Fast as a speeding bullet, it's Super Windows Process! How to catch?
April 13, 2016 12:06 PM
WindowsFilter: All of a sudden, a super fast "MS-DOS"-like process has emerged that begins and quickly ends on my Windows 10 desktop. It seems to be encountering an error of some kind, near as my speed-reading can detect. I have no idea what this process is, and it happens every 30 minutes or so. If I am in a fullscreen program, it kicks me out to the desktop, sometimes disrupting or occasionally crashing the program. How do I best diagnose and solve this problem?
I can't quite figure out why this would have started based on my recent computing habits. I haven't installed any odd programs, or (I think?) recently uninstalled any programs.
I'm wondering if one step would be to, perhaps, record my screen? I've never done so... if that's something that makes sense, is there a particular free screen-recording program that one would recommend?
And if I can figure out "what" is doing this process, what are best practices for eliminating it, for good? I am guessing it's something orphaned, but I could be wrong.
You might be able to find the cause in the logs:
Right click on 'Computer' icon, click on Manage, double click on Event Viewer.
Under 'Summary of Administrative Events' check the various events to see if anything looks plausible.
I just realized that these instructions are for Windows 7, but there must be a Windows 10 analog to them.
Good luck!
posted by Don_K at 12:21 PM on April 13, 2016
If it's a separate program running, install Microsoft Process Explorer, start it running, then in the Options menu, change "Difference Highlight Duration" to its maximum value (which might only be 9 seconds, which isn't as long as I'd wish). Then whenever you see the process pop up, it should stay in Process Explorer highlighted in dark red for that long (Options -> Configure Colors to see what the different colors mean). You should be able to right click the process and see its command string/path in the properties and help diagnose what's going on. You may want to use File menu -> Show Details for All Processes after you start Process Explorer, if you have admin credentials.
If it's a console window from an already running program, and not a separate process, this procedure won't help unfortunately. MeMail me with any questions.
posted by TheAdamist at 12:25 PM on April 13, 2016
If it's happening on a schedule, check the task scheduler. You can see what's being run and at what time. From there you can delete the task if need be.
How to access task scheduler:
Click the lower-left Start button, enter schedule in the empty box and select Schedule tasks from the results. Way 2: Turn on Task Scheduler via Search. Tap the Search button on the taskbar, type schedule in the blank box and choose Schedule tasks. Way 3: Open it in the Control Panel.
posted by bleucube at 12:25 PM on April 13, 2016
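The scheduled-task check suggested above can also be done from PowerShell. This is an added example, not part of the original thread; the 60-minute cutoff is an assumption chosen to bracket the roughly 30-minute interval described in the question, and it only covers tasks with repeating triggers.

```powershell
# Added example, not from the thread: list enabled scheduled tasks whose
# triggers repeat on a short interval, with what they run and when they last ran.
$maxInterval = New-TimeSpan -Minutes 60   # assumed cutoff

Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    # Repetition.Interval is an ISO 8601 duration string such as PT30M;
    # it is empty when the trigger does not repeat.
    $intervals = foreach ($trigger in $task.Triggers) {
        if ($trigger.Repetition.Interval) {
            [System.Xml.XmlConvert]::ToTimeSpan($trigger.Repetition.Interval)
        }
    }
    $shortest = $intervals | Sort-Object | Select-Object -First 1
    if ($null -ne $shortest -and $shortest -le $maxInterval) {
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Every      = $shortest
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult
                # Exec actions carry Execute/Arguments; COM handler actions only a ClassId.
                Runs       = if ($action.Execute) {
                                 "$($action.Execute) $($action.Arguments)".Trim()
                             } else {
                                 "COM handler $($action.ClassId)"
                             }
            }
        }
    }
} | Sort-Object Every | Format-List
```

Compare LastRun with the time the window last flashed; a nonzero LastResult on a matching task is consistent with the error the question describes.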
I have had this happen before and it was with MSI Client update tool. It loads on startup. You can run task manager and disable services that run at startup. That might do it too.
Here's a link on how to do it.
posted by bleucube at 12:28 PM on April 13, 2016
If you have a recent iPhone-- take a slowmo video of the error, then replay it and you'll be able to see the error clearly. #techlifehack ;)
posted by Static Vagabond at 12:30 PM on April 13, 2016
First do check the scheduled tasks. If that's what's doing it, that'll be the easiest way to find it. But it certainly could be the case that some other program is periodically doing this itself.
It's totally not friendly or easy, but Process Monitor (by the same group at MS who did Process Explorer, suggested by TheAdamist) is an incredibly powerful tool for figuring out what the heck's going on on a Windows machine. The challenge is that there's always a ton of stuff going on, so it can be difficult to find what you want.
ProcMon can use quite a bit of memory. If this is really happening every half hour, I would just start it a minute before you expect the window to pop up, and after you see it, stop the capture. You'll have a bajillion registry and file events. There's a few ways to set the filter, but the easiest is probably to use Ctrl+F to find "process" until you find one that says "Process Create", right click on "Process Create" and choose "Include 'Process Create'". That will add a filter to only show events where the Operation is Process Create. In this list, the Process Name and PID columns will show the parent process, and the Path column refers to the path to the created process's exe. If you double click on an entry, you can see details, which include the command line of the process.
Starting a console app normally involves several processes for stuff like managing the actual window itself. Expect to see csrss.exe and conhost.exe, which are just part of that plumbing and aren't the real culprit.
posted by aubilenon at 12:53 PM on April 13, 2016
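The same parent-and-child view of process creation can be captured without ProcMon by subscribing to the WMI `Win32_ProcessStartTrace` event. This is an added example, not part of the original thread; the CSV path, the `ProcStart` identifier and the two function names are assumptions made for this sketch, and it must run from an elevated PowerShell window.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell window.
# The log path and the ProcStart identifier are assumptions made for this sketch.
$LogPath = Join-Path $env:TEMP 'process-starts.csv'

function Start-ProcessStartLog {
    Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
        -SourceIdentifier ProcStart -MessageData $LogPath -Action {
        $e = $Event.SourceEventArgs.NewEvent
        # A short-lived child may already have exited, so its command line can be
        # empty; the parent usually still exists. A recycled PID can make either
        # lookup name the wrong process, so treat the match as a lead, not proof.
        $parent = Get-CimInstance Win32_Process `
            -Filter "ProcessId=$($e.ParentProcessID)" -ErrorAction SilentlyContinue
        $child = Get-CimInstance Win32_Process `
            -Filter "ProcessId=$($e.ProcessID)" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Time        = $Event.TimeGenerated.ToString('HH:mm:ss.fff')
            Process     = $e.ProcessName
            ProcessId   = $e.ProcessID
            CommandLine = $child.CommandLine
            ParentId    = $e.ParentProcessID
            Parent      = $parent.Name
            ParentPath  = $parent.ExecutablePath
        } | Export-Csv -Path $Event.MessageData -Append -NoTypeInformation
    } | Out-Null
}

function Stop-ProcessStartLog {
    Unregister-Event -SourceIdentifier ProcStart
    # conhost.exe rows are console plumbing, but the Parent column on such a row
    # is the console program that opened the window.
    Import-Csv $LogPath | Select-Object -Last 25 | Format-Table -AutoSize
}
```

Call `Start-ProcessStartLog` shortly before the window is expected and `Stop-ProcessStartLog` right after it flashes, then read the rows whose Time matches.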
Windows 10 has built-in screen recording (I think it's part of the XBox app). The keyboard command to bring up the Game Bar is Windows key + G (it will ask you if this is a game, just check the box).
posted by under_petticoat_rule at 1:12 PM on April 13, 2016
This thread is closed to new comments.
posted by EndsOfInvention at 12:14 PM on April 13, 2016