Find File or Handle freezes Process Explorer

  • Question

  • While using CTRL-F to search for handles related to Corsair iCue, all of a sudden Find (CTRL-F) no longer works, and PE stops refreshing until I change the refresh rate.

    This is Windows 8.1 Pro w/ current Windows updates applied (9/30/2020).

    I changed PE to latest release and same issue.

    I've uninstalled the ICue app, and no change.

    I've changed AV app from McAfee to Symantec and no change.

    Windows Defender has been and is still turned off.

    Any ideas?


    • Edited by TheRumour Wednesday, September 30, 2020 7:14 AM
    Wednesday, September 30, 2020 7:13 AM

All replies

  • I think that to examine this problem a full memory dump is necessary to be taken when the problem happens.

    Try configuring the machine to get a keyboard initiated full memory dump following these instructions:

    Forcing a System Crash from the Keyboard - Windows drivers | Microsoft Docs

    Take a dump just to validate it works.

    When you repro again the problem, force the dump, and then send an email to Mark Cook at SysSite@microsoft.com and work with him to find the problem.

    HTH
    -mario

    Wednesday, September 30, 2020 8:46 AM
  • Mario,

    Any alternative for submitting a full dump considering security and privacy issues?

    -Vince

    Thursday, October 1, 2020 12:37 AM
  • Mind you, CTRL-F still works in all other apps as expected.

    It's only PE where there is an issue.

    -Vince

    Thursday, October 1, 2020 12:40 AM
  • Unfortunately PE uses a kernel driver, and at the moment we don't know if it is blocked in the user interface or in the driver; for this I suggested a full memory dump. If you still can move around in explorer you can use procdump to create a dump of Process Explorer. Even better, you can use procdump to monitor PE until it blocks and then capture one or more PE dumps and send them in for analysis.

    You can run procmon this way:

    procdump -ma -n 10 -e procexp64.exe

    or better

    procdump -ma -n 10 -h procexp64.exe

    In this case, if the main window hangs for more than 5 seconds it will write a dump of the process.

    I'm still convinced that the best thing to do is a full memory dump, but we can start trying this way.

    Send the data in to Mark Cook as soon as you have reproed the problem.

    HTH
    -mario

    Thursday, October 1, 2020 7:48 AM
  • Mario, I'm getting "dump count not reached" in both command variations.

    I added -t...


    18:41:19 C:\Users\root\Downloads\Procdump>procdump -ma -n 10 -e -t procexp64.exe

    ProcDump v10.0 - Sysinternals process dump utility
    Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
    Sysinternals - www.sysinternals.com

    Process:               procexp64.exe (16552)
    Process image:         C:\Users\root\AppData\Local\Temp\procexp64.exe
    CPU threshold:         n/a
    Performance counter:   n/a
    Commit threshold:      n/a
    Threshold seconds:     n/a
    Hung window check:     Disabled
    Log debug strings:     Disabled
    Exception monitor:     Unhandled
    Exception filter:      [Includes]
                           *
                           [Excludes]
    Terminate monitor:     Enabled
    Cloning type:          Disabled
    Concurrent limit:      n/a
    Avoid outage:          n/a
    Number of dumps:       10
    Dump folder:           C:\Users\root\Downloads\Procdump\
    Dump filename/mask:    PROCESSNAME_YYMMDD_HHMMSS
    Queue to WER:          Disabled
    Kill after dump:       Disabled


    Press Ctrl-C to end monitoring without terminating the process.

    [18:47:45] Dump 1 initiated: C:\Users\root\Downloads\Procdump\procexp64.exe_201002_184745.dmp
    [18:47:45] Dump 1 writing: Estimated dump file size is 185 MB.
    [18:47:45] Dump 1 complete: 185 MB written in 0.7 seconds
    [18:47:46] The process has exited.
    [18:47:46] Dump count not reached.

    But basically PE doesn't hang per se, but the refresh speed (which is still at the default) can be changed to .5 or any other speed and functionality resumes.

    So I'll let you determine if the above dump would be worthwhile.

    If so, should I contact Mark to figure out how to get the dump to him (dump size (7zip) is 30MB)?

    -Vince

    Friday, October 2, 2020 10:57 PM
  • Alternatively, I used:

    20:27:56 C:\Users\root\Downloads\Procdump>procdump -s 8 -n 3 procexp64.exe

    ProcDump v10.0 - Sysinternals process dump utility
    Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
    Sysinternals - www.sysinternals.com

    Process:               procexp64.exe (21036)
    Process image:         C:\Users\root\AppData\Local\Temp\procexp64.exe
    CPU threshold:         n/a
    Performance counter:   n/a
    Commit threshold:      n/a
    Threshold seconds:     8
    Hung window check:     Disabled
    Log debug strings:     Disabled
    Exception monitor:     Disabled
    Exception filter:      [Includes]
                           *
                           [Excludes]
    Terminate monitor:     Disabled
    Cloning type:          Disabled
    Concurrent limit:      n/a
    Avoid outage:          n/a
    Number of dumps:       3
    Dump folder:           C:\Users\root\Downloads\Procdump\
    Dump filename/mask:    PROCESSNAME_YYMMDD_HHMMSS
    Queue to WER:          Disabled
    Kill after dump:       Disabled


    Press Ctrl-C to end monitoring without terminating the process.

    [20:28:13] Timed:
    [20:28:13] Dump 1 initiated: C:\Users\root\Downloads\Procdump\procexp64.exe_201002_202813.dmp
    [20:28:13] Dump 1 complete: 2 MB written in 0.1 seconds
    [20:28:22] Timed:
    [20:28:22] Dump 2 initiated: C:\Users\root\Downloads\Procdump\procexp64.exe_201002_202822.dmp
    [20:28:22] Dump 2 complete: 2 MB written in 0.1 seconds
    [20:28:31] Timed:
    [20:28:31] Dump 3 initiated: C:\Users\root\Downloads\Procdump\procexp64.exe_201002_202831.dmp
    [20:28:32] Dump 3 complete: 2 MB written in 0.1 seconds
    [20:28:32] Dump count reached.

    and have three .dmp files:

     Directory of C:\Users\root\Downloads\Procdump

    10/02/2020  08:29 PM    <DIR>          .
    10/02/2020  08:29 PM    <DIR>          ..
    05/05/2019  11:00 AM             7,490 Eula.txt
    09/17/2020  09:20 AM           725,368 procdump.exe
    10/02/2020  08:29 PM           478,242 Procdump.zip <<<< archived >>>>
    09/17/2020  09:14 AM           382,344 procdump64a.exe
    10/02/2020  06:47 PM       189,268,021 procexp64.exe_201002_184745.dmp
    10/02/2020  06:56 PM        35,806,726 procexp64.exe_201002_184745.dmp.7z
    10/02/2020  06:56 PM        51,271,190 procexp64.exe_201002_184745.dmp.zip
    10/02/2020  08:28 PM         1,591,373 procexp64.exe_201002_202813.dmp <<<<<<<
    10/02/2020  08:28 PM         1,601,175 procexp64.exe_201002_202822.dmp <<<<<<<
    10/02/2020  08:28 PM         1,601,079 procexp64.exe_201002_202831.dmp <<<<<<<
                  10 File(s)    282,733,008 bytes
                   2 Dir(s)  246,242,140,160 bytes free

    -Vince

    Saturday, October 3, 2020 12:33 AM
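
Added example, not part of any post in this thread and not Sysinternals code: a small Python parser for the ProcDump banner and log format shown above, which lists the dump triggers a run actually had armed and the dumps it completed, so a run can be checked before the dumps are sent for analysis. The sample input is constructed from the first run's output, and the function names are hypothetical.

```python
import re

# Constructed sample: banner and log lines in the format of the first run above.
SAMPLE = """\
Process:               procexp64.exe (16552)
CPU threshold:         n/a
Hung window check:     Disabled
Exception monitor:     Unhandled
Terminate monitor:     Enabled
Number of dumps:       10

[18:47:45] Dump 1 initiated: C:\\Users\\root\\Downloads\\Procdump\\procexp64.exe_201002_184745.dmp
[18:47:45] Dump 1 complete: 185 MB written in 0.7 seconds
[18:47:46] The process has exited.
[18:47:46] Dump count not reached.
"""

# Banner fields that describe a dump trigger, and the values that mean "not armed".
TRIGGER_FIELDS = ("CPU threshold", "Performance counter", "Commit threshold",
                  "Hung window check", "Exception monitor", "Terminate monitor")
OFF = {"n/a", "disabled"}
BANNER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s{2,}(\S.*?)\s*$")
DONE_RE = re.compile(r"^\s*\[(\d\d:\d\d:\d\d)\] Dump (\d+) complete: (\d+) MB written")


def parse_procdump(text):
    """Return (armed triggers, requested dump count, completed dumps)."""
    banner, dumps = {}, []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            banner[m.group(1)] = m.group(2)
            continue
        d = DONE_RE.match(line)
        if d:
            dumps.append({"time": d.group(1), "n": int(d.group(2)), "mb": int(d.group(3))})
    armed = {k: banner[k] for k in TRIGGER_FIELDS
             if k in banner and banner[k].lower() not in OFF}
    return armed, int(banner.get("Number of dumps", 0)), dumps


def hang_capture_armed(armed):
    """True only if the banner reports the hung-window check as enabled."""
    return "Hung window check" in armed


if __name__ == "__main__":
    armed, requested, dumps = parse_procdump(SAMPLE)
    print("armed:", armed, "| requested:", requested, "| completed:", dumps)
    print("hung-window capture armed:", hang_capture_armed(armed))
```
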
  • Yep, try contacting Mark at Syssite@microsoft.com and let's see what he can find.

    Thanks

    -mario

    Saturday, October 3, 2020 4:00 PM