# Windows 7: Computer finding corrupt files in SFC and explorer.exe using 75% CPU.

26 Jul 2014 #1 BlazingFury1996 Windows 7 HP 64 bit. 14 posts Poole, Dorset, GB

Computer finding corrupt files in SFC and explorer.exe using 75% CPU.

Hello Seveners,

I come to you with yet ANOTHER PC problem I am encountering! I have been having trouble with my Windows installation recently (crashes and lag are increasing), so I decided to run an SFC /scannow scan on my computer. After completing it, it told me I have corrupt files that it couldn't fix! To top this off, explorer.exe is eating my CPU usage. Anywhere from 30% to 85% is the average, but it likes to steady out at about 75%.

The SFC scan came back with a CBS.log file, which I will attach. Please could someone go over it and tell me what is going on with my Windows installation?

Many thanks!

PS. The log file is too big to be uploaded as a .log alone (it's more than double the forum's limits), so I have put it into a ZIP for ya.
27 Jul 2014 #2 NoelDP Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10 21,391 posts Wales - hopefully in the pub

The SFC scan shows the following problem...

```
Line 37448: 2014-07-26 22:39:43, Info CSI 00000319 [SR] Repairing 1 components
Line 37449: 2014-07-26 22:39:43, Info CSI 0000031a [SR] Beginning Verify and Repair transaction
Line 37452: 2014-07-26 22:39:43, Info CSI 0000031c [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 37455: 2014-07-26 22:39:43, Info CSI 0000031e [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 37456: 2014-07-26 22:39:43, Info CSI 0000031f [SR] This component was referenced by [l:252{126}]"Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.Server-Help-Package.ClientHomePremium-Update"
```

I'll post a fix protocol for that in a few minutes.

As far as your Explorer problems are concerned, I'd be thinking about either disk corruption, or malware -

- Click on Start > All Programs > Accessories
- Right-click on the Command Prompt entry
- Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
- At the Command prompt, type CHKDSK C: /R and hit the Enter key.
- You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot.

The CHKDSK will take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot).

Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts. Delete everything it finds.
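The `[SR]` excerpt in the post above can be pulled out of a full CBS.log automatically. The following is an added example, not part of the original thread: it collects every "Cannot repair member file" record, collapses repeats of the same file, and attaches the package that references the component. The function name `unrepairable` and the optional `Line NNNN:` prefix handling are assumptions made for this illustration.

```python
import re

# Sample lines copied from the CBS.log excerpt quoted in the post above
# (including the "Line NNNN:" prefix that the excerpt carries).
SAMPLE = '''
Line 37448: 2014-07-26 22:39:43, Info CSI 00000319 [SR] Repairing 1 components
Line 37449: 2014-07-26 22:39:43, Info CSI 0000031a [SR] Beginning Verify and Repair transaction
Line 37452: 2014-07-26 22:39:43, Info CSI 0000031c [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 37455: 2014-07-26 22:39:43, Info CSI 0000031e [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
Line 37456: 2014-07-26 22:39:43, Info CSI 0000031f [SR] This component was referenced by [l:252{126}]"Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.Server-Help-Package.ClientHomePremium-Update"
'''

# One SFC ([SR]) record; the "Line NNNN: " prefix is optional so raw logs parse too.
LINE = re.compile(r'^(?:Line \d+: )?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), '
                  r'\w+\s+CSI\s+[0-9a-f]{8}\s+\[SR\] (?P<msg>.*)$')
CANNOT = re.compile(r'Cannot repair member file \[l:\d+\{\d+\}\]"(?P<file>[^"]+)" '
                    r'of (?P<component>[^,]+), Version = (?P<version>[\d.]+), '
                    r'pA = PROCESSOR_ARCHITECTURE_(?P<arch>\w+).*, (?P<reason>[^,]+)$')
REFBY = re.compile(r'This component was referenced by \[l:\d+\{\d+\}\]"(?P<pkg>[^"]+)"')

def unrepairable(log_text):
    """Return one record per distinct file that SFC could not repair."""
    found = {}   # (file, component, version, arch) -> record
    last = None  # most recent record, so a "referenced by" line can attach to it
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        c = CANNOT.match(m['msg'])
        if c:
            key = (c['file'], c['component'], c['version'], c['arch'])
            last = found.setdefault(
                key, {**c.groupdict(), 'hits': 0, 'referenced_by': []})
            last['hits'] += 1
            continue
        r = REFBY.match(m['msg'])
        if r and last is not None and r['pkg'] not in last['referenced_by']:
            last['referenced_by'].append(r['pkg'])
    return list(found.values())

if __name__ == '__main__':
    for rec in unrepairable(SAMPLE):
        print(rec)
```

On the sample this yields a single record for `connmgr.CHM` with two hits and the reason `hash mismatch`, which is the same conclusion the post reaches by reading the lines by hand.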
27 Jul 2014 #4 BlazingFury1996 Windows 7 HP 64 bit. 14 posts Poole, Dorset, GB

Quote: Originally Posted by NoelDP

> The SFC scan shows the following problem...
>
> ```
> Line 37448: 2014-07-26 22:39:43, Info CSI 00000319 [SR] Repairing 1 components
> Line 37449: 2014-07-26 22:39:43, Info CSI 0000031a [SR] Beginning Verify and Repair transaction
> Line 37452: 2014-07-26 22:39:43, Info CSI 0000031c [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
> Line 37455: 2014-07-26 22:39:43, Info CSI 0000031e [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
> Line 37456: 2014-07-26 22:39:43, Info CSI 0000031f [SR] This component was referenced by [l:252{126}]"Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.Server-Help-Package.ClientHomePremium-Update"
> ```
>
> I'll post a fix protocol for that in a few minutes.
>
> As far as your Explorer problems are concerned, I'd be thinking about either disk corruption, or malware -
>
> - Click on Start > All Programs > Accessories
> - Right-click on the Command Prompt entry
> - Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
> - At the Command prompt, type CHKDSK C: /R and hit the Enter key.
> - You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot.
>
> The CHKDSK will take a few hours depending on the size of the drive, so be patient!
>
> After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot).
>
> Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts. Delete everything it finds.

Thanks! I have taken a look into the explorer issue. I think it may be a corrupt file. It's just finding the blighter! I already use Malwarebytes, so I can confirm it's not malware. I'll try your other method in a minute and let you know ASAP.

Regards,
Ben
28 Jul 2014 #6 NoelDP Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10 21,391 posts Wales - hopefully in the pub

Good - that's cured the file error.

There is an interesting error in the background of your CBS log -

```
2014-07-26 23:38:25, Info CBS Loading offline registry hive: ntuser.dat, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat'.
2014-07-26 23:38:25, Info CBS Failed to load offline ntuser.dat hive from '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat' into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat'. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:25, Info CBS Failed to load default user registry hive. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
```

I wouldn't normally worry about this type of error, but this one is surrounded by successful loads - which makes me think that you may have a corrupt user profile registry hive.

Please open an Elevated Command Prompt, and run the following commands

```
ICACLS C:\Users\Default\ntuser.dat
ATTRIB C:\Users\Default\ntuser.dat
DIR C:\Users\Default /AR
ICACLS C:\Users\Default
```

post the results.

Here are some instructions to make life easier

1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.

2) To run the commands more easily, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.

3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.
28 Jul 2014 #7 BlazingFury1996 Windows 7 HP 64 bit. 14 posts Poole, Dorset, GB

Quote: Originally Posted by NoelDP

> Good - that's cured the file error.
>
> There is an interesting error in the background of your CBS log -
>
> ```
> 2014-07-26 23:38:25, Info CBS Loading offline registry hive: ntuser.dat, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat'.
> 2014-07-26 23:38:25, Info CBS Failed to load offline ntuser.dat hive from '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat' into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat'. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
> 2014-07-26 23:38:25, Info CBS Failed to load default user registry hive. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
> ```
>
> I wouldn't normally worry about this type of error, but this one is surrounded by successful loads - which makes me think that you may have a corrupt user profile registry hive.
>
> Please open an Elevated Command Prompt, and run the following commands
>
> ```
> ICACLS C:\Users\Default\ntuser.dat
> ATTRIB C:\Users\Default\ntuser.dat
> DIR C:\Users\Default /AR
> ICACLS C:\Users\Default
> ```
>
> post the results.
>
> Here are some instructions to make life easier
>
> 1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
>
> 2) To run the commands more easily, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
>
> 3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.

Hi again. Thanks for spotting this. I ran the commands as you requested.

Output from the ECP window was as follows:

```
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Users\Default\ntuser.dat
C:\Users\Default\ntuser.dat: The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32>ATTRIB C:\Users\Default\ntuser.dat
File not found - C:\Users\Default\ntuser.dat

C:\Windows\system32>DIR C:\Users\Default /AR
 Volume in drive C is Ben's Drive
 Volume Serial Number is 4005-D1F9

 Directory of C:\Users\Default

File Not Found

C:\Windows\system32>ICACLS C:\Users\Default
C:\Users\Default NT AUTHORITY\SYSTEM: (I)(OI)(CI)(F)
                 BUILTIN\Administrators: (I)(OI)(CI)(F)
                 BUILTIN\Users: (I)(RX)
                 BUILTIN\Users: (I)(OI)(CI)(IO)(GR,GE)
                 Everyone: (I)(RX)
                 Everyone: (I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
```

No idea if this could be causing the problem, but my entire HDD is encrypted with a 128-bit Twofish encryption algorithm. I am not sure if I read the error correctly, but could this be causing the Write error?

Regards,
Ben
28 Jul 2014 #8 NoelDP Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10 21,391 posts Wales - hopefully in the pub

I don't think encryption is the problem here, but I could be wrong.

I'm not exactly sure of the importance of the Default hive - but I suspect that it's the basic hive used in creation of new profiles, and isn't much used in normal circumstances. Certainly the lack of the file would create the Access Denied error I saw.

There's another error in your log - I missed it earlier thinking it was the same error, but it could be the source of the error...

```
2014-07-26 23:38:26, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/DEFAULT
2014-07-26 23:38:26, Error CBS Failed to load offline store from boot directory: '\\?\T:\' and windows directory: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\' [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:26, Error CBS Failed to initialize store parameters with boot drive: T: and windows directory: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\ [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
```

Please run the following commands and post the results.

```
ICACLS C:\Windows\System32\config\DEFAULT
ATTRIB C:\Windows\System32\config\DEFAULT
DIR C:\Windows\System32\config\DEFAULT*.* /AR
ICACLS C:\Windows\System32\config
```
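The CBS entries quoted in posts #6 and #8 all end in a bracketed HRESULT. The following is an added example, not part of the original thread: it lists every CBS line that carries an HRESULT, splits the value into its severity bit, facility and code, and notes whether the message refers to a volume shadow copy. The function names and the `HarddiskVolumeShadowCopy` check are assumptions made for this illustration.

```python
import re

# Sample lines copied from the CBS.log excerpts quoted in posts #6 and #8.
SAMPLE = r"""
2014-07-26 23:38:25, Info CBS Failed to load offline ntuser.dat hive from '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat' into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat'. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:25, Info CBS Failed to load default user registry hive. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:26, Info CBS Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/DEFAULT
2014-07-26 23:38:26, Error CBS Failed to load offline store from boot directory: '\\?\T:\' and windows directory: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\' [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:26, Error CBS Failed to initialize store parameters with boot drive: T: and windows directory: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\ [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
"""

# A CBS record that ends in "[HRESULT = 0x........ - NAME]".
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?P<level>\w+)\s+CBS\s+"
    r"(?P<msg>.*?)\s*\[HRESULT = 0x(?P<hr>[0-9a-fA-F]{8}) - (?P<name>\w+)\]\s*$")
SNAPSHOT = re.compile(r"HarddiskVolumeShadowCopy\d+")
FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code

def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and code."""
    return {"failed": bool(value >> 31 & 1),
            "facility": (value >> 16) & 0x7FF,
            "code": value & 0xFFFF}

def hresult_failures(log_text):
    """Return one decoded record per CBS line that reports an HRESULT."""
    out = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # lines without an HRESULT (e.g. "Unloading ...") are skipped
        fields = decode_hresult(int(m["hr"], 16))
        snap = SNAPSHOT.search(m["msg"])
        out.append({"ts": m["ts"], "level": m["level"], "name": m["name"],
                    **fields,
                    "win32": fields["facility"] == FACILITY_WIN32,
                    "snapshot": snap.group(0) if snap else None})
    return out

if __name__ == "__main__":
    for rec in hresult_failures(SAMPLE):
        print(rec)
```

For the sample, all four records decode to facility 7 and code 19, matching the `ERROR_WRITE_PROTECT` name the log prints.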
28 Jul 2014 #9 BlazingFury1996 Windows 7 HP 64 bit. 14 posts Poole, Dorset, GB

I see. Commands have been run and the ECP window showed me this:

```
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\DEFAULT NT AUTHORITY\SYSTEM:(I)(F)
                                   BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ATTRIB C:\Windows\System32\config\DEFAULT
A            C:\Windows\System32\config\DEFAULT

C:\Windows\system32>DIR C:\Windows\System32\config\DEFAULT*.* /AR
 Volume in drive C is Ben's Drive
 Volume Serial Number is 4005-D1F9

 Directory of C:\Windows\System32\config

File Not Found

C:\Windows\system32>ICACLS C:\Windows\System32\config
C:\Windows\System32\config NT SERVICE\TrustedInstaller:(CI)(F)
                           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)
                           CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>
```
28 Jul 2014 #10 NoelDP Win 7 x64 Home Premium (and x86 VirtualBox VM)/Win10 21,391 posts Wales - hopefully in the pub

That all looks normal as well - let's have a look at the file itself...

Run the following commands and post the results.

```
DIR C:\Windows\System32\config\DEFAULT*.*
REG QUERY HKU\.DEFAULT
```