explorer.exe consuming 100% CPU after resuming from hibernation RRS feed

  • Question

  • Hello,

    For the last months, I repeatedly have the problem that sometimes (every 2nd or 3rd time) after resuming from hibernation, in a few cases also after disconnecting from the Internet, one or more instances of explorer.exe are consuming 100% CPU, but never the shell instance.

    I tried figuring out what it was doing, but I was unsuccessful so far.

    Here is a stack of the thread which consumed most of the CPU:

    0, ntoskrnl.exe!KiDeliverApc+0x166
    1, ntoskrnl.exe!KiSwapThread+0x31f
    2, ntoskrnl.exe!KiCommitThreadWait+0x129
    3, ntoskrnl.exe!ExpWaitForResource+0x29f
    4, ntoskrnl.exe!ExEnterPriorityRegionAndAcquireResourceExclusive+0x1ad
    5, win32k.sys!EnterCritAvoidingDitHitTestHazard+0x13
    6, win32k.sys!NtUserMessageCall+0x28
    7, ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
    8, user32.dll!NtUserMessageCall+0xa
    9, user32.dll!SendMessageWorker+0x168
    10, user32.dll!SendMessageW+0xfb
    11, ExplorerFrame.dll!CNscTree::_TreeInvalidateItemInfo+0xd0
    12, ExplorerFrame.dll!CNscTree::_EnumBackgroundDone+0xb4a14
    13, ExplorerFrame.dll!CNscTree::OnQIUpdateEnumDone+0x93
    14, ExplorerFrame.dll!CNscEnumQueueItem::Dispatch+0xcf
    15, ExplorerFrame.dll!CTaskLock::DispatchQueueItem+0xc5
    16, ExplorerFrame.dll!CNscTree::_SubClassTreeWndProc+0x118
    17, ExplorerFrame.dll!CNscTree::s_SubClassTreeWndProc+0x5f
    18, comctl32.dll!CallNextSubclassProc+0xe0
    19, comctl32.dll!MasterSubclassProc+0xa2
    20, user32.dll!UserCallWinProcCheckWow+0x149
    21, user32.dll!DispatchMessageWorker+0x1a7
    22, AppVEntSubsystems64.dll!VirtualizeCurrentThread+0x1e492
    23, ExplorerFrame.dll!CExplorerFrame::FrameMessagePump+0xe3
    24, ExplorerFrame.dll!BrowserThreadProc+0x5e
    25, ExplorerFrame.dll!BrowserNewThreadProc+0x3a
    26, ExplorerFrame.dll!CExplorerTask::InternalResumeRT+0x12
    27, ExplorerFrame.dll!CRunnableTask::Run+0x114
    28, shell32.dll!CShellTaskThread::ThreadProc+0x2a3
    29, shell32.dll!CShellTaskThread::s_ThreadProc+0x2f
    30, SHCore.dll!StrRetToBSTR+0x19f
    31, kernel32.dll!BaseThreadInitThunk+0x22
    32, ntdll.dll!RtlUserThreadStart+0x34

    I was hoping I could identify a rogue shell extension or something similar, but I didn't find any such evidence so far.

    In case you need this information, this is a list of my shell extensions/copy hooks/context menu handlers/drag&drop handlers (without duplicates):

    + " SkyDrivePro1 (ErrorConflict)"	"Microsoft OneDrive for Business Extensions"	"Microsoft Corporation"	"c:\program files\microsoft office 15\root\vfs\programfilesx64\microsoft office\office15\grooveex.dll"	"12.11.2014 01:13"
    + "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"	""	"Apache Software Foundation"	"c:\program files (x86)\openoffice 4\program\shlxthdl\shlxthdl.dll"	"20.09.2013 12:50"
    + "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"	""	"Apache Software Foundation"	"c:\program files (x86)\openoffice 4\program\shlxthdl\shlxthdl_x64.dll"	"20.09.2013 12:41"
    + "7-Zip"	"7-Zip Shell Extension"	"Igor Pavlov"	"c:\program files\7-zip\7-zip32.dll"	"18.04.2011 19:34"
    + "7-Zip"	"7-Zip Shell Extension"	"Igor Pavlov"	"c:\program files\7-zip\7-zip.dll"	"18.04.2011 19:35"
    + "ANotepad++64"	"ShellHandler for Notepad++ (64 bit)"	""	"c:\program files (x86)\notepad++\nppshell_06.dll"	"12.05.2014 10:49"
    + "Ath_CopyHook"	"Bluetooth File Transfer Plugin"	"Qualcomm®Atheros®"	"c:\program files (x86)\bluetooth suite\folderviewimpl.dll"	"25.09.2013 10:58"
    + "Atheros"	"Atheros Bluetooth Module"	"Qualcomm®Atheros®"	"c:\program files (x86)\bluetooth suite\btvappext.dll"	"25.09.2013 10:58"
    + "DropboxExt"	"Dropbox Shell Extension"	"Dropbox, Inc."	"c:\users\david\appdata\roaming\dropbox\bin\dropboxext64.24.dll"	"24.06.2014 01:32"
    + "DropboxExt1"	"Dropbox Shell Extension"	"Dropbox, Inc."	"c:\users\david\appdata\roaming\dropbox\bin\dropboxext.24.dll"	"24.06.2014 01:31"
    + "FTShellContext"	"Atheros Bluetooth Module"	"Qualcomm®Atheros®"	"c:\program files (x86)\bluetooth suite\shellcontextext.dll"	"25.09.2013 10:58"
    + "GDContextMenu"	"Google Drive shell extension"	"Google"	"c:\program files (x86)\google\drive\contextmenu64.dll"	"16.01.2015 01:57"
    + "GDriveBlacklistedOverlay"	"Google Drive shell extension"	"Google"	"c:\program files (x86)\google\drive\googledrivesync64.dll"	"16.01.2015 01:56"
    + "igfxcui"	"igfxpph Module"	"Intel Corporation"	"c:\windows\system32\igfxpph.dll"	"09.09.2013 18:26"
    + "LockHunterShellExt"	"LockHunter Explorer Extension"	"Crystal Rich Ltd"	"c:\program files\lockhunter\lhshellext32.dll"	"25.03.2009 08:53"
    + "LockHunterShellExt"	"LockHunter Explorer Extension"	"Crystal Rich Ltd"	"c:\program files\lockhunter\lhshellext64.dll"	"28.04.2009 10:21"
    + "PDF Shell Extension"	"PDF Shell Extension"	"Adobe Systems, Inc."	"c:\program files (x86)\common files\adobe\acrobat\activex\pdfshell.dll"	"11.05.2013 10:34"
    + "PushbulletCtx"	""	""	"File not found: :/Program Files (x86)/Pushbullet/pushbullet_ctx.DLL"	""
    + "RecuvaShellExt"	"Recuva shell extensions"	"Piriform Ltd"	"c:\program files\recuva\recuvashell64.dll"	"14.03.2014 12:41"
    + "SD360"	"360 Total Security"	""	"c:\program files (x86)\360\total security\menuex64.dll"	"12.01.2015 03:55"
    + "SourceGearDiffMergeShellExtension32"	"SourceGear DiffMerge ShellExtension 32"	"SourceGear LLC"	"c:\program files (x86)\sourcegear\common\diffmerge\sourcegeardiffmergeshellextension32.dll"	"23.10.2013 19:15"
    + "SourceGearDiffMergeShellExtension64"	"SourceGear DiffMerge ShellExtension 64"	"SourceGear LLC"	"c:\program files\sourcegear\common\diffmerge\sourcegeardiffmergeshellextension64.dll"	"23.10.2013 19:17"
    + "StartMenuExt"	"Start Menu Helper Extension"	"IvoSoft"	"c:\windows\syswow64\startmenuhelper32.dll"	"20.04.2014 18:17"
    + "StartMenuExt"	"Start Menu Helper Extension"	"IvoSoft"	"c:\windows\system32\startmenuhelper64.dll"	"20.04.2014 18:16"
    + "WinRAR32"	"WinRAR shell extension"	"Alexander Roshal"	"c:\program files\winrar\rarext32.dll"	"02.12.2014 11:07"
    + "WinRAR"	"WinRAR shell extension"	"Alexander Roshal"	"c:\program files\winrar\rarext.dll"	"02.12.2014 11:07"
    + "WinSCPCopyHook"	"Drag&Drop shell extension for WinSCP (64-bit)"	"Martin Prikryl"	"c:\program files (x86)\winscp\dragext64.dll"	"14.08.2013 12:22"

    I you have any clue what might be going, I would be very happy to hear it. It's really annoying, as I have to kill explorer.exe and thereby close all my folder windows when this happens.

    Thank you!

    Best regards,
    David Trapp

    • Edited by CherryDT Monday, February 2, 2015 8:43 PM
    Monday, February 2, 2015 8:41 PM

All replies

  • David

    Have you tried running a windows performance recorder trace?  It MAY provide a different view of things for you

    In order to diagnose your problem we need to run Windows performance toolkit the instructions for which can be found in this wiki
    If you have any questions feel free to ask

    Please run the trace when you are experiencing the problem

    Wanikiya and Dyami--Team Zigzag

    Monday, February 2, 2015 8:57 PM
  • Hello CherryDT,

    What is your current situation?

    Please take a look at the following KB to perform a clean boot in Windows and then check if the issue still exists.

    Please upload the Windows performance recorder trance as MVP Zigzag mentioned.

    Best regards,
    Fangzhou CHEN

    Fangzhou CHEN
    TechNet Community Support

    Thursday, February 5, 2015 12:07 PM
  • Hello,

    this computer is my main work laptop, so it might take some time until I'm next able to find time to do a clean boot and then play with reproducing the issue.

    However, I was now able to record a performance recorder trace while the problem happened. There is a problem, though: I let the trace run 60s as requested in the linked wiki entry, but the file size is now 6 GB and WPA complains about over 12 million lost events (even though the buffer was never more than 9% used)... I'm not sure how/where to upload such a huge file, and whether it's even helpful with that many lost events. Should I wait for the problem to happen again and then only record 5 seconds or so?

    Anyway, I made screenshots of WPA in case they are helpful already:


    I tried getting details about the CPU utilization, but I was unable to get any addresses, for some reason. (Symbol path is configured correctly.)

    Best regards,
    David Trapp

    • Edited by CherryDT Thursday, February 5, 2015 10:04 PM
    Thursday, February 5, 2015 9:57 PM
  • David

    If you zip the file it will be under 750Mb and those event, while concerning should not negate the trace results.

    You need to upload it

    Wanikiya and Dyami--Team Zigzag

    Thursday, February 5, 2015 10:15 PM
  • 7-Zip cut the filesize down to a lightweight 287MB. Great!

    Here is the link: https://www.dropbox.com/s/1u622dsix1lsm5n/CHE-MOBILE-W8.02-05-2015.22-25-28.7z?dl=0 Deleted

    Please tell me once you got the file, I'll delete it then.

    • Edited by CherryDT Monday, February 9, 2015 11:36 AM
    Friday, February 6, 2015 12:34 PM
  • CDT

    Obviously explorer.  Unfortunately in this trace the thread that is driving explorer to use %46 of the cpu is labeled unknown.  I do notice you have 142 processes loaded but suspect that is just making the problem worse.  Two things of note. 

    From your above (#11) explorer is waiting because of an invalid date (hints of a corruption)


    Second I noticed that the only non system item that runs for the entire duration of the excessive explorer usage is "rescuetime.exe"

    I would run a system file check and temp disable rescue time to see if that is the issue

    Please run a system file check (SFC)

    All instructions are in our Wiki article below...
    Should you have any questions please ask us.

    Wanikiya and Dyami--Team Zigzag

    Friday, February 6, 2015 12:55 PM
  • Hello,

    thanks for having a look. However, I already ran SFC before posting on this forum (as part of my own investigation) and it came back clean. RescueTime (a time tracking tool) is probably not the culprit because it happened also several times in the past without RescueTime being running (that was because I had accidentally removed it from autorun at that time).

    Unfortunately, I can't follow your "invalid date" explanation. I don't think an "invalid date" is anywhere involved; in fact, the method in question is called "_TreeInvalidateItemInfo" and not "_TreeInvalidDateItemInfo" (note that there is only one "d"), so I assume its job is just to invalidate (and in turn, refresh) the cached information about nodes in the left pane's folder tree of the explorer window(s) - since the folder tree is the only NamespaceTreeControl (whose corresponding class name is CNscTree) in explorer folder view windows. As I see it, something is causing explorer to repeatedly refresh the folder tree data, but I am stuck at finding out what exactly.

    Best regards,
    David Trapp

    EDIT: Disassembling ExplorerFrame!CNscTree::_TreeInvalidateItemInfo confirms that, because it seems to call TreeView_SetItem for a tree node and its parent (possibly with all fields set to *_CALLBACK), and CNscTree::_UpdateItemDisplayInfo for the parent node.

    EDIT2: I'd love to dig more into the trace, however I am hitting a wall at function names/addresses. Everywhere where I would expect a function name/address (such as the "by stack" views), I only see question marks instead. What could be the reason?
    • Edited by CherryDT Friday, February 6, 2015 2:07 PM
    Friday, February 6, 2015 1:33 PM
  • Hello CherryDT,

    I apologize for the delay.

    Please don’t delete the shared WPT trace.
    Does it have lots of personal information?

    This file can help more people research and analyze this issue.

    Please check if we end the process and restart it in the task manager and check if the issue still exists.

    Best regards,
    Fangzhou CHEN

    Fangzhou CHEN
    TechNet Community Support

    Tuesday, February 10, 2015 7:45 AM