Windows Explorer hangs

xinren · March 24, 2017, 11:39am

I am new to the area and I am trying to fix a defect in a legacy filter driver. My legacy driver has a shadow folder and I can select folder(s) that I would like to shadow. The problem now is that Windows Explorer hangs when I would shadow the folder c:\user\me\documents; where there is no problem when I would shadow the folder c:\foo. Windows Explorer hangs when I open the Explorer, select the document folder, and close the Explorer for a few times. Quick is looking for something …

I have read every post in this forum about “Windows Explorer hangs” and it is very helpful.

I use the !locks and did not see any pending lock.
I use Windbg to check the Explorer process, I find many threads’ info as

THREAD ffffe0016eb96080 Cid 0c98.0988 Teb: 0000000000c64000 Win32Thread: ffffe0016b68bad0 WAIT: (UserRequest) UserMode Alertable
ffffe0016eb9bd40 NotificationEvent
ffffe0016eba8760 SynchronizationEvent
Not impersonating
DeviceMap ffffc001c6e3c620
Owning Process ffffe0016ea97080 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 6601 Ticks: 56 (0:00:00:00.875)
Context Switch Count 4307 IdealProcessor: 0
UserTime 00:00:00.015
KernelTime 00:00:00.062
Win32 Start Address 0x00007ffd5b84c1c0
Stack Init ffffd000218ecc90 Current ffffd000218ebf80
Base ffffd000218ed000 Limit ffffd000218e7000 Call 0000000000000000
Priority 12 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
Child-SP RetAddr Call Site
ffffd000218ebfc0 fffff800086eb84a nt!KiSwapContext+0x76
ffffd000218ec100 fffff800086eb2d9 nt!KiSwapThread+0x15a
ffffd000218ec1b0 fffff800086ea71e nt!KiCommitThreadWait+0x149
ffffd000218ec240 fffff80008ac7b9d nt!KeWaitForMultipleObjects+0x24e
ffffd000218ec300 fffff80008a0a586 nt!ObWaitForMultipleObjects+0x2bd
ffffd000218ec810 fffff800087691a3 nt!NtWaitForMultipleObjects+0xf6
ffffd000218eca90 00007ffd72965c34 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd000218ecb00) 00000000050df958 00000000`00000000 ntdll!NtWaitForMultipleObjects+0x14
3. from what I am reading, it looks like an oplock issue.

I would appreciate it if some experts can give me some hints.
a). I can see which files have been accessed by Explorer in my debug info, but is there a way for me to see which file causes the hanging?
b). I can see the driver recevies IRP_MJ_FILE_SYSTEM_CONTROL and IRP_MN_USER_FS_REQUEST, which could be oplock information.
However, when I check irpSp->Parameters.fsControlCode, it is 0 that does not make too much sense to me.
c). I am not very experienced in using windbg, can I get more information from TrapFrame @ ffffd000`218ecb00?
d). there are 20+ threads, is there a way to see which threads are hanging?
e). is there anything obvious I am missing or I did not do?

Thanks in advance

Xinren

Scott_Noone_OSR · March 24, 2017, 1:47pm

There’s not enough info here to say what the thread is doing. Also,
according to the debug output this thread has only been waiting for 0.875s
(though sometimes this number requires further scrutiny).

Try doing a:

!process 0 1F explorer.exe

This will include user mode state as well. Someone might be able to look at
the threads and point to one that might be problematic.

A file system control code of zero doesn’t make much sense to me either. I’d
check the code where you are tracing this debug output. You should also
trace opens with the FILE_OPEN_REQUIRING_OPLOCK bit set.

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntfsd…

I am new to the area and I am trying to fix a defect in a legacy filter
driver. My legacy driver has a shadow folder and I can select folder(s) that
I would like to shadow. The problem now is that Windows Explorer hangs when
I would shadow the folder c:\user\me\documents; where there is no problem
when I would shadow the folder c:\foo. Windows Explorer hangs when I open
the Explorer, select the document folder, and close the Explorer for a few
times. Quick is looking for something …

I have read every post in this forum about “Windows Explorer hangs” and it
is very helpful.

I use the !locks and did not see any pending lock.
I use Windbg to check the Explorer process, I find many threads’ info as

THREAD ffffe0016eb96080 Cid 0c98.0988 Teb: 0000000000c64000 Win32Thread:
ffffe0016b68bad0 WAIT: (UserRequest) UserMode Alertable
ffffe0016eb9bd40 NotificationEvent
ffffe0016eba8760 SynchronizationEvent
Not impersonating
DeviceMap ffffc001c6e3c620
Owning Process ffffe0016ea97080 Image:
explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 6601 Ticks: 56 (0:00:00:00.875)
Context Switch Count 4307 IdealProcessor: 0
UserTime 00:00:00.015
KernelTime 00:00:00.062
Win32 Start Address 0x00007ffd5b84c1c0
Stack Init ffffd000218ecc90 Current ffffd000218ebf80
Base ffffd000218ed000 Limit ffffd000218e7000 Call 0000000000000000
Priority 12 BasePriority 8 PriorityDecrement 2 IoPriority 2
PagePriority 5
Child-SP RetAddr Call Site
ffffd000218ebfc0 fffff800086eb84a nt!KiSwapContext+0x76
ffffd000218ec100 fffff800086eb2d9 nt!KiSwapThread+0x15a
ffffd000218ec1b0 fffff800086ea71e nt!KiCommitThreadWait+0x149
ffffd000218ec240 fffff80008ac7b9d
nt!KeWaitForMultipleObjects+0x24e
ffffd000218ec300 fffff80008a0a586
nt!ObWaitForMultipleObjects+0x2bd
ffffd000218ec810 fffff800087691a3 nt!NtWaitForMultipleObjects+0xf6
ffffd000218eca90 00007ffd72965c34 nt!KiSystemServiceCopyEnd+0x13
(TrapFrame @ ffffd000218ecb00) 00000000050df958 00000000`00000000
ntdll!NtWaitForMultipleObjects+0x14
3. from what I am reading, it looks like an oplock issue.

I would appreciate it if some experts can give me some hints.
a). I can see which files have been accessed by Explorer in my debug info,
but is there a way for me to see which file causes the hanging?
b). I can see the driver recevies IRP_MJ_FILE_SYSTEM_CONTROL and
IRP_MN_USER_FS_REQUEST, which could be oplock information.
However, when I check irpSp->Parameters.fsControlCode, it is 0 that does not
make too much sense to me.
c). I am not very experienced in using windbg, can I get more information
from TrapFrame @ ffffd000`218ecb00?
d). there are 20+ threads, is there a way to see which threads are hanging?
e). is there anything obvious I am missing or I did not do?

Thanks in advance

Xinren

xinren · March 27, 2017, 8:25am

Scott, thanks for reply. I tried to use !process 0 1F explorer.exe, which provides much more information.

Xinren

xinren · April 11, 2017, 2:24pm

I did a lot of tracing and then realized that Scott’s comments are really valuable.

using !process 0 1f explorer.exe, I did get a lot of information, for example,

THREAD ffffe00137d31080 Cid 0cf8.0d3c Teb: 0000000000204000 Win32Thread: ffffe001370e3cf0 WAIT: (Executive) UserMode Non-Alertable
ffffd0002522bb70 SynchronizationEvent
IRP List:
ffffe001382df010: (0006,0430) Flags: 00060874 Mdl: 00000000
Not impersonating
DeviceMap ffffc001e462a6e0
Owning Process ffffe00137cc9840 Image: explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 10518 Ticks: 1948 (0:00:00:30.437)
Context Switch Count 335 IdealProcessor: 0 NoStackSwap
UserTime 00:00:00.093
KernelTime 00:00:00.140
Win32 Start Address ntdll!TppWorkerThread (0x00007ff98817b350)
Stack Init ffffd0002522bdd0 Current ffffd0002522b730
Base ffffd0002522c000 Limit ffffd00025226000 Call 0000000000000000
Priority 11 BasePriority 8 PriorityDecrement 2 IoPriority 2 PagePriority 5
CompressedPageDataReader warning: failed to get _SM_PAGE_KEY symbol.
Child-SP RetAddr Call Site
ffffd0002522b770 fffff801107056ca nt!KiSwapContext+0x76
ffffd0002522b8b0 fffff80110705159 nt!KiSwapThread+0x15a
ffffd0002522b960 fffff80110704dc5 nt!KiCommitThreadWait+0x149
ffffd0002522b9f0 fffff80110a9b01c nt!KeWaitForSingleObject+0x375
ffffd0002522bab0 fffff801107dbfa3 nt!NtQueryInformationFile+0x72c
ffffd0002522bbd0 00007ff9881f52f4 nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ ffffd0002522bc40) 00000000022cde48 00000000`00000000 ntdll!NtQueryInformationFile+0x14

This is related to the file system, and there is a pending irp.

I am tracking the pending irp

kd> !irp ffffe001382df010
Irp is active with 11 stacks 13 is current (= 0xffffe001382df440)
No Mdl: System buffer=ffffe00137c76af0: Thread ffffe00137d31080: Irp is completed.
cmd flg cl Device File Completion-Context
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[IRP_MJ_QUERY_INFORMATION(5), N/A(0)]
0 0 ffffe00136a33030 00000000 fffff801c57f55a0-ffffe001357c3010
\FileSystem\NTFS FLTMGR!FltpPassThroughCompletion
Args: 00000000 00000000 00000000 00000000
[IRP_MJ_QUERY_INFORMATION(5), N/A(0)]
0 0 ffffe00136a31180 00000000 fffff801c691bd04-ffffe00137c76b10
\FileSystem\FltMgr mydrv!FsfQueryFileAttrReparseComplete
Args: 00000000 00000000 00000000 00000000
[IRP_MJ_QUERY_INFORMATION(5), N/A(0)]
0 0 ffffe00136a60940 00000000 00000000-00000000
\Driver\ctsrddrv
Args: 00000000 00000000 00000000 00000000

Irp Extension present at 0xffffe001382df3f8:

I can try to use minispy to see the filename that is associated with this pending irp. Meanwhile, is there a quick way to find out which file is waiting here?
is there something obvious for the experts that I did not see?
I did look at the bit FILE_OPEN_REQUIRING_OPLOCK = 0x00010000. However, I would need to look it again.

I would appreciate any tips/helps.

Xinren

Scott_Noone_OSR · April 12, 2017, 12:16pm

The IRP is complete but is still queued to the thread. If you run !apc do
you see IopCompleteRequest pending in the APC queue? Does your filter pass
Driver Verifier?

-scott
OSR
@OSRDrivers

wrote in message news:xxxxx@ntfsd…

I did a lot of tracing and then realized that Scott’s comments are really
valuable.

using !process 0 1f explorer.exe, I did get a lot of information, for
example,

THREAD ffffe00137d31080 Cid 0cf8.0d3c Teb: 0000000000204000 Win32Thread:
ffffe001370e3cf0 WAIT: (Executive) UserMode Non-Alertable
ffffd0002522bb70 SynchronizationEvent
IRP List:
ffffe001382df010: (0006,0430) Flags: 00060874 Mdl: 00000000
Not impersonating
DeviceMap ffffc001e462a6e0
Owning Process ffffe00137cc9840 Image:
explorer.exe
Attached Process N/A Image: N/A
Wait Start TickCount 10518 Ticks: 1948
(0:00:00:30.437)
Context Switch Count 335 IdealProcessor: 0
NoStackSwap
UserTime 00:00:00.093
KernelTime 00:00:00.140
Win32 Start Address ntdll!TppWorkerThread (0x00007ff98817b350)
Stack Init ffffd0002522bdd0 Current ffffd0002522b730
Base ffffd0002522c000 Limit ffffd00025226000 Call 0000000000000000
Priority 11 BasePriority 8 PriorityDecrement 2 IoPriority 2
PagePriority 5
CompressedPageDataReader warning: failed to get _SM_PAGE_KEY symbol.
Child-SP RetAddr Call Site
ffffd0002522b770 fffff801107056ca nt!KiSwapContext+0x76
ffffd0002522b8b0 fffff80110705159 nt!KiSwapThread+0x15a
ffffd0002522b960 fffff80110704dc5 nt!KiCommitThreadWait+0x149
ffffd0002522b9f0 fffff80110a9b01c nt!KeWaitForSingleObject+0x375
ffffd0002522bab0 fffff801107dbfa3 nt!NtQueryInformationFile+0x72c
ffffd0002522bbd0 00007ff9881f52f4 nt!KiSystemServiceCopyEnd+0x13
(TrapFrame @ ffffd0002522bc40) 00000000022cde48 00000000`00000000
ntdll!NtQueryInformationFile+0x14

This is related to the file system, and there is a pending irp.

I am tracking the pending irp

kd> !irp ffffe001382df010
Irp is active with 11 stacks 13 is current (= 0xffffe001382df440)
No Mdl: System buffer=ffffe00137c76af0: Thread ffffe00137d31080: Irp is
completed.
cmd flg cl Device File Completion-Context
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[N/A(0), N/A(0)]
0 0 00000000 00000000 00000000-00000000

Args: 00000000 00000000 00000000 00000000
[IRP_MJ_QUERY_INFORMATION(5), N/A(0)]
0 0 ffffe00136a33030 00000000 fffff801c57f55a0-ffffe001357c3010
\FileSystem\NTFS FLTMGR!FltpPassThroughCompletion
Args: 00000000 00000000 00000000 00000000
[IRP_MJ_QUERY_INFORMATION(5), N/A(0)]
0 0 ffffe00136a31180 00000000 fffff801c691bd04-ffffe00137c76b10
\FileSystem\FltMgr mydrv!FsfQueryFileAttrReparseComplete
Args: 00000000 00000000 00000000 00000000
[IRP_MJ_QUERY_INFORMATION(5), N/A(0)]
0 0 ffffe00136a60940 00000000 00000000-00000000
\Driver\ctsrddrv
Args: 00000000 00000000 00000000 00000000

Irp Extension present at 0xffffe001382df3f8:

I can try to use minispy to see the filename that is associated with this
pending irp. Meanwhile, is there a quick way to find out which file is
waiting here?
is there something obvious for the experts that I did not see?
I did look at the bit FILE_OPEN_REQUIRING_OPLOCK = 0x00010000. However, I
would need to look it again.

I would appreciate any tips/helps.

Xinren