Channel: Sysinternals Forums

Process Explorer : MobaXterm constant "Other IO"

Author: paulmedynski
Subject: MobaXterm constant "Other IO"
Posted: 27 June 2016 at 1:54pm

Hi folks,

I'm using MobaXterm as my X-Server on my Win7 box.  It works well and I don't really have any problems with it.  However, I have noticed that it constantly uses ~30KB of "Other IO" and ~1.5% CPU as soon as it loads, even when no X sessions are active.  This can be seen in Process Explorer in the "Other IO Delta Bytes" and "CPU" columns respectively.  I've tried using Process Monitor to see what the "Other IO" actually is, but no events show up at all.  Only typical disk and network IO show up.  I have Process Explorer and Process Monitor (Apr 18, 2016 package) running side by side, and I can see the Other IO in PE, but no events at all in PM.

Is there any way to see exactly what MobaXterm is doing that PE is tracking as "Other IO"?

Thanks!
-Paul

Malware : Viveice Hijack

Troubleshooting : BSOD

Author: poolboy
Subject: BSOD
Posted: 28 June 2016 at 12:59am

Hi,
I have 3 x Windows 7 Ultimate machines which periodically (every 1 hour) give me a BSOD. The BSOD comes up with an impersonating_worker_thread bug check string.
 
The only thing I can think is that we have loaded a new version of MYOB Accounting software, but they say it has nothing to do with their software.
Can somebody look at the attached minidump files and suggest some ideas?

Thanks for your help.

uploads/51230/mels_machine.zip

Miscellaneous Utilities : Proxy aware network connects

Author: hybrid
Subject: Proxy aware network connects
Posted: 28 June 2016 at 2:02am

Is there any way in Sysmon to log the URL of a proxy aware network connection?
Logging ports 80 and 443 is kind of useless from a security aspect if the connection is made to a proxy server, as you can't check it against known malicious addresses.

BgInfo : Getting Only Active Network Cards with their speed

Author: WindowsStar
Subject: Getting Only Active Network Cards with their speed
Posted: 28 June 2016 at 4:45am

Without access to your systems it would be difficult for me to write a script that could capture the data you need. Typically you have to do a bunch of testing, rebooting, checking if non-admin logs vs admin. etc. etc.

BgInfo : Getting Only Active Network Cards with their speed

Author: boe_d
Subject: Getting Only Active Network Cards with their speed
Posted: 28 June 2016 at 5:06am

Thanks. Is there a place to request features in the next BGInfo?

Miscellaneous Utilities : PendMove movefile ... doesn't

Author: Noxolos
Subject: PendMove movefile ... doesn't
Posted: 28 June 2016 at 12:24pm

A parameter for overwriting an existing file would be great!
I hope to see this feature in a future release of MoveFile.

As Telcontar already said, an exclamation mark in front of the destination entry is all we need.

MoveEx by Frank Westlake from ss64.net supports this feature by default:
https://www.raymond.cc/blog/why-are-you-asked-to-restart-after-install-or-uninstall-software/
http://ss64.net/westlake/nt/index.html

Sadly the tool is not completely compatible with 64-bit operating systems:
When you try to move files below the C:\Windows\System32 directory, the OS replaces the string with C:\Windows\SysWOW64.
Apart from this it just works.

This feature has already been requested by MagisterAstri in this thread:
http://forum.sysinternals.com/topic8979.html

Regards
Noxolos

Process Monitor : Name not found

Author: patton
Subject: Name not found
Posted: 28 June 2016 at 2:23pm

Running Process Monitor for only a few minutes, I got 54,000 Name not found, 18,000 Reparse, and 5,000 File blocked with only readers.
With so many errors, where should the starting point for troubleshooting be?

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: ironmanco
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 28 June 2016 at 4:39pm

I turned off MSE and things seem to be MUCH better. Nothing I saw pointed to this, but it seems that was a good portion of the issue. No option to use a different sound card. We have about 20,000 of these laptops throughout our company, so I don't think it's hardware related.

Process Monitor : Name not found

Author: Dax1792
Subject: Name not found
Posted: 29 June 2016 at 11:35am

It doesn't indicate anything abnormal.
 
Two minutes on my laptop:
FILE LOCKED WITH ONLY READERS    3661  (Not BLOCKED)
NAME NOT FOUND                  76999
REPARSE                          5371
 
FILE LOCKED WITH ONLY READERS and REPARSE wouldn't be considered errors. A lot of NAME NOT FOUND responses come from Windows searching the Registry for optional entries.
 
What problem are you trying to solve?

Miscellaneous Utilities : SysMon - add Authenticode hash

Author: GregAskew
Subject: SysMon - add Authenticode hash
Posted: 29 June 2016 at 1:25pm

Would it be possible to add the Authenticode hash to the list of hashes to collect? 

This would enable getting hashes for AppLocker for difficult-to-retrieve files, such as temporary files created only during setup.

PsTools : PSList Not Working From Windows Server 2008 R2

Author: RC_Crusher07
Subject: PSList Not Working From Windows Server 2008 R2
Posted: 29 June 2016 at 2:38pm

Found a resolution!

It was discovered that Microsoft Update KB3165191 (Link: https://support.microsoft.com/en-us/kb/3165191) causes an issue with how NetBios resolves DNS names outside of the local subnet.

From the linked Microsoft article above, this is what I was able to do to resolve the issue:

After you install this security update, the following changes are applied:
  • NETBIOS communication outside of the local subnet is hardened. Therefore, by default, some features that depend on NETBIOS (such as SMB over NETBIOS) will not work outside the local subnet. To change this new default behavior, create the following registry entry:
    SUBKEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    Value Name: AllowNBToInternet
    Type: Dword
    Value: 1
After I created this registry entry, I had to reboot, and then everything started working as expected again!

This resolution worked on the server, and on some PCs that started to experience this issue after update KB3165191.
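The registry entry described above relaxes a hardening that KB3165191 puts in place, so it is worth knowing on which machines it has been set. The following is an added example, not code from the post or from Microsoft; it audits the AllowNBToInternet value at the key path quoted above and only shows the change command in a comment. The function name Get-NetBTInternetSetting is an assumption.

```powershell
# Added example: audit whether the NetBT hardening from KB3165191 has been relaxed.
# Key path and value name are taken from the post above; run in an elevated prompt.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$valueName = 'AllowNBToInternet'

function Get-NetBTInternetSetting {
    # Returns $null when the value does not exist, which is the hardened default
    # after the update (NetBIOS traffic stays inside the local subnet).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Report-NetBTInternetSetting {
    $current = Get-NetBTInternetSetting
    if ($null -eq $current) {
        Write-Output "$valueName is not set: NetBIOS outside the local subnet stays blocked (hardened default)."
    } elseif ($current -eq 1) {
        # This is the workaround from the post; it re-enables SMB over NetBIOS off-subnet,
        # so record it as a deliberate exception rather than leaving it unexplained.
        Write-Warning "$valueName = 1: NetBIOS (and SMB over NetBIOS) is allowed outside the local subnet."
    } else {
        Write-Output "$valueName = $current (value present but not 1; NetBIOS remains restricted)."
    }
    return $current
}

Report-NetBTInternetSetting

# To apply the workaround from the post only where off-subnet NetBIOS name resolution is
# genuinely required, create the DWORD and reboot, as the post describes:
#   New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force
#   Restart-Computer
```

Running the audit across a fleet (for example through a remote PowerShell session) gives an inventory of hosts where the hardening has been turned off, which is the first thing to check if PsList or SMB over NetBIOS suddenly works off-subnet again after the update.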

Miscellaneous Utilities : VMMAP + windows 8+

Author: michal.p
Subject: VMMAP + windows 8+
Posted: 29 June 2016 at 9:59pm

Are you guys planning to fix this bug or have a workaround?  

I just hit the same problem where I am trying to trace memory allocations for a 32-bit process (which probably runs out of memory) and 32-bit VMMap crashes (when started from the Ctrl+P menu, Launch and trace a new process) ... it (judging by procexp) probably runs out of memory just as well...

Starting VMMap -64 and attaching to our process shows grayed out Call Tree... and Trace...

Michal
(using VMMap 3.21)

Miscellaneous Utilities : DbgView and Windows 10

Author: Ford Prefect
Subject: DbgView and Windows 10
Posted: 30 June 2016 at 9:57am

I got a similar problem on Win10.
I'm configuring DbgView to buffer debug output at next boot.
During system startup a message is displayed that buffering is in progress.
After logging in I start DbgView as admin, but there seems to be nothing buffered - DbgView is only capturing debug output from the point in time I started it after reboot.

Any advice?

Regards,
Ford

Miscellaneous Utilities : DbgView and Windows 10

Author: alanadams
Subject: DbgView and Windows 10
Posted: 30 June 2016 at 1:26pm

A colleague of mine indicated they had this kind of trouble too, but I hadn't had reason to test whether I was seeing that same behavior now.  I just now tested on a Surface 4 Pro with Windows 10 x64 TH2 (10586) with all Windows Updates up to June 29, 2016 in a Secure Boot configuration.
 
But I'm still seeing the intended and desired outcome.  I have my own boot-mode filter driver initialization output successfully showing up in the DebugView window, so I know I'm seeing more than just "output that occurred after I started the DebugView UI again."  And I can tell from the time stamps that I'm seeing output that occurred during the boot, too.
 
So I would have said it's all still working, even with all the latest Windows 10 updates that have arrived since I last tried.
 
One "gotcha" I can think of right now that would explain "I run DebugView but only get new output being captured" would be if I didn't run DebugView using "Run as Administrator", such that even though the DBGV.SYS driver is running and buffering captured output, the user-mode DebugView UI component doesn't have sufficient access to configure or talk to it to retrieve that queued output.
 
Also, if you ran DebugView again /after/ setting "Log Boot" successfully, that can interfere too.  Running DebugView again (even with Run as Administrator) will have "Capture Kernel" still selected by default, but when DebugView tries to honor the "Capture Kernel" setting this will fail because of the already-configured "DBGV.SYS" instance that was configured for "Log Boot" and is just waiting for you to shut down.  So after performing all the steps to configure Log Boot successfully, once you close DebugView, don't re-open DebugView to check your settings again or anything like that.
 
Just to be clear, what I did during my capture boot mode test on Windows 10 just now was:
 
1. Launch DbgView.exe using "Run as Administrator".  (Actually, I just change my shortcut's "Compatibility" tab to always do this for me so that I don't forget.)
 
2. In the Capture menu, enable "Win32", "Global Win32", "Kernel", "Verbose Kernel Output" and "Pass-Through".  Now the DBGV.SYS driver will have been started, in response to selecting "Kernel".
 
3. Go to the Windows\System32\Drivers directory and rename DBGV.SYS to "DBGV.2.SYS" or similar, so that the original DBGV.SYS file name is now available again.
 
4. In the Capture menu, now select "Log Boot".  This will write and configure the DBGV.SYS driver again for use at next boot.
 
5. Close DebugView.  Reboot the machine.
 
6. Once logged back in to the desktop, launch DbgView.exe using "Run as Administrator".
 
7. Observe that queued output from the current boot is immediately loaded into the DebugView window, and then capture continues from that point for any future output.
 
Hopefully some piece of that helps.
 
-Alan
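The two gotchas Alan describes (running DebugView without elevation, and re-opening it after "Log Boot") both show up as a simple state on disk and in the current token. The following is an added example and not code from the post or from Sysinternals: it checks the preconditions for the seven-step procedure above and says which step applies. The driver name DBGV.SYS and the directory come from the post; the renamed copy name DBGV.2.SYS is the post's own suggestion, and the function names are assumptions.

```powershell
# Added example: pre-flight check for the "Log Boot" procedure described above.
# Nothing here changes the system; it only reports elevation and driver-file state.

function Test-IsElevated {
    # DebugView must run elevated to talk to the DBGV.SYS driver (gotcha #1 in the post).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DbgvDriverState {
    # Directory and file names from the post; the renamed copy name is the post's suggestion.
    $driverDir = Join-Path $env:SystemRoot 'System32\Drivers'
    return [pscustomobject]@{
        Elevated        = Test-IsElevated
        OriginalPresent = Test-Path (Join-Path $driverDir 'DBGV.SYS')
        RenamedPresent  = Test-Path (Join-Path $driverDir 'DBGV.2.SYS')
    }
}

function Get-LogBootAdvice {
    param([Parameter(Mandatory)] $State)

    if (-not $State.Elevated) {
        return 'Not elevated: relaunch with "Run as Administrator" (step 1) or buffered output cannot be retrieved.'
    }
    if (-not $State.OriginalPresent -and -not $State.RenamedPresent) {
        return 'No DBGV.SYS yet: select Capture > Kernel in DebugView first (step 2).'
    }
    if ($State.OriginalPresent -and -not $State.RenamedPresent) {
        return 'DBGV.SYS present and not renamed: rename it to DBGV.2.SYS (step 3) before selecting "Log Boot".'
    }
    if ($State.RenamedPresent -and -not $State.OriginalPresent) {
        return 'Renamed copy found and original name free: select Capture > Log Boot now (step 4).'
    }
    # Both files present: "Log Boot" has written a fresh DBGV.SYS (step 4 done).
    return 'Log Boot driver written: close DebugView and reboot (step 5); do not re-open it before the reboot.'
}

$state = Get-DbgvDriverState
$state
Get-LogBootAdvice -State $state
```

Run it once before step 4 and once after closing DebugView; the last message is the reminder not to re-open DebugView, since a second instance tries to start its own kernel capture against the driver already armed for boot logging.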

Autoruns : Autorun 13.52

Author: parkd1
Subject: Autorun 13.52
Posted: 30 June 2016 at 2:41pm

Is there a change log for version 13.52? Thanks

Autoruns : 13.52 autoruns64.exe

Author: EdKiefer
Subject: 13.52 autoruns64.exe
Posted: 30 June 2016 at 5:52pm

I notice version 13.52 gives x64 versions.
But there seems to be a bug in it: with this version I see many pink entries in scheduler, drivers etc.
But when I check the path, say on a service like "Diagtrack", the image path shows "C:\windows\syswow64\diagtrack.dll". Now there is no file there, but when I go to "jump to entry" all paths in that key associated with diagtrack are in the system32 folder: "%SystemRoot%\system32\diagtrack.dll"

So it appears it's getting mixed up on the x64 path.

Autoruns : 13.52 autoruns64.exe

Author: EdKiefer
Subject: 13.52 autoruns64.exe
Posted: 30 June 2016 at 5:58pm

I forgot to mention that hitting refresh gives me different results, with different entries marked pink.

I am using the "Hide MS" and "Windows entries" options.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: ironmanco
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 30 June 2016 at 10:48pm

Originally posted by ironmanco:

I turned off MSE and things seem to be MUCH better. Nothing I saw pointed to this, but it seems that was a good portion of the issue. No option to use a different sound card. We have about 20,000 of these laptops throughout our company, so I don't think it's hardware related.


As a final follow up to this issue I found the root cause. It was me.

During a business trip about a month ago, during the flight, I changed my power plan to be locked at using the lowest CPU and GPU resources and therefore using the least amount of power. Typically the power plan will change this and, when plugged in, it would then return back to normal. My issue was that I wanted it to charge as fast as possible during this time as well, so I locked it in at the lowest performance level.

As soon as I changed the power profile back to normal everything started working faster...much faster.

So - bottom line it wasn't the audio driver, 3rd party software, MSE or anything really to do with software - or hardware for that matter....it was me.

Utilities Suggestions : API spy

Author: emkuk
Subject: API spy
Posted: 01 July 2016 at 12:16am

Hi,

It would be helpful to have a lightweight Microsoft utility which would monitor API calls for all new and existing processes.

Here is an example:  A "to be determined" process is opening a handle to a service but not closing the handle. The application the service belongs to tries to remove the service, but the handle remains, which puts the service into a pending delete state, causing issues for the application.

How do you know which process called OpenService for Service Name X?

Given this scenario it would be great if there was a Windows utility you could run to monitor one or more API calls and possibly the parameters passed to them.

Many thanks.
