Channel: Sysinternals Forums

Utilities Suggestions : Tools to trace WMI requests

Author: MagicAndre1981
Subject: Tools to trace WMI requests
Posted: 08 February 2018 at 6:41pm

Use xperf to capture WMI calls and look for the ClientId to see which process is doing the action:

https://i.stack.imgur.com/N9HtQ.png

https://superuser.com/a/949470

Process Explorer : Weird Process is it x86 or X64?

Author: Abdelrahman
Subject: Weird Process is it x86 or X64?
Posted: 08 February 2018 at 6:46pm

Dear MagicAndre1981,
Thanks for replying, but I can't use ProcessHacker in the office because it's blocked by IT Security.
But out of curiosity, what would it show?

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 08 February 2018 at 6:47pm

Originally posted by Splurgeworthy:

I've updated every driver I can find, but I still get ntoskrnl causing huge CPU usage.

Here's my original performance log; fingers crossed you can see what it is.

You have ACPI.sys issues. Check all steps from this topic:

https://superuser.com/a/1135317

Troubleshooting : Need help with Ntoskrnl thread causing high CPU

Author: MagicAndre1981
Subject: Need help with Ntoskrnl thread causing high CPU
Posted: 08 February 2018 at 7:07pm

Originally posted by Fabio465:

@MagicAndre1981
As many others have done over the years, I'm also asking you for help about the "system" process taking up a lot of my CPU (25%). Using Process Explorer I found out that this is the faulty thread --> "ntoskrnl.exe!ExQueryDepthSList+0x158".

I only see ndis.sys as cause. I see you use VPNs, try to remove it and also update all network related code/drivers.

Process Explorer : Cannot view DLL list for some applications

Author: lamikamhsn
Subject: Cannot view DLL list for some applications
Posted: 08 February 2018 at 7:08pm

Environment - Windows 10 Enterprise, x64.
Proc exp version 16.21
I have full Admin rights on the machine.

We have a 32-bit application installed (actually several exes). For one of them, when I try to look at the DLL list in the bottom pane, nothing comes up. If I double click on the process to see the properties, the path field shows "access denied". However, on other applications, the DLL pane comes up just fine. How is that possible?

Process Explorer : Weird Process is it x86 or X64?

Author: MagicAndre1981
Subject: Weird Process is it x86 or X64?
Posted: 08 February 2018 at 7:09pm

Ask your IT to unblock it. It is the open source alternative for Process Explorer. So look if it shows correct data.

Utilities Suggestions : Tools to trace WMI requests

Author: Loic
Subject: Tools to trace WMI requests
Posted: 08 February 2018 at 7:12pm

Hi MagicAndre1981, thanks for your reply. I'm already able to retrieve this information from the Windows event log. But it lacks the volume of data sent in the query's response. In fact, some WMI classes contain a pretty huge amount of information and it's hard to tell which ones without running the queries, see what I mean?

Utilities Suggestions : Tools to trace WMI requests

Author: Loic
Subject: Tools to trace WMI requests
Posted: 09 February 2018 at 6:18am

FYI, this is what I'm using to get the number of WMI queries that have run in the last 4 hours:
$wmilog=Get-WinEvent -ListLog "*wmi*" |select -expand logname
Get-WinEvent -FilterHashtable @{logname=$wmilog ;id=5858;starttime=((get-date).AddHours(-4))} |
 ?{$_.message -match "execquery"} |select @{name="request";expression={($_.message.split(';')[5]).split('-')[1] }} |
 Group-Object request |select count,name |sort count -desc | ft -AutoSize -Wrap
This gives me this result:
Count Name
----- ----
    6  ROOT\CIMV2 : SELECT ChassisTypes FROM Win32_SystemEnclosure 
    4  root\ccm\policy\machine : select Sign, Encrypt from InventoryClientAuthenticationConfig where
      InventoryActionID="{00000000
    2  root\cimv2 : select MaxClockSpeed from Win32_Processor 
    2  ROOT\CIMV2 : SELECT * FROM Win32_PCMCIAControllerDevice 
    1  root\CIMV2 : SELECT SMBIOSAssetTag FROM Win32_SystemEnclosure  
    1  root\CIMV2 : SELECT uuid FROM win32_computersystemproduct  
    1  ROOT\CIMV2 : SELECT ID FROM Win32_ServerFeature 
    1  ROOT\CIMV2 : SELECT SerialNumber FROM Win32_OperatingSystem 
    1  root\Microsoft\Windows\DeviceGuard : SELECT AvailableSecurityProperties FROM Win32_DeviceGuard  
    1  root\Microsoft\Windows\DeviceGuard : SELECT SecurityServicesRunning FROM Win32_DeviceGuard  


Miscellaneous Utilities : Zoom it on Windows 10

Author: daniel.galizi
Subject: Zoom it on Windows 10
Posted: 09 February 2018 at 11:23am

Hi Guys.
I fixed all the issues with ZoomIt. (Thank God!!)
I'm running Windows 10 with two screens, extended. One screen is High DPI.
What you'll need:
* Deactivate the option "Run when windows starts"
* Create a shortcut and put it inside the Windows start folder
* Activate: Disable display scaling on high DPI settings

After that, everything is working fine...

ZoomIt is back!

Utilities Suggestions : Tools to trace WMI requests

Author: MagicAndre1981
Subject: Tools to trace WMI requests
Posted: 09 February 2018 at 6:01pm

But this doesn't show the ProcessId, which is important to see which tool calls the WMI.

Utilities Suggestions : Tools to trace WMI requests

Author: Loic
Subject: Tools to trace WMI requests
Posted: 09 February 2018 at 6:44pm

This is not what I was looking for in this case but the PID is also available in the eventlog
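
Added example, not part of the original thread or any poster's code: one way to report the client PID next to each query, using the same event ID 5858 as the one-liner above. It reads the event's XML instead of splitting the message text; the element names (ClientProcessId, User, Operation) and the function names are assumptions to check against an event's XML view on your own system.

```powershell
# Added example. Element names are assumed from the event's XML view; check yours.
function ConvertFrom-WmiActivityXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    # local-name() matches elements regardless of their XML namespace
    $field = { param($n)
        $node = $doc.SelectSingleNode("//*[local-name()='$n']")
        if ($node) { $node.InnerText.Trim() } }
    $op = & $field 'Operation'
    [pscustomobject]@{
        ClientPid = [int](& $field 'ClientProcessId')
        User      = & $field 'User'
        # Keep everything after the first " - " so a '-' inside the query survives
        Request   = if ($op -match '(?s) - (.+)$') { $Matches[1].Trim() } else { $op }
    }
}

# Live use: count ExecQuery events per (client PID, query) over the last N hours
function Get-WmiQueryByClient {
    param([int]$Hours = 4)
    $filter = @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'
                 Id = 5858; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ExecQuery' } |
        ForEach-Object { ConvertFrom-WmiActivityXml $_.ToXml() } |
        Group-Object ClientPid, Request |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample event (not taken from a real log), so the parser runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5858</EventID></System>
  <UserData>
    <Operation_ClientFailure>
      <ClientMachine>WS-EXAMPLE</ClientMachine>
      <User>EXAMPLE\svc-inventory</User>
      <ClientProcessId>4242</ClientProcessId>
      <Operation>Start IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor</Operation>
      <ResultCode>0x80041010</ResultCode>
    </Operation_ClientFailure>
  </UserData>
</Event>
'@
ConvertFrom-WmiActivityXml $sample | Format-List
```

The client process may already have exited by the time the log is read, so resolve the PID to a process name as close to the event time as possible.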

Miscellaneous Utilities : RAMMAP Error refreshing database

Author: truandale
Subject: RAMMAP Error refreshing database
Posted: 10 February 2018 at 11:17am

Originally posted by MagicAndre1981:

1.32 is out. Check if it works now all the time.

Thank you for the advice. It was the same problem. Now RamMap 1.50 is working for my Microsoft Windows 10 x64 [Version 10.0.16299.192].


BgInfo : Windows 10 WiFi (SSID and Network Band) Properties

Author: nlsdg
Subject: Windows 10 WiFi (SSID and Network Band) Properties
Posted: 10 February 2018 at 8:20pm

This has been asked before (and answered) in this forum.
You can use WMI or a VBS script to get almost any information you want into BgInfo.
See https://forum.sysinternals.com/showing-ssid_topic31284.html for the script.

Regarding the network band: after some Google searches, it seems there is a frequency in the WMI MSNdis_80211_ConfigurationInfo class. The property is DSInfo. Didn't see any complete script. But this info should point you in the right direction.

BgInfo : How to remove BgInfo

Author: alibaba
Subject: How to remove BgInfo
Posted: 11 February 2018 at 3:48am

It's just a wallpaper that you can change to the original style in the desktop background.
 

Miscellaneous Utilities : AD Explorer bug - groups with > 1500 members

Author: pb3000
Subject: AD Explorer bug - groups with > 1500 members
Posted: 11 February 2018 at 11:45am

Hi Everyone,

I've come across what seems to be a bug with AD Explorer - I'm running version 1.44 which I believe is the latest.

It has to do with enumeration of the member attribute of Active Directory groups with more than 1500 members. It appears that if a group has more than 1500 members then the contents of the member attribute of the group are not correctly enumerated.

In all cases if I drill down to the group in AD Explorer and look at its properties, I see 2 entries for the member attribute. The first entry has a count of 0 while the second entry has a count of 1500 - irrespective of the actual amount of users in the group.

Finally if I drill into any of the 2 member attribute entries, no values are listed.

Given that Mark Russinovich has moved on to greater things (CTO Microsoft Azure), I assume that this forum is the best way to report bugs rather than the m*******@microsoft.com address given in Help > About in the software?




BgInfo : BGInfo Wallpaper folder quirkiness

Author: rdege
Subject: BGInfo Wallpaper folder quirkiness
Posted: 12 February 2018 at 7:45pm

I am experiencing a problem/issue with bginfo locating the wallpaper image. Per our AD/GPO admin, the company workstations use a Desktop wallpaper that is located in C:\Windows\System32\oobe\info\backgrounds. However, bginfo is unable to navigate to that subfolder, even though it's accessible to All Users.

Steps to reproduce the problem:
1) Open BGInfo
2) Click Background button
3) Select Use these settings and Wallpaper position as stretch
4) Click the ... button for Wallpaper Bitmap. When you navigate to C:\Windows\System32\oobe, the only two items that are visible are the en-US folder and the background.bmp file.

If I use Windows Explorer, I am able to see the info folder, and cd into it (see attached image). Finally, the ultimate in quirkiness. If I manually copy the company wallpaper into the C:\Windows\System32\oobe folder, the file will not be displayed when browsing for it via bginfo. The only two items that bginfo will display in the oobe folder are en-US and background.bmp. It will not display any sub-folders, or custom image files that I put into the oobe folder.

I must be missing something. What gives?

BgInfo : BGInfo Wallpaper folder quirkiness

Author: WindowsStar
Subject: BGInfo Wallpaper folder quirkiness
Posted: 13 February 2018 at 6:42am

Looks like you are using the wrong location. You should be using Windows 7 (C:\Windows\Web\Wallpaper) or Windows 10 (C:\Windows\Web\Wallpaper\Windows).

BgInfo : BGInfo Wallpaper folder quirkiness

Author: rdege
Subject: BGInfo Wallpaper folder quirkiness
Posted: 13 February 2018 at 12:12pm

You are correct, Windows does have a designated location for wallpapers. However, that shouldn't stop you from storing a wallpaper image in a different location, such as your Pictures folder, or a folder on a data drive.

Be that as it may, I'm more curious why BGInfo does not allow you to select an image that exists below C:\Windows\System32\oobe. If I use Firefox to attach an image to an email in gmail, I'm able to navigate to the info folder without issue. So not all applications have this problem. Is this a bug or a feature? If it's a bug, I'm glad I was able to find it. If it's a feature, I'm genuinely curious why it was set up that way.

Miscellaneous Utilities : Sysmon PipeEvent

Author: Nemo7891
Subject: Sysmon PipeEvent
Posted: 13 February 2018 at 8:27pm

Has anyone gotten any of the PipeEvent messages to log with Sysmon? I am getting very spotty results. Tried it with 7.01 on Win7 and it worked up until a reboot and now I can't get it to work despite numerous reboots and re-installs. And that was a "good" outcome. On other systems I can't get it to log any relevant events, neither Pipe Connected nor Pipe Created, even though I expect hundreds if not thousands of events. Tried with v6.10 and wasn't able to generate any either. I am trying with very basic install options:
sysmon -n -i h * -accepteula
and my config is totally sparse:
<Sysmon schemaversion="4.00">
<HashAlgorithms>md5,sha1,sha256,imphash</HashAlgorithms>
<EventFiltering>
<PipeEvent onmatch="exclude">
</PipeEvent>
</EventFiltering>
</Sysmon>

Any suggestions?