  • Windows 7 PC gets very sluggish


    This topic contains 298 replies, has 24 voices, and was last updated by  Lars220 47 minutes ago.

    • #229987 Reply

      Cybertooth
      AskWoody Lounger

      My Windows 7 computer has had an annoying issue in recent months. A few (2-3) days after a reboot, both Internet browsing and Windows Explorer start getting very sluggish. No matter the browser, websites open slowly and applications take 30 seconds or more to open. Even the Start menu and the Notification Area take a long while to respond to clicks.

      Sometimes (but not always) the taskbar grays out while the PC is doing whatever it thinks it’s doing, then finally it comes back to the usual color and the desired action finally takes place.

      Eventually, Internet browsing comes to a complete halt as I can’t reach new sites or even refresh open tabs.

      Anybody have an idea of what could be going on? Here are the things I’ve done in the attempt to fix this (not necessarily in the order shown):

      • Scanned the PC for malware (multiple scanners). No malware found.
      • Run sfc /scannow. It doesn’t find any corrupted system files.
      • Run error-checking (chkdsk). No errors found.
      • Run Disk Cleanup.
      • Run CCleaner.
      • Checked Task Manager; no unusually high CPU or RAM usage identified.
      • Examined the Event Viewer; no unusual events seem to occur around the time that Web browsing comes to a halt.
      • In msconfig, disabled a few startup items for things I wasn’t using (Seagate DiscWizard, Seagate Scheduler Helper, Bluetooth Software, WDDMStatus).
      • Uninstalled Norton Internet Security and installed BitDefender.
      • On the idea it might be an aging solid-state drive, I imaged the Windows drive (a 6-year-old 100GB SSD) and transferred the image to a brand-new 450GB SSD.

      None of this has made any appreciable difference: I’m still having to reboot the machine every couple of days because Explorer slows down to a crawl and Web browsing ceases to function.

      I suppose I could go in and stop or disable some services, but I don’t feel comfortable enough in my Windows knowledge to just start disabling services, although I do have some possible candidates.

      The PC is Group B, updated through the September patches (haven’t yet applied the recently green-lighted October set).

      What could be causing this? Web searches haven’t been particularly helpful because I have twin problems and everything I’ve found refers to one OR the other of these issues, but not both together.

       

    • #230037 Reply

      Ascaris
      AskWoody MVP

      Can you start task manager and see what it reports?  It seems like something is maxing out the CPU utilization, and that can get you started on what it might be.

      Does the event viewer show anything unusual when it happens?

      Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

    • #230045 Reply

      Cybertooth
      AskWoody Lounger

      No, that’s what’s puzzling: CPU utilization is normal, and I haven’t managed to pinpoint anything in the event viewer. (When the issue crops up, it takes a while to even launch the Task Manager.)

      But then of course, not finding anything in the event viewer doesn’t mean much in my case because the information there is so arcane, I’d have to know what to look for. There could be all sorts of clues in there that just fly right past me…

      BTW, tonight I ran the hardware diagnostics CD that came with the computer (OK, the PC asked me to create it soon after the first-ever boot), and it didn’t find any issues with the RAM or other components.

      ADDENDUM: I thought to call up the CPUID Hardware Monitor, and FWIW it shows the SSD temperature at 99C.

       

      • This reply was modified 2 weeks, 2 days ago by  Cybertooth.
      • #230066 Reply

        anonymous

        99C for an SSD?  At idle?  That’s not right.  Normal temps are mid to high 20s.

        • #230115 Reply

          Cybertooth
          AskWoody Lounger

          I’m thinking that it must be a defective sensor, since it hasn’t budged from that temperature reading all evening. Started out at 99 and has stayed there.

          Funny thing–the other day we noticed that the outdoor temperature reading on our thermostat claimed it was 78F when it was actually jacket weather outside. The next day, the “temperature” climbed to the high 80s even though it really was in the 60s. Day after that it shot up to over 110. Yesterday it was at 142 and today it reached 151. The repairman assures us that it’s nothing to be concerned about, it doesn’t affect the system’s operation.

          So we have some experience with bad temp sensors.  🙂

           

          • #230126 Reply

            Microfix
            AskWoody MVP

            Have you tried running the PC in safe-mode for a while from cold and then checking the SSD temp?
            Also what subsystem drivers are you using, OEM or MS?
            I’d highly recommend using OEM chipset drivers.

            | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
              No problem can be solved from the same level of consciousness that created IT - AE
            • #230231 Reply

              Cybertooth
              AskWoody Lounger

              Microfix wrote: “Have you tried running the PC in safe-mode for a while from cold and then checking the SSD temp? Also what subsystem drivers are you using, OEM or MS? I’d highly recommend using OEM chipset drivers.”

              I’ll try running in Safe Mode for a while and report back.

              As far as I know, this PC is using OEM drivers. Are there any in particular I should be checking to make sure?

               

            • #230235 Reply

              Microfix
              AskWoody MVP

              From memory: (on a tux M/c)
              Type ‘device manager’ in the search box, hit enter, click ‘System devices’, find your chipset, right click ‘properties’, driver tab. It should either be AMD or Intel (dependent on what motherboard chipset you have if it’s OEM).

              | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
                No problem can be solved from the same level of consciousness that created IT - AE
            • #230242 Reply

              Cybertooth
              AskWoody Lounger

              Thanks, Microfix. You have a good memory, that’s exactly where the info was.  🙂

              The chipset is the Intel 7 Series/C216 Chipset Family, and the Properties all report the driver provider as Intel.

              I turned the PC off, let it cool for a bit, and booted into Safe Mode and ran the CPUID monitor. SSD temperature reading started at 99C and stayed there:

              [Attached image: CPUID-SSD-temps]

              • This reply was modified 2 weeks, 1 day ago by  Cybertooth.
              1 user thanked author for this post.
            • #230699 Reply

              Bill C.
              AskWoody Lounger

              I suspect that HWMonitor is the issue vis-a-vis the temps. On my machine HWMonitor shows the Motherboard SYSTIN sensor temp as being 91C (195F) when idle. Speccy and the OEM (Intel) MB monitors and overclocking software never show it that high. (See image of HW monitor)

              I went so far as to use an IR thermal scope and probe to view the motherboard and there were no hot spots that showed high temps. Even the graphics card running a 100% test in overclock mode only reached 70C.

              The slowdown could be a memory leak from software. Do a task manager check right after boot and then after an hour or so of use and see if something is not releasing memory after the program is shut down. That will bring things to a crawl. I have also found older versions of the Western Digital backup software would bring games to a crawl when it decided to run. I disabled the real-time monitoring and it fixed the issue, but only a later version of the software cured it.

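The before-and-after check suggested in the post above can be scripted so the two readings are compared exactly rather than by eye. This is an added example, not part of the thread: it records per-process handle counts and private memory plus the kernel pool counters (which Task Manager's per-process view does not show), and it assumes a hypothetical snapshot folder `%USERPROFILE%\leakcheck` and English counter names.

```powershell
# Added example (not from the thread). Works on PowerShell 2.0, as shipped with Windows 7.
# Assumption: snapshots live in %USERPROFILE%\leakcheck (hypothetical folder name).
$SnapDir = Join-Path $env:USERPROFILE 'leakcheck'

function Save-ResourceSnapshot {
    param([Parameter(Mandatory = $true)][string]$Label)   # e.g. 'boot' or 'slow'
    if (-not (Test-Path $SnapDir)) {
        New-Item -ItemType Directory -Path $SnapDir | Out-Null
    }

    # Per-process figures. Name+PID is the key, so a reused PID does not match.
    $procs = @(Get-Process | ForEach-Object {
        New-Object PSObject -Property @{
            Key       = '{0}:{1}' -f $_.ProcessName, $_.Id
            Handles   = $_.HandleCount
            PrivateMB = [math]::Round($_.PrivateMemorySize64 / 1MB, 1)
        }
    })

    # System-wide counters. Steady growth in the kernel pools points at a driver
    # rather than a program. These are the English counter names; localized
    # Windows installations use translated names.
    $paths = '\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes',
             '\Memory\Available MBytes', '\Process(_Total)\Handle Count'
    $sys = @{}
    foreach ($s in (Get-Counter -Counter $paths).CounterSamples) {
        $sys[$s.Path] = $s.CookedValue
    }

    $snapshot = New-Object PSObject -Property @{
        Taken     = Get-Date
        Processes = $procs
        System    = $sys
    }
    $snapshot | Export-Clixml -Path (Join-Path $SnapDir "$Label.xml") -Depth 4
}

function Compare-ResourceSnapshot {
    param([string]$Before = 'boot', [string]$After = 'slow', [int]$Top = 10)

    $fileA = Join-Path $SnapDir "$Before.xml"
    $fileB = Join-Path $SnapDir "$After.xml"
    if (-not (Test-Path $fileA) -or -not (Test-Path $fileB)) {
        throw "Both snapshots must exist: $fileA and $fileB"
    }
    $a = Import-Clixml $fileA
    $b = Import-Clixml $fileB

    "System-wide change from $($a.Taken) to $($b.Taken):"
    foreach ($k in $b.System.Keys) {
        # Strip the leading \\COMPUTERNAME from the counter path for readability.
        '{0,-40} {1,16:N0} -> {2,16:N0}' -f ($k -replace '^\\\\[^\\]+', ''),
            $a.System[$k], $b.System[$k]
    }

    # Index the earlier snapshot, then compute growth for processes present in both.
    $old = @{}
    foreach ($p in $a.Processes) { $old[$p.Key] = $p }
    $rows = @(foreach ($p in $b.Processes) {
        if ($old.ContainsKey($p.Key)) {
            $o = $old[$p.Key]
            New-Object PSObject -Property @{
                Process        = $p.Key
                HandlesNow     = $p.Handles
                HandleDelta    = $p.Handles - $o.Handles
                PrivateNowMB   = $p.PrivateMB
                PrivateDeltaMB = [math]::Round($p.PrivateMB - $o.PrivateMB, 1)
            }
        }
    })

    "Largest handle growth:"
    $rows | Sort-Object HandleDelta -Descending | Select-Object -First $Top |
        Format-Table Process, HandleDelta, HandlesNow -AutoSize | Out-String

    "Largest private memory growth:"
    $rows | Sort-Object PrivateDeltaMB -Descending | Select-Object -First $Top |
        Format-Table Process, PrivateDeltaMB, PrivateNowMB -AutoSize | Out-String
}

# Usage:
#   Save-ResourceSnapshot -Label boot    # shortly after a reboot
#   Save-ResourceSnapshot -Label slow    # when the sluggishness returns
#   Compare-ResourceSnapshot
```

A process whose handle count or private memory keeps climbing between the two snapshots is the first candidate; pool counters that grow while every process stays flat suggest a driver instead.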
          • #230263 Reply

            anonymous

            An idea… If the (existing?) temp sensor is bad, and if possible tape a reliable analog/digital thermometer or thermocouple to the SSD.

            • #230286 Reply

              Cybertooth
              AskWoody Lounger

              Please see this post and let me know if it affects your recommendation. I’m wondering if that 99C reading is either bogus or unimportant.

               

            • #230495 Reply

              anonymous

              After catching up, if you were not persuaded to expediently pull your hand away after touching any part of it the drive might be fine.  Yes, it could be a faulty sensor or ghost measurement. Hands generally work well, I was suggesting using a thermometer or thermocouple if you had the equipment around, it would be another method to confirm that Hard Disk Sentinel has been reading the right information.

              2 users thanked author for this post.
      • #230094 Reply

        anonymous

        Are SSD’s controllers supposed to have thermal paste with a heat sink or even a thermal pad inside?

        • #230252 Reply

          satrow
          AskWoody MVP

          ‘Ordinary’ 2.5″ SSDs don’t really need them – but they should still be fitted somewhere with good airflow.

          Some high performance NVMe SSD drives do overheat when worked hard (Samsung 850 Pro’s are probably the commonest example), there are many 3rd party coolers on the market for them, you could also adapt other small chipset/memory coolers to suit – but you do still need to ensure they have good airflow – not so easy with some motherboards, especially those with multiple PCIe cards fitted.

          1 user thanked author for this post.
    • #230049 Reply

      PKCano
      AskWoody MVP

      Is there any traffic through your router to indicate the computer is communicating with the Internet?
      (Is it mining bitcoins behind your back? LOL!)

      • #230057 Reply

        Cybertooth
        AskWoody Lounger

        🙂  Not that I can tell! I’ve checked it with BitDefender, HitmanPro, Malwarebytes, a variety of online scanners, and none of them find anything wrong. I even did an offline, Live CD scanner or two.

        About monitoring traffic via the router, I’m not expert enough to know how to do that, but I guess I could learn to. But then again, this only starts happening after a couple of days, the machine runs fine for that amount of time and then it starts acting up.

         

        • #230165 Reply

          anonymous

          Without a Coin-mining filter(eg for Adblock Plus) or Coin-mining blocking add-on/extension installed on the web-browser, web-browsing will often become impossible or very very laggy.

          • #230227 Reply

            Cybertooth
            AskWoody Lounger

            That makes sense, but the thing is that, when the problem starts, all of the browsers on this PC get sluggish and eventually can’t get to the Internet. And BitDefender can’t update its database. In fact, typically the first sign I see that the problem has come back since the last reboot, is in the morning when I sit down at the computer and there’s a notice from BD saying that the database update failed at some point overnight.

            Also, if a coin miner were stealing CPU cycles, you’d think that would show up in the CPU usage meters, but CPU usage remains normal (as far as I can tell).

             

    • #230054 Reply

      SH2071
      AskWoody Lounger

      An idea out of left field – are the computer’s ventilation holes clogged with carpet fluff, restricting airflow? I had this issue some years back, on a W7 machine that had been used for many years. Once I cleaned the fluff away, problem gone. The computer must have been overheating.

      • #230060 Reply

        Cybertooth
        AskWoody Lounger

        You’re right, PCs can start doing weird things if they’re clogged up with dust and stuff. I opened the case a few weeks ago and blasted the insides with a can of compressed air. I forgot to put that on the list of steps taken, sorry about that.

         

    • #230131 Reply

      mn–
      AskWoody Lounger

      Otherwise would be entirely typical for a heat management problem except that those usually show up a lot quicker after a reboot. As in, hours at most.

      Dust is just the most common problem – I’ve seen cracked heat conductors, expired thermal paste, clogged coolant pipes and failed pumps … computer internal parts ending up in the fan blades due to heat-induced warping (on a “gaming laptop”), and an actual chip design error (a friend’s Cyrix CPU back in the late 90s).

      A “power workstation”, say a HP Zsomething, may have a closed-cycle liquid cooling system for the CPU straight from the factory and may suffer a pump failure.

      • #230250 Reply

        Cybertooth
        AskWoody Lounger

        Whoa, that would be a major problem. Fortunately, no computer parts have come flying off–yet!

        However, this one is air-cooled (fans) and, except for the (apparently) flaky sensor, temperatures read normal.

         

        • #230297 Reply

          mn–
          AskWoody Lounger

          Well, it’s not impossible that a wrongly reported temperature would cause thermal throttling… but this feels sort of unlikely here too, because in that case why would it wait for a couple of days?

          • #230361 Reply

            Cybertooth
            AskWoody Lounger

            That makes sense to me, too. I’m wondering if the sluggishness could be due to some software (not hardware) related issue that builds up over a couple of days’ time.

             

            • #230702 Reply

              Bill C.
              AskWoody Lounger

              See my post at #230699 regarding a software memory leak.

    • #230236 Reply

      jabeattyauditor
      AskWoody Lounger

      When you copied to the new SSD did you expand the C: drive to use the additional space?

      When the system is running sluggishly, do you have any free space on the C: drive?

      • #230247 Reply

        Cybertooth
        AskWoody Lounger

        Yup, I expanded it to use the additional space. But I don’t know what the free space looks like when the system is running sluggishly. I’ll make sure to check that next time this happens, probably sometime late Wednesday night…

         

    • #230246 Reply

      satrow
      AskWoody MVP

      What’s the SSD make/model and firmware revision? Many of them have/had specific issues, some that show up only over time and may not be indicated with the ‘wrong’ tools/tests (e.g. Samsung 840 non-Pro/EVO, issue only shows when using HDTune to test); there may be newer firmware available that might ‘fix’ it.

      Don’t rely on only one temperature testing program as HDD/SSD makers use some SMART #s for different purposes. I normally use HWiNFO set for Sensors only; it’s updated quite often.

      Some SSDs don’t even have a temp. sensor (usually older and/or smaller types like mSATA).

      1 user thanked author for this post.
      • #230258 Reply

        Cybertooth
        AskWoody Lounger

        The SSD is a Kingston SA400S37480G. How does one find out the firmware version?

        In addition to the CPUID Hardware Monitor, I launched PC Wizard and HD Tune. PC Wizard’s temperature readings agree with those of CPUID-HM (29 and 99), while HD Tune alternates between 29 and “-“, which I take to mean it considers the other reading to be unreliable.

         

        • #230260 Reply

          Microfix
          AskWoody MVP

          https://www.kingston.com/en/support/technical/ssdmanager

          This might help.

          | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
            No problem can be solved from the same level of consciousness that created IT - AE
          1 user thanked author for this post.
          • #230435 Reply

            Cybertooth
            AskWoody Lounger

            I installed this software (thanks for the link!) but something’s gone awry: most of the tabs (Firmware, Operations, Health, Security) have blank fields under them. The only tab that yields any result is Events, and that one is failing with “reason code 2”, whatever that means.

            Curiously, I got more information about the SSD from Intel’s SSD Toolbox (which I did not uninstall when the SSD was replaced) than from Kingston’s own utility. Hard Disk Sentinel is also providing info about the drive that Kingston fails to.

            The requirements for using this software include running the disk in AHCI mode. I checked that and it was already set as they required.

             

        • #230262 Reply

          satrow
          AskWoody MVP

          Firmware version should be tacked onto the end of the model# in Device Manager’s properties sheet for the drive, under Hardware ID.

          ADDED: Check the Drive’s SMART stats, the remaining life might be low. I use Hard Disk Sentinel (which will also show the temps), there’s a trial version.

          1 user thanked author for this post.
          • #230283 Reply

            Cybertooth
            AskWoody Lounger

            The firmware version is SBFK71E0.

            That Hard Disk Sentinel is pretty cool, thanks @satrow!

            The SSD is brand-new (installed just a few weeks ago) and HDS reports its “status” as “perfect”. SMART readings have always been something of a mystery to me, but nothing jumps out as obviously worrisome.

            One interesting thing: HDS reports the drive’s temperature as 29, with a maximum temp “during entire lifespan” of 35. It doesn’t know anything about a 99C reading.

             

             

            • #230288 Reply

              satrow
              AskWoody MVP

              See if the SSDManager @microfix linked above detects the temps – and see if it checks for Firmware updates, I didn’t see any listed at Kingston.

              ADDED: I’ve not seen HDS get the historic temps wrong yet but there’s always a first time. How warm does it feel to the touch, or on a close hover above it (40C will feel normal/just warm, 60C hot)?

              • This reply was modified 2 weeks, 1 day ago by  satrow.
            • #230289 Reply

              Microfix
              AskWoody MVP

              It does indeed, and also updates firmware IF required.

              | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
                No problem can be solved from the same level of consciousness that created IT - AE
              1 user thanked author for this post.
    • #230276 Reply

      MrJimPhelps
      AskWoody MVP

      I think you have a bad SSD. Running hot and sluggish are what convince me of that. The fact that your CPU usage is normal means that there is no mining for bitcoins happening. The fact that your temp sensor tells you that the temp is very high means either that it IS very high, or you have a faulty reading. Pull the cover off of your computer and touch the SSD with your finger. Does it feel hot? If it is really hot, then you have a bad SSD. If it is not hot, yet the temp sensor says it is, then you could test the SSD by installing it in another computer, to see if the same problem exists there. If the problem shows up on the other computer, then your SSD is bad.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      2 users thanked author for this post.
      • #230292 Reply

        Cybertooth
        AskWoody Lounger

        Thanks Jim, but bear in mind that the problem was happening even before the new SSD went in. In fact, replacing the SSD was one of the things I did in the attempt to solve the issue.

        What’s odd is that, according to the listing for the SSD in CPUID HW Monitor, the “assembly” temperature is 29C while the “drive” temperature is 99C. Not sure what the distinction is between the “drive” and the “assembly.” And then the Hard Disk Sentinel seems to pay attention only to the lower reading. I’m thinking that the 99C is a faulty reading.

        I’m typing this on the affected PC and my stomach is clamoring for lunch 🙂 but I’ll open up the case this afternoon and see what’s what.

         

        • #230347 Reply

          MrJimPhelps
          AskWoody MVP

          If there really isn’t much heat being generated, then it has to be a faulty reading; and you can tell that by touching the different parts. You can also run some different temperature checking programs, such as Speedfan.net.

          Another common cause for sluggishness is some non-Microsoft service running in the background, misbehaving, slowing everything down. Basically, you run MSCONFIG, go to the services tab, and check the box that will hide all Microsoft services. Disable all non-Microsoft services, then reboot, to see if that solved the sluggishness problem. If that didn’t solve the problem, then go back into MSCONFIG and re-enable all of the non-Microsoft services. However, if it did solve the problem, then you know that one or more of the non-Microsoft services is the culprit. Using MSCONFIG, re-enable the non-Microsoft services one at a time, clicking Apply then rebooting after each re-enable. When things get sluggish again, you will know that the service you just enabled is the culprit. Disable it permanently in MSCONFIG, and make note of the name of that service. Continue the process till you have checked all of the non-Microsoft services.

          Group "L" (Linux Mint)
          with Windows 8.1 running in a VM
          • #230419 Reply

            Cybertooth
            AskWoody Lounger

            I’m hoping that it isn’t some misbehaving service. This is my secondary work computer and, because the issue takes 2-3 days to show up, it could take weeks to identify the problem, while in the meantime the PC may be less than fully functional.

            (The same drawback applies to running the PC in Safe Mode. Unfortunately, it’s not a problem that occurs right away such that you can just take care of it and go back to a normal startup.)

             

        • #230434 Reply

          Ascaris
          AskWoody MVP

          Is “assembly” for sure on the SSD and not the motherboard? My motherboards have an “assembly” temperature that is on the board itself… I actually located it on my main PC board by using canned air to chill various bits and watching the realtime temp readings.  I was setting up the airflow pattern in my case and I wanted to see exactly where it was being read.

          It’s possible “assembly” could also be on your SSD.  99C isn’t a credible temperature; that’s one degree short of the boiling point of water, and is close to the maximum die temp you would ever want to see in any CPU or GPU (the highest ones generally tolerate up to 105, but if they are actually getting that hot in practice, it usually means something’s wrong with the cooling).  The last AMD CPUs I used had max temps that were only in the 60s C (that was my Phenom II).  An SSD would never generate that kind of temp unless there was a serious short circuit, and I doubt it would even run in that circumstance.  It might even cause the PSU overcurrent protection to trip and shut the PC down.

          That reminds me: Is this a desktop PC?

          The SSD temp generally will be the same as the ambient temp (the temp inside the case, which is the same one that I just mentioned, “assembly!”), though it can be expected to rise when doing sustained writes (not sure about reads).  Even in the confined space in my Core 2 Duo laptop (2.5″ drive, very little ventilation), the SSD I now have in there is quite cool, in contrast to the last HDD I had in there (WD Black 7200 RPM), which typically was in the mid 40s C while idle, and would get near 50 (sometimes over 50) with any kind of sustained activity (defragging, backing up, etc.).  The left palm rest on the laptop (right over the drive) was always warm after the PC had been running a while, but with the SSD, it’s as cool as the right one.

           

           

          Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

      • #230423 Reply

        Cybertooth
        AskWoody Lounger

        This afternoon I opened the case and touched the SSD. It felt lukewarm, certainly not hot.

        I tend to believe the lower readings given by Hard Disk Sentinel, but when I get the chance to I’ll connect the SSD to a different PC and see what happens there.

         

    • #230291 Reply

      OscarCP
      AskWoody Lounger

      MrJimPhelps writes: “ The fact that your CPU usage is normal means that there is no mining for bitcoins happening. ”

      Really? What an awful world, sometimes, this one can be! I wish I had not seen that, but thanks for the warning, anyhow.

    • #230333 Reply

      PaulK
      AskWoody Lounger

      Far left field here, probably left of the foul line, so no home run –
      Problem clears with boot, but redevelops over days, so some resource is slowly choking. Task Manager gives no apparent clue.

      Is there still Free space within Physical Memory?
      Is C:\pagefile.sys a reasonable size?

      How about Resource Monitor? Is there high Disk activity, shown in the Overview panel or in the Disk tab?

      Are there other computers on the network? Do they exhibit any degradations?
      Is internet access via ethernet (wired) or via Wi-Fi? Which band?
      Another stretch: Can you turn off IPv6 (and still operate) on the adapter(s)?

      • #230364 Reply

        Cybertooth
        AskWoody Lounger

        That’s my suspicion, that it’s some piece of software that’s causing the issue to build up over a few days and then (like a volcano) break through to the surface.

        There are other PCs on the network, but this is the only one that’s doing this.

        Internet access is via ethernet.

        The pagefile.sys size is 11.8GB (the computer has 12GB of RAM), and it’s managed automatically by Windows.

        Good questions about the physical memory, Resource Monitor, and IPv6. I’ll check the memory and Resource Monitor next time this happens, and will look into turning off IPv6 (not sure how to do that).

         

      • #230382 Reply

        PaulK
        AskWoody Lounger

        IPv6 (and other adapter settings):
        Network and Sharing Center > Change Adapter Settings > [right-click] Local Area Connection (or whatever the ethernet adapter is labelled) > Properties. You needn’t go to Configure for finer tuning.

        (Off-topic war story – involves Configure: This was a few years ago when I changed from DSL to cable. (I had bought my own modem and router.) Part of the initial cable setup is to connect a computer directly to the modem, omitting the router. My computer adapter is 1.0 Gbps Full Duplex capable, and the modem has 1G port. Went OK. Cable Installer left, job done.

        Connected the router, and rebooted everything. Initially would be OK, but the modem would drop after a few minutes. Rebooted everything; same scenario. Re directly connected computer to modem. Solid failure. Reset Adapter from (Auto / 1 G) to 100 Mbps. Worked. Repeated speed-change tests. Confirmed my diagnosis: modem wouldn’t work at 1 G; and the router has no capability to run ethernet-In at other than 1G. (Called modem Help line – went through their scripts: reboots; swap ethernet cables, etc.) Returned modem to Costco (excellent service, no questions). Got a new modem of same model. No trouble since then.)

        1 user thanked author for this post.
        • #230421 Reply

          Cybertooth
          AskWoody Lounger

          OK, IPv6 is now disabled. There are no immediate effects, positive or negative.

          Glad you got that modem issue cleared up BTW. That would have driven me nuts!

           

    • #230371 Reply

      anonymous

      different ballpark, different planet, might not see Milky way from here

      Swapping drives, bent pin? Sure seems like that would make everything totally unusable; but I’m failing to see cause of obviously errant temp reading.

      Sorry that I’ve forgotten if this, or the original, drive has been tried in another box?

      • #230439 Reply

        Cybertooth
        AskWoody Lounger

        Great idea: I’ll hook up the old SSD to another PC and see how things go. I had meant to do this anyway, to run a CHKDSK on the SSD.

         

    • #230416 Reply

      Ascaris
      AskWoody MVP

      Seems like some third-party driver has hooked into the system, but somehow isn’t doing what it is supposed to do, so whatever process or processes it is interfering with are waiting around for something to happen.

      I used to run a security suite called Agnitum Outpost in Windows.  It was a comprehensive program, but over the years it grew to be heavy and quite impactful on system performance.  Despite Agnitum’s claims that it “stops everything, slows nothing,” it actually did slow a lot of things.  It was cutting my wifi transfer speed in half, among other things, and that was when I began to look for an alternative.  The timing was right, I guess, as Agnitum announced not much later that it was being acquired by Yandex and that the first thing Yandex was doing was cancelling Outpost.  So much for my “lifetime” license.

      Anyway, the drivers for Outpost hooked many, many things.  It was a full HIPS as well as a firewall (full in and outbound filtering) and antimalware suite.  There are a ton of ways to compromise a Windows system without actually running an executable, and Outpost was designed to stop them all.

      The problem with this, if there was one, was that every single thing the OS needed to do was dependent on Outpost.  If it wanted to load a DLL, Outpost had to approve it.  If it wanted to do a registry write, Outpost had to approve that too.  If it was an action that had already been whitelisted by the computer owner/user (me, in this case), Outpost would approve it instantly and the thing it was doing would happen with a usually imperceptible delay, but if it was a new DLL or something similar, Outpost would pop up a dialog asking the user what to do about it.

      Until that dialog was answered, the process that some program was trying to perform was on hold.  It was waiting around for something to happen… something that was important enough for the program to not have a plan B if for some reason it didn’t happen.  The program waiting does not know that it has been held up by a security program– only that it hasn’t been given the go-ahead yet.

      If Outpost were to malfunction and not pop that box up, the system could be waiting for whatever it is to happen, Outpost would be waiting for directions from the user, and the user would be waiting for the PC to hurry up and do something.

      To its credit, I can’t recall this ever actually happening with Outpost, but with its hooks everywhere in Windows, it was a possibility that it could have.

      What makes things worse with this kind of thing is Windows’ habit of leaving programs partially installed even after they have been uninstalled by the usual means.  A fragment of the program still installed and registered could be holding things up even if the program itself is long gone.

      Security programs often get the first look in instances like this, since they are the ones that tend to hook a lot of important system functions, but it could be anything that installs a kernel driver and malfunctions.  You might want to see if Norton has a clean-up program that can be used to remove any leftover bits of their security software after it has been uninstalled, and if there isn’t one, see if you can find a guide for manual uninstallation (which you can still do even though it is supposed to be uninstalled already).  It can be a tedious procedure, going through various registry keys and checking to make sure that bits and pieces are actually gone.

      If you go to the device manager and tell it to list hidden devices, you might be able to see listings for some drivers (under non plug n play devices, probably) that reference Norton or other things that have been removed.  Generally, these things can be safely removed without causing any other problems, but as always, it’s good to have a backup before trying anything like this.

      Microsoft’s driver verifier can also be useful in sniffing out bad drivers.  There are many guides out there on how to do this, and they all seem to vary in which types of drivers they say to check.  As long as the guide is from a generally trusted source, it should be fine.  I’ve used the one from the site that thinks the name of this one is a swear word (disappointing), sevenforums, with good results.

      I’ve also had instances where a program that seems to be working is causing other weird behaviors, and I end up finding it through trial and error.  When I’ve tried the other things and not had any success, I might back things up and just try uninstalling various things and seeing what happens.  I’ve found several weird malfunctions this way that didn’t appear using any of the normal means.  Having a backup you know you can fall back upon if things go poorly means you can try things you otherwise wouldn’t for fear of potentially breaking something.  Sometimes that fear also prevents you from potentially fixing things!  Backups are a must for this kind of troubleshooting.

      Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

      1 user thanked author for this post.
      • #230450 Reply

        OscarCP
        AskWoody Lounger

        I once had a series of nagging problems with Windows 7 that were solved by looking at the Services installed and deleting several not from MS, but from some obscure vendors. They were probably harmless in themselves, but were blocking some needed functions and causing the problems. First I made a list of all those services, in case it was necessary to reinstall any, then got rid of the lot. Never since then have had a reason to miss a single one of them. Obviously, they were not necessary for anything I do.

        • #230485 Reply

          Cybertooth
          AskWoody Lounger

          This is a step that I view with trepidation, the same as with disabling startup items. Just how much functionality would the computer end up losing, and how long would it take to pinpoint this slow-building problem, I wonder.

           

          • #230597 Reply

            OscarCP
            AskWoody Lounger

            Besides using the list of the non-MS services one would write before disabling them, to then re-enable them, one at a time, until finding the culprit or culprits and disabling only those again (something I, fortunately, did not have to do), one can always start by creating a restore point before disabling anything, or even an ISO disk image, as several people here, reportedly, do during their regular backups. Which is always a good idea, I might add.

            1 user thanked author for this post.
            • #230602 Reply

              Cybertooth
              AskWoody Lounger

              Good policy. I guess there’s really not much else left to do in this troubleshooting, than to start taking some of these more drastic steps. Next time the PC slows down (which, based on recent experience, I’m expecting by late tomorrow night), the plan is to try some of the new measures that have been suggested here, and if they don’t work then I’ll start disabling services and/or startup items as proposed.

              <thumbs up> A big Thank You to everyone who has shared ideas, troubleshooting measures, or web links. I’ll post back here to report on developments.

    • #230436 Reply

      samak
      AskWoody Lounger

      If it only happens 2-3 days after a reboot, why not just reboot daily? Seems like it might save a lot of time…

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

      • #230438 Reply

        Cybertooth
        AskWoody Lounger

        Doing that is not out of the question, although I do prefer to leave browser tabs and other stuff open overnight so that the next morning I can pick right back up where I was.

        For some reason, IE11’s “reopen last session” isn’t always offered the next time I launch it after a reboot. Pale Moon seems to be more reliable in this regard, although I can’t say for sure that it’s never failed to offer to restore the previous browsing session. So rebooting every day would add administrative overhead in having to keep track of what tabs were open before the reboot.

         

        • #231681 Reply

          anonymous

          Have you tried “hibernating” the PC rather than “shutting it down”? I don’t use hibernation myself, but as I understand it, when you hibernate Windows copies the current dynamic state of the PC held in RAM into a file “hiberfil.sys” on the disk before powering things down and then when you re-start the contents of “hiberfil.sys” are copied into RAM to restore the dynamic state of the PC. I assume that this will include your browser’s state? This is intended to give a faster PC “start-up” from the user’s perspective.

          Now in your case, if your problem is a “software” problem, presumably restoring “hiberfil.sys” to RAM will restore the problem so you gain nothing (except a little more information about the nature of the problem).

          However if your problem is a “hardware” problem i.e. the PC electronics in some sense, then the electrical power down and cooling off of the PC components might “fix” or delay your problem. If you “hibernate” each night, then the successive effect of these “delays” each night might mean that things are delayed indefinitely and your problem will appear to have gone away (it is just delayed indefinitely – like an orbiting satellite in freefall is actually falling to Earth but never reaches the Earth).

          Just a thought. Garbo.

          PS: If like me you never use Hibernation and you want to save some disk space (if you are running out or to reduce the size of a backup – this file is roughly the same size as the amount of RAM), then you can de-configure it in a command prompt “run as administrator” by typing “powercfg -h off”. The “Hibernate” option should disappear from your shutdown options and the “hiberfil.sys” file should be deleted (or maybe it is deleted on the next PC start-up – I forget). Using “powercfg -h on” restores Hibernation if you want it later.

           

    • #230437 Reply

      Cybertooth
      AskWoody Lounger

      Is “assembly” for sure on the SSD and not the motherboard?

      You got me there!  🙂

      That reminds me: Is this a desktop PC?

      It’s a desktop PC, model HPE h9-1185 Phoenix. Nice computer… when it’s not acting up!

      The SSD did feel about room temperature (lukewarm) when I put my hand on it this afternoon.

       

      • #230507 Reply

        Microfix
        AskWoody MVP

        @cybertooth have you tried (or used) HP’s own utility for HW diagnosis?
        HP HW Diagnosis
        Perhaps run this once things slow down to establish if there is a HW issue.

        | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
          No problem can be solved from the same level of consciousness that created IT - AE
        1 user thanked author for this post.
        • #230574 Reply

          Cybertooth
          AskWoody Lounger

          Nice find, @microfix!

          Previous PCs from HP came preinstalled with a good program called PC-Doctor, but this one came instead with a utility to create a diagnostics CD. During the bootup process, there’s also a chance to select diagnostics tools. I tried both and they’re good programs, but they can’t run from within Windows, and (not surprisingly) they didn’t find anything since the problem wasn’t happening at the time.

          I’ll download and run this the next time the computer gets sluggish.

          ADDENDUM: If you scroll down almost to the bottom of that HP page, the software that my PC came with is the Vision Diagnostics on the right.

           

          • This reply was modified 2 weeks ago by  Cybertooth.
          1 user thanked author for this post.
    • #230566 Reply

      anonymous

      I have not read all of the contributions in this thread, but the originator wrote that Windows Explorer becomes sluggish and he/she does not want to re-start the PC, so has the originator tried just re-starting Windows Explorer (not the PC) to see if this fixes the sluggishness?

      This can be tried out in 2 steps using the Task Manager – keeping it open after the 1st step. 1) In “Processes” select “explorer.exe” and using the mouse Right button select “End Process”. 2) In the Task Manager “File” option select “New Task”, type in “explorer.exe” and click OK. Windows Explorer should start up again. Is it now less sluggish?

      If this helps, it is possible to achieve the same effect in a less clunky way using a batch file. In a new text file add the 4 lines:

      @echo off
      taskkill /f /im explorer.exe
      start explorer.exe

      (there is a Return at the end of the 3rd line above making 4 lines in total) and rename the file something like “RestartExplorer.bat”. Put this somewhere convenient e.g. the desktop so that you can double click on it or in the folder “C:\ProgramData\Microsoft\Windows\Start Menu” to put it in the Start menu to achieve the same effect.

      I don’t normally use Internet Explorer myself, but I did start it and open a couple of sites in separate tabs and both IE itself and these sites remained in place after I restarted “explorer.exe”, so based on this very limited test it appears IE is somewhat isolated from re-starting Windows Explorer.

      This being “Windows” where there are often several ways of achieving the same thing, there may be other ways to re-start Windows Explorer.

      One side-effect of re-starting Windows Explorer is that Notification Area icons may not be the same after re-start. For example, the white flag security icon does not re-appear until a couple of minutes later. (I guess it goes through the same delayed processing after explorer re-start as at PC start-up?)

      BTW: I originally went down this track a couple of years ago after I found that the Avira anti-virus (AV) notification icon did not appear at PC start-up, but did appear after Windows Explorer re-start. (I assumed the order in which things happened at PC start-up affected this.) I put the above batch file in the Start menu “Startup” sub-folder to re-start “explorer.exe” soon after the PC start and this re-sequencing was enough to display the AV’s icon for a few months until a later update changed how the icon worked completely. (I have since replaced Avira AV with the (much lighter on PC resources) Panda AV and its notification area icon does not re-appear after re-starting “explorer.exe”. As I rarely re-start “explorer.exe” this is not an issue for me.)

      HTH. Garbo.

       

      1 user thanked author for this post.
      • #230579 Reply

        Cybertooth
        AskWoody Lounger

        Garbo, I have tried killing and re-starting Windows Explorer when the sluggishness starts and unfortunately it hasn’t improved things.

        But that’s a handy batch file and I’m adding it to the Start menu, thank you.

         

      • #230656 Reply

        anonymous

        If it becomes sluggish over a period of time do you have a “memory leak” where something is allocating RAM for use, but not freeing the RAM after use, so that the total amount of RAM which appears in use increases with time?

        I have used a program called “CleanMem” for many years. It does 2 things. 1) It sets up 2 scheduled tasks which every few minutes check that the programs which have memory allocated are still running and if not running free the allocated memory. (From memory I tweaked the task intervals from their default values down to 5 minute intervals, but I forget what the default was.) 2) It displays the percentage memory in use as a 2 digit number on a traffic light inspired background i.e. green for <50% usage, amber/yellow for 50% to 75% and red above 75%. If the percentage memory in use increases over time you can see it and a colour change to red is obvious and possibly a cause for concern. (At present on my 32 bit W7 PC with 3GB of RAM with Windows itself, Panda AV, Malwarebytes Premium and Firefox inside a Sandboxie sandbox running it shows 35% RAM usage on a green background. I don’t remember the last time it went red.) There are mouse right click options for this icon to clear memory immediately.

        It might be a good idea to install this (it is still available, although it has not been updated since 2014) or something similar, to either 1) fix the problem by freeing RAM allocated to programs no longer running (if that is the problem), or 2) see that something still running is using more memory over time.

        HTH. Garbo.

         

        • #230714 Reply

          OscarCP
          AskWoody Lounger

          A memory leak from some poorly designed or buggy program or procedure can cause other software to behave unusually. In this case it would seem, from what I’ve read in Cybertooth’s postings, that the slowdown problem he has noticed seems to affect only the browsers. With a memory leak, wouldn’t the effect be more across the board? Otherwise, “leaky” software would be a good candidate, if it keeps on automatically running, stopping and re-starting repeatedly for several days, without a reboot to clear things up, as it will tie down more memory each time, until it begins to cause observable problems.

        • #230733 Reply

          Cybertooth
          AskWoody Lounger

          Thanks for the software suggestion. I’ve downloaded CleanMem. Should I start running it now while the system is working properly, or wait until it starts misbehaving?

          I’d lean toward running it only when the system misbehaves, as otherwise we may not know if it made a difference. But you have experience with the program and I don’t.

           

      • #230785 Reply

        anonymous

        Garbo writes: Further to my 2:51PM #230656 post above, I should have explained how I have CleanMem set up. After installing it I tweak in 2 places.

        1) In the Start menu CleanMem area select “CleanMem Settings” to set up the scheduled tasks. This opens a 4 step “wizard”. I leave the 1st 3 steps at their default settings, but at step 4 I select “Install CleanMem Task Schedule” to create the scheduled tasks. The “Edit CleanMem Task Schedule” button opens the standard Windows task window and shows the new tasks “Clean System Memory” and “CleanMem Mini Monitor” in the list at the bottom of the central pane. Double click on either of these to get the usual interface for tweaking these Windows tasks. The only thing I changed is to set the “Clean System Memory” task intervals to 5 minutes for both of the 2 triggers, but this is not essential and I forget what the defaults were or why I changed them. (My best guess writing today is that I reduced them to a more frequent “nice round number”, but not too short an interval so that CleanMem itself affects PC performance, so a reasonable compromise.) Click Finish to close the CleanMem wizard.

        2) In the Start menu CleanMem area select “CleanMem Mini Monitor” and the coloured icon showing the percentage memory should open in the Notification Area. Using the mouse right button select “Monitor Settings” to open a different settings window.

        a) On the “General” tab I tick/select “Automatically start at Windows startup” because I like CleanMem to run automatically.

        b) On the “Monitor Settings” tab I untick/de-select “Show Monitor” to hide the larger, more detailed indicator on the desktop just above the Notification Area because I find it distracting and I have other programs which show notifications in that corner of the desktop and things could become messy if they overlap/hide each other, but that is just my personal choice – I’m happy with just the Notification Area icon itself and the percentage number on the coloured background.

        (The other tabs relate to the paid for version.)

        If it is a memory leak issue there are 2 possibilities. Either it is caused by a program which does not properly free its memory to be allocated to other processes after use, in which case CleanMem if running should free the memory the next time the “Clean System Memory” task runs, fixing your problem, or a program which is still running is progressively using more memory over time which CleanMem cannot tidy up after (because the program is still running), but in this case the CleanMem monitor percentage number and colour code will warn you about it so that you yourself can take mitigating action or investigate further. So for either possibility I suggest running it all the time. CleanMem itself uses about 8MB of memory.

        If you don’t want to run the memory cleaning all of the time I assume you need to disable the “Clean System Memory” task using the usual Windows Task Scheduler mechanism or do not tick the “Automatically Start …” as described in 2) b) above.

        If you find memory usage is increasing with time then you could use the Task Manager which shows usage by (Windows or 3rd party) process or like me use something like Sysinternals Process Explorer to give clearer, more detailed information.

        If it is a Windows service causing the problem, it could be unclear which service because Windows by default often groups several services into 1 process. While investigating a different issue I discovered a means of separating out most services into separate processes which makes debugging easier. (Windows does not allow all services to be separated.)

        (i) In a command window “run as administrator” type

        tasklist /SVC /FI "IMAGENAME eq svchost.exe"

        to see how the services are grouped.

        (ii) Then type

        sc config <service name> type= own

        replacing <service name> with each of the services listed in (i) to start most of the services in a separate process after the next PC re-start. It will tell you that you cannot do this for a few of them, but something may be better than nothing in this area.

        (This being “Windows” there are other ways to achieve the same effect.) I have not seen any change to the amount of memory allocated after this change itself, so I do not know why Windows does not work this way by default.

        HTH. Garbo.

         

        1 user thanked author for this post.
    • #230625 Reply

      Sessh
      AskWoody Lounger

      Ok, so, I didn’t read all the replies, but I am imagining what I would do if I started having this problem because I wouldn’t tolerate it and would get to the bottom of it ASAP.

      First off, I would bring up the task manager and look under the processes tab to check CPU usage percentages and look for anything out of the ordinary using up CPU and I would look for anomalies such as a program using more memory than it should. I would also check the performance tab as well and go from there.

      I would not think it’s a hardware problem because it wouldn’t take 2-3 days after every reboot to act up again. It sounds like some service is set to run at that time and it’s causing problems. Perhaps it is something in the task scheduler that shouldn’t be there.

      So, when this happens, do you see anything using CPU in the task manager? It doesn’t have to be maxing it out at 100%, but I would expect to see something using a consistent amount of CPU to catch my eye if there’s something there to see. Is system memory being all used up or any one process using a very large amount of it? Is the activity indicator light on your rig blinking or flickering like it’s doing something? You mentioned that it takes programs 30 seconds to open, so if you try to open a program with the task manager already open so you can observe active processes, is there a CPU spike from anything other than the program you’re trying to open?

      • This reply was modified 2 weeks ago by  Sessh.
      • #230635 Reply

        OscarCP
        AskWoody Lounger

        Also might be an idea to check with Task Manager the epoch by epoch levels of disk usage and networking activity.

      • #230738 Reply

        Cybertooth
        AskWoody Lounger

        Thanks for the ideas. I haven’t noticed any unusual CPU utilization during these episodes, but next time it happens I will take a closer look at RAM usage. I’ll also try opening a program while keeping an eye on CPU usage. Task manager is already up and running so that there’s a baseline for comparison.

         

    • #230671 Reply

      anonymous

      Asking to clarify the environment. Sorry if already posted this information.

      This is a Win7 system “on bare metal”,
      operating as only a Win7 during the afflicted times,
      there are no VM’s in use,
      all diagnostics are referencing this one environment,
      all methods attempted so far are directed at this one “online” environment.

      My thought is that referencing from within a virtual environment, or directing tools to the wrong environment may lead to confusion.

      • #230735 Reply

        Cybertooth
        AskWoody Lounger

        Hi, yes, this is a Windows 7 system running on bare metal. No VMs involved.

         

    • #230728 Reply

      EP
      AskWoody Lounger

      I am wondering what kind of CPU/processor Cybertooth has on his Win7 computer as he did not mention that (was it an Intel or AMD CPU)?

      • #230736 Reply

        Cybertooth
        AskWoody Lounger

        It’s an Intel Core i7-3770, with 12GB of RAM installed.

        Hope this info helps!

         

    • #230744 Reply

      anonymous

      ? says:

      have you booted a linux dvd or usb?

      • #230767 Reply

        Cybertooth
        AskWoody Lounger

        I ran a couple of live CDs to scan the Windows drive for malware, but that’s about it.

         

        • #230770 Reply

          GoneToPlaid

          Hello Cybertooth,

          Please go to: http://www.gmer.net/
          And then download and save the EXE to your computer’s desktop. Note that the GMER EXE file will have an automatically generated random file name. After saving the randomly named EXE to your desktop, double-click it and run it.

          I am only interested in what its main screen presents after it is launched. GMER will quickly report info about all running threads: Type, Name, and Value. Do not bother with, or try, any of the other buttons or check boxes in GMER.

          What I need to know is if there are any reported threads which have no Name, as this is a sure sign of either a malware or rootkit infection.

          If you don’t see any running threads which have no name, then close GMER and repeatedly launch and then close GMER several times (perhaps up to two dozen times) over a period of several minutes (perhaps up to 10 minutes), until you finally see a running thread which has no Name. Do so with all other programs except your antivirus program closed.

          The upshot is that GMER is my last resort for detecting state actor malware. Yeah, I got hit by state actor malware via CCleaner last year when Piriform was breached by China. Only GMER randomly caught the randomly running threads which had no assigned Name. Nothing else detected it — and I mean NOTHING ELSE even though I tried SEVERAL scanning tools. I was hit because my domain name was very similar to a potential targeted domain name. I had to restore all of my home Windows 7 computers from offline backups.

          Oh, and for everyone, Avast (Piriform) totally incorrectly reported that no secondary payloads were dropped to anyone who received the initial payload, other than the identified targets. Why do I say this? Because I received the secondary payload on all of my home Win7 computers because my domain name was similar enough to one of the targets. Like I said, the secondary payload was so good that absolutely nothing other than GMER could randomly detect it as one or more unnamed running threads.

          2 users thanked author for this post.
          • #230843 Reply

            Cybertooth
            AskWoody Lounger

            Thanks, @gonetoplaid. I’ve downloaded GMER and will try it, but will wait until the issue recurs (based on the previous pattern, likely sometime today/tonight). I have a couple of monitoring tools running to keep tabs on resource usage and would prefer to keep them open for the time being.

            That’s a real bummer that you got hit by a state actor just because your domain name was close enough to one of their targets. Good thing you had adequate system backups! I don’t have a domain name or run a website, so at least in that respect I wouldn’t expect to be targeted by major-league hackers, but you never know so I’ll keep GMER at hand.

             

    • #230771 Reply

      GoneToPlaid
      AskWoody Lounger

      I just replied to Cybertooth re GMER, yet I forgot to log in. That anonymous post was from me.

      1 user thanked author for this post.
      • #230904 Reply

        Cybertooth
        AskWoody Lounger

        @gonetoplaid, is this the sort of “no name thread” you had in mind? (See the middle line of the three shown.)

        GMER-no-name

        I didn’t run this with all other applications closed, but at this point I just want to know if that’s the sort of result I should be looking for.

         

        • This reply was modified 1 week, 6 days ago by  Cybertooth.
    • #230768 Reply

      anonymous

      ? says:

      With all the preceding technical advice I’m stumped as to why the problem isn’t visible. If your machine runs linux nominally you would think the os and\or hardware isn’t the problem? I’ve never “grayed out,” windows 7 even running it on a 2002 Dell 4300 Dimension with an 845 intel board and 1GB ram and a 2.8ghz processor. I have grayed out linux many times running it on usb sticks though.

      MSE wanted to run random background scans which would trigger higher cpu usage so I turned that off. I run with task manager and event viewer on to monitor and noticed lately that the svchost for the event viewer sucks up lots of extra RAM after updating MSE and even more after doing a quick scan, and since I sleep the system instead of turning it off, the only way to bring it back down is to close the event viewer and re open it.

      I’m guessing that you have already opened the bottom of the event viewer and gone through all the logs there as well. So, I hope to hear all about how you fix this baffling problem.

      • #230850 Reply

        Cybertooth
        AskWoody Lounger

        Yeah, the basic problem is that it seems to build up gradually until reaching some threshold of inoperability (when it becomes evident that the PC is no longer working properly).

        I’ve had Task Manager open to the Processes tab since last night, and this morning I launched the Resource Monitor in anticipation of something happening today. Before going to bed, I took a screenshot of the processes from Task Manager, sorted by memory usage (“working set”). First thing I did this morning was to check the current usage, and noticed that svchost.exe (NETWORK SERVICE) had gone up by 100,000Kb since last night.

        I also notice that the computer’s response to my typing (as I type this) is clearly lagging. This wasn’t happening last night, but it has happened previously before Windows Explorer and browsing turned to molasses.

        One other sign is that the thumbnails that normally pop up when I hover the mouse pointer over a taskbar icon, are no longer showing up this morning.

        And yet Task Manager says memory usage is only at 46%.

         

        • #230884 Reply

          satrow
          AskWoody MVP

          Could you switch to TaskMan’s Performance tab, > View > check the Show Kernel Times setting and upload a screenshot please?

          • #230897 Reply

            Cybertooth
            AskWoody Lounger

            @satrow, here’s the screenshot you requested:

            Task-Manager-perf
            (FWIW, the view with Show Kernel Times selected looks identical to that without it selected.)

            • #230944 Reply

              satrow
              AskWoody MVP

              It’s showing kernel spikes of ~8%, that’s above the limit where the most sensitive gamers would notice the ‘lag’ and around the point where I would begin to detect it – try dragging a window around the screen and see if you notice the kernel line more that way (you might even notice/feel some ‘stutter lag’ as you do so).

              It’s often better to show CPU% as one graph, you can then see several minutes of ‘action’ when you drag TaskMan to full width, dragging the height to 10 squares to the graph makes it easy to work out the %. Open a screenshot in the native photo viewer and enlarge it to see the kernel activity clearer.

              There’s little sign of excess paging, the pagefile’s using @1.2GB max. It might be a ‘bad’ driver, what’s the audio output like, any stuttering/dropouts?

              Your other stats look reasonable (but I use a very restricted subset of the W7 default Services, etc., so it’s difficult for me to do any direct comparisons), could be some startup software, maybe something resident installed by the PC OEM (I’ve seen an HP with their software ‘helper/updater’ causing similar issues).

              Here’s my rig’s current stats, long uptime but basically just 2x browsers running:

              68days

              • This reply was modified 1 week, 6 days ago by  satrow.
              1 user thanked author for this post.
            • #231031 Reply

              Cybertooth
              AskWoody Lounger

              I finally saw what you mean: it’s the red line, which was hard to see before putting Task Manager into full-screen mode.

              The spikes continue at about the same magnitude as you said.

              FWIW, back in the Processes tab, the RAM Working Set used by svchost.exe (Network Service) keeps climbing. Last night it was at 426,000K, this morning it was up to 530,000K, and now it’s reached 608,000K.

               

            • #231144 Reply

              satrow
              AskWoody MVP

              Right-click the offending svchost.exe and select ‘Go to Service(s)’ in the dropdown, list/screengrab the highlighted Services.
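Added example (not part of the thread and not any poster's code): the by-eye comparison of working-set figures across Task Manager screenshots, combined with the `tasklist /SVC` step from post #230785, done in Python over saved `tasklist /FO CSV` output. The three readings for PID 1128 are the svchost.exe figures reported above; the PIDs, service names and all other values are constructed sample data.

```python
"""Find a steadily growing process across saved tasklist snapshots and
list the services that share its svchost.exe instance."""
import csv
import io
import re

# Constructed sample of: tasklist /SVC /FO CSV /FI "IMAGENAME eq svchost.exe"
SVC_CSV = '''"Image Name","PID","Services"
"svchost.exe","788","DcomLaunch,PlugPlay,Power"
"svchost.exe","1128","CryptSvc,Dnscache,LanmanWorkstation,NlaSvc"
"svchost.exe","1340","EventLog"
'''

# Constructed samples of: tasklist /FO CSV, taken at three different times.
SNAP_EVENING = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","788","Services","0","9,120 K"
"svchost.exe","1128","Services","0","426,000 K"
"svchost.exe","1340","Services","0","18,400 K"
"explorer.exe","2516","Console","1","61,300 K"
'''
SNAP_MORNING = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","788","Services","0","9,200 K"
"svchost.exe","1128","Services","0","530,000 K"
"svchost.exe","1340","Services","0","19,000 K"
"explorer.exe","2516","Console","1","63,000 K"
'''
SNAP_LATER = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","788","Services","0","9,240 K"
"svchost.exe","1128","Services","0","608,000 K"
"svchost.exe","1340","Services","0","21,500 K"
"explorer.exe","2516","Console","1","62,100 K"
'''


def _rows(text):
    """Yield data rows by position; header names are locale-dependent."""
    reader = csv.reader(io.StringIO(text.strip()))
    next(reader, None)  # skip the header row
    return [row for row in reader if len(row) >= 3]


def parse_mem_snapshot(text):
    """Map (image name, PID) -> working set in KB."""
    usage = {}
    for row in _rows(text):
        digits = re.sub(r"\D", "", row[-1])  # "426,000 K" -> "426000"
        if digits and row[1].isdigit():
            usage[(row[0].lower(), int(row[1]))] = int(digits)
    return usage


def parse_service_map(text):
    """Map PID -> list of service names hosted in that process."""
    services = {}
    for row in _rows(text):
        names = [s.strip() for s in row[2].split(",") if s.strip()]
        if row[1].isdigit() and names and names != ["N/A"]:
            services[int(row[1])] = names
    return services


def find_growers(snapshots, min_growth_kb=50_000):
    """Processes present in every snapshot whose memory never shrinks and
    grows by at least min_growth_kb from the first to the last snapshot."""
    if len(snapshots) < 2:
        return []
    parsed = [parse_mem_snapshot(s) for s in snapshots]
    # Keying on (image, PID) avoids mixing up a restarted process that
    # happens to reuse a PID under a different image name.
    common = set(parsed[0]).intersection(*parsed[1:])
    growers = []
    for key in common:
        series = [p[key] for p in parsed]
        never_shrinks = all(b >= a for a, b in zip(series, series[1:]))
        growth = series[-1] - series[0]
        if never_shrinks and growth >= min_growth_kb:
            growers.append({"image": key[0], "pid": key[1],
                            "series_kb": series, "growth_kb": growth})
    return sorted(growers, key=lambda g: g["growth_kb"], reverse=True)


def isolation_commands(service_names):
    """The 'sc config <service name> type= own' step from the thread, only
    when several services share one process. Windows refuses this for some
    services, as the post notes."""
    if len(service_names) < 2:
        return []
    return ["sc config %s type= own" % name for name in service_names]


def report(snapshots, svc_text):
    """Join growing processes with the services they host."""
    svc_map = parse_service_map(svc_text)
    result = []
    for grower in find_growers(snapshots):
        hosted = svc_map.get(grower["pid"], [])
        result.append(dict(grower, services=hosted,
                           commands=isolation_commands(hosted)))
    return result


if __name__ == "__main__":
    for item in report([SNAP_EVENING, SNAP_MORNING, SNAP_LATER], SVC_CSV):
        print("%s PID %d grew %d KB: %s" % (
            item["image"], item["pid"], item["growth_kb"], item["series_kb"]))
        print("  hosts:", ", ".join(item["services"]) or "(not a service host)")
        for cmd in item["commands"]:
            print("  ", cmd)
```

Once the services run in their own processes after a restart, the same comparison on fresh snapshots shows which single service is growing.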

    • #230936 Reply

      GoneToPlaid
      AskWoody Lounger

      @gonetoplaid, is this the sort of “no name thread” you had in mind? (See the middle line of the three shown.)  I didn’t run this with all other applications closed, but at this point I just want to know if that’s the sort of result I should be looking for.

      Yes. In GMER, every running thread should list the full path and file name which launched the thread. If GMER can’t see the path and file name which launched the thread, then neither can the OS. Apparently MBAM can’t see it either.

      When I got the secondary payload(s) via the infected CCleaner, GMER intermittently would show that I had around a dozen running threads with no name — as in no path and file name which launched those threads. Installing the updated CCleaner which claimed to remove the initial payload did not resolve the issue. System Restore did not resolve the issue. I downloaded and tried several AV and rootkit scanners. None of them could detect anything. Only GMER did. I had to restore all of my computers from offline backups after booting using Macrium’s USB recovery media.

      The following is just the first step. Please download and run MalwareBytes Anti-Rootkit (MBAR) BETA from here:

      https://www.malwarebytes.com/antirootkit/

      See if MBAR can identify any installed rootkits. Do not try to remove any identified rootkits until we are sure about what you have been infected with. Removal procedures of any rootkits, back doors, and any additional payloads can depend on what was identified. You may have to get tailored help from one of the online specialty forums which assists users in properly removing whatever was identified, to make sure that nothing else has been missed, and to clean up any remaining damage.

      I need to know what version of MBAM you are using, and if you are also running any other type of AV software along with MBAM.

      2 users thanked author for this post.
      • #231040 Reply

        Cybertooth
        AskWoody Lounger

        MBAR reports the system is clean:

        MBAR

        Meanwhile, GMER reported (albeit with several programs open) a “rootkit”…

        GMER-RK

        …which when hovering over it in Windows Explorer turns out to be the “BitDefender Active Threat Control Filesystem Minifilter”. VirusTotal gives it a threat score of 0/66:

        Virus

        You’d asked for the version of MBAM and what other AV software I’m using. It’s MBAM Free v.3.6.1. I also use BitDefender Free and HitmanPro.Alert (paid). Used to have Norton Internet Security on this machine.

         

        • This reply was modified 1 week, 6 days ago by  Cybertooth.
    • #230968 Reply

      anonymous

      ? says:

      maybe run Sysinternals: https://docs.microsoft.com/en-us/sysinternals/downloads/

      Autoruns? i found a process named simply “X” on Vista years ago.

      also Process Explorer, can drill down all the way,

      and Process Monitor with the correct filters set.

      i run them live from the web site, or from a stick so i don’t have to download them to my machine(s). if you want to go all the way or need to, then get the “symbols,” file. you can run virus total as well? happy hunting and i hope you find a resolution soon!

      1 user thanked author for this post.
      • #231047 Reply

        Cybertooth
        AskWoody Lounger

        Thanks for the good wishes. I’ll run one of the programs you suggest and see what turns up.

         

    • #231060 Reply

      anonymous

      ? says:

      i don’t like it when the windows mystery problems pop up, if you aren’t familiar with the Sysinternals tools there was a long learning curve for me, i guess the Autoruns would show any extra baggage in the quickest way. if you close the Event Viewer does the memory drop off accordingly? you can get the process number of  offending svchost (network service) in task manager and track it from there…

      fingers crossed!

      2 users thanked author for this post.
      • #231150 Reply

        Cybertooth
        AskWoody Lounger

        The process ID for the instance of svchost.exe that I’m suspecting is 1792, which is associated with Cryptographic Services, DNS Client, Workstation, and Network Location Awareness.

        I’ll see if I get the chance to launch Autoruns tonight, it’s going to be a busy evening at home.

         

        • #231161 Reply

          anonymous

          ? says:

          no worries, hope you can use the tool(s). if you go to the link at the bottom of the individual tool pages there is an option to run “live,” or download. i put them on my toolbox stick. the only trace i find is in the registry having to do with the license to use. HKLM>SOFTWARE. you can delete the entry with no apparent adverse effects if it offends you. there is a quick guide to using Autoruns on howtogeek:

          https://www.howtogeek.com/howto/12837/use-autoruns-to-manually-clean-an-infected-pc/

          some others on google as well.

          the Process Explorer is a pumped up version of task manager and you can go to the process and drill down to the individual threads in the offending process. if you mouse over the individual svchost(s) there is a detailed description of the individual processes within.

          https://www.howtogeek.com/school/sysinternals-pro/lesson2/   and/or,

          https://www.pcworld.com/article/3181348/software/how-to-use-process-explorer-microsofts-free-supercharged-task-manager-alternative.html

          the Process Monitor is more intensive as it grabs a sample of the selected running processes and allows the user to peer inside.

          sounds like you are on the right track having identified the suspect components of the surging svchost.

          seems that GTP has isolated the problem regarding the 3rd party program? MBAM?

          p.s. running 120 processes? my win 7 is trimmed down to 28 32 with the intel bluetooth running.

          nominal at 600mb memory in play.

          cheers!

    • #231075 Reply

      GoneToPlaid
      AskWoody Lounger

      MBAR reports the system is clean. Meanwhile, GMER reported (albeit with several programs open) a “rootkit” which when hovering over it in Windows Explorer turns out to be the “BitDefender Active Threat Control Filesystem Minifilter”. VirusTotal gives it a threat score of 0/66.

      You’d asked for the version of MBAM and what other AV software I’m using. It’s MBAM Free v.3.6.1. I also use BitDefender Free and HitmanPro.Alert (paid). Used to have Norton Internet Security on this machine.

      Alrighty. It appears that your computer is clean. Give me a few minutes to review your original post and comment since I want to suggest two possibilities.

    • #231098 Reply

      GoneToPlaid
      AskWoody Lounger

      My Windows 7 computer has had an annoying issue in recent months. A few (2-3) days after a reboot, both Internet browsing and Windows Explorer start getting very sluggish. No matter the browser, websites open slowly and applications take 30 seconds or more to open. Even the Start menu and the Notification Area take a long while to respond to clicks. Sometimes (but not always) the taskbar grays out while the PC is doing whatever it thinks it’s doing, then finally it comes back to the usual color and the desired action finally takes place. Eventually, Internet browsing comes to a complete halt as I can’t reach new sites or even refresh open tabs. Anybody have an idea of what could be going on?…

      None of this has made any appreciable difference: I’m still having to reboot the machine every couple of days because Explorer slows down to a crawl and Web browsing ceases to function. I suppose I could go in and stop or disable some services, but I don’t feel comfortable enough in my Windows knowledge to just start disabling services, although I do have some possible candidates. The PC is Group B, updated through the September patches (haven’t yet applied the recently green-lighted October set). What could be causing this? Web searches haven’t been particularly helpful because I have twin problems and everything I’ve found refers to one OR the other of these issues, but not both together.

      Hi Cybertooth,

      Thanks for your reply about which version of MBAM you are using. You stated that you are using MBAM 3.6.1. Have a look at this MB page which lists the issues which have been (or supposedly have been) fixed in each of the recent releases:

      https://www.malwarebytes.com/support/releasehistory/#malwarebytes-premium

      In particular, note that the 3.5.1 branch supposedly: Fixed issue where anti-ransomware module could cause high CPU and memory use.

      MBAM version 3.6.1 (which you are using) was released back on September 19, 2018. MBAM version 3.5.1 was released back on May 8, 2018. This time frame may be significant since you mentioned that you have been having the issues you described “in recent months.” The upshot is that your issue may be with MBAM’s anti-ransomware module. You can disable the MBAM Anti-RansomWare (ARW) module and see if your issues go away.

      A good way to check if it is indeed the MBAM ARW module which is causing your issues is to do the following:

      1. Keep the ARW module enabled.
      2. Open Task Manager and turn on the columns which I indicated with a yellow box in the attached image.
      3. Watch and see if the memory Working Set and/or the memory Private Working Set for some, many, or all programs increases over time. This would indicate that the ARW module is causing the memory Working Sets to grow over time, and that the ARW module is not performing proper memory cleanup. Many years ago (around 2010) Panda’s free cloud AV program had the exact same issue.

      You might notice that the Page Faults column for my computer (in the attached image) shows thousands of page faults for every running process. All of these are completely harmless soft page faults. These soft page faults are generated by Panda because Panda operates differently in comparison to nearly all other AV programs. This is also why Panda never required the special registry key when Microsoft implemented its first attempts to mitigate Meltdown back in January 2018. I am not trying to plug Panda in any way. I simply wanted to explain why my computer shows thousands of totally meaningless soft page faults. On the other hand any hard page fault is the result of bad programming, and should never occur except possibly when testing programs which are in the alpha stage of development.

      Now do the following:

      1. Disable MBAM’s ARW module and reboot.
      2. Open Task Manager and monitor step #3, above, to see if your issue is resolved.

      If your issue was resolved, then perhaps MBAM is having a conflict with BitDefender? I am guessing that you are running both MBAM and BitDefender at the same time? One should never run more than one AV program at a time, unless the other AV program (such as HitmanPro.Alert) was specifically designed to not interfere with other AV programs.

      A note about HitmanPro.Alert. I too paid for it — 3 licenses. Yet I stopped using it for two reasons. I had some compatibility issues, and testing of this and similar types of products indicated that these products were marginally effective. Instead, there are entirely new classes of anti-ransomware and anti-exploit products which have become available.

      Best regards,

      –GTP

       

      1 user thanked author for this post.
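The check in step 3 above (watching whether a process's Working Set keeps growing) can be automated from saved `tasklist /fo csv /nh` snapshots. This is an added example, not code from any poster in this thread; the function names, the sample times and the explorer.exe figures are constructed, while the PID 1792 figures are the ones reported in the thread.

```python
import csv
import io

# Constructed samples: (hours since first sample, `tasklist /fo csv /nh` output).
# PID 1792 values are those reported in the thread; the times and the
# explorer.exe rows are made up for illustration.
SNAPSHOTS = [
    (0.0,  '"svchost.exe","1792","Services","0","426,000 K"\n'
           '"explorer.exe","2504","Console","1","61,240 K"\n'),
    (10.0, '"svchost.exe","1792","Services","0","530,000 K"\n'
           '"explorer.exe","2504","Console","1","64,100 K"\n'),
    (14.0, '"svchost.exe","1792","Services","0","608,000 K"\n'
           '"explorer.exe","2504","Console","1","60,980 K"\n'),
    (24.0, '"svchost.exe","1792","Services","0","760,056 K"\n'
           '"explorer.exe","2504","Console","1","62,300 K"\n'),
]


def parse_snapshot(text):
    """Return {(image, pid): working_set_kb} from `tasklist /fo csv /nh` output."""
    usage = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # blank line or unexpected format
        image, pid, _session, _session_no, mem = row
        # "426,000 K" -> 426000; keeping digits only also copes with
        # locales that use "." or a space as the thousands separator.
        digits = "".join(ch for ch in mem if ch.isdigit())
        if pid.isdigit() and digits:
            usage[(image, int(pid))] = int(digits)
    return usage


def slope_kb_per_hour(points):
    """Least-squares slope of a list of (hours, kb) points."""
    n = len(points)
    t_mean = sum(t for t, _ in points) / n
    kb_mean = sum(kb for _, kb in points) / n
    denom = sum((t - t_mean) ** 2 for t, _ in points)
    if denom == 0:
        return 0.0  # all samples taken at the same time
    return sum((t - t_mean) * (kb - kb_mean) for t, kb in points) / denom


def growth_report(snapshots, min_kb_per_hour=1024, min_samples=3):
    """List processes whose working set never shrinks and grows faster than the threshold."""
    series = {}
    for hours, text in snapshots:
        for key, kb in parse_snapshot(text).items():
            series.setdefault(key, []).append((hours, kb))

    report = []
    for (image, pid), points in series.items():
        if len(points) < min_samples:
            continue  # process restarted, or too little data to judge
        points.sort()
        never_shrinks = all(b[1] >= a[1] for a, b in zip(points, points[1:]))
        slope = slope_kb_per_hour(points)
        if never_shrinks and slope >= min_kb_per_hour:
            report.append({
                "image": image,
                "pid": pid,
                "kb_per_hour": round(slope),
                "first_kb": points[0][1],
                "last_kb": points[-1][1],
            })
    return sorted(report, key=lambda r: r["kb_per_hour"], reverse=True)


if __name__ == "__main__":
    for entry in growth_report(SNAPSHOTS):
        print("{image} (PID {pid}): {first_kb} K -> {last_kb} K, "
              "about {kb_per_hour} K/hour".format(**entry))
```

A PID that appears in the report can then be mapped to its hosted services with `tasklist /svc`, which is the command-line equivalent of Task Manager's "Go to Service(s)".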
      • #231145 Reply

        Cybertooth
        AskWoody Lounger

        @gonetoplaid, thanks a bunch for the detailed instructions.

        I’m using MBAM Free, which doesn’t have the ARW feature activated:

        MBAM

        We may need a different approach, then. What do you think?

        I did add the columns you suggested to Task Manager and am monitoring them anyway, since the pattern you identified could of course still be going on, but caused by something else.

        Thanks, too, for the insights about HitmanPro.Alert. I’ve been using it for a couple of years and am satisfied with what it does (most of the incompatibilities have been ironed out), but I’m definitely curious about the new classes of anti-exploit products that have come out in the meantime.

    • #231224 Reply

      Cybertooth
      AskWoody Lounger

      All right, it’s happening again. I’m typing this from a different PC.

      Browsers having trouble opening new web pages or refreshing currently open ones (although it hasn’t come to a complete halt yet), and the Taskbar grayed out while I was trying to maximize an open program (Windows Photo Viewer, to see the previous Task Manager screenshots for comparison), although eventually it managed to open. The same thing happened when I wanted to maximize the Resource Monitor.

      Working Set memory in svchost.exe is at 760,056K and Private Memory at 694,004K. Page faults are at 10,129,349 and climbing, FWIW.

      The subprocesses involved in process ID 1792 are CryptSvc, Dnscache, LanmanWorkstation, NlaSvc, and TapiSrv.

      CPU usage is at 4-5%.

      As a test, I tried opening the Hard Disk Sentinel discussed earlier in this thread. It requires elevated rights, and the prompt for that took several seconds to come up. Took about a minute for the program to launch. Next I closed it by clicking on the red X button and it took 30 seconds to close. There was also a “(Not Responding)” indication after the program name in the title bar.

      Firefox window opened but the browser can’t load the home page (Startpage.com).

      Now one very surprising thing I found in Resource Monitor: the Network section shows several processes under svchost.exe as having the address “(www.)facebook.com.” [Note: I added the parentheses because when I type the actual address shown by Resource Monitor, the blog software here automatically adds “http://” to the address, which is not what I’m seeing. Grrr!!!] For some of these, under the “Image” column right after “svchost.exe” it says “(LocalService)”, while for others it says “(LocalServiceAndNoImpersonation)”. Why on earth would svchost.exe be interested in Facebook, and what is this “no impersonation” business??

      What may make this even more interesting is that I have (www.)facebook.com (as well as facebook.com) in my hosts file as a no-go zone. (I did the same thing on my Vista PC and it hasn’t experienced any slowdown or other issues.)

      And for some reason, some of the programs I’m running also have PIDs associated with (www.)facebook.com, including BitDefender, Heimdal Pro (another type of security software), and even Pale Moon. I took a screenshot but I couldn’t save it to this computer via the network, nor could I of course post it via the affected PC; I had to save it to a USB drive and bring it over to this computer to attach to this post:

      Facebook

      And that’s about all I can report tonight.

       

      • This reply was modified 1 week, 6 days ago by  Cybertooth.
      • #231237 Reply

        GoneToPlaid
        AskWoody Lounger

        Alrighty. You pulled the original SSD which you cloned to a new SSD? Perhaps it is time to take the original SSD to a local shop and have them scan it for rootkits and malware. At this point, you so do need to know what you are dealing with.

        1 user thanked author for this post.
        • #231512 Reply

          Cybertooth
          AskWoody Lounger

          Hi @gonetoplaid, I’m in the process of checking the previous SSD. Scanned it with Norton 360, Norton Power Eraser, and HitmanPro on one computer, and it came out clean. Currently it’s being scanned by MBAM Free on another PC, after getting examined by BitDefender on that same PC without issue.

          For good measure, I also intend to check it with the Eset and F-Secure online scanners, as well as the TrendMicro Anti-Threat Toolkit and the Emsisoft Emergency Kit.

           

      • #231266 Reply

        anonymous

        This is no more than a guess, but you mention the Cryptographic (CryptSvc) service being in the process giving you problems above. I have been having problems with that service and outgoing internet accesses for a few months. I first wrote about it on AskWoody back in May at https://www.askwoody.com/forums/topic/patch-tuesday-problems-and-fixes-but-theres-no-cause-for-alarm/#post-191998.

        As hinted by my follow-on replies this issue persisted and every few weeks a fresh batch of unrecognised outgoing accesses for the then unknown to me “thing” using svchost.exe occurred and I just added the new IP to my blocking list. A few weeks ago I realised that this had become a long list so I started to look into the issue.

        I searched online to see if there was any pattern to the IPs and found that they were for one of the large ISPs here in the UK (Virgin Media and NTL its previous name before re-branding), Google and something called “AS3356 Level 3 Parent, LLC” in the USA (some server company?). None of these struck me as particularly good or bad in themselves although I had no known reason to contact them.

        To try to narrow down what was making the outgoing accesses I separated out the services into separate processes as I described towards the end of my post earlier in this thread https://www.askwoody.com/forums/topic/windows-7-pc-gets-very-sluggish/#post-230785 This showed that it was the Cryptographic Service (CryptSvc).

        Its description in the services window indicates that among other things it “retrieves root certificates from Windows Update” which to me (a non-expert) suggests that it should make internet accesses to update things? It was then a question of trying to find an appropriate Windows Firewall outgoing access rule to allow CryptSvc to actually work, even though I tried rules to allow TCP, UDP, any protocol and even any service I still got the same issue. The only thing which worked was to set up a svchost.exe rule which allows outgoing access for anything (all programs and services)! As I understand it, in Windows anything can use svchost.exe, so basically this is opening the outgoing door for anything in the PC which seemed too loose to me.

        I eventually found a work-around at  https://social.technet.microsoft.com/Forums/en-US/27ded2ad-cc85-4c0a-9b41-c6b469a20aab/windows-firewall-and-windows-update-win-81?forum=w8itpronetworking by the contributor “Uwe” on Tuesday, June 13, 2017 towards the end of that thread and this has worked for a couple of weeks now. BTW: Uwe’s step 5 “Add a firewall rule to allow outgoing traffic for mysvchost.exe.” means an outgoing rule to “Apply to all programs and services”, but “mysvchost.exe” is only used by CryptSvc as set in the Registry (Uwe’s step 4), so essentially the filtering is done by the Registry setting not the firewall rule. Neat!

        Now how does any of this relate to your issue? Honest answer is I do not know if it does, but consider:

        1) CryptSvc may be implicated in both our problems.

        2) We have both had problems for a few months, but the problems are intermittent and are not triggered by any obvious event.

        3) Are your unexplained Facebook accesses the same sort of thing as my unexplained Google, VM and AS3356 Level 3 Parent, LLC accesses? Is CryptSvc trying to get updated Certificate data from these places as just general sorts of places where such data may be found? I don’t know!

        This is just speculation, but it might be a good idea to separate out the 5 services including CryptSvc you mention above into separate processes as I describe in #230785 above to see which of these it is which is causing your problem to narrow things down further. (This does involve a PC reboot, so you may need to wait a further few days for a result.)

        HTH. Garbo.

         

        1 user thanked author for this post.
        • #231519 Reply

          Cybertooth
          AskWoody Lounger

          Garbo, thank you very much for the ideas and links.

          I read them and will have to think about it carefully. I don’t know very much about networking and firewalls, and when I run up against a rule like “default deny block incoming TCP” (or whatever, this is just a made-up example), my limited mind stumbles over the double negative: OK, so am I “blocking” the action, or am I “denying” it, or am I “denying the blocking”…??? Before long I start feeling like this:

          the-scream

           

          • #231552 Reply

            OscarCP
            AskWoody Lounger

            What is “CryptSvc” for, and who needs it?

            If the answer is “not much” and “no one in particular”, then if one disabled it, would that be, as one might hope for the sake of Cybertooth’s mental health, the end of this story?

            (Added later) Or maybe not:

            https://www.bleepingcomputer.com/startups/cryptsvc.dll-25643.html

            Sorry, Cybertooth!

            • This reply was modified 1 week, 5 days ago by  OscarCP.
            1 user thanked author for this post.
            • #231585 Reply

              Cybertooth
              AskWoody Lounger

              Yeah, the Cryptographic Services is pretty important, unfortunately.

              I’m not sure that I’m up to the task of digging so deep into the workings of Windows, or of monitoring network traffic with any hope of pinpointing the source of the problem. I think that, as a practical matter, beyond what I’ve already tried my choices are now limited to:

              1. Living with the problem indefinitely;
              2. Replacing Windows on that box with Linux.

              The prospect of re-installing all the programs I have on there is so disheartening as to be out of the question for me. If it came to that, I really would rather run with the penguins.

               

    • #231439 Reply

      anonymous

      ? says:

      Cybertooth,

      not wanting to “flog the dead horse,” i hope you aren’t “infected,” if you want to look at your network traffic while the sluggish is going on try netstat if you don’t have another traffic analyzer (like wireshark)

      https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat

      “netstat -n -o” you can set it to self update with a seconds elapsed, like so: netstat -o 5, for refresh every “5” seconds, then you can look up the ip addresses?

      1 user thanked author for this post.
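The `netstat -n -o` check suggested above shows only a PID per connection, and a PID such as 1792 hosts several services at once. The following added example (not part of any poster's reply) joins saved `netstat -n -o` output with `tasklist /svc /fo csv /nh` output to show which processes hold non-loopback connections and whether the owner is a shared service host. Both sample outputs are constructed, the remote addresses are documentation-range placeholders, PID 3120 is made up, and the function names are hypothetical.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed `netstat -n -o` output (remote addresses are documentation ranges).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49170        127.0.0.1:49171        ESTABLISHED     3120
  TCP    192.168.1.20:49213     203.0.113.10:443       ESTABLISHED     1792
  TCP    192.168.1.20:49214     203.0.113.10:443       TIME_WAIT       0
  TCP    192.168.1.20:49220     198.51.100.7:80        SYN_SENT        1792
  TCP    192.168.1.20:49231     198.51.100.44:443      ESTABLISHED     3120
  TCP    [::1]:49180            [::1]:49181            ESTABLISHED     3120
"""

# Constructed `tasklist /svc /fo csv /nh` output; the service list for PID 1792
# is the one reported in the thread.
TASKLIST_SVC_SAMPLE = (
    '"System Idle Process","0","N/A"\n'
    '"svchost.exe","1792","CryptSvc,Dnscache,LanmanWorkstation,NlaSvc,TapiSrv"\n'
    '"palemoon.exe","3120","N/A"\n'
)


def parse_services(text):
    """Return {pid: (image, [service names])} from `tasklist /svc /fo csv /nh`."""
    owners = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or not row[1].isdigit():
            continue
        image, pid, services = row
        names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        owners[int(pid)] = (image, names)
    return owners


def is_external(endpoint):
    """True when the host part of 'addr:port' is neither loopback nor unspecified."""
    host = endpoint.rpartition(":")[0].strip("[]").split("%")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # "*" in UDP rows, or a field that is not an address
    return not (ip.is_loopback or ip.is_unspecified)


def parse_netstat(text):
    """Yield (proto, remote, state, pid) for each TCP/UDP row of `netstat -n -o`."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            _proto, _local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            _proto, _local, remote, pid = parts  # UDP rows have no State column
            state = ""
        else:
            continue  # banner, header or blank line
        if pid.isdigit():
            yield parts[0], remote, state, int(pid)


def attribute_connections(netstat_text, tasklist_text):
    """Group non-loopback connections by owning PID, busiest first."""
    owners = parse_services(tasklist_text)
    external = defaultdict(list)
    for proto, remote, state, pid in parse_netstat(netstat_text):
        if is_external(remote):
            external[pid].append((proto, remote, state))

    rows = []
    for pid, conns in external.items():
        image, services = owners.get(pid, ("(not in tasklist)", []))
        rows.append({
            "pid": pid,
            "image": image,
            "services": services,
            "connections": conns,
            # More than one hosted service: the PID alone cannot say which
            # service opened the connection.
            "shared_host": len(services) > 1,
        })
    rows.sort(key=lambda r: (-len(r["connections"]), r["pid"]))
    return rows


if __name__ == "__main__":
    for row in attribute_connections(NETSTAT_SAMPLE, TASKLIST_SVC_SAMPLE):
        label = ", ".join(row["services"]) or "no services"
        note = " [shared host: cannot attribute to one service]" if row["shared_host"] else ""
        print("PID {0} {1} ({2}){3}".format(row["pid"], row["image"], label, note))
        for proto, remote, state in row["connections"]:
            print("    {0} {1} {2}".format(proto, remote, state))
```

Rows owned by PID 0 are connections in TIME_WAIT that no longer belong to a process.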
      • #231514 Reply

        Cybertooth
        AskWoody Lounger

        That sounds good. I’ll run netstat next time the PC slows down (after this morning’s reboot, I expect that to be happening by the end of Saturday).

         

    • #231598 Reply

      Cybertooth
      AskWoody Lounger

      Just to give an idea of the virtual hopelessness of tracking down something like what I’ve been experiencing, consider the following.

      In the space of 16 hours between Wednesday night (when the sluggishness recurred) and mid-day Thursday (when I rebooted the PC), Event Viewer shows 28 instances of Event ID 7011:

      A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.

      So I looked up Event ID 7011 and found this Technet article. The recommended “solution” is to increase the default time value, which struck me as singularly unhelpful. And indeed, one comment below the end of the article characterizes this idea as,

      Something like your car engine is noisy, turn the radio volume up.

       

      • This reply was modified 1 week, 4 days ago by  Cybertooth.
      • #231602 Reply

        GoneToPlaid
        AskWoody Lounger

        Hi Cybertooth,

        I am confident that your computer is not infected. Please try resetting Windows Firewall to its default values and then reboot. I suggest this since I have seen some funky problems with Windows Firewall, even when it is disabled and when I am using a third party firewall. I also suggest this if you did have a previous malware infection in the past which you removed. Did you have any previous malware infection in the past which you thought that you had completely removed? If yes, then even though the malware infection itself was removed, then it could have affected other things — such as Windows Firewall.

        Just a thought for what it’s worth.

        Best regards,

        –GTP

        P.S. And if the above doesn’t resolve your issues, then I will ask you to PM me a full Speccy output as a text file. Before you do so, I will post instructions about how to remove confidential information from the Speccy text file.

         

        • This reply was modified 1 week, 4 days ago by  GoneToPlaid. Reason: Add a PS note
        1 user thanked author for this post.
        • #231725 Reply

          Cybertooth
          AskWoody Lounger

          @gonetoplaid, I don’t remember this PC ever being infected with malware.

          I’ll reset the Windows Firewall (it used to be managed by Norton Internet Security, when it was installed here) and reboot. That will push out the next expected episode of sluggishness to Sunday instead of Saturday.

           

      • #231608 Reply

        satrow
        AskWoody MVP

        It’s not hopeless, you need to troubleshoot and break it down logically to localise the error/misconfiguration/infection/hijack or w/e.

        Describe what hosts file you have and the size; a large hosts file + DNSCache enabled = ‘lag’ + probably those, or similar, errors in your logs. My hosts file is 18+ MB, DNSCache is disabled.

        Next step might be to compare network settings for your browser(s) against the Internet Options in Control Panel, Connections tab and LAN settings. My settings are manually set as below:

        Browser_net_connex_settings

        1 user thanked author for this post.
        • #231719 Reply

          Cybertooth
          AskWoody Lounger

          @satrow, my hosts file is 445KB. I use the hosts file provided by Safer Networking (the folks who make Spybot Search & Destroy). I also added Facebook to the hosts file.  🙂

          In the LAN settings dialog, I have “Automatically detect settings” checked. And in both Pale Moon and Firefox, in Connection Settings I have “Use system proxy settings” checked.

           

          1 user thanked author for this post.
          • #231728 Reply

            satrow
            AskWoody MVP

            Now deselect ‘Automatically detect… ‘ and set the browsers for ‘No proxy’ and give it a test.

    • #231729 Reply

      anonymous

      ? says:

      Cybertooth,

      humm, burning up lots of air time on this, best bet would be to find the offending process(s) and go from there. using task manager is a good start and Process Explorer makes it possible to get down even further.

      maybe you have looked at your dns cache using ipconfig? and what happens if you flush it?

      https://en.wikiversity.org/wiki/Computer_Networks/Ipconfig/DNS_Cache_Options

      lots of moving parts involved which is why i take everything off that i don’t need so any problem that may arise stands out and can be dealt with. i’m hooked directly into the DHCP and don’t use any sort of proxies so someone else who is a proxy person may have good advice there. i run with the stock “acme” hosts file.

      i do hope you soon find out what the problem is without too much additional brain damage, and would love to learn about the solution.

      PS GTP’s “take it to the shop,” is always a viable option if you become weary and have a reputable and affordable local “Geek Squad.”

       

      1 user thanked author for this post.
      • #231828 Reply

        Cybertooth
        AskWoody Lounger

        I did wonder if it might help to flush the DNS cache and start that fresh.

        OTOH, all these measures seem to be aimed at fixing the Internet part of the sluggishness, but there’s still the Windows Explorer sluggishness part which is what made researching my problem so maddening.

         

        • #231833 Reply

          AlexEiffel
          AskWoody MVP

          Cybertooth,

          Explorer often probes the network and can turn awfully slow when for example, you have a network drive for a VPN that isn’t yet connected… It seems like it waits for a network timeout before responding again. I help someone with a computer that is set up like this, so you open Explorer and you need to wait a while whenever the VPN isn’t connected, so I wouldn’t be surprised if your problem is network related that you might have issues with Explorer as well as the browsers.

          1 user thanked author for this post.
          • #231883 Reply

            Cybertooth
            AskWoody Lounger

            @alexeiffel, thanks for explaining how Windows Explorer and Internet surfing could be related. I didn’t know that was possible. So maybe if we fix one side of the issue, that’ll take care of the other side.

             

            1 user thanked author for this post.
    • #231737 Reply

      jabeattyauditor
      AskWoody Lounger

      Time to make a fresh data backup (if you don’t have one) & reinstall from scratch.

      2 users thanked author for this post.
      • #231829 Reply

        Cybertooth
        AskWoody Lounger

        Ugh, that would definitely be a last resort, and one against which I would seriously weigh just making the switch to Linux if I’m gonna go through all that pain anyway.

         

        • #231890 Reply

          Ascaris
          AskWoody MVP

          It would definitely be less work than that to take a backup, then start uninstalling things and retesting.  Trial and error, narrow it down, then when you know, restore the backup and uninstall just the thing that’s malfunctioning.  If it’s software at fault, of course.

          From what you wrote, I don’t think it’s a network issue.  Slow/blocked connections to or from the network should not slow the entire system, including the start menu and such.  If it’s not a process grabbing all of the memory and it’s not a process grabbing all of the CPU time, my gut says a driver… or hardware, of course.  I haven’t seen all of the thread, but I know you’re familiar enough with Linux to know you could use a live USB drive to test it.

          Edit: Ha!  This is a non-sequitur in context.  I thought of the Linux comment and conflated that with the Aero theme comment in another thread.   I was thinking that other comment was written here, but since I already wrote this here, I will leave it for continuity.

          I’ve seen a lot of themes that claim to be Windows 7ish for various desktop environments, but I’ve never tried any.  I’ve always liked Classic!

          For KDE, what they call widget themes are really more or less their own theme engines– you can grab a new engine like QtCurve from the repo, select that in the Widget themes option, and then check out the QtCurve themes available, or make your own with the extensive options in the UI.

          Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

          • This reply was modified 1 week, 4 days ago by  Ascaris.
    • #231826 Reply

      Cybertooth
      AskWoody Lounger

      OK, I’ve reset the Windows Firewall as @gonetoplaid recommended and also made the changes to the proxy settings that @satrow proposed, then rebooted.

      Based on previous experience, we won’t know what effect these steps may have until sometime Sunday.

      P.S. I also have the Brave browser (which is based on Chrome/Chromium), but I haven’t found a way to tweak the proxy settings there as with IE and FF/PM.

      • This reply was modified 1 week, 4 days ago by  Cybertooth.
    • #231888 Reply

      Cybertooth
      AskWoody Lounger

      Progress report: after making the changes that satrow and gonetoplaid recommended, I rebooted. This has been the experience tonight:

      * Pale Moon started acting sluggish as soon as I opened it, with repeated “(Not Responding)” episodes and a spinning circle as I tried to scroll around or type text here.

      * The Brave browser (for which I couldn’t find the way to change the proxy settings) is taking inordinate amounts of time loading websites, but it seems to work normally afterward.

      * Launching non-browser applications is also taking unusually long times. Resource Monitor shows a spike in network activity when launching a program, although that might be related simply to the application’s looking for updates.

      I haven’t seen the taskbar graying out.

      • #231928 Reply

        satrow
        AskWoody MVP

        Revert the changes I suggested and see if there’s any difference in behaviour. A reboot shouldn’t be necessary but pages might need forced reloading (Shift + Refresh/reload/F5) or browsers restarted.

        What’s the kernel activity been like since the reboot? Does Resource Monitor indicate any activity on the data drive?

        • #232004 Reply

          Cybertooth
          AskWoody Lounger

          OK, the browsers are behaving well now, with no slowdowns. Launching applications is also back to normal.

          According to Resource Monitor, most of the disk activity that’s taking place is on the system drive (the SSD). In Task Manager’s network tab, there’s the occasional kernel spike up to 13% or so.

           

    • #231898 Reply

      Cybertooth
      AskWoody Lounger

      I noticed tonight that the Hard Disk Sentinel is reporting that my data (not OS) HDD’s health is at “45%,” with 8 “bad sectors” that “were moved to the spare area,” 264 “weak sectors,” and 216 errors that “occurred during data transfer.”

      Is it possible that the data drive could somehow be the cause of all these troubles, or is this more likely an unrelated issue?

       

      • This reply was modified 1 week, 4 days ago by  Cybertooth.
      • #231904 Reply

        Ascaris
        AskWoody MVP

        Yes, it sure can, if there’s anything over there it’s trying to read.  What is on the data drive?  Is it feasible to move the data to the boot drive or to disconnect it for the test?  I would consider that drive to be extremely suspect and prone to fail at any time, so rescue your data while you can!

        It could even be a background process reading the data… defragger, antimalware, that kind of thing.  If it tries to read data from a sector that the drive is having difficulty reading, it will keep trying to read the data for a while, and the entire system can drag down while it’s waiting for the drive to provide the data.  I’d say there is an excellent chance you found the issue, and at the very least, get your data safe while you still can.

        Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        • This reply was modified 1 week, 4 days ago by  Ascaris.
        2 users thanked author for this post.
        • #231908 Reply

          Cybertooth
          AskWoody Lounger

          The HDD contains downloaded files and programs, PDFs saved from the Web, and Windows Media Center recordings (mostly World Series and playoff games 🙂 ). It definitely would be feasible to disconnect it for a few days to see if the slowness issue goes away.

          Hard Disk Sentinel rates this 45% health level as “acceptable,” but like you I’m dubious. Out of curiosity, I changed the “health calculation method” from default to a stricter method “recommended for servers,” and that yielded only a 13% health rating. Whether or not this is the source of the sluggishness, it looks like I’ll be making a trip to Amazon or Staples very soon.

           

      • #232111 Reply

        AlexEiffel
        AskWoody MVP

        Sure can, Cybertooth. I once had a PC that became extremely slow because I think Windows keeps retrying to read the sector it can’t read over and over without telling you. Switching the HD solved the problem.

        So it would also make sense that at some point after many hours on, you come across this same bad zone of your disk and then you start slowing down.

         

        1 user thanked author for this post.
        • #232135 Reply

          Cybertooth
          AskWoody Lounger

          Thanks, @alexeiffel. Looks like the experts agree that it’s possible for a troubled drive to cause the symptoms I’ve been describing.

          We’ll know for sure by early next week if replacing the HDD takes care of the problem.

           

          1 user thanked author for this post.
    • #231991 Reply

      GoneToPlaid
      AskWoody Lounger

      I noticed tonight that the Hard Disk Sentinel is reporting that my data (not OS) HDD’s health is at “45%,” with 8 “bad sectors” that “were moved to the spare area,” 264 “weak sectors,” and 216 errors that “occurred during data transfer.” Is it possible that the data drive could somehow be the cause of all these troubles, or is this more likely an unrelated issue?

      Like Ascaris said, this sure can cause issues. Please install and run Piriform’s Speccy and upload a screen capture for the affected hard drive, similar to my attached screen capture. Also, is System Protection enabled on the affected hard drive? Please see my other attached screen capture.

      • #232006 Reply

        Cybertooth
        AskWoody Lounger

        Hi @gonetoplaid, System Protection was enabled on the HDD.

        Here’s the screenshot for that disk:

        HDD-Speccy

        Let me know if you need to see the SMART info at the bottom of the page.

         

        • #232024 Reply

          anonymous

          Hi Cybertooth,

          Can you post another screenshot which shows all of the S.M.A.R.T. table?

        • #232028 Reply

          GoneToPlaid
          AskWoody Lounger

          I looked up that Seagate drive’s model number. It has reliability issues and is one of those drives for which Seagate knocked its warranty period down to 1 year. You should immediately copy as much salvageable data as you can to a new hard drive. If you use a backup utility to clone the drive, you will have to configure the backup utility to ignore errors. Macrium Reflect, for example, has a setting to ignore errors.

          • This reply was modified 1 week, 3 days ago by  GoneToPlaid.
          1 user thanked author for this post.
          • #232038 Reply

            Cybertooth
            AskWoody Lounger

            Thanks, @gonetoplaid. I’m getting a new HDD and copying this one over to it this weekend. (Sorry Amazon, you’re just not fast enough 🙂 .)

            Here’s the screenshot of the rest of the SMART data for that disk:

            HDD-Speccy-2

            In the first screenshot, oddly, Speccy calls this one an “SSD” (see after the model number).

             

            • #232090 Reply

              GoneToPlaid
              AskWoody Lounger

              Hello Cybertooth and everyone else,

              I am glad that you are getting your drive’s data copied over to a new hard drive. I just went through this exact same [edited] about a week and a half ago (having to immediately clone a few Seagate hard drives to new hard drives), after discovering that Seagate’s 3TB hard drives are the subject of a class action lawsuit. I had a few of the Seagate 3TB hard drives which are at issue. My only saving grace which prevented failure was that I never defragmented any of my 3TB hard drives in nearly 5 years of operation.

              I think that the issue was an inherent flaw in Seagate’s newly advertised (at the time) “magnetic shingle recording technology” (or something like this description) in which written data was allowed to somewhat overlap previously written data on adjacent tracks and sectors, and along the tracks and sectors themselves.

              I believe that more hard drive models from the original manufacturing time frame (2012, 2013, and possibly into the first quarter of 2014) should be involved in this class action lawsuit.

              Following are some URLs for interesting reading about both the Seagate 3TB hard drive failure rates and about the class action lawsuits. The last URL is a link to the law firm which has filed two class action lawsuits regarding the defective 3TB Seagate hard drives:

              Backblaze pulls 3TB Seagate HDDs from service, details post-mortem failure rates

              Seagate faces class-action lawsuit over 3TB hard drive failure rates

              Seagate Hard Drives — Hagens Berman — National Class Action Litigation Firm based in Seattle, WA

              Note that I do not consider any of Seagate’s more recently manufactured hard drives to have any issues. In fact, I am using over a half dozen of them within my home computers. The upshot is that I believe that this is a “manufacturing time frame” thing in terms of whether or not one is using a Seagate hard drive which is potentially vulnerable to a sudden and relatively quick failure.

              A warning to all: If you are using a Seagate hard drive which was manufactured at any time from the beginning of 2012 to early 2014, and if Piriform’s Speccy utility shows more than zero reallocated sectors, either copy the data from that hard drive to a new hard drive, or clone the hard drive to a new hard drive.

              Best regards,

              –GTP

              2 users thanked author for this post.
            • #232093 Reply

              OscarCP
              AskWoody Lounger

              GoneToPlaid, Well, this is disturbing news: “A warning to all: If you are using a Seagate hard drive which was manufactured at any time from the beginning of 2012 to early 2014…”

              (1) How does one tell if a Seagate external hard drive is ca. 2012 – 2014? There are no dates on the cover of the HDs, at least the one I have. And the cover is glued to the base plate.

              BTW: I have a 4 TB Seagate HD I bought last year to use as a “Time Machine” for my Mac.

              (2) What is the difference between “copying” and “cloning” the contents of an HD to another?

            • #232138 Reply

              Cybertooth
              AskWoody Lounger

              @gonetoplaid, the HDD is being imaged by Macrium Reflect as I write this. Just one thing: in an earlier post, you wrote that

              If you use a backup utility to clone the drive, you will have to configure the backup utility to ignore errors. Macrium Reflect, for example, has a setting to ignore errors.

              I’m pretty sure that tonight I neglected to do that in Reflect. Would you recommend going back and repeating the process, this time making sure to adjust that setting for the image?

              (In case it matters, I’m “imaging” the drive rather than “cloning” it. That is, I’m making an image to an external drive and then putting that image on the replacement HDD.)

               

            • #232139 Reply

              Ascaris
              AskWoody MVP

              The “ignore errors” setting is necessary when Macrium Reflect cannot finish because of errors.  If you get it imaged successfully, you should be good.

              Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

              1 user thanked author for this post.
            • #232092 Reply

              Ascaris
              AskWoody MVP

              It’s a Seagate, so you can go to the Seagate site and download their Seatools utility.  It has a Windows version and a bootable .iso version.  After the backing up is complete, you might want to run that and see what it comes up with.  My guess is that it will not give the drive a “pass” as it is.  Tools like that can sometimes revive a drive, but that would depend on whether the soft and hard error sectors are constant or whether they are constantly increasing.  If they’re stable, the software can scan and mark any sectors with errors bad, so the drive will never try to use them anymore.  If no more bad sectors appear, the slowdown and the risk to your data will be gone– but that’s a very big IF.

              The sudden appearance of bad sectors in some areas of the drive is often just the beginning.  I’ve tried to resuscitate drives that have started on this downward spiral, and often the new errors start happening during the repair scan, getting to the point that it will take weeks to finish the job at the current rate.  In other instances, it may finish the scan and pronounce the drive repaired, but as soon as you put it into service again, the soft sectors start appearing again, then start turning into hard errors, and the whole thing begins again.

              I have a drive that is now in my backup server that had a couple of soft sectors on it.  No hard errors (sectors where the error is so severe that the data is completely unreadable, rather than one that takes a while to read but is ultimately recoverable), but just the soft errors were enough to cause me to want to investigate further.  I did a repair scan using, I believe, the HGST tool (it’s a Hitachi drive, from the time before they became HGST), and it fixed a few soft errors and pronounced the drive okay.  I don’t trust it fully… I keep redundant backups on it, things that it wouldn’t be catastrophic to lose (a backup of a backup of the original, so I would have to lose the original and the backup before the one on the HGST would ever be needed).  It’s been running fine for a couple of years since then, with no more issues in SMART.

              My trust is a little bit better on that drive now that it has behaved for a long time, but then I don’t really trust any drive all that much anyway.  I’ve had too many suddenly fail without warning to ever trust them very much!  Always have your data in at least two places, and more is better.  For each of my important PCs, I have multiple levels of backup on my backup server, on different drives (it has five drives, I think), and I have another one on my WD external HDD, and yet another on my Seagate HDD.  I’d go even further and use something like Backblaze too, safely encrypting things locally before I send it, if I had enough upstream bandwidth.

              If Seatools can fix the drive, you can put it back into service, but don’t use it for anything that would break your heart to lose.  With what GTP said about that model, I’d always be suspicious of it even after it was fixed.

              Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

            • #232136 Reply

              Cybertooth
              AskWoody Lounger

              @ascaris, maybe it’s a coincidence (or maybe it’s not), but today for the first time I noticed that, on opening Windows Explorer, the HDD in question had a yellow triangle with a “!” inside. The SSD (system drive) has a green circle with a check mark inside it. Hmmm.

               

              • This reply was modified 1 week, 2 days ago by  Cybertooth.
            • #232141 Reply

              Ascaris
              AskWoody MVP

              If you right click the drive in Explorer, then go to the Hardware tab, what does it say for the drive in the info box at the bottom?  Normally it would say it’s working properly, but that ! icon suggests that Windows has a message about that.

              Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

            • #232142 Reply

              Cybertooth
              AskWoody Lounger

              All it says is “This device is working properly.”

              Wonder if running Hard Disk Sentinel somehow suggested to Windows that “something” is wrong with the drive despite its “working properly.”

              Device Manager doesn’t show anything wrong with the HDD, either.

               

            • #232148 Reply

              satrow
              AskWoody MVP

              Can you publish a screenshot of the SMART data as recorded by HDS?

            • #232149 Reply

              Ascaris
              AskWoody MVP

              Probably the overlay over the drive icon is added by HD Sentinel.  I’ve never seen those indicators myself!

              Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

    • #232167 Reply

      GoneToPlaid
      AskWoody Lounger

      Hi @gonetoplaid, System Protection was enabled on the HDD. Here’s the screenshot for that disk: HDD-Speccy Let me know if you need to see the SMART info at the bottom of the page.

      I looked again at your posted screen capture. Note that the raw values for the read and seek error rates are through the roof. This Seagate drive is failing and is the cause of your issues.

    • #232174 Reply

      GoneToPlaid
      AskWoody Lounger

      GoneToPlaid, Well, this is disturbing news: “A warning to all: If you are using a Seagate hard drive which was manufactured at any time from the beginning of 2012 to early 2014…” (1) How does one tell if a Seagate external hard drive is ca. 2012 – 2014? There are no dates on the cover of the HDs, at least the one I have. And the cover is glued to the base plate. BTW: I have a 4 TB Seagate HD I bought last year to use as a “Time Machine” for my Mac. (2) What is the difference between “copying” and “cloning” the contents of an HD to another?

      First, I need to revise the date range to very late 2011 to possibly early 2015, depending on how long a given drive model was manufactured.

      You can use Speccy to get the hard drive’s model number and its serial number. You can Google the model number to see when it was first introduced to the market.  Googling Cybertooth’s drive model ST2000DL003, it appears that it was announced in December 2011. Here is info about his HDD:

      https://www.storagereview.com/seagate_barracuda_green_2tb_review_st2000dl003

      You can type in your Seagate drive’s serial number into this Seagate Warranty page to get info about your drive’s warranty and its model number:

      https://www.seagate.com/support/warranty-and-replacements/

      I did this for Cybertooth’s drive serial number. Attached is a screen capture which shows “Warranty Information Not Available. Please contact support.” So then I clicked on the green Product Support button which took me to another web page. I then clicked on “See all documents” and downloaded the PDF data sheet which is dated 2013. I was shocked to see, for the HDD models listed in this data sheet, that the rated Power-on Hours is only 8760 hours or exactly 365 days. Here is a link to the data sheet for Cybertooth’s HDD:

      https://www.seagate.com/files/www-content/product-content/video_3_5_pipeline-fam/pipeline-hd/en-us/docs/video3-5-hdd-ds1783-3-1309us.pdf

       

      1 user thanked author for this post.
      • #232262 Reply

        OscarCP
        AskWoody Lounger

        GoneToPlaid,

        Thank you so much. I googled, as you advised, my model number, and got from this site: https://www.storagereview.com/seagate_4tb_backup_plus_portable_drive_review the news that it was introduced in mid-2015, so it is probably outside the “danger zone” that you mentioned. Because I am using this external HD to back up the Mac, I can always replace it with another HD if this one were to fail, and the “Time Machine” utility will automatically  back up the whole Mac’s internal disk into the new external one when I plug it into the Mac, so that is covered. But it is not happy news that Seagate disks are defective. Particularly low-cost, high-capacity ones such as those of this model, that is bound, for both reasons, to be a popular one that is likely to have been selling well.

        Now I am hoping that the problem with some Macs’ SSD that Kirsty brought up the other day is not one I may have to deal with, ever: https://www.askwoody.com/forums/topic/apple-recalls-issued-nov-9th-2018/ Fortunately, mine has a 15″ screen, the problem, apparently, being only with 13″ machines.

        Also, I hope Cybertooth finally finds a solution to the very annoying problem that is the main topic discussed here, but manages to do so without having to rebuild the PC, or vastly modify the software that runs on it.

        • This reply was modified 1 week, 2 days ago by  OscarCP.
        • #232318 Reply

          GoneToPlaid
          AskWoody Lounger

          I’ve been dealing with this thing all day, which is why I haven’t been posting today. Here’s what’s happened since last night: Went to bed making an image of the failing HDD with Macrium Reflect. (@gonetoplaid: Since you asked, the drive is internal and is stored horizontally.) When I came back to the PC this morning, the Macrium progress bar was at 100% but there was an error message with a code number, indicating that the image was unable to finish. I took a screenshot but I can’t get to it at the moment, for reasons that I’ll explain later…Now it looks like the “failing” drive can be read just fine on a different PC, while stuff on the “healthy” brand-new SSD is all screwed up.

          Hi Cybertooth,

          Okay, so the situation was as bad with the failing hard drive as I thought. Don’t bother connecting it to any computer at this point. Put back in your original SSD since apparently the new SSD somehow got messed up, and since you initially thought that the original SSD was causing your issues. You have already scanned the original SSD six ways from Sunday to verify that it doesn’t contain any malware.

          A NOTE TO ALL: Older versions of Macrium, after you restore an OS image, leave System Restore in a TURNED OFF state! Whenever you restore a Macrium OS image, please remember to immediately check that System Restore is enabled for your restored OS hard drive!

          I think that Macrium Reflect may have successfully imaged your failing hard drive, yet at the very end the Windows Volume Shadow Copy Service crashed when it tried to resolve any pending commits to the failing hard drive or to the OS SSD drive.

          Did an actual Macrium image get created? If yes, then launch Macrium Reflect, select the image file, and have Macrium verify the image. Verification of a Macrium image is way faster than the time it took to do the backup — like at least 10 to 20 times faster. I dunno because I never thought to time it. Let’s pray that the image verification is successful! If it is, then you can restore the image to a new hard drive.

          Heck, even if Macrium fails to verify the image, you could tell Macrium to NOT verify the image before restoring the image to the new hard drive. In this case, Macrium will end up restoring everything which it possibly can. In either case, you will then need to do the following:

          After you restore the image to a new hard drive, then you will need to check the new hard drive for errors. You know — right-click on the drive letter, click on Properties, then click on Tools, and then click on Check now… in the Error-checking box. I figure that up to 95% of your data was successfully recovered after doing this error-checking cleanup on the new hard drive.

          Best regards,

          –GTP

           

          1 user thanked author for this post.
          • #232323 Reply

            Cybertooth
            AskWoody Lounger

            Hi GoneToPlaid,

            When I went back to it sometime this afternoon, Macrium was unable to see the image of the data drive. It was there in Windows Explorer, but the Reflect software did not find it; as far as Reflect was concerned, it didn’t exist.

            Ultimately I deleted the file to make room for the manual file copy (which is still going on, with about an hour to go).

            I’ll put the original SSD back into the PC, probably tomorrow, and see what happens.

            P.S. Thanks for the tip about resetting System Restore after using Macrium Reflect.

             

    • #232184 Reply

      GoneToPlaid
      AskWoody Lounger

      I compared Cybertooth’s two November 10 screen captures. Here are the numbers, followed by what I calculated:

      Cybertooth’s first screen capture, posted on November 10, 2018 at 10:18 am…
      Read Error Rate: 6D91B00 hex = 114,891,520 decimal
      Seek Error Rate: 324E9D3 hex = 52,750,803 decimal

      Cybertooth’s second screen capture, posted on November 10, 2018 at 12:45 pm…
      Read Error Rate: 7324330 hex = 120,734,512 decimal
      Seek Error Rate: 324FCBD hex = 52,755,645 decimal

      HDD Read and Seek Error Deltas after approximately 2.5 hours…
      Delta Read Error Rate = 5,842,992
      Delta Seek Error Rate = 4,842

      The HDD is failing so fast that Cybertooth is going to get only a couple of shots at saving most of his data. Even then, some data may be corrupted. My guess is that his HDD’s platter spindle is failing badly, especially if his HDD uses Maxtor’s defective spindle design.

      Cybertooth, is this HDD an internal drive, or is it in an external enclosure? In either case, how is the drive oriented — vertically or horizontally? If the Macrium backup fails, please power off the drive and answer these questions before proceeding with any other attempts to either back up or copy the HDD’s data.

       

      4 users thanked author for this post.
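
      Added example, not part of GoneToPlaid's post or of any tool named in the thread: a small Python script that redoes the comparison above from the hex raw values and timestamps quoted in the post, adds a per-hour growth figure, and also shows each raw value split at bit 32, the way smartctl's `raw24/raw32` display format prints a raw value as two counters. Whether that two-counter reading applies to this drive is an assumption the thread does not address; the function names are hypothetical.

```python
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M"

# Raw values and posting times exactly as quoted in the post above.
SNAPSHOT_1 = {"taken": "2018-11-10 10:18",
              "Read Error Rate": "6D91B00",
              "Seek Error Rate": "324E9D3"}
SNAPSHOT_2 = {"taken": "2018-11-10 12:45",
              "Read Error Rate": "7324330",
              "Seek Error Rate": "324FCBD"}


def parse_raw(hex_text):
    """Convert a hex raw value (as Speccy displays it) to an integer."""
    cleaned = hex_text.strip().replace(" ", "")
    if not cleaned:
        raise ValueError("empty raw value")
    return int(cleaned, 16)


def split_at_bit_32(raw):
    """Return (upper bits, lower 32 bits) of a raw value.

    Assumption: this mirrors the two-counter view that smartctl's
    raw24/raw32 format prints; the thread itself reads the value as
    one plain number.
    """
    return raw >> 32, raw & 0xFFFFFFFF


def compare(first, second):
    """Return (hours elapsed, per-attribute report) for two snapshots."""
    t1 = datetime.strptime(first["taken"], TIME_FORMAT)
    t2 = datetime.strptime(second["taken"], TIME_FORMAT)
    hours = (t2 - t1).total_seconds() / 3600
    if hours <= 0:
        raise ValueError("second snapshot must be later than the first")

    report = {}
    for name, hex_a in first.items():
        if name == "taken" or name not in second:
            continue  # only compare attributes present in both snapshots
        a, b = parse_raw(hex_a), parse_raw(second[name])
        upper_a, lower_a = split_at_bit_32(a)
        upper_b, lower_b = split_at_bit_32(b)
        report[name] = {
            "first": a,
            "second": b,
            "delta": b - a,                  # the figure used in the post
            "per_hour": (b - a) / hours,
            "went_backwards": b < a,         # counter reset or wrap
            "upper_delta": upper_b - upper_a,
            "lower_delta": lower_b - lower_a,
        }
    return hours, report


if __name__ == "__main__":
    hours, report = compare(SNAPSHOT_1, SNAPSHOT_2)
    print(f"Elapsed: {hours:.2f} h")
    for name, row in report.items():
        print(f"{name}: {row['first']:,} -> {row['second']:,} "
              f"(delta {row['delta']:,}, {row['per_hour']:,.0f}/h, "
              f"upper {row['upper_delta']:+d}, lower {row['lower_delta']:+,d})")
```

      Run against a drive you are monitoring, the same comparison works on any two readings of the raw values taken a known time apart.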
      • #232298 Reply

        Cybertooth
        AskWoody Lounger

        I’ve been dealing with this thing all day, which is why I haven’t been posting today. Here’s what’s happened since last night:

        Went to bed making an image of the failing HDD with Macrium Reflect. (@gonetoplaid: Since you asked, the drive is internal and is stored horizontally.)

        When I came back to the PC this morning, the Macrium progress bar was at 100% but there was an error message with a code number, indicating that the image was unable to finish. I took a screenshot but I can’t get to it at the moment, for reasons that I’ll explain later.

        So I decided to start copying the stuff on the HDD by hand, starting with the documents. They copied over to the SSD (C: drive) just fine. Then I moved on to the rest of the files there, excluding the Recorded TV folder which is very large. When the copying process got to a certain file (a 15GB .IMG file for the Kobo e-reader), it said that it needed permission to copy it; I gave permission and it tried to continue but the process failed.

        And not only did it fail, but the data drive (the troubled HDD) disappeared from Windows Explorer!

        I restarted the PC and started over again. Got to the same file, tried the same thing, and the same thing happened: the E: drive vanished.

        Next, I tried rebooting into Windows, this time with the intent to copy around that particular Kobo file. Except that now I got a BSOD that looked exactly like the one described in the first post on this sevenforums.com thread.

        Great. Now WTF do I do. So I try rebooting. I get back into Windows and open Windows Explorer–and the miscreant E: drive isn’t there at all!

        OK, based on my reading about the BSOD (that wasn’t the only site I read), I decided to boot into Safe Mode, in case it was some driver misbehaving. Got into Safe Mode and tried to open Windows Explorer… and this time it takes a very long time to respond, after which I get a small dialog (or whatever they call it) from Explorer.exe saying that, “Server execution failed.”

        Sometime this afternoon (I’ve done so many things that I’ve lost track of the exact sequence), I loaded Kubuntu 16.04 from a DVD, and it too was unable to find the data drive.

        Thinking that the problem might be related to the effing HDD, I shut down the PC to take the HDD out. Killing two birds with one stone, I mount the HDD onto a Windows 7 laptop using a USB3 disk caddy, while I reboot the Windows 7 PC with just the SSD in it.

        Now get this:

        1. The HDD mounted just fine in the laptop. Every time I tried to copy the Downloads folder with that Kobo image on it, it failed and the HDD disappeared from Windows Explorer just as on the original PC. Finally I decided to try to copy everything ELSE on the drive EXCEPT for that .IMG file. There’s a lot of stuff to copy over, but I have managed to copy everything I’ve tried and the TV programs are in the process of getting copied to an external drive. (I’d like to keep my Detroit Tigers playoff and World Series games, especially as it doesn’t look like they’re about to reach the playoffs again anytime soon.)

        2. But even more surprisingly, after rebooting into the Windows 7 PC with only the SSD system drive connected, I can’t open Windows Explorer or even the Control Panel. Attempts fail with that same “server execution failed” message. WTF???

        * * *

        So the reason I can’t provide a screenshot of Macrium Reflect’s error is that it’s in the Pictures library on the SSD, and I can’t browse the PC with Windows Explorer or open anything on the SSD that requires using the links on the right side of the Start menu. (I can, however, open programs that are on the left side, including the Command Prompt, as well as programs that have icons on the desktop.)

        One further data bit: at some point yesterday (Saturday), I looked at System Restore and noticed that it had been turned off and no restore points were available. I re-enabled it and quickly created a restore point. Two further restore points have been created since then. I’ve tried the two most recent ones; the first one didn’t solve my Explorer problem, and the second one failed to “complete successfully.”

        I haven’t a clue as to what the heck is going on with this computer. Now it looks like the “failing” drive can be read just fine on a different PC, while stuff on the “healthy” brand-new SSD is all screwed up.

         

    • #232325 Reply

      GoneToPlaid
      AskWoody Lounger

      Hi GoneToPlaid, When I went back to it sometime this afternoon, Macrium was unable to see the image of the data drive. It was there in Windows Explorer, but the Reflect software did not find it; as far as Reflect was concerned, it didn’t exist. Ultimately I deleted the file to make room for the manual file copy (which is still going on, with about an hour to go). I’ll put the original SSD back into the PC, probably tomorrow, and see what happens. P.S. Thanks for the tip about resetting System Restore after using Macrium Reflect.

      I pray that the manual file copy works. If that hiccups and fails, then I will give you instructions about installing ViceVersa, configuring ViceVersa to ignore errors, and letting ViceVersa do the copying of whatever it can copy from the failing hard drive. I have a feeling that this will be your final chance if the present file copy fails.

      • #232330 Reply

        Cybertooth
        AskWoody Lounger

        It looks like the manual copy worked! I have successfully copied everything that was on the HDD to new places. I opened a sampling of the documents, which are the most critical files, and every one opened fine.

        Now on to the SSD. Before moving to replace the new SSD with the old one, what do you think of the approach proposed on this page?

        Alternative ideas that make it possible to avoid the replacement are also welcome, of course.

         

         

        • #232411 Reply

          GoneToPlaid
          AskWoody Lounger

          I might suggest trying the old SSD and seeing if it works fine and that you don’t have any Windows Explorer issues. If it’s all good, then you could use Macrium to again clone it to the new SSD. Have Macrium shut down the computer when the clone completes. Remove the old SSD before firing up the computer with the cloned SSD.

        • #232425 Reply

          Bob99
          AskWoody Lounger

          …Before moving to replace the new SSD with the old one, what do you think of the approach proposed on this page? Alternative ideas that make it possible to avoid the replacement are also welcome, of course.

          I went down the rabbit hole suggested by the link you posted. I DO believe this will solve your problem of getting the “server execution failed” message. There is a link to a MS KB article on the site you referenced above, and I went there as well for further clarity on the procedure.

          However, before making the changes listed in the Microsoft KB bulletin (KB886549), make sure the listed default location actually exists in the first place.

          To do so, go to the command prompt, which should drop you at C:\Users\(your username). If it doesn’t, then navigate to it by first typing “cd\” then typing “cd users\(your username)”. Once there, simply type the directory command, “dir”. That will give you a list of all the files and folders in that location. If a “Documents” folder is listed, you’re all set to proceed. If not, then simply add it back in with the command “md Documents” (without the quotes, of course). Please notice there is a space between the letters md and the beginning of the word Documents.

          Once you’ve verified the existence of the folder or have successfully created it, then proceed as directed on the Microsoft Knowledge Base page I linked to above. That should “cure” your error with Windows Explorer.

          I’m guessing that the reason for the error is that Explorer is being told where it’s supposed to find key core components of its functionality and when it can’t find one or more of them, it probably comes to a grinding halt because it doesn’t know what to do next.

          BTW, once you’ve restored the “pointers” within the registry and put this hiccup behind you, feel free to install the new SSD you’ve acquired as @gonetoplaid has suggested and use it as your new data drive.

          HTH

          R/

          Bob99

          EDIT: Congratulations to @cybertooth on being able to get the computer fully “upright and functional”. He posted his results while I was typing and researching my response above. 🙂

          • This reply was modified 1 week, 1 day ago by  Bob99.
          1 user thanked author for this post.
      • #232392 Reply

        Cybertooth
        AskWoody Lounger

        A correction to something I said in post #232298: the internal drives in this PC are kept in a vertical position, not horizontally. I misspoke (miswrote?).

         

        • #232398 Reply

          Microfix
          AskWoody MVP

          SSD’s can be mounted in any orientation as there are no ‘mechanical’ parts. However, when it comes to HDD’s, I’ve always mounted them on the horizontal plane in PC’s. AT, ATX, uATX etc are industry standards which have horizontal bays for HDD’s.

          I don’t think I’ve ever seen a HDD mounted on the vertical axis which may, or may not add gravitational stress to the HDD reading arm. Interesting you should mention that..

          | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
            No problem can be solved from the same level of consciousness that created IT - AE
          • #232414 Reply

            Ascaris
            AskWoody MVP

            The specifications for all of the conventional hard drives (as opposed to SSDs) I’ve read all say it’s fine to mount the drives in a vertical orientation.  The effect of gravity on the arm is minimal compared to the actual force it generates to seek anywhere on the drive in a hundredth of a second, and they self-align to the servo track(s) on one or more of the platters anyway, so there won’t be any trouble finding the correct track after the first seek.

            It would not hurt to check with the manufacturer regarding permissible mounting orientations if you’re nervous about it.

            Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

            1 user thanked author for this post.
            • #232438 Reply

              GoneToPlaid
              AskWoody Lounger

              I agree. That is why I mentioned that it was many years ago when there was a debate about mounting hard drives vertically, since back then self-align technology didn’t exist. You are entirely correct that the G forces on the actuator arms during movement far exceed G. Regardless of the hard drive’s orientation, the most important thing is to make sure that the drive is mounted securely. I am very keen about using four screws when installing a hard drive, so as to minimize all operational vibration.

              • This reply was modified 1 week, 1 day ago by  GoneToPlaid.
        • #232413 Reply

          GoneToPlaid
          AskWoody Lounger

          Years ago there was some debate about whether or not it is okay to mount hard drives vertically. Personally, I have never been keen about mounting hard drives vertically since it adds gravitational stress to the platters (cyclic motion into and out of a gravity well). On the other hand, I have seen many major brand desktop computers in which the hard drives are mounted vertically.

          • #232599 Reply

            mn–
            AskWoody Lounger

            Not to mention the major brand high-availability datacenter servers and storage systems where disks were mounted vertically… could name several models from NetApp and HP that I’ve personally used that were like that.

            Though not all disk models were certified for use in those.

    • #232333 Reply

      Sessh
      AskWoody Lounger

      Why is GoneToPlaid not an MVP here? Shouldn’t he be? I think he should be.

      1 user thanked author for this post.
    • #232336 Reply

      Cybertooth
      AskWoody Lounger

      A follow-up on my question in #232330:

      I checked my registry against the default values listed on the page that’s linked to in that post. The only difference is that the value for Personal (in both places) is set to E:\Documents E.

      Currently there isn’t a drive E: installed. This deviation from the default couldn’t possibly be causing that “server execution failure” error… or could it? If it is, then the solution could be as simple as installing the replacement data drive and designating it as drive E:.
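
The pre-check discussed in the posts above (does every shell-folder path in the registry point at a location that exists?) can be scripted. This is an added example, not part of any post in this thread; it assumes the "both places" are the standard per-user `User Shell Folders` and `Shell Folders` keys, and it only reads them.

```powershell
# Added example: list the per-user shell-folder paths stored in the registry
# and flag any whose target is missing, for instance a path on a drive letter
# that is no longer installed. Read-only; nothing is changed.
# Assumption: these two standard per-user keys are the ones being discussed.
$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
)

function Get-ShellFolderStatus {
    param([string[]]$KeyPath)

    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($path in $KeyPath) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        foreach ($name in $key.GetValueNames()) {
            # Read the stored string as-is (e.g. %USERPROFILE%\Documents),
            # then expand it the way Explorer would.
            $raw = $key.GetValue($name, $null, $noExpand)
            if ($raw -isnot [string] -or $raw -eq '') { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)

            $status = 'OK'
            if ($expanded -match '^[A-Za-z]:') {
                # Local path: tell a missing drive apart from a missing folder.
                $drive = $expanded.Substring(0, 2)
                if (-not (Test-Path -LiteralPath "$drive\")) {
                    $status = 'DRIVE MISSING'
                } elseif (-not (Test-Path -LiteralPath $expanded)) {
                    $status = 'FOLDER MISSING'
                }
            } elseif (-not (Test-Path -LiteralPath $expanded)) {
                # UNC or other non-drive path that cannot be reached.
                $status = 'UNREACHABLE'
            }

            New-Object PSObject -Property @{
                Status   = $status
                Key      = Split-Path $path -Leaf
                Name     = $name
                Raw      = $raw
                Expanded = $expanded
            }
        }
    }
}

Get-ShellFolderStatus -KeyPath $keys |
    Sort-Object Status, Key, Name |
    Format-Table Status, Key, Name, Expanded -AutoSize
```

A `DRIVE MISSING` row for `Personal` is the situation described in #232336: the value points at `E:\Documents E` while no drive E: is installed.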

       

    • #232335 Reply

      anonymous

      Oy, wow was that repercussion for Shingled Magnetic Recording ever disclosed on a box or in easily accessed literature for end users? Thank you for sharing your knowledge.

    • #232339 Reply

      Paul T
      AskWoody MVP

      The upshot is that while SMR and laser technology appears to perform very well in the lab, such technologies could end up having issues in the real world over time.

      Do you have any data to substantiate this or are you just being paranoid?

      after discovering that Seagate’s 3TB hard drives are the subject of a class action lawsuit. I had a few of the Seagate 3TB hard drives which are at issue. My only saving grace which prevented failure was that I never defragmented any of my 3TB hard drives in nearly 5 years of operation.

      Again, how do you know this? A sample size of one does not a study make.

      cheers, Paul

      • #232429 Reply

        GoneToPlaid
        AskWoody Lounger

        Toshiba, unlike many of its competitors, is not yet willing to use SMR in any enterprise class products. HAMR technology is just beginning to come to market. The Seagate ST3000DM001 drive doesn’t have a rotational vibration sensor to counteract excessive vibration in heavy use scenarios. Defragging a hard drive is a heavy use scenario. As mentioned, I never defragged my Seagate 3TB hard drives — not once — during the nearly 5 years of operation.

        MVP Edit: Removal of HTML

    • #232418 Reply

      Cybertooth
      AskWoody Lounger

      I am delighted to report that, after putting the new data HDD inside the case and booting up with the current SSD, everything appears to be working normally. There were no blue screens, Windows Explorer is working, and the right panel of the Start menu is working.

      Because the original issue was surfacing 2-3 days after each reboot, we won’t be sure that it’s completely fixed until sometime Wednesday. But for now, things are looking promising and, after an intense week of troubleshooting and nail-biting, I’m just relieved that the PC is back at full operation.

      I hope this doesn’t jinx it, but I want to give my sincere gratitude and appreciation to everyone who participated in this discussion, offering ideas, tips, and information. While the experience with the computer was frustrating, the experience dealing with it here at Woody’s could not be topped.

      Thank You!

      2 users thanked author for this post.
      • #232424 Reply

        satrow
        AskWoody MVP

        How’s the kernel activity looking now?

        1 user thanked author for this post.
        • #232436 Reply

          GoneToPlaid
          AskWoody Lounger

          Yeah, that is a good question. Let’s hope that Cybertooth reports that there are no more long kernel spikes. I am still wondering if Cybertooth will still see memory usage growing for any processes other than web browsers. I still think that this issue was a side effect of the failing hard drive.

          1 user thanked author for this post.
        • #232501 Reply

          Cybertooth
          AskWoody Lounger

          @satrow, I’ll monitor this and see what it looks like.

          In the less than two minutes since I opened Task Manager, kernel activity has been pretty steady at <= 4%, with just one brief jump to 12% when I launched the Resource Monitor.

          BTW, I’m curious: what does kernel activity (or spikes) indicate?

           

          • This reply was modified 1 week, 1 day ago by  Cybertooth.
        • #232543 Reply

          Cybertooth
          AskWoody Lounger

          Kernel activity according to Task Manager has been very low–lower than I remember it being before switching HDDs. Generally sticking to the less than 4 percent range, with smaller and less frequent spikes.

           

          1 user thanked author for this post.
          • #232615 Reply

            satrow
            AskWoody MVP

            (Trying to make this digestible, I only have a rudimentary understanding of the intricacies of Windows Internals, it’s not going to be close to 100% accurate.)

            Kernel activity indicates mostly directly controlled hardware level activity at a higher CPU Priority than given to User Applications, the main upshot of ‘higher’ % kernel activity is that anything at a lower CPU priority will have to wait longer in a queue until there’s an available Thread to use; added to this, anything else that needs to access the same driver/hardware functions will also face an extended wait – thus my earlier comparison to ‘lag’ – the higher the kernel %, the longer before your actions, or those of the software you’re running, will take effect.

            Task Manager, and many of the similar 3rd party software, runs at High Priority, they can ‘interrupt’ or jump the queue much faster than an ‘ordinary’ program.

            The CPU regions are often shown as ‘rings’, the innermost ring, Ring 0, is the kernel, the most privileged and protected zone; outside that, Rings 1 and 2 are mainly hardware drivers and Security software drivers; the applications we all use daily on the Desktop have low privileges and usually Normal Priority and are loaded in the outer ring, where they are prevented from directly accessing anything from the inner Rings to prevent crashes/blue screens, etc.

            https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/user-mode-and-kernel-mode

            https://en.wikipedia.org/wiki/Protection_ring#SUPERVISOR-MODE

            https://en.wikipedia.org/wiki/Hybrid_kernel#NT_kernel

            https://docs.microsoft.com/en-us/windows/desktop/ProcThread/scheduling-priorities

            1 user thanked author for this post.
            • #232662 Reply

              Cybertooth
              AskWoody Lounger

              Thanks @satrow for the explanation. I understand the concept now a lot better than before.

              BTW kernel activity this morning is the same as last night: quiet and uneventful.

              This thread plus last week’s thread about Linux/Windows networking have been quite an education!

               

      • #232431 Reply

        GoneToPlaid
        AskWoody Lounger

        This is splendid news! It sounds like your remarkable persistence throughout this long ordeal has finally paid off.

        1 user thanked author for this post.
    • #232583 Reply

      jabeattyauditor
      AskWoody Lounger

      One quick take-away from this thread (and I’m figuratively looking in the mirror while I type this) – ALWAYS give the complete hardware and software picture when initially presenting the issue.

      It’s very easy to let our own biases control the information we present; I probably wouldn’t have initially mentioned the existence of the separate (and later determined to be dying) data drive if I were Cybertooth – after all, it looked like something Windows-related, and that was certainly confined to the boot SSD, right?

      2 users thanked author for this post.
      • #232617 Reply

        satrow
        AskWoody MVP

        Also: hardware trumps software – ensure the hardware is fully functional at the basic, non overclocked level first.

        1 user thanked author for this post.
    • #232898 Reply

      GoneToPlaid
      AskWoody Lounger

      One quick take-away from this thread (and I’m figuratively looking in the mirror while I type this) – ALWAYS give the complete hardware and software picture when initially presenting the issue. It’s very easy to let our own biases control the information we present; I probably wouldn’t have initially mentioned the existence of the separate (and later determined to be dying) data drive if I were Cybertooth – after all, it looked like something Windows-related, and that was certainly confined to the boot SSD, right?

      Now that was a really good post. I totally agree. Were I in Cybertooth’s shoes and if I was using a SSD for my OS drive and if I had also seen steadily increasing memory consumption by running processes, then I too would have initially assumed that either the OS SSD was having issues or that the OS’s SSD drive may have become infected by malware. Either was what many of us suspected.

      All of us should thank Cybertooth for being so relentless in terms of further communicating his issues, along with all steps which he took.

      The upshot is that this episode should become an important “case file” so that step by step procedures can be developed in order for anyone to provide important and useful information to us about their computer and its hardware, yet also how to properly sanitize the useful hardware reports so as to not disclose any confidential information. I had sent a PM to Cybertooth about how to use Piriform’s Speccy to output a text file about his computer, and about the steps to then take in order to remove any confidential information before uploading the Speccy output for all of us to examine.

      I wish that I could upload my simple TXT file instructions, along with an example of a sanitized output from Speccy for my main computer, but I can’t since the forum does not allow either ZIP or TXT file attachments.

       

      1 user thanked author for this post.
    • #233012 Reply

      Cybertooth
      AskWoody Lounger

      It happened again.

      This morning I went back into the office and clicked on the Notification Area arrow/triangle to check on things, when the Taskbar went gray again and the spinning circle spun within the box of the Notification Area.

      Eventually that settled down and my next step was to open a new browser. Sure enough, while the browser (in this case, Brave) did launch, it could not get to the home page. Browsers that were already open (IE11, Pale Moon) could not refresh their open tabs.

      Kernel activity in Task Manager was very low, in the 1-3% range.

      So it wasn’t the failing HDD.

      As this thread is already extremely lengthy, I propose to the mods that we move any discussion stemming from this post over to a new thread, which we could title “Windows 7 PC gets very sluggish, Part 2”, linking back to this one for reference.

       

      • This reply was modified 6 days, 15 hours ago by  Cybertooth.
    • #233028 Reply

      GoneToPlaid
      AskWoody Lounger

      Hi Cybertooth,

      Please list what third party plugins are installed in your web browsers. In particular, I am curious about any plugins which were installed by Bitdefender.

      Best regards,

      –GTP

       

      • #233037 Reply

        Cybertooth
        AskWoody Lounger

        Hi GoneToPlaid,

        Here’s a screenshot of the Pale Moon plugins:

        Pale-Moon-plugins

        The add-ons list for IE11 is much longer but almost all of them have been in there for several years. There are no add-ons associated with BitDefender.

         

        • #233288 Reply

          GoneToPlaid
          AskWoody Lounger

          Do you ever use Silverlight for anything? I never have. I uninstalled Silverlight years ago, and then I hid 16 attempts by Microsoft to reinstall Silverlight onto my Win7 computers via Windows Update.

          Also, I never installed the Foxit PhantomPDF plugins into my web browsers. Instead, I configured my web browsers with the choice of either downloading a PDF or to open a PDF within Foxit instead of within the web browser. I am very careful about what plugins I install into my web browsers since I have encountered a few plugins in the past which have memory leaks. These memory leaks, even when the web browser was doing absolutely nothing (just sitting there on the Google search page and with no other open tabs), would cause the web browser’s memory usage to grow over time. Eventually the web browser became so sluggish that it was unusable.

          Try disabling the Foxit plugin in your Pale Moon browser.

          • This reply was modified 5 days, 23 hours ago by  GoneToPlaid.
          • #233290 Reply

            Cybertooth
            AskWoody Lounger

            It’s installed on this PC, but TBH I don’t remember ever needing it for anything. Do you suspect that it could be a source of the troubles?

            Your question about plug-ins got me thinking about the ones I have installed. There is one plug-in that’s given me some grief in the couple of years I’ve had it: the Foxit PhantomPDF plug-in. I like it because it’s one of the very few plug-ins I’ve found that will let me print a Web page while preserving the hyperlinks on the page. But for a while it was occasionally causing crashes on some sites, and although that hasn’t happened for a long time I have to consider it a possible suspect. As a test, I’ve disabled it in IE11 and PM.

            I will also disable Silverlight now and monitor developments. If the problem doesn’t come back after a couple of days, I’ll re-enable either Silverlight or the Foxit plug-in and see which of them is responsible.

             

    • #233235 Reply

      Cybertooth
      AskWoody Lounger

      OK, things have taken a turn clearly for the worse. I rebooted just this morning, and tonight already the Taskbar has grayed out and programs are having a hard time opening, with “Not Responding” notices on the title bar. (I can still get on the Internet, for now.) As I’ve been reporting, up until today this was happening a couple of days after a reboot.

      Update: Within 20 minutes of writing the above, I could no longer access the Internet and launching programs kept getting slower. So I had to reboot, this time less than 11 hours after the previous reboot.

       

      • This reply was modified 6 days, 6 hours ago by  Cybertooth.
    • #233301 Reply

      GoneToPlaid
      AskWoody Lounger

      It’s installed on this PC, but TBH I don’t remember ever needing it for anything. Do you suspect that it could be a source of the troubles? Your question about plug-ins got me thinking about the ones I have installed. There is one plug-in that’s given me some grief in the couple of years I’ve had it: the Foxit PhantomPDF plug-in. I like it because it’s one of the very few plug-ins I’ve found that will let me print a Web page while preserving the hyperlinks on the page. But for a while it was occasionally causing crashes on some sites, and although that hasn’t happened for a long time I have to consider it a possible suspect. As a test, I’ve disabled it in IE11 and PM. I will also disable Silverlight now and monitor developments. If the problem doesn’t come back after a couple of days, I’ll re-enable either Silverlight or the Foxit plug-in and see which of them is responsible.

      Silverlight is just another potential security hole. Years ago I had to have it for only one particular web site which now no longer uses it. I recommend uninstalling Silverlight. It now has been several months since Microsoft has tried to push Silverlight to me via Windows Update. I guess they gave up on this dead horse.

      I too need to print web pages as PDFs which preserve the hyperlinks within the PDF. Other solutions instead of PhantomPDF are available.

      Best regards,

      –GTP

       

      • #233452 Reply

        Cybertooth
        AskWoody Lounger

        All right, it’s been just under 11 hours since Silverlight was uninstalled and the Foxit PhantomPDF plug-in was disabled. That’s about the length of time the PC managed to go yesterday before needing to reboot, although we’ve already gone longer than that since the last reboot. If it doesn’t screw up in the next hour or two, the next critical point will be Friday evening.

        @gonetoplaid, what solutions for preserving hyperlinks in a Web page printed to PDF have you found? The only other one that I know of is Adobe Acrobat, but I’ve been avoiding their newer versions because of their cloud push (which is why I switched to Foxit).

         

    • #233509 Reply

      Cybertooth
      AskWoody Lounger

      RAM usage is practically unchanged since last night when the Foxit plug-in was disabled and Silverlight was uninstalled. I have deliberately kept all the same programs and browser tabs open since then.

      The plug-in is my main suspect.

       

      1 user thanked author for this post.
      • #233529 Reply

        geekdom
        AskWoody Lounger

        I don’t much like FoxIt, but I did use the free package briefly to complete forms. It got installed, used, and uninstalled. If your problem is the FoxIt plugin and you need it from time to time, enable it, use it, and then disable it. (If it were my computer, I would remove the FoxIt plugin after use.)

        Group G{ot backup} Win7 · x64 · SP1 · i3-3220 · TestBeta
        1 user thanked author for this post.
      • #233597 Reply

        GoneToPlaid
        AskWoody Lounger

        Now that is sounding quite good! I have a strong feeling that the Foxit web browser plugin has been part of your issue. Why do I say so? Because, given the version of Foxit PhantomPDF which you have, a memory leak issue in the free version of around the same version 2.x number was subsequently fixed in a later version 3.x. Memory leaks in various versions of Foxit seem to be a bit of an occasional yet recurring thing. Simply Google (without quotes) “foxit pdf memory leaks”. I use Foxit PhantomPDF at home, and it is used at the law office as well.

        I am glad to hear that you don’t use Silverlight for anything. Given its history of security holes and near zero adoption, I am glad that you dumped it.

        Now here is the really cool thing about this drawn out attempt to resolve your issues: Due to your persistence and your continued posts, we managed to separately identify that you had a failing hard drive which literally could have completely failed at any time.

        1 user thanked author for this post.
        • #233608 Reply

          Cybertooth
          AskWoody Lounger

          You’re totally correct about that! Chances are that the HDD would have gone on to fail completely with nothing having been done about it. So this discussion has been incredibly valuable even if the original problem doesn’t get solved.

          BTW thanks for the info about the Foxit memory leak, I wasn’t aware of that. I’ll look up the issue’s history and also see if there’s an update available for the version I use.

           

    • #233748 Reply

      GoneToPlaid
      AskWoody Lounger

      @gonetoplaid, what solutions for preserving hyperlinks in a Web page printed to PDF have you found? The only other one that I know of is Adobe Acrobat, but I’ve been avoiding their newer versions because of their cloud push (which is why I switched to Foxit).

      Hi Cybertooth,

      I trashed my previous reply to your question so that I could post this updated reply. Unbeknownst to me and apparently in 2015, Nitro replaced their free PrimoPDF which contained OpenCandy with the exact same thing yet without the OpenCandy DLL (ocsetuphlp.dll). The download link on Nitro’s web site is the “Download Free” button near the top left of the following page:

      http://www.primopdf.com/

      The download link on the above web pages takes you to this CNET page:

      https://download.cnet.com/PrimoPDF/3000-10743_4-10264577.html?part=dl-10264577&subj=dl&tag=button

      I downloaded this latest installer. The installer does not include a CNET wrapper. Then I extracted its contents and compared its contents to the contents of the installer which I had downloaded in March 2012. All of the files in both installers are identical, except that the latest installer does not include the OpenCandy ocsetuphlp.dll. The only other change is that Nitro changed the time stamps for most of the files in the latest installer from 2009 and 2011 to 2015.

      After installing PrimoPDF, go to its Options settings. Under Check for Updates >> Updates, turn off checking for updates. Under Check for Updates >> Streamline, do not enable “Allow PrimoPDF to run Streamlined” since this feature no longer works.

      PrimoPDF behaves like a printer. You can change other settings for PrimoPDF by going to Devices and Printers and changing the printing preferences, just as you can for any other printer.

      Best regards,

      –GTP

       

      • This reply was modified 4 days, 12 hours ago by  GoneToPlaid.
      1 user thanked author for this post.
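
The comparison described in the post above (two unpacked installers, identical apart from one removed DLL and changed time stamps) can be repeated by hashing file contents. This is an added example, not the poster's own method or script; the two folder names at the bottom are hypothetical and stand for wherever the old and new installers were extracted.

```powershell
# Added example: compare two unpacked installers by SHA-256 of file content
# and report time-stamp changes separately. Read-only.
# Get-FileHash is not part of the PowerShell that ships with Windows 7,
# so the hash is computed through .NET.

function Get-TreeHash {
    param([Parameter(Mandatory = $true)][string]$Root)

    $rootFull = (Resolve-Path -Path $Root).ProviderPath.TrimEnd('\')
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $map = @{}   # relative path -> @{ Hash; Time }

    $files = @(Get-ChildItem -Path $rootFull -Recurse |
               Where-Object { -not $_.PSIsContainer })
    foreach ($f in $files) {
        $stream = [System.IO.File]::OpenRead($f.FullName)
        try     { $hex = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
        finally { $stream.Close() }

        $relative = $f.FullName.Substring($rootFull.Length + 1)
        $map[$relative] = @{ Hash = $hex; Time = $f.LastWriteTimeUtc }
    }
    return $map
}

function Compare-InstallerTree {
    param(
        [Parameter(Mandatory = $true)][string]$OldRoot,
        [Parameter(Mandatory = $true)][string]$NewRoot
    )

    $old = Get-TreeHash -Root $OldRoot
    $new = Get-TreeHash -Root $NewRoot
    $names = @(@($old.Keys) + @($new.Keys) | Sort-Object -Unique)

    foreach ($name in $names) {
        if     (-not $new.ContainsKey($name))              { $change = 'Removed' }
        elseif (-not $old.ContainsKey($name))              { $change = 'Added' }
        elseif ($old[$name].Hash -ne $new[$name].Hash)     { $change = 'ContentChanged' }
        elseif ($old[$name].Time -ne $new[$name].Time)     { $change = 'SameContentNewTimestamp' }
        else                                               { $change = 'Identical' }

        New-Object PSObject -Property @{ Change = $change; File = $name }
    }
}

# Hypothetical extraction folders for the 2012 and the current installer.
$result = @(Compare-InstallerTree -OldRoot 'C:\Temp\primopdf-2012' `
                                  -NewRoot 'C:\Temp\primopdf-current')

# Summary first, then every file that is not byte-for-byte identical in
# content (time-stamp-only changes are listed so they can be reviewed too).
$result | Group-Object Change | Sort-Object Name |
    Format-Table Name, Count -AutoSize
$result | Where-Object { $_.Change -ne 'Identical' } |
    Sort-Object Change, File |
    Format-Table Change, File -AutoSize
```

For the case in the post, the expected picture is a single `Removed` row for `ocsetuphlp.dll`, no `Added` or `ContentChanged` rows, and the remaining files split between `Identical` and `SameContentNewTimestamp`.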
    • #233781 Reply

      Cybertooth
      AskWoody Lounger

      Had to reboot again this morning.

      Even though the Foxit PhantomPDF plug-in was disabled, “working memory” RAM usage for Pale Moon grew overnight from 471KB to 620KB.

      All the other usual symptoms were in evidence: inability to reach the Internet, grayed-out Taskbar, slow opening of programs and closing of files. Clicked on the Start menu and it didn’t do anything beyond turning bright, so I couldn’t even shut down Windows the usual way, had to do it using Ctrl-Alt-Del.

      I’m thinking of loading a Linux live CD on this computer for a couple of days to see what happens.

       

      • #233801 Reply

        Microfix
        AskWoody MVP

        What version of palemoon are you using?
        There’s a new version out today: https://www.palemoon.org/releasenotes.shtml

        | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
          No problem can be solved from the same level of consciousness that created IT - AE
        2 users thanked author for this post.
        • #233879 Reply

          Cybertooth
          AskWoody Lounger

          Wow, there’s another one already?

          I used the quiet period between the two previous reboots to install version 28.2.0 (32-bit), on Wednesday I think it was.

           

      • #233838 Reply

        Ascaris
        AskWoody MVP

        The browser isn’t working at a kernel level, so while plugins can slow it down, it should not slow down the OS itself.  If you’re getting slowdowns in things like the taskbar, it’s either CPU being maxed out (which you already ruled out), a serious bug that is allowing a userspace program to intrude on the kernel, or it’s some issue that affects the kernel directly (driver, hardware, OS code itself).

        Since it wasn’t the HDD (dangit), the thing about using a live USB to test it would be the next thing to try IMO, and then if it passes that, on to driver verifier in Windows and/or process of elimination.

        The fact that inability to reach the net always happens with this seems to be a clue.  What kind of connection to the internet are you using from the PC end (meaning ethernet, wireless, etc., and what kind of adapter)?

        Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        • This reply was modified 4 days, 10 hours ago by  Ascaris.
        1 user thanked author for this post.
        • #233881 Reply

          Cybertooth
          AskWoody Lounger

          It’s a wired Ethernet connection. FWIW, it’s fiber optic service (Verizon FiOS) but we’ve only had this service for a month or so, and the issue with this computer predates the arrival of FiOS.

          Device Manager reports my NIC as:

          Atheros AR8161/8165 PCI-E Gigabit Ethernet Controller (NDIS 6.20)

          I must confess, historically I haven’t had great success updating drivers on this PC. About four years ago I updated the Broadcom wireless LAN driver (which is seldom used), and the computer developed an enormous memory leak that would take up half of the RAM; when I reverted to the original driver, the problem went away. And this summer, when Norton suddenly stopped getting virus definitions, Norton tech “support” suggested I update the video driver (?!). That resulted in a BSOD and the installation of BitDefender in Norton’s place.

          • #234078 Reply

            Ascaris
            AskWoody MVP

            Updating the video driver should not cause a BSOD, so that’s a bit worrisome.  I don’t know that it is related, but there’s something amiss there.

            In terms of drivers, Atheros (and its new owner, Qualcomm) chooses to put its customers at risk by not making drivers readily available to the public, telling them instead to go to their OEM for drivers.  This forces people to look to alternative (and potentially risky) sources when their OEM has stopped providing new drivers for a given PC (which is usually pretty quick– often the ones the unit came with from the factory is all you’ll ever get from the OEM). Telling users to go to OEMs that don’t care about a product once the warranty ends isn’t helpful to them.

            On older cards like yours, it can be a problem because all of the manufacturers typically do this, so where are you going to get the drivers even if they are produced by the OEM?

            Fortunately, the drivers are signed, so at least in theory, if they are altered, they will not be installed or will pop up a scary looking warning if you attempt to (depending on which version of Windows) install an unsigned driver.

            Let me see if Woody is okay with me suggesting the place I use in a public message.

             

             

            Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

            1 user thanked author for this post.
            • #234116 Reply

              Ascaris
              AskWoody MVP

              Okay!  Got the okay from Woody, so long as I include the caveats.

              There’s a site I’ve been using for several years to get Windows drivers that I can’t get from the OEM (which is lots of them).  It was instrumental in getting Windows 7 and 8.1 on my Core 2 Duo laptop that only came with Vista!  It’s a French site, called station-drivers.com.  I’ve never had any malware or other problems with the site.  I wish I could remember who suggested the site, but it had to have been what I considered a trusted source, or I would not have paid any attention.

              Norton reports the site as safe, FWIW.

              Still, use caution whenever getting drivers from anywhere other than the OEM.  They should be okay as long as the signature is intact, but caution is always well-advised.  If QC/Atheros would just make them available (while explaining that it is best to get them from the OEM if possible), we wouldn’t have to resort to third-party sites, but they’re far from the only OEM at fault for that.

              There are several new drivers for the Atheros card in question at the site.  That’s the link for the 64-bit version– I didn’t see if you posted the bitness of your Windows installation.  You may want to give it a try.  It’s up to you!  If the problem is in the driver for your NIC, this might fix it.

              I would also disable the wifi in Device Manager while testing the wired Ethernet.  A driver can still cause issues even on an inactive connection if the device is enabled.

               

              Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

              1 user thanked author for this post.
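The advice above rests on the driver signature being intact, which can be checked before anything is installed. This is an added example, not code from the thread: it assumes the downloaded package has been extracted to a hypothetical folder `C:\Drivers\extracted`, and the function name `Test-DriverPackage` is made up for illustration.

```powershell
# Added example (not from the thread): inspect the signatures in an extracted
# driver package before installing it. The default folder path is hypothetical.
function Test-DriverPackage {
    param([string]$Path = 'C:\Drivers\extracted')

    $report = @()

    # Each INF names its catalog with CatalogFile= (optionally with a platform
    # suffix such as CatalogFile.NTamd64=). The catalog carries the signed hashes
    # that Windows compares against the package files at install time.
    foreach ($inf in Get-ChildItem -Path $Path -Recurse -Include *.inf) {
        $cats = @(Get-Content -Path $inf.FullName | ForEach-Object {
            if ($_ -match '^\s*CatalogFile(\.[\w.]+)?\s*=\s*([^;]+)') {
                $Matches[2].Trim().Trim('"')
            }
        } | Sort-Object -Unique)

        if ($cats.Count -eq 0) {
            $report += New-Object PSObject -Property @{
                File = $inf.FullName; Status = 'NoCatalogReferenced'; Signer = '' }
        }
        foreach ($cat in $cats) {
            $catPath = Join-Path $inf.DirectoryName $cat
            if (-not (Test-Path $catPath)) {
                $report += New-Object PSObject -Property @{
                    File = $catPath; Status = 'CatalogMissing'; Signer = '' }
            }
        }
    }

    # Check the Authenticode signature of every catalog and binary.
    # A binary with no embedded signature reports NotSigned; that is common for
    # catalog-signed drivers, so it is treated as informational below.
    foreach ($f in Get-ChildItem -Path $Path -Recurse -Include *.cat, *.sys, *.dll, *.exe) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $report += New-Object PSObject -Property @{
            File = $f.FullName; Status = $sig.Status.ToString(); Signer = $signer }
    }

    $report | Select-Object Status, Signer, File
}

$result = @(Test-DriverPackage)
$result | Format-Table -AutoSize

# Findings that should stop the install: an altered or untrusted file, an INF
# without a usable catalog, or a catalog whose own signature is not Valid.
$stop = 'HashMismatch', 'NotTrusted', 'CatalogMissing', 'NoCatalogReferenced'
$blocking = @($result | Where-Object {
    ($stop -contains $_.Status) -or ($_.File -like '*.cat' -and $_.Status -ne 'Valid')
})
if ($blocking.Count -gt 0) {
    Write-Warning "Do not install: $($blocking.Count) blocking finding(s)."
} else {
    'Catalog signatures are valid; confirm the Signer column names the expected vendor.'
}
```

A valid signature only shows that the package is unmodified since it was signed, so the Signer column still needs to be read and compared with the vendor the driver claims to come from.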
    • #233846 Reply

      GoneToPlaid
      AskWoody Lounger

      The browser isn’t working at a kernel level…

      I think that Ascaris is correct in terms of the Pale Moon browser. Microfix mentions that a new version of the Pale Moon browser was released today.

      1 user thanked author for this post.
    • #233864 Reply

      Mr. Natural
      AskWoody Lounger

      I agree with the memory leak theory. If it takes time to occur, that would be my guess. I’ll mention a few things hoping someone didn’t already mention. I haven’t fully read all the details.

      Check all programs launching at startup. Remove what you don’t need. Check the old start menu programs startup folder and the 2 registry entries.

      hklm AND hklu\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      Bios update and disabling temperature sensors in bios.

      Disable or remove all browser add ins.

      1 user thanked author for this post.
      • #234016 Reply

        Cybertooth
        AskWoody Lounger

        I just removed three items from startup (Adobe Acrobat, AcroTray, and the Catalyst Control Center), and checked the registry keys you suggested. Everything that’s there is supposed to be there, no “strangers” found.

        Also unchecked several Norton-related items that were showing up in Autoruns.

        It probably violates proper diagnostic procedure to make these changes on top of the other ones I’ve just made to take effect on the next reboot, but I’ve been dealing with this issue for weeks and the problem typically takes days to recur. Grrr!!!

         

        • This reply was modified 3 days, 15 hours ago by  Cybertooth.
    • #233922 Reply

      Lars220
      AskWoody Lounger

      Here is another idea that does not take long to check. It does sound like a memory leak type of problem, although in the first post you mention you checked Task Manager and no unusual CPU or RAM usage was noted. The idea is just to check if KB3078667 is installed: Control Panel – Programs and Features – left panel top View installed updates, right top Search KB3078667. If not, check:

      https://support.microsoft.com/en-us/help/3078667/system-malfunction-because-memory-leak-occurs-in-dwm-exe-in-windows-7  –  just read to see if sounds maybe is problem?

      download link:   https://www.microsoft.com/en-us/download/details.aspx?id=48615

      When the computer slows down again, can you post a screenshot of the Task Manager Processes tab, so that we can all visualize the CPU and RAM usage? Be sure to sort the highest usages at top.  Just some ideas, hopefully not dead end rabbit holes.  Good Luck.

      1 user thanked author for this post.
      • #233954 Reply

        Ascaris
        AskWoody MVP

        I would also be interested in seeing the performance tab, or its contents at least.  Seeing how the Total, Cached, Available, Free memory stack up (when it’s having a problem) might give a clue if it is memory related.

         

        Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        1 user thanked author for this post.
        • #233968 Reply

          Cybertooth
          AskWoody Lounger

          So that we have a baseline (more or less; the system has been up for 13+ hours since the last reboot), here are the RAM figures as of this post:

          Physical memory (MB)
          Total 12174
          Cached 5216
          Available 7618
          Free 2652

           

    • #233960 Reply

      Lars220
      AskWoody Lounger

      After some thinking, another idea is to run the built in Windows Memory Diagnostic Tool to test the physical hardware, remember, check the hardware also. Here is a link with pictures, note the first picture shows Windows 10 Start Search, but just type into the Windows 7 Start Search programs and files for:  ‘ Windows Memory Diagnostic ‘ = it will ask to reboot and takes some time.

      https://helpdeskgeek.com/how-to/troubleshoot-ram-with-windows-memory-diagnostic-tool/

      If you had a failing Hard Disk Drive earlier, maybe the actual RAM sticks are failing also ?

      1 user thanked author for this post.
      • #233964 Reply

        Cybertooth
        AskWoody Lounger

        I ran hardware diagnostics last week, I think. Everything checked out seemingly OK… including the HDD that turned out to be failing!

        But I guess it can’t hurt to try testing the memory again the next time a reboot is necessary.

         

    • #233961 Reply

      Lars220
      AskWoody Lounger
      • #233963 Reply

        Cybertooth
        AskWoody Lounger

        Turns out that KB3078667 isn’t installed on this PC. However, while that patch has to do with dwm.exe, I’ve noticed in the last few days that there’s another process that begins to eat up increasing amounts of memory along with Pale Moon: the svchost.exe “Network Service.” Looking at the PID associated with this process, it’s 1884 and the following services are listed under it in Task Manager:

        CryptSvc

        Dnscache

        LanmanWorkstation

        NlaSvc

        TapiSrv

        Fifteen minutes ago, I took down the amount of “working set” RAM used by this process; it was at 267K.  Now it’s at 272K and trending upward.

        Wonder if this could have something to do with what’s going on in this computer.

        Update: A half-hour after posting this, Working Set RAM for svchost.exe (Network Service) is now up to 284K. I also see that CPU usage by this process is at 13%, with occasional drops to 0%.

         

        • This reply was modified 3 days, 23 hours ago by  Cybertooth.
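The manual readings in the post above can be collected automatically. This is an added example, not code from the thread: it lists the services hosted in one svchost.exe process and samples its memory at intervals. The function name `Watch-ServiceHost` and the sampling defaults are assumptions; PID 1884 is the one quoted in the post and changes after every reboot.

```powershell
# Added example (not from the thread): list the services sharing one svchost.exe
# process and sample its memory use over time to confirm a steady upward trend.
function Watch-ServiceHost {
    param(
        [int]$ProcessId = 1884,        # PID from the post; look it up again after a reboot
        [int]$Samples = 6,
        [int]$IntervalSeconds = 300
    )

    # Services hosted in this process (the list Task Manager shows for the PID).
    $services = @(Get-WmiObject Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object -ExpandProperty Name)
    Write-Host "PID $ProcessId hosts: $($services -join ', ')"

    $readings = @()
    for ($i = 0; $i -lt $Samples; $i++) {
        $p = Get-Process -Id $ProcessId -ErrorAction Stop
        $readings += New-Object PSObject -Property @{
            Time         = Get-Date
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            PrivateMB    = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
            Handles      = $p.HandleCount
        }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }

    # Growth between the first and last sample, expressed per hour.
    $first = $readings[0]
    $last  = $readings[-1]
    $hours = ($last.Time - $first.Time).TotalHours
    if ($hours -gt 0) {
        $rate = [math]::Round(($last.PrivateMB - $first.PrivateMB) / $hours, 1)
        Write-Host "Private memory changed by $rate MB per hour over the sampling window."
    }

    $readings | Select-Object Time, WorkingSetMB, PrivateMB, Handles
}

Watch-ServiceHost | Format-Table -AutoSize
```

Private bytes and handle count are sampled alongside the working set because the working set can shrink when Windows trims it, while a leak keeps the other two climbing.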
        • #233971 Reply

          GoneToPlaid
          AskWoody Lounger

          Hi Cybertooth,

          Please do go ahead and install KB3078667 since it is a required fix for its specific issue. I have KB3078667 on all of my Win7 computers since 2015. Just because a message box isn’t displayed, this doesn’t mean that memory can’t be eaten up over time even if a message box never gets displayed, even though the hidden message box would be displayed over time.

          Here is the link for the KB article about KB3078667:

          https://support.microsoft.com/en-us/help/3078667/system-malfunction-because-memory-leak-occurs-in-dwm-exe-in-windows-7

          And here is the Update Catalog link:

          https://www.catalog.update.microsoft.com/Search.aspx?q=KB3078667

          Again, please install KB3078667 so that we can either see if this resolves your issue, or so that we can rule out the lack of KB3078667 being installed as being the cause of your issue.

          Best regards,

          –GTP

           

          1 user thanked author for this post.
          • #234003 Reply

            Cybertooth
            AskWoody Lounger

            Hi GoneToPlaid,

            I downloaded KB3078667 and went to install it, when Windows told me it was already installed.

            So I did yet another search in Update History, and indeed it was nowhere to be found. But this time I also performed a search under Installed Updates… and there it is, installed on 9/20/2015.

            This is so maddening. Why can’t both of these functions (Update History and Installed Updates) give consistent information??? It would have saved time and effort for everyone participating here. Having looked under Update History and not finding it, why would one think to also look under Installed Updates? (In my case, it was done out of frustration.) After all, logically speaking, if it’s not in the update history it means that it’s never been installed. Or so you’d think…

             

            • #234004 Reply

              PKCano
              AskWoody MVP

              Update History is not a good indication of what updates are installed.
              If an update is installed through WU and you subsequently uninstall it, the uninstall is not recorded in WU history. But if you then reinstall the update through WU, it will show up twice in Update History. If you wipe the datastore, say to fix WU, (or some event does it for whatever reason) the history is erased. Then again it does not necessarily reflect what is actually installed.

              Always use Installed Updates if you want to see what is installed on the computer.

              3 users thanked author for this post.
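The difference between the two views described above can be shown for a single update. This is an added example, not code from the thread: it checks one KB both in the installed-update data and in the Windows Update Agent history. The function name `Get-KbState` is made up for illustration, and KB3078667 is the update discussed in this thread.

```powershell
# Added example (not from the thread): report whether a KB is actually installed
# and, separately, what Windows Update's own history says about it.
function Get-KbState {
    param([string]$KbId = 'KB3078667')

    # Installed state: Get-HotFix reads Win32_QuickFixEngineering, which reflects
    # updates present on the system regardless of how they were installed.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # History: the Windows Update Agent's log, queried through its COM interface.
    # It is lost if the Windows Update datastore is wiped.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $entries  = @()
    if ($total -gt 0) {
        $entries = @($searcher.QueryHistory(0, $total) |
            Where-Object { $_.Title -match $KbId })
    }

    # Operation: 1 = installation, 2 = uninstallation. ResultCode: 2 = succeeded.
    $installsLogged = @($entries | Where-Object {
        $_.Operation -eq 1 -and $_.ResultCode -eq 2 }).Count

    $isInstalled = [bool]$hotfix
    if ($isInstalled -and $installsLogged -eq 0) {
        $note = 'Installed, but absent from Update History (history is incomplete).'
    } elseif (-not $isInstalled -and $installsLogged -gt 0) {
        $note = 'History shows an install, but the update is not present now.'
    } elseif ($isInstalled) {
        $note = 'Installed, and history agrees.'
    } else {
        $note = 'Not installed, and no install is recorded in history.'
    }

    $installedOn = $null
    if ($hotfix) { $installedOn = @($hotfix)[0].InstalledOn }

    New-Object PSObject -Property @{
        Kb             = $KbId
        Installed      = $isInstalled
        InstalledOn    = $installedOn
        HistoryEntries = $entries.Count
        Note           = $note
    } | Select-Object Kb, Installed, InstalledOn, HistoryEntries, Note
}

Get-KbState -KbId 'KB3078667' | Format-List
```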
            • #234010 Reply

              Cybertooth
              AskWoody Lounger

              Much appreciate the info. So, the link that they put closest to the update installation button (“View update history”) is the less reliable of the two, and the link that’s tucked away over in the left corner (“Installed Updates”) is actually the more reliable one.  🙂

               

        • #233983 Reply

          anonymous

          If you are going to install this update, it will probably need a PC restart (they usually do), so this would be a good time to separate out the services into separate processes so that you can see which of these services is actually giving a problem. I described this at the end of my post https://www.askwoody.com/forums/topic/windows-7-pc-gets-very-sluggish/#post-230785  a couple of weeks ago.

          Also as you may have some combination of Windows Explorer (explorer.exe) and network problems, I have just checked my Windows Firewall settings and I have a Block outgoing access rule for all protocols and ports for “explorer.exe”.

          I do not remember adding this, so this must have been there for some time. It is unlikely that I would have added this myself manually because it would not have occurred to me that Windows Explorer would need to make internet access so why would I need to set a rule for it pre-emptively. More likely is that “explorer.exe” did make such an outgoing access attempt for some reason and my Windows Firewall Notifier (WFN) (similar in functionality to the better known Windows Firewall Control (WFC)) would have blocked this by default and given me a notification. In the current climate of telemetry/spyware/invasion of privacy not thinking of an obvious reason to allow this access I would have used the notification interface to set the Block outgoing access rule. With an explicit rule in place I will not have received any later notifications of such accesses. I am not aware of any side-effects due to this Block rule, but I am just a basic home PC user not doing anything particularly complicated.

          Anyway I don’t know if this is relevant in your case, but if your “explorer.exe” is making outgoing accesses for some reason and these are failing does “explorer.exe” freeze in some sense while waiting for a response to this failing outgoing access? I don’t know. Just a guess!

          If you were to block the access, would the transaction end immediately avoiding any freeze observable to you as the PC user? Again I don’t know, but this might be worth a try. (Of course if you have more complex requirements needing “explorer.exe” outgoing accesses for some reason, then this would be a non-starter.)

          HTH. Garbo.

          1 user thanked author for this post.
          • #234007 Reply

            Cybertooth
            AskWoody Lounger

            Thanks, Garbo.

            I went back to your earlier post and followed the instructions to separate the processes for PID 1884. As you said, that should take effect after the next reboot. The processes involved are the ones listed in post #233963.

            Will install CleanMem after that next reboot (and reboot again right away if you think it’s necessary for CleanMem to work optimally).

             

    • #234013 Reply

      Cybertooth
      AskWoody Lounger

      Referencing post #233968:

      As of the post you’re reading (some eight hours later), the RAM numbers are:

      Cached 5666

      Available 7186

      Free 1660

      Working Set memory for svchost.exe (Network Service) is at 425K, with CPU usage still at 13% most of the time.

       

      • #234037 Reply

        anonymous

        @cybertooth

        Above, in post 233881, you mention that your NIC is shown as an Atheros AR8161/8165 PCI-E Gigabit Ethernet Controller (NDIS 6.20).

        Well, I googled your NIC and the first hit that came up was from Dell, for a driver for the NIC. So, to quote the “legendary” commercial from back in the day, “Dude, you got a Dell?” If the computer in question for this thread is indeed a Dell Inspiron 5xxx / 7xxx series or a Vostro Notebook 3xxx series, then you may want to go get the latest driver for your computer and install it. As you’ve pointed out above, the memory leak is coming from processes that are all networking-related. The page from Dell is right here: https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverid=t83w4

        There were other pages listed as well, some from sites you don’t really want to go to for drivers, as they’re possible candidates for having “wrappers” or other types of crapware bundled with the driver. I also got a hit for the MS Update Catalog, but the drivers for Win 7 were all dated September and December 2011, which might be older than what you’ve already got installed. The driver listed on the Dell page was last updated in September 2013.

        This brings to mind another thing you may want to try with help from others here such as @ascaris or @gonetoplaid. Go to your computer mfr.’s web site (no matter if it is Dell or HP or Alienware, for example) and find a copy of the driver you currently have and install it. The driver may simply have some issues that Windows may be unable to repair, but “reinstalling” a fresh copy of the same version may help clear things up. Just a thought.

        I came to the above conclusion (of a bad driver) after reading the post above from @ascaris, and your subsequent post about which specific services are tied in with the svchost process that’s leaking the memory.

        R/

        Bob99

        1 user thanked author for this post.
        • #234044 Reply

          Cybertooth
          AskWoody Lounger

          Bob99, thanks for the ideas. The computer is an HP. Here’s the drivers page for it. Apparently there’s no new NIC driver (the new wireless adapter driver being offered is, I think, the one that led to a huge memory leak for me a few years ago).

          I didn’t realize you could install a driver over itself. This’ll be another new thing to try after the next reboot.

          • #234049 Reply

            anonymous

            Thanks for the feedback, @cybertooth . However, before getting into replacing drivers, please pursue @gonetoplaid ‘s advice in his post just below this one, post #234040.

    • #234040 Reply

      GoneToPlaid
      AskWoody Lounger

      My Windows 7 computer has had an annoying issue in recent months. A few (2-3) days after a reboot, both Internet browsing and Windows Explorer start getting very sluggish…

      The PC is Group B, updated through the September patches (haven’t yet applied the recently green-lighted October set). What could be causing this? Web searches haven’t been particularly helpful because I have twin problems and everything I’ve found refers to one OR the other of these issues, but not both together.

      Hi Cybertooth,

      All of my Win7 computers are Group B, yet they are updated only through August. Perhaps there is an issue with the September security only update? Just a thought, yet I don’t think that this is the case since you mentioned that this issue has been occurring in recent months.

      I now remember that in 2016 I had a similar issue on one of my Win7 laptop computers. Things would get slow when using Firefox, and then Panda AV would start popping up occasional messages that Panda had lost its Internet connection to Panda’s cloud servers. Whoa! I knew something was wrong. I had a hunch that it must be Windows telemetry when I saw that the maximum number of HTTP connections was exceeded. Sure enough, I discovered that in 2014 I had accidentally installed KB2952664. And sure enough, KB2952664 was periodically and silently getting updated when I would check for updates. There were 10 versions of KB2952664 on the laptop. Obviously the latest installed version had issues.

      Let’s perform a “sanity check” to make sure that you don’t have any of the three infamous telemetry updates installed on your computer. Please see my post and Dropbox link for CMD files which can check if these telemetry updates are installed, and optionally to remove all installed instances of these telemetry updates. See:

      https://www.askwoody.com/forums/topic/kb2952664/#post-172871

      Note that my Dropbox KB2952664 folder has been replaced with the following folder name:

      WIN7 — KB3150513, KB2952664, KB2977759

      There are two CMD files in the above folder. One CMD file simply checks if any of these three telemetry updates are installed. The other CMD file does the same thing, and then gives you the option to have the CMD file automatically remove all installed instances of these telemetry updates.

      Best regards,

      –GTP

       

      1 user thanked author for this post.
      • #234061 Reply

        Cybertooth
        AskWoody Lounger

        Hi GoneToPlaid,

        That is a VERY cool pair of CMD files you created. Your instructions are a model of clarity.

        According to the results, none of the telemetry updates is installed on this PC.

         

        • #234072 Reply

          GoneToPlaid
          AskWoody Lounger

          Hi Cybertooth,

          Okay. So now we have ruled out the possibility that Microsoft telemetry might possibly be the cause of your issues. I think that we should focus on your network card and wireless card drivers.

          Best regards,

          –GTP

           

    • #234052 Reply

      GoneToPlaid
      AskWoody Lounger

      Bob99, thanks for the ideas. The computer is an HP. Here’s the drivers page for it. Apparently there’s no new NIC driver (the new wireless adapter driver being offered is, I think, the one that led to a huge memory leak for me a few years ago). I didn’t realize you could install a driver over itself. This’ll be another new thing to try after the next reboot.

      Hi Cybertooth,

      Could you go to Control Panel >> Device Manager, and then for both your NIC and for your Wireless adapters and after double-clicking on each of these devices, post screen captures similar to my attachment? I ask since I want to make sure that I can find the latest drivers which precisely match the device IDs for your NIC and Wireless adapters.

      Have you ever allowed Windows Update to install hardware drivers? I hope not since I have had past issues with Microsoft thinking that they know best — versus the actual manufacturers of the hardware. In terms of hardware drivers, I trust Microsoft about as far as I can throw a dead horse! Hardware manufacturers frequently update drivers for older hardware in order to resolve reported issues. Yet for older hardware, the hardware manufacturers do not go through the time and expense of getting these updated drivers certified by Microsoft.

      Finally, have you checked in Event Viewer under Error and under Warning, and then under Windows Logs >> Application and under Windows Logs >> System for error messages?

      Best regards,

      –GTP

       

      • #234067 Reply

        Cybertooth
        AskWoody Lounger

        Hi GoneToPlaid,

        These are the screenshots for the NIC and wireless adapter:

        NIC-properties
        WLAN-properties

        The only two hardware drivers that I remember ever trying to install are the new Broadcom wireless driver (which led to the huge memory leak) and the AMD video card drivers (which caused a BSOD). The video driver was updated via Device Manager; I can’t remember how I had updated the wireless driver but it may have been via Windows Update.

        I’ll check the Event Viewer later today.

         

        • #234081 Reply

          GoneToPlaid
          AskWoody Lounger

          Hi Cybertooth,

          Please download the ORIGINAL drivers from HP’s web site for your network and wi-fi cards, and save them to a convenient location on your computer’s C: drive. Following are the download links for these two original drivers for your specific computer:

          Original Atheros Network Controller Driver
          https://ftp.hp.com/pub/softpaq/sp56001-56500/sp56474.exe

          Original Broadcom Wireless Network Controller Driver
          https://ftp.hp.com/pub/softpaq/sp56001-56500/sp56209.exe

          Then go to Device Manager and uninstall the drivers for your network and wi-fi cards. When uninstalling, make sure that you choose to delete the driver files.

          After uninstalling these drivers, reboot your computer. Then install the original network drivers first, and then install the original wi-fi card drivers.

          I suspect that a later network card driver, which fixed an issue when upgrading to Windows 8, may have created a bug if said driver is used in Windows 7. I have a feeling that you have no intentions of upgrading to Windows 8 or Windows 10.

          Best regards,

          –GTP

           

          1 user thanked author for this post.
          • #234085 Reply

            Cybertooth
            AskWoody Lounger

            Thanks, GoneToPlaid.

            I’m back in for a few minutes and then I have to run back out, but when I return to the office I’ll do the driver uninstall/install.

            FWIW, here are the current RAM numbers (in MB):

            Cached 7217

            Available 7572

            Free 398

            Question: Should I do this before (with a reboot in-between), or after, or instead of Garbo’s idea described here? I ask because lately it’s been a couple of days after each reboot before the problem resurfaces.

            • This reply was modified 3 days, 9 hours ago by  Cybertooth.
            • #234090 Reply

              Ascaris
              AskWoody MVP

              Those RAM numbers look fine.  It’s “available” that is the pertinent number, not “free.”

              Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

              1 user thanked author for this post.
      • #234115 Reply

        Cybertooth
        AskWoody Lounger

        Finally, have you checked in Event Viewer under Error and under Warning, and then under Windows Logs >> Application and under Windows Logs >> System for error messages? Best regards, –GTP

        I see 5 errors in the last hour (Service Control Manager, Event ID 7011) that say:

        A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.

        In addition, there are 25 SharedAccess_NAT errors (Event 31004) that go:

        The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.

        The Taskbar is also graying out again. I’ll be lucky to post this before losing Internet connectivity again.

         

         

        • #234139 Reply

          Ascaris
          AskWoody MVP

          Those 31004 errors don’t seem to be harmful.  There’s a MS article on the topic that states:

          The two Events described in this article do not indicate any problem with the operating system nor do they cause any functionality issues with Internet Connection Sharing. These events can be safely ignored as they are incorrectly logged because a request to allocate zero bytes memory is invalid.

          The first error, though, could be related to the slowdown, and it seems to support the idea of a network adapter/driver issue.  DNS is, of course, part of networking!

          Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

          • This reply was modified 3 days, 5 hours ago by  Ascaris.
          1 user thanked author for this post.
    • #234083 Reply

      GoneToPlaid
      AskWoody Lounger

      Updating the video driver should not cause a BSOD, so that’s a bit worrisome…

      Ah, one would think. Yet this occurred to me when I stupidly decided to allow Windows Update to install what Microsoft thought was the latest AMD video driver for one of my computers, even though I normally never allow Windows Update to install new drivers. This BSOD experience reinforced my conviction to NEVER install any drivers which are presented by Microsoft via Windows Update.

    • #234119 Reply

      Cybertooth
      AskWoody Lounger

      There are several new drivers for the Atheros card in question at the site. That’s the link for the 64-bit version– I didn’t see if you posted the bitness of your Windows installation. You may want to give it a try. It’s up to you! If the problem is in the driver for your NIC, this might fix it. I would also disable the wifi in Device Manager while testing the wired Ethernet. A driver can still cause issues even on an inactive connection if the device is enabled.

      Fantastic, @ascaris, glad that Woody gave the green light to post the link.

      Now there’s a choice to be made: should I try installing one of the new drivers for the Atheros card, or should I try (re)installing the original driver as GoneToPlaid suggests? If the plan turns out to be to  try these solutions in sequence, which one should go first?

      I’ll let you and GoneToPlaid decide.  🙂

       

      • This reply was modified 3 days, 7 hours ago by  Cybertooth.
      • #234134 Reply

        Ascaris
        AskWoody MVP

        I would suggest GTP’s way first.  If it doesn’t help, then try mine.  Always better to try with the lower risk one first!

         

        Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        1 user thanked author for this post.
    • #234121 Reply

      Cybertooth
      AskWoody Lounger

      After some thinking, another idea is to run the built in Windows Memory Diagnostic Tool to test the physical hardware, remember, check the hardware also. Here is a link with pictures, note the first picture shows Windows 10 Start Search, but just type into the Windows 7 Start Search programs and files for: ‘ Windows Memory Diagnostic ‘ = it will ask to reboot and takes some time.

      https://helpdeskgeek.com/how-to/troubleshoot-ram-with-windows-memory-diagnostic-tool/

      If you had a failing Hard Disk Drive earlier, maybe the actual RAM sticks are failing also ?

      Ran the Windows Memory Diagnostic Tool upon rebooting this afternoon: everything checked out, fortunately.

      BTW, just prior to the reboot, Working Memory usage had reached 620K and free RAM had dropped to 84K.

      • This reply was modified 3 days, 7 hours ago by  Cybertooth.
    • #234152 Reply

      Lars220
      AskWoody Lounger

      I suspect that the problem is some type of a memory leak. Sysinternals has a nice tool / utility called RAMMap that can be useful. Here are some links to check out – review:

      https://www.ghacks.net/2011/08/09/use-rammap-to-list-all-files-currently-in-windows-ram/

      https://searchwindowsserver.techtarget.com/tip/Using-RamMap-and-VMMap-Tools-to-Troubleshoot-Windows-Memory-Issues

      Download:      https://docs.microsoft.com/en-us/sysinternals/downloads/rammap

      When your computer slows down, please take screenshot of Task Manager tabs and post.

      1 user thanked author for this post.
      • #234174 Reply

        Cybertooth
        AskWoody Lounger

        Should I take a screenshot of every Task Manager tab? Full-screen or reduced size? And even at full screen, there are more services listed than can fit on a single screen.

        I just want to make sure I provide the info you need.

         

    • #234166 Reply

      GoneToPlaid
      AskWoody Lounger

      Hi Cybertooth,

      I went back through all of this thread for ideas. You mentioned that you did these things:

      — Uninstalled Norton Internet Security and installed BitDefender.
      — And this summer, when Norton suddenly stopped getting virus definitions, Norton tech “support” suggested I update the video driver (?!). That resulted in a BSOD and the installation of BitDefender in Norton’s place.
      — Also unchecked several Norton-related items that were showing up in Autoruns.

      Event ID 7011: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Dnscache service.

      Event ID 7011 can be caused by a corrupt content index catalog. The index catalog could have become corrupt when Windows had problems trying to index files on the failing hard drive. Go to Control Panel >> Indexing Options and click on the Advanced button. In the Advanced Options window, click on the Rebuild button.

      Event ID 7011 can also be caused by remnants of Norton Internet Security. Go to Control Panel >> Programs and Features, and uninstall NIS, Norton LiveUpdate and any Norton Add-ons. Don’t forget to remove any Norton add-ons for Outlook. Reboot after uninstalling these items. Then download and run the Norton Remove and Reinstall tool:

      https://support.norton.com/sp/en/us/home/current/solutions/v60392881_EndUserProfile_en_us

      Obviously you are going to use the tool to remove all remaining traces of Norton.

      Best regards,

      –GTP

       

    • #234169 Reply

      Cybertooth
      AskWoody Lounger

      > Hi Cybertooth, Please download the ORIGINAL drivers from HP’s web site for your network and wi-fi cards, and save them to a convenient location on your computer’s C: drive.

      GoneToPlaid, I followed the instructions as far as the reboot, including the deletion of the current drivers. But I was not able to install the downloaded versions: as soon as Windows 7 came back up, it installed drivers on its own initiative before I could do anything myself with the downloaded drivers.

      Here are the screenshots for the two drivers:

      NIC-properties-2
      WLAN-properties-2

      The info on the images suggests these are the very same drivers the PC was using prior to the uninstallation and reboot. But there is one difference: previously, in addition to the NIC and wireless drivers, I had a “Broadcom Virtual Wireless Adapter.” (I did not uninstall that one. Maybe I needed to?) Now, though, in addition to those three I also have one driver I had not seen before–a “Microsoft Virtual WiFi Miniport Adapter #2”.

      Now if these newly installed drivers do turn out to be the ones I downloaded, I will be mightily impressed because I saved them to a folder in the C: drive that otherwise contains only Word documents.

      Assuming that we got acceptable results from this procedure with the drivers, it’s a question of waiting and seeing if the same symptoms come back in a day or two.

       

      • This reply was modified 3 days, 1 hour ago by  Cybertooth.
      • #234176 Reply

        GoneToPlaid
        AskWoody Lounger

        Hi Cybertooth,

        Please post screen captures of the Driver tab which is adjacent to the Details tab. That will tell you which drivers Windows is now using. And yes, the Microsoft Virtual WiFi Miniport Adapter is something that Windows 7 automatically installs whenever Windows installs drivers for a wireless network card. It is interesting that the Miniport driver was missing. It shouldn’t have been missing.

        If you trust me, would you be willing to email me a full Speccy TXT report file and an Autoruns TXT file to my email address which I provided in a PM to you? I am going to be up for about another half hour if you also want to give me a quick call at home.

        Also, don’t forget to do the Norton removal tool thing and to rebuild your search index file before you go to bed.

        Best regards,

        –GTP

        • #234186 Reply

          Cybertooth
          AskWoody Lounger

          Hi GoneToPlaid,

          OK, I ran the Norton Removal and Recovery Tool and rebuilt the index catalog. For good measure, I went into Autoruns and deleted (AFAIK) all remaining traces of Norton/Symantec there.

          Here are shots of the Atheros and Broadcom driver tabs:

          NIC-driver
          WLAN-driver

          Regarding the Speccy and Autoruns .TXT files, let’s wait on that until we see the effects (if any) of the numerous changes made over the last day or so. I’m running into the practical consideration that work is piling up while I keep going back to deal with this problem.

          • #234195 Reply

            GoneToPlaid
            AskWoody Lounger

            Excellent. You are using the correct network and wireless drivers shown on HP’s web site.

    • #234211 Reply

      Lars220
      AskWoody Lounger

      Hello Cybertooth and GoneToPlaid, I do not want to interrupt or interfere with GoneToPlaid’s excellent advice. Hopefully totally removing all of Norton, and the new Network Drivers will be the solution. Concerning a possible ‘memory leak’ type of problem, looking at the Task Manager Performance tab, note at lower left the ‘Physical Memory Available’. If the problem is a slow one, over 2 to 3 days, the Available memory will slowly diminish until the computer becomes unresponsive. Leaving Task Manager minimized in the bottom task bar will consume maybe 3.6 MB of memory, not much if you have 12 GB. The memory graph will slowly climb until it gets near 100% use, probably the computer will freeze around 97~98%. Only other tab to watch at this time is the Processes tab, click to show processes from all users, then click on the Memory column to sort the highest memory use to the top. We want to watch for 2 to 3 days and see what process is using (or leaking) the memory. Following is a nice link from Microsoft TechNet about Troubleshooting using Task Manager, Performance Monitor, and Sysinternals RAMMap. When you have time please review:

      https://blogs.technet.microsoft.com/mspfe/2012/12/05/troubleshooting-windows-performance-issues-lots-of-ram-but-no-available-memory/

      Thank you GoneToPlaid for sharing your skills with all of us.

      1 user thanked author for this post.
      • #234231 Reply

        GoneToPlaid
        AskWoody Lounger

        Hello Lars220,

        Thank you for your post. That TechNet article was well worth reading, and should be the next thing for Cybertooth to try since I am running out of ideas. Anything you can come up with for Cybertooth to check or try would be most appreciated.

        Please have a look at the drivers page for Cybertooth’s HP computer:

        https://support.hp.com/us-en/drivers/selfservice/hp-pavilion-hpe-h9-1100-phoenix-desktop-pc-series/5154893/model/5212313

        I am thinking that Cybertooth might want to uninstall (if mentioned) and then reinstall the original drivers (in the following order):

        — Uninstall Intel Management Engine (via Control Panel >> Programs and Features) and reboot.
        — Reinstall the original Intel chipset drivers since Cybertooth doesn’t plan to upgrade his OS from Win7 to Win8 or Win10 (thus no need to update the chipset drivers).

        — Reinstall the original Intel USB drivers.
        — Reinstall the original HP Bluetooth drivers.
        — Reinstall the original graphics drivers.
        — Reinstall the original Intel Management Engine drivers.

        In other words, the idea is to get Cybertooth’s computer back to its original set of drivers with the exception of the updated Qualcomm Atheros AR9000 Series 802.11n Wireless LAN Driver which is now installed and which was provided by HP. Doing so would put Cybertooth’s computer back to a “if it ain’t broke, don’t fix it” mode in terms of the installed drivers for his computer’s motherboard.

        We can later consider updating his ME, USB, and graphics drivers. Yet all such drivers would come straight from Intel and AMD, and never from Microsoft. Right now, we are after establishing a solid baseline in terms of the installed drivers for his motherboard.

        With regards to the HP drivers, HP does strongly recommend installing the 2015 BIOS update for better UEFI security, yet this could not possibly be the cause of Cybertooth’s stated issues unless UEFI has been hacked on his computer. I seriously doubt this. The 2015 BIOS update doesn’t contain any new CPU microcodes since all are dated 2010 to 2013.

        The only additional thing I can think of is whether or not Cybertooth’s computer is using its default BIOS settings. HP doesn’t give one too many options in BIOS for changing settings. Cybertooth, did you have to replace your motherboard’s CMOS battery at any time during the past several months? If so and after replacing the battery, did you boot to BIOS and load the factory defaults for the BIOS?

        I pretty much have nothing else, aside from perhaps examining a Speccy output file from Cybertooth to look for anything out of whack under the Operating System and Network categories in particular.

        Lars220 and everyone else, what do you think? At this point, Cybertooth is now using the published HP drivers for his NIC and for his Wireless, and everything so far has pointed to a memory leak in this category? Yet possibly something could have propagated upwards from using incorrect motherboard drivers? This is why I described, above, how Cybertooth can reinstall the basic motherboard drivers.

        Best regards,

        –GTP

         

        • This reply was modified 2 days, 11 hours ago by  GoneToPlaid.
        1 user thanked author for this post.
        • #234242 Reply

          Cybertooth
          AskWoody Lounger

          Hi GoneToPlaid,

          Nope, the CMOS battery in there is the same one that came with the computer. I don’t have any specific memory of changing BIOS settings on this PC, but that doesn’t mean I haven’t. On the next reboot I’ll go into the BIOS and take a look around.

          If and when the time comes to uninstall and reinstall drivers, we’ll have to find a way to do it before Windows takes over and starts installing its own choice of drivers, as happened when I went to change the NIC and wireless drivers.

           

      • #234235 Reply

        Cybertooth
        AskWoody Lounger

        That’s part of what’s been so puzzling about this issue. I’ve been monitoring the RAM usage in Task Manager, and what happens is that “free” memory steadily drops down to double digits (it was at just 84KB just before the last time I had to reboot), while “available” RAM remains fairly stable (at the last reboot, IIRC it was still over 7000KB). When the PC finally slows down to a crawl, the bars on the memory graph on the left will still be far from the top.

        In terms of who or what is using the RAM, I’ve observed a slow but definite increase in memory usage by Pale Moon and a faster increase by “svchost.exe (Network Service)”. With the caveat that the things we’ve done since Friday may (or may not) have resolved the issue, here are the numbers shortly after the most recent reboot:

        RAM:

        Cached  4126

        Available  8585

        Free  4861

        Processes (Working Set (Memory) column):

        Pale Moon  295

        svchost.exe (Network Service)  — [not listed]

        And here are the current numbers:

        RAM:

        Cached  4107

        Available  8744

        Free  5028

        Processes (Working Set (Memory) column):

        Pale Moon  456

        svchost.exe (Network Service)  175

        (All open tabs and applications were deliberately kept unchanged overnight.) Looking at today’s figures, it’s a hopeful sign (maybe) that free RAM hasn’t dropped, but PM and svchost.exe seem to be continuing on their merry way to Molasses Land.

        We’ll monitor these numbers for a day or two. In the meantime, when I get the chance to (deadlines are starting to loom large) I’ll review the Technet page that you provided. It looks like it’ll be as useful as it is informative. Thanks for looking it up!

        • #234241 Reply

          OscarCP
          AskWoody Lounger

          Cybertooth,

          I think you have, by now, tested your PC for so many things that you might have already tried this as well, but just in case, here goes suggestion No. 1001:

          Have you tried using some other browser than Pale Moon? Perhaps one not related to Mozilla/Firefox, let’s say IE11 or Chrome?

          1 user thanked author for this post.
          • #234268 Reply

            Cybertooth
            AskWoody Lounger

            Thanks for the suggestion, OscarCP. In most of the monitoring this week, in my private notes I’ve included IE11 RAM usage. But it’s been completely steady so I stopped monitoring it.

            FWIW, I also use Pale Moon on my Vista PC. RAM usage goes up there as well, except that in that case I can refresh the tabs and bring the RAM back down, whereas on this PC doing that doesn’t help. Also, the Vista system never reaches the point where it just can’t get on the Internet any more.

            Maybe I can try opening all the PM tabs in FF and see how things develop over time.

             

        • #234262 Reply

          Ascaris
          AskWoody MVP

          This is normal for Windows (and Linux, and I would assume MacOS).

          When a computer first boots, some of the RAM is taken by program files and data structures.  The rest is “free.”  Free memory is any memory that has nothing (logically speaking) in it… it’s just sitting there waiting for something to do.  Free memory will be at its greatest extent right after you boot.  (“Free” memory may in fact have data within it, but there’s nothing pointing to that data as being pertinent to anything, so the data isn’t useful in any way.  As far as the OS is concerned, a memory location is empty when there’s no process pointing to that location and claiming it as being in use.  That’s what I mean by “logically” empty.)

          As you use the system, things will be loaded into the free memory.  When you close programs, the OS will keep some of it in memory “just in case” for later use. If there is a lot of free memory hanging around, it may also prefetch some things from the hard disk/SSD that it predicts you may want to use in the near future, based on what you’ve already done so far.  It’s constantly shuffling around what is in there, unloading stuff that hasn’t been accessed in a while, loading in things that are more likely to be needed in the near future.

          All of that memory is now cached memory, not free memory.  It’s “cached” because the OS is using it to cache all kinds of data, libraries, and programs that are likely to be needed later.  It’s far faster when the things the OS needs are in memory than having to get them off of a disk… it’s a performance feature.  Even a speedy NVMe SSD is a lot slower than RAM, but the slower the disk, the greater the performance benefit of caching.

          The cached memory is available just as free memory is, so that any program that requests more memory will immediately be able to get it.  The OS will assign free memory first, then begin repurposing cached memory, which just means it “forgets” its pointers to the data it has cached (essentially making it “free” at that point), then assigns the memory to the process in question.

          Cached memory is convenient and quick to have when the OS finds a necessary DLL or such in that memory instead of having to go to the disk, but it can be cleared at any time without any problem… it just means the OS will have to get the data from the disk instead of the cache, which is the same thing that would happen if there was no caching in the first place.

          In terms of memory management, there is no performance penalty to be paid when it comes time to repurpose cached memory when it is needed for a given process (program), as opposed to using free memory.  The entire caching system is designed for speed… it’s meant to be repurpose-able at an instant.

          An OS running at maximum efficiency will keep caching things in free memory, and soon will have nearly no free memory, but plenty of cached memory, which means also plenty of available memory.  Available memory is free + cached.  Free memory is performance potential left on the table– a wasted resource.

          If your available memory figure was low, then I would be looking to that as a potential problem.  Low free memory after a time simply means Windows is working as designed.

          It’s also not unusual for services to use more memory as time passes.  As long as the memory consumption isn’t exploding out of control, using up all available memory, it’s not a problem.  RAM use by processes bounces up and down as they do their thing, and memory used can increase in time even without a memory leak, since the process has more data it needs to remember for a given session.  It’s not a cause for alarm until something is using way more memory than it should and not releasing it.

           

          Group L (Linux): KDE Neon User Edition 5.14.3 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

          3 users thanked author for this post.
        • #234264 Reply

          Sessh
          AskWoody Lounger

          FWIW, the memory your browser uses depends on how many tabs are open and what those tabs contain. My Win7 machine has nearly 39 days of uptime now and Pale Moon is bouncing around between 480K and 550K of memory with six tabs open and PM is always open with many tabs. Sometimes, I have eight tabs open and two are Youtube videos I want to watch later, I’ve seen Pale Moon using just over a GB of ram in those cases, but I have 16GB of ram in this thing so it’s no big deal.

          I also use the 64-bit version of PM which I believe uses more memory anyway. I have not noticed any memory leaks with Pale Moon and memory usage is generally variable within certain ranges depending on what I’m asking it to do. I routinely leave this system running for 1-2 months without a reboot and have never had an issue with Pale Moon and memory leaks. Just offering a data point and yes, I update Pale Moon as soon as it’s available, so I am on the most recent version.

          Hopefully, the driver changes will resolve your memory issues and you can get some work done.

          My memory numbers at 39 days of uptime are:

          • Total: 16299
          • Cached: 6840
          • Available: 12915
          • Free: 6098
          • This reply was modified 2 days, 9 hours ago by  Sessh.
          1 user thanked author for this post.
          • #234271 Reply

            Cybertooth
            AskWoody Lounger

            > Hopefully, the driver changes will resolve your memory issues and you can get some work done.
            >
            > My memory numbers at 39 days of uptime are:
            >
            > • Total: 16299
            > • Cached: 6840
            > • Available: 12915
            > • Free: 6098

            I’m jealous!!  🙂

            But seriously, thank you for the data points, they give us something to compare my numbers to.

             

    • #234247 Reply

      GoneToPlaid
      AskWoody Lounger

      > Hi GoneToPlaid, Nope, the CMOS battery in there is the same one that came with the computer. I don’t have any specific memory of changing BIOS settings on this PC, but that doesn’t mean I haven’t. On the next reboot I’ll go into the BIOS and take a look around. If and when the time comes to uninstall and reinstall drivers, we’ll have to find a way to do it before Windows takes over and starts installing its own choice of drivers, as happened when I went to change the NIC and wireless drivers.

      In this case, you would be reinstalling drivers right on top of whatever drivers are presently installed. Yet we can get to that later, if necessary. At this point, I am hoping that running the Norton removal tool and resetting the Windows search index, in conjunction with Windows having automatically reinstalled the correct drivers for your networking, may have resolved your issues. I looked at your post with your most recent RAM figures. It does look promising.

      1 user thanked author for this post.
      • #234274 Reply

        Cybertooth
        AskWoody Lounger

        OK, just to update the numbers from a couple of hours ago:

        RAM (from Task Manager):

        (previous figures in parentheses)

        Cached  4213  (4107)

        Available  7838  (8744)

        Free  3958  (5028)

        Processes:

        Pale Moon  436  (456)

        svchost.exe  217  (175)

         

        • This reply was modified 2 days, 8 hours ago by  Cybertooth.
    • #234321 Reply

      Cybertooth
      AskWoody Lounger

      Just over six hours after the last readings, here are the new numbers:

      RAM:

      Cached   6522

      Available   7691

      Free   1237

      Processes:

      Pale Moon   463

      svchost.exe   298

      The system has been up for 21 hours. A noticeable lag has developed between typing or scrolling, and the response. This is usually the first symptom…

       

    • #234352 Reply

      anonymous

      Hi,

      A couple of software related thoughts.

      I’ve had issues in the past with using too large a .hosts file – is it possible to change back to the 1k older version that would have been saved as a backup and test?

      Do you have Microsoft Office installed on the PC – have had issues in the past when Word is opened and then closed – it does not release all the memory it uses on its initial start and this eventually has a knock-on effect on the overall available.

      1 user thanked author for this post.
      • #234398 Reply

        Cybertooth
        AskWoody Lounger

        I do have MS Office installed on this computer, but here’s the maddening thing: when the computer gets sluggish, memory usage is still nowhere near complete. This morning I had to reboot again (after 28 hours’ uptime), and while “free” RAM was hovering between 0 and 100MB, “available” RAM was more than 50% and total RAM in use was around 34%.

        Here are the figures from just before rebooting today:

        RAM:
        Cached 7894
        Available 7951
        Free 102

        Processes:

        PM 451K
        svchost.exe 417K

         

        The hosts file is less than half a megabyte in size (445KB, IIRC).

         

        • #234402 Reply

          satrow
          AskWoody MVP

          What does TaskMan’s Performance tab show for Kernel Memory Paged/Non-Paged?

          • #234409 Reply

            Cybertooth
            AskWoody Lounger

            Right now, shortly after the reboot, it says:

            Paged   312

            Nonpaged   148

            This could serve as a reference point as we march toward the next reboot.  🙂

             

            • #234410 Reply

              satrow
              AskWoody MVP

              That looks fine.

              What Extensions are you using in Pale Moon?

              What sites does it have loaded now and have you had GMail loaded in it during this session?

            • #234437 Reply

              Cybertooth
              AskWoody Lounger

              @satrow, I have one DuckDuckGo search-engine results page and 7 AskWoody tabs open.  😉  That’s in preparation to do October’s Group B updates, including the SSU that has to be done first.

              The PM extensions are Encrypted Web 5.1.5 and uBlock Origin 1.14.23b12.

              I don’t use GMail. In fact, I don’t do e-mail on this computer at all.

               

            • #234450 Reply

              satrow
              AskWoody MVP

              The most recent uBlockO for Pale Moon is the firefox-legacy-1.16.4.5, you might want to install ublock0-updater to keep it updated.

              I’m pretty sure Encrypted Web is no longer supported, an alternative might be HTTPS Always if you want to keep forcing https (PM would normally get the https site versions anyway, sites that don’t have, or need, https would fail if you force https). HTTPS Always is available here.

              1 user thanked author for this post.
            • #234464 Reply

              Cybertooth
              AskWoody Lounger

              Huh, when I open the add-ons page and click on “check for updates,” PM tells me none were found. I’ll try the alternative method you offered.

               

    • #234421 Reply

      Sessh
      AskWoody Lounger

      > Hi, A couple of software related thoughts. I’ve had issues in the past with using too large a .hosts file – is it possible to change back to the 1k older version that would have been saved as a backup and test?

      Interesting addition and something I had forgotten about. Before I adopted much of Noel’s security strategy and was tinkering around with things, I first tried a large hosts file. I don’t recall how large it was exactly, but it was big. I had to ditch that strategy quickly because with the large hosts file, the internet took a few minutes to start working after a reboot and there was extra CPU usage. It was so long ago and such a brief experiment that I don’t recall more details, though. As soon as I put back the default hosts file, the problem immediately resolved. Apparently, Windows doesn’t like hosts files that are too large. I don’t know if that could cause your issues, though.

      I’m trying to recall if I had system slowdown during those few minutes with the internet not turning on. I can’t say for sure there wasn’t. Not much help. 🙂

      • This reply was modified 1 day, 14 hours ago by  Sessh.
      • #234434 Reply

        satrow
        AskWoody MVP

        As stated above, I use a large hosts file (now 19MB) with DNScache disabled and can log into Steam and then join an online game inside 90 seconds of Windows(7) starting up, similar with web browsing. I doubt that a 0.5MB hosts file would have a noticeable impact.

        I do run a streamlined Windows though and I try to keep reboots to a minimum – the last restart was in August:

        80DayUptime

        1 user thanked author for this post.
    • #234454 Reply

      GoneToPlaid
      AskWoody Lounger

      Hi Cybertooth,

      I really think that a Speccy output TXT file would help us get a handle on your computer’s issues. Things we need to see are what services are enabled or disabled, what the running processes are, and what is shown under the Network section in the generated TXT file from Speccy. Instructions for removing confidential information from Speccy’s generated TXT file, and an example, are in the “Speccy — How to sanitize its output TXT file” folder on my Dropbox. Here is the link:

      https://www.dropbox.com/sh/ohvcinlscjvq6i5/AABwVmnwfFhw0fdtPBWsYmAba

      Best regards,

      –GTP

       

      • #234463 Reply

        satrow
        AskWoody MVP

        Doesn’t the online (Published output) sanitise them and make them a lot more accessible than a plain txt file output? Maybe you could run a test?

        • #234487 Reply

          GoneToPlaid
          AskWoody Lounger

          I just tried Speccy’s Publish feature. I wish that I had not since the Publish feature does a poor job of sanitizing potentially sensitive information.

          Only directly under Operating System, this information is removed:

          — Computer type: Desktop
          — Installation Date: 02/28/2014 07:51:07 AM
          — Serial Number:

          Only directly under Network, this information is removed:

          — IP Address– 192.168.XXX.XXX
          — Subnet mask– 255.255.255.0
          — Gateway server– 192.168.XXX.XXX
          — Preferred DNS server– XXX.XXX.XXX.XXX
          — Alternate DNS server– XXX.XXX.XXX.XXX
          — DHCP– Enabled
          — DHCP server– 192.168.XXX.XXX

          Speccy’s Publish feature does not remove:

          — My name which is part of USERPROFILE.
          — Computer name, netbios name, dns name and domain name.
          — The serial numbers of my RAM or hard drives.
          — Additional entries which list the local IP addresses or the IP addresses for the gateway, dhcp and dns servers.
          — Network share names which may be confidential.
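
          The items listed above as surviving the Publish feature can be redacted locally before a report is shared. The following is an added example, not part of the original post and not Speccy's or GoneToPlaid's own procedure: the sample report and its layout are constructed (the real Speccy TXT layout may differ), and the names `sanitize_report` and `find_leaks` and the placeholder tokens are assumptions.

```python
import re

# Constructed sample, NOT real Speccy output. Field names follow the post above.
SAMPLE_REPORT = """\
Operating System
    Computer type: Desktop
    Serial Number: ABCDE-12345-FGHIJ
    USERPROFILE: C:\\Users\\JaneDoe
    LOGONSERVER: \\\\JANE-PC
    Computer Name: JANE-PC
        NetBIOS Name: JANE-PC
        DNS Name: jane-pc.example.lan
        Domain Name: example.lan
RAM
    Serial Number: 0x1A2B3C4D
Network
    IP Address: 192.168.1.23
    Gateway server: 192.168.1.1
    Subnet mask: 255.255.255.0
    Network Shares
        Payroll$: D:\\Finance\\Payroll
    Adapter route: 192.168.1.23 via 192.168.1.1
"""

# Labels whose values identify the machine or its hardware (assumed "Label: value" layout).
SENSITIVE_LABELS = ("Serial Number", "Computer Name", "NetBIOS Name", "DNS Name", "Domain Name")
LABEL_RE = re.compile(
    r"^(?P<lead>[ \t]*(?:%s)[ \t]*:[ \t]*)(?P<value>\S.*)$"
    % "|".join(re.escape(label) for label in SENSITIVE_LABELS),
    re.IGNORECASE | re.MULTILINE)
# The account name is the path component after <drive>:\Users\.
PROFILE_RE = re.compile(r"(?P<root>[A-Za-z]:\\Users\\)(?P<user>[^\\\s:]+)", re.IGNORECASE)
# Dotted quads. A four-part version string such as 10.0.1.5 is also caught;
# over-redaction is the safe direction for a report that leaves the machine.
IPV4_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")


def sanitize_report(text):
    """Return (sanitized_text, secrets); secrets are the strings that were redacted."""
    # Pass 1: learn which strings are sensitive from the fields that declare them.
    secrets = {m.group("value").strip() for m in LABEL_RE.finditer(text)}
    secrets |= {m.group("user") for m in PROFILE_RE.finditer(text)}

    # Pass 2: redact the declaring fields themselves.
    text = LABEL_RE.sub(lambda m: m.group("lead") + "[REDACTED]", text)
    text = PROFILE_RE.sub(lambda m: m.group("root") + "[USER]", text)

    # Pass 3: redact the same strings wherever else they recur (UNC paths,
    # environment variables). Longest first so a hostname inside an FQDN does
    # not leave fragments; very short values are skipped to avoid shredding
    # unrelated text and are left for find_leaks() to report.
    for value in sorted(secrets, key=len, reverse=True):
        if len(value) >= 4:
            text = re.sub(re.escape(value), lambda m: "[REDACTED]", text, flags=re.IGNORECASE)

    # Pass 4: drop every entry nested under a "Network Shares" heading.
    out, share_indent = [], None
    for line in text.splitlines(True):
        indent = len(line) - len(line.lstrip())
        if share_indent is not None and line.strip() and indent > share_indent:
            secrets.add(line.strip().split(":", 1)[0])
            line = " " * indent + "[SHARE REDACTED]" + ("\n" if line.endswith("\n") else "")
        else:
            share_indent = indent if line.strip().lower() == "network shares" else None
        out.append(line)
    text = "".join(out)

    # Pass 5: replace each address with a stable alias so a helper can still
    # see which fields share an address (e.g. gateway == DHCP server).
    aliases = {}

    def alias(match):
        ip = match.group(0)
        octets = [int(part) for part in ip.split(".")]
        if max(octets) > 255 or octets[0] in (0, 127, 255):
            return ip  # not an address, or a netmask/loopback that identifies nothing
        secrets.add(ip)
        return aliases.setdefault(ip, "IP-%d" % (len(aliases) + 1))

    return IPV4_RE.sub(alias, text), secrets


def find_leaks(sanitized, secrets):
    """Return the secrets still present in the sanitized text; share only if empty."""
    lowered = sanitized.lower()
    return sorted(s for s in secrets if s.lower() in lowered)


if __name__ == "__main__":
    clean, found = sanitize_report(SAMPLE_REPORT)
    print(clean)
    print("Remaining leaks:", find_leaks(clean, found))
```

          Running `find_leaks` on the result before posting is the step that catches a value the patterns missed, such as a computer name too short for the global pass.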

          • #234495 Reply

            satrow
            AskWoody MVP

            So the only ‘sensitive’ info needs physical access to the PC to make any profit from it?

    • #234519 Reply

      anonymous

      Hello CyberTooth, I (we) see you are having sluggish issues with your Windows 7. I admit I have not read every single post here, but would like to try and help.

      GoneToPlaid you are doing great.

      CyberTooth, GTP, and others, You might want to look at the below ideas to consider.

      Have you tried Safe Mode with Networking?

      Go to msconfig.exe (System Configuration Utility) and start the computer in selective startup mode with all services except Microsoft services disabled.
      https://support.microsoft.com/en-us/help/331796/perform-a-clean-startup-to-determine-whether-background-programs-are-i

      Look at Process Explorer from Sysinternals.
      https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

      Have you opened the PC to see if the motherboard has any bulging capacitors? I know you put in an SSD but did you look?

      Satrow is right about a large Hosts file. With Windows XP, Vista, and 7 a Hosts file over 200 or 300K could greatly slow down browsing if DNS Caching service is left on. This may help. http://winhelp2002.mvps.org/hosts.htm

      Removal of Norton was a good idea.

      I hope you find it. Please keep us posted here for when you do find a solution.

      A windows 7 user.

      2 users thanked author for this post.
      • #234570 Reply

        Cybertooth
        AskWoody Lounger

        Booting into Safe Mode and checking the capacitors are good ideas.

        If and when a new reboot is needed, I’ll open up the case and look for bulging caps.

        The drawback of Safe Mode is that the computer will need to operate in that reduced capacity for a long while, given that the issue doesn’t crop up right away. Still, it may be worth a shot if nothing else ends up working. Thanks for the idea.

         

    • #234527 Reply

      Mr. Natural
      AskWoody Lounger

      Did anyone mention “ipconfig /flushdns”? Clearing all temporary internet files in any browser used.

      1 user thanked author for this post.
      • #234569 Reply

        Cybertooth
        AskWoody Lounger

        Just did that now, thank you.

        Let’s see what happens.

         

    • #234537 Reply

      anonymous

      Cybertooth.

      In your most recent post above quoting numbers you are still referring to svchost as a single entity, so I take it that you have not yet split the 5 suspect services into separate processes (separate svchosts) as I have suggested previously to try to narrow down which of the 5 services is causing the problems?

      In the meantime you could check to see which of the 5 are actually running and possibly restart each in turn to see if RAM is released which might indicate the suspect service. (To see the services details either type “services.msc” in the start menu Run box or in Task Manager in the “Services” Tab select the “Services” button. This being “Windows” there will be other ways to achieve the same effect!)

      For example on my W7 PC at present, of the 5 services you list in the suspect “Network Services svchost”, I only have “Cryptographic Services (CryptSvc)” and “Network Location Awareness (NlaSvc)” with startup type “Automatic” and running. The other 3 “DNS Client (Dnscache)”, “Workstation (LanmanWorkstation)” and “Telephony (TapiSrv)” have startup type “Manual” and are not running (nothing has triggered them to start). (This is a simple PC connected to the internet via a router and cable modem using an Ethernet cable and not in a LAN connected to other PCs, servers, network printers etc.)

      On the Pale Moon (PM) side of things, I assume that you have add-ons (isn’t that why people continue with forks from older versions of Firefox – their preference for the more flexible, old-style add-ons?). Have you tried running PM with add-ons disabled to see if the problem is in the core PM or with its add-ons? (I assume PM has retained the Firefox “restart with add-ons disabled” option under the Help drop-down menu?) If it is with an add-on, you would need to work out which and possibly remove it.

      Have you tried re-installing PM from scratch in case it has become corrupted during an update? You may want to save your current configuration before uninstalling to save time after re-installing and there is/was a small utility called “pmbackup.exe” to do this. (It is possible to backup/restore configuration manually by copying some folder(s) and copying back later, but without checking I don’t know which folder(s) it is and I believe “pmbackup” does this anyway.)

      A more left-field idea: From memory I believe that you have BitDefender AV? Although this rates well in performance I have been put off trying it for long because it does not (or did not when I looked at it) allow much user control. Is it possible that it has identified something it believes is/was a threat of some kind and quarantined it without informing you (as a mere user) and might this missing thing be causing you problems? It might be worth checking the BitDefender “Quarantine” (or whatever it may be called) if it lets you and if there is something there get a 2nd opinion about it using something like “Virus Total” just in case it is a false positive. (I use Panda and Avira AVs and both give indications of what they are doing and allow exceptions to be set for false positives. I don’t like to be kept in the dark.)

      HTH. Garbo.

      1 user thanked author for this post.
      • #234550 Reply

        OscarCP
        AskWoody Lounger

        Anonymous #234537: “Have you tried re-installing PM from scratch in case it has become corrupted during an update? You may want to save your current configuration before uninstalling to save time after re-installing and there is/was a small utility called “pmbackup.exe” to do this.”

        Wouldn’t the creation of a restore point before reinstalling PM achieve the same thing? (Control Panel/System/ Security)

        • #234571 Reply

          anonymous

          Why would Cybertooth want to “restore”?

          What I was thinking, but did not explain clearly enough, was saving configuration for later, completely uninstalling PM e.g. using Revo Uninstaller or something similar to clean as much as possible (and maybe even searching the folder structure and/or Registry for further remaining stuff which Revo may have missed, but only if Cybertooth has confidence to do this), before installing the latest PM with as little as possible of its earlier installation still there and then putting back the saved configuration. If Cybertooth is prepared to spend the extra time it would be cleaner to set all of the configuration settings again from scratch in case these settings are to blame in some way, but it is possible that he has forgotten all of the changes made previously.

          More generally I don’t use restore points myself so I don’t know how complete they are. After no more than a ~50% successful restoration rate with Windows built-in backup and restore mechanism in the past I prefer to do manual backups using non-Microsoft means. (I needed to restore a PC and after finding that the most recent backup I wanted to restore failed, I spent a dreary weekend working through about 12 backups I had squirrelled away and only about half would restore. In the end the 3rd most recent backup was the most recent that would actually restore. Not good!) In fact I prefer to keep my Microsoft footprint as small as possible.

          Garbo.

           

          • #234609 Reply

            OscarCP
            AskWoody Lounger

            Garbo,

            Thanks for explaining the uses of the utility program Revo Uninstaller.

            I mentioned using restore points to get the system back to its previous state at the time the restore point is created, because that has saved me some trouble in the past and caused me no problems. Using one of them also restores applications that have been updated after the creation of that restore point, to their state before those updates, so the updates become once more available to install, or are installed automatically again, depending on the settings one has chosen for that.

            So, if Cybertooth, let us say, decides to first remove and then reinstall PM and before doing any of that creates a restore point, i.e. before removing PM, if there is any problem afterwards he can get back where things were before he removed PM, leaving him neither better nor worse than before doing that. Of course, this can be also a way to prevent lasting problems after patching or making any other change of some significance to the PC software, if something then goes wrong.

            I also do not use the Windows back up feature, but do it by hand to an external disk. More as a matter of habit than for any more practical reason.

      • #234574 Reply

        Cybertooth
        AskWoody Lounger

        Garbo, thanks for reminding me of that idea to isolate the several svchost.exe processes. Because that was quite a number of posts ago, I’m putting the link in here as a more current memo to try that, assuming that the issue persists.

        Regarding Pale Moon, the monitoring suggests a much slower increase in RAM use by PM as compared to svchost.exe, and in any case when the PC turns into a snail there’s still plenty of RAM left overall. But again, as when you can’t find the lost keys or phone in the “logical” places, it’s time to start looking in less likely-sounding places.

        At your suggestion, I checked the BitDefender quarantine and (fortunately) there isn’t anything in there. I would have never thought of doing this had you not mentioned it!

         

        • #234579 Reply

          GoneToPlaid
          AskWoody Lounger

          Hi Cybertooth,

          That’s the thing. When PM is just sitting there (perhaps on Google’s search page) the memory of PM and svchost shouldn’t be slowly increasing. We all are guessing that it is PM. I suggest closing all web browsers, and then watch the instances of svchost for a while to see if their memory usage creeps upward. It shouldn’t. 20 minutes should tell you all you need to know.

          Best regards,

          –GTP

           

          • #234603 Reply

            Cybertooth
            AskWoody Lounger

            Well, it wasn’t 20 minutes, but svchost.exe RAM usage when I closed PM 2.5 hours ago was 160,508 KB, whereas currently it’s at 192,084 KB. No browsers were open during that time.

            With any luck, this will yield useful clues.

             

            • #234606 Reply

              GoneToPlaid
              AskWoody Lounger

              Well, that ain’t right. The memory consumed by the svchost processes shouldn’t be growing. The upshot is that the issue is not with your web browsers. Instead, it has to be with Windows itself or installed software.

              I have 14 copies of svchost.exe running on my primary Win7 computer, and their memory consumption does not grow over time.

              1 user thanked author for this post.
            • #234608 Reply

              Cybertooth
              AskWoody Lounger

              Two further hours later, svchost.exe is up to 215,576KB. Although I do have several PM tabs open now, so it’s not a direct comparison.

              As far as I can tell, “svchost.exe (Network Service)” is the only element of svchost.exe whose RAM usage grows over time. Maybe it’s time to apply Garbo’s idea of breaking svchost.exe out into its various components, even at the cost of delaying the next episode of sluggishness.

              FWIW, this PC is on a LAN with several other computers linked via a FiOS router that also handles telephone and TV service.

               

            • #234645 Reply

              satrow
              AskWoody MVP

              Enable the Peak Working set column to see what’s growing/shrinking over time. I have 3x svchosts that have a noticeably larger Peak than they do Current.

        • #234602 Reply

          anonymous

          I like the idea that the browser is where we detect the symptom of delay, but may not be the cause of delay. In the spirit of GoneToPlaid’s suspect elimination effort. If the creep continues, isolate the system from the internet for an additional observation period. I would expect no change, but it proves the issue is local and gives protection for the next step. If the creep continues, turn off or disable the Active or other “live” function of Bitdefender for another observation period.

          I continue to suspect leftover Norton pieces, despite actions to eliminate them. Bitdefender may be tripping over these without having something to quarantine. This would not be a flaw in Bitdefender as it would be accurately identifying code that has suspicious privileges without an associated program. I have known people to resort to a system clean install because they blamed incomplete removal of an uninstalled antivirus.

          Of course if you eliminate browsers, traffic, and antivirus and still see the creep we need another idea. My next would be back to the graphics processor, because the delay seems independent of the CPU use. The system could be waiting on delay from the GPU.

          More ideas for the mix.

          1 user thanked author for this post.
          • #234628 Reply

            Cybertooth
            AskWoody Lounger

            All right, I’m disconnecting the Ethernet cable from this PC when I go to bed tonight, then check the svchost.exe RAM usage in the morning.

            Regarding the possible presence of Norton remnants, maybe I can go into the Registry and search for them.

             

          • #234702 Reply

            Cybertooth
            AskWoody Lounger

            Eleven hours after unplugging the Ethernet cable, RAM usage by svchost.exe is at 252,604KB. I had left it last night at 241,836KB.

            The level continued to climb overnight, but at a much slower rate than when the Ethernet cable is plugged in.

            In the couple of minutes since I re-connected the PC to the Internet, that number has gone to 254,972KB.

             

            • This reply was modified 12 hours, 57 minutes ago by  Cybertooth.
            • This reply was modified 12 hours, 53 minutes ago by  Cybertooth.
            • #234726 Reply

              Microfix
              AskWoody MVP

              https://www.neuber.com/network-taskmanager/
              @cybertooth, bit of a stab in the dark here (pun not intended) but, see what you think of the above program, try online overnight and offline overnight.
              Compare the two results should show the culprit for ethernet traffic.

              | W8.1 Pro x64 | Linux x64 Hybrids | W7 Pro x64 O/L | XP Pro O/L
                No problem can be solved from the same level of consciousness that created IT - AE
              1 user thanked author for this post.
            • #234779 Reply

              Cybertooth
              AskWoody Lounger

              @microfix, thanks for the tip about this program.

              I downloaded, installed, and opened it, but I haven’t figured out yet how to get it to work. I’m at a popup that says, “Please wait. The computer names are being determined.” But nothing ever seems to actually get added to the list.

              Also tried the offered hint, entering this PC’s name… and it tells me that it was not found!?!

              I’m in a rush right now, was hoping that it would “just work.” Will have to sit down and read the documentation, bummer.  🙂

               

    • #234611 Reply

      GoneToPlaid
      AskWoody Lounger

      Hi Cybertooth,

      In Task Manager and when showing all processes for all users, how many instances of svchost.exe are running? Normally there should be several instances running. If not, then something is wrong.

      Hopefully now you see why we are shooting in the dark until you post a sanitized Speccy output.

      Best regards,

      –GTP

       

      • #234615 Reply

        Cybertooth
        AskWoody Lounger

        Right now there are 14 svchost.exe processes listed in Task Manager: 5 with a “User Name” of SYSTEM, 7 are LOCAL SERVICE, and 2 are NETWORK SERVICE. Of all these, the only one whose RAM usage cracks 100,000KB is the branch of Network Service we’ve mentioned before; the next biggest one (at 86,000KB but apparently steady) is running under SYSTEM and is associated with a slew of services including Windows Update.

        I’ll think some more about Speccy.

         

        • This reply was modified 1 day, 1 hour ago by  Cybertooth.
        • This reply was modified 1 day, 1 hour ago by  Cybertooth.
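Added example (not part of any poster's reply): a Python script that reads saved `tasklist` CSV snapshots, finds the svchost.exe instance whose memory grows steadily, and lists the services it hosts. The PIDs, the two steady processes and the 1 MB/hour threshold are constructed assumptions; the readings for the growing process are the ones posted in this thread.

```python
import csv
import io
import re

# Constructed sample of `tasklist /svc /fo csv` output; the PIDs are made up.
SVC_CSV = '''"Image Name","PID","Services"
"svchost.exe","812","DcomLaunch,PlugPlay,Power"
"svchost.exe","1024","BITS,Schedule,wuauserv"
"svchost.exe","1180","CryptSvc,Dnscache,LanmanWorkstation,NlaSvc,TapiSrv"
'''

HEADER = '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
ROW = '"svchost.exe","{}","Services","0","{} K"\n'
# Constructed snapshots of `tasklist /fo csv /fi "imagename eq svchost.exe"`,
# as (hours since first sample, CSV text). PID 1180 carries the thread's readings.
SNAPSHOTS = [
    (0.0, HEADER + ROW.format(812, "9,412") + ROW.format(1024, "86,000")
          + ROW.format(1180, "160,508")),
    (2.5, HEADER + ROW.format(812, "9,388") + ROW.format(1024, "86,000")
          + ROW.format(1180, "192,084")),
    (4.5, HEADER + ROW.format(812, "9,520") + ROW.format(1024, "86,000")
          + ROW.format(1180, "215,576")),
]


def parse_services(text):
    """Map PID -> list of service names hosted in that process."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Services"].split(",") for r in rows}


def parse_mem(text):
    """Map PID -> memory in KB (drops the separator and the ' K' suffix)."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): int(re.sub(r"\D", "", r["Mem Usage"])) for r in rows}


def find_growing(snapshots, services, min_kb_per_hour=1024):
    """Return processes whose memory never drops between samples and whose
    average growth meets the threshold, fastest first."""
    series = {}
    for hours, text in snapshots:
        for pid, kb in parse_mem(text).items():
            series.setdefault(pid, []).append((hours, kb))
    report = []
    for pid, points in series.items():
        kbs = [kb for _, kb in points]
        elapsed = points[-1][0] - points[0][0]
        if elapsed <= 0 or any(b < a for a, b in zip(kbs, kbs[1:])):
            continue  # single sample, or memory was released at some point
        rate = (kbs[-1] - kbs[0]) / elapsed
        if rate >= min_kb_per_hour:
            report.append({"pid": pid, "kb_per_hour": round(rate),
                           "services": services.get(pid, [])})
    return sorted(report, key=lambda r: -r["kb_per_hour"])


if __name__ == "__main__":
    for entry in find_growing(SNAPSHOTS, parse_services(SVC_CSV)):
        print(entry)
```

A PID changes when a service host is restarted, so snapshots taken across a reboot or service restart should be analysed as separate runs.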
    • #234623 Reply

      Lars220
      AskWoody Lounger

      I also have 14 instances of svchost.exe running when Show processes for all users is clicked, while in Task Manager at the top menu “View” click to set view to see the options to “Select Columns” = open that small window, scroll down near bottom and put a check mark in box for “Command Line”, on my list it is the fourth from bottom. Then you may have to adjust the horizontal scroll bar at bottom of Task Manager to see the Programs  or Services that are related to each ‘svchost.exe’ entry. Maybe this will help us determine what is the problem child. Also you can move the column headings left and right to move un-needed information to the far right off the screen like. Otherwise maybe uncheck un-needed columns for the time being. Hope This Helps. HTH = had to check Microfix’s Acronyms list, thanks Microfix. (duh)

       

      1 user thanked author for this post.
      • #234626 Reply

        Cybertooth
        AskWoody Lounger

        @lars220, I added the Command Line column to Task Manager and the command associated with “svchost.exe (Network Service)” is:

        svchost.exe -k NetworkService

        Incidentally, RAM usage by that process is now at 238,640KB. Not a whole lot in the bigger scheme of this PC, but for my money that’s where the problem lies.

         

    • #234633 Reply

      Lars220
      AskWoody Lounger

      I am going to bookmark some links here concerning “svchost.exe -k NetworkService” for future reference and will read sometime later;

      https://www.ghacks.net/2008/08/29/svchost-viewer/

      https://archive.codeplex.com/?p=svchostviewer

      https://superuser.com/questions/91867/how-do-i-troubleshoot-high-svchost-exe-usage-in-windows-7

      https://www.sevenforums.com/general-discussion/369517-svchost-exe-netsvcs-draining-all-my-memory.html

      That last link has 12 pages and will take some time. I’ll be back, later …

      1 user thanked author for this post.
    • #234730 Reply

      BrianL
      AskWoody Lounger

      I have the same sluggish problem. I am running a 2009 HP Pavilion P6000 series with a 1TB HHD, and Win 7 Home Premium 64bit, AMD quad core processor, 6 GB Memory. Is there no clear cut answer?

      • #234826 Reply

        Cybertooth
        AskWoody Lounger

        @brianl, I’m afraid that the answer is definitely not clear-cut.  🙂  In fact, troubleshooting this issue has been frustrating as all heck, as well as time-consuming.

        But now that so much work has been done here by so many knowledgeable people, maybe your issue can be dealt with more quickly. (Fingers crossed.) Please try the Svchost Process Analyzer that I mentioned in my post below and see what it tells you.

        You can also try the Network Task Manager that @microfix recommended above and maybe you’ll have better luck with it.

         

        • #234844 Reply

          GoneToPlaid
          AskWoody Lounger

          I have to ask both of you if last year you both ever installed the malware infected CCleaner version ccsetup533 which was infected with Trojan.floxif. I did, and I got hit with a secondary payload which nothing could detect, except for GMER which when repeatedly run, would occasionally show unnamed threads which were running.

    • #234822 Reply

      Cybertooth
      AskWoody Lounger

      https://www.neuber.com/network-taskmanager/ @cybertooth, bit of a stab in the dark here (pun not intended) but, see what you think of the above program, try online overnight and offline overnight. Compare the two results should show the culprit for ethernet traffic.

      Several hours later, the Network Task Manager never did find any computers to analyze, even this one where it was running.

      However, the original link was not for naught. After poking around a bit on that website, I found the Svchost Process Analyzer, which yielded the following results:

      Svchost-process
      The service name for the first item in the lower pane (leftmost column) is “Win HTTP Web Proxy Auto-Discovery Service,” and the display name (second column) is “WinHttpAutoProxySvc.”

      Maybe this provides some useful clues?

       

      • #234838 Reply

        GoneToPlaid
        AskWoody Lounger

        Naw. I ran the Svchost Process Analyzer and got the exact same two results as well, so that ain’t it. A Speccy output would really be helpful!

    • #234880 Reply

      Lars220
      AskWoody Lounger

      svchost-k-netsvcs

      I read through the bookmarked links I posted above, but did not find anything conclusive. I think GoneToPlaid’s request for a sanitized “Speccy” report may be our next best path forward? In reviewing Garbo’s post # 234537 above  https://www.askwoody.com/forums/topic/windows-7-pc-gets-very-sluggish/#post-234537  – I suggest disabling the Services for the related svchost.exe -k Network Service. In Task Manager Process tab, I right-clicked that process, and then selected Go to Service(s) for the ScreenShot that I will try to post here: