a go!
The list of running progs will be up as soon as I can get the list in a readable order. 8-((
Zuxo
ASKER
Processes running on the computer SPLINTERS
Name Executable Priority Threads CPU Usage MEM Usage Started
[System Process] [System Process] Low (0) 1 0 0 K 06/05/2005 16:45:37
ATI External Event Utility EXE Module (Ati2evxx.exe) C:\WINNT\system32\Ati2evxx
ATI External Event Utility EXE Module (Ati2evxx.exe) C:\WINNT\system32\Ati2evxx
Symantec Common Client CC App (ccApp.exe) C:\Program Files\Common Files\Symant Normal (8) 17 0 15556 K 06/05/2005 16:46:41
Symantec Event Manager Service (ccEvtMgr.exe) C:\Program Files\Common Files\Symant Normal (8) 17 0 3920 K 06/05/2005 16:46:44
Common Client* (ccPwdSvc.exe) C:\Program Files\Common Files\Symant Normal (8) 3 0 2752 K 06/05/2005 16:47:44
Microsoft Indexing Service (cidaemon.exe) C:\WINNT\System32\cidaemon
Microsoft Index Service Helper (cisvc.exe) C:\WINNT\System32\cisvc.ex
ACE* (cli.exe) C:\Program Files\ATI Technologies\ATI Normal (8) 19 0 11820 K 06/05/2005 16:46:45
Microsoft Client/Server Runtime Server Subsystem (csrss.e C:\WINNT\System32\csrss.ex
eBay Toolbar Daemon* (eBayTBDaemon.exe) D:\eBay Toolbar2\eBayTBDaemon.exe Normal (8) 5 0 7784 K 06/05/2005 16:46:44
Program Manager C:\WINNT\explorer.exe Normal (8) 12 0 5532 K 07/05/2005 20:06:25
Microsoft AntiSpyware (Beta 1)* (gcasDtServ.exe) C:\Microsoft AntiSpyware\gcasDtServ.e Normal (8) 5 0 10856 K 06/05/2005 16:46:51
Microsoft AntiSpyware (Beta 1)* (gcasServ.exe) C:\Microsoft AntiSpyware\gcasServ.exe Low (4) 5 0 7492 K 06/05/2005 16:46:45
Ghoststarttrayapp (GhostStartTrayApp.exe) C:\Program Files\Norton SystemWorks\ Normal (8) 1 0 1316 K 06/05/2005 16:46:42
GHOSTS~2.EXE C:\PROGRA~1\NORTON~1\NORTO
hpgs2wnf Module* (hpgs2wnf.exe) C:\Program Files\Hewlett-Packard\HP Normal (8) 4 0 3784 K 08/05/2005 15:45:06
Input Locales (internat.exe) C:\WINNT\system32\internat
Local Security Authority Service (lsass.exe) C:\WINNT\system32\lsass.ex
Logitech WingMan Software* (Lwpevntm.exe) C:\PROGRA~1\Logitech\WINGM
Mmkeybd (MMKeybd.exe) C:\Program Files\Netropa\Multimedia K Normal (8) 4 0 4156 K 06/05/2005 16:46:43
Windows Installer Component (msiexec.exe) C:\WINNT\system32\msiexec.
WMDM PMSP Service (MsPMSPSv.exe) C:\WINNT\system32\MsPMSPSv
Windows Task Scheduler (MSTask.exe) C:\WINNT\system32\MSTask.e
Norton AntiVirus Auto-Protect Service (navapsvc.exe) C:\Program Files\Norton SystemWorks\ Normal (8) 9 0 3956 K 06/05/2005 16:47:20
Microsoft Windows Network DDE server (netdde.exe) C:\WINNT\system32\netdde.e
Netropa Hotkey Server task (nhksrv.exe) C:\Program Files\Netropa\Multimedia K Normal (8) 3 0 1072 K 06/05/2005 16:45:56
Nopdb (nopdb.exe) C:\PROGRA~1\NORTON~1\SPEED
NPROTECT.EXE C:\Program Files\Norton SystemWorks\ Normal (8) 24 0 9840 K 06/05/2005 16:47:25
OnScreen Display System Tray icon (OSD.exe) C:\Program Files\Netropa\Onscreen Dis Normal (8) 2 0 1816 K 06/05/2005 16:46:45
Remote Registry Service (regsvc.exe) C:\WINNT\system32\regsvc.e
Dantz Development Retrospect Backup (retrorun.exe) C:\Program Files\Dantz\Retrospect Exp Normal (8) 5 0 6820 K 06/05/2005 16:46:08
Windows Service Controller (services.exe) C:\WINNT\system32\services
Session Manager Subsystem (smss.exe) C:\WINNT\System32\smss.exe
Microsoft SNMP Agent (snmp.exe) C:\WINNT\System32\snmp.exe
SOUNDMAN.EXE C:\WINNT\SOUNDMAN.EXE Normal (8) 1 0 1744 K 06/05/2005 16:46:40
Hi Guys,
I have checked with Adaware and Microsoft spyware and Nortons AV. No problems found.
I have run registry mechanic and cleaned up the registry but so far no improvement. 8-((
No I'm not running SUS. Although I am calling it a server it only has a laptop connected to it.
It really just as a standalone PC running Win2K Pro.
The programs running are shown below :-
Sorry it's a bit of a mess as I don't know how to get a tidy output.
Microsoft Printer Spooler Service (spoolsv.exe) C:\WINNT\system32\spoolsv.
Microsoft Still Image Service (stisvc.exe) C:\WINNT\system32\stisvc.e
Microsoft Service Host Process (svchost.exe) C:\WINNT\System32\svchost.
Microsoft Service Host Process (svchost.exe) C:\WINNT\system32\svchost.
Microsoft Service Host Process (svchost.exe) C:\WINNT\System32\svchost.
Microsoft Service Host Process (svchost.exe) C:\WINNT\system32\svchost.
Norton SystemWorks* (SymTray.exe) C:\Program Files\Common Files\Symant Normal (8) 1 0 1992 K 06/05/2005 16:46:31
System System Normal (8) 37 0 228 K 06/05/2005 16:45:37
TCP/IP Services (tcpsvcs.exe) C:\WINNT\system32\tcpsvcs.
Traymon (TrayMon.exe) C:\Program Files\Netropa\Multimedia K Normal (8) 1 0 1520 K 06/05/2005 16:46:45
Windows Logon Process (winlogon.exe) C:\WINNT\system32\winlogon
Windows Management Service (WinMgmt.exe) C:\WINNT\System32\WBEM\Win
WinTasks Pro C:\Wintasks\wintasks.exe Normal (8) 4 0 9528 K 08/05/2005 15:44:39
Report created 08/05/2005 15:57:45 by WinTasks Pro
Name Executable Priority Threads CPU Usage MEM Usage Started
[System Process] [System Process] Low (0) 1 0 0 K 06/05/2005 16:45:37
ATI External Event Utility EXE Module (Ati2evxx.exe) C:\WINNT\system32\Ati2evxx
ATI External Event Utility EXE Module (Ati2evxx.exe) C:\WINNT\system32\Ati2evxx
Symantec Common Client CC App (ccApp.exe) C:\Program Files\Common Files\Symant Normal (8) 17 0 15556 K 06/05/2005 16:46:41
Symantec Event Manager Service (ccEvtMgr.exe) C:\Program Files\Common Files\Symant Normal (8) 17 0 3920 K 06/05/2005 16:46:44
Common Client* (ccPwdSvc.exe) C:\Program Files\Common Files\Symant Normal (8) 3 0 2752 K 06/05/2005 16:47:44
Microsoft Indexing Service (cidaemon.exe) C:\WINNT\System32\cidaemon
Microsoft Index Service Helper (cisvc.exe) C:\WINNT\System32\cisvc.ex
ACE* (cli.exe) C:\Program Files\ATI Technologies\ATI Normal (8) 19 0 11820 K 06/05/2005 16:46:45
Microsoft Client/Server Runtime Server Subsystem (csrss.e C:\WINNT\System32\csrss.ex
eBay Toolbar Daemon* (eBayTBDaemon.exe) D:\eBay Toolbar2\eBayTBDaemon.exe Normal (8) 5 0 7784 K 06/05/2005 16:46:44
Program Manager C:\WINNT\explorer.exe Normal (8) 12 0 5532 K 07/05/2005 20:06:25
Microsoft AntiSpyware (Beta 1)* (gcasDtServ.exe) C:\Microsoft AntiSpyware\gcasDtServ.e Normal (8) 5 0 10856 K 06/05/2005 16:46:51
Microsoft AntiSpyware (Beta 1)* (gcasServ.exe) C:\Microsoft AntiSpyware\gcasServ.exe Low (4) 5 0 7492 K 06/05/2005 16:46:45
Ghoststarttrayapp (GhostStartTrayApp.exe) C:\Program Files\Norton SystemWorks\ Normal (8) 1 0 1316 K 06/05/2005 16:46:42
GHOSTS~2.EXE C:\PROGRA~1\NORTON~1\NORTO
hpgs2wnf Module* (hpgs2wnf.exe) C:\Program Files\Hewlett-Packard\HP Normal (8) 4 0 3784 K 08/05/2005 15:45:06
Input Locales (internat.exe) C:\WINNT\system32\internat
Local Security Authority Service (lsass.exe) C:\WINNT\system32\lsass.ex
Logitech WingMan Software* (Lwpevntm.exe) C:\PROGRA~1\Logitech\WINGM
Mmkeybd (MMKeybd.exe) C:\Program Files\Netropa\Multimedia K Normal (8) 4 0 4156 K 06/05/2005 16:46:43
Windows Installer Component (msiexec.exe) C:\WINNT\system32\msiexec.
WMDM PMSP Service (MsPMSPSv.exe) C:\WINNT\system32\MsPMSPSv
Windows Task Scheduler (MSTask.exe) C:\WINNT\system32\MSTask.e
Norton AntiVirus Auto-Protect Service (navapsvc.exe) C:\Program Files\Norton SystemWorks\ Normal (8) 9 0 3956 K 06/05/2005 16:47:20
Microsoft Windows Network DDE server (netdde.exe) C:\WINNT\system32\netdde.e
Netropa Hotkey Server task (nhksrv.exe) C:\Program Files\Netropa\Multimedia K Normal (8) 3 0 1072 K 06/05/2005 16:45:56
Nopdb (nopdb.exe) C:\PROGRA~1\NORTON~1\SPEED
NPROTECT.EXE C:\Program Files\Norton SystemWorks\ Normal (8) 24 0 9840 K 06/05/2005 16:47:25
OnScreen Display System Tray icon (OSD.exe) C:\Program Files\Netropa\Onscreen Dis Normal (8) 2 0 1816 K 06/05/2005 16:46:45
Remote Registry Service (regsvc.exe) C:\WINNT\system32\regsvc.e
Dantz Development Retrospect Backup (retrorun.exe) C:\Program Files\Dantz\Retrospect Exp Normal (8) 5 0 6820 K 06/05/2005 16:46:08
Windows Service Controller (services.exe) C:\WINNT\system32\services
Session Manager Subsystem (smss.exe) C:\WINNT\System32\smss.exe
Microsoft SNMP Agent (snmp.exe) C:\WINNT\System32\snmp.exe
SOUNDMAN.EXE C:\WINNT\SOUNDMAN.EXE Normal (8) 1 0 1744 K 06/05/2005 16:46:40
Hi Guys,
I have checked with Adaware and Microsoft spyware and Nortons AV. No problems found.
I have run registry mechanic and cleaned up the registry but so far no improvement. 8-((
No I'm not running SUS. Although I am calling it a server it only has a laptop connected to it.
It really just as a standalone PC running Win2K Pro.
The programs running are shown below :-
Sorry it's a bit of a mess as I don't know how to get a tidy output.
Microsoft Printer Spooler Service (spoolsv.exe) C:\WINNT\system32\spoolsv.
Microsoft Still Image Service (stisvc.exe) C:\WINNT\system32\stisvc.e
Microsoft Service Host Process (svchost.exe) C:\WINNT\System32\svchost.
Microsoft Service Host Process (svchost.exe) C:\WINNT\system32\svchost.
Microsoft Service Host Process (svchost.exe) C:\WINNT\System32\svchost.
Microsoft Service Host Process (svchost.exe) C:\WINNT\system32\svchost.
Norton SystemWorks* (SymTray.exe) C:\Program Files\Common Files\Symant Normal (8) 1 0 1992 K 06/05/2005 16:46:31
System System Normal (8) 37 0 228 K 06/05/2005 16:45:37
TCP/IP Services (tcpsvcs.exe) C:\WINNT\system32\tcpsvcs.
Traymon (TrayMon.exe) C:\Program Files\Netropa\Multimedia K Normal (8) 1 0 1520 K 06/05/2005 16:46:45
Windows Logon Process (winlogon.exe) C:\WINNT\system32\winlogon
Windows Management Service (WinMgmt.exe) C:\WINNT\System32\WBEM\Win
WinTasks Pro C:\Wintasks\wintasks.exe Normal (8) 4 0 9528 K 08/05/2005 15:44:39
Report created 08/05/2005 15:57:45 by WinTasks Pro
Everything looks fine.
Have you tested what I posted yet?
Have you tested what I posted yet?
ASKER
Hi Carrzkiss,
Thanks for checking that list.
No, sorry not yet, that's the next job on the list as soon as I can get time on the computer later today.
I've got a shower room to build first or the wife will be somewhat annoyed. 8-((
Zuxo
Thanks for checking that list.
No, sorry not yet, that's the next job on the list as soon as I can get time on the computer later today.
I've got a shower room to build first or the wife will be somewhat annoyed. 8-((
Zuxo
I just saw your question. Is the same thing happeing in Safe Mode or Safe Mode with Networking?
Let us know.
Let us know.
I think think at this time you run repair of your windows.
if not successful format and reinstall every thing again the last hope. :-()
regards,
Imran
if not successful format and reinstall every thing again the last hope. :-()
regards,
Imran
ASKER
Hi Folks,
Thank you for your replies.
Carrzkiss, I have put the old ntoskrnl.exe in place.
It wouldn't fit on a floppy so I have renamed the existing one then copied the old one over.
Then rebooted so hopefully that should do it. I'll have to run it for a bit and see what happens.
I will of course get back to you either way. If it work the points are yours. 8-))
SystmProg, thanks for your reply. As yet I haven't tried it is safe mode as a lot of the progs won't run but if Carrzkiss's fix
doesn't work I may have to try that but I hope there are other ways to see what it is that is causing it.
Such as viewing the running threads etc.
Michael, I still have to try the information on counters, if the above fix doesn't work I'll try that next.
Imran, thanks for your thoughts but that would definetly be a last resort. 8-((
So Guys watch this space, I'll know in a day or so if it is fixed. It usually shows up within a day depending on ow much the PC is used.
Regards,
Zuxo
Thank you for your replies.
Carrzkiss, I have put the old ntoskrnl.exe in place.
It wouldn't fit on a floppy so I have renamed the existing one then copied the old one over.
Then rebooted so hopefully that should do it. I'll have to run it for a bit and see what happens.
I will of course get back to you either way. If it work the points are yours. 8-))
SystmProg, thanks for your reply. As yet I haven't tried it is safe mode as a lot of the progs won't run but if Carrzkiss's fix
doesn't work I may have to try that but I hope there are other ways to see what it is that is causing it.
Such as viewing the running threads etc.
Michael, I still have to try the information on counters, if the above fix doesn't work I'll try that next.
Imran, thanks for your thoughts but that would definetly be a last resort. 8-((
So Guys watch this space, I'll know in a day or so if it is fixed. It usually shows up within a day depending on ow much the PC is used.
Regards,
Zuxo
ASKER
Carrzkiss, I just forgot to mention the old ntoskrnl was bigger by a few bytes than the current one!
So there must have been some kind of update or corruption that changed it?
Zuxo
So there must have been some kind of update or corruption that changed it?
Zuxo
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Carrzkiss,
Unfortunately that didn't solve the problem. 8-((
What I did find by acccident is that there is a known error with SP4 regarding 100% proccessor use.
There is a Microsoft artical stating that 100% useage can occur but you have to contact Microsoft support
for a fix as there may be more testing, so I will try that.
I can't say that I am certain that will solve the problem as SP4 was installed for some time before this problem started to occur so
we shall see.....
Watch this space...
Zuxo
Unfortunately that didn't solve the problem. 8-((
What I did find by acccident is that there is a known error with SP4 regarding 100% proccessor use.
There is a Microsoft artical stating that 100% useage can occur but you have to contact Microsoft support
for a fix as there may be more testing, so I will try that.
I can't say that I am certain that will solve the problem as SP4 was installed for some time before this problem started to occur so
we shall see.....
Watch this space...
Zuxo
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
What about Safe Mode?
ASKER
No, I've not tried it in safe mode as a lot of the progs won't run and the screen display gets badly screwed up.
That's a last resort if I can't fix it another way.
It's a case of if I can't run it as usual then most likely the fault won't show up although it is a good point I suppose just to see if
what I can run still causes the problem.
That would then eliminate some of the progs as being the problem.
Give me a chance to get the microsoft fix and see what that does.
If no luck then I'll proceed to check other counters as suggested above then safe mode as well.
I'll nail this fault even if it kills me!!!
Zuxo
That's a last resort if I can't fix it another way.
It's a case of if I can't run it as usual then most likely the fault won't show up although it is a good point I suppose just to see if
what I can run still causes the problem.
That would then eliminate some of the progs as being the problem.
Give me a chance to get the microsoft fix and see what that does.
If no luck then I'll proceed to check other counters as suggested above then safe mode as well.
I'll nail this fault even if it kills me!!!
Zuxo
ASKER
Thanks Nedvis,
There is 21gig spare on drive C, so that should be plenty.
Zuxo
There is 21gig spare on drive C, so that should be plenty.
Zuxo
Glad I could help you.
Good Luck
Good Luck
Taskmanager is all well and good (start > Run > Taskmgr.exe) but to see what programs have what processes open use....
Process Explorer
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml