Channel: Sysinternals Forums

Disk2vhd : Disk2VHD hangs at ca. 60%

Author: MaxTric
Subject: Disk2VHD hangs at ca. 60%
Posted: 10 January 2017 at 7:10am

Hello and happy new year

I have a Boot Camp installation and from this I try to export the Windows 7 x64 to VHD. Three years ago this worked. Now the Disk2VHD process gets stuck at about 60%. I can just press cancel and kill the disk2vhd processes via Task Manager.
What could be the problem or can I somehow see logs or any indications for the problem?
In eventvwr I see that at sometime the security-SPP process started, could that be the problem?

Thanks in advance, best regards!
Max

BgInfo : WinPE 10 64Bit & BGInfo v4.20 Application Error

Author: mdubya
Subject: WinPE 10 64Bit & BGInfo v4.20 Application Error
Posted: 10 January 2017 at 5:17pm

After more testing I'm starting to think this may be somehow driver related.

The NIC driver being loaded is the Microsoft Hyper-V Network Adapter. If I enable networking by running WPEINIT upon boot up, and then follow that command with: X:\Windows\BgInfo\BGInfo.exe X:\Windows\BgInfo\BgInfo.bgi /timer:0 /accepteula then it is at this point BGInfo will generate the application error seen above. If, on the other hand, I do not enable WinPE networking, then BGInfo launches as expected. Again, this is only in the virtual world (Hyper-V and VMware); physical machines work like a charm.

I'm not sure many (any) of you are running BGInfo in exactly this way, but if you do have any suggestions, I would greatly appreciate them.

-Mike


Edited by mdubya - 42 minutes ago at 5:18pm

Process Monitor : How to end a capture?

Author: pmatula
Subject: How to end a capture?
Posted: 10 January 2017 at 6:32pm

Hi,
You can stop the trace via File -> Capture Events.
You can save the trace via File -> Save...

More common is to use the icons below. The 2nd and 3rd icon will be relevant. 


Process Monitor : Procmon64 crashes on Exchange 2010

Author: FrankG
Subject: Procmon64 crashes on Exchange 2010
Posted: 11 January 2017 at 11:46am

Three weeks on holiday and still no idea?

Miscellaneous Utilities : SysMon 5.2 - not installing on 2016+secure boot

Author: pscookiemonster
Subject: SysMon 5.2 - not installing on 2016+secure boot
Posted: 11 January 2017 at 3:17pm

Ran into the same issue (presumably).  Vanilla Hyper-V guest, defender service is running.

Miscellaneous Utilities : Sysmon filtering (bug?)

Author: johnmccash
Subject: Sysmon filtering (bug?)
Posted: 11 January 2017 at 6:38pm

I just ran into this same issue & figured out the answer. From the usage info: "You can use both include and exclude rules for the same tag, where exclude rules override include rules. Within a rule, filter conditions on the same field have OR behavior, whereas conditions on different fields have AND behavior."

So your rule only excludes ImageLoad events where both the Signature and Image conditions are met.

BTW, according to the comment, it sounds like you're attempting to log unsigned images that are being loaded. I believe the 'Signature' condition actually applies to the executable doing the loading, rather than to the binary being loaded.

(note that it would be cool if there were a way to do this)


John

Site Bugs : Forum Updates

Author: GrofLuigi
Subject: Forum Updates
Posted: 11 January 2017 at 8:22pm

No issue, but could a larger font be used?

Although browsers have zoom function, I think the default is too tiny.

I didn't write a private message because I think this might be open for discussion.

GL


Process Monitor : Windows XP and PM 3.31

Author: GrofLuigi
Subject: Windows XP and PM 3.31
Posted: 11 January 2017 at 8:56pm

Is 3.20 available for download somewhere (from trusted source)?

*** Edit: Found it on Internet Archive Wayback Machine in the snapshot of https://technet.microsoft.com/en-us/sysinternals/bb896645 made on 6th of April 2016. Most of the other snapshots threw an error on the .zip file. ***




Edited by GrofLuigi - 1 hour 44 minutes ago at 9:39pm

Miscellaneous Utilities : Sysmon filtering (bug?)

Author: johnmccash
Subject: Sysmon filtering (bug?)
Posted: 11 January 2017 at 9:29pm

Actually, I stand corrected. It looks like the Signature condition for the ImageLoad event does apply to the image being loaded rather than the image doing the loading.
John

Miscellaneous Utilities : Sysmon ProcessAccess Filtering

Author: johnmccash
Subject: Sysmon ProcessAccess Filtering
Posted: 11 January 2017 at 10:24pm

I'm looking for better documentation on this. Can somebody point me to a reference for the various GrantedAccess values? Also, what does it look like in this log data when something like Mimikatz opens the lsass process to extract password data?
Thanks
John

Miscellaneous Utilities : Sysmon 5.02 - enable registry logging?

Author: hybrid
Subject: Sysmon 5.02 - enable registry logging?
Posted: 12 January 2017 at 12:46am

Is there any configuration required to enable the registry monitoring?
I don't see any command line switches, but what about if you're using a config file?

I can't find any documentation on it.

I'm testing on a workstation and it doesn't seem to be logging any of the new event IDs.

Disk2vhd : Disk2VHD run by PSExec

Author: Mirac
Subject: Disk2VHD run by PSExec
Posted: 12 January 2017 at 10:07am

Hello. I am faced with the following problem: Disk2VHD running on the remote machine (virtual Hyper-V) using a bat file with the code:
psexec \\192.168.10.88 disk2vhd.exe * \\192.168.10.150\f$\Reserv_Vhd\Vps-blessed.vhd
starts the application itself (it can be seen in Task Manager), but the app does nothing; it just hangs there indefinitely.
If I run the piece of code
disk2vhd.exe * \\192.168.10.150\f$\Reserv_Vhd\Vps-blessed.vhd
on the machine itself, everything works fine.
What am I doing wrong?

Miscellaneous Utilities : Sysmon filtering (bug?)

Author: shureek
Subject: Sysmon filtering (bug?)
Posted: 12 January 2017 at 10:14am

Thanks, I didn't see that info about AND behavior on different fields. Now I see that it works as described. But I need to exclude all ImageLoad events with a signature from Microsoft or Windows, and I also want to exclude all ImageLoad events where Image is *postgres.exe.
My new config is:

        <ImageLoad onmatch="exclude">
            <!-- Log all images except if it's Microsoft or Windows signed -->
            <Signature condition="contains">Microsoft</Signature>
            <Signature condition="contains">Windows</Signature>
        </ImageLoad>
        <ImageLoad onmatch="exclude">
            <!-- Don't log postgresql activity (it's too huge) -->
            <Image condition="is">C:\Program Files\PostgreSQL\9.4.2-1.1C\bin\postgres.exe</Image>
        </ImageLoad>

But now I get the error:
RuleEngine Error: Multiple rule filters of the same type
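As an added example (not from the thread and not Sysmon's own code), a small Python model of the filtering semantics quoted in johnmccash's reply, run against the two configs shureek posted: it shows why the first rule only drops events that match both fields, and rejects the split version the way the reported error does. The condition set, the sample events and all function names are my own assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed config: the first attempt in the thread, one exclude rule with two fields.
CONFIG_ONE_RULE = """<Sysmon><EventFiltering>
<ImageLoad onmatch="exclude">
  <Signature condition="contains">Microsoft</Signature>
  <Signature condition="contains">Windows</Signature>
  <Image condition="is">C:\\Program Files\\PostgreSQL\\9.4.2-1.1C\\bin\\postgres.exe</Image>
</ImageLoad></EventFiltering></Sysmon>"""
# Constructed config: the second attempt, the Image filter split into its own exclude rule.
CONFIG_TWO_RULES = CONFIG_ONE_RULE.replace(
    '<Image condition="is">', '</ImageLoad><ImageLoad onmatch="exclude"><Image condition="is">')
# The two Sysmon condition keywords the thread uses, compared case-insensitively.
CONDITIONS = {"is": lambda v, t: v.lower() == t.lower(),
              "contains": lambda v, t: t.lower() in v.lower()}

def load_rules(xml_text, event="ImageLoad"):
    """Collect {onmatch: [(field, condition, value), ...]} for one event type."""
    rules = {}
    for node in ET.fromstring(xml_text).iter(event):
        if node.get("onmatch") in rules:  # modelled on the error shureek reports
            raise ValueError("RuleEngine Error: Multiple rule filters of the same type")
        rules[node.get("onmatch")] = [(c.tag, c.get("condition", "is"), c.text or "") for c in node]
    return rules

def rule_matches(filters, event):
    """Same-field conditions are ORed, different fields are ANDed (the quoted usage text).
    An empty rule matches nothing, which is why an empty exclude rule logs every event."""
    by_field = {}
    for field, cond, value in filters:
        by_field.setdefault(field, []).append((cond, value))
    return bool(by_field) and all(any(CONDITIONS[c](event.get(f, ""), v) for c, v in conds)
                                  for f, conds in by_field.items())

def is_logged(rules, event):
    """Exclude overrides include; with no include rule, every non-excluded event is logged."""
    if rule_matches(rules.get("exclude", []), event):
        return False
    return "include" not in rules or rule_matches(rules["include"], event)

# Constructed ImageLoad events (Image = loading process, Signature = signer of the loaded DLL).
POSTGRES = "C:\\Program Files\\PostgreSQL\\9.4.2-1.1C\\bin\\postgres.exe"
EVENTS = {"ms_dll_in_postgres": {"Image": POSTGRES, "Signature": "Microsoft Windows"},
          "ms_dll_in_other": {"Image": "C:\\Tools\\app.exe", "Signature": "Microsoft Windows"},
          "unsigned_in_postgres": {"Image": POSTGRES, "Signature": ""}}

def evaluate(config):
    """Map each sample event to whether the given config would log it."""
    rules = load_rules(config)
    return {name: is_logged(rules, ev) for name, ev in EVENTS.items()}
```

`evaluate(CONFIG_ONE_RULE)` drops only the Microsoft-signed DLL loaded by postgres and still logs the same DLL loaded by any other process, while `evaluate(CONFIG_TWO_RULES)` raises the duplicate-rule error.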

Utilities Suggestions : How to Convert OST File into PST?

Miscellaneous Utilities : SYSMON Uninstall Issue

Author: ckuderna
Subject: SYSMON Uninstall Issue
Posted: 12 January 2017 at 3:32pm

Hi,

I've been trying to upgrade from Sysmon 3 to the current version. Unfortunately I tried to install sysmon using sysmon -i config.xml before uninstalling the old version. sysmon complains and tells me to uninstall first.
But when I do this, my Windows 10 1607 Enterprise crashes with a BSOD (memory management error in sysmondrv.sys).
So now I can't uninstall and cannot install either :-(

I tried to unregister the service (sc delete sysmon), now sysmon -i says: "the driver sysmondrv is already registered".

How can I get out of this "loop"?


Miscellaneous Utilities : Sysmon 5.02 - enable registry logging?

Author: hybrid
Subject: Sysmon 5.02 - enable registry logging?
Posted: 13 January 2017 at 12:34am

Got it.

<!-- Log Registry Events -->
    <RegistryEvent onmatch="exclude" />

Miscellaneous Utilities : Event Collection - any changes required for 5.02?

Author: hybrid
Subject: Event Collection - any changes required for 5.02?
Posted: 13 January 2017 at 12:37am

I've tested Sysmon 5.02 on a couple of machines, both of which seem to have stopped sending to our WECs.
Is there anything different with the manifest etc that might cause this?

The machines go inactive on the collectors... I'm assuming because they don't send any events.

BgInfo : WinPE 10 64Bit & BGInfo v4.20 Application Error

Author: WindowsStar
Subject: WinPE 10 64Bit & BGInfo v4.20 Application Error
Posted: 13 January 2017 at 4:53am

Please remember that X:\Windows is a protected OS folder. Installing software there is a big no-no. I would change that to follow best practice and what MS would like you to use: X:\Program Files\BGInfo. See if that helps. -WS

Miscellaneous Utilities : Sysmon Feature Requests

Author: johnmccash
Subject: Sysmon Feature Requests
Posted: 13 January 2017 at 3:15pm

Hi Everyone,
I've just recently started looking into deploying sysmon in an enterprise. I'm really impressed with the included capabilities. However, it seems likely to me that issues could arise with version control for the sysmon binary and configuration.

If I may, I'd like to suggest a couple of fairly simple and easy to implement changes that might mitigate these issues:
  • When the sysmon service starts up, it should issue a log entry indicating the version of sysmon that is installed
  • When the sysmon service starts up, it should also issue a log entry with a rule dump or hash of the currently installed configuration

The above two changes will help significantly in large deployments, where updates to either the binary or the configuration might fail in individual cases, as well as highlighting instances where filtering rules may have been changed without authorization.

Another suggestion, somewhat more difficult to implement, would be to provide a method for configuring sysmon via Group Policy. It looks like Carlos Perez (DarkOperator) did some of this for sysmon 1.0 back in 2014, so it's doable (the config is apparently stored in a binary registry value named Rules, under HKLM\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters). I've no idea exactly how much work it would be to update the custom .admx file he created, or exactly how well that worked in that version.


Thoughts?

John

BgInfo : SCCM Deployment - BgInfo

Author: DHeinz
Subject: SCCM Deployment - BgInfo
Posted: 13 January 2017 at 3:19pm

I have successfully deployed BgInfo and its corresponding configuration file as part of our image. All data is displayed with the exception of the custom items that I created using a VBS script. The following files are copied over to the computer as part of the image:
  • BgInfo.exe
  • wstat.bgi
  • OnlyIPV4Address.vbs
  • OSArchitecture.vbs
  • OSInfo.vbs

I have used the following vbs script to install using a command line:

On Error Resume Next

Dim objFSO, objShell, intErrorCode
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
intErrorCode = 0

'CopyFile and RegWrite return nothing, so failures are counted via the Err object instead
Sub CheckErr
    If Err.Number <> 0 Then
        intErrorCode = intErrorCode + 1
        Err.Clear
    End If
End Sub

'Create the c:\IT\BgInfo folder
If Not objFSO.FolderExists("C:\IT\BgInfo") Then
    objFSO.CreateFolder "C:\IT\BgInfo"
End If

'Copy the bginfo files
objFSO.CopyFile objShell.CurrentDirectory & "\Bginfo.exe", "C:\IT\BgInfo\"
CheckErr
objFSO.CopyFile objShell.CurrentDirectory & "\OnlyIPv4Address.vbs", "C:\IT\BgInfo\"
CheckErr
objFSO.CopyFile objShell.CurrentDirectory & "\OSArchitecture.vbs", "C:\IT\BgInfo\"
CheckErr
objFSO.CopyFile objShell.CurrentDirectory & "\OSInfo.vbs", "C:\IT\BgInfo\"
CheckErr
objFSO.CopyFile objShell.CurrentDirectory & "\wstat.bgi", "C:\IT\BgInfo\"
CheckErr

'Add the bginfo shortcut to the run registry key
objShell.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BgInfo", "C:\IT\BgInfo\Bginfo.exe /accepteula /ic:\IT\BgInfo\wstat.bgi /timer:0", "REG_SZ"
CheckErr
objShell.Run "C:\IT\BgInfo\Bginfo.exe /accepteula /ic:\IT\BgInfo\wstat.bgi /timer:0"

'Cleanup
Set objShell = Nothing
Set objFSO = Nothing
'return errorcode for install to SCCM
WScript.Quit(intErrorCode)
 
 
What am I missing?


Edited by DHeinz - 9 minutes ago at 3:23pm