I was profiling an application I am developing, and I saw unusual explorer.exe processor usage, almost 15%!

This is very high for explorer, I launched process explorer and then I saw this:

I click "kill" and explorer works fine.

This happens every time explorer restarts / starts up. How can I detect which application or what is causing that thread to launch, and how do I prevent it from launching? My explorer works fine without it.

I suspect this is a virus, but none of my AV software detects it.

Can anyone help me out?

Gizmo
  • See: http://stackoverflow.com/questions/11235279/debugging-rtluserthreadstart-in-process-explorer – slhck Mar 20 '13 at 17:58
    connect a debugger and look for the thread that is burning CPU. – Raymond Chen Mar 20 '13 at 18:30
  • Use xperf to get the cause: http://www.msfn.org/board/index.php?showtopic=140264 If you're unsure, zip and upload the ETL file. – magicandre1981 Mar 20 '13 at 19:15
  • I'm analyzing that ETL file I got; if I'm not able to identify the issue I'll upload it. –  Mar 21 '13 at 21:15
  • Hm, that tutorial uses another version of the ETL viewer? I can't find all of the options. Here is the ETL file: [click](http://meet-helmond.nl/latency.zip); the process is explorer.exe with thread id 2208, which is causing the huge CPU usage. –  Mar 21 '13 at 21:33
  • Yes, I use the old xperfview.exe, which is better compared to the new WPA.exe. Btw, please use @MagicAndre1981 so that I get notified that you replied to me. I'll analyze the file now and post an answer. – magicandre1981 Mar 27 '13 at 05:32

1 Answer

You have a 3rd-party component which dynamically creates code (green), and this code creates snapshots of programs (red) with this function: kernel32.dll!CreateToolhelp32Snapshot

Use AutoRuns and ShellExView to disable all 3rd-party tools until you find the one which causes your CPU usage.

magicandre1981
  • Hm, GetProcessInformation... virus? ;o I'll try it now, thanks! –  Mar 27 '13 at 10:27
  • Worked, thank you. I don't know which one it was, but I disabled ALL 3rd-party extensions for now. –  Mar 27 '13 at 10:38
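An added example, not part of the answer above or of AutoRuns/ShellExView, of narrowing the search before disabling extensions one by one: a PowerShell script (run from an elevated prompt) that lists the DLLs loaded into explorer.exe from outside %WINDIR% together with their Authenticode signer, and then the approved shell extensions whose COM server also lives outside %WINDIR%. It assumes the standard registry layout for approved shell extensions and the CLSID InprocServer32 entries, which is where ShellExView reads from; a CPU-burning thread started in dynamically generated code usually belongs to one of the modules it prints.

```powershell
# Added example: find non-Microsoft code loaded into explorer.exe.
# Assumes the standard "Shell Extensions\Approved" and CLSID\InprocServer32 layout.
$winDir = $env:WINDIR.ToLowerInvariant()

# 1) Modules currently loaded into explorer.exe that do not live under %WINDIR%.
#    Unsigned or oddly signed entries are the first candidates to disable.
Get-Process -Name explorer -ErrorAction Stop |
    ForEach-Object { $_.Modules } |
    Where-Object { -not $_.FileName.ToLowerInvariant().StartsWith($winDir) } |
    Sort-Object -Property FileName -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Module    = $_.ModuleName
            Path      = $_.FileName
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus = $sig.Status
        }
    } | Format-Table -AutoSize

# 2) Approved shell extensions whose in-process COM server is a DLL outside %WINDIR%.
#    These load into every new explorer.exe, matching the "every restart" symptom.
$approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
(Get-ItemProperty -Path $approved).PSObject.Properties |
    Where-Object { $_.Name -like '{*}' } |
    ForEach-Object {
        $clsid  = $_.Name
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)') {
            $dll = [Environment]::ExpandEnvironmentVariables($server.'(default)')
            if (-not $dll.ToLowerInvariant().StartsWith($winDir)) {
                [pscustomobject]@{ CLSID = $clsid; Description = $_.Value; Server = $dll }
            }
        }
    } | Format-Table -AutoSize
```

Cross-check the second list against the first: a shell extension that appears in both is loaded right now and is the natural first thing to disable in ShellExView, then confirm in Process Explorer that the busy thread is gone.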