I have been having some issues with explorer.exe hanging when I create a new folder.
If I use Analyse Wait Chain in the Resource Monitor it says "One or more threads of explorer.exe are waiting to finish network I/O".
When I look at the offending thread in Process Explorer it reveals nothing interesting:
ntdll.dll!ZwWaitForMultipleObjects+0xa
KERNELBASE.dll!GetCurrentThread+0x36
kernel32.dll!WaitForMultipleObjectsEx+0xb3
USER32.dll!PeekMessageW+0x1cd
USER32.dll!MsgWaitForMultipleObjectsEx+0x2a
USER32.dll!MsgWaitForMultipleObjects+0x20
SHELL32.dll!SHAppBarMessage+0x41e
SHELL32.dll!DragAcceptFiles+0x2a3c
SHELL32.dll!DragAcceptFiles+0x2a4f
SHELL32.dll!Ordinal211+0x124
SHELL32.dll!SHChangeNotification_Unlock+0x12f4
USER32.dll!GetSystemMetrics+0x2b1
USER32.dll!IsDialogMessageW+0x19b
USER32.dll!IsDialogMessageW+0x1e1
ntdll.dll!KiUserCallbackDispatcher+0x1f
USER32.dll!PeekMessageW+0xba
USER32.dll!PeekMessageW+0x89
SHELL32.dll!SHChangeNotification_Unlock+0xd9f
SHELL32.dll!Ordinal885+0x1407
SHLWAPI.dll!SHRegGetUSValueW+0x306
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x21
While I was looking at the explorer.exe threads I did notice a fair few that talk about ETW (Event Tracing for Windows) so obviously explorer.exe uses tracing.
So I decided to try and user TraceView.exe to try and listen in on the explorer.exe traces.
The problem is TraceView requires some difficult-to-come-by stuff… either pdbs, or CTL files, and .TMF files. I tried using the explorer.pdb that comes with the Windows SDK but that did not work. I do not see explorer.exe in the "named providers". And I have no idea where to locate the ctl or .TMF files for explorer.exe.
So the question is: Is there a way to view the ETW trace messages from explorer?
Or shall I just not bother and go back to the age old technique of disabling every explorer extenion one-by-one in the hope its one of them. (Prefer the former as I like to get to the bottom of things!!)
Best Answer
I don't know if you've seen them, but Mark Russinovich of Microsoft (formerly of SysInternals who originally wrote Process Explorer) writes regular articles on his blog about diagnosing Windows problems using the Sysinternals tools.
This one demonstrates his process as he tries to track down an intermittent Explorer hang (which almost certainnly isn't the same as yours but does show the process he uses) http://blogs.technet.com/markrussinovich/archive/2005/08/28/the-case-of-the-intermittent-and-annoying-explorer-hangs.aspx
He uses other techniques (including grabbing the symbols from MS servers) diagnosing slow Windows performance here: http://blogs.technet.com/markrussinovich/archive/2008/09/24/3126858.aspx