Channel: Sysinternals Forums

Miscellaneous Utilities : Nonpaged pool in RAMMap and in PE are different

Author: MagicAndre1981
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 17 March 2013 at 7:59pm

Poolmon is part of the Win8 WDK.

Process Explorer : ** Process Explorer Bugs **

Author: gethooks
Subject: ** Process Explorer Bugs **
Posted: 17 March 2013 at 9:50pm

Originally posted by Dr Who:

Spotted a small problem in v.15.23: when selecting 'Users' from the menubar, then selecting your user name or another from the list, you are able to 'Send Message...'. If you do, the message is truncated based upon the byte count, I guess.


+1! I've been sending messages to users that I didn't realize were being truncated, in some cases large portions. This is still a problem in 15.3 both x86 and x64. For anyone in a similar situation use Windows' msg.exe to do the same thing but without that problem.

Process Monitor : logical Prefetcher

Author: ThunderCats
Subject: logical Prefetcher
Posted: 17 March 2013 at 10:44pm

Hello,

I am trying to find the function responsible for prefetch files. When I run procmon and open the command prompt, I can see that it opens the prefetch file located in the System root\prefetch folder, but when I check the call stack for the thread, I see many functions called but don't know which one is used for opening the prefetch file. Below is the call stack:

0     fltmgr.sys     FltRequestOperationStatusCallback + 0xeb5     0x8c9cfaeb     C:\Windows\system32\drivers\fltmgr.sys
1     fltmgr.sys     FltGetIrpName + 0xc5c     0x8c9d29f0     C:\Windows\system32\drivers\fltmgr.sys
2     fltmgr.sys     FltProcessFileLock + 0x18b2     0x8c9e61fe     C:\Windows\system32\drivers\fltmgr.sys
3     fltmgr.sys     FltProcessFileLock + 0x1f6b     0x8c9e68b7     C:\Windows\system32\drivers\fltmgr.sys
4     ntoskrnl.exe     IofCallDriver + 0x64     0x8384b012     C:\Windows\system32\ntoskrnl.exe
5     ntoskrnl.exe     NtQueryInformationThread + 0x417e     0x83a1ef83     C:\Windows\system32\ntoskrnl.exe
6     ntoskrnl.exe     PsReferenceImpersonationToken + 0x5df     0x83a2215e     C:\Windows\system32\ntoskrnl.exe
7     ntoskrnl.exe     ObOpenObjectByName + 0x165     0x83a60c35     C:\Windows\system32\ntoskrnl.exe
8     ntoskrnl.exe     NtQueryInformationThread + 0x171f     0x83a1c524     C:\Windows\system32\ntoskrnl.exe
9     ntoskrnl.exe     NtOpenFile + 0x2a     0x83a728ba     C:\Windows\system32\ntoskrnl.exe
10     ntoskrnl.exe     ProbeForRead + 0x16e5     0x83a4ee62     C:\Windows\system32\ntoskrnl.exe
11     ntoskrnl.exe     RtlMapGenericMask + 0x1cc2     0x83a3fb3f     C:\Windows\system32\ntoskrnl.exe
12     ntoskrnl.exe     SePrivilegeObjectAuditAlarm + 0x205     0x83a4b915     C:\Windows\system32\ntoskrnl.exe
13     ntoskrnl.exe     NtOpenThreadTokenEx + 0x169e     0x83a44e3d     C:\Windows\system32\ntoskrnl.exe
14     ntdll.dll     RtlUserThreadStart     0x77ae7078     C:\Windows\System32\ntdll.dll

Any suggestions?

Thanks

Autoruns : Increase font size

Author: Dax1792
Subject: Increase font size
Posted: 17 March 2013 at 11:46pm

There's Font on the Option menu.

Miscellaneous Utilities : Nonpaged pool in RAMMap and in PE are different

Author: Dax1792
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 17 March 2013 at 11:48pm

NonPaged means physical = virtual

Miscellaneous Utilities : Nonpaged pool in RAMMap and in PE are different

Author: loverboy
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 18 March 2013 at 2:21pm

Originally posted by Dax1792:

NonPaged means physical = virtual
 
So which one is correct?
 
RAMMap --> 727 MB
Process Explorer --> 81 MB
Process Hacker --> 79 MB
Windbg (6.12) --> 210 GB (!)
Windbg (6.11) --> 1.9 GB

PsTools : PsInfo v1.77 : list of software

Author: KnutB
Subject: PsInfo v1.77 : list of software
Posted: 18 March 2013 at 2:29pm

I can confirm this and have noticed the following:

I am querying the same target computer (Win 7 Pro 64 bit) with psinfo \\COMPUTER -s.

When I run this command on a machine with Windows XP Pro 32 bit, the output is totally different from the output when running psinfo on a machine with Windows 7 Pro 64 bit. Both times I use the same domain admin account to run psinfo.
When I put both outputs together, the list is complete.

PSInfo run under XP lists about 30 items, run under Win 7 it lists about 200 products.

Also, the service pack is only reported correctly when run under XP.

For example, iTunes is only found when psinfo is run on the XP machine.

Can it be possible that psinfo is querying different databases on the target depending on the source operating system? Or can it be a bug regarding 32/64bit operating systems?

Miscellaneous Utilities : Nonpaged pool in RAMMap and in PE are different

Author: MagicAndre1981
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 18 March 2013 at 3:49pm

Which values does poolmon tell you? For me they are all nearly the same.

Which Windows do you use? I'm using Win8 64Bit here on this Laptop.

Miscellaneous Utilities : Nonpaged pool in RAMMap and in PE are different

Author: loverboy
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 18 March 2013 at 4:52pm

I wasn't able to download Poolmon
Could you kindly upload it somewhere?
 
*EDIT*
I tried with the method shown here
but I get a message error
Poolmon: Query perf Failed (returned: c0000004)
 
I have Windows 7 Home Premium 64bit
Is the error due to the fact that poolmon was 32bit?
That's a problem when there is no official link other than downloading a complete Kit
I don't want to install anything new on this PC, but I would like only to use a (somewhat) portable application like Poolmon


Edited by loverboy - 9 hours 32 minutes ago at 5:28pm

Miscellaneous Utilities : Nonpaged pool in RAMMap and in PE are different

Author: Dax1792
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 18 March 2013 at 8:06pm

Originally posted by loverboy:

Originally posted by Dax1792:

NonPaged means physical = virtual
 
So which one is correct?
 
RAMMap --> 727 MB
Process Explorer --> 81 MB
Process Hacker --> 79 MB
Windbg (6.12) --> 210 GB (!)
Windbg (6.11) --> 1.9 GB
 
Who knows? I can't see the source code (apart from Process Hacker). Pity wj32 doesn't seem to be around.

Miscellaneous Utilities : Nonpaged pool in RAMMap and in PE are different

Author: loverboy
Subject: Nonpaged pool in RAMMap and in PE are different
Posted: 18 March 2013 at 9:22pm

OK
 
In the same picture the result of Poolmon, Process Hacker, Process Explorer, RAMMap

 
    
Poolmon --> 62.640 kB
Process Explorer --> 62.640 kB
Process Hacker --> 61.16 M (*1024 --> almost 62.640 kB)
RAMMap --> 721.580 kB
 
So it is clear that RAMMap has a BIG bug to be fixed in NonPaged Pool indication (at least on my Windows 7 Home Premium 64bit)
 
Who tells Mark to fix it?

 


Edited by loverboy - 5 hours 12 minutes ago at 9:48pm
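
An added example, not posted by anyone in this thread: one way to get two more reference readings of the nonpaged pool directly from Windows, using the documented `GetPerformanceInfo` API (psapi.dll) and the `\Memory\Pool Nonpaged Bytes` performance counter. The `PoolInfo` class name is hypothetical, and the counter path assumes an English-language Windows installation.

```powershell
# Added example: read the nonpaged pool size from two OS-provided sources
# so a tool's figure can be checked against them.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class PoolInfo {   // hypothetical helper name
    [StructLayout(LayoutKind.Sequential)]
    public struct PERFORMANCE_INFORMATION {
        public uint cb;
        public UIntPtr CommitTotal, CommitLimit, CommitPeak;
        public UIntPtr PhysicalTotal, PhysicalAvailable, SystemCache;
        public UIntPtr KernelTotal, KernelPaged, KernelNonpaged;
        public UIntPtr PageSize;
        public uint HandleCount, ProcessCount, ThreadCount;
    }
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool GetPerformanceInfo(out PERFORMANCE_INFORMATION pi, uint cb);

    // KernelNonpaged is reported in pages, so multiply by the page size.
    public static ulong NonpagedBytes() {
        PERFORMANCE_INFORMATION pi;
        uint size = (uint)Marshal.SizeOf(typeof(PERFORMANCE_INFORMATION));
        if (!GetPerformanceInfo(out pi, size))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return pi.KernelNonpaged.ToUInt64() * pi.PageSize.ToUInt64();
    }
}
"@

$fromApi     = [PoolInfo]::NonpagedBytes()
$fromCounter = (Get-Counter '\Memory\Pool Nonpaged Bytes').CounterSamples[0].CookedValue

# Print both readings in kB, the unit used in the comparison above.
@(
    [pscustomobject]@{ Source = 'GetPerformanceInfo';  NonpagedKB = [math]::Round($fromApi / 1KB) }
    [pscustomobject]@{ Source = 'Performance counter'; NonpagedKB = [math]::Round($fromCounter / 1KB) }
) | Format-Table -AutoSize
```

The two readings are taken a moment apart, so small differences between them are expected.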

Autoruns : Safe Entries

Author: BearPup
Subject: Safe Entries
Posted: 19 March 2013 at 2:16am

Can't really believe this hasn't come up before, but a search showed no results. How can one mark an entry as safe or give it a "Y" designation?

I have several programs that I have added to the autostart process of Windows that I know are safe, have used for years, and in one case, had written for me. I would like to mark these as known "Y" entries and not have them flagged as either unknown or questionable. If we can mark an entry for disabling or deleting, shouldn't we also be able to mark those that we know are safe?

If there's a way, I haven't found it yet! And if we currently can't, can we please have an option to mark a safe entry that way in future versions?  Thank you.

Regards, BearPup

Troubleshooting : Trouble using Xperf on a Windows XP sp3 machine

Author: MagicAndre1981
Subject: Trouble using Xperf on a Windows XP sp3 machine
Posted: 19 March 2013 at 6:54pm

AHCI should be enabled in the BIOS: Which motherboard do you use?

Process Explorer : Sysinternals Process Explorer has stopped working

Author: MagicAndre1981
Subject: Sysinternals Process Explorer has stopped working
Posted: 19 March 2013 at 6:56pm

Use Windows Error Reporting (http://msdn.microsoft.com/en-us/library/bb787181%28VS.85%29.aspx) to generate a full dump of the crashing PE (set DumpType to 2 to get a full dump).

Zip, upload the dmp to SkyDrive and send Mark a Mail with the link.
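
An added example, not part of the original post: the Windows Error Reporting LocalDumps settings described above, scoped to Process Explorer only so other applications are unaffected. The dump folder path and the DumpCount value are assumptions; `procexp64.exe` is included because that is the image that actually runs on 64-bit Windows.

```powershell
# Added example: enable WER full user-mode dumps for Process Explorer only.
# Run from an elevated PowerShell prompt.
$base       = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps'
$dumpFolder = 'C:\CrashDumps\procexp'        # assumed location, change as needed
$images     = 'procexp.exe', 'procexp64.exe'

New-Item -ItemType Directory -Path $dumpFolder -Force | Out-Null

foreach ($exe in $images) {
    # A per-application subkey overrides the global LocalDumps settings.
    $key = Join-Path $base $exe
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # DumpType 2 = full dump, as stated in the post above.
    New-ItemProperty -Path $key -Name DumpType   -PropertyType DWord        -Value 2           -Force | Out-Null
    New-ItemProperty -Path $key -Name DumpFolder -PropertyType ExpandString -Value $dumpFolder -Force | Out-Null
    # Keep only the newest few dumps; full dumps can be large (assumed limit).
    New-ItemProperty -Path $key -Name DumpCount  -PropertyType DWord        -Value 3           -Force | Out-Null
}

# After reproducing the crash, list what was captured.
Get-ChildItem -Path $dumpFolder -Filter *.dmp |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime

# When finished, remove the per-application keys again:
# foreach ($exe in $images) { Remove-Item -Path (Join-Path $base $exe) -Recurse }
```

A full dump contains the entire memory of the crashed process, so keep the dump folder readable by administrators only and share the file with the intended recipient rather than through a public link.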

Troubleshooting : Trouble using Xperf on a Windows XP sp3 machine

Author: wyvern83
Subject: Trouble using Xperf on a Windows XP sp3 machine
Posted: 19 March 2013 at 7:14pm

It's an ABIT IP35 Pro XE. http://www.newegg.com/Product/Product.aspx?Item=N82E16813127050

Process Explorer : How to Find Windows Process

Author: LMiller7
Subject: How to Find Windows Process
Posted: 19 March 2013 at 10:31pm

That information is correct. You can aim the pointer at a control but this isn't useful as any control will be owned by the same process as the parent window. You can't aim the pointer at the PE window itself because it isn't visible, and you already know who owns it anyway. 

Process Explorer : How to Find Windows Process

Author: diligentinquirer
Subject: How to Find Windows Process
Posted: 20 March 2013 at 12:34am

OK, with your approval, I will go ahead and try to work it out on my own now. But I really need to know just what you mean by "control" etc., please. FYI, I just have not been at any (control?) yet.

BTW, our forum discussion has hit Google, which is actively reporting on this subject matter.

Process Explorer : How to Find Windows Process

Author: LMiller7
Subject: How to Find Windows Process
Posted: 20 March 2013 at 12:56am

A control is used by an application to interact with the user. This would be a pushbutton, checkbox, toolbar, etc. They are a specialized kind of window. 

Troubleshooting : Detecting & plugging memory leaks

Author: callumd
Subject: Detecting & plugging memory leaks
Posted: 20 March 2013 at 1:44am

Hi all, this is my first post so please pardon my ignorance. I am new to Sysinternals & I know that this question may have been asked in the past but I couldn't find a satisfactory answer. I look after a few servers & one of them slowed. Now the user suspects that it is a memory leak & would like me to investigate, but I don't know where to start & how to proceed once I start. It's a Windows 2008 R2 SP1 virtual machine with SQL2008 R2 installed. It's got 6 GB of RAM & a paging file of 2 GB. My questions are:
1) How do I detect if there's a memory leak?
2) How to tell which application is having memory leak?
3) What tools can be used in order to determine?
4) How can I plug the memory leak if I find one?
I thank you in advance for your help.

Troubleshooting : Detecting & plugging memory leaks

Author: MagicAndre1981
Subject: Detecting & plugging memory leaks
Posted: 20 March 2013 at 5:14am

To see the memory usage in detail you should use RAMMap. Read this link on how to use it and what the values mean:

http://blogs.technet.com/b/askperf/archive/2010/08/13/introduction-to-the-new-sysinternals-tool-rammap.aspx