Channel: Sysinternals Forums

Troubleshooting : Understanding Behind the Scene

Author: dw85745
Subject: Understanding Behind the Scene
Posted: 20 June 2016 at 3:43am

Dax1792:

Thanks that worked.


PsTools : psshutdown -m does not display any message

Author: mastabog
Subject: psshutdown -m does not display any message
Posted: 20 June 2016 at 1:40pm

I'm on Win 8.1 x64, logged in as the main user which has admin rights, and with UAC disabled.

If I do in a cmd prompt
psshutdown -d -c -m "Going to sleep" -t 120 -v 120

it responds with
PsShutdown v2.52 - Shutdown, logoff and power manage local and remote systems
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Local system is scheduled to suspend in 00:02:00.

but no message is displayed (it does correctly go to sleep in 2 minutes though).

I tried with/without -c and also -v, and also tried an elevated cmd prompt - to no avail.

What am I missing?



Troubleshooting : Sysmon v4 Not Logging Network Connections

Process Explorer : Hang in Processs properties window

Author: bartoli
Subject: Hang in Processs properties window
Posted: 20 June 2016 at 4:29pm

For those having the problem but not willing to kill TeamViewer, a solution is to go to HKLM\Software\Wow6432Node\TeamViewer and create a DWORD key called EnableHooks, leaving it at 0.

As a side effect, this will disable a bit of TeamViewer integration in Windows, like the button you can see at the right of the menu bar that allows sharing the window with another TeamViewer user.

Miscellaneous Utilities : It shows a blue screen after x seconds

Author: MagicAndre1981
Subject: It shows a blue screen after x seconds
Posted: 20 June 2016 at 6:28pm

Do you mean a BSOD, or which blue screen are you talking about?

Development : Process environment variables

Author: tasya
Subject: Process environment variables
Posted: 21 June 2016 at 8:53am

Hi! I need to get the environment variables of an arbitrary process. When I was on XP I wrote the following code:

#define UNICODE

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <locale.h>

typedef LONG NTSTATUS;

#define ProcessBasicInformation 0

typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PVOID PebBaseAddress;
    ULONG_PTR AffinityMask;
    LONG BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;

NTSTATUS (__stdcall *NtQueryInformationProcess)(
    HANDLE ProcessHandle,
    UINT ProcessInformationClass,
    PVOID ProcessInformation,
    ULONG ProcessInformationLength,
    PULONG ReturnLength
);

ULONG (__stdcall *RtlNtStatusToDosError)(
    NTSTATUS Status
);

/* Resolve the undocumented ntdll exports at run time. */
BOOLEAN LocateSignatures(HMODULE mod) {
    if (!(NtQueryInformationProcess = (PVOID)GetProcAddress(
        mod, "NtQueryInformationProcess"
    ))) return FALSE;

    if (!(RtlNtStatusToDosError = (PVOID)GetProcAddress(
        mod, "RtlNtStatusToDosError"
    ))) return FALSE;

    return TRUE;
}

int wmain(int argc, WCHAR* argv[]) {
    WCHAR *app, *buf, *tmp;
    DWORD pid;
    HANDLE proc;
    PVOID rupp;      /* PEB->ProcessParameters (RTL_USER_PROCESS_PARAMETERS*) */
    PVOID env;       /* ProcessParameters->Environment */
    SIZE_T envSize;
    NTSTATUS nts;
    PROCESS_BASIC_INFORMATION pbi;
    MEMORY_BASIC_INFORMATION mbi;

    if (argc != 2) {
        app = wcsrchr(argv[0], L'\\');
        wprintf(L"Usage: %s [PID]\n", app ? ++app : argv[0]);
        return -1;
    }

    if (!LocateSignatures(GetModuleHandle(L"ntdll.dll"))) {
        return -1;
    }

    pid = _wtoi(argv[1]);
    if (!(proc = OpenProcess(
        PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid
    ))) {
        return -1;
    }

    /* 0x10 and 0x48 are the 32-bit offsets of PEB.ProcessParameters and
       RTL_USER_PROCESS_PARAMETERS.Environment; a 64-bit build needs 0x20 and 0x80. */
    if (!(nts = NtQueryInformationProcess(
        proc, ProcessBasicInformation, &pbi, sizeof(pbi), NULL
    ))) {
        if (ReadProcessMemory(
            proc, (PCHAR)pbi.PebBaseAddress + 0x10, &rupp, sizeof(rupp), NULL
        )) {
            if (ReadProcessMemory(
                proc, (PCHAR)rupp + 0x48, &env, sizeof(env), NULL
            )) {
                if (!VirtualQueryEx(proc, env, &mbi, sizeof(mbi))) {
                    CloseHandle(proc);
                    return -1;
                }

                /* Read from the Environment pointer to the end of its region, not
                   from the region base: on XP the block was its own allocation, but
                   on Vista/Win7 it sits inside the process heap, so the region base
                   holds heap data rather than the environment. */
                envSize = ((PCHAR)mbi.BaseAddress + mbi.RegionSize) - (PCHAR)env;
                buf = (WCHAR *)malloc(envSize);
                if (buf && ReadProcessMemory(
                    proc, env, buf, envSize, NULL
                )) {
                    /* NUL-separated strings; an empty string ends the block. */
                    tmp = buf;
                    while (*tmp) {
                        printf("%.*S\n", (int)wcslen(tmp), tmp);
                        tmp += wcslen(tmp) + 1;
                    }
                }
                free(buf);
            }
        }
    }
    CloseHandle(proc);

    return 0;
}

But on Win7 it doesn't work. How do I fix this? Thanks in advance.
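An added example, not the poster's code, showing in portable C how the environment block the program above reads is laid out and parsed: a double-NUL-terminated run of UTF-16 NAME=VALUE strings which, from Vista on, sits inside a heap region rather than at the region's base. The sample region, its 8-unit offset and its contents are constructed here; it builds with any C99 compiler, not only on Windows.

```c
#include <stdint.h>
#include <stdio.h>
/* Environment block: UTF-16LE "NAME=VALUE" strings, each NUL-terminated, plus one
 * extra NUL. From Vista on it lives inside the process heap, so it does not start
 * at the base of the region VirtualQueryEx reports: parse from the Environment pointer. */
typedef struct { size_t name_off, name_len, value_off, value_len; } env_entry;

/* Parses the block at env_off inside region[0..units). Returns the entry count
 * (filling up to max_out entries), or -1 if the closing double NUL is not inside
 * the region, i.e. the copy of the block is truncated. */
int parse_env_block(const uint16_t *region, size_t units, size_t env_off,
                    env_entry *out, size_t max_out) {
    size_t pos = env_off, n = 0;
    while (pos < units && region[pos] != 0) {
        size_t start = pos, eq = 0;
        for (; pos < units && region[pos] != 0; pos++)
            /* "=C:=C:\dir" entries start with '='; that first '=' belongs to the name. */
            if (region[pos] == '=' && eq == 0 && pos > start) eq = pos;
        if (pos >= units) return -1;
        if (n < max_out) {
            out[n].name_off = start;
            out[n].name_len = (eq ? eq : pos) - start;
            out[n].value_off = eq ? eq + 1 : pos;
            out[n].value_len = eq ? pos - eq - 1 : 0;
        }
        n++; pos++;                              /* step over the terminator */
    }
    return pos < units ? (int)n : -1;            /* the empty string must fit */
}

/* Constructed sample region: 8 units of unrelated heap data, then the block. */
uint16_t g_region[96];
size_t build_sample_region(void) {
    const char *strs[] = { "=C:=C:\\Users\\demo", "PATH=C:\\Windows", "TEMP=C:\\Temp" };
    size_t pos = 0;
    while (pos < 8) g_region[pos++] = 0x4142;    /* heap noise, not environment */
    for (int i = 0; i < 3; i++) {
        for (const char *p = strs[i]; *p; p++) g_region[pos++] = (uint8_t)*p;
        g_region[pos++] = 0;
    }
    g_region[pos++] = 0;
    return pos;                                  /* 56 code units */
}

int main(void) {
    env_entry e[8]; size_t units = build_sample_region();
    int n = parse_env_block(g_region, units, 8, e, 8);   /* start at Environment */
    printf("%d entries; first name is %zu units long\n", n, e[0].name_len);
    return 0;
}
```

Parsing the same region from offset 0 (the XP-era assumption) still yields three entries but folds the eight units of heap noise into the first name, which is exactly the garbage the original program prints on Win7.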

Miscellaneous Utilities : WinOBJ - devices

Author: ianoz
Subject: WinOBJ - devices
Posted: 21 June 2016 at 11:35am

Hi Gurus,

I need to know what some devices listed in WinObj are, and also whether they are malicious or not. They come from a Windows 2012 R2 server.

FakeVid1, FakeVid2 ....

Any suggestions on the following: uploads/51207/winobj-screenshot-fakevid.zip

Also, is there any decent documentation for this product? The help file doesn't open in Windows 10.

Thanks in advance.

Troubleshooting : I want free or paid to recover the Access databa

Author: Graversen
Subject: I want free or paid to recover the Access databa
Posted: 21 June 2016 at 2:40pm

I have found that occasionally opening the database with a different version of Access will "fix" the problem. So, if you are working in A2010, try opening with A2007 or A2013. If it is an .mdb file, try A2003. I had a database in .mdb format that seemed to corrupt on alternate Tuesdays if the sky was clear. We normally used A2010 to open it, but we had some old computers around and opening it in A2003 frequently fixed the problem. Of course, you have no options if you are using features available in only a single version.

Or, if the above recommendation does not help you, you can try the best program of all that I have used, Access Recovery Toolbox. There is a demo version, so you can check whether it is useful for you or not. http://www.oemailrecovery.com/access_recovery.html

Miscellaneous Utilities : Foxpro file viewer

Author: BryanNeilson
Subject: Foxpro file viewer
Posted: 21 June 2016 at 3:57pm

Isn't there a file with the same name as the file with the .DBT extension but with an extension of .DBF somewhere near? The .dbt file is a memo file associated with a .dbf (dBase, FoxPro) database file. If you already have any application which will open this type of file (e.g., FoxPro, dBase, Access etc.), you can open the .dbf file and the application will automatically extract the corresponding data from the .dbt file. If you do not have the .dbf file then it is a little bit more complicated. The .dbt structure is basically flat text, with some pointers in it relating to the records in the original .dbf file. You can open this using Notepad and extract the text stored in it quite easily, but without the original database you do not know to which records it refers.

If the .dbf file will not open or is corrupted, you can use DBF Recovery Toolbox. Maybe you will solve the issue that way. http://www.oemailrecovery.com/dbf_recovery.html

PsTools : PSList Not Working From Windows Server 2008 R2

Author: RC_Crusher07
Subject: PSList Not Working From Windows Server 2008 R2
Posted: 21 June 2016 at 6:15pm

I have a remote machine that is running Windows XP that I am attempting to use pslist against. When I use my local workstation (Windows 7 - 64 Bit) I am able to retrieve the information I am expecting.

Syntax used:

pslist \\some.pc.name.com ProcessName -u UserName -p PassWord

I can also do this:

pslist \\xxx.xxx.xxx.xxx ProcessName -u UserName -p PassWord (Where the x's stand for the IP associated to some.pc.name.com)

But for some reason when I am on the server (Windows Server 2008 R2 Standard - 64 Bit), I am not getting the same results. When I run the first command, with 'some.pc.name.com' I receive an error message like the following:

pslist v1.28 - Sysinternals PsList
Copyright © 2000-2004 Mark Russinovich
Sysinternals

Failed to take process snapshot on some.pc.name.com.
Make sure that the Remote Registry service is running on the remote system, that you have firewall ports allow RPC access, and your account has read access the following key on the remote system:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib

But when I use the second command with the IP address on the server, it works just fine and returns the results I expect.

I want to avoid having to use the IP address since it will cause a good amount of extra coding and verifying steps, within a script I am writing, to ensure I am acting against the expected machines.

Has anyone seen this before or know what might be causing it? Any help is greatly appreciated, thank you!

Internals : Lost OE mail in recent months and years.

Author: bjerre
Subject: Lost OE mail in recent months and years.
Posted: 21 June 2016 at 8:55pm

Are the missing emails typically from the oldest ones or the newest ones?

Is it possible that someone has created another identity and you are looking at the wrong set of files?
Check the time and date on the inbox.
There are hundreds of repair utilities available on the net, 90% of which will allow you to run the recovery and show you the results, but not actually recover them until you buy the program.
If that doesn't work you will have to restore from a backup.

If you haven't got a backup, start looking at what .dbx files you have in the location you find under the OE main menu > Tools | Options; on the Maintenance tab, press the Store Folder button.

If you have more than one, the files you are looking for can be there.
Here is how to repair OE; it also suggests a repair software, OE-Mail Recovery:
http://www.oemailrecovery.com/faq-outlook-express-dbx-location.html http://www.oemailrecovery.com/repair-outlook-express.html

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: ironmanco
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 21 June 2016 at 9:06pm

Originally posted by MagicAndre1981 MagicAndre1981 wrote:

in the latest trace you sent me via PM I see a large CPU usage of the SYSTEM process. Here it comes from zeroing the memory (ntoskrnl.exe!KeZeroPages) before Windows can put new data into the memory. If your browser is (or is based on) Chrome, this is known and happens due to HW acceleration of the browser. Turn this off.

Next you have a high CPU usage of svchost.exe, which is the Windows Update service and scans for new updates:

This is super slow. I posted on superuser a guide how to improve search speed:

http://superuser.com/a/996072/174557

The audiodg.exe CPU usage still comes from Audio APO processing.


I turned HW accel off on both Chrome and FF. I don't actively use any other browsers. I also already have the KB fix installed for the WUS.

I've tried a few different audio drivers but it doesn't seem to make a difference.

Sorry to keep harping on this but I'm really at a loss on what is causing this. Here is another capture with HW accel turned off (since the fix for WUS was already installed).


Autoruns : "The system cannot find the file specified"

Author: spleenharvester
Subject: "The system cannot find the file specified"
Posted: 21 June 2016 at 11:42pm

So in my thread here: http://forum.sysinternals.com/autoruns-and-winpe_topic31991.html I detailed an issue about how when you use 'analyse offline system' you can't untick many objects (or if you can, you can't tick them again afterwards, or the settings don't save). I have some more details.


Versions of Autoruns I have tried: v13.51, v13.01, v12.00, v11.31. All have exactly the same problem.


What this affects: initially thought this only affected WinPE, but exactly the same thing happens from a full Windows 10 64-bit installation acting on another Windows 10 64-bit installation (probably others affected but this is my environment). The online functions work perfectly, however.


What I found: The only software affected is that under HKLM\Software. Seemingly, when viewing with Process Monitor, Autoruns tries to access but does not attempt to create HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled. If this key is created manually, Autoruns does not attempt to create any entries within it.


Further note: If I boot into the 'target' offline image I can uncheck and check the 'affected' entries without a hitch, so there is presumably a bug in Autoruns somewhere.


Any help would be appreciated.

Troubleshooting : Sysmon on Windows Server 2008 R2 stops working

Author: ace
Subject: Sysmon on Windows Server 2008 R2 stops working
Posted: 22 June 2016 at 10:01am

Hi,

We have installed Sysmon 4.0 on Windows Server 2008 R2. This works only until the server is rebooted. After the reboot the Sysmon service is running but it writes no logs.

Is the incompatibility with 2k8 R2 servers intended?

Regards,
Stefan

Troubleshooting : Repair Exchange Priv1/Pub1.edb

Author: jordanwilliam
Subject: Repair Exchange Priv1/Pub1.edb
Posted: 22 June 2016 at 1:56pm

The fantastic EDB Converter Tool successfully repairs Exchange (priv1 or pub1) data into a PST file with email attachments and properties. This EDB to PST software works fluently on all damaged EDB databases and exports EDB data to Outlook (.PST). It splits large PST files from 1GB to 5GB.

Read more- http://www.convert.edbtopsttool.com/




Process Explorer : unable to extract 64-bit image

Author: bahnjee
Subject: unable to extract 64-bit image
Posted: 22 June 2016 at 3:49pm

Late to the party but I thought I'd add my solution anyway...
 
Tips in previous posts helped me to see that when I try to run ProcExp.exe, it extracts a procexp64.exe to my TEMP folder (C:\users\<username>\AppData\Local\TEMP). I tried running this newly extracted file but still no joy.
 
So....I copied that newly extracted file to my Program Files folder (where all my other Sysinternals tools live) and ran it from there.  Yay!  It runs now.
 
Thanks to those that pointed me (us) in the right direction.