Channel: Sysinternals Forums
Viewing all 10386 articles

Process Monitor : solution to NAME COLLISION in temp folders

Author: mikegrok
Subject: solution to NAME COLLISION in temp folders
Posted: 13 June 2013 at 11:19pm

I work in IT for a company that has a number of vertical applications. The developer who wrote the application in this case sits about 20 feet from me, so I will not find solutions to my problems on the internet in general, because the applications only run on a single computer, so I have to get into the grit of things to find out the problems.

I keep seeing "path not found", "Name not found", and "NAME COLLISION" errors in procmon when I run it on her server.


Part two also applies to "NAME COLLISION" result when doing the CreateFile operation with Synchronize in the details.

This solution applies to "NAME COLLISION" errors during CreateFile in the folders:
C:\Users\<username>\AppData\LocalLow - the location of the dummy file backing the disk cache
C:\Users\<username>\AppData\Local\Temp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows

The solution is to log in via Remote Desktop as the user the task is running as.
Disable IE ESC
You can get there by pressing start, then typing, "Server Manager". "Configure IE ESC" is on the right hand side under "Security Information" section.
Launch Internet explorer.
Complete the internet explorer setup with default settings.
I am not sure if this is needed:
    Go to Internet Options, click Connections, click Setup, choose "Browse the Internet", Click OK

Now the folder structure is there for the files to be created in. Unlike manually creating this folder structure, which gets purged on reboot, now the folder structure gets recreated every boot.

Since these are temp files, they don't actually exist anywhere until they are closed. These folders are used for dynamically compiled applications. For instance I have an application that has 8 worker processes. Each worker process gets compiled on the fly (C sharp thing), and the exe is located in this folder with only the DLLs it needs, to lower the ram footprint of the processes. However on launch, there are persistent errors, until it finally works. What happens is that as soon as the compiler closed the file, the antivirus scans the file. Once the antivirus application is complete, the worker process gets launched.

So you have two options, depending on your needs.
1, stay safe.
!!! WARNING Don't do this if you browse the web on this computer, SERVERS ONLY.
2, tell your antivirus to ignore these folders.

Best of luck,
-Michael
Please post if this was helpful to you, or if you have some insight to make a better solution. This reduced the runtime of my hourly process from 65 minutes (crashing every other run) to 45 minutes.

Process Monitor : Extracting Useful Procmon.exe data

Author: a-mahint
Subject: Extracting Useful Procmon.exe data
Posted: 14 June 2013 at 12:15am

I am wondering if anyone has ever attempted to extract some of the data that is found using Procmon.exe?

I am trying to build a simple PowerShell progress bar to basically be an adapter on top of an underlying DISM.exe Image capture/application.

My plan is to somehow extract the Offset property under the Detail field in Process Monitor and use it to construct a percentage of total bytes transferred. Basically do:

Percentage Done = (Offset)/(Total Size of image in bits) * 100

This will give me a fairly accurate number. However, I have no idea how to get to this offset value. Would the only way be to create a low-level C program that does basically what Process Monitor does to get that info? Or is there an easier utility like PowerShell that can get it also?

Suggestions?

PsTools : PSExec Script Help Please

Author: WindowsStar
Subject: PSExec Script Help Please
Posted: 14 June 2013 at 4:45am

@cornfedboy
 
If your organization has approved PowerShell then you don't need psexec at all. You can do everything directly in PowerShell, plus it will work better.
 
Do some googling on how to run PowerShell on a remote machine or against remote machines.
 
psexec is more for command line or CMD scripts where there is no built-in way to access a remote machine.
 
I hope that helps. -WS

Process Explorer : Unable to verify mssearch, sqlmangr, sqlservr.exe

Author: MagicAndre1981
Subject: Unable to verify mssearch, sqlmangr, sqlservr.exe
Posted: 15 June 2013 at 6:51am

You use an OS which has been dead for 3 years and care about 3 digitally signed files? You should upgrade very soon to at least Server 2003, which gets updates till 2015.

Process Explorer : Unable to verify mssearch, sqlmangr, sqlservr.exe

Author: Johnny Lee
Subject: Unable to verify mssearch, sqlmangr, sqlservr.exe
Posted: 15 June 2013 at 6:56am

MagicAndre1981 Not the answer I’m looking for help with. -10



Edited by Johnny Lee - 18 hours 2 minutes ago at 6:58am

Process Monitor : Procmon Durations wrong?

Author: GuyHoozdis
Subject: Procmon Durations wrong?
Posted: 15 June 2013 at 12:47pm

Timing Resolution/granularity

Consider the two APIs GetTickCount() and QueryPerformanceCounter()... I'll let you google the details... or bing it, you can bing that sh** too.

The timestamps ProcMon provides are, more than likely, created using a call to GetTickCount().  In contrast, the duration column would be calculated by taking the difference between two calls to QueryPerformanceCounter() (e.g. duration = t2 - t1).


@skelker
Looking at the last set of data you provided I would say that everything is in working order.  If you add the duration to the timestamp (both data points taken from the same row in your table) the result will equal the timestamp of the next row (+/- error; see topic #1).

I suspect the dataset from the post before that (your first post, skelker) has a typo in the data.

Process Explorer : Unable to verify mssearch, sqlmangr, sqlservr.exe

Author: GuyHoozdis
Subject: Unable to verify mssearch, sqlmangr, sqlservr.exe
Posted: 15 June 2013 at 3:40pm

I don't have a system to replicate your situation, but I'll try my best to answer your question.

Originally posted by Johnny Lee:

[...] how would I know if mssearch.exe, sqlmangr.exe, and sqlservr.exe has been digitally signed or not? 


If I understand your question you would like to verify the integrity of mssearch.exe, sqlmangr.exe, and sqlservr.exe; by which you mean, these binaries were provided by Microsoft and they have not been modified by any third-party since you have received them.

If you haven't already, you might consider installing the entire SysInternals Suite onto your target machine.  You will find a tool called sigcheck in that suite, but you can download it as an individual application too.

You should pay attention to the -i and -h switches for sigcheck; in particular, the "catalog" field of the -i switch will, in the case of a signed file, indicate how the signature is stored on the system.  Microsoft system files are most commonly stored in an archive separate from the binary, but third-party binaries are more likely to have the digital signature embedded into the binary itself.  In the latter case you can use a PE viewer or even the strings tool to locate the embedded signature information.

Now here is some bad news.  I don't think that you can expect sqlmangr.exe or sqlservr.exe to be signed on the platform you are using.  That means that you will have to leverage the file hashes that are provided via the -h switch mentioned above.  Furthermore, you will have to locate "clean" versions of each of those binaries you mentioned so that you can compare your file hash to the hash of the known-good binary.


Reference
Here are some MSDN pages that might be helpful if you want/need to understand more about these topics/details.
  1. Understanding Digital Signatures
  2. Understanding Authenticode
  3. Microsoft's CryptoAPI Tools Reference
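Added example (not part of the post above, and not sigcheck's own code): what a PE viewer actually reads to tell an embedded signature from a catalog-signed or unsigned file, plus the hash comparison the post falls back on. The security data directory (slot 4) points at an embedded Authenticode blob; an empty slot means "not embedded", which is exactly the case where only a catalog lookup can decide. The sample PE images are constructed header-only stubs, not real binaries.

```python
import hashlib
import struct

# Data directory slot 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) holds the file offset and
# size of an embedded Authenticode blob. Catalog-signed Microsoft files leave it empty.
SECURITY_DIR_INDEX = 4


def embedded_signature_range(pe_bytes):
    """Return (offset, size) of the embedded Authenticode blob, or None if absent.

    None means "no embedded signature": the file may still be catalog-signed,
    which only a catalog lookup (sigcheck -i's 'catalog' field) can tell you.
    """
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = e_lfanew + 4 + 20          # skip 'PE\0\0' and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt_off)[0]
    if magic == 0x10B:                   # PE32: NumberOfRvaAndSizes at +92, dirs at +96
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                 # PE32+: NumberOfRvaAndSizes at +108, dirs at +112
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if struct.unpack_from("<I", pe_bytes, count_off)[0] <= SECURITY_DIR_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe_bytes, dirs_off + 8 * SECURITY_DIR_INDEX)
    return (off, size) if size else None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches_known_good(pe_bytes, known_good_sha256):
    """Hash comparison for files that cannot be signature-verified: exact match only."""
    return sha256_hex(pe_bytes) == known_good_sha256.lower()


def build_test_pe(sig_size=0):
    """Constructed header-only PE32+ image for the demo (not a runnable binary)."""
    pe_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", dos, 0x3C, pe_off)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    sig_off = len(dos) + 4 + len(coff) + len(opt) + len(dirs)
    if sig_size:                                            # point slot 4 at the blob
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, sig_off, sig_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(dirs) + b"\xCC" * sig_size


if __name__ == "__main__":
    for label, image in (("no embedded sig", build_test_pe()), ("embedded", build_test_pe(64))):
        print(label, embedded_signature_range(image), sha256_hex(image)[:16])
```

The blob itself is not validated here; a real check would also parse the WIN_CERTIFICATE and verify the PKCS#7 chain, which is what sigcheck does for you.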

Process Explorer : Thread Start Address and Call Stack

Author: GuyHoozdis
Subject: Thread Start Address and Call Stack
Posted: 15 June 2013 at 5:03pm

Remember: You want to install Debugging Tools for Windows and then configure Process Explorer/Monitor (or any debugging tools) to use Microsoft's symbol server so that the stack traces are not gibberish.

Quote: Sometimes the thread start address is in format of "module!function+offset" while other times its something like "module+offset"

I think that you will see the "module+offset" form when it is the main executable (e.g. iTunesHelper.exe+0x17C0 or SomeThirdPartyApp.exe+0x1390) of an application that you do not have the debugging symbols for.  In contrast, take a look at notepad after you are configured to use MS symbols.  You should see notepad.exe!WinMainCRTStartup as the thread's start address.

If you have ever written a C/C++ program it is important to note that WinMainCRTStartup is not the same as the main entry point you defined when you wrote your application (typically WinMain for applications based on the Windows API and simply main for applications based on the Standard Library).  WinMainCRTStartup is some boilerplate code that your compiler adds in for you to set up the runtime environment and invoke the main thread for your application.

Quote: In this stack, shouldn't "chrome.exe!SetPrinterInfo+0x6d20" be the first function to be called?

Part of your confusion might be due to the complex nature of the application you are looking at for an example.  Notepad is a much simpler example to start with and the same ideas still apply when you consider more complex applications.

Below is a stack trace for the single thread that is created when notepad.exe is executed.  I have symbols installed, but for all intents and purposes this is the same as the stack trace that you provided in your post.

From our thread, which started at offset WinMainCRTStartup, we see the stack trace below citing the OS's ring-0 and ring-3 (kernel and userland respectively) code that gets called/executed every time a process/thread is started.  Moreover, you can see that the newly created thread calls into WinMain where, if this were an application that you wrote, the code you actually wrote would begin.
 
[code]
ntoskrnl.exe!KiSwapContext+0x7a
ntoskrnl.exe!KiCommitThreadWait+0x1d2
ntoskrnl.exe!KeWaitForSingleObject+0x19f
win32k.sys!memset+0x7a47
win32k.sys!memset+0x7ae9
win32k.sys!memset+0x6138
win32k.sys!memset+0x623d
win32k.sys!memset+0x7c11
ntoskrnl.exe!KiSystemServiceCopyEnd+0x13
USER32.dll!NtUserGetMessage+0xa
USER32.dll!GetMessageW+0x34
notepad.exe!WinMain+0x182
kernel32.dll!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x1d
[/code]

The offsets that you see here, take WinMain+0x182 as an example, are the points where another call instruction (that's an assembly language instruction) was executed.  Here we see that WinMain called into GetMessageW which called into ....  it goes on and on.

One final point concerning modules, function names, offsets, and why you should be using symbols if possible.  Consider the example you started off with; chrome.exe!SetPrinterInfo+0x62D0.  You should be interpreting that as "SetPrinterInfo is the closest human-friendly symbol that I can give you and the instruction pointer, right now, is 25,296 bytes past that symbol".  If you had symbols for chrome you would find that you are inside an entirely different function and that the SetPrinterInfo function is nowhere near 25,296 bytes long; there are several functions defined between there and here.


I hope that all makes sense.

There is no substitute for tracing through some simple code with a debugger.  I highly recommend doing that; it is very insightful.

Good luck!
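Added example (not from the post above or from Process Explorer's source): the nearest-preceding-symbol rule the post describes, as a small symbolizer. Without any symbols a frame renders as "module+offset"; with a sparse symbol table the address lands 0x62D0 bytes past SetPrinterInfo; with a fuller table the same address resolves into a different, closer function. The symbol names and RVAs are constructed for the demo and are not chrome's.

```python
import bisect


def symbolize(module, rva, symbols=None):
    """Render a code address the way Process Explorer does.

    symbols: list of (rva, name) pairs known for `module`. Without symbols the
    result is 'module+0x<rva>' (the form seen for an .exe with no PDB). With
    symbols, the nearest symbol at or below the address is chosen and the
    remaining distance is printed as the '+offset'.
    """
    if not symbols:
        return "%s+0x%x" % (module, rva)
    table = sorted(symbols)
    i = bisect.bisect_right([r for r, _ in table], rva) - 1
    if i < 0:                      # address precedes every known symbol
        return "%s+0x%x" % (module, rva)
    base, name = table[i]
    return "%s!%s+0x%x" % (module, name, rva - base)


def symbol_offset_bytes(rendered):
    """Parse the hex '+offset' tail of a rendered frame into a byte count."""
    return int(rendered.rsplit("+", 1)[1], 16)


# Constructed, hypothetical symbol tables: the RVAs and names are not chrome's.
# Sparse: only one exported name is known, the situation without a PDB.
SPARSE = [(0x1000, "SetPrinterInfo")]
# Full: the same range with the functions defined in between made visible.
FULL = SPARSE + [(0x1400, "PrintJobCleanup"), (0x2800, "InitRenderer"),
                 (0x7200, "MessagePump")]

ADDRESS = 0x1000 + 0x62D0          # 25,296 bytes past SetPrinterInfo


if __name__ == "__main__":
    print(symbolize("chrome.exe", ADDRESS))            # no symbols at all
    print(symbolize("chrome.exe", ADDRESS, SPARSE))    # exports only
    print(symbolize("chrome.exe", ADDRESS, FULL))      # with proper symbols
```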


BgInfo : BgInfo - Computer info from AD/DC ?

Author: WindowsStar
Subject: BgInfo - Computer info from AD/DC ?
Posted: 15 June 2013 at 8:13pm

Confused. Do you mean ADUC? AC/DC is a band, or does it have other meanings?
 
Next: Your computer name and Active Directory Name are the same??
 
Are you looking for the FQN? or the DN? do you have an example?

Process Explorer : Unable to verify mssearch, sqlmangr, sqlservr.exe

Author: Johnny Lee
Subject: Unable to verify mssearch, sqlmangr, sqlservr.exe
Posted: 15 June 2013 at 8:52pm

Thank you Guy Hoozdis … you do understand my question. 

I like you mentioning to install the entire Sysinternals Suite and plan on looking into this more. My only concern is on the Sysinternals Suite page I could not locate the list of operating systems that the download will run on.  In learning of Process Explorer this past week and then going to their download page, I noticed the version there is 15.31 and is not listed to run on my older system, which led me to search out the highest version that runs on my older system and download it. 

Just took a look at Sigcheck page, same problem as mentioned in first paragraph, the version does not run on older system. I’ll do a look-up for the latest version that will run on my older system and download it. This appears to look like a very helpful utility to verify that images are digitally signed, nice tip, and thank you. 

I’ve found the additional information/reference you provided me (and others looking for this) to be extremely informative. In my case of clean versions of each of the binaries mentioned I’ll be able to get them off the installation CD, I think. My reasoning for saying “I think” is due to not knowing if the mentioned binaries would have changed at all when Service Pack 4 was downloaded and installed over the top of the CD install. 

Worth mentioning here: those binaries on the server were off the CD, had been working well, and are in question now after a severe crash that has left the databases unable to connect. Before just jumping in and removing and replacing them I’m trying to understand, if possible, whether they are part of the overall crash problem, i.e. no longer clean. 

Process Monitor : Procmon spawns itself infinitely

Author: Mark
Subject: Procmon spawns itself infinitely
Posted: 15 June 2013 at 9:07pm

I cannot reproduce the issue. Please capture a process monitor log of the recursive standard-user launch from an admin account and post it so that I can take a look. 

Process Explorer : Unable to verify mssearch, sqlmangr, sqlservr.exe

Author: GuyHoozdis
Subject: Unable to verify mssearch, sqlmangr, sqlservr.exe
Posted: 16 June 2013 at 12:25am

Quote: I like you mentioning to install the entire Sysinternals Suite[...]

I'm glad you found my advice helpful.  The SysInternals tools are indispensable; they always have been.

Quote: [...] does not run on older system.  I’ll do a look-up for the latest version that will run on my older system and download it.

Hopefully you found some success here, but I am skeptical about what you will be able to turn up for a few different reasons.
  1. The API calls used by SigCheck were not implemented in Windows 2000 Adv. Svr.
  2. I seem to recall a legitimate MS upgrade, like a service pack, that invalidated all of the OS files' digital signatures.  This might be an issue for your scenario too; in which case, digital signatures would be broken and that would be the expected scenario.  Your only option here would be to verify matching hashes between your binaries and known-good versions of the same binary.
  3. As another forum member indicated, Windows 2000 Advanced Server has reached/passed its end-of-life date and is not officially supported by Microsoft anymore, and there is good reason for that.  I understand that you may have some reason or requirement that is forcing you into your situation.  I feel for you.  Your task is not impossible, but you have your work cut out for you.

Honestly, I would take a step back and re-consider exactly what your problem is, any constraints you have, and what your goal(s) or desired outcome is.  Just take a few minutes to mentally walk through it before you re-commit yourself to the path you have been following.


In your last post you mentioned

Quote: [...] after a severe crash that has left the databases unable to connect.
  1. Do you fear/suspect that malicious code precipitated the crash?  Hopefully not; which means hardware failure, power failure, unintentional software failure, or maybe human error.  No matter how you slice it, you are left with some corruption that is resulting in the "[database's failure] to connect". 
  2. Have you captured a ProcMon trace that covers the scenario? You may have to manually start your SQL server so that you can get ProcMon running before the failure happens.  Otherwise, you will need to enable BootLogging and live with the disadvantage of not being able to collect network events when using the BootLogging feature.
  3. Do you have backups of your data?  If you do then maybe it would be easier to stand-up a new server instance and restore the data from backup files.  Even better, maybe your database files are not compromised and the problem connecting is related to the binaries.  That might mean that you wouldn't need backups to successfully restore your database into a freshly installed server.
  4. What is the paranoia vs. cost-conscious demeanor on your team?  Consider the man-hours that you are facing to fix and then maintain the issue before you.  It would probably be more cost effective to pay for server resources from (pick your favorite F100 technology company).  The catch is that you/your team have to reconcile the fact that your data is somewhat less under your control.
  5. ...

That should get your juices flowing.  You might still decide that your original path is the correct one, but a quick sanity check is... well, sane.

If you do decide to continue down your original path and still want help I can offer a few more approaches.  The simplest being something like "use FC.exe to compare two binaries", and up to the more complicated/involved Windows Debugging Tools (postmortem debugging from crash dumps, possibly live debugging (local/ring-3), or kernel debugging (requires multiple systems)).


Process Monitor : [HELP] The length parameter in the "Detail" column

Author: mohit
Subject: [HELP] The length parameter in the "Detail" column
Posted: 16 June 2013 at 2:38pm

First of all I would like to congratulate the team - a very helpful tool you have delivered to the community!
So while monitoring, I have an entry with the operation "RegQueryKey" which results in "Buffer Overflow" and Detail as: Query: Full, Length: 176
What is that length of? Is it the length of the Key or something else?
Thanks a lot!

Autoruns : Feature request - ShellServiceObjects

Author: GrofLuigi
Subject: Feature request - ShellServiceObjects
Posted: 16 June 2013 at 2:52pm

Any comment on this?



Autoruns : Autoruns can not find 32-bit drivers on x64

Author: GrofLuigi
Subject: Autoruns can not find 32-bit drivers on x64
Posted: 16 June 2013 at 3:07pm

I think the following two images tell the story pretty well...


PortTalk.sys exists in C:\Windows\SysWOW64\drivers\ . All that Autoruns would need to do is to respect the WOW64 flag.

(Edit: Something shrinks the images so they are unreadable. You need to click through on them twice to see them in original size.)

GL




Edited by GrofLuigi - 10 hours 44 minutes ago at 3:16pm

Autoruns : Feature request - ShellServiceObjects

Author: Mark
Subject: Feature request - ShellServiceObjects
Posted: 16 June 2013 at 4:41pm

Look for this in the next update.

Autoruns : Feature request - ShellServiceObjects

Author: GrofLuigi
Subject: Feature request - ShellServiceObjects
Posted: 16 June 2013 at 5:08pm

Thank you!


Process Explorer : Thread Start Address and Call Stack

Author: ThunderCats
Subject: Thread Start Address and Call Stack
Posted: 16 June 2013 at 6:33pm

Hi GuyHoozdis,

Thanks a lot for such an insightful explanation. Part of my problem is that I am not from a computer science background and have never done application development, but I have a general idea how functions are called within a code/program.
One last thing that I would like to ask is, as you mentioned in your post (with the notepad example), its thread start address is notepad.exe!WinMainCRTStartup. Here is what you wrote:

"From our thread, which started at offset WinMainCRTStartup"

WinMainCRTStartup is starting at offset with regards to who? Notepad.exe module or something else. There is another example from Mark's book in which a thread named "rdyboost.sys+0xee0a" is consuming high cpu and he concluded that thread was starting in Rdyboost.sys module.

Thanks

Process Explorer : Thread Start Address and Call Stack

Author: GuyHoozdis
Subject: Thread Start Address and Call Stack
Posted: 16 June 2013 at 8:21pm

Originally posted by ThunderCats:

WinMainCRTStartup is starting at offset with regards to who? Notepad.exe module or something else.

You are correct; with respect to Notepad.

Quote: There is another example from Mark's book in which a thread named "rdyboost.sys+0xee0a" is consuming high cpu and he concluded that thread was starting in Rdyboost.sys module.

That is correct.  The term module refers to an executable image that has been loaded into memory.  Each of these file types (*.exe, *.dll, and *.sys) is based upon the same file format.  It is called the Portable Executable file format and is derived from the older COFF specification.

Glad I was able to help!  Best of luck.

