explorer.exe randomly hogging my CPU; any insight into this ProcessMonitor log?

4

My computer occasionally becomes terribly unresponsive. Opening Process Explorer reveals that it's explorer.exe hogging 100% of the CPU. I poked around until I found the thread id which was doing it, and monitored that thread with Process Monitor. There were many actions which the thread was attempting. Some of them resulted in "SUCCESS" and others resulted in "NOT FOUND". I have attached an Excel file with the logs, but I have also attached a screenshot with the actions and matching counts grouped/highlighted.

Any idea what this could be? I've run an AV scan (Microsoft Security Essentials), and it says I'm clean.

Log: https://www.dropbox.com/s/qk5y3hor4knsihh/processMonitor_Logfile.xlsx

screenshot

Per SLaks' question in the comments, Process Explorer shows the busy thread as SHLWAPI.dll; here is the stack: 

ntkrnlpa.exe+0x6ea6b
ntkrnlpa.exe!MmIsDriverVerifying+0xbde
hal.dll+0x2ef2
ntdll.dll!RtlConvertSidToUnicodeString+0xa3
ntdll.dll!RtlFormatCurrentUserKeyPath+0xdb
ADVAPI32.dll!ImpersonateLoggedOnUser+0x6e7
ADVAPI32.dll!ImpersonateLoggedOnUser+0x6a7
ADVAPI32.dll!ImpersonateLoggedOnUser+0x4ba
ADVAPI32.dll!ImpersonateLoggedOnUser+0x7e5
ADVAPI32.dll!ImpersonateLoggedOnUser+0x825
ADVAPI32.dll!RegQueryValueExW+0x8c
SHLWAPI.dll!Ordinal128+0x59
SHLWAPI.dll!SHRegGetValueW+0x16a
SHLWAPI.dll!SHRegGetValueW+0x9a
SHLWAPI.dll!SHQueryValueExW+0x20
SHELL32.dll!SHChangeNotifyDeregister+0xb5d
SHELL32.dll!SHChangeNotifyDeregister+0xe8e
SHELL32.dll!SHChangeNotifyDeregister+0xd26
SHELL32.dll!SHGetPathFromIDListW+0x16a
SHELL32.dll!ILRemoveLastID+0x1c3
SHELL32.dll!SHGetPathFromIDListW+0x8e
SHELL32.dll!SHGetPathFromIDListW+0x12
SHELL32.dll!OpenRegStream+0xc5d
SHELL32.dll!OpenRegStream+0xbbb
SHELL32.dll!SHGetRealIDL+0x2470
SHELL32.dll!Ordinal7+0x1a87f
SHELL32.dll!Ordinal7+0x1a8f8
SHELL32.dll!Ordinal7+0x1ba56
SHELL32.dll!ILFindLastID+0xbea
SHELL32.dll!ILSaveToStream+0x69a
SHELL32.dll!ILFindLastID+0xc96
SHELL32.dll!SHGetSpecialFolderLocation+0xddf
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd3d
SHELL32.dll!SHGetSpecialFolderLocation+0xa90
SHELL32.dll!Ordinal7+0x1b6e7
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd3d
SHELL32.dll!SHGetSpecialFolderLocation+0xa90
SHELL32.dll!Ordinal7+0x1b6e7
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd3d
SHELL32.dll!SHGetSpecialFolderLocation+0xa90
SHELL32.dll!Ordinal7+0x1b6e7
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd3d
SHELL32.dll!SHGetSpecialFolderLocation+0xa90
SHELL32.dll!Ordinal7+0x1b6e7
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd3d
SHELL32.dll!SHGetSpecialFolderLocation+0xa90
SHELL32.dll!Ordinal7+0x1b6e7
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd70
SHELL32.dll!SHGetSpecialFolderLocation+0xe1b
SHELL32.dll!SHGetSpecialFolderLocation+0xd3d
SHELL32.dll!SHGetSpecialFolderLocation+0xa90
SHELL32.dll!Ordinal7+0x1b6e7

loneboat

Posted 2012-12-31T02:27:29.457

Reputation: 489

Does this still happen? Can you use API Monitor to see the parameters and return value of MmIsDriverVerifying?

– Justin Dearing – 2014-12-24T15:41:43.850

What DLLs do you see in that thread's stack? – SLaks – 2012-12-31T03:49:02.057

What is the value of the InprocServer32 value on top of the spreadsheet? – SLaks – 2012-12-31T03:49:36.533

@SLaks: The DLL which is really chewing up the CPU is "SHLWAPI.dll" – loneboat – 2012-12-31T04:59:41.103

@Slaks: For your question about the "InprocServer32", which one are you asking about? The first one (in red) or the second one (in green)? Also, by "value", do you mean the value of that key in the Windows Registry? The value of the first one is "%SystemRoot%\system32\SHELL32.dll" and the second one does not appear to exist. The following is as close as I can get: "HKEY_CURRENT_USER\Software\Classes\CLSID" Under that, there is no entry for "{20D04...0309D}". – loneboat – 2012-12-31T05:00:59.200

does it happen when you use the same directories repeatedly? if so, it may be a corrupt thumbs.db file screwing your explorer.exe - – Lorenzo Von Matterhorn – 2012-12-31T21:23:03.363

@Znau: I know it seems to happen when I'm working in Explorer heavily, but I haven't noticed a specific folder causing it. Would it be safe to just write a script to delete all thumbs.db files on my system? – loneboat – 2013-01-01T01:06:24.703

@loneboat to me it seems safe, since it stores thumbnail data, nothing too sensitive; they can be rebuilt whenever you choose thumbnail view. – Lorenzo Von Matterhorn – 2013-01-04T17:30:19.853

Answers

0

explorer.exe apparently doesn't like it when there are shortcuts located directly under My Computer. Try removing the target.lnk item and see if the behavior still occurs.

Another possible fix is to go to Control Panel > Taskbar & Start Menu > Start Menu tab > customize, then scroll about 3/4 down and select "search without public folders".

Bigbio2002

Posted 2012-12-31T02:27:29.457

Reputation: 3 804

0

I Used to experience this problem on my XP Rig, and I couldn't seem to prevent it from happening- the problem seems like an anomalous occurrence. The only solution I was able to find for it was killing Explorer.exe through the Task Manager, and then restarting it.

Simply open up the task manager (Ctrl+Alt+Delete), navigate to the Processes tab within Task Manager, find "Explorer.EXE" under the "Image Name" list, and once you have found it, select it and then press the "End Process" button at the bottom right of the window. This will Kill explorer.

Once this is done, navigate back to the "Applications" tab in the Task Manager, press the "New Task" button, and in the dialog that comes up, type in "Explorer.EXE". This will restart Explorer and should fix the problem.

Ben Franchuk

Posted 2012-12-31T02:27:29.457

Reputation: 1 584

Asked: 2012-12-31T02:27:29.457

Viewed: 445 times

Active: 2015-12-20T11:28:44.543