Case of the Frozen Device Driver Uninstall

So I found that on my Windows 7 x64 SP1 machine, whenever I tried to uninstall any device driver, Device Manager just froze… Going on five minutes, I thought this was a bit ridiculous. Restarted the machine twice and still had the same issue. Tried several different devices; the problem applied to every one I tried. Better find out what’s going on.

image

So what I did is launch ResMon.exe, which has a really simple way of telling us what is causing a program to hang. I did this by right-clicking the .exe and selecting Analyze Wait Chain.

image

So here I can see thread 2084 is waiting on the DcomLaunch service with Process ID 764.

image

Finding the mmc.exe process with PID 4668 in Process Explorer (http://live.sysinternals.com/procexp.exe) we right click it and select Properties. In the Threads tab we can see why it’s frozen:

image

I also looked at threads in the relevant SvcHost.exe; however, I’m not clear what’s going on here.

image

So this time I launch Process Monitor (http://live.sysinternals.com/ProcMon.exe). I repeat the process again – finding the hung thread in MMC.exe using ResMon. Then I create a filter in ProcMon to only view that thread; in this case the TID is 5940:

image

The ProcMon log reminds me of something obvious…why didn’t I check setupapi.dev.log??? A great thing about ProcMon is you often find apps write log files somewhere, even if you didn’t know about it….

image

However, looking at the log doesn’t give me much of a clue. No errors or anything out of the ordinary. So I went to the last MMC.exe event in the ProcMon log, right-clicked it and chose Properties. Then on the Stack tab:

image

Whenever I see 3rd party DLLs involved I tend to rate them as high risk, and will try to rule them out first. ino_fltr.sys is part of CA Etrust Anti-Virus. So I disabled it temporarily (be very cautious whenever disabling Anti-Virus, and be sure to re-enable it afterwards).

In this case I disabled 3 services used by the Anti-Virus.

image

I restarted my machine, and voila – I can uninstall device drivers now. After uninstalling my device driver I re-enabled the services and ensured they were started.
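One way to confirm the services really are back in their original state after a step like this, shown as an added example that is not part of the original post. The service names and baseline path are placeholders, since the post does not name the three services; run it once with `-Mode Snapshot` before touching anything and again with `-Mode Verify` after re-enabling.

```powershell
# Added example: snapshot service configuration before a temporary change,
# then verify afterwards that start mode and running state were restored.
# Service names and the baseline path are placeholders (assumptions).
param(
    [ValidateSet('Snapshot','Verify')]
    [string]$Mode = 'Snapshot',
    [string[]]$ServiceNames = @('ExampleAvService1','ExampleAvService2','ExampleAvService3'),
    [string]$Path = "$env:TEMP\service-baseline.xml"
)

function Get-ServiceConfig {
    param([string[]]$Names)
    foreach ($n in $Names) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled) and State.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$n'"
        if (-not $svc) { Write-Warning "Service '$n' not found"; continue }
        New-Object PSObject -Property @{
            Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State
        }
    }
}

if ($Mode -eq 'Snapshot') {
    Get-ServiceConfig $ServiceNames | Export-Clixml -Path $Path
    Write-Host "Baseline written to $Path"
    return
}

# Verify: compare the current configuration against the saved baseline.
$drift = @()
foreach ($b in @(Import-Clixml -Path $Path)) {
    $now = Get-ServiceConfig @($b.Name)
    if (-not $now) { $drift += "$($b.Name): missing"; continue }
    if ($now.StartMode -ne $b.StartMode) {
        $drift += "$($b.Name): StartMode $($now.StartMode), expected $($b.StartMode)"
    }
    # A service that was running before must be running again.
    if ($b.State -eq 'Running' -and $now.State -ne 'Running') {
        $drift += "$($b.Name): State $($now.State), expected Running"
    }
}
if ($drift.Count -gt 0) { $drift | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "All services match the baseline."
```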

Strange things which I will probably never know the answer to:

  • After re-enabling Anti-Virus could not reproduce the problem – any device driver uninstalled almost instantly
  • Tested on multiple devices with same Windows 7 image and same Anti-Virus software could not reproduce the problem again.

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

2 Responses to Case of the Frozen Device Driver Uninstall

  1. Great investigative work. Bummer, since a correlation is not causation, that you couldn’t find a definitive answer.

  2. Hi, I had a similar issue. The touchpad on my XE700T1C laptop wasn’t working. A related device, the “Samsung USB Port Input Device”, wasn’t going to uninstall, and analyzing the wait chain revealed nothing, even after 30 mins. So I did a reset of Windows 8. Still not working. So I left it overnight, turned it on but still not working. Then I did some playing around on the touchpad and button mashing with Fn+F6 (enable touchpad – which I tried heaps of beforehand) and then it just worked. I suspect a hardware issue.
