PCWDiagnostic.xml Troubleshoot and Download
Windows sometimes displays error messages about a corrupted or missing PCWDiagnostic.xml file. This can happen, for example, during a software installation. Each program requires certain resources, libraries, and source data to work properly, so a corrupted or missing PCWDiagnostic.xml file can cause the started process to fail.
PCWDiagnostic.xml is an Extensible Markup Language (XML) file. It was developed by Microsoft for use with Windows software. Here you will find detailed information about the file and instructions on how to proceed in the event of PCWDiagnostic.xml related errors on your device. You can also download a PCWDiagnostic.xml file compatible with Windows 10, Windows 8.1, Windows 7, and Windows 8 devices, which will (most probably) allow you to solve the problem.
Compatible with: Windows 10, Windows 8.1, Windows 7, Windows 8
- 1 Information about PCWDiagnostic.xml file
- 2 Errors related to PCWDiagnostic.xml file
- 3 How to fix PCWDiagnostic.xml related errors?
- 3.1 Scanning for malicious software
- 3.2 System and driver update
- 3.3 System File Checker tool
- 3.4 System recovery
- 4 Download PCWDiagnostic.xml
- 4.1 List of PCWDiagnostic.xml file versions
File info
General information | |
---|---|
Filename | PCWDiagnostic.xml |
File extension | XML |
Type | Data |
Description | Extensible Markup Language |
Software | |
---|---|
Program | Windows 10 |
Software | Windows |
Author | Microsoft |
Software version | 10 |
Details | |
---|---|
File size | 1483 bytes |
Oldest file | 2009-06-10 |
MIME type | application/xml |
There are various types of errors related to the PCWDiagnostic.xml file. The file may be located in the wrong directory on your device, may not be present in the system, or may be infected with malicious software and therefore not work correctly. Below is a list of the most common error messages related to the PCWDiagnostic.xml file. If you encounter one listed below (or a similar one), please consider the following suggestions.
- PCWDiagnostic.xml is corrupted
- PCWDiagnostic.xml cannot be located
- Runtime Error — PCWDiagnostic.xml
- PCWDiagnostic.xml file error
- PCWDiagnostic.xml file cannot be loaded. Module was not found
- cannot register PCWDiagnostic.xml file:
- PCWDiagnostic.xml file could not be loaded
- PCWDiagnostic.xml file doesn’t exist
Example error dialog (title "PCWDiagnostic.xml"): "Application could not be started because PCWDiagnostic.xml file is missing. Reinstall the application to solve the problem."
Problems related to PCWDiagnostic.xml can be addressed in various ways. Some methods are meant only for advanced users. If you don’t have confidence in your skills, we suggest consulting a specialist. Fixing PCWDiagnostic.xml file errors should be approached with the utmost caution, as any mistake can result in an unstable or improperly working system. If you have the necessary skills, please proceed.
PCWDiagnostic.xml file errors can be caused by various factors, so it is beneficial to try to fix them using various methods.
Step 1: Scan your computer for any malicious software
Windows files are commonly attacked by malicious software that prevents them from working properly. The first step in addressing problems with the PCWDiagnostic.xml file or any other Windows system file should be scanning the system for malicious software using an antivirus tool.
If you don’t have any antivirus software installed on your system yet, you should install it immediately. An unprotected system is not only a source of file errors but, more importantly, is vulnerable to many dangers. If you don’t know which antivirus tool to choose, consult this Wikipedia article – comparison of antivirus software.
Step 2: Update your system and drivers.
Installing relevant Microsoft Windows patches and updates may solve your problems related to the PCWDiagnostic.xml file. Use the dedicated Windows tool to perform the update.
- Go to the Windows «Start» menu
- Type «Windows Update» in the search field
- Choose the appropriate software program (name may vary depending on your system version)
- Check if your system is up to date. If any unapplied updates are listed, install them immediately.
- After the update has been done, restart your computer in order to complete the process.
Besides updating the system, it is recommended that you install the latest device drivers, as drivers can influence the proper working of PCWDiagnostic.xml or other system files. To do so, go to your computer or device manufacturer’s website, where you will find information regarding the latest driver updates.
Step 4: Restoring Windows system
Another approach is to restore the system to a previous state, from before the PCWDiagnostic.xml file error occurred. To restore your system, follow the instructions below.
- Go to the Windows «Start» menu
- Type «System Restore» in the search field
- Start the system restore tool – its name may differ depending on the version of the system
- The application will guide you through the process – read the messages carefully
- After the process has finished, restart your computer.
If all the above-mentioned methods failed and the PCWDiagnostic.xml file problem has not been resolved, proceed to the next step. Remember that the following steps are intended only for advanced users.
Download and replace PCWDiagnostic.xml file
The last solution is to manually download and replace the PCWDiagnostic.xml file in the appropriate folder on the disk. Select the file version compatible with your operating system and click the «Download» button. Next, go to your web browser’s «Downloaded» folder and copy the downloaded PCWDiagnostic.xml file.
Go to the folder where the file should be located and paste the downloaded file. Below is a list of example directory paths for the PCWDiagnostic.xml file.
- Windows 10: C:\Windows\diagnostics\index\
- Windows 8.1: C:\Windows\diagnostics\index\
- Windows 7: C:\Windows\diagnostics\index\
- Windows 8: —
If the steps did not solve your PCWDiagnostic.xml file problem, you should consult a professional. It is possible that the error(s) are device-related and therefore should be resolved at the hardware level. A fresh operating system installation might be necessary – a faulty system installation process can result in data loss.
File versions list
Filename | PCWDiagnostic.xml |
---|---|
System | Windows 10 |
File size | 1483 bytes |
Date | 2017-03-18 |
File details | ||
---|---|---|
MD5 | 4b9454d64146ab34d9b0d5ad9f73ebb3 | |
SHA1 | 9d314f475725244d0ed09c25ea358d094c273247 | |
SHA256 | 5f848d292d79ff87d52b04cea93c66b7c736bf1db92dbc19b557af46c7efc928 | |
CRC32 | 26a561f7 | |
Example file location | C:\Windows\diagnostics\index\ |
Filename | PCWDiagnostic.xml |
---|---|
System | Windows 8.1 |
File size | 1409 bytes |
Date | 2012-06-02 |
File details | ||
---|---|---|
MD5 | db134b427ec1ea9ee4ffdefa48e7d1f8 | |
SHA1 | 59c461e19bba9fff664bff867f8bf72aa1dfc933 | |
SHA256 | 88d20b1917669846d3e8e0cdd4ec5343cee8cb6c0752ef55a580a4244db51909 | |
CRC32 | 30e336d0 | |
Example file location | C:\Windows\diagnostics\index\ |
Filename | PCWDiagnostic.xml |
---|---|
System | Windows 7 |
File size | 1955 bytes |
Date | -0001-11-30 |
File details | ||
---|---|---|
MD5 | a7465e7500de9275ddfbc735729572ba | |
SHA1 | 6c0144f4858621b0323de6e98b54e8e2a56acfe0 | |
SHA256 | af00556b1a60daea23c0aa732517c2855f9a15f40b8f776e3ba73df99552844f | |
CRC32 | 80229eb8 | |
Example file location | C:\Windows\diagnostics\index\ |
Filename | PCWDiagnostic.xml |
---|---|
System | Windows 8 |
File size | 1409 bytes |
Date | 2012-06-02 |
File details | ||
---|---|---|
MD5 | db134b427ec1ea9ee4ffdefa48e7d1f8 | |
SHA1 | 59c461e19bba9fff664bff867f8bf72aa1dfc933 | |
SHA256 | 88d20b1917669846d3e8e0cdd4ec5343cee8cb6c0752ef55a580a4244db51909 | |
CRC32 | 30e336d0 | |
Example file location | — |
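Before a file is replaced as described above, the sizes and SHA256 values in the file versions list can be checked against both the copy already on disk and the downloaded copy. The following PowerShell is an added example, not part of the original page; the function names `Get-Sha256Hex` and `Test-PcwDiagnosticFile` and the Downloads path are assumptions, and it calls .NET hashing directly so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original page): check a PCWDiagnostic.xml file
# against the sizes and SHA256 values in the file versions list above.

# Reference values copied from the file versions list on this page.
$KnownVersions = @(
    @{ System = 'Windows 10'; Size = 1483
       SHA256 = '5f848d292d79ff87d52b04cea93c66b7c736bf1db92dbc19b557af46c7efc928' },
    @{ System = 'Windows 8.1 / Windows 8'; Size = 1409
       SHA256 = '88d20b1917669846d3e8e0cdd4ec5343cee8cb6c0752ef55a580a4244db51909' },
    @{ System = 'Windows 7'; Size = 1955
       SHA256 = 'af00556b1a60daea23c0aa732517c2855f9a15f40b8f776e3ba73df99552844f' }
)

# Hypothetical helper: lower-case hex SHA256 of a file, streamed from disk.
function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Dispose()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# Hypothetical helper: report whether a file matches a listed version
# on both size and SHA256.
function Test-PcwDiagnosticFile {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Resolve to a full path: .NET file APIs ignore the PowerShell location.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $size = (Get-Item -LiteralPath $full).Length
    $hash = Get-Sha256Hex -Path $full

    $match = $KnownVersions |
        Where-Object { $_.SHA256 -eq $hash -and $_.Size -eq $size }
    $system = $null
    if ($match) { $system = $match.System }

    New-Object PSObject -Property @{
        Path    = $full
        Size    = $size
        SHA256  = $hash
        Matches = [bool]$match
        System  = $system
    }
}

# The first path is the one listed on this page for Windows 10, 8.1 and 7;
# the Downloads path is an assumption about where the browser saved the file.
$candidates = @(
    'C:\Windows\diagnostics\index\PCWDiagnostic.xml',
    (Join-Path $env:USERPROFILE 'Downloads\PCWDiagnostic.xml')
)
foreach ($file in $candidates) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        Test-PcwDiagnosticFile -Path $file |
            Format-List Path, Size, SHA256, Matches, System
    } else {
        Write-Warning "Not found: $file"
    }
}
```

A match means the file is byte-identical to one of the versions listed on this page; a mismatch on the downloaded copy means it is not one of them.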
Windows 7 Program Compatibility Wizard Troubleshooter Error code 0x80131700
I recently upgraded my Vista Home Premium to Windows 7 and after upgradation I was continuously getting an error code that was getting generated because of the problem with the Program Compatibility Wizard Troubleshooter:
Package ID: PCWDiagnostic
Path: C:\Windows\diagnostics\system\PCW
Error code: 0x80131700
Source: Engine
User: XXXX/xxxxx
Context: Restricted
Can anyone help me out? Thank you
-
Re: Windows 7 Program Compatibility Wizard Troubleshooter Error code 0x80131700
Have you installed Microsoft .NET Framework 1.1? Because that might be a problem for you, but in any case you can find solutions for it in the following MS KB article: http://support.microsoft.com/kb/922377
DFI LANPARTY SLI-DR
AMD 64 x2 4800+
OCZ (2 x 512) DDR600
-
Re: Windows 7 Program Compatibility Wizard Troubleshooter Error code 0x80131700
1) Go to: C:\Windows\diagnostics\system\PCW
2) Double click on DiagPackage which is a Troubleshooting Pack type, that will open the Program Compatibility Wizard.
3) Click next, it will start searching for all the installed applications on your system, select one from them or if it’s not mentioned then click Not Listed then it will give you the browse option to find the application. Select your application and click next.
4) Click on Try recommended settings.
5) Click on Start the Program button, this will start your application, and click next.
6) You may face the UAC prompt asking to allow the application (Hoping your application is from safe source), allow the same.
7) If the application starts running, then click Yes, save these settings for this program; otherwise try other options. More information here.
08.04.2020, 12:04. Views: 2534. Replies: 2
Good day, dear forum members!
I needed to replace the hardware of an old but very important PC while keeping the OS (Win7 x64), environment, software, user profiles, etc.
Accordingly, I decided to move the OS image from the old hardware to the new, especially since I have already "upgraded" the hardware of quite a few PCs this way.
Since the task came up practically "out of nowhere", I was simply presented with a fact, and a day before the week-long "holidays" due to the coronavirus were announced, I had to take what the supplier had in stock.
What was purchased:
CPU: INTEL Core i5 6400 (LGA 1151)
RAM: CORSAIR Value Select CMV8GX4M1A2133C15 DDR4 — 8 GB
Motherboard: GIGABYTE GA-H110-D3A
I checked beforehand that the motherboard and processor are compatible with Win 7, provided the USB controller driver is additionally installed.
Later it turned out that the motherboard is not an ordinary one but one for mining, whatever that means.
The image of the old PC was taken with Veeam Agent; the image was taken without problems.
I assembled the hardware and deployed the image, everything as usual, no errors.
Then the PC starts, the user selection screen loads, I log in with the admin account, everything is fine, I see the desktop, and software from the OS autostart launches along the way. And when the message about installing device drivers appears at the bottom right, a BSOD occurs. The PC reboots and hits the BSOD again, but now at the Windows logo, and so on endlessly.
Error in the BSOD window: bsod pcw.sys address 8CED10ED base at 8CECA000, DateStamp 4a5bbf0e
What I tried in order to fix the error:
1. Replaced pcw.sys in the non-working OS with a copy of the file from a working OS, matching the OS bitness;
2. Deployed the OS image with the USB drivers integrated;
3. Deployed the image without installing any drivers at all; after that, a reboot loop occurred when the Windows logo appeared;
4. Renamed pcw.sys in the installed OS;
All without result.
What I plan to do:
1. Delete pcw.sys altogether, although in theory this is equivalent to renaming it, since the system simply won't find the file;
2. Check whether Win7 installs on the assembled PC at all; perhaps, because of some peculiarities, Windows 7 cannot work on such a build.
Please advise where to dig to fix the pcw.sys error.
Added 34 minutes later
Message from Vadim_PV
1. Delete pcw.sys altogether, although in theory this is equivalent to renaming it, since the system simply won't find the file;
I deployed the system image again.
Without starting the deployed OS, I booted from a live CD and deleted the file pcw.sys from the directory C:\Windows\System32\drivers.
I started the deployed OS, and so far the system is working.
Next I will install the drivers for the new motherboard and the new CPU.
Windows 7 Can Teach You PowerShell–Inbuilt Wealth of Scripts
This is looking at all scripts included in Windows 7. These contain a lot of useful sample code.
The purpose here is to show you the PowerShell scripts included in Windows; where I think a script contains useful code examples, I’ve listed what it can show you how to do.
Maintenance Troubleshooter
C:\Windows\diagnostics\scheduled\Maintenance\
Look in subfolders for example of localization.
- CL_Utility.ps1
- Using Environment Variables
- Reading Registry
- Retrieving Size of Folder
- Deleting Folder
- Delete Folders older than x months
- Get Free Disk Space
- Build list of files older than a certain date
- Convert KB to MB
- Convert B to GB
- Using delimited list
- Convert Path to WQL Compatible Path
- Test if Shortcut points to valid link
- Using embedded C# and Interop to interact with COM
- Update windows Time Source
- Get status of service
- Get System Drive Info
- Check if machine is domain joined
- Wait for a service to reach a particular status
- RS_AdminDiagnosticHistory.ps1
- RS_MachineWERQueue.ps1
- RS_RemoveShortcuts
- RS_RemoveUnusedDesktopIcons.ps1
- Get file name from full path
- Get proper date format
- Using ArrayList
- RS_SyncSystemTime
- Get Time Sync Type
- Update Time Sync Type
- Restart Service
- RS_UserDiagnosticHistory.ps1
- RS_UserWERQueue.ps1
- TS_BrokenShortcuts.ps1
- Check a directory for list of broken shortcuts
- TS_DiagnosticHistory.ps1
- TS_InaccurateSystemTime.ps1
- Check whether system time is accurate
- TS_UnusedDesktopIcons.ps1
- Get a list of unused files from a directory (i.e. haven’t been accessed in x months)
- TS_VolumeErrors.ps1
- Embedded C# with DllImport calling Windows APIs in Kernel32.DLL
- Test if Volume is Dirty
- TS_WERQueue.ps1
AERO Troubleshooter
C:\Windows\diagnostics\system\AERO\
- CL_AeroFeature.ps1
- Check if Aero Transparency is enabled
- CL_Invocation.ps1
- Start a process and wait for it to exit, with time-out
- CL_LoadAssembly.ps1
- Load Assembly by Namespace or from Path
- CL_RegSnapin.ps1
- Register/Unregister InstallUtil snap-in
- CL_RunDiagnosticScript.ps1
- CL_Utility.ps1
- Get absolute path of a file name (i.e. Join-Path & Get-Location)
- Get System Path
- Get Runtime Path
- Update Feature Assessment
- Check AERO Transparency using inline C# code and calls to dwmapi.dll
- Retrieve Power Policy Info
- Retrieve Theme Management using inline C# code
- Retrieve Theme Source Code using inline C# code and COM
- Compile C# Code
- Convert Power source name
- Wait for Service Status
- CL_VideoMemory.ps1
- Retrieve screen resolution data
- Check Video Memory
- Check Video Performance
- CL_WinSAT.ps1
- Check Video Memory Bandwidth
- Check if WinSAT has run
- Check if video card supports DirectX9.0
- Check if video card supports Pixel Shader Model 2.0 or higher
- Check if video card has WDDM driver
- MF_AERODiagnostic.ps1
- Embedded C# call windows API GetSystemMetrics in User32.dll
- Check if running on remote session
- RS_ChangeColorDepth.ps1
- Using MonitorSnapin.dll to set color depth on each monitor
- RS_ColorTheme.ps1
- WMI query
- Calling ThemeTool.exe to get current theme, get theme status, and get current visual style name
- RS_DWMEnable.ps1
- Enable DWM through registry and service configuration
- RS_PowerPolicySetting.ps1
- Set Balanced Power Policy
- RS_Themes.ps1
- WMI queries
- Restart Services
- RS_Transparency.ps1
- Enable AERO Transparency through registry and service restart
- RS_UXSMS.ps1
- WMI queries
- Restart Services
- RS_WinSat.ps1
- Invoke WinSat Display Assessment
- TS_ColorTheme.ps1
- Use of ThemeTool.exe to get current theme, get theme status, get current visual style name
- TS_DWMEnable.ps1
- Use of DesktopWindowsMgmt.dll to see if DWM is enabled
- TS_HardwareSupport.ps1
- Processing XML Data (WinSat –i.e. Windows Experience Index XML data)
- Detecting support for DirectX9 and Pixel Shader Model 2.0
- Check video memory size
- Use of MonitorSnapin.dll to check monitor resolution data
- TS_LowColorDepth.ps1
- Using MonitorSnapin.dll to check if any screen does not have 32-bit color enabled
- TS_MirrorDriver.ps1
- Embedded C# calling Windows APIs in User32.dll
- Check whether mirror driver is running or not
- TS_PowerPolicySetting.ps1
- Checking current Power Policy
- Using Regular Expressions
- Using System.Windows.Forms.SystemInformation
- TS_SKU.ps1
- Check if AERO is enabled?
- Using embedded C# & Interop to work with slc.dll
- TS_Themes.ps1
- Use of WMI to check status of Themes service
- TS_Transparency.ps1
- TS_UXSMS.ps1
- Use of WMI to check status of UXSMS service
- TS_WDDMDriver.ps1
- Processing XML
- Loading WinSat (Windows Experience) data to determine if WDDM driver is installed
- TS_WinSat.ps1
- Check whether WinSat (Windows Experience) has run
Audio Troubleshooter
C:\Windows\diagnostics\system\Audio\
- CL_Invocation.ps1
- Start a process and wait for it to exit, with time-out
- CL_LoadAssembly.ps1
- Load Assembly by Namespace or from Path
- CL_RegSnapin.ps1
- Register/Unregister InstallUtil snap-in
- CL_RunDiagnosticScript.ps1
- CL_Utility.ps1
- Get Audio Device Type Name
- Embedded C# & COM interaction –> IPolicyConfig
- Get localized Audio Device Type Name
- Get Device State Name
- MF_AudioDiagnostic.ps1
- Use AudioDiagnosticSnapIn.dll to get Audio Device ID
- Use inline C# and interop with User32.dll to check if running in Remote Session
- Export registry
- RS_AudioService.ps1
- Use WMI and ServiceProcess.ServiceController to check startup type of Audio services and reset to automatic if necessary
- RS_ChangeVolume.ps1
- Retrieve volume level of audio devices
- RS_EnableInCPL.ps1
- Enable audio device based on device ID
- RS_NotDefault.ps1
- Set Default Audio Device Endpoint
- RS_Unmute.ps1
- Check if audio device is muted, if it is unmute it
- TS_AudioDeviceDriver.ps1
- WMI to retrieve sound devices
- Check for any sound devices with errors
- Retrieve PNP Device ID of Audio Device
- TS_AudioService.ps1
- WMI to check Audio services are running
- TS_DisabledInCPL.ps1
- Check if audio device is disabled
- TS_LowVolume.ps1
- Check if audio device is low volume
- TS_Mute.ps1
- Check if audio device is muted
- TS_NotDefault.ps1
- Check default audio device
- TS_UnpluggedIn.ps1
- Check if speaker cable is connected to audio device
Device Troubleshooter
C:\Windows\diagnostics\system\Device\
- CL_DetectingDevice.ps1
- Use WMI to retrieve list of hardware devices
- Identify Config Manager Error codes on Devices
- CL_Utility.ps1
- Using inline C# to interop with setupapi.dll, cfgmgr.dll, user32.dll, newdev.dll, Wer.dll
- Identify Driver Not Found based on Device ID
- Wait for Driver Install
- Rescan all devices
- Reinstall device by device ID
- Show Update Driver Wizard
- Remove a device
- Enable a device
- Get Event
- Query Windows Error Reporting Response for a Device ID
- DB_DeviceErrorLibrary.ps1
- Creation of hash table
- Populate hash table with keys and localized strings
- RS_CheckDevices.ps1
- Read from hash table
- RS_DriverNotFound.ps1
- Use WMI to identify problematic devices
- Search event log for certain events
- RS_EnableDevice.ps1
- Enable all disabled devices
- RS_RescanAllDevices.ps1
- RS_UpdateDriver.ps1
- RS_WindowsUpdate.ps1
- TS_DeviceDisabled.ps1
- Use WMI to identify disabled devices
- TS_DriverNeedUpdated.ps1
- Use WMI to identify driver needs updating
- TS_DriverNotFound.ps1
- Use WMI to identify drivers not found
- TS_HardwareDeviceMain.ps1
- Use of hash table
- TS_NotWorkProperly.ps1
- Use WMI to identify devices not working properly
- TS_WindowsUpdate.ps1
- Use Registry key to check Device Driver Search Settings
Device Centre Troubleshooter
C:\Windows\diagnostics\system\DeviceCenter\
- CL_Utility.ps1
- Inline C# to interop ole32.dll & P/Invoke COM Interfaces
- Using Microsoft.Windows.Diagnosis.DDOManager
- TS_DeviceCenter.ps1
- Retrieve information on a problematic device
HomeGroup
C:\Windows\diagnostics\system\HomeGroup\
- CL_Detection.ps1
- Retrieve Home Group Name
- Check IPv6 is enabled
- Check HomeGroup Registry Keys
- Check Registry Key Permissions
- Check if Windows Firewall is Enabled
- Check Windows Firewall Rules
- Check Group Membership
- CL_INetwork.ps1
- Use of inline C# to interact with Network List Manager using included Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll
- Check if connected to Home Network
- Check if connected to Domain Network
- Set current network to Home
- CL_NativeMethods.ps1
- Use of inline C# to work with slc.dll and interface with com
- Check current Windows SKU functionality
- Check if domain joined
- Republish offline items from cache
- CL_Service.ps1
- Wait for service status
- Check if service is running
- Retrieve reference to service
- Set service start-up type to automatic
- CL_WscApi.ps1
- Use of inline C# to interact with wscapi.dll
- Check if firewall has configuration issue
- RS_ApplyFix.ps1
- Enable firewall rules
- Change NTFS permissions on files
- Add users to local group
- RS_LaunchInteraction.ps1
- Examples of using interaction in Windows Troubleshooter scripts
- RS_Service.ps1
- Set startup of all services related to HomeGroup to Automatic
- TS_HomeGroup.ps1
- Enable homegroup logging through registry key
- VF_HomeGroup.ps1
Networking Troubleshooter
C:\Windows\diagnostics\system\Networking
- HTInteractiveRes.ps1
- InteractiveRes.ps1
- NetworkDiagnosticsResolve.ps1
- NetworkDiagnosticsTroubleshoot.ps1
- NetworkDiagnosticsVerify.ps1
- StartDPSService.ps1
- UtilityFirewall.ps1
- Use inline C# to interop with Shlwapi.dll and FirewallAPI.dll
- UtilityFunctions.ps1
- UtilitySetConstants.ps1
- Use of Constants
Program Compatibility Wizard
C:\Windows\diagnostics\system\PCW
- RS_ProgramCompatibilityWizard.ps1
- Use of inline C# to interop with pcwutil.dll, apphelp.dll, kernel32.dll
- Get temporary file path
- Get file info
- Get media type
- Map file path to ID
- Get existing compat mode of an .exe path
- Set/Overwrite existing app compat mode of an .exe
- Get binary type
- Write event to event log
- TS_ProgramCompatibilityWizard.ps1
- Use of inline C# to interop with sfc.dll, acppage.dll
- Get Start Menu Path
- Get All Users Start Menu Path
- Get Desktop Path
- Check if file is “Protected”
- Implementing Sort
- Retrieve .exe from .lnk file
- VF_ProgramCompatibilityWizard.ps1
Performance Troubleshooter
C:\Windows\diagnostics\system\Performance
- CL_Utility.ps1
- Inline C# interop with wtsapi32.dll, user32.dll, powrprof.dll
- Get system path
- Get logged on users info – user name, domain name and session ID
- Get Windows Type
- Create Registry Key
- Backup the Startup Registry Key
- Backup Startup Link Files
- Remove Startup Programs
- Retrieve/Set Windows Power Configuration
- Check hardware is laptop
- Check screen saver configuration
- Change screen saver configuration
- Check if display is dimmed
- Get Inbox Exe Product Name
- RS_MultipleUsers.ps1
- Inline c# interop with wtsapi32.dll
- Force log off of specified users
- Use of ArrayList
- RS_PowerMode.ps1
- Set Balanced Power Plan
- RS_RemoveAllUsersStartupPrograms.ps1
- Remove All Users Start-up Programs in the registry
- RS_RemoveCurrentUserStartupPrograms.ps1
- Remove Current User Start-up Programs in the registry
- RS_StartSysMainService.ps1
- Find SysMain service using WMI and set to automatic startup
- RS_SwitchIntoDMA.ps1
- Switch disk devices into DMA-enabled mode
- RS_VisualEffects.ps1
- Launch window of performance options
- TS_MultipleAntivirusProducts.ps1
- Check for multiple anti virus products installed
- TS_MultipleUsers.ps1
- TS_PIOMode.ps1
- Check if disk devices are in PIO mode
- TS_PowerMode.ps1
- Check if Power Saver mode is enabled
- TS_SuperFetch.ps1
- Check if SysMain service is Running
- TS_TooManyStartupPrograms.ps1
- Enumerate all programs that run at startup
- TS_VisualEffects.ps1
- Check visual effects setting through Registry key
Power Troubleshooter
C:\Windows\diagnostics\system\Power
- Power_Troubleshooter.ps1
- Powerconfig.ps1
- Inline C# to interop with powrprof.dll
- Get friendly name of active power schema
- Check if laptop
- Check if video is dimmed
- Check for PPM Capability
- Check if screen saver is active
- Disable screen saver
- Get Active Schema GUID
- Set Active Schema GUID
- Get Power Settings
- Get Default Power Setting
- Get Balanced Power Plan
- Check Power Setting Access
- Check Active Scheme Access
- RS_AdjustDimDisplay.ps1
- Adjust Dim Display Power Settings
- RS_AdjustScreenBrightness.ps1
- Adjust Screen Brightness Power Settings
- RS_Adjustwirelessadaptersettings.ps1
- Adjust Wireless Adapter Power Settings
- RS_Balanced.ps1
- Retrieve Balanced Power Plan GUID
- Set current power plan to Balanced
- RS_ChangeProcessorState.ps1
- Change Processor Power Settings
- RS_DisableScreensaver.ps1
- Disable Screen Saver
- RS_DisableUSBSelective.ps1
- Change USB Power Settings
- RS_ResetDisplayIdleTimeout
- Reset display idle time out
- RS_ResetIdleDiskTimeout.ps1
- Reset idle disk timeout
- RS_ResetIdleSleepsetting.ps1
- Reset idle sleep setting
- TS_Balanced.ps1
- Check if high performance power plan is enabled
- TS_DimDisplay.ps1
- Check dim display settings
- TS_DisplayIdleTimeout.ps1
- Check display idle timeout
- TS_IdleDiskTimeout.ps1
- Check idle disk timeout
- TS_IdleSleepsetting.ps1
- Check idle sleep setting
- TS_MinProcessorState.ps1
- Check processor power state
- TS_ScreenBrightness.ps1
- Check screen brightness
- TS_ScreenSaver.ps1
- Check if screen saver is enabled
- TS_USBSelective.ps1
- Check if USB Selective Suspend is enabled
- TS_Wirelessadaptersettings.ps1
- Check Wi-Fi Idle Sleep settings
Printer Troubleshooter
C:\Windows\diagnostics\system\Printer
- CL_Utility.ps1
- Inline C# to interop with winspool.drv
- Retrieve absolute path of a filename
- Get system path of a filename
- Get printer attributes
- Get printer type
- Get printer status
- Check if printer is shared
- Set printer attributes
- Check if printer is virtual by the printer name
- MF_PrinterDiagnostic.ps1
- RS_CancelAllJobs.ps1
- Cancel all printer jobs for specified printer
- RS_DeletePrintJobs.ps1
- Delete files stuck in print queue
- RS_HomeGroup.ps1
- Share specified printer
- RS_NoPrinterInstalled.ps1
- RS_PrinterDriver.ps1
- Update Printer Driver
- RS_ProcessPrinterjobs.ps1
- Cancel print jobs of selected printer
- RS_RestartSpoolerService.ps1
- Restart Print Spooler Service
- RS_SpoolerCrashing.ps1
- Attempt to fix common issues with print spooler crashing
- RS_StartSpoolerService.ps1
- Start Spooler Service
- RS_WrongDefaultPrinter.ps1
- Retrieve current default printer
- Set new default printer
- TS_CannotConnect.ps1
- Ping server name
- Get printer port information
- TS_DefaultPrinter.ps1
- Check default printer
- TS_HomeGroup.ps1
- Get HomeGroup name
- Check if printer is shared
- TS_NoPrinterInstalled.ps1
- Check printer has no device driver installed
- TS_OutOfPaper.ps1
- Check if paper is out of printer
- TS_OutOfToner.ps1
- Check if out of toner
- TS_PaperJam.ps1
- Check if paper jammed
- TS_PrinterDriver.ps1
- Check if any print drivers need updates
- TS_PrinterDriverError.ps1
- Check for print driver errors
- TS_PrinterTurnedOff.ps1
- Check if printer is off
- TS_PrintJobsStuck.ps1
- Check for stuck print jobs
- TS_SpoolerCrashing.ps1
- Search event log to check if spooler is crashing
Search Troubleshooter
C:\Windows\diagnostics\system\Search
- CL_Utility.ps1
- Use of inline C# to interop with advapi32.dll
- Grant current process right to assign ownership of security descriptors
- RS_RestoreDefaults.ps1
- Restore default registry settings for Windows Search
- RS_RestorePermissions.ps1
- Retrieve Windows Search Data Directory
- Take ownership of a folder
- Grant NTFS permissions to a folder
- RS_StartIndexingService.ps1
- Use WMI to find Indexing Service and set start-up type to automatic
- TS_CheckPermissions.ps1
- Check NTFS permissions of a folder
- TS_FilterHostCrashing.ps1
- Check event log to see if filter host is crashing
- TS_ForcedShutdownInRecovery.ps1
- Check event log for forced shutdowns in recovery mode
- TS_ForcedShutdownNoCorruption.ps1
- Check event log for forced shutdowns when no corruption occurred
- TS_IndexingService.ps1
- Check if Indexing Service is Running
- TS_IndexingServiceCrashing.ps1
- Scan event log to check for indexing service crashes
- TS_ProtocolHostCrashing.ps1
- Scan event log for protocol host crashing
Windows Media Player Configuration Troubleshooter
C:\Windows\diagnostics\system\WindowsMediaPlayerConfiguration
- RS_ConfigurationErrors.ps1
- Backup and re-create Windows Media Player preferences through Registry
- RS_NetworkCacheCorrupted.ps1
- Retrieve file version of an .exe
- Re-create network cache file
- TS_IsWMPUnavailable.ps1
- Check if Windows Media player is installed
- TS_NetworkCacheCorrupted.ps1
- Check if Network Cache is corrupt
- Process XML data
- TS_WindowsMediaPlayer.ps1
- Check if process is running
Windows Media Player Library Troubleshooter
C:\Windows\diagnostics\system\WindowsMediaPlayerMediaLibrary
- RS_MediaLibCorrupted.ps1
- Get appdata path
- Delete directories
- Rename directory
- TS_IsWMPUnavailable.ps1
- Check if Windows Media player is installed
- TS_WindowsMediaPlayer.ps1
Windows Media Player DVD Troubleshooter
C:\Windows\diagnostics\system\WindowsMediaPlayerPlayDVD
- RS_DvdDecoder.ps1
- TS_DVDAudioDecoder.ps1
- Use registry to identify preferred decoder for DVD audio
- Check codec is installed
- TS_DVDDevice.ps1
- Check device has valid DVD
- TS_DVDVideoDecoder.ps1
- Use registry to identify preferred decoder for DVD video
- Check codec is installed
- TS_IsWMPUnavailable.ps1
- Check if Windows Media player
Windows Update Troubleshooter
C:\Windows\diagnostics\system\WindowsUpdate
- TS_Connectivity.ps1
- Check Windows update for available updates
- If unable to use Windows update collect relevant event logs
Profile.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\Examples
Provides examples of set-alias. Maps common bash/cmd syntax to PowerShell commands.
IE Browser Diagnostic
C:\Windows\winsxs\amd64_microsoft-windows-iebrowsewebdiagnostic_31bf3856ad364e35_6.1.7601.17514_none_829f3aa88408cea0
This location will vary based on x86 or x64 version of Windows and what build of the OS is used.
- CL_Utility.ps1
- Retrieve IE Add-on Publisher
- Retrieve Certificate Publisher
- Get IE Add-on Name from Guid
- Get IE Add-on Version Information
- Disable IE Add-On
- IEBrowseWeb_TroubleShooter.ps1
- RS_Disableaddon.ps1
- Disable list of add-ons
- RS_DisableaddonLoadingTime.ps1
- Retrieve loading time of add-ons
- RS_ResetCacheSize.ps1
- Reset IE Cache Limit
- RS_Resetpagesyncpolicy.ps1
- Reset IE Page sync policy
- RS_RestoreIEconnection.ps1
- Restore MaxConnectionsPerServer registry keys to default
- TS_IEAddon.ps1
- Retrieve info about IE Toolbars, Explorer Bars, Extensions, etc
- TS_IEAddonLoadingTime.ps1
- Retrieve IE add-on loading time information, report any add-ons taking more than 1 sec to load
- TS_pagesyncpolicy.ps1
- Check IE cache page sync settings
- TS_tempfilecachesize.ps1
- Retrieve temp cache file size
- VF_IEDefectiveAddon.ps1
IE Security Diagnostic Troubleshooter
C:\Windows\winsxs\amd64_microsoft-windowsiesecuritydiagnostic_31bf3856ad364e35_6.1.7601.17514_none_f28b13d21e65b224
This location will vary based on x86 or x64 version of Windows and what build of the OS is used.
- CL_Utility.ps1
- Use WMI to query Resultant Set Of Policy setting for a specific user
- IESecurity_TroubleShooter.ps1
- IEsecuritysettings.ps1
- Inline C# to interact with COM
- Perform IE repair to reset any insecure settings
- Retrieve IE zones
- Reset IE Protected Mode
- Check if IE Protected Mode is enabled
- RS_Blockpopups.ps1
- Disable Pop-ups through registry
- RS_IESecuritylevels.ps1
- RS_PhishingFilter.ps1
- Check if Phishing filter is enabled
- Enable Phishing filter
- TS_Blockpopups.ps1
- Retrieve IE Pop-up blocker settings
- TS_IEsecuritylevels.ps1
- Check IE security settings
- TS_PhishingFilter.ps1
- Check if Phishing filter is enabled
The End.
Epitaph: Inbuilt .VBS scripts
Most likely, if you have become comfortable with PowerShell, you will cringe each time you have to open a VBScript. Unfortunately it still sometimes comes back to haunt us. Some of the inbuilt VBScript files in Windows 7 include:
In C:\windows\system32
gatherNetworkInfo.vbs – Collects all kinds of details about network configuration and stores them in a bunch of .txt files
slmgr.vbs – for activation / licensing
winrm.vbs – Windows Remote Management
In C:\Windows\System32\Printing_Admin_Scripts\en-US
Scripts for doing all kinds of possible things with printer devices.
~ The end. Really.
Case of the IE9 .Partial Download Fail
One of the features many people (me included) had been requesting from IE for a long time was a download manager. IE9 has one, and it is nice when it works. But I and others I’ve spoken with have had an abnormally high rate of downloads failing, usually, it seems, at the point the file should have finished downloading:
Also in some cases when this occurs clicking Open Containing Folder does nothing:
The file is left with a .partial file extension. After renaming it to the correct extension it is still usable.
Loaded up ProcMon (http://live.sysinternals.com/ProcMon.exe) and added filter:
Then I re-kicked off the download
Download progress went to 98% then immediately to this. When this problem occurs for a download it occurs every time the particular file is downloaded:
Looking at the ProcMon log we see initially the file is downloaded to
%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\
We can also see InoRT.exe the Virus Scanner at work on the file.
Eventually it writes file into the download location as .partial file
We then see where it updates the NTFS stream of the file :Zone.Identifier followed by a SHARING VIOLATION error.
As a side note – if you want to view the NTFS stream just specify the filename and open using notepad i.e.
notepad Reflector7_0_1_1.zip.jsopacn.partial:Zone.Identifier
In any case, with the Anti-Virus going crazy over the .partial file, I temporarily disabled the Anti-Virus and downloads worked perfectly.
But what about other browsers that use download managers? I tried Firefox 4 … same issue. (Note: FireFox 3.x is not affected. It seems in earlier versions of FireFox a zero byte .zip file is created at the same time as the .zip.part file; when this occurs the download is successful. In FireFox 4 the .zip file only gets created at the end of the download.) FireFox downloads with a .part extension, then when the download is complete renames to the correct file. In this case the download got close to completion then suddenly failed, same as IE9. The only difference is that with FireFox, if I re-download the file and leave the temporary files there from the 1st download, the file will download OK. With IE9, when re-downloading the file the problem always reoccurs.
ProcMon log looked very similar:
However, with Google Chrome the download worked fine. Google Chrome downloads the file with a .crdownload extension, then renames to the correct file extension.
So here we find something important:
- At least two web browsers are affected by the issue
- On affected PCs the issue goes away when the anti-virus is disabled (not something you really want to do when downloading files from the internet)
- At least one web browser is not affected by the issue
- Further testing suggested this mostly occurred with .zip files, but not direct .exe files
- Tested with a different Anti-Virus – Microsoft Security Essentials and the problem did not occur
So while the anti-virus product (in this case CA eTrust) is partially to blame, what is different between the other browsers and Google Chrome?
Using ProcMon I documented the differences between the final stages of the file write (starting from the last WriteFile event):
IE9 | FireFox | Chrome |
WriteFile | WriteFile | WriteFile |
QueryBasicInformationFile | CloseFile | CloseFile |
CloseFile | QueryOpen | QueryOpen |
QueryOpen | QueryDirectory | QueryDirectory |
QueryOpen | QueryOpen | CreateFile |
CreateFile | QueryDirectory | QueryAttributeTagFile |
LockFile | QueryOpen | QueryBasicInformationFile |
QueryStandardInformation | CreateFile | SetRenameInformationFile |
ReadFile | QueryAttributeTagFile | CloseFile |
WriteFile | SetDispositionInformationCreateFile | |
SetEndOfFileInformationFile | CloseFile | |
UnlockFileSingle | QueryOpen | |
CreateFile | CreateFile | |
CloseFile | | |
CreateFile | | |
CloseFile | | |
CreateFile | | |
DeviceIOControl | | |
CloseFile | | |
CreateFile | | |
CreateFile | | |
CloseFile | | |
CreateFile | | |
CloseFile | | |
CreateFile | | |
DeviceIOControl | | |
CloseFile | | |
CreateFile | | |
CreateFile | | |
QueryOpen | | |
With Chrome it seems my Anti-Virus is not even attempting to scan the .crdownload file.
However when using IE initially the AV fails to open the file, but keeps trying:
The important thing though is the CreateFile parameters used:
Share Mode is read-write; this should be OK, other processes such as IE should still be able to write to the file.
But then later down the line another CreateFile event is different
In this case the file is opened by the Anti-Virus with Share Mode Read; this means other processes cannot write to the file.
Now we look at how Microsoft Security Essentials opens the file; on machines with this installed I have not been able to replicate this issue. Security Essentials performs CreateFileMapping on the .partial file but gets result FILE LOCKED WITH WRITERS twice, followed by FILE LOCKED WITH ONLY READERS on the actual .zip file. We don’t see any CreateFile events on the .partial file at all. (Much like with CA eTrust I do not see such events for Google Chrome’s .crdownload file)
After this CreateFileMapping we see the CreateFile events on the final .zip file.
However when going into the properties there is an important difference. All CreateFile events on the file from MS Security essentials were limited to access of Read Attributes, Synchronize and Share Mode allows Read, Write, and Delete.
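The effect of the share modes compared above can be reproduced on a scratch file. This is an added example, not code from the original post: the file names are constructed, and FileAccess.Read stands in for the scanner's access because .NET's File.Open cannot request attribute-only access.

```powershell
# Added example: works only on a scratch file under %TEMP%; names are constructed.
$dir     = Join-Path $env:TEMP ('sharemode-demo-' + [guid]::NewGuid())
$partial = Join-Path $dir 'sample.zip.partial'
$final   = Join-Path $dir 'sample.zip'
New-Item -ItemType Directory -Path $dir | Out-Null
[System.IO.File]::WriteAllBytes($partial, (New-Object byte[] 4096))

$open      = [System.IO.FileMode]::Open
$shareAll  = [System.IO.FileShare]'ReadWrite, Delete'

function Test-ShareMode {
    param(
        [string]$Label,
        [System.IO.FileShare]$ScannerShare
    )

    # The "scanner" opens the file first and keeps its handle while the
    # "browser" tries to finish the download.
    $scanner = [System.IO.File]::Open($partial, $open, [System.IO.FileAccess]::Read, $ScannerShare)
    $write  = 'ok'
    $rename = 'ok'
    try {
        # Browser step 1: reopen the file for writing.
        try {
            $w = [System.IO.File]::Open($partial, $open, [System.IO.FileAccess]::Write, $shareAll)
            $w.Dispose()
        }
        catch { $write = $_.Exception.GetBaseException().Message }

        # Browser step 2: rename .partial to the final name.
        try {
            [System.IO.File]::Move($partial, $final)
            [System.IO.File]::Move($final, $partial)   # restore for the next case
        }
        catch { $rename = $_.Exception.GetBaseException().Message }
    }
    finally { $scanner.Dispose() }

    New-Object PSObject -Property @{ Scanner = $Label; Write = $write; Rename = $rename } |
        Select-Object Scanner, Write, Rename
}

$results = @(
    Test-ShareMode 'Share Read'                ([System.IO.FileShare]::Read)
    Test-ShareMode 'Share Read, Write'         ([System.IO.FileShare]::ReadWrite)
    Test-ShareMode 'Share Read, Write, Delete' $shareAll
)
$results | Format-List

Remove-Item -LiteralPath $dir -Recurse -Force
```

With only Read shared, both the write and the rename fail with a sharing violation; sharing Read and Write lets the write through but still blocks the rename; only a handle that also shares Delete lets the rename complete.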
I couldn’t find any configuration options in IE9 regarding the download manager or ways to disable it. The reference to .partial is hard-coded into C:\windows\system32\ieframe.dll or C:\windows\syswow64\ieframe.dll (for 32-bit IE on 64-bit OS)
Using F12 to bring up Developer Toolbar in IE we can see the actual download of data from network completed without error:
Finally this does not occur on all downloads, not even all downloads of same file type.
Failed downloads include:
Downloads that worked:
In general it seems to only happen for me with files that are larger than a certain size (~2 MB+). Mostly .zip files, but in some cases .exe files as well (such .exe files so far have been self-extracting executables). Is anybody finding a pattern in which files fail for them?
Excluding .partial from real-time scanning will fix the issue. I am raising support case with the relevant AV vendor, as using another AV product this issue does not occur. I am also providing information about this problem directly to Microsoft, so let me know any details about your system/scenarios of this download. If IE9 implements this process of renaming file differently I believe it should also be able to resolve the issue. Immediately after the failure occurs I am able to manually rename the .partial file to the correct filename.
Thanks to readers for their comments. It seems the problem is known to occur with
- AVG
- McAfee Enterprise 8.8
- CA eTrust (ITM)
I can’t replicate the issue with
Let us know your configuration if you see this issue, and provide some examples of files attempting to download that are failing.
Case of the IE8 Download Opening with Wrong Application
When moving from IE6 to IE8 a customer had this issue with a web page. A file with .SIM extension when opened from Desktop opened in correct application. However when launched directly from IE it incorrectly attempted to open in QuickTime. This problem only occurred with IE8, not IE6.
On mouse over of the hyperlink the file showed in the status bar with the correct extension – .SIM
However when right clicking the link and selecting Save Target As the extension magically changed into .MOV. This also happened in IE6. The difference was that IE6, when using Open, opened it as .SIM.
So I started a ProcMon log (http://live.sysinternals.com/ProcMon.exe). As Windows uses Registry keys for file associations I set a filter to include the following: Operation is RegQueryValue, Process Name is Iexplore.exe and Process Name is wmplayer.exe. I looked for the start of the wmplayer.exe process and worked backwards. So I see Internet Explorer is treating the file as MIME type video/quicktime
Right clicking the selected entry and clicking Jump To we can see the reg key. We can see the registered extension here is .mov
Looking at HKCR\.sim we saw the file registration our app should be using to launch:
We also can see here the MIME type that should have been used application/x-sim
But why is it using QuickTime? As we didn’t have the luxury of the IE9 Developer Toolbar in this case, as in https://chentiangemalc.wordpress.com/2011/03/29/case-of-the-sap-do-you-want-to-open-or-save-tx-sapssd-on-ie9/, I went to using Fiddler (http://www.fiddler2.com), which is an absolutely great utility for capture and analysis of http/https traffic.
The trace showed the following:
So why is this file showing up as Content-Type: video/quicktime ?
To do that required connecting to IIS. In this case it was a legacy version IIS 6.0.
So connecting to the Web Server I right clicked Internet Information Services and selected Properties. Then clicked MIME Types…
Looking at the registered MIME Types the .sim extension was set to video/quicktime
Clicking Edit fixed it up to correct MIME type
Note: MIME Types can also be set per Web Site. This will be in the individual Web Site’s properties under the HTTP Headers tab.
This change fixed the issue; the .SIM file now opens correctly both from Web and Desktop.
Case of the Missing Desktop Shortcut Icons
On Windows 7 a user was reporting their desktop icons kept disappearing, but only specific ones. Each time they got re-created they kept disappearing randomly on Monday mornings.
Initial investigation started with the Event Log, and having an approximate time period assists. Windows 7 Event Viewer is far superior to that of Windows XP. One thing in Windows 7 is I usually check the initial summary screen to see if I find anything of interest. This is a very useful feature. Clicking on an event here will take you to all events of that type.
However a cause was not immediately obvious, so I set a filter on the date the problem occurred. I used Create Custom View in the right column
I used the Custom Range with an estimated start/end date of when the problem occurred.
I chose all the logs, but if you are looking at specific applications you can limit this further. In Windows 7 there are many very specific event logs, more so show up in Event Viewer than in XP.
When you choose a lot of event logs you get a warning. But if you’ve limited the time period it should be OK.
You can save your filter for frequent use, even categorize by folders if necessary.
I saw a lot of TaskScheduler events going and thought this is probably a good thing to filter on, so I updated the filter using Filter Current Custom View
This time I selected a more specific event log. You should know these; on Windows 7 there are many lifesavers here. The one for Task Scheduler is under Application and Service Logs –> Microsoft –> Windows –> TaskScheduler –> Operational
I also filtered by Event ID 102 which is Task Completed.
One I found was called Diagnosis
I then went to Task Scheduler, another MMC Snap-In that is vastly improved over the one in Windows XP. OK scheduled for Weekly on Sundays looks like good chance of culprit here.
From the General Tab we can see how this runs:
Key points here:
- It runs as INTERACTIVE – that is it runs as the logged in user account
- Only runs when user is logged on
- It will elevate to admin privilege if the logged in user is member of local administrators
- The task is Hidden –> This does not have much effect, Hidden tasks are shown in Task Scheduler by default. But you can switch it off by deselecting View –> Show Hidden Tasks
Looking at the trigger we can see what sets it off. Triggers here in Windows 7 are much more powerful than available through XP Task Scheduler GUI. If you have not explored the capabilities of Windows 7 here you should.
Conditions tab in addition shows us some important points for when the task gets started:
The final important point is the Settings tab. Good thing to know if this task has been running for 3 days it will get stopped automatically. But another important point is Run task as soon as possible after a scheduled start is missed.
But how to diagnose what this script does? When I looked in the Actions tab it just said Custom Handler. There was no way to get any info about what process launched, etc. To get this information for the in-built scheduled tasks I first exported the event as XML
Viewing the XML we see section
<Actions Context="Users">
  <ComHandler>
    <ClassId>{C1F85EF8-BCC2-4606-BB39-70C523715EB3}</ClassId>
  </ComHandler>
</Actions>
So I immediately checked HKCR\CLSID\{C1F85EF8-BCC2-4606-BB39-70C523715EB3}
Here we found a .DLL file. But we can’t execute that directly…
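The same lookup can be scripted for every scheduled task whose action is a COM handler rather than an executable. This is an added example, not code from the original post; it assumes the standard COM registration layout, where the DLL path is the default value of HKCR\CLSID\{ClassId}\InprocServer32, and the function names are made up for the example.

```powershell
# Added example: list scheduled tasks that run a COM handler and resolve each
# ClassId to the DLL registered for it. Function names are hypothetical.

function Get-ComHandlerClassId {
    param([string]$TaskXml)
    $doc = [xml]$TaskXml
    # Task XML is namespaced, so match on local names.
    foreach ($node in $doc.SelectNodes("//*[local-name()='ComHandler']/*[local-name()='ClassId']")) {
        $node.InnerText.Trim()
    }
}

function Resolve-ComServer {
    param([string]$ClassId)
    # Assumption: in-process server registered in the standard location.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$ClassId\InprocServer32"
    if (Test-Path -LiteralPath $key) {
        (Get-Item -LiteralPath $key).GetValue('')   # default value = DLL path
    }
}

function Get-ComHandlerTask {
    param($Folder)
    foreach ($task in $Folder.GetTasks(1)) {        # 1 = include hidden tasks
        foreach ($clsid in (Get-ComHandlerClassId $task.Xml)) {
            New-Object PSObject -Property @{
                Task    = $task.Path
                ClassId = $clsid
                Server  = (Resolve-ComServer $clsid)
            } | Select-Object Task, ClassId, Server
        }
    }
    foreach ($sub in $Folder.GetFolders(0)) {
        Get-ComHandlerTask $sub
    }
}

# 1) Offline check against the fragment shown in the post
#    (wrapped in a constructed <Task> root so it parses on its own).
$sample = @"
<Task>
  <Actions Context="Users">
    <ComHandler>
      <ClassId>{C1F85EF8-BCC2-4606-BB39-70C523715EB3}</ClassId>
    </ComHandler>
  </Actions>
</Task>
"@
$sampleId = Get-ComHandlerClassId $sample
"ClassId from sample : $sampleId"
"Registered server   : $(Resolve-ComServer $sampleId)"

# 2) Live enumeration of all task folders on this machine.
$service = New-Object -ComObject Schedule.Service
$service.Connect()
Get-ComHandlerTask $service.GetFolder('\') |
    Sort-Object Task |
    Format-Table -AutoSize -Wrap
```

An empty Server column means the ClassId has no InprocServer32 entry visible to the current user, which is worth a second look when reviewing tasks on a machine.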
This time I started ProcMon (http://live.sysinternals.com/ProcMon.exe) and set a filter on Details Contains sdiag then Include (This filter may not work in all cases, if not filter by path contains and the above CLSID, then trace events that follow)
Then using right side Action menu in Task Scheduler hit Run to run the Task.
Once again ProcMon comes to the party with some beautiful results…I smell a solution not far off. Looking through the sequence of events we see the .exe that gets launched: sdiagnhost.exe
I selected a sdiagnhost.exe event then hit Ctrl+R to reset filter, followed by right-clicking sdiagnhost.exe and selecting Include ‘sdiagnhost.exe’
Looking through the log I noticed it is launching .ps1 scripts, which are PowerShell cmdlets. Adding a filter Path ends with .ps1 we found them
OK! Pretty sure I found what I’m looking for here. TS_BrokenShortcuts.ps1. So I right clicked the Path and clicked Jump To… to display it in Explorer
But this didn’t bring me to the folder, because the folder had been deleted. It just opened up my profile folder.
But I then did a file search for the filename under C:\WINDOWS
So I found the file here
Looking at the directory structure we can see this is something based on the Windows Troubleshooting Framework. Your own Troubleshooters can be built using the Windows 7 SDK. Details about creating Troubleshooting packs can be found here: http://msdn.microsoft.com/en-us/library/dd776530.aspx
Some key components of a Windows Troubleshooting Package include:
File | Purpose |
DiagPackage.diagpkg | .XML file describing contents of the Troubleshooting package. Includes information such as Troubleshooter Name, Required PowerShell Version, Required OS Version, etc. PowerShell scripts to identify issues are defined in <Troubleshooter></Troubleshooter> tags. Scripts to resolve issues are defined in <Resolver></Resolver> tags. Scripts to verify issues are resolved are defined in <Verifier></Verifier> tags. Typically these are the same as the troubleshooter scripts, but they can be different. |
DiagPackage.dll | Contains resource strings for the Troubleshooter. Also will use files in locale specific directory i.e. \en-us\ etc |
CL_Utility.ps1 | Typically used in all the Microsoft Troubleshooter scripts, this is just a library of functions used by all scripts in that specific troubleshooter. |
TS_*.ps1 | The troubleshooter scripts. These may return values using a command like Update-DiagRootCause -id "RC_BrokenShortcuts" -Detected $true. The Resolver scripts then use this information to determine whether an issue requires fixing. |
RS_*.ps1 | The resolver scripts. These check for root causes configured by TS_*.ps1 scripts and will attempt to fix them. |
There are many such Troubleshooting scripts inbuilt to Windows 7, just search the Windows directory to find a treasure trove of PowerShell script samples. Looking at the .diagpkg XML file we can find the following steps in the process (note: I made these notes by quickly reviewing the scripts, if I made any error in analysis let me know):
Trouble-shooter | Resolver |
TS_BrokenShortcuts.ps1 1) Checks Desktop for broken shortcuts 2) Checks Start Menu Startup Path for broken shortcuts 3) Checks ability to delete shortcuts before adding them to the broken shortcut list. 4) If the total of broken Startup shortcuts + broken Desktop shortcuts exceeds 4 the root cause RC_BrokenShortcuts is set to true. | RS_RemoveShortcuts.ps1 If root cause RC_BrokenShortcuts is set to true the following actions are taken: 1) Broken shortcuts in Desktop folder are deleted. Items are deleted using Remove-Item [filename] -Force. Because -Force is used, setting the files to Read only will not prevent them from being deleted. |
TS_UnusedDesktopIcons.ps1 1) Looks at all shortcuts that haven’t been accessed in 3 months or longer | RS_RemoveUnusedDesktopIcons.ps1 If RC_UnusedDesktopIcons is set to true: 1) Provide list of files and last access time to users to confirm if they should be deleted |
TS_VolumeErrors.ps1 This script is an example of using inline C# in a PowerShell script and calling Windows API using Interop. 1) Loop through all Device_ID from Win32_LogicalDisk WHERE MediaType=12 | None |
TS_InaccurateSystemTime.ps1 1) Checks if w32time service is disabled, if so exits w32tm.exe /query /source 4) Checks each time server if pingable using command ping.exe $timeServer /n 2 w32tm.exe 6) If this failed will check time against time.windows.com | RS_SyncSystemTime.ps1 If RC_InaccurateSystemTime is set to true: 1) If machine is Domain Joined set and HKLM:\SYSTEM\CurrentControlSet\ 2) If machine is not Domain Joined and HKLM:\SYSTEM\CurrentControlSet\ |
TS_WERQueue.ps1 1) Check free disk space Default value of this key is 1. If this key is not set 100% will be allowed. 2) Check size of %LOCALAPPDATA%\Microsoft\Windows\WER\ReportQueue if (user queue size / (free space + user queue size) * 100) is greater than maximum queue size % root cause RC_WERQueue is set to True. 5) If free disk space + size of machine queue is greater than 0 and maximum % of queue size is greater than 0 perform the calculation: if (machine queue size / (free space + machine queue size) * 100) is greater than maximum queue size % root cause RC_WERQueue is set to True. | RS_MachineWERQueue.ps1 If RC_WERQueue is set to True. 1) Checks each sub folder of %ALLUSERSPROFILE% HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ PurgeThreshholdValueInKB (default is 10 KB) then the file is deleted. This continues until the correct % queue size of free disk space is reached. RS_UserWERQueue.ps1 Same as above, except folder is |
TS_DiagnosticHistory.ps1 1) Retrieves size of User Diagnostic Folder: %localappdata%\diagnostics 2) Retrieves size of Admin Diagnostics Folder: %localappdata%\elevateddiagnostic 3) Checks above folders for subfolders older than one month. If they are found it sets the root cause RC_DiagnosticHistory to true | RS_UserDiagnosticHistory.ps1 If RC_DiagnosticHistory is true then deletes subfolders older than 1 month in %localappdata%\diagnostics |
OK so now apologies if there was any information overload. But how do we solve the problem of the missing shortcut?
Well if we had started our search on http://support.microsoft.com we would have found the solution from Microsoft http://support.microsoft.com/kb/978980
Now to summarize the Microsoft solution;
1) Keep the number of broken shortcuts on your desktop to four or less.
2) If you must have more than four broken shortcuts on your desktop, you can disable the System Maintenance troubleshooter.
Instructions for disabling it are:
- Click Start and then click Control Panel.
- Under System and Security, click Find and fix problems.
- On the left navigation pane, click Change settings.
- Set Computer Maintenance to Off.
OK – but wait? What about all the useful stuff system maintenance does? And what about my shortcuts? I still need them on my Desktop?
1) How about patching the scripts to not remove Desktop icons?
Unless Microsoft fixes this, I would not recommend modifying the inbuilt scripts (if you can, and it still runs OK). If Windows Updates occur etc., there is a possibility your scripts get overwritten. Not a good idea to mess with stuff built into the OS. (except for fun)
2) Disable Computer Maintenance, copy the scripts to a new location, and just patch the desktop icon script. Create a new task scheduler event.
Yes, this would be possible, but a lot of effort & hacks required. Also if the Windows one got improvements, you wouldn’t get them.
3) I think at the moment if the two Microsoft suggestions don’t cut it the best option is to try:
Option 1
Modify the security permissions to ensure the current user does not have delete permission on the file.
This can be done as follows.
a) Right click the Desktop shortcut and click Properties, then click Advanced
b) Select the current logged in user and click Permissions
c) Untick Include inheritable permissions from this object’s parent
d) In the prompt Warning: If you proceed blah blah blah click Add
e) Set Delete permission to Deny. However keep in mind that in general it is never recommended to set Deny because using Deny often makes troubleshooting permissions issues harder later on. In any case it will be important to let the user know that once these permissions are changed they cannot delete this shortcut until they add back the Delete permission.
However I could still delete the shortcut. Clicking Effective Permissions and no delete was to be found.
So then I reset a filter in ProcMon with Path contains Dilbert – Shortcut.lnk. And I deleted the .lnk file. And no events in ProcMon. Even enabled Advanced Output, nothing.
OK either I’m up way too late or .lnk files completely bypass normal file operations and NTFS permissions. (Honestly it was the first time I’d ever tried to set permissions on them)
So Option 1 was a false alarm, turned out not to be a solution at all.
But don’t worry still came up with something:
Option 2
a) Right click on Desktop New –> New Shortcut
b) For location of item specify C:\windows\explorer.exe "network share"
c) Give it a friendly name
d) A shortcut that won’t get deleted. I hope!
Now to double test this I disconnected my network and ran a script, based off the Microsoft one, to check for invalid links to see if my new link would show up as invalid.
The program reported
Checking Desktop Icons…
Valid Link: d:\users\mccafferym\desktop\dilbert comic relief.lnk
I can delete this file: d:\users\mccafferym\desktop\dilbert comic relief.lnk
Which is good: because it’s valid it’ll never get deleted. And no permissions hacking either. Or disabling our friendly diag schedule.
The only bizarre consequence of this type of shortcut is that if you try to open it when there is no network connectivity to the server you don’t get an error message or anything. Nothing…and then about 30 seconds later My Documents pops up.
Hmm. So it’s not perfect.
Replacing Explorer.exe with Iexplore.exe works as well, but if you don’t have connectivity to the server you’ll get your homepage instead.
If you find any better solutions let me know. Now it’s 2:00 am and I think sleep might be a good idea.
P.S I did end up creating a shortcut I couldn’t delete, but it also crashed explorer whenever I clicked on it.
Finally, the PowerShell code to check whether links on the desktop will get deleted:
# Function to convert to WQL path
function ConvertTo-WQLPath([string]$wqlPath = $(throw "No WQL path is specified"))
{
    if($wqlPath -eq $null)
    {
        return ""
    }
    # Escape backslashes first, then single quotes, so the path is a valid WQL string literal
    return $wqlPath.Replace("\", "\\").Replace("'", "\'")
}
# Function to get desktop path
function Get-DesktopPath()
{
    # Inline C# property that returns the current user's Desktop directory
    $methodDefinition = @"
    public static string GetDesktopPath
    {
        get
        {
            return Environment.GetFolderPath(Environment.SpecialFolder.DesktopDirectory);
        }
    }
"@
    $type = Add-Type -MemberDefinition $methodDefinition -Name "DesktopPath" -PassThru
    return $type::GetDesktopPath
}
# Function to check whether the shortcut is valid
function Test-ValidLink([Wmi]$wmiLinkFile = $(throw "No WMI link file is specified"))
{
    if(($wmiLinkFile -eq $null) -or ([String]::IsNullOrEmpty($wmiLinkFile.Target)))
    {
        return $false
    }
    return Test-Path $wmiLinkFile.Target
}
# Function to check whether we have permission to delete the shortcut file
function Test-Delete([Wmi]$wmiLinkFile = $(throw "No WMI link file is specified"))
{
    if($wmiLinkFile -eq $null)
    {
        return $false
    }
    # 0x10000 is the DELETE access right
    return ($wmiLinkFile.AccessMask -band 0x10000) -eq 0x10000
}
"Checking Desktop Icons…"
[string]$desktopFolderPath = Get-DesktopPath
Get-ChildItem -Path $desktopFolderPath -filter *.lnk | Foreach-Object {
    $fullPath = ConvertTo-WQLPath $_.FullName
    $wmiLinkFile = Get-WmiObject -query "SELECT Name,Target,AccessMask FROM Win32_ShortcutFile WHERE Name = '$fullPath'"
    if (Test-ValidLink $wmiLinkFile)
    {
        "Valid Link: " + $wmiLinkFile.Name
    }
    else
    {
        "Invalid Link: " + $wmiLinkFile.Name
    }
    if(Test-Delete $wmiLinkFile)
    {
        "I can delete this file: " + $wmiLinkFile.Name
    }
    else
    {
        "CANT DELETE: " + $wmiLinkFile.Name
    }
}
Case of the Outlook 2010 Crash on Startup … even Outlook /Safe
One thing I’ve found with Outlook 2010 the hard way is that if settings are corrupted or not what Outlook is expecting, it will crash on start-up. People who know me know I hate to rebuild a PC to fix a problem…so here we go. Last time I had Outlook issues it was possible to rapidly find a solution without any logging tools, as documented here: Troubleshooting 101
This case I’m not so lucky.
Immediately after launching we see this – Microsoft Outlook has stopped working:
Launching Outlook /safe we get the same thing. If we do this twice we then get this message
Repair does not fix the problem. New user logging onto machine, same issue.
Initially I used ProcMon (http://live.sysinternals.com/ProcMon.exe) to look for any obvious causes of an app crash (i.e. missing DLLs, ACCESS DENIED events, etc)
This didn’t get me anywhere so I brought out WinDbg. To start ensure you’ve set up access to public Microsoft Symbols by running the following command from an administrative command prompt:
setx _NT_SYMBOL_PATH "srv*c:\symbols*http://msdl.microsoft.com/download/symbols" /M
You can get WinDbg from the Microsoft Windows SDK (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6b6c21d2-2006-4afa-9702-529fa782d63b&displaylang=en)
You can start by opening the executable using Ctrl+E or File | Open Executable…
So immediately I break into the debugger and in the command line I hit g [enter] where g is for GO.
I get warning of another first chance exception. These are OK if the program handles them. Only when these are unhandled do we get a crash. I hit g to go again, and we can see the status is *BUSY* so we know outlook is still running.
Then we break into our exception. First chance I hit g, second chance. Hmm. This is bad, lots of exclamation marks.
If you’ve ever tried analysing system crashes, in the application crash you can also use the !analyze -v command, but here the information is often less useful than when dealing with system crashes.
I used .restart command in debugger to restart Outlook. This time before we hit “g” for go we enable API logging with the following command:
!logexts.loge
API logging will give information about what Windows API are called with what parameters and the return codes, etc.
Now we can “g” for GO to start logging. However for some reason API logging didn’t work on Outlook.exe. I don’t know if this is some kind of protection built into the program or what, as using this same process on other machines has worked fine. Instead whenever logging was enabled I just got errors Access violation – code c0000005
EDIT: Thanks to Takashi Toyota from Japan (http://www.ttoyota.com/) for pointing out the reason for this error is that I was using the AMD64 version of WinDbg on a 32-bit process. To do API logging of a 32-bit process in 64-bit Windows I must also install the x86 version of the Windows Debugging Tools. From the WinDbg documentation when using an x64 host:
- If you are analyzing a dump file, and if the dump file was made on Windows XP or a later version of Windows, you can use either the 32-bit package or the x64 package. (It is not important whether the dump file is a user-mode dump file or a kernel-mode dump file, and it is not important whether the dump file was made on an x86-based or an x64-based platform.)
- If you are analyzing a dump file, and if the dump file was made on Windows 2000 operating system, you should use the 32-bit package. (It is not important whether the dump file is a user-mode dump file or a kernel-mode dump file)
- If you are performing live kernel-mode debugging, and if the target computer is running Windows XP or a later version of Windows, you can use either the 32-bit package or the x64 package. (This situation applies to both x86-based and x64-based targets.)
- If you are performing live kernel-mode debugging, and if the target computer is running Windows 2000, you should use the 32-bit package.
- If you are performing live user-mode debugging, use the x64 package for debugging WOW64 with both 64-bit and 32-bit code. To debug other targets, use a 32-bit debugger to debug 32-bit code.
To install all versions of Debugging Tools when installing Windows SDK select “Debugging Tools” under Redistributable Packages
If this had worked you would have seen a folder called LogExts on your Desktop and inside it two new files from this trace – in this case Outlook.exe.lgv and Outlook.exe.txt. The .lgv file is opened using logviewer.exe from the Debugging tools. You can use logger.exe from Debugging tools to generate these logs as well.
With not much luck going on here I launched the Mail Setup control panel applet. In this case I launched it from C:\Program Files (x86)\Microsoft Office\Office14\mlcfg32.cpl
This time when clicking E-mail Accounts… I got an error message box:
This application has requested the Runtime to terminate it in an unusual way. Please contact the application’s support team for more information.
Now this time I used the simple feature of ProcMon to find the process ID of the process. One of my favourite inbuilt features of ProcMon/ProcExp is the Window Finder. I just click and drag this over the message box to set a filter on that process. I then looked in the PID column to find the relevant process ID.
With the Process ID in hand I then went back into WinDbg and hit F6 to attach to a Process. I specified the Process ID I found in ProcMon and clicked OK.
Now the debugger is attached, and the program execution has stopped until I hit “g” to go again. However in this case I didn’t want to go, but I ran the classic !analyze -v again.
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Microsoft Office\Office14\omsxp32.dll –
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Microsoft Office\Office14\olmapi32.dll –
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Microsoft Office\Office14\MLCFG32.CPL –
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso.dll –
GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/KERNELBASE_dll/6_1_7601_17514/4ce7bafa/e06d7363/0000b727.htm?Retriage=1
FAULTING_IP:
KERNELBASE!RaiseException+58
7524b727 c9 leave
EXCEPTION_RECORD: ffffffffffffffff — (.exr 0xffffffffffffffff)
ExceptionAddress: 000000007524b727 (KERNELBASE!RaiseException+0x0000000000000058)
ExceptionCode: e06d7363 (C++ EH exception)
ExceptionFlags: 00000001
NumberParameters: 3
Parameter[0]: 0000000019930520
Parameter[1]: 00000000000de190
Parameter[2]: 000000006bc6054c
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: msvcrt!EHExceptionRecord ***
*** ***
*************************************************************************
FAULTING_THREAD: 0000000000001a7c
DEFAULT_BUCKET_ID: ZEROED_STACK
PROCESS_NAME: rundll32.exe
ERROR_CODE: (NTSTATUS) 0xe06d7363 – <Unable to get error code text>
EXCEPTION_CODE: (NTSTATUS) 0xe06d7363 – <Unable to get error code text>
EXCEPTION_PARAMETER1: 0000000019930520
EXCEPTION_PARAMETER2: 00000000000de190
EXCEPTION_PARAMETER3: 000000006bc6054c
MOD_LIST: <ANALYSIS/>
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRIMARY_PROBLEM_CLASS: ZEROED_STACK
BUGCHECK_STR: APPLICATION_FAULT_ZEROED_STACK
LAST_CONTROL_TRANSFER: from 0000000073bfdf60 to 000000007524b727
STACK_TEXT:
000de148 73bfdf60 e06d7363 00000001 00000003 KERNELBASE!RaiseException+0x58
000de180 6bc4b93e 000de190 6bc6054c 6bc3296c MSVCR90!_CxxThrowException+0x48 [f:\dd\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161]
WARNING: Stack unwind information not available. Following frames may be wrong.
000de1a0 6bc4b484 93e042cf 00000000 029b1528 omsxp32!XPProviderInit+0x45f0
000de1c8 6bc4b960 000de1e4 93e04107 00000000 omsxp32!XPProviderInit+0x4136
000de200 6bc4870b 65746b33 6bc44aff 00000028 omsxp32!XPProviderInit+0x4612
000de208 6bc44aff 00000028 93e04137 00010010 omsxp32!XPProviderInit+0x13bd
000de230 5f080b36 6bc30000 76c266bc 5f07a6ee omsxp32!ABProviderInit+0x39
000de294 5f08067e 029b0d48 029b1290 029213a8 olmapi32!ScCopyProps+0x965
000de334 5f07fbb8 029b0d48 3d010102 5f100ea0 olmapi32!ScCopyProps+0x4ad
000de3d4 5f07bac1 029b0d48 00000000 00000000 olmapi32!Ordinal297+0x82b
000de43c 5f07b54b 00000000 02920b58 00000000 olmapi32!MAPILogonEx+0x6b8
000de484 6fad2779 00000000 0238a104 00000000 olmapi32!MAPILogonEx+0x142
000de4a0 6fad5245 0238a104 0238a1c8 00128022 MLCFG32!DllMain+0x557
000de4c8 5f099f52 0238a100 0238a1d0 0238a100 MLCFG32!CPlApplet+0x28d
000dea4c 6fad563d 009a6268 0238a100 00000000 olmapi32!RPCTRACE+0x4ae
000dea70 6fad44dc 003514ae 02920e48 00000000 MLCFG32!CPlApplet+0x685
000deb0c 759f62fa 003514ae 00000111 00000454 MLCFG32!DllMain+0x22ba
000deb38 75a1f943 6fad442f 003514ae 00000111 USER32!InternalCallWinProc+0x23
000debb4 75a1f784 0051d4fc 6fad442f 003514ae USER32!UserCallDlgProcCheckWow+0x10f
000dec04 75a1f889 00e52e90 00000000 00000111 USER32!DefDlgProcWorker+0xb7
000dec24 759f62fa 003514ae 00000111 00000454 USER32!DefDlgProcW+0x29
000dec50 759f6d3a 75a1f860 003514ae 00000111 USER32!InternalCallWinProc+0x23
000decc8 759f965e 0051d4fc 776d4684 003514ae USER32!UserCallWinProcCheckWow+0x109
000ded0c 759f96c5 00e52e90 00000000 776d4684 USER32!SendMessageWorker+0x581
000ded30 75a35fbb 003514ae 00000111 00000454 USER32!SendMessageW+0x7f
000ded48 75a360fc 00e94570 00000000 00000000 USER32!xxxButtonNotifyParent+0x66
000ded70 75a2312e 0055cac8 00000000 00000001 USER32!xxxBNReleaseCapture+0x138
000dee0c 75a370b2 00e94570 00000000 00000202 USER32!ButtonWndProcWorker+0xa07
000dee34 759f62fa 00441602 00000202 00000000 USER32!ButtonWndProcW+0x54
000dee60 759f6d3a 75a3705e 00441602 00000202 USER32!InternalCallWinProc+0x23
000deed8 759f77c4 0051d4fc 7773819c 00441602 USER32!UserCallWinProcCheckWow+0x109
000def38 759f788a 7773819c 00000000 000def74 USER32!DispatchMessageWorker+0x3bc
000def48 75a1c81f 000def90 00000001 00e52e90 USER32!DispatchMessageW+0xf
000def74 75a1cde7 003514ae 00000000 0038156c USER32!IsDialogMessageW+0x5f6
000defb8 75a1cf5c 003514ae 0038156c 00000000 USER32!DialogBox2+0x15f
000defe4 75a1ce8a 68cb0000 68d6c174 0038156c USER32!InternalDialogBox+0xe5
000df004 75a1d009 68cb0000 68d6c174 0038156c USER32!DialogBoxIndirectParamAorW+0x37
000df028 6fad5add 68cb0000 0000044d 0038156c USER32!DialogBoxParamW+0x3f
000df074 6fad455a 68cb0000 0000044d 0038156c MLCFG32!CPlApplet+0xb25
000df09c 6fad463f 0038156c 00000000 02920e48 MLCFG32!DllMain+0x2338
000df0b8 6fad4e52 0038156c 02920dd8 0038156c MLCFG32!DllMain+0x241d
000df158 6fad4ef6 0038156c 0051dfb8 00000000 MLCFG32!DllMain+0x2c30
000df16c 75f69e2e 0038156c 00000005 00000000 MLCFG32!DllMain+0x2cd4
000df194 75f55fc1 0051dfb8 0038156c 00000005 SHELL32!CPL_CallEntry+0x3d
000dfa14 760c563e 0038156c 00170000 00515fec SHELL32!CPL_SwitchToOrLaunch+0x44c
000dfa30 0017137d 0038156c 00170000 00515fec SHELL32!Control_RunDLLNoFallback+0x18
000dfaa8 00171326 760c5626 0038156c 00170000 rundll32!CallRunDllFunction+0x22
000dfaf4 00171901 00515fa2 00000000 00515fec rundll32!wWinMain+0x122
000dfb88 75cf33ca 7efde000 000dfbd4 778c9ed2 rundll32!_initterm_e+0x1b1
000dfb94 778c9ed2 7efde000 7fac1d4b 00000000 kernel32!BaseThreadInitThunk+0xe
000dfbd4 778c9ea5 0017178c 7efde000 00000000 ntdll32!__RtlUserThreadStart+0x70
000dfbec 00000000 0017178c 7efde000 00000000 ntdll32!_RtlUserThreadStart+0x1b
FOLLOWUP_IP:
omsxp32!XPProviderInit+45f0
6bc4b93e cc int 3
SYMBOL_STACK_INDEX: 2
SYMBOL_NAME: omsxp32!XPProviderInit+45f0
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: omsxp32
IMAGE_NAME: omsxp32.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 4abf1222
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: ZEROED_STACK_e06d7363_omsxp32.dll!XPProviderInit
BUCKET_ID: X64_APPLICATION_FAULT_ZEROED_STACK_omsxp32!XPProviderInit+45f0
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/KERNELBASE_dll/6_1_7601_17514/4ce7bafa/e06d7363/0000b727.htm?Retriage=1
Followup: MachineOwner
———
Looking above, the crash points to a function in omsxp32.dll. I then clicked the hyperlink on this DLL name, which caused WinDbg to automatically run the command lmvm omsxp32, which lists details of this module. I highlight a key thing:
0:000:x86> lmvm omsxp32
start end module name
6bc30000 6bc69000 omsxp32 (export symbols) C:\Program Files (x86)\Microsoft Office\Office14\omsxp32.dll
Loaded symbol image file: C:\Program Files (x86)\Microsoft Office\Office14\omsxp32.dll
Image path: C:\Program Files (x86)\Microsoft Office\Office14\omsxp32.dll
Image name: omsxp32.dll
Timestamp: Sun Sep 27 17:20:02 2009 (4ABF1222)
CheckSum: 0003B96E
ImageSize: 00039000
File version: 14.0.4514.1004
Product version: 14.0.4514.0
File flags: 22 (Mask 3F) Pre-release Special
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0000.04e4
CompanyName: Microsoft Corporation
ProductName: Microsoft Office 2010
InternalName: OMS
OriginalFilename: OMSXP32.DLL
ProductVersion: 14.0.4514.1004
FileVersion: 14.0.4514.1004
FileDescription: Microsoft Outlook Mobile Service Provider
LegalCopyright: © 2009 Microsoft Corporation. All rights reserved.
If we look at the Outlook.exe product version, it doesn’t look like a match:
So I renamed omsxp32.dll to omsxp32.dll.bak and restarted Outlook:
OK, so Outlook is running again. In this case the machine had previously had a beta version of Office 2010 installed, hence the outdated DLL file. The uninstall of the beta mustn’t have worked properly, and this file wasn’t updated or replaced by the RTM version. Outlook still tried to load it, though, and didn’t have much luck with it.
Microsoft has an automated ‘Fix-It’ utility for when versions of Office do not uninstall properly, located here: http://support.microsoft.com/kb/290301
Because there was potential for other issues with beta leftovers, I used the Fix-It utility to completely remove Office 2010, then re-installed.
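The version check described above can be run directly on the debugger output. The following is an added example, not code from the original post: it parses an lmvm listing, decodes the File flags bits and compares the module's build with the host application's. The listing is abridged from the session above; the host version is a constructed stand-in, because the post's Outlook.exe version is not reproduced on this page.

```python
import re

# Bit names of VS_FIXEDFILEINFO.dwFileFlags (winver.h).
VS_FF = {
    0x01: "DEBUG",
    0x02: "PRERELEASE",
    0x04: "PATCHED",
    0x08: "PRIVATEBUILD",
    0x10: "INFOINFERRED",
    0x20: "SPECIALBUILD",
}

# lmvm output for the faulting module, abridged from the session above.
LMVM_OMSXP32 = r"""
start    end        module name
6bc30000 6bc69000   omsxp32    (export symbols)       C:\Program Files (x86)\Microsoft Office\Office14\omsxp32.dll
    Image name: omsxp32.dll
    Timestamp:        Sun Sep 27 17:20:02 2009 (4ABF1222)
    File version:     14.0.4514.1004
    Product version:  14.0.4514.0
    File flags:       22 (Mask 3F) Pre-release Special
    ProductName:      Microsoft Office 2010
"""

# Constructed stand-in for the host application's product version
# (assumption: the real Outlook.exe value is not shown on the page).
HOST_PRODUCT_VERSION = "14.0.5000.1000"

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.+?)\s*$")
FLAGS_RE = re.compile(r"([0-9A-Fa-f]+)\s+\(Mask\s+([0-9A-Fa-f]+)\)")


def parse_lmvm(text):
    """Return the 'Key: value' fields of one lmvm listing as a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            # Keep the first occurrence if the listing repeats a key.
            fields.setdefault(match.group(1), match.group(2))
    return fields


def decode_file_flags(value):
    """Decode '22 (Mask 3F) ...' into the names of the flag bits that are set."""
    match = FLAGS_RE.match(value)
    if not match:
        return []
    flags, mask = int(match.group(1), 16), int(match.group(2), 16)
    return [name for bit, name in sorted(VS_FF.items()) if flags & mask & bit]


def build_of(version):
    """First three components (major, minor, build) of a dotted version."""
    return tuple(int(part) for part in version.split(".")[:3])


def audit_module(lmvm_text, host_product_version):
    """Flag a module that is pre-release or built from a different build
    than the application loading it."""
    fields = parse_lmvm(lmvm_text)
    flags = decode_file_flags(fields.get("File flags", ""))
    module_version = fields.get("Product version")
    mismatch = (module_version is not None
                and build_of(module_version) != build_of(host_product_version))
    prerelease = "PRERELEASE" in flags
    return {
        "image": fields.get("Image name"),
        "product_version": module_version,
        "flags": flags,
        "prerelease": prerelease,
        "build_mismatch": mismatch,
        "suspect": prerelease or mismatch,
    }


if __name__ == "__main__":
    for key, value in audit_module(LMVM_OMSXP32, HOST_PRODUCT_VERSION).items():
        print(f"{key}: {value}")
```

A module that reports PRERELEASE inside a released product's install directory is worth checking even when its build number happens to match.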
Is App Virtualization an App Compat Solution?
A common question from customers migrating to Windows 7 is whether application virtualization solutions such as ThinApp / App-V will magically solve all Windows XP to Windows 7 migration problems. In this case I’m talking about desktop applications, not web applications.
Sorry to break it to you but the answer is no.
ThinApp and App-V, two of the most popular application virtualization solutions, work by separating registry & file access of the application from the host system. However both virtualization solutions still interact with the host operating system, and as a result may be subject to application compatibility issues with the host OS.
The chart below demonstrates in a very simplistic way how OS-level compatibility issues can still make it into the package. While file & registry reads (and in some cases writes) are virtualized, they are only virtualized when they are in the package created (typically, these are the files and registry keys that were added during installation capture). Because virtualization does not completely remove interaction with the host OS, there is still a reliance on the app being compatible with the host OS.
So for example, let’s say we take an application compiled against Microsoft Foundation Class Library 4.0 (MFC40.DLL). If this DLL is not installed during the capture process, the captured app may still fail to run on Windows 7. Yes, you can fix it in a virtual package by adding it into the package. But placing the .DLL in the same directory as the .EXE would probably have fixed it in a thick install.
Will it make migration easier?
Yes, probably. Typically virtualized apps take less time to package and require less conflict testing, as they run isolated. I say typically because typically you just capture, install and bob’s your uncle. However if that doesn’t work…it can get complex… As mentioned many times on VMWare’s site, “Know Thy App” is critical for successful app virtualization.
Will application virtualization automatically fix some issues?
Yes, primarily installation issues: there is no need to troubleshoot an installation when capturing an install on a previous OS. For example, if an MSI has an explicit OS version check, you may need to remove this check for the MSI to work on Windows 7. However, using ThinApp or App-V, if you capture the app on XP you won’t have to worry about fixing this.
But ThinApp Can Run IE6, Why Can’t it Run Anything?
It is possible to make IE6 run on Windows 7. The issue with running IE6 on Windows 7 is not that it is not compatible, but there are a lot of conflicts between IE6 & IE8. By virtualizing the application you reduce the risk of such conflicts. In addition in the case of ThinApp you can force certain sites to only load in IE6 so you don’t have the constant security threat of IE6 browsing in your environment.
Will App Virtualization fix ANY compatibility issue?
No. As much as I hate to say it (I hate the sight of XP) options like MED-V will offer the highest chance of fixing compatibility issues.
To quote from VMWare ThinApp’s official blog (emphasis added)
Just to clarify.. ThinApp will not magically make an application run on Windows 7 if it is not supported on Windows 7. That said, we do offer some help with ThinApp. Great examples are Internet Explorer 6, Adobe Reader 5 and Lotus Notes 6.5.6. All not running natively on Win7 but does so with the help of ThinApp. It may be tricky to find the solution and there are no guarantees. The workaround is often to include older Windows XP dlls into the package and that might make the application run on Win7.
We blogged about this back in 2009 but with all the Windows 7 migrations going on it is time to emphasize the importance of the blog post.
The method discussed here: http://blogs.vmware.com/thinapp/2009/03/common-system32-dlls.html will help you to run many Windows XP legacy applications on Windows 7 even though they do not run natively installed on Win7. Adding MSVCP50.dll to a project helped me out just the other day.
Make sure you are using ThinApp version 4.5 or later. We added support for Windows 7 in version 4.5 so using an older version will not work.
(original post: http://blogs.vmware.com/thinapp/2011/04/making-windows-xp-only-apps-run-on-windows-7.html)
And on App-V from the TechNet site (emphasis added)
Is Microsoft App-V an Application-Compatibility Solution?
Microsoft App-V is, first and foremost, an application management and deployment solution that can convey significant benefit to the enterprise—reducing packaging costs, increasing system stability, and supporting today’s highly mobile workforce with dynamic access to software assets. But as part of the marketing messaging, the overloaded term application compatibility grew to be misinterpreted over time: that App-V could help with compatibility problems between the application and the OS. For the most part, it can’t.
(source: http://technet.microsoft.com/en-us/magazine/ff458340.aspx)
The best news: most applications are compatible with Windows 7. (unless you haven’t upgraded apps in 10 years)
But when they aren’t, what are some app compat solutions?
OK, some of the techniques I’ve used:
- Use free analysis tools such as Application Compatibility Toolkit (ACT) to identify high risk apps and in some cases known fixes. Also contains IE8 compatibility assessment tool – great for developers to find issues in their IE6 only websites. (http://www.microsoft.com/downloads/en/details.aspx?FamilyID=24da89e9-b581-47b0-b45e-492dd6da2971&displaylang=en)
- If you have existing terminal services / Citrix running a legacy OS like Server 2003 (is that legacy yet? for me it is) you might be able to use that. But then you still have to keep the old OS in the environment. And really why would you NOT want to be using Server 2008 R2 Server Manager & full integration with PowerShell management…
- Haven’t used them but tools below may help in automated fixes
- APP-DNA (http://www.app-dna.com/)
- AdminStudio (http://www.flexerasoftware.com/products/adminstudio-application-compatibility-pack.htm)
- ChangeBase AOK (http://www.changebase.com/)
- None of these are “silver bullets” that will fix every issue. And they are subject to “false positives”, i.e. saying an app will not work when for all intents and purposes it just does.
- For IE6 compat in IE8 or IE9, Browsium provides a great end user experience (best thing: no IE6 user interface) http://www.browsium.com/
- Standard User Analyzer from ACT can also automatically fix many issues related to getting apps designed for admin users to work under UAC
- ProcMon to identify issues, fix with SHIMs (again using ACT)
- Throwing the computer out the window
- Melting hard disks in 2,000 degree Celsius furnace (actually I didn’t try this, but would like to)
- Reading Dilbert Cartoons to maintain sanity
- Yes MED-V would probably work, but I hate XP and hope I never have to use it. But I probably will someday. Sigh.
- Migrate to Linux to eliminate the headache of all your existing application portfolio and spend the rest of your life re-compiling drivers each time a kernel upgrade occurs.
And if any of this doesn’t make sense, I apologize, I probably should have had less coffee and more sleep.
If you have better ideas please let me know
Case of the Frozen Device Driver Uninstall
So I found that on my Windows 7 x64 SP1 machine, for any device driver I tried to uninstall, Device Manager just froze… going on five minutes, I thought this was a bit ridiculous. Restarted the machine twice and still had the same issue. Tried several different devices; the problem applied to every one I tried. Better find out what’s going on.
So I launched ResMon.exe, which has a really simple way of telling us what is causing a program to hang. I did this by right-clicking the .exe and selecting Analyze Wait Chain.
So here I can see thread 2084 is waiting on the DcomLaunch service with Process ID 764.
Finding the mmc.exe process with PID 4668 in Process Explorer (http://live.sysinternals.com/procexp.exe) we right click it and select Properties. In the Threads tab we can see why it’s frozen:
I also looked at threads in the relevant SvcHost.exe however I’m not clear what’s going on here.
So this time I launch Process Monitor (http://live.sysinternals.com/ProcMon.exe) I repeat the process again – finding the hung thread in MMC.exe using ResMon. Then I create a filter in ProcMon to only view that thread, in this case TID is 5940:
The ProcMon log reminds me of something obvious…why didn’t I check setupapi.dev.log??? A great thing about ProcMon is you often find apps write log files somewhere, even if you didn’t know about it….
However looking at the log doesn’t give me much of a clue. No errors or anything out of the ordinary. So I go to last MMC.exe event in the ProcMon log, right clicked it and chose Properties. Then on the Stack tab:
Whenever I see 3rd-party DLLs involved I tend to rate them as high risk, and will try to rule them out first. ino_fltr.sys is part of CA Etrust Anti-Virus. So I disabled it temporarily (be very cautious whenever disabling Anti-Virus, and be sure to re-enable it afterwards).
In this case I disabled 3 services used by the Anti-Virus:
I restarted my machine, and voila – I can uninstall device drivers now. After uninstalling my device driver I re-enabled the services and ensured they were started.
Strange things which I will probably never know the answer to:
- After re-enabling Anti-Virus could not reproduce the problem – any device driver uninstalled almost instantly
- Tested on multiple devices with same Windows 7 image and same Anti-Virus software could not reproduce the problem again.
iPhone Configuration Utility and DLL Hell
In Windows NT 4.0, DLL hell was a common occurrence. It was critical to install all apps, service packs and option packs in very specific orders to get a reliable system. When DLL conflicts occurred it was called ‘DLL HELL’, mostly because finding the root cause of such problems was a hellish experience. Today you can use application virtualization technologies such as ThinApp or App-V to eliminate these issues. However, even without app virtualization, such issues are rare on modern Windows and with good application design can be completely eliminated. Examples of techniques for eliminating this at the application level can be found in the MSDN article “Avoiding DLL Hell”: http://msdn.microsoft.com/en-us/magazine/bb985026.aspx
But if the app has a problem, you don’t have app virtualization as an option, and there is no fix from software provider available…a bit of ProcMon and file copies are probably all you need to fix it.
On launching iPhone Configuration Utility (iPCU) I was getting this error: The procedure entry point CFHTTPMessageSetHeaderFieldValue could not be located in the dynamic link library CFNetwork.dll. Tried on a few machines in my environment, all had the same error. Re-install of iTunes & iPhone Configuration utility didn’t fix the issue.
The error message displayed after entry point not found suggested re-installation of Apple Mobile Device Support.
However it was definitely installed, re-installing, updating to latest iTunes did not make the error go away.
So straight to ProcMon set a filter where
· Process Name is iPCU.exe
· Result is not SUCCESS
I then launched the iPhone Configuration Utility. I right-clicked one entry where the result was “FAST IO DISALLOWED” and selected “Exclude ‘FAST IO DISALLOWED’”. This result gives no indication that the actual file access failed; an IRP-based operation will be tried instead. For more info on FAST IO refer to
“Disallowing a Fast I/O Operation in a Preoperation Callback Routine” http://msdn.microsoft.com/en-us/library/ff540121(VS.85).aspx
Looking here we find many attempts to load the cfNetwork.dll failing…
Now, as DLLs are looked for in multiple locations (including the current directory of the app and the directories in the PATH environment variable), I checked whether the load succeeded anywhere… To do this I set my filter to
· Path contains CFNetwork.dll
· Result is SUCCESS
The result … it’s trying to load cfNetwork.dll from a directory that contains neither the DLLs included with Windows nor Apple’s DLLs. Hmm. Seems strange…
A quick check for cfNetwork.dll on the system, by running dir cfNetwork.dll /s from C:, finds two. The DSM one is significantly smaller and does not have CFHTTPMessageSetHeaderFieldValue.
Checking the path we can see why the DSM one was being used:
Copying “C:\Program Files\Common Files\Apple\Apple Application Support\CFNetwork.dll” to the same directory as iPCU.exe, “C:\Program Files\iPhone Configuration Utility”, fixes the issue. Note we could have also copied it to C:\Windows\System32 (or C:\Windows\SysWow64 on a 64-bit OS, as iPCU.exe is a 32-bit EXE). However, this could have introduced the risk that DSM would then access the Apple version of this DLL instead of its own.
All looks good now.
Moral of the story; Don’t forget to ProcMon. And with some better application design it is possible to eliminate this problem altogether…
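The two ProcMon filters used above can also be applied offline to a CSV export. This is an added example, not code from the original post: it lists the failed probes for a DLL and flags a load from outside the expected directories. The CSV rows, the `C:\Tools\DSM` path and the trusted-directory list are constructed assumptions; the page does not show where the non-Apple copy actually lives.

```python
import csv
import io
import ntpath

# Constructed ProcMon CSV export using ProcMon's default columns.
# "C:\Tools\DSM" is a placeholder path, not taken from the page.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.101","iPCU.exe","4120","CreateFile","C:\Program Files\iPhone Configuration Utility\CFNetwork.dll","NAME NOT FOUND",""
"10:01:02.102","iPCU.exe","4120","CreateFile","C:\Windows\SysWOW64\CFNetwork.dll","NAME NOT FOUND",""
"10:01:02.103","iPCU.exe","4120","CreateFile","C:\Windows\CFNetwork.dll","NAME NOT FOUND",""
"10:01:02.104","iPCU.exe","4120","QueryOpen","C:\Tools\DSM\CFNetwork.dll","FAST IO DISALLOWED",""
"10:01:02.105","iPCU.exe","4120","CreateFile","C:\Tools\DSM\CFNetwork.dll","SUCCESS",""
"10:01:02.106","iPCU.exe","4120","Load Image","C:\Tools\DSM\CFNetwork.dll","SUCCESS",""
"10:01:02.200","other.exe","5000","Load Image","C:\Program Files\Common Files\Apple\Apple Application Support\CFNetwork.dll","SUCCESS",""
'''

# Directories this DLL is expected to load from (assumption for the example).
TRUSTED_DIRS = [
    r"C:\Program Files\iPhone Configuration Utility",
    r"C:\Program Files\Common Files\Apple\Apple Application Support",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
]

# FAST IO DISALLOWED is not a failure: the I/O is retried through an IRP.
IGNORED_RESULTS = {"FAST IO DISALLOWED"}
MISS_RESULTS = {"NAME NOT FOUND", "PATH NOT FOUND"}


def trace_dll(csv_text, process, dll_name):
    """Return (failed probe paths, path the image was loaded from or None)."""
    probes, loaded_from = [], None
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if ntpath.basename(row["Path"]).lower() != dll_name.lower():
            continue
        result = row["Result"]
        if result in IGNORED_RESULTS:
            continue
        if result in MISS_RESULTS:
            if row["Path"] not in probes:
                probes.append(row["Path"])
        elif (row["Operation"] == "Load Image" and result == "SUCCESS"
              and loaded_from is None):
            loaded_from = row["Path"]
    return probes, loaded_from


def is_trusted(path, trusted_dirs):
    """Case-insensitive check that the file sits directly in a trusted dir."""
    folder = ntpath.normcase(ntpath.dirname(path))
    return any(folder == ntpath.normcase(d) for d in trusted_dirs)


def audit_dll_load(csv_text, process, dll_name, trusted_dirs=TRUSTED_DIRS):
    """Summarise where a process looked for a DLL and where it found it."""
    probes, loaded_from = trace_dll(csv_text, process, dll_name)
    unexpected = loaded_from is not None and not is_trusted(loaded_from, trusted_dirs)
    return {
        "failed_probes": probes,
        "loaded_from": loaded_from,
        "unexpected_location": unexpected,
    }


if __name__ == "__main__":
    report = audit_dll_load(PROCMON_CSV, "iPCU.exe", "CFNetwork.dll")
    for path in report["failed_probes"]:
        print("miss  ", path)
    print("loaded", report["loaded_from"])
    print("unexpected location:", report["unexpected_location"])
```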
Troubleshooting 101
I love going deep and trying to look into memory dumps and gigabyte-sized ProcMon logs, and through pages of API traces, etc. That being said, there is a case for the old-fashioned classic troubleshooting methods that pretty much apply in any industry & technology. The great thing about classic troubleshooting methods is that without even knowing the technology/product you can often make more progress than a random attack at mountains of data. (OK, it doesn’t help that I’m no Raymond Chen on WinDbg – I have no choice but to start at basics)
I say this having seen many such examples throughout my career but write this because today I saw another great example.
A large organization had Outlook crashing all over the place. It was unstable. It froze. It took 5 minutes to send an email. It was a consistently reproducible problem. Microsoft was engaged in a support case, as was the Anti-Virus vendor, as that was suspected as a potential cause. Now Microsoft support asked for tests to be run. These are valuable tests, and what I would run myself. However this is where they started:
1) Reproduce problem 5 times, 1 minute apart, each time running ADPlus -hang to generate 5 user mode dumps.
2) Reproduce problem, generate a FULL memory dump on the client.
3) Reproduce problem generate a ProcMon log.
All great steps in troubleshooting application hangs, I don’t doubt that. So on 3 machines these tests were run and 16 GB of logs produced to transfer to Microsoft support. Two days later (possibly overwhelmed by all the data) Microsoft support asked for even more tests running additional tracing tools. Again perfectly valid for identifying application hangs.
However, through this period I managed to get involved, and I’m proud to say that despite Microsoft having a week’s head start on me I was able to very rapidly identify the root cause & resolve the issue without examining any logs or memory dumps. In fact total troubleshooting time was probably about 15 minutes of testing.
So my conversation with a technical resource at customer site is something like this…
When did this start happening?
Since they migrated from GroupWise to Outlook.
How frequently does this occur?
Every time they send an email.
What version of Outlook / OS are you using?
Office XP + Office 2007, Windows XP SP3. We think the crashes might be caused by the different office versions.
Have you tried running Outlook without add-ins?
No.
Can you please run Outlook /safe?
OK. Just a moment…
5 minutes later…
OMG! The problem doesn’t occur anymore.
What add-ins do you have?
Three add-ins….
Please enable one at a time to rule out which add-in is causing the problem. Make a table like this:
Add-In #1 | Add-In #2 | Add-In #3 | Issue Occurs? |
---|---|---|---|
Disabled | Disabled | Disabled | No |
Enabled | Enabled | Enabled | Yes |
Enabled | Disabled | Disabled | Yes |
Disabled | Enabled | Disabled | No |
Disabled | Disabled | Enabled | No |
Disabled | Enabled | Enabled | No |
Quick look at this table and you see Add-in #1 is the culprit. OK…
What version of add-in #1 do you have?
Version 7.5.
And a quick Google search later I found that this version of the add-in was not supported on Outlook 2007, and the latest version was 9.2.
Contacted the vendor – the customer is entitled to a free client upgrade. Upgraded 3 users to test and the problem instantly disappeared. All without touching a log file…
Moral of the story: Advanced troubleshooting techniques are great, but don’t use these techniques as a replacement for the basics. Check the basics first. What’s changed? When did it start happening? How many users affected? Happens at home/in office/etc? Version of software? Event log? Another machine? 3rd-party add-ins/etc…
EDIT: 3 weeks later Microsoft came back and confirmed what I found.
Case of the SAP ‘Do you want to open or save tx.sapssd?’ on IE9
Having in the past week passed all my usual tests for web browsing, IE9 was sent off to users for UAT (my confidence was pretty strong, as that group included my management and general managers). Yet I wasn’t surprised to find something in SAP was broken, because advanced SAP users always break something. Until the day my dream of eliminating SAP GUI becomes a reality, I had to fix the issue. The component that was broken was the advanced reporting functions that hook into the SAP GUI. Although this worked fine in IE8, on IE9 users were receiving the message “Do you want to open or save tx.sapssd from sap url?”
A quick search of this prompt found many people experiencing this same issue on earlier versions of IE when file registration was configured for the extension .sapssd. There was no file registration information for this extension, and re-installing SAP GUI didn’t make the error go away. So I wondered: what are the IE8 and IE9 versions doing differently?
To do this I went to my all-time favourite tool, ProcMon (http://live.sysinternals.com/ProcMon.exe), and set a filter where “Path” contains “.sapssd”.
I just refreshed the page, did not click Open, Save or Cancel, and looked at the ProcMon log. What I noticed:
1) The file gets created in the temporary cache area
2) HKCR\.sapssd and HKCU\.sapssd are both checked to see if file extension is registered, but it is not
3) The registry entry HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sapssd is created (not shown in below screenshot)
4) After that pretty much nothing exciting happens, even if you click Open you just get prompted what app to open it with
I then launched a ThinApp’ed (http://www.vmware.com/products/thinapp/overview.html) instance of IE8 on the same machine to compare the difference:
The launch was almost exactly the same, except this time the key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sapssd did not get recreated
Importantly we got to a point where SAP GUI was launched:
With the first instance of saplogon.exe selected, I then reset my ProcMon filter using Ctrl+R so I could work back to find out how IE knew to load saplogon.exe:
Actually I had a lot of events to go through; I just wanted to get to the start of saplogon.exe, so I hit Ctrl+T to bring up the Process Tree, then found saplogon.exe and clicked ‘Go To Event’. This took me to the Process Start event for the process.
At this point I just wanted to find the Internet Explorer events again, so I right-clicked Internet Explorer and chose Include.
I scrolled up through a few pages of events until I saw what I was looking for. A CLSID entry – this can trigger the app to launch. Right clicking the Registry Value I used the “Jump To” option to take me straight there…
An export of this key demonstrated this was what I wanted to launch. The key is included below for the benefit of anyone who ever has SAP nightmares again. But in this case the value I looked at here was the default value for CLSID\{83658045-6571-3232-7082-797884697869}\ProgID, which gave me SAPFront.App. I then also found and exported HKCR\SAPFront.App.
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}]
"SapCreateKey"=dword:00000000
@="SAP Logon Application"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\AuxUserType]
"SapCreateKey"=dword:00000000
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\AuxUserType\2]
"SapCreateKey"=dword:00000000
@="SAP Logon"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\AuxUserType\3]
"SapCreateKey"=dword:00000000
@="saplogon"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\DefaultExtension]
"SapCreateKey"=dword:00000000
@=".gui, Filetype (*.gui)"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\DefaultIcon]
"SapCreateKey"=dword:00000000
@="\"C:\\Program Files\\SAP\\FrontEnd\\Sapgui\\saplogon.exe\",0"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\DocObject]
"SapCreateKey"=dword:00000000
@="0"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\InprocHandler32]
"SapCreateKey"=dword:00000000
@="ole32.dll"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\Insertable]
"SapCreateKey"=dword:00000000
@=""
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\LocalServer32]
"SapCreateKey"=dword:00000000
@="\"C:\\Program Files\\SAP\\FrontEnd\\Sapgui\\saplogon.exe\" /Inplace"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\MiscStatus]
"SapCreateKey"=dword:00000000
@="32"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\Printable]
"SapCreateKey"=dword:00000000
@=""
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\ProgID]
"SapCreateKey"=dword:00000000
@="SAPFront.App"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\Verb]
"SapCreateKey"=dword:00000000
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\Verb]
"SapCreateKey"=dword:00000000
@="&Edit,0,2"
[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\Verb\1]
"SapCreateKey"=dword:00000000
@="&Open,0,2"
; SapFront.App
[HKEY_CLASSES_ROOT\SapFront.App]
"SapCreateKey"=dword:00000000
@="SAP Logon Application"
"EditFlags"=hex:00,00,01,00
[HKEY_CLASSES_ROOT\SapFront.App\CLSID]
"SapCreateKey"=dword:00000000
@="{83658045-6571-3232-7082-797884697869}"
[HKEY_CLASSES_ROOT\SapFront.App\DocObject]
"SapCreateKey"=dword:00000000
@="0"
[HKEY_CLASSES_ROOT\SapFront.App\Insertable]
"SapCreateKey"=dword:00000000
@=""
[HKEY_CLASSES_ROOT\SapFront.App\protocol]
"SapCreateKey"=dword:00000000
[HKEY_CLASSES_ROOT\SapFront.App\protocol\StdFileEditing]
"SapCreateKey"=dword:00000000
[HKEY_CLASSES_ROOT\SapFront.App\protocol\StdFileEditing\server]
"SapCreateKey"=dword:00000000
@="\"C:\\Program Files\\SAP\\FrontEnd\\Sapgui\\saplogon.exe\""
[HKEY_CLASSES_ROOT\SapFront.App\protocol\StdFileEditing\verb]
"SapCreateKey"=dword:00000000
[HKEY_CLASSES_ROOT\SapFront.App\protocol\StdFileEditing\verb]
"SapCreateKey"=dword:00000000
@="&Edit"
OK but the strange part is – these keys exist on the machine with IE9? Why aren’t they working? This time I went back to IE9 and hit F12 to bring up the most wonderful developer toolbar I’ve ever found in a browser. On the Network tab I hit Start.
What do we find here…HOW AWESOME IS THIS INFORMATION? I don’t have to go and download & install Fiddler for some basic analysis. Great. This file it’s trying to download has a fancy MIME type… application/vnd.sap-gui
I then went back to ProcMon and hit Ctrl+F to search on application/vnd.sap-gui
Sure enough Internet Explorer 9 had looked for it but come up short:
I created the following registry key to register the MIME type to the CLSID I had found earlier:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.sap-gui]
"CLSID"="{83658045-6571-3232-7082-797884697869}"
After adding this key I immediately refreshed IE9 without restarting:
and instantly SAP menu is back alive & kicking
The best part, all done without reverting my UAT user back to IE8. Despite the “end of financial year pressure” (We operate on Japanese financial new year, so the end is two days away) I hate to go backwards…
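The lookup chain traced above (MIME content type to CLSID to LocalServer32) can be checked offline against a .reg export before a new MIME mapping is rolled out, since that mapping decides which local executable the browser hands the download to. This is an added example, not code from the original post; `parse_reg` and `resolve_mime` are hypothetical names, and the sample export is constructed from the keys quoted above.

```python
import re

# Constructed sample: a trimmed .reg export built from the keys quoted in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/vnd.sap-gui]
"CLSID"="{83658045-6571-3232-7082-797884697869}"

[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\ProgID]
@="SAPFront.App"

[HKEY_CLASSES_ROOT\CLSID\{83658045-6571-3232-7082-797884697869}\LocalServer32]
@="\"C:\\Program Files\\SAP\\FrontEnd\\Sapgui\\saplogon.exe\" /Inplace"
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: string_data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg files escape backslash and double quote with a backslash
            current[name.lower()] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def resolve_mime(keys, mime):
    """Follow MIME type -> CLSID -> LocalServer32 and report where the chain stops."""
    root = "hkey_classes_root"
    ct = keys.get(f"{root}\\mime\\database\\content type\\{mime}".lower())
    if not ct or "clsid" not in ct:
        return {"status": "mime-not-registered"}
    clsid = ct["clsid"]
    base = f"{root}\\clsid\\{clsid}".lower()
    server = keys.get(base + "\\localserver32", {}).get("")
    if server is None:
        return {"status": "clsid-has-no-server", "clsid": clsid}
    progid = keys.get(base + "\\progid", {}).get("")
    return {"status": "ok", "clsid": clsid, "progid": progid, "command": server}

if __name__ == "__main__":
    print(resolve_mime(parse_reg(SAMPLE_REG), "application/vnd.sap-gui"))
```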