Process Monitor : SetBasicInformationFile

December 7, 2016, 7:22 am

≫ Next: Troubleshooting : Suspended Processes

≪ Previous: Process Monitor : SetBasicInformationFile

$

0

0

Author: Dax1792
Subject: SetBasicInformationFile
Posted: 07 December 2016 at 3:22pm

Time values CreationTime, LastAccessTime, LastWriteTime, and ChangeTime are expressed in absolute system time format. Absolute system time is the number of 100-nanosecond intervals since the start of the year 1601 in the Gregorian calendar.

 

From https://msdn.microsoft.com/en-us/library/windows/hardware/ff545762(v=vs.85).aspx

 

The program has sent zeroes to the function.

---

Troubleshooting : Suspended Processes

December 7, 2016, 1:51 pm

≫ Next: PsTools : psexec -u doesn't work running as System user?

≪ Previous: Process Monitor : SetBasicInformationFile

$

0

0

Author: OverlordQ
Subject: Suspended Processes
Posted: 07 December 2016 at 9:51pm

Something is putting processes into a suspended state when starting them which causes it to take 2-3 minutes to launch even simple things like notepad. Any way to see what is suspending the processes and resuming them?

PsTools : psexec -u doesn't work running as System user?

December 8, 2016, 12:55 pm

≫ Next: PsTools : psexec -u doesn't work running as System user?

≪ Previous: Troubleshooting : Suspended Processes

$

0

0

Author: js2010
Subject: psexec -u doesn't work running as System user?
Posted: 08 December 2016 at 8:55pm

As the System user, if I run this, I get "Access is denied." and errorlevel 5.  How can I get it to work?  I'm trying to create a profile in a script:

psexec -u user1 cmd

PsTools : psexec -u doesn't work running as System user?

December 8, 2016, 1:21 pm

≫ Next: Process Monitor : Entry point intialize SRWLOCK

≪ Previous: PsTools : psexec -u doesn't work running as System user?

$

0

0

Author: tamahome
Subject: psexec -u doesn't work running as System user?
Posted: 08 December 2016 at 9:21pm

Sometimes when you ask a question, the answer comes to you:

psexec -h -u user1 cmd

Process Monitor : Entry point intialize SRWLOCK

December 8, 2016, 2:14 pm

≫ Next: Process Monitor : Entry point intialize SRWLOCK

≪ Previous: PsTools : psexec -u doesn't work running as System user?

$

0

0

Author: bataradena
Subject: Entry point intialize SRWLOCK
Posted: 08 December 2016 at 10:14pm

I'm using a XP-32 Professional machine and when I  try to install the "Process Monitor" program I'm getting a very strange error.

 

**Error:

Entry point initialize SRWLOCK could not be located in the dynamic Link Library Kernel32.dll.

 

Doing a quick Goggle Search this type of error is something to do with the wrong or type version for the operating system it being installed into?

 

 

 

 

Process Monitor : Entry point intialize SRWLOCK

December 8, 2016, 3:19 pm

≫ Next: PsTools : PsExec Slow with Firewall Disabled

≪ Previous: Process Monitor : Entry point intialize SRWLOCK

$

0

0

Author: LMiller7
Subject: Entry point intialize SRWLOCK
Posted: 08 December 2016 at 11:19pm

The initializeSRWLOCK function does not exist in XP. It was introduced with Vista.

The current version of Process Monitor is not compatible with XP. Vista or later is required. This is stated on the download page for Process Monitor.

PsTools : PsExec Slow with Firewall Disabled

December 8, 2016, 8:04 pm

≫ Next: Process Explorer : ** Process Explorer Bugs **

≪ Previous: Process Monitor : Entry point intialize SRWLOCK

$

0

0

Author: eunjoochung
Subject: PsExec Slow with Firewall Disabled
Posted: 09 December 2016 at 4:04am

I had the same problem. Then I changed the network connection type from public to home network.. It takes like 2~3 seconds now. Hope it works.

Process Explorer : ** Process Explorer Bugs **

December 9, 2016, 7:01 am

≫ Next: Disk2vhd : BUG of Disk2vhd on Dynamic Volumes

≪ Previous: PsTools : PsExec Slow with Firewall Disabled

$

0

0

Author: hurda
Subject: ** Process Explorer Bugs **
Posted: 09 December 2016 at 3:01pm

16.20 (maybe happening earlier too):

When enabling all five tray-icons and then disabling any one of them, a CPU-graph-trayicon is added, which doesn't change the displayed graph, even when the disabled tray-icon is the CPU-icon.

That broken icon stays as long as PE is running.

Edited by hurda - 22 hours 47 minutes ago at 3:02pm

---

Disk2vhd : BUG of Disk2vhd on Dynamic Volumes

December 9, 2016, 10:25 am

≫ Next: Troubleshooting : Need help with Ntoskrnl thread causing high CPU

≪ Previous: Process Explorer : ** Process Explorer Bugs **

$

0

0

Author: fairytale
Subject: BUG of Disk2vhd on Dynamic Volumes
Posted: 09 December 2016 at 6:25pm

I used to backup my file with Disk2vhd.
and then, clean my disk and reinstall System.
after, I mount the vhd and get all my files.
No problem.

But But But But But But But But But But But But But

But oneday, I backup my files on Dynamic Volumes(striped with 3 gpt disk) with Disk2vhd. I got 3 vhdx files.
after I clean my disk and mount the vhdx files, mount failed.............

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

December 9, 2016, 12:31 pm

≫ Next: Internals : audiodg.exe thread weirdness

≪ Previous: Disk2vhd : BUG of Disk2vhd on Dynamic Volumes

$

0

0

Author: RobJ
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 09 December 2016 at 8:31pm

Hey MagicAndre, think you have time to look at this??

TID   CPU    CSwitch Delta      Start Address
68    2.01    399                      ntoskrnl.exe!KeGetCurrentProcessorNumberEx+0x34
64    1.51    210                      ntoskrnl.exe!KeGetCurrentProcessorNumberEx+0x34
60    0.57    216                      ntoskrnl.exe!KeGetCurrentProcessorNumberEx+0x34
48    0.94    346                      ntoskrnl.exe!KeGetCurrentProcessorNumberEx+0x34

Can't seem to isolate the issue and these 4-5 guys are driving me nuts eating up the cpu. 
Pls help if you have time.

Rob

Internals : audiodg.exe thread weirdness

December 10, 2016, 3:09 am

≫ Next: Process Explorer : Control Flow Guard disabled

≪ Previous: Troubleshooting : Need help with Ntoskrnl thread causing high CPU

$

0

0

Author: cabaisma
Subject: audiodg.exe thread weirdness
Posted: 10 December 2016 at 11:09am

My audiodg.exe was access denied. What is the remedy and the action for this? Anyone can help me please..

Process Explorer : Control Flow Guard disabled

December 10, 2016, 11:15 am

≫ Next: Troubleshooting : Need help with Ntoskrnl thread causing high CPU

≪ Previous: Internals : audiodg.exe thread weirdness

$

0

0

Author: MagicAndre1981
Subject: Control Flow Guard disabled
Posted: 10 December 2016 at 7:15pm

try ProcessHacker to see if this also doesn't display it correctly.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

December 10, 2016, 11:17 am

≫ Next: Process Explorer : Control Flow Guard disabled

≪ Previous: Process Explorer : Control Flow Guard disabled

$

0

0

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 10 December 2016 at 7:17pm

you need to share the ETL so that I can analyze it in depth.

Process Explorer : Control Flow Guard disabled

December 10, 2016, 11:32 am

≫ Next: Autoruns : [BUG REPORT] Autoruns can't see HKCU\...\Run entry

≪ Previous: Troubleshooting : Need help with Ntoskrnl thread causing high CPU

$

0

0

Author: Mr.X
Subject: Control Flow Guard disabled
Posted: 10 December 2016 at 7:32pm

MagicAndre1981 wrote: try ProcessHacker to see if this also doesn't display it correctly.

Apparently PH shows it correctly:

Autoruns : [BUG REPORT] Autoruns can't see HKCU\...\Run entry

December 10, 2016, 12:27 pm

≫ Next: Process Monitor : Help finding error

≪ Previous: Process Explorer : Control Flow Guard disabled

$

0

0

Author: pol
Subject: [BUG REPORT] Autoruns can't see HKCU\...\Run entry
Posted: 10 December 2016 at 8:27pm

Hi

I tracked weird bug. Try to import this REG file:

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Blokada ekranu przy logowaniu"="rundll32.exe user32.dll,LockWorkStation"

Sysinternals don't see that entry. I tried on many versions.
Can you track and fix it?
(Windows 10 64-bit)

Best regards
Tom

---

Process Monitor : Help finding error

December 10, 2016, 5:22 pm

≫ Next: Process Explorer : Shared Memory not backed by file not shown in stat

≪ Previous: Autoruns : [BUG REPORT] Autoruns can't see HKCU\...\Run entry

$

0

0

Author: glatzfront
Subject: Help finding error
Posted: 11 December 2016 at 1:22am

Trying to find the cause of an event viewer error caused by Dropbox.I have run a boot scan and then filtered it with - (process, DbxSvc.exe, include) and (results, success, exclude). This has left 39 results but I don't know how to interpret them. Any help would be appreciated.

How do I post the 39 results? Copy and paste looks disorganized.

 

Process Explorer : Shared Memory not backed by file not shown in stat

December 10, 2016, 6:16 pm

≫ Next: Process Monitor : Running process monitor in safe mode

≪ Previous: Process Monitor : Help finding error

$

0

0

Author: KuldipRindani
Subject: Shared Memory not backed by file not shown in stat
Posted: 11 December 2016 at 2:16am

I have question w.r.t to display of Shared Memory counters which are not backed by physical file on disk.

Both the tools process explorer and vmmap (specifically)- don't show up this memory in process statistics, unless it is mapped by process during usage.

I have a process which creates a unnamed shared memory of around 10GB during its run to keep data received over network, and depending upon user action it maps and then unmap this memory for displaying.

but when this memory is not mapped into process space both the tools dont show this memory towards process.

can you please advise if this limitation of these tools or I'm missing something here.

Thanks.

Process Monitor : Running process monitor in safe mode

December 10, 2016, 10:23 pm

≫ Next: Autoruns : Autoruns source code?

≪ Previous: Process Explorer : Shared Memory not backed by file not shown in stat

$

0

0

Author: tjsepka
Subject: Running process monitor in safe mode
Posted: 11 December 2016 at 6:23am

A topic in this forum talks about adding a registry key for a driver in order to allow procmon to run in safe mode:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PROCMON23.sys]
@="Driver"

This will white list the driver in safe mode with networking.

Can anyone explain where the @=""Driver" belongs?  Is the value for its default key?  Should the value literally be the text string @="Driver", or is the post implying the default value be "Driver" (with or without the quote marks)?

And also, what is meant by "This will white list the driver in safe mode with networking."?

Additionally, I'd like the option to do boot logging when booting into safe  mode, if it works.

The forum topic I'm referring to is:

http://forum.sysinternals.com/safe-mode-process-monitor-device-driver_topic24607.html

Autoruns : Autoruns source code?

December 11, 2016, 5:15 am

≫ Next: Troubleshooting : Suspended Processes

≪ Previous: Process Monitor : Running process monitor in safe mode

$

0

0

Author: forumarbei
Subject: Autoruns source code?
Posted: 11 December 2016 at 1:15pm

Hi,
I have the following question.
Is the source code for the Sysinternals-tool "autoruns" and other sysinternals-tool available?
Many thanks
regards
Jogi

Troubleshooting : Suspended Processes

December 11, 2016, 8:24 am

≫ Next: Miscellaneous Utilities : ListDLLs

≪ Previous: Autoruns : Autoruns source code?

$

0

0

Author: sredna
Subject: Suspended Processes
Posted: 11 December 2016 at 4:24pm

This sounds like something a silly AV/protection product would do and it might take a while if it tries to access a server that is unavailable.

 

You could manually suspend all non-Microsoft processes with Process Explorer and see if the problem still exists...