  • Status: Solved

dfrgifc.exe 100% CPU usage

Hello Experts,

For a few weeks we have had a really annoying issue with our file servers. After a few days, the defrag process (C:\windows\system32\dfrgifc.exe) kicks in and pegs all the CPUs to 100% (8 of them), bringing file access to a crawl.

Background:
Windows 2003 R2 SP2 in a Microsoft cluster (Active / Active) in a 2003 level Active Directory and connected through 2 Clariions SANs.

Process explorer shows the following:
Winlogon
               \services
                               \svchost
                                             \wmiprvse.exe
                                             \wmiprvse.exe
                                             \dfrgntfs.exe
                                             \dfrgifc.exe

Also, when I check what the process is doing, it says "profiling" but I don't see any files read or written (no I/O activity).

I checked the following:
* no task is being scheduled through Task Scheduler
* no task is being scheduled through the AT command
* no other programs are installed that trigger a scheduled task
* virus scanner can't find anything
* boot optimize function is set to disabled
* prefetch is off
* index service is disabled

In order to avoid the issue, I renamed the file dfrgifc.exe to dfrgifc.exe.old and killed the process; however, I would like to have more input on this.

Any ideas would be appreciated.

Happy Holidays!
0
IdontKnow
Asked:
IdontKnow
1 Solution
 
farazhkhanCommented:
Hi,

Well, update your server with all the latest patches from the Microsoft update site if you haven't done it.

Regards,
Faraz H. Khan
0
 
IdontKnowAuthor Commented:
I forgot.. it has also been done ;o)
Same results though ;o(
0
 
arnoldCommented:
It looks as though dfrgntfs is started as part of a service.

Do you have a WMI script that triggers defrag?
http://msdn.microsoft.com/en-us/library/aa394592%28VS.85%29.aspx
0

 
IdontKnowAuthor Commented:
Nope, no WMI script. I checked all the started services but couldn't find anything related to defrag.
Is there a specific service / windows component for R2 which could do that? So far I couldn't find anything.

0
 
arnoldCommented:
It is within the same svchost as the one that starts WMI.
The script for WMI does not need to be local; it can be on a different server that is configured to start it.

The question is that it might be a DFS defrag.  Check the event logs, the services to see what starts this process.
0
 
arnoldCommented:
The dfrgifc.exe seems to be something that is run from within an application. Tried running it by itself and it just starts and goes to the background. It might be an API through which some applications direct defrag to perform various tasks, i.e. analyze, defrag.
0
 
IdontKnowAuthor Commented:
Since I have renamed the dfrgifc.exe program I get this event log:

Unable to start a DCOM Server: {17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}. The error:
"The system cannot find the file specified. "
Happened while starting this command:
"C:\WINDOWS\system32\dfrgifc.exe" -Embedding

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So far when the cpu was pegged, I couldn't run the defrag program as the system was saying that only one instance of the program can run at one time. After I renamed the program and killed the related process, I could run the defrag program.

I am not sure why the DCOM service is trying to run defrag though... any ideas?
0
 
arnoldCommented:
Check what you have installed.  Check whether you have a GPO that triggers the defrag.  From what I saw, I think you have an auto defrag or you have a setup that uses WMI to defrag.
Check what applications you have installed on the system.

Check the services i.e. stop non essential services for your server and see which takes this one out.

0
 
IdontKnowAuthor Commented:
I checked the GPOs, local policies, applications installed, startup and shutdown scripts and tried to disable / enable services with no results. Some services cannot be disabled or restarted though, like the DCOM service, which makes it hard to troubleshoot without restarting the server (which I can't now).

Something that I can't explain is why the dfrgifc.exe wasn't doing any I/O operation but was just "profiling" (I'm not sure what it means in this case) and pegging the CPU. Any idea on this?

0
 
ChiefITCommented:
Go to start>>run>> and type msconfig:

Is Defrag.exe a process set up as a startup program?

I am at my linux box. So, I don't know if your defrag services are set to automatically start at startup. I don't think they will need to start at startup since you call it when you start Defrag.
0
 
IdontKnowAuthor Commented:
I checked with msconfig however nothing related to defrag is being launched automatically... ;o(

Merry Christmas!
0
 
arnoldCommented:
It is running under svchost\wmiprvse; it is either set up to run as a service or it is being launched through WMI.

Go through programs\administrative tools\Component services\computers\my computer\dcom config\
And see what is associated with the {17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}.

On a server I checked, there is a dfrgifc DCOM object with a different ID as well as DCOM objects for Defrag FAT and Defrag NTFS.

Make sure there are no other sessions running on the system. Also check under whose credentials is the defrag running? A user, system or other account.
0
 
IdontKnowAuthor Commented:
NT Authority\System was running the process. No other sessions were running.
Couldn't find information there however in the registry I get a match:

Key Name:          HKEY_CLASSES_ROOT\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            Defrag Class

Value 1
  Name:            AppID
  Type:            REG_SZ
  Data:            {89D5C4CB-8DB6-4B8D-BB0F-FC3B91AC8FCA}


Key Name:          HKEY_CLASSES_ROOT\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\LocalServer32
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            "C:\WINDOWS\system32\dfrgifc.exe"


Key Name:          HKEY_CLASSES_ROOT\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\ProgID
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            Dfrgifc.Defrag.1


Key Name:          HKEY_CLASSES_ROOT\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\TypeLib
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            {310DD6D6-F386-4F33-9A5D-2ECE2B0AC7B0}


Key Name:          HKEY_CLASSES_ROOT\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\VersionIndependentProgID
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            Dfrgifc.Defrag

-----------------------------------------------------------------------------------------------------------------------------

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            Defrag Class

Value 1
  Name:            AppID
  Type:            REG_SZ
  Data:            {89D5C4CB-8DB6-4B8D-BB0F-FC3B91AC8FCA}


Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\LocalServer32
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            "C:\WINDOWS\system32\dfrgifc.exe"


Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\ProgID
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            Dfrgifc.Defrag.1


Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\TypeLib
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            {310DD6D6-F386-4F33-9A5D-2ECE2B0AC7B0}


Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\VersionIndependentProgID
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            Dfrgifc.Defrag




0
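The step taken in the post above, tying the CLSID named in the DCOM error to the binary registered for it, as an added example that is not part of the original thread. The inputs are trimmed copies of the event text and registry export posted here; the function names (`parse_reg_export`, `parse_dcom_event`, `resolve_clsid`, `triage`) are hypothetical.

```python
import re

# Trimmed copies of text posted in this thread (two of the exported keys).
REG_EXPORT = r'''
Key Name:          HKEY_CLASSES_ROOT\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            Defrag Class

Value 1
  Name:            AppID
  Type:            REG_SZ
  Data:            {89D5C4CB-8DB6-4B8D-BB0F-FC3B91AC8FCA}

Key Name:          HKEY_CLASSES_ROOT\CLSID\{17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}\LocalServer32
Class Name:        <NO CLASS>
Last Write Time:   9/18/2008 - 10:54 AM
Value 0
  Name:            <NO NAME>
  Type:            REG_SZ
  Data:            "C:\WINDOWS\system32\dfrgifc.exe"
'''

DCOM_EVENT = r'''Unable to start a DCOM Server: {17ED95A4-61CC-46E0-A84D-325A1CEF1C7D}. The error:
"The system cannot find the file specified. "
Happened while starting this command:
"C:\WINDOWS\system32\dfrgifc.exe" -Embedding'''

GUID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; the default value is stored as ''."""
    keys, key, name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Key Name:'):
            key = line.split(':', 1)[1].strip()
            keys[key] = {}
            name = None
        elif key is not None and line.startswith('Name:'):
            name = line.split(':', 1)[1].strip()
            if name == '<NO NAME>':
                name = ''
        elif key is not None and name is not None and line.startswith('Data:'):
            keys[key][name] = line.split(':', 1)[1].strip()
            name = None
    return keys


def parse_dcom_event(text):
    """Extract (CLSID, command line) from a 'Unable to start a DCOM Server' event."""
    clsid = re.search(r'DCOM Server:\s*(' + GUID + ')', text)
    cmd = re.search(r'starting this command:\s*(.+)', text)
    if not clsid or not cmd:
        raise ValueError('not a DCOM server start failure event')
    return clsid.group(1).upper(), cmd.group(1).strip()


def exe_path(command):
    """Executable part of a command line, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(' ', 1)[0]


def resolve_clsid(keys, clsid):
    """Collect what the export says about one CLSID, whichever hive it came from."""
    found = {}
    for path, values in keys.items():
        m = re.search(r'\\CLSID\\(' + GUID + r')(?:\\(.+))?$', path, re.I)
        if not m or m.group(1).upper() != clsid.upper():
            continue
        sub = (m.group(2) or '').lower()
        if sub == '':
            found.setdefault('description', values.get(''))
            found.setdefault('appid', values.get('AppID'))
        elif sub == 'localserver32':
            found.setdefault('server', exe_path(values.get('', '')))
    return found


def triage(event_text, reg_text):
    clsid, command = parse_dcom_event(event_text)
    info = resolve_clsid(parse_reg_export(reg_text), clsid)
    launched = exe_path(command)
    return {
        'clsid': clsid,
        'description': info.get('description'),
        'appid': info.get('appid'),
        'registered_server': info.get('server'),
        'launched': launched,
        # Same binary in the event and in LocalServer32 (compared case-insensitively).
        'matches_registration': (info.get('server') or '').lower() == launched.lower(),
        # COM passes -Embedding (or /Embedding) when it starts a local server for activation.
        'com_activation': re.search(r'(?:^|\s)[-/]Embedding\b', command, re.I) is not None,
    }


if __name__ == '__main__':
    for field, value in triage(DCOM_EVENT, REG_EXPORT).items():
        print(f'{field}: {value}')
```

A match with `com_activation` set means the launch came from a COM client activating the class, so the caller has to be found on the COM/WMI side rather than in the startup or scheduler lists.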
 
sivanovCommented:
DFRGIFC is provided for WMI to implement the DefragAnalysis() and Defrag() methods
of the Win32_Volume WMI class, to enable defragmentation and defragmentation
analysis via WMI.
Therefore the DFRGIFC.EXE process must have been invoked via WMI, probably from a
WMI script that calls Win32_Volume.DefragAnalysis(), somewhere on your network.
Please search for a MOM script designed to check disk volumes or run CHKDSK.
0
 
IdontKnowAuthor Commented:
As there is no WMI script or other VBS or program set to run on schedule, the only thing that I can think of is OO defrag, which is installed on the servers. It is supposed to run a job on Sundays from 5pm to 5am only; however, it is set to use all the resources available. Would it use the DFRGIFC and WMI to run? I don't know. I have set it up to use only part of the resources. I'll see if it kicks in and if the servers go to a crawl this week. Thank you for the hint, I'll keep you posted.
0
 
sivanovCommented:
Do you have MOM or SCOM in your environment?
A file handle is left open on the cluster disk resource when you run a MOM script on a Windows Server 2003-based cluster node.
http://support.microsoft.com/kb/924831
Check the dr.watson log  - most probably you will find there  something like
Application exception occurred:
        App: C:\WINDOWS\system32\dfrgifc.exe (pid=.....
A good way of troubleshooting can be taking a dump of the process or the memory - but it's much easier if you exclude scripts or programs which check the disk and monitor.
Beware that running a backup application when the defrag is checking and running could also be a concern.

0
 
IdontKnowAuthor Commented:
We are not using MOM nor SCOM in production so it couldn't be it. I checked the dr.watson log, however there is nothing about the process. Don't we have anything in this log if the application crashes anyway? This one doesn't, it just kicks in randomly and uses 100% CPU. In order to limit it I had to use Process Explorer to set its CPU affinity to 2 CPUs only. Maybe I'll try a memory or process dump if I can figure this out and I'll check with the backup guy on when he does his backups.
0
 
IdontKnowAuthor Commented:
Here is the result of the last process dump:

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.


Loading Dump File [C:\WINDOWS\dfrgifc5952.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: 'Userdump generated complete user-mode minidump with Exception Monitor function on nas3'
WARNING: Whitespace at start of path element
WARNING: Whitespace at start of path element
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\System32; c:\windows\system\System32; http://www.alexander.com/SymServe
Windows Server 2003 Version 3790 (Service Pack 2) MP (8 procs) Free x86 compatible
Product: Server, suite: Enterprise TerminalServer SingleUserTS
Machine Name:
Debug session time: Thu Jan 21 02:16:37.000 2010 (GMT-7)
System Uptime: 22 days 13:37:21.290
Process Uptime: 22 days 12:15:18.000
.....................
Loading unloaded module list
.
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(eec.1740): Access violation - code c0000005 (first/second chance not available)
eax=01f1edb0 ebx=010057ed ecx=0281edb0 edx=0281edb0 esi=0281f2bc edi=0281f560
eip=0100881c esp=0281ed94 ebp=0281ed94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
dfrgifc!IsExceptionObjectToBeDestroyed+0xc:
0100881c 8b08            mov     ecx,dword ptr [eax]  ds:0023:01f1edb0=????????

Not sure if someone can tell me what it means?
0
 
arnoldCommented:

http://msdn.microsoft.com/en-us/library/cc266788.aspx
http://msdn.microsoft.com/en-us/library/cc266418.aspx#ca0c8db7-0f2b-4b1a-973c-304275053ffb
try
.process (set process context)
and rerun .ecxr

The additional difficulty you do not know what starts this process in the first place in order to stop it from starting.
0
 
sivanovCommented:
Could you give some details about "OO defrag"? Could you disable it / uninstall it for some period? If you give us some details about this app we can also try to verify if it is using the built-in defrag process.
Cheers
Sv.
0
 
IdontKnowAuthor Commented:
Seems like it doesn't work:


Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
WARNING: Whitespace at start of path element
WARNING: Whitespace at start of path element
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: c:\windows\System32; c:\windows\system\System32; http://www.alexander.com/SymServe
ModLoad: 01000000 01017000   C:\WINDOWS\system32\dfrgifc.exe
ModLoad: 7c800000 7c8c2000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 77e40000 77f42000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 76a80000 76a92000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 77ba0000 77bfa000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77380000 77411000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77c00000 77c49000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7d1e0000 7d27c000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77c50000 77cef000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 76f50000 76f63000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77670000 777a9000   C:\WINDOWS\system32\ole32.dll
ModLoad: 76290000 762ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 007f0000 00ab5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 777b0000 77833000   C:\WINDOWS\system32\CLBCatQ.DLL
ModLoad: 77d00000 77d8b000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77010000 770d6000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 77b90000 77b98000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 6d470000 6d476000   C:\WINDOWS\system32\dfrgifps.dll
ModLoad: 77e00000 77e21000   C:\WINDOWS\system32\NTMARTA.DLL
ModLoad: 76f10000 76f3e000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 7e020000 7e02f000   C:\WINDOWS\system32\SAMLIB.dll
(1548.1154): Break instruction exception - code 80000003 (first chance)
eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c81a3e1 esp=00f7ffcc ebp=00f7fff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c81a3e1 cc              int     3
0:008> .ecxr
Unable to get exception context, HRESULT 0x8000FFFF
0:008> .process
Implicit process is now 7ffd9000
0:008> .ecxr
Unable to get exception context, HRESULT 0x8000FFFF
0
 
IdontKnowAuthor Commented:
OO defrag is a third party program which does scheduled defrag of the hard drives (currently set on Sundays only). More information here: http://www.oo-software.com/home/en/ We are using the server edition V. 10

I can uninstall the agent of course for a period of time to see if it helps. Doing it right now and will keep everyone posted.
0
 
sivanovCommented:
Good.
Another test could be to:
1. Download and run the Process Monitor tool from the MS site
2. Run defrag from the OO defrag app or from the client
3. See if the dfrgifc is started and check who is the parent process (when you open a line from the procmon for the process dfrgifc there is a line "Parent PID"); get the PID and check to which process it belongs
4. But anyway!!! The article from MS clearly says that for a cluster we should not play with defrag:
Modify the MOM script to make sure that the DefragAnalysis method is only called on a cluster disk resource that is owned by the cluster node.
Modify the MOM script to make sure that the DefragAnalysis method is not called in a clustered environment.
I would not play with a LIVE cluster and disk defrag; plan it carefully or remove it.
Cheers
Sv.
0
 
IdontKnowAuthor Commented:
OO defrag has been installed on the cluster since 2006 and never had any issues with it. After I uninstalled it a week+ ago everything was fine until today where the process pegged all the CPUs again and crashed at some point with the following:

Error signature:
szAppName : dfrgifc.exe     szAppVer : 5.2.3790.3959     szModName : dfrgifc.exe
szModVer : 5.2.3790.3959     offset : 00004968    

C:\DOCUME~1\syscja\Local Settings\Temp\1\WER378f.dir00\appcompat.txt

There is also a minidump C:\DOCUME~1\syscja\Local Settings\Temp\1\WER378f.dir00\dfrgifc.exe.mdmp

In the Application log I get:

event ID 1000 source App error
Faulting application dfrgifc.exe, version 5.2.3790.3959, faulting module dfrgifc.exe, version 5.2.3790.3959, fault address 0x00006d76.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
event ID 4097 source DrWatson
The application, C:\WINDOWS\system32\dfrgifc.exe, generated an application error The error occurred on 02/01/2010 @ 14:02:00.301 The exception generated was c0000005 at address 01004968 (dfrgifc!CDfrgAsyncObject::DisallowCancel)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Really odd...

I'm still looking into it and will report
0
 
IdontKnowAuthor Commented:
After I removed OO Defrag and restarted the servers I got the same issue again, hence OO Defrag is not the culprit. Something else is triggering the issue but I couldn't pinpoint what. Still looking into it.
0
 
arnoldCommented:
Based on the process list, the item seems to be being triggered via wmi or within the same svchost process list.
get process explorer from sysinternals.com and see which services are part of this group.  Disable the ones that you don't need and see if the issue remains.
0
 
IdontKnowAuthor Commented:
How do I see which services are part of the group using Process Explorer? Shall I right click on each process and select properties?
0
 
arnoldCommented:
There is no easy way, you have to disable the item one at a time since some services when activated can run within the same svchost handler.
In your diagram the process explorer displays the dfrgifc as part of the same group or subordinated to by the wmiprvse.
You might have several SVChosts events, hovering over them should provide a list of the various services that are handled by this svchost process.
0
 
IdontKnowAuthor Commented:
Just a dumb question. We are using nagios to monitor disk space on the cluster using a proxy (another windows box). Our nagios box crapped out a month or so ago and has been rebuilt. It seems like we are seeing this issue since. I believe that nagios is using wmi to get volume information. Would it be the culprit? Any ideas???
0
 
arnoldCommented:
It could if part of the check includes fragmentation which then directs the system to defrag.

Check the nagios agent file on this server to see if it has any directive/option to defrag.
0
 
IdontKnowAuthor Commented:
Unfortunately it wasn't it. Still looking though...
0
 
IdontKnowAuthor Commented:
It seems like nagios is not the trigger. We are looking into another theory. The IOPs on the Clariion may not be fast enough to answer the queries from the server, resulting in pushing the server to run a defrag analyze to check the disk fragmentation level. I'll try to update when I know more about this.
0
 
IdontKnowAuthor Commented:
This issue has not been resolved. Need other ideas to look into.
0
 
dovidmichelCommented:
IdontKnow,

Is ARCserve or any of its agents installed on this system?
0
 
IdontKnowAuthor Commented:
Arcserve is also installed as the backup client, however it is also installed on all our Windows servers. Recently it seems like only one of the nodes got the issue.
0
 
dovidmichelCommented:
I've been helping someone else
Win 2003 R2 cluster
defrag exception same day of the week, about the same time
using Process Monitor and Process Explorer it seems there might be a connection with the Client Agent.

I don't have a cluster to test but in my testing UnivAgent (the Universal Agent process for Client Agent) is only active when contacted via ARCserve server or Agent Admin GUI.

However on this cluster it does show activity when the exception happens.

As a test leave the CA ARCserve Universal Agent service stopped to see if the exception still happens.
In your case does it always happen on the same day of the week, same time?
Is there any indication of an initial event where defragmentation failed because of an error with data on the volume, file/directory structure, lack of free space, etc.?
0
 
IdontKnowAuthor Commented:
Stopping the client will stop the backup, not sure I can do that. Also, it is not an event occurring at a certain time, it seems to vary from a couple of days to a couple of weeks. We are running full backups during the weekend and incremental during the week so basically the client is being used every day. I haven't seen the defragmentation failing so far and the process spiking the CPUs doesn't do anything but profiling (defrag analyze). I'll check with the backup guy about the client. Do you remember which version was being used in your case?

Thanks.
0
 
dovidmichelCommented:
perhaps this will resolve the problem.

http://support.microsoft.com/kb/973597
0
 
dovidmichelCommented:
0
 
dphammerCommented:
This issue is old but I thought I would post as I don't see an actual resolution.
We have the same issue that dfrgifc.exe kicks off, seemingly out of nowhere. In our case it starts every day at 2:00 PM and causes excessive I/O in our SAN environment, which slowed certain business applications.
We were able to definitively determine that it is our Arcserve Backup agents that are starting the process. When we stop the related Arcserve services prior to 2:00 PM the process did not start. When we leave the services running, the process starts. For now we have renamed the .exe and when time allows will work with CA. If anyone is aware of a resolution or statement from CA on this it would be nice to hear it.
We are on r16 of Arcserve.
0
 
IdontKnowAuthor Commented:
Old thread... Since, we have upgraded the servers to Windows 2008R2... no more issues. Still was a mystery though...
0
