
high CPU usage - not malware

Discussion in 'Windows OS' started by 2kg4u, Jul 15, 2007.

  1. 2kg4u Newcomer, in training Posts: 46

    network connections

    LookinAround,

    No, I haven't tried disabling the network connection, but I did disconnect the cable to the router. Didn't make a difference. I will try various things when I get home tonight.


    Roy
  2. 2kg4u Newcomer, in training Posts: 46

    TCPView

    LookinAround,

    I attached a TCPView text file taken with the computer at idle and no IE windows open. I don't know what to look for. Do you see anything out of line?

    Roy
  3. Gazington Newcomer, in training

    Hey there.

    This could be a long shot but it worked for me when I noticed my PC slowing dramatically and high CPU usage was the bane of my life:

    http://www.techspot.com/vb/topic79860-2.html

    It was nothing to do with malware, updates or any other such 'problem'. My PC had simply decided to change one of its most important settings!

    Got to be worth a try. If it's not your problem then good luck with finding out whatever is.

    G
  4. LookinAround TechSpot Chancellor Posts: 7,677   +39

    Nothing out of line, but

    1. When you said
      I wanted to make sure we're in sync with some terms we're using. As I recall, your previous data kept referencing explorer.exe (which is Windows Explorer) and not IE (Internet Explorer or iexplore.exe)
    2. Nothing stands out, but alg.exe is Application Layer Gateway. Would like to see you try running with ALG service disabled. What is it set at now? Do you use Windows Firewall or some other firewall? (better if not windows firewall).
      Do you have a simple computer -> router -> cable to/from Internet? Or different arrangement?
  5. 2kg4u Newcomer, in training Posts: 46

    Gazington, LookinAround, CCT

    Gazington,

    I hadn't read that article, but I had seen another that explained basically the same process. When I checked, I was already set to Ultra DMZ Mode 2. Thanks for the suggestion.

    LookinAround,

    Your assumption is correct. I understand that explorer.exe (which is the process using high CPU) is Windows Explorer, which manages desktop functions, as opposed to IE or iexplore.exe, which is the internet browser. The only reason I mentioned IE in my post was because I provided a log from TCPView which would have shown an entry if IE was running, so I told you it was not.

    I disabled the Application Layer Gateway service, rebooted, and there is no noticeable effect on CPU usage. It is still showing explorer.exe at 8% and taskmgr.exe at 3%. I will now re-enable ALG.

    This computer is a desktop, and is set up right next to my wireless router. It is hard wired from a port on the wireless router to an ethernet port on the desktop. I am hard wired from the ISP modem to the wireless router to this computer. All the other computers in the house are wireless, this one is not.

    I am currently using the Windows firewall. I used Zone Alarm for a few weeks and found it intrusive. I can try switching back to Zone Alarm if you think that would help, but I don't think that decision is related to the CPU usage problem.

    CCT,

    Did you see my previous note where after selectively shutting down all services, the only one that made a significant difference was Network Connections? When I shut that down, explorer.exe CPU usage dropped from 9% to 2%.

    Thanks everyone for all your suggestions. Even the ones that don't improve the CPU usage situation are teaching me a lot about my puter.

    Roy
  6. LookinAround TechSpot Chancellor Posts: 7,677   +39

    Am just running out so just a quick note...

    1. Have you verified the versions you're running of the two dll's noted for explorer?... something like schwap.dll and stobject i mentioned in prior post

    2. if u felt like doing the event log clear/reboot/etc., save and post the .evt files for Application and System (note this was edited to fix Security should say System) i'd take a look when back home later

    3. the questions on firewall, router connection had to do w/whether you could just leave ALG disabled but not an issue now as you said you tried it when disabled and no diff.
     
  7. 2kg4u Newcomer, in training Posts: 46

    LookinAround

    SHLWAPI.dll is in the windows\system32 directory, is 463 kb, was created on August 4, 2004, and was modified on April 18, 2007. The file version is 6.0.2900.3121. Is it suspicious this file was modified in 2007?

    stobject.dll is in the windows\system32 directory, is 119 kb, was created on August 4, 2004, and the modification date also shows August 4, 2004. The file version is 5.1.2600.21800.

    I cleared the event logs, rebooted, played around with Process Explorer a little, then ran Event Log Explorer. There are no events under Application, Security or System other than information events.

    I am really suspicious of that April 2007 modification of SHLWAPI.dll. I am going to look for a known legitimate version on the web and download it. I won't install it until I have your comments.

    Roy
  8. LookinAround TechSpot Chancellor Posts: 7,677   +39

    Interesting....

    I am using SHLWAPI.DLL 6.0.2900.2995 last modified Sept, 2006

    but don't try to change it yet until we figure out what's going on/why is different (it may just be one file of a set of things need occur, for example)

    fyi. i apply MS updates unless they sound useless for my configuration. so do want to see why you might be more recent than mine (or if it's bogus)
  9. LookinAround TechSpot Chancellor Posts: 7,677   +39

    Are you using Internet Explorer 6???? At least i know where your dll came from then. Tho it's a good suspect to pursue still don't know if that's your issue yet or not. Does the KB below show up in add/remove (be sure to check Show Updates at the top)? If so try uninstalling it.

    I may not be back at my computer for awhile... but will check back in when i can.

    btw, you can't simply overwrite a .dll (if that's what you were thinking). Don't know if you're familiar with SFC? System File Checker? it will keep putting the system version back.

    windowsxp-kb933566-x86-enu.exe
    Affected products and service packs:

    Internet Explorer 6
    - Windows XP Service Pack 2
    4.4 MB

    File Changes:

    file new date new version
    %winsys%\shlwapi.dll 2007-04-18 6.0.2900.3121
    %winsys%\browseui.dll 2007-04-18 6.0.2900.3121
    %winsys%\cdfview.dll 2007-04-18 6.0.2900.3121
    %winsys%\dxtmsft.dll 2007-04-18 6.3.2900.3121
    %winsys%\dxtrans.dll 2007-04-18 6.3.2900.3121
    %winsys%\extmgr.dll 2007-04-18 6.0.2900.3121
    %winsys%\iepeers.dll 2007-04-18 6.0.2900.3121
    %winsys%\inseng.dll 2007-04-18 6.0.2900.3121
    %winsys%\jsproxy.dll 2007-04-18 6.0.2900.3121
    %winsys%\mshtml.dll 2007-05-04 6.0.2900.3132
    %winsys%\mshtmled.dll 2007-04-18 6.0.2900.3121
    %winsys%\msrating.dll 2007-04-18 6.0.2900.3121
    %winsys%\mstime.dll 2007-04-18 6.0.2900.3121
    %winsys%\pngfilt.dll 2007-04-18 6.0.2900.3121
    %winsys%\shdocvw.dll 2007-04-18 6.0.2900.3121
    %winsys%\urlmon.dll 2007-04-18 6.0.2900.3121
    %winsys%\wininet.dll 2007-04-18 6.0.2900.3121
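
Added example, not part of the thread or written by any poster: a PowerShell check that compares the versions of the files on disk with the KB933566 "File Changes" rows quoted in the post above, instead of judging a DLL by its modification date. It assumes `%winsys%` means `%SystemRoot%\System32`; the function name `Compare-KbFileVersion` is hypothetical.

```powershell
# Added example, not from the thread: compare on-disk file versions with the
# KB933566 "File Changes" rows quoted in the post above (pasted verbatim).
$kbFileList = @'
%winsys%\shlwapi.dll 2007-04-18 6.0.2900.3121
%winsys%\browseui.dll 2007-04-18 6.0.2900.3121
%winsys%\cdfview.dll 2007-04-18 6.0.2900.3121
%winsys%\dxtmsft.dll 2007-04-18 6.3.2900.3121
%winsys%\dxtrans.dll 2007-04-18 6.3.2900.3121
%winsys%\extmgr.dll 2007-04-18 6.0.2900.3121
%winsys%\iepeers.dll 2007-04-18 6.0.2900.3121
%winsys%\inseng.dll 2007-04-18 6.0.2900.3121
%winsys%\jsproxy.dll 2007-04-18 6.0.2900.3121
%winsys%\mshtml.dll 2007-05-04 6.0.2900.3132
%winsys%\mshtmled.dll 2007-04-18 6.0.2900.3121
%winsys%\msrating.dll 2007-04-18 6.0.2900.3121
%winsys%\mstime.dll 2007-04-18 6.0.2900.3121
%winsys%\pngfilt.dll 2007-04-18 6.0.2900.3121
%winsys%\shdocvw.dll 2007-04-18 6.0.2900.3121
%winsys%\urlmon.dll 2007-04-18 6.0.2900.3121
%winsys%\wininet.dll 2007-04-18 6.0.2900.3121
'@

function Compare-KbFileVersion {
    # Assumption: %winsys% means %SystemRoot%\System32.
    param([string]$FileList, [string]$SystemDir = (Join-Path $env:SystemRoot 'System32'))
    foreach ($line in ($FileList -split "`r?`n")) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -ne 3) { continue }   # skip blank or malformed rows
        $path = $fields[0].Replace('%winsys%', $SystemDir)
        $expected = [version]$fields[2]
        $actual = $null; $status = 'file missing'
        if (Test-Path -LiteralPath $path) {
            # Build the version from its numeric parts; the FileVersion string
            # can carry extra text after the number.
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            $actual = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            $status = 'older than KB list'
            if ($actual -gt $expected) { $status = 'newer than KB list' }
            if ($actual -eq $expected) { $status = 'matches KB list' }
        }
        [pscustomobject]@{ File = Split-Path $path -Leaf; ListedDate = $fields[1]
                           Expected = $expected; Installed = $actual; Status = $status }
    }
}

Compare-KbFileVersion -FileList $kbFileList | Format-Table -AutoSize
```

A row reported as "matches KB list" means the file carries the version this update ships, which accounts for a 2007 modification date on a file created in 2004.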
  10. LookinAround TechSpot Chancellor Posts: 7,677   +39

    Amazing what else one can find once knowing what to look for!

    The file date you see on that shlwapi.dll version .3121 is April 18, 2007 but it was just released as part of a cumulative install June 12, 2007! So the problem would have just started about 4 weeks back.
    MS07-033: Cumulative Security Update for Internet Explorer, KB933566

    Seems some people have crashed clicking on folders, some found installations won't work and/or TCP/IP port creation fails (you sure no entries appeared in that event log?)

    Maybe you had port creation problems as well. Like I had said other day, when i ran Process Monitor and looked for similar tcpip messages i was flooded with those messages tho still running normal. It sounds like maybe you had a tsunami and i couldn't tell from reading the post online!

    Hope this works for you.
  11. 2kg4u Newcomer, in training Posts: 46

    LookinAround

    I'm sorry I don't understand, but what is it you hope works for me?
    Are you telling me to load that security update?

    Roy
  12. LookinAround TechSpot Chancellor Posts: 7,677   +39

    No problem.

    I found
    1. Shlwapi.dll version 6.0.2900.3121 was released as part of a MS security update kb933566
    2. That particular update was packaged along with several other updates and released by MS mid-June as Cumulative.... (see post i made couple posts back)
    3. I'm pretty certain based on version number you downloaded and installed that Cumulative package (which includes kb933566). When u installed the cumulative you got that one which put the new .dll on your computer
    4. Still don't know that that particular version is your problem but i have seen others reporting problems (tho not same as yours) when installing that particular Cumulative patch
    5. So i think it's worth the try to remove the kb933566 update (which should revert the dll's it gave you) using Add/remove programs per my earlier post. Later should u want the patch reapplied, i would think you should find it on MS website, download it and reapply.
    In fact, would you say the problem might have first started mid-June?
  13. 2kg4u Newcomer, in training Posts: 46

    LookinAround

    Actually, I think I picked up that version when I recently ran the latest SP2 update for windows. I had read some threads that indicated SP2 fixed some issues related to high CPU usage, so I downloaded and installed the latest version. I already had SP2, but was unsure if there had been updates that would make it worthwhile to re-install it so I did. I had the high CPU usage problem prior to doing this.

    Roy
  14. LookinAround TechSpot Chancellor Posts: 7,677   +39

    First, so around when did your problem first start (as best you remember)?

    Second, the system spec you listed way back when is XP SP2 v5.1 build 2600 (which is typical). It was released Aug, 2004.
    • When you said
    • Are you saying you reinstalled SP2, the entire Operating System?? And the problem was there even before reinstalling the entire Operating System? Or you mean you reinstalled specific updates? you remember around when u did this by chance?
    • How do you typically look for SP2 updates? Do you use Windows Update (now Microsoft Update)? Do you do Express or do you do Custom Updates?
    You can see the what/when for each install by going to the windows or microsoft update page as usual. then click review update history u'll see on the left of the window