Mark III Systems Blog

Mark III Tips: Identifying Common Causes of Hangs, Crashes and Freezes in Windows

Windows is one of the most popular operating systems on the planet today with a daily estimated usage of about 1.5 billion users globally, and this number continues to climb.  Over the years, Microsoft has released quite a few major Windows editions from MS-DOS, Windows 3.1, NT, 2000, XP, 8.1 to the latest Windows 10, which has proven to be one of the most successful in recent years.

But no matter how successful, well developed, clean, and well-maintained an OS is, over time a computer can suffer from system failure due to system critical errors and application conflicts from programs installed.

System administrators spend much of their time analyzing and troubleshooting Windows crashes and application hangs on a regular basis, which also is the most common source of user disruption when working with Win32/Win64 applications.

There are many different causes for application crashes and hangs, and not all of them manifest in an unresponsive UI. However, an unresponsive UI is one of the most common hangs reported which also tends to receive the highest number of support calls for both detection as well as recovery internally within an organization and externally.

Performing a root cause analysis can be extremely challenging and often requires an extensive knowledge of the underlying OS; knowing how the application was developed and integrated with the OS often requires a Windows expert with multiple technical skills including, but not limited to Kernel System Files, DLL, COM objects, WMI, Registry, .INI, Environment Variables, .NET are just a few key components to consider while troubleshooting.  In addition, other factors to consider are intensive application processes, memory leaks, applications conflicts, malware, and viruses, which can contribute to a non-responsive application UI, crashes, and hangs.

Regular system maintenance such as security patches, antivirus definition updates, and system clean up should improve the health of a system and prevent it from crashes.  However, sometimes maintenance can actually have an adverse effect, if not planned well.

WhatIsHangs? An Administrator & Developer Troubleshooting Software Best Friend

WhatIsHangs? from Nifsoft, is a small but useful application designed to help administrators and developers identify the potential causes when crashes and application hangs occur.

The detailed reports provided regarding Call Stack, Stack Data, Process Registers and Memory Data are designed to help administrators and developers to determine the actual cause which contributed to the application crash or hang.

In addition, a list of .DLL files and related strings generated by WhatIsHang can be extremely useful for the administrator and developer to determine the actual cause.

When Windows or a running application hangs, the user interface abruptly stops responding, and you cannot determine what has caused the problem or how to troubleshoot the issue.

This utility tries to detect the software or process that is currently hung and displays helpful information that may allow you to sort out and understand what exactly is at the root of such unexpected behavior.

How to use WhatIsHang?

WhatIsHang is required to be in an active mode to process, monitor and display information for the hung application. Once it detects a hung application, from the upper pane, a user needs to select the desired process name from the list and press F9.

WhatIsHang will then inspect the hung application and display all relevant information in the lower pane.

If WhatIsHang unable to detect any hung application, the upper pane will be empty, until any hung software is detected. See sample text report displayed below:

Understanding the WhatIsHang Reports

First, you should be aware that there are 2 types of hung problems:

1- The program hangs in a single system/Kernel/API call. This means that the program requests to do something from the OS (like opening or reading a file) but the OS function does not return and thus causes the program to hang.

2- The program hangs because there is an infinite loop, very long loop, or recursive calls. When WhatIsHang detects the first hang problem, the report will contain only one system call snapshot. When WhatIsHang detects the second hang problem, the report will contain 3 snapshots of 3 random execution points.

Here is some information about every section of the WhatIsHang report:

  • Remarks: This section displays general hints that may give you a first impression of what might be wrong with the hanging problem. The first remark always specifies the type of the detected hang problem - whether it is a single system call problem or infinite loop/very long loop problem. Additional remarks might be displayed according to the call stack of the hang problem. For example, if a filename on a remote computer is detected, WhatIsHang will display a warning that this network access might cause the problem.
  • Strings found in the stack:WhatIsHang collects the strings from the calls made by the hang program and displays them in this section. These strings might give you a clue of what is wrong in the hang program.
  • Modules found in the stack:This section displays the list of DLL files found in the calls made by the hang program. It might be especially useful for hang problems of Windows Explorer, because if the problem is caused by 3-party software, you will probably find the DLL of the problematic software in the list.
  • Execute Address (For Programmers):The execution memory address that the hang problem was detected.
  • Call Stack (For Programmers):Displays the calls found in the stack, like every debugger software does.
  • Stack Data (For Programmers):Displays values, addresses, and string points found in the stack.
  • Processor Registers (For Programmers):Displays the current values of the basic processor registers (ECX, EBX, EAX etc.…)
  • Memory Data:WhatIsHang collects the memory content of all valid memory pointers found in the calls of the hanging program. This section displays all memory data found by WhatIsHang in 'Hex Dump' format, and it might give you more clues of what might cause the hang.
  • All Threads:This section simply displays the list of all threads found in the hang program.

 All Threads Report

There is a new experimental report that displays information about all running threads instead of showing only the main user interface thread that stopped responding.

This type of report might be useful when multiple threads are involved in the hanging problem (Example when the main user interface thread waits for another thread to complete).

You can get this report by pressing Ctrl+F9, be aware that this report might be very large on multithreaded applications.

Translating WhatIsHang to other languages

To translate WhatIsHang to other languages, follow the instructions below:

1- Run WhatIsHang with /savelangfile parameter: exe /savelangfile
A file named WhatIsHang_lng.ini will be created in the folder of WhatIsHang utility.

2- Open the created language file in Notepad or in any other text editor.

3 - Translate all string entries to the desired language. Optionally, you can also add your name and/or a link to your Web site. (Translator Name and Translator URL values) If you add this information, it will be used in the 'About' window.

4- After you finish the translation, Run WhatIsHang, and all translated strings will be loaded from the language file. If you want to run WhatIsHang without the translation, simply rename the language file, or move it to another folder.

In a VDI and Non-VDI environment running the WhatIsHang utility, another useful piece of software that can be extremely helpful when there is a need to monitor and identify what has changed to a computer, especially when a new application is installed, is a utility called InstallWatch Pro.

With a Before and After snapshot, this tool is particularly useful in identifying Systems Files and Registry Changes, Added, Deleted & Modified.  A well-thought-out exported option for HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER is also available for added convenience.

InstallWatch Pro

  • Files and locations that this application installed

  • Exported Registry Feature for added convenience


The software above and referenced is provided "AS IS" without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential, or indirect damages due to loss of data or any other reason.