explorer.EXE intercept? I/O other always increasing

[James007Long]

Yes its most likely a driver. I already tried disabling all the services.
i'm looking at the drivers.

James.

[James007Long]

these were disabled with no effect on i/o other inceasing:

akbus,akpcsc,smusic,dmkaud,ipnat,kmixer,maestro,ol camudp,
parpart,pfc,redbook,serial,aec,audstub,cdrom,cmbat t,compbatt,
fdc,flpydisk,irda,mskssrv,nwlnkflt,nwlnkfwd,ptilin k,raspti,
mspclock,mspqm,rasirda,smcirda,splitter,swmidi, (sysaudio.

where its not:
battery, dvd/cd, floppy, ir devices/port, parallell/direct parallel,
audio card and probly serial.

narrowing down whats left I'm looking at networking protocols.

Добавлено через 7 часов 47 минут

Hi,
Would like to a try a rescan,
Where do I find the latest version AVZ english?

tkx
James

btw used msconfig to bring up windows minimum with network,
and problem still there. as soon as networking is involved the problem
is apparrent. not surprising as what makes i/o other stop increasing is to
disconnect the network connection.

Добавлено через 12 минут

I've prevented dhcp from loading in services. assigned static ip and dns.
regmon show this for explorer.exe:

the f242xxxx is my nic.


78.83390808 explorer.exe:1652 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\B ind SUCCESS "\Device\{F24256B3-E315-466B-AED3-3228EE8BA90F}"
78.83427429 explorer.exe:1652 OpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F} SUCCESS Access: 0x20019
78.83430481 explorer.exe:1652 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F}\EnableDHCP SUCCESS 0x0
78.83433533 explorer.exe:1652 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F}\DhcpServer SUCCESS "255.255.255.255"
78.83436584 explorer.exe:1652 QueryValue HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F}\DhcpServer SUCCESS "255.255.255.255"
78.83439636 explorer.exe:1652 CloseKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Param eters\Interfaces\{F24256B3-E315-466B-AED3-3228EE8BA90F} SUCCESS
79.83440399 explorer.exe:1652 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\B ind BUFFER OVERFLOW
79.83443451 explorer.exe:1652 QueryValue HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage\B ind BUFFER OVERFLOW

its ALWAYS here! why? is that normal?

1. why is it STILL looking for a DHCP server?
2. what are the OVERFLOW's about in Linkage?


tks
James

[XP user]

1. why is it STILL looking for a DHCP server?

I haven't got the faintest idea - I'm actually a bit crazy (), so in my system, (except for 45 other useless Windows services), I completely removed the DHCP Client service - still the OS is looking for something in that direction.

2. what are the OVERFLOW's about in Linkage?

The same answer, I'm sorry. I can't provide you with any sensible answer. This is only known to Microsoft...

Paul

[James007Long]

using procexp.exe from systinternals, I got properties on the the explorer.exe threads and was able to suspend/allow them.

when I suspend these, the problem goes away!


1. stobject.dll!DLLCANUNLOADNOW + 0x1f55

presumably this had to do with tweakmanager causing windows
to unloading unused dlls,
I dont know, and could use help with it.

I had made that setting
in tweakmanager then later thought better of it. problem was tm
left the key there, and deleted the value. sometimes windows
procedes on the presence of a key alone. so I deleted the key
as well.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\
Explorer\AlwaysUnloadDLL

ok this thread has 3 sometimes 4 threads but I pause the one with
the most context switches and my problem goes away.

2. SHLWAPI.DLL ordinal505+0x37a
not sure what this is could use some help, but guesing the ldap
protocol implementation is hiding in here, which means ldap
is snarfing my registry like crazy.

can anyone tell me what these are?
thanks
James

[XP user]

Hi, James!

The library file stobject.dll, is required by Windows and is used to provide functionality to the System Tray. Windows cannot operate without stobject.dll. I wouldn't touch it if I were you.

shlwapi.dll is a library which contains functions for UNC and URL paths, registry entries, and color settings. I would leave that alone as well.

The AlwaysUnloadDLL registry key: Windows Explorer caches DLLs (Dynamic-Link Libraries) in memory for a period of time after the application using them has been closed. This can be an inefficient use of memory on low memory systems, and may cause problems or delays for programmers developing with Windows DLL files. Set the default value to equal '1' to disable Windows caching the DLL in memory. Actually this is really only useful in older systems (Win98 for example).

Paul

[James007Long]

shlwapi.dll is a library which contains functions for UNC and URL paths, registry entries, and color settings. I would leave that alone as well.

no, i dont plan on deleting dll files, just finding a cause/fix.

casting aside stobject for the moment.....

"registry entries" in shlwapi.dll? you say? hmmmmmmmmmmmmmmm
really wierd..if i suspend that thread, the problem goes away.

i/o other ceases to increase while sitting idle.

I wonder if anyone knows what function/code is at the entry point
SHLWAPI.DLL ordinal505+0x37a ?

just an overview of that section would be great.

is there a reason why
pausing this thread should stop i/o other from increasing?


thanks
James


Thanks James

[XP user]

I wonder if anyone knows what function/code is at the entry point
SHLWAPI.DLL ordinal505+0x37a ?

There is quite some info about this entry in Google. Most of the topics are about explorer crashing, and after that only the ordinal505+0x37a is left. Seems to have something to do with desktop and folder context menus.

Paul

[James007Long]

Thanks, Paul.

working on network monitor under XP, I want to see what all the traffic is about.

and, I disabled the following wan miniports:
IP,L2TP,PPOE,PPTP and nothing changed, i.e. i/o other still increases.

These *may* have come from questionable sources via bittorrent
anyone ever had any problems with these?
winrar 3.51 corporate edition no key necessary registered to darketernal
isobuster 1.6.0.19
nero 7


ok got netmon running under xp. I dont see i/o that would be
commensurate with i/o othe bytes, and dont see anything else.

how strange is it that if I disconnect the connection it stops?

even tried this on a hardwired client, with the cable connected to
a hub and with no conection to the intrnet, i/o other increases
at a constant rate while idle. unplug the cable from the hub
and i/o other stops dead while idle.

what protocol does that? not tcp/ip.

[XP user]

@ James007Long

I have no immediate answer to your questions. I must say I'm puzzled by the explorer DHCP queries all the time, especially since my machine doesn't need it and the service itself no longer exists. So I dug up an 'old' sysinternals tool for you that will show you that explorer.exe is doing something all the time - TDImon. Explorer.exe must be communicating with any of these:
* afd.sys
* tcpip.sys
* netbt.sys

It's probably worth checking the difference between Net 'On' and Net 'Off'. Unfortunately, since Microsoft's takeover of sysinternals, they don't release this wonderful tool anymore. I wouldn't be surprised if Microsoft had a compelling reason not to support its development any longer.
Here it is for you [see attachment].

So, what we have deduced so far:
* it must be something that communicates through or with a driver
* it must be something that has an explorer extension (most likely a context menu application handler)
* it must be something that uses your network somehow

Here's a tiny fragment from the TDIMon's log entries:

Код:

8:46:56	explorer.exe:106	829182C8	IRP_MJ_DEVICE_CONTROL	TCP:<none>		SUCCESS	IOCTL_TCP_QUERY_INFORMATION_EX	
8:46:56	explorer.exe:106	8293B900	IRP_MJ_DEVICE_CONTROL	TCP:<none>		SUCCESS	IOCTL_TCP_QUERY_INFORMATION_EX

which lead me to this:
http://www.osronline.com/ddkx/kmarch/k113_0hiq.htm
http://msdn2.microsoft.com/en-us/library/ms796116.aspx
This may very well contain the answer you're looking for...

Paul

[James007Long]

All my boxes do it now. it wasn't this way. kinda like remembering when there wasnt a deposit on bottles. anyway, I give up.

Thanks for all your help Paul, and everyone on the forum.

James