explorer.exe consuming 100% CPU after resuming from hibernation

Hello,

For the last months, I repeatedly have the problem that sometimes (every 2nd or 3rd time) after resuming from hibernation, in a few cases also after disconnecting from the Internet, one or more instances of explorer.exe are consuming 100% CPU, but never the shell instance.

I tried figuring out what it was doing, but I was unsuccessful so far.

Here is a stack of the thread which consumed most of the CPU:

0, ntoskrnl.exe!KiDeliverApc+0x166
1, ntoskrnl.exe!KiSwapThread+0x31f
2, ntoskrnl.exe!KiCommitThreadWait+0x129
3, ntoskrnl.exe!ExpWaitForResource+0x29f
4, ntoskrnl.exe!ExEnterPriorityRegionAndAcquireResourceExclusive+0x1ad
5, win32k.sys!EnterCritAvoidingDitHitTestHazard+0x13
6, win32k.sys!NtUserMessageCall+0x28
7, ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
8, user32.dll!NtUserMessageCall+0xa
9, user32.dll!SendMessageWorker+0x168
10, user32.dll!SendMessageW+0xfb
11, ExplorerFrame.dll!CNscTree::_TreeInvalidateItemInfo+0xd0
12, ExplorerFrame.dll!CNscTree::_EnumBackgroundDone+0xb4a14
13, ExplorerFrame.dll!CNscTree::OnQIUpdateEnumDone+0x93
14, ExplorerFrame.dll!CNscEnumQueueItem::Dispatch+0xcf
15, ExplorerFrame.dll!CTaskLock::DispatchQueueItem+0xc5
16, ExplorerFrame.dll!CNscTree::_SubClassTreeWndProc+0x118
17, ExplorerFrame.dll!CNscTree::s_SubClassTreeWndProc+0x5f
18, comctl32.dll!CallNextSubclassProc+0xe0
19, comctl32.dll!MasterSubclassProc+0xa2
20, user32.dll!UserCallWinProcCheckWow+0x149
21, user32.dll!DispatchMessageWorker+0x1a7
22, AppVEntSubsystems64.dll!VirtualizeCurrentThread+0x1e492
23, ExplorerFrame.dll!CExplorerFrame::FrameMessagePump+0xe3
24, ExplorerFrame.dll!BrowserThreadProc+0x5e
25, ExplorerFrame.dll!BrowserNewThreadProc+0x3a
26, ExplorerFrame.dll!CExplorerTask::InternalResumeRT+0x12
27, ExplorerFrame.dll!CRunnableTask::Run+0x114
28, shell32.dll!CShellTaskThread::ThreadProc+0x2a3
29, shell32.dll!CShellTaskThread::s_ThreadProc+0x2f
30, SHCore.dll!StrRetToBSTR+0x19f
31, kernel32.dll!BaseThreadInitThunk+0x22
32, ntdll.dll!RtlUserThreadStart+0x34

I was hoping I could identify a rogue shell extension or something similar, but I didn't find any such evidence so far.

In case you need this information, this is a list of my shell extensions/copy hooks/context menu handlers/drag&drop handlers (without duplicates):

+ " SkyDrivePro1 (ErrorConflict)"	"Microsoft OneDrive for Business Extensions"	"Microsoft Corporation"	"c:\program files\microsoft office 15\root\vfs\programfilesx64\microsoft office\office15\grooveex.dll"	"12.11.2014 01:13"
+ "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"	""	"Apache Software Foundation"	"c:\program files (x86)\openoffice 4\program\shlxthdl\shlxthdl.dll"	"20.09.2013 12:50"
+ "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"	""	"Apache Software Foundation"	"c:\program files (x86)\openoffice 4\program\shlxthdl\shlxthdl_x64.dll"	"20.09.2013 12:41"
+ "7-Zip"	"7-Zip Shell Extension"	"Igor Pavlov"	"c:\program files\7-zip\7-zip32.dll"	"18.04.2011 19:34"
+ "7-Zip"	"7-Zip Shell Extension"	"Igor Pavlov"	"c:\program files\7-zip\7-zip.dll"	"18.04.2011 19:35"
+ "ANotepad++64"	"ShellHandler for Notepad++ (64 bit)"	""	"c:\program files (x86)\notepad++\nppshell_06.dll"	"12.05.2014 10:49"
+ "Ath_CopyHook"	"Bluetooth File Transfer Plugin"	"QualcommAtheros"	"c:\program files (x86)\bluetooth suite\folderviewimpl.dll"	"25.09.2013 10:58"
+ "Atheros"	"Atheros Bluetooth Module"	"QualcommAtheros"	"c:\program files (x86)\bluetooth suite\btvappext.dll"	"25.09.2013 10:58"
+ "DropboxExt"	"Dropbox Shell Extension"	"Dropbox, Inc."	"c:\users\david\appdata\roaming\dropbox\bin\dropboxext64.24.dll"	"24.06.2014 01:32"
+ "DropboxExt1"	"Dropbox Shell Extension"	"Dropbox, Inc."	"c:\users\david\appdata\roaming\dropbox\bin\dropboxext.24.dll"	"24.06.2014 01:31"
+ "FTShellContext"	"Atheros Bluetooth Module"	"QualcommAtheros"	"c:\program files (x86)\bluetooth suite\shellcontextext.dll"	"25.09.2013 10:58"
+ "GDContextMenu"	"Google Drive shell extension"	"Google"	"c:\program files (x86)\google\drive\contextmenu64.dll"	"16.01.2015 01:57"
+ "GDriveBlacklistedOverlay"	"Google Drive shell extension"	"Google"	"c:\program files (x86)\google\drive\googledrivesync64.dll"	"16.01.2015 01:56"
+ "igfxcui"	"igfxpph Module"	"Intel Corporation"	"c:\windows\system32\igfxpph.dll"	"09.09.2013 18:26"
+ "LockHunterShellExt"	"LockHunter Explorer Extension"	"Crystal Rich Ltd"	"c:\program files\lockhunter\lhshellext32.dll"	"25.03.2009 08:53"
+ "LockHunterShellExt"	"LockHunter Explorer Extension"	"Crystal Rich Ltd"	"c:\program files\lockhunter\lhshellext64.dll"	"28.04.2009 10:21"
+ "PDF Shell Extension"	"PDF Shell Extension"	"Adobe Systems, Inc."	"c:\program files (x86)\common files\adobe\acrobat\activex\pdfshell.dll"	"11.05.2013 10:34"
+ "PushbulletCtx"	""	""	"File not found: :/Program Files (x86)/Pushbullet/pushbullet_ctx.DLL"	""
+ "RecuvaShellExt"	"Recuva shell extensions"	"Piriform Ltd"	"c:\program files\recuva\recuvashell64.dll"	"14.03.2014 12:41"
+ "SD360"	"360 Total Security"	""	"c:\program files (x86)\360\total security\menuex64.dll"	"12.01.2015 03:55"
+ "SourceGearDiffMergeShellExtension32"	"SourceGear DiffMerge ShellExtension 32"	"SourceGear LLC"	"c:\program files (x86)\sourcegear\common\diffmerge\sourcegeardiffmergeshellextension32.dll"	"23.10.2013 19:15"
+ "SourceGearDiffMergeShellExtension64"	"SourceGear DiffMerge ShellExtension 64"	"SourceGear LLC"	"c:\program files\sourcegear\common\diffmerge\sourcegeardiffmergeshellextension64.dll"	"23.10.2013 19:17"
+ "StartMenuExt"	"Start Menu Helper Extension"	"IvoSoft"	"c:\windows\syswow64\startmenuhelper32.dll"	"20.04.2014 18:17"
+ "StartMenuExt"	"Start Menu Helper Extension"	"IvoSoft"	"c:\windows\system32\startmenuhelper64.dll"	"20.04.2014 18:16"
+ "WinRAR32"	"WinRAR shell extension"	"Alexander Roshal"	"c:\program files\winrar\rarext32.dll"	"02.12.2014 11:07"
+ "WinRAR"	"WinRAR shell extension"	"Alexander Roshal"	"c:\program files\winrar\rarext.dll"	"02.12.2014 11:07"
+ "WinSCPCopyHook"	"Drag&Drop shell extension for WinSCP (64-bit)"	"Martin Prikryl"	"c:\program files (x86)\winscp\dragext64.dll"	"14.08.2013 12:22"

If you have any clue what might be going on, I would be very happy to hear it. It's really annoying, as I have to kill explorer.exe and thereby close all my folder windows when this happens.

Thank you!

Best regards,
David Trapp


  • Edited by CherryDT Monday, February 02, 2015 8:43 PM
February 2nd, 2015 11:41pm
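Shell extensions are DLLs loaded into explorer.exe itself, so a list like the one in the post above can be triaged mechanically before it is read by eye. The following is an added example, not part of the original post: it parses rows in the same tab-separated format and flags handlers whose file is missing, whose publisher column is blank, or whose DLL sits outside Program Files or Windows. The flag names and the protected-directory list are assumptions made for this example.

```python
import csv

FIELDS = ("entry", "description", "publisher", "path", "timestamp")
# Assumption: only these admin-writable locations count as protected.
PROTECTED = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Five rows copied from the list in the post (tab-separated, "+ " prefix).
SAMPLE = "\n".join([
    '+ "7-Zip"\t"7-Zip Shell Extension"\t"Igor Pavlov"\t"c:\\program files\\7-zip\\7-zip.dll"\t"18.04.2011 19:35"',
    '+ "DropboxExt"\t"Dropbox Shell Extension"\t"Dropbox, Inc."\t"c:\\users\\david\\appdata\\roaming\\dropbox\\bin\\dropboxext64.24.dll"\t"24.06.2014 01:32"',
    '+ "PushbulletCtx"\t""\t""\t"File not found: :/Program Files (x86)/Pushbullet/pushbullet_ctx.DLL"\t""',
    '+ "SD360"\t"360 Total Security"\t""\t"c:\\program files (x86)\\360\\total security\\menuex64.dll"\t"12.01.2015 03:55"',
    '+ "igfxcui"\t"igfxpph Module"\t"Intel Corporation"\t"c:\\windows\\system32\\igfxpph.dll"\t"09.09.2013 18:26"',
])


def parse_rows(text):
    """Turn the tab-separated, quoted export lines into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip().lstrip("+").lstrip()
        if not line:
            continue
        fields = next(csv.reader([line], delimiter="\t"))
        if len(fields) == len(FIELDS):
            rows.append(dict(zip(FIELDS, (f.strip() for f in fields))))
    return rows


def triage(row):
    """Return review flags for one handler (flag names are this example's own)."""
    flags = []
    path = row["path"].lower()
    if path.startswith("file not found"):
        flags.append("missing-file")           # registration remains, DLL is gone
    elif not path.startswith(PROTECTED):
        flags.append("outside-protected-dir")  # e.g. under a user profile
    if not row["publisher"]:
        flags.append("no-publisher")           # publisher column is blank
    return flags


def review_list(text):
    """List (entry, flags) for every row that raised at least one flag."""
    flagged = [(r["entry"], triage(r)) for r in parse_rows(text)]
    return [(name, flags) for name, flags in flagged if flags]


if __name__ == "__main__":
    for name, flags in review_list(SAMPLE):
        print(f"{name}: {', '.join(flags)}")
```

A flag here is a prompt to look closer at that handler, not a verdict on it.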

Hello CherryDT

What is your current situation?

Please take a look at the following KB to perform a clean boot in Windows and then check if the issue still exists.
http://support.microsoft.com/kb/929135

Please upload the Windows performance recorder trace as MVP Zigzag mentioned.

Best regards,
Fangzhou CHEN

February 5th, 2015 7:13am

Hello,

this computer is my main work laptop, so it might take some time until I'm next able to find time to do a clean boot and then play with reproducing the issue.

However, I was now able to record a performance recorder trace while the problem happened. There is a problem, though: I let the trace run 60s as requested in the linked wiki entry, but the file size is now 6 GB and WPA complains about over 12 million lost events (even though the buffer was never more than 9% used)... I'm not sure how/where to upload such a huge file, and whether it's even helpful with that many lost events. Should I wait for the problem to happen again and then only record 5 seconds or so?

Anyway, I made screenshots of WPA in case they are helpful already:

https://db.tt/urZtv2Gt
https://db.tt/VDggmFN5

I tried getting details about the CPU utilization, but I was unable to get any addresses, for some reason. (Symbol path is configured correctly.)

Best regards,
David Trapp


  • Edited by CherryDT 13 hours 39 minutes ago
February 5th, 2015 5:03pm

David

If you zip the file it will be under 750Mb, and those events, while concerning, should not negate the trace results.

You need to upload it

February 5th, 2015 5:21pm


7-Zip cut the filesize down to a lightweight 287MB. Great!

Here is the link: https://www.dropbox.com/s/1u622dsix1lsm5n/CHE-MOBILE-W8.02-05-2015.22-25-28.7z?dl=0

Please tell me once you got the file, I'll delete it then.

February 6th, 2015 7:40am

CDT

Obviously explorer.  Unfortunately in this trace the thread that is driving explorer to use %46 of the cpu is labeled unknown.  I do notice you have 142 processes loaded but suspect that is just making the problem worse.  Two things of note. 

From your above (#11) explorer is waiting because of an invalid date (hints of a corruption)

ExplorerFrame.dll!CNscTree::_TreeInvalidateItemInfo+0xd0

Second I noticed that the only non system item that runs for the entire duration of the excessive explorer usage is "rescuetime.exe"

I would run a system file check and temp disable rescue time to see if that is the issue

Please run a system file check (SFC)
All instructions are in our Wiki article below...
Should you have any questions please ask us.

System file check (SFC) Scan and Repair System Files

February 6th, 2015 8:01am

Hello,

thanks for having a look. However, I already ran SFC before posting on this forum (as part of my own investigation) and it came back clean. RescueTime (a time tracking tool) is probably not the culprit because it also happened several times in the past without RescueTime running (that was because I had accidentally removed it from autorun at that time).

Unfortunately, I can't follow your "invalid date" explanation. I don't think an "invalid date" is anywhere involved; in fact, the method in question is called "_TreeInvalidateItemInfo" and not "_TreeInvalidDateItemInfo" (note that there is only one "d"), so I assume its job is just to invalidate (and in turn, refresh) the cached information about nodes in the left pane's folder tree of the explorer window(s) - since the folder tree is the only NamespaceTreeControl (whose corresponding class name is CNscTree) in explorer folder view windows. As I see it, something is causing explorer to repeatedly refresh the folder tree data, but I am stuck at finding out what exactly.

Best regards,
David Trapp

EDIT: Disassembling ExplorerFrame!CNscTree::_TreeInvalidateItemInfo confirms that, because it seems to call TreeView_SetItem for a tree node and its parent (possibly with all fields set to *_CALLBACK), and CNscTree::_UpdateItemDisplayInfo for the parent node.

EDIT2: I'd love to dig more into the trace, however I am hitting a wall at function names/addresses. Everywhere where I would expect a function name/address (such as the "by stack" views), I only see question marks instead. What could be the reason?
  • Edited by CherryDT 21 hours 38 minutes ago
February 6th, 2015 8:39am


This topic is archived. No further replies will be accepted.
