Channel: Sysinternals Forums

Process Explorer : A really dumb question????

Author: MagicAndre1981
Subject: A really dumb question????
Posted: 24 March 2017 at 2:55pm

Looks like PE crashed. Look in the event log for more details.

Process Explorer : PE won't open

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 24 March 2017 at 2:59pm

I still can't download it. Upload it somewhere else (zippyshare.com, mediafire.com, https://mega.nz/).

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: GrimKodiak
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 24 March 2017 at 4:25pm

OK, try my Dropbox; this link should allow you to download the 7z compressed file:
https://www.dropbox.com/sh/yso34uanx27ktdt/AACCwHGUBoe-OUYFcEusKQ1Ea?dl=0
Thanks again and sorry for the problem.
GrimKodiak
https://www.dropbox.com/s/s5scbq3ssqy3s9l/highCPUUsage.7z?dl=0
Or try that one, a more direct link to the file.


Edited by GrimKodiak - 3 hours 4 minutes ago at 4:30pm

Development : Enumeration of global hooks with Access Violation

Author: flashcoder
Subject: Enumeration of global hooks with Access Violation
Posted: 24 March 2017 at 5:04pm

With the code below I'm able to enumerate and unhook all global hooks created by the SetWindowsHookEx function on Windows 7 x64 and above.

However, when this code is tested on Windows 7 x86, an Access Violation occurs on the following line:

if (pHandle->bType != TYPE_HOOK) continue;

When I uncomment these two lines:

printf("Found hook at %p", HookInfo);
printf(" Handle: %08llX %s %2d %d\n\n", HookInfo->Handle, (Unhooked) ? ("Unhook OK!") : ("Unhook Fail"), HookInfo->HookType, HookInfo->Flags);

the Access Violation happens after the second printf() executes.

Any suggestion about what is causing this error?

Complete code:

// test.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <WinNT.h>
#include <cstdio>

//#define _WIN64

#define TYPE_HOOK   5   // bType of a HOOK entry in the USER handle table

BOOL Unhooked = FALSE;

using namespace std;

// One entry of the user32 shared handle table (aheList).
typedef struct _HANDLEENTRY {
    PVOID pHead;     // kernel-side address of the object
    PVOID pOwner;
    BYTE bType;      // object type, TYPE_HOOK for hooks
    BYTE bFlags;
    WORD wUniq;
} HANDLEENTRY, *PHANDLEENTRY;

typedef struct _SERVERINFO {
    WORD            wRIPFlags;
    WORD            wSRVIFlags;
    WORD            wRIPPID;
    WORD            wRIPError;
    ULONG           cHandleEntries;   // number of entries in aheList (offset 8)
} SERVERINFO, *PSERVERINFO;

typedef struct _SHAREDINFO {
    PSERVERINFO psi;
    PHANDLEENTRY aheList;
    ULONG HeEntrySize;
    ULONG_PTR pDispInfo;
    ULONG_PTR ulSharedDelta;
    ULONG_PTR awmControl;
    ULONG_PTR DefWindowMsgs;
    ULONG_PTR DefWindowSpecMsgs;
} SHAREDINFO, *PSHAREDINFO;

// Assumed layout of the HOOK object as seen through the user-mode mapping.
typedef struct _HOOK_
{
    HANDLE Handle;
    ULONG LockObj;
    PVOID ThreadInfo;
    PVOID Desktop1;
    PVOID Self;
    PVOID NextHook;
    LONG HookType;
    PVOID FunctionAddress;
    ULONG Flags;
    ULONG ModuleHandle;
    PVOID Hooked;
    PVOID Desktop2;
    ULONG bitField;
} HOOK_;

SHAREDINFO* GetgSharedInfo() {

    SHAREDINFO* gSharedInfo = NULL;
    HMODULE   huser32 = NULL;

    huser32 = LoadLibrary(L"user32.dll");
    if (huser32 == NULL)
    {
        printf("LoadLibrary failed\n");
        return NULL;
    }

    // gSharedInfo is an exported data symbol, not a function; NULL if absent.
    gSharedInfo = (SHAREDINFO*)GetProcAddress(huser32, "gSharedInfo");
    return gSharedInfo;
}

void EnumHandles3264(SHAREDINFO *pSharedInfo)
{
    if (pSharedInfo == NULL || pSharedInfo->psi == NULL) return;

    struct _TEB* pTeb = NtCurrentTeb();
    // Delta between the kernel address in pHead and its user-mode mapping,
    // read from the CLIENTINFO block inside the TEB.
#ifdef _WIN64
    ULONGLONG offset = *(ULONGLONG*)(((BYTE*)pTeb) + 0x800 + 0x28);
#else
    ULONG offset = *(ULONG*)(((BYTE*)pTeb) + 0x6CC + 0x1C);
#endif
    // Read the count through the struct field rather than a (ULONG) pointer
    // cast, which truncates the psi address on x64.
    ULONG cHandleEntries = pSharedInfo->psi->cHandleEntries;
    HANDLEENTRY *Handle = (HANDLEENTRY*)pSharedInfo->aheList;
    for (ULONG i = 0; i < cHandleEntries; ++i)
    {
        HANDLEENTRY* pHandle = Handle++;

        if (pHandle->bType != TYPE_HOOK) continue;

        HOOK_* HookInfo = (HOOK_*)((UINT_PTR)pHandle->pHead - offset);
        if (HookInfo)
        {
            Unhooked = UnhookWindowsHookEx((HHOOK)HookInfo->Handle);
            // Handle is printed with %p: on x86 a HANDLE is 4 bytes, so %08llX
            // would consume 8 bytes and misalign the remaining arguments.
            //printf("Found hook at %p", HookInfo);
            //printf(" Handle: %p %s %2d %lu\n\n", HookInfo->Handle, (Unhooked) ? ("Unhook OK!") : ("Unhook Fail"), HookInfo->HookType, HookInfo->Flags);
        }
    }
}

//////// In main() function: ////////

EnumHandles3264(GetgSharedInfo());



PsTools : running psinfo without stderr

Author: dale.sykora
Subject: running psinfo without stderr
Posted: 24 March 2017 at 5:39pm

Hello,
  We currently use psinfo -s in bat install/update scripts to gather installed software information (name & version). We would like to move this functionality to Ansible, but are running into issues, as psinfo sends info to stderr and Ansible thinks the command fails. We could use win_shell rather than win_command in Ansible, but that has the side effect that it always shows as changed.

  Other than redirection "2>NULL", is there a hidden option or other method to keep psinfo from sending to stderr?

  If this is not possible, then where does psinfo look up application info that cannot be found via wmic product, for example Notepad++? Is this in the registry somewhere?

Thanks in advance for your helpful replies.

Thanks,

Dale

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 24 March 2017 at 7:01pm

OK, the new link works. The issue is caused by the driver stdriverx64.sys:

https://i.stack.imgur.com/6nvDx.png

This is an audio streaming/capture driver. So update this tool.

http://www.nch.com.au/soundtap/index.html

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: GrimKodiak
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 25 March 2017 at 12:20am

OK, great, thanks for the info, but I don't even have that program installed, so how do I go about removing it?


Utilities Suggestions : BKF Recovery

Author: kurtwilder
Subject: BKF Recovery
Posted: 25 March 2017 at 10:01am


There are so many users who back up their data using the NTBackup Tool in Windows XP, then clean install/upgrade to Windows 7 or Windows Vista and later realize that Windows 7/Vista do not include the NTBackup Tool to restore data from the .BKF archive. If you have critical data contained in an NTBackup file (.BKF) and want to repair corrupt or damaged BKF files and restore invaluable data which has been lost for any reason, use an expert and reliable BKF Recovery Tool, a utility which is capable of flawlessly repairing corrupt or formatted BKF files and restoring them perfectly.

  • Repairs BKF files which have been created using Backup Exec by Veritas or Windows NTBackup
  • Scan output saved in a DAT file to resume the recovery process later
  • Repairs BKF files that are corrupted due to CRC errors
  • Supports recovery from .BKF, .CTF, and .FD backup files
  • Easy to use with a GUI interface, no technical skill required
  • 30 Days MoneyBack Guarantee

A free trial version of the BKF Recovery software is available; the free version will recover your .bkf file efficiently and will show you a preview of the recovered data, which you can check.



Edited by kurtwilder - 9 hours 57 minutes ago at 10:01am

Utilities Suggestions : QuickBooks Repair Tool

Author: kurtwilder
Subject: QuickBooks Repair Tool
Posted: 25 March 2017 at 10:03am

Corruption in QBW files is very common, thus it is very important to be careful while using them. If you face a corruption issue in your QuickBooks file or you are unable to access it, then to get rid of this situation you need to use a professional QuickBooks Repair Tool, which helps you to recover corrupted or damaged QBW files without any data loss. It can easily recover all types of information such as customers, vendors and company information. It is strategically designed to support several country-based QuickBooks software versions like USA, UK, Australia, Canada, South Africa, Germany and New Zealand. It also repairs QBW files made in QuickBooks 2007, 2008, 2009, 2011, 2010, 2013, 2012, 2014, 2015, 2016 and the latest 2017 version.

Utilities Suggestions : How to Repair Outlook PST Free of Cost?

Author: kurtwilder
Subject: How to Repair Outlook PST Free of Cost?
Posted: 25 March 2017 at 10:39am

If you're having corruption in an Outlook PST and you want to repair the PST file in the best possible way, the very first thing you should go for is the Inbox Repair tool, commonly known as scanpst.exe; you can scan a corrupt PST file for errors and repair it without paying any buck. Before you can run scanpst.exe, you must locate its working PST file on your system. However, scanpst.exe is limited to fixing only header or minor corruption issues. Sometimes it may fail or not work if the corruption is extreme. In such a situation, you should try a professional Outlook PST Recovery tool, which is a fast, simple and powerful utility. Outlook PST Recovery software is extensively designed with features to facilitate users to repair and restore Personal Storage (PST) files.

Troubleshooting : Win10 freeze/hangs

Author: knarf
Subject: Win10 freeze/hangs
Posted: 25 March 2017 at 1:11pm

Hmm, the system reserved partition is too small.
I've tried some repartitioning software, but on this partition the resize options are greyed out.
Any thoughts on this?
Is it possible to move this partition to a new (larger) partition?

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: GrimKodiak
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 25 March 2017 at 8:53pm

OK, well, I did a search in regedit and found two stdriver folders, backed them up and then deleted them, and rebooted, but then one of my svchosts was going crazy; I saw my sound was off and CPU and disk were going nuts. I reinstalled the drivers for the audio device and now everything is running well. Do you think I need to do anything else to remove that stdriverx64.sys? I also did a search of the C drive and found nothing, but I closed it near its end, and there were no NCH app folders anywhere, as near as I could tell.

thanks
GrimKodiak

Process Explorer : PE won't open

Author: richengels
Subject: PE won't open
Posted: 26 March 2017 at 2:32pm

Tried several times but unable to produce a dump. I set a page file size of 20 GB for my 8 GB system on the boot drive and tried the options to write a complete memory dump, automatic dump, and active memory dump, but no dump is taken.

I will just revert to 15.31 which works.

Malware : Gpu based paravirtualization rootkit, all os vulne

Author: lil_king420
Subject: Gpu based paravirtualization rootkit, all os vulne
Posted: 27 March 2017 at 2:12am

Absolutely!!!  Clap

Smartphones are FAILsec 100%.

Malware : Gpu based paravirtualization rootkit, all os vulne

Author: lil_king420
Subject: Gpu based paravirtualization rootkit, all os vulne
Posted: 27 March 2017 at 2:23am

Vault 7 was released by Wikileaks this month... Titled

Vault 7: CIA Hacking Tools Revealed

https://wikileaks.org/ciav7p1/index.html

I think it is safe to say this thread is beyond justified and very important to all of us.  I hope it remains available indefinitely and should never be removed for any excuse.

Knowledge is free... understand it... THEN SHARE!!!

Disobey... together... we remove the control!   Expect us all.   ✌ 👊



PsTools : psshutdown service delay

Author: johnhoh
Subject: psshutdown service delay
Posted: 27 March 2017 at 4:04am

Hi,
I'm successfully using psshutdown to put my home PCs to sleep, however it takes longer than I'd like. 
Even using this command with a timeout of 1 second:

psshutdown -d -f -t 1 \\computer1

it results in computer1 going to sleep in perhaps 30 seconds.  After playing with the "-t" setting I got it DOWN to 30 seconds from 50 seconds, meaning even though my timeout value is only 1 second, the whole process still takes 30 seconds (because of the time to start the service?).

 It appears that there is a delay before the command is actually executed on computer1, as there is a message on the originating machine that reads "Starting psshutdown service on computer1...." and that lasts for 20 or 25 seconds. 

How can I make that "starting service" delay go to zero? Thanks.

Process Explorer : Can't get back to original Task Manager

Author: pmatula
Subject: Can't get back to original Task Manager
Posted: 27 March 2017 at 11:15am

Hi RWS Webman, 
you'll find under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe a new string value with the name "debugger". 
Delete the debugger value and taskmgr should be available again. 
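As an added example (not from pmatula's post or from Process Explorer itself), a PowerShell snippet that lists every Image File Execution Options subkey carrying a Debugger value, which is also how this key is audited when checking for unexpected launch redirection, and then removes only the taskmgr.exe Debugger value the thread is about. Key path and value name are those given in the post; an elevated session is assumed.

```powershell
# Added example; assumes an elevated PowerShell session on the affected machine.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Report each IFEO subkey that has a Debugger value. The Process Explorer feature
# in this thread sets one for taskmgr.exe; any other entry is worth reviewing,
# because a Debugger value redirects that program's launch.
function Get-IfeoDebugger {
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

# Remove just the Debugger value, leaving the rest of the subkey intact, so the
# original Task Manager starts again.
function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image)
    $key = "$ifeo\$Image"
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    }
}

Get-IfeoDebugger | Format-Table -AutoSize
Remove-IfeoDebugger -Image 'taskmgr.exe'
```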

Process Explorer : Can't get back to original Task Manager

Author: RWS Webman
Subject: Can't get back to original Task Manager
Posted: 27 March 2017 at 12:51pm

That folder is empty. There are no values in there.

Thank you.

Process Explorer : Can't get back to original Task Manager

Author: pmatula
Subject: Can't get back to original Task Manager
Posted: 27 March 2017 at 1:46pm

That's the way the feature works.

Could you please open a powershell prompt and fire up this: 
Get-ChildItem -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe*"