Channel: Sysinternals Forums

Miscellaneous Utilities : Using ProcDump for svchost

Author: Mark_E
Subject: Using ProcDump for svchost
Posted: 10 March 2017 at 7:25pm

Never mind, I mistakenly thought -x specified the location to store the log files, once I remove that it worked correctly.

BgInfo : Multiple IP and Mac

Author: WindowsStar
Subject: Multiple IP and Mac
Posted: 12 March 2017 at 8:07pm

I wrote VBS scripts and posted them here that do just what you want. I don't know if they still work; I haven't used BGInfo in years. I am sure a quick search will find them. -WS

BgInfo : Permanent Display

Author: WindowsStar
Subject: Permanent Display
Posted: 12 March 2017 at 8:09pm

You should be able to change the wallpaper and save. Then change it back to the solid color and it will go away. -WS

BgInfo : Error: Missing Rights to change desktop settings

Author: WindowsStar
Subject: Error: Missing Rights to change desktop settings
Posted: 12 March 2017 at 8:11pm

This may be the same problem that 2012R2 and Windows 8.1 had. Try turning off UAC. -WS

PsTools : Psexec failed on windows 10

Author: hobbie hobbie
Subject: Psexec failed on windows 10
Posted: 13 March 2017 at 5:52am

Windows Password Manager

is a free manager for XP and Windows password issues and it works as well as can be expected. In addition, the main thing is to stop using the external hard disk until you use this tool, and avoid writing any files to it. I used it a few times. It's free and it works as well as can be expected. The main thing is to stop using the external hard disk until you use this tool, and avoid writing any files to it.


BgInfo : Error: Missing Rights to change desktop settings

Author: FriedhelmEichin
Subject: Error: Missing Rights to change desktop settings
Posted: 13 March 2017 at 8:17am

I can try it, to test if there is a connection between the problem and the UAC.

But turning off the UAC is no solution!!!
This is not allowed on many machines by domain policies.

So what else can I do?

Regards, Friedhelm

PsTools : Using Pexec command in Bat file

Author: girishnehte
Subject: Using Pexec command in Bat file
Posted: 13 March 2017 at 2:17pm

Hi,

I am very much new to PsTools. I have to run a batch file on a remote machine, which I can achieve very easily. I have one question.
I have created a bat file on machine A. The commands are like this:

Cmd1: Copy certain files from machine A to machine B.
Cmd2: Copy a bat file from machine A to machine B.
Cmd3: PsExec command to connect to a command prompt of machine B.
Cmd4: Here I am trying to run the bat file I copied in Cmd2 on machine B.

When I run the bat file with the above 4 commands, the first three commands run successfully, but after the third command I can see the cmd prompt of machine B connected and it does not execute Cmd4 to run the bat file on machine B. Can anybody please help me with how I can achieve this, i.e. copying the bat file to machine B and executing it there with a single click?

Miscellaneous Utilities : Update livekd.exe mirror dump to not need kd.exe

Author: tzimmer
Subject: Update livekd.exe mirror dump to not need kd.exe
Posted: 14 March 2017 at 1:53am

Hello.
Could livekd.exe be updated so that the stub kd.exe file is not needed for mirror dumps (livekd.exe -ml -o)?

Thanks.

Troubleshooting : Win10 freeze/hangs

Author: knarf
Subject: Win10 freeze/hangs
Posted: 14 March 2017 at 8:54am

Hello,
Is there any software available which can detect or guard when and why Win10 freezes or hangs?
It quite often happens that the taskbar and application windows do not respond to clicks and
I have to restart the machine.
Version 5111 build 10586.753
Of course I'm trying several tweaks like turning off background apps, winsock reset, video driver updates.
Thanks,
Frank

Autoruns : [BUG REPORT] Autoruns64 13.62 is utterly broken

Author: neprogrammiruemiy
Subject: [BUG REPORT] Autoruns64 13.62 is utterly broken
Posted: 14 March 2017 at 9:34am

Decided to update to 13.7. Autoruns64 is weirding out: every time I hit F5 (Refresh), it shows me different and seemingly random service entries, which never happened before. Moreover, after a few refreshes I get a message box telling me that Autoruns "Could not get WMI subscriptions: The wait operation timed out".

Is there something wrong with my machine, or is Autoruns64 indeed broken as hell?

PsTools : Psexec failed on windows 10

Author: RGIO
Subject: Psexec failed on windows 10
Posted: 14 March 2017 at 2:58pm

Well, after a lot of research I realised that the problem was right in front of my nose: the PsExec version I had was 1.62, so I updated it to 2.2 and added the -h parameter. All works perfectly.

Sometimes the problem is not as difficult as it appears. Thanks.

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: Alecajuice
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 14 March 2017 at 5:32pm

OK, so the new driver seems to have solved the high CPU issue, but now I randomly crash with a BSOD, stop code DRIVER_POWER_STATE_FAILURE. Is this an issue with the driver I installed?
Here is the minidump file for the BSOD:

Miscellaneous Utilities : Event ID 1 stops logging, Sysmon 6.00/6.01

Author: username872
Subject: Event ID 1 stops logging, Sysmon 6.00/6.01
Posted: 14 March 2017 at 10:02pm

Hello,

We recently began piloting a large expansion of Sysmon and are testing v6.00 and now 6.01 (to see if it fixed the issue), coming from v3.10.

We are testing against both Windows 7 and Windows 10 and recently noticed an issue on Windows 7 workstations. We first remove Sysmon 3.10 and ensure that Sysmon.exe and sysmondrv.sys are removed from C:\Windows\. After the uninstall of the old version we attempt to install 6.00/6.01 with the following parameters:

"Sysmon64.exe -accepteula -i *config filepath here*". Sysmon appears to install successfully and validates our config file (we've also tested with the defaults to confirm it's not our config causing the issue). Here's where things get strange... On Windows 10, everything works perfectly as expected without a hiccup, but on Windows 7 machines we now immediately receive a popup informing us that the sysmondrv.sys driver is not digitally signed and is therefore unsupported by Windows 7. The only option at this point is to close the notice and return to the command prompt, where Sysmon shows that it is running successfully. At this time, all events from Sysmon are logging correctly (we are using all events minus Image Loads) and we see the data in Event Viewer and our SIEM accordingly.

The issue is that as soon as the workstation is rebooted, Event ID 1 (Process creation) stops logging entirely, both on the host in Event Viewer and, obviously, subsequently in our SIEM. All other event types continue to log correctly and we see them, but process creation events are not being generated. Restarts of the Sysmon service or further reboots of the host do not fix the issue. If we uninstall Sysmon and reinstall it again, the process logging immediately returns, but once again stops following a reboot.

Has anyone run into similar issues, and if so, have you determined why the sysmondrv.sys driver is no longer signed for Windows 7 but appears to be signed/functioning for Windows 10? After hours of troubleshooting, our best guess is that this driver is the issue, and to be honest it's driving us nuts!

Thanks!
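The failure mode in this report is a silent one: the service is up, every other event type keeps flowing, and only Event ID 1 disappears, so nothing raises an alarm unless something watches per-event-type freshness. The script below is an added example, not code from the thread or from Sysinternals: it reads Windows event XML (the shape Event Viewer or wevtutil exports), records the newest TimeCreated per EventID, and reports the expected Sysmon IDs that are missing or older than a tolerated gap. The three events in SAMPLE_EVENTS are constructed to reproduce the symptom described above (ID 1 stale, IDs 3 and 11 current); the IDs to expect and the gap are parameters you would set per host.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Namespace used by Windows event XML (Event Viewer "Copy details as XML", wevtutil, ...).
EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: three Sysmon events trimmed to the fields this check needs.
# Mirrors the symptom in the post: Event ID 1 stopped at 10:00, IDs 3 and 11 kept coming.
SAMPLE_EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><EventID>1</EventID>
    <TimeCreated SystemTime="2017-03-14T10:00:00.1234567Z"/></System></Event>
  <Event><System><EventID>3</EventID>
    <TimeCreated SystemTime="2017-03-14T11:55:02.000Z"/></System></Event>
  <Event><System><EventID>11</EventID>
    <TimeCreated SystemTime="2017-03-14T11:58:40.000Z"/></System></Event>
</Events>"""


def parse_system_time(value):
    """Parse TimeCreated/@SystemTime. Windows writes 7 fractional digits; strptime takes 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S") + timedelta(microseconds=micros)


def last_seen_by_event_id(xml_text):
    """Map each EventID present in the export to its newest TimeCreated (naive UTC)."""
    last_seen = {}
    for event in ET.fromstring(xml_text).findall("e:Event", EVT_NS):
        event_id = int(event.find("e:System/e:EventID", EVT_NS).text)
        stamp = event.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")
        when = parse_system_time(stamp)
        if event_id not in last_seen or when > last_seen[event_id]:
            last_seen[event_id] = when
    return last_seen


def stale_event_ids(xml_text, now_system_time, expected_ids, max_gap_minutes):
    """Expected Sysmon event IDs that are absent or older than max_gap_minutes, sorted."""
    now = parse_system_time(now_system_time)
    last_seen = last_seen_by_event_id(xml_text)
    stale = []
    for event_id in expected_ids:
        when = last_seen.get(event_id)
        if when is None or now - when > timedelta(minutes=max_gap_minutes):
            stale.append(event_id)
    return sorted(stale)


if __name__ == "__main__":
    # Expect process creation (1), network connection (3) and file create (11) within 30 min.
    print(stale_event_ids(SAMPLE_EVENTS, "2017-03-14T12:00:00.000Z", (1, 3, 11), 30))
```

Run against a real export (`wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml`, wrapped in a single root element) the same function gives a per-host freshness check that catches exactly the post-reboot regression described here, where a service-running check would pass.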

Process Explorer : Tcpview stopped displaying

Author: shocker65
Subject: Tcpview stopped displaying
Posted: 15 March 2017 at 2:37am

It stopped showing the sent and received packets. It quit a couple of days ago and I re-downloaded it with no improvement.

Any suggestions ?
Thank you in advance. 

Miscellaneous Utilities : Sigcheck - link date / signing date

Author: Dercha
Subject: Sigcheck - link date / signing date
Posted: 15 March 2017 at 4:32am

Hi,

I have a question about the report gathered with sigcheck.exe.

I ran sigcheck on some files; some reports show a signing date while others show a link date. I roughly understand that the signing date is the date people signed their digital signature on it.

What is the link date then? Is it the modification date, the date of download, or the date when people meddled with the file properties? Or none of the above?
Please kindly help me understand what it is.

Utilities Suggestions : Solution to Convert OST File to PST File

Author: jessicamarcotte
Subject: Solution to Convert OST File to PST File
Posted: 15 March 2017 at 9:01am

OST and PST are both used in MS Outlook, where OST stands for Offline Storage Table and PST for Personal Storage Table. As the name suggests, OST is an offline folder which is used to save the Exchange server data. You can use the OST file when you are not connected to the server. Outlook is a client-based email application for Microsoft users. There are two methods by which you can complete OST to PST conversion manually. You can archive your mail data and export PST files if your Outlook is working properly. But if you have OST files and your Outlook is not working, then install Outlook again and convert the OST file to PST. I would like to mention that it is suggested to go for OST to PST Converter, an excellent conversion utility which performs secure conversion of OST into PST file format. All the converted items can be saved in EML, MSG, RTF, PDF and HTML formats. It easily arranges scanned emails according to Attachment, Type, To, From, Date, Subject, Importance and Type.

In addition to that, it provides several other benefits.

Download the free trial version to scan & preview your convertible mail items.

Miscellaneous Utilities : ProcDump fails to generate dumpfile

Author: geirendre
Subject: ProcDump fails to generate dumpfile
Posted: 15 March 2017 at 10:35am

Our problem is that Word hangs about once a day on many computers.
'Not responding', and error message 'WINWORD.EXE version 15.0.4893.1000 stopped interacting with Windows and was shut down.' in the event log.

I tried to capture a dump file of the hang with ProcDump, but it fails to generate a dump when Word hangs.
I uploaded ProcDump.exe to the remote computer and started it with PowerShell remoting like this:
Invoke-Command -ComputerName ABC123 -ScriptBlock { C:\Data\Dumps\Procdump.exe -accepteula -ma -h WINWORD.EXE c:\data\dumps }
I get a normal response from the command with this at the end:
Press Ctrl-C to end monitoring without terminating the process.
So the command looks OK, but when Word hangs, nothing happens.
Any suggestions?

Miscellaneous Utilities : Can't remove usb drive - used but not used

Author: kayax
Subject: Can't remove usb drive - used but not used
Posted: 15 March 2017 at 1:50pm

Hi,
when I try to remove my USB drive from my Win10 Pro machine it says Windows would not be able to stop the device.
When I run the command "handle -a | findstr "F:" " I see a few lines containing the "F" drive letter and starting with a hex value (e.g. 5B4),
which I suppose is the handle(?), followed by "File  (R--)" and a path like "F:\$Extend\$RmMetadata\$Txf...".
But I can't see any $-folders on the USB drive.

The question now is: how can I close the handles on my USB drive?

handle -c 5B4 (or with the decimal value) doesn't work.

Thanks

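Reading `handle -a` output by eye gets hard once several processes hold handles on a volume, and the lines the poster quotes are the interesting ones: paths under `$Extend\$RmMetadata` are NTFS's own transactional (TxF) metadata files, which the file system keeps open from the System process (pid 4) and which never show up in a directory listing, so no "$-folders" will be visible. The script below is an added example, not part of the thread and not a Sysinternals tool: it parses the process headers and handle lines of `handle -a` output into records, filters to file handles on a given drive, and counts them per process. SAMPLE_OUTPUT is constructed in the shape of `handle -a` output (not the poster's real listing); the regexes assume the `<hex>: <Type>  (<access>)   <name>` layout described in the post.

```python
import re
from collections import Counter

# Constructed sample in the shape of `handle -a` output (not the poster's real output).
SAMPLE_OUTPUT = r"""
------------------------------------------------------------------------------
System pid: 4 \<unable to open process>
  5B4: File  (R--)   F:\$Extend\$RmMetadata\$Txf
  5C0: File  (RW-)   F:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf
------------------------------------------------------------------------------
explorer.exe pid: 2844 DESKTOP\alice
  1A8: File  (RW-)   F:\Photos
  2F4: Key           HKCU\Software\Classes
  3C0: File  (RW-)   C:\Users\alice\Desktop
"""

# "image pid: N owner" header that precedes each process's handle lines.
PROCESS_RE = re.compile(r"^(?P<image>\S+) pid: (?P<pid>\d+) (?P<owner>.*)$")
# "  5B4: File  (R--)   F:\path" -- the access flags appear only on some handle types.
HANDLE_RE = re.compile(
    r"^\s+(?P<handle>[0-9A-Fa-f]+): (?P<type>\S+)\s+(?:\((?P<access>[RWD-]{3})\)\s+)?(?P<name>.+)$"
)


def parse_handles(text):
    """Yield one dict per handle line, tagged with the process header last seen above it."""
    image, pid = None, None
    for line in text.splitlines():
        proc = PROCESS_RE.match(line)
        if proc:
            image, pid = proc.group("image"), int(proc.group("pid"))
            continue
        h = HANDLE_RE.match(line)
        if h and pid is not None:
            yield {
                "image": image,
                "pid": pid,
                "handle": int(h.group("handle"), 16),  # handle values are printed in hex
                "type": h.group("type"),
                "access": h.group("access"),
                "name": h.group("name").strip(),
            }


def handles_on_volume(text, drive_letter):
    """File handles whose path lives on the given drive (e.g. 'F')."""
    prefix = drive_letter.upper().rstrip(":") + ":\\"
    return [h for h in parse_handles(text)
            if h["type"] == "File" and h["name"].upper().startswith(prefix)]


def processes_holding(text, drive_letter):
    """pid -> (image, number of file handles that process holds on the volume)."""
    counts = Counter((h["pid"], h["image"]) for h in handles_on_volume(text, drive_letter))
    return {pid: (image, n) for (pid, image), n in counts.items()}


def is_ntfs_metadata(name):
    """True for NTFS-internal paths under <drive>:\$Extend, which Explorer never lists."""
    return "\\$EXTEND\\" in name.upper()


if __name__ == "__main__":
    for h in handles_on_volume(SAMPLE_OUTPUT, "F"):
        tag = "  [NTFS metadata, held by the file system]" if is_ntfs_metadata(h["name"]) else ""
        print(f"{h['image']} (pid {h['pid']}) {h['handle']:X}: {h['name']}{tag}")
```

The useful output is the per-process summary: handles owned by an ordinary process (Explorer, an editor, a backup agent) point at something that can be closed normally, while handles that belong to System against `$Extend` metadata are part of the file system's own state. Forcing the latter closed with `handle -c` is not a remedy; handle's own documentation warns that closing handles out from under a process can destabilise it, and for pid 4 that process is the kernel.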

Disk2vhd : Unable to boot converted VHDX

Author: rkoett
Subject: Unable to boot converted VHDX
Posted: 15 March 2017 at 6:24pm

I ran into a similar problem recently. In my case the problem occurred when the disk I originally imaged was initialized as GPT instead of the older MBR. This can be seen by mounting the VHDX, then running DISKPART from a command prompt and typing "list disk". (There will be a * shown under the "Gpt" column). If you then type "list volume", you may see the problem I encountered. There is a system partition (around 100MB in my case) listed as type "RAW". On the physical system this is listed as type "FAT32". The failure to properly image this partition is what caused the boot failures in my case.

If you are encountering the same problem, here are the steps I took to fix it. I would suggest making a backup copy of your VHDX file before trying these steps:

* Boot the VM from Windows install media (.ISO file)
* Select Repair your computer, Troubleshoot, Command prompt
* Run diskpart
* type "select disk 0"
* type "list partition" (to get the System partition number)
* Select the System partition (e.g. type "select partition 3")
* format quick fs=fat32 label="System"
* assign letter=S
* exit
* bcdedit /createstore
* bootrec /RebuildBCD
* (type "Y" to accept the detected parameters)
* bcdboot C:\Windows /s S: /f UEFI
* Reboot the VM

As I said, these steps worked for me. There are other possible solutions I haven't tried. One suggestion I read was that temporarily assigning a drive letter to the system partition on the original disk before running disk2vhd allows it to be detected and imaged as the correct type instead of "RAW". Another approach involves converting the virtual disk from GPT format to MBR format. I have not looked into the details of how that might be done.

Miscellaneous Utilities : Sigcheck - link date / signing date

Author: Dax1792
Subject: Sigcheck - link date / signing date
Posted: 15 March 2017 at 9:58pm

In computing, a linker or link editor is a computer program that takes one or more object files generated by a compiler and combines them into a single executable file, library file, or another object file.

Linker (computing) - Wikipedia

It seems SigCheck provides the link date when the executable file is unsigned.
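The "link date" sigcheck reports comes from the PE file itself: the COFF file header that follows the "PE\0\0" signature carries a 32-bit TimeDateStamp that the linker writes at build time. The "signing date" is a different thing, taken from the Authenticode signature's timestamp, which is why it only exists for signed files. The script below is an added example, not sigcheck's code: it locates the PE header through e_lfanew at offset 0x3C of the DOS header and decodes the timestamp, and builds a constructed minimal header (not a loadable image) to run against.

```python
import struct
from datetime import datetime, timezone


def link_date(pe: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # The DOS header stores the offset of the PE signature at 0x3C (e_lfanew).
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header right after the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4) ...
    stamp = struct.unpack_from("<I", pe, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_sample_pe(stamp: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header carrying `stamp`."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=AMD64 (0x8664), one section, the timestamp, then zeroed remaining fields.
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 1489000000 is 2017-03-08 19:06:40 UTC, a constructed value.
    print(link_date(build_sample_pe(1489000000)).isoformat())
```

Two caveats when reading this field on real binaries. It is just a number the linker wrote, so it can be set to anything and proves nothing about when a file was actually built; and toolchains that produce reproducible builds (MSVC's /Brepro, for example) fill it with a hash rather than a time, so a link date decades in the past or future is not by itself a sign of tampering.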
