
Constant disk activity, DCOM not disabling

Discussion in 'Windows 7' started by adabo, Nov 10, 2011.

  1. adabo

    adabo Thread Starter

    Joined:
    Nov 10, 2011
    Messages:
    6
    Hi guys! I'm having trouble lately with my current 64 bit install of Windows 7. It seems that the disk activity is just constant and rarely takes a break. I've taken a look using Procmon and identified that quite a bit of the activity stems from "-k DcomLaunch". I tried disabling Dcom, but failed. Here are the steps I've taken:

    1. Run Microsoft Security Essential scan (Clean)
    2. Run Spybot Search and Destroy (Removed a couple usual adware)
    3. Run Dcombobulator (Procmon still reporting Registry read/writes from DcomLaunch)
    4. Manually disabling Dcom using this guide (Procmon still reporting same Registry Activity)

    When I tried step 4 and rebooted, I found that the box was still unchecked from step 4 of the technet guide, but Procmon still shows the same Registry activity.

    Initial Google searches resulted in something related to my sound, possibly my onboard realtek.

    Here are a few sample lines from Procmon:
    Code:
    4:46:02.9704947 PM	svchost.exe	716	RegCreateKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses	REPARSE	Desired Access: All Access
    4:46:02.9705288 PM	svchost.exe	716	RegCreateKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses	SUCCESS	Desired Access: All Access
    4:46:02.9705490 PM	svchost.exe	716	RegOpenKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	SUCCESS	Desired Access: All Access
    4:46:02.9705662 PM	svchost.exe	716	RegCloseKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses	SUCCESS	
    4:46:02.9705784 PM	svchost.exe	716	RegQueryValue	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\Default	NAME NOT FOUND	Length: 44
    4:46:02.9705897 PM	svchost.exe	716	RegEnumKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	SUCCESS	Index: 0, Name: ##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}
    4:46:02.9706062 PM	svchost.exe	716	RegOpenKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	SUCCESS	Desired Access: Read
    4:46:02.9706202 PM	svchost.exe	716	RegEnumKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	SUCCESS	Index: 0, Name: #
    4:46:02.9706317 PM	svchost.exe	716	RegOpenKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\#	SUCCESS	Desired Access: Read
    4:46:02.9706456 PM	svchost.exe	716	RegOpenKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\#\Control	SUCCESS	Desired Access: Read
    4:46:02.9706582 PM	svchost.exe	716	RegQueryValue	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\#\Control\Linked	SUCCESS	Type: REG_DWORD, Length: 4, Data: 1
    4:46:02.9706708 PM	svchost.exe	716	RegCloseKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\#\Control	SUCCESS	
    4:46:02.9706811 PM	svchost.exe	716	RegQueryValue	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\#\SymbolicLink	SUCCESS	Type: REG_SZ, Length: 148, Data: \\?\USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}
    4:46:02.9706933 PM	svchost.exe	716	RegCloseKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\#	SUCCESS	
    4:46:02.9707029 PM	svchost.exe	716	RegEnumKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	SUCCESS	Index: 1, Name: Control
    4:46:02.9707162 PM	svchost.exe	716	RegEnumKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	NO MORE ENTRIES	Index: 2, Length: 512
    4:46:02.9707284 PM	svchost.exe	716	RegCloseKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	SUCCESS	
    4:46:02.9707400 PM	svchost.exe	716	RegEnumKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	NO MORE ENTRIES	Index: 1, Length: 512
    4:46:02.9707509 PM	svchost.exe	716	RegCloseKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}	SUCCESS	
    4:46:02.9708118 PM	svchost.exe	716	RegQueryKey	C:\Windows\system32\svchost.exe -k DcomLaunch	HKLM\System\CurrentControlSet\Control\DeviceClasses	SUCCESS	Query: HandleTags, HandleTags: 0x0
    Thanks for any and all suggestions/help. Much appreciation in advance. -adabo
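
One way to triage a capture like the one in the post above, added here as an example and not part of the original thread: it parses tab-separated Procmon rows, groups them by svchost service group, and separates read and handle operations from operations that change the registry. Three sample rows are taken from the post; the `example.exe` row and all function names are constructed for illustration.

```python
import re
from collections import Counter

FIELDS = ("time", "process", "pid", "operation", "cmdline", "path", "result", "detail")
# Procmon operations that change registry state. RegCreateKey is not counted:
# it also opens keys that already exist.
MODIFYING = {"RegSetValue", "RegDeleteValue", "RegDeleteKey", "RegRenameKey"}
USB_ID = re.compile(r"USB#VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
SVC_GROUP = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)

def parse_procmon(text):
    """Parse tab-separated Procmon rows (column order as in the post) into dicts."""
    events = []
    for line in text.splitlines():
        cols = line.strip().split("\t")
        if len(cols) < 7:
            continue  # skip blank or truncated rows
        cols += [""] * (len(FIELDS) - len(cols))  # the Detail column may be empty
        events.append(dict(zip(FIELDS, cols[:len(FIELDS)])))
    return events

def summarize(events, depth=5):
    """Group events by svchost service group (or process name) and tally activity."""
    report = {}
    for ev in events:
        m = SVC_GROUP.search(ev["cmdline"])
        group = m.group(1) if m else ev["process"]
        r = report.setdefault(group, {"ops": Counter(), "keys": Counter(),
                                      "modifying": 0, "usb_ids": set()})
        r["ops"][ev["operation"]] += 1
        r["keys"]["\\".join(ev["path"].split("\\")[:depth])] += 1  # key prefix
        r["modifying"] += ev["operation"] in MODIFYING
        r["usb_ids"].update(f"{v.upper()}:{p.upper()}" for v, p in USB_ID.findall(ev["path"]))
    return report

# Sample rows: the first three come from the post, the last one is constructed.
_CMD = r"C:\Windows\system32\svchost.exe -k DcomLaunch"
_DC = r"HKLM\System\CurrentControlSet\Control\DeviceClasses"
_USB = _DC + r"\{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}\##?#USB#VID_045E&PID_0719#FE78A4E0#{ec87f1e3-c13b-4100-b5f7-8b84d54260cb}"
_ROWS = [
    ("4:46:02.9704947 PM", "svchost.exe", "716", "RegCreateKey", _CMD, _DC, "REPARSE", "Desired Access: All Access"),
    ("4:46:02.9705662 PM", "svchost.exe", "716", "RegCloseKey", _CMD, _DC, "SUCCESS", ""),
    ("4:46:02.9706062 PM", "svchost.exe", "716", "RegOpenKey", _CMD, _USB, "SUCCESS", "Desired Access: Read"),
    ("4:46:03.0000000 PM", "example.exe", "4242", "RegSetValue", r"C:\Temp\example.exe", r"HKCU\Software\Example\Value", "SUCCESS", "Type: REG_SZ"),
]
SAMPLE = "\n".join("\t".join(row) for row in _ROWS)

if __name__ == "__main__":
    print(summarize(parse_procmon(SAMPLE)))
```

On the rows taken from the post, the DcomLaunch group shows no modifying operations and a single USB interface (VID 045E, PID 0719) under DeviceClasses.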
     
  2. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    Disabling DCOM, if you ever succeeded, would make your machine virtually useless. You need it.

    You are most likely infected.
     
  3. adabo

    adabo Thread Starter

    Joined:
    Nov 10, 2011
    Messages:
    6
    However, if I am infected, how can I find out? Spybot is all I have.
     
  4. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    By some estimates, 80% of infections are not caught by anti-virus. Often, a hidden process is responsible for high CPU usage and it may not even show in Task Manager. DCOM typically uses a lot of CPU since it is involved with many processes (but not that much). So it would be a good idea to check with the Malware forum for a cleanup. Go there and look at the "stickies" at the top.

    I still use Spybot because it catches a lot of things, but it is not at the top of the list for experts on good antimalware. Malwarebytes is better.
     
  5. adabo

    adabo Thread Starter

    Joined:
    Nov 10, 2011
    Messages:
    6
    Thank you, Elvandil. It's strange if it is some virus, because my computer is new and running fine, aside from this quirk. I'll head over to the malware forum for help as you suggested.
     
  6. jiml8

    jiml8 Guest

    Joined:
    Jul 2, 2005
    Messages:
    2,634
    I dunno...

    I have just been sitting here monitoring my Windows 7 virtual machine and wondering what all the hard drive activity is about. Been monitoring it from both within the OS using the performance monitor and from outside using tools in the Linux host.

    My system is NOT infected. It hasn't even been allowed on the internet in months, and I never use it for browsing even when I do take it on the internet.

    It's been busy though. Not a lot of processor activity, but a considerable amount of hard drive activity and I'm not sure what all is going on.

    I do know that MS SQL Server service is constantly hitting the hard drive when it is running even if no querying is underway. So, to check this out, I stopped it. Finally got down to where only the System image was hitting the hard drive, but it is hitting it steadily at around 500K writes per second.

    I'm not sure what it is doing, exactly, but this behavior sometimes continues for hours then stops for a while. I have come to consider it normal behavior for Win7.
     
  7. Rockn

    Rockn

    Joined:
    Jul 29, 2001
    Messages:
    21,334
    The indexing service is pretty much always running and looking for changes, and unless you tell it not to, it will index every drive on the box and email.
     
  8. adabo

    adabo Thread Starter

    Joined:
    Nov 10, 2011
    Messages:
    6
    Thing is, I've disabled the indexing Windows feature and System Restore (temporarily). I rarely need to do a system restore anyway.

    Probably going to run some tests on a clean Win 7 install. Test after each driver install.
     

Short URL to this thread: https://techguy.org/1026332
