Channel: Sysinternals Forums

PsTools : Add an .reg file on remote machine

Author: paul508
Subject: Add an .reg file on remote machine
Posted: 13 May 2016 at 2:31pm

This hasn't worked for me. My script is:
 
@echo off
CLS
REM This file assumes you have psexec installed
REM Ask for machine name or IP
set /p machine= Please enter the machine name or ip:
REM check for workstation online, if not exit
ping %machine% | find "Reply"
if errorlevel 1 goto :offline
goto :install
:offline
echo Workstation not online
pause
exit
:install
REM stage the tools on this machine and on the target via the admin share
copy "Q:\tools\pstools\pstools\*.*" \\%COMPUTERNAME%\c$\windows\system32\
copy "Q:\tools\pstools\pstools\*.*" \\%machine%\c$\windows\system32\
REM the import below reads the .reg file from c$\temp, so stage it there
if not exist \\%machine%\c$\temp\ mkdir \\%machine%\c$\temp\
copy "Q:\Applications\fix.reg" \\%machine%\c$\temp\

rem regini -m \\%machine% reg_Multisz_file c$\temp\fix.reg
regedit.exe /i \\%machine%\c$\temp\fix.reg
rem \\%machine%\c$\temp\fix.reg regini -m \\%machine% -b
rem psexec -u -p cmd /s \\%machine%\c$\windows\system32\regedt32.exe
rem \\%machine%\c$\temp\fix.reg
rem PsExec \\%machine% -u -p reg.exe import \c$\windows\system32\fix.reg

if errorlevel 1 goto :remove
:remove
REM clean up the staged .reg file on the target
del \\%machine%\c$\temp\fix.reg
pause

<< Reg file fix.reg >>
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 
As you can see, I have tried several command versions. The active one is my most successful, though that just runs the fix.reg file from the remote computer and updates my local machine, so it's not really that successful.
 
Can anyone see anything I have incorrect?


Edited by paul508 - 13 hours 29 minutes ago at 2:33pm
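An added example, not part of paul508's post or of PsTools: a Python parser for the .reg format the batch file pushes around, so the file can be inspected before it is imported on a set of machines. It accepts both headers (REGEDIT4 is the older ANSI format, which is the stray first line of the batch file above; "Windows Registry Editor Version 5.00" is the Unicode format of the fix.reg shown), joins continuation lines, decodes string, dword and hex(N) values and the "-" delete syntax, and lists every value an import would write under an autostart key such as the Run key the poster's fix.reg targets. The sample .reg embedded below is constructed; the real fix.reg's values are not on the page.

```python
"""Parse a Windows .reg export and report what an import would write."""
import re

# Both accepted headers: Version 5.00 is the Unicode format (Windows 2000 and later),
# REGEDIT4 the older ANSI format, which is what the poster's batch file starts with.
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
REG_TYPE_NAMES = {0: "REG_NONE", 1: "REG_SZ", 3: "REG_BINARY", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK"}
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")

# Constructed sample in the shape of the poster's fix.reg; the real file's values are not on the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; one autostart entry, a few value types, a value deletion and a key deletion
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleAgent"="C:\\Program Files\\Example\\agent.exe"
"Retries"=dword:00000003
"Blob"=hex:de,ad,\
  be,ef
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,00,00
"Obsolete"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Example\Old]
'''

_NAME_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')  # "name"=value or @=value


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(lines):
    """Drop blanks and ; comments, join lines continued with a trailing backslash."""
    buf = ""
    for raw in lines:
        s = raw.strip()
        if not buf and (not s or s.startswith(";")):
            continue
        buf += s
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def _parse_value(raw):
    raw = raw.strip()
    if raw == "-":
        return ("DELETE", None)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised value syntax: {raw!r}")
    code = int(m.group(1), 16) if m.group(1) else 3  # the type code in hex(N) is hexadecimal
    data = bytes.fromhex(m.group(2).replace(",", "").replace(" ", ""))
    if code == 2:
        return ("REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\x00"))
    if code == 7:
        return ("REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s])
    if code == 4:
        return ("REG_DWORD", int.from_bytes(data, "little"))
    if code == 0xB:
        return ("REG_QWORD", int.from_bytes(data, "little"))
    return (REG_TYPE_NAMES.get(code, f"hex({code:x})"), data)


def parse_reg(text):
    """Return {key_path: {"delete": bool, "values": {name: (type, value)}}} in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Version 5.00 header")
    keys, current = {}, None
    for s in _logical_lines(lines[1:]):
        if s.startswith("[") and s.endswith("]"):
            path = s[1:-1]
            delete = path.startswith("-")  # [-KEY] deletes the whole key
            current = path[1:] if delete else path
            keys[current] = {"delete": delete, "values": {}}
            continue
        m = _NAME_RE.match(s)
        if current is None or not m:
            raise ValueError(f"malformed line: {s!r}")
        name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" is the (Default) value
        keys[current]["values"][name] = _parse_value(m.group(2))
    return keys


def autostart_entries(parsed):
    """Values the import would write under a Run/RunOnce key, as (key, name, type, value)."""
    hits = []
    for key, info in parsed.items():
        if info["delete"] or not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        hits.extend((key, n, t, v) for n, (t, v) in info["values"].items() if t != "DELETE")
    return hits


if __name__ == "__main__":
    for key, name, vtype, value in autostart_entries(parse_reg(SAMPLE_REG)):
        print(f"autostart write: {key}\\{name} = {vtype} {value!r}")
```

Running it on the sample lists the four values that would land under the Run key and skips the "Obsolete" deletion and the deleted key, which is the review an administrator wants before a file like this is imported on every machine a script reaches.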

Process Monitor : Can I trace a cold boot with Process Monitor?

Author: DudgeonousTweet
Subject: Can I trace a cold boot with Process Monitor?
Posted: 13 May 2016 at 6:51pm

Hello Monitors,
 
I have been struggling for some days to get Process Monitor boot logging to work across a cold boot.  Can this be made to work?  Has anyone gotten this to work?
 
Thank you.

Miscellaneous Utilities : Can't open RAMMap files

Author: jbays
Subject: Can't open RAMMap files
Posted: 13 May 2016 at 9:44pm

We are using RAMMap 1.50 on a Windows 2008 R2 server.  We save RMP files using File --> Save from the menu and by using the DOS command line.

However, we can't open the RMP files after they are saved.  (No matter which method was used to save them.)  We get an error message that says: "Error importing file: The file is not accessible, or is not a valid XML file"

Any ideas for us?

I have downloaded RAMMap 1.50 for my Windows 10 PC.  I can save and open RMP files without issues.  However, I cannot open RMP files saved from the Windows 2008 R2 server on the Windows 10 PC.  I get the same error message.

I CAN take the RMP files saved from the Windows 10 PC and open them in the RAMMap.exe that is on the Windows 2008 server.

So I moved the EXE from my Windows 10 PC and saved it to the Windows 8 server.  I opened it as the administrator and saved an RMP file.  It would not load the file it had just saved.  I got the same error message as before.

Miscellaneous Utilities : Process Explorer and VAS

Author: l52
Subject: Process Explorer and VAS
Posted: 14 May 2016 at 12:30pm

can someone help me?


Process Monitor : Can I trace a cold boot with Process Monitor?

Author: pinscomputer
Subject: Can I trace a cold boot with Process Monitor?
Posted: 15 May 2016 at 1:58am

what version of windows are you using?

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: pinscomputer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 15 May 2016 at 2:16am

@shadownow,
 
magicandre must be on vacation....
 
I took a look at the ETL file you posted and it appears that the high cpu usage is coming from:
hal.dll!HalpReadPCIConfig
 
magicandre has already addressed a similar problem with user BRUCETHEMOOSE here:
 
note that there are several postings from bruce describing how he attempted to solve the problem


Edited by pinscomputer - 2 hours 7 minutes ago at 2:20am

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: pinscomputer
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 15 May 2016 at 2:33am

@jbm622,
 
magicandre must be on vacation....
 
I took a look at the ETL file you posted and based on the data you captured in that trace, it appears that the high cpu usage is coming from:
ntoskrnl.exe!RtlpTestMemoryRandomUp
 
magicandre has addressed a similar concern in several other posts including his response to user HENBRUAS here:
 
what the trace you captured shows is normal background idle maintenance, specifically RAM test.

Miscellaneous Utilities : Can't open RAMMap files

Author: pinscomputer
Subject: Can't open RAMMap files
Posted: 15 May 2016 at 2:37am

I can only suggest trying to capture a Process Monitor trace on the R2 server and seeing if it indicates the reason that RAMMap is not opening the file.
 
You can post a link to the procmon trace and other users may be able to help analyze it.

Autoruns : How did Autoruns pick out the bad guy?

Author: Phil NoOp
Subject: How did Autoruns pick out the bad guy?
Posted: 15 May 2016 at 5:52am

There was only one entry in the Autoruns Scheduled Tasks tab, and that was the bad guy.
This task was running the following exe on user logon: jffjziyse.exe.
How did it pick this task out of all the other crapload of tasks?
What was the difference between this and all those others?
 
jffjziyse.exe was located in the user\AppData\roaming folder.
There was also another file in this folder, tor.exe, and it was hooking into Conhost.exe.
I picked this up with procexp.
 
I wasn't able to log on to my internet banking. It all acted out like a hack to get my logon details.
 
Sysinternals to the rescue. Thank you very much Sysinternals.
 

Miscellaneous Utilities : Process Explorer and VAS

Author: l52
Subject: Process Explorer and VAS
Posted: 15 May 2016 at 6:33am

thanks for your help!

Process Monitor : Can I trace a cold boot with Process Monitor?

Author: DudgeonousTweet
Subject: Can I trace a cold boot with Process Monitor?
Posted: 15 May 2016 at 2:25pm

Windows 7 Home Premium.

Process Monitor : Can I trace a cold boot with Process Monitor?

Author: pinscomputer
Subject: Can I trace a cold boot with Process Monitor?
Posted: 15 May 2016 at 11:53pm

I tested both cold boot and restart trace capture with Process Monitor and have not experienced any problems.
 
To capture a boot trace:
start Process Monitor,
select <Options> then <Enable Boot Logging>,
exit Process Monitor,
shut down your computer,
power up your computer,
at the point you want to stop the boot capture, start Process Monitor.
Process Monitor will detect that a boot trace was captured and will prompt you to save the bootlog file.
 
there are two Microsoft created videos that you can review for additional information about process monitor:
 
 

Internals : How antivirus can able to open files which is shar

Author: Rutvik
Subject: How antivirus can able to open files which is shar
Posted: 16 May 2016 at 7:39am

Hi,

How can an antivirus open the file in read mode even though sharing is denied for reading and writing?

Let me explain in detail:
In my application I am using fopen() with "_SH_DENYRW" /* deny read/write mode */, and after this the antivirus is still able to open the file in read mode. Because of this, other Windows functions like SetEndOfFile sometimes fail.

Miscellaneous Utilities : sysmon 4.0 possible bug?

Author: stumpyuk
Subject: sysmon 4.0 possible bug?
Posted: 16 May 2016 at 11:34am

I have confirmed that this bug exists in both the sysmon and sysmon64 4.0 versions. This has only been tested on Windows 8.1 Enterprise. After installing sysmon 4.0 with the below config file, no commands executed in the terminal showed up in the Sysmon operational event log.

Here is my complete config file:

<Sysmon schemaversion="2.0">
  <!-- LastModified 03052016 -->
  <!-- Capture MD5 Hashes -->
  <HashAlgorithms>MD5</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="contains">Powershell.exe</Image>
      <Image condition="contains">cmd.exe</Image>
      <CommandLine condition="contains">Powershell.exe</CommandLine>
      <CommandLine condition="contains">cmd.exe</CommandLine>
      <ParentImage condition="contains">Powershell.exe</ParentImage>
      <ParentImage condition="contains">cmd.exe</ParentImage>
      <ParentCommandLine condition="contains">Powershell.exe</ParentCommandLine>
      <ParentCommandLine condition="contains">cmd.exe</ParentCommandLine>
    </ProcessCreate>
    <ProcessTerminate default="exclude"></ProcessTerminate>
  </EventFiltering>
</Sysmon>

I then uninstalled sysmon 4.0 and changed the schema version to 2.0 in my config file. I then installed sysmon 3.2 using the above config file. I typed some terminal commands and confirmed that event logs were generated for those commands.

I then changed the schema version to 3.0 in the config file, uninstalled sysmon 3.2 and installed sysmon 4.0 with the config file. No newly typed commands appeared in the event logs. I noted that the old event logs, captured with sysmon 3.2, were no longer rendered correctly in Event Viewer. The text details from the event log are below.


Log Name:      Microsoft-Windows-Sysmon/Operational
Source:        Microsoft-Windows-Sysmon
Date:          16/05/2016 10:58:15
Event ID:      1
Task Category: Process Create (rule: ProcessCreate)
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      Win8-WKGRP
Description:
The description for Event ID 1 from source Microsoft-Windows-Sysmon cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

30
16/05/2016 09:58:15.257 AM
EV_RenderedValue_2.00
3752
C:\Windows\System32\NETSTAT.EXE
netstat  -ano
C:\Users\Adrian\Desktop\sysmon\
Win8-WKGRP\Adrian
EV_RenderedValue_8.00
2847571
1
High
MD5=305A78210CAF782EB331359F10C2BD9C
EV_RenderedValue_13.00
3552
C:\Windows\System32\cmd.exe
"C:\Windows\system32\cmd.exe" 

The publisher has been disabled and its resource is not available. This usually occurs when the publisher is in the process of being uninstalled or upgraded


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>1</EventID>
    <Version>4</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2016-05-16T09:58:15.257660900Z" />
    <EventRecordID>481</EventRecordID>
    <Correlation />
    <Execution ProcessID="3820" ThreadID="600" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>Win8-WKGRP</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="SequenceNumber">30</Data>
    <Data Name="UtcTime">16/05/2016 09:58:15.257 AM</Data>
    <Data Name="ProcessGuid">{DB4F96E5-99B7-5739-0000-0010C8796300}</Data>
    <Data Name="ProcessId">3752</Data>
    <Data Name="Image">C:\Windows\System32\NETSTAT.EXE</Data>
    <Data Name="CommandLine">netstat  -ano</Data>
    <Data Name="CurrentDirectory">C:\Users\Adrian\Desktop\sysmon\</Data>
    <Data Name="User">Win8-WKGRP\Adrian</Data>
    <Data Name="LogonGuid">{DB4F96E5-9861-5739-0000-002053732B00}</Data>
    <Data Name="LogonId">0x2b7353</Data>
    <Data Name="TerminalSessionId">1</Data>
    <Data Name="IntegrityLevel">High</Data>
    <Data Name="Hashes">MD5=305A78210CAF782EB331359F10C2BD9C</Data>
    <Data Name="ParentProcessGuid">{DB4F96E5-98E5-5739-0000-001035A63300}</Data>
    <Data Name="ParentProcessId">3552</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentCommandLine">"C:\Windows\system32\cmd.exe" </Data>
  </EventData>
</Event>

In the General Details section, the Data field names are missing (although they are present in the XML section of the log).   The config file relies on those Data field names in order to capture the logs.   Could this be related to the problem?
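An added example, not part of stumpyuk's post and not Sysmon's own code: a small Python evaluator that applies the ProcessCreate include rules from a config like the one above to an Event ID 1 record like the one quoted, using the filtering semantics of the schema 2.0/3.0 era (every entry under an event type is OR'd together, and the string conditions compare case-insensitively, which is what lets the mixed-case Powershell.exe entries match). The config and the netstat event below are constructed copies trimmed to the fields the evaluator needs; the notepad control event is constructed as well. Run against the quoted event, it reports that the ParentImage "contains cmd.exe" rule matches, so under the poster's filter that process creation should have been recorded.

```python
"""Apply a Sysmon ProcessCreate include filter to an Event ID 1 record.

Added example, not Sysmon's own code. Models the schema 2.0/3.0-era rule
semantics assumed here: all entries under an event type are OR'd, and string
comparisons are case-insensitive.
"""
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed copy of the poster's filter block, trimmed to the fields used below.
SYSMON_CONFIG = """<Sysmon schemaversion="3.0">
  <EventFiltering>
    <ProcessCreate onmatch="include">
      <Image condition="contains">Powershell.exe</Image>
      <Image condition="contains">cmd.exe</Image>
      <ParentImage condition="contains">Powershell.exe</ParentImage>
      <ParentImage condition="contains">cmd.exe</ParentImage>
    </ProcessCreate>
  </EventFiltering>
</Sysmon>"""

# Constructed Event ID 1 record modelled on the netstat event quoted in the post.
NETSTAT_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\NETSTAT.EXE</Data>
    <Data Name="CommandLine">netstat  -ano</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentCommandLine">"C:\Windows\system32\cmd.exe" </Data>
  </EventData>
</Event>"""

# Constructed control record: notepad started from Explorer, which no rule names.
NOTEPAD_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="CommandLine">"C:\Windows\system32\notepad.exe" </Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return the EventData fields of one event as {Name: text}."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}


def parse_rules(config_xml, event_type="ProcessCreate"):
    """Return (onmatch, [(field, condition, value), ...]) for one event type's block."""
    node = ET.fromstring(config_xml).find(f"EventFiltering/{event_type}")
    if node is None:
        raise ValueError(f"config has no {event_type} filter block")
    rules = [(c.tag, c.get("condition", "is"), (c.text or "").strip()) for c in node]
    return node.get("onmatch", "exclude"), rules


def condition_matches(condition, actual, expected):
    a, e = actual.lower(), expected.lower()  # Sysmon string filters are case-insensitive
    tests = {"is": a == e, "is not": a != e, "contains": e in a, "excludes": e not in a,
             "begin with": a.startswith(e), "end with": a.endswith(e)}
    return tests[condition]


def matching_rules(config_xml, event_xml):
    """Every rule entry that matches the event; entries are OR'd, so one hit is enough."""
    _, rules = parse_rules(config_xml)
    fields = parse_event(event_xml)
    return [(f, c, v) for f, c, v in rules if condition_matches(c, fields.get(f, ""), v)]


def is_logged(config_xml, event_xml):
    """True when Sysmon would record the event under this filter block."""
    onmatch, _ = parse_rules(config_xml)
    matched = bool(matching_rules(config_xml, event_xml))
    return matched if onmatch == "include" else not matched


if __name__ == "__main__":
    for label, evt in (("netstat from cmd.exe", NETSTAT_EVENT), ("notepad from explorer", NOTEPAD_EVENT)):
        print(label, "-> logged:", is_logged(SYSMON_CONFIG, evt), matching_rules(SYSMON_CONFIG, evt))
```

Because the evaluator reads the same Data names the config filters on (Image, ParentImage and so on), it is also a quick way to check a filter against events exported from the Sysmon operational log before rolling a new config out.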

Miscellaneous Utilities : Detecting New H/W is in endless search

Author: jeanrouge
Subject: Detecting New H/W is in endless search
Posted: 16 May 2016 at 2:09pm

Hi, I am virtualising a few old machines.
A Win 2003 SP2 machine has been sitting at "Detecting new devices" for over an hour.
The VM is configured to the same specs (CPU/Core and Memory).
Has anyone had the same experience, and how did they solve it please?

Earlier this morning I virtualised an XPPro SP3 machine but had to go through SAFE mode after getting the BSOD and then CHKDSK.  Quite a few files have been deleted but I have them backed up.

Thanks
Jean

Troubleshooting : Auto-cad files won't open

Author: AkseliJaakkola
Subject: Auto-cad files won't open
Posted: 16 May 2016 at 3:05pm

Restored data and AutoCAD files won't open. I have the .bak files that AutoCAD saves during work performed on .dwg files.

My understanding is that you rename the .bak to .dwg and the file will open; however, it gives an error that the file cannot be opened.
Has anyone seen this before and know how to open AutoCAD .bak files?

Troubleshooting : hibernate very slow

Author: MagicAndre1981
Subject: hibernate very slow
Posted: 16 May 2016 at 7:37pm

no, the trace is corrupted (tons of missing events)

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 16 May 2016 at 7:45pm

Originally posted by Shadonow:

Hello, this is my first time on the forum, but I've noticed that a lot of people here have been getting help with this Ntoskrnl issue. I'm just like many others here: it's going between 15% of my CPU to a stupid 40%+, and I've got a GTX 970M and an i7-6700HQ in here. So whatever is going on that is eating 40% of my CPU is obviously bringing me down, hard.


You also have the ACPI.sys issue. Try one of the suggestions which were already posted.