Channel: Sysinternals Forums

PsTools : PSEXEC - Format output log

Author: DHeinz
Subject: PSEXEC - Format output log
Posted: 20 September 2017 at 2:29pm


I am currently running a bat file to clear the KMS cache.

cmd line:

psexec @KMS.txt cscript c:\Windows\System32\slmgr.vbs /ckms > "\\PCName\C$\Users\Me\Desktop\KMS Activation\ClearCache.log"

The problem is that the log file lists the individual PC names after the success or failure messages rather than next to them.

Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Installed product key 11111-11111-11111-11111-11111 successfully.
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Installed product key 11111-11111-11111-11111-11111 successfully.
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.
Installed product key 11111-11111-11111-11111-11111 successfully.
\\12345-3-A010000:
\\67899-5-A000001:
\\98765-1-A-00002:

Is there a way to format the output so that the name is next to the actual success or failure?



Edited by DHeinz - 3 minutes ago at 2:56pm
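One way to get each machine's name beside its own result, as an added example that is not from the original post: run psexec once per computer instead of once with @KMS.txt, so every line of output can be tagged with the host it came from before it reaches the log. It assumes psexec.exe is on PATH and that KMS.txt holds one computer name per line; both file paths are placeholders.

```powershell
# Added example, not from the original post. Runs slmgr /ckms host by host so
# every output line is prefixed with the computer it came from.
# Assumptions: psexec.exe on PATH; KMS.txt holds one computer name per line;
# both paths below are placeholders.
$listPath = 'C:\Temp\KMS.txt'
$logPath  = 'C:\Temp\ClearCache.log'

$computers = Get-Content -Path $listPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($computer in $computers) {
    # //nologo drops the two Windows Script Host banner lines seen in the original log.
    # 2>&1 folds psexec's own status messages (written to stderr) into the same
    # stream, so an unreachable host or an access error is labelled as well.
    $output   = & psexec.exe -accepteula "\\$computer" cscript //nologo C:\Windows\System32\slmgr.vbs /ckms 2>&1
    $exitCode = $LASTEXITCODE   # psexec returns the exit code of the remote cscript

    foreach ($line in @($output)) {
        $text = "$line".Trim()
        if ($text) { "$computer`t$exitCode`t$text" }   # one tab-separated record per output line
    }
}

$results | Set-Content -Path $logPath -Encoding UTF8
Write-Host "Wrote $(@($results).Count) line(s) for $(@($computers).Count) computer(s) to $logPath"
```

Each log line is then computer name, exit code, message, so a success line and a failure line are both unambiguous, and a host that could not be reached still gets a line (psexec's own error text) instead of silently disappearing from the log.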

Miscellaneous Utilities : Sysmon login loop

Author: Geriden
Subject: Sysmon login loop
Posted: 21 September 2017 at 8:56am

In case anybody is interested or experiencing the same issue, I've been offered a fix from "SwiftOnSecurity" that seems to have done the trick.

I've edited my config.xml <Sysmon schemaversion="3.30"> and changed the value to 3.40.
Re-inserted the <ImageLoad> parameters and all is working well :)

I'll post back here if anything changes but all has been well for the past day.

Autoruns : Suggestion: autorunsc - Proxy aware

Author: spaz1729
Subject: Suggestion: autorunsc - Proxy aware
Posted: 21 September 2017 at 2:20pm

We have this issue as well. You can set the winhttp proxy and it will allow the lookup.

Netsh winhttp set proxy proxy-server=PROXYSERVER:PORT bypass-list="EXCLUSIONS"

The bypass-list section is optional.

Development : Enumerate all SetCoalescableTimer() timers?

Author: red-ray
Subject: Enumerate all SetCoalescableTimer() timers?
Posted: 22 September 2017 at 7:49am

Is there a way to enumerate all active timers started with SetTimer() or SetCoalescableTimer() please? I wish to do this for all processes/windows, but thus far have not been able to find out how to do this and suspect it may not be possible.

Below you can see I have managed to do this for CreateWaitableTimer(), use NtQuerySystemInformation( SystemHandleInformation, ... ) and then scan for handles to Timer objects.

If I need to I can do this in my kernel mode driver, but obviously would prefer to do this totally in user mode.

I only really need this to work on Windows 7 and later, but ideally would support earlier versions of Windows and the CreateWaitableTimer() reporting works on NT V4.00 and later.
 

Site Bugs : Image uploading not working: 500 server error

Author: red-ray
Subject: Image uploading not working: 500 server error
Posted: 22 September 2017 at 8:25am

I can confirm I was getting the same, but managed to upload an image after several attempts

Development : How to access my device using the CreateFile() API?

Miscellaneous Utilities : Closing multiple handles

Author: TommyC
Subject: Closing multiple handles
Posted: 22 September 2017 at 9:07am

I understand the implications of closing multiple handles without vetting each one beforehand. However, the third party developer has troubleshot this issue with us over several days and can't find a root cause since we currently are using the application outside of scope.

A new application solution is on the way, but in the meantime I would like to have a slightly less ghastly workaround to our current issue than to kill the process and/or restart the server.

Also, the handle leak is almost certainly caused in event handles and net call handles which should minimize the fallout if we close them (as opposed to closing file handles which most of the time leads to data corruption).

What I'm looking for is a way to automate closing all handles of a specific type should the total amount of handles for PID x surpass a given cutoff (for instance 3000 handles)

Shouldn't be impossible with a for loop and using handle.exe but I'm stumped. I can't seem to parse the output from handle.exe and filter by handle type.

Both handle.exe and Process Explorer in and of themselves only allow manually closing handles one by one, and when this issue gets out of hand we can easily have well beyond 100k handles.
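One way to script the cutoff-driven cleanup described in this post, as an added example that is not from the original post or from Sysinternals: check the process's handle count, parse the listing from handle.exe to group handles by object type, and close only the handles of the chosen type once the count passes the cutoff. It assumes handle.exe is on PATH and is run elevated; the PID is a placeholder, and without -Close the script only reports what it would do.

```powershell
# Added example, not from the original post. Closes handles of one object type
# in one process, but only after that process exceeds a handle-count cutoff.
# Assumptions: Sysinternals handle.exe on PATH, run elevated; the PID below is
# a placeholder. Without -Close the script only reports what it would do.
param(
    [int]$TargetPid     = 1234,      # placeholder PID
    [int]$Cutoff        = 3000,
    [string]$HandleType = 'Event',
    [switch]$Close
)

$count = (Get-Process -Id $TargetPid -ErrorAction Stop).HandleCount
if ($count -le $Cutoff) {
    "PID $TargetPid holds $count handles, at or under the cutoff of $Cutoff; nothing to do."
    return
}

# handle -a lists every handle in the process (without -a only file-related
# handles are shown). Each handle line starts with the hex handle value and a
# colon, then the object type, e.g. "   1C: Event" or
# "   48: File  (RW-)   C:\logs\app.log"; banner and header lines do not match.
$listing = & handle.exe -accepteula -a -p $TargetPid
$perType = @{}
$toClose = @(
    foreach ($line in $listing) {
        if ($line -match '^\s*([0-9A-Fa-f]+):\s+(\S+)') {
            $type = $Matches[2]
            $perType[$type] = 1 + [int]$perType[$type]
            if ($type -eq $HandleType) { $Matches[1] }   # collect the handle value
        }
    }
)

"PID $TargetPid holds $count handles (cutoff $Cutoff). Breakdown by type:"
$perType.GetEnumerator() | Sort-Object Value -Descending |
    ForEach-Object { '  {0,-14} {1,6}' -f $_.Key, $_.Value }

if (-not $Close) {
    "Dry run: would close $($toClose.Count) $HandleType handle(s). Re-run with -Close to do it."
    return
}

foreach ($h in $toClose) {
    # -c closes one handle by its hex value, -y answers the confirmation prompt
    & handle.exe -accepteula -c $h -p $TargetPid -y | Out-Null
}
"Closed $($toClose.Count) $HandleType handle(s) in PID $TargetPid."
```

The per-type breakdown is worth looking at before ever passing -Close: if the leak is really in Event handles that type will dominate the table, and if it is not, closing them buys nothing. Run it from a scheduled task or a loop with the dry run first, then add -Close once the counts confirm which type is leaking.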

PsTools : How to convert OLM to PST?

Author: crickwilli
Subject: How to convert OLM to PST?
Posted: 22 September 2017 at 9:28am

If you want to convert OLM to PST file format, use an effective professional tool, Kernel for OLM to PST Converter Tool. This tool easily converts all email items such as mails, attachments, contacts and calendar events to PST format. The OLM to PST tool is more compatible with Windows 10 and Office 365. It supports all versions of MS Outlook 2016, 2013, 2010, 2007 for Windows (both 32 and 64 Bit Versions). To know more detail click here - http://www.olmfileconverter.net



Process Explorer : Process Explorer shows erroneous process

Author: wdlusen
Subject: Process Explorer shows erroneous process
Posted: 22 September 2017 at 12:57pm

My Process Explorer (and my Visual Studio "Attach" dialog) is showing a process that does NOT show in the Task Manager "Processes" tab (but it does show in the Task Manager "Details" tab).  Strangely, this process has persisted with the same PID across hard boots of my system.  The process is listed in ProcExp as CPU=Suspended with minimal resources being used (Private Bytes=72k and Working Set=32k) and a blank Description.

When I try to KILL the process using Process Explorer or Task Manager, I'm given "Access Denied".  When I try to create a dump (mini or full) I get the message "Error writing dump file: Only part of a ReadProcessMemory or WriteProcessMemory request was complete."  I tried this running ProcExp normally and running "as Administrator" with the same results.

This process is an experimental EXE that I created.  I launch it from the Command Prompt in Administrator mode and it runs as a service under my user context.

Does anyone know how I can clean up this (what I can only describe as a ghost) process?

Thanks.

BgInfo : BGInfo "accumulates" values

Author: dkarr
Subject: BGInfo "accumulates" values
Posted: 22 September 2017 at 3:37pm

For quite a while now, when I update the BGInfo background, it prints multiple values for many properties that should only have a single value. For instance, the "MAC Address" property has 12 different MAC addresses. Similarly for "Network Speed", "Network Type", and "Subnet Mask". There are also 12 values for "Network Card", although I would expect more than one network card. There are duplicates in the list, however.

I get the same result if I clear the background and then rerun BGInfo.

BgInfo : BGInfo "accumulates" values

Author: dkarr
Subject: BGInfo "accumulates" values
Posted: 22 September 2017 at 4:55pm

(I started using SysInternals tools 11 years ago, and I still only rank a "Newbie"? :) )

Autoruns : reverse changes

Author: shinnen
Subject: reverse changes
Posted: 23 September 2017 at 3:43am

Hi,
    I made some bad changes while running Windows 7, and now my computer won't boot up. Right now I'm running from my clone. What can I do to reverse the screw up?
Thanks,
...... john

Autoruns : reverse changes

Author: shinnen
Subject: reverse changes
Posted: 23 September 2017 at 3:50am

Oops! I ran my last good configuration and it's running fine now.
Sorry about that.
Thanks,
.... john

Autoruns : [BUG REPORT] v13.80 problem

Author: layman
Subject: [BUG REPORT] v13.80 problem
Posted: 23 September 2017 at 3:26pm

Not only that, but timestamps in the 64-bit version are ludicrous.  4/5/1923? 4/3/1953? 3/12/1910? !!!

Miscellaneous Utilities : SigCheck/ Program Manifests

Author: AS2020
Subject: SigCheck/ Program Manifests
Posted: 24 September 2017 at 1:47am

I discovered the SigCheck utility the other night and like most of the Sysinternals family of utilities, it looks like a real lifesaver when it is needed. An application vendor whose product generates a UAC prompt whenever the program is run insisted that it wasn't anything the program was doing, but rather some vague, unspecified "problem with the user account." The only "problem" was that it was a standard user account, though they claimed that the program did not need administrator privileges and refused to help me any further.

Highly annoyed, I started digging around for a real answer, which led me to SigCheck. I dumped the program's manifest, and sure enough, it contained the following line:

<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

Of course, this is what is generating the UAC prompt as far as I can tell. I created a "RunAsInvoker" shim with the Application Compatibility Toolkit and after that, no UAC prompt, and it seems to run fine otherwise. The vendor claims that over 5,000 other sites do not have or need this fix. My contention now is that if that is true, and the other sites are running the same executable in Windows 7, 8, or 10, they must be working around the problem in essentially one of three other ways: either disabling UAC, giving the user account administrator privileges, or giving the staff an administrator password, all of which I find unacceptable in today's environment. I can't imagine anything else that an average IT administrator would implement; even the Application Compatibility Toolkit is really an advanced topic. The vendor will not explain exactly how these other sites are running the program without one of the workarounds I suggested; essentially, all I am getting is stonewalling. It seems to me that simply removing the line in the manifest would fix this without lowering security.

I am sick of application vendors that do not understand basic Windows architecture, don't give a hoot about security, and refuse to fix their products, and I am planning to make an issue of this until they fix the program. Am I missing anything? Without lowering security, is there any other way to work around a manifest that requests administrator privileges? I just want to make sure I'm on solid ground here before I make a fool of myself.

-- Andrew

Edited by AS2020 - 6 hours 18 minutes ago at 1:50am

Autoruns : I need some help

Author: menagerie
Subject: I need some help
Posted: 25 September 2017 at 4:15am

I've been battling with a hacker for quite some time now. His motive is theft of bandwidth from other apps and to get routing points for proxy use. His signature is that he utilizes software already installed on the system. I got tired of it and ran Darik's Boot and Nuke; he came back. I downloaded a copy of Parted Magic and used the ClamAV to scan all the drives and installation media. Sure enough, there was a Win32 exploit on the Win 7 Pro disk and three Armadillo packers on the Win 7 Home Premium ISO I had downloaded from Microsoft.
This is what I found after running AVG boot CD, Kaspersky Rescue, Bitdefender and one other I don't remember; all of these reported no problems. So I started looking at the Sysinternals scans from Process Explorer and Process Monitor. HijackThis was downloaded and run four times, booting between each run.
I found hidden locked files in the Users folder; after trying to reassign permissions it would not change. That folder was deleted, and along with HijackThis and the Sysinternals Autoruns I cleaned up some more processes with "unknown" listed when verification was requested. Despite everything I have tried I am left with 11 to 14 entries that autostart every time the computer boots. I've included the Autoruns log, Process Explorer log, HijackThis log and Process Monitor log. The file is stored here on MediaFire:
https://www.mediafire.com/file/81oz2n5q6pdpxpl/New%20folder%20%282%29.zip
Any suggestions on clearing these system root files shown on the HijackThis log would be appreciated. I don't even know how to find and edit this root location; it's the same ones at every boot, so there's something hidden in that root folder that is autostarting these processes.

Process Monitor : Want: Find Registry Keys Left By Free Trial

Author: otcbullship
Subject: Want: Find Registry Keys Left By Free Trial
Posted: 25 September 2017 at 5:31am

I used the process monitor to find processes that were left by a free trial software.
For my own educational purpose, I want to systematically find what kind of registry keys it leaves behind.
It's not really obvious how to find those keys; how can I make my approach systematic?
Thanks!

Miscellaneous Utilities : Sysmon login loop

Author: Geriden
Subject: Sysmon login loop
Posted: 25 September 2017 at 12:04pm

After a week or so of testing, I'm afraid the issue has returned :(

Back to the drawing board.

Autoruns : Autoruns Feature Request (dll hijacking detection)

Author: johnmccash
Subject: Autoruns Feature Request (dll hijacking detection)
Posted: 25 September 2017 at 3:51pm

I have a suggestion for a new feature for Autoruns. I'd like it to flag possible instances of DLL search path hijacking for autorun entries. Would it be possible to, for each entry, scan the associated DLL search path and identify any duplicate filenames found in different elements of the path?

I'm particularly interested in the ability to detect 'AtomBombing', which employs DLL search path hijacking, and is described in full at https://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions.

Thoughts?
John McCash
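A user-mode approximation of the check requested above, as an added example that is not Autoruns code and not from the original post: for one executable, walk the default DLL search order and report any DLL file name that exists in more than one directory of that order, i.e. a copy earlier in the order shadowing one later in it. It assumes the default SafeDllSearchMode order (application directory, System32, the 16-bit System directory, the Windows directory, the current directory, then each PATH entry), skips names listed under KnownDLLs because the loader always takes those from System32, and uses a placeholder executable path.

```powershell
# Added example, not from the original post and not part of Autoruns. For one
# executable, walks the default (SafeDllSearchMode) DLL search order and reports
# DLL names that exist in more than one directory of that order. The first hit
# is what the loader would use; copies later in the order are shadowed by it.
function Find-ShadowedDll {
    param([Parameter(Mandatory)][string]$ExePath)

    $appDir = Split-Path -Parent (Resolve-Path -Path $ExePath).Path
    $win    = $env:SystemRoot
    # Default search order: app dir, System32, 16-bit System dir, Windows dir,
    # current dir, then every PATH entry that exists.
    $order  = @($appDir, "$win\System32", "$win\System", $win, (Get-Location).Path) +
              @($env:Path -split ';' | Where-Object { $_ -and (Test-Path -Path $_) })
    $order  = @($order | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique)

    # KnownDLLs are always loaded from System32 regardless of search order, so a
    # duplicate of one elsewhere is never picked up by a normal load.
    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $known = @((Get-ItemProperty -Path $knownKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Name -notlike 'DllDirectory*' } |
        ForEach-Object { "$($_.Value)".ToLowerInvariant() })

    $seen = @{}   # dll name -> ordered list of directories holding it
    foreach ($dir in $order) {
        foreach ($file in Get-ChildItem -Path $dir -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
            $name = $file.Name.ToLowerInvariant()
            if ($known -contains $name) { continue }
            if (-not $seen.ContainsKey($name)) { $seen[$name] = New-Object System.Collections.Generic.List[string] }
            if (-not $seen[$name].Contains($dir)) { $seen[$name].Add($dir) }
        }
    }

    foreach ($entry in $seen.GetEnumerator()) {
        if ($entry.Value.Count -lt 2) { continue }
        [pscustomobject]@{
            Dll        = $entry.Key
            LoadedFrom = $entry.Value[0]
            ShadowedIn = ($entry.Value | Select-Object -Skip 1) -join '; '
        }
    }
}

# Usage (placeholder path); the rows worth a second look are DLLs whose
# LoadedFrom is the application directory while a copy also sits in System32.
Find-ShadowedDll -ExePath 'C:\Program Files\Example\app.exe' |
    Sort-Object Dll | Format-Table -AutoSize
```

Expect noise: vendors routinely ship a private copy of a runtime DLL beside their executable, and two unrelated tools on PATH often carry the same helper DLL, so a duplicate name on its own is not evidence of tampering. The check narrows to something actionable when it is joined with the executable's import list (sigcheck or dumpbin will show it) so that only names the program actually loads are kept, and when a flagged copy in the application directory turns out to be unsigned or newer than the installation itself.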

Process Monitor : Want: Find Registry Keys Left By Free Trial

Author: sredna
Subject: Want: Find Registry Keys Left By Free Trial
Posted: 25 September 2017 at 10:29pm

Try something like regshot on a fresh machine. Obviously trial software will use some dirty tricks to hide their information, so not everything will be visible even with monitoring tools. (It might use a key's modified date and other metadata.)
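The snapshot-and-compare approach behind regshot, as an added example that is not from the original answer and not regshot's own code: capture chosen registry subtrees before installing the trial, capture them again after uninstalling it, and list every key and value that was added, removed or changed in between. The roots and the snapshot file paths are placeholders; it is meant for a disposable machine, as the answer suggests.

```powershell
# Added example, not from the original answer and not regshot's own code.
# Snapshot selected registry subtrees, then diff two snapshots to list keys and
# values that appeared, vanished or changed between them.
function Get-RegistrySnapshot {
    param([string[]]$Roots = @('HKCU:\Software', 'HKLM:\SOFTWARE'))   # placeholder roots
    $snap = @{}
    foreach ($root in $Roots) {
        # -ErrorAction SilentlyContinue skips keys the caller is not allowed to read.
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if (-not $key) { continue }
            $snap[$key.Name] = '<key>'
            foreach ($valueName in $key.GetValueNames()) {
                # Values are stored as "keypath\\valuename" so they cannot collide with key paths;
                # multi-string and binary data are flattened to one comparable string.
                $data = (@($key.GetValue($valueName)) | ForEach-Object { "$_" }) -join ','
                $snap["$($key.Name)\\$valueName"] = $data
            }
        }
    }
    $snap
}

function Compare-RegistrySnapshot {
    param([hashtable]$Before, [hashtable]$After)
    foreach ($path in $After.Keys) {
        if (-not $Before.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Added';   Path = $path; Before = $null;         After = $After[$path] }
        } elseif ($Before[$path] -ne $After[$path]) {
            [pscustomobject]@{ Change = 'Changed'; Path = $path; Before = $Before[$path]; After = $After[$path] }
        }
    }
    foreach ($path in $Before.Keys) {
        if (-not $After.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $path; Before = $Before[$path]; After = $null }
        }
    }
}

# Usage (placeholder file paths). Run the first line before installing the
# trial, the second after uninstalling it, then compare the two files.
#   Get-RegistrySnapshot | Export-Clixml -Path 'C:\Temp\reg-before.xml'
#   Get-RegistrySnapshot | Export-Clixml -Path 'C:\Temp\reg-after.xml'
Compare-RegistrySnapshot -Before (Import-Clixml -Path 'C:\Temp\reg-before.xml') `
                         -After  (Import-Clixml -Path 'C:\Temp\reg-after.xml') |
    Where-Object { $_.Change -ne 'Removed' } |
    Sort-Object Path | Format-Table -AutoSize
```

The Added and Changed rows are the leftovers the question is after. Two limits match the caveat in the answer: the snapshot records names and data only, so a marker hidden in a key's last-write time is invisible to it, and a value that the trial planted under an existing, innocuous-looking key shows up only as one Changed row among whatever Windows itself altered in the meantime, which is why a fresh machine with little background churn gives a readable diff.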