PE ver 1.7 - CPU usage near 100%

Discussion in 'Port Explorer' started by Disciple, Aug 8, 2003.

Thread Status:
Not open for further replies.
  1. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    System Info:
    Win XP home sp1 w/all critical updates and patches

    Problem:
    I have noticed recently, the last 2 weeks or so, my system will suddenly stop responding. For example, just prior to coming here to post this I was finished reading the GRC newsgroups and clicked on the inbox button to go back there and re-check my e-mail before closing OE. The system started accessing the hard drive, as usual, and then just hung. I hit Ctrl+Alt+Del to bring up the Task Manager and check the Processes tab; there was PE gobbling up 98-99% of the CPU time.

    My observations:
    Bringing up PE and closing it does not end the process in the Task Manager. The only way to end the process was to highlight it in Task Manager and use the End Process button. I can restart PE and all will be fine for a while, the time varies, and then I must repeat the process.

    Question:
    Can anyone shine some light on this behavior and offer a possible cure for preventing this in the future?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Strange, the closing and mountain up of threads are older issues which were solved many versions ago and as far as I remember only appeared in versions only released to the betatesters team. Are you sure you run 1700 and uninstalled former versions completely?

    It might also help if you keep the logging on the lower values and keep the capture.bin small: after spying on sockets the amount of data can grow to enormous proportions and can cause some problems after a while.
    In the PE directory look for the size of the capture.bin.
    I'm used to keeping it rather small by removing data frequently, and you can save it away in the directory with another name if you want to keep those dialogues for later checking (can always look at them via the viewer again).
    Might help
     
  3. Charles Ray

    Charles Ray Guest

    I had/have the same problem...Windows XP and PE 1.7...and was bugged in a previous post. Jason advised me to disable file logging and windows logging under settings. This stopped the problem for me. Jason indicated that this would be fixed in the next version hopefully. On my system it seemed to start several versions back.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hm, so I remembered not all exactly or it is another issue. It was on the win98 systems by then, while the XP users ran fluently.
    I'm used to keeping the logs and capture.bin all small as I don't like to plague the system and myself with having to read through all long files. Only few times missed a part in the logging I discovered afterwards which might have needed more attention.
    Thanks for telling, really thought it was solved for all as I keep logging this way without any trouble.
     
  5. Ben

    Ben Registered Member

    Joined:
    Aug 4, 2003
    Posts:
    12
    Location:
    Los Angeles, CA
    Reading the Help Troubleshooting menu in PE, this is what it says:

    In some rare circumstances, Windows XP doesn't clean up all its sockets correctly after an application has closed. This has the effect of Port Explorer showing a socket with an asterisk and no filename because the application is closed yet Windows XP is reporting that the closed application owns the socket(s). Usually after your internet connection has been disconnected the 'blank' socket(s) will be cleaned up by Windows XP. This isn't a Port Explorer problem, it's a Windows XP issue. To check this, whenever you see a blank socket go to your command prompt and type "netstat -ano" (without quotes). You should see the sockets which have the same PID as the blank sockets in Port Explorer. If you look in Windows Task Manager (Ctrl+Alt+Delete | Task Manager) you will see no process that has the PID that netstat and Port Explorer report.

    Maybe this is what it is all about?
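An added example, not part of the original thread or of Port Explorer: the manual check from the help text quoted above, automated. It parses `netstat -ano` output and reports sockets whose owning PID has no running process; the netstat sample and the process list are constructed.

```python
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows column layout).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1042      203.0.113.5:80         CLOSE_WAIT      2316
  TCP    192.168.1.10:1043      203.0.113.5:80         TIME_WAIT       0
  UDP    0.0.0.0:1027           *:*                                    2316
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed process list (PID -> image name), as read from Task Manager.
RUNNING = {0: "System Idle Process", 4: "System",
           884: "svchost.exe", 1488: "explorer.exe"}


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for each socket row."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if not parts[-1].isdigit():
            continue  # no PID column (netstat was run without -o)
        # UDP rows have no State column, so they carry four fields, not five.
        state = parts[3] if len(parts) == 5 else ""
        yield parts[0], parts[1], parts[2], state, int(parts[-1])


def orphaned_sockets(netstat_text, running_pids):
    """Group sockets by owning PID where no running process has that PID."""
    orphans = defaultdict(list)
    for proto, local, _remote, state, pid in parse_netstat(netstat_text):
        if pid not in running_pids:
            orphans[pid].append((proto, local, state))
    return dict(orphans)


if __name__ == "__main__":
    for pid, socks in orphaned_sockets(NETSTAT_ANO, RUNNING).items():
        print(f"PID {pid} owns {len(socks)} socket(s) but has no process:")
        for proto, local, state in socks:
            print(f"  {proto} {local} {state}")
```
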
     
  6. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Thanks for the reply Jooske, yes it's ver 1.700, done with a clean install. At least I think it was a clean install as I was having problems with the Socket Spy at that time and I wanted a fresh install to see if it would clear that up. I'll drop the size of the Window and File logging to the lowest value. One thing you mentioned was the capture bin, and I have a bad habit of not clearing the socket spy right away. Looking at it just now there was a lot of stuff there that should have been cleared. I'll see if that makes any difference.

    I did not see a capture.bin file in the PE directory. I just might do an uninstall and reinstall anyway just in case something went wrong or I did not do a clean install.
     
  7. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Charles Ray and Ben thanks for the input. I will watch this more closely and see if it could be related to the sockets not being released by XP.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No need to reinstall PE for the capture bin as that one is created each time again when you make a new spy session. You can delete it, rename it if you want to keep it, clean it out, whatever you want, PE will function just as well without it. Normally (when it is there) you'll see it in the PE directory and can easily see its size.
    No problem when you think you're in a longer spy session in the meantime to copy one away and just continue with a next which will be created anyway, just check if the sockets are still in the viewer and if it is all going ok, as you might maybe need to add the PID again. Not expected, but better check it.
    It's really best to keep that thing small; Jason ever posted some calculation of the growth in just a few minutes and that was gigantic!
    For instance when you get a 1024 bytes data packet, that is indeed that much and all is in the spy for you to look at, so imagine a session of several minutes with lots of data and maybe acknowledgements of receiving etc etc in short time that's easy a MB so how about ten minutes of intensive data traffic?
    But it can be interesting to look at them!

    In older PE versions I noticed already with PE up a win98 system releases its dead threads much quicker than when I leave that up to windows itself (without PE installed) and in later versions I noticed that releasing speed has just increased with PE development.
    So already for that i wouldn't like to be a moment without PE !
    So it seems for XP it might have other effects.
    Does it help to refresh more often?
     
  9. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes this is a known problem that will be fixed in the next version of Port Explorer (no release date estimation yet). You can either Disable Window or File Logging to remove the problem it seems. It only seems to affect WinNT/2K and XP systems so 9x users are unaffected. For the time being, until the new release I would just "End Process" Port Explorer if it happens (since it is random and usually takes a few hours, and no one knows what causes it), since on NT/2K and XP doing that doesn't hurt the system at all and you can just restart PE.

    -Jason-
     
  10. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Ok this issue has been fixed, I don't have an ETA on the release date but it should be available soon.

    It seems Windows has an issue with its ToolHelp API on Win2k/XP (at least) where it sometimes reports an inaccurate parent process ID. In the cases where we managed to "replicate" this bug it was explorer.exe saying iexplore.exe was its parent, and iexplore.exe said explorer.exe was its parent. This ends up in a never ending loop trying to find the real parent process.

    I assumed Windows wouldn't do something silly like this and hence I didn't add any protection against it, but now it is in there.

    -Jason-
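An added example, not Port Explorer's code: the never-ending parent lookup described in the post above, with one form of the protection it mentions. The snapshot is constructed (the field names in the comment are those of the ToolHelp `PROCESSENTRY32` structure), and `ancestry` and `is_descendant_of` are hypothetical helper names.

```python
# Constructed process snapshot: PID -> (parent PID, image name). With the
# ToolHelp API these come from th32ProcessID, th32ParentProcessID and
# szExeFile. PIDs 1488 and 2316 name each other as parent, as in the thread.
SNAPSHOT = {
    4: (0, "System"),
    572: (4, "smss.exe"),
    640: (572, "winlogon.exe"),
    684: (640, "services.exe"),
    884: (684, "svchost.exe"),
    1488: (2316, "explorer.exe"),
    2316: (1488, "iexplore.exe"),
    3000: (2316, "notepad.exe"),
    3100: (9999, "orphan.exe"),  # parent PID no longer in the snapshot
}


def ancestry(snapshot, pid):
    """Walk parent links upward from pid.

    Returns (chain, reason) where chain is a list of (pid, name) and reason
    is 'root', 'missing-parent', 'cycle' or 'unknown-pid'.
    """
    if pid not in snapshot:
        return [], "unknown-pid"
    chain, seen = [], set()
    while True:
        if pid in seen:
            return chain, "cycle"  # without this check the walk never ends
        seen.add(pid)
        ppid, name = snapshot[pid]
        chain.append((pid, name))
        if ppid == 0 or ppid == pid:
            return chain, "root"
        if ppid not in snapshot:
            return chain, "missing-parent"
        pid = ppid


def is_descendant_of(snapshot, pid, image):
    """True if a process named image appears among pid's ancestors."""
    chain, _reason = ancestry(snapshot, pid)
    return any(name.lower() == image.lower() for _pid, name in chain[1:])
```

A parent PID can also point at a process that has already exited, so the walk treats a missing parent as a normal end of the chain rather than an error.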
     
  11. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    :blink:

    :D
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Funny that it is not affecting the win9x series then.

    Now you mention: if I have a "not responding" IE for instance it can happen in the taskmanager it shows as Explorer not responding, which can be solved by closing that IE window I think it is.
    It can happen it says the Iexplorer not responding which I then close and this can cause a reboot as if I closed Explorer!
    These two are so mixed:
    if we have problems in Explorer these can rather often be solved with a repair install of IE.
    So why wouldn't they cause problems too like you described above?
    Anyway as said before, PE helps my windows in general to free the space from closed threads.
     
  13. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    The same problem does probably exist on Win9x, in the ToolHelp API.. but Port Explorer doesn't use that relevant information on 9x... it is only used in 2K/XP for service enumeration. This is why there are no problems with Port Explorer using 99% CPU on Win9x :) .

    I remember on Windows 98 that when IE went down a lot of the times it took Explorer with it and you would need to reboot. Win2k/XP makes you forget about those painful times ;)

    -Jason-
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    A repair IE does a lot. But explorer/IE/OE are completely integrated and an error in the one can take whole windows down sometimes. It can happen you click on an URL in an OE email which for some reason not opens the IE window expected, looking in the taskmanager see explorer not responding. Close OE and all is right again. Sometimes in the same situation one sees IE not responding and solved sometimes with closing that IE then, other times too that OE closing is necessary.
    This all to avoid a reboot :)

    Good there are still win9x users around to remind you of those happy undocumented features Jason :)
     
  15. Charles Ray

    Charles Ray Guest

    Just a quick follow-up on my earlier post. Turning off Window and File logging is NOT a cure as I previously thought it was. In the last 24 hours, I've had three (3) occurrences of PE version 1.70 taking over the CPU busy. Had to kill PE each time and restart.

    The only change is that I've been getting a LOT of remote computer access attempts in the last two days which are blocked by Norton Internet Security 2003. The frequency of these seems to be extremely high in the past 24-48 hours....27 attempts/attacks in 3 hours early yesterday morning...from all around the world. :p These are continuing as I post this...5 in the 25 minutes.
     
  16. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Charles, no the problem isn't related to file/window logging.. it's something to do with Microsoft probably not "cleaning" a variable once in a while so it mixes up parent process IDs for processes which don't have parents. It is fixed though now so you just have to wait till it's released! :)

    -Jason-
     
  17. Charles Ray

    Charles Ray Guest

    I kin wait... :cool: :rolleyes: :D
     