Question High System Usage, using Process Monitor: "Interrupt" and WDF01000.sys are the culprits, how to pinpoint?

CyberBonk

Prominent
Dec 7, 2023

Hey Guys, so imma try to keep it short, lots of things happened. I have a Legion Slim 7 16IRH8 and have high system usage. Trying to diagnose with the help of ChatGPT, I installed Process Explorer and identified some details: I have lots of ISRs from the WDF driver, which ChatGPT says is a framework used by other drivers, so this makes it harder to pinpoint. I just wanna know the culprit.




Some backstory: originally I had an issue with (I don't remember now) that made me contact Microsoft support live chat (again, bad idea, don't do that), and basically the bad step that he made is that he updated all the network adapters, including my Ethernet-to-USB TP-Link adapter that uses a Realtek driver.
This driver caused a BSOD (it is a mix of a bad driver and something related to my 1000Hz polling rate mouse and USB controller, according to ChatGPT). Anyways, I diagnosed the issue and downgraded the driver to one from 2015 and the BSODs stopped (I also learned how to read minidumps using the debugger).

Now, after all of this, I found two things: Windows Defender high CPU usage at idle (fixed it by uninstalling DefenderUI and running a full scan overnight), and now high CPU usage from interrupts, and my fans are kicking in, never stopping on idle. At this point I'm just thinking of nuking and reinstalling, but I have lots and lots of data that I can't just back up and I don't have multiple partitions, just one, so I can't partition and reset the Windows partition every time I like, so that option is only available next summer break.

Other things I have tried (with ChatGPT's help), like Driver Verifier: "verifier /standard /all" or something near, that should induce a BSOD with the culprit driver, but nothing happened except a very laggy system until I ran "verifier /reset", and "verifier /query" returned nothing.

For now, how do I diagnose it, or just live with it until next summer?
 
Regardless of whether you have removable storage or partitions, or neither, you will encounter a system failure, and the need to retrieve your mission-critical data becomes of the utmost importance, but you're unable to do so as you can't access your drive/platform; that is inevitably going to happen.

That being said, back up your data, then proceed to tinker with your system.

Give the first suggestion in this thread:
https://answers.microsoft.com/en-us...ing-real/efcf6eda-df52-4cae-a8dd-710389b0f9c6
a go and see if that helps.
 
hi, thanks for replying

TLDR: right now I was able to get my Windows to a stable state, but with that interrupt issue. For now I'm just searching for a way to identify the culprit driver that is causing those interrupts.

Well, yeah, I use my laptop mostly for studying and I do have games on the device, so the data itself isn't important, but the pain I will have is having to reinstall all the needed apps and reconfigure them, and some of the slides and projects that are already on the internet, whether on GitHub or on Moodle or my Uni's OneDrive.

So that type of data is just hard to back up without making a physical system clone in the first place, so I will just stick to standard recovery methods if such things happen to me.

I have a USB with Ventoy that has Win11 24H2, GhostSpectre Win11 (does have some recovery capabilities), Ubuntu LTS 24 [for a project, still learning], Partition Wizard LiveBootable, and HirenBoot (it is outdated, I know; when I'm free I will research better alternatives).

About the link, I checked it. Microsoft support, as always, has never been helpful; he just suggested the generic answer of doing DISM and SFC and to post the details on Feedback Hub, which I used a lot and never got replies.

Would be helpful if they just straight told me what tool to use and what to check for and handled the rest, but instead they caused me that issue by randomly updating drivers in the first place.
 
Wdf01000.sys is the Microsoft interface for a bunch of drivers.
Generally, the problem is going to be in one 3rd party driver that is using the interface.

If you change the memory dump type to kernel and force a memory dump on a working system, I can try to read the log entries for Wdf01000.sys. Often drivers do not use the correct format or fail to make any log entries.
debug command would be
!wdflogdump Wdf01000
(only available on a kernel dump)
!wdfkd.wdfcrashdump loader
will show the list of logs, sometimes you can find errors in some subsystem log.
This command will check to see if the Wdf01000.sys has been modified or replaced (will show first 50 changes):
!chkimg -lo 50 -db !Wdf01000

if you want, force a kernel dump and provide the large memory.dmp file of the working system and I can take a quick look. (best if the system is showing the problem at the time of the dump)

You can kill processes as a crude attempt to see what affects the number of ISR calls.
(i would start with the microphone process as a guess)
nahimic3.exe which is suspended on your machine.
used to enhance sound performance in games
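
The reply's crude process-kill test and dump-type preparation written as a script, plus a Windows Performance Recorder capture for per-driver ISR/DPC attribution; this is an added example, not part of any post in the thread. The 10-second sample window, the 30-second trace length and the output path are assumptions.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Counter paths below are the English-locale names.

function Get-InterruptLoad {
    # Average interrupt/DPC counters over $Seconds one-second samples.
    param([int]$Seconds = 10)
    $paths = '\Processor(_Total)\% Interrupt Time',
             '\Processor(_Total)\% DPC Time',
             '\Processor(_Total)\Interrupts/sec'
    $samples = (Get-Counter -Counter $paths -SampleInterval 1 -MaxSamples $Seconds).CounterSamples
    $row = [ordered]@{}
    foreach ($g in ($samples | Group-Object { ($_.Path -split '\\')[-1] })) {
        $avg = ($g.Group | Measure-Object -Property CookedValue -Average).Average
        $row[$g.Name] = [math]::Round($avg, 2)
    }
    [pscustomobject]$row
}

# 1. Baseline at idle, then again after stopping one suspect process.
$suspect = 'nahimic3'    # process named in the reply; swap in any other suspect
$before  = Get-InterruptLoad
Stop-Process -Name $suspect -Force -ErrorAction SilentlyContinue
$after   = Get-InterruptLoad
$before, $after | Format-Table -AutoSize

# 2. Show the configured dump type (0 none, 1 complete, 2 kernel, 3 small, 7 automatic).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key
'CrashDumpEnabled = {0}, DumpFile = {1}' -f $cc.CrashDumpEnabled, $cc.DumpFile
# To switch to a kernel dump (applies after reboot), uncomment:
# Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 2

# 3. Record 30 seconds of the idle system with the built-in GeneralProfile.
#    Open the .etl in Windows Performance Analyzer and expand
#    Computation > DPC/ISR to see ISR/DPC time grouped by driver module.
$etl = Join-Path $env:TEMP 'idle-interrupts.etl'
wpr -start GeneralProfile -filemode
Start-Sleep -Seconds 30
wpr -stop $etl
"Trace written to $etl"
```

A drop in Interrupts/sec between the two rows points at a driver tied to the stopped process; no change means the trace in step 3 is the better lead.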
 
thanks for the info,

Yesterday last night, after a lot of digging, I tried Windows Performance Recorder and Windows Performance Analyzer, and they returned two drivers causing issues. One is related to the TP-Link Ethernet-to-USB adapter that uses a Realtek driver.
This one later caused me random BSODs for no reason that even happened in safe mode with networking but not in safe mode. Found it, downgraded it, works fine now.

The other culprit was the Nvidia driver (which I did downgrade from 576.02 to 566.36, so now 566.36 is the culprit); now downgraded again to my Lenovo's Nvidia driver, which is old but doesn't have the issue for now.


So, a nice debugging journey that I don't wanna experience again, nice.