#11
I should explain the method behind the madness because this is a common scenario...
The "does the mouse move" question is actually much more important, and the answer is much more telling than it perhaps seems. Deep in the guts of the OS lies a prioritisation mechanism based around the "interrupt request level" (IRQL).
Everything that can be termed an "application" always runs at the lowest possible IRQL - 0 (zero), also called "passive" IRQL. Above 2 lie the so-called "Device IRQL" (DIRQL) levels assigned to particular hardware peripherals. For the sake of the argument, say the USB mouse works at IRQL=2 and the PS/2 keyboard is assigned (say) 17.
There's a very interesting rule which says that once the processor is running at an elevated (non-passive) IRQL, it cannot be interrupted by any tasks whose IRQL is less than or equal (sound familiar? IRQL_NOT_LESS_OR_EQUAL). The kernel's own "dispatcher" which chooses which thread will run next runs at IRQL=2. Hence, if something should cause the IRQL to go to 2 or above for extended periods of time, even the dispatcher will be unable to run until the IRQL comes back down below 2.
The key point is that you have to be a kernel-mode component in order to raise the processor IRQL. In other words, you're either the kernel itself, one of the OS drivers, or a 3rd-party driver. Apps and code running in user-mode are completely prevented from messing about with this stuff.
In this instance, the fact that the mouse pointer wasn't moving was strongly suggestive of a hang which occurred at elevated DIRQL above that of a (USB or PS/2) mouse. Something had raised IRQL to a high level and then gotten stuck, to the detriment of the rest of the OS which was no longer able to obtain processor time.
By a process of elimination, it's not the OS or it would be happening to all of us. Hence, it's a 3rd-party driver running in kernel-mode. Which 3rd-party driver? Obviously, one which would be interested in the fact that somebody had just attempted to access a share... some type of "security" driver... the AV or a 3rd-party firewall.
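The reasoning the post applies to the frozen pointer, as an added example that is not part of the original post: a simplified single-CPU model (not Windows kernel code) that brackets the level a hang is stuck at from which symptoms still respond. It generalizes the single mouse symptom to any set of observations; the level numbers other than the dispatcher's 2 and the keyboard's 17, and all struct and function names, are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified single-CPU model of the rule in the post; not Windows kernel code.
   Level numbers are constructed sample values, real assignments vary. */
enum { PASSIVE_LEVEL = 0, DISPATCH_LEVEL = 2, MAX_LEVEL = 31 };

struct observation {
    const char *what;  /* symptom checked by the person triaging */
    int irql;          /* level the work behind that symptom runs at */
    bool serviced;     /* true if it still responds during the hang */
};

struct bracket { int lo, hi; bool consistent, kernel_mode; };

/* Masking rule: work at level req runs only if req is strictly above the
   level the CPU is currently held at. */
bool can_run(int cpu_irql, int req) { return req > cpu_irql; }

/* Bracket the level L the CPU is stuck at: every starved source has
   irql <= L, every source still serviced has irql > L. */
struct bracket bracket_hang(const struct observation *o, int n)
{
    struct bracket b = { PASSIVE_LEVEL, MAX_LEVEL, true, false };
    for (int i = 0; i < n; i++) {
        if (!o[i].serviced && o[i].irql > b.lo) b.lo = o[i].irql;
        if (o[i].serviced && o[i].irql - 1 < b.hi) b.hi = o[i].irql - 1;
    }
    b.consistent = b.lo <= b.hi;
    /* Only kernel-mode code can raise IRQL, so lo above passive rules out apps. */
    b.kernel_mode = b.consistent && b.lo > PASSIVE_LEVEL;
    return b;
}

int main(void)
{
    /* Constructed observations for the frozen-pointer case in the post. */
    struct observation seen[] = {
        { "thread scheduling (dispatcher)", DISPATCH_LEVEL, false },
        { "mouse pointer moves",            5,              false },
        { "keyboard interrupt",             17,             true  },
    };
    struct bracket b = bracket_hang(seen, 3);
    printf("stuck IRQL in [%d, %d], kernel-mode culprit: %s\n",
           b.lo, b.hi, b.kernel_mode ? "yes" : "no");
    return 0;
}
```

An inconsistent bracket (a starved source above a serviced one) means the single-CPU assumption of this model does not fit the observations.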