This article is for troubleshooting a hanging problem related to the DualShield Windows Logon client. 

On the machine where the hanging problem is observed, install the following 3 tools.

1. WinDBG

Download the installer from https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools

Note: the installer is enough; there is no need to download the ISO.


WinDbg is part of the Windows SDK. You only need to select the component called "Debugging Tools for Windows".
 

By default, WinDbg is installed into the folder "C:\Program Files (x86)\Windows Kits\10\Debuggers". We will use this folder in the other two tools below.

2. Process Explorer

Download it from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

This is a zip file. Unzip it. The executable is called procexp64.exe on an x64 system; otherwise it is called procexp.exe.

Run the executable procexp64.exe or procexp.exe.

Select Options | Configure Symbols...

Change the Dbghelp.dll path to:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll

This is the default installation folder of WinDbg. Make sure it exists.

Change the Symbols path to:

SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols;C:\Windows\System32

Finally, create a folder called "websymbols" on the C drive.


3. Process Monitor

Download it from https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Configure the symbols the same way as in Process Explorer.

DasCredProv.pdb

Finally, contact Deepnet Security for a copy of DasCredProv.pdb (different Windows logon agents have different pdb files).

Then, save the file into the folder "C:\Windows\System32" where DasCredProv.dll also resides.

Troubleshooting 

When the Windows process "LogonUI.exe" appears to be consuming a large amount of CPU time, it is probably hanging. Follow the steps below to collect data for troubleshooting.

From another machine, connect remotely to the machine where the 3 tools are installed (assuming RDP is enabled on the target machine) and log in to it with a local admin account.

Run Process Explorer.

You should see the process "LogonUI.exe" (under winlogon.exe).

Right-click it, choose Properties…, then select the Threads tab. You should see some threads with the name "DasCredProv.dll! ..."

Select each of them one by one (especially the one with high CPU), then click the "Stack" button to display its call stack.

Press the "Copy All" button to copy the stack to the clipboard. Then open Notepad, paste the content from the clipboard, and save it to a file.

Next, run Process Monitor as an admin.

Switch off capturing, clear the existing content, and click the filter icon to add the filter below:

PID is xxx

where xxx is the PID of LogonUI.exe. You can find the PID using Process Explorer or Task Manager.

Now, switch on capturing. Then, input something on the Windows logon screen at the physical console. You should see some activities.


Save the activities into a file.
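
A pre-flight check for the setup and the PID lookup described above, as an added PowerShell example that is not part of the original article or of Deepnet's tooling. It assumes the default paths given in the article and an elevated prompt on the affected machine.

```powershell
# Added example: verify the symbol setup from this article and list LogonUI.exe PIDs.
# Paths are the defaults named in the article; adjust them if you installed elsewhere.
$paths = [ordered]@{
    'dbghelp.dll (WinDbg)' = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll'
    'Symbol cache folder'  = 'C:\websymbols'
    'DasCredProv.dll'      = 'C:\Windows\System32\DasCredProv.dll'
    'DasCredProv.pdb'      = 'C:\Windows\System32\DasCredProv.pdb'
}

# The article asks for C:\websymbols to exist; create it if it is missing.
if (-not (Test-Path -LiteralPath $paths['Symbol cache folder'])) {
    New-Item -ItemType Directory -Path $paths['Symbol cache folder'] | Out-Null
}

# Report which prerequisites are present.
$paths.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Item    = $_.Key
        Present = Test-Path -LiteralPath $_.Value
        Path    = $_.Value
    }
} | Format-Table -AutoSize

# The pdb differs per logon agent, so note the DLL version when requesting it.
if (Test-Path -LiteralPath $paths['DasCredProv.dll']) {
    $ver = (Get-Item -LiteralPath $paths['DasCredProv.dll']).VersionInfo.FileVersion
    Write-Host "DasCredProv.dll file version: $ver"
}

# List every LogonUI.exe instance with the PID needed for the Process Monitor filter.
$logonUi = @(Get-CimInstance Win32_Process -Filter "Name = 'LogonUI.exe'")
if ($logonUi.Count -eq 0) {
    Write-Host 'No LogonUI.exe process found (no logon screen is currently displayed).'
}
$logonUi | ForEach-Object {
    $proc   = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
    $parent = Get-Process -Id $_.ParentProcessId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProcessId  = $_.ProcessId
        SessionId  = $_.SessionId
        Parent     = $(if ($parent) { $parent.ProcessName } else { 'unknown' })
        Threads    = $_.ThreadCount
        CpuSeconds = $(if ($proc) { [math]::Round($proc.CPU, 1) } else { $null })
    }
} | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize
```

If more than one LogonUI.exe is listed (one per session), use the PID of the instance whose CpuSeconds value keeps climbing between runs.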




