Channel: Sysinternals Forums

Troubleshooting : Understanding Behind the Scene

Author: Dax1792
Subject: Understanding Behind the Scene
Posted: 13 June 2016 at 2:28pm

Program Files has a space in it. You need to put the file path in quotes  - "C:\Program Files\whatever". 

Autoruns : File not found problems

Author: LMiller7
Subject: File not found problems
Posted: 13 June 2016 at 3:11pm

autoruns is a 32 bit program and as such has some limitations when running under a 64 bit OS. Such programs must run in an artificial 32 bit environment and do not always have a true picture of reality. They will in some cases be unable to see files that exist and may see different files than a 64 bit program like Windows Explorer.

Internals : Lost OE mail in recent months and years.

Author: AllanHutchison
Subject: Lost OE mail in recent months and years.
Posted: 13 June 2016 at 3:11pm

Greetings!

Some time ago it happened that I lost (in my inbox) about 6 months of emails, in the way that there was year 2013, part of 2014 and whole 2015. So there were some emails missing in the middle. I did not delete them or similar.
Now I got the same problem. In the inbox I am missing 3 months of emails for this year.
My files are not larger than 2GB, so it's not this kind of problem.
I believe there could be some corruption in index or sth similar. What programs do you suggest to test/repair my email database files?

Thank you!

Miscellaneous Utilities : High CPU usage server 2012

Author: MagicAndre1981
Subject: High CPU usage server 2012
Posted: 13 June 2016 at 4:09pm

The high CPU usage occurs because of srv2.sys calls.

Line #  Count  % Weight  Process / Stack Tag / Stack
2       18041     80,29  System (4)
3       17240     76,72  Other [Root]
4       17240     76,72  ntoskrnl.exe!KiStartSystemThread
5       17240     76,72  ntoskrnl.exe!PspSystemThreadStartup
6       17234     76,70  |- ntoskrnl.exe!ExpWorkerThread
7       16510     73,47  | |- srv2.sys!SrvProcWorkerThreadCommon
8       16510     73,47  | | ntoskrnl.exe!KeExpandKernelStackAndCalloutInternal
9       16500     73,43  | | |- ntoskrnl.exe!KiSwitchKernelStackContinue
10      16500     73,43  | | | ntoskrnl.exe!KySwitchKernelStackCallout
11      16497     73,42  | | | | |- srv2.sys!SrvProcpWorkerThreadProcessWorkItems
12      13955     62,11  | | | | | |- srv2.sys!SrvProcessPacket
13      12120     53,95  | | | | | | |- srv2.sys!Smb2ExecuteProviderCallback
14       8691     38,68  | | | | | | | |- srv2.sys!Smb2ExecuteCreate
15       8683     38,65  | | | | | | | | |- srv2.sys!Smb2ExecuteCreateReal
16       6892     30,68  | | | | | | | | | |- srv2.sys!SrvCreateFile
17       6114     27,21  | | | | | | | | | | |- ntoskrnl.exe!IoCreateFileEx
18       6106     27,18  | | | | | | | | | | | |- ntoskrnl.exe!IopCreateFile
19       6013     26,76  | | | | | | | | | | | | |- ntoskrnl.exe!ObOpenObjectByName
20       5765     25,66  | | | | | | | | | | | | | |- ntoskrnl.exe!ObpLookupObjectName
21       3051     13,58  | | | | | | | | | | | | | | |- ntoskrnl.exe!IopParseFile
22       3035     13,51  | | | | | | | | | | | | | | | |- ntoskrnl.exe!IopParseDevice
23       2712     12,07  | | | | | | | | | | | | | | | | |- fltmgr.sys!FltpCreate
24       1407      6,26  | | | | | | | | | | | | | | | | | |- fltmgr.sys!FltpLegacyProcessingAfterPreCallbacksCompleted
25       1070      4,76  | | | | | | | | | | | | | | | | | | |- Ntfs.sys!NtfsFsdCreate
26        947      4,21  | | | | | | | | | | | | | | | | | | | |- ntoskrnl.exe!KeExpandKernelStackAndCalloutInternal
27        941      4,19  | | | | | | | | | | | | | | | | | | | | |- Ntfs.sys!NtfsCommonCreateCallout
28        935      4,16  | | | | | | | | | | | | | | | | | | | | | |- Ntfs.sys!NtfsCommonCreate
29        539      2,40  | | | | | | | | | | | | | | | | | | | | | | |- Ntfs.sys!NtfsFindStartingNode
30        230      1,02  | | | | | | | | | | | | | | | | | | | | | | | |- Ntfs.sys!NtfsFindPrefix
31                       ...

Edited by MagicAndre1981 - 23 minutes ago at 4:16pm

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 13 June 2016 at 4:11pm

@xtrm

so it works after disabling the scheduled tasks?

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: ironmanco
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 13 June 2016 at 4:12pm

MagicAndrew1981 - shot you a PM. Not sure if you had a chance to look at it. Thx!

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 13 June 2016 at 4:12pm

Originally posted by ironmanco:


No luck. System is still dragging. I haven't been able to find the 3rd party software that is causing the issue and I disabled audio enhancements as well.

Other ideas?


I still see Realtek driver calls in AudioDG.exe:

Line #  Count  % Weight  Stack
6        4853      2,00  |- ntdll.dll!RtlUserThreadStart
7        4853      2,00  | kernel32.dll!BaseThreadInitThunk
8        4628      1,90  | |- AudioEng.dll!CAudioPump::OutputPumpWorkRoutine
9        4549      1,87  | | |- AudioEng.dll!CAudioProcessor::Process
10       4501      1,85  | | | |- AudioEng.dll!CAudioProcessor::ProcessEachAPO
11       3944      1,62  | | | | |- RltkAPO64.dll!?
12       3924      1,61  | | | | | |- RltkAPO64.dll!?
13       3920      1,61  | | | | | | |- RltkAPO64.dll!?
14       3899      1,60  | | | | | | | |- RltkAPO64.dll!?
15       3892      1,60  | | | | | | | | |- RltkAPO64.dll!?
16       3840      1,58  | | | | | | | | | |- RltkAPO64.dll!?
17       3584      1,47  | | | | | | | | | | |- R4EEL64A.dll!?
18       3582      1,47  | | | | | | | | | | | |- R4EEL64A.dll!?
19       3575      1,47  | | | | | | | | | | | | |- R4EEL64A.dll!?
20       3574      1,47  | | | | | | | | | | | | | |- R4EED64A.dll!?
21       3573      1,47  | | | | | | | | | | | | | | |- R4EED64A.dll!?
22       3572      1,47  | | | | | | | | | | | | | | | |- R4EED64A.dll!?
23       3572      1,47  | | | | | | | | | | | | | | | | R4EED64A.dll!?
24       3554      1,46  | | | | | | | | | | | | | | | | |- R4EED64A.dll!?
25       3547      1,46  | | | | | | | | | | | | | | | | | |- R4EED64A.dll!?
26       3538      1,45  | | | | | | | | | | | | | | | | | | |- R4EED64A.dll!?
27       3488      1,43  | | | | | | | | | | | | | | | | | | | |- R4EED64A.dll!?
28       2628      1,08  | | | | | | | | | | | | | | | | | | | | |- R4EED64A.dll!?
29       2039      0,84  | | | | | | | | | | | | | | | | | | | | | |- R4EED64A.dll!?


Also try different driver versions.

Autoruns : File not found problems

Author: John22
Subject: File not found problems
Posted: 13 June 2016 at 5:25pm

Originally posted by Dax1792:

Is the C really missing at the beginning of the file paths for the others?


Yes. See picture:





Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: xtrm
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 13 June 2016 at 5:44pm

Originally posted by MagicAndre1981:

@xtrm

so it works after disabling the scheduled tasks?

yes.

Miscellaneous Utilities : High CPU usage server 2012

Author: sandeepkelley
Subject: High CPU usage server 2012
Posted: 13 June 2016 at 6:06pm

Yes, I have applied it on one of the affected servers after the required backup. Now will observe it for a week, as usage comes back to normal for 2-3 days even with a normal reboot. Again, thanks for all your efforts.

Autoruns : File not found problems

Author: Dax1792
Subject: File not found problems
Posted: 13 June 2016 at 7:27pm

You should check if it is the same in the Registry. Do these actually work? Maybe someone or something has removed the C to disable the function.

Miscellaneous Utilities : Contig reporting 0xc0000304 ?

Author: MikeS
Subject: Contig reporting 0xc0000304 ?
Posted: 13 June 2016 at 9:21pm

I have a newly GPT formatted NTFS volume.  It is 767 GB total with 620 GB free (~147 GB used). Although the drive is not NTFS compressed, one specific directory tree is NTFS compressed. 
Running Contig 1.7 (Contig.exe -v o:\$mft) reports:
 
Contig v1.7 - Makes files contiguous
Copyright (C) 1998-2012 Mark Russinovich
Sysinternals - www.sysinternals.com
------------------------
Processing o:\$Mft:
Scanning file...
Scanning disk...
File is 5000051 physical clusters in length.
File is in 101883 fragments.
Moving 51261 clusters at file offset cluster 4 to disk cluster 181899104
Move cluster status: 0xc0000304
File size: 20480262144 bytes
Fragments before: 101883
Fragments after : 101883
------------------------
Processing o:\$Mft::$BITMAP:
Scanning file...
o:\$Mft::$BITMAP is already in 1 fragment.
------------------------
Summary:
     Number of files processed   : 2
     Number of files defragmented: 1
     Average fragmentation before: 50942 frags/file
     Average fragmentation after : 50942 frags/file
 
 
Any suggestions for avoiding excessive MFT fragmentation?
Any suggestions for flattening out the existing MFT fragmentation?
 
I am concerned that even with a small percentage of the drive used, the MFT is already badly fragmented.
There are many small files on the drive.  The access pattern is unusual in that files are written once, never updated, then after a few months, kept forever or deleted.
 
NTFS on the volume was configured using:

fsutil behavior set disablelastaccess 1

fsutil behavior set disable8dot3 1

fsutil behavior set mftzone 2

Autoruns : File not found problems

Author: John22
Subject: File not found problems
Posted: 13 June 2016 at 10:19pm

In the registry there is, for each "file not found" entry, only one key, "Default" (German: "Standard"), with data like this (example):

{40f3f5ae-2494-375a-9386-fb458686ce4f}

The export file of this key shows this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MagentaShareFileExtensionCreate]
@="{40f3f5ae-2494-375a-9386-fb458686ce4f}"

which refers to this entry in the registry:

[HKEY_CLASSES_ROOT\CLSID\{40f3f5ae-2494-375a-9386-fb458686ce4f}]
@="MagentaShareFileExtensionCreate"

[HKEY_CLASSES_ROOT\CLSID\{40f3f5ae-2494-375a-9386-fb458686ce4f}\InprocServer32]
@="mscoree.dll"
"Assembly"="MagentaShareFileExtensionCreate, Version=4.20.2.0, Culture=neutral, PublicKeyToken=0bfb89422b61d530"
"Class"="MagentaShareFileExtensionCreate.MagentaShareFileExtensionCreate"
"RuntimeVersion"="v4.0.30319"
"ThreadingModel"="Both"
"CodeBase"="file:///C:/Program Files (x86)/Telekom/MagentaCLOUD/ShellExtensions/MagentaShareFileExtensionCreate.dll"

[HKEY_CLASSES_ROOT\CLSID\{40f3f5ae-2494-375a-9386-fb458686ce4f}\InprocServer32\4.20.2.0]
"Assembly"="MagentaShareFileExtensionCreate, Version=4.20.2.0, Culture=neutral, PublicKeyToken=0bfb89422b61d530"
"Class"="MagentaShareFileExtensionCreate.MagentaShareFileExtensionCreate"
"RuntimeVersion"="v4.0.30319"
"CodeBase"="file:///C:/Program Files (x86)/Telekom/MagentaCLOUD/ShellExtensions/MagentaShareFileExtensionCreate.dll"

Autoruns : File not found problems

Author: Dax1792
Subject: File not found problems
Posted: 14 June 2016 at 12:11am

That looks to be fine to me. It looks like a bug in parsing the name.
 
You should report it to Mark. His email address is in the Autoruns help.
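
An added example, not from the thread and not Autoruns' own code: the handler in the export above resolves to mscoree.dll, so an autostart review has to follow CodeBase to reach the DLL that is actually loaded. The Python below parses a trimmed, constructed copy of that export and converts the file:/// URI to a Windows path with the drive letter intact; the function names are assumptions of this example.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed sample: trimmed from the registry export quoted in the thread.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MagentaShareFileExtensionCreate]
@="{40f3f5ae-2494-375a-9386-fb458686ce4f}"

[HKEY_CLASSES_ROOT\CLSID\{40f3f5ae-2494-375a-9386-fb458686ce4f}\InprocServer32]
@="mscoree.dll"
"CodeBase"="file:///C:/Program Files (x86)/Telekom/MagentaCLOUD/ShellExtensions/MagentaShareFileExtensionCreate.dll"
'''
HANDLER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MagentaShareFileExtensionCreate"

def parse_reg(text):
    """Parse string values of a .reg export into {lowercased key: {name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith(('@=', '"')):
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes inside string data
                value = re.sub(r"\\(.)", r"\1", data[1:-1])
                current["" if name == "@" else name.strip('"')] = value
    return keys

def file_uri_to_path(uri):
    """Turn a file: URI into a Windows path without losing the drive letter."""
    parsed = urlparse(uri)
    if parsed.scheme.lower() != "file":
        return uri                      # already a plain path
    path = unquote(parsed.path)
    if re.match(r"/[A-Za-z]:", path):
        path = path[1:]                 # drop only the slash before "C:"
    if parsed.netloc:                   # file://server/share/... is a UNC path
        path = "//" + parsed.netloc + path
    return path.replace("/", "\\")

def resolve_handler(keys, handler_key):
    """Follow handler -> CLSID -> InprocServer32 and return the DLL to review."""
    clsid = keys[handler_key.lower()][""]
    server = keys["hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32"]
    dll = server.get("", "")
    # mscoree.dll is only the .NET runtime shim; CodeBase names the real assembly.
    if dll.lower().endswith("mscoree.dll") and "CodeBase" in server:
        return file_uri_to_path(server["CodeBase"])
    return dll

if __name__ == "__main__":
    print(resolve_handler(parse_reg(REG_EXPORT), HANDLER))
```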

Process Explorer : ** Process Explorer Bugs **

Author: brolf
Subject: ** Process Explorer Bugs **
Posted: 14 June 2016 at 11:23am

>>icegood:
>>PE v 16.12 wrongly shows memory usage in case it takes > 1 Gb. It shows 1K instead:

I have exactly the same issue. On Win7 and Win10 (both x64).
The original task manager shows the same strange values.
Visual Studio is a good example. After loading a very large project,
it shows 1k or 2k for Private Bytes and Working Set instead of Values >1000.
For processes that consume less than a gb of memory, the values are shown correctly in kb.

Any advice how to fix that is very welcome.




Edited by brolf - 5 hours 42 minutes ago at 11:26am

Miscellaneous Utilities : TCPView Feature Request

Author: 0xG
Subject: TCPView Feature Request
Posted: 14 June 2016 at 3:57pm

Hi,
Because I'm doing a lot of privacy work these days, I find myself using this tool more and more.
A couple of features I'd like to see:
  • "Close connection" requires a few mouse clicks. A "Ctrl-T" hot-key would be much handier (that's how aports.exe used to work).
  • Many connections show up as "System Process", even though they are opened by other executables.  I'm not sure why, but it would be really helpful to dig deeper into these (if possible).

Thanks for the consideration!

Autoruns : Microsoft Project doesn't open file

Author: JackByrne
Subject: Microsoft Project doesn't open file
Posted: 14 June 2016 at 7:06pm

Hello, I have a user here who cannot open all project files. Upon trying to open it, Project 2007 crashes. I have started project first, then removed the file from the disabled items list, and it still crashes. Everyone else is able to open this file. I have saved the file to his desktop, still crashes. I have logged on as myself on his computer, still crashes. I uninstalled Symantec Endpoint Protection, still crashes. I uninstalled, cleaned the registry, then reinstalled Project, still crashes. I updated the rest of his Office suite to 2007, with service pack 2, still crashes. I installed service pack 2 for Project, still crashes. I have run Microsoft diagnostics, but it doesn't find anything. So I have not been able to figure this out, and I have run out of ideas. I want to avoid as much as possible a full rebuild on this machine because of all the user settings and software that he has installed on this. Does anyone have any other suggestions as to what might be causing this to crash? Thank you!

Miscellaneous Utilities : C program memory leaks and vmmap

Author: tedsung44
Subject: C program memory leaks and vmmap
Posted: 14 June 2016 at 7:28pm

I have a straight C program that shows no memory leaks in purify on Windows and no leaks in purify on Linux and valgrind on linux.  I'm confused by what I'm observing in vmmap.

This program calls sleep just prior to exiting (and all the memory has been freed at this point).
I run it with vmmap and when the program hits the call to sleep, I would have anticipated
vmmap showing no Type Heap (Private Data) row entries around since all the calls to free the allocated
memory have been executed.  Instead, I see  multiple entries with Heap(Private Data) which have a size of 16 MB and 8 to 400 K committed.

Is this an indication my program is leaking memory or is there another explanation for this?

Thanks,

Ted

Autoruns : File not found problems

Author: John22
Subject: File not found problems
Posted: 14 June 2016 at 9:15pm

I have sent him an email and he sent me a new version of Autoruns. The drive letter "C" is now in the file paths and the entries are no longer highlighted in yellow.