Channel: Sysinternals Forums

Autoruns : Export the result to CSV file

Author: davehull
Subject: Export the result to CSV file
Posted: 18 June 2014 at 4:54pm

Ah, yes, I've experienced this too. I have a PowerShell wrapper script that's part of a different project. You might give it a try. For the most part, it is able to parse Autorunsc's CSV output into PowerShell objects.

https://github.com/davehull/Kansa/blob/master/Modules/ASEP/Get-Autorunsc.ps1

This expects Autorunsc.exe to be in $env:systemroot, which is generally C:\Windows\. If you copy Autorunsc.exe to your %systemroot%, download the Get-Autorunsc.ps1 script above and unblock it either by using streams -d Get-Autorunsc.ps1 or unblock-file or via the Explorer properties GUI, then run it from the command line as follows:

.\Get-Autorunsc.ps1 | ConvertTo-CSV -Delimiter "`t" -notypeinformation | % { $_ -replace "`"" } | set-content autorunsoutput.tsv

You'll get a copy of the Autoruns output as a tab separated values file that *should* open nicely in Excel. I don't claim that the parsing is 100% accurate, but in my experience running the above across thousands of machines, it generally works well.

Autoruns : every time..

Author: mac_mayank
Subject: every time..
Posted: 18 June 2014 at 7:34pm

Every time I log on to the system I see 2-3 windows opened automatically. Please tell me why this is happening; this is too annoying.

Process Monitor : Problem goes away when procmon.exe is running

Author: frnkrobts
Subject: Problem goes away when procmon.exe is running
Posted: 18 June 2014 at 8:35pm

I have a customer who intermittently has an issue when a program is making a MAPI call to Outlook. The program will crash or Outlook will hang or some combination of both.
 
I run procmon.exe on the system and the reported issue can not be replicated. I've seen this when trying to chase down other issues with our software.
 
This mainly happens on W2K3 and W2K8 terminal servers. (99.9%)
 
Has anyone ever seen that?
 
 

Autoruns : every time..

Author: MagicAndre1981
Subject: every time..
Posted: 19 June 2014 at 4:29am

Look with Autoruns.exe for strange startup entries. You can also use Process Explorer: drag and drop the crosshair from the toolbar onto the window to see which programs display the window, and use Autoruns to remove those tools from startup.

Process Monitor : Very Slow Boot Time

Author: dxcarnadi
Subject: Very Slow Boot Time
Posted: 19 June 2014 at 3:51pm

@MagicAndre1981

The boot-time of my computer is about 140 seconds.
A 3 years old Dell Laptop with Windows-7 64.

Can you please analyse this file?

https://www.dropbox.com/s/a8ft251bis0mrmj/boot_BASE%2BCSWITCH_1.zip

Thank you for your help.

Process Monitor : Very Slow Boot Time

Author: tamahome
Subject: Very Slow Boot Time
Posted: 19 June 2014 at 4:00pm

It says some info is missing when I try to load it.  I don't see a big i/o process, but there's 150 boot processes and 100 services starting up.  Andre is better at this than me though.  Maybe make the 3rd party services 'auto delayed' instead of 'auto'.  Or buy an ssd.  :) 




Edited by tamahome - 14 hours 49 minutes ago at 4:03pm

Process Monitor : Very Slow Boot Time

Author: MagicAndre1981
Subject: Very Slow Boot Time
Posted: 19 June 2014 at 4:11pm

The HDD is busy for 60s. The best option is really to buy an SSD. I'll buy the MX100 in the next few days:

http://geizhals.de/crucial-mx100-512gb-ct512mx100ssd1-a1122682.html?t=v&vl=de&va=b

BgInfo : Updating USER.BMP

Author: CrashR
Subject: Updating USER.BMP
Posted: 19 June 2014 at 5:47pm

Updating USER.BMP

I remote into a bunch of WIN2K8 servers via RDP.

When they lock, I don't see the machine.bmp which is different than older MS operating systems.
On top of that, our naming conventions for servers are very generic, so when I have a few RDP windows open, it's tough for me to determine which machine I want to log back into.

The next best thing for me to use seems to be updating the %ProgramData%\Microsoft\User Account Pictures\user.bmp after enabling GPEDIT > Computer Configuration > Administrative Templates > User Accounts > Enable the default

I've created a BGI file that:
1) Is set to 5 inches wide via Set Position
2) Centered at top via Set Position
3) Saved into C:\ProgramData\Microsoft\User Account Pictures\user.bmp via Bitmap > Location
4) Doesn't save to any wallpaper via Desktops

My question is:
Can I limit the size of the output area?
It currently is creating a bitmap 1152 x 864 which is size of desktop.  I have to use PAINT to crop it to around 400 x 400.  I see that the original is square.

Either that, or does anyone have any better suggestions for getting Logon Desktop for Terminal Services users to work

Process Monitor : [Feature request] managed stack traces

Author: managed2
Subject: [Feature request] managed stack traces
Posted: 20 June 2014 at 1:08pm

Support for managed stack frames was implemented in Process Explorer. It would be very helpful if Process Monitor supported them also. I hope that, since the work has been done for ProcExp, it should be relatively easy to generalize the code for ProcMon. Are there any plans to support such a feature?

Thank you.


Edited by managed2 - 17 hours 57 minutes ago at 1:08pm

Autoruns : Strange items in BootExecute

Author: CET
Subject: Strange items in BootExecute
Posted: 20 June 2014 at 2:14pm

I think the problem is being caused by the Session Manager settings. Shouldn't the BootExecute Type be REG_MULTI_SZ and the Data be autocheck? If so, how do I correct the Type and Data registry settings?

Thanks for any additional assistance.

Process Explorer : 11.0 and Vista x64 - Unable to extract x64 image

Author: stepanijin
Subject: 11.0 and Vista x64 - Unable to extract x64 image
Posted: 20 June 2014 at 2:50pm

This helped me. PE worked fine, but after some point this error message started to pop-up

Unable to extract x64 image. Run Process Explorer from a writeable directory.

Reason: my TEMP folder was deleted. I assumed that Windows would auto-create it, but that was not the case. So, PE tried to extract the 64-bit version to TEMP, but since the destination folder didn't exist it wasn't able to extract the 64-bit image.

Solution - create the TEMP folder if you deleted it.
Hopefully, Sysinternals adds a couple of lines to the code so that PE.exe checks:

if (TEMP does not exist) {
    Print "No TEMP folder. Create it? Y(Recommended)/N"
    If (User Input is N) {Die "no destination folder to extract to"}
    If (User Input is Y) {mkdir TEMP or Die "cant make TEMP"}
}

Hope that helps.
Stepan
                              

Autoruns : Strange items in BootExecute

Author: Dax1792
Subject: Strange items in BootExecute
Posted: 20 June 2014 at 3:23pm

The data should be autocheck autochk *

Autoruns : Strange items in BootExecute

Author: CET
Subject: Strange items in BootExecute
Posted: 20 June 2014 at 4:07pm

Thanks, but how do I Edit/Correct that?

Autoruns : Strange items in BootExecute

Author: nullptr
Subject: Strange items in BootExecute
Posted: 20 June 2014 at 4:09pm

Paste the content of the following code box into notepad and Save as type: All Types (*.*), File name: bootfix.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00

Double click and allow to merge with the registry.


Edited by nullptr - 14 hours 55 minutes ago at 4:10pm
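
The hex(7) data in the post above can be decoded before merging to confirm exactly what the file writes to BootExecute. This is an added example, not part of the original post or of any Sysinternals tool; the function names are hypothetical, and the expected value is the one stated earlier in this thread.

```python
import re

# The .reg text from the post above, embedded so the check runs offline.
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
'''

# Value stated in the thread as the correct BootExecute data.
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]

VALUE_RE = re.compile(r'^"([^"]+)"=hex\(7\):([0-9a-fA-F,]*)$')


def decode_multi_sz_values(reg_text):
    """Return {(key, name): [strings]} for each hex(7) (REG_MULTI_SZ) value."""
    # A trailing backslash continues the hex data on the next (indented) line.
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)
    results, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if key is None or match is None:
            continue
        raw = bytes(int(b, 16) for b in match.group(2).split(",") if b)
        if len(raw) % 2:
            raise ValueError("hex(7) data is not whole UTF-16 code units")
        # REG_MULTI_SZ is UTF-16LE: NUL-terminated strings plus a final NUL.
        text = raw.decode("utf-16-le")
        results[(key, match.group(1))] = [s for s in text.split("\x00") if s]
    return results


def unexpected_values(reg_text, expected=EXPECTED_BOOTEXECUTE):
    """List decoded hex(7) values that are not BootExecute with the expected data."""
    return [
        (key, name, strings)
        for (key, name), strings in decode_multi_sz_values(reg_text).items()
        if name.lower() != "bootexecute" or strings != expected
    ]


if __name__ == "__main__":
    for (key, name), strings in decode_multi_sz_values(REG_TEXT).items():
        print(f"{key}\\{name} = {strings}")
    print("unexpected:", unexpected_values(REG_TEXT))
```

An empty result from `unexpected_values` means the file sets only BootExecute, and only to the single string `autocheck autochk *`.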

Autoruns : Strange items in BootExecute

Author: CET
Subject: Strange items in BootExecute
Posted: 20 June 2014 at 5:37pm

nullptr-

Many, many thanks-I believe that took care of the problem. The yellowed items in Autoruns are now linked to Session Manager AutorunsDisabled. Is it safe to delete the AutorunsDisabled registry folder? Thanks again!

Miscellaneous Utilities : Handle Utility - Error loading driver

Author: Billk70
Subject: Handle Utility - Error loading driver
Posted: 21 June 2014 at 12:36am

I am running into a crazy issue on a Windows 2008 R2 machine while trying to run the handle utility. When I try and run it, it simply says:
 
C:\Upload>handle
Handle v3.51
Copyright (C) 1997-2013 Mark Russinovich
Sysinternals - www.sysinternals.com
Error loading driver:
A
The 'A' I believe simply means Access Denied.
 
Now if I run PSEXEC -i -s -d CMD
 
Then run the same utility under the nt authority\system account. The utility runs fine and I receive the standard output.
I can run this on a series of other Windows 2008 R2 in the same domain without any issues. So trying to find what may have changed with the build to cause this.
I have looked in the local security policy, such as 'Load and unload drivers' and have permission. I simply can't figure out what would be stopping this utility from loading.
Any help would be greatly appreciated.
 
Thanks.
 
-Bill

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: DoubleE
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 21 June 2014 at 9:57am

Hi MagicAndre,
 
Further research shows that many different hardware and/or driver problems can cause this problem.  Different solutions for the same symptoms are reported by many people in different forums, including BIOS and driver updates, bad hardware (motherboards, Ethernet adapters, etc.), and driver settings for a variety of hardware such as video, WiFi, and Ethernet adapters.  I'm sure you already know this, but I'll mention it for anyone researching this topic.
 
In my case, ACPI.sys+0x1af7c was causing a high interrupt, DPC, and context switch rate (~ 100,000/sec) and hence high CPU usage.  Searching for "ACPI.sys+0x1af7c" narrowed down the results so using this offset (or whatever offset others may have), as reported in Process Explorer, might be helpful to others.  I assume that this is the binary offset into ACPI.sys which locates where in the acpi.sys driver this is happening so may help narrow down the problem.
 
After trying many things, I found a forum entry with a suggestion to disable the Ethernet adapter's "Wake on Magic Packet" and "Wake on Pattern Match" in the driver's Advanced Tab in Device Manager.  This worked instantly for me without even having to reboot.  My adapter also has a "Wake on Magic Packet from power off state" option.  Either of the first two options mentioned above will cause the problem, but this last one can remain enabled without issue.  My adapter is an Intel I217-LM in a Dell E6540 laptop.
 
Here's the link to the original forum post:
 
 
I would upload a screen shot from my Ethernet adapter's settings menu but it exceeds the size allowed. 
 
So I'm a satisfied customer and maybe this entry will help someone else.  Your suggestions pushed me in the right direction to find an answer.
 
Thanks for your help,
DoubleE
 

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 21 June 2014 at 3:37pm

OK, thanks for sharing your solution :)

Process Monitor : procmon v3.10 Can't Open Help File

Author: Rusty.Not
Subject: procmon v3.10 Can't Open Help File
Posted: 21 June 2014 at 8:10pm

Yes. W7 and W8.1 have a KB that offers a WinHlp32.exe from "Official Microsoft Download Center".

http://support.microsoft.com/kb/917607/en-us

I post here to recommend this help file be included in next Sysinternals Suite version.

Utilities Suggestions : W8.1 Can't Open ".hlp" Files

Author: Rusty.Not
Subject: W8.1 Can't Open ".hlp" Files
Posted: 21 June 2014 at 8:26pm

MS no longer includes support for the old .hlp extension. But they do offer a work-around if you look hard.
W7 and W8.1 have a KB article that offers a WinHlp32.exe from the "Official Microsoft Download Center".

http://support.microsoft.com/kb/917607/en-us

I post here to recommend this help file be included in next Sysinternals Suite version too.
