Channel: Sysinternals Forums

Process Monitor : What does Boot Logging do?

Author: stan2b
Subject: What does Boot Logging do?
Posted: 28 May 2015 at 5:03pm

Being new to this forum I am not sure exactly what this does.  Does it create a log at boot time that can be accessed later?  Or, does it do something else?

Thank you!

Process Explorer : Is this Win 7 64bit csrss.exe virited?

Author: E.J.Glass
Subject: Is this Win 7 64bit csrss.exe virited?
Posted: 28 May 2015 at 5:44pm

Hi
I have seen two copies of csrss.exe running in Process Explorer, and can't figure out why there are two. Also, is csrss.exe supposed to have this extra stuff after the .exe part? (The added stuff looks like opening ports or something.)

=====
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
=====

The same thing is happening with conhost.exe, which loads along with csrss.exe, and each occurrence of the conhost file has a different set of numbers after the .exe part as well.

=====
\??\C:\Windows\system32\conhost.exe "-19462917881928618761-14517701611313678421-1909588746-743542847-290976386389256608
=====
and the other is:
=====
\??\C:\Windows\system32\conhost.exe "251829604-254933148129903086818709497291982502722-82799778550413321-274352356
=====

What is all this extra stuff after the .exe part of each file?
Any help would be great, or if someone could look at their copies of these files in the system32 folder (Win 7 64-bit).

Process Monitor : Procmon 3.11 crashes on my system

Author: MagicAndre1981
Subject: Procmon 3.11 crashes on my system
Posted: 28 May 2015 at 6:04pm

Thanks. I wrote Mark a mail with the link. Let's wait for a response.

Process Explorer : Is this Win 7 64bit csrss.exe virited?

Author: E.J.Glass
Subject: Is this Win 7 64bit csrss.exe virited?
Posted: 28 May 2015 at 8:32pm

Thanks I have found my answer.


BgInfo : Support for Powershell for Custom Info

Author: WindowsStar
Subject: Support for Powershell for Custom Info
Posted: 29 May 2015 at 7:28am

We have been begging Mark for years to update this application but he doesn't seem to want to. -WS

BgInfo : Showing SSID

Author: Ralmeida
Subject: Showing SSID
Posted: 29 May 2015 at 8:18am

I'm going to test this in a different environment.
Thanks for all the help! :)

Troubleshooting : High CPU usage due to srv.sys!

Author: tama
Subject: High CPU usage due to srv.sys!
Posted: 29 May 2015 at 1:35pm

Hey,

I'm stuck in my research and I would really appreciate some of your expertise.
I already checked many Google results and this thread:
but my problem differs a little bit and, due to my lack of knowledge concerning stack traces, I am not moving forward anymore.

So I configured symbols in Process Explorer and found the System process (PID 4) to be the one using the most CPU time. In the properties it shows me many threads with the start address srv.sys!WorkerThread. When I try hitting the "Stack" button it returns "Unable to access thread".

FYI:
- Server 2008 R2 (virtualized) on a Fujitsu Primergy TX100 S3, Intel Xeon E3 1220, 32GB RAM
- I checked the server for antivirus software such as McAfee, Norton and the usual suspects
- I ran Malwarebytes Anti-Rootkit
- We have many clients connecting to this server starting in the morning at 9am. The clients shut down at around 6pm. During this time we have the most CPU usage (which is legitimate). But it is constantly 25-35% for the System PID 4 process.

Do you have any suggestion how to break this problem down to the core and find out which driver/process is troubling us?
If you need any further details, please let me know. Thanks in advance!

Cheers 
tama


Edited by tama - 2 hours 22 minutes ago at 1:56pm

Process Monitor : What does Boot Logging do?

Author: pinscomputer
Subject: What does Boot Logging do?
Posted: 29 May 2015 at 1:52pm

From the Sysinternals Administrator's Reference:
 
When you Enable Boot Logging from the Options menu, Procmon configures its driver to run
as a boot start driver that loads very early in the boot sequence at the next system startup,
before most other drivers. Procmon’s driver will log activity into %windir%\Procmon.PMB
and it will continue logging through shutdown or until you run Procmon again. Thus, if you
don’t run Procmon during a boot session, you’ll capture a trace of the entire boot-to-shutdown
cycle. As a boot start driver, it remains loaded very late into the shutdown sequence.

After the boot-start driver loads, it changes its startup configuration to be a demand-start
driver for subsequent boots. Consequently, when you enable boot logging, it is only for the
next boot. To enable boot logging for subsequent boots, you must explicitly enable it again
each time.

When you run Procmon, it looks to see whether an unsaved boot log has been generated,
either from the current session or from a previous boot session. If Procmon finds one, it asks
you whether and where you want to place the processed boot log output file. (See Figure
4-19.) Procmon then opens and displays the saved log. If you do not save the boot log to
another location, it will be overwritten the next time you capture a boot-time log.
When looking at boot-time activity, remember that the System process is the only process
early in a boot and that activity originating from the System process is filtered by default.
Choose Advanced Output on the Filter menu to see System process activity.

Note that tracing of network events depends on Event Tracing for Windows (ETW) and is not
available in boot logs. Also, Process and Thread Profiling events are not captured during boot
logs either. Finally, note that Procmon does not configure its boot logging to run during Safe
Mode.

If you configure boot logging and the system crashes early in the boot, you can deactivate
the boot logging by choosing the Last Known Good option from the Windows boot menu.
Press F8 during Windows startup to access this option.
 

Troubleshooting : High CPU usage due to srv.sys!

Author: pinscomputer
Subject: High CPU usage due to srv.sys!
Posted: 29 May 2015 at 2:41pm

Unless you downloaded and installed the Debugging Tools for Windows from the SDK, it is unlikely that you have the correct DBGHELP.dll file to completely utilize symbols.

Since you already have the Sysinternals tools, an easy step would be to run Process Monitor.

After capturing a log, set the Process Monitor filter to PID = 4.

Also, in the filter selection screen, UNCHECK "Process Name" IS "System".

See if this reveals anything.

You can post the Process Monitor log file and maybe other forum members might be able to provide additional assistance.

The next step would be to download and install the Windows Performance Toolkit, capture an xperf trace and post it.

There are members in this forum (if on-line today) that can help create the trace command and review the xperf trace data.


Edited by pinscomputer - 1 hour 34 minutes ago at 2:44pm
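The summary step that follows the advice above (filter to PID 4 after removing the default "Process Name is System" exclusion), as an added PowerShell example that is not part of the forum post. It assumes the capture was saved from Procmon as CSV with the default columns; the sample rows are constructed so it runs offline.

```powershell
# Added example (not from the forum thread): summarise which operations and
# paths the System process (PID 4) generated in a Process Monitor capture.
# Assumed workflow: capture in Procmon, remove the "Process Name is System"
# exclusion from the filter, then File > Save... as CSV (default columns).
function Get-Pid4Summary {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [int] $Top = 15
    )
    $events = @(Import-Csv -Path $CsvPath | Where-Object { $_.PID -eq '4' })
    if ($events.Count -eq 0) {
        Write-Warning "No PID 4 events: is 'System' still excluded by the filter?"
        return
    }

    # Which operation types dominate for PID 4?
    $byOp = $events | Group-Object Operation | Sort-Object Count -Descending |
            Select-Object Count, Name -First $Top

    # Which directories does PID 4 touch most? Grouping on the parent path
    # avoids a long tail of individual file names.
    $byDir = $events | ForEach-Object { Split-Path -Path $_.Path -Parent } |
             Group-Object | Sort-Object Count -Descending |
             Select-Object Count, Name -First $Top

    [pscustomobject]@{
        Total       = $events.Count
        ByOperation = $byOp
        ByDirectory = $byDir
    }
}

# Constructed sample rows in Procmon's CSV layout, so the script runs offline.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:03.1200000 AM","System","4","CreateFile","C:\Shares\Data\a.dat","SUCCESS","Desired Access: Read"
"9:01:03.1300000 AM","System","4","QueryDirectory","C:\Shares\Data\b.dat","SUCCESS","Filter: *.dat"
"9:01:03.1400000 AM","System","4","QueryDirectory","C:\Shares\Data\c.dat","SUCCESS","Filter: *.dat"
"9:01:03.1500000 AM","explorer.exe","1234","RegQueryValue","HKCU\Software\X","SUCCESS","Type: REG_SZ"
'@
$tmp = Join-Path $env:TEMP 'procmon-sample.csv'
Set-Content -Path $tmp -Value $sample

$summary = Get-Pid4Summary -CsvPath $tmp
"PID 4 events: $($summary.Total)"
$summary.ByOperation | Format-Table -AutoSize   # QueryDirectory 2, CreateFile 1
$summary.ByDirectory | Format-Table -AutoSize   # C:\Shares\Data 3
```

Point the function at the real export instead of the sample; the directory and operation counts are what to compare against the 9am-6pm client activity the thread describes.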

Troubleshooting : High CPU usage due to srv.sys!

Author: MagicAndre1981
Subject: High CPU usage due to srv.sys!
Posted: 29 May 2015 at 6:09pm

Use xperf/ETW to trace CPU usage:

https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-42-WPT-CPU-Analysis

Miscellaneous Utilities : Events in event log not displaying all information

Author: Olegas
Subject: Events in event log not displaying all information
Posted: 29 May 2015 at 8:23pm

I’m not able to recreate the problem you are experiencing, but I wanted to share some notes.

When Sysmon is installed, it creates a manifest file in the C:\Users\<username>\AppData\Local\Temp\ folder, then it starts wevtutil.exe to install the manifest.
Something like: "C:\Windows\system32\wevtutil.exe" im "C:\Users\<username>\AppData\Local\Temp\xxxxxxx.tmp", where im is "install-manifest: Install event publishers and logs from manifest."

Wevtutil, in turn, will create a new channel under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational
and it will register a new publisher under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{GUID}, where GUID value is going to match between the newly created channel and the publisher.

You can also query details of the publisher in question via
wevtutil gp "Microsoft-Windows-Sysmon"

I would suggest reviewing your environment to make sure that GUIDs match between the channel and the publisher, and make sure that resource file name and message file names are pointing to the sysmon.exe binary and that the binary is the same version as what you have installed.

One of the ways I was purposely able to break my environment and experience the same behavior is by pointing ResourceFileName and MessageFileName within HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{SysMon GUID}\ to a different binary and then rebooting my machine. It is essentially the same as breaking the source name for a component that logs to the standard Application or System event log.

I hope that helps.
Olegas
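The registry review Olegas suggests (channel GUID matches publisher GUID; ResourceFileName and MessageFileName point at a sysmon.exe of the installed version), as an added PowerShell check that is not Olegas's code. It assumes the default service name "Sysmon" and that the channel key carries the publisher GUID in its OwningPublisher value.

```powershell
# Added example (not from the forum thread): verify that the Sysmon channel's
# owning publisher exists and that the publisher's resource/message files are
# the same binary version as the one the Sysmon service runs.
# Assumptions: service name 'Sysmon'; channel value 'OwningPublisher' holds the GUID.
function Test-SysmonPublisherRegistration {
    $winevt  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT'
    $channel = Join-Path $winevt 'Channels\Microsoft-Windows-Sysmon/Operational'
    $result  = [ordered]@{ Channel = $channel; Ok = $true; Problems = @() }

    $chan = Get-ItemProperty -Path $channel -ErrorAction SilentlyContinue
    if (-not $chan) {
        $result.Ok = $false; $result.Problems += 'channel key missing'
        return [pscustomobject]$result
    }
    $guid = [string]$chan.OwningPublisher
    $result.PublisherGuid = $guid

    $pub = Get-ItemProperty -Path (Join-Path $winevt "Publishers\$guid") -ErrorAction SilentlyContinue
    if (-not $pub) {
        $result.Ok = $false; $result.Problems += "publisher key $guid missing (GUID mismatch?)"
        return [pscustomobject]$result
    }

    # Version of the binary the service actually runs; PathName may be quoted.
    $svc     = Get-CimInstance Win32_Service -Filter "Name='Sysmon'"
    $svcPath = if ($svc) { $svc.PathName -replace '^"([^"]+)".*$', '$1' } else { $null }
    $svcVer  = if ($svcPath -and (Test-Path -LiteralPath $svcPath)) {
                   (Get-Item -LiteralPath $svcPath).VersionInfo.FileVersion } else { $null }
    $result.ServiceBinary  = $svcPath
    $result.ServiceVersion = $svcVer

    # Registry values may contain %SystemRoot% etc.; expand before testing.
    foreach ($name in 'ResourceFileName', 'MessageFileName') {
        $path = [Environment]::ExpandEnvironmentVariables([string]$pub.$name)
        $result[$name] = $path
        if (-not (Test-Path -LiteralPath $path)) {
            $result.Ok = $false; $result.Problems += "$name points at missing file '$path'"
            continue
        }
        $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        if ($svcVer -and $ver -ne $svcVer) {
            $result.Ok = $false
            $result.Problems += "$name is version $ver but the service runs $svcVer"
        }
    }
    [pscustomobject]$result
}

Test-SysmonPublisherRegistration | Format-List
```

Run it elevated on the affected host; a non-empty Problems list reproduces the breakage Olegas describes (wrong binary or version behind the publisher), which is what makes the event log show incomplete information.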

Autoruns : Autoruns v13.4 ignores HKCU hooks for Explorer

Author: Aditza
Subject: Autoruns v13.4 ignores HKCU hooks for Explorer
Posted: 30 May 2015 at 7:59am

Bump..

Just tested Autoruns v13.4 published on May 26th 2015 (digital signature time stamp says created on May 24th) - the bug is still present, HKCU entries for Explorer are ignored :(

Edit: as a side note, the Dropbox development team seems to have listened to my complaints. Dropbox series 3.6.x upgrade installers (3.6.2 and now 3.6.4) have stopped re-adding context menu entries after I deactivated them with Autoruns (yay!). I think only a fresh install or upgrading to a major version will add them.


Edited by Aditza - 8 hours 56 minutes ago at 8:04am

Troubleshooting : Laptop activation speed changes

Author: janetjb
Subject: Laptop activation speed changes
Posted: 30 May 2015 at 9:16am

I'm not computer savvy, but I've observed much about my laptop, and I'm seeking help with distressing performance glitches. This is an HP Presario CQ50 Compaq, Windows 7 laptop, browsing mostly with Chrome (43 Stable), and relying almost completely on Microsoft programs, including MSE for security (although I often also run MBAM as a secondary malware scanner).   I'm hoping for help with or advice regarding performance issues, primarily response times. I experienced the same issue when by myself and connected to my own, individualized network (Verizon modem) for many years, but even more so now that I'm sharing internet access with a household of busy media users. Internet use isn't the only way this problem manifests itself, though; I also experience it when trying to open desktop folders and files. My problem: speed variation. I don't at all mind the super-fast reactions (yay, that!), but I'm exasperated by constant slow-downs. The slow-downs vary. I can be zipping along, and suddenly hit a snag. The snag can be a tolerable delay, but increasingly the delays are unbearably prolonged. The speed is more like: Click-wait 3 minutes-click-black screen-click-wait 3 minutes-click-page begins to materialize-wait longer-page finally there or desktop file finally has opened. Tabs, links, folders -- all are subject to impossibly long (or no) response times. Even Google notices, and now keeps asking me if I'd like to continue waiting for the requested web page to open or give up. Again, this phenomenon isn't restricted to online activity, but also to my ground level folders, files, or programs (i.e., opening Word 2007). Attaching email files is ridiculously nonproductive, as is switching tabs. Sometimes my signals seem to get lost or have to rest on my task bar. The signal will "get lost" usually when I'm trying to attach email files. 
At this point, I'm taken to my desktop Computer folder, and abandoned there -- I guess to figure it out myself or find my own way home (just kidding). Recently, I've found that I can't really use my laptop in the morning, but occasionally become lucky in the afternoon (1 p.m., 3 p.m. -- something like that), and my speed returns to its expected pace (or even much faster than customary). As stated earlier, this sort of variation was equally true when I was by myself, as it is now when I'm sharing with a whole household. I've tried cleaning, malware scanning (nothing found), and other forum-suggested tricks -- but nothing has made any difference at all. I suspect rootkits, but can't find any, and can't afford to look much, at least not with outside, expert help. Perhaps my heat sink is clogged or paste has gummed up something -- although the fan still whirs. I'm doubtful of an engineering problem, only because the speed is intermittently okay -- but there could be something structural causing intermittent difficulties, I guess. I don't know.

Any ideas? Solutions?

Thanks for whatever help you can provide (even advice).   I appreciate your work.

--janet jb

Miscellaneous Utilities : contig on win 2012R2 CSV drives

Author: ncriggar
Subject: contig on win 2012R2 CSV drives
Posted: 30 May 2015 at 3:21pm

Jay,

Since you're trying to run it on network storage, why not just try running it on yesterday's backup machine. Or, you could just create a virtual machine to test it on. I would think that would be a reliable method for a NAS or SAN.

PsTools : PsExec does not work with Windows Task Scheduler

Author: ncriggar
Subject: PsExec does not work with Windows Task Scheduler
Posted: 30 May 2015 at 3:57pm

Get PsExec out of Oracle's maintenance folder, try moving PsExec to the System32 folder, and configure the scheduled task to run as the local administrator with the highest privileges.

Use >> c:\startlog.txt instead of the > %START_LOG%, so it is outputting the result to a clean text file, rather than (what I assume is) Oracle's log file.  Remember, you're trying to output the messages from PsExec as well as stop.bat to the log file, because the snag is probably with PsExec.

What does the stop.bat file do?  Does it stop an Oracle DB service, or an ODBC connection?  If so, you may need to try using a different utility from within Oracle's architecture.  When working with Sybase SQL for instance, I have found that sometimes you need to use a DBSVC command, while other times a DBSTOP command will suffice.  It's all a matter of intent.

Finally, after relocating PsExec to System32, since you are trying to run the command interactively, you may need to use ICACLS to modify those INTERACTIVE DESKTOP permissions. Try this command from a CMD prompt or a batch file:

ICACLS "%WINDIR%\System32\PsExec.exe" /grant INTERACTIVE:FMRX

(you will probably need to be logged in as the local admin to do this, because in most enterprise environments, System32 only grants FMRX permissions by default to Local Admins and Trusted Installers).

Troubleshooting : Laptop activation speed changes

Author: MagicAndre1981
Subject: Laptop activation speed changes
Posted: 30 May 2015 at 4:57pm

Originally posted by janetjb:

and relying almost completely on Microsoft programs, including MSE for security


Remove MSE and try a different AV tool. MSE is extremely slow and causes perf issues.

Troubleshooting : Laptop activation speed changes

Author: janetjb
Subject: Laptop activation speed changes
Posted: 31 May 2015 at 1:55am

MagicAndre1981:

Thanks for replying. I'll try your suggestion, and report back. However, I'm wondering: How would MSE interference explain the variation in performance, the sometimes incredible slowness interrupted occasionally by very brief periods of normal or faster-than-usual speeds? Also: Is that why my laptop gets so hot (something I didn't mention earlier) despite an apparently functioning fan, because MSE makes the laptop work too hard? Whatever, as stated above, I'll completely remove MSE, substitute something else, test, and (if that would be o.k.) post an update here.

Thanks.

jjb

Troubleshooting : High CPU usage due to srv.sys!

Author: tama
Subject: High CPU usage due to srv.sys!
Posted: 01 June 2015 at 8:38am

May I send you a trace via PM? I am not able to track down the causing function because the output shows some question marks.

I installed symbols in Windows Performance Analyzer and am now able to see that the function "RtlpIsNameInExpressionPrivate" in module "ntoskrnl.exe" is using a lot of CPU time. Any clue what this is supposed to tell me?


Greetings


Edited by tama - 7 hours 1 minutes ago at 10:21am

Troubleshooting : Laptop activation speed changes

Author: janetjb
Subject: Laptop activation speed changes
Posted: 01 June 2015 at 8:42am

Reply Update:

Unfortunately, I've decided my issue is primarily hardware-related -- perhaps something involving the heat sink, but I'm not sure. Either way, I'll try to find a trustworthy mechanic to help me with this, but will also keep your MSE suggestion in mind, as an alternative to the much more troublesome structural engineering approach.

Thanks very much. I appreciate your work, and generosity.

--janetjb

Miscellaneous Utilities : Desktops and win8 sleep mode

Author: bspratt22
Subject: Desktops and win8 sleep mode
Posted: 01 June 2015 at 11:28am

Virtual desktops work perfectly until the computer is put to sleep; then desktops 2-4 lose the task bar/Start at the bottom, even Task Manager. The apps are still running but you cannot do anything else with windows 2-4. #1 works fine. Anyone have a workaround? Thanks - Bill