Channel: Sysinternals Forums

Miscellaneous Utilities : RAMMAP Error refreshing database

Author: Batchman
Subject: RAMMAP Error refreshing database
Posted: 23 December 2015 at 9:56pm

Version 1.4, same error on Win 10 Pro x64 version 1511.

Miscellaneous Utilities : Sysmon Generating Memory Error

Author: qcjacobo
Subject: Sysmon Generating Memory Error
Posted: 23 December 2015 at 11:12pm

I am getting the error below when trying to add certain entries to my XML configuration file. An example might be an exclusion of a specific destination port. Note that I have other destination ports configured in this case which work just fine. While I can replicate the issue (even after a reboot), it seems to be inconsistent in terms of why I am hitting the error.

Error is as follows:

Loading configuration file with schema version 2.00
Sysmon schema version: 2.01
!! RuleEngine: Failed to allocate memory (Last error: Not enough storage is available to complete this operation.).
Error: Failed to correctly compute rule binary format.

Note this is on a Windows 7 64-bit system running the most current version of sysmon.

Miscellaneous Utilities : RAMMap on Windows 10

Author: fernandk
Subject: RAMMap on Windows 10
Posted: 24 December 2015 at 12:22am

Hello!

I came here to report that RamMap is not working with Windows 10 build 10586, but it seems those who needed to be aware of it already are; that's a definite relief. I tried loading RAMMap today because I noticed a huge amount of RAM had been leaked during my OS session.

I need RamMap to diagnose what is causing the leak. I suspect it has something to do with hibernation. I use hibernation very often, at least twice a day, when I go out to lunch and when I go to sleep; my OS session stays the same for as long as it can, sometimes it lasts a month. It's been like that for several years with Windows 7 and 8.0.

But since I installed Windows 10 - one month ago - my session doesn't last as long as a week. There's so much memory leaking that I end up having to restart the PC to clear the RAM. I have 32 gigs of RAM; today it hit 22 gigs of RAM with ALL user-installed programs and services turned off. I closed it all, everything I could find I killed, until only critical system programs and services were open. And there were still 22 gigs of RAM being occupied.

Well, that's my history. It's been fun. Guess I'll have to wait for RamMAP to be updated so I can start digging this issue again. =D


Edited by fernandk - 8 hours 7 minutes ago at 12:23am

Troubleshooting : Converting OST to PST File

Author: Stivenmend
Subject: Converting OST to PST File
Posted: 24 December 2015 at 7:16am

A manual technique to convert an OST file to a PST file, which can help Outlook users convert OST to PST format.

1) First, create a new PST file in Outlook.
2) Then use the Archive method to copy all OST file data to the new PST file.
3) The Export method is also a simple way to convert OST file data to a new PST file format.
4) Moving OST file data is also a technique: drag the OST file data to a new PST file.

If this manual technique does not recover all the OST file data, then use 3rd-party recovery tools.

For more information on conversion of OST to PST, visit: http://bit.ly/1RNDQuy

Troubleshooting : Having troubles with NSI windows 7 service.

Author: DarkghostX
Subject: Having troubles with NSI windows 7 service.
Posted: 24 December 2015 at 11:44am

Originally posted by pinscomputer pinscomputer wrote:

if you want to try and further debug to isolate the problem to the NSI service, you can try and temporarily move NSI service to its own servicehost.

see the following video starting at timestamp 6min 51sec

and this Microsoft blog:

I will check that out. Is there any danger in doing that? How will it help me to locate the source of what is causing NSI to bug out?

A small update, I had a thought after reading people talking about their NSI service problems and decided to try something. I had ESET block off the network, and waited several hours. My guess was correct, the memory did not increase by any noticeable amount. After leaving the network blocked for an extended period of time (more than 12 hours) the NSI memory went from around 335,000 to about 42,000.

Does this new info matter? If nothing else at least I have a workaround for the time being but I still want to fix this aggravating issue.

Thank you for being willing to help me on this issue, I really appreciate it.


Edited by DarkghostX - 21 hours 9 minutes ago at 11:46am

Process Explorer : feature: dll functions

Author: tairch
Subject: feature: dll functions
Posted: 24 December 2015 at 11:45am

as a malware researcher, there is a feature enhancement i would like to see in process explorer.
in process explorer there is already a useful utility to see the dll files a process uses- but even more important are the functions out of the dll it actually uses.
i tried to find other software that shows the functions as well, unfortunately without success.
out of despair, now i take memory dumps and try to find the functions with yara signatures...
so here is my suggestion:
expand the dll view utility, to show the functions it actually uses out of the dll as well, and in real time.
it would make a lot of difference in trying to prove malware functionality!


Process Explorer : feature: dll functions

Author: MagicAndre1981
Subject: feature: dll functions
Posted: 25 December 2015 at 6:58am

copy depends.exe next to Procexp.exe and you can access depends to show the requested data

Disk2vhd : [Feature request] EFI partition support

Author: alexZZZ
Subject: [Feature request] EFI partition support
Posted: 25 December 2015 at 10:54am

Hi,
Would it be possible to add support for EFI partition in disk2vhd?
I'm trying to do a P2V into a hypervisor that boots in EFI mode.

Internals : Excel recovery .xls

Author: karenheureux
Subject: Excel recovery .xls
Posted: 26 December 2015 at 7:32am


To repair corrupted Excel files, I always try the Open and Repair function of MS Excel first. It is a built-in repair function that helps me fix my corrupt .xlsx files and open them. As it is a built-in feature, it has a drawback: it might not work in severe corruption cases. In such a situation, we can try a third-party Excel recovery tool, which can fix any kind of error and corruption; use any repair tool to fix your problem instantly. Errors displayed by a corrupted Excel file: "The file is corrupt and cannot be opened", "error in module 1", "unspecified error", "undefined reference".

It can easily fix corrupt Excel (.XLS/.XLSX) files and restore everything (including charts, chartsheets, cell comments, worksheet properties, etc.).

Take a look at the solution: http://www.softmagnat.com/excel-recovery.html


Internals : Update .hlp files to work with Windows

Author: MaxxPowerr
Subject: Update .hlp files to work with Windows
Posted: 27 December 2015 at 3:27am

Since Sysinternals has been owned by Microsoft for a good while now, why in the world aren't the help files that come with the utilities updated to work with the new, modern Windows - like 7, 8, and 10?  Or are these going to stay that way forever like so many other broken things in Windows that were present as far back as XP? 
 

Miscellaneous Utilities : Tcpview displaying name not number for Local Port

Author: Hayton
Subject: Tcpview displaying name not number for Local Port
Posted: 27 December 2015 at 4:10am

Why does Tcpview display a name instead of a port number?

Today, in the list of Chrome processes, I saw two which were unusual. One had opened a local port identified as "ingreslock", the other a local port with the name "pptp".

"ingreslock" is Port 1524 and allegedly is used by hackers to infiltrate Trojans onto a PC in order to provide a backdoor to that system. I do not have an Ingres database on my system.

"pptp" is Point-to-Point Tunneling Protocol, used when setting up a VPN - according to Juniper this equates to Port 1723. That protocol is old and insecure. I do not use a VPN.

The list entries stayed visible for a couple of minutes and then the processes ended. I didn't get a screenshot so I didn't get the PID or remote port. Without the PID I can't be sure if these two processes were Chrome itself or an add-on or plug-in.

It's possible that the use of those names instead of a port number is the result of a quirk in Tcpview, but I've never seen this happen for non-system processes. Has anyone else ever seen this behaviour?

Troubleshooting : Having troubles with NSI windows 7 service.

Author: pinscomputer
Subject: Having troubles with NSI windows 7 service.
Posted: 27 December 2015 at 2:35pm

Originally posted by DarkghostX DarkghostX wrote:


I will check that out. Is there any danger in doing that? How will it help me to locate the source of what is causing NSI to bug out?

there should be no problems.  the process outlined in the video is built into the operating system.  The idea is to move the service to its own servicehost container so that specific service can be monitored instead of all the services that are, by default/design, bundled into a single service when the operating system is launched.

 

Originally posted by DarkghostX DarkghostX wrote:


A small update, I had a thought after reading people talking about their NSI service problems and decided to try something. I had ESET block off the network, and waited several hours. My guess was correct, the memory did not increase by any noticeable amount. After leaving the network blocked for an extended period of time (more than 12 hours) the NSI memory went from around 335,000 to about 42,000.

Does this new info matter? If nothing else at least I have a workaround for the time being but I still want to fix this aggravating issue.

Thank you for being willing to help me on this issue, I really appreciate it.
 
there is not enough information to make any informed decision on what does & does not matter.
 
I am not familiar enough with resource monitor to know how you were able to have resource monitor focus an individual service in a svchost container.  From my limited use of the resource monitor tool, it appears to show the performance of the entire svchost container, which means resource monitor is giving the performance of more than 1 service.
 
Andrew Richards & Chad Beeder have both made the point that the likelihood of an error in a windows process that has been around for a long time is small.  It might happen but probably not.
 
There is more likely an issue in a user mode process.
 
In debugging, you have to start somewhere, look at the results of your testing, then either continue to narrow down the problem in your area of search or change the hypothesis and look elsewhere.
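The isolation step described in this reply, as an added example that is not from the thread or from the video it refers to: it assumes the service's short name is nsi (Network Store Interface Service), PowerShell 3.0 or later, and an elevated console; after the reconfiguration the service starts in its own svchost.exe the next time it is started, so its memory can be sampled on its own instead of as part of the shared container.

```powershell
# Added example (not from the thread): move a service into its own svchost.exe
# and sample that process's memory over time. Run from an elevated PowerShell.
# Assumes the service short name is 'nsi' (Network Store Interface Service).
$serviceName = 'nsi'

# 1. Tell the Service Control Manager to host the service in its own process.
#    sc.exe requires the space after 'type='; the change applies on the next
#    start of the service, so reboot (nsi has many dependent services) before sampling.
sc.exe config $serviceName 'type=' own

# 2. Resolve the service to its hosting process and report its memory counters.
#    Returns $null when the service is not running.
function Get-ServiceMemory {
    param([string]$Name)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc -or $svc.ProcessId -eq 0) { return $null }
    $proc = Get-Process -Id $svc.ProcessId
    [pscustomobject]@{
        Time        = Get-Date
        Service     = $Name
        PID         = $svc.ProcessId
        HostImage   = $proc.ProcessName           # should be svchost once isolated
        WorkingSetK = [math]::Round($proc.WorkingSet64 / 1KB)
        PrivateK    = [math]::Round($proc.PrivateMemorySize64 / 1KB)
        Handles     = $proc.HandleCount           # a rising handle count also points at a leak
    }
}

# 3. Sample every 10 minutes into a CSV. Compare a run with the network up against
#    one with it blocked: PrivateK climbing only while connected reproduces the
#    observation in this thread and narrows the search to network-driven work.
while ($true) {
    Get-ServiceMemory -Name $serviceName |
        Export-Csv -Path "$env:TEMP\nsi-memory.csv" -Append -NoTypeInformation
    Start-Sleep -Seconds 600
}
```

Once the isolated process is known, the same PID can be given to Process Explorer or to the xperf/WPA CPU analysis suggested later in the thread, so the CPU and memory observations refer to one service rather than the whole container.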
 

Miscellaneous Utilities : RAMMAP Error refreshing database

Author: dandar3
Subject: RAMMAP Error refreshing database
Posted: 27 December 2015 at 9:27pm

@MagicAndre1981
Same as previous poster, can you please ask Mark for an update for Windows 10 x64 (build 10586) and thank you both!

Autoruns : process picked up by PE but not Autoruns

Author: ChaosEngine
Subject: process picked up by PE but not Autoruns
Posted: 27 December 2015 at 10:22pm

Remove a startup application 

If you're trying to remove a program and can not find it in the StartUp folder (usually C:\WINDOWS\Start Menu\Programs\StartUp), then it may be launching from one of the registry keys below. To remove it, delete the value associated with the program you want to remove.

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

It may also be loaded from the [Load] or [Run] sections of your WIN.INI file, found in the Windows directory.
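A way to audit the registry locations listed in this post, as an added example that is not from the post: the script (PowerShell 3.0 or later, elevated so HKLM is readable) walks each key and prints every autostart value it finds; note that Userinit is a value under the Winlogon key, and Load and Run are values under the HKCU Windows key, so only those values are reported for those two keys.

```powershell
# Added example (not from the post): enumerate the autostart registry locations
# listed above and print every value under them. Run from an elevated PowerShell.
$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Userinit value lives here
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'    # Load and Run values
)

function Get-AutostartEntries {
    foreach ($key in $autostartKeys) {
        # Several of these keys do not exist on newer Windows versions; skip them.
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; ignore it.
            if ($p.Name -like 'PS*') { continue }
            # Winlogon and the HKCU Windows key hold many unrelated values.
            if ($key -like '*\Winlogon' -and $p.Name -ne 'Userinit') { continue }
            if ($key -like '*\CurrentVersion\Windows' -and @('Load', 'Run') -notcontains $p.Name) { continue }
            [pscustomobject]@{
                Key   = $key
                Name  = $p.Name
                Value = $p.Value
            }
        }
    }
}

# Print the table; pipe to Export-Csv instead to keep a baseline for later comparison.
Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

Comparing the output against a baseline taken from a known-good machine is a quick way to spot an entry that Autoruns did not list, before deleting anything.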

Internals : Networked Computers Description Windows 10

Author: RodHorning
Subject: Networked Computers Description Windows 10
Posted: 28 December 2015 at 2:11am

Any chance of a Sysinternals utility to address this issue:

In Windows 8 (perhaps in Windows 7 also) the description of the computers on your network could be obtained by creating a folder, usually on your desktop, named Network.{208d2c60-3aea-1069-a2d7-08002b30309d}

When you opened this folder all the computers attached to your network were displayed ALONG WITH THE COMPUTER DESCRIPTION. 

With many computers on a network the computer description is often needed to know which computer contains the directory to which you want to map a network drive.

In WINDOWS 10 this no longer works.  The folder with the name Network.{208d2c60-3aea-1069-a2d7-08002b30309d} can be created.  It does say Network (the name of the network).  When you open the folder it has an icon for Entire Network.  Unfortunately the Entire Network folder is empty.  (Opening the standard Windows folder shows the networked computers but does not show the computer description).

I found a response to a similar question for Windows 7 or 8 that said the non-display of the computer description in the standard Windows folder was by design.  I never could understand why but the workaround was acceptable. 


Troubleshooting : Having troubles with NSI windows 7 service.

Author: DarkghostX
Subject: Having troubles with NSI windows 7 service.
Posted: 28 December 2015 at 8:04am

Originally posted by pinscomputer pinscomputer wrote:

Originally posted by DarkghostX DarkghostX wrote:

I will check that out. Is there any danger in doing that? How will it help me to locate the source of what is causing NSI to bug out?
there should be no problems.  the process outlined in the video is built into the operating system.  The idea is to move the service to its own servicehost container so that specific service can be monitored instead of all the services that are, by default/design, bundled into a single service when the operating system is launched.

 

Originally posted by DarkghostX DarkghostX wrote:

A small update, I had a thought after reading people talking about their NSI service problems and decided to try something. I had ESET block off the network, and waited several hours. My guess was correct, the memory did not increase by any noticeable amount. After leaving the network blocked for an extended period of time (more than 12 hours) the NSI memory went from around 335,000 to about 42,000.

Does this new info matter? If nothing else at least I have a workaround for the time being but I still want to fix this aggravating issue.

Thank you for being willing to help me on this issue, I really appreciate it.
 
there is not enough information to make any informed decision on what does & does not matter.
 
I am not familiar enough with resource monitor to know how you were able to have resource monitor focus an individual service in a svchost container.  From my limited use of the resource monitor tool, it appears to show the performance of the entire svchost container, which means resource monitor is giving the performance of more than 1 service.
 
Andrew Richards & Chad Beeder have both made the point that the likelihood of an error in a windows process that has been around for a long time is small.  It might happen but probably not.
 
There is more likely an issue in a user mode process.
 
In debugging, you have to start somewhere, look at the results of your testing, then either continue to narrow down the problem in your area of search or change the hypothesis and look elsewhere.
 

In the Resource Monitor, in the CPU tab, there is a handle that refers to services. When SVCHost was taking up 50% CPU I checked the resource monitor and found that the service causing it was NSI. I have attached two zip files with images that show the resource monitor.


That was what made me think that the problem stemmed from NSI in the first place. The SVCHost would rapidly inflate in memory usage, up until the point where it would start gobbling up half the cpu as well. After going into the resource monitor and checking to see what services were taking up all the cpu, that is where I found NSI.

I get that the real cause of the issue with SVCHost might stem from somewhere else, but I have not been able to find out what causes the SVCHost issue in the first place thus I cannot track it further.

Recently I have resorted to blocking/disconnecting from the network unless I am at the laptop. This has mitigated the issue but in the interest of actually fixing it, I will keep the connection to the network active and try what you suggest. After setting NSI as its own SVCHost, what should I look for afterwards and how? If the problem does not stem from NSI, should I just try and set each of those services to a different SVCHost?

Sorry to ask questions about the process, but I recently tried to fix an issue I had regarding a note in my action center that claimed an update was not successfully completed, and yet there were two listings in update history, as both failure and successful. Long story short, I had Windows Update eating lots of CPU, SFC commands were unhelpful, and yet I somehow fixed that pooch-screw after much stress. So I am a little wary regarding how finicky this POS is.

Thank you for helping me on this; I have found that troubleshooting issues that seem to stem from MS services can be like having teeth pulled.


Edited by DarkghostX - 3 hours 56 minutes ago at 8:06am

Process Monitor : Procmon unable to capture File System events

Author: CBruce
Subject: Procmon unable to capture File System events
Posted: 28 December 2015 at 8:30am

Procmon (ver 3.2) is unable to capture File System events on a Samsung Slate ... Windows 10 Pro x64 - 4GB RAM - a 60GB SSD as the only drive.

I've reinstalled Procmon - reset filters to defaults - and tried with both Virtual Memory and a Dedicated File as [Backing files].

It works normally on a Win 8.1 Pro x64 desktop with a SSD drive and on a Win-XP Pro x64 desktop with a SATA HD drive.

I didn't see any forum content related to the issue.

Has anyone else seen this behavior?

Thanks,
CBruce

Process Explorer : feature: dll functions

Author: tairch
Subject: feature: dll functions
Posted: 28 December 2015 at 10:37am

that solved the problem, thank you!

Process Explorer : Image is not showing x64 or x86 on latest version

Author: artisticcheese
Subject: Image is not showing x64 or x86 on latest version
Posted: 28 December 2015 at 8:54pm

Process Explorer v16.05 does not show whether an image is x86 or x64. Running it as administrator. Tried to paste an image here but realized forum restrictions probably were not updated since the 2000s (10 kB upload image limit?)

G


Troubleshooting : Having troubles with NSI windows 7 service.

Author: MagicAndre1981
Subject: Having troubles with NSI windows 7 service.
Posted: 29 December 2015 at 5:57am

analyze the cpu usage with xperf/WPA:

https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-42-WPT-CPU-Analysis