Channel: Sysinternals Forums

Troubleshooting : Deleted VMkbd.sys, no input from keyboard

Author: beepee
Subject: Deleted VMkbd.sys, no input from keyboard
Posted: 06 May 2015 at 11:36pm

The vmkbd.sys in \windows\system32\drivers\ is not initially in Windows 8; it was added by VMware.
Disabling the vmkbd service disables the keyboard and mouse touchpad on my laptop.
However, with a USB mouse and the on-screen keyboard it was possible to log on and select a restore point that worked. Still had vmkbd.sys.
It acts like a virus program! It can even capture all your keyboard entries and do whatever bad with it.

BgInfo : Show AD description

Author: banshii
Subject: Show AD description
Posted: 07 May 2015 at 12:43am

Hello,

Is it possible to show the description set for the Active Directory computer object? (right-click computer object in AD, click properties, description field)

If this is possible, how?

Thank you!

Miscellaneous Utilities : Need help with procdump.

Author: pinscomputer
Subject: Need help with procdump.
Posted: 07 May 2015 at 2:18am

Not sure if it is a typo in the command line you posted....
The -e switch can be either "-e" or "-e 1".
 
I believe the command line should be
c:\path_to_procdump\procdump.exe -accepteula -e 1 -f c0000005 -w myapp.exe -ma c:\dumpsfilewritelocation
 
There are 3 video training guides covering ProcDump here. They are a little dated but still have valid information.
 
 
 

BgInfo : Show AD description

Author: WindowsStar
Subject: Show AD description
Posted: 07 May 2015 at 4:51am

Yes you can use a VBScript to get that information and display it. -WS

Process Monitor : Monitoring GetProcAddress?

Author: MagicAndre1981
Subject: Monitoring GetProcAddress?
Posted: 07 May 2015 at 4:59am

There is no tool from Sysinternals for this, but try API Monitor:

http://www.rohitab.com/apimonitor

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 07 May 2015 at 5:02am

Yeah, looks much better now.

I use SpeedFan to lower the fan speed on my Dell Inspiron 15R SE. Try whether it also works for your Latitude D830.

http://www.almico.com/sfarticle.php?id=5

Miscellaneous Utilities : Need help with procdump.

Author: slmax
Subject: Need help with procdump.
Posted: 07 May 2015 at 6:08am

Thanks, WER " it works!"

Process Monitor : Catching incoming network requests

Author: rossmcm
Subject: Catching incoming network requests
Posted: 07 May 2015 at 6:13am

Answering my own question:

It's easy: just select Filter/Enable Advanced Output and you get everything. Bear in mind that logs can get very big very quickly. You might also like to use the Filter/Drop Filtered Events option so that you only save events that match whatever filters you have in use.

To give you some idea of the sort of scale we are talking about, an overnight run of a task generated 30 million lines in the log, and the associated data when saved to a PML file (ProcMon's native format) was 12 GB in size, even with Drop Filtered Events enabled. However, this zipped down to 1.6 GB.


Process Monitor : ** Feature request list **

Author: rossmcm
Subject: ** Feature request list **
Posted: 07 May 2015 at 6:17am

My feature - the ability to save the log to a text file (no XML, no CSV - just a representation of what's on screen).

This would make it easy to use existing text file tools like Grep, and editors/viewers that can handle very large files.



BgInfo : Show AD description

Author: banshii
Subject: Show AD description
Posted: 07 May 2015 at 5:18pm

Hi, thank you for pointing me in the right direction. Unfortunately, I am very unfamiliar with VBScript. After lots of searching Google for how to get an AD computer object description, I have come up blank.

Is there anyone here who is more familiar with VBScript than I am who can provide me with a simple VBScript to pull the computer object's description from Active Directory for use with BGInfo? Or at least point me to a link so I can figure it out?

Thank you!

Internals : pHandleEntryList inside sharedInfo is null

Author: alias1
Subject: pHandleEntryList inside sharedInfo is null
Posted: 07 May 2015 at 5:28pm

Found that you can use
/* user32 exports the (undocumented) gSharedInfo symbol; keep the result as a pointer, a DWORD would truncate it on x64 */
void *SharedInfo = (void *)GetProcAddress(LoadLibraryA("user32"), "gSharedInfo");


but ServerInfo.cHandleEntries is 0, back to OP problem.

BgInfo : error while update database

Author: mgranto
Subject: error while update database
Posted: 07 May 2015 at 7:10pm

This is still an unresolved issue, and I'm having to use the older version.  Any word on an update/fix/workaround?

BgInfo : Show AD description

Author: banshii
Subject: Show AD description
Posted: 07 May 2015 at 10:44pm

Answered here:

http://community.spiceworks.com/topic/938827-vbscript-to-pull-ad-computer-description-for-bginfo?page=1#entry-4598521

BgInfo : Show AD description

Author: WindowsStar
Subject: Show AD description
Posted: 08 May 2015 at 6:10am

Wow, that is the super hard way. Here is a simple VBScript to get the computer description.
 
' Get Computer Description v1.1.vbs
' Programmed by WindowsStar- Copyright (c) 2015
' Special BGInfo Script - Free to Use
' --------------------------------------------------------
 
On Error Resume Next
 
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
Echo objComputer.Description
 

Miscellaneous Utilities : Sysmon 3.0: ImageLoad Rule Not Working

Author: mxatone
Subject: Sysmon 3.0: ImageLoad Rule Not Working
Posted: 08 May 2015 at 6:17pm

That is correct. I did more investigation with the help of another user who provided his full configuration.

I identified the problem and fixed it. I will also add additional unit testing to ensure this issue does not come back.

Thanks for your help!

Miscellaneous Utilities : Sysmon 3.0 Issue: "Signing queue is full"

Author: qcjacobo
Subject: Sysmon 3.0 Issue: "Signing queue is full"
Posted: 08 May 2015 at 6:36pm

I am seeing thousands of events from Event ID 7 where the "Signed" field contains the following string: "failed: Failed to open file for signature check".  Hoping this is a "bug" and not expected behavior.  Given the sheer numbers within a short period of time, it would be difficult to enable this functionality on a larger scale.  Note that this seemed to be an issue when booting the machine up as I did not see this much after that.  Aside from the "noise factor", I guess my biggest concern is missing data that may be relevant to a security investigation. 

Please advise.
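As an added example (not from the post above and not Sysmon's own code), the triage a practitioner would run over those Event ID 7 records: parse the Sysmon event XML, bucket each ImageLoad by its Signed field, treat "Failed to open file for signature check" results inside a boot window as noise to be counted per image, and surface the ones that occur later as loads whose signing state is unknown and must be verified some other way. It assumes the Sysmon EventData field names UtcTime, Image, ImageLoaded, Hashes and Signed; the event records, hash values and the five-minute boot window are constructed for the example.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records by their Signed field.

Added example for the forum post; not Sysmon's code and not from the forum.
Assumes the Sysmon event XML layout with EventData fields named UtcTime, Image,
ImageLoaded, Hashes and Signed. The events below are constructed for the
example, and the five-minute boot window is an assumed heuristic."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SIG_CHECK_FAILED = "failed: Failed to open file for signature check"
UTC_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon's UtcTime format


def parse_event(xml_text):
    """Return (EventID, {field name: value}) for one Sysmon event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, fields


def classify(fields):
    """Map the Signed field to signed / unsigned / check_failed / unknown."""
    signed = fields.get("Signed", "").strip()
    if signed.lower() == "true":
        return "signed"
    if signed.lower() == "false":
        return "unsigned"
    if signed.startswith("failed:"):
        return "check_failed"
    return "unknown"


def triage(xml_events, boot_time, boot_window=timedelta(minutes=5)):
    """Count ImageLoad events per signature state.

    Signature-check failures inside the boot window are tallied as noise per
    loaded image; failures after it are returned as gaps: loads whose signing
    state is unknown and must be verified another way (hash lookup, file check).
    """
    summary = Counter()
    boot_noise = defaultdict(int)
    gaps = []
    for xml_text in xml_events:
        event_id, fields = parse_event(xml_text)
        if event_id != 7:
            continue  # only ImageLoad records carry a Signed field
        state = classify(fields)
        summary[state] += 1
        if state != "check_failed":
            continue
        when = datetime.strptime(fields["UtcTime"], UTC_FMT)
        if when - boot_time <= boot_window:
            boot_noise[fields["ImageLoaded"]] += 1
        else:
            gaps.append((fields["UtcTime"], fields["Image"],
                         fields["ImageLoaded"], fields.get("Hashes", "")))
    return summary, dict(boot_noise), gaps


def make_event(event_id, utc, image, loaded, signed,
               hashes="SHA1=0000000000000000000000000000000000000000"):
    """Build a constructed Sysmon event record (hash values are placeholders)."""
    data = {"UtcTime": utc, "Image": image, "ImageLoaded": loaded,
            "Hashes": hashes, "Signed": signed}
    body = "".join('<Data Name="%s">%s</Data>' % (k, v) for k, v in data.items())
    return ('<Event xmlns="%s"><System><EventID>%d</EventID></System>'
            '<EventData>%s</EventData></Event>' % (NS["e"], event_id, body))


BOOT_TIME = datetime(2015, 5, 8, 13, 0, 0)  # constructed boot timestamp
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    make_event(7, "2015-05-08 13:00:05.001", r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\sample1.dll", SIG_CHECK_FAILED),
    make_event(7, "2015-05-08 13:00:20.002", r"C:\Windows\System32\svchost.exe",
               r"C:\Windows\System32\sample1.dll", SIG_CHECK_FAILED),
    make_event(7, "2015-05-08 13:01:30.003", r"C:\Windows\explorer.exe",
               r"C:\Windows\System32\sample2.dll", SIG_CHECK_FAILED),
    make_event(7, "2015-05-08 13:02:00.004", r"C:\Windows\explorer.exe",
               r"C:\Windows\System32\sample3.dll", "true"),
    make_event(7, "2015-05-08 14:30:00.005", r"C:\Users\Public\tool.exe",
               r"C:\Users\Public\sample.dll", SIG_CHECK_FAILED),
    make_event(7, "2015-05-08 14:31:00.006", r"C:\Users\Public\tool.exe",
               r"C:\Users\Public\helper.dll", "false"),
    make_event(1, "2015-05-08 14:32:00.007", r"C:\Users\Public\tool.exe", "", ""),
]


def run_sample():
    """Triage the constructed records; returns (summary, boot_noise, gaps)."""
    return triage(SAMPLE_EVENTS, BOOT_TIME)


if __name__ == "__main__":
    summary, noise, gaps = run_sample()
    print("by state:", dict(summary))
    print("boot-window check failures per image:", noise)
    for utc, image, loaded, hashes in gaps:
        print("VERIFY", utc, image, "loaded", loaded, hashes)
```

The split matters for the concern raised in the post: a burst of check failures during boot is a volume problem, but a failure an hour later on a DLL under a user-writable path is a signing verdict you do not have, so the script lists those with their hashes rather than counting them away.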

Process Monitor : Can't start procmon

Author: Kattz
Subject: Can't start procmon
Posted: 09 May 2015 at 9:14am

This hack doesn't seem to work anymore, at least for me.

I at least got a UAC prompt when I ran the new file. That's more than I had before.

I have had this notebook for years and I have never had a problem with running any Sysinternals tools before.

My specs are:
- AMD Athlon X2 Dual-Core QL-62
- 4 GB of RAM
- Windows 7 SP1
- Kaspersky AV
- MS SDK v7.1
- Visual Studio Community 2012
and that's it.

Any suggestions would be appreciated. I'm stumped.

Thanks.


Process Monitor : Serious: ISP blocks me when ProcMon is running

Author: reyaz
Subject: Serious: ISP blocks me when ProcMon is running
Posted: 10 May 2015 at 9:57am

The problem is rather serious: my ISP blocks my internet VPN connection after I run ProcMon for a few minutes. Then I have to call them and ask to unblock me.

They say they detect a lot of forbidden traffic, namely - Link-Local Multicast Name Resolution (LLMNR). There is so much of it their systems mark it as flood and thus block me.

I've tested a lot of scenarios and everything confirms this - ProcMon is the reason. This happens when I start actual monitoring.

In ProcMon, "Show Network Activity" is disabled, "Show Resolved Network Addresses" is also disabled. Only file system and registry monitoring are enabled. I've already tried blocking ProcMon in my Windows Firewall completely, it didn't help. My PC is also virus-free. I don't have this problem with any other software.

I'm using fully updated Windows 8.1 x64.

How can I debug this issue and fix it? Please don't suggest using 3rd party firewall software.



Edited by reyaz - 21 hours 16 minutes ago at 10:07am

Miscellaneous Utilities : TCPView is not showing Sent/Received bytes

Author: systemuser
Subject: TCPView is not showing Sent/Received bytes
Posted: 11 May 2015 at 1:18am

Okay, this is weird.

After months and months and months of absolutely no packet/byte count display using (possibly two versions of) TCPView, today I tried it out again and they're back!

This is using the same last version of TCPView that did not work completely before.

So what changed?

Well... I made the mistake of installing the optional Windows 8.1 update that was offered within the last week, KB3022345, without actually reading what it was all about. When I found out that it was essentially the enabling of a keylogger et al. with zero benefit to the user (me), I attempted to uninstall it and that broke. So I spent hours tracking down a method to uninstall it and eventually found this: http://www.networkworld.com/article/2226753/microsoft-subnet/how-users-are-fixing-windows-8-1-update-install-problems.html

which purports to be a fix of some type that would then allow a corrupt update file to be uncorrupted so that darn "patch" could be removed. To make this short story a little longer, that set of steps failed and I still could NOT remove that unwanted "optional" update, so I simply disabled the "Diagnostic Tracking Service" and hope I'm still rather private.

But after all that - the install of that keylogger, the attempt to use Windows Update Uninstall to remove it, then most of the steps at the link above, TCPView started showing packet and byte counts again!

Yay!

So - you guys who know the networking internals thoroughly and actually know what the steps I took DO (not me! not me!) now have a strong clue about what caused the counts to disappear and what caused the counts to reappear.
