
This article is for troubleshooting a hanging problem related to the DualShield Windows Logon client. 

On the machine where the hanging problem is observed, install the following 3 tools.

1. WinDbg

Download the installer from https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

Note: the installer is enough, there is no need to download the ISO.


WinDbg is part of the Windows SDK; in the SDK installer you only need to select the component called "Debugging Tools for Windows".
 

By default, WinDbg is installed into the folder "C:\Program Files (x86)\Windows Kits\10\Debuggers". We will use this folder when configuring the other two tools below.

2. Process Explorer

Download it from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

This is a zip file. Unzip it. The executable is called procexp64.exe on an x64 system, otherwise it is called procexp.exe. Run the executable procexp64.exe or procexp.exe.

Select Options | Configure Symbols...

Change the Dbghelp.dll path to:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll

(This is the default installation folder of WinDbg. Make sure the file exists: the copy of dbghelp.dll from the Debugging Tools is the one that can fetch symbols from a symbol server.)

Change the Symbols path to:

SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;C:\Windows\System32

The first element tells dbghelp to download Microsoft symbols into the local cache c:\websymbols; the Microsoft symbol server is also available over HTTPS (https://msdl.microsoft.com/download/symbols), which is preferable so that symbol files are not fetched over plain HTTP. The second element, C:\Windows\System32, is where the DasCredProv.pdb file obtained below will be placed, so that the tools can resolve the credential provider's symbols.

Finally, create a folder called "websymbols" on the C drive.


3. Process Monitor

Download it from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Configure the symbols in the same way as in Process Explorer (Options | Configure Symbols..., with the same dbghelp.dll path and symbols path).

Finally, contact Deepnet Security for a copy of DasCredProv.pdb. Each version of the Windows logon agent has its own pdb file, and a pdb only resolves symbols for the exact DasCredProv.dll build it was generated from, so make sure the copy you receive matches the installed agent.

Then, save the file into the folder "C:\Windows\System32", where DasCredProv.dll also resides. This folder is the second element of the symbols path configured above, which is how the tools find the pdb.
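Before waiting for the hang to recur, it is worth checking that the symbol setup above is complete. The PowerShell script below is an added example and is not part of the original article or of Deepnet Security's software: it checks the dbghelp.dll path, creates the symbol cache folder, confirms that DasCredProv.dll and DasCredProv.pdb sit side by side in System32, and uses symchk.exe from the Debugging Tools to confirm that the pdb matches the installed DLL build. The paths are the defaults used in this article; the symbol server URL is given in its https form.

```powershell
# Added example (not from the original article): verify the symbol setup
# described above. Paths are the article's defaults; change $Debuggers if
# Debugging Tools for Windows was installed elsewhere. Run as an administrator.
#Requires -RunAsAdministrator

$Debuggers = 'C:\Program Files (x86)\Windows Kits\10\Debuggers'
$DbgHelp   = Join-Path $Debuggers 'x64\dbghelp.dll'
$SymChk    = Join-Path $Debuggers 'x64\symchk.exe'
$SymCache  = 'C:\websymbols'
$System32  = Join-Path $env:SystemRoot 'System32'
$Dll       = Join-Path $System32 'DasCredProv.dll'
$Pdb       = Join-Path $System32 'DasCredProv.pdb'

# 1. dbghelp.dll from the Debugging Tools install, as entered in
#    Options | Configure Symbols of Process Explorer and Process Monitor.
if (-not (Test-Path $DbgHelp)) {
    throw "dbghelp.dll not found at $DbgHelp; install 'Debugging Tools for Windows'"
}

# 2. Local cache directory named in the SRV*c:\websymbols*... symbol path.
if (-not (Test-Path $SymCache)) {
    New-Item -ItemType Directory -Path $SymCache | Out-Null
    Write-Host "created $SymCache"
}

# 3. DLL and PDB must sit side by side in System32: the ';C:\Windows\System32'
#    element of the symbol path is what lets the tools find DasCredProv.pdb.
foreach ($f in @($Dll, $Pdb)) {
    if (-not (Test-Path $f)) { throw "missing: $f" }
}
Get-Item $Dll, $Pdb | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 4. A PDB only resolves symbols for the exact build it was produced from.
#    symchk.exe (ships with Debugging Tools) looks the PDB up by the GUID/age
#    recorded in the DLL's debug directory and reports the DLL as FAILED when
#    the pdb in the symbol path does not match or is not found.
if (-not (Test-Path $SymChk)) { throw "symchk.exe not found at $SymChk" }
& $SymChk /v $Dll /s $System32

# 5. The .pdb is debug data and is never loaded by LogonUI.exe, but it now
#    lives in System32: confirm that only the usual principals can write to
#    it, the same as for the DLL beside it.
foreach ($f in @($Dll, $Pdb)) {
    Write-Host "write access on $(Split-Path $f -Leaf):"
    (Get-Acl $f).Access |
        Where-Object { $_.FileSystemRights -match 'Write|FullControl|Modify' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
}
```

Run it from an elevated PowerShell once all three tools are installed and the pdb is in place. If symchk reports the DLL as FAILED, the pdb you were sent belongs to a different agent build and the thread stacks collected later will show raw addresses instead of DasCredProv function names.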

Troubleshooting 

When the Windows process "LogonUI.exe" appears to be consuming a large amount of CPU time, it is probably in the hanging state. Follow the steps below to collect data for troubleshooting.

From another machine, remote access the machine where the 3 tools are installed (this assumes RDP is enabled on the target machine, since the physical console is occupied by the stuck logon screen) and log in with a local admin account.

Run Process Explorer as an administrator (LogonUI.exe runs as SYSTEM, and its threads cannot be inspected from a non-elevated instance).

You should see the process "LogonUI.exe" (under winlogon.exe).

Right-click it, choose Properties..., then the Threads tab. You should see some threads whose start address has the name "DasCredProv.dll!xxxx ...".

Select one of them, then click the button "Stack". You should see something like the following.

Press the button "Copy All" to copy the stack to the clipboard. Then open Notepad, paste the content from the clipboard into it, and save the content to a file.

Next, run Process Monitor as an administrator.

Switch off capturing, clear all collected content, and click the filter icon to add the filter below:

PID is xxx

where xxx is the PID of LogonUI.exe. You can find the PID using Process Explorer or Task Manager. See below:

Now, switch on capturing. Then ask someone to type something on the Windows logon screen at the physical console. You should see some activity.

Save the activity into a file.
Practise with these two tools until you are confident. The next thing to do is wait.

Once the hanging problem happens again, access the machine with RDP using the local admin account.

Run Process Explorer and check the Threads tab of LogonUI.exe. Take a snapshot. If some of the threads (started from DasCredProv) are using CPU, check their stacks: press the button "Copy All" to copy each stack to the clipboard, save it, and send it to us along with the snapshot.

Next, run Process Monitor, add the PID filter (we are only interested in the particular process LogonUI.exe), then start capturing. We expect to see some activity; please save it into a file and send it to us.
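The whole collection procedure above, scripted as an added example that is not part of the original article or of Deepnet Security's tooling: it locates LogonUI.exe, measures its CPU use, dumps every thread's stack with cdb.exe from the Debugging Tools install (the same information Process Explorer shows in the Threads tab and the Stack button), records a Process Monitor trace and keeps only the events of that PID (the "PID is xxx" filter, applied after the capture), and zips the result. It assumes the default Debugging Tools path, that Process Monitor was unpacked to C:\Tools, and that DasCredProv.pdb is already in System32 as set up above; the output folder C:\DualShieldHang is also an assumption.

```powershell
# Added example (not from the original article): collect the same data the
# article gathers by hand, from an RDP session as a local administrator.
# Assumptions: default Debugging Tools path; Process Monitor unpacked to
# C:\Tools; DasCredProv.pdb already in System32; output under C:\DualShieldHang.
#Requires -RunAsAdministrator

$Debuggers      = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'
$Procmon        = 'C:\Tools\procmon64.exe'   # assumption: where the zip was unpacked
$SymPath        = "SRV*C:\websymbols*https://msdl.microsoft.com/download/symbols;$env:SystemRoot\System32"
$CaptureSeconds = 60
$OutDir         = "C:\DualShieldHang\$(Get-Date -Format 'yyyyMMdd-HHmmss')"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# --- 1. Identify LogonUI.exe (child of winlogon.exe) and how busy it is.
# More than one LogonUI.exe can exist briefly (e.g. the RDP session's own logon
# screen); the hung console instance is the one burning CPU, so take the busiest.
$logonUi = Get-Process -Name LogonUI -ErrorAction Stop |
    Sort-Object TotalProcessorTime -Descending | Select-Object -First 1
$logonPid  = $logonUi.Id
$cpuBefore = $logonUi.TotalProcessorTime
Start-Sleep -Seconds 5
$cpuAfter  = (Get-Process -Id $logonPid).TotalProcessorTime
$used      = ($cpuAfter - $cpuBefore).TotalSeconds
"LogonUI.exe PID $logonPid used $used s of CPU in 5 s (started $($logonUi.StartTime))" |
    Tee-Object -FilePath "$OutDir\summary.txt"

# --- 2. Thread stacks: the same information as Process Explorer's Threads tab
# and Stack button. cdb.exe attaches non-invasively (-pv), which suspends
# LogonUI.exe only while the stacks are read; as it is already hung this costs
# nothing. ~*k prints every thread's stack; qd detaches and leaves it running.
$cdb = Join-Path $Debuggers 'cdb.exe'
& $cdb -pv -p $logonPid -y $SymPath -c '.reload; ~*k; qd' 2>&1 |
    Out-File -FilePath "$OutDir\logonui-stacks.txt"

# Frames inside the credential provider are the ones to send to the vendor.
Select-String -Path "$OutDir\logonui-stacks.txt" -Pattern 'DasCredProv' |
    ForEach-Object { $_.Line } |
    Tee-Object -FilePath "$OutDir\dascredprov-frames.txt"

# --- 3. Process Monitor trace of that PID. Procmon writes to a backing file
# while someone types at the physical console, is then stopped, and the trace
# is exported to CSV; the article's "PID is xxx" filter is applied after the
# fact so only LogonUI.exe events are kept.
$pml    = Join-Path $OutDir 'logonui.pml'
$csvAll = Join-Path $OutDir 'all.csv'
Start-Process -FilePath $Procmon -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$pml`""
Write-Host "Capturing for $CaptureSeconds s: ask someone to type at the logon screen now."
Start-Sleep -Seconds $CaptureSeconds
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait
Start-Process -FilePath $Procmon -ArgumentList "/AcceptEula /OpenLog `"$pml`" /SaveAs `"$csvAll`"" -Wait

$events = Import-Csv -Path $csvAll | Where-Object { $_.PID -eq "$logonPid" }
$events | Export-Csv -Path "$OutDir\logonui-events.csv" -NoTypeInformation
"Process Monitor events for PID $logonPid: $($events.Count)" |
    Tee-Object -FilePath "$OutDir\summary.txt" -Append

# --- 4. Bundle everything for Deepnet Security.
Compress-Archive -Path "$OutDir\*" -DestinationPath "$OutDir.zip"
Write-Host "Collected data: $OutDir.zip"
```

Run it from an elevated PowerShell in the RDP session while the hang is in progress, and have someone ready at the physical console for the capture window. The full .pml trace is kept next to the filtered CSV in case the vendor wants the unfiltered capture, and the stack dump is taken before the Process Monitor run so that the stacks reflect the hung state rather than the activity triggered by typing at the console.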