dnsrslvr.dll consuming 50% of vista |
csharpdev
Newbie
Joined: 11 December 2008 Online Status: Offline Posts: 7
Posted: 11 December 2008 at 11:01pm
Hi everyone, I've been searching for a solution to this problem and am not getting anywhere. I have a Vista system that boots slowly, and after it finally comes up, I discover that the task manager is showing a network service SVCHOST.DLL consuming 50% of the CPU resources. Upon running procmon, it was isolated to dnsrslvr.dll!Reg_DoRegisterAdapter+0x501. When I kill that process, things return to normal. This machine had VMWARE at one time, and I'm wondering if one of the internal virtual adapters got buggered up when it was uninstalled. Any ideas on how to correct this problem?
Thanks very much,
Chris
molotov
Moderator Group
Joined: 04 October 2006 Online Status: Offline Posts: 17287
Posted: 12 December 2008 at 3:30am
Hi Chris,
Usually for this type of problem, it helps to configure symbols (make sure to follow the instructions) in Process Explorer. Then,
when the problem happens, sort the CPU column in Process Explorer in
descending order - what is the process that is consuming the most CPU?
Once you identify that process, visit its Threads tab in the Process
properties, sort by Cycles Delta (descending) [Vista] or CSwitch Delta
(descending) [XP/2003], and get the full stack of the topmost thread(s).
Daily affirmation:
net helpmsg 4006
csharpdev
Newbie
Joined: 11 December 2008 Online Status: Offline Posts: 7
Posted: 12 December 2008 at 5:12am
This is what I got - it looks like one of the interfaces doesn't exist, but I don't know what to do about it. There seems to be an interface with a GUID of 0751f0d9-4f38-4fcb-8ea8-2e05f05fc711 in the registry, but it doesn't exist. The problem is still there if I set the registry value on the Enabled property to 0.
ntkrnlpa.exe!KeWaitForMultipleObjects+0xab7
ntkrnlpa.exe!KeWaitForSingleObject+0x492
ntkrnlpa.exe!PsGetCurrentThreadTeb+0x377
ntkrnlpa.exe!KiCheckForKernelApcDelivery+0x24
ntkrnlpa.exe!MmUnsecureVirtualMemory+0x1346
ntkrnlpa.exe!NtSetInformationThread+0x3331
ntkrnlpa.exe!ZwQueryLicenseValue+0xbd2
ntdll.dll!KiFastSystemCallRet
ADVAPI32.dll!RegQueryValueExW+0x97
DNSAPI.dll!DnsQuery_W+0x2f4
DNSAPI.dll!Reg_GetValueEx+0xac
dnsrslvr.dll+0x5a51
dnsrslvr.dll!Reg_DoRegisterAdapter+0xb55
dnsrslvr.dll!Reg_DoRegisterAdapter+0xa3e
dnsrslvr.dll!Reg_DoRegisterAdapter+0x633
dnsrslvr.dll!Reg_DoRegisterAdapter+0x564
kernel32.dll!BaseThreadInitThunk+0x12
ntdll.dll!RtlInitializeExceptionChain+0x63
ntdll.dll!RtlInitializeExceptionChain+0x36
molotov
Moderator Group
Joined: 04 October 2006 Online Status: Offline Posts: 17287
Posted: 12 December 2008 at 5:23pm
The symbols don't seem to be resolving properly. What does the Configure Symbols dialog look like?
Daily affirmation:
net helpmsg 4006
csharpdev
Newbie
Joined: 11 December 2008 Online Status: Offline Posts: 7
Posted: 12 December 2008 at 5:42pm
C:\Windows\System32\dbghelp.dll and I confirmed the file is there.
The symbols path is srv*C:\Symbols*http://msdl.microsoft.com/download/symbols
That one is probably wrong. (I just fixed the help file security)
I'll take another look and repost -
(Yes, the symbols were not being downloaded. )
molotov
Moderator Group
Joined: 04 October 2006 Online Status: Offline Posts: 17287
Posted: 12 December 2008 at 5:44pm
You need to download the Debugging Tools for Windows and point Process Explorer to the dbghelp.dll that comes with them, as described in the referenced post.
The symbols path is configured correctly.
Daily affirmation:
net helpmsg 4006
csharpdev
Newbie
Joined: 11 December 2008 Online Status: Offline Posts: 7
Posted: 14 December 2008 at 5:34am
OK, here is the stack listing
ntkrnlpa.exe!KiSwapContextCqw_õLqj+0x26
ntkrnlpa.exe!KiSwapThreadtCqw_õLqj+0x44f
ntkrnlpa.exe!KeWaitForSingleObject+0x492
ntkrnlpa.exe!KiSuspendThreadObject+0x18
ntkrnlpa.exe!KiDeliverApceadObject+0x138
hal.dll!HalpDispatchSoftwareInterruptÐ0++0x49
hal.dll!HalpCheckForSoftwareInterruptÐ0++0x64
hal.dll!HalEndSystemInterruptnterruptÐ0++0x73
hal.dll!HalpIpiHandlerterruptnterruptÐ0++0x189
ntdll.dll!KiFastSystemCallRetptnterruptÐ0+
ntdll.dll!ZwEnumerateKeyllRetptnterruptÐ0++0xc
ADVAPI32.dll!LocalBaseRegEnumKeyptnterruptÐ0++0xe3
ADVAPI32.dll!RegEnumKeyExWnumKeyptnterruptÐ0++0xb9
dnsrslvr.dll!areg_ReadAllEntriesFromRegistry++0x6e
dnsrslvr.dll!Areg_CleanupStaleAdaptersgistry++0x2b
dnsrslvr.dll!Reg_DoRegistrationdaptersgistry++0x5d
dnsrslvr.dll!Ip_NotifyThreadiondaptersgistry++0x77
kernel32.dll!BaseThreadInitThunkaptersgistry++0xe
ntdll.dll!__RtlUserThreadStartptersgistry++0x23
ntdll.dll!_RtlUserThreadStarttptersgistry++0x1b
molotov
Moderator Group
Joined: 04 October 2006 Online Status: Offline Posts: 17287
Posted: 14 December 2008 at 3:19pm
(Side note: Process Explorer 11.31 has a workaround for the extra characters that show up in the stack frames.)
The stack indicates a registry operation (which might indicate excessive registry activity). Identify the Thread ID (TID) in Process Explorer, and then run Process Monitor (configure symbols the same way you did with Process Explorer). Set the filter to TID is <previously noted TID> then Include, and note the registry activity associated with that thread.
Daily affirmation:
net helpmsg 4006
csharpdev
Newbie
Joined: 11 December 2008 Online Status: Offline Posts: 7
Posted: 15 December 2008 at 12:26am
You are correct! - repeat the following entries a few million times...
4:18:56.9401163 PM svchost.exe 1472 RegEnumKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters SUCCESS Index: 0, Name: {0751F0D9-4F38-4FCB-8EA8-2E05F05FC711}
4:18:56.9401281 PM svchost.exe 1472 RegOpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711} SUCCESS Desired Access: Read
4:18:56.9401436 PM svchost.exe 1472 RegOpenKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711} SUCCESS Desired Access: Read
4:18:56.9401592 PM svchost.exe 1472 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711}\StaleAdapter SUCCESS Type: REG_DWORD, Length: 4, Data: 0
4:18:56.9401712 PM svchost.exe 1472 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711}\StaleAdapter SUCCESS Type: REG_DWORD, Length: 4, Data: 0
4:18:56.9401834 PM svchost.exe 1472 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711}\RegisteredSinceBoot SUCCESS Type: REG_DWORD, Length: 4, Data: 0
4:18:56.9401952 PM svchost.exe 1472 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711}\RegisteredSinceBoot SUCCESS Type: REG_DWORD, Length: 4, Data: 0
4:18:56.9402073 PM svchost.exe 1472 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711}\Flags NAME NOT FOUND Length: 144
4:18:56.9402192 PM svchost.exe 1472 RegCloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711} SUCCESS
4:18:56.9402307 PM svchost.exe 1472 RegCloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711} SUCCESS
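A Process Monitor text trace like the one posted above can be checked mechanically for a tight registry loop. This Python code is an added example, not part of the thread and not Sysinternals code: it parses lines in the column layout shown in the post, finds the shortest repeating cycle of registry operations per process, and reports the event rate. Assumptions: the third column is the PID, the trace has already been filtered to the busy thread as advised earlier in the thread (interleaved events from other threads would break the exact-repeat test), the sample trace is constructed by repeating the posted cycle, and the function names and thresholds are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample data: one pass of the loop as posted, as (operation, path, result).
ROOT = r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters"
SUB = ROOT + r"\{0751F0D9-4F38-4FCB-8EA8-2E05F05FC711}"
CYCLE = ([("RegEnumKey", ROOT, "SUCCESS")] + [("RegOpenKey", SUB, "SUCCESS")] * 2
         + [("RegQueryValue", SUB + r"\StaleAdapter", "SUCCESS")] * 2
         + [("RegQueryValue", SUB + r"\RegisteredSinceBoot", "SUCCESS")] * 2
         + [("RegQueryValue", SUB + r"\Flags", "NAME NOT FOUND")] + [("RegCloseKey", SUB, "SUCCESS")] * 2)

def constructed_trace(loops=100, step_us=12):
    """Constructed trace: CYCLE repeated `loops` times, events about 12 us apart as in the post."""
    stamps = (940116 + n * step_us for n in range(loops * len(CYCLE)))
    return "\n".join("4:18:%02d.%06d0 PM svchost.exe 1472 %s %s %s"
                     % ((56 + us // 10**6, us % 10**6) + CYCLE[n % len(CYCLE)])
                     for n, us in enumerate(stamps))

# Column layout assumed from the post: time, process, PID, operation, path, result, detail.
LINE = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2}\.\d+) ([AP]M)\s+\S+\s+(\d+)\s+(Reg\w+)\s+(.+?)\s+"
                  r"(SUCCESS|NAME NOT FOUND|NO MORE ENTRIES)\b")
def parse(trace):
    """Return [(seconds_since_midnight, pid, (operation, path, result)), ...]."""
    events = []
    for m in filter(None, (LINE.match(l.strip()) for l in trace.splitlines())):
        h, mi, s, ampm, pid, op, path, result = m.groups()
        secs = (int(h) % 12 + (12 if ampm == "PM" else 0)) * 3600 + int(mi) * 60 + float(s)
        events.append((secs, int(pid), (op, path, result)))
    return events

def shortest_cycle(seq):
    """Smallest p with seq[i] == seq[i + p] for all i; None if no p <= len(seq) // 2 fits."""
    for p in range(1, len(seq) // 2 + 1):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return None

def hot_loops(trace, min_repeats=50, min_rate=10_000):
    """Map PID -> loop summary for PIDs that repeat one short cycle at a high event rate."""
    by_pid, report = defaultdict(list), {}
    for secs, pid, sig in parse(trace):
        by_pid[pid].append((secs, sig))
    for pid, events in by_pid.items():
        sigs = [sig for _, sig in events]
        n, period, elapsed = len(sigs), shortest_cycle(sigs), events[-1][0] - events[0][0]
        if period and elapsed > 0 and n // period >= min_repeats and n / elapsed >= min_rate:
            report[pid] = {"period": period, "repeats": n // period, "events_per_sec": round(n / elapsed),
                           "root_key": min((p for _, p, _ in sigs[:period]), key=len)}
    return report
```

On the constructed trace, `hot_loops(constructed_trace())` reports a 10-event cycle rooted at the `DNSRegisteredAdapters` key for PID 1472.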
molotov
Moderator Group
Joined: 04 October 2006 Online Status: Offline Posts: 17287
Posted: 15 December 2008 at 4:29am
If you search the registry for 0751F0D9-4F38-4FCB-8EA8-2E05F05FC711, where else does it turn up? In one of the numbers under [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards], what is the data of the Description value, where the ServiceName data matches the GUID 0751F0D9-4F38-4FCB-8EA8-2E05F05FC711?
How many other GUIDs appear as subkeys of [HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters]?
Daily affirmation:
net helpmsg 4006