I have a customer, whose computer can't start the print spooler
service on booting. It dies simply and if I start the service, for
some time it runs ok. However, it dies unexpectedly.
I found an ppt document which frequently kills the service when it's
printed using a usb printer.
I captured the event of spoolsv.exe using sysinternals procmon.exe,
but I couldn't decifer them, so I ask some help in interpreting the
events. Following is some part when debugger is started.
=3D=3D=3D+=3D=3D=3D+=3D=3D=3D
HKCU
\Control Panel\Desktop","SUCCESS","Desired Access: Read"
5:29:56.6846369","spoolsv.exe","3772","RegQueryValue","HKCU\Control
Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
\Control Panel\Desktop","SUCCESS",""
5:29:56.6846646","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
5:29:56.6846844","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Maximum Allowed"
HKCU
\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT
FOUND","Desired Access: Read"
HKCU
\Control Panel\Desktop","SUCCESS","Desired Access: Read"
5:29:56.6847377","spoolsv.exe","3772","RegQueryValue","HKCU\Control
Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
\Control Panel\Desktop","SUCCESS",""
5:29:56.6847654","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
5:29:56.6847852","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Maximum Allowed"
HKCU
\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT
FOUND","Desired Access: Read"
HKCU
\Control Panel\Desktop","SUCCESS","Desired Access: Read"
5:29:56.6848375","spoolsv.exe","3772","RegQueryValue","HKCU\Control
Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
\Control Panel\Desktop","SUCCESS",""
5:29:56.6848651","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
5:29:56.6849107","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Maximum Allowed"
HKCU
\Software\Policies\Microsoft\Control Panel\Desktop","NAME NOT
FOUND","Desired Access: Read"
HKCU
\Control Panel\Desktop","SUCCESS","Desired Access: Read"
5:29:56.6849643","spoolsv.exe","3772","RegQueryValue","HKCU\Control
Panel\Desktop\MultiUILanguageId","NAME NOT FOUND","Length: 256"
\Control Panel\Desktop","SUCCESS",""
5:29:56.6849923","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
,"HKLM
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP
Officejet K7100 Series\PrinterDriverData","SUCCESS","Desired Access:
Read/Write"
5:29:56.6851917","spoolsv.exe","3772","RegQueryValue","HKLM\SOFTWARE
\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Officejet K7100
Series\PrinterDriverData\InstallationComplete","SUCCESS","Type:
REG_DWORD, Length: 4, Data: 0"
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP
Officejet K7100 Series\PrinterDriverData","SUCCESS",""
5:29:56.6852875","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Read/Write"
HKCU
\Printers\Connections\,,PARKJUYUN,USB001, Port","NAME NOT
FOUND","Desired Access: Read/Write"
,"HKCU
\Printers\DevModePerUser","SUCCESS","Desired Access: Read/Write"
5:29:56.6853722","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
\Printers\DevModePerUser","SUCCESS","Query: Cached, SubKeys: 0,
Values: 4"
5:29:56.6854113","spoolsv.exe","3772","RegQueryValue","HKCU\Printers
\DevModePerUser\\\PARKJUYUN\USB001, Port","NAME NOT FOUND","Length:
144"
\Printers\DevModePerUser","SUCCESS",""
5:29:56.6854789","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Read/Write"
HKCU
\Printers\Connections\,,PARKJUYUN,USB001, Port","NAME NOT
FOUND","Desired Access: Read/Write"
,"HKCU
\Printers\DevModePerUser","SUCCESS","Desired Access: Read/Write"
5:29:56.6855485","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
\Printers\DevModePerUser","SUCCESS","Query: Cached, SubKeys: 0,
Values: 4"
5:29:56.6855772","spoolsv.exe","3772","RegQueryValue","HKCU\Printers
\DevModePerUser\\\PARKJUYUN\USB001, Port","NAME NOT FOUND","Length:
144"
\Printers\DevModePerUser","SUCCESS",""
5:29:56.6856560","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Read/Write"
HKCU
\Printers\Connections\,,PARKJUYUN,USB001, Port","NAME NOT
FOUND","Desired Access: Read/Write"
,"HKCU
\Printers\DevModePerUser","SUCCESS","Desired Access: Read/Write"
5:29:56.6857253","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
\Printers\DevModePerUser","SUCCESS","Query: Cached, SubKeys: 0,
Values: 4"
5:29:56.6857546","spoolsv.exe","3772","RegQueryValue","HKCU\Printers
\DevModePerUser\\\PARKJUYUN\USB001, Port","NAME NOT FOUND","Length:
144"
\Printers\DevModePerUser","SUCCESS",""
5:29:56.6858463","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Read/Write"
HKCU
\Printers\Connections\,,PARKJUYUN,USB001, Port","NAME NOT
FOUND","Desired Access: Read/Write"
,"HKCU
\Printers\DevModePerUser","SUCCESS","Desired Access: Read/Write"
5:29:56.6859178","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
\Printers\DevModePerUser","SUCCESS","Query: Cached, SubKeys: 0,
Values: 4"
5:29:56.6859477","spoolsv.exe","3772","RegQueryValue","HKCU\Printers
\DevModePerUser\\\PARKJUYUN\USB001, Port","NAME NOT FOUND","Length:
144"
\Printers\DevModePerUser","SUCCESS",""
HKLM
\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows NT
x86\Drivers\version-3\HP Officejet K7100 Series","SUCCESS","Desired
Access: Read"
5:29:56.6861237","spoolsv.exe","3772","RegQueryValue","HKLM\System
\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers
\Version-3\HP Officejet K7100 Series\DEMFileName","NAME NOT
FOUND","Length: 144"
\System\CurrentControlSet\Control\Print\Environments\Windows NT
x86\Drivers\Version-3\HP Officejet K7100 Series","SUCCESS",""
5:29:56.6861843","spoolsv.exe","3772","RegOpenKey","HKCU","SUCCESS","Desire=
d
Access: Maximum Allowed"
,"HKCU
\Software\Hewlett-Packard\DEMFileData\HP Officejet K7100
Series","SUCCESS","Desired Access: Read"
5:29:56.6862486","spoolsv.exe","3772","RegCloseKey","HKCU","SUCCESS",""
5:29:56.6862687","spoolsv.exe","3772","RegQueryValue","HKCU\Software
\Hewlett-Packard\DEMFileData\HP Officejet K7100 Series\DEMFile","NAME
NOT FOUND","Length: 144"
\Software\Hewlett-Packard\DEMFileData\HP Officejet K7100
Series","SUCCESS",""
5:29:56.6873772","spoolsv.exe","3772","QueryNameInformationFile","C:
\WINDOWS\system32\spool\drivers
\w32x86\3\hpoh7103.BUD","SUCCESS","Name: \WINDOWS\system32\spool
\drivers\w32x86\3\hpoh7103.BUD"
\WINDOWS\system32\spool\drivers\w32x86\3\hpoh7103.BUD","SUCCESS",""
HKLM
\Software\Microsoft\Windows NT\CurrentVersion
\AeDebug","SUCCESS","Desired Access: Query Value"
5:29:56.6881834","spoolsv.exe","3772","RegQueryValue","HKLM\SOFTWARE
\Microsoft\Windows NT\CurrentVersion\AeDebug\Auto","SUCCESS","Type:
REG_SZ, Length: 4, Data: 1"
5:29:56.6881982","spoolsv.exe","3772","RegQueryValue","HKLM\SOFTWARE
\Microsoft\Windows NT\CurrentVersion\AeDebug
\Debugger","SUCCESS","Type: REG_SZ, Length: 52, Data: drwtsn32 -p %ld -
e %ld -g"
\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug","SUCCESS",""
\WINDOWS\system32\faultrep.dll","SUCCESS","CreationTime: 2004-08-04 =BF=C0=
=C0=FC
12:53:14, LastAccessTime: 2008-08-19 =BF=C0=C8=C4 5:25:21, LastWriteTime:
2004-08-04 =BF=C0=C0=FC 12:53:14, ChangeTime: 2007-08-29 =BF=C0=C8=C4 4:55:=
14,
AllocationSize: 81,920, EndOfFile: 79,872, FileAttributes: A"
C:
\WINDOWS\system32\faultrep.dll","SUCCESS","Desired Access: Execute/
Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-
Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete,
AllocationSize: n/a, Impersonating: PARKJUYUN\Administrator,
OpenResult: Opened"
=3D=3D=3D+=3D=3D=3D+=3D=3D=3D
I guess it's indicating the spoolsv.exe is looking for the USB port
info but couldn't and dies. Is my guess right?
What can cause this?
TIA
--
Daewon YOON