Channel: Sysinternals Forums

Autoruns : AutoRuns Compare - All entries green

Author: BillL
Subject: AutoRuns Compare - All entries green
Posted: 31 March 2014 at 8:15pm

Hi,
 
As part of our Compliance procedures we run AutoRuns each month after applying the monthly MS patches. We then compare the current run to last month's run and check for differences. Normally when we do the compare a few green entries show up, such as the virus definition files that have changed. This month every entry is green. The timestamps on the files look normal, like the files have not been changed.
 
I've tried this with both version 11.70 and 11.21 and get the same results.  The server is running Windows Server 2008 R2.
 
Anybody else experience this?
 
Thanks.
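The monthly routine described in this post (export the autostart entries, keep last month's export, look for what differs) can be scripted so the review keys on the entry itself rather than on every column. The following is an added example, not code from the post or from Sysinternals: it assumes exports produced with autorunsc.exe -a * -c -h and the column names Entry Location, Entry, Image Path, Enabled, Launch String and SHA-256 (check them against the header row of your own export). The two CSV exports embedded below are constructed for illustration.

```python
"""Diff two Autoruns CSV exports (baseline vs. current) for a monthly review.

Added example; not code from the forum post or from Sysinternals. It assumes
exports made with ``autorunsc.exe -a * -c -h`` and the column names below;
adjust them to match the header row of your own export.
"""
import csv
import io

# Columns that identify one autostart entry (assumed header names).
KEY_COLUMNS = ("Entry Location", "Entry", "Image Path")
# Columns whose change makes an entry "changed". The Time column (last write
# time of the hosting key) is deliberately left out: a key being rewritten
# with identical content is not something this review wants flagged.
WATCH_COLUMNS = ("Enabled", "Launch String", "SHA-256")


def load_autoruns_csv(text):
    """Parse CSV text into {key tuple: row dict}; later duplicates win."""
    reader = csv.DictReader(io.StringIO(text))
    return {tuple(row.get(c, "") for c in KEY_COLUMNS): row for row in reader}


def compare_autoruns(baseline_text, current_text):
    """Return {'added': [keys], 'removed': [keys], 'changed': [(key, diffs)]}."""
    base = load_autoruns_csv(baseline_text)
    cur = load_autoruns_csv(current_text)
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    changed = []
    for key in sorted(set(base) & set(cur)):
        diffs = {c: (base[key].get(c, ""), cur[key].get(c, ""))
                 for c in WATCH_COLUMNS
                 if base[key].get(c, "") != cur[key].get(c, "")}
        if diffs:
            changed.append((key, diffs))
    return {"added": added, "removed": removed, "changed": changed}


def format_report(result):
    """Render the comparison as plain text lines for the compliance record."""
    lines = []
    for key in result["added"]:
        lines.append("ADDED   %s | %s | %s" % key)
    for key in result["removed"]:
        lines.append("REMOVED %s | %s | %s" % key)
    for key, diffs in result["changed"]:
        what = ", ".join("%s: %r -> %r" % (c, old, new)
                         for c, (old, new) in sorted(diffs.items()))
        lines.append("CHANGED %s | %s | %s (%s)" % (key + (what,)))
    return lines or ["No differences."]


# Constructed sample exports: the Time column differs on every row, the AV
# definition driver got a new hash, and one new Run entry appeared.
BASELINE_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Image Path,Launch String,SHA-256
3/3/2014 1:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AVAgent,enabled,Logon,c:\program files\example av\agent.exe,"c:\program files\example av\agent.exe /tray",1111
3/3/2014 1:00 AM,HKLM\System\CurrentControlSet\Services,ExampleSvc,enabled,Services,c:\windows\system32\examplesvc.exe,c:\windows\system32\examplesvc.exe,2222
3/3/2014 1:00 AM,HKLM\System\CurrentControlSet\Services,AVDefs,enabled,Drivers,c:\program files\example av\defs.sys,System32\drivers\defs.sys,3333
"""

CURRENT_CSV = r"""Time,Entry Location,Entry,Enabled,Category,Image Path,Launch String,SHA-256
4/2/2014 1:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,AVAgent,enabled,Logon,c:\program files\example av\agent.exe,"c:\program files\example av\agent.exe /tray",1111
4/2/2014 1:00 AM,HKLM\System\CurrentControlSet\Services,ExampleSvc,enabled,Services,c:\windows\system32\examplesvc.exe,c:\windows\system32\examplesvc.exe,2222
4/2/2014 1:00 AM,HKLM\System\CurrentControlSet\Services,AVDefs,enabled,Drivers,c:\program files\example av\defs.sys,System32\drivers\defs.sys,3334
4/2/2014 1:00 AM,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,c:\users\public\updater.exe,c:\users\public\updater.exe,4444
"""

if __name__ == "__main__":
    # Real exports are typically UTF-16 text: open(path, encoding="utf-16").read()
    for line in format_report(compare_autoruns(BASELINE_CSV, CURRENT_CSV)):
        print(line)
```

Run against the constructed data the report lists one ADDED entry (Updater) and one CHANGED entry (AVDefs, new SHA-256), while the unchanged rows stay quiet even though their Time column differs. Keeping the Time column out of WATCH_COLUMNS is a design choice: a review that compares every column will flag an entry whenever its hosting key is rewritten, which says nothing about the autostart itself.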

Autoruns : AutoRuns Compare - All entries green

Author: BillL
Subject: AutoRuns Compare - All entries green
Posted: 31 March 2014 at 9:06pm

I agree. I have been seeing a few entries coming up green that made no sense for a while now, but this is the first time that all of them are green.

Process Monitor : ** Feature request list **

Author: jookie57
Subject: ** Feature request list **
Posted: 31 March 2014 at 11:19pm

In response to this feature request (which appears to have been asked twice by the same anonymous user):

Originally posted by noname noname wrote:

Feature request 2: Often, it is not enough to exclude an exact path (like C:\Windows\System32\KernelBase.dll). Instead, we most likely want to exclude entire directories (e.g. C:\Windows\System32\). When right-clicking a path, there should be the option to exclude that path, or any parent path of it. Example: I click on "C:\Windows\System32\KernelBase.dll" and get:

Exclude "C:\Windows\System32\KernelBase.dll"
Exclude "C:\Windows\System32\" (StartsWith)
Exclude "C:\Windows\" (StartsWith)
Exclude "C:" (StartsWith)

There was a new feature added in v3.05 that should give you similar functionality:

Process Monitor v3.05: ... This update adds a context-menu entry that opens the filter edit dialog with contents prepopulated with the specified row and column value.

Source: http://blogs.technet.com/b/sysinternals/archive/2013/06/04/updates-autoruns-v11-6-process-explorer-v15-31-process-monitor-v3-05-sigcheck-v1-92.aspx

To use this feature with your example, right-click on a path that contains 'C:\Windows\System32\KernelBase.dll' > select Edit Filter 'C:\Windows\System32\KernelBase.dll'


(sorry for the bad screenshot; 10K is very limiting)

The Filter dialogue box will pop up with 'C:\Windows\System32\KernelBase.dll' populated and the control focus on the logic condition box:


(notice the selection focus on 'is' box; use down arrow to quickly change)

From there, it's easy to change "is" to "contains" and remove the parts of the path you wish to exclude.

Process Monitor : ** Feature request list **

Author: jookie57
Subject: ** Feature request list **
Posted: 31 March 2014 at 11:31pm

In response to this:

Originally posted by negrumanuel negrumanuel wrote:

I often need to filter only by read-only events or write events. A right-click option to do this would be great. So, for example, once the write view mode is enabled, any actions on the files or registry that have to do with read (enum, query, etc.) would be filtered out. The vice versa applies: when in read view mode, all the write/modify actions will be filtered out.

You should be able to do this with a Category filter.

First, add the Category column. Options > Select Columns > check Category (the last one on left under Event Details).

There are four Categories:
  1. Read
  2. Read Metadata
  3. Write
  4. Write Metadata

You can set a filter for these by right-clicking in the Category column and choosing Include or Exclude.

Or, you can manually build the filter in the Filter dialogue box. A favorite filter of mine is to show only writes, which does what you wish by hiding all read activity.

Category is Write then Include



Edited by jookie57 - 3 hours 8 minutes ago at 11:52pm

Process Monitor : ** Feature request list **

Author: jookie57
Subject: ** Feature request list **
Posted: 31 March 2014 at 11:51pm

I know I'm pretty late to the party on these, but maybe I can still help someone...

In response to this:

Originally posted by waylander waylander wrote:

If there is any possibility of adding in a feature to the CLI to take a large Process Monitor file and parse it with a filter to a smaller output file, it would be a lifesaver.

Something similar to what you can do with Tshark for wireshark traces, and with the netmon command line switches.

I have tried this:
procmon /OpenLog Non_working.PML /LoadConfig ProcmonConfiguration.pmc /Quiet /SaveAs output.pml

But the resultant file was just the same size as the input file. I had selected drop filtered events and the filter did work in the loaded trace.

It looks like you could use the new /saveapplyfilter switch added in version v3.1:

Process Monitor v3.1: This release adds ... a new switch, /saveapplyfilter, which has Process Monitor apply the current filter to the output file as it saves it.

Source: http://blogs.technet.com/b/sysinternals/archive/2014/03/07/updates-process-explorer-v16-02-process-monitor-v3-1-psexec-v2-1-sigcheck-v2-03.aspx

Add the new switch at the end of your command line:
procmon.exe /OpenLog Non_working.PML /LoadConfig ProcmonConfiguration.pmc /Quiet /SaveAs output.pml /saveapplyfilter
I tested this and it seems to work as you requested.


Edited by jookie57 - 3 hours 8 minutes ago at 11:52pm

Autoruns : Missing Driver Files

Author: jimsrtn1
Subject: Missing Driver Files
Posted: 01 April 2014 at 1:49am

Thanks for the reply. Yes, I saw entries in the registry but was wondering if they were used by Vista.
Already deleted windows.old.
Do you know if these files are used in Vista?
If they are, will a service create them, or do they have to be installed, or is it just legacy stuff?
 

Process Monitor : no tree-view

Author: xiaoyuantcm
Subject: no tree-view
Posted: 01 April 2014 at 3:15am

I've had a similar situation before with an odd question on the treeview control. However, I can't remember how I fixed that.

Internals : Annoying list view scrolling behaviour

Author: xiaoyuantcm
Subject: Annoying list view scrolling behaviour
Posted: 01 April 2014 at 3:24am

I also never noticed this before; very interesting topic. I never did those kinds of things on the listview control.

Autoruns : Missing Driver Files

Author: Dax1792
Subject: Missing Driver Files
Posted: 01 April 2014 at 3:38am

They are not used. Seems like someone forgot to remove the entries when Vista was built. They are gone in Windows 7.

Process Monitor : New to Sysinternals

Author: MagicAndre1981
Subject: New to Sysinternals
Posted: 01 April 2014 at 5:36am

Post some pictures of RAMMap so that I can see the RAM usage.

Troubleshooting : W7 permission denied

Author: MagicAndre1981
Subject: W7 permission denied
Posted: 01 April 2014 at 5:38am

We need the PML file, not an HTML file.

Process Monitor : Very Slow Boot Time

Author: JohnVich
Subject: Very Slow Boot Time
Posted: 01 April 2014 at 10:54am

You should use the Krojam Cleaner program. It deletes all bugs and unwanted files and helps speed up your system. I tried it as well, with good results.

BgInfo : Group Policy forced wallpaper

Author: N9X
Subject: Group Policy forced wallpaper
Posted: 01 April 2014 at 2:53pm

Hey everyone!

Does anyone use group policy to force a wallpaper for users and also successfully use BGInfo?

If you do, what is your setup like?

I am having issues where it will work for certain users, but for other users it won't copy the desktop wallpaper and just puts the text up with a black background.


Thank you for any possible help!!

Process Explorer : ** Feature Requests **

Author: bugmenot
Subject: ** Feature Requests **
Posted: 01 April 2014 at 3:56pm

In the "System information" view, I would like the graphs and tooltips to display values to 3 significant figures (possibly more in the tooltips)

I often want to compare two points in time (before and after an action) and readings like "3.9GB vs 4.0GB" do not provide enough precision.

Process Monitor : Very Slow Boot Time

Author: MagicAndre1981
Subject: Very Slow Boot Time
Posted: 01 April 2014 at 5:15pm

cleaner tools improve NOTHING.

BgInfo : Great BGInfo Replacement

Author: N9X
Subject: Great BGInfo Replacement
Posted: 01 April 2014 at 9:45pm

I have just been playing with this as I was looking for a good replacement as well, but is there a good way to get it positioned correctly so you can use a single .ini file for a variety of different sized monitors?

Miscellaneous Utilities : Sdelete Limitation for USB Flash Drive?

Author: Intuit
Subject: Sdelete Limitation for USB Flash Drive?
Posted: 02 April 2014 at 7:14pm

About "Wear leveling" ...

http://en.wikipedia.org/wiki/Wear_levelling


Without using the "-C" parameter (clean free space) or the "-Z" parameter (zero free space), the file may not be securely deleted and may remain present on the storage medium.

Process Monitor : jump to ... ctrl-j does not (always) work

Author: ack-hh
Subject: jump to ... ctrl-j does not (always) work
Posted: 02 April 2014 at 9:21pm

right-click an entry, then click on "jump to ..." -- ok
left-click an entry, then press ctrl-j -- does not work
left-click an entry, then press cursor key, then press ctrl-j -- ok

thx for this wonderful software!