Saturday, July 08, 2006

Hunting Down avgw.exe

I had mentioned in an earlier post that I had recently noticed some "rogue" behavior after booting my pc.

I am usually to be found at work dealing with desktop security issues: malware, spyware, viruses, trojans, pushing for increased information security policies, file encryption policy enforcement, etc. So you can be pretty confident I keep a close eye on all the Valca home systems as well.

What I slowly noticed over the past several weeks was that when I booted and logged into the pc, it would be slow to launch some applications. This behavior was also now occurring on my in-laws' pc. Alvis was getting very frustrated (in the way only a pre-teen can) when we would try to link up via our web-cams.

Typical conversation:

Alvis: It's not working.
Claus: Just be patient.
Alvis: (ten seconds later) It's still not working. Ughhh!
Claus: What's going on?
Alvis: It's not working. The cursor is just flashing with that time-turner thing.
Claus: OK. What about the Internet?
Alvis: Internet isn't working either. I can't open email or the red-panda thing.
Claus: Firefox?
Alvis: Yeah. I'm just going to turn it off. Papa's computer is messed up.
Claus: Try pressing Ctrl-Alt-Del keys. Click the Processes tab and click the column that says CPU so the numbers are listed at the top.
Alvis: It's not working! Oh wait. It just did something. I think it is OK now. Nevermind....

Using your l33t help-desk skills over the phone with your young daughter is only for the stupid or brave. But I did confirm that whatever it was, it was happening on both pcs.

So I began to take a closer look at my system. This is what I knew:

1) The problem didn't always happen, but most often did when I booted the pc in the late afternoon after work.

2) The hard-drive activity light would go bazonkers for about 5-10 minutes. Massive read (and write?) activity was happening.

3) The system would bog down big-time.

4) Eventually it would finish and everything was back to normal.

The first thing I did at boot was to immediately open Windows Task Manager. (I could have also used the much more powerful Process Explorer from Sysinternals.) Like I tried to get Alvis to do, I checked out the processes and sorted the column by CPU rate (greatest to least). Since I knew that whatever the process was, it was impacting the hard-drive, I also opened up FileMon from Sysinternals to see what was accessing the files so much.

It didn't take me very long at all to see with both tools that the process causing all the hoopla was called avgw.exe. It was greedily hogging up both the CPU and the file system access. I had a pretty good idea what it was but a quick Google was needed to confirm.

avgw.exe is a component (AVG Watch) of the AVG anti-virus program's file scanning engine. It isn't a Bad Thing, but what was going on?
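The same triage (rank by CPU, then see who is doing the I/O, then confirm what the binary is) can be scripted. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the function and variable names are illustrative.

```powershell
# Added example: rank processes by CPU and I/O used during a short sample window.
$Seconds = 10   # length of the sample window
$Top     = 5    # how many rows to keep per metric

function Get-ProcSnapshot {
    $snap = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $snap[[int]$p.ProcessId] = [pscustomobject]@{
            Name     = $p.Name
            Path     = $p.ExecutablePath   # empty for some protected processes
            CpuTicks = [double]$p.KernelModeTime + [double]$p.UserModeTime   # 100 ns units
            # Transfer counts cover all I/O (file, network, device), not disk only.
            IoBytes  = [double]$p.ReadTransferCount + [double]$p.WriteTransferCount
        }
    }
    return $snap
}

$before  = Get-ProcSnapshot
$timer   = [System.Diagnostics.Stopwatch]::StartNew()
Start-Sleep -Seconds $Seconds
$after   = Get-ProcSnapshot
$elapsed = $timer.Elapsed.TotalSeconds
$cores   = [Environment]::ProcessorCount

$rows = foreach ($procId in $after.Keys) {
    $a = $after[$procId]; $b = $before[$procId]
    # Skip the idle process, new processes, and PIDs reused by another image.
    if ($procId -eq 0 -or -not $b -or $b.Name -ne $a.Name) { continue }
    [pscustomobject]@{
        Id     = $procId
        Name   = $a.Name
        CpuPct = [math]::Round(($a.CpuTicks - $b.CpuTicks) / 1e7 / $elapsed / $cores * 100, 1)
        IoMBps = [math]::Round(($a.IoBytes - $b.IoBytes) / 1MB / $elapsed, 2)
        Path   = $a.Path
    }
}

# Keep the top consumers by either metric, then add the Authenticode status of each image.
$busiest = @($rows | Sort-Object CpuPct -Descending | Select-Object -First $Top) +
           @($rows | Sort-Object IoMBps -Descending | Select-Object -First $Top) |
           Sort-Object Id -Unique

$busiest | ForEach-Object {
    $status = if ($_.Path) { (Get-AuthenticodeSignature -FilePath $_.Path).Status } else { 'path unavailable' }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $status -PassThru
} | Sort-Object CpuPct -Descending |
    Format-Table Id, Name, CpuPct, IoMBps, Signature, Path -AutoSize
```

Run it in the first minutes after logon, when the slowdown occurs; the Path and Signature columns show where the busy image lives and whether it is signed.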

With a little more digging, I discovered that this program can kick off a scan of your system at the next boot if your pc was off at the normally scheduled virus scan time and the scan was missed.

I went into the AVG Control Center window, clicked on the "Scheduler" item and opened the Scheduled Tasks window. Next I selected the default "Test plan in basic mode" and clicked the "Edit Schedule" button. Finally I UN-SELECTED the check box "If missed, start immediately when computer start-up". Save the changes and click out of the windows. (I also changed the daily system scan time from the morning to late in the afternoon when I am more likely to have the pc up for a while.)

Problem solved. No more crazy hard-drive overload at boot, no more CPU hogging while I am just settling down to my cup of java (beans not code) in the morning. I've also made this change to Pop's pc and it also responded kindly.

So, I can only guess that some fairly recent programming change in one of AVG's program updates made the impact I suddenly started to notice.

For the record, avgw.exe is a good and safe process. You can do the brute-force thing and (temporarily) kill the process if you want--I had experimented with that. But the easiest solution is to just bump your daily scan time to when it is more likely to find your pc already on for a while and then uncheck the option to scan at boot if the regularly scheduled scan time was missed.

Bonus Tip:

If you use Firefox and notice you are having problems loading images from some websites (say www.grandstreamdreams.blogspot.com), but they seem to load fine from Internet Explorer, you aren't going goofy.

In Firefox go to the menu bar and select Tools --> Options.
Then click on the "Content" (globe) icon at the top.
Make sure the "Load Images" checkbox is selected (it will probably be that way).
Then make sure the "for originating website only" checkbox is unchecked.

It seems that Blogger/Blogspot host their blog post images at a different location than the main post content. In some installs of Firefox, this option gets selected, preventing you from seeing those images.

Happy rogue process hunting!
--Claus

8 comments:

Anonymous said...

Thank you for saving me. Every bleedin' morning going in and wondering why avgw.exe was clogging up my cpu and no-one seemed to know how to change it.

Thank You...I have my PC back!!

Anonymous said...

Yes, thank you. My AVG updater on my work laptop was set for 9:11am. What a terrible time to update, invariably I'm in the middle of something whenever it starts! I changed the time to 4am.

Anonymous said...

it's rogue (a bad guy), not rouge (the color red). thanks -- great tip.

Claus said...

That is too funny!

I guess spell check only can take you so far....now fixed...

Thanks for your tip in return!

Anonymous said...

This old post of yours helped me with a returning problem on my laptop.

Thank you

Anja (Denmark)

Unknown said...

Thanks Claus! Have two PCs that were slogging through this process. Fixed!! Have bookmarked your blog.
Thank you.

Leigh

Anonymous said...

Thanks for the tip, found it on google.

Anonymous said...

Thanks a lot, was having the exact same problem! :) Cheers!