I was asked to look into an issue where a team of 20 users was having to wait 20 – 30 seconds for files to open from Office applications. The usual solutions of rebuilding profiles and PCs had been tried, and the network had been checked for errors with no results.
Although on the surface this appeared to be a network issue, I thought I’d start with Process Monitor. Fortunately for me, the issue was easy to replicate. On half of the user’s screen I had Excel open, poised ready to open a troublesome file, and on the other half I had Process Monitor available so I could start and stop it quickly.
Despite being able to stop and start ProcMon quickly, I still managed to capture nearly 60,000 events. This is way too much for analysis, so I filtered on the Excel process because that was the one doing (or not) all the work.
This led to a more manageable 11,290 events. This still sounds like a lot, and it is if you have to read through them all. However, there is a simple and quicker approach when dealing with performance issues.
Once you’ve filtered to your faulting processes, simply scroll down and look for the gaps. If you concentrate on the seconds, you can scroll down quite fast and the jump in numbers will be obvious.
In this case the issue was at event 10,018. As you can see, there’s a 26-second gap between events 10017 and 10018 and, unsurprisingly, the event with the result of BAD NETWORK PATH was the culprit.
When I looked in Windows Explorer there wasn’t a G: drive mapped. I ran NET USE from a command prompt and it listed the G: drive. I ran a NET USE /Delete G: and the problem went away. It turned out that that particular team had a G: drive mapped to a server that had recently been decommissioned. Excel was trying to enumerate a drive that no longer existed, so it timed out.
What I found interesting was that the problematic event was after the 26-second pause; I expected it to be before the gap. It goes to show that when you’re using the technique you need to look at both sides of the gap.
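The same gap hunt can be scripted over a capture saved as CSV. The sketch below is an added example, not part of the original investigation: it assumes the default ProcMon CSV export columns and a `Time of Day` value in `h:mm:ss.fffffff AM/PM` form, the sample rows are constructed, and the function names (`load`, `parse_time`, `find_gaps`) are hypothetical. It reports the event on each side of every stall.

```python
import csv, io
from datetime import datetime, timedelta

# Constructed sample rows (not from the post's capture). Assumed layout: the
# default ProcMon CSV export columns, "Time of Day" as h:mm:ss.fffffff AM/PM.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:02.1000000 AM","EXCEL.EXE","4321","RegOpenKey","HKCU\Software\Example","SUCCESS",""
"9:14:02.1500000 AM","Explorer.EXE","1200","ReadFile","C:\Example\a.dat","SUCCESS",""
"9:14:02.2000000 AM","EXCEL.EXE","4321","CreateFile","C:\Example\book.xlsx","SUCCESS",""
"9:14:15.0000000 AM","Explorer.EXE","1200","ReadFile","C:\Example\a.dat","SUCCESS",""
"9:14:28.2000000 AM","EXCEL.EXE","4321","CreateFile","G:\","BAD NETWORK PATH",""
"9:14:28.2500000 AM","EXCEL.EXE","4321","ReadFile","C:\Example\book.xlsx","SUCCESS",""
'''

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def parse_time(text):
    # ProcMon prints 7 fractional digits; strptime's %f accepts at most 6.
    clock, _, ampm = text.partition(" ")
    hms, _, frac = clock.partition(".")
    fmt = "%I:%M:%S.%f %p" if ampm else "%H:%M:%S.%f"
    return datetime.strptime(f"{hms}.{frac[:6] or '0'} {ampm}".strip(), fmt)

def find_gaps(rows, process, threshold_s=5.0):
    """Return (gap_seconds, event_before, event_after), largest gap first."""
    # Filter to one process first, as in the post, so other processes'
    # events that land inside the stall do not hide it.
    events = [r for r in rows if r["Process Name"].lower() == process.lower()]
    gaps = []
    for before, after in zip(events, events[1:]):
        delta = parse_time(after["Time of Day"]) - parse_time(before["Time of Day"])
        if delta < timedelta(0):  # capture crossed midnight
            delta += timedelta(days=1)
        if delta.total_seconds() >= threshold_s:
            gaps.append((delta.total_seconds(), before, after))
    return sorted(gaps, key=lambda g: g[0], reverse=True)

if __name__ == "__main__":
    for secs, before, after in find_gaps(load(SAMPLE_CSV), "EXCEL.EXE"):
        print(f"{secs:.1f}s gap")
        for tag, ev in (("before", before), ("after ", after)):
            print(f"  {tag}: {ev['Time of Day']} {ev['Operation']} {ev['Path']} -> {ev['Result']}")
```

For a real export, read the file's text and pass it to `load`; if the file starts with a byte-order mark, open it with `encoding="utf-8-sig"` so the first column name parses cleanly.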
From start to finish it took me about 20 minutes to find the root cause of the problem. Before the issue reached me it had been open for over a week, and four different technicians with different skill sets had taken a look at it. It just goes to show that with a little technique and the right tools at your disposal you can make yourself look quite clever.