VMware Communities
sbsyncro
Contributor

NTVDM.exe process maxing out CPU

After a bit of research it looks like this is a Windows process for running 16-bit (DOS) programs under NT variants (Win2K, XP, WinNT). When I boot my VM, I am getting a DOS command window in the foreground with the title C:\Windows\System32\userinit.exe

There is nothing being displayed in this command window (just a flashing cursor), but while it is open, there is a process "ntvdm.exe" that is consuming 99% of the CPU continuously.

If I kill the DOS window by clicking the red "X", I get an "End Program" pop-up confirmation, to which I click "End Now". Once I do this, the NTDVM.exe process disappears from the task list

What 16-bit process is trying to run when Windows is booting?

I cannot get Windows to run reliably under VMware yet, and this seems to be the culprit...

6 Replies
RiteshK
Enthusiast

Hi,

Are you sure it is NTVDM.exe or NTDVM.exe? If it is NTDVM.exe, then it means your PC is infected. Ntdvm.exe is a Trojan/Backdoor.

Kill the process ntdvm.exe and remove ntdvm.exe from Windows startup.

If it is NTVDM.exe (ntvdm.exe is a process that belongs to the Windows 16-bit Virtual Machine. It provides an environment for a 16-bit process to execute on a 32-bit platform. This program is important for the stable and secure running of your computer and should not be terminated.)

You can also have a look at the link below:

http://www.file.net/process/ntvdm.exe.html

Message was edited by: RiteshK

sbsyncro
Contributor

It is definitely ntvdm.exe, the Windows process for running 16-bit apps

vvegas
Enthusiast

There are several possibilities for this problem, but I don't think any of them relate to Fusion. But do provide the details of your system - version of Fusion, Guest OS, service packs applied, etc.

You should also consider the time it will take to diagnose/troubleshoot/repair this problem versus backing up your data and building a new guest OS.

Is this guest part of a domain? If so, check with the admin if they are using any script tools like Scriptlogic, which may cause this command prompt box.

I would do a full antivirus and spyware/malware scan. userinit.exe is commonly targeted.

WoodyZ posted the following in another forum post dealing with userinit.exe:

When logging into Windows by default, Winlogon runs Userinit.exe, which runs logon scripts, reestablishes network connections, and then starts Explorer.exe, the Windows user interface, and in the Windows Registry it is located at "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit" and its value is "C:\WINDOWS\system32\userinit.exe,". Note the comma after the .exe, and what this means is it supports multiple executables before or after the userinit.exe as long as they are separated by the comma. This Registry Key is a known target for viruses, malware, spyware, etc. and without verifying what the value of the Registry Key is and that the program it's pointing to is legitimate I would have to examine the system myself to further diagnose.

Anyway, if I had that happen I'd be booting the system, physical or virtual, with a Live OS CD/DVD/ISO Image that contained the tools necessary to examine that Registry Key and verify it is only pointing to "C:\WINDOWS\system32\userinit.exe," and that the target file is legitimate. If one knows what they are doing and has the right tools this is very easy to check; however, if you don't fall into this category then it's a pain in the neck to deal with, so you could use VMDKMounter to mount the Virtual Machine's virtual hard drive to recover any user data and then build a new Virtual Machine. You can also try a repair install of the Guest OS; however, that too requires additional steps beyond what's documented in the VMware Fusion Help File to accomplish. However, it's been covered many times in the forum, so searching the forum you should be able to find how to do a Windows XP Repair Install, or Google it too.

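The registry check described in the quoted WoodyZ text above, as an added example that is not part of any post in this thread: it splits the Winlogon Userinit value on commas and reports anything other than the single expected entry. The function names and the sample values are constructed for illustration; the expected path is the one quoted in the post.

```python
import ntpath

# Default value quoted in the post (without the trailing comma).
EXPECTED = r"C:\WINDOWS\system32\userinit.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def _norm(path):
    # Windows paths are case-insensitive; ntpath works on any OS.
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def audit_userinit(value, expected=EXPECTED):
    """Return a list of findings for a Userinit value; empty means clean.

    Entries written with environment variables are not expanded, so they
    are reported for manual review rather than silently accepted.
    """
    want = _norm(expected)
    findings, seen_expected = [], False
    for entry in (e for e in value.split(",") if e.strip()):
        norm = _norm(entry)
        if norm == want:
            seen_expected = True
        elif ntpath.basename(norm) == ntpath.basename(want):
            findings.append("userinit.exe outside system32: " + entry.strip())
        else:
            findings.append("extra executable: " + entry.strip())
    if not seen_expected:
        findings.append("expected userinit.exe entry missing")
    return findings


def read_userinit():
    """Read the live value from HKLM (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    samples = [
        r"C:\WINDOWS\system32\userinit.exe,",
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\temp\x.exe",
        r"C:\WINDOWS\userinit.exe,",
    ]
    for sample in samples:
        print(sample, "->", audit_userinit(sample) or "OK")
```

A clean result only confirms the value itself; whether the userinit.exe file on disk is legitimate still has to be checked separately, as the quoted text says.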
sbsyncro
Contributor

Thanks vvegas,

I think you might be onto something with the question about the domain membership - I did just join my vm to a domain, and since I am out of the office right now, the login script might be calling resources that are not accessible... I'll check on that

If this fails, I think I'll be reinstalling everything (and snap-shotting every step of the way!)

sbsyncro
Contributor

OK, I seem to have resolved this problem. Apparently some Windows files must have become corrupted or got deleted, or something else went wrong while installing SP3 or Office. I dug out my CD for Windows XP Pro SP2 and then opened up a command window and used SFC /scannow

After completing a full scan (while I was out doing stuff) it did not throw any errors, but all seems to be working normally now (very slow boot times, but hey, it's Windows, after all...) :)

sbsyncro
Contributor

Used SFC /Scannow command in DOS window to run a full scan of the file system. It seems to have done the trick
