Channel: Sysinternals Forums

Miscellaneous Utilities : newbie help with LiveKD

Author: rogerv
Subject: newbie help with LiveKD
Posted: 20 April 2015 at 9:13am

So further investigation, used the following cmd:

livekd -hv vmnamehere -p -o c:\memdump\memory.dmp -vsym

and it loads symbols for ntoskrnl.exe then seems to fail saying it cannot find ntkrnlmp.pdb - file not found.

I've tried pointing windbg.exe for symbols at a local path but that does not seem to help. Can anybody give guidance here please?

PsTools : procdump to capture process not running as service

Author: capricorn80
Subject: procdump to capture process not running as service
Posted: 20 April 2015 at 12:02pm

Hi!
 
I have backup software with service name Agent. The software contains compoundfileanalyzer.exe process that is crashing. I cannot filter on computerfileanalyzer as it's not running as a service.
 
I get many crashes for computerfileanalyzer.exe and in the event log I can see it's pointing to KernelBase.dll.
 
Is there a way I can capture a dump for this computerfileanalyzer.exe and use the debug tool to get more information?
 
Thanks

Miscellaneous Utilities : newbie help with LiveKD

Author: rogerv
Subject: newbie help with LiveKD
Posted: 20 April 2015 at 12:50pm

Ok, so finally got it working. Not sure what 'fixed' the issue but I carried out the following:

ran livekd with no switches and accepted all defaults
ran (and reran) a set command for setting the _NT_SYMBOL_PATH variable
copied kernel32.dll & ntoskrnl.exe from guest to symbol location
copied livekd.exe to the x32 debug folder as well as the x64 folder
Closed all the command prompts
opened up new cmd prompt (with admin rights)

and now the command works. Not sure which of the above fixed the issue.

Miscellaneous Utilities : Sysmon2 Gigs Of Memory

Author: SittingOvation
Subject: Sysmon2 Gigs Of Memory
Posted: 20 April 2015 at 2:08pm

Hello,

I've been testing out Sysmon 2 on a test VM that I have. The VM is a base install of Windows 7 x64, no added programs aside from chrome browser and notepad++. I configured Sysmon 2 to turn on all the bells and whistles. I am then utilizing a script to keep up with Sysmon's event output and extract information.

I started getting errors after it was running for over a day that indicated resources were critically low, causing failures. Sure enough, Sysmon2 appears to be hogging 1.6 Gigs of memory. I have rebooted the VM and sysmon is back down to 30 MB total memory use.

Process Explorer : Incorrect virtual size

Author: 7abib0
Subject: Incorrect virtual size
Posted: 21 April 2015 at 12:36am

Hello,

Does anyone know why Process Explorer might show these weird values for VS ?


Process Explorer : Incorrect virtual size

Author: MagicAndre1981
Subject: Incorrect virtual size
Posted: 21 April 2015 at 5:02am

The values are fine. This is the impact of Control Flow Guard since the November Update Rollup for Windows 8.1:

In order to function, CFG requires the use of optimized bitmaps in order to determine the validity of indirect calls, and on 64-bit Windows, this bitmap requires 2 TB of space.

http://www.alex-ionescu.com/?p=246

Process Monitor : Can't start procmon

Author: capstoner
Subject: Can't start procmon
Posted: 21 April 2015 at 3:11pm

I am no longer able to run procmon on my system. I have used procmon many times before on this same system without problems. I installed the very latest version (as of Apr 21, 2015) in hopes that the newest version would have fixed a bug, but even the new version does not run.
I have tried to run as my normal domain user and also as administrator.
 
Here are the details of my system:
Dell Precision 7600
16GB RAM
Win 7 x64 with all latest security updates
Trend Micro Office Scan
 
I would like to reiterate that I have used Procmon many times before on this same system,
with the same OS and other software, including the TrendMicro anti-virus. 
 
Also, I do not see anything in the event viewer, but perhaps I am not looking in the correct places.
 
Has anyone else had this sort of problem?
 

PsTools : procdump to capture process not running as service

Author: pinscomputer
Subject: procdump to capture process not running as service
Posted: 21 April 2015 at 3:32pm

It is not very clear what problem you are trying to solve.
 
If you have the sysinternals tools downloaded to your computer, PROCDUMP should be able to capture a dump file of "computerfileanalyzer.exe" with the following process:
 
 
create a directory c:\dumps
procdump -ma computerfileanalyzer.exe c:\dumps\analyzer.dmp
 
there are other optional flags that can be added to the command.   These are listed on the sysinternals web page for procdump here:
 
 
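The capture described above, as an added PowerShell example that is not from the post: it creates the dump directory, then runs ProcDump so that a full dump is written when the process raises an unhandled exception (the crash the original poster sees attributed to KernelBase.dll). It assumes procdump.exe is on PATH; the process name and dump path are placeholders taken from the thread.

```powershell
# Added example, not part of the forum post. Capture a full dump of a crashing
# process that is not a Windows service. Assumes procdump.exe is on PATH.
param(
    [string]$ProcessName = 'computerfileanalyzer.exe',   # placeholder from the thread
    [string]$DumpDir     = 'C:\dumps'                      # placeholder from the answer
)

# Step 1 from the answer: make sure the dump directory exists.
if (-not (Test-Path -LiteralPath $DumpDir -PathType Container)) {
    New-Item -ItemType Directory -Path $DumpDir | Out-Null
}
$dumpFile = Join-Path $DumpDir 'analyzer.dmp'

# Documented ProcDump switches used here:
#   -accepteula  skip the first-run EULA prompt so the script is non-interactive
#   -ma          full memory dump (the flag given in the answer)
#   -e           write the dump on an unhandled exception, i.e. at the crash
#   -w           wait for the process to start if it is not running yet
$procArgs = @('-accepteula', '-ma', '-e', '-w', $ProcessName, $dumpFile)

Write-Host "Waiting for $ProcessName to start and crash; dump will go to $dumpFile"
& procdump.exe @procArgs
$exitCode = $LASTEXITCODE

# Show what was produced; the .dmp can then be opened in WinDbg for analysis.
Get-ChildItem -LiteralPath $DumpDir -Filter '*.dmp' |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize

Write-Host "procdump exit code: $exitCode"
```

Run it from an elevated prompt before the next crash; ProcDump exits on its own once the dump has been written.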

Process Monitor : Can't start procmon

Author: pinscomputer
Subject: Can't start procmon
Posted: 21 April 2015 at 4:07pm

Have you tried, as was suggested in the link you posted, to run PROCMON in 32-bit mode to isolate the problem as x32 vs. x64?
From the Sysinternals admin reference:
 
To simplify packaging, distribution, and portability without relying on installation programs,
all of the Sysinternals utilities are single 32-bit executable images that can be launched
directly.
 
They embed any additional files they might need as resources and extract them
either into the folder in which the program resides or, if that folder isn’t writable (for
example, if it’s on read-only media), into the current user’s %TEMP% folder. The program
deletes extracted files when it no longer needs them.
 
 
I would suggest you open an administrative command prompt and execute:
SET
 
Look for entries similar to the following Windows 7 defaults:
TEMP=C:\Users\owner\AppData\Local\Temp
TMP=C:\Users\owner\AppData\Local\Temp
 
You can check to make sure the TEMP directory is present by using the following process:
 
press the START (globe)
enter %TEMP% in the "search programs and files" box
press enter
 
Does an EXPLORER window open showing the TEMP directory and its file contents?
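The checks in this reply, as an added PowerShell example that is not from the post: it verifies that TEMP and TMP are set and point at an existing, writable directory, that the folder holding the tool (the location tried first for extracted files) is writable, and that the prompt is elevated. The tool path is a placeholder.

```powershell
# Added example, not part of the forum post. Verify the two places a Sysinternals
# tool extracts its embedded files to: its own folder, then %TEMP% as fallback.
param([string]$ToolPath = 'C:\Tools\Sysinternals\Procmon.exe')   # placeholder

function Test-DirWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Create and delete a uniquely named probe file to prove write access.
    $probe = Join-Path $Dir ("write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# 1. TEMP and TMP, as shown by SET in the reply, must resolve to a usable directory.
foreach ($name in 'TEMP', 'TMP') {
    $val = [Environment]::GetEnvironmentVariable($name)
    if (-not $val) { Write-Warning "$name is not set"; continue }
    Write-Host ("{0,-4} = {1}  exists and writable: {2}" -f $name, $val, (Test-DirWritable $val))
}

# 2. The tool's own folder is tried first; if it is read-only the tool falls back
#    to %TEMP%, so a failure here only matters when the TEMP check also fails.
$toolDir = Split-Path -Parent $ToolPath
Write-Host ("tool folder {0}  writable: {1}" -f $toolDir, (Test-DirWritable $toolDir))

# 3. Procmon loads a kernel driver, so it needs an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
Write-Host ("running elevated: {0}" -f $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator))
```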

Autoruns : Autoruns v13/v13.1/v13.2/v13.3 ignores HKCU hooks

Author: Aditza
Subject: Autoruns v13/v13.1/v13.2/v13.3 ignores HKCU hooks
Posted: 21 April 2015 at 4:36pm

bump..

Just tested Autoruns v13.3 published on April 20th (digital signature by Microsoft says April 8th)... it still ignores HKCU hooks on my system.
v12.03 is the last one that works properly so far.


Edited by Aditza - 10 hours 27 minutes ago at 4:45pm

Miscellaneous Utilities : Handle.exe Error Loading Driver

Author: erickulcyk
Subject: Handle.exe Error Loading Driver
Posted: 21 April 2015 at 5:31pm

Hello, I am trying to delete handles owned by Visual Studio during an msbuild run. I am using the command:

handle.exe -p devenv $(TargetDir) > $(IntermediateOutputPath)TargetHandles.txt

Occasionally on some machines I get the following output in TargetHandles.txt:

Handle v3.5
Copyright (C) 1997-2012 Mark Russinovich
Sysinternals - www.sysinternals.com

Error loading driver:
T


I know there have been several threads before about Error loading driver, but all the ones I have seen have Access Denied in them, not just the single letter "T". Does anyone know what that means?

 

Thanks,

Eric

Miscellaneous Utilities : TCPView not displaying new connections

Author: systemuser
Subject: TCPView not displaying new connections
Posted: 21 April 2015 at 9:15pm

At some point my ancient 64-bit Windows 8.1 hardwire-network-connected machine stopped displaying any byte/packet counter numbers via TCPView. I have no clue what caused this since it worked fine some time ago; simply due to the number of variables there could be any number of causes, TCPView or not.

Using a copy of the TCPView program I was able to see packet/byte counts on a different Windows 8.1 64-bit machine; that machine is a non-Pro Windows 8.1 64-bit laptop, the non-working machine is a Pro Windows 8.1 64-bit desktop; both use different networking interfaces.

This remains the case.

I suspect some change via Windows Update hit something, though whether that was a normal Windows Update or simply an optional device driver update is unknown.

But, in any case, TCPView works fine otherwise for anything other than byte/packet counts. I've been looking around for alternatives recently and will get back here if I find something that works.

I grabbed and have briefly used Wireshark for something else and that, with WAY too much info, can catch and display anything on the machine so that's currently my fallback.

Process Explorer : Strange font in some columns

Author: mymyxin
Subject: Strange font in some columns
Posted: 21 April 2015 at 10:36pm

Hi,

I do have a strange font in some columns, other columns aren't affected.
Did already try the tip to delete the HKEY_CURRENT_USER\Software\Sysinternals\Process Explorer
key but problem still exists.

Here is an example of how it looks.



Any ideas?

Sorry, forgot to mention that it runs on Windows 7 Professional 64bit SP1.

Thank you
myxin


Edited by mymyxin - 3 hours 51 minutes ago at 11:21pm

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: Emvy
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 21 April 2015 at 11:02pm

Hi Andre, I'm having the same error after typing what you said: xperf: error: NT Kernel Logger: Cannot create a file when that file already exists <0xb7>. But I think it's because I misspelled some of the commands you mentioned. Can you help with this please?

Process Monitor : Bug: memory leak in ProcMon 3.10

Author: LMiller7
Subject: Bug: memory leak in ProcMon 3.10
Posted: 22 April 2015 at 6:23pm

The best way to check for a memory leak is to look at the Commit size of the process. The Private working set is under control of the system memory manager and can vary widely over time depending on system usage.

Process Monitor : Bug: memory leak in ProcMon 3.10

Author: ctvarner
Subject: Bug: memory leak in ProcMon 3.10
Posted: 22 April 2015 at 6:40pm

Upon further consideration, this may not be a true "leak" per se, by the strict definition of the word: ProcMon may still have handles to every last byte it has allocated, and may be perfectly capable of freeing every single one when it reaches a point in the code that would attempt to do so. Perhaps it would be more accurate to say that ProcMon is using ever-increasing amounts of memory, as measured by both private working set and commit size, without necessarily concluding that this increase is due to a memory leak.
The same ProcMon process described in my original post is still running, with all the same parameters, history depth, filters, still no MyExecutable.exe process to monitor so no events displayed, etc. Per task manager, when I first added the "commit size" column a few minutes ago, private working set had increased to 144k, and commit size was 159k. I let it sit for another 5-10 minutes; private working set is now about 147k, and commit size has ticked up to 163k.
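The measurement discussed in this thread (commit size versus private working set as the leak indicator) and the CFG virtual-size point from the Process Explorer thread above, as one added PowerShell example that is not from any post: it samples a process's counters over time, flags a virtual size in the terabyte range as the CFG bitmap reservation rather than memory in use, and reports whether commit charge rose in every sample. The process name, sample count and interval are placeholders.

```powershell
# Added example, not part of any forum post. Sample one process's memory counters
# and report whether commit charge (Task Manager "Commit size") keeps rising.
param(
    [string]$Name        = 'Procmon*',   # placeholder; wildcard covers Procmon64.exe too
    [int]   $Samples     = 6,            # placeholder
    [int]   $IntervalSec = 60            # placeholder
)

function Get-MemSample {
    param([string]$ProcName)
    $p = Get-Process -Name $ProcName -ErrorAction Stop | Select-Object -First 1
    [pscustomobject]@{
        Time      = Get-Date -Format 'HH:mm:ss'
        VirtualGB = [math]::Round($p.VirtualMemorySize64 / 1GB, 1)  # inflated by the CFG bitmap reservation
        CommitMB  = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)  # private bytes = commit charge
        WSetMB    = [math]::Round($p.WorkingSet64 / 1MB, 1)         # managed by the memory manager, noisy
    }
}

$history = @()
for ($i = 0; $i -lt $Samples; $i++) {
    $s = Get-MemSample $Name
    $history += $s
    Write-Host ("{0}  VS {1,8} GB  Commit {2,9} MB  WS {3,9} MB" -f `
        $s.Time, $s.VirtualGB, $s.CommitMB, $s.WSetMB)
    # A virtual size of roughly 2 TB on 64-bit Windows 8.1 with CFG is the bitmap
    # reservation described in the Process Explorer thread, not memory in use.
    if ($i -eq 0 -and $s.VirtualGB -ge 1024) {
        Write-Host '  (VS above 1 TB is the CFG reservation, not memory in use)'
    }
    if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSec }
}

# Commit charge rising in every sample is the signal worth investigating; a rising
# working set on its own is not, since the system can trim or grow it at will.
$rising = $history.Count -gt 1
for ($i = 1; $i -lt $history.Count; $i++) {
    if ($history[$i].CommitMB -le $history[$i - 1].CommitMB) { $rising = $false }
}
Write-Host ("commit rose in every sample: {0}" -f $rising)
```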
 

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 22 April 2015 at 6:52pm

Stop any other tool which uses ETW (ResMon, ProcessHacker)

http://www.msfn.org/board/topic/155479-xperf-error-nt-kernel-logger-cannot-create-a-file-when-that-file-al/

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 22 April 2015 at 7:40pm

I got the file, but I can't see any high CPU usage from the kernel. Run the xperf command when you have the issue.

Autoruns : advice from MS tech support and errors

Author: mikesndbs
Subject: advice from MS tech support and errors
Posted: 22 April 2015 at 9:07pm

Thanks, will have a go