Channel: Sysinternals Forums

Internals : Change handle access mask

Author: Chris_SHX
Subject: Change handle access mask
Posted: 15 April 2015 at 9:42am

Hello,

I want to change (revoke some access from) a handle's access mask.
I haven't found anything documented about doing this.

I have a kernel-mode driver, and the only way I have seen is to enumerate using ZwQuerySystemInformation and close using ZwDuplicateObject, but I don't want to close a specific handle, only change its access rights. How do I do that?


Edited by Chris_SHX - 14 hours 20 minutes ago at 9:43am

BgInfo : Showing SSID

Author: Ralmeida
Subject: Showing SSID
Posted: 15 April 2015 at 11:33am

Hello!

I'm trying "somehow" to put in my BGinfo the SSID of the wireless network that the users of the company are connected to. But I can't manage that.

Does anyone have any idea? Any command or script?


Thank you!

BgInfo : Multiple NICs

Author: Ethan316
Subject: Multiple NICs
Posted: 15 April 2015 at 4:01pm

Thanks, I appreciate anything you can find out.
 
Ethan.

Process Explorer : procexp no longer starts with Windows

Author: rfcdvc45
Subject: procexp no longer starts with Windows
Posted: 15 April 2015 at 6:57pm

I have had procexp.exe for several years, but recently it has stopped auto-starting with Windows. The process is not shown in Task Manager and there is no icon in the notification area. I have tried placing a procexp shortcut in:
"C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
and also in:
"C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"

Still no autostart in either scenario.

Can someone please advise?

Thanks in advance...

Core i7 950, 6GB RAM, Windows 8 Pro 64-bit, Process Explorer v16.05

Site Bugs : psexec on unix?

Author: betusr3
Subject: psexec on unix?
Posted: 15 April 2015 at 9:33pm

Since code.google.com is dying soon, here's the new link:

https://github.com/CoreSecurity/impacket/blob/master/examples/psexec.py

cheers

Process Explorer : Searching for processes

Author: Mits2015
Subject: Searching for processes
Posted: 16 April 2015 at 2:40am

Running Win7 x64 Pro.

I've been using PE since its early days and I always appreciated that when searching for a specific process by typing its first letter in the main window, it was always possible to cycle instantly through processes by repeating the same letter.

I just deleted my old PE version, replaced it with the current one (16.05), and noticed that now I have to wait 3-4 seconds before PE accepts repeat keystrokes. For example, if I press 's' repeatedly, PE jumps to the first process starting with 's' and then ignores all further keystrokes until I pause for 3-4 seconds.

I am sure that many old timers have developed the same habit when searching for a process. It's a very minor annoyance, but since I am not sure whether this is a new bug or a new feature, I'd appreciate it if somebody would replicate this change in PE behaviour. TIA.

Process Explorer : Searching for processes

Author: Dax1792
Subject: Searching for processes
Posted: 16 April 2015 at 2:19pm

It's a delay of about a second for me. Hitting the key as quickly as possible is ignored.

Miscellaneous Utilities : Understanding Streams

Author: Frank C
Subject: Understanding Streams
Posted: 16 April 2015 at 3:53pm

Hello,
I would like to learn how to use Streams (File and Disk Utilities) to remove potentially dangerous ADS data from files reported by Spybot 2.4.
I don't understand the meaning of the -s operator, "Recurse subdirectories".
My test was on this file reported by Spybot 2.4:
File: "Unknown ADS", C:\Users\Owner\Documents\My Kindle Content\Treasure-Island.azw
My command was:
streams -s "C:\Users\Owner\Documents\My Kindle Content\Treasure-Island.azw"
I used quotes because of embedded blanks in the path.
The result was "No files with streams found."
What is the correct way to use Streams?
Thanks
Frank C

Process Explorer : procexp no longer starts with Windows

Author: pinscomputer
Subject: procexp no longer starts with Windows
Posted: 16 April 2015 at 3:55pm

try the following

1. remove all the "shortcuts" you put in place.

2. start Process Explorer by double-clicking on the file
3. once Process Explorer starts, select <file> and then <show details for all processes>
4. now select <options> and then <run at logon>

restart your machine and see if Process Explorer starts up automatically.

If this doesn't work, you can try to delete the registry key for Process Explorer and then repeat steps 2 through 4.

Miscellaneous Utilities : Understanding Streams

Author: pinscomputer
Subject: Understanding Streams
Posted: 16 April 2015 at 4:11pm

From the Sysinternals Administrator's Reference:

Sysinternals Streams examines files and directories you specify and reports the names and
sizes of any alternate streams it encounters. You can search directory structures and list
all the files and directories with ADSes. Optionally, you can also delete those streams—for
example, to unblock downloaded content. Its command-line syntax is
 
streams [-s] [-d] file_or_directory
 
The file_or_directory parameter is mandatory and accepts wildcards. For example, the command
 
streams *.exe
 
examines all file system objects ending in “.exe” in the current directory and lists those that have ADSes with output like the following:
 
C:\Users\Abby\Downloads\msvbvm50.exe:
       :Zone.Identifier:$DATA 26
 
In this example, the file msvbvm50.exe has a 26-byte ADS called “Zone.Identifier”.
 
You can see that stream’s content by running
 
more < msvbvm50.exe:Zone.Identifier
 
at a command prompt.
 
The -s option examines directories recursively, and the -d option deletes ADSes that it finds.
For example, the command

streams -s -d C:\Users\Abby\Downloads

searches in and under Abby's Downloads folder, reporting on and deleting any ADSes it
finds. Streams reports the names of alternate streams that it deletes.
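The same inventory done with built-in PowerShell cmdlets, as an added example that is not from this thread and not Sysinternals code: it walks a folder tree the way "streams -s" does, lists every stream other than the default :$DATA stream, prints the contents of any Zone.Identifier stream so you can see what the mark-of-the-web says before deciding to remove it, and only deletes streams when run with -Delete (the equivalent of -d). The folder path is a placeholder; the -Stream parameters on Get-Item, Get-Content and Remove-Item exist from PowerShell 3.0 onward.

```powershell
# Added example (not from the thread): report alternate data streams under a
# folder like "streams -s", show Zone.Identifier contents, and delete streams
# only when -Delete is given. Run as: .\Find-Ads.ps1 -Path C:\Users\Abby\Downloads
param(
    [Parameter(Mandatory)] [string] $Path,   # placeholder root folder
    [switch] $Delete
)

# Every NTFS file has an unnamed ':$DATA' stream; anything else is an ADS.
$files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($file in $files) {
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    if (-not $streams) { continue }

    # Same layout as the streams.exe output quoted above: path, then one line per ADS.
    Write-Output "$($file.FullName):"
    foreach ($s in $streams) {
        Write-Output ("    :{0}:`$DATA {1}" -f $s.Stream, $s.Length)

        if ($s.Stream -eq 'Zone.Identifier') {
            # Mark-of-the-web written by browsers and mail clients; ZoneId=3 means
            # the file came from the Internet zone. Show it before any deletion.
            Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier |
                ForEach-Object { Write-Output "        $_" }
        }

        if ($Delete) {
            Remove-Item -LiteralPath $file.FullName -Stream $s.Stream
            Write-Output "    deleted :$($s.Stream)"
        }
    }
}
```

Run it without -Delete first. Zone.Identifier is what SmartScreen and Office Protected View consult to treat a file as downloaded, so removing it (with this script, with "streams -d", or with the file's Unblock button) drops that protection for the file; the other, less common stream names in the report are the ones worth looking into.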

Miscellaneous Utilities : Understanding Streams

Author: Frank C
Subject: Understanding Streams
Posted: 16 April 2015 at 5:41pm

Thanks pinscomputer,
I got it to work!
Frank C

PsTools : psexec run_file

Author: mjocham
Subject: psexec run_file
Posted: 17 April 2015 at 8:54am

Hello there,

My psexec script runs perfectly, but as soon as I change the computer name to a run file it says "cannot find the file specified", no matter whether serverlist.txt is stored on a share or locally.

psexec \\fsw488v01 ==> works
psexec @\\servername\wuinstall\serverlist.txt ==> does not work

Any ideas?

Best regards, Marcus

Miscellaneous Utilities : Sysmon prohibits deleting of image

Author: virmusic
Subject: Sysmon prohibits deleting of image
Posted: 17 April 2015 at 1:07pm

As sysmon by default calculates a hash on loading an image into memory, deletion of the image after having run it is not possible, since the file is locked through sysmon during the calculation of the hash.
> run a large image (e.g. 2GB executable) and immediately delete it: a warning occurs stating the action cannot be accomplished since the file is opened by sysmon.
 
Any idea how to omit this? Can sysmon be run without calculating a hash per image?
 
thank you very much
virmusic

PsTools : Remote Install of MSI packages using PSExec

Author: Prakash Lawana
Subject: Remote Install of MSI packages using PSExec
Posted: 17 April 2015 at 2:22pm

1. Download the latest Silverlight installation package from the Silverlight website.

2. You will get a silverlight.exe. Run silverlight.exe /x to extract the content

3. Now extract the silverlight.msp from the silverlight.7z file (you can use the free 7-Zip tool to do that).

psexec -u "DOMAIN\Username" -p "PASSWORD" @(Text File)Desktop.txt -e -s msiexec /i \\Sharing Path\Silverlight\silverlight.msi /quiet

psexec -u "DOMAIN\Username" -p "PASSWORD" @(Text File)Desktop.txt -e -s msiexec /p "\\Sharing Path\Silverlight\Silverlight.msp" /quiet
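A wrapper for the "@file" form used in the psexec run_file post above and for the MSI push in this post, as an added example that is not from either poster and not part of PsTools. It reads the host list, keeps only hosts that answer a ping, writes a clean local copy for PsExec to open, checks that the package path is reachable, and then runs msiexec as SYSTEM on every host. It deliberately passes no -p: PsExec prompts for a hidden password when only -u is given, so the secret never appears on the command line, where process-creation logging (Sysmon event ID 1, for instance) and shell history would record it. The list path, share path and account are placeholders, and psexec.exe is assumed to be on the PATH.

```powershell
# Added example (not from the thread): install an MSI on every host in a text
# file through PsExec's @file syntax, without a plaintext password on the
# command line. Placeholders: list path, share path, account name.
param(
    [string] $HostListPath = 'C:\deploy\serverlist.txt',                   # placeholder, one hostname per line
    [string] $MsiPath      = '\\fileserver\deploy\Silverlight\silverlight.msi',  # placeholder UNC path
    [string] $RunAs        = 'DOMAIN\installer'                              # placeholder account
)

# Keep only hosts that answer, so PsExec does not stall on dead names.
$alive = Get-Content -LiteralPath $HostListPath |
    Where-Object { $_ -and (Test-Connection -ComputerName $_ -Count 1 -Quiet) }
if (-not $alive) { throw "No reachable hosts in $HostListPath" }

# PsExec itself opens the @file, so hand it a local copy with no blank lines.
$localList = Join-Path $env:TEMP 'psexec-hosts.txt'
$alive | Set-Content -LiteralPath $localList -Encoding ASCII

# Check the package from this machine first; the remote side fails less clearly.
if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }

# -s runs msiexec as SYSTEM on each target, which reaches the share with the
# target's computer account, so that account needs read access on the share.
# No -p: PsExec asks for the password interactively.
# PowerShell quotes $MsiPath for the native call if it contains spaces.
& psexec.exe "@$localList" -u $RunAs -s msiexec.exe /i $MsiPath /quiet /norestart
exit $LASTEXITCODE
```

The psexec exit code is the last host's msiexec result, so for a real rollout also keep PsExec's per-host output, which names each computer as it connects.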

Miscellaneous Utilities : newbie help with LiveKD

Author: rogerv
Subject: newbie help with LiveKD
Posted: 17 April 2015 at 2:30pm

Hi

I'm trying to get LiveKD to work on a Server 2012 Hyper-V host to get a memory dump of a running VM. I've downloaded the Windows 8.1 SDK (debugger tools only) and LiveKD and placed kd in the same directory. I can run LiveKD with the following command, "livekd -hvl", and get a list of running VMs. However, when I try to run
"livekd -hv vmnamehere -p -o c:\memdumps\memory.dmp" I get the following error:
 
Error resolving symbol KdVersionBlock: 126
Failed to resolve KdVersionBlock - 126
Failed to load guest symbols - 126
Failed to prepare hypervisor session for debugger - error 126

Can anybody help me get started here please ?

Miscellaneous Utilities : Sysmon prohibits deleting of image

Author: mxatone
Subject: Sysmon prohibits deleting of image
Posted: 17 April 2015 at 5:19pm

Currently, it cannot be run without the hashing functionality. We might consider it for a future version but it will restrict the features available.

Miscellaneous Utilities : Sysmon 2 Infinite Forking

Author: mxatone
Subject: Sysmon 2 Infinite Forking
Posted: 17 April 2015 at 5:20pm

Yes, it is related to how we extract the x64 binary on the temporary directory.

I wrote a fix for this problem for 3.0. This new version should be released next week.

Process Explorer : unable to extract 64-bit image

Author: Tony Stewart
Subject: unable to extract 64-bit image
Posted: 18 April 2015 at 1:21am

Did you try right-clicking and choosing Run as Administrator?

%temp% must not be restricted from user, since it is needed for extraction.

Process Explorer : Feature request - display sandboxed processes

Author: caught
Subject: Feature request - display sandboxed processes
Posted: 18 April 2015 at 4:33pm

Windows 7 Pro x86 32bit SP1 Build 7106
Firefox 37.0.1


1. I would like to see PE display sandboxed (www.sandboxie.com) processes without having to set the view to show processes from all users.

2. I would also like to see processes like the Adobe Flash plug-in displayed in the process list when running the browser sandboxed or unsandboxed, as the Windows Task Manager does. When I run Firefox, I find that the Flash player causes many problems with the browser, so it often becomes convenient to kill the Flash player plug-in and restart it.

BgInfo : Showing SSID

Author: WindowsStar
Subject: Showing SSID
Posted: 19 April 2015 at 11:33pm

Here you go:

On Error Resume Next

' Run a WMI query in the root\wmi namespace and hand back the result set.
Private Sub GetWMI(WMIArray, WMIQuery)
    On Error Resume Next
    Set WMIClass = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\wmi")
    If Not (WMIClass Is Nothing) Then Set WMIArray = WMIClass.ExecQuery(WMIQuery)
End Sub

' Return the SSID of the active 802.11 adapter, or "" if none is found.
Function SSID()
    On Error Resume Next
    Call GetWMI(objMSNdis_80211_ServiceSetIdentifierSet, "Select * from MSNdis_80211_ServiceSetIdentifier Where active=true")
    For Each objMSNdis_80211_ServiceSetIdentifier In objMSNdis_80211_ServiceSetIdentifierSet
        ' Ndis80211SsId is a byte array: bytes 0-3 hold the SSID length
        ' (an NDIS_802_11_SSID), and the SSID characters start at offset 4.
        ID = ""
        For i = 0 To objMSNdis_80211_ServiceSetIdentifier.Ndis80211SsId(0) - 1
            ID = ID & Chr(objMSNdis_80211_ServiceSetIdentifier.Ndis80211SsId(i + 4))
        Next
        SSID = ID
    Next
End Function

' BGInfo custom VBScript fields return their value through Echo.
Echo SSID()


Edited by WindowsStar - 2 hours 21 minutes ago at 11:34pm