Solved

Explorer.exe uses 100% CPU

Posted on 2010-08-24
24
3,233 Views
Last Modified: 2012-05-10
Were running on Windows 2008 R2 Terminal server with AppSense on top. Occasionally explorer.exe uses 100% CPU when a user is logged in. We tried to use an explorer.exe fix I found on the net, but this didnt help much. I also resized the pagefile to be bigger, as recommended in some posts feedback. That didnt do the trick either.

Does someone has some other solutions to recommend?
0
Comment
Question by:Mr Woober
  • 11
  • 7
  • 2
  • +3
24 Comments
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33510435
Have you checked the integrity of the hard drive? Also, what operations is he running (moving, deleting, opening windows explorer, etc)?
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33510461
Also, do the users have GPOs? Maybe one is doing something that requires lots of hard drive activity. Or there's something set to run on login (which wouldn't run on normal server boot, only at login).
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33510518
Remove any AV installed on the system
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33510529
Removing AV on a server isn't a good idea :P
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33510533
yes, we just had a complete check of the disks and system just a few days ago. I cannot see that the user is copying any files, only handles and modules are active. Still the CPU uses 100%..
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33510588
Well, a common cause for this to happen are corrupt files. Either from the application or from the system. When windows attempts to get info from those files, because they are corrupt, the process will be left "hanging" until a reply comes (which doesn't) or it times out. Try re-installing the application, and maybe running an SFC.
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 33510800
You could download SysInternal Suite and use process explorer to determine what causes explorer.exe to use 100%.

http://technet.microsoft.com/en-us/sysinternals/default.aspx
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33510813
Well, uninstalling AV isnt a good idea. I'll try that as an last option. But thanks, I'll try running an SFC and see if that maybe help.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33510839
The AV isn't likely to do it, not unless it has corrupt files itself. Else you would see the AV engine battling for CPU.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33510841
What AV are you running?
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33511096
We run Panda AV.. It seems like there is a process going bananas, how can I use those Sysinternal tools to see what process is runnning with 100% CPU? There was kinda hard to find it..
0
 
LVL 27

Expert Comment

by:Lukasz Chmielewski
ID: 33511734
there is a tool procexp.exe in sysinternals which - with setting a filter for one process (explorer.exe) - can show you what exactly explorer.exe does for the most of the time
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 1

Author Comment

by:Mr Woober
ID: 33516055
ah, ok thanks :) I'll see what I can find..
0
 

Expert Comment

by:rlaning
ID: 33532541
What are users doing when explorer.exe starts consuming 100% CPU ?

We've seen similar problems a while ago  on Windows 2003 terminal servers where explorer.exe would go to 100% CPU and remain there when browsing picture folders. Previewing or getting tags from some poisonous JPEG files seemed to drive explorer.exe insane.  We ended up unregistering a certain DLL (the graphic file extension) to prevent this from happening.

Perhaps this helps your thinking in the right direction....
0
 
LVL 4

Expert Comment

by:contactrobol
ID: 33583839
restart computer run in safemode. Run msconfig disable any unwanted service and programs and restart.
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33679477
Now I have a user that is disconnected, using 100% of the Explorer.exe. I tried to find the PID, but its not found using the Process Monitor. And under task manager I just see that the user have explorer.exe, rdclip.exe, dwm.exe and taskhost.exe. But only explorer.exe uses 100% cpu.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33679956
Use process explorer. Much more info than task manager.
Have you tried SFC yet?
And you should try a chkdsk as well. As I said before, one of the most likely causes is corrupt files/drive failures. It would cause windows to try to read that sector over and over and over again until it eventually got tired.
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33680107
I tried the process explorer aswell, but that only shows that Explorer.exe is using 100% CPU. Wasnt able to see much more than this.

We'll try SFC on Sunday when were going to have maintainance on all servers.

Thanks for the help so far, I'll keep you posted as soon as we tested this.
0
 
LVL 18

Expert Comment

by:Cluskitt
ID: 33680197
You can use SFC without impacting the network. Only if it finds corrupted files will you need to reboot, but if there are corrupt files, you should fix them asap anyway, so... :)
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33680313
I ran SFC on one of our TS, and everything seems fine.

"Windows Resource Protection did not find any integrity violations."
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33715138
Now I have an Explorer.exe that uses 100% of the CPU, I took a snapshot from the Process Explorer showing the Thread ID. I'm not able to find the TID in Process Monitor as it hangs after a while.

What can I make out of this message?
SHLWAPI.jpg
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33715194
Here is the Stack of this Thread

ntoskrnl.exe!SeAccessCheckWithHint+0xb4a
ntoskrnl.exe!KeAcquireSpinLockAtDpcLevel+0x7d2
ntoskrnl.exe!KeWaitForMutexObject+0x19f
ntoskrnl.exe!PsIsSystemProcess+0x94
ntoskrnl.exe!KeStackAttachProcess+0x11c1
ntoskrnl.exe!KiCheckForKernelApcDelivery+0x25
ntoskrnl.exe!RtlGUIDFromString+0x2ea44
ntoskrnl.exe!ObCreateObject+0x712
ntoskrnl.exe!KeSynchronizeExecution+0x3a43
ntdll.dll!ZwWaitForMultipleObjects+0xa
KERNELBASE.dll!GetCurrentThread+0x36
kernel32.dll!WaitForMultipleObjectsEx+0xb3
ole32.dll!CreatePointerMoniker+0x49f
ole32.dll!CreatePointerMoniker+0x40b
ole32.dll!STGMEDIUM_UserUnmarshal+0x28f0
ole32.dll!CoGetInstanceFromFile+0x9c22
ole32.dll!CoGetInstanceFromFile+0x519b
ole32.dll!CreatePointerMoniker+0x266
ole32.dll!CreatePointerMoniker+0x68b
ole32.dll!DcomChannelSetHResult+0x1aec
ole32.dll!CoGetInstanceFromFile+0x4a75
RPCRT4.dll!Ndr64AsyncServerCallAll+0x15bb
ole32.dll!CoGetInstanceFromFile+0x5050
ole32.dll!DcomChannelSetHResult+0x1a66
ole32.dll!ObjectStublessClient5+0x177
ole32.dll!ObjectStublessClient5+0xe6
ole32.dll!DcomChannelSetHResult+0x1673
ole32.dll!DcomChannelSetHResult+0x12a1
ole32.dll!CoRegisterMessageFilter+0x12b6
ole32.dll!CoRegisterMessageFilter+0x11e4
ole32.dll!CoRegisterMessageFilter+0xd79
SHELL32.dll!Ordinal733+0x26af9
SHELL32.dll!SHCreateShellItemArrayFromDataObject+0x4a1
SHELL32.dll!SHCreateShellItemArrayFromDataObject+0xcaa
SHELL32.dll!SHCreateShellItemArrayFromDataObject+0x1615
SHELL32.dll!Ordinal813+0x6e00
SHELL32.dll!Ordinal813+0x7343
SHLWAPI.dll!SHRegGetUSValueW+0x306
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x21
0
 
LVL 1

Author Comment

by:Mr Woober
ID: 33778908
I found that the problem is caused by a file in Outlook, called OUTLLIBR.DLL which is version: 11.0.8161.0
0
 
LVL 1

Accepted Solution

by:
Mr Woober earned 0 total points
ID: 33935706
The problems seems to be a compatibility issue with AppSense and PManger.exe, causing some certain programs to use 100% of the CPU.

Recommended hotfixes from MS is:

- http://support.microsoft.com/kb/983461 (with the latest version of the kernel)
- http://support.microsoft.com/kb/981187 (with the latest version of win32k.sys)
- http://support.microsoft.com/kb/978869 (with the latest version of ntdll.dll)
- http://support.microsoft.com/kb/978330 (with the latest version of hal.dll)
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Redirected folders in a windows domain can be quite useful for a number of reasons, one of them being that with redirected application data, you can give users more seamless experience when logging into different workstations.  For example, if a use…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now