
Process Explorer : Autostart data sometimes missing (16.05)

Author: dcbarry
Subject: Autostart data sometimes missing (16.05)
Posted: 11 May 2015 at 5:43pm

Hmmm...


Autostart data seems to appear and disappear in both process and single process view at random --- at least, not in any discernible process.


In looking around, I haven't seen this mentioned. Any thoughts? Bug or user error?

d.


Miscellaneous Utilities : TCPView is not showing Sent/Received bytes

Author: systemuser
Subject: TCPView is not showing Sent/Received bytes
Posted: 11 May 2015 at 7:05pm

[My sincere apologies for replying to my own replies, however I think the actual sequence of events/discoveries is important]

Okay, I found the problem with byte and packet counts not appearing under TCPview.

There is a file called "fastprox.dll". If this file exists then at least SOME Steam games cease to work with a shaderapidx9.dll error - in particular in my case, the Portal 2 game ceases to work. As such, the fix for the Steam game(s) is to rename the "fastprox.dll" file to something else (that is, remove the file essentially). This works great for game playing and is what I did months ago.

But that might (apparently) break some WMI functionality.

When I made the previous post noting I was getting byte/packet counts again after months with tcpview, I hadn't tried out Portal 2 again. Today I did after thinking about this weirdness and it broke. When I "fixed" Portal 2 by renaming fastprox.dll, TCPView broke.

This was tested multiple times back and forth.

So, at least in my case, the lack of byte/packet counts under TCPView was caused by the renaming of fastprox.dll.

This file is in C:\Windows\SysWOW64\wbem

====

The reason the counts reappeared as noted in the previous post is because the steps mentioned in the link in the previous post include automatically restoring files that shouldn't have disappeared...like fastprox.dll...

Miscellaneous Utilities : Events in event log not displaying all information

Author: dfranciscus
Subject: Events in event log not displaying all information
Posted: 11 May 2015 at 9:10pm

After installing sysmon on a Windows 7 and then a Server 2012 R2 machine, I am getting the same behavior where the events all state "The description for Event ID 1 from source Microsoft-Windows-Sysmon cannot be found". This is a sample event.

-----------------------------------

The description for Event ID 3 from source Microsoft-Windows-Sysmon cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

5/11/2015 8:08 PM
EV_RenderedValue_1.00
720
C:\Windows\system32\svchost.exe
NT AUTHORITY\NETWORK SERVICE
tcp
False
172.16.52.58
localhostname
62080
False
172.16.52.205
hostname.domain.edu
135
epmap

The publisher has been disabled and its resource is not available. This usually occurs when the publisher is in the process of being uninstalled or upgraded


------------------------------------------


I installed sysmon by doing:

 .\Sysmon.exe -i -n -accepteula

Then...

sysmon -c -n -l -h md5,sha1,sha256

I also tried 

sysmon -m to update the manifest but to no avail.

Any ideas?

PsTools : psexec access denied on target machine W2K8

Author: Muhammimi
Subject: psexec access denied on target machine W2K8
Posted: 12 May 2015 at 4:31am

Hi;
I encountered a situation where PSEXEC was executed on a source machine running Windows 2008 R2 Service Pack 1 Build 7601 and received an error "access denied"

psexec \\192.168.100.103 -u domain\administrator -p p@w0rd \\192.168.100.104\ncircle\ncircle_prereq.bat

PsExec could not start \\192.168.100.104\ncircle\ncircle_prereq.bat on 192.168.100.103:
  Access is denied.

The target machine is running Windows 2008 Service Pack 2 Build 6002 and is joined to an AD domain. I also confirmed the pre-reqs on the target machine for PSEXEC are met as below;

1) Workstation service is running
2) Server service is running
3) The Admin$ share is available
4) Printer and File Sharing is active
5) UAC is disabled
6) LocalAccountTokenFilterPolicy (reg_dword) = 1 

I had also run this command and the result is positive.

net use \\192.168.100.103\Admin$ /user:administrator 
dir \\192.168.100.103\Admin$ 
net use \\192.168.100.103\Admin$ /delete 

Hence, need to know what next action I need to troubleshoot pertaining to "access denied" issue.

Please advise.

Thanks

BgInfo : BGInfo - Mcafee Virus Scan 8.7 Variables

Author: tsvyak07
Subject: BGInfo - Mcafee Virus Scan 8.7 Variables
Posted: 12 May 2015 at 10:33am

Hello, my dear friend, I used your script, but it is not working. I get an error message; please tell me what the problem is?

Error evaluating scripted field 'GetMcAfeeInfo'
Microsoft VBScript runtime error
Line 5, position 0
Variable is undefined: 'WScript'
[OK] 


Miscellaneous Utilities : Desktops and Autoit (German)

Author: Silvermoon
Subject: Desktops and Autoit (German)
Posted: 12 May 2015 at 11:34am

Hello forum

XP (sp3)

Sorry, I don't speak English.

I would like to activate the individual desktops with "Autoit".

With:

Send("!3") ……….(Alt + 3)

It does work.

But afterwards the whole keyboard mode is faulty.

How can I switch programmatically to the individual desktops?

Thanks for your help

Silvermoon

PsTools : PsExec Couldn't access, The handle is invalid

Author: M__A__K
Subject: PsExec Couldn't access, The handle is invalid
Posted: 12 May 2015 at 1:04pm

I am trying to execute batch scripts at remote machine using PsExec from my c# code.
This is how my command looks like:
..\PsExec.exe \\machine_ip -u User -p Password -s -e -accepteula path_to_script_at_shared_folder.bat

For some machines it works well, but for others I always get the following error:
Couldn't access "remote machine":
The handle is invalid.

When I try to execute the same script from the console, it works well.

I can't be sure that the problem is in my code (because it works for other machines).
I can't be sure that the problem is in the PsExec tool or machine configuration (because it works from the console).

I need some info about the reasons for the PsExec error to determine this bug.

P.S. I didn't attach c# code but if it can help I can do this.

Site Suggestions : Sysmon - Event Filtering

Author: ster07
Subject: Sysmon - Event Filtering
Posted: 12 May 2015 at 2:04pm

Hi,

Currently, I can only filter sysmon events on individual fields. I would like to be able to create complex filters. As an example, I want to filter out a network connection where sourceport = 137 AND Image = System. I also would want to filter on CIDR notations (i.e., show me connections to non-RFC-1918 addresses).
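The two filters requested above (a compound AND on two fields, and a CIDR test against the RFC 1918 ranges), worked through as an added example over constructed Sysmon Event ID 3 records; this is illustration code, not Sysmon's own configuration syntax, and the field names and sample values are assumed.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# Constructed sample events carrying the Sysmon Event ID 3 (network connection) fields we filter on.
SAMPLE_EVENTS: List[Event] = [
    {"Image": "System", "SourcePort": 137, "DestinationIp": "192.168.1.255"},
    {"Image": r"C:\Windows\system32\svchost.exe", "SourcePort": 62080, "DestinationIp": "172.16.52.205"},
    {"Image": r"C:\Users\alice\tool.exe", "SourcePort": 49152, "DestinationIp": "203.0.113.7"},
    {"Image": "System", "SourcePort": 137, "DestinationIp": "198.51.100.9"},
]


def field_is(name: str, value: object) -> Predicate:
    """Match when one field equals a value (the per-field test Sysmon rules already offer)."""
    return lambda ev: ev.get(name) == value


def field_in_cidr(name: str, *cidrs: str) -> Predicate:
    """Match when the named IP field falls inside any of the given CIDR blocks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda ev: any(ipaddress.ip_address(str(ev[name])) in n for n in nets)


def all_of(*preds: Predicate) -> Predicate:  # logical AND across several field tests
    return lambda ev: all(p(ev) for p in preds)


def negate(pred: Predicate) -> Predicate:  # logical NOT, e.g. "not an RFC 1918 destination"
    return lambda ev: not pred(ev)


def select(events: Iterable[Event], pred: Predicate, mode: str = "include") -> List[Event]:
    """Sysmon-style semantics: 'include' keeps matching events, 'exclude' drops them."""
    wanted = True if mode == "include" else False
    return [ev for ev in events if pred(ev) is wanted]


# Rule 1 from the post: drop NetBIOS name-service traffic originating from the System process.
NETBIOS_NOISE = all_of(field_is("Image", "System"), field_is("SourcePort", 137))
# Rule 2 from the post: show only connections whose destination is outside the RFC 1918 ranges.
NON_PRIVATE_DEST = negate(field_in_cidr("DestinationIp", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

if __name__ == "__main__":
    for ev in select(SAMPLE_EVENTS, NETBIOS_NOISE, mode="exclude"):
        print("kept after NetBIOS exclude:", ev)
    for ev in select(SAMPLE_EVENTS, NON_PRIVATE_DEST):
        print("external destination:", ev)
```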

Utilities Suggestions : TCPView/TCPVCon show more socket options

Author: Runar
Subject: TCPView/TCPVCon show more socket options
Posted: 12 May 2015 at 6:12pm

I can't find any utility giving me details about the TCP sessions in Windows.
Would be nice to show if SO_KEEPALIVE is enabled or not.
Even greater if you also could add the option to enable SO_KEEPALIVE on specific TCP sessions.
This will enhance TCPView/TCPVCon greatly!
 
Or is there a utility that has this already that I haven't found?
 

Process Explorer : Newbie here, need help

Author: Bass85
Subject: Newbie here, need help
Posted: 12 May 2015 at 8:19pm

This program seems very good for many uses, but not sure I am using it correctly or using the correct program.

Problem and Need:
I use Adobe CC for my video creation use.  For one show, I may have 50 or more projects.  Some projects for special effects, others to test an idea and other (the most important) the segments that will be used for a given show.  

If I create a special effect in one project, I may import it to another and so on.  It gets rather complicated when the final for a given show wraps up, because I would like to save the needed files only and delete files not used.

Example: I may make a special effect like a ghost appearing (ghost-appear-3.proj).  Then import this into another project (ghost-appear-with audio fx.proj) where I add sound effects, and import that into another project (gh-appear-people&dog.proj) a video of a dog with people.  Then import that last video where I add text across the screen in yet another project.

Problem:  I may import the above project into the final project "TV show #453.proj" along with 100 others just like it.  By the time I get to the end, I have used at best 5% of the video, audio, text and other files that were taken for this project "TV show #453.proj".  But to know which files are used in the final project and used sub-projects is very time consuming.

What would be best:  To see all files used in the final project "TV show #453.proj" to make sure they are saved at their current location.  AND to delete all unused files.

Question:  Will this program accomplish the "What would be best task" above?  If not, what will?

Thanks in advance for any help on this issue.


Internals : Network binding order

Author: mvekaria
Subject: Network binding order
Posted: 12 May 2015 at 9:36pm

Dear All,
 
I have a problem with one of our software vendors called Safend, now known as Wave.
the software protects anyone from writing to these keys below.
 
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder]
"ProviderOrder"="RDPNP,LanmanWorkstation,webclient"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order]
"ProviderOrder"="RDPNP,LanmanWorkstation,webclient"
 
Products like Symantec and Citrix use these keys to add drivers.
I cannot for the life of me find a ms article that says 3rd party vendors should not block these keys.
 
please help
 
Kind Regards
 
Mansukh

Process Explorer : Process DEP status

Author: taci
Subject: Process DEP status
Posted: 13 May 2015 at 10:20am

I'm trying to set the DEP status dynamically at start-up in an app I develop and am using Process Explorer to check the DEP status and find out why this is failing. I notice that some of my processes DEP status is shown as just 'DEP' while others are shown as 'DEP (permanent)'. What is the difference between these two states please?

Process Explorer : Process DEP status

Author: J i m s t e r
Subject: Process DEP status
Posted: 13 May 2015 at 2:16pm

Aaron Margosis posted this about DEP if it's of any use to you:



Since DEP is the result of a memory operation (attempt to execute memory that has not been marked for execution), it won't show up in Procmon, which monitors file, registry and network events, and process events such as processes and threads starting and stopping and image files being mapped into the address space.
 
However, you can monitor a DEP exception with Procdump, which now adds its output to the Procmon stream as "Debug Output Profiling" events.  You need to Show Profiling Events (last button on the toolbar) to see these events.  The Debug Output Profiling events are associated with Procdump, since it's the process producing the events.

Process Monitor : win 10 & boot logging

Author: Ford Prefect
Subject: win 10 & boot logging
Posted: 13 May 2015 at 3:08pm

Hi all,
I would like to enable the Boot Logging option on a win 10 box to trace some activities during startup, but procmon23.sys cannot be written (or accessed on a win 10 upgraded from win 8.1).
Any advice?

Utilities Suggestions : TCPView/TCPVCon show more socket options

Author: nicolas2k
Subject: TCPView/TCPVCon show more socket options
Posted: 13 May 2015 at 4:15pm

Hi developer,

Is it possible to add a filter of "State" : ETA, SYN, CLOSE etc. ?

Many thanks

Nicolas


Process Explorer : Error replacing Task Manager: Access is denied.

Author: Briahas
Subject: Error replacing Task Manager: Access is denied.
Posted: 13 May 2015 at 4:17pm

Still, no changes.

No one interested in this option?

Process Monitor : win 10 & boot logging

Author: MagicAndre1981
Subject: win 10 & boot logging
Posted: 13 May 2015 at 6:28pm

use xbootmgr from the SDK/WPT instead to capture a boot trace

PsTools : psloggedon doesn't give complete results

Author: kbuff
Subject: psloggedon doesn't give complete results
Posted: 13 May 2015 at 9:23pm

I'm running psloggedon (v1.34) from a DC with my DA credentials, searching across the domain for instances of my server admin account logged on via RDP - it's time for a password change.

However, it's not finding all of my logons (I know about several active RDP sessions, and it's only reporting on a couple of them.)

The form of the command I'm using is either:

     psloggedon -d kbuff
or
     psloggedon kbuff

The DCs on which I entered the commands are either Win2k8R2 or Win2012R2. DFL/FFL is 2003. The servers on which I have RDP sessions are a mix of 2003 R2/SP2, 2008R2 or 2012R2.

Known bug, or is there something I can do to get better results?

Kurt

Autoruns : LSA Providers tab 'File not found'

Author: TenOf11
Subject: LSA Providers tab 'File not found'
Posted: 13 May 2015 at 9:50pm

Version: 13.30

On the LSA Providers tab, items with full paths are appended with the wrong extension and have a status of 'File not found'.

For example, an entry in 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
may be written without an extension, such as
C:\Program Files\MyApp\MyLSAPackage

According to Microsoft, all LSA packages are dynamic link libraries (extension DLL). https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx

For some reason, Autoruns appends .exe to the value and states
File not found: C:\Program Files\MyApp\MyLSAPackage.exe
In version 11 of Autoruns, it appended .dll and the file was found. This version is appending .exe and not finding the file.

Is anyone else experiencing this?
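An added example (not Autoruns code) of auditing Authentication Packages entries the way the post describes Windows treating them: an entry with no extension is a DLL, and a bare name lives in System32. The resolution rule, the sample entries and the "present files" set are assumptions constructed for the example; passing `.exe` as the default extension reproduces the "File not found" symptom reported for version 13.30.

```python
import ntpath
from typing import Callable, Dict, Iterable

# Constructed stand-in for the Authentication Packages value: DLL names, usually without an
# extension, either bare (assumed to load from System32) or given as a full path.
AUTH_PACKAGES = [
    "msv1_0",
    r"C:\Program Files\MyApp\MyLSAPackage",
    r"C:\Program Files\MyApp\Other.dll",
]

# Constructed set of files "present" on the machine (lower-cased), so the audit runs offline.
PRESENT_FILES = {
    r"c:\windows\system32\msv1_0.dll",
    r"c:\program files\myapp\mylsapackage.dll",
}


def resolve_lsa_package(entry: str, default_ext: str = ".dll",
                        system32: str = r"C:\Windows\System32") -> str:
    """Turn a registry entry into the path LSA would load (assumed rule: add the default
    extension when none is present; prefix System32 when the name is not a full path)."""
    path = entry if ntpath.splitext(entry)[1] else entry + default_ext
    if not ntpath.isabs(path):
        path = ntpath.join(system32, path)
    return path


def fixture_exists(path: str) -> bool:
    """Existence check against the constructed file set (swap in os.path.isfile on a real host)."""
    return path.lower() in PRESENT_FILES


def audit_lsa_packages(entries: Iterable[str], exists: Callable[[str], bool] = fixture_exists,
                       default_ext: str = ".dll") -> Dict[str, bool]:
    """Map each entry to whether its resolved DLL is found; False entries deserve a look."""
    return {e: exists(resolve_lsa_package(e, default_ext)) for e in entries}


if __name__ == "__main__":
    for entry, found in audit_lsa_packages(AUTH_PACKAGES).items():
        print(("found      " if found else "NOT FOUND  ") + resolve_lsa_package(entry))
    # Same audit with the wrong default extension: the full-path entry is now reported missing.
    print(audit_lsa_packages(AUTH_PACKAGES, default_ext=".exe"))
```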

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: fsm1234
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 14 May 2015 at 6:46am

Hi MagicAndre,

I am having similar problems. My CPU is being used 10-30% without any programs running. Using the Windows Performance Analyzer, I ran a CPU sampling summary table. It shows ntoskrnl.exe taking up more than 50% of usage. I am trying to see why but I cannot figure it out. Can you please help?

Thank you


