Channel: Sysinternals Forums

PsTools : psloglist shows wrong event message

Author: kyamauchi
Subject: psloglist shows wrong event message
Posted: 10 February 2017 at 4:50am

On Windows 10 version 1607 and Windows Server 2016, psloglist shows the wrong event message for the system-time-changed event (Log: System, Event id: 1, Event source: Microsoft-Windows-Kernel-General).
 
On Windows 10 version 1607 and Windows Server 2016:

 C:\> psloglist system -i 1 -o Microsoft-Windows-Kernel-General
System log on \\WIN10US:
[4142] Microsoft-Windows-Kernel-General
   Type:     INFORMATION
   Computer: win10us
   Time:     2/10/2017 1:10:49 PM   ID:       1
   User:     NT AUTHORITY\LOCAL SERVICE
Possible detection of CVE: 2017-02-10T04:10:49.688000000Z

Additional Information: 2017-02-10T04:10:49.305018700Z
This Event is generated when an attempt to exploit a known vulnerability (2017-02-10T04:10:49.688000000Z) is detected.

This Event is raised by a User mode process.

On Windows 8.1 (and also Windows 10 version 1511, 1507):
C:\> psloglist system -i 1 -o Microsoft-Windows-Kernel-General
System log on \\WIN81DEMO:
[9631] Microsoft-Windows-Kernel-General
   Type:     INFORMATION
   Computer: win81demo
   Time:     2/10/2017 1:27:42 PM   ID:       1
   User:     NT AUTHORITY\LOCAL SERVICE
Message text not available.  Insertion strings:
 2017-02-10T04:27:42.563000000Z 2017-02-10T04:27:43.143449900Z 1 
 
Also, Windows' built-in Get-EventLog has the same problem. Get-WinEvent is correct.
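As an added example (not part of the post above, and not Sysinternals code), the following PowerShell reads the same Microsoft-Windows-Kernel-General event ID 1 records with Get-WinEvent, which the post reports as rendering the message correctly, and additionally pulls the insertion strings out of the event XML by their Data names. Reading the named EventData fields directly means a reviewer is not relying on the rendered message text at all, which is the part psloglist and Get-EventLog get wrong here. The function name and the -ComputerName/-MaxEvents parameters are this example's own choices; the actual Data names inside the event are whatever the provider emits and are not assumed.

```powershell
# Added example: read Kernel-General event ID 1 (system time changed) via
# Get-WinEvent and parse the EventData fields from the record XML.
function Get-KernelGeneralTimeChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter names
        [int]$MaxEvents = 20
    )

    # Filter by provider and ID server-side; avoids pulling the whole System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kernel-General'
        Id           = 1
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $xml = [xml]$_.ToXml()

            # Collect each <Data Name="..."> element under <EventData> by name,
            # so the insertion strings are read independently of the message table.
            $data = [ordered]@{}
            foreach ($d in $xml.Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                RecordId    = $_.RecordId
                EventData   = $data
                Message     = $_.Message   # rendered by Get-WinEvent from the provider's message table
            }
        }
}

# Usage: print the most recent records with their named insertion strings.
Get-KernelGeneralTimeChange -MaxEvents 5 | ForEach-Object {
    "{0}  record #{1}" -f $_.TimeCreated, $_.RecordId
    foreach ($kv in $_.EventData.GetEnumerator()) {
        "    {0} = {1}" -f $kv.Key, $kv.Value
    }
    "    " + $_.Message
}
```

Time-change events are worth watching on servers because an unexpected clock jump breaks Kerberos ticket validation and makes log correlation unreliable; comparing the EventData timestamps against the record's own TimeCreated shows how far the clock moved.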

Miscellaneous Utilities : SysMon 5.2 - not installing on 2016+secure boot

Author: thomasbc-dk
Subject: SysMon 5.2 - not installing on 2016+secure boot
Posted: 10 February 2017 at 11:11am

Ran into this very same issue on our Windows 10 clients with the Anniversary Update on. When Secure Boot is disabled, Sysmon installation is possible, but not with Secure Boot on; then it fails with that exact error.
 
Is it the Sysmon installation that needs to be tweaked, or is it Windows?

Troubleshooting : Sysmon v5.02 can not log filecreate and dlls load?

Author: Alexander9899
Subject: Sysmon v5.02 can not log filecreate and dlls load?
Posted: 10 February 2017 at 3:41pm

Hi. Please send a reply. Is there a solution?

Miscellaneous Utilities : Portmon 3.03 trouble

Miscellaneous Utilities : AccessChk Descriptor Flag

Author: TimKehoe
Subject: AccessChk Descriptor Flag
Posted: 10 February 2017 at 4:08pm

I ran AccessChk and AccessChk64 and have a question. I had thought that the descriptor flag SE_DACL_PROTECTED meant that permissions would not be inherited in this flagged folder. But in the folder I see both explicit and inherited permissions (INHERITED_ACE), as shown below. Do I have the meaning of the control switch wrong?
 
Accesschk v6.02 - Reports effective permissions for securable objects
Copyright (C) 2006-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
e:\sysdata\prod\CentralFiles
  DESCRIPTOR FLAGS:
      [SE_DACL_PRESENT]
      [SE_DACL_PROTECTED]
  OWNER: BUILTIN\Administrators
  [0] ACCESS_ALLOWED_ACE_TYPE: US\CentFiles
          [OBJECT_INHERIT_ACE]
          [CONTAINER_INHERIT_ACE]
 FILE_ADD_FILE
 FILE_ADD_SUBDIRECTORY
 FILE_LIST_DIRECTORY
 FILE_READ_ATTRIBUTES
 FILE_READ_EA
 FILE_TRAVERSE
 FILE_WRITE_ATTRIBUTES
 FILE_WRITE_EA
 DELETE
 SYNCHRONIZE
 READ_CONTROL
...
  [4] ACCESS_ALLOWED_ACE_TYPE: US\DataServices
          [OBJECT_INHERIT_ACE]
          [CONTAINER_INHERIT_ACE]
          [INHERITED_ACE]
 FILE_LIST_DIRECTORY
 FILE_READ_ATTRIBUTES
 FILE_READ_EA
 FILE_TRAVERSE
 SYNCHRONIZE
 READ_CONTROL
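As an added example (not from the post above, and not AccessChk's own code), the following PowerShell reads the same information through the managed security API: Get-Acl exposes SE_DACL_PROTECTED as AreAccessRulesProtected and the INHERITED_ACE flag on each entry as IsInherited. Listing the parent's inheritable ACEs next to the child's inherited-flagged ones gives a reviewer a concrete comparison when an ACL looks inconsistent. The path is the one from the post; the function name is this example's own.

```powershell
# Added example: report DACL protection and per-ACE inheritance flags for a folder,
# then list the parent's inheritable entries for comparison.
function Get-DaclInheritanceReport {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical function/parameter

    $acl = Get-Acl -LiteralPath $Path

    [pscustomobject]@{
        Path          = $Path
        Owner         = $acl.Owner
        # Managed view of the SE_DACL_PROTECTED control bit
        DaclProtected = $acl.AreAccessRulesProtected
        Aces          = @($acl.Access | ForEach-Object {
            [pscustomobject]@{
                Identity    = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.FileSystemRights
                IsInherited = $_.IsInherited        # INHERITED_ACE on this entry
                Inheritance = $_.InheritanceFlags   # OBJECT_INHERIT_ACE / CONTAINER_INHERIT_ACE
                Propagation = $_.PropagationFlags
            }
        })
    }
}

$report = Get-DaclInheritanceReport -Path 'e:\sysdata\prod\CentralFiles'

"{0}: owner={1}, DACL protected={2}" -f $report.Path, $report.Owner, $report.DaclProtected
$report.Aces | Format-Table Identity, Type, IsInherited, Inheritance, Rights -AutoSize

# Entries flagged inherited but not matched by an inheritable ACE on the parent
# are the ones to examine more closely.
$parent = Split-Path -Parent $report.Path
"Inheritable ACEs on parent {0}:" -f $parent
(Get-Acl -LiteralPath $parent).Access |
    Where-Object { $_.InheritanceFlags -ne [Security.AccessControl.InheritanceFlags]::None } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags -AutoSize
```

On the managed side, SetAccessRuleProtection($true, $true) is the call that sets the protected bit while keeping the existing inherited entries, and those entries are written back as explicit ones; an ACL where the bit is set yet entries still carry IsInherited is therefore worth checking against the tool or script that last wrote it.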

Miscellaneous Utilities : AccessChk Descriptor Flag

Author: TimKehoe
Subject: AccessChk Descriptor Flag
Posted: 10 February 2017 at 4:24pm

Additional info: this was running on a Windows 2008 R2 Enterprise Server.

BgInfo : Script not working?

Author: CChipman
Subject: Script not working?
Posted: 10 February 2017 at 5:19pm

@echo off
cd\
Call "C:\BGinfo\BGinfo.exe" "C:\BGinfo\Bginfo.bgi" /taskbar /silent
exit
Leaves a cmd on screen. If I do
@echo off
cd\
Start "C:\BGinfo\BGinfo.exe" "C:\BGinfo\Bginfo.bgi" /taskbar /silent
exit
the program just sits on screen with the timer.

BgInfo : Wallpaper Changes - BgInfo Disappears

Author: DHeinz
Subject: Wallpaper Changes - BgInfo Disappears
Posted: 10 February 2017 at 5:45pm

I am deploying BgInfo via SCCM. The image completes and BgInfo is displayed, but as soon as the user changes their desktop wallpaper it vanishes.
 
I have tried adjusting the settings on the Background tab ("Copy user's wallpaper settings"), and I have also tried adjusting the Desktop tab, User Desktop ("Do not alter this wallpaper").
 
In the end, I want the BgInfo to remain on the desktop regardless of the user changing it.

Process Explorer : Process Explorer leaks non-paged pool

Author: amc
Subject: Process Explorer leaks non-paged pool
Posted: 10 February 2017 at 5:57pm

My non-paged pool increases by about 100MB/hour when Process Explorer is running. I've seen this with both v16.20 and v16.12; I don't have any other versions to hand.

I normally run PE elevated. If I run it non-elevated, the leak is significantly slower (perhaps it depends on the number of processes being reported?).

poolmon shows that four tags are leaking: File, FMFc, Io and FOCX.

FltMgr has these filters:
Filter Name                     Num Instances
------------------------------  -------------
wcnfs                                   0
SAVOnAccess                             5
storqosflt                              0
wcifs                                   0
FileCrypt                               0
luafv                                   1
Sophos Endpoint Defense                 3
npsvctrig                               1
FileInfo                                5
Wof                                     3


I've seen this on two different Win10 workstations, both before and after the Anniversary Update.
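As an added example (not part of the post, and not a Sysinternals tool), the following PowerShell quantifies the growth the post describes by sampling the Pool Nonpaged Bytes performance counter over a fixed window and reporting the rate, together with whether a procexp/procexp64 process was running during the window. Running it once with Process Explorer open and once with it closed gives a number to put beside the ~100 MB/hour figure reported above before going to a pool-tag trace. The function name and parameters are this example's own.

```powershell
# Added example: measure non-paged pool growth rate over a sampling window.
function Measure-NonPagedPoolGrowth {
    param(
        [int]$Minutes = 10,          # hypothetical parameters
        [int]$IntervalSeconds = 30
    )

    $count = [math]::Ceiling(($Minutes * 60) / $IntervalSeconds)

    # Each sample set carries a Timestamp and one CounterSample for the counter.
    $sets = Get-Counter -Counter '\Memory\Pool Nonpaged Bytes' `
                        -SampleInterval $IntervalSeconds -MaxSamples $count

    $values = @($sets | ForEach-Object { $_.CounterSamples[0].CookedValue })
    $first  = $values[0]
    $last   = $values[-1]
    $hours  = ($sets[-1].Timestamp - $sets[0].Timestamp).TotalHours

    $rate = if ($hours -gt 0) { ($last - $first) / 1MB / $hours } else { 0 }

    [pscustomobject]@{
        Samples         = $values.Count
        StartMB         = [math]::Round($first / 1MB, 1)
        EndMB           = [math]::Round($last  / 1MB, 1)
        GrowthMBPerHour = [math]::Round($rate, 1)
        # True if Process Explorer (32- or 64-bit image) was running at the end of the window
        ProcExpRunning  = [bool](Get-Process -Name procexp, procexp64 -ErrorAction SilentlyContinue)
    }
}

# Usage: a short window while reproducing, then compare with Process Explorer closed.
Measure-NonPagedPoolGrowth -Minutes 5 -IntervalSeconds 15
```

A steady positive rate that disappears when the suspected process is closed is the usual signal that narrows the search; the poolmon tags listed above (File, FMFc, Io, FOCX) then identify which allocations are being held, and the trace profile posted later in the thread attributes them to a driver or process.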

PsTools : psexec The system cannot find the file specified

Author: stevenba
Subject: psexec The system cannot find the file specified
Posted: 11 February 2017 at 2:44am

Yet another: "The system cannot find the file specified"

psexec64 -d -i  -u xxx -p xxx \\frontdesk2 "\\frontdesk2\c$\windows\system32\notepad.exe    WORKS
psexec64 -d -i  -u xxx -p xxx \\frontdesk2 "\\frontdesk2\c:\windows\system32\notepad.exe    WORKS
psexec64 -d -i  -u xxx -p xxx \\frontdesk2 "\\frontdesk2\c:\windows\system32\regedt32.exe    FAILS

following message for all fails:
The system cannot find the file specified

(new.txt exists and is in the following folders.)
psexec64 -d -i  -u xxx -p xxx \\frontdesk2 "\\frontdesk2\c$\windows\system32\new.txt"    FAILS
psexec64 -d -i  -u xxx -p xxx \\frontdesk2 "\\frontdesk2\c:\windows\system32\new.txt"    FAILS
psexec64 -d -i  -u xxx -p xxx \\frontdesk2 "\\frontdesk2\c$\executes\new.txt"    FAILS
psexec64 -d -i  -u xxx -p xxx \\frontdesk2 "\\frontdesk2\c:\executes\new.txt"    FAILS

Note:
From the same machine attempting psexec64 which fails to start 'new.txt' , a program running a 'Process.start()' from a command button to a file path in a text box with IDENTICAL "\\frontdesk2\c$\executes\new.txt" WORKS

Any and all help appreciated.

(Most current version of psexec64).

Thanks,
Steve

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: ralrra
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 12 February 2017 at 7:58pm

Hello MagicAndre,

I have the same problem as most people here: sometimes (not always) high CPU load caused by "ntoskrnl.exe whea attempt physical page offline".
My system is a Zotac ZBOX nano CI543 with a (for me) unknown chipset and an Intel Core i5-6200U.
Sometimes, without any identifiable reason, I have ntoskrnl.exe at 25% CPU load (which basically means it uses one complete core).

It might be caused by video or audio playback, but sometimes it also occurs when I have only the desktop and no running program.

I will send you the etl file via dropbox link as PM. Hope you can help me!!!
Thanks a lot.
Best regards
Ralrra

Miscellaneous Utilities : Junctions v1.07 ChangeLog?

Author: Melchior
Subject: Junctions v1.07 ChangeLog?
Posted: 12 February 2017 at 8:02pm

I just noticed that last year on "Published: July 4, 2016" that junctions had its first update in years... ^_^ :)
which I am very much happy to see...

Just there was never a change log mentioning what was changed...
So that is my question...

https://technet.microsoft.com/en-us/sysinternals/bb896768.aspx

Miscellaneous Utilities : Junctions v1.07 ChangeLog?

Author: Melchior
Subject: Junctions v1.07 ChangeLog?
Posted: 12 February 2017 at 8:10pm

ok.. having actually opened the junctions.zip archive now.. I just noticed you now have both
32bit and 64bit versions of junctions... was that the only change?

Miscellaneous Utilities : adinsight monitor crash

Author: kyamauchi
Subject: adinsight monitor crash
Posted: 13 February 2017 at 1:16am

On Windows 8.1 ja-jp and Windows 10 ja-jp (sometimes en-us), I run adinsight and capture LDAP events. When I select one event from the event view to show it in the detail view, adinsight crashes with "Active Directory LDAP monitor has stopped working".

Troubleshooting : convert ost to pst outlook

Author: manuelvallsedu
Subject: convert ost to pst outlook
Posted: 13 February 2017 at 3:48pm

Hello,

I was trying to convert an ost file to pst file format, but the .ost file is corrupt and I'm unable to recover the emails with scanexe.

Any ideas - best way to recover my valuable emails to Outlook pst? Would be so appreciated!

Thank you


Miscellaneous Utilities : Use of Junction on folders w/ and w/o backslash

Author: CabbageCat
Subject: Use of Junction on folders w/ and w/o backslash
Posted: 13 February 2017 at 4:04pm

Hello, first off, thanks for the many years of Sysinternals use. This tool helped my IT career and helped me understand Windows & computers in general on a deeper level.

I'm trying to understand why I get different results when I include backslash in the junction command.

The first example includes a trailing backslash (c:\apps\). Example 2 does not have a backslash.

Why am I getting different results?

Example 1:

C:\>junction c:\apps\

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

No matching files were found.

Example 2:

C:\>junction c:\apps

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\apps: JUNCTION
   Substitute Name: e:\dropbox\apps


C:\>
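As an added example (not part of the post above, and not the junction tool's code), the following PowerShell reports the reparse-point status and junction target of a directory through the .NET file-system object, normalising a trailing backslash first so that both spellings from the post resolve to the same item. Checking junction targets this way is a routine review step, since a junction that points outside the intended tree silently redirects every path underneath it. The function name is this example's own; the path is the one from the post.

```powershell
# Added example: show whether a directory is a reparse point and where it points,
# accepting the path with or without a trailing backslash.
function Get-JunctionInfo {
    param([Parameter(Mandatory)][string]$Path)   # hypothetical function name

    # 'c:\apps\' and 'c:\apps' should name the same directory; strip the trailing
    # separator so the lookup does not depend on which form was typed.
    $normalised = $Path.TrimEnd('\')

    $item = Get-Item -LiteralPath $normalised -Force -ErrorAction Stop

    $isReparse = ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0

    [pscustomobject]@{
        Path      = $item.FullName
        IsReparse = $isReparse
        LinkType  = $item.LinkType    # 'Junction', 'SymbolicLink', or empty for a plain directory
        Target    = $item.Target      # substitute name for a junction/symlink
    }
}

# Both invocations resolve to the same directory.
Get-JunctionInfo -Path 'c:\apps\'
Get-JunctionInfo -Path 'c:\apps'

# Walk one level of a tree and list every junction with its target, which is the
# check to run before trusting backup or permission changes applied to that tree.
Get-ChildItem -LiteralPath 'c:\' -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
    Select-Object FullName, LinkType, Target
```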

Process Explorer : Native Images

Author: MagicAndre1981
Subject: Native Images
Posted: 13 February 2017 at 6:38pm

ok, I don't create web application/IIS, so I never tried this.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 13 February 2017 at 6:40pm

Originally posted by golgothe:

    Thanks a lot, my notebook works fine now.

you're welcome :)

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 13 February 2017 at 6:43pm

Originally posted by ralrra:

    Hello MagicAndre,

    I have the same problem as most people here: sometimes (not always) high CPU load caused by "ntoskrnl.exe whea attempt physical page offline".

The trace shows that ntoskrnl.exe!KeZeroPages causes the CPU usage. I only know of Chrome with HW acceleration causing it. But you use Firefox; maybe Firefox has a similar issue. Try to disable HW acceleration in the Firefox options. If this doesn't fix it, stop some tools until you see which program causes it.

Process Explorer : Process Explorer leaks non-paged pool

Author: MagicAndre1981
Subject: Process Explorer leaks non-paged pool
Posted: 13 February 2017 at 7:04pm

Download this profile from my dropbox (https://www.dropbox.com/s/7223cz93m6wbww1/PoolTagLeak_ProcExp.wprp?dl=0), store it on the hard drive, open a cmd.exe as admin, run wpr -start PoolTagLeak_ProcExp.wprp && timeout -1 && wpr -stop C:\PoolUsage.etl, try to repro the pool usage growth, press a key to stop logging, and analyze the ETL with WPA:

https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-48-WPT-Memory-Analysis-Pool

and look if ProcessExplorer is the cause of the leak.