Fix High Hardware Interrupts on HP Probook 6540b

A few days back I discovered an “issue” with new installation of Windows XP on HP Probook 6540b laptops (have read reports on the internet about 6440b behaving the same). What I noticed is that after installing all the drivers from the HP website, computer appeared sluggish, especially disk operations, opening task manager was a 5 second task. The solution to this problem was to obtain the latest disk controller drivers from the Intel Website and then install a specific controller type, instead of letting Windows choose automatically. But first, time for this small disclaimer:

The steps below should be attempted after you have backed up your Windows installation and/or relevant documents, please do not attempt this procedure before doing a backup of your system. Double, triple, quadruple check that the problems I am describing here exactly match your hardware, software and symptoms observed. This procedure can damage your operating system, possibly even the hardware, this post comes with no warranties, it is not supported by HP, Intel or any other vendor as far as I know. Also this post is valid at the time of writing, new fixed drivers may appears by the time you are reading this, making it obsolete.

Symptoms and Conditions

  • Sluggish Disk performance
  • Sluggish computer performance when doing disk based operations
  • BIOS is configured to use IDE mode not AHCI mode for SATA disks (you configured for IDE because AHCI was not working)
  • Device Manager is showing a primary IDE channel device configured for PIO mode only – you cannot select UDMA mode
  • Using SysInternals Process Explorer reveals 25% CPU is Hardware Interrupts when accessing disk continuously (on an i5 cpu that is 1 core…spread over all 4 cores). Interrupts usage goes down when disk is idle.
  • Your storage controllers are detected as:
    • “Intel(R) 5 Series/3400 Series Chipset Family 2 port Serial ATA Storage Controller”
    • “Intel(R) 5 Series/3400 Series Chipset Family 4 port Serial ATA Storage Controller”
  • The Storage Controllers detected above have Hardware ID’s:
    • PCI\VEN_8086&DEV_3B2D
    • PCI\VEN_8086&DEV_3B2E

Trials and Errors

As you can see starting from the High Hardware interrupts up to device being put into PIO mode, it is clear that there is some driver issue somewhere. What you can try and watch it fail:

  • Delete disk controller devices then use scan for hardware changes so windows will reinstall drivers. After reboot you will see the problem still exists.
  • Delete disk controller devices then download latest Intel drivers, automatically choose which driver to install. After reboot you will see no changes, same device will be detected, same drivers installed.
  • Reinstall OS re-add drivers one by one, you will have the same problem.

The solution

You need to manually select a device driver to install from the driver package for Intel’s Rapid Storage Technology (I think the former name for these drivers, in general, was Matrix Storage Manager). The problem is that the drivers that come with Windows can only use PIO Mode, and the driver package from Intel does not contain the Hardware ID’s you found above. The drivers do work, to get them to work you have to either:

  1. Manually install drivers selecting a specific device driver to install
  2. Hack the driver files so they include your device ID’s (“hardcore” option, try #1 before you go there 🙂 )

Option 1 – Do a manual driver install

This works mostly after you installed the operating system. here’s what you need to do exactly:

  • Download the driver package
  • Using Device Manager delete storage controllers from the laptop
  • In Device Manager click “Scan for hardware changes“, the New Hardware Wizard appears
  • Choose don’t search Windows Update
  • Next choose “Install from specific location
  • Next choose “Don’t search I will choose driver to install
  • On the next screen click on “have disk” and point it to the location of the extracted driver files. Click OK to close driver selection. List will be populated with a bunch of devices
  • From the devices list select “Intel(R) 5 Series 6 Port SATA AHCI Controller
  • Click OK and correct drivers should install now. If you are asked to reboot, choose OK
  • After the reboot go into the BIOS, change SATA mode to AHCI. If you keep SATA mode to IDE your XP install will BSOD (the reason is you added SATA drivers to XP, and the controller talks IDE, if left unconfigured)
  • Now you should see that your devices are installed correctly and you have no more hardware interrupts. Also the Disk Controllers section in Device Manager looks different, fewer devices left there.

Option 2 – Hack the Driver files

This option is useful if you want to make a driver package for an unattended installation or just want to have a set of drivers that will work “out of the box”. What we will do in short is add a few lines of code to the files in the driver package, pointing the Hardware ID’s to the Intel(R) 5 Series 6 Port SATA AHCI Controller” we manually installed with Option 1. Here’s how to do it:

  • Extract drivers to a folder, you should have these files inside among some other txt’s:
  • Open iaAHCI.inf file for editing and search at the end of the file for the “strings” section. Look for the string “PCI\VEN_8086&DEV_3B2F&CC_0106.DeviceDesc” which matches to the Intel 5 series 6 port controller . As you can see after the DEV_ follows “3B2F”, pretty similar to our Hardware ID’s:
    • PCI\VEN_8086&DEV_3B2D
    • PCI\VEN_8086&DEV_3B2E
  • Before the DEV_3B2F line create 2 new lines where you duplicate the DEV_3B2F line, BUT you replace 3B2F with the last 4 characters from the other device ID’s (one line will have 3B2D the other 3B2E). The point is to have the Hardware ID’s of your controller point to the correct driver name.
  • Now we have to track any place in the document where “3B2F” appears and add the same text for Hardware ID’s 3B2F and 3B2E. The section you are looking for to add lines are in “[INTEL_HDC.ntx86]“, there is a line containing 3b2f, add 1 line for each Hardware ID.
  • Save iaAHCI.inf and close it
  • Update Disk Controller drivers by pointing Windows hardware wizard to your modifed .inf file

With this inf file Windows should be able to install the driver it needs without you having to select which driver to install from the list. The logic is that now Windows knows where to find the correct drivers, because the Hacked Intel Driver contains the device ID’s Windows is looking for.

Option 2+, unattended installs

This next section is about changing the TXTSETUP.OEM so you can do unattended installations using this hacked INF file. You can follow the Intel guide to injecting drivers for “F6 Install”, but you need to change the TXTSETUP.OEM file that comes with this package. Do following:

  • From the driver package Open TXTSETUP.OEM for editing.
  • In the iaAHCI.inf section look for the “Intel(R) 5 Series 6 Port SATA AHCI Controller”. To the left of that string is the text “iaAHCI_5_1”.
  • Do a search for the string “iaAHCI_5_1” in the document, you should find a section called “[HardwareIds.scsi.iaAHCI_5_1]”.
  • When found copy it and the line after it ( looks like “id = “PCI\VEN_8086&DEV_3B2F&CC_0106″,”iaStor””) 2 times. The 2 copies you can change instead of being 3B2F to 3B2D and 3B2E respectively.
  • In the end you should have 3 “hardwareIDs” sections, 1 with 3B2F, the original and the other 2 Hardware ID’s you need.
  • Save and close TXTSETUP.OEM.
  • Follow Intel’s “F6 install” procedure to deploy Windows XP using these modified files (all the files in the package + modded iaAHCI.inf and TXTSETUP.OEM)
  • You must configure BIOS to use AHCI mode, drives will not work with IDE mode (didn’t for me)

Phew, this was a long and “hard” post. I hope the general idea is clear:

For installing from windows just make sure to select the controller I mentioned (the 6 port device) when doing the complete manual install.

For the hacked inf and OEM files double check and triple check the changes you are making. the point is to add the HW ID’s to the INF file, so it will install the drivers the same way as for the Hardware ID ending with 3B2F.

My best guess is that this mess-up is due to some slightly different versions or ID’s being stamped erroneous onto the controllers when they were shipped. I hope this was helpful, please report back any mistakes you notice.

Restrict USB Storage Devices on Windows XP

This is one of those topics that are probably on the top 10 to do’s of anyone’s list when it comes to securing their Windows desktops. Whether it is plain dictatorship, security/confidentiality concerns/requirements, unpatched OS’s, weak/no AV solutions, the golden POLP (Principle Of Least Privileges) may force you to come up with a solution to this problem. If you are using anything else (XP, 2000, 2003 Server) except the newer versions of Windows (Vista, 7) which allow you to do this via a GPO setting, you are out of luck, there is no GPO setting or quick-fix that works.

As a short history, I went through CIA documents that were published (can’t find them anymore), Forums, Microsoft KB’s, Whitepapers, and finally came up at the other end of the tunnel with a working process.

The goal is to devise a process of denying access to USB Storage that meets following criteria:

  • Must be implemented at OS level
  • Must be deployed scripted/automatically and/or via GPO
  • Must not cripple other OS functionality (e.g. installing printer/scanner drivers)
  • Must be fully reversible by Administrators only
  • Must be working regardless if USB Storage was used before the process is put in place

The solution – explained

For disabling USB Storage there are 2 situations to cover:

  • No USB storage ever installed, user must not be able to install device
  • USB storage was previously installed by user or admin, user must not be able to use USB Storage again

Both scenarios are covered in these 6 steps:

  1. Copy usbstor.inf, usbstor.pnf, usbstor.sys to their default locations, as if a USB storage device would be installed.
  2. Restrict access to the 3 files mentioned above. We will use an implicit DENY for the local “SYSTEM” Account for these files.
  3. Remove Registry Keys that handle USB Storage device startup: HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR and HKLM\SYSTEM\ControlSet001\Services\USBSTOR and HKLM\SYSTEM\ControlSet002\Services\USBSTOR
  4. Replace USB Storage related registry keys with specially crafted keys that disable startup of the USB Storage driver
  5. Apply an implicit DENY for the local SYSTEM Account on the Registry Keys mentioned above
  6. Insert USB Storage device, wait for it to be detected by OS and marvel at the fact it won’t let you install the device 🙁 🙂

For enabling USB Storage these steps must be taken from an Account that is member of the Administrators Group

  1. Remove restrictions placed on the ubstor.* files.
  2. Remove following specially crafted Registry Keys: HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR and HKLM\SYSTEM\ControlSet001\Services\USBSTOR and HKLM\SYSTEM\ControlSet002\Services\USBSTOR
  3. Remove restrictions placed on the registry keys from above
  4. Delete incompletely installed USB storage devices fron Device Manager and Reboot Computer
  5. Insert USB Storage device, wait for it to be detected by OS/go to device manager and refresh device list and marvel at the fact it works 🙂

Implementation – explained

For implementing this in a scripted manner we will use batch scripting, I’m going for a low level approach, assuming you don’t have vbs / powershell on hand, vbs would be rather complicated anyway and Powershell is not installed by default on the OS. You do have some prerequisites:

  • reg.exe (available by default on XP)
  • A network share
  • set-acl (open source utility – get it, copy to a network share of choice and be happy it exists)

Disabling USB

  • The 3 usbstor files mentioned earlier, 2 are available by default (usbstor.inf and usbstor.pnf) under %WINDIR%\inf. The 3rd, usbstor.sys, unless a usb storage device was previously installed is not present. Find it under %WINDIR%\Driver Cache\i386\ or the other cab files there. Extract it from the cab file to the network share.
  • The piece of code that disables USB is written below, but requires that set-acl, the specified .txt, .reg, usbstor.sys files be present in the same directory from which it is executed
::Copy ubstor.sys
xcopy /R /H /Y %CD%\usbstor.sys %windir%\system32\drivers

::Secure USBSTOR.* files with ACE (only Local Administrators Full Control, local "SYSTEM" denied Full Control)
SetACL.exe -on "c:\windows" -ot file -actn restore -bckp "%CD%\usbstor_ACL.txt"

::Delete settings related to USBSTOR Service
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /f

::Add special crafted registry keys
regedit /s "%CD%\disable_usb.reg"

::Secure keys from above with ACE (only Local Administrators Full Control, local "SYSTEM" denied Full Control)
SetACL.exe -on "hklm\SYSTEM" -ot reg -actn restore -bckp "%CD%\HKLM_ControlSet.txt"
  • Line 5 of the code uses a file that contains a specially formatted ACL applicable to the 3 usbstor files. To generate a different ACL, use the syntax below for each file you are interested in. When you are finished you can merge all text files in a single text file and add it to the script.
SetACL.exe -on "c:\windows\inf\usbstor.inf" -ot file -actn list -lst "f:sddl;w:d,s,o,g;s:b" -bckp "%CD%\usbstor_inf_ACL.txt"
  • REG command is used to delete any data that may exist in the specified registry keys (think previous installed USB Storage)
  • Once the Registry is clean of the keys, we then push a customized reg file (find it at the end of the post), that essentially changes this:

USBSTOR driver points to the file you defined (usbstor.sys, that you just set a restrictive ACL on)

DeviceCount equals zero 🙂

DeviceStartUp Type is set to Disabled (more details here)

Other standard settings for that key

  • Line 16 of code, similar to the ACL for USBSTOR Files, configures the security for the registry keys we added. To customize the ACL, change it to your liking then export the ACL using the command below and update the batch code to include it.
SetACL.exe -on "hklm\SYSTEM\CurrentControlSet\Services\usbstor" -ot reg -actn list -lst "f:sddl;w:d,s,o,g;s:b" -bckp "%CD%\HKLM_CurrentControlSet.txt"

Enabling USB

This is just a question of reversing the changes made by the Disabling process. The following piece of code does just that:

::enable inheritance of permissions
SetACL.exe -on "c:\windows\inf\usbstor.inf" -ot file -actn setprot -op "DACL:np;SACL:np"
SetACL.exe -on "c:\windows\inf\usbstor.pnf" -ot file -actn setprot -op "DACL:np;SACL:np"
SetACL.exe -on "c:\windows\system32\drivers\usbstor.sys" -ot file -actn setprot -op "DACL:np;SACL:np"

::clear any non-inherited ACE
SetACL.exe -on "c:\windows\inf\usbstor.inf" -ot file -actn clear -clr "dacl,sacl"
SetACL.exe -on "c:\windows\inf\usbstor.pnf" -ot file -actn clear -clr "dacl,sacl"
SetACL.exe -on "c:\windows\system32\drivers\usbstor.sys" -ot file -actn clear -clr "dacl,sacl"

::deleting custom Registry Keys
REG DELETE HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR /f
  • As you can see we are enabling inheritance of permissions, clearing any ACE defined explicitly on that object (the ones we pushed actually) and removing the Registry keys we also pushed. Make sure the user running this enabling process has rights to change these objects (in our case he is member of the Local Administrators Group)
  • After this is done manually clean it of any hidden installed USB Storage devices and reboot the computer. After the reboot replugging the device should allow you to install and use it again.

Phew, this was also a long post, but believe me, reaching this compressed format was a lot of work :).

Now I’ve attached this zip file containing the contents of what I’ve been talking about, it should be usable out of the box.

There is also there question I guess of securing these files so that they apply to users but users can’t get to them to “help themselves”, but that is another topics for another post perhaps.

As always any feedback is welcomed.