DCOMLaunch thrashing my hard disk.

  • Thursday, February 09, 2012 11:04 PM
     

    Hi folks,

    My disk is being hit many times every second that my PC is powered on.  Poking around with the excellent process monitor from SysInternals has shown that the activity is from the DCOMLaunch utility that runs within the svchost daemon.  The program is constantly querying registry keys that generally have some sort of CLSID for a name and seem to contain PCI IDs as values.  I'm not sure why DCOM would be trying to enumerate my hardware, but that's beside the point - I want this to stop.  Please help!  I've provided a brief excerpt of a sample ProcMon log below, and I would be happy to provide any other information that would help you to help me.

    Thanks in advance,

    Eglin

    4:45:43.7766394 PM svchost.exe 764 RegQueryValue HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\DeviceInstance SUCCESS Type: REG_SZ, Length: 60, Data: USB\VID_045E&PID_028E\0B5D273
    4:45:43.7766689 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS
    4:45:43.7766894 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\# SUCCESS
    4:45:43.7768539 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7768924 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Desired Access: Query Value
    4:45:43.7769337 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7769579 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\# SUCCESS Desired Access: Query Value
    4:45:43.7769894 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS
    4:45:43.7770145 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7770367 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Desired Access: Query Value
    4:45:43.7770615 PM svchost.exe 764 RegQueryKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Query: HandleTags, HandleTags: 0x0
    4:45:43.7770824 PM svchost.exe 764 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS Desired Access: Query Value
    4:45:43.7771089 PM svchost.exe 764 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb} SUCCESS


All Replies

  • Friday, February 17, 2012 4:11 PM
     
     

    Hi,

    Since lots of services are hosted in SVChost.exe, maybe we can try to narrow down which service is trying to access all the disk via DCOM.

    We can list all the instances of services hosted in SVChost.exe with "tasklist -svc".

    Also you can try to separate all the affected SVChost.exe to the standalone svchost instances by the following steps: 

    Preparing to Debug the Service Application

    http://msdn.microsoft.com/en-us/library/ff553427(v=vs.85).aspx

    After that, please locate the affected service, find out if this service needs to list all the disk. 

    Thanks.


    “Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.”

  • Sunday, February 19, 2012 7:48 AM
     
     

    Hi there, Kevin!

    Thanks a million for taking the time to help me.  I have determined that the service in question is DComLaunch.  Please tell me how to proceed.

  • Thursday, March 01, 2012 7:23 AM
     
     

    Hi,

    For the DCOM issue, usually we can perform the following troubleshooting steps:

    1. Generally, we can do the following steps to perform the default permission:
    =====================
    a. Click Start -> Run, type DCOMCNFG and press Enter.
    b. Expand Component Services -> Computers -> My Computer. Right click on My Computer and choose Properties.
    c. Go to COM Security tab, under Access Permissions, click Edit Limits, and make sure "Everyone" account has Local Access and Remote Access permission.
    d. Under Launch and Activation Permissions, click Edit Limits, and give "Everyone" account Local Launch, Remote Launch, Local Activation and Remote Activation.
    e. Close the dialog boxes, and in the previous Component Services, expand to Component Services -> Computers -> My Computer -> DCOM Config, find the 3rd party component, right click on it, and choose Properties. 
    f. In General tab, set Authentication Level to "Default".
    g. In Security tab, set Launch and Activation Permissions to Customize, click Edit, and give Everyone account all the permissions listed: Local Launch, Remote Launch, Local Activation and Remote Activation.
    h. Set Access Permissions to Customize, and also give Everyone account all the permissions: Local Access and Remote Access, give SELF all the permissions, and give SYSTEM Local Access permission. 
    i. Click OK to save all the settings, and see if it helps.


    2. If it still does not work, we can back up "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", and import the working keys from another server/PC.

    thanks.



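Steps c and d above change the machine-wide COM limits, which Windows stores as a binary security descriptor. The following is an added example, not part of the post or of any Microsoft tool: a Python decoder that lists which SIDs hold remote launch or activation rights in such a descriptor, for reviewing the setting after it has been edited. The sample bytes are constructed to mirror step d (Everyone, Administrators and INTERACTIVE entries); the function names are hypothetical.

```python
import struct

# COM launch/activation rights bits carried in each ACE's access mask.
RIGHTS = {0x02: "Local Launch", 0x04: "Remote Launch",
          0x08: "Local Activation", 0x10: "Remote Activation"}
REMOTE = 0x04 | 0x10

# Constructed self-relative security descriptor: Everyone (S-1-1-0) and
# Administrators (S-1-5-32-544) with all rights, INTERACTIVE (S-1-5-4) local only.
SAMPLE_SD = bytes.fromhex(
    "01000480" "00000000" "00000000" "00000000" "14000000"   # header, DACL at 20
    "02004800" "03000000"                                     # ACL: 72 bytes, 3 ACEs
    "00001400" "1f000000" "0101" "000000000001" "00000000"
    "00001800" "1f000000" "0102" "000000000005" "20000000" "20020000"
    "00001400" "0b000000" "0101" "000000000005" "04000000")

def parse_sid(buf, off):
    """Decode a binary SID at offset off into its S-R-A-S... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return [(kind, sid, mask)] for the allow/deny ACEs of the DACL."""
    _rev, _sbz, control, _own, _grp, _sacl, dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & 0x8000:
        raise ValueError("descriptor is not self-relative")
    if not control & 0x0004 or dacl == 0:
        raise ValueError("no DACL present")  # a null DACL is not 'no grants'
    _aclrev, _s1, acl_size, ace_count, _s2 = struct.unpack_from("<BBHHH", sd, dacl)
    aces, off = [], dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_size < 8 or off + ace_size > dacl + acl_size:
            raise ValueError("ACE runs past the end of the ACL")
        if ace_type in (0, 1):  # ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE
            kind = "allow" if ace_type == 0 else "deny"
            aces.append((kind, parse_sid(sd, off + 8), mask))
        off += ace_size
    return aces

def remote_grants(sd):
    """Map each SID with an allow ACE for remote launch/activation to its rights."""
    return {sid: [name for bit, name in RIGHTS.items() if mask & bit]
            for kind, sid, mask in parse_dacl(sd)
            if kind == "allow" and mask & REMOTE}

if __name__ == "__main__":
    for sid, rights in remote_grants(SAMPLE_SD).items():
        print(sid, ", ".join(rights))
```

On a live machine the bytes would come from the `MachineLaunchRestriction` value under the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole` key named in step 2.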

  • Thursday, March 01, 2012 3:12 PM
     
     

    Thank you very much for continuing to help me troubleshoot, sir.  Looking at your outline gave me great optimism, as it seems like such a concise and thorough regimen.  Unfortunately, adjusting the COM Access permissions (remote launch and activation were not previously allowed) did not do the trick.  I looked at the list of the COM components as directed in step 'e', but I do not know which item you would have me adjust.  The list appears to include every COM component on my system, many identified only by what appear to be CLSIDs, and the only one that had "third party" in the title was the EAP dispatcher - the security options were all set to default and greyed out.  Is there something about my situation that leads you to believe that my security settings are somehow to blame, or is this just good general troubleshooting?

    I do have a laptop running Windows 7 and could try to import the OLE registry branch, although I'm a bit concerned.  It seems that if the troublesome component also exists on my laptop (I don't believe it does, but I haven't tested), then the import will not help.  If the problem does not exist on the laptop, merging the keys will not remove the problematic section.  Or, are you suggesting that I first delete the entire \ole registry branch?  Is such a thing possible without catastrophic system failure?

    Is there any way to actually determine what activity is requesting the constant hard drive reads, short of mucking around aimlessly with a kernel debugger?  Perhaps some sort of DCOM diagnostic tool?  I can hear my hard drive making funny noises now, and (although it could be paranoia, after losing more than two drives a year over several years to hardware failure) with current drive prices I'm loath to start making purchases.

    Thanks again for trying to help me, and I am hoping that you can continue to assist me.  It would be wonderful to get this taken care of.

    Thanks,

    Eglin

  • Thursday, March 01, 2012 7:33 PM
     
     

    You can look at stacks in procmon if you set up the symbols...

  • Friday, March 02, 2012 3:43 PM
     
     

    You can look at stacks in procmon if you set up the symbols...

    Hi, JS.  Would you please describe how to set up the debug symbols and what I would look for after doing so?

    Thanks,

    Eglin

  • Friday, March 02, 2012 4:00 PM
     
     

    Maybe this link will help: 

    http://devcoma.blogspot.com/2009/11/how-to-configure-sysinternals-procmon.html

    The tricky part is installing windbg.  These days you have to download the windows sdk web installer, and then only check off windows debugger.

  • Monday, March 19, 2012 10:00 AM
     
     

    Hi Eglin,

    Do you have any updates from the procmon?

    If DCOM keeps querying HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}

    I am wondering whether there are too many orphaned registry keys there.

    Please check whether the following KB applies to your server:

    http://support.microsoft.com/kb/982210



  • Tuesday, March 20, 2012 1:07 AM
     
     

    Hi Eglin,

    Do you have any updates from the procmon?

    If DCOM keeps querying HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}

    I am wondering whether there are too many orphaned registry keys there.

    Please check whether the following KB applies to your server:

    http://support.microsoft.com/kb/982210



    Hi Mr. Tu,

    Thank you for responding again.  I'm embarrassed to notice that I didn't mention that I'm using Windows 7 Home Premium.  Since that workaround is only intended for Windows Server machines, is there another method for checking and removing orphaned registry keys that you might recommend?

    Thanks in advance,

    Eglin

  • Thursday, March 22, 2012 1:35 PM
     
     

    Hi,

    Can you find the identifier "USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb" in the Device Management? If so please try to re-install this device. 

    On the Windows 7 client, I think the USB device is not a critical part of the system. Please try to back up the related registry keys and delete them.




  • Wednesday, April 04, 2012 10:43 AM
     
     

    Hi,

    Can you find the identifier "USB#VID_045E&PID_028E#0B5D273#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb" in the Device Management? If so please try to re-install this device. 

    On the Windows 7 client, I think the USB device is not a critical part of the system. Please try to back up the related registry keys and delete them.




    The ID you've given seems to correspond with my USB XBox controller.  Would you please describe to me the steps I should take to reinstall it?  I believe that I'm currently using Windows 7's built-in drivers for the device, although I did allow Windows Update to install a driver update for it.
  • Thursday, April 05, 2012 8:24 AM
     
     

    Hi,

    Please back up the registry keys and delete them. The next time you connect the USB device to this PC, the OS will recreate a new identifier for this device.

    Please monitor whether this issue still occurs after deleting the affected registry keys.

    Thanks.



  • Friday, August 31, 2012 9:00 PM
     
     

    Hi,

    I have to bring that topic up again because I am having the exact same problem and couldn't solve it by deleting the key. (I deleted every key that is being accessed and listed below.)

    I am using Process Monitor to see that my hard drives are being accessed nearly every second by C:\Windows\system32\svchost.exe -k DcomLaunch

    Basically it accesses all my drives (that is a Vertex 3 SSD and a RAID5 with the Intel Onboard RapidStorage of three WD Greens) and some USB3 stuff (that one I don't understand a bit because I do not have a single USB device connected. Even if I delete that key Windows just recreates it after a reboot and starts accessing it again).

    HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#DiskOCZ-VERTEX3_____________________________2.22____#4&18f37dbf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#IDE#DiskStore1.0.00__#4&18f37dbf&0&0.1.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    HKLM\System\CurrentControlSet\Control\DeviceClasses\{f5f8219f-14c2-4e33-8b8b-06ee75321d07}\##?#IUSB3#ROOT_HUB30#4&a3f7854&0#{f5f8219f-14c2-4e33-8b8b-06ee75321d07}

    The PC is quite new and freshly installed with Windows 7 Professional 64bit.

    Does anybody have another idea? I am stumped and feel the health of my harddrives decreasing with every second :(

    Thanks!


    • Edited by EpoX_ Friday, August 31, 2012 9:02 PM
  • Tuesday, September 04, 2012 7:41 AM
     
     
    I'm afraid that I never found any resolution for the issue.
  • Friday, January 25, 2013 7:07 PM
     

    I have the exact same issue but it doesn't seem related to DComLaunch. If I run tasklist I see 3 services sharing the same svchost as DComLaunch:

    tasklist /svc /fi "imagename eq svchost.exe"

    svchost.exe            872 DcomLaunch, PlugPlay, Power

    When I look at the stack trace in ProcMon for those registry calls they originate in ntdll.dll and then go through RPCRT4.dll and umpnpmgr.dll before hitting kernel dll's. This makes me think it's the PlugPlay service that is hammering the registry.

    The issue only occurs on my machine when Steam is running. As soon as I close Steam then the registry activity immediately ceases. Start Steam and it starts again. It makes the system totally unusable.

    Re: setting up the symbols in ProcMon, I think this might be default in newer versions of ProcMon. If not, go to Options > Configure Symbols. Set Symbol Paths to srv*http://msdl.microsoft.com/download/symbols

  • Friday, January 25, 2013 9:12 PM
     
     

    Thanks for the information about setting up symbols in ProcMon.  I will download a newer version and check it out (the version I've been using is probably very ancient).

    Some of the registry entries that are getting hammered for me have UUIDs corresponding to USB devices, so there may certainly be some relationship to P&P.  For me, the issue happens even when I have shut down every service and application I'm able to disable.  My system remains responsive, but the constant hard drive activity worries me.  Hard drives are expensive, and I have zero doubt that all this constant activity wears them out.  I'm also extremely frustrated that MS doesn't have better controls for system management.  Every bit of software seems to feel privileged to install stuff all over the system, setup services, and open network connections.  There really needs to be some better way to insulate the system from this stuff - something short of running a heavy-weight VM for every application.

    Anyway,  thank you for sharing.  If you come up with further information, I'd very much appreciate it if you would report back.

    Thanks,

    Eglin

  • Wednesday, March 20, 2013 4:44 PM
     
     

    I deleted some registry values matching f5f8219f-14c2-4e33-8b8b-06ee75321d07 and it still did not stop after a restart.

    That ID is something related to USB3 so I uninstalled the Intel USB3 driver. That helped, might be worth a try.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{f5f8219f-14c2-4e33-8b8b-06ee75321d07}

  • Thursday, March 21, 2013 11:54 AM
     
     
    I eventually resolved this issue by unplugging my 8 year old ipod from the USB slot. I traced it using the Resource Monitor and checked that during the hangs there was disk activity originating from the System process to /Device/HardDisk/DR4, with a response time around 20 seconds. This device was the ipod. Since leaving it unplugged for about a month now I have not had this issue.

    What is strange is that I still have registry activity on those keys from svchost, but my hard disk doesn't sound like it's thrashing anymore. So I can't be sure what the issue was but I would suggest checking Resource Monitor and try unplugging USB devices.

    Did you ever find the real cause of this?
  • Monday, March 25, 2013 12:37 PM
     
     

    I have the same issue, need help!

  • Tuesday, March 26, 2013 9:18 AM
     
     
    I never did find the cause or solution.  Most of the UUIDs/CLSIDs I found being constantly accessed by the DCOM service correlated to USB devices - Intel's USB driver, XBox 360 controller, etc, but I was never able to create an environment that halted the constant disk access.  I have/ have had concurrent issues with Zone Alarm's paid firewall suite doing unbuffered writes to its log files several times a second.  The whole situation has really soured me on Windows in general.  Every application feels like it has the right to install services and background tasks, and Microsoft has done nothing to help us isolate out processes and control permissions with a fine grain.  It's pretty hard, as an example, to browse the web without having Adobe's awful Flash installed; MS should have tools to protect us from allowing Flash to essentially alter the comspec and hijack every single running process on the system.  I know this is devolving into a rant, rather than constructive troubleshooting, but after having MANY hard drive failures over the last few years, I am very much fed up.
  • Tuesday, March 26, 2013 9:54 AM
     
     

    This is an example of how we small fish are having our asses kicked. The truth is that there could be a large number of people who have the same problem and don't realize it. I'm no developer, so I have only basic knowledge of how the system works, and it is hard for me to find the resolution to this issue. Since Win95 I have always had an original system on my PC, never complaining; the paradox is that I never needed help till now. The bizarre and odd thing is that even formatting the system and installing Win 7 on a clean SSD doesn't help...


    • Edited by matisf Tuesday, March 26, 2013 9:56 AM
  • Thursday, March 28, 2013 4:06 PM
     
     
    never give up
  • Tuesday, April 09, 2013 4:13 PM
     
     

    UP

  • Wednesday, April 10, 2013 12:17 AM
     
     
    Hi, I found this topic while investigating this Steam problem. It's exhibiting the same registry spam symptoms and the same registry key as you describe,  and it involves nonstop probing for the presence of a particular gamepad device. Because it hands off the work to svchost, it obscures the originating process's identity. But it was still susceptible to be located by process of elimination. Note that it's a fairly harmless low-cpu activity, but it's still wasteful and annoying.

    • Edited by theultramage Wednesday, April 10, 2013 12:20 AM
  • Wednesday, April 10, 2013 9:28 PM
     
     

    hey ultramage, thanks for linking that information. Good investigation and nicely done finding the root of our issue, I think I learned a bit more about some techniques to employ. I can confirm that I no longer see the registry activity when I suspend the thread with SDL2.dll. I really wish that Steam would fix this issue, it's really terrible programming from them.

    Seems we have a slightly different problem than the OP, which is a pity. But I think it highlights an important point: the stack trace in this case does not lead to the prime mover in the chain of registry spam. Eglin, I'm curious to know if you're still hearing the hard disk activity? You may have some luck trying to isolate the issue by booting to safe mode. If that stops the problem, then using Sysinternals autoruns can help to progressively add programs back into the boot until the problem re-occurs.

  • Friday, April 12, 2013 6:45 PM
     
     
    The dcomlaunch registry accesses were most likely not the cause and just distracted from the actual problem (you'd have to have 10000+ of them a second going on before it starts being noticeable, and it'd cause cpu usage, not disk usage). Process monitor does not have full access to the system so it may not be able to record low-level disk activity; turning off some of the default filters (SYSTEM, IRP_*, etc) may show it. Also in Windows Resource monitor, the disk section can show low-level stuff like volume-level defragmentation that happens below the filesystem. Also Process Explorer may reveal who's doing the activity by watching each process's deltas (page faults, i/o bytes per second, etc.).
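The rate mentioned in the post above can be measured from a capture rather than guessed. The following is an added example, not part of any post in this thread: a Python script that tallies registry operations per svchost PID and per second from a ProcMon CSV export and names the device instances being polled, so the PID can then be matched to its services with `tasklist /svc`. It assumes ProcMon's default CSV columns; the sample rows are constructed from the excerpt in the first post, and PID 1044, the explorer.exe row and the function names are made up.

```python
import csv
import io
import re
from collections import Counter, defaultdict

HEADER = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]
CLS = r"HKLM\System\CurrentControlSet\Control\DeviceClasses"
GUID = "{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}"
IFACE = CLS + "\\" + GUID + r"\##?#USB#VID_045E&PID_028E#0B5D273#" + GUID

# Constructed rows modelled on the first post's excerpt; the last two are made up.
SAMPLE_ROWS = [
    ("4:45:43.7766394 PM", "svchost.exe", "764", "RegQueryValue", IFACE + r"\DeviceInstance", "SUCCESS", ""),
    ("4:45:43.7766689 PM", "svchost.exe", "764", "RegCloseKey", IFACE, "SUCCESS", ""),
    ("4:45:43.7768539 PM", "svchost.exe", "764", "RegQueryKey", CLS, "SUCCESS", ""),
    ("4:45:43.7768924 PM", "svchost.exe", "764", "RegOpenKey", CLS + "\\" + GUID, "SUCCESS", ""),
    ("4:45:44.0100000 PM", "svchost.exe", "764", "RegOpenKey", IFACE, "SUCCESS", ""),
    ("4:45:44.0200000 PM", "svchost.exe", "1044", "RegOpenKey", r"HKLM\Software\Example", "SUCCESS", ""),
    ("4:45:44.0300000 PM", "explorer.exe", "1520", "ReadFile", r"C:\Users\Public\desktop.ini", "SUCCESS", ""),
]

def sample_csv():
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)
    writer.writerow(HEADER)
    writer.writerows(SAMPLE_ROWS)
    return buf.getvalue()

# ProcMon prints 7 fractional digits, one more than strptime's %f accepts,
# so the time of day is parsed by hand and truncated to whole seconds.
TIME_RE = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})(?:\.\d+)?\s*(AM|PM)?$", re.I)
DEV_RE = re.compile(
    r"\\DeviceClasses\\(\{[0-9a-f-]{36}\})(?:\\##\?#(.+?)#\{[0-9a-f-]{36}\})?", re.I)

def second_of_day(text):
    m = TIME_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised time of day: %r" % text)
    hour, minute, second = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):  # 12-hour clock: 12 AM is hour 0, 12 PM is hour 12
        hour = hour % 12 + (12 if m.group(4).upper() == "PM" else 0)
    return hour * 3600 + minute * 60 + second

def device_of(path):
    """Return (interface class GUID, device instance or None), or None."""
    m = DEV_RE.search(path)
    if not m:
        return None
    instance = m.group(2).replace("#", "\\") if m.group(2) else None
    return m.group(1).lower(), instance

def summarize(csv_text, process="svchost.exe"):
    per_second = defaultdict(Counter)  # pid -> second of day -> registry ops
    devices = defaultdict(Counter)     # pid -> device instance -> registry ops
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if not row["Operation"].startswith("Reg"):
            continue
        pid = int(row["PID"])
        per_second[pid][second_of_day(row["Time of Day"])] += 1
        dev = device_of(row["Path"])
        if dev and dev[1]:
            devices[pid][dev[1]] += 1
    return {pid: {"registry_ops": sum(b.values()), "peak_per_second": max(b.values()),
                  "devices": devices[pid].most_common()}
            for pid, b in per_second.items()}

if __name__ == "__main__":
    for pid, stats in summarize(sample_csv()).items():
        print(pid, stats)
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so a leading byte-order mark does not end up in the first column name.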