Internet Explorer 8 is not supported by Dial-a-fix at this time. If you have IE 8 installed and run Dial-a-fix, you may receive many "Error 127" messages because Internet Explorer 8 replaces a lot of registerable components with non-registerable ones. This is OK – simply ignore all of the errors. Dial-a-fix is still able to do its thing on other files, and no damage has been done to your system during these error messages.

A future version of Dial-a-fix will support Internet Explorer 8 by ignoring those unregisterable components.

It will support Vista.

Does anyone know why Dial-a-fix sometimes gets an "unspecified error" while trying to unregister MSXML3.DLL? It seems to be new because it's never done that in the past. Apparently you can immediately try it again and Dial-a-fix will then be able to unregister/re-register it. It's weird.

(Update: see the comments for a possible explanation. Short version: just run the same parts of Dial-a-fix again and you shouldn't get the error. If you still have trouble with Windows Updates, try clicking "Flush SoftwareDistribution".)

Superfail part 1
Superfail part 2

Thanks to astute reader Nate Coffey and Dial-a-fix, we've found another DLL registration bug.

The current version of wuaueng.dll provided to Windows 2000 service pack 4 clients has a bug in its DllInstallServer.

In the first picture is a "before" screenshot that shows that all of the SvcHost key values are here. This is a freshly installed Windows 2000 machine that only has Service Pack 4:

Everything's normal

In this second picture, I have visited Windows Update, gotten the latest Windows Update client, closed my browser, and then unregistered the DLL using regsvr32 /u:

Where'd it go?

In this third picture, I have re-registered the DLL using regsvr32 /i, but it caused an error (0x80070057) and only one key was put back. The netsvcs key is lost at this point. In order to fix this, merge this default SvcHost key .reg file.

DllInstallServer is broken.

The error code 0x80070057 is E_INVALIDARG, or invalid parameters/arguments.

The current version of Dial-a-fix will accidentally trigger this because of the malformed DllInstallServer in wuaueng.dll. Once a new, fixed version of the Windows Update client is pushed out, Dial-a-fix will be able to help you again. I'll be filing this as a bug with Microsoft – I hope they fix it.

Edit: be sure to read Superfail part 2 for the solution for afflicted machines.

Twice in 24 hours I've come across "WinBudget" which is some garbage BHO (filename matrix.dll) that gets installed somehow. A few of our customers who don't even venture that deep into the internet (and I know for a fact they don't surf porn sites or download pirated software) got infected by it somehow. I'm guessing it might have been an Outlook/Outlook Express/Internet Explorer zero-day exploit or something.

That was ridiculously easy to remove using RogueRemover and Spybot, but neither was able to find the odd infection left behind:

If you search your drives for folders called 'bak' you may find backup copies of executables from several popular software packages such as Adobe (several products), Nero, Apple (iTunes and Quicktime), Incredimail, Realplayer, Java, and even Norton Antivirus. If you move the contents of each bak folder to its parent directory and overwrite, the infection is gone. Thanks, stupid virus, for making backup copies before infecting files.

The best way to find these folders is like this:
Start > Run > cmd.exe (to get a command prompt)
dir /a /b /s bak

You'll get a list of affected applications. Go into each 'bak' folder and move whatever is in there one level up.

cd bak
move *.* ..

(yes you want to overwrite)

Thanks, WinBudget, or whatever the fuck you are.

Edit: I also found out that WinBudget sticks one or more entries in Internet Explorer's trusted zone list. One is called whataboutadog (dot com) and one is whataboutarabit (sic) (dot com).

This was an odd one – and Googling for "can't double click" is pretty difficult. You get a lot of folks telling you to do the things you already checked (double click speed, try swapping buttons and see if right-clicking twice works, etc).

I decided to create another user as a test and I found out that the new user could double click just fine, so that means the problem probably lies in HKEY_CURRENT_USER. It was immediately obvious:

HKEY_CURRENT_USER\Control Panel\Mouse

DoubleClickHeight and DoubleClickWidth were blank. Not 0, but blank. Why were they blank?! The system was heavily infected but I don't see why a virus/spyware object would set this. Maybe they thought it was funny. I sure didn't. I tried everything else before figuring this out.

(I think) this means that every double click is counted as an accidental double click because these settings seem to control how far apart your double clicks can be before it counts as a drag. If you set it really high (and your double click rate is really low) you can drag an icon all the way across the screen and click again and it will cancel the drag and activate the object!

Also, why are these REG_SZ instead of REG_DWORD? Is there some point to it being a string?

After I fixed this problem, I went over to a co-worker's machine and blanked out the values.

The 2.3 version of Wordpress is annoying the crap out of me.

I was going to edit the previous post, but making a new post will bump everyone's RSS, etc, so I am just making this stub to paste the URLs for each hour:
* 06/15/07 – Hour 1
* 06/15/07 – Hour 2

Don't forget about FREE Dial-a-fix support at Lunarsoft.net! Even if I'm too busy to be around, the regulars there know Dial-a-fix better than anyone and can definitely lead you in the right direction. Also, they'll help you with general computer/tech support problems too, not just with Dial-a-fix.

(Note: this is an article for technicians, so common technical terminology and procedures will not be spelled out.)

Most technicians are familiar with the issue where optical drives disappear from My Computer, only to be found in Device Manager with an exclamation point on them, indicating a problem.

Most technicians also have no idea what filter drivers are, or how this can happen, so I'm here to explain this and show you the proper way to repair a driver whose filter chain is broken.

I've noticed that most people completely blast all of the filter drivers away until it works, and although that works, it's really not the best way to go about things, especially since the other filters might be working properly. Also, don't you want to know the why and the how? This problem can apply to more than just optical drives.

Background information

A filter driver intercepts requests/communication in order to extend or replace functionality in the driver or hardware that it is filtering. There are three types of filter that you should know about: bus filter drivers, upper filter drivers, and lower filter drivers.

A bus filter driver extends functionality (usually for proprietary features) on a bus driver, such as ACPI. An ACPI filter driver, for example, could add additional power management modes or communicate with proprietary modifications to ACPI (such as in laptops).

An upper filter driver filters data between the main driver and the application/operating system service. Microsoft's example: a keyboard filter driver could perform additional security checks before passing the data along to the application or OS/module that is receiving the data.

A lower filter driver filters data between the hardware itself and the main driver, providing extra security/stability or translating proprietary communication into a standard language for the main driver. A good example of this is when you press a button on a piece of hardware: you may have only pressed the button once, but internally, the button may have made electrical contact repeatedly within mere milliseconds, sending more than one signal when only one was intended. A filter driver can recognize that this isn't intended behavior, and can refine the data to expected specifications (it turns multiple contacts into the intended 1 contact). This way, the main driver receives a stream of cleaned/stable data, and from the end user's perspective, everything is OK. Since hardware is physical and anything can go wrong, filter drivers are quite necessary for operating system sanity.

There are two ways to install a filter driver in Windows: at the class level, and at the device level. If you install a keyboard class filter driver, EVERY keyboard you ever install will be filtered by it. If you only install it on the device level (which is done by unique device ID), then it will only filter the exact device that you put it on originally and all other devices, even in the same class, will be unaffected.

Troubleshooting

Here's the part everyone is really reading this for. How do you know when you have a filter driver problem, and how do you properly solve it?

If you go into Device Manager and see a device with an exclamation point on it (CD-ROM or not) you should not immediately try to remove and refresh it. Double-click the device so you can see the error code. If it's anything other than "the drivers aren't installed for this device", then you should click the Details tab.

Pull down the drop-down box on the Details tab and look at the following four items:

  • Device Upper Filters
  • Device Lower Filters
  • Class Upper Filters
  • Class Lower Filters

In each of these sections, there may be zero or more items. Note the name of each item in each section. They are all drivers, so they should be in %systemroot%\System32\Drivers with a .sys extension. If you investigate your CD-ROM drive's filter drivers and notice GEARAspiWDM (for example), then you should find a corresponding GEARAspiWDM.sys file in the %systemroot%\System32\Drivers folder. If you don't find a corresponding file, then you've found a broken driver chain. Your next course of action is to either find the .sys file and put it in System32\Drivers and reboot, or remove the registry entry and reboot. In most cases you'll just be removing the registry entry that is pointing to a non-existent driver.

How does this happen? If you uninstall iTunes (for instance) then it will remove the GEARAspiWDM.sys file and its filter driver entry from the registry. If you then System Restore to a date prior to this uninstallation, it may or may not put back the .sys file but it will definitely put back the registry entry, and thus the filter chain will be broken. This can happen with any device, as all are capable of hosting filter drivers above or below the main driver. Again, this is not exclusive to that well-known CD-ROM drive problem.

Removing the registry entry

If the missing file came from either of the two "Class" filter categories, drill down in Regedit to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class. Hit CTRL+F and type the entry as you saw it in Device Manager (i.e., "GEARAspiWDM", without the .sys part) and try to find it. It should quickly bring you directly to the Upper or Lower filters value that contains this driver's reference. Double-click the value that it was found in (in the right-hand pane of Regedit), and remove just the line of the missing file, leaving everything else alone (specifically anything that DOES actually exist in %systemroot%\System32\Drivers). Make sure that there's only one item per line, that there are no blank lines, and that you are modifying the intended driver. The (Default) value of every class key should describe the class's name in English (i.e., "DVD/CD-ROM Drives").

If the missing file name came from either of the two "Device" filter categories, drill down to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum. Hit CTRL+F and type the entry as you saw it in Device Manager, and remove the line in the same way as explained in the paragraph above this one. If more than one device is using this particular filter, then you will have to search again and remove it from each device.

After you've discovered and removed the offending filter driver entry from the registry, restart the computer. All should be well again at this point, if it was indeed just a filter driver problem. Try not to attempt to remove and reinstall the driver before at least rebooting first, as it should be fixed on the next system startup.
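
The check described above can be run across every class and device key at once instead of clicking through Device Manager. This is an added example, not part of the original article or of Dial-a-fix; it assumes an elevated PowerShell prompt, only reads the registry, and the function name Get-FilterEntry is made up for illustration. The service's ImagePath is printed alongside each hit because that value, not the filter name alone, is what names the driver file.

```powershell
# Read-only audit of filter-driver entries; nothing in the registry is changed.
# Article's rule: each name listed in UpperFilters/LowerFilters should have a
# matching <name>.sys in %systemroot%\System32\Drivers.
$driversDir = Join-Path $env:SystemRoot 'System32\Drivers'
$classRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class'
$enumRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Enum'
$svcRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-FilterEntry {   # hypothetical helper name
    param([string]$KeyPath, [string]$Scope)
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($valueName in 'UpperFilters', 'LowerFilters') {
        # REG_MULTI_SZ comes back as string[]; a missing value is $null.
        foreach ($filter in @($props.$valueName)) {
            if ([string]::IsNullOrWhiteSpace($filter)) { continue }
            $svc = Get-ItemProperty -LiteralPath (Join-Path $svcRoot $filter) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Scope     = $Scope
                # Class keys carry their name in (Default); devices in DeviceDesc.
                Name      = if ($Scope -eq 'Class') { $props.'(default)' } else { $props.DeviceDesc }
                Value     = $valueName
                Filter    = $filter
                SysExists = Test-Path -LiteralPath (Join-Path $driversDir "$filter.sys")
                ImagePath = $svc.ImagePath   # shown for context only
                Key       = $KeyPath -replace '^.*::', ''
            }
        }
    }
}

$classKeys  = Get-ChildItem -LiteralPath $classRoot -ErrorAction SilentlyContinue
# Device instances sit three levels down: Enum\<enumerator>\<device ID>\<instance>.
$deviceKeys = Get-ChildItem -LiteralPath $enumRoot -ErrorAction SilentlyContinue |
    Get-ChildItem -ErrorAction SilentlyContinue |
    Get-ChildItem -ErrorAction SilentlyContinue

$entries = @(
    $classKeys  | ForEach-Object { Get-FilterEntry -KeyPath $_.PSPath -Scope 'Class' }
    $deviceKeys | ForEach-Object { Get-FilterEntry -KeyPath $_.PSPath -Scope 'Device' }
)

# Entries with no matching .sys file are the broken-chain candidates.
$entries | Where-Object { -not $_.SysExists } |
    Format-List Scope, Name, Value, Filter, ImagePath, Key
```

An entry that is flagged but has an ImagePath pointing at a file that exists elsewhere is not a broken chain; check that path before removing anything.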

Ah, I see that Vista's preview handlers crash twice as often as XP's shmedia and shimgvw handlers.

If you open a folder full of movies and pictures, you can almost guarantee COM Surrogate will crash constantly until it gets through every file you have (and it trudges through every subdirectory to do so).

In Explorer, click Organize > Folder and Search Options (or Tools > Folder Options), then go to the View tab. Checkmark Always show icons, never thumbnails.

Edit: As Simon has pointed out in the comments below, the main cause is usually third-party software (of which I was afflicted when I wrote this post). I'm sure one of those retarded codec packs causes it for most people (dear god people, stop using codec packs and just get VLC Player).

Simon Zerafa stated:

The main culprit seems to be older versions of Nero (the Vista Upgrade advisor flags these as incompatible with Vista) and DivX players.

It seems to be caused by third party players and applications that patch those functions in XP / Vista to allow previews in Explorer.

Updating the affected software to Vista compatible versions seems to be the best course of action. Failing that, find Vista-compatible alternatives.

I fixed my first Vista problem last week. My boss brought in his Vista RC1 machine and it was acting oddly. Explorer.exe would take 50% CPU usage (two core CPU) and the Start Menu's pin list wouldn't show up at all. Everything else was working properly (including the All Programs list, and other functions of the Start Menu).

I had to find out whether the pin list problem was the cause or the effect, so I began searching the internet for the location of the pin list. It's nearly impossible to find this information.

After a half hour of digging around with Sysinternals Filemon and Regmon, I wasn't getting anywhere. I used Sysinternals strings.exe on shell32.dll (which I had previously discovered is where the pin list calls & code are stored) and finally found out where the pin list is stored: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
The value Favorites contains the pin list itself. I found that on this Vista machine, there was nothing wrong with the Favorites value. It was the ProgramsCache value that had become corrupted. After deleting the key and restarting Explorer, the pin list came back up and all of the CPU usage went away. Problem solved. (This all works the same in Windows XP.)
