Windows 7 Forums



Windows 7: Computer finding corrupt files in SFC and explorer.exe using 75% CPU.

26 Jul 2014   #1
BlazingFury1996

Windows 7 HP 64 bit.
 
 

Hello Seveners,

I come to you with yet ANOTHER PC problem I am encountering!

I have been having trouble with my Windows installation recently (crashes and lag are increasing), so I decided to run an SFC /scannow scan on my computer. After completing it, it told me I have corrupt files that it couldn't fix!

To top this off, explorer.exe is eating my CPU usage. Anywhere from 30% to 85% is the average, but it likes to steady out at about 75%.

The SFC scan came back with a CBS.log file, which I will attach. Please could someone go over it and tell me what is going on with my Windows installation?

Many thanks!

PS. The log file is too big to be uploaded as a .log alone (it's more than double the forum's limits), so I have put it into a ZIP for ya.


27 Jul 2014   #2
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
 
 

The SFC scan shows the following problem...
Code:
 Line 37448: 2014-07-26 22:39:43, Info                  CSI    00000319 [SR] Repairing 1 components
 Line 37449: 2014-07-26 22:39:43, Info                  CSI    0000031a [SR] Beginning Verify and Repair transaction
 Line 37452: 2014-07-26 22:39:43, Info                  CSI    0000031c [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
 Line 37455: 2014-07-26 22:39:43, Info                  CSI    0000031e [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
 Line 37456: 2014-07-26 22:39:43, Info                  CSI    0000031f [SR] This component was referenced by [l:252{126}]"Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.Server-Help-Package.ClientHomePremium-Update"
I'll post a fix protocol for that in a few minutes.

As far as your Explorer problems are concerned, I'd be thinking about either disk corruption, or malware -


Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
At the Command prompt, type
CHKDSK C: /R
and hit the Enter key.
You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot.
The CHKDSK will take a few hours depending on the size of the drive, so be patient!
After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot).


Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.

Delete everything it finds
27 Jul 2014   #3
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
 
 

I've uploaded a file - bf6aa.zip - to my OneDrive at Noel's OneDrive
Please download and save it.

Right-click on the saved file and select Extract all...
Change the target to C:\ and click on Extract
Close all windows (it would be a good idea to print these instructions!)

Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8 - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'
Pick that
You'll have to log in with your username and password.

Pick the option to use a Command Prompt
At the prompt type
DIR C:\bf6aa
hit the enter key - if you get a 'Not Found' error try
DIR D:\bf6aa
or
DIR E:\bf6aa



The drive letter in use when you find the folder will need to be substituted (for <drive>) into the following command...



XCOPY <drive>:\bf6aa <drive>:\windows\winsxs /y /i /s /v /h



(e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )



run the command (it should take almost no time) and when the prompt returns, type
EXIT
and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.

Now run SFC /SCANNOW in an Elevated Command Prompt
then reboot and upload the new CBS.log file to your reply

27 Jul 2014   #4
BlazingFury1996

Windows 7 HP 64 bit.
 
 

Thanks! I have taken a look into the explorer issue. I think it may be a corrupt file. It's just finding the blighter! I already use Malwarebytes, so I can confirm it's not malware.

I'll try your other method in a minute and let you know ASAP.

Regards,

Ben
27 Jul 2014   #5
BlazingFury1996

Windows 7 HP 64 bit.
 
 

Thank you so much! After running this through, SFC is now showing no integrity violations. Very happy indeed!

I have attached the new log (.zip again) just to double check, but I think it's all good!

Also (if you wouldn't mind), please could you explain what the error I was getting actually was? I am just intrigued for future reference.

Regards,

Ben
28 Jul 2014   #6
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
 
 

Good - that's cured the file error.
There is an interesting error in the background of your CBS log -
Code:
2014-07-26 23:38:25, Info                  CBS    Loading offline registry hive: ntuser.dat, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat'.
2014-07-26 23:38:25, Info                  CBS    Failed to load offline ntuser.dat hive from '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat' into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat'. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:25, Info                  CBS    Failed to load default user registry hive. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
I wouldn't normally worry about this type of error, but this one is surrounded by successful loads - which makes me think that you may have a corrupt user profile registry hive

Please open an Elevated Command Prompt, and run the following commands

ICACLS C:\Users\Default\ntuser.dat
ATTRIB C:\Users\Default\ntuser.dat
DIR C:\Users\Default /AR
ICACLS C:\Users\Default

post the results.


Here are some instructions to make life easier
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
28 Jul 2014   #7
BlazingFury1996

Windows 7 HP 64 bit.
 
 


Hi again. Thanks for spotting this. I ran the commands as you requested:

Output from the ECP window was as follows:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Users\Default\ntuser.dat
C:\Users\Default\ntuser.dat: The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32>ATTRIB C:\Users\Default\ntuser.dat
File not found - C:\Users\Default\ntuser.dat

C:\Windows\system32>DIR C:\Users\Default /AR
Volume in drive C is Ben's Drive
Volume Serial Number is 4005-D1F9

Directory of C:\Users\Default

File Not Found

C:\Windows\system32>ICACLS C:\Users\Default
C:\Users\Default NT AUTHORITY\SYSTEM: (I)(OI)(CI)(F)
BUILTIN\Administrators: (I)(OI)(CI)(F)
BUILTIN\Users: (I)(RX)
BUILTIN\Users: (I)(OI)(CI)(IO)(GR,GE)
Everyone: (I)(RX)
Everyone: (I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

No idea if this could be causing the problem, but my entire HDD is encrypted with a 128-bit Twofish encryption algorithm. I am not sure if I read the error correctly, but could this be causing the Write error?

Regards,

Ben
28 Jul 2014   #8
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
 
 

I don't think encryption is the problem here, but I could be wrong.

I'm not exactly sure of the importance of the Default hive - but I suspect that it's the basic hive used in creation of new profiles, and isn't much used in normal circumstances.
Certainly the lack of the file would create the Access Denied error I saw.


There's another error in your log - I missed it earlier thinking it was the same error, but it could be the source of the error...
Code:
2014-07-26 23:38:26, Info                  CBS    Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/DEFAULT
2014-07-26 23:38:26, Error                 CBS    Failed to load offline store from boot directory: '\\?\T:\' and windows directory: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\' [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:26, Error                 CBS    Failed to initialize store parameters with boot drive: T: and windows directory: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\ [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
Please run the following commands and post the results.

ICACLS C:\Windows\System32\config\DEFAULT
ATTRIB C:\Windows\System32\config\DEFAULT
DIR C:\Windows\System32\config\DEFAULT*.* /AR
ICACLS C:\Windows\System32\config
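Added example, not code from any poster in this thread: a small Python triage script for the kind of CBS.log lines quoted in the posts above. It collapses repeated [SR] "Cannot repair" entries into one record per component and decodes the HRESULT fields, which also shows that CBS writes some failures at Info level; the function names and the sample string (assembled from lines quoted in the thread) are assumptions of this example.

```python
import re

# Constructed sample: CBS.log lines as quoted in the thread (search-tool "Line N:" prefixes dropped).
SAMPLE = r"""
2014-07-26 22:39:43, Info                  CSI    0000031c [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2014-07-26 22:39:43, Info                  CSI    0000031e [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2014-07-26 22:39:43, Info                  CSI    0000031f [SR] This component was referenced by [l:252{126}]"Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.Server-Help-Package.ClientHomePremium-Update"
2014-07-26 23:38:25, Info                  CBS    Failed to load default user registry hive. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:26, Error                 CBS    Failed to initialize store parameters with boot drive: T: and windows directory: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\ [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
"""

CANNOT = re.compile(
    r'\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" of '
    r'(?P<component>[^,]+), Version = (?P<version>[\d.]+), pA = (?P<arch>\w+)'
    r'.*, (?P<reason>[^,]+)$')
REFBY = re.compile(r'\[SR\] This component was referenced by \[l:\d+\{\d+\}\]"(?P<pkg>[^"]+)"')
HRES = re.compile(
    r', (?P<level>\w+)\s+(?P<src>\w+)\s+(?P<msg>.*?)\s*'
    r'\[HRESULT = 0x(?P<hr>[0-9a-fA-F]{8}) - (?P<name>\w+)\]$')


def decode_hresult(value):
    """Split a 32-bit HRESULT into its failure bit, facility and code fields."""
    return {"failure": bool(value >> 31),
            "facility": (value >> 16) & 0x7FF,   # 7 = FACILITY_WIN32
            "code": value & 0xFFFF}              # Win32 error number when facility is 7


def triage(text):
    """Return (unrepaired, failures) extracted from CBS.log text."""
    unrepaired, failures, last = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = CANNOT.search(line)
        if m:
            # SFC logs the same member more than once; key on its identity.
            last = (m["file"], m["component"], m["version"], m["arch"])
            entry = unrepaired.setdefault(
                last, {"reason": m["reason"], "count": 0, "referenced_by": []})
            entry["count"] += 1
            continue
        m = REFBY.search(line)
        if m and last:
            # The "referenced by" line belongs to the member reported just before it.
            if m["pkg"] not in unrepaired[last]["referenced_by"]:
                unrepaired[last]["referenced_by"].append(m["pkg"])
            continue
        m = HRES.search(line)
        if m:
            failures.append({"level": m["level"], "source": m["src"],
                             "message": m["msg"], "name": m["name"],
                             **decode_hresult(int(m["hr"], 16))})
    return unrepaired, failures


if __name__ == "__main__":
    members, errors = triage(SAMPLE)
    for key, info in members.items():
        print(key, info)
    for err in errors:
        print(err)
```

Filtering the log on the "Error" level alone would miss the first HRESULT line, which CBS records as Info.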
28 Jul 2014   #9
BlazingFury1996

Windows 7 HP 64 bit.
 
 

I see.

Commands have been run and the ECP window showed me this:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\DEFAULT NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ATTRIB C:\Windows\System32\config\DEFAULT
A C:\Windows\System32\config\DEFAULT

C:\Windows\system32>DIR C:\Windows\System32\config\DEFAULT*.* /AR
Volume in drive C is Ben's Drive
Volume Serial Number is 4005-D1F9

Directory of C:\Windows\System32\config

File Not Found

C:\Windows\system32>ICACLS C:\Windows\System32\config
C:\Windows\System32\config NT SERVICE\TrustedInstaller:(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>
28 Jul 2014   #10
NoelDP

Microsoft Community Contributor Award Recipient

Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10
 
 

That all looks normal as well -
let's have a look at the file itself...

Run the following commands and post the results.


DIR C:\Windows\System32\config\DEFAULT*.*
REG QUERY HKU\.DEFAULT