So Dad calls me up last weekend because his home pc is freezing up after boot.
Symptoms: Once he logs onto his desktop it seems ok, he is able to launch a program or two. He goes to check his email or browse the web and ----bammo! The Great XP Freeze. Pressing Ctrl-Alt-Del is unresponsive. Finally after what could be many minutes of waiting the system is flooded with pop-up Task-Manager windows matching the number of times he has tried the Microsoft Three-Finger Tango. Internet is good again and mail comes flowing.
Hmmmm. I'm on the phone with Dad. I could set up a TightVNC remote session, but I'm not sure how well that would run on his chilly system.
Troubleshooting begins:
1) He mentioned a new update of ZoneAlarm got installed recently. Firewall problem? Could be. Since he doesn't run a hardware based router/firewall and is on cable modem, I have him disconnect his CAT-V cable. ZA gets uninstalled.
2) He is also running a Nortons Security A/V "suite" product. OK. I've had trouble with those. Uninstall that pile of programming also. Reboot.
3) System comes up quick and fine. Once on his desktop he is able to open programs with no sign of the dreaded XP Freeze. Great!
4) Before we drop him back on the Net, let's get Windows XP built-in firewall enabled. I lead him through the steps. We find it and eventually get it activated. Great! Reboot.
5) Hook the pc back to the Net.
6) Boots up and gets to the desktop....bammo! Lockup! The Microsoft Three-Finger Tango fails to get Task Manager launching. Hmmmm. Malware?
-At this point we are approaching the point where more advanced troubleshooting will need to kick in. I suggest Dad brings the box down here to me on his weekly drive-in to Houston for his consulting job. Plans are made.
(Few days later)
7) I fire up the box on our dining-room table and set to work, Dad watching and taking notes. Class is in session. XP boots and runs great. Dad is shaking his head. I really need to replicate the freezing behavior! The box isn't cooperating. (I think it knows a techie is in front of it. I swear they can sense our presence!) It's still off the Net for now.
8) First thing I do is to drop in my utility-tools CD and fire off HijackThis. I find a number of old "auto-run" references and some "quick-launch" references we don't need. I clean all those out, but no signs of malware. Lots of dead startup links for Symantec left by the Nortons uninstall. Thanks guys... I confirm the HijackThis findings with Sysinternals' AutoRuns. Yep. Looks clean now.
10) Check the Add/Remove Program List. Even though Norton's was uninstalled, there are four Norton's-related items still hanging on in there. Uninstalls fail since the product is gone. I'll come back later to strip them out of the registry manually. I find Microsoft Anti-Spyware Beta (expired) is still on the system. That gets removed.
11) Reboot. XP still humming along well. Well.....a quick check with Sysinternals' Process Explorer doesn't show any unusual Processes or threads.
12) I check his system properties. Yep XP SP2, 512MB RAM, 800ishMHz processor. (OEM HP system build.) The processor speed is pretty low (in my humble opinion) for running XP, but RAM is OK and it is working. With Process Explorer still going I launch various programs and watch the cpu load shoot up on some processes but then drop down once the application is going. Looks like the processor is having a bit of a challenge keeping up. Could be bad memory, but I doubt it since this pc hasn't had any BSOD events. I tell Dad he should consider upgrading to a better processor but it isn't critical just yet as all they do on the box is some word-processing, light picture cropping and email/Net surfing.
13) OK. Well, let's hook it to the Net and get a new firewall and A/V solution loaded that will be more kind on his processor than ZA and Nortons.
14) Reboot and hook to the net behind my firewall/router. Once on the desktop....BAMMMO!!!! TOTAL SYSTEM LOCKUP!!!!
15) I'm actually very excited to see this! I've got the problem replicated now! No Net = good pc. Net = bad pc. Now I've got a target to focus on.
16) The Three-Finger Tango fails. So I reboot in safe-mode, system is fine...and add Process Manager to the Startup Group. Hopefully this will launch it prior to the lock-up stalling so I can see what bad-boy is causing it. Whatever it is, it is clear to me that Something is getting to the net and either hogging up all the bandwidth from the pc or is executing a process that the lowly cpu cannot keep up with.
17) Once rebooted the system comes back and Process Explorer comes to life. Fantastic! I'm watching the cpu process loads and.....wait for it.....YES! Got it! Well how about 'dat. The G-man set the trap, waited on stake-out, and collared the kriminal!
Let's pause a moment in this "thrilling bat-tastic blog-drama" and sort out what we learned so far. Dad's pc has sufficient RAM, an overtaxed processor (it was upgraded from WindowsME to XP) and bit the dirt when it was connected to the Net. No malware on the system. Through careful troubleshooting, we can now explain the lockup event. When connected to the Net, XP (having Automatic Update check enabled) goes on-line immediately and searches for availability of any updates to download. Unfortunately, the wuauclt.exe process takes priority over the system and runs the cpu cycles up to 90+%. Bad. Nothing else works until it completes its check (however long that takes--usually a LONG time as of late) then closes the process and sufficient cpu resources become available for the system (and Dad) again. All the things Dad tried to launch are released from the buffer and flood the desktop. Nice.
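Added example (not part of the original post): the same diagnosis done from a log instead of by watching Process Explorer, which helps when the desktop is too frozen to watch anything. It assumes per-process `% Processor Time` counters were logged to CSV in the layout `typeperf` writes; the host name DADPC, the sample rows and the function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample: 1-second samples, one column per process instance.
# "Idle" and "_Total" are pseudo-instances and must not be treated as hogs.
SAMPLE = r'''"(PDH-CSV 4.0)","\\DADPC\Process(Idle)\% Processor Time","\\DADPC\Process(explorer)\% Processor Time","\\DADPC\Process(wuauclt)\% Processor Time","\\DADPC\Process(_Total)\% Processor Time"
"01/01/2006 09:00:01.000","6.0","91.0","0.0","100.0"
"01/01/2006 09:00:02.000","5.0","2.0","92.5","100.0"
"01/01/2006 09:00:03.000","3.0","1.5","95.0","100.0"
"01/01/2006 09:00:04.000","2.0"," ","97.0","100.0"
"01/01/2006 09:00:05.000","4.0","1.0","94.0","100.0"
"01/01/2006 09:00:06.000","97.0","2.0","1.0","100.0"
'''

INSTANCE = re.compile(r"\\Process\((?P<name>[^)]+)\)\\% Processor Time$")
IGNORED = {"Idle", "_Total"}


def longest_runs(csv_text, threshold=90.0):
    """Return {process: longest run of consecutive samples >= threshold}."""
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    names = {}
    for col, label in enumerate(header):
        match = INSTANCE.search(label)
        if match and match.group("name") not in IGNORED:
            names[col] = match.group("name")
    best = dict.fromkeys(names.values(), 0)
    current = dict.fromkeys(names.values(), 0)
    for row in rows:
        for col, name in names.items():
            try:
                value = float(row[col])
            except (ValueError, IndexError):
                value = 0.0  # blank or missing cell: no reading for this sample
            current[name] = current[name] + 1 if value >= threshold else 0
            best[name] = max(best[name], current[name])
    return best


def sustained_hogs(csv_text, threshold=90.0, min_samples=3):
    """Keep only processes pinned at/above threshold for min_samples in a row."""
    runs = longest_runs(csv_text, threshold)
    return {name: run for name, run in runs.items() if run >= min_samples}


if __name__ == "__main__":
    print(sustained_hogs(SAMPLE))
```

Requiring several consecutive samples separates a process that holds the cpu, like wuauclt.exe here, from the brief launch spikes seen earlier in step 12.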
19) Time to fix. Well. That's being generous. It would be more accurate to say--time to "work around" the issue. The (user-side) "fix" would probably be a beefier processor (more on that later...).
20) I go into Control Panel and completely disable the Windows Automatic Updates feature. This will prevent the wuauclt.exe from launching at startup and hogging the processor. XP hates this and tells me about it in no uncertain terms. It places a scary red shield in the system tray and provides balloon text warning about the serious consequences of that decision. Great. 'Preciate that, Microsoft.
21) After a minute of Googling, I locate a page that reminds me how to disable the "Security Alert Icon" notification feature. Gone!
22) I place a shortcut to Windows Update web-page on the desktop and advise Dad to manually check for critical updates the weekend after the 1st Tuesday of each month.
23) I download (via my handy PC First-Aid Kit blog link) and install Sunbelt Software's Kerio Firewall. Dad wants the "simple" installation option that enables inbound firewall protection only. He is too overwhelmed with deciphering the outbound firewall prompt messages and is afraid he might block something important (which has occurred). I agree. Inbound blocking only. Done.
24) I download and install AVG-Free anti-virus. I give a quick tour and configure it to automatically download and install the updates and run a scan in the late afternoon. AVG cooperates nicely with Kerio and picks up his Outlook email client and plugs right into it with no additional configurations needed.
25) Reboot. The final test.
26) Armed with Process Explorer we watch as the system hits the desktop and the process thread cycles look normal. AVG and Kerio are running lightly on the system and no lockup and no wuauclt.exe launching. Mischief Managed!
27) Just for kicks I fire up IE 6 and we run the Web-based Windows Updates. BAMMO! there goes the lockup and the process load is at 90% again. I explain to Dad that based on the cpu loads I'm watching, it looks like it is working, just VERY slowly. I advise him to just start the Updates, and then walk away from the pc for a while (like before he goes jogging). When he comes back it (hopefully) will have finished up.
I didn't install the latest Windows Defender Beta version, as I didn't want to add any additional processing demands on his taxed system.
Dad is happy. The system is breathing new life and all is well. Another modern-day father-son bonding moment. Instead of working under the hood of the MG-TD (kit-car) convertible we built together (Classic Roadsters, LTD. - the Duchess model) way-back when, now it is over a keyboard and system software. Ahhh. Nothing like the hum of a hard-drive and cooling fan to set the bonding mood.....unfortunately, no beer was consumed in the process...maybe why I was able to figure it out this time....
I'd never noticed any problems myself. I have Automatic Updates set on my machines to auto download and notify (but not install so I can check them first). So this morning, I ran a "custom" Web-based Windows Update scan on my own pc: 2.0GHz AMD processor, 1GB RAM. I fired up Process Explorer before I began and watched. Sure enough, the wuauclt.exe process peaked around 74ish% of my cpu cycles. Wow. But because of the beefy processor, it just peaked and dropped up and down very quickly until it was done. So I had the system headroom to not notice any lockups or anything.
Open Questions that remain for Microsoft (or anyone else who knows...):
1) Why does wuauclt.exe need to claim that many cpu cycles to do its job? Is it that intensive a process to check for updates on the Web and compare that to the locally cached catalog? Or is the code just poorly written?
2) Why does it take (what seems like) FOREVER for the query to Microsoft's update servers to return a response? Are they being hammered? Do they have enough? Is it a bandwidth issue in Redmond?
3) I'm quite OK with it taking a while to download the updates to the system, but it just doesn't seem to me to require that long a delay in displaying the list of needed system updates. This happens on our Win98 (yes, I know...) systems, Windows 2000 SP4 systems, and XP (Pro/Home) systems. Can't this be more efficient?
4) A google search on this subject suggests that many others are having similar issues and Microsoft is aware of this "issue."
Others who are having (unrelated but interesting) Windows Freezing issues....
System freezing up? Check your hardware - Ed Bott's Windows Expertise
Tech Support With Thomas Hawk -- Thomas Hawk's Digital Connection
The Case of the Process Startup Delays - Mark Russinovich's TechNet Blog (formerly of Sysinternals)
Note to self: Damn. I SOOOO wish I could have Mark's l33t troubleshooting skills! I've GOT to buy his books. He's taught me so much!
See you in the skies, and happy Microsoft defrosting....