1

I have an odd problem. I have a farm of 8 Citrix terminal servers, running Server 2003 Std x86. The hardware on all servers is identical and all servers were built from the same image. Late last week, one the servers started having a problem where any file, when opened by double-clicking, seems to lock explorer.exe for about 2 minutes (I've timed it multiple times, anywhere from 2:09 to 2:40) after which point the file eventually opens. The file can be .txt, .doc, .xls, .jpg, etc. HOWEVER, if I open the required program first (notepad, Excel, whatever) and go to File/Open the file opens without incident.

I've tried running ProcessMonitor while the explorer 'lock' is occurring and I can't find a smoking gun (it's possible that it's there, but with 18,000+ lines it'll take a while to track it down even using filters).

I've started the server in Safe Mode and files open normally (without the lock). Subsequently I've tried stopping every service I can (while started normally) without success.

I've uninstalled AV (Symantec EAP 11) without any positive impact. The event logs are clean and none of the other servers are experiencing this problem.

Does anyone have any thoughts?

squillman
  • 37,618
  • 10
  • 90
  • 145
random.value
  • 21
  • 2

3 Answers3

1

Okay, I figured it out and thought I'd post the answer here in case anyone finds this post thought a search.

Last week I replaced Adobe Reader on the Citrix farm with Foxit Reader. Before doing so I did some testing using an old Citrix server that's not part of the production farm. At some point I noticed that the Foxit install just consisted of an execuatable, and you could click the executable from anywhere on the network. At some point I clicked on the Foxit executable from the server which later became inflicted with this problem.

Late last week that old Citrix (testing) server failed and it wasn't restarted.

Justin's comment to use Wireshark showed multiple attempts on the part of the afflicted server to contact the failed test server. I searched the registry for that servername and found that the open, print and printto registry keys set to the foxit executable on the failed test server, rather than the local copy of Foxit.exe These keys: HKEY_CLASSES_ROOT\Applications\Foxit Reader.exe\shell\open\command HKEY_CLASSES_ROOT\Applications\Foxit Reader.exe\shell\print\command HKEY_CLASSES_ROOT\Applications\Foxit Reader.exe\shell\printto\command

Changing these keys to point to the local copy of Foxit.exe fixed the problem. Thanks Justin, for pointing me in the right direction.

random.value
  • 21
  • 2
  • +1. Nice detective work. – joeqwerty Jan 19 '10 at 21:40
  • ah! I was so close :-) I'll have to remember to add "recently used applications" to the list of things that windows likes to cache on network drives. I've only ever seen this on mapped drives, but I suppose that is because unmapped UNC paths are not used much where I work. I take it that it was the UNC path that windows saved in the registry? – Justin Jan 20 '10 at 03:14
0

Every time I've seen explorer hang it was because of an inaccessible mapped drive.

Justin
  • 3,776
  • 15
  • 20
  • In this case, I'm testing by clicking a .txt file on the desktop of the local server admin. However, all of the mapped network drives are accessible. – random.value Jan 18 '10 at 21:07
  • 1
    Can you run wireshark to see if it could be a network thing? If it is it should be easy to spot. I've seen the network drive issue break even "local" files because of things like 'recent files' being on the network drive. – Justin Jan 18 '10 at 23:52
  • I think you're onto something. I ran wireshark and found that the server in question had a couple of bogus DNS entries (which I cleaned up, but that didn't fix the problem). However, when I disabled the NIC, files opened normally. I uninstalled/reinstalled the network adapter to no effect. I'm set to try another round of Wireshark. I'll report back if I find anything. – random.value Jan 19 '10 at 16:24
0

I would disable the Netbios protocol altogether (temporarily ) and see if that improves performance. By removing the protocol completely, you can narrow down the problem. Also, disabling the network adapter (temporarilty) would accomplish the same thing probably.

djangofan
  • 4,172
  • 10
  • 45
  • 59