Explorer.exe / BROWSEUI.dll - high cpu usage (slow folders)

[skribb]

Ever since I came back to the computer and noticing that it had rebooted itself (presumably a STOP error of some kind), Explorer.exe has been utilising 37-50% cpu when browsing through folders (i.e the spikes occur only when activiley browsing). I was using addons (QTTabBar and QTAddressBar) for explorer.exe but have since removed them, although the cpu error persists. Naturally, the CPU spike causes folders to load slowly, they take about 5 seconds to appear, in contrast with the former 0-1 seconds.

For further clarity; right-clicking folders/files and running applications does not produce a CPU spike at all.

Just to prove that explorer is the culprit, I tried other file managers and they loaded folders instantly and with 0-1 % CPU usage.

I did troubleshooting all night and found that there are some strange occurrences when I open any given folder, though the activites differ slightly from folder to folder.

Basically, BROWSEUI.dll!Ordinal138+0x7bdd is the one hogging the cpu. The CSwitch Delta peaks at around 3000 when the cpu spikes occur.


Here's the stack for one of the BROWSEUI.dll!Ordinal138+0x7bdd:
ntkrnlpa.exe!KiUnexpectedInterrupt+0x121
ntkrnlpa.exe!ZwYieldExecution+0x1c56
ntkrnlpa.exe!ZwYieldExecution+0x2538
ntkrnlpa.exe!KeReleaseInStackQueuedSpinLockFromDpcLe vel+0xb74
ntkrnlpa.exe!KiDispatchInterrupt+0x72e
ntkrnlpa.exe!ExAcquireResourceExclusiveLite+0x67
ntkrnlpa.exe!ExFreePoolWithTag+0x40d
ntkrnlpa.exe!ExReleaseResourceLite+0x8d
ntdll.dll!KiFastSystemCallRet
BROWSEUI.dll!Ordinal138+0x7bdd
kernel32.dll!GetModuleFileNameA+0x1b4



I went into Filemon to record what was being accessed while opening folders and I saw these suspect activities:

31 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\???? NAME INVALID Attributes: Error
32 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Documents and Settings\skribb\???? NAME INVALID Attributes: Error
33 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\system32\???? NAME INVALID Attributes: Error
34 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\system\???? NAME INVALID Attributes: Error
35 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\???? NAME INVALID Attributes: Error
36 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\system32\???? NAME INVALID Attributes: Error
37 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\???? NAME INVALID Attributes: Error
38 17:38:32 explorer.exe:500 QUERY INFORMATION H:\WINDOWS\System32\Wbem\???? NAME INVALID Attributes: Error
39 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Program\Windows XP Support Tools\???? NAME INVALID Attributes: Error
40 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Program\Delade filer\Teleca Shared\???? NAME INVALID Attributes: Error
41 17:38:32 explorer.exe:500 QUERY INFORMATION H:\Program\DISKEE~1\DISKEE~1\???? NAME INVALID Attributes: Error

The ???? is sometimes shown as ?. or ? or ????Đ?? etc, and sometimes it also says NOT FOUND instead of NAME INVALID.


If a folder contains no subfolders, the above is all that happens. However if a folder contains subfolders, the below is also reported, for every subfolder of the current folder (note that this didn't seem to affect the CPU, the spike was pretty much the same in an empty folder, i.e with only the above errors):

3214 18:49:15 explorer.exe:500 READ  H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly INVALID DEVICE REQUEST Offset: 0 Length: 24
3215 18:49:15 explorer.exe:500 QUERY INFORMATION H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly BUFFER OVERFLOW FileFsVolumeInformation
3216 18:49:15 explorer.exe:500 QUERY INFORMATION H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly BUFFER OVERFLOW FileAllInformation
3217 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA NOT FOUND Options: Open  Access: Read
3218 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3219 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3220 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3221 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3222 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3223 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3224 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3225 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3226 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3227 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3228 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3229 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3230 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read
3231 18:49:15 explorer.exe:500 OPEN H:\Documents and Settings\skribb\Skrivbord\download\Deadstar Assembly\:Docf_SummaryInformation:$DATA NOT FOUND Options: Open  Access: Read


What I have tried so far, without luck:
1. Kill all processes and services except the crucial ones
2. Search for references in the registry
3. Reinstalled IE7 (since browseui.dll is a IE component). The reinstall gave me a newer version of browseui.dll, but that didn't help, apparently.
4. Searched for spyware and adware. Didn't bother search for virus since I use a resident guard which hasn't reported anything.

What I perhaps should try:
Unregister browseui.dll , reboot, then reregister browseui.dll
I'm not sure I should. I'm afraid it'll break explorer.exe, but if you feel like coaxing me into trying this, feel free to do so.

Final notes:
1. I will not reformat or reinstall XP. With my last computer I didn't reformat for 2-3 years, and I'd like to keep it that way. (just getting this out of the way so we can focus on ironing out the problem )
2. The disk is defragmented. I am using Diskeeper with auto-defrag.
3. I can provide full Filemon, Regmon, Procmon or HJT logs if necessary (or any other log program).

[Broni]

I'd try few things:
1. Download, and install ShellExView: http://www.nirsoft.net/utils/shexview.html
Open it. Click on Type column to sort all entries.
Right click, and Disable all non-Microsoft Context Menu types entries.
Restart computer, and see, if it helps.
2. Run sfc /scannow
3. Windows repair: http://www.michaelstevenstech.com/XPrepairinstall.htm

[skribb]

thanks for replying, however I seem to have located the problem myself.


I had recently disabled Spybot from within Spybot itself, without it affecting performance. Now I disabled it from within IE, which seemed to have solved the problem.

I will return if the problem re-arises.

[Broni]

Cool