thread degraded mode ... the sequel.

I've run in thread degraded mode for 2 or 3 weeks
without a hitch before, this time I wasn't so lucky. After about
6 hours explorer spun up taking 50% CPU (given it's a HT machine, that
usually means 1 thread spinning endlessly). Heuve! That
just won't do. But we can merely degrade this thread too ... once we
find it ...

So I ctrl-C in the debugger window that got started from part 1 ...

Alternatively: If you don't have debugger attached up to the process yet,
you can do so, by going to the C:\debuggers directory (expained in part 1), typing "tlist" to
find the Process ID (PID) of the explorer.exe process, and then run "ntsd
-p <PID>".

At the debug prompt we type "!runaway", which gives you something like this:

0:076> !runaway

User Mode Time

Thread Time

73:1acc 0 days 6:36:51.328

1:ec0 0 days 1:39:27.203

15:1ac 0 days 0:06:01.640

12:f94 0 days 0:05:44.281

... deleted the other ~80 threads ...

The time column is cumulative CPU time the thread has used.

At this point you 'g' the debugger, wait for a short timed interval,
then hit ctrl-C again to re-break into the debugger. I waited 30
seconds myself, and then re-run the !runaway command ...

0:082> !runaway

User Mode Time

Thread Time

73:1acc 0 days 6:37:21.359

1:ec0 0 days 1:39:28.406

15:1ac 0 days 0:06:01.671

12:f94 0 days 0:05:44.281


You can see from the blue that
thread 73 is our culprit, as it's cumulative CPU time went up by nearly
exactly 30 seconds. Note the culprit thread isn't guaranteed to
be the top thread, but it was in my case.

So the "~f" command from the first blog affects the "current" thread in
the debugger, which you can see above is thread 82, not exactly, well
... not at all what is desired. We want thread 73 to be frozen
though, so here is how you freeze a specific thread:

0:082> ~73f

0:082> g

Now I'm back to normal, CPU settles down, go back to work.

Sometime later the next thing is I AV'd when I typed a search in the MSN Desktop
Search box on the task bar see the bottom of my start bar ... since MSN DS was the source of the
original issue, not sure
why I'd have expected that to work (I can be really stupid sometimes, I'll blog more about that), one more thread to freeze and
then 'g' the process.

The last thing that AV'd is <window>-E. Don't know why that AV'd, but don't care I can live without file explorer.

Though I am not sure I can live without desktop search ... I sense a reboot is in my future ...