WIA and hibernation again
in [Windows XP Basics]
|
Prev: Pressing Change Password -button in WIN XP causes reboot
Next: Microsoft caught pirating somebody's patent again!!!
From: William B. Lurie on 1 Apr 2010 04:05 John John - MVP wrote: > William B. Lurie wrote: > >>>> >>>> Event Type: Success Audit >>>> Event Source: Security >>>> Event Category: Logon/Logoff >>>> Event ID: 528 >>>> Date: 3/31/2010 >>>> Time: 1:26:17 PM >>>> User: NT AUTHORITY\NETWORK SERVICE >>>> Computer: COMPAQ-2006 >>>> Description: >>>> Successful Logon: >>>> User Name: NETWORK SERVICE >>>> Domain: NT AUTHORITY >>>> Logon ID: (0x0,0x3E4) >>>> Logon Type: 5 >>>> Logon Process: Advapi >>>> Authentication Package: Negotiate >>>> Workstation Name: Logon GUID: >>>> {00000000-0000-0000-0000-000000000000} >>>> >>>> For more information, see Help and Support Center at >>>> http://go.microsoft.com/fwlink/events.asp. >>>> >>>> Type Date Time Source Category Event User Computer >>>> Success Audit 3/31/2010 1:26:17 PM Security Privilege >>>> Use 576 NETWORK SERVICE COMPAQ-2006 >>>> Success Audit 3/31/2010 1:26:17 PM Security >>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>> Success Audit 3/31/2010 12:09:37 PM Security Privilege >>>> Use 576 NETWORK SERVICE COMPAQ-2006 >>>> Success Audit 3/31/2010 12:09:37 PM Security >>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>> >>>> These Windows services are started: >>>> >>>> Automatic Updates >>>> COM+ Event System >>>> Cryptographic Services >>>> DCOM Server Process Launcher >>>> DHCP Client >>>> Distributed Link Tracking Client >>>> DNS Client >>>> Error Reporting Service >>>> Event Log >>>> Fast User Switching Compatibility >>>> Help and Support >>>> IPSEC Services >>>> Network Connections >>>> Network Location Awareness (NLA) >>>> Plug and Play >>>> Print Spooler >>>> Protected Storage >>>> Remote Access Connection Manager >>>> Remote Procedure Call (RPC) >>>> Secondary Logon >>>> Security Accounts Manager >>>> Server >>>> Shell Hardware Detection >>>> System Event Notification >>>> Task Scheduler >>>> TCP/IP NetBIOS Helper >>>> Telephony >>>> Terminal Services >>>> Themes >>>> WebClient >>>> Windows Audio >>>> Windows Firewall/Internet Connection Sharing (ICS) >>>> Windows Management Instrumentation >>>> Wireless Zero Configuration >>>> Workstation >>>> >>>> The command completed successfully. >>>> >>>> >>>> Image Name PID Services >>>> ========================= ====== >>>> ============================================= >>>> System Idle Process 0 N/A >>>> System 4 N/A >>>> smss.exe 1200 N/A >>>> csrss.exe 1280 N/A >>>> winlogon.exe 1312 N/A >>>> services.exe 1356 Eventlog, PlugPlay >>>> lsass.exe 1368 PolicyAgent, ProtectedStorage, SamSs >>>> svchost.exe 1528 DcomLaunch, TermService >>>> svchost.exe 1628 RpcSs >>>> svchost.exe 1784 AudioSrv, CryptSvc, Dhcp, ERSvc, >>>> EventSystem, >>>> FastUserSwitchingCompatibility, >>>> helpsvc, lanmanserver, >>>> lanmanworkstation, >>>> Netman, Nla, RasMan, Schedule, >>>> seclogon, >>>> SENS, SharedAccess, ShellHWDetection, >>>> TapiSrv, Themes, TrkWks, winmgmt, >>>> wuauserv, >>>> WZCSVC >>>> svchost.exe 1928 Dnscache >>>> svchost.exe 240 LmHosts >>>> spoolsv.exe 552 Spooler >>>> explorer.exe 772 N/A >>>> svchost.exe 872 WebClient >>>> mmc.exe 1452 N/A >>>> EditPadLite.exe 172 N/A >>>> cmd.exe 1672 N/A >>>> ntvdm.exe 568 N/A >>>> tasklist.exe 296 N/A >>>> wmiprvse.exe 1572 N/A >>>> >>>> I think that's the lot. Note that I started it at 12:09 and at 1:26 >>>> an event interrupted the hibernation process. >>>> I can show you the details of those two events, if you like. >>>> I don't recall seeing events of that type before. Logon/logoff? >>>> Not by me. Privilege use? Huh? >>> >>> This is from your 'Clean Boot" on the clone? >>> >>> Logon Type 5 is a service logon, a service logged on to do a task. >>> >>> John >> Yes, John. I have been doing *all* of this testing and recording on >> the clone system, which I Clean Boot every time I make one of >> these 3-hour attempts to hibernate. > > So we went from 2 hours hibernate to 3 hours... or did I forget to move > my clock ahead... <g> > > >> ... It may have logged on >> to do a task, but it was no scheduled task that I can track down, >> and I was away from the machine. It sits with a black screen, idle, >> with the tower's power-on light flashing, and suddenly the screen >> comes on, with my desktop, and the period of waiting for it to go >> to hibernation has been interrupted. > > Maybe it's a screen saver... make sure that none are selected to run. > >> What next? > > Philosophy 101... Or disable more unneeded stuff... or look at loaded > modules. It's easier to disable unneeded stuff for now, but if you want > to look at loaded modules copy and paste this in the Start menu Run box > and press <Enter>: > > msinfo32 /category SWEnvLoadedModules > > If something looks out of whack there, investigate. Modules that are > loaded outside the \Windows path are not needed. > >> I'm not going to look at that clock matter, unless you tell me to. >> One thing at a time...... > > You don't need to bother with the time service, set your clock manually > and keep the time service disabled until you fix the hibernate problem. > You can check the current time here: http://www.time.gov/ > > So, what's the thing with the 3 hour hibernate... does it hibernate at 2 > hours? Or 1 hour? > > There are six Windows NT critical services, you have more than thirty > running services. Hibernation (probably) can't run on the six services > but weeding the list probably won't hurt your troubleshooting efforts. > > Candidates for outright removal (for troubleshooting set to manual start): > > Automatic Updates > Distributed Link Tracking Client > DNS Client > Error Reporting Service > Fast User Switching Compatibility > Network Location Awareness (NLA) > Print Spooler > Remote Access Connection Manager > Secondary Logon > Server > Task Scheduler > TCP/IP NetBIOS Helper > WebClient > > > Note: The Server service is the biggest hole on your computer. When > this service is running the drawbridge is down. If you don't want > anybody in, pull up the drawbridge. Remote services can't execute if > the Server service is disabled. > > John John, the 3 hours is just a typo. Don't sweat it. I'll set all those to Manual and see if anything changes.
From: William B. Lurie on 1 Apr 2010 09:19 William B. Lurie wrote: > John John - MVP wrote: >> William B. Lurie wrote: >> >>>>> >>>>> Event Type: Success Audit >>>>> Event Source: Security >>>>> Event Category: Logon/Logoff >>>>> Event ID: 528 >>>>> Date: 3/31/2010 >>>>> Time: 1:26:17 PM >>>>> User: NT AUTHORITY\NETWORK SERVICE >>>>> Computer: COMPAQ-2006 >>>>> Description: >>>>> Successful Logon: >>>>> User Name: NETWORK SERVICE >>>>> Domain: NT AUTHORITY >>>>> Logon ID: (0x0,0x3E4) >>>>> Logon Type: 5 >>>>> Logon Process: Advapi >>>>> Authentication Package: Negotiate >>>>> Workstation Name: Logon GUID: >>>>> {00000000-0000-0000-0000-000000000000} >>>>> >>>>> For more information, see Help and Support Center at >>>>> http://go.microsoft.com/fwlink/events.asp. >>>>> >>>>> Type Date Time Source Category Event User >>>>> Computer >>>>> Success Audit 3/31/2010 1:26:17 PM Security Privilege >>>>> Use 576 NETWORK SERVICE COMPAQ-2006 >>>>> Success Audit 3/31/2010 1:26:17 PM Security >>>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>>> Success Audit 3/31/2010 12:09:37 PM Security Privilege >>>>> Use 576 NETWORK SERVICE COMPAQ-2006 >>>>> Success Audit 3/31/2010 12:09:37 PM Security >>>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>>> >>>>> These Windows services are started: >>>>> >>>>> Automatic Updates >>>>> COM+ Event System >>>>> Cryptographic Services >>>>> DCOM Server Process Launcher >>>>> DHCP Client >>>>> Distributed Link Tracking Client >>>>> DNS Client >>>>> Error Reporting Service >>>>> Event Log >>>>> Fast User Switching Compatibility >>>>> Help and Support >>>>> IPSEC Services >>>>> Network Connections >>>>> Network Location Awareness (NLA) >>>>> Plug and Play >>>>> Print Spooler >>>>> Protected Storage >>>>> Remote Access Connection Manager >>>>> Remote Procedure Call (RPC) >>>>> Secondary Logon >>>>> Security Accounts Manager >>>>> Server >>>>> Shell Hardware Detection >>>>> System Event Notification >>>>> Task Scheduler >>>>> TCP/IP NetBIOS Helper >>>>> Telephony >>>>> Terminal Services >>>>> Themes >>>>> WebClient >>>>> Windows Audio >>>>> Windows Firewall/Internet Connection Sharing (ICS) >>>>> Windows Management Instrumentation >>>>> Wireless Zero Configuration >>>>> Workstation >>>>> >>>>> The command completed successfully. >>>>> >>>>> >>>>> Image Name PID Services >>>>> ========================= ====== >>>>> ============================================= >>>>> System Idle Process 0 N/A >>>>> System 4 N/A >>>>> smss.exe 1200 N/A >>>>> csrss.exe 1280 N/A >>>>> winlogon.exe 1312 N/A >>>>> services.exe 1356 Eventlog, PlugPlay >>>>> lsass.exe 1368 PolicyAgent, ProtectedStorage, SamSs >>>>> svchost.exe 1528 DcomLaunch, TermService >>>>> svchost.exe 1628 RpcSs >>>>> svchost.exe 1784 AudioSrv, CryptSvc, Dhcp, ERSvc, >>>>> EventSystem, >>>>> FastUserSwitchingCompatibility, >>>>> helpsvc, lanmanserver, >>>>> lanmanworkstation, >>>>> Netman, Nla, RasMan, Schedule, >>>>> seclogon, >>>>> SENS, SharedAccess, ShellHWDetection, >>>>> TapiSrv, Themes, TrkWks, winmgmt, >>>>> wuauserv, >>>>> WZCSVC >>>>> svchost.exe 1928 Dnscache >>>>> svchost.exe 240 LmHosts >>>>> spoolsv.exe 552 Spooler >>>>> explorer.exe 772 N/A >>>>> svchost.exe 872 WebClient >>>>> mmc.exe 1452 N/A >>>>> EditPadLite.exe 172 N/A >>>>> cmd.exe 1672 N/A >>>>> ntvdm.exe 568 N/A >>>>> tasklist.exe 296 N/A >>>>> wmiprvse.exe 1572 N/A >>>>> >>>>> I think that's the lot. Note that I started it at 12:09 and at >>>>> 1:26 an event interrupted the hibernation process. >>>>> I can show you the details of those two events, if you like. >>>>> I don't recall seeing events of that type before. Logon/logoff? >>>>> Not by me. Privilege use? Huh? >>>> >>>> This is from your 'Clean Boot" on the clone? >>>> >>>> Logon Type 5 is a service logon, a service logged on to do a task. >>>> >>>> John >>> Yes, John. I have been doing *all* of this testing and recording on >>> the clone system, which I Clean Boot every time I make one of >>> these 3-hour attempts to hibernate. >> >> So we went from 2 hours hibernate to 3 hours... or did I forget to >> move my clock ahead... <g> >> >> >>> ... It may have logged on >>> to do a task, but it was no scheduled task that I can track down, >>> and I was away from the machine. It sits with a black screen, idle, >>> with the tower's power-on light flashing, and suddenly the screen >>> comes on, with my desktop, and the period of waiting for it to go >>> to hibernation has been interrupted. >> >> Maybe it's a screen saver... make sure that none are selected to run. >> >>> What next? >> >> Philosophy 101... Or disable more unneeded stuff... or look at loaded >> modules. It's easier to disable unneeded stuff for now, but if you >> want to look at loaded modules copy and paste this in the Start menu >> Run box and press <Enter>: >> >> msinfo32 /category SWEnvLoadedModules >> >> If something looks out of whack there, investigate. Modules that are >> loaded outside the \Windows path are not needed. >> >>> I'm not going to look at that clock matter, unless you tell me to. >>> One thing at a time...... >> >> You don't need to bother with the time service, set your clock >> manually and keep the time service disabled until you fix the >> hibernate problem. You can check the current time here: >> http://www.time.gov/ >> >> So, what's the thing with the 3 hour hibernate... does it hibernate at >> 2 hours? Or 1 hour? >> >> There are six Windows NT critical services, you have more than thirty >> running services. Hibernation (probably) can't run on the six >> services but weeding the list probably won't hurt your troubleshooting >> efforts. >> >> Candidates for outright removal (for troubleshooting set to manual >> start): >> >> Automatic Updates >> Distributed Link Tracking Client >> DNS Client >> Error Reporting Service >> Fast User Switching Compatibility >> Network Location Awareness (NLA) >> Print Spooler >> Remote Access Connection Manager >> Secondary Logon >> Server >> Task Scheduler >> TCP/IP NetBIOS Helper >> WebClient >> >> >> Note: The Server service is the biggest hole on your computer. When >> this service is running the drawbridge is down. If you don't want >> anybody in, pull up the drawbridge. Remote services can't execute if >> the Server service is disabled. >> >> John > > John, the 3 hours is just a typo. Don't sweat it. > > I'll set all those to Manual and see if anything changes. Okay, now 0930....Did as suggested. All above now Manual. Started 6:45 A.M., at 0800 it reverted to Desktop, and at 8:05 monitor was dark and power light flashing. I stopped it and got following Events, net start and tasklist. Note one request, that chkdsk/r be run because of corrupt etc. First time that came around. Note other events, especially at start of run. > These Windows services are started: > > COM+ Event System > Cryptographic Services > DCOM Server Process Launcher > DHCP Client > Event Log > Fast User Switching Compatibility > Help and Support > IPSEC Services > Network Connections > Network Location Awareness (NLA) > Plug and Play > Protected Storage > Remote Access Connection Manager > Remote Procedure Call (RPC) > Security Accounts Manager > Server > Shell Hardware Detection > System Event Notification > Telephony > Terminal Services > Themes > Windows Audio > Windows Firewall/Internet Connection Sharing (ICS) > Windows Management Instrumentation > Wireless Zero Configuration > Workstation > > The command completed successfully. > Image Name PID Services ========================= ====== ============================================= System Idle Process 0 N/A System 4 N/A smss.exe 1200 N/A csrss.exe 1280 N/A winlogon.exe 1312 N/A services.exe 1356 Eventlog, PlugPlay lsass.exe 1368 PolicyAgent, ProtectedStorage, SamSs svchost.exe 1536 DcomLaunch, TermService svchost.exe 1636 RpcSs svchost.exe 1792 AudioSrv, CryptSvc, Dhcp, EventSystem, FastUserSwitchingCompatibility, helpsvc, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, SENS, SharedAccess, ShellHWDetection, TapiSrv, Themes, winmgmt, WZCSVC explorer.exe 632 N/A ctfmon.exe 1548 N/A EditPadLite.exe 1720 N/A cmd.exe 1808 N/A tasklist.exe 356 N/A wmiprvse.exe 228 N/A Event Type: Error Event Source: DCOM Event Category: None Event ID: 10005 Date: 4/1/2010 Time: 6:40:36 AM User: COMPAQ-2006\Compaq_Owner Computer: COMPAQ-2006 Description: DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event Type: Error Event Source: DCOM Event Category: None Event ID: 10005 Date: 4/1/2010 Time: 6:35:10 AM User: COMPAQ-2006\Compaq_Owner Computer: COMPAQ-2006 Description: DCOM got error "The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. " attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event Type: Error Event Source: Ntfs Event Category: Disk Event ID: 55 Date: 4/1/2010 Time: 6:42:47 AM User: N/A Computer: COMPAQ-2006 Description: The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume R:. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 0d 00 00 00 02 00 4e 00 ......N. 0008: 02 00 00 00 37 00 04 c0 ....7..� 0010: 00 00 00 00 32 00 00 c0 ....2..� 0018: 00 00 00 00 00 00 00 00 ........ 0020: 00 00 00 00 00 00 00 00 ........ Event Type: Error Event Source: Service Control Manager Event Category: None Event ID: 7026 Date: 4/1/2010 Time: 6:44:25 AM User: N/A Computer: COMPAQ-2006 Description: The following boot-start or system-start driver(s) failed to load: ftsata2 KLIF For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Especially note this last one, which has been seen on almost every run.
From: John John - MVP on 1 Apr 2010 09:44 William B. Lurie wrote: > William B. Lurie wrote: >> John John - MVP wrote: >>> William B. Lurie wrote: >>> >>>>>> >>>>>> Event Type: Success Audit >>>>>> Event Source: Security >>>>>> Event Category: Logon/Logoff >>>>>> Event ID: 528 >>>>>> Date: 3/31/2010 >>>>>> Time: 1:26:17 PM >>>>>> User: NT AUTHORITY\NETWORK SERVICE >>>>>> Computer: COMPAQ-2006 >>>>>> Description: >>>>>> Successful Logon: >>>>>> User Name: NETWORK SERVICE >>>>>> Domain: NT AUTHORITY >>>>>> Logon ID: (0x0,0x3E4) >>>>>> Logon Type: 5 >>>>>> Logon Process: Advapi >>>>>> Authentication Package: Negotiate >>>>>> Workstation Name: Logon GUID: >>>>>> {00000000-0000-0000-0000-000000000000} >>>>>> >>>>>> For more information, see Help and Support Center at >>>>>> http://go.microsoft.com/fwlink/events.asp. >>>>>> >>>>>> Type Date Time Source Category Event User >>>>>> Computer >>>>>> Success Audit 3/31/2010 1:26:17 PM Security Privilege >>>>>> Use 576 NETWORK SERVICE COMPAQ-2006 >>>>>> Success Audit 3/31/2010 1:26:17 PM Security >>>>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>>>> Success Audit 3/31/2010 12:09:37 PM Security Privilege >>>>>> Use 576 NETWORK SERVICE COMPAQ-2006 >>>>>> Success Audit 3/31/2010 12:09:37 PM Security >>>>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>>>> >>>>>> These Windows services are started: >>>>>> >>>>>> Automatic Updates >>>>>> COM+ Event System >>>>>> Cryptographic Services >>>>>> DCOM Server Process Launcher >>>>>> DHCP Client >>>>>> Distributed Link Tracking Client >>>>>> DNS Client >>>>>> Error Reporting Service >>>>>> Event Log >>>>>> Fast User Switching Compatibility >>>>>> Help and Support >>>>>> IPSEC Services >>>>>> Network Connections >>>>>> Network Location Awareness (NLA) >>>>>> Plug and Play >>>>>> Print Spooler >>>>>> Protected Storage >>>>>> Remote Access Connection Manager >>>>>> Remote Procedure Call (RPC) >>>>>> Secondary Logon >>>>>> Security Accounts Manager >>>>>> Server >>>>>> Shell Hardware Detection >>>>>> System Event Notification >>>>>> Task Scheduler >>>>>> TCP/IP NetBIOS Helper >>>>>> Telephony >>>>>> Terminal Services >>>>>> Themes >>>>>> WebClient >>>>>> Windows Audio >>>>>> Windows Firewall/Internet Connection Sharing (ICS) >>>>>> Windows Management Instrumentation >>>>>> Wireless Zero Configuration >>>>>> Workstation >>>>>> >>>>>> The command completed successfully. >>>>>> >>>>>> >>>>>> Image Name PID Services >>>>>> ========================= ====== >>>>>> ============================================= >>>>>> System Idle Process 0 N/A >>>>>> System 4 N/A >>>>>> smss.exe 1200 N/A >>>>>> csrss.exe 1280 N/A >>>>>> winlogon.exe 1312 N/A >>>>>> services.exe 1356 Eventlog, PlugPlay >>>>>> lsass.exe 1368 PolicyAgent, ProtectedStorage, SamSs >>>>>> svchost.exe 1528 DcomLaunch, TermService >>>>>> svchost.exe 1628 RpcSs >>>>>> svchost.exe 1784 AudioSrv, CryptSvc, Dhcp, ERSvc, >>>>>> EventSystem, >>>>>> FastUserSwitchingCompatibility, >>>>>> helpsvc, lanmanserver, >>>>>> lanmanworkstation, >>>>>> Netman, Nla, RasMan, Schedule, >>>>>> seclogon, >>>>>> SENS, SharedAccess, >>>>>> ShellHWDetection, >>>>>> TapiSrv, Themes, TrkWks, winmgmt, >>>>>> wuauserv, >>>>>> WZCSVC >>>>>> svchost.exe 1928 Dnscache >>>>>> svchost.exe 240 LmHosts >>>>>> spoolsv.exe 552 Spooler >>>>>> explorer.exe 772 N/A >>>>>> svchost.exe 872 WebClient >>>>>> mmc.exe 1452 N/A >>>>>> EditPadLite.exe 172 N/A >>>>>> cmd.exe 1672 N/A >>>>>> ntvdm.exe 568 N/A >>>>>> tasklist.exe 296 N/A >>>>>> wmiprvse.exe 1572 N/A >>>>>> >>>>>> I think that's the lot. Note that I started it at 12:09 and at >>>>>> 1:26 an event interrupted the hibernation process. >>>>>> I can show you the details of those two events, if you like. >>>>>> I don't recall seeing events of that type before. Logon/logoff? >>>>>> Not by me. Privilege use? Huh? >>>>> >>>>> This is from your 'Clean Boot" on the clone? >>>>> >>>>> Logon Type 5 is a service logon, a service logged on to do a task. >>>>> >>>>> John >>>> Yes, John. I have been doing *all* of this testing and recording on >>>> the clone system, which I Clean Boot every time I make one of >>>> these 3-hour attempts to hibernate. >>> >>> So we went from 2 hours hibernate to 3 hours... or did I forget to >>> move my clock ahead... <g> >>> >>> >>>> ... It may have logged on >>>> to do a task, but it was no scheduled task that I can track down, >>>> and I was away from the machine. It sits with a black screen, idle, >>>> with the tower's power-on light flashing, and suddenly the screen >>>> comes on, with my desktop, and the period of waiting for it to go >>>> to hibernation has been interrupted. >>> >>> Maybe it's a screen saver... make sure that none are selected to run. >>> >>>> What next? >>> >>> Philosophy 101... Or disable more unneeded stuff... or look at >>> loaded modules. It's easier to disable unneeded stuff for now, but >>> if you want to look at loaded modules copy and paste this in the >>> Start menu Run box and press <Enter>: >>> >>> msinfo32 /category SWEnvLoadedModules >>> >>> If something looks out of whack there, investigate. Modules that are >>> loaded outside the \Windows path are not needed. >>> >>>> I'm not going to look at that clock matter, unless you tell me to. >>>> One thing at a time...... >>> >>> You don't need to bother with the time service, set your clock >>> manually and keep the time service disabled until you fix the >>> hibernate problem. You can check the current time here: >>> http://www.time.gov/ >>> >>> So, what's the thing with the 3 hour hibernate... does it hibernate >>> at 2 hours? Or 1 hour? >>> >>> There are six Windows NT critical services, you have more than thirty >>> running services. Hibernation (probably) can't run on the six >>> services but weeding the list probably won't hurt your >>> troubleshooting efforts. >>> >>> Candidates for outright removal (for troubleshooting set to manual >>> start): >>> >>> Automatic Updates >>> Distributed Link Tracking Client >>> DNS Client >>> Error Reporting Service >>> Fast User Switching Compatibility >>> Network Location Awareness (NLA) >>> Print Spooler >>> Remote Access Connection Manager >>> Secondary Logon >>> Server >>> Task Scheduler >>> TCP/IP NetBIOS Helper >>> WebClient >>> >>> >>> Note: The Server service is the biggest hole on your computer. When >>> this service is running the drawbridge is down. If you don't want >>> anybody in, pull up the drawbridge. Remote services can't execute if >>> the Server service is disabled. >>> >>> John >> >> John, the 3 hours is just a typo. Don't sweat it. >> >> I'll set all those to Manual and see if anything changes. > > Okay, now 0930....Did as suggested. All above now Manual. > Started 6:45 A.M., at 0800 it reverted to Desktop, and at > 8:05 monitor was dark and power light flashing. I stopped > it and got following Events, net start and tasklist. > Note one request, that chkdsk/r be run because of corrupt etc. > First time that came around. Note other events, especially at start of run. > >> These Windows services are started: >> >> COM+ Event System >> Cryptographic Services >> DCOM Server Process Launcher >> DHCP Client >> Event Log >> Fast User Switching Compatibility >> Help and Support >> IPSEC Services >> Network Connections >> Network Location Awareness (NLA) >> Plug and Play >> Protected Storage >> Remote Access Connection Manager >> Remote Procedure Call (RPC) >> Security Accounts Manager >> Server >> Shell Hardware Detection >> System Event Notification >> Telephony >> Terminal Services >> Themes >> Windows Audio >> Windows Firewall/Internet Connection Sharing (ICS) >> Windows Management Instrumentation >> Wireless Zero Configuration >> Workstation >> >> The command completed successfully. >> > > Image Name PID Services > ========================= ====== > ============================================= > System Idle Process 0 N/A > System 4 N/A > smss.exe 1200 N/A > csrss.exe 1280 N/A > winlogon.exe 1312 N/A > services.exe 1356 Eventlog, PlugPlay > lsass.exe 1368 PolicyAgent, ProtectedStorage, SamSs > svchost.exe 1536 DcomLaunch, TermService > svchost.exe 1636 RpcSs > svchost.exe 1792 AudioSrv, CryptSvc, Dhcp, EventSystem, > FastUserSwitchingCompatibility, helpsvc, > lanmanserver, lanmanworkstation, Netman, > Nla, RasMan, SENS, SharedAccess, > ShellHWDetection, TapiSrv, Themes, > winmgmt, > WZCSVC > explorer.exe 632 N/A > ctfmon.exe 1548 N/A > EditPadLite.exe 1720 N/A > cmd.exe 1808 N/A > tasklist.exe 356 N/A > wmiprvse.exe 228 N/A > > Event Type: Error > Event Source: DCOM > Event Category: None > Event ID: 10005 > Date: 4/1/2010 > Time: 6:40:36 AM > User: COMPAQ-2006\Compaq_Owner > Computer: COMPAQ-2006 > Description: > DCOM got error "The service cannot be started, either because it is > disabled or because it has no enabled devices associated with it. " > attempting to start the service MDM with arguments "" in order to run > the server: > {0C0A3666-30C9-11D0-8F20-00805F2CD064} > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > > Event Type: Error > Event Source: DCOM > Event Category: None > Event ID: 10005 > Date: 4/1/2010 > Time: 6:35:10 AM > User: COMPAQ-2006\Compaq_Owner > Computer: COMPAQ-2006 > Description: > DCOM got error "The service cannot be started, either because it is > disabled or because it has no enabled devices associated with it. " > attempting to start the service MDM with arguments "" in order to run > the server: > {0C0A3666-30C9-11D0-8F20-00805F2CD064} > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > > Event Type: Error > Event Source: Ntfs > Event Category: Disk > Event ID: 55 > Date: 4/1/2010 > Time: 6:42:47 AM > User: N/A > Computer: COMPAQ-2006 > Description: > The file system structure on the disk is corrupt and unusable. Please > run the chkdsk utility on the volume R:. > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > Data: > 0000: 0d 00 00 00 02 00 4e 00 ......N. > 0008: 02 00 00 00 37 00 04 c0 ....7..� > 0010: 00 00 00 00 32 00 00 c0 ....2..� > 0018: 00 00 00 00 00 00 00 00 ........ > 0020: 00 00 00 00 00 00 00 00 ........ > > Event Type: Error > Event Source: Service Control Manager > Event Category: None > Event ID: 7026 > Date: 4/1/2010 > Time: 6:44:25 AM > User: N/A > Computer: COMPAQ-2006 > Description: > The following boot-start or system-start driver(s) failed to load: > ftsata2 > KLIF Is that an updated and current list of started Windows services? You discussed about those two drivers with another poster not too long ago. ftsata2: Do you now, or did you at any time have a Promise controller installed? KLIF: Do you now or did you at any time have Kaspersky AV software installed on the machine? The chkdsk message... What do you have stored on volume R? John
From: William B. Lurie on 1 Apr 2010 10:14 John John - MVP wrote: > William B. Lurie wrote: >> William B. Lurie wrote: >>> John John - MVP wrote: >>>> William B. Lurie wrote: >>>> >>>>>>> >>>>>>> Event Type: Success Audit >>>>>>> Event Source: Security >>>>>>> Event Category: Logon/Logoff >>>>>>> Event ID: 528 >>>>>>> Date: 3/31/2010 >>>>>>> Time: 1:26:17 PM >>>>>>> User: NT AUTHORITY\NETWORK SERVICE >>>>>>> Computer: COMPAQ-2006 >>>>>>> Description: >>>>>>> Successful Logon: >>>>>>> User Name: NETWORK SERVICE >>>>>>> Domain: NT AUTHORITY >>>>>>> Logon ID: (0x0,0x3E4) >>>>>>> Logon Type: 5 >>>>>>> Logon Process: Advapi >>>>>>> Authentication Package: Negotiate >>>>>>> Workstation Name: Logon GUID: >>>>>>> {00000000-0000-0000-0000-000000000000} >>>>>>> >>>>>>> For more information, see Help and Support Center at >>>>>>> http://go.microsoft.com/fwlink/events.asp. >>>>>>> >>>>>>> Type Date Time Source Category Event User >>>>>>> Computer >>>>>>> Success Audit 3/31/2010 1:26:17 PM Security Privilege >>>>>>> Use 576 NETWORK SERVICE COMPAQ-2006 >>>>>>> Success Audit 3/31/2010 1:26:17 PM Security >>>>>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>>>>> Success Audit 3/31/2010 12:09:37 PM Security >>>>>>> Privilege Use 576 NETWORK SERVICE COMPAQ-2006 >>>>>>> Success Audit 3/31/2010 12:09:37 PM Security >>>>>>> Logon/Logoff 528 NETWORK SERVICE COMPAQ-2006 >>>>>>> >>>>>>> These Windows services are started: >>>>>>> >>>>>>> Automatic Updates >>>>>>> COM+ Event System >>>>>>> Cryptographic Services >>>>>>> DCOM Server Process Launcher >>>>>>> DHCP Client >>>>>>> Distributed Link Tracking Client >>>>>>> DNS Client >>>>>>> Error Reporting Service >>>>>>> Event Log >>>>>>> Fast User Switching Compatibility >>>>>>> Help and Support >>>>>>> IPSEC Services >>>>>>> Network Connections >>>>>>> Network Location Awareness (NLA) >>>>>>> Plug and Play >>>>>>> Print Spooler >>>>>>> Protected Storage >>>>>>> Remote Access Connection Manager >>>>>>> Remote Procedure Call (RPC) >>>>>>> Secondary Logon >>>>>>> Security Accounts Manager >>>>>>> Server >>>>>>> Shell Hardware Detection >>>>>>> System Event Notification >>>>>>> Task Scheduler >>>>>>> TCP/IP NetBIOS Helper >>>>>>> Telephony >>>>>>> Terminal Services >>>>>>> Themes >>>>>>> WebClient >>>>>>> Windows Audio >>>>>>> Windows Firewall/Internet Connection Sharing (ICS) >>>>>>> Windows Management Instrumentation >>>>>>> Wireless Zero Configuration >>>>>>> Workstation >>>>>>> >>>>>>> The command completed successfully. >>>>>>> >>>>>>> >>>>>>> Image Name PID Services >>>>>>> ========================= ====== >>>>>>> ============================================= >>>>>>> System Idle Process 0 N/A >>>>>>> System 4 N/A >>>>>>> smss.exe 1200 N/A >>>>>>> csrss.exe 1280 N/A >>>>>>> winlogon.exe 1312 N/A >>>>>>> services.exe 1356 Eventlog, PlugPlay >>>>>>> lsass.exe 1368 PolicyAgent, ProtectedStorage, >>>>>>> SamSs >>>>>>> svchost.exe 1528 DcomLaunch, TermService >>>>>>> svchost.exe 1628 RpcSs >>>>>>> svchost.exe 1784 AudioSrv, CryptSvc, Dhcp, ERSvc, >>>>>>> EventSystem, >>>>>>> FastUserSwitchingCompatibility, >>>>>>> helpsvc, lanmanserver, >>>>>>> lanmanworkstation, >>>>>>> Netman, Nla, RasMan, Schedule, >>>>>>> seclogon, >>>>>>> SENS, SharedAccess, >>>>>>> ShellHWDetection, >>>>>>> TapiSrv, Themes, TrkWks, >>>>>>> winmgmt, wuauserv, >>>>>>> WZCSVC >>>>>>> svchost.exe 1928 Dnscache >>>>>>> svchost.exe 240 LmHosts >>>>>>> spoolsv.exe 552 Spooler >>>>>>> explorer.exe 772 N/A >>>>>>> svchost.exe 872 WebClient >>>>>>> mmc.exe 1452 N/A >>>>>>> EditPadLite.exe 172 N/A >>>>>>> cmd.exe 1672 N/A >>>>>>> ntvdm.exe 568 N/A >>>>>>> tasklist.exe 296 N/A >>>>>>> wmiprvse.exe 1572 N/A >>>>>>> >>>>>>> I think that's the lot. Note that I started it at 12:09 and at >>>>>>> 1:26 an event interrupted the hibernation process. >>>>>>> I can show you the details of those two events, if you like. >>>>>>> I don't recall seeing events of that type before. Logon/logoff? >>>>>>> Not by me. Privilege use? Huh? >>>>>> >>>>>> This is from your 'Clean Boot" on the clone? >>>>>> >>>>>> Logon Type 5 is a service logon, a service logged on to do a task. >>>>>> >>>>>> John >>>>> Yes, John. I have been doing *all* of this testing and recording on >>>>> the clone system, which I Clean Boot every time I make one of >>>>> these 3-hour attempts to hibernate. >>>> >>>> So we went from 2 hours hibernate to 3 hours... or did I forget to >>>> move my clock ahead... <g> >>>> >>>> >>>>> ... It may have logged on >>>>> to do a task, but it was no scheduled task that I can track down, >>>>> and I was away from the machine. It sits with a black screen, idle, >>>>> with the tower's power-on light flashing, and suddenly the screen >>>>> comes on, with my desktop, and the period of waiting for it to go >>>>> to hibernation has been interrupted. >>>> >>>> Maybe it's a screen saver... make sure that none are selected to run. >>>> >>>>> What next? >>>> >>>> Philosophy 101... Or disable more unneeded stuff... or look at >>>> loaded modules. It's easier to disable unneeded stuff for now, but >>>> if you want to look at loaded modules copy and paste this in the >>>> Start menu Run box and press <Enter>: >>>> >>>> msinfo32 /category SWEnvLoadedModules >>>> >>>> If something looks out of whack there, investigate. Modules that >>>> are loaded outside the \Windows path are not needed. >>>> >>>>> I'm not going to look at that clock matter, unless you tell me to. >>>>> One thing at a time...... >>>> >>>> You don't need to bother with the time service, set your clock >>>> manually and keep the time service disabled until you fix the >>>> hibernate problem. You can check the current time here: >>>> http://www.time.gov/ >>>> >>>> So, what's the thing with the 3 hour hibernate... does it hibernate >>>> at 2 hours? Or 1 hour? >>>> >>>> There are six Windows NT critical services, you have more than >>>> thirty running services. Hibernation (probably) can't run on the >>>> six services but weeding the list probably won't hurt your >>>> troubleshooting efforts. >>>> >>>> Candidates for outright removal (for troubleshooting set to manual >>>> start): >>>> >>>> Automatic Updates >>>> Distributed Link Tracking Client >>>> DNS Client >>>> Error Reporting Service >>>> Fast User Switching Compatibility >>>> Network Location Awareness (NLA) >>>> Print Spooler >>>> Remote Access Connection Manager >>>> Secondary Logon >>>> Server >>>> Task Scheduler >>>> TCP/IP NetBIOS Helper >>>> WebClient >>>> >>>> >>>> Note: The Server service is the biggest hole on your computer. >>>> When this service is running the drawbridge is down. If you don't >>>> want anybody in, pull up the drawbridge. Remote services can't >>>> execute if the Server service is disabled. >>>> >>>> John >>> >>> John, the 3 hours is just a typo. Don't sweat it. >>> >>> I'll set all those to Manual and see if anything changes. >> >> Okay, now 0930....Did as suggested. All above now Manual. >> Started 6:45 A.M., at 0800 it reverted to Desktop, and at >> 8:05 monitor was dark and power light flashing. I stopped >> it and got following Events, net start and tasklist. >> Note one request, that chkdsk/r be run because of corrupt etc. >> First time that came around. Note other events, especially at start of >> run. >> >>> These Windows services are started: >>> >>> COM+ Event System >>> Cryptographic Services >>> DCOM Server Process Launcher >>> DHCP Client >>> Event Log >>> Fast User Switching Compatibility >>> Help and Support >>> IPSEC Services >>> Network Connections >>> Network Location Awareness (NLA) >>> Plug and Play >>> Protected Storage >>> Remote Access Connection Manager >>> Remote Procedure Call (RPC) >>> Security Accounts Manager >>> Server >>> Shell Hardware Detection >>> System Event Notification >>> Telephony >>> Terminal Services >>> Themes >>> Windows Audio >>> Windows Firewall/Internet Connection Sharing (ICS) >>> Windows Management Instrumentation >>> Wireless Zero Configuration >>> Workstation >>> >>> The command completed successfully. >>> >> >> Image Name PID Services >> ========================= ====== >> ============================================= >> System Idle Process 0 N/A >> System 4 N/A >> smss.exe 1200 N/A >> csrss.exe 1280 N/A >> winlogon.exe 1312 N/A >> services.exe 1356 Eventlog, PlugPlay >> lsass.exe 1368 PolicyAgent, ProtectedStorage, SamSs >> svchost.exe 1536 DcomLaunch, TermService >> svchost.exe 1636 RpcSs >> svchost.exe 1792 AudioSrv, CryptSvc, Dhcp, EventSystem, >> FastUserSwitchingCompatibility, helpsvc, >> lanmanserver, lanmanworkstation, Netman, >> Nla, RasMan, SENS, SharedAccess, >> ShellHWDetection, TapiSrv, Themes, >> winmgmt, >> WZCSVC >> explorer.exe 632 N/A >> ctfmon.exe 1548 N/A >> EditPadLite.exe 1720 N/A >> cmd.exe 1808 N/A >> tasklist.exe 356 N/A >> wmiprvse.exe 228 N/A >> >> Event Type: Error >> Event Source: DCOM >> Event Category: None >> Event ID: 10005 >> Date: 4/1/2010 >> Time: 6:40:36 AM >> User: COMPAQ-2006\Compaq_Owner >> Computer: COMPAQ-2006 >> Description: >> DCOM got error "The service cannot be started, either because it is >> disabled or because it has no enabled devices associated with it. " >> attempting to start the service MDM with arguments "" in order to run >> the server: >> {0C0A3666-30C9-11D0-8F20-00805F2CD064} >> >> For more information, see Help and Support Center at >> http://go.microsoft.com/fwlink/events.asp. >> >> Event Type: Error >> Event Source: DCOM >> Event Category: None >> Event ID: 10005 >> Date: 4/1/2010 >> Time: 6:35:10 AM >> User: COMPAQ-2006\Compaq_Owner >> Computer: COMPAQ-2006 >> Description: >> DCOM got error "The service cannot be started, either because it is >> disabled or because it has no enabled devices associated with it. " >> attempting to start the service MDM with arguments "" in order to run >> the server: >> {0C0A3666-30C9-11D0-8F20-00805F2CD064} >> >> For more information, see Help and Support Center at >> http://go.microsoft.com/fwlink/events.asp. >> >> Event Type: Error >> Event Source: Ntfs >> Event Category: Disk >> Event ID: 55 >> Date: 4/1/2010 >> Time: 6:42:47 AM >> User: N/A >> Computer: COMPAQ-2006 >> Description: >> The file system structure on the disk is corrupt and unusable. Please >> run the chkdsk utility on the volume R:. >> >> For more information, see Help and Support Center at >> http://go.microsoft.com/fwlink/events.asp. >> Data: >> 0000: 0d 00 00 00 02 00 4e 00 ......N. >> 0008: 02 00 00 00 37 00 04 c0 ....7..� >> 0010: 00 00 00 00 32 00 00 c0 ....2..� >> 0018: 00 00 00 00 00 00 00 00 ........ >> 0020: 00 00 00 00 00 00 00 00 ........ >> >> Event Type: Error >> Event Source: Service Control Manager >> Event Category: None >> Event ID: 7026 >> Date: 4/1/2010 >> Time: 6:44:25 AM >> User: N/A >> Computer: COMPAQ-2006 >> Description: >> The following boot-start or system-start driver(s) failed to load: >> ftsata2 >> KLIF > > > Is that an updated and current list of started Windows services? Yes, John, I generate it anew every time I make one of these hibernation runs, so that you can see it right with the Events. > > You discussed about those two drivers with another poster not too long ago. Yes, and now I'll answer your queries: > > ftsata2: Do you now, or did you at any time have a Promise controller > installed? No, I do not now, and never did. This basic HP machine came with one hard drive, and cabling and slots for two more, which I added. I select which drive to run by interrupting boot process and telling it. > > KLIF: Do you now or did you at any time have Kaspersky AV software > installed on the machine? No, I have used Norton AV steadily for at least 15 years. From the days when Norton was impossible to work with, to the present, where they fix boo-boos by Chat and remote control of their software. > > The chkdsk message... What do you have stored on volume R? Oh, I missed that it was referring to volume R. I have numerous 'restore points' of which that volume is one. I generate these every month or so, using the Save & Restore feature of Norton System Works, which used to be PowerQuest Partition Magic. I keep these in case I have to recreate a system as it was as of an earlier date). I'll chkdsk it routinely but I think we can ignore that Event. > > Bill L.
From: Unknown on 1 Apr 2010 10:57
Thanks. Without sitting at your machine and observing various items I can only go through the process of elimination. It seems something is calling for the internet about every hour. May I ask what you mean when you say Norton fixes their Boo-boos by remote control? "William B. Lurie" <billurie(a)nospam.net> wrote in message news:%23AjmLjS0KHA.332(a)TK2MSFTNGP04.phx.gbl... > Unknown wrote: >> Can you verify the default time is still 0x00093a80 in the registry. If >> it is trying to sync your clock >> too often then perhaps that would prevent hibernation. Savings time >> changeover >> would not be affected. >> "William B. Lurie" <billurie(a)nospam.net> wrote in message >> news:Ok%2360vQ0KHA.6108(a)TK2MSFTNGP06.phx.gbl... >>> Unknown wrote: >>>> Curiosity question. Did you at any time alter the time interval for >>>> when you sync your clock? >>>> Check your registry at: >>>> HKEY_LOCAL_MACHINE\System\currentcontrolset\services\w32Time\TimeProviders\NTPclient >>>> in right pane special poll interval is a hexidecimal count in seconds. >>>> For one week (XP default time) it is 0x00093a80 (604800) >>>> "William B. Lurie" <billurie(a)nospam.net> wrote in message >>> No, I've never been there. It of course did the Savings Time changeover >>> with no hitch at all. This problem goes back way beyond 10 days >>> ago....... >> >> > Just to check back with you, UNk, I checked and my > setting is indeed as you showed, for SpecialPollInterval. > Back to the drawing board......... |