SOLUTION: Windows 10 Start Menu text is unreadable / too dark

This problem seems to affect primarily Haswell-based notebooks with Intel HD Graphics drivers in use.  I have not yet seen it affect Broadwell chipsets, but it may.

The issue is that the Start Menu text is too dark — and in fact, it becomes gradually darker — and illegible, fading into the background of the Start Menu.  While it seems likely that a Windows 10 setting (or theme) should be to blame, it actually is neither.

The problem is the Intel Graphics driver, which includes a setting that purports to implement application-specific fixes.  To correct the problem, all you have to do is disable the setting and reboot the PC:

  1. Right-click the Desktop and choose Graphics Properties…
  2. Choose 3D.
  3. Under Application Optimal Mode, click Disable.
  4. Reboot the PC.

The problem is solved!

It’s likely that in the future Intel will correct their driver optimization presets for the Windows 10 Desktop Window Manager / Explorer.exe, but until that day, this is the correct workaround.

SOLUTION: Windows Update cannot currently check for updates, because the service is not running.

A common problem following the replacement of a hard drive (or other low-level storage-related change, such as a storage driver or interface change) is a broken Windows Update.  I’ve been seeing this more and more frequently, in fact, on Windows 7 machines after performing drive recoveries and installing a new drive.

The exact message is:

Windows Update cannot currently check for updates, because the service is not running.  You may need to restart your computer.

While lots of solutions are offered across the internet for this problem, ultimately, it’s actually relatively simple: the storage driver is frequently to blame.  Specifically, it is the Intel storage driver (generally iaStor.sys), which ships as part of the Intel Matrix Storage Manager package (renamed to Intel Rapid Storage Technology on later versions of Windows).

It’s been documented in other places as well that this is in fact the root of the problem.

Problem is, there are different versions of the Intel Matrix Storage Manager for each manufacturer — so it isn’t always possible to simply download the latest version directly from Intel and install it.

The HP version of that driver is listed above, and it will indeed work for many systems in question.  For other manufacturers, it’s best to search for the driver manually and download it directly from the PC manufacturer’s web site.  You can use search terms such as the following:

intel rapid storage technology driver ich10r site:dell.com vista 32-bit

This should locate a suitable version for your particular situation.

If this still does not correct your issue, you may need to follow up the driver upgrade with a reset of the Windows Update repository:

  1. Open an elevated Command Prompt (Run as Administrator).
  2. Type the following commands (pressing ENTER after each one):
    1. net stop wuauserv
    2. net stop bits
  3. Open a Windows Explorer window and navigate to %WINDIR% (e.g., normally C:\Windows).
  4. Rename SoftwareDistribution to SoftwareDistribution.old.
  5. Return to the elevated Command Prompt and type these commands:
    1. net start wuauserv
    2. net start bits

This procedure has corrected the problem on all of the PCs where I’ve encountered it thus far.
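The same repository reset as a single script, added here as an example rather than taken from the original post.  It assumes it is run from an elevated PowerShell prompt; the service names, folder path and .old suffix follow the steps above, while the timestamped fallback name (used only when a SoftwareDistribution.old from an earlier attempt already exists) and the 60-second stop timeout are my own choices.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): scripted Windows Update repository reset.

$services = 'wuauserv', 'bits'
$sdPath   = Join-Path $env:WINDIR 'SoftwareDistribution'
$backup   = "$sdPath.old"

# Keep any SoftwareDistribution.old left by an earlier attempt; use a timestamped name instead.
if (Test-Path $backup) {
    $backup = "$sdPath.old-" + (Get-Date -Format 'yyyyMMdd-HHmmss')
}

# Equivalent of "net stop wuauserv" / "net stop bits"; wait until each is really stopped.
foreach ($svc in $services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -ne $s -and $s.Status -ne 'Stopped') {
        Stop-Service -Name $svc -Force
        $s.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    }
}

# Rename SoftwareDistribution -> SoftwareDistribution.old (the old cache is kept for rollback).
if (Test-Path $sdPath) {
    Rename-Item -Path $sdPath -NewName (Split-Path $backup -Leaf)
    Write-Host "Renamed $sdPath to $backup"
} else {
    Write-Host "$sdPath not found; nothing to rename"
}

# Equivalent of "net start wuauserv" / "net start bits"; Windows recreates the folder on demand.
foreach ($svc in $services) {
    Start-Service -Name $svc
}

# Final state for the log.
Get-Service -Name $services | Format-Table Name, Status -AutoSize
```

If the rename fails with a sharing violation, something other than the two services (typically a third-party update agent) still has the folder open; close it and re-run rather than deleting the folder outright.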

SOLUTION: Malware extensions continually reload within Chrome even after reinstallation

Greetings again random internet-surfing technology enthusiasts,

Today, I’d like to tackle a puzzling issue that many techs encounter with regard to disinfecting Chrome and problematic extensions that manifest within it.  Of course, anyone with any technical expertise is aware of the fact that browser extensions are currently one of the hottest attack vectors for unsuspecting users’ machines, but removing such extensions and keeping them from reloading is another matter entirely.  Some examples of these include:

  • AdBlocker (not the legitimate and excellent AdBlock)
  • Vosteran Search
  • WebProtector
  • and many, many others

Most techs use some degree of automatic scanning and removal tools, and that’s fine, provided they don’t rely on them exclusively (as it doesn’t work… something I’ve covered countless times in the past).  However, even those who dabble in manual or assisted-manual disinfection procedures have probably found that Chrome is one of the most problematic items to permanently clean on a user’s PC.  This is ironic because Chrome also happens to be the browser I recommend to my clients for safety and speed currently (and it has been for quite some time).  Does that mean that we should move on to a different browser choice instead?

Fortunately, nope.  There is indeed a pretty universal solution to this problem, and today I’ll reveal it to you.  For purposes of illustration, we’ll choose the third example extension I listed above for today’s explanation (WebProtector).

Each Chrome extension is affiliated with a unique identifier to help users locate and install the extension from the Chrome Web Store.  WebProtector’s, for instance, happens to be kfecnpmgnlnbmipaogfhoacoioifjgko.  The Web Store does indeed host this extension in spite of its fraudulence; and Google, for all their great work in producing a relatively safe browser in Chrome, have done a pretty terrible job of keeping the store cleaned of such filth.  The problem with WebProtector (and many of these other extensions) is that even after they’re cleaned from the computer and all other malware is removed, the users may find that they reload themselves regardless later on with little or no warning.  You might think that completely uninstalling Chrome, removing all directories on the system relating to Chrome, and cleaning/resetting the user’s Chrome Data profile (as I described in another post recently) should logically solve the problem.  But it doesn’t.  The extension yet again reloads itself upon future reinstallations.

The answer to the puzzle is Policies in the Windows registry.  Chrome stores its policies in the following two keys:

  • HKCU\Software\Policies\Google
  • HKLM\Software\Policies\Google

Under these keys you will find a subkey called Extensions; it is from this key that Chrome is instructed to load the infected extensions upon each reinstallation and subsequently thereafter at regular intervals.  Simply deleting these keys (provided the user is not reliant on any policies in Chrome for administrative purposes) will prevent the behavior.  At an elevated command prompt, try typing these commands:

REG DELETE "HKCU\Software\Policies\Google" /f
REG DELETE "HKLM\Software\Policies\Google" /f

Specifically, the autoinstall keys that are likely being used are:

HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList

HKCU\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList

However, I like to remove the entire Policies key on most machines, as other suspect keys are also often used, such as whitelisting of bad extensions and even blacklisting of good ones.

It also goes without saying that the extension itself must first be removed for this to work.  That includes killing the keys relating to it in the following locations:

  • HKLM\SOFTWARE\Google\Chrome\Extensions\
  • HKCU\SOFTWARE\Google\Chrome\Extensions\

As well as the associated files within the user’s Chrome User Data directory.  If you’re really just looking to clean sweep the entire program, you can follow my previous instructions to back up the user’s Bookmarks and other personal items and then simply wipe out all related keys and files after uninstalling Chrome.  This will finally solve the problem!
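Before deleting the Policies key outright, it helps to see exactly which extensions the policy is forcing and which are registered for external install, so that a legitimately managed machine is not stripped of its policies by accident.  The following script is an added example, not from the original post: it reports the contents of the keys the post names and only removes the Policies\Google keys when run with -Remove.  The key paths are the post’s; the "id;update_url" value layout is Chrome’s documented format for the force-install list.  Run it elevated so the HKLM keys can be read and removed.

```powershell
# Added example (not from the original post): audit, then optionally remove, Chrome policy keys.
param([switch]$Remove)   # without -Remove the script only reports

$policyRoots = 'HKCU:\Software\Policies\Google', 'HKLM:\Software\Policies\Google'
$forceLists  = $policyRoots | ForEach-Object { "$_\Chrome\ExtensionInstallForceList" }
$extRoots    = 'HKLM:\SOFTWARE\Google\Chrome\Extensions', 'HKCU:\SOFTWARE\Google\Chrome\Extensions'

function Get-ForcedExtensions {
    # Each value under ExtensionInstallForceList is "<32-char extension id>;<update url>".
    foreach ($key in $forceLists) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $id, $url = ($item.GetValue($name) -split ';', 2)
            [pscustomobject]@{ Key = $key; ValueName = $name; ExtensionId = $id; UpdateUrl = $url }
        }
    }
}

function Get-RegisteredExtensions {
    # Subkeys under ...\Google\Chrome\Extensions are named by extension id; their
    # "path" / "update_url" values tell Chrome where to load the extension from.
    foreach ($root in $extRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            [pscustomobject]@{
                Key         = $sub.PSPath -replace '^.*::', ''
                ExtensionId = $sub.PSChildName
                UpdateUrl   = $sub.GetValue('update_url')
                Path        = $sub.GetValue('path')
            }
        }
    }
}

Write-Host '== Force-installed extensions (policy) =='
Get-ForcedExtensions | Format-Table -AutoSize
Write-Host '== Extensions registered for external install =='
Get-RegisteredExtensions | Format-Table -AutoSize

if ($Remove) {
    # Same effect as the post's REG DELETE "...\Policies\Google" /f, for both hives.
    foreach ($root in $policyRoots) {
        if (Test-Path $root) {
            Remove-Item -Path $root -Recurse -Force
            Write-Host "Removed $root"
        }
    }
}
```

Registry key names are case-insensitive, so the post’s spelling ExtensionInstallForceList resolves to the same key Chrome documents as ExtensionInstallForcelist.  An extension id in the report that matches one of the fraudulent extensions above, with an update URL you do not recognise, is the thing to remove; on a domain-joined PC with a real Chrome policy, remove only those values rather than the whole key.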

SOLUTION: CPU Throttling on Dell Latitude Ultrabooks (E7440, E7240) after power exceptions

Recently I have seen multiple instances (fairly rarely, but nevertheless) of the newer Dell Latitude Ultrabooks (circa 2013/2014 models, E7440 and E7240 specifically) throttling CPU frequencies under exceptional power conditions (such as possibly a misbehaving AC adapter or extremely low battery condition while under load).  I haven’t confirmed the exact circumstances which lead to this behavior, but I do know of a solution.

I first noticed this when a client recently reported sluggish operation of his brand-new E7440 Ultrabook… which, of course, made little sense considering the blazingly-fast parts (SSD included) that we purchased for him.  I checked the software briefly and saw no issues which would suggest configuration problems.  However, upon opening Task Manager, under the Performance tab, the CPU frequencies were reportedly below 400 MHz permanently–which, of course, is incredibly low considering the max Turbo Boost frequency of the i5 Haswell CPU he had of 2.8 GHz.  Fortunately, I had seen this problem once before.

My theory is that it is likely related to power disruption conditions, as I have only thus far seen it happen in circumstances where an AC adapter was not providing proper voltage or where the machine was in a very low battery state while sustaining heavy CPU loads for some reason (Windows Updates, etc.).  The machine responds by throttling CPU clock rates to protect itself from possible damage, but the problem is that it never reverts from this throttled state until it is powered off and the battery is removed.

Fortunately, the solution is easy, if a bit difficult to discover.  All that is required is a BIOS update to the latest firmware available from Dell (support.dell.com, search for your particular model).  In my most recent client’s case, an upgrade from A05 to A15 immediately corrected the problem.  It remains to be seen whether it recurs, but I do not expect it to given the last instance I saw, where we did just the same thing and the problem was permanently corrected.

Poweliks: Widespread malware without a filesystem object

Preliminary note:  This process will normally remove Poweliks from a system.  However, Poweliks is merely a tiny fraction of what is usually also alongside it on an infected system; after all, it is a downloader.  So if you’re trying DIY disinfection, just be advised that there is a very good chance that your system is still infected even after this process by multiple other malware families.  I would advise hiring a professional in your local area to assist with the job instead of risking your personal information and data!

I’ve long been preaching that scanners just don’t do the trick as a universal, one-size-fits-all solution to malware, and that’s precisely because they can’t possibly catch everything.  The latest zero-day threats will always find a way to evade even the best antimalware tools in some capacity, and because of that, a complete reliance on scanners for either proactive blocking of threats or removal of existing embedded threats is misguided and will always run into trouble.

This latest threat, which has now been circulating for a few months, is a perfect example of this.  It’s called Poweliks, and it’s unique for one very specific reason: it infects the system without the use of a filesystem component at all.  Now, it’s not like this is the first threat to accomplish such things; before it, we had such interesting specimens as the TDL4 rootkit, which created a hidden, encrypted partition at the end of the drive containing the rootkit’s code, which was loaded at each boot before the Windows partition.  Eventually, however, this rootkit was identifiable (at least, somewhat) via the presence of a conspicuous (and suspicious) 10 MB or so of empty space (RAW) at the end of a drive.  And it was easy to kill: simply delete that partition offline and set the proper Windows partition as active.

Poweliks uses a totally different approach: it embeds itself in the system’s registry in an encrypted key that actually contains the body of the malware, as opposed to the mere settings and program data that the Windows registry is intended to hold.  The identity of the key has changed across variants, but the most recent one I’ve seen is:

HKEY_LOCAL_MACHINE\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32

What about symptoms?  Well, they’re not all that clear-cut.  The machine will certainly be slower than normal.  Apart from that, it may simply be generally infected, as that’s what Poweliks is all about: downloading other infections.  The problem is that you cannot search for a particular process in memory or even a file on the hard drive, as no file exists and the process is always a completely legitimate one.

However, at least as of this writing, it is not random.  The most recent process which has been associated with Poweliks infections is dllhost.exe.  It’s a totally normal process, so seeing it running by no means indicates infection.  However, seeing it running persistently and for long periods of time is a bit more suspicious if you’re having other symptoms.  And if you close dllhost.exe using Task Manager and it repeatedly reappears in multiple instances, it’s a really suspicious scenario.  You’ll also likely see tons of other random (normally legitimate) processes running which should not need to be running.  These can’t be specified here as they are random.

For further diagnosis, however, you can download Process Explorer to inspect the genealogy of the processes that are currently running.  It’s a dead giveaway: if dllhost.exe is launching dozens of other processes, you know it’s Poweliks.
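The process-genealogy check above can be scripted, which is useful when you want a quick answer on a slow machine before installing Process Explorer.  The script below is an added example, not from the original post: it builds a parent/child map from Win32_Process, reports every dllhost.exe instance with its child count, and checks whether the LocalServer32 key listed above exists and how large its default value is (a normal LocalServer32 value is a short executable path; the post says the infected one carries the malware body).  The CLSID is the one quoted in the post; the child-count threshold of 5 is an arbitrary value I chose for flagging.

```powershell
# Added example (not from the original post): triage for the dllhost.exe symptom and the registry key.
$Threshold = 5
$clsidKey  = 'HKLM:\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32'

# Snapshot all processes once, then index them by parent PID (keys are strings).
$procs    = Get-CimInstance -ClassName Win32_Process
$byParent = $procs | Group-Object -Property ParentProcessId -AsHashTable -AsString

function Get-DllhostReport {
    foreach ($p in ($procs | Where-Object Name -eq 'dllhost.exe')) {
        $children = @()
        if ($byParent.ContainsKey("$($p.ProcessId)")) {
            $children = @($byParent["$($p.ProcessId)"])
        }
        [pscustomobject]@{
            PID         = $p.ProcessId
            Started     = $p.CreationDate
            CommandLine = $p.CommandLine
            Children    = $children.Count
            ChildNames  = ($children | Select-Object -ExpandProperty Name -Unique) -join ', '
            Suspicious  = ($children.Count -ge $Threshold)   # dllhost spawning many processes
        }
    }
}

Get-DllhostReport | Format-Table -AutoSize

# Registry side: does the key the post names exist, and how big is its default value?
if (Test-Path $clsidKey) {
    $val = (Get-ItemProperty -Path $clsidKey).'(default)'
    if ($val) {
        Write-Host "LocalServer32 present; default value is $($val.Length) characters"
        Write-Host ("First 120 characters: " + $val.Substring(0, [Math]::Min(120, $val.Length)))
    } else {
        Write-Host 'LocalServer32 present but its default value is empty'
    }
} else {
    Write-Host 'LocalServer32 key for the listed CLSID is not present'
}
```

A dllhost.exe with a long-running start time and a large, shifting set of children is the pattern the post describes; a single short-lived dllhost.exe with no children is ordinary COM surrogate activity and not a finding on its own.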

Removal

This isn’t so bad at all if you know how to tackle it!

The easiest way to handle it is to prepare with a tool that can handle removal first.  In this case, I recommend RogueKiller.

NOTE:  This tool isn’t to be used lightly, especially by those who aren’t thoroughly familiar with computer repair.  By design, it is heavy on false positives, so take care when agreeing to remove what it flags as suspicious.

Try the following approach:

  1. Open RogueKiller; allow the prescan to finish.  Run a scan.
  2. Once the scan completes, look for its detection of Poweliks on the Registry tab.  Be sure it is selected for removal.
  3. Open Process Explorer.  Pause all dllhost.exe processes.  Kill all processes below any dllhost.exe process once the processes have been paused.
  4. Click Delete on the RogueKiller window and immediately reboot the system.

With any luck, upon reboot, the malware will be gone.  By pausing the process with Process Explorer, you essentially negate the malware’s ability to detect its neutralization via watchdog processes that relaunch the dllhost parent process after it’s killed.  That enables disinfection to take place before the malware is relaunched and the registry key is reinfected.

Of course, to repeat myself, keep in mind that Poweliks is merely a tiny fraction of what is usually also alongside it on an infected system; after all, it is a downloader.  So if you’re trying DIY disinfection, just be advised that there is a very good chance that your system is still infected even after this process by multiple other malware families.  I would advise hiring a professional in your local area to assist with the job instead of risking your personal information and data!

Guide: Western Digital WD5000F032 External Hard Drive Disassembly

Everyone who does any sort of data recovery knows that Western Digital external hard drives can be a real pain to break into if they fail.  While I’ve found plenty of extremely helpful visual guides to disassembly of these models in the past, the model I received today for repair wasn’t among them.  It’s a WD5000F032 (also WD5000C032, and perhaps other similar model numbers as well), and the method to disassemble it is completely different.

So I took it upon myself to create a guide of my own.  Hope this helps you!

Western Digital WD5000F032 external hard drive Disassembly

Step 1 - Remove the rubber liner

Step 2a - Press the plastic tabs on top...

Step 2b - ...and bottom

Step 3 - Slide the contents out of the shell casing

Step 4 - Remove screws

Step 5 - Remove more screws

Step 6 - Remove the final screw

Step 7 - (Optional) remove the drive from the bracket

SOLUTION: Google Chrome process will not close; Chrome will not re-open

A frustrating issue that I have encountered on multiple recent customers’ PCs is an inability to completely close all Google Chrome processes–and, even more frustratingly, a consequent inability to reopen Chrome once it has been closed on the machine.  This happens regardless of whether the Continue running background apps when Google Chrome is closed checkbox is checked in Settings.

Two workarounds exist: either reboot the machine or open Task Manager and kill the hanging chrome.exe process that is responsible for this problem.  But, of course, this is no long-term solution.

Fortunately I have found the long-term solution!  Keep in mind it may be different in your case depending on the cause, but it appears that this problem is always a product of one of two conditions:

  1. A problematic plugin/extension, or
  2. Corrupt User Data of some sort.

For sake of justification, in the case of my customers’ machines, the first one was caused by a problematic QuickTime plugin (disabling it fixed the problem), and the second one was a corrupt Cookies store–one which could not be cleared using the Clear Browsing Data dialog.

In light of this, there is a relatively easy way to solve either.  Here is the process by which I propose you approach the solution in your particular case:

  1. First, open Chrome and navigate to chrome:plugins.  Disable all plugins and restart the browser.  You may have to kill chrome.exe manually once and then reopen/reclose the browser to test this.  If the behavior persists, reenable the plugins one-by-one to narrow down the one which is responsible.
  2. If this doesn’t work, reenable all plugins, then navigate next to chrome:extensions and disable all extensions next.  Repeat the close/open process to see if the behavior persists.

If this still doesn’t work, now that you’ve ruled out any plugin/extension issues, you’ll need to employ this final phase of the fix, which involves locating corrupt User Data and fixing it.

METHOD 1: From The Ground Up

The first approach involves recreating a new User Data store for your Chrome profile.  This is the most surefire way of correcting the issue as it involves working from the ground up with a new profile and reintroducing customizations (such as Bookmarks, Preferences, etc.) until you find one which is a problem (in my case, it was Cookies).  Here’s how it works:

  1. Open up a folder browser window (a Windows Explorer window) on your PC and navigate to the folder %LOCALAPPDATA%\Google\Chrome
  2. Inside this folder, you will find a subfolder called User Data.  Make sure Chrome is closed (including the hanging chrome.exe process), then rename this folder to something such as User Data.old
  3. Open Chrome again and close it.  Voila, no problems.
  4. Note that a new User Data folder has now been created which is blank.  Here’s the tricky part.  The new profile doesn’t have any of your previous data in it (as you probably noticed).  If you’re simply using a roaming Google Chrome profile (such as one where you sign in while opening the browser) to retain your settings, it’s as easy as signing in again to repopulate your stuff.  But if you aren’t, you’ll need to manually copy over the data from the corrupt profile.  To do so:
    1. Navigate to %LOCALAPPDATA%\Google\Chrome\User Data.old\Default to get to the old corrupt profile data that you are no longer using.
    2. Open another folder browser window and navigate to the new profile data here: %LOCALAPPDATA%\Google\Chrome\User Data\Default 
    3. Close Chrome (if it isn’t already) and copy over the following user data files within this folder one at a time, opening and closing Chrome in-between each time to check for a hanging chrome.exe process after the file is copied:
      1. Archived History
      2. Bookmarks
      3. Extension Cookies
      4. Favicons
      5. History
      6. Login Data
      7. Preferences
      8. Shortcuts
      9. Top Sites
      10. Visited Links
    4. If you copy a file and the behavior reappears, that’s obviously your culprit.  In my case, it was Cookies, which you’ll notice I didn’t even list above because I bet that’s what your problem is too!
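Copying the files one at a time and reopening Chrome after each is tedious by hand, so here is the same bisection as a script.  It is an added example, not from the original post: the folder names and the file list are the post’s (with Cookies appended at the end so the most likely culprit is tested last, after the others are known good); the Chrome executable paths, the 10-second settle times and the use of CloseMainWindow() to close the browser normally are my assumptions and may need adjusting on a given machine.

```powershell
# Added example (not from the original post): copy one profile file, reopen Chrome, check for a hang.
$chromeExe = Join-Path ${env:ProgramFiles(x86)} 'Google\Chrome\Application\chrome.exe'
if (-not (Test-Path $chromeExe)) {
    $chromeExe = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
}
$oldProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data.old\Default'
$newProfile = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$files = 'Archived History', 'Bookmarks', 'Extension Cookies', 'Favicons', 'History',
         'Login Data', 'Preferences', 'Shortcuts', 'Top Sites', 'Visited Links', 'Cookies'

function Test-ChromeHangs {
    # Returns $true if any chrome.exe survives a normal (non-forced) close.
    Start-Process -FilePath $chromeExe
    Start-Sleep -Seconds 10                                # let the profile load
    Get-Process chrome -ErrorAction SilentlyContinue |
        ForEach-Object { $null = $_.CloseMainWindow() }    # ask the browser window to close
    Start-Sleep -Seconds 10                                # give it time to exit cleanly
    return [bool](Get-Process chrome -ErrorAction SilentlyContinue)
}

if (Get-Process chrome -ErrorAction SilentlyContinue) {
    throw 'Close Chrome (including any hanging chrome.exe) before running this.'
}

foreach ($f in $files) {
    $src = Join-Path $oldProfile $f
    if (-not (Test-Path $src)) { Write-Host "skip $f (not in old profile)"; continue }
    Copy-Item -Path $src -Destination $newProfile -Force
    if (Test-ChromeHangs) {
        Write-Host "Hang reproduced after copying '$f'; this is the culprit."
        Stop-Process -Name chrome -Force                   # clear the hung process
        Remove-Item -Path (Join-Path $newProfile $f) -Force # and take the bad file back out
        break
    }
    Write-Host "OK: $f"
}
```

Turn off Continue running background apps when Google Chrome is closed before running this, otherwise a legitimately persisting background process will be reported as a hang on the very first file.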

METHOD 2: From The Top Down

You can reverse this method if you want to try and retain as much as possible of your profile (i.e., if you have a ton of extensions installed that you don’t want to redownload–though to restore those you can technically also simply copy the subfolders within the Default folder as well that relate to them).  First I would create a backup of the User Data folder before beginning just in case, and afterwards I’d begin renaming suspect files one by one until you find the culprit.  Start with Cookies and go through the rest of the files in the Default folder until you find the problem.

Thank goodness this is solved!  It’s an annoying one.

SOLUTION: Microsoft Outlook 2013 hangs at “Loading Profile…” after Office Update

Now here’s an interesting conundrum.  A recent update to Microsoft Office 2013 that’s being pushed out automatically to clients results in some of them being unable to open Outlook 2013.  Instead of running normally, the program will hang at the “Loading Profile” stage of launch, as though the profile is corrupt (if you haven’t already checked this, it could actually be the case instead of course).  A workaround is to open Outlook using the well-known /safe command line switch; but this is merely a workaround (which in turn disables all add-ons), not a permanent solution.

For a much more reasonable resolution, try this instead:

  1. Run regedit (Start > Run > type regedit and press ENTER)
    1. On Windows 8, Win + R; type regedit and press ENTER
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Common
  3. Right-click, select New > Key and name it Graphics
  4. Select the Graphics key you just created, right-click in the right panel and choose New > DWORD (32-bit) Value and name it DisableHardwareAcceleration.
  5. Double-click the new value and assign it a value of 1.
  6. Close regedit and try opening Outlook again.
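The registry steps above, as a script that can also revert the change once a fixed Office build arrives.  This is an added example, not from the original post; the key path and value name are the post’s, the function names are mine.

```powershell
# Added example (not from the original post): apply or revert DisableHardwareAcceleration for Office 2013.
$OfficeGraphicsKey = 'HKCU:\Software\Microsoft\Office\15.0\Common\Graphics'
$ValueName         = 'DisableHardwareAcceleration'

function Set-OutlookHardwareAcceleration {
    param([ValidateSet('Disabled', 'Enabled')][string]$State)

    if ($State -eq 'Disabled') {
        # New-Item -Force creates Common\Graphics (harmless if it already exists);
        # New-ItemProperty -Force overwrites an existing value.
        New-Item -Path $OfficeGraphicsKey -Force | Out-Null
        New-ItemProperty -Path $OfficeGraphicsKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    elseif (Test-Path $OfficeGraphicsKey) {
        # Revert: drop the value so Office falls back to its default (acceleration on).
        Remove-ItemProperty -Path $OfficeGraphicsKey -Name $ValueName -ErrorAction SilentlyContinue
    }
}

function Get-OutlookHardwareAccelerationState {
    if (Test-Path $OfficeGraphicsKey) {
        $v = (Get-ItemProperty -Path $OfficeGraphicsKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($v -eq 1) { return 'Disabled' }
    }
    return 'Enabled'
}

# Usage: apply the fix from the post with Outlook closed, then confirm the state.
Set-OutlookHardwareAcceleration -State Disabled
Get-OutlookHardwareAccelerationState
```

Because the key lives under HKEY_CURRENT_USER, the script must be run as the user whose Outlook hangs, not from another account’s elevated session.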

This should fix the problem.  I first stumbled upon the solution when I realized that opening my TeamViewer Remote Support program while Outlook was loading kicked it into launching, which suggested either a network- or graphics-related cause (as TV affects both of those when launching).  The original solution listed here came from the Microsoft Office 2013 Issues Blog, though the symptoms listed are different from these.

Hope this helps! 🙂

SOLUTION: Dell Laptops Hang on Reboot/Shutdown after Windows 8.1 update

I’ve recently encountered a pretty new issue involving some Dell laptops where the system will simply hang at a black screen, completely blank, when a shutdown or restart is initiated.  This behavior occurs following the installation of the free Windows 8.1 update.  There is no evidence present in the Event Log or anywhere else to indicate what might be to blame, and nothing on the internet that I could find references the issue.

In my case, I encountered the problem while setting up around 10 Dell Latitude E7240 (Latitude 12 7000 Series) notebook computers for my clients.  The solution, as it turns out, is pretty simple.

As usual, it’s a driver which is to blame for the problem.  I first stumbled across the solution while troubleshooting when I decided to disable the wireless adapters (Wi-Fi and Bluetooth) using the hardware wireless switch on the side of the computer before shutting down.  You’ll notice that while Airplane Mode is on, the system reboots/shuts down just fine.

It’s because of the Dell Wireless 1601 WiFi/BT driver that’s preinstalled; for whatever reason, the Bluetooth portion of it is incompatible with Windows 8.1.  Explicitly disabling Bluetooth also fixes the problem, confirming that this is the source of the issue.

To correct it once and for all, here’s what you need to do:

  1. Download this driver from Dell.
  2. Choose to Extract Without Installing and specify a location of your choice.
  3. Wait a few seconds for the confirmation dialog to appear, then click View Folder.
  4. Double-click the Install_CD subfolder to open it.
  5. Run setup.exe and follow the instructions.
  6. Reboot the computer.

The problem is solved!

I presume this most likely affects all Dell computers running the A01 version of the driver.  I hope this solution has helped you!

SOLUTION: Windows Vista In-Place Upgrade fails when PowerShell is installed

This one’s quick and easy.  On multiple occasions, I’ve encountered problems with Windows Vista performing an in-place upgrade (in situations where conventional repairs are not sufficient and such measures are necessary) if the client’s machine has Windows PowerShell installed.  PowerShell is listed as incompatible with the upgrade procedure by the Setup process.  Usually, it’s as easy as removing it via Control Panel > Programs and Features > Turn Windows features on or off, but on more than one occasion, when a workstation is really screwed up, this process fails.

In those cases there are two other options you can try.  The first is to head to Programs and Features, choose View installed updates, and remove Windows Management Framework Core, which is the update associated with PowerShell.  If this STILL doesn’t fix it, however, there’s one surefire way to do so:

  • Simply rename the directory %SYSTEMROOT%\System32\WindowsPowerShell (where %SYSTEMROOT% is the system environment variable for the Windows directory).

This easy workaround will allow the upgrade to proceed, which will usually fix most serious problems with a Vista installation and pave the way for updates and other corrections before wrapping up the work.  It’s just another way I’ve been able to avoid a reinstallation of Windows under circumstances which would normally seem to suggest it as the only option.