I like the fact that Microsoft is NOT using OneCare for its employees:) . Also I find your articles where you troubleshoot stuff very interesting.

Brilliant diagnosis!!!

Mark, we've seen that problem before as well when we're trying to compress files for our nightly polling process on our XP machines.  They're used as POS terminals and have McAfee Virusscan loaded.  We kept getting sites that failed polling or had corrupt files until we figured out that McAfee was trying to open the files and scan them at the same time our polling process was running.  McAfee has yet to fix the bug in their app, so we just set an exclusion on the folder as well.

As always - excellent write-up.

BTW

http--blogs.technet.com-photos-markrussinovich-images-1702272-original.aspx

is broken. No picture there!

Wow, that sucks. Note to self: Don't compress directly to remote network shares!

Now that you work at Microsoft, I presume you get to look at the source code, so you can see the actual offending code. Do you file bugs against Windows when you find such issues?

I had almost exactly the same issue with WinRAR at most of the workstations at university labs. Whenever i asked it to compress a given setof files, it returned a dialog saying "no files to compress". There was a workaround to that which some students invented, but having read your case study of windows compression, i hope i will be able to address the issue downright :) Im an avid user of process explorer and process monitor at my home mostly using it to check activity of my PC and my software projects, though now you have given me an insight into how to troubleshoot with your magical softwares:) I wish i could attend your presentations on 14th/16th but im just like.... 10,000 miles away :( I hope we cud get a recording of it or notes online (youtube anyone?)

Thanks Mark, that was very informative.  I love those kind of examples as I'm an avid user of all your tools.  Cheers.

Sorry for the grammar pedantry: "bared a closer look" should be "bore a closer look".

Hi Mark,

A couple of remarks caught my attention:

"Antivirus should be invisible to the system, so the error revealed a bug in eTrust."

and your observation that the bug was fixed in a later release.

I am curious as to what APIs are available to AV software to allow it to open or otherwise access files without interfering with the operation of other applications? We are a software vendor and some of our customers have reported issues where AV software interferes with our software in a similar way to the scenario outline above. Eventually we resorted to retrying file opens a certain number of times when access violations were encountered.

Any further insight into this issue would be valuable.

I always install Total Commander as the first program after a clean install and never, ever, use Explorer for anything filerelated. Will not start in the near future either by the looks of things...

BR

I don't know if this is Mark's blog so much as Process Explorer's blog. :P

Try winzip. It works great.

Even with "fewer" file operations, it will still be no where as fast as winzip.

Hello, dear Mark !

First, i thank you very much for your Sysinternals Suite - it's very useful toolset for almost every Russian sysadmin.

Now are the questions:

1) If i have a tree full of zero-filled files (like ones created by p2p clients but not yet completed with download), how can i make them all sparse and reclaim zero-filled space until completion ?

2) How can i tell the system to create ALL future files under given folder as sparse ?

3) What archiver can compress and extract sparse files without "unrolling" them ?

If where is no easy way to do so, may you write one more utility for your awesome suite ? All p2p users will be thankful for you !

Interesting analysis, as usual.  Thank you for sharing it!

Regarding the astounding inefficiency of Explorer's ZIP compression, I rather optimistically ascribed it to MS throwing a bone to the likes of those who sell WinZip and WinRAR.  "Why should I buy your software when I could just use what's built into Windows?"  "Because that stuff is horribly slow - just try compressing more than a handful of files.  You'll be there all day!"

It is interesting to hear that this problem might actually be solved in Vista SP1.

This is great! You use procmon so well. Can you please tell me where can I get more information on the actions generated in the "Result" by procmon? For example, NAME NOT FOUND, SHARING VIOLATION, NAME COLLISION. It would be great if the information on these topics are in-depth.

Thanks...

Mark, you are great as usual.

Now, what about the version of Zipfldr.dll you were using and the new Vista SP1 Zipfldr.dll?

Do you know if MS is going to fix it in XP SP2c as well?

Hello Mark,

       I'm a regular visitor to your blog and a big fan of all your work! I would love to see more crash dump investigations.

Thank You!

Excellent blog and toolset, thank you - I must use ProcMon more frequently, but get a bit overwhelmed by the mass of info, so FileMon is still my regular file i/o spy. Interesting that although Explorer is reporting the excessive file i/o, it is the compression program which is inefficient. I had similar probs trying to convince a software supplier that it was their product and not the Windows DLL which was inefficient. I'm sure many programmers curse the Russinovich file i/o tools for exposing their shoddy coding.

For the record, Microsoft does in fact use its own antivirus software... just not OneCare, per se.  

OneCare is a consumer product, in the same way that "Norton Antivirus 2008" is for home users.  The corporate product is known as "Forefront Client Security", which is analogous to "Symantec Antivirus Enterprise Edition" and is in heavy rotation throughout Redmond across 30,000+ systems.

So why is Mark using eTrust still?  Well, most of the people outside of Redmond aren't using FCS yet.  It's just not deployed everywhere yet as it was RTMed just earlier this year, and it's not likely that Microsoft will ever use it's own AV/AS exclusively being that eTrust is doing the job well and in technologies like these Microsoft often uses multiple products, in the same way that there are HP, Dell, IBM, and Toshiba computers in rotation within IT.

On my work computer Innoculate Kill is also used as the default anti-virus program, which is a quite old version. It also interferes with Visual C++ 6.0 (file share violation) and Recycle Bin (refreshes a lot). It's quite interesting.

Second vote for 7-Zip. Free, open source, handles RAR files, and so much faster than the ZIP capability built in to Windows.

http://www.7-zip.org/

> to still give vendors like WinZIP or WinRAR a reason to sell their product

...and 7-zip/jZip are evil monsters to wipe them out :-)

I think, no one would care about built-in archiving speed, it is not big problem novadays. The fact that only ZIP is supported in Windows of all the compression formats - that is main advantage of 3rd party vendors