Channel: Sysinternals Forums

Process Monitor : Drop Filtered Events not working

Author: grantdavis2
Subject: Drop Filtered Events not working
Posted: 12 July 2017 at 5:17pm

Using v3.33, Drop Filtered Events does not seem to work properly. The status in the lower left shows the event count continuing to increment. I had an older version on a different system (v3.05) and using it works as expected.


Edited by grantdavis2 - 6 minutes ago at 5:35pm

Malware : Gpu based paravirtualization rootkit, all os vulne

Author: JackMove
Subject: Gpu based paravirtualization rootkit, all os vulne
Posted: 12 July 2017 at 9:14pm

Well, it's been a little while, I guess I'll add some more of my observations here...

Several indications have led me to believe that utility smart meters are somehow involved. Maybe only in some cases, and maybe not officially, but it seems like the industrial, low-level communication networks they use are somehow being exploited and used to access private home devices.

I also wouldn't rule out some type of new, over-reaching lawful intercept technology being implemented. Using Wireshark on any of my home computers shows a few FC protocol initial connections made by a Cray Comm "device" upon each physical ethernet connection (plugging it in to any other device). The captured packets unfortunately don't offer much data. This behavior is observed even when connecting isolated machines (all traditional wireless hardware physically removed) via ethernet to switches or routers that are also offline. The MAC address shows it belongs to Cray Comm but they are originating from the machine I'm on. Cray Comm does not make any consumer devices as far as I know. I believe they're known for large data acquisition devices.

Also, using nmap and similar tools on my local network has revealed signs that the whole network has been virtualized. I can only see it with certain configurations of the app, but when I do I see a "host" on every single IP on my home network. A handful with unknown MAC addresses, most of which are fake (first few characters not associated with any OUI). The ones that do resolve belong to Cisco/Linksys, Microchip Technology, and Liteon, to name a few.

There are other clues, for instance, I have a router with a built-in touch screen (so I can change the settings without having to connect a potentially compromised device to it). Whenever I change the password and then try to connect a device to it with the new password, it always hangs for a while and usually fails. It doesn't connect successfully until the second attempt. Some data from Nmap has also suggested that devices appear to not have the same identity they just had, etc.

Well, that's all the fun info I can recall right now. I look forward to seeing what others post.

Miscellaneous Utilities : Event ID 1 stops logging, Sysmon 6.00/6.01

Author: Nemo7891
Subject: Event ID 1 stops logging, Sysmon 6.00/6.01
Posted: 13 July 2017 at 1:21pm

Last year we upgraded from 3.10 to 4.12 and experienced a very similar bug. Starting with a very vanilla install that initially appeared to have worked, after a reboot only Event ID 3 (Network Connection) would be logged. This was seen across all systems running 4.12 and as a result we downgraded back to 3.10 and are still running it. Recently though I noticed that on about 2% of our systems running 3.10 we still ONLY see Network Connection events. Others work just fine and a reboot does not solve the problem. Is this related and was it finally fixed in 6.2 or is this something different?

Utilities Suggestions : Procexp / TCPView port search

Author: hemlock
Subject: Procexp / TCPView port search
Posted: 15 July 2017 at 7:49am

Show unconnected endpoints option.

By my knowledge the port column is there by default, should be. Actually pretty sure you can't add/remove columns, so yah.

Will show all programs and ports, most are internal processes on localhost, but programs listening on other ports, local and remote, are potential 'open ports'.

Talking about TCPView.

Utilities Suggestions : tcpview refresh

Author: hemlock
Subject: tcpview refresh
Posted: 15 July 2017 at 7:55am

I would think it helpful if it were possible to create a hook to the driver to send a refresh to TCPView, allow TCPView to be docked in the system tray, and send a flash or notification on a new or blocked connection.
I tried using the WFN freeware alpha, but this interface is much better, plus it just stopped working after attempting to update. Could be used as a firewall notification.
After the action takes place, one could then go to their TCPView window, see the new connection highlighted, and manually make a rule for it.

Troubleshooting : xperf showing high DPC in DX12, now what?

Author: Anastasiosy
Subject: xperf showing high DPC in DX12, now what?
Posted: 16 July 2017 at 1:06am

Hi,

I've been trying to troubleshoot sudden freezes of my PC and have used LatencyMon to identify the drivers with the highest ISR count as per below



Digging into this a bit more using XPerf, it appears that my system is producing an abnormally high number of interrupts when calling DxgkpCalibrateGpuiTimerDpc in dxgkrnl.sys and also FxInterrupt::_InterruptDpcThunk in wdf01000.sys as highlighted in the DPC/ISR timeline by module below.

The question is, what can I do about this?
Can I disable DX12 or this calibration of the timer? Any other idea? Thanks in advance.


Autoruns : Search Online not work when MSEdge default

Author: GregoryV
Subject: Search Online not work when MSEdge default
Posted: 16 July 2017 at 4:39pm

Still broke with Edge as default browser

Process Explorer : EDGE browser breaks Online Search

Author: GregoryV
Subject: EDGE browser breaks Online Search
Posted: 16 July 2017 at 4:48pm

Using Process Explorer 64-bit v16.21 on a new Win10 Home 64-bit, Edge default browser.
Pressing Ctrl-M (Search Online) gives an error message in procmon, procexp/64 & autoruns/64.
The message's process has a command line of
"C:\windows\system32\LaunchWinApp.exe" "? someprocess.exe"
Search works with Chrome or IE as default.
(Clicking the web link in Help > About works with any default browser.)



Internals : Windows GPO Editor vs programmatic registry edit

Author: TheLopper
Subject: Windows GPO Editor vs programmatic registry edit
Posted: 16 July 2017 at 8:44pm

How is it that I may freely change GPO settings via the editor as opposed to making a change to the registry via a C++ program or command line?

For example:

If I wanted to disable the Properties option from the Recycle Bin context menu I can do that if I open up the Local Group Policy Editor and go to "Local Computer Policy > User Configuration > Administrative Templates > Desktop > Remove Properties from the Recycle Bin context menu", enable the policy, which sets a value under the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", with the name NoPropertiesRecycleBin and a value of 1. And everything works fine.

Now let's say I directly modify/create/access this key, say from a C++ program, or even the command line, why do I get an Access Denied error?


Edited by TheLopper - 40 minutes ago at 8:46pm
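The same write the post describes, done from PowerShell with a diagnostic step for the Access Denied case (an added example, not code from the post; the key path and value name are the ones quoted above, everything else is assumed):

```powershell
# Added example: set the policy value that the Local Group Policy Editor writes,
# and if the write is denied, list the DACL of the nearest existing key so the
# denying ACE (or a missing parent key) can be identified.
$keyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoPropertiesRecycleBin'

try {
    if (-not (Test-Path -LiteralPath $keyPath)) {
        # -Force creates missing intermediate keys as well
        New-Item -Path $keyPath -Force -ErrorAction Stop | Out-Null
    }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value 1 -Force -ErrorAction Stop | Out-Null
    Write-Output "Set $keyPath\$valueName = 1"
}
catch {
    Write-Warning "Write failed: $($_.Exception.Message)"

    # Walk up until a key that actually exists is found, then show who holds
    # which rights on it; the inherited ACEs come from this ancestor.
    $probe = $keyPath
    while (-not (Test-Path -LiteralPath $probe)) {
        $probe = Split-Path -Path $probe -Parent
    }
    Write-Output "Effective permissions on $probe :"
    (Get-Acl -Path $probe).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
}
```

Run it in the same user session that fails, since the denial depends on that token; an ACE that denies SetValue or CreateSubKey to the user's SID or groups on the Policies key or its parent is what to look for in the table.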

Process Monitor : Implementation Funcs of Operations

Author: WinLoader
Subject: Implementation Funcs of Operations
Posted: 16 July 2017 at 10:19pm

Hello,
I use ProcMon all day every day and I would like to learn which WIN32, NTDLL and/or ntoskrnl functions are implemented for the File System "Operations" listed in ProcMon. Is there any direct correlation or indexing that will tell me this information?

For example, I want to know which API calls are behind "Load Image" and "CreateFileMapping".

As a secondary question, is there any relation of the Operation name to its underlying implementation's function name? For example, there is an API called CreateFileMapping in Kernel32 but there is no API called "Load Image" (with a space). The lower the implementation details I can get, the better. I'm trying to find out exactly which Nt, Zw, Mm, etc. functions these ops correspond to. Thanks.

BgInfo : A little love for 64bit?

Author: MitchW
Subject: A little love for 64bit?
Posted: 17 July 2017 at 8:46am

+1 from me too!

Process Monitor : how to analyze promon logs

Author: boopathi
Subject: how to analyze promon logs
Posted: 17 July 2017 at 11:44am

Hi,
I have a problem installing Office 2013. I captured the logs and do not know how to analyze them or what is causing the installation failure.
Uploaded the setup log and Process Monitor log at the URL below. Kindly help me.
https://1drv.ms/f/s!Aj2wii50lHANhFj30Fkr5xREhhJC

RootkitRevealer Usage : Blocking antivirus programs

Author: JaremySoulmate
Subject: Blocking antivirus programs
Posted: 18 July 2017 at 10:12am

You could try restarting your PC in "Safe mode with networking" and see if you can do any malware removal actions? Additionally, you could try running RKill to kill a majority of malicious processes (Not certain it works on rootkits). 
Let me know if it helps.

Utilities Suggestions : OST 2 PST Converter

Author: RusselWood
Subject: OST 2 PST Converter
Posted: 18 July 2017 at 12:39pm

To recover or convert inaccessible or damaged Exchange OST mailbox data, I would like to refer you to an excellent third-party solution, Convert OST to PST. The software is also capable of converting multiple OST files to PST in a single attempt. To get more information about the software, visit https://www.kerneldatarecovery.com/convert-ost-to-pst.html

Troubleshooting : Security and Kernel Dumps

Author: cantoris
Subject: Security and Kernel Dumps
Posted: 18 July 2017 at 5:11pm

I've identified a third-party DLL as the potential cause of an occasional blue screen I've been getting. The [small] developer wants me to upload them a Kernel Dump.

I'm concerned as to the security implications of doing this. Though I have no reason to be suspicious of the developer, what would I be exposing by providing a Kernel Dump?

Thanks for your thoughts!

Miscellaneous Utilities : autologon command line

Author: xerxes2985
Subject: autologon command line
Posted: 18 July 2017 at 5:38pm

From the Autologon page, these are the command line options it shows. However, even when doing this, it prompts me to accept the EULA. I am trying to automate this tool to be used for 90 computers. Any help on how I can eliminate the EULA prompt?

autologon user domain password

Miscellaneous Utilities : Autologon - Windows 10 Domain Joined

Author: xerxes2985
Subject: Autologon - Windows 10 Domain Joined
Posted: 18 July 2017 at 5:38pm

First,

I've gotten Autologon to work on a Windows 10 domain joined computer that is plugged into Ethernet. However, if the system is WiFi only, it will not work, even with the Wireless profile configured to authenticate before logon.

Second,

What is the command-line switch to accept the EULA, so that I can utilize this tool via SCCM to turn on the functionality for 90+ computers?


Edited by xerxes2985 - 1 hour 34 minutes ago at 7:30pm

Process Monitor : Implementation Funcs of Operations

Author: sredna
Subject: Implementation Funcs of Operations
Posted: 18 July 2017 at 11:04pm

These are process operations, not FS operations in ProcMon IIRC.
CreateFileMapping might be NtCreateSection and not actually CreateFileMapping. Load Image is probably LdrLoadDll (LoadLibrary) or a section loaded and mapped as SEC_IMAGE (on a phone right now, can't check).
 
You can just check the stack for the operation to see which functions are called...
