
A program crashing overnight can be difficult to diagnose. We'll start by looking at what programs are running, and starting, when you're not around.

For the past week, something starts running after midnight and it causes the blue "screen of death" - is there a way of trying to find out what is starting up at that time?

A couple of approaches come to mind.

We can certainly look at the Task Scheduler to see if there's something specific that has been configured to run at the time you're concerned about.

But that's limited to scheduled tasks.

So I'll describe an approach that will log all the software starting on your machine - at least, as long as you have a Windows edition better than "Home".

Task Scheduler


Windows includes a comprehensive task scheduling feature that, honestly, I wish more programs would use instead of leaving small applications running constantly.

It can also be used to schedule tasks to run at specific times every day. For example, I use it to run a script on each of my computers overnight so that they copy a bunch of data around my network for backup and synchronization while I'm not using the machines.

In the Windows 7 Control Panel, click on System and Security, and then Schedule Tasks to fire up the Task Scheduling applet:

Windows 7 Task Scheduler

In Windows XP, the tool is somewhat simpler, and accessed via Control Panel, Performance and Maintenance, Scheduled Tasks.

Windows XP's scheduled tasks

In XP the list of scheduled tasks, and the times they're set to run, is visible right away.

In Windows 7, just expand the items in the left hand column and click on each to see the assorted scheduled items associated with each:

Windows 7 Task Scheduler showing a task

In either case, you can see which programs are scheduled to run. If one happens to be scheduled for shortly before the time you're interested in, then perhaps that's the culprit.
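The same scheduled-task review can be done from the command line so the tasks can be sorted by when they fire next. This is an added example, not from the original article; it assumes Windows 7 (or Vista) with schtasks.exe and an elevated PowerShell prompt, and uses the column names schtasks itself prints in verbose mode.

```powershell
# Added example (not from the article): dump every scheduled task with the time
# it will next run, so tasks that fire near the crash time stand out.
# Assumes Windows 7/Vista with schtasks.exe; run as an administrator so tasks
# owned by other accounts are included. Column names are schtasks' own /v names.

# schtasks can emit verbose CSV, which PowerShell turns into objects.
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.HostName -ne 'HostName' }   # drop repeated header rows

# Keep only tasks that actually have a next run scheduled, and parse the time.
# Disabled tasks or ones with "N/A" fail the parse and are skipped.
$scheduled = foreach ($t in $tasks) {
    $next = $null
    if ([datetime]::TryParse($t.'Next Run Time', [ref]$next)) {
        New-Object PSObject -Property @{
            NextRun = $next
            Task    = $t.TaskName
            Command = $t.'Task To Run'
            RunAs   = $t.'Run As User'
        }
    }
}

# Earliest upcoming run first; anything due shortly before the crash time is a candidate.
$scheduled | Sort-Object NextRun | Format-Table NextRun, Task, RunAs, Command -AutoSize
```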

Just Audit What Runs

Both XP and 7 (and Vista, of course) include the ability to audit and log what programs start up and when. The downside is that the interface to manage this logging is not available in the "Home" versions of Windows.

Warning: Process tracking can slow your machine down, so you definitely don't want to leave it on all the time. That being said, it's a handy tool to answer that "what the heck is running?" question, overnight or at other times.

To turn on process auditing (both versions of Windows):

  • Open the "Run" dialog box - easiest is to hold down the Windows key and type R.

  • Enter gpedit.msc and press OK. This is the group policy editor.

  • Once the Group Policy editor is up and running, expand Computer Configuration, Windows Settings (by clicking on the boxed plus sign or triangles to its left).

  • Expand Security Settings, then Local Policies and then click on Audit Policy.

That should have you at something looking much like this:

Windows 7 Audit Process Tracking

(That's Windows 7; Windows XP looks similar.)

  • Double click on Audit process tracking.

  • Check the box labeled Success for Audit these attempts.

Windows 7 Audit Process Tracking Option

"OK" your way back out and you're good to go.

Let that run overnight. Perhaps set it up just before you go to bed, so it doesn't slow down your work beforehand.

Event Viewer

The tool to look at the results is Event Viewer. It's a mess, but we can extract the information we need.

Run "eventvwr", and then in the Windows Logs, click on the Security log:

Windows 7 Event Viewer looking at Process Auditing Events

What you will find is a log full of security audit entries; lots of security audit entries. In this example, I've highlighted an entry that resulted from my opening a Windows Command prompt - "cmd.exe".

I think you'll be surprised at how much software is coming and going, even when the system is "doing nothing".

Your job now is to look through these just prior to the crash to see what was running, what was starting and so on.

One caveat: after all this, what you're looking for may not be there. (But I think it will.) The problem is that ... well ... your system crashed. If the crash happens right as some program is being started, we're assuming that the system has had enough time to actually write the event to the event log. One of the reasons event logging slows down your system, I believe, is that it likely takes extra steps to ensure that the log is updated and on disk each time it writes an entry.
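Rather than scrolling the Security log by hand, the process-creation entries in the window before the crash can be pulled out with PowerShell. This is an added example, not from the original article; it assumes Windows 7 (or Vista), where a successful "Audit process tracking" entry is event ID 4688 (XP logs ID 592 and lacks Get-WinEvent), an elevated prompt, and a crash time you fill in yourself. It also checks for the empty-window case the caveat above describes.

```powershell
# Added example (not from the article): list process-creation audit events
# from the Security log in the window leading up to a crash. Assumes Windows 7
# (or Vista), where "Audit process tracking" success events are ID 4688;
# Windows XP logs ID 592 and would need Get-EventLog instead of Get-WinEvent.
# Run from an elevated PowerShell prompt (reading the Security log needs admin).

param(
    # When the machine was found crashed or rebooted; default is 00:30 today.
    [datetime]$CrashTime = (Get-Date -Hour 0 -Minute 30 -Second 0),
    # How far back before the crash to look.
    [int]$MinutesBefore = 30
)

# Pull one named field out of the event's <EventData> XML.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Sanity check: auditpol is the command-line view of the gpedit Audit Policy setting.
auditpol /get /subcategory:"Process Creation"

$start = $CrashTime.AddMinutes(-$MinutesBefore)

# Only 4688 ("A new process has been created") events inside the window.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $start
    EndTime   = $CrashTime
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No process-creation events between $start and $CrashTime."
    Write-Host "Either auditing was off, or the last entries never reached disk before the crash."
    return
}

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Process = Get-EventField $e 'NewProcessName'
        User    = Get-EventField $e 'SubjectUserName'
        Parent  = Get-EventField $e 'ProcessId'   # PID of the creating process
    }
}

# Newest first, so the last things started before the crash are at the top.
$rows | Sort-Object Time -Descending | Format-Table Time, User, Process, Parent -AutoSize
```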

Article C4539 - November 10, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


4 Comments
Bob.
November 11, 2010 7:08 AM

Hi Leo. It seems that you are the new target for spammers - every new article since the 8th has had a spam-sell message on it.

Actually once a day, 7 days a week, my assistants scan all newly posted comments and remove spam. That means that spam could live for up to around 24 hours.
Leo
11-Nov-2010

Lloyd Drinen
November 16, 2010 4:49 PM

RUNNING WINDOWS 7. Just thought I would check out my Task Scheduler and I get:
task BackgroundConfigSurveyor: The task image is corrupt or has been tampered with. Can this be fixed?
I can still see what is scheduled to run.
Thanks. Lloydtml

I'd have you try the System File Checker: What is the System File Checker, and how do I run it?
Leo
17-Nov-2010

Siegfried
November 16, 2010 9:44 PM

I use autoruns.exe for scheduled tasks, just untick.

Peter
November 18, 2010 10:24 AM

Hello Leo,

From time to time I also encounter problems with the Black Screen of Death. For that I use the free program 'BluescreenView' of Nirsoft (http://www.nirsoft.net/utils/blue_screen_view.html).
It scans all the minidump files created during 'blue screen of death' crashes, and displays the information about all crashes in one table. It marks the drivers whose addresses were found in the crash stack, so you can locate the suspected drivers that possibly caused the crash.
It's not a solution for every problem but at least it gives you a clue which driver could be suspicious.
Peter
