Sysinternals Forums - ProcMon Hangs up during initialization

Author

Message

Topic Search

Topic Options

Post Reply

Create New Topic

Printable Version

PaulForbes View Drop Down

Newbie

Joined: 28 July 2007
Online Status: Offline
Posts: 1

Quote

Topic: ProcMon Hangs up during initialization
Posted: 28 July 2007 at 7:10am

Another hanging on initialization person.

Vista home, running trend micro av.

ReneeFox

Newbie

Joined: 03 June 2007
Location: United States
Online Status: Offline
Posts: 29

Quote

Posted: 28 July 2007 at 11:16am

Maybe we should change the Topic of this post to "ProcMon Hangs after Initialization," because I think I get past that part. Nobody has said exactly where the process is when it hangs.

I do have great news, though. I won't be needing ProcMon, because all my Internet-jumping up and down caused EA to join up with nVidia, and they fixed the problem. Turns out that nVidia knew about this 2 years ago, and just needed a proverbial kick in the butt to fix it. I gave EA a proverbial kick to give nVidia one. So, I'm very happy because I love the game and haven't been able to play it right since I started playing it; crashes became more frequent, and annoying as all get out!

Smile

I Love Computers!

Jeff Hook

Newbie

Joined: 01 August 2007
Online Status: Offline
Posts: 2

Quote

Posted: 01 August 2007 at 12:38pm

I'd like to know if I can use FileMon in Windows XP Home with SP2 due to my inability to run Process Monitor 1.20.0.0.

Optional details are below:

Most Sysinternals users seem to be IT professionals &/or "power users." I'm only a home user who's unable to use Process Monitor in XP Home, with SP2. I was looking for a current version of FileMon, but I found these notes at Sysinternals' FileMon page:

++++

Note: Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x…

…FileMon works on NT 4.0, Windows 2000, Windows XP, Windows XP and Windows Server 2003 64-bit Edition, Windows 2003 Server, Windows 95, Windows 98 and Windows ME….

++++

I assume this means FileMon *isn't* regarded as appropriate for XP with SP2, so I obtained Process Monitor version 1.20.0.0 yesterday, but I wasn't able to run it.

It opened a reduced-size GUI, with the word “initializing” displayed on the bottom frame, but then didn’t respond further. Task Manager reported two instances of it but both were “not responding.” I repeatedly tried “End Task” with no effect, in Task Manager, sending many error reports to Microsoft. I wasn't able to reboot, and I was forced to "power down" the system unit by pressing its power button. I worried about the effects of this, but the system seemed to reboot without any sign of damage.

I'm using Task Manager even though I've recently read on Sysinternal's Process Explorer page that users can substitute that utility for Task Manager. I was so favorably impressed by Sysinternal's comprehensive list of utilities, and by their thorough Web pages, that I assumed I'd found a "mother lode" of helpful software. This was my first attempt to use a Sysinternals utility, and I never expected this type of problem.

Jeff Hook

NJ,USA

Edited by Jeff Hook - 02 August 2007 at 4:26pm

Thur

Newbie

Joined: 09 August 2007
Online Status: Offline
Posts: 3

Quote

Posted: 09 August 2007 at 9:56am

I am facing exactly the same problem:

1. First instance of procmon.exe hangs. There is no way to terminate the process and windows does not shut down completely.
2. Second started instance of procmon.exe is running just fine.

I tried to gather some information on the hanging instance using windgb. I am not an expert on this topic, though:

lkd> !process 88b9f020
PROCESS 88b9f020 SessionId: 0 Cid: 0dd4    Peb: 7ffdf000 ParentCid: 0de4
    DirBase: 6e1e4000 ObjectTable: e3ea4498 HandleCount: 68.
    Image: Procmon.exe
    VadRoot 884415b8 Vads 81 Clone 0 Private 489. Modified 2019. Locked 0.
    DeviceMap e1a7b318
    Token                             e406d4a8
    ElapsedTime                      00:14:16.371
    UserTime                          00:00:00.030
    KernelTime                        00:00:00.300
    QuotaPoolUsage[PagedPool]        39380
    QuotaPoolUsage[NonPagedPool]      3400
    Working Set Sizes (now,min,max) (1431, 50, 345) (5724KB, 200KB, 1380KB)
    PeakWorkingSetSize               1432
    VirtualSize                      808 Mb
    PeakVirtualSize                   808 Mb
    PageFaultCount                    3517
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      808

        THREAD 8a3c1b80 Cid 0dd4.03ec Teb: 7ffde000 Win32Thread: e1509008 WAIT: (UserRequest) KernelMode Non-Alertable
            b4b9a770 NotificationEvent
        Not impersonating
        DeviceMap                 e1a7b318
        Owning Process            88b9f020       Image:        Procmon.exe
        Wait Start TickCount      400193        Ticks: 57733 (0:00:09:38.161)
        Context Switch Count      291                 LargeStack
        UserTime                  00:00:00.020
        KernelTime               00:00:00.300
        Win32 Start Address 0x00130000
        Start Address kernel32!BaseProcessStartThunk (0x7c810665)
        Stack Init b4b9ab30 Current b4b9a6ec Base b4b9b000 Limit b4b94000 Call b4b9ab3c
        Priority 10 BasePriority 8 PriorityDecrement 2 DecrementCount 16
        ChildEBP RetAddr
        b4b9a704 804dc0f7 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b4b9a710 804dc143 nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b4b9a738 805a3126 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
        b4b9a7c4 b7f68e07 nt!NtLoadDriver+0x179 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
        b4b9a888 804de7ec Sandbox+0x13e07
        b4b9a888 7c91eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b4b9a894)
        004c51f4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

lkd> !thread 8a3c1b80
THREAD 8a3c1b80 Cid 0dd4.03ec Teb: 7ffde000 Win32Thread: e1509008 WAIT: (UserRequest) KernelMode Non-Alertable
    b4b9a770 NotificationEvent
Not impersonating
DeviceMap                 e1a7b318
Owning Process            88b9f020       Image:        Procmon.exe
Wait Start TickCount      400193        Ticks: 26845 (0:00:04:28.836)
Context Switch Count      291                 LargeStack
UserTime                  00:00:00.020
KernelTime               00:00:00.300
Win32 Start Address 0x00130000
Start Address kernel32!BaseProcessStartThunk (0x7c810665)
Stack Init b4b9ab30 Current b4b9a6ec Base b4b9b000 Limit b4b94000 Call b4b9ab3c
Priority 10 BasePriority 8 PriorityDecrement 2 DecrementCount 16
ChildEBP RetAddr Args to Child
b4b9a704 804dc0f7 8a3c1bf0 8a3c1b80 804dc143 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
b4b9a710 804dc143 e4243cb2 00000000 e4243c38 nt!KiSwapThread+0x46 (FPO: [0,0,0])
b4b9a738 805a3126 00000000 00000006 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
b4b9a7c4 b7f68e07 0012f380 b4b9a894 0012f368 nt!NtLoadDriver+0x179 (FPO: [Non-Fpo])
WARNING: Stack unwind information not available. Following frames may be wrong.
b4b9a888 804de7ec 0012f380 004c51f4 7c91eb94 Sandbox+0x13e07
b4b9a888 7c91eb94 0012f380 004c51f4 7c91eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b4b9a894)
004c51f4 00000000 00000000 00004000 77417918 ntdll!KiFastSystemCallRet (FPO: [0,0,0])

Hope this helps..

Edited by Thur - 09 August 2007 at 10:14am

mastabog

Newbie

Joined: 16 July 2007
Online Status: Offline
Posts: 3

Quote

Posted: 09 August 2007 at 4:44pm

Bug still present in the new v1.21 ...

There have one major release v1.2 and one minor v1.21 and this is still ignored. This is a major bug ... really. It's odd that it doesn't get fixed.

Mark

Members Profile

Send Private Message

Find Members Posts

Visit Members Homepage

Add to Buddy List

Admin Group

Joined: 04 June 2005
Location: United States
Online Status: Offline
Posts: 454

Quote

Posted: 11 August 2007 at 4:17pm

What's the "Sandbox" driver you have on your system?

Please post crash dump to someplace I can access and I'll take a look. When you're connected with the kernel debugger you can save a dump with the ".dump" command.

controler

Senior Member

Joined: 01 October 2006
Online Status: Offline
Posts: 222

Quote

Posted: 12 August 2007 at 6:38am

I am having the same exact problem here.

Dell with Nvidia card, Win XP freshly reformated and have KAV's new suit running.

Freezes at 27 % here after 91,000 events.

Is this a problem if we are running procmon as a user with admin priv's?

I just uninstalled KAv and procman works fine now without hanging :-)

I installed RKU first to try terminate procman if it hung. I could reinstall KAV and see if the problem returns.

controler

Edited by controler - 12 August 2007 at 7:01am

Thur

Newbie

Joined: 09 August 2007
Online Status: Offline
Posts: 3

Quote

Posted: 12 August 2007 at 1:29pm

The "sandbox" driver belongs to the Agnitum Outpost Firewall. This one looked suspicious to me as well, so I installed Outpost on a clean Windows XP in a virtual machine and procmon was running just fine there. You can get a trial version here http://www.agnitum.com/products/outpost/download.php.

I created a kernel memory dump and uploaded it to rapidshare.com.
The archive is password protected and the password is: procmontestdump.
You can download it from this link: http://rapidshare.com/files/48600862/MEMORY.rar.

Mark

Members Profile

Send Private Message

Find Members Posts

Visit Members Homepage

Add to Buddy List

Admin Group

Joined: 04 June 2005
Location: United States
Online Status: Offline
Posts: 454

Quote

Posted: 12 August 2007 at 4:31pm

I've taken a look at the dump you've uploaded and can conclusively say that it's not a Process Monitor problem. It's not clear what driver is at fault, though, but the suspects around the hang are:

* Sandbox.sys: the Agnitum Outpost Firewall driver

* A347bus.sys: the Alcohol driver

* Amon.sys: the NOD32 Antivirus driver

* rffsd.sys: the NetDrive driver

I recommend you disable these one at a time until the hang problem no longer reproduces to narrow in on the one at fault.

Jeff Hook

Newbie

Joined: 01 August 2007
Online Status: Offline
Posts: 2

Quote

Posted: 12 August 2007 at 4:52pm

I installed a 30-day trial copy of v. 2.7 of the NOD32 AV "suite" on 7-26-07, before I made my first attempt to run Process Monitor 1.20.0.0 on 7-31-07. This NOD32 text explains the suite's modules:

+++++++++++++

AMON – the resident (running in operating memory at all times) or file system monitor. This program is the most crucial antivirus defense tool and should always be enabled.

NOD32 – (also referred to as the "on-demand" scanner) this is the scanner executed manually by the user, or automatically by the scheduler.

IMON (Internet MONitor) - this scanner provides the first line of defense by monitoring Internet traffic (POP3 protocol for e-mail and HTTP for files downloaded from the Internet via HTTP)

DMON (Document MONitor) - this scanner provides protection from macro viruses in MS Office documments, works with applications utilizing MS Antivirus API (e.g. MS Office 2000 and higher, Internet Explorer 5.0 and higher)

EMON (Email MONitor) – this scanner provides protection from email-borne viruses for MAPI compatible mail clients

+++++++++++++

Jeff Hook

NJ, USA

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version
PaulForbes Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 28 July 2007 Online Status: Offline Posts: 1	Quote Reply Topic: ProcMon Hangs up during initialization Posted: 28 July 2007 at 7:10am
	Another hanging on initialization person. Vista home, running trend micro av.

ReneeFox Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 03 June 2007 Location: United States Online Status: Offline Posts: 29	Quote Reply Posted: 28 July 2007 at 11:16am
	Maybe we should change the Topic of this post to "ProcMon Hangs after Initialization," because I think I get past that part. Nobody has said exactly where the process is when it hangs. I do have great news, though. I won't be needing ProcMon, because all my Internet-jumping up and down caused EA to join up with nVidia, and they fixed the problem. Turns out that nVidia knew about this 2 years ago, and just needed a proverbial kick in the butt to fix it. I gave EA a proverbial kick to give nVidia one. So, I'm very happy because I love the game and haven't been able to play it right since I started playing it; crashes became more frequent, and annoying as all get out!
	I Love Computers!

Jeff Hook Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 August 2007 Online Status: Offline Posts: 2	Quote Reply Posted: 01 August 2007 at 12:38pm
	I'd like to know if I can use FileMon in Windows XP Home with SP2 due to my inability to run Process Monitor 1.20.0.0. Optional details are below: Most Sysinternals users seem to be IT professionals &/or "power users." I'm only a home user who's unable to use Process Monitor in XP Home, with SP2. I was looking for a current version of FileMon, but I found these notes at Sysinternals' FileMon page: ++++ Note: Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x… …FileMon works on NT 4.0, Windows 2000, Windows XP, Windows XP and Windows Server 2003 64-bit Edition, Windows 2003 Server, Windows 95, Windows 98 and Windows ME…. ++++ I assume this means FileMon isn't regarded as appropriate for XP with SP2, so I obtained Process Monitor version 1.20.0.0 yesterday, but I wasn't able to run it. It opened a reduced-size GUI, with the word “initializing” displayed on the bottom frame, but then didn’t respond further. Task Manager reported two instances of it but both were “not responding.” I repeatedly tried “End Task” with no effect, in Task Manager, sending many error reports to Microsoft. I wasn't able to reboot, and I was forced to "power down" the system unit by pressing its power button. I worried about the effects of this, but the system seemed to reboot without any sign of damage. I'm using Task Manager even though I've recently read on Sysinternal's Process Explorer page that users can substitute that utility for Task Manager. I was so favorably impressed by Sysinternal's comprehensive list of utilities, and by their thorough Web pages, that I assumed I'd found a "mother lode" of helpful software. This was my first attempt to use a Sysinternals utility, and I never expected this type of problem. Jeff Hook NJ,USA Edited by Jeff Hook - 02 August 2007 at 4:26pm

Thur Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 09 August 2007 Online Status: Offline Posts: 3	Quote Reply Posted: 09 August 2007 at 9:56am
	I am facing exactly the same problem: 1. First instance of procmon.exe hangs. There is no way to terminate the process and windows does not shut down completely. 2. Second started instance of procmon.exe is running just fine. I tried to gather some information on the hanging instance using windgb. I am not an expert on this topic, though: lkd> !process 88b9f020 PROCESS 88b9f020 SessionId: 0 Cid: 0dd4 Peb: 7ffdf000 ParentCid: 0de4 DirBase: 6e1e4000 ObjectTable: e3ea4498 HandleCount: 68. Image: Procmon.exe VadRoot 884415b8 Vads 81 Clone 0 Private 489. Modified 2019. Locked 0. DeviceMap e1a7b318 Token e406d4a8 ElapsedTime 00:14:16.371 UserTime 00:00:00.030 KernelTime 00:00:00.300 QuotaPoolUsage[PagedPool] 39380 QuotaPoolUsage[NonPagedPool] 3400 Working Set Sizes (now,min,max) (1431, 50, 345) (5724KB, 200KB, 1380KB) PeakWorkingSetSize 1432 VirtualSize 808 Mb PeakVirtualSize 808 Mb PageFaultCount 3517 MemoryPriority BACKGROUND BasePriority 8 CommitCharge 808 THREAD 8a3c1b80 Cid 0dd4.03ec Teb: 7ffde000 Win32Thread: e1509008 WAIT: (UserRequest) KernelMode Non-Alertable b4b9a770 NotificationEvent Not impersonating DeviceMap e1a7b318 Owning Process 88b9f020 Image: Procmon.exe Wait Start TickCount 400193 Ticks: 57733 (0:00:09:38.161) Context Switch Count 291 LargeStack UserTime 00:00:00.020 KernelTime 00:00:00.300 Win32 Start Address 0x00130000 Start Address kernel32!BaseProcessStartThunk (0x7c810665) Stack Init b4b9ab30 Current b4b9a6ec Base b4b9b000 Limit b4b94000 Call b4b9ab3c Priority 10 BasePriority 8 PriorityDecrement 2 DecrementCount 16 ChildEBP RetAddr b4b9a704 804dc0f7 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4]) b4b9a710 804dc143 nt!KiSwapThread+0x46 (FPO: [0,0,0]) b4b9a738 805a3126 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) b4b9a7c4 b7f68e07 nt!NtLoadDriver+0x179 (FPO: [Non-Fpo]) WARNING: Stack unwind information not available. Following frames may be wrong. b4b9a888 804de7ec Sandbox+0x13e07 b4b9a888 7c91eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b4b9a894) 004c51f4 00000000 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) lkd> !thread 8a3c1b80 THREAD 8a3c1b80 Cid 0dd4.03ec Teb: 7ffde000 Win32Thread: e1509008 WAIT: (UserRequest) KernelMode Non-Alertable b4b9a770 NotificationEvent Not impersonating DeviceMap e1a7b318 Owning Process 88b9f020 Image: Procmon.exe Wait Start TickCount 400193 Ticks: 26845 (0:00:04:28.836) Context Switch Count 291 LargeStack UserTime 00:00:00.020 KernelTime 00:00:00.300 Win32 Start Address 0x00130000 Start Address kernel32!BaseProcessStartThunk (0x7c810665) Stack Init b4b9ab30 Current b4b9a6ec Base b4b9b000 Limit b4b94000 Call b4b9ab3c Priority 10 BasePriority 8 PriorityDecrement 2 DecrementCount 16 ChildEBP RetAddr Args to Child b4b9a704 804dc0f7 8a3c1bf0 8a3c1b80 804dc143 nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4]) b4b9a710 804dc143 e4243cb2 00000000 e4243c38 nt!KiSwapThread+0x46 (FPO: [0,0,0]) b4b9a738 805a3126 00000000 00000006 00000000 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo]) b4b9a7c4 b7f68e07 0012f380 b4b9a894 0012f368 nt!NtLoadDriver+0x179 (FPO: [Non-Fpo]) WARNING: Stack unwind information not available. Following frames may be wrong. b4b9a888 804de7ec 0012f380 004c51f4 7c91eb94 Sandbox+0x13e07 b4b9a888 7c91eb94 0012f380 004c51f4 7c91eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b4b9a894) 004c51f4 00000000 00000000 00004000 77417918 ntdll!KiFastSystemCallRet (FPO: [0,0,0]) Hope this helps.. Edited by Thur - 09 August 2007 at 10:14am

mastabog Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 16 July 2007 Online Status: Offline Posts: 3	Quote Reply Posted: 09 August 2007 at 4:44pm
	Bug still present in the new v1.21 ... There have one major release v1.2 and one minor v1.21 and this is still ignored. This is a major bug ... really. It's odd that it doesn't get fixed.

Mark Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Admin Group Joined: 04 June 2005 Location: United States Online Status: Offline Posts: 454	Quote Reply Posted: 11 August 2007 at 4:17pm
	What's the "Sandbox" driver you have on your system? Please post crash dump to someplace I can access and I'll take a look. When you're connected with the kernel debugger you can save a dump with the ".dump" command.

controler Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 01 October 2006 Online Status: Offline Posts: 222	Quote Reply Posted: 12 August 2007 at 6:38am
	I am having the same exact problem here. Dell with Nvidia card, Win XP freshly reformated and have KAV's new suit running. Freezes at 27 % here after 91,000 events. Is this a problem if we are running procmon as a user with admin priv's? I just uninstalled KAv and procman works fine now without hanging :-) I installed RKU first to try terminate procman if it hung. I could reinstall KAV and see if the problem returns. controler Edited by controler - 12 August 2007 at 7:01am

Thur Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 09 August 2007 Online Status: Offline Posts: 3	Quote Reply Posted: 12 August 2007 at 1:29pm
	The "sandbox" driver belongs to the Agnitum Outpost Firewall. This one looked suspicious to me as well, so I installed Outpost on a clean Windows XP in a virtual machine and procmon was running just fine there. You can get a trial version here http://www.agnitum.com/products/outpost/download.php. I created a kernel memory dump and uploaded it to rapidshare.com. The archive is password protected and the password is: procmontestdump. You can download it from this link: http://rapidshare.com/files/48600862/MEMORY.rar.

Mark Members Profile Send Private Message Find Members Posts Visit Members Homepage Add to Buddy List Admin Group Joined: 04 June 2005 Location: United States Online Status: Offline Posts: 454	Quote Reply Posted: 12 August 2007 at 4:31pm
	I've taken a look at the dump you've uploaded and can conclusively say that it's not a Process Monitor problem. It's not clear what driver is at fault, though, but the suspects around the hang are: * Sandbox.sys: the Agnitum Outpost Firewall driver * A347bus.sys: the Alcohol driver * Amon.sys: the NOD32 Antivirus driver * rffsd.sys: the NetDrive driver I recommend you disable these one at a time until the hang problem no longer reproduces to narrow in on the one at fault.

Jeff Hook Members Profile Send Private Message Find Members Posts Add to Buddy List Newbie Joined: 01 August 2007 Online Status: Offline Posts: 2	Quote Reply Posted: 12 August 2007 at 4:52pm
	I installed a 30-day trial copy of v. 2.7 of the NOD32 AV "suite" on 7-26-07, before I made my first attempt to run Process Monitor 1.20.0.0 on 7-31-07. This NOD32 text explains the suite's modules: +++++++++++++ AMON – the resident (running in operating memory at all times) or file system monitor. This program is the most crucial antivirus defense tool and should always be enabled. NOD32 – (also referred to as the "on-demand" scanner) this is the scanner executed manually by the user, or automatically by the scheduler. IMON (Internet MONitor) - this scanner provides the first line of defense by monitoring Internet traffic (POP3 protocol for e-mail and HTTP for files downloaded from the Internet via HTTP) DMON (Document MONitor) - this scanner provides protection from macro viruses in MS Office documments, works with applications utilizing MS Antivirus API (e.g. MS Office 2000 and higher, Internet Explorer 5.0 and higher) EMON (Email MONitor) – this scanner provides protection from email-borne viruses for MAPI compatible mail clients +++++++++++++ Jeff Hook NJ, USA