Computer finding corrupt files in SFC and explorer.exe using 75% CPU.

[BlazingFury1996]

Hello Seveners,

I come to you with yet ANOTHER PC problem I am encountering!

I have been having trouble with my Windows installation recently (crashes and lag are increasing), so I decided to run a SFC /scannow scan on my computer. After completing it, it told me I have corrupt files that it couldn't fix!

To top this off, explorer.exe is eating my CPU usage. Anywhere from 30% to 85% is the average, but it likes to steady out at about 75%.

The SFC scan came back with a CBS.log file, which I will attach. Please could someone go over it and tell me what is going on with my Windows installation?

Many thanks!

PS. The log file is too big to be uploaded as a .log alone (it's more than double the forums limits), so I have put it into a ZIP for ya.

 

[NoelDP]

The SFC scan shows the following problem...

 Line 37448: 2014-07-26 22:39:43, Info                  CSI    00000319 [SR] Repairing 1 components
 Line 37449: 2014-07-26 22:39:43, Info                  CSI    0000031a [SR] Beginning Verify and Repair transaction
 Line 37452: 2014-07-26 22:39:43, Info                  CSI    0000031c [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
 Line 37455: 2014-07-26 22:39:43, Info                  CSI    0000031e [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
 Line 37456: 2014-07-26 22:39:43, Info                  CSI    0000031f [SR] This component was referenced by [l:252{126}]"Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.Server-Help-Package.ClientHomePremium-Update"

I'll post a fix protocol for that in a few minutes.

As far as your Explorer problems are concerned, I'd be thinking about either disk corruption, or malware -


Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
At the Command prompt, type
CHKDSK C: /R
and hit the Enter key.
You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot.
The CHKDSK will take a few hours depending on the size of the drive, so be patient!
After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) .


Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.

Delete everything it finds

 

[NoelDP]

I've uploaded a file - bf6aa.zip - to my OneDrive at Noel's OneDrive
Please download and save it.

Right-click on the saved file and select Extract all...
Change the target to C:\ and click on Extract
Close all windows (it would be a good idea to print these instructions!)

Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8 - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'
Pick that
You'll have to log in with your username and password.

Pick the option to use a Command Prompt
At the prompt type
DIR C:\bf6aa
hit the enter key - if you get a 'Not Found' error try
DIR D:\bf6aa
or
DIR E:\bf6aa



The drive letter in use when you find the folder will need to be substituted (for<drive>) into the following command...



XCOPY <drive>:\bf6aa <drive>:\windows\winsxs /y /i /s /v /h



(e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )



run the command (it should take almost no time) and when the prompt returns, type
EXIT
and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.

Now run SFC /SCANNOW in an Elevated Command Prompt
then reboot and upload the new CBS.log file to your reply

 

[BlazingFury1996]

The SFC scan shows the following problem...

 Line 37448: 2014-07-26 22:39:43, Info                  CSI    00000319 [SR] Repairing 1 components
 Line 37449: 2014-07-26 22:39:43, Info                  CSI    0000031a [SR] Beginning Verify and Repair transaction
 Line 37452: 2014-07-26 22:39:43, Info                  CSI    0000031c [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
 Line 37455: 2014-07-26 22:39:43, Info                  CSI    0000031e [SR] Cannot repair member file [l:22{11}]"connmgr.CHM" of Server-Help-CHM.connmgr.Resources, Version = 6.1.7600.16385, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
 Line 37456: 2014-07-26 22:39:43, Info                  CSI    0000031f [SR] This component was referenced by [l:252{126}]"Server-Help-Package.ClientHomePremium~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.Server-Help-Package.ClientHomePremium-Update"

I'll post a fix protocol for that in a few minutes.

As far as your Explorer problems are concerned, I'd be thinking about either disk corruption, or malware -


Click on Start > All Programs > Accessories
Right-click on the Command Prompt entry
Select Run as Administrator and accept the UAC prompt - the Elevated Command Prompt window should pop up.
At the Command prompt, type
CHKDSK C: /R
and hit the Enter key.
You will be told that the drive is locked, and the CHKDSK will run at the next boot - hit the Y key, and then reboot.
The CHKDSK will take a few hours depending on the size of the drive, so be patient!
After the CHKDSK has run, Windows should boot normally (possibly after a second auto-reboot) .


Please download and install Malwarebytes Anti-malware (free version) from http://www.malwarebytes.org/products/malwarebytes_free/ - UNtick 'Enable free trial of MBAM PRO' at the end of the installation - and update it, then run a full scan in your main account, and Quick scans in any other user accounts.

Delete everything it finds

Thanks! I have taken a look into the explorer issue. I think it may be a corrupt file. It's just finding the blighter! I already use Malwarebytes, so I can confirm it's not malware.

I'll try your other method in a minute and let you know ASAP.

Regards,

Ben

 

[BlazingFury1996]

I've uploaded a file - bf6aa.zip - to my OneDrive at Noel's OneDrive
Please download and save it.

Right-click on the saved file and select Extract all...
Change the target to C:\ and click on Extract
Close all windows (it would be a good idea to print these instructions!)

Now reboot to the Repair Environment - as soon as the machine restarts, start tapping F8 - this should bring up the Advanced Boot Menu, at the top of which should be the option 'Repair my Computer'
Pick that
You'll have to log in with your username and password.

Pick the option to use a Command Prompt
At the prompt type
DIR C:\bf6aa
hit the enter key - if you get a 'Not Found' error try
DIR D:\bf6aa
or
DIR E:\bf6aa



The drive letter in use when you find the folder will need to be substituted (for<drive>) into the following command...



XCOPY <drive>:\bf6aa <drive>:\windows\winsxs /y /i /s /v /h



(e.g. XCOPY P:\wfire P:\windows\winsxs /y /i /s /v /h )



run the command (it should take almost no time) and when the prompt returns, type
EXIT
and hit the Enter key to exit Command Prompt - reboot to Normal Mode Windows.

Now run SFC /SCANNOW in an Elevated Command Prompt
then reboot and upload the new CBS.log file to your reply

Thank you so much! After running this through, SFC is now showing no integrity violations. Very happy indeed!

I have attached the new log (.zip again) just to double check, but I think it's all good!

Also (if you wouldn't mind), please could you explain what the error I was getting actually was? I am just intrigued for future reference.

Regards,

Ben

 

[NoelDP]

Good - that's cured the file error.
There is an interesting error in the background of your CBS log -

2014-07-26 23:38:25, Info                  CBS    Loading offline registry hive: ntuser.dat, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat'.
2014-07-26 23:38:25, Info                  CBS    Failed to load offline ntuser.dat hive from '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat' into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat'. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:25, Info                  CBS    Failed to load default user registry hive. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]

I wouldn't normally worry about this type of error, but this one is surrounded by successful loads - which makes me think that you may have a corrupt user profile registry hive

Please open an Elevated Command Prompt, and run the following commands

ICACLS C:\Users\Default\ntuser.dat
ATTRIB C:\Users\Default\ntuser.dat
DIR C:\Users\Default /AR
ICACLS C:\Users\Default

post the results.


Here are some instructions to make life easier
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.

 

[BlazingFury1996]

Good - that's cured the file error.
There is an interesting error in the background of your CBS log -

2014-07-26 23:38:25, Info                  CBS    Loading offline registry hive: ntuser.dat, into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat' from path '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat'.
2014-07-26 23:38:25, Info                  CBS    Failed to load offline ntuser.dat hive from '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\default\ntuser.dat' into registry key '{bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Users/default/ntuser.dat'. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:25, Info                  CBS    Failed to load default user registry hive. [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]

I wouldn't normally worry about this type of error, but this one is surrounded by successful loads - which makes me think that you may have a corrupt user profile registry hive

Please open an Elevated Command Prompt, and run the following commands

ICACLS C:\Users\Default\ntuser.dat
ATTRIB C:\Users\Default\ntuser.dat
DIR C:\Users\Default /AR
ICACLS C:\Users\Default

post the results.


Here are some instructions to make life easier
1) To open an Elevated Command Prompt Window (the ECP window), click on Start, All Programs, Accessories – then right-click on Command Prompt, and select Run as Administrator. Accept the UAC prompt.
2) To run the commands easier, highlight the block of commands, and right-click on the highlight – select Copy. In the CP Window, click on the black/white icon at top left – select Paste. The commands will run but may not complete the last command, so hit the Enter Key once.
3) To copy the results... click on the Black/White icon in the top left, and select Edit... 'Select All', and hit the Enter key - then use Ctrl+V or r-click+Paste to paste it into your response.

Hi again. Thanks for spotting this. I ran the commands as you requested:

Output from the ECP window were as follows:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Users\Default\ntuser.dat
C:\Users\Default\ntuser.dat: The system cannot find the file specified.
Successfully processed 0 files; Failed processing 1 files

C:\Windows\system32>ATTRIB C:\Users\Default\ntuser.dat
File not found - C:\Users\Default\ntuser.dat

C:\Windows\system32>DIR C:\Users\Default /AR
Volume in drive C is Ben's Drive
Volume Serial Number is 4005-D1F9

Directory of C:\Users\Default

File Not Found

C:\Windows\system32>ICACLS C:\Users\Default
C:\Users\Default NT AUTHORITY\SYSTEM: (I)(OI)(CI)(F)
BUILTIN\Administrators: (I)(OI)(CI)(F)
BUILTIN\Users: (I)(RX)
BUILTIN\Users: (I)(OI)(CI)(IO)(GR,GE)
Everyone: (I)(RX)
Everyone: (I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

No idea if this could be causing the problem, but my entire HDD is encrypted with a 128 bit twofish encryption algorithm. I am not sure if I read the error correctly, but could this be causing the Write error?

regards,

Ben

 

[NoelDP]

I don't think encryption is the problem here, but I could be wrong.

I'm not exactly sure of the importance of the Default hive - but I suspect that it's the basic hive used in creation of new profiles, and isn't much used in normal circumstances.
Certainly the lack of the file would create the Access Denied error I saw.


There's another error in your log - I missed it earlier thinking it was the same error, but it could be the source of the error...

2014-07-26 23:38:26, Info                  CBS    Unloading offline registry hive: {bf1a281b-ad7b-4476-ac95-f47682990ce7}GLOBALROOT/Device/HarddiskVolumeShadowCopy1/Windows/System32/config/DEFAULT
2014-07-26 23:38:26, Error                 CBS    Failed to load offline store from boot directory: '\\?\T:\' and windows directory: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\' [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]
2014-07-26 23:38:26, Error                 CBS    Failed to initialize store parameters with boot drive: T: and windows directory: [URL="file://\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\"]\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\[/URL] [HRESULT = 0x80070013 - ERROR_WRITE_PROTECT]

Please run the following commands and post the results.

ICACLS C:\Windows\System32\config\DEFAULT
ATTRIB C:\Windows\System32\config\DEFAULT
DIR C:\Windows\System32\config\DEFAULT*.* /AR
ICACLS C:\Windows\System32\config

 

[BlazingFury1996]

I see.

Commands have been run and the ECP window showed me this:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Windows\System32\config\DEFAULT
C:\Windows\System32\config\DEFAULT NT AUTHORITY\SYSTEMI)(F)
BUILTIN\AdministratorsI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ATTRIB C:\Windows\System32\config\DEFAULT
A C:\Windows\System32\config\DEFAULT

C:\Windows\system32>DIR C:\Windows\System32\config\DEFAULT*.* /AR
Volume in drive C is Ben's Drive
Volume Serial Number is 4005-D1F9

Directory of C:\Windows\System32\config

File Not Found

C:\Windows\system32>ICACLS C:\Windows\System32\config
C:\Windows\System32\config NT SERVICE\TrustedInstallerCI)(F)
NT AUTHORITY\SYSTEMOI)(CI)(F)
BUILTIN\AdministratorsOI)(CI)(F)
CREATOR OWNEROI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>

 

[NoelDP]

That all looks normal as well -
let's have a look at the file itself...

Run the following commands and post the results.


DIR C:\Windows\System32\config\DEFAULT*.*
REG QUERY HKU\.DEFAULT

 

[BlazingFury1996]

Good to hear!

Results are:

C:\Windows\system32>DIR C:\Windows\System32\config\DEFAULT*.*
Volume in drive C is Ben's Drive
Volume Serial Number is 4005-D1F9

Directory of C:\Windows\System32\config

28/07/2014 05:22 2,883,584 DEFAULT
1 File(s) 2,883,584 bytes
0 Dir(s) 76,455,018,496 bytes free

C:\Windows\system32>REG QUERY HKU\.DEFAULT

HKEY_USERS\.DEFAULT\AppEvents
HKEY_USERS\.DEFAULT\Control Panel
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\EUDC
HKEY_USERS\.DEFAULT\Keyboard Layout
HKEY_USERS\.DEFAULT\Printers
HKEY_USERS\.DEFAULT\Software
HKEY_USERS\.DEFAULT\SYSTEM

Regards,

Ben

 

[NoelDP]

That's only about half the size of my DEFAULT hive - but it contains an extra Key (AppEvents)

I wonder if there is corruption there?

The .log files also appear to be missing - and one should be created whenever the hive is loaded.

I'm not sure what to make of this!

Please boot to Safe Mode and try copying the C:\Windows\System32\config\DEFAULT file to your desktop (I know it can't be done in Normal mode - not sure about Safe Mode) then reboot to Normal Mode, and upload the copy - I'll take a look.