2007-01-28

Troubleshooting Performance Issues with Automatic Updates

...or,
How to Isolate A Shared Service Hosted by SVCHOST.EXE

There are a number of articles in the Microsoft Knowledge Base about performance issues with Windows Update / Microsoft Update, as well as other problems related to the scanning mechanisms used by automatic-type update services. There are some fixes, and fixes for some fixes, but no "ultimate" solution. Stepping back a bit, how can you even determine if Automatic Updates is causing performance issues on your system?

The Automatic Updates service is not a stand-alone process, so it is not sufficient to simply look for which process is consuming the most CPU time or the most memory. Rather, Automatic Updates is integrated into the "netsvcs" SVCHOST service hosting instance. On the systems that I have examined, this instance hosts over 20 services - 25 services on the system I am using to write this. How can you see what services are running inside of a process? One way is to use "tasklist /svc", and examine the "Services" column. Another way is to use Process Explorer - simply hover the mouse pointer over a process and any services that are contained in the process are listed in a tooltip. Or, view the Process' "Properties" page and examine the "Services" tab for more details.

This sharing of services in one process isn't a bad thing - Windows has been doing this for some time. There are times when it makes sense, and times when it doesn't. Basically, processes are expensive and the more you have the more resources they consume. If you are able to share services in the address space of a process, you are conserving resources. But if the services have different security needs, for example, then you should probably split them into two separate processes to "isolate" the functionality that requires greater privileges.

Back to the task at hand... The fact that services can share a process is nice, but this really gets in the way of troubleshooting a service you suspect may be causing problems. So it can be useful to extract a shared service and make it run in its own process. With services hosted by SVCHOST, the configuration is controlled in the registry. Microsoft doesn't publicly document the interfaces for SVCHOST.EXE as it doesn't want people writing services and making them run in the same address space of processes that host Windows built-in services - if the service is poorly written it can cause SVCHOST.EXE to crash, and subsequently kill all of the other services running in that instance of SVCHOST.EXE. That doesn't mean you can't manipulate the built-in Windows services to use a configuration you desire, though...

The SVCHOST services are controlled by registry settings in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]. (Standard warnings about editing the registry apply.) Each REG_MULTI_SZ in this key represents a SVCHOST group containing a list of one or more services to run in an instance of SVCHOST.EXE. So if one wishes to isolate the Automatic Updates service, one needs to find which group it is in. The "name" of the Automatic Updates service is "wuauserv" - Windows Update Automatic Updates service. This service resides in the "netsvcs" group. So, since the desire is to create a new SVCHOST instance to run the service in, remove wuauserv from the list in the netsvcs value. Then, create a new REG_MULTI_SZ value and give it an appropriate name, such as AutomaticUpdates. Add wuauserv to this value.

Next, navigate to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\wuauserv] and change the ImagePath (which specifies the program and arguments the Service Control Manager is to use to invoke the service) from:
%systemroot%\system32\svchost.exe -k netsvcs
to:
%systemroot%\system32\svchost.exe -k AutomaticUpdates

That's it. Stop and restart the Automatic Updates service (net stop wuauserv / net start wuauserv) and you should see a new instance of SVCHOST.EXE that contains only the Automatic Updates service. Now you can monitor the performance of this process, drop its priority (Task Manager or Process Explorer), etc.

The same technique can be applied to isolate other SVCHOST hosted services as well. However, some caution and investigation should be applied on a case-by-case basis- it should be noted that some services may have some dependence on residing in the same address space as another service. This may or may not be intentional; if intentional I suspect that it probably has to have some relation to performance. If not intentional, it is likely a bug.

»

2007-01-24

Vista Features You'll Never See

A quick one this week...

Ran into an interesting posting at shell: revealed about features of Longhorn that didn't make the cut. The post paints the picture that after the Longhorn reset (described here), a lot of features were yanked, and then goes on to describe some rather humorous things that just make you think... "What if?"

»

2007-01-18

Fix Available for Performance Problems with Internet Explorer 7's Phishing Filter

I don't know how I missed it (well, I suspect it's related to quirks in the method(s) in which Microsoft makes notifications of new KB articles available), but it seems that Microsoft has released an update to Internet Explorer 7 to address the performance issues with the Phishing Filter that I had previously (here and here) encountered.

The KB article (The computer may respond very slowly as the Phishing Filter evaluates Web page contents in Internet Explorer 7) is dated December 12, 2006, and contains links to download pages for various versions of Windows that Internet Explorer 7 can run on. Your copy of Windows has to pass the Windows Genuine Advantage (WGA) check before Microsoft will allow you to download the fix. Once downloaded, installation is straightforward; depending on what programs you have open at the time, you may be required to reboot after the installation finishes.

It is interesting to note that the Cause section (below) explains exactly the conditions I was operating in, and the behavior I observed.


CAUSE

This problem occurs when one or more of the following conditions are true:
• The Web page contains many frames.
• You browse many frames in a short time.
Internet Explorer 7 evaluates the whole Web page when you browse a frame. Therefore, CPU usage may be very high.



Additionally, the workaround (at the bottom of the article) is to disable the Phishing Filter on the "Advanced" tab of the "Internet Options".

Prior to installing the update, I set the Phishing Filter to "Turn off automatic website checking" ("Advanced" tab of "Internet Options") and made sure it was "Enabled" for the Internet Explorer Security Zone I was working in. I then verified that I was able to recreate the behavior I witnessed in The Case of the Sluggish Internet Explorer 7.

I installed the update and needed to reboot (I forgot I had SharpReader open, and it had loaded MSHTML.DLL). Upon reboot I attempted to cause the CPU to spike by doing precisely the things that had caused the problem in the past. I didn't have any luck in doing so. In fact, none of the threads in the iexplore.exe process were consuming an inordinate amount of CPU. It would appear that the fix involved, to some extent at least, changing the technique Internet Explorer uses to queue up requests to have something evaluated by the Phishing Filter (previously, I had hypothesized that Internet Explorer 7 was using the ThreadPool API and was creating a new thread for each request). Based on my explorations so far, the fix takes care of the problem. Kudos to Microsoft for recognizing the problem and taking appropriate steps to address it.

The fix updates 2 Windows / Internet Explorer program files in %windir%\system32 - ieapfltr.dll (the "Microsoft Phishing Filter") and mshtml.dll (the "Microsoft (R) HTML Viewer"). I didn't take the time to save off copies of the previous versions of these DLLs to try to compare differences (perhaps an exercise for another day). However, the new MSHTML.DLL has a date of 2006-11-09, and the new IEAPFLTR.DLL has a date of 2006-11-08. Internet Explorer 7.0 was released on 2006-10-18. So it appears that Microsoft knew of problems with the Phishing Filter performance prior to launch; obviously this wasn't a showstopper issue. It also would appear to have taken just over 1 month for the fix to make its way through the testing / release process. I guess that's not too bad, considering that some high-priority / critical security updates take at least that long. On the other hand, this is a new feature so it didn't have the legacy behind it that some of the security updates have to contend with. I guess I should just be happy to have a fix... ;)

»

2007-01-17

Unspecified Potential Security Risk!

Oh, my. Two weeks in a row with ambiguous security-related messages from a web browser.

This week, we have the following:


Internet Explorer

This page has an unspecified potential security risk.
Would you like to continue?

If it wasn't for the fact that I wasn't browsing the web - I was trying to open a ZIP file on a network share - I probably would have said "No". But since I really needed to get into the ZIP file, I decided to take my unspecified potential chances. I think I'm OK.

»

2007-01-10

Puritanical Security? And a Few Other Notes on HTML Help

I was going through some CHM help files the other day and I wound up copying one of the links to the clipboard and tossing it into Maxthon. I wasn't even really aware of what I was doing (just plodding along mindlessly) so I was rather surprised when I was presented with the following dialog:


Security Warning !

Using MK: protocol in browser may cause puritanical security problems.
Do you really want to enable this protocol during this session?


Of course, I had no desire to cause puritanical security problems, so I went with the default "No". The URL I had copied was in fact a "Microsoft Infotech" protocol link in the form of:
mk:@MSITStore:f:\file.chm::/Whatever/Whatever.html

The InfoTech protocol has changed several times over the last few years to reduce security vulnerabilities in HTML help. See MS05-026: A vulnerability in HTML Help could allow remote code execution and MS04-023: Vulnerability in HTML Help could allow code execution for more information.

Another issue that is seen rather frequently is the inability to open CHM / HTML Help files from a network path (UNC path or mapped drive). The article "You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1" discusses various registry settings that can be manipulated to allow the display of content in CHM files in this scenario.

»

2007-01-02

mtpstoolkit RatingBehavior related to AJAX?

Unfortunately, I forgot what website I was visiting when I encountered the following dialog:



Assertion Failed: Unrecognized tag mtpstoolkit:RatingBehavior

Break into debugger?

I have no concrete idea what the dialog is related to, but I suspect it has to do with some AJAX framework. Interestingly, googling mtpstoolkit (groups search here) currently proves to be rather fruitless. The stack of the thread "owning" the dialog (with a large number of calls in jscript.dll) seems to support the AJAX theory:

ntoskrnl.exe!KiSwapContext+0x2e
ntoskrnl.exe!KiFastCallEntry+0xf8
ntdll.dll!KiFastSystemCallRet
USER32.dll!NtUserWaitMessage+0xc
USER32.dll!InternalDialogBox+0xd0
USER32.dll!SoftModalMessageBox+0x938
USER32.dll!MessageBoxWorker+0x2ba
USER32.dll!MessageBoxIndirectW+0x56
ieframe.dll!SHFusionMessageBoxIndirect+0x26
ieframe.dll!CDocHostUIHandler::ShowMessage+0x128
ieframe.dll!CDocHostUIHandler::Exec+0xe6
ieframe.dll!CDocObjectHost::OnExec+0xcb1
ieframe.dll!CDocObjectHost::Exec+0xd7
mshtml.dll!CreateHTMLPropertyPage+0x2503b
mshtml.dll!CreateHTMLPropertyPage+0x22f72
mshtml.dll!CreateHTMLPropertyPage+0x8980
mshtml.dll!CreateHTMLPropertyPage+0x3f40c
mshtml.dll!DllGetClassObject+0xc53d3
mshtml.dll!DllGetClassObject+0xca51f
mshtml.dll!DllGetClassObject+0xca498
mshtml.dll!DllGetClassObject+0xca353
jscript.dll!IDispatchExInvokeEx2+0xac
jscript.dll!IDispatchExInvokeEx+0x56
jscript.dll!InvokeDispatchEx+0x78
jscript.dll!VAR::InvokeByDispID+0x7e
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x16c9
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!JsFncCall+0x8e
jscript.dll!NatFncObj::Call+0x41
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x16c9
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!JsFncApply+0xc4
jscript.dll!NatFncObj::Call+0x41
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!VAR::InvokeByName+0x165
jscript.dll!VAR::InvokeDispName+0x43
jscript.dll!VAR::InvokeByDispID+0xb9
jscript.dll!CScriptRuntime::Run+0x1675
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!NameTbl::InvokeInternal+0x40
jscript.dll!VAR::InvokeByDispID+0xfd
jscript.dll!CScriptRuntime::Run+0x16c9
jscript.dll!ScrFncObj::Call+0x8d
jscript.dll!CSession::Execute+0xa1
jscript.dll!NameTbl::InvokeDef+0x179
jscript.dll!NameTbl::InvokeEx+0xcb
mshtml.dll+0x2234
mshtml.dll!DllGetClassObject+0x24151
mshtml.dll!DllGetClassObject+0x77fb6
mshtml.dll!DllGetClassObject+0x7925f
mshtml.dll!DllGetClassObject+0x6f679
mshtml.dll!DllGetClassObject+0x9f5de
mshtml.dll!DllGetClassObject+0xb63c7
USER32.dll!InternalCallWinProc+0x28
USER32.dll!UserCallWinProcCheckWow+0x150
USER32.dll!DispatchMessageWorker+0x306
USER32.dll!DispatchMessageW+0xf
avant.exe+0x5df02
avant.exe+0x5df5b
avant.exe+0x39941f

Anyone know what precisely mtpstoolkit is a part of?

»