How To Diagnose a Suddenly Slow Windows Computer?

Ensign Taco writes "I'm sure nearly every one of us has had it happen. All of a sudden your Windows PC slows to a crawl for no apparent reason. Yeah, we all like Linux because it doesn't do annoying things like this, but the Windows desktop still reigns supreme in most managed LAN work environments. I'm running XP with 4G of RAM and a decent CPU, and everything was fine, until one day — it wasn't. I've run spybot, antivirus, and looked at proc explorer — no luck. There is no one offending, obvious process. It seems every process decides to spike at once at random intervals. So I'm wondering if there's a few wizards out there that know what to look at. Could this be a very clever virus that doesn't run as a process? Or could this just be some random application error that's causing bad behavior? I've encountered this a few times with Windows PCs, but the solution has always been to just add more hardware. Has anyone ever successfully diagnosed this kind of issue?" And whether such a problem is related to malware or not, what steps would you take next?

Check the HDD

[Fez]

Very commonly this happens when a hard drive reverts to PIO mode after Windows decides it has seen a few errors from the drive. You can verify this by looking at the properties of the IDE Controller to which the drive is connected in device manager. (IDE ATA/ATAPI Controllers/Primary IDE Channel/Advanced Settings tab, for example)

There is a VBScript that resets the drive back to DMA mode, and is effective if that is indeed the case.

This could also be an early sign of hard drive failure. I've seen plenty of drives that passed diagnostics but were very, very slow. Try checking the SMART data with something like HDTune.

Re:Check the HDD

[Nefarious+Wheel]

That does figure high in my list of potential causes, but generally I clear the dll and prefetch cache and reboot before I start worrying about hardware. Especially if you've been running a diverse series of programs on it.

Re:Check the HDD

[gad_zuki!]

Its also worth mentioning that you'll see disk errors in the event log. The source will be 'disk.' Is the disk working hard. Use filemon to see whats going on.

The asker should also look in the event log for any warnings or errors that started at the time of the slowness.

He should also do a netstat -a to see what active internet connections are working. If youre seeing lots of connects to port 25 someplace then you are running a mass mailing trojan. Investigate any suspicious connections. You can use tcpview for more info.

He should also boot up with a linux live disc or a PE disc like UBCD4WIN. If the slowness is still there then its most likely a hardware issue. UBCD4win also has a bunch of utilities with easy to use GUIs like HDTune. He can run an antivirus or spybot from the PE environment too for a second opinion.

Lastly, when you fix the issue you should remove your wife from the administrators group and just make her a user or power user. When she needs to install software or whatever just have her log in as admin.

Re:Check the HDD

[HermMunster]

Lol, that's pretty funny seeing as both are malware. Yeah, I know you know. Others might not.

Re:Check the HDD

[bdwebb]

Hmm...the prefetch cache is only used when a call is made by commonly used programs. Clearing the prefetch cache is only really useful to rid yourself of extra unnecessary files when you uninstall programs as Windows will simply rebuild the directory.

Since we're trying to diagnose a cause of sudden sluggishness, clearing the prefetch won't really do anything unless the HDD is full. A quick review of the prefetch directory, however, is a good indicator of which programs have been running. I usually take a look to see if I can spot anything out of the ordinary.

Other helpful ideas:

- Disable system restore before you do anything...irritating spyware and virii can hide here and restore themselves
- Download and run X-Ray PC (freeware) and run an online analysis of your processes...will give you a good/bad/unknown triage for some processes and allow you to kill them.
- Start>Run> msconfig.exe and check your startup processes...do a quick google search for anything you don't recognize and if it is not a necessary startup process, kill it. Having a shitload of processes running at startup can bring your system to its knees. Usually, for a desktop XP machine, between 28 and 35 processes is ideal on a fresh boot. For a laptop it can be up to 50...depends on what utilities are required to make your touchpad/buttons/wireless/etc work.
- Start>Run> msconfig.exe and check your services. Check 'hide all Microsoft services' and do a quick scan to make sure no extra junk services are hiding here. If you lose functionality to something on startup that you want, you can either just turn it back on or, if necessary, boot into safe mode and turn it on.
- Download Crap Cleaner and run the registry scan to see how many junk items you have in your registry. Review the causes and fixes to all the issues you find...you're usually okay doing a fix all but I check them just in case (this is your registry after all...never hurts to back it up either.)
- Add/remove any programs that you don't recognize or don't use. All this extra junk does nothing to help you. Additionally, if you can pinpoint one or two programs that were installed around the time your computer started having issues, definitely uninstall them and check your performance after (probably run ccleaner again to ensure they are completely gone).
- Restart your machine and check msconfig and xraypc again to ensure that nothing you killed came back...if it did, you've got a virus or spyware.
- If you still have issues, try running one of many drive fitness test tools to determine whether or not you have bad sectors or possibly a bad HDD altogether. Some tools will even allow you to repair the bad sectors but usually if you've got bad sectors you should start looking at a new HDD soon.
- If you have the option, pull the HDD and hook it up to a test rig and run a Housecall scan on the drive.
- Run Rootkit Revealer to determine whether or not you have a rootkit installed on your machine. Rootkits are nasty as hell but you can usually find additional info via a google search on how to rid yourself of them.
- When all else fails, a clean install is usually the best way to get your system back up to snuff. It is a pain in the fucking ass and no one likes to do it until you remember what it is like having a clean install. Just make a list of your programs, do a backup of your data, and format that sucker.

Hope some of that is helpful...a lot of the other comments I see here are great things to check as well (right below me I see gad zuki! mention netstat -a to check your active connections...also very useful) so bookmark this page and try everything. If nothing else, you'll learn some new tricks.

Process Explorer

I'll be the first of many to suggest:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Hmmmm.

[SatanicPuppy]

Not a lot to go on, though as a freebie, XP doesn't do jack with that extra gig of RAM...You could put in 100gigs and it won't use any more than 3 (less you're using the 64 bit version, iirc).

Rootkits can run "under the radar". Might want to try software like RootKitRevealer, or Blacklight. A crappy one might grab a ton of cycles for a minute, but most of them are less intrusive.

Everything spiking at once sounds like that stupid "System Restore" process, or maybe a big swap dump (which is weird with that much RAM, but you know, it's windows.) Stupid programs like Norton can grab a huge chunk of resources every now and then for no discernable reason. Maybe some peripheral is crapping out?

Barring malware, I'd start writing down what's running when it spikes, and see if that tells you anything. Lot of programs can cause momentary spikes, but background processes usually don't. You could try testing some of the hardware but without anything specific to look for, you're going to have a hell of a time finding something.

Re:Hmmmm.

[suricatta]

Not a lot to go on, though as a freebie, XP doesn't do jack with that extra gig of RAM...You could put in 100gigs and it won't use any more than 3 (less you're using the 64 bit version, iirc).

Just FYI, the reason for this is because with 32 bits, you're system is limited to 2^32 bits of address space = 4GB of memory in total, which has to include both RAM and the memory on your graphics card.

So in many cases, users with 4GB of RAM will only see 3GB becuase they have a 1GB graphics card. It follows that if a user only have a 512MB graphics card, then they will see (and XP will use) 3.5GB RAM.

This is not a design flaw for XP, it's a limitation if the 32 bit architecture. Switching to 64 bits solves this because then your total address space increases to 2^64 = 16EB. Which ought to be enough for anyone ;-)

Re:Hmmmm.

[cbhacking]

Accurate but oversimplified - video cards aren't the only drivers that are mapped into memory space, just (usually) the biggest thing.

If your drivers support it (many don't, which is why it's disabled by default - a driver which lacks support will cause crashes with this option) you can add /pae
to the boot.ini file to enable Physical Address Extension in the kernel. PAE uses an extra 4 bits for internal memory addressing, resulting in up to 64GB of RAM being addressable. Individual processes will still run with only 4GB memory spaces. However, Windows will map some of its physical memory above the 4GB mark, allowing drivers their accustomed memory mapping (assuming the driver developer didn't make assumptions that PAE violates, like that the address space stops hard at 0xFFFFFFFF).

Second on the drive thing

[Sycraft-fu]

But rather than just checking SMART, get the manufacturer's test program. All the HD makers have one, just get the one appropriate for yours. It's the sort of thing you boot from CD and let run for a few hours, but it is the way to go. SMART can report ok even when a drive is dying but it is extremely rare (though possible) that the manufacturer's diags give it a pass when it is dying.

Check that, since a dying drive often makes things really slow (in part because it starts remapping lots of bad sectors).

Re:Second on the drive thing

[speeDDemon+(nw)]

SMART has its uses, and a quick and easy check is to use the program 'speedfan' as this has a built in feature to read AND analyze (requires net connection) your HDD's smart information, By no means the be all and end all, but it is the quickest way I know to identify a failing hard drive.

Re:Second on the drive thing

[g0es]

But rather than just checking SMART, get the manufacturer's test program. All the HD makers have one, just get the one appropriate for yours.

Careful, some manufactures have utilities that just check SMART and don't actually do a test.

Re:Second on the drive thing

[athakur999]

I've had a Linux box slow to a crawl for the same reason, so definitely good advice if you're experiencing random slowness regardless of what OS you're running. When I ran top I could see the "iowait" percentage was near 100% frequently and also saw many drive-related error messages in the system log.

Re:Second on the drive thing

[Klaus_1250]

http://hddscan.com/

Checks SMART, can perform all SMART test (e.g. offline), gives loads of information on the drives internals and it can scan the disk surface using the disk-controller chip only (e.g no data transfer over the cable). The latter is really useful to test the surface and speed of a USB-HD.

Re:Second on the drive thing

[DennisZeMenace]

What the manufacturer's test programs do is *precisely* run the SMART diagnostic test, so save yourself a CD-R. All they do is run the long self test. All SMART-friendly HDDs support the short (1 to 2 minutes) and long (1 to 2 hours) diagnostic tests, the latter doing an exhaustive sector scan. Boot a Linux live CD and type "sudo smartctl -t long /dev/sda", and voila.

A damaged disk cannot pass that test, not unless something is utterly borked with the firmware (*cough* seagate *cough*).

Re:Second on the drive thing

[ChienAndalu]

Wrong. Some do extended surface read-write-scans and offer options like disk erase etc. Like this here for example.

Re:Second on the drive thing

[DennisZeMenace]

You may want to try this with a live Linux USB key or CD. It varies based on the Hw RAID controller, but most of the time the physical disks that are part of the RAID are visible in Linux (for example with a LSI HW Raid controller). Not as block devices (/dev/sda, ...), but as generic SCSI devices (/dev/sg0, /dev/sg1). It is possible to run the smartctl tool on those directly.

SMART provides a lot of data, some of which is crap :-) but some of which is very useful. In particular, the error log:

# smartctl -l error /dev/sg0

Any disk with a non-empty error log you should consider replacing. Also, always run the short diagnostic tests:

# smartctl -t short /dev/sg0
# [wait 2 minutes]
# smartctl -l selftest /dev/sg0

safe mode

[madcat2c]

Run for a while in safe mode and see if the problem persist. If it doesn't, then its probably a service gone haywire. Most likely candidates are printer services, anti virus services, scanner services.

The Case of the Slow System

[Fast+Thick+Pants]

Mark Russinovich has an enlightening blog entry called The Case of the Slow System that might serve as an example of how, if you are are one of the planet's top 10 Windows experts, you can, with persistence, luck, and the proper tools, solve one of the obscure problems that are slowing down your wife's computer. This particular case pertains to Vista, but the general techniques are applicable to XP as well.

bad fan?

[Monoman]

Some systems will slow down the CPU if it gets too hot. Check the fans and the temp in the CMOS if it can report it.

background defragmenting

[xonen]

XP and Vista have the 'feature' of automated background defragmenting enabled by default, you might wish to disable this.

From: http://www.kessels.com/Jkdefrag/

How do I disable the Windows built-in defragger?

Windows 2000 & 2003:

The built-in defragger is not started automatically.
Windows XP:

1. Download the free * Tweak UI utility from Micorosft.

2. Click on 'General' and untick the 'Optimise hard disk when idle' box.

Windows Vista:

1. Start -> All Programs -> Accessories -> System Tools -> Disk Defragmenter

2. Untick the "Run on a schedule (recommended)" box.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

diagnostics

[datapharmer]

check in this order: virus (look both for viruses and malware and bad scanners... I've seen antivirus scanner updates hose systems... use more than one virus scanner and more than one malware scanner but NOT AT THE SAME TIME!), drivers (might be badly written ,corrupt, or for wrong hardware), rogue processes (startup, services, etc), hardware (run chkdsk /f and defrag, check bios settings and make sure smart hd is enabled if possible and run a memory test), replace cables such as IDE that tend to corrode and cause errors, then start checking components (graphics, memory slots - use just one stick - if it improves use the same stick in another slot until there is a problem or you get to a stick that is causing problems) pci, dongles and adapters) If that fails run linux like you should have done in the first place. ;-)

Re:Use process explorer

[The+MAZZTer]

FYI DiskMon and FileMon have been superseded by ProcMon. I used it the other day because there were pinned items on my Start Menu I couldn't delete, so a simple filter for RegWriteValue when I pinned or unpinned something and I was able to find where the list lived and wiped it.

How I do it

The general procedure I use is:

1) Get and install Debugging Tools for Windows for your platform.

2) Run kernrate.exe from the resource kit tools to determine if the problem is an I/O or CPU limit. (See here for how to get symbolic usage information.) If you do not see anything hogging the CPU, it's an I/O problem and you should go to step 5.

3) It's a CPU problem, so use the information from kernrate to figure out who's bogarting the CPU. If the process is services.exe, rundll32.exe, or System, you need to use something like Process Explorer to determine which file actually contains the code which is executing.

4) If that doesn't work, it may really be an I/O problem or a rootkit. If you suspect a rootkit, your main options are reinstallation or forensic analysis using something like a boot CD, TSK, and the NIST hash database to audit your machine for bad files.

5) Run Process Monitor and see who's responsible for all the I/O.

6) If that doesn't reveal anything, it might be a driver problem. Use Process Explorer to see if you have excessive DPCs (the Windows equivalent of a top half interrupt handler). Use kernrate to zoom in and see which driver is causing them.

Re:Sorry

[Yvan256]

Congratulations, you just invented a new word!