Channel: Sysinternals Forums

Process Monitor : Looong shutdown

Author: ams
Subject: Looong shutdown
Posted: 26 January 2017 at 8:52pm

Hi:
New to sysinternals so sorry if this has been discussed, though I did search. I have a recently upgraded (from Win7) Lenovo M91 now running Win10 Pro 64. On shutdown the screen goes dark quickly but the power and HDD lights stay on for more than 4 minutes. Used procmon and filtered for events longer than 1 second and found a bunch, including 4 of about 60 second each, all involving Norton Antivirus, plus others of about 10 seconds involving explorer. Here are the Norton ones:

4:22:39.7298471 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_22.8.1.14\NCO    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_LAST_WRITE    60.3120569
4:22:39.9059944 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yvs88d8q.default    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_LAST_WRITE    60.0264777
4:22:39.9337334 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_LAST_WRITE    59.9986876
4:22:39.9844722 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\ProgramData\Norton\{B7B64E4E-97E8-48AA-AF62-F11B5FF9819D}\E24186529D446B3D4190430EFEE81A2A    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_LAST_WRITE    60.0731771

The logfile has been uploaded, but just in case here are some of the explorer ones.

4:22:49.4859863 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\temp\sysinternals    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    11.5930047
4:22:49.4864661 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\temp\sysinternals    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_ATTRIBUTES, FILE_NOTIFY_CHANGE_LAST_WRITE    11.5926372
4:22:49.7276168 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\temp    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    11.3378949
4:22:49.7284070 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\temp    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_ATTRIBUTES, FILE_NOTIFY_CHANGE_LAST_WRITE    11.3372209
4:22:50.2151931 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\Videos    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    10.8599104
4:22:50.2162217 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\Videos    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_ATTRIBUTES, FILE_NOTIFY_CHANGE_LAST_WRITE    10.8589697
4:22:50.2171740 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\Music    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    10.8554780
4:22:50.2180986 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\Music    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_ATTRIBUTES, FILE_NOTIFY_CHANGE_LAST_WRITE    10.8547141
4:22:50.2191023 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\Pictures    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    10.8548467
4:22:50.2201504 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\Pictures    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_ATTRIBUTES, FILE_NOTIFY_CHANGE_LAST_WRITE    10.8540138
4:22:50.2210316 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\Documents    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    10.8493918

Not sure what to do next, so any suggestions are welcome.
Thanks 
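The rows pasted above are the kind of thing a "Duration > 1 s" filter in Process Monitor turns up at shutdown. The following Python is an added example, not part of the post or of Process Monitor: it parses rows in the layout pasted above (Time, Process, PID, Operation, Path, Result, Detail, Duration separated by runs of spaces or tabs; Process Monitor's own CSV export would need a csv reader instead), totals the long events per process, and separately counts cancelled NotifyChangeDirectory requests. Those are directory-change watches that sit pending until a change arrives or the handle is closed, so their Duration is time spent waiting, not time spent doing work, which is the caveat to keep in mind before blaming the process that issued them. The sample rows are copied from the post, not a full trace.

```python
"""Summarise long-running Process Monitor events by process.

Added example, not code from the forum post or from Process Monitor.
Assumes the pasted column layout (fields separated by tabs or runs of
two or more spaces); a real Process Monitor CSV export would be read
with the csv module instead.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Sample rows copied from the post above (constructed subset, not a full trace).
SAMPLE_ROWS = r"""
4:22:39.7298471 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_22.8.1.14\NCO    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_LAST_WRITE    60.3120569
4:22:39.9059944 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\yvs88d8q.default    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_LAST_WRITE    60.0264777
4:22:39.9337334 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_LAST_WRITE    59.9986876
4:22:39.9844722 PM    NAV.exe    6772    IRP_MJ_DIRECTORY_CONTROL    C:\ProgramData\Norton\{B7B64E4E-97E8-48AA-AF62-F11B5FF9819D}\E24186529D446B3D4190430EFEE81A2A    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_LAST_WRITE    60.0731771
4:22:49.4859863 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\temp\sysinternals    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    11.5930047
4:22:49.4864661 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\temp\sysinternals    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_FILE_NAME, FILE_NOTIFY_CHANGE_ATTRIBUTES, FILE_NOTIFY_CHANGE_LAST_WRITE    11.5926372
4:22:49.7276168 PM    Explorer.EXE    9696    IRP_MJ_DIRECTORY_CONTROL    C:\temp    CANCELLED    Type: NotifyChangeDirectory, Filter: FILE_NOTIFY_CHANGE_DIR_NAME    11.3378949
""".strip().splitlines()

FIELDS = ("time", "process", "pid", "operation", "path", "result", "detail", "duration")
SPLIT = re.compile(r"\t|\s{2,}")   # the detail field has single spaces inside it


def parse_row(line: str) -> Optional[Dict[str, object]]:
    """Return one event as a dict, or None if the line is not in the expected layout."""
    parts = SPLIT.split(line.strip())
    if len(parts) != len(FIELDS):
        return None
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    try:
        rec["duration"] = float(parts[-1])
    except ValueError:
        return None
    return rec


def is_pending_watch(rec: Dict[str, object]) -> bool:
    """A NotifyChangeDirectory IRP pends until a change happens or the handle
    is closed, so a CANCELLED one measures waiting time, not work."""
    return (rec["operation"] == "IRP_MJ_DIRECTORY_CONTROL"
            and str(rec["detail"]).startswith("Type: NotifyChangeDirectory")
            and rec["result"] == "CANCELLED")


def summarize(lines: List[str], min_duration_s: float = 1.0) -> Dict[str, Dict[str, float]]:
    """Per-process count, total and maximum duration of events >= min_duration_s,
    plus how many of them were pending directory watches."""
    out = defaultdict(lambda: {"events": 0, "total_s": 0.0, "max_s": 0.0, "pending_watches": 0})
    for line in lines:
        rec = parse_row(line)
        if rec is None or rec["duration"] < min_duration_s:
            continue
        s = out[str(rec["process"])]
        s["events"] += 1
        s["total_s"] += rec["duration"]
        s["max_s"] = max(s["max_s"], rec["duration"])
        if is_pending_watch(rec):
            s["pending_watches"] += 1
    return dict(out)


def rank_by_total(summary: Dict[str, Dict[str, float]]) -> List[str]:
    """Process names ordered by total long-event time, largest first."""
    return sorted(summary, key=lambda p: summary[p]["total_s"], reverse=True)


if __name__ == "__main__":
    report = summarize(SAMPLE_ROWS)
    for proc in rank_by_total(report):
        s = report[proc]
        print(f"{proc:14s} events={s['events']:3d} total={s['total_s']:8.2f}s "
              f"max={s['max_s']:6.2f}s pending_watches={s['pending_watches']}")
```

Every long event in the pasted rows is a cancelled directory watch, so the per-process totals here say which processes still had watches open when they were torn down, not which process was busy.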

Miscellaneous Utilities : AccessChk

Author: dadeniji
Subject: AccessChk
Posted: 26 January 2017 at 9:01pm

Can I get a bit of help on how to use AccessChk against virtual accounts such as "NT Service\MSSQLSERVER"?

I tried
set _user=NT Service\MSSQLSERVER
rem set _user=NT Service
rem set _user=MSSQLSERVER
rem set _user=SERVICE\MSSQLSERVER-S-1-5-5-0-100511
 
AccessChk -a "%_user%"

But, getting back

Error enumerating account rights for NT Service\MSSQLSERVER:
A specified privilege does not exist.
No matching objects found.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: DDR
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 26 January 2017 at 9:02pm

Hello, perhaps you can help me. I tried to figure it out by myself using this method: http://www.msfn.org/board/topic/140263-how-to-get-the-cause-of-high-cpu-usage-by-dpc-interrupt/

But frankly I cannot understand what causes the issue. My CPU use rises up to 99%. It's very complicated for me to start the process to get the ETL file; I had to write a script which starts the following commands when CPU reaches 70%:
1. xperf -on latency -stackwalk profile
2. xperf -d DPC_Interrupt.etl
The second command never had a chance to start; my computer froze. I had to power it down after 30 minutes. kernel.etl was created and that's what I'm sending you. It's right here (Dropbox):
http://bit.ly/2jtyAkD
Please take a look and PM me if you can help.
Thank you very much!!! I appreciate your time!

Miscellaneous Utilities : accesschk help

Author: dadeniji
Subject: accesschk help
Posted: 26 January 2017 at 9:30pm

Desmando:

A couple of suggestions:

1) Can you try an actual folder and not something on your desktop?

2) Creating a folder such as c:\book will suffice


Sample posted below:

set _folder=E:\BAK

set _principalSelf=%USERDOMAIN%\%USERNAME%

rem List all permissions on this folder
AccessChk -nobanner -d "%_folder%"

rem Does the current user have access?
AccessChk -nobanner "%_principalSelf%" "%_folder%"

rem Show only objects the current user has no access to ( -n )
AccessChk -nobanner -n "%_principalSelf%" "%_folder%"

Miscellaneous Utilities : accesschk help

Author: desmando
Subject: accesschk help
Posted: 26 January 2017 at 9:53pm

No change. accesschk still shows me as having RW access to the files. The effective access tab in the security settings correctly shows I don't have access.

The one thing is that I am the owner of the file so I can take ownership. Is that enough to confuse accesschk?

Miscellaneous Utilities : accesschk help

Author: dadeniji
Subject: accesschk help
Posted: 26 January 2017 at 10:00pm

Yes, please change ownership to someone else.

Autoruns : Search Online not work when MSEdge default

Author: kyamauchi
Subject: Search Online not work when MSEdge default
Posted: 27 January 2017 at 9:44am

On Windows 10 with Microsoft Edge as the default browser, the Search Online feature of Autoruns (and also of Procmon and Procexp) does not work. LaunchWinApp.exe shows a dialog box:

--------------------------------------------------------------------------------------------------------------
(X) ? <search text>
--------------------------------------------------------------------------------------------------------------
(X) Windows cannot find '? <search text>'. Make sure you typed the name correctly, and then try again.
--------------------------------------------------------------------------------------------------------------

If I change my default browser to Internet Explorer, Search Online works.

BgInfo : SCCM Deployment - BgInfo

Author: CMTR
Subject: SCCM Deployment - BgInfo
Posted: 27 January 2017 at 10:05am

Hi David,

I can't answer your actual question, but might be able to help by suggesting to use a WMI Query instead of a custom VBS script. It would be worth exploring the following WMI Browse options:
SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
SELECT AddressWidth FROM Win32_Processor
SELECT Version FROM Win32_OperatingSystem

etc

Cheers,
Clive

Troubleshooting : SQL database in status SUSPECT

Author: crickwilli
Subject: SQL database in status SUSPECT
Posted: 27 January 2017 at 10:20am

There are many reasons for a corrupt or damaged SQL database, like hardware problems, file system errors, virus attacks, accidental system shutdown and human errors. I suggest an effective professional tool, SQL Repair. With the help of this tool you can quickly recover all tables, stored procedures, functions, views, rules, triggers and associated primary keys, unique keys, data types and all other components. It supports all versions of MS SQL Server and all Windows OS versions. Visit here - http://www.sql.mdfrepair.net
Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: hlmtre
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 27 January 2017 at 5:11pm

MagicAndre1981, can I PM you or otherwise provide a link for an ETL trace? I'm having a similar issue with (probably) a driver interrupting the CPU and I couldn't identify a driver from the WPA logs.

Disk2vhd : Program fails

Author: Partsguy
Subject: Program fails
Posted: 27 January 2017 at 9:12pm

After using Disk2vhd I am able to boot the 32-bit XP VHD using VirtualBox, but the program that I want to use will not start. It works on the old XP laptop. The software is Cat SIS 2006. What could the issue be?

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: popman
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 27 January 2017 at 11:07pm

Hi MagicAndré,

I have been digging for days and weeks into my audio glitch problem and it is driving me nuts.
I finally got WPR and WPA installed and it seems to be NTOSKrnl.sys that causes the glitches. This is also what LatencyMon tells me.
But this is also where I get lost. I tried to analyze by your explanation two posts earlier, but failed.
Maybe you could check out the ETL file? http://bit.ly/2jymNnO
Many thanks!

Edited by popman - 2 hours 30 minutes ago at 11:32pm

Miscellaneous Utilities : AccessChk

Author: dadeniji
Subject: AccessChk
Posted: 28 January 2017 at 6:04pm

My original query was

set _user=NT Service\MSSQLSERVER
AccessChk -nobanner -a "%_user%"

But it should have been

set _user=NT Service\MSSQLSERVER
AccessChk -nobanner -a "%_user%" *

The difference being that the privilege being queried is needed.

We are using * as a placeholder for all

Crediting Aaron Margosis.
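The two AccessChk posts above (the failed query and the corrected one with `*`) are about a virtual service account. The Python below is an added example, not code from the thread or from Sysinternals: it derives the SID of an "NT Service\<name>" account from the service name and assembles the corrected AccessChk command line. It assumes the documented per-service SID scheme (S-1-5-80 followed by the SHA-1 of the upper-cased, UTF-16LE-encoded service name, read as five little-endian 32-bit sub-authorities) and that accesschk.exe is on the PATH. On a Windows host, `sc showsid <service>` prints the same SID for comparison.

```python
"""Virtual service account SID derivation and AccessChk -a command builder.

Added example, not code from the forum thread or from Sysinternals.
Assumption: per-service SIDs are S-1-5-80-<SHA-1 of UPPERCASE(service
name) in UTF-16LE, split into five little-endian uint32 sub-authorities>.
Assumption: accesschk.exe is on the PATH.
"""
import hashlib
import struct
from typing import List


def service_account_sid(service_name: str) -> str:
    """SID of NT Service\\<service_name>; case of the name does not matter."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()  # 20 bytes
    subauths = struct.unpack("<5I", digest)                                    # 5 x uint32, LE
    return "S-1-5-80-" + "-".join(str(x) for x in subauths)


def normalize_virtual_account(account: str) -> str:
    """Accept 'MSSQLSERVER', 'NT Service\\MSSQLSERVER' or 'NT SERVICE\\MSSQLSERVER'
    and return the bare service name. Anything else (for example the
    'SERVICE\\...' forms tried in the first post) is rejected."""
    domain, sep, name = account.rpartition("\\")
    if sep and domain.upper() != "NT SERVICE":
        raise ValueError(f"not a virtual service account: {account!r}")
    if not name:
        raise ValueError("empty service name")
    return name


def accesschk_rights_cmd(account: str, privilege: str = "*") -> List[str]:
    """Argument vector for AccessChk -a. The -a switch needs a privilege
    name; '*' means every account right and privilege, which is the
    argument the first post was missing."""
    svc = normalize_virtual_account(account)
    return ["accesschk.exe", "-nobanner", "-a", f"NT Service\\{svc}", privilege]


if __name__ == "__main__":
    import sys
    acct = sys.argv[1] if len(sys.argv) > 1 else "NT Service\\MSSQLSERVER"
    print(service_account_sid(normalize_virtual_account(acct)))
    print(" ".join(accesschk_rights_cmd(acct)))
```

Run it with the account name as the only argument; pass the printed command line to cmd.exe (or feed the list to subprocess.run) on the host where the service is installed.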

Process Monitor : Looong shutdown

Author: MagicAndre1981
Subject: Looong shutdown
Posted: 28 January 2017 at 7:51pm

You use the wrong tool. Use WPRUI, select 1st level, CPU, disk, file, network and the scenario "shutdown", and set runs to 1. Click on start; this captures a shutdown trace. Zip the ETL and share it here (OneDrive share link).

Disk2vhd : Program fails

Author: MagicAndre1981
Subject: Program fails
Posted: 28 January 2017 at 7:52pm

and? What fails? Which error message do you get?

Miscellaneous Utilities : Need to monitor overall disk activity

Author: MagicAndre1981
Subject: Need to monitor overall disk activity
Posted: 28 January 2017 at 7:54pm

do what I tell you and use WPRUI/WPA.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 28 January 2017 at 7:55pm

Originally posted by DDR:

Please take a look and PM me if you can help.
Thank you very much!!! I appreciate your time!


the kernel.etl is useless, this is a temporary file. I need the other generated file.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 28 January 2017 at 8:10pm

@hlmtre yes, send the link or post the link here.

@popman

you get DPC issues because of kernel calls:

Total = 3258 for module ntoskrnl.exe
Elapsed Time, >      512 usecs AND <=     1024 usecs,     36, or   1.10%
Elapsed Time, >     1024 usecs AND <=     2048 usecs,     45, or   1.38%
Elapsed Time, >     2048 usecs AND <=     4096 usecs,    155, or   4.76%
Elapsed Time, >     4096 usecs AND <=     8192 usecs,     86, or   2.64%
Total,                                                  3258

I see power management calls (ntoskrnl.exe!PpmPerfAction, ntoskrnl.exe!PpmPerfApplyProcessorState). Your Intel Core 2 Quad CPU and the BIOS are very old, so this old HW is not Win10 compatible.
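The xperf summary pasted above bins each DPC by elapsed time into power-of-two buckets and reports the share of the module's total. The Python below is an added example, not code from the thread or from the Windows Performance Toolkit: it rebuilds that table from a constructed list of durations (not a real trace) and reports the fraction of DPCs above a limit. The 1 ms default limit is an assumption, a common rule of thumb for audio dropouts, not a figure from the post.

```python
"""Rebuild the xperf-style DPC elapsed-time histogram from raw durations.

Added example, not code from the forum thread or from xperf/WPA.
SAMPLE_DPC_US is constructed data in microseconds, not a real trace.
"""
from typing import List, Tuple

# Constructed sample: ten DPC durations in microseconds.
SAMPLE_DPC_US = [100, 300, 600, 900, 1500, 2000, 3000, 3500, 5000, 7000]

# Assumption: DPCs longer than about 1 ms are the usual audio-dropout suspects.
GLITCH_LIMIT_US = 1000.0


def dpc_histogram(durations_us: List[float]) -> List[Tuple[int, int, int, float]]:
    """Rows of (lo, hi, count, percent) for buckets lo < d <= hi with
    hi = 1, 2, 4, 8, ... usecs, as in the xperf summary; empty buckets
    are omitted, which is why the pasted table has gaps."""
    total = len(durations_us)
    if total == 0:
        return []
    top = max(durations_us)
    rows = []
    lo, hi = 0, 1
    while lo < top:
        n = sum(1 for d in durations_us if lo < d <= hi)
        if n:
            rows.append((lo, hi, n, round(100.0 * n / total, 2)))
        lo, hi = hi, hi * 2
    return rows


def fraction_over(durations_us: List[float], limit_us: float = GLITCH_LIMIT_US) -> float:
    """Share of DPCs longer than limit_us (0.0 when there are none)."""
    if not durations_us:
        return 0.0
    return sum(1 for d in durations_us if d > limit_us) / len(durations_us)


def format_table(module: str, durations_us: List[float]) -> str:
    """Render the histogram in the layout of the xperf output above."""
    lines = [f"Total = {len(durations_us)} for module {module}"]
    for lo, hi, n, pct in dpc_histogram(durations_us):
        lines.append(f"Elapsed Time, > {lo:8d} usecs AND <= {hi:8d} usecs, {n:6d}, or {pct:6.2f}%")
    lines.append(f"Total, {len(durations_us):>50d}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table("ntoskrnl.exe", SAMPLE_DPC_US))
    print(f"over {GLITCH_LIMIT_US:.0f} us: {fraction_over(SAMPLE_DPC_US):.0%}")
```

Reading the pasted table the same way: of 3258 ntoskrnl.exe DPCs, the rows above 1024 usecs add up to 286, so roughly 9% exceeded 1 ms, which is consistent with the audio glitches reported.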

Internals : Weird memory usage

Author: martix
Subject: Weird memory usage
Posted: 29 January 2017 at 3:54am

I have the following 2 regularly observed phenomena I'd like to find an explanation for:
1. Current commit is regularly higher than Physical usage + Pagefile size. What's up with that? Shouldn't that be impossible?
2. Sometimes this reaches extreme levels where Current commit is more than double physical memory usage! What could that mean?

This is on windows 10, as reported by Process Explorer.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: popman
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 29 January 2017 at 9:16am

Thanks, MagicAndré.

That is probably why I could not isolate a single cause for the glitches...

The glitches came with the Anniversary Update, I think.

Except for new HW there is nothing I can do, I guess (overclocking, maybe?).

Edited by popman - 1 hour 11 minutes ago at 9:23am