ERUNT Registry backup massively delayed by A.V. ???

Last year I found that on start-up ERUNT took about 8 Seconds to create a 55 MB Registry Hive backup.

In the last few months I have seen it typically take 60 Seconds, and sometimes it freezes for a few minutes.

I assume that HIPS would be more consistent if that was guilty of behaviour blocking / stalling,
but that different virus signatures cause different A.V. scan delays on different days.

I would prefer zero delays.

Is there any reason why I should not exclude the relevant files from scanning ?

Should I exclude from scanning both the registry hives being copied, and also the ERUNT folder destination ?

Regards
Alan

Can you confirm this is caused by the AV? Try disabling the AV and restarting your computer several times.

If the problem does not happen with the AV disabled, it is caused by the AV. In that case, would you be so kind as to post your findings in [Testcase]AV problems with XP after January 17 or 18 and follow the instructions by umesh in https://forums.comodo.com/antivirus-bugs/testcaseav-problems-with-xp-after-january-17-or-18-t50548.0.html .

That topic is specifically meant to deal with slowdowns caused by AV signatures. It would help Comodo a lot.

I will fully investigate tomorrow and report back

I dare not disable A.V. tonight, otherwise I will forget to enable it before I start browsing tomorrow.

My memory is not what it used to be,
but Comodo is far worse - in the good old days of version 2.4-ish the Comodo Icon in the notification tray would remind me if I had forgotten to re-enable protection.
I accept that flames licking the sides of the icon are a cute gimmick to indicate traffic in progress,
but I would far rather have a reminder that protection was disabled for an installation/reboot,
especially since on occasions the installation has taken too long and instead of the reboot I have shutdown for bed, and the following morning I have started up and everything looks fine - and in the afternoon I panic as I remember I should have re-activated my protection.
End of rant.

Regards
Alan

Windows has a broken leg ! ! !

Until 17/01/2010 ERUNT took only 8 seconds to create a registry backup upon start-up.
Since 6/02/2010 it has taken 4 or 5 times as long.
(I purged the backups in-between those dates when I thought I had no further use for them.)

In the midst of the start-up chaos when Windows is too busy fiddling with prefetch files and all the rest of the variable nonsense to bother looking at me on the keyboard, ERUNT was previously able to do its job in 8 Seconds.
Right now with a totally quiescent system and 100 % availability of all resources, it takes 18 Seconds.

Recent changes that may be implicated :-
An in-situ upgrade from Comodo 3.13 to 3.14 ;
Installation of Microsoft BootVis and use for analysis (but not yet used for “repair”) ;
Use of Process Explorer and Process Monitor ;
Use of Windows WMIDiag which said it would only analyse and not repair,
BUT I have my suspicions about that.
I also rebuilt the repository - living dangerously because I am about to restore a disk image.

I will now do further tests on the system as it is,
and then restore the system as it was before 17/01/2010.
Then I will carefully repeat all the above changes and identify the culprit and report back.
I may be gone a while ! ! !

Regards
Alan

ERUNT TIMINGS :-

On 17/01/2010 ERUNT took
8 Seconds to create the whole Registry hive backup of 16 files and 7 Folders totalling 42.3 MB,
which includes 2 seconds to create the 21 MB file “SOFTWARE”
and 2 seconds to create the 12.2 MB file “SYSTEM”.

On 6/02/2010 ERUNT took
20 Seconds to create the whole Registry hive backup of 16 files and 7 Folders totalling 42.3 MB,
which includes 2 seconds to create the 21 MB file “SOFTWARE”
and 8 seconds to create the 12.2 MB file “SYSTEM”.

On 14/02/2010 ERUNT took
46 Seconds to create the whole Registry hive backup of 16 files and 7 Folders totalling 42.4 MB,
which includes 14 seconds to create the 21 MB file “SOFTWARE”
and 10 seconds to create the 12.2 MB file “SYSTEM”.

If I understand things correctly then at 17-01 and at 06-02 the boot conditions under which Erunt worked were identical, in the sense that the same programs booted with Windows?

The measurement of 14-02 includes other analysis also starting with Windows producing an even longer processing time for Erunt. Is that correct?

If that is correct and you disable all the recently added analysis tools mentioned, how long would the Erunt processing take? Can you try that?

I removed Process Explorer from my startup script and rebooted,
but that did not alter performance.

According to the event logs
06/02/2010 12:50:01 Installed BootVis
06/02/2010 21:18:01 Faulting application bootvis.exe, version 1.0.0.1, faulting module mfc42.dll
06/02/2010 20:58:44 The driver disabled the write cache on device \Device\Harddisk0\DR0.

I will not name names, but I have my suspicions ! ! ! !

I have only used Bootvis to SHOW me what it sees on start-up.
I have yet to ask it to fix anything.

Solution :-

Computer Management / System Tools / Device Manager / Disk Drives / Samsung HM160HC / Policies
Optimize for quick removal - unchecked and greyed out
Optimize for performance - checked BUT GREYED OUT
Enable write caching on the disc - UNCHECKED but not greyed out
Now checked and performance fixed
n.b. neither of the “Optimizes” options can be modified - they are stuck at greyed out.
Creation of an Erunt Backup took 19.7 Seconds before fix, and 6.6 seconds after.
CMD.EXE took 9.1 Seconds before fix and 2.36 Seconds after when copying the backup via
XCOPY C:\WINDOWS\ERDNT\AutoBackup\17-02-2010 C:\WINDOWS\ERDNT\AutoBackup\AGAIN /E /I /Q.

NB ERUNT has to retrieve NTUSER.DAT from various user profiles to create a composite backup,
whilst CMD.EXE has Windows permissions / obstacles when simply copying the composite.

There are a few other worrying details in the event logs.
I would appreciate advice upon any tool that will allow me to rapidly search the event logs without the aggravation of individually selecting and inspecting the properties of each event.

Regards
Alan

I can’t think of a tool to rapidly search event logs.

It looks like the performance issue was caused by the unsolicited disabling of the disk cache by Bootvis. What version of Bootvis are you using?
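An added example, not part of the thread and not from either poster: the two things asked for above can be done from PowerShell 2.0 (which installs on XP SP3) without clicking through events one at a time. Find-EventLogEntries pulls the classic System and Application logs for a date window and filters them by a regular expression, so entries like the "driver disabled the write cache" and "Faulting application bootvis.exe" events can be listed in time order. Measure-BackupCopy repeats the XCOPY of an ERUNT backup folder and reports the throughput, giving a before/after number for the write-cache change. The log names, the default search pattern, the 30-day window and the ERDNT paths are assumptions taken from the thread, not settings ERUNT or BootVis define; run it from an account in the Administrators group.

```powershell
# Added example, not from the original thread. Searches the classic XP event
# logs for the kind of entries quoted above and times a copy of an ERUNT
# backup folder so the write-cache fix can be measured.
# Assumes PowerShell 2.0 and the ERDNT AutoBackup paths used in the thread.

function Find-EventLogEntries {
    param(
        [string[]] $LogName = @('System', 'Application'),
        [string]   $Pattern = 'write cache|Faulting application|bootvis|WinMgmt',
        [int]      $Days    = 30
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($log in $LogName) {
        # -After trims the set before the regex runs, which is what keeps this
        # quick on a large log. Matching Source as well catches WinMgmt entries
        # whose message text does not repeat the provider name.
        Get-EventLog -LogName $log -After $since |
            Where-Object { $_.Message -match $Pattern -or $_.Source -match $Pattern } |
            Select-Object @{n='Log'; e={ $log }}, TimeGenerated, EntryType, Source, EventID,
                          @{n='Message'; e={ $_.Message -replace '\s+', ' ' }}
    }
}

function Measure-BackupCopy {
    param(
        # Assumed paths, matching the XCOPY line quoted in the thread.
        [string] $Source      = 'C:\WINDOWS\ERDNT\AutoBackup\17-02-2010',
        [string] $Destination = 'C:\WINDOWS\ERDNT\AutoBackup\AGAIN'
    )
    # Start from an empty destination so every run copies the same bytes.
    if (Test-Path $Destination) { Remove-Item $Destination -Recurse -Force }
    $bytes = (Get-ChildItem $Source -Recurse |
              Where-Object { -not $_.PSIsContainer } |
              Measure-Object Length -Sum).Sum
    $elapsed = Measure-Command { xcopy $Source $Destination /E /I /Q | Out-Null }
    New-Object PSObject -Property @{
        Seconds = [math]::Round($elapsed.TotalSeconds, 2)
        MB      = [math]::Round($bytes / 1MB, 1)
        MBperS  = [math]::Round(($bytes / 1MB) / $elapsed.TotalSeconds, 2)
    }
}

Find-EventLogEntries | Sort-Object TimeGenerated | Format-Table -AutoSize -Wrap
Measure-BackupCopy
```

Run Measure-BackupCopy once with "Enable write caching on the disk" unchecked and once with it checked; the MBperS figure is the comparison that matters, because the hive files are the same size each time. The Security log is deliberately left out of the default list: reading it needs the SeSecurityPrivilege, and the entries discussed in this thread are all in System and Application.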

The Readme.rtf file says
“This package contains Microsoft Bootvis v1.3.37, dated May 22, 2003.”

BootVis.exe / Properties / Version says
product Name :- PerfVis NT Performance Tool
Product Version:- 1, 0, 0, 1
Nowhere can I see in the properties anything that looks like v1.3.37

I decided last year that I would have to restore a disc image of how things were before I first rebuilt the repository, so I could get a better understanding of any damage that may have been done.
Since that decision I have been gathering knowledge and diagnostic tools with the assurance that no permanent damage will happen - even if Windows is destroyed I have a Boot CD that can restore the disc images.

I think it is time to restore.
The system is still sick even though Disc speed is now corrected, so further testing is of no value.

I ran the WMI Diagnosis Utility – Version 2.0
http://www.microsoft.com/downloads/details.aspx?familyid=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en

That was supposed to analyse but make no changes - but it did alter a date-stamp and may have altered the contents of a file.
I do not remember when I ran that tool, but perhaps that caused 4 off WinMgmt warnings
12/02/2010 22:14:29 to 22:23:15
“A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.”

I have recently noticed “issues” every start-up in log files within C:\WINDOWS\system32\wbem\Logs

FRAMEWORK.LOG :-
Shell Name Explorer.exe in Registry not found in process list. 02/17/2010 15:30:06.272 thread:1532 [d:\xpsp\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.959]
Unable to locate Shell Process, Impersonation failed. 02/17/2010 15:30:06.282 thread:1532 [d:\xpsp\admin\wmi\wbem\providers\win32provider\common\implogonuser.cpp.971]
Login Warning - provider with that name already existed, overridden with latest provider login (root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting) 02/17/2010 15:30:42.534 thread:2348 [d:\xpsp\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]
Login Warning - provider with that name already existed, overridden with latest provider login (root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting) 02/17/2010 19:00:48.877 thread:2668 [d:\xpsp\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]
Login Warning - provider with that name already existed, overridden with latest provider login (root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting) 02/18/2010 09:35:57.028 thread:2728 [d:\xpsp\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]
Login Warning - provider with that name already existed, overridden with latest provider login (root\cimv2:Win32_ComputerSystemWindowsProductActivationSetting) 02/19/2010 07:33:06.713 thread:2712 [d:\xpsp\admin\wmi\wbem\sdk\framedyn\wbemglue.cpp.2252]

I am concerned that this starts with an Impersonation failure, whatever that may be,
and assume that HiPerfCooker_v1 “caused a security violation … not correctly impersonate”.

I have drive D:, but there is no d:\xpsp\admin\wmi.… - so what is that all about ?

WBEMMESS.LOG
NTEventLogEventConsumer=“SCM Event Log Consumer” with error code 80041033.
WMI will reload and retry.
(Fri Feb 19 07:33:49 2010.121775) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121775) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121785) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121795) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121805) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121815) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121825) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121835) : NT Event Log Consumer: could not retrieve sid, 0x80041002
(Fri Feb 19 07:33:49 2010.121845) : NT Event Log Consumer: could not retrieve sid, 0x80041002

WMIPROV.LOG
(Wed Feb 17 15:33:17 2010.296636) : WDM call returned error: 4200
(Wed Feb 17 19:04:25 2010.297978) : WDM call returned error: 4200
(Thu Feb 18 09:39:35 2010.301363) : WDM call returned error: 4200
(Fri Feb 19 07:36:53 2010.305869) : WDM call returned error: 4200

WBEMCORE.LOG
(Fri Feb 19 07:33:06 2010.79133) : GetUserDefaultLCID failed, restorting to system verion
(Fri Feb 19 07:33:09 2010.81697) : GetUserDefaultLCID failed, restorting to system verion
(Fri Feb 19 07:33:10 2010.83480) : GetUserDefaultLCID failed, restorting to system verion
(Fri Feb 19 07:48:42 2010.1015179) : GetUserDefaultLCID failed, restorting to system verion
(Fri Feb 19 07:48:42 2010.1015279) : GetUserDefaultLCID failed, restorting to system verion
(Fri Feb 19 07:48:42 2010.1015289) : GetUserDefaultLCID failed, restorting to system verion

Regards
Alan
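An added example, not from the thread: the WMI text logs quoted above use two different timestamp layouts (FRAMEWORK.LOG puts "MM/dd/yyyy HH:mm:ss.fff" after the message; WBEMCORE.LOG and WBEMMESS.LOG lead with a ctime-style "(Fri Feb 19 07:33:49 2010.121775)"), which makes it hard to read the impersonation failure, the consumer SID errors and the WDM errors in the order they happened. Get-WbemLogEntries parses both layouts into DateTime values and merges the files into one time-ordered table. The bracketed "[d:\xpsp\admin\wmi\...cpp.959]" text it strips is the source-file path compiled into the provider binaries from Microsoft's XP build tree; it is not a path on the local D: drive. The log directory, the default match pattern and the assumption that only these two timestamp forms occur are mine, not anything the WMI documentation states.

```powershell
# Added example, not from the original thread. Merges the WMI text logs under
# %SystemRoot%\system32\wbem\Logs into one time-ordered list so the entries
# quoted above can be read in sequence. Assumes PowerShell 2.0 and the two
# timestamp layouts seen in those logs (assumption: other layouts are skipped
# and left with an empty Time).

function Get-WbemLogEntries {
    param(
        [string] $LogDir  = (Join-Path $env:SystemRoot 'system32\wbem\Logs'),
        [string] $Pattern = 'Impersonation failed|could not retrieve sid|security violation|error code|WDM call returned error|LocalSystem'
    )
    $culture = [Globalization.CultureInfo]::InvariantCulture
    Get-ChildItem (Join-Path $LogDir '*.log') | ForEach-Object {
        $file = $_.Name
        Get-Content $_.FullName | Where-Object { $_ -match $Pattern } | ForEach-Object {
            $line = $_
            $when = $null
            if ($line -match '\((\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\.\d+\)') {
                # WBEMCORE / WBEMMESS style: "(Fri Feb 19 07:33:49 2010.121775)".
                # ctime pads single-digit days with a space, so collapse runs of spaces first.
                $stamp = $matches[1] -replace ' +', ' '
                $when  = [DateTime]::ParseExact($stamp, 'ddd MMM d HH:mm:ss yyyy', $culture)
            } elseif ($line -match '(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+') {
                # FRAMEWORK style: "02/17/2010 15:30:06.272" after the message text.
                $when = [DateTime]::ParseExact($matches[1], 'MM/dd/yyyy HH:mm:ss', $culture)
            }
            New-Object PSObject -Property @{
                Time = $when
                Log  = $file
                # Drop the compiled-in source path and squeeze whitespace for display.
                Text = (($line -replace '\s*\[d:\\xpsp\\[^\]]*\]', '') -replace '\s+', ' ').Trim()
            }
        }
    }
}

Get-WbemLogEntries | Sort-Object Time | Format-Table Time, Log, Text -AutoSize -Wrap
```

Widen the pattern (or pass `-Pattern '.'`) to see every line, which is useful for confirming whether the "Impersonation failed" entry always precedes the provider "Login Warning" lines at the same boot, as it does in the excerpt above.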