
On the machine where the hanging problem is observed, install the following three tools.
1. WinDbg
Download the installer from https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
Note: the installer is enough; there is no need to download the ISO.

WinDbg is part of the Windows SDK; in the SDK installer you only need to select the single component "Debugging Tools for Windows".


By default, WinDbg is installed to the folder "C:\Program Files (x86)\Windows Kits\10\Debuggers". We will use this path when configuring the other two tools below.
2. Process Explorer
Download it from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
This is a zip file. Unzip it and run procexp64.exe (on an x64 system; otherwise use procexp.exe). Run it as administrator: LogonUI.exe runs as SYSTEM, and its threads and stacks are only visible from an elevated Process Explorer.
Configure the symbols at Options | Configure Symbols...

Change the Dbghelp.dll path to "C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll" (this copy comes from the WinDbg installation; make sure it exists. Do not leave it pointing at the copy in System32, which has no symbol-server support).
Change the Symbols path to "SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;C:\Windows\System32" (create the folder "websymbols" under the C drive first; it is the local cache the Microsoft symbol server downloads into. C:\Windows\System32 is listed so that DasCredProv.pdb, placed there in a later step, is found next to the DLL).

3. Process Monitor
Download it from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Unzip it and configure the symbols the same way (Options | Configure Symbols…), using the same dbghelp.dll path and symbol path as in Process Explorer.
Now it is time to try it out.
Ask the provider, Deepnet Security, for the DasCredProv.pdb file that matches the installed DLL (each build of the Windows logon agent has its own pdb file, and a pdb from a different build will not resolve the stacks). Save the file into the folder "C:\Windows\System32", where DasCredProv.dll resides.
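The following script is an added example, not part of the original page or of Deepnet Security's own tooling. It checks, from an elevated PowerShell prompt, the setup described in steps 1 to 3 and the placement of DasCredProv.pdb: that the debugger's dbghelp.dll is present, that the C:\websymbols cache exists, that the symbol path is persisted, that the DLL and the pdb sit side by side in System32, and, using symchk.exe from the WinDbg installation, that the pdb really matches the installed DLL build. The install path and symbol path are the ones given above; everything else is the script's own assumption.

```powershell
# Added example (not from the original page): verify the WinDbg / Process Explorer /
# Process Monitor setup and the DasCredProv.pdb placement from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'

$dbgDir  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'   # default WinDbg install path
$symPath = 'SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;C:\Windows\System32'
$sys32   = Join-Path $env:SystemRoot 'System32'

# 1. dbghelp.dll from the debugger install: this is the copy Process Explorer and
#    Process Monitor must be pointed at (the one in System32 cannot use the symbol server).
$dbghelp = Join-Path $dbgDir 'dbghelp.dll'
if (-not (Test-Path $dbghelp)) {
    throw "dbghelp.dll not found at $dbghelp; install 'Debugging Tools for Windows' first"
}

# 2. The local cache named in the symbol path must exist before the server can populate it.
New-Item -ItemType Directory -Path 'C:\websymbols' -Force | Out-Null

# 3. Persist the symbol path machine-wide. cdb/windbg read _NT_SYMBOL_PATH directly and the
#    Sysinternals tools offer it as their default; the GUI setting still has to be confirmed
#    once in each tool. New processes only: restart the tools after this.
[Environment]::SetEnvironmentVariable('_NT_SYMBOL_PATH', $symPath, 'Machine')

# 4. The credential provider DLL and the pdb supplied by the provider must be side by side.
$dll = Join-Path $sys32 'DasCredProv.dll'
$pdb = Join-Path $sys32 'DasCredProv.pdb'
foreach ($f in @($dll, $pdb)) {
    if (-not (Test-Path $f)) { throw "missing $f" }
}

# 5. Prove the pdb matches this DLL build. symchk.exe ships in the Debuggers folder and
#    compares the GUID/age recorded in the DLL with the pdb found on the given symbol path;
#    a pdb from another build reports FAILED and would give meaningless stacks later.
& (Join-Path $dbgDir 'symchk.exe') $dll /s $sys32 /v
```

If symchk reports a failure, get the pdb for exactly the installed build from the provider before going any further; a mismatched pdb is the most common reason the stacks in Process Explorer show raw addresses instead of DasCredProv function names.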
Run Process Explorer,

You should see the process "LogonUI.exe" (under winlogon.exe). Right-click it, choose Properties…, then the Threads tab. You should see some threads whose start address is in DasCredProv.dll (shown as DasCredProv.dll!xxxx).

Select one of them and click the "Stack" button; you should see a stack trace like the one below. If the frames show only raw addresses instead of DasCredProv!FunctionName, the pdb was not found: re-check the dbghelp.dll path, the symbol path, and the location of DasCredProv.pdb.

Now let us try Process Monitor. Run it as administrator.

Switch off capturing (Ctrl+E), clear all collected events (Ctrl+X), and add a filter "PID is xxx" (find the actual PID of LogonUI.exe in Process Explorer or Task Manager).

Switch capturing back on, then ask someone to type something on the logon screen at the physical console. You should see some activity from LogonUI.exe.


You can save the captured events to a file (File | Save…). Keep the native PML format so the trace can be reloaded with full detail.

Play with these two tools until you are confident with them. The next thing to do is to wait.

Once the hanging problem happens again, access the machine over RDP with the local administrator account.
Run Process Explorer as administrator and check the Threads tab of LogonUI.exe. Take a screenshot. If some of the threads that started in DasCredProv.dll are consuming CPU, check their stacks: open the stack of each such thread and press the "Copy All" button to copy it to the clipboard. Do this first, before anything else is touched, because the stack at the moment of the hang is the evidence. Send the stacks to us along with the screenshot.
Next, run Process Monitor as administrator, add the PID filter (we are only interested in the LogonUI.exe process), then start capturing. We expect to see some activity; save it into a PML file and send it to us.
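The script below is an added example, not part of the original page, showing how the same evidence can be collected from an elevated PowerShell prompt in the RDP session once the hang recurs, so that it is gathered the same way every time and without clicking through the GUI. It uses cdb.exe from the WinDbg installation already on the machine to attach to LogonUI.exe non-invasively, print the per-thread CPU times (the scripted equivalent of looking for DasCredProv threads that are using CPU) and every thread's stack, and then records a Process Monitor trace to a backing file. The Procmon unzip location (C:\Tools\Procmon), the output folder (C:\HangEvidence) and the 60-second recording window are this example's assumptions; the debugger path and symbol path are the ones given on this page.

```powershell
# Added example (not from the original page): collect LogonUI.exe thread stacks and a
# Process Monitor trace after the hang has been observed. Run elevated in the RDP session.
# Assumed paths (change to match the machine): Procmon in C:\Tools\Procmon, output in C:\HangEvidence.
$ErrorActionPreference = 'Stop'

$dbgDir  = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64'   # from the WinDbg install
$procmon = 'C:\Tools\Procmon\Procmon64.exe'                           # assumed unzip location
$outDir  = 'C:\HangEvidence'                                          # assumed output folder
$symPath = 'SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;C:\Windows\System32'
$seconds = 60                                                         # assumed Procmon recording window

New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Find LogonUI.exe. $PID is PowerShell's own process id, so the target gets its own name.
$logonUi = Get-CimInstance Win32_Process -Filter "Name = 'LogonUI.exe'" | Select-Object -First 1
if (-not $logonUi) { throw 'LogonUI.exe is not running; is the logon screen up on the console?' }
$targetPid = $logonUi.ProcessId
"LogonUI.exe PID $targetPid (parent PID $($logonUi.ParentProcessId)) at $stamp" |
    Out-File -FilePath (Join-Path $outDir "summary-$stamp.txt")

# 2. Thread CPU times and stacks, captured first because they are the evidence of the hang.
#    -pv attaches non-invasively: LogonUI is only suspended while cdb reads it and resumes on qd.
#    !runaway 3 lists user and kernel CPU time per thread, so a spinning DasCredProv thread
#    stands out; ~*k prints every thread's stack with symbols from $symPath; -logo saves it all.
$stackLog = Join-Path $outDir "logonui-stacks-$stamp.txt"
& (Join-Path $dbgDir 'cdb.exe') -pv -p $targetPid -y $symPath -lines -logo $stackLog `
    -c '!runaway 3; ~*k; qd' | Out-Null

# 3. Process Monitor trace to a backing file. Procmon starts capturing as soon as it is
#    launched; /Quiet suppresses the filter prompt. The backing file records every event
#    (GUI filters only hide events), so apply "PID is $targetPid" when the .pml is opened.
$pml = Join-Path $outDir "logonui-$stamp.pml"
Start-Process -FilePath $procmon -ArgumentList @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', $pml)
Start-Sleep -Seconds $seconds      # have someone type on the logon screen during this window
Start-Process -FilePath $procmon -ArgumentList '/Terminate' -Wait
Start-Sleep -Seconds 5             # let Procmon flush and close the backing file

# 4. Everything to send to the provider is tagged with the same timestamp.
Get-ChildItem -Path $outDir -Filter "*$stamp*"
```

The stack log and the summary file replace the "Copy All" text and the screenshot, and the .pml is the saved Process Monitor trace; the LogonUI PID recorded in the summary is the value to use for the PID filter when the trace is opened. Run the cdb step before the Procmon step, as written: the non-invasive attach briefly suspends LogonUI.exe, and taking the stacks first means they reflect the hang rather than anything the trace run disturbed.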