Channel: Sysinternals Forums

BgInfo : Help for BGINFO MSXML3 issue

Author: super5200
Subject: Help for BGINFO MSXML3 issue
Posted: 29 January 2017 at 7:13pm

Can someone help me figure out what is going on with this. I am trying to run the following BGINFO with a VBSCRIPT for PUBLICIP and I get an error. Here is what info I can supply.
 
1. Running WIN 10
 
2. Run the BGINFO as administrator
 
3. Here is the BGINFO window trying to run.
 

Boot Time:      <BootTime>
Host Name:      <HostName>
IE Version:     <IEVersion>
IP Address:     <IPAddress>
publicip:       <publicip>
Logon Domain:   <LogonDomain>
Logon Server:   <LogonServer>
MAC Address:    <MACAddress>
Memory:         <Memory>
OS Version:     <OSVersion>
Processors:     <Processors>
Service Pack:   <ServicePack>
 
4. Here is the publicip Script:
 
' BGInfo custom VBScript field: fetch the public IP over HTTP and print it with Echo
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")          ' MSXML HTTP request object
o.open "GET", "http://ifconfig.me/ip", False    ' synchronous GET (False = not async)
o.send
Echo o.responseText                              ' BGInfo displays whatever the script echoes
(Interestingly, the script shows MSXML2, not the 3 that the error shows, and if I change it to 3 that also does not work.)
 

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 29 January 2017 at 8:48pm

Originally posted by hlmtre:

I'm having a similar issue with (probably) a driver interrupting the CPU and I couldn't identify a driver from the WPA logs.


You also have the ACPI.sys issue. Search this topic for solutions (re-flash BIOS, clean CPU cooler fans).

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 29 January 2017 at 8:50pm

Originally posted by popman:

Except for a new HW there is nothing I can do I guess (overclocking, maybe?)


Set the power plan in Windows to High Performance (disables all power saving features) and look what happens.

Internals : Weird memory usage

Author: MagicAndre1981
Subject: Weird memory usage
Posted: 29 January 2017 at 8:52pm

Windows 10 uses memory compression (instead of paging memory out) so it can keep more data in RAM.


Autoruns : Which Background Processes Can Be Disabled Safely?

Author: koolx
Subject: Which Background Processes Can Be Disabled Safely?
Posted: 29 January 2017 at 9:36pm

Originally posted by KungFu:

Hello Koolx,

This is a forum in which members try to help each other. If the answer is not what you want or expect, or if you don't read the answers well, then it's not very nice to react like this.


The answer did not answer my question specifically, since it was apples and oranges. If you can't understand this then you shouldn't comment on this forum.

Internals : Weird memory usage

Author: LMiller7
Subject: Weird memory usage
Posted: 30 January 2017 at 5:12am

Commit charge and RAM usage are totally different things. They are not related. Commit charge is not RAM usage, pagefile usage, or any combination of the two. The commit charge is difficult to explain and I don't have time right now.

Without memory compression the commit limit is RAM size + pagefile size - a small overhead.

Miscellaneous Utilities : Sysmon 5.02 certificate expired !!

Author: prm
Subject: Sysmon 5.02 certificate expired !!
Posted: 30 January 2017 at 2:12pm

Sysmon 5.02 certificate expired !!

Miscellaneous Utilities : Sysmon 5.02 certificate expired !!

Author: prm
Subject: Sysmon 5.02 certificate expired !!
Posted: 30 January 2017 at 2:33pm

Does anyone from Microsoft read posts on this forum ?

Internals : Scan non domain joined machines with sysinternals

Author: cheerspal
Subject: Scan non domain joined machines with sysinternals
Posted: 30 January 2017 at 4:13pm

Hi,

I have tried running msinfo on remote machines and also Windows Sysinternals tools, but they bring back the same info as Lansweeper: generic info that's taken from the Citrix VDI session and not the actual physical machine.

I am running the commands from PS but all I can get back is the virtual session information. I need to be able to get to the machines that are running these VDI sessions and acquire the specs and OS versions from them.

Has anyone done this previously or could they point me in the right direction?

Thanks,


Disk2vhd : Program fails

Author: Partsguy
Subject: Program fails
Posted: 30 January 2017 at 5:21pm

It hangs for 20+ mins then says "An error occurred starting the webserver. The application should be restarted." Could it be tied to the mac of the laptop it came from?

Utilities Suggestions : OST to PST Converter for Recovering Lost Emails

Author: olafburch
Subject: OST to PST Converter for Recovering Lost Emails
Posted: 30 January 2017 at 5:53pm

To migrate an inaccessible OST file to PST format, users are recommended to use a reliable and effective third-party OST to PST Converter tool. Users can use the trial version of the OST to PST tool, which can be downloaded from this website https://www.datarepairtools.com/ost-to-pst-converter.html, and evaluate its performance and exclusive features. In addition, the software provides remarkable support for all MS Outlook 2016, 2013 (both 32-bit and 64-bit), 2010, 2007, 2003, 2002 and 2000 versions and is compatible with all Windows operating systems like Windows 10, 8.1, 8, 7, Vista, XP, 2000 and 98.

Process Monitor : Use ProcMon for random reboots

Author: ghwalk
Subject: Use ProcMon for random reboots
Posted: 30 January 2017 at 6:31pm

Don't know where else to turn so I'll ask here.

I have a random reboot problem on a Win10/64 ASUS Hero Viii / Intel i7/6700K machine, SSD drives, Seasonic Platinum 660, all stock, no overclock. All updates, drivers, malware clean etc.

Here's the thing: no matter what I do I cannot get a BSOD, a dump file, an error number, nothing. I've told Windows not to reboot and to give me a dump file, but nothing.
After the random reboot the only item in the Event Viewer is Critical #41 - A reboot just occurred. Thanks, knew that.

Picture this - you're sitting in front of your monitor reading something and someone else hits the reset button on your computer case.

That's exactly how it is, you just reboot back to the desktop - no warnings, no error messages or numbers.

And random meaning it's sometimes a week between reboots and other times 3 or 4 hours.

I needed to see all events in the last few seconds before a reboot so I thought ProcMonitor would be just the thing.
Problem is I found out that the saved files are corrupt unless ProcMon closes properly which of course does not happen.

Since it happens even at a clean desktop with no activity I'm leaning toward a hardware problem so I have HWMonitor running and could theoretically write voltages and such out to a file every second, flush the write buffers, etc, but not sure if that is too practical.

Any ideas would be helpful.


Thanks


John

Process Explorer : Native Images

Author: camerost
Subject: Native Images
Posted: 30 January 2017 at 8:40pm

I have built some native binaries that are registered in the windows assembly cache in order to avoid the JIT latency. When I run process explorer, I see the original (non-native) filename in the process tree, which makes me think that for some reason the native image is not being executed.

However, when I select the executable and turn on the lower pane with DLL info, it lists both binaries, the native (.ni.exe) and the original (.exe), as dependent binaries. This makes me think that maybe it is running the native image. But if so, why do I see the managed executable? If Windows were definitively running the native image, I suppose I would expect the managed .exe name to be replaced by that one.

Has anyone else encountered this issue?

I am doing some important performance work, and I need to be sure which binary is running.

Thanks,
-Cameron

Miscellaneous Utilities : Sysmon 5.02 certificate expired !!

Author: MSFT_markc
Subject: Sysmon 5.02 certificate expired !!
Posted: 31 January 2017 at 8:54am

Hi Prm
Thank you for bringing this to our attention. I spoke with our build engineer who confirmed that internal builds already contain the new certificate which will be included with the forthcoming Sysmon update. In the meantime the existing certificate should be good because the binaries are timestamped and the timestamp is within the valid certificate range.
 
Regards
 
Mark

Process Monitor : Use ProcMon for random reboots

Author: Dax1792
Subject: Use ProcMon for random reboots
Posted: 31 January 2017 at 11:38am

You have to enable the Boot Logging option. Procmon will start logging at the next start-up and will continue until shutdown/crash or until Procmon is run again. The log file created in this mode will survive a crash. The next run of Procmon allows you to convert the logfile to a pml file.
Note that enabling Boot Logging only applies to the next boot.

Process Explorer : Native Images

Author: camerost
Subject: Native Images
Posted: 31 January 2017 at 4:32pm

I seem to have answered my own question. If you see the .ni.exe executable in the 'dll' lower tab section - it means that the native image IS the one running. Ignore the filename in the tree on top and also the non-native filename listed in the lower tab.

Perhaps it would be easier to see what's happening if the UI reflected this in a more obvious way, but I see that this may be an edge case as user scenarios go...

-Cam

Miscellaneous Utilities : Sysmon ProcessAccess Filtering

Author: johnmccash
Subject: Sysmon ProcessAccess Filtering
Posted: 31 January 2017 at 4:40pm

For the record, I found documentation that appears to describe this structure on page 50 of http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-DTYP].pdf

In testing, it appears that Sysmon gives a GrantedAccess value of 0x143a when you call Invoke-Mimikatz. From the above linked doc, I'm interpreting this as:

Generic Execute

Generic All

Reserved (This one seems odd - It's #4 in the least significant byte)

MaxAccess (which should only be set on the request, but I'm assuming comes back in the response because it was set there)

Synchronize

Write DACL


That 'Max Access' bit (#6 in the least significant byte) seems likely to be a reliable signature for Mimikatz activity.


Thoughts?
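The GrantedAccess value discussed above, decoded bit by bit, as an added example that is not part of the thread: the low 16 bits of a process handle's ACCESS_MASK are the object-specific PROCESS_* rights from winnt.h, and the upper bits are the standard and generic rights from [MS-DTYP]. The Sysmon Event ID 10 sample records and the lsass.exe rule are constructed for illustration.

```python
# Added example: decode Sysmon Event ID 10 GrantedAccess (bit names from winnt.h / MS-DTYP)
PROCESS_RIGHTS = {          # object-specific rights, low 16 bits of the mask
    0x0001: "PROCESS_TERMINATE",         0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",     0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",           0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",        0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",         0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
STANDARD_RIGHTS = {         # standard (bits 16-20) and generic/special (bits 24-31)
    0x00010000: "DELETE",           0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",        0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",      0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",  0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",  0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
KNOWN_BITS = sum(PROCESS_RIGHTS) | sum(STANDARD_RIGHTS)   # keys are distinct single bits

def decode_access_mask(mask: int) -> list[str]:
    """Name every right set in a 32-bit process ACCESS_MASK; bits outside the
    two tables are reported as one UNKNOWN_0x... entry rather than dropped."""
    names = [name for table in (PROCESS_RIGHTS, STANDARD_RIGHTS)
             for bit, name in sorted(table.items()) if mask & bit]
    unknown = mask & ~KNOWN_BITS & 0xFFFFFFFF
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names

def suspicious_lsass_access(event: dict) -> bool:
    """Detection rule: target is lsass.exe and the handle carries PROCESS_VM_READ,
    the right a process needs to read another process's memory."""
    mask = int(event["GrantedAccess"], 16)        # Sysmon logs the mask as "0x143a"
    return (event["TargetImage"].lower().endswith("\\lsass.exe")
            and bool(mask & 0x0010))

# Constructed sample events using Sysmon Event ID 10 field names (not real logs).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x143a"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1fffff"},
]

def flagged_sources(events=SAMPLE_EVENTS) -> list[str]:
    return [e["SourceImage"] for e in events if suspicious_lsass_access(e)]
```

Running decode_access_mask(0x143a) names the six process-specific rights present and no standard or generic bits; the rule fires only on the second sample record.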

Process Monitor : Use ProcMon for random reboots

Author: ghwalk
Subject: Use ProcMon for random reboots
Posted: 31 January 2017 at 6:01pm

I see. I will try this.

However, since there could be days between reboots I wrote an app that starts ProcMon, lets it run for 60 minutes, stops ProcMon, deletes all the pml files, restarts procmon. This was my attempt to limit the file usage.
Since I don't know exactly what I'm looking for I have no filters in place, so there are sometimes 70-80 300 MB files.

If I use this method can I restart ProcMon every time with the Boot Logging option on and this will preserve the log file? I'll give it a try anyway.

Thanks

John

Troubleshooting : MS Remote Assistance DCE/RPC Troubleshooting

Author: jparrish
Subject: MS Remote Assistance DCE/RPC Troubleshooting
Posted: 31 January 2017 at 8:15pm

We have been using MSRA in order to remotely view a user's screen for troubleshooting in our organization. It has been exactly the tool we need to see exactly what it is they are seeing. But for some reason it has broken down for particular Admin accounts.

We have a Domain Admin account that used to be shared between all IT staff but have since made individual Domain Admin accounts. Only the old Domain Admin account is able to use MSRA. All other Domain Admins AND our Enterprise Admin account result in an error. All Domain Admins are able to conduct PowerShell remoting, use RDS on workstations and servers in our domain, and use RSAT Tools without any error. I've checked our GPOs, Firewall settings, security settings, etc. Everything looks correct.

On running a packet capture, the process seems different when it comes to DCE/RPC: it looks like different interfaces are being used between the old DA account (DA Old) and all other DA accounts (DA Other). Here are some key differences in the DCERPC traffic:

  • DA Old attempt receives an initial RemoteGetClassObject response of 962 bytes while DA Other attempt has the same response at only 178 bytes. (data inside is encrypted)
  • DA Old sends multiple Alter_context request and response packets between the machines. DA Other, after receiving the RemoteGetClassObject response sees only a few Alter_context request and response packets.
  • DA Other results in ISystemActivator interface RemoteCreateInstance request which receives back a RemoteCreateInstance response containing [Hresult: REGDB_E_CLASSNOTREG] and terminates DCOM communication.
  • DA Old results in IRemUnknown2 interface RemRelease request and response packets and then a continuous TCP stream as the client waits for the user response from the host.

I do not know much of anything about Distributed COM or RPC and all the interfaces and operations behind it, but I just do not understand why two accounts in the exact same security groups would lead to two different processes like this. Any insight on this? If you would like to know specific packet info regarding RPC interfaces and objects, let me know.

Process Explorer : Native Images

Author: MagicAndre1981
Subject: Native Images
Posted: 31 January 2017 at 8:23pm

Use WPR/WPA/PerfView/xperf to see image load and .NET binding/load/fusion events:

Here you can see that mstest.exe loads the NI DLL of mscorlib.dll.