Channel: Sysinternals Forums

Miscellaneous Utilities : Livekd - error 998

Author: hmelk
Subject: Livekd - error 998
Posted: 29 February 2016 at 10:07am

Hi, I am using LiveKd to attempt to dump the memory of a hypervisor guest when I get this error message:

C:\Windows\system32>livekd -hv "Win10" -p -o w10hv.dmp

LiveKd v5.40 - Execute kd/windbg on a live system
Sysinternals - www.sysinternals.com
Copyright (C) 2000-2015 Mark Russinovich and Ken Johnson

DeterminePagingMode: Failed to read partition registers
Failed to determine partition paging mode - 998
Failed to load guest symbols - 998
Failed to prepare hypervisor session for debugger - error 998.

The host OS is Windows 10 Enterprise 10586 and the guest OS is Windows 10 Enterprise. Anyone else familiar with this error message? Perhaps it is related to recent changes in Windows 10?

Miscellaneous Utilities : Zoomit issue with Win10 Display Scaling

Author: tolgabalci
Subject: Zoomit issue with Win10 Display Scaling
Posted: 29 February 2016 at 6:19pm

When Windows 10 Display Scaling is more than 100% (typical for presentations), the Draw command automatically zooms in a bit and the right side of the screen cannot be scrolled over to.

Same thing with any of the zoom features.  You can zoom in and move around only part of the screen when Windows 10 Display Scaling is more than 100%.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: jdennis187
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 March 2016 at 6:40am

Magic Andre-

I have PM'd you an ETL file can you please look at it.

Thanks! :)

James

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 March 2016 at 4:09pm

Most CPU usage comes from the game StarCraft II. At the end I see some CPU usage from SYSTEM, which comes from ACPI.sys. This could be caused by CPU overheating. Have you checked the max temp of your Intel Core i7 920?

PsTools : Couldn't install PSEXESVC service on Windows 10

Author: Bshrum
Subject: Couldn't install PSEXESVC service on Windows 10
Posted: 02 March 2016 at 6:51pm

We have an application in MS Access that prints invoices in languages other than English.  It is currently running on a Windows 7 machine.  Our primary system is an IBM iSeries, which controls when the invoices are printed.  An IBM service runs on the Win7 machine that receives the command and runs it.

PsExec works great on the Windows 7 system.  On our new Windows 10 (unfortunately, Home Edition) system the same command does not work.

     PsExec -i 1 -u userName -p password "C:\Program Files (x86)\Microsoft Office\Office12\MSACCESS.EXE" C:\Invoices\INVOICE1.ACCDB

When I run the above command I receive the following:
   The handle is invalid.
   Connecting to local system...
   Couldn't install PSEXESVC service:
   Connecting to local system...

If it is run from a normal command prompt on the local machine I get:
   Couldn't install PSEXESVC service:
   Access is denied.

If I run the command prompt as an administrator, it works fine.

I've been going over this and other forums and have tried the net use \\machine\Admin$ user:myUser myPassword suggestion, but I get system error 5, access denied (which also happens if I run it locally in a normal command prompt).

I've tried caching the credentials from the remote machine with:

   cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE
   psexec.exe \\MACHINE_NAME_HERE -i notepad
   cmdkey.exe /delete:MACHINE_NAME_HERE

The first command returns "CMDKEY: Credential added successfully".  The PsExec command fails with the same error as above.
The second cmdkey returns "CMDKEY: Element not found"

I've turned UAC off but no luck.  I've added the -h option, but that doesn't work, either.  It feels like PsExec needs to run with elevated privileges but I don't know how to do that.

We're not on a domain (small company).

Any help would be greatly appreciated.

Barry

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: jdennis187
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 02 March 2016 at 7:01pm

Originally posted by MagicAndre1981:

Most CPU usage comes from the game StarCraft II. At the end I see some CPU usage from SYSTEM, which comes from ACPI.sys. This could be caused by CPU overheating. Have you checked the max temp of your Intel Core i7 920?

I will check if that is the case and run RealTemp while playing StarCraft 2. StarCraft 2 is known to use a lot of CPU, so that is normal. However, the fans aren't really firing up super high while the problem occurs, so I don't think it's temps...


Edited by jdennis187 - Yesterday at 7:02pm

PsTools : Error communicating with PSExec service (Azure)

Author: sakeller_us
Subject: Error communicating with PSExec service (Azure)
Posted: 02 March 2016 at 7:57pm

I have had no problems using PsExec with my on-premises systems; however, I just set up a test system on Azure and I'm getting the "Error establishing communication with PsExec service" error when trying to run a command prompt using "NT AUTHORITY\Network Service"...

psexec -u "nt authority\network service" cmd.exe

Actual Error:
Error establishing communication with PsExec service on <system>:
The system cannot find the file specified.

Steps taken:
I checked the various settings that have been mentioned, as well as the firewall settings, and everything seems to be right.  I even tried using Process Monitor to see if anything stood out there, but I didn't see anything.

Additional Test:
I was able to use psexec -u "myAdminUser" cmd.exe but of course it has a password... based on what I have seen I'm guessing this is something specific to trying to run as Network Service... but, I need to do this for testing.

Any thoughts on what might be different on Azure that is not allowing me to do this?

Regards,
Steve Keller

Miscellaneous Utilities : TCPView: Top Line Cut-Off

Author: BadMon
Subject: TCPView: Top Line Cut-Off
Posted: 02 March 2016 at 8:14pm

TCPView: Top Line Cut-Off

I am having difficulty reading the top line of the connection table.  The top of the top line is cut off about halfway down.

It happens no matter how the information is sorted.

Actually, now that I am looking at it again, the top line (the one that is cut off) is actually a duplicate of the second line.

I just realized this when I attempted to scroll up and the cursor stopped at the second line.

However, when on the second line, the information is displayed in reverse video, but the top (cut-off) line is not.

I am running TCPView version 3.05 (July 25th, 2011).

Miscellaneous Utilities : WIN7 x64 freezes after logon

Author: kevine
Subject: WIN7 x64 freezes after logon
Posted: 03 March 2016 at 2:55pm

WIN 7 x64 domain joined physical machine. Sysmon 3.20 installed. Machine freezes very soon after logging on with domain credentials. Logging on with local credentials, the machine does not freeze.

Has anyone else seen this?

-Kevin

PsTools : Error communicating with PSExec service (Azure)

Author: sakeller_us
Subject: Error communicating with PSExec service (Azure)
Posted: 03 March 2016 at 3:31pm

I resolved the issue.  It is not specific to Azure, but due to the initial OOB configuration for a new domain & system.  Need to do the following:

1. Make sure to specify the "-i" interactive option:
   psexec -i -u "nt authority\network service" cmd.exe

2. Make sure to enable port 445 on the Windows Firewall (local machine)
   a. Open Windows Firewall
   b. Sort by Local Port
   c. Select all lines associated with port 445
   d. Select Enable

3. Make sure network discovery is enabled
   a. Right-click the network tray icon
   b. Select Open Network and Sharing Center
   c. Select "Change advanced sharing settings"
   d. Turn "On" network discovery for the appropriate network profiles (domain for my scenario)

NOTE: If you turn on Network Discovery and then return to "Change advanced sharing settings" and find that it is turned off, see the following:
http://serverfault.com/questions/69296/cannot-enable-network-discovery-on-windows-server-2008-r2?rq=1

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: jdennis187
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 03 March 2016 at 7:29pm

Originally posted by MagicAndre1981:

Most CPU usage comes from the game StarCraft II. At the end I see some CPU usage from SYSTEM, which comes from ACPI.sys. This could be caused by CPU overheating. Have you checked the max temp of your Intel Core i7 920?

Well....

By investigating CPU heat issues I decided to open up my case and clean all the fans. Turns out one of the power cords for the CPU came out, so there was only one powering it. How the computer was even working so well without one of the power cords for the CPU is crazy, but I think I am all set!

Thanks,

James

PsTools : The specified network name is no longer available

Author: posconsulting
Subject: The specified network name is no longer available
Posted: 03 March 2016 at 9:58pm

What did you do to resolve the issue?

Development : WinVerifyTrust

Author: Karthik
Subject: WinVerifyTrust
Posted: 04 March 2016 at 12:50pm


Thank you wj32, molotov and all of you... I have been a silent and ardent spectator and learner for quite a long time. No words for the remarkable jobs you guys do and this site itself. :)

Thanks to the original author a_d_13. Kudos :)

I was working on something similar. I believe one particular question people had in mind (or I may be wrong) is how to use a particular catalog to find out if a signature is valid. The code posted does solve much of the problem, but I think that specific part is missing (again, probably people just wanted this solution). I did find similar queries in other forums. The solution I found is rather simple. We have to ensure that the catalog file(s) are available in catroot when we are scanning with CryptCATAdminEnumCatalogFromHash(). This call by default searches the existing catalog database(s). So if I want my catalog to be looked into, I need to stage it into catroot first.

We need to add just two calls: CryptCATAdminAddCatalog(), and, since we do not want to bloat my catalog database(s) with catalogs that I am analyzing (well, part of my job, so I have a whole lot of them), I do a CryptCATAdminRemoveCatalog() at the end of the code.

The other thing I wanted to say is that sigcheck, when used to scan a driver that has an embedded signature but somehow "carries" an invalid signature if scanned via catalog, still returns signed. To be specific, when the KMCS signing policy is followed, the PnP signing policy somehow gets superseded. I hope I am not doing anything wrong here.

-Sreejith. D. Menon
DELL

Development : Discuss: HOWTO: Verify digital signature of a file

Author: Karthik
Subject: Discuss: HOWTO: Verify digital signature of a file
Posted: 04 March 2016 at 12:57pm


[Sorry for the re-post. I see this is the primary thread]

Thank you wj32, molotov and all of you... I have been a silent and ardent spectator and learner for quite a long time. No words for the remarkable jobs you guys do and this site itself. :)

Thanks to the original author a_d_13. Kudos :)

I was working on something similar. I believe one particular question people had in mind (or I may be wrong) is how to use a particular catalog to find out if a signature is valid. The code posted does solve much of the problem, but I think that specific part is missing (again, probably people just wanted this solution). I did find similar queries in other forums. The solution I found is rather simple. We have to ensure that the catalog file(s) are available in catroot when we are scanning with CryptCATAdminEnumCatalogFromHash(). This call by default searches the existing catalog database(s). So if I want my catalog to be looked into, I need to stage it into catroot first.

We need to add just two calls: CryptCATAdminAddCatalog(), and, since we do not want to bloat my catalog database(s) with catalogs that I am analyzing (well, part of my job, so I have a whole lot of them), I do a CryptCATAdminRemoveCatalog() at the end of the code.

The other thing I wanted to say is that sigcheck, when used to scan a driver that has an embedded signature but somehow "carries" an invalid signature if scanned via catalog, still returns signed. To be specific, when the KMCS signing policy is followed, the PnP signing policy somehow gets superseded. I hope I am not doing anything wrong here.

-Sreejith. D. Menon
DELL

BgInfo : Problem with Non-Admin domain users with slideshow

Author: ABrescia
Subject: Problem with Non-Admin domain users with slideshow
Posted: 04 March 2016 at 7:23pm

Windows 7 64 and 32 bit computers. In a domain using A/D authentication.
BGInfo 4.21 and a bgi configuration file are located in c:/programdata/BGInfo/
The exe and bgi are called from a reg entry in HKLM Software/Microsoft/Windows/currentVersion/Run with a value of C:\ProgramData\BGInfo\Bginfo.exe C:\ProgramData\BGInfo\bgcfg.bgi /timer:0 /silent /nolicprompt

Everything works perfectly with the exception of a domain user who has multiple images selected as background with slideshow. If the user has admin rights then BGInfo will save the new theme with the temp image, set it to tile (which is ok because it does not tile). For our domain users who do not have admin rights, when they login, BGInfo runs, saves the temp image but the slide show still runs and sets the theme back to having multiple images selected, which now display tiled during the slide show.

It is as if the non-admin users are allowed to run BGInfo but it does not complete saving the theme changes?

Andy

PsTools : PsInfo /s /c outputs everything on one line

Author: deleteandkill
Subject: PsInfo /s /c outputs everything on one line
Posted: 07 March 2016 at 1:58am

I am trying to get the output of PsInfo into a .csv file that I can look at with Excel.  The commands
   psinfo.exe /s > Test.txt   AND   psinfo.exe /s > Test.csv
print out the lines the same as they appear on the screen without the /s switch, but the commands
   psinfo.exe /s /c > Test.csv   AND   psinfo.exe /s /c > Test.txt
print out everything on one line, which is of course useless for opening as a .csv file.

* Have I got the switches wrong?
* Is this a bug?
* If it is a bug, is there a known workaround?

Miscellaneous Utilities : MSDaRT or Locksmith

Author: adamcarricki
Subject: MSDaRT or Locksmith
Posted: 07 March 2016 at 4:48am

The Wheeling locksmith helps you to change the passwords of Windows accounts, which includes administrator accounts. Account passwords can be changed even when they have been lost or forgotten.

PsTools : psexec encrypt password

Author: kvkh
Subject: psexec encrypt password
Posted: 07 March 2016 at 1:19pm

I have a problem with the following scenario:
I want to use psexec with a password in a batch file. But the user should not see the password.

In this Internet post http://www.windowsecurity.com/articles-tutorials/misc_network_security/PsExec-Nasty-Things-It-Can-Do.html it is written that psexec can be used with the password hash instead of the password. I have tested this, but without success.

Is there another way to encrypt the password?

Many thanks for your help and support!
Regards,
Rainer

Process Explorer : AVG antivirus detection

Author: toph25
Subject: AVG antivirus detection
Posted: 07 March 2016 at 5:29pm

Hello, on every update my AVG antivirus detects Process Explorer:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options/taskmgr.exe\\Debegger
AVG Antivirus_Exceptions
Can you fix this false-positive bug?

Development : OpenProcessToken ACCESS_DENIED (5)

Author: winsysintuser
Subject: OpenProcessToken ACCESS_DENIED (5)
Posted: 07 March 2016 at 5:42pm

Very late answer:

The OpenProcessToken documentation (https://msdn.microsoft.com/en-us/library/windows/desktop/aa379295%28v=vs.85%29.aspx) states "[t]he process must have the PROCESS_QUERY_INFORMATION access permission."


Also, documentation for OpenProcess (https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320%28v=vs.85%29.aspx) states "[i]f the specified process is the System Process (0x00000000), the function fails and the last error code is ERROR_INVALID_PARAMETER. If the specified process is the Idle process or one of the CSRSS processes, this function fails and the last error code is ERROR_ACCESS_DENIED because their access restrictions prevent user-level code from opening them."

Given that it states user-level, kernel-level access may be a workaround.