After Windows Update Laptop Keeps Accessing Disk and Fan Kicks In

  • Thread starter Thread starter Antony Scerri
  • Start date Start date
A

Antony Scerri

Hi

I did a check through previous post and a few people seem to have had
similar problems without specific details, so im going in for as much detail
as I have. I have a relatively new laptop (Nov 2007, not used much as
migrated from old machine which i hung onto). The machine hasnt got filled
with dust, and till the exact time of the automatic update was behaving fine.

Yesterday I used Windows/Microsoft updates to apply the latest updates, i
only got 7 of them including office updates. The scan for updates took a long
time, 2 minutes nearly, with the CPU at 100%. I hadnt had this the last time
i ran it. Anyway after it finished and i applied the updates i noticed the
fan kicking in a lot more even when no CPU activity was visible using Task
Mananger. Anyway I checked for restore points and noted one for Software
Distribution Service 3, which i thought was odd as this came out some while
back from what i remember so why would it only now decide to install it. My
old laptop (which was about 3 years old at the time) had a similar issue with
Automatic updates, taking several hours to complete a scan one time after
which it had a similar problem.

So I tried going back to a restore point from the morning which finished,
but the machine still behaves the same. Having been using it for a day now i
can tell that the fan kicks in into high RPM without any jump in CPU usage.
If there is significant CPU usage it iwll kick in but take a long time to
finish up. I noticed that the IO Read Bytes for CSRSS.EXE keeps going up now,
and my machine keeps accessing the disk every second or so in a constant
pulsing noise.

On my old laptop I had similar issues. As I had restore points i went and
did what i tried on my old machine, looking at the registry for any odd
changes. I compared two from previous days 16th 13th May and nothing
significant. When i compared the system hive for 16th vs 20th (snapshot from
today) i found that the [HKEY_USERS\myuser\ControlSet001\Control\Session
Manager\Power] key had the ACPolicy and DCPolicy values changed, several
bytes of the hex values in both cases. I cannot explain these changes as I
havent explicitly made any changes myself.

So im now left with a laptop where the fan is making more noise than normal
like its idling at a higher RPM all the time, with sporadic burst for no
apparent reason. I'm hoping someone else might have come across similar
issues, as i believe its something to do with an update/patch then effecting
part of the OS.

Thanks

Tony
 
Now i have had more time on this machine to experience the problem, its
definitely something very strange. My machine will now sit here for minutes,
over 5 easily (yesterday it did this for 15 minutes plus) with the fan going
constantly. I have done nothing myself like launch an app or use any
intensive feature of one Being a laptop I assume this is the CPU fan given
the noise and hot air its kicking out. Again im not launching anything and
Task Manager shows no CPU usage from any process yet it appears the machine
is clearly heating up doing work.

Still the disk is being accessed every second or so most of the time with
only csrss.exe showing any signs of reading bytes. Not sure if this is
related or not.

Is it possible for something to hide itself from task manager. Im pretty
techie so the one thing thats crossing my mind is it a root kit? I dont know
a great deal about these, so hoping someone out there does. My only other
though is whether the throttle settings for when the fans start up and how
long they run for could have been modified by something, would these be in
the ACPolicy and DCPolicy reg values i noted had changed?

Tony
 
Antony Scerri said:
Now i have had more time on this machine to experience the problem, its
definitely something very strange. My machine will now sit here for
minutes,
over 5 easily (yesterday it did this for 15 minutes plus) with the fan
going
constantly. I have done nothing myself like launch an app or use any
intensive feature of one Being a laptop I assume this is the CPU fan given
the noise and hot air its kicking out. Again im not launching anything and
Task Manager shows no CPU usage from any process yet it appears the
machine
is clearly heating up doing work.

Still the disk is being accessed every second or so most of the time with
only csrss.exe showing any signs of reading bytes. Not sure if this is
related or not.

Is it possible for something to hide itself from task manager. Im pretty
techie so the one thing thats crossing my mind is it a root kit? I dont
know
a great deal about these, so hoping someone out there does. My only other
though is whether the throttle settings for when the fans start up and how
long they run for could have been modified by something, would these be in
the ACPolicy and DCPolicy reg values i noted had changed?
It's probably the fan blocked with stuff. Try running SpeedFan to see, then
take out the filters and heatsinks and clean them. Worked for me, the
heatsink had a piece of fluff in it the size of a small African country.
Don't forget to reapply Arctic Silver to the processor before replacing the
heatsinks and don't get it on the pins :-)
..
 
Like i said in my first post. The machine has been working fine until 19th
when i applied the updates and then wham it started behaving odd, after a
particular long winded scan by the automatic updates process. I know my
machines behaviour pretty well given i live on the thing all day and having
had my last laptop go down the same route its a bit odd. So i doubt very
much its dust and the like, i keep the area pretty clean arounnd this
machine. The behaviour when CPU usage goes up is also different as it starts
to ramp up the fan almost as soon as CPU starts to climb it used to wait for
a while and then only when it got above say 30% would it kick in. The odd
blip wouldnt start the fan racing where as now it does, and it takes a while
to calm down again.

I did start looking into the power and processor policies on my old machine
think maybe something corrupted those, but havent bothered on this new one,
thought i'd try the news groups first now having had two machines do the ame
thing figured others must have too. Luckily its relatively new setup i could
get the thing wiped and start again.

Tony
 
I believe in coincidence :-)

It has exactly the symptoms mine had, and I'm in an airconditioned room,
filtered air, etc to 20C constantly, the laptop never leaves the desk.

SpeedFan will tell you all, it's a very useful program IMHO.

But if it isn't that, please let us know the outcome. I have a problem with
XP using loads of CPU even when locked, and I never find out what it is, but
I can see it on the SpeedFan graph and logs. When I unlock, the CPU goes
back down to 20%

Weird.
 
Right i have tried out something else to try and pinpoint the disk access a
bit more precisely. I started with diskmon and that shows 6-8 blocks of 8
bytes being written to the disk every second or so, but doesnt give a process
ID. So i then tried the latest procmon.exe and this shows something very odd.

The AGRSMMSG.EXE process is accessing the registry a LOT. Now i dont know
whether this is normal or not, but looks odd to me. Then mixed up in these
are registry access by LMS.EXE, SERVICES.EXE and blocks of LSASS.EXE now and
then. This is all without me doing anything and all my apps and background
utilities closed. I have included a few lines from the log at the bottom.

This looks a little suspicious, like something is polling away in the
background unecessarily.

Tony

29575 10:30:09.0441381 services.exe 1748 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS Desired Access: All Acces
29576 10:30:09.0441777 services.exe 1748 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS
29577 10:30:09.0442035 services.exe 1748 RegQueryValue HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5}\Default NAME NOT FOUND Length: 44
29578 10:30:09.0442199 services.exe 1748 RegEnumKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} NO
MORE ENTRIES Index: 0, Length: 51
29579 10:30:09.0442370 services.exe 1748 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS
29580 10:30:09.0443479 LMS.exe 652 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{E2D1FF34-3458-49A9-88DA-8E6915CE9BE5} SUCCESS Desired
Access: Rea
29581 10:30:09.0444054 LMS.exe 652 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS
29582 10:30:09.0444303 LMS.exe 652 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS
29583 10:30:09.1219189 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Valu
29584 10:30:09.1220460 AGRSMMSG.exe 2052 RegQueryValue HKLM\SOFTWARE\Agere\SoftModem\MsgStopRequest NAME NOT FOUND Length: 14
29585 10:30:09.1220684 AGRSMMSG.exe 2052 RegCloseKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS
29586 10:30:09.1220857 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Valu
29587 10:30:09.1221256 AGRSMMSG.exe 2052 RegQueryValue HKLM\SOFTWARE\Agere\SoftModem\ActiveModems SUCCESS Type: REG_BINARY, Length: 4, Data: 00 00 00 0
29588 10:30:09.1221472 AGRSMMSG.exe 2052 RegCloseKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS
29589 10:30:09.2312781 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Value

Note the AGSRMMSG.EXE entries are repeated over and over, sometimes ten
times (within a second) to every block of LMS and SERVICES entries.
 
If you're not using the modem, disable agrsmmsg.exe in the starup axis.
http://www.processlibrary.com/en/directory/files/agrsmmsg/

Unless an driver update or the SoftModem Assistant was included with the
updates, than the issue is related to the modem.
You can see the specific updates that were installed by opening Event
Viewer and check the System event log.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============
 
Thanks. I was looking at disabling the device, but a few of the sites which
describe the various apps/dlls etc said not to unless really necessary.

I did check the updates but couldn't find anything i hadnt expected, and
nothing obviously looks out of place. Its more like something corrupted the
device database, and IRQs something like that, now things are out of synch. I
know someone wirh the same laptop so im going to compare fan trip points and
processor policy settings to see if anything is now different.

Tony


MowGreen said:
If you're not using the modem, disable agrsmmsg.exe in the starup axis.
http://www.processlibrary.com/en/directory/files/agrsmmsg/

Unless an driver update or the SoftModem Assistant was included with the
updates, than the issue is related to the modem.
You can see the specific updates that were installed by opening Event
Viewer and check the System event log.

MowGreen [MVP 2003-2008]
===============
*-343-* FDNY
Never Forgotten
===============



Antony said:
Right i have tried out something else to try and pinpoint the disk access a
bit more precisely. I started with diskmon and that shows 6-8 blocks of 8
bytes being written to the disk every second or so, but doesnt give a process
ID. So i then tried the latest procmon.exe and this shows something very odd.

The AGRSMMSG.EXE process is accessing the registry a LOT. Now i dont know
whether this is normal or not, but looks odd to me. Then mixed up in these
are registry access by LMS.EXE, SERVICES.EXE and blocks of LSASS.EXE now and
then. This is all without me doing anything and all my apps and background
utilities closed. I have included a few lines from the log at the bottom.

This looks a little suspicious, like something is polling away in the
background unecessarily.

Tony

29575 10:30:09.0441381 services.exe 1748 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS Desired Access: All Access
29576 10:30:09.0441777 services.exe 1748 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS
29577 10:30:09.0442035 services.exe 1748 RegQueryValue HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5}\Default NAME NOT FOUND Length: 44
29578 10:30:09.0442199 services.exe 1748 RegEnumKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} NO
MORE ENTRIES Index: 0, Length: 512
29579 10:30:09.0442370 services.exe 1748 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS
29580 10:30:09.0443479 LMS.exe 652 RegOpenKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{E2D1FF34-3458-49A9-88DA-8E6915CE9BE5} SUCCESS Desired
Access: Read
29581 10:30:09.0444054 LMS.exe 652 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{e2d1ff34-3458-49a9-88da-8e6915ce9be5} SUCCESS
29582 10:30:09.0444303 LMS.exe 652 RegCloseKey HKLM\System\CurrentControlSet\Control\DeviceClasses SUCCESS
29583 10:30:09.1219189 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Value
29584 10:30:09.1220460 AGRSMMSG.exe 2052 RegQueryValue HKLM\SOFTWARE\Agere\SoftModem\MsgStopRequest NAME NOT FOUND Length: 144
29585 10:30:09.1220684 AGRSMMSG.exe 2052 RegCloseKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS
29586 10:30:09.1220857 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value
29587 10:30:09.1221256 AGRSMMSG.exe 2052 RegQueryValue HKLM\SOFTWARE\Agere\SoftModem\ActiveModems SUCCESS Type: REG_BINARY, Length: 4, Data: 00 00 00 00
29588 10:30:09.1221472 AGRSMMSG.exe 2052 RegCloseKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS
29589 10:30:09.2312781 AGRSMMSG.exe 2052 RegOpenKey HKLM\SOFTWARE\Agere\SoftModem SUCCESS Desired Access: Query Value, Set Value

Note the AGSRMMSG.EXE entries are repeated over and over, sometimes ten
times (within a second) to every block of LMS and SERVICES entries.
 
Back
Top