ebook img

Troubleshooting with the Windows Sysinternals Tools 2nd Edition PDF

689 Pages·2016·32.46 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Troubleshooting with the Windows Sysinternals Tools 2nd Edition

ptg18144896 Troubleshooting with the Windows Sysinternals Tools ptg18144896 Mark Russinovich Aaron Margosis PUBLISHED BY Microsoft Press A division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2016 by Mark Russinovich and Aaron Margosis All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Library of Congress Control Number: 2014951871 ISBN: 978-0-7356-8444-7 Printed and bound in the United States of America. First Printing Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Support at [email protected]. Please tell us what you think of this book at http://aka.ms/tellpress. This book is provided “as-is” and expresses the author’s views and opinions. The views, opinions and information expressed in this book, including URL and other Internet website references, may change without notice. ptg18144896 Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. Microsoft and the trademarks listed at http://www.microsoft.com on the “Trademarks” webpage are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. Acquisitions Editor: Devon Musgrave Developmental Editor: Carol Dillingham Project Editor: Carol Dillingham Editorial Production: Waypoint Press Technical Reviewer: Christophe Nasarre; Technical review services provided by Content Master, a member of CM Group, Ltd. Copyeditor: Roger LeBlanc Indexer: Christina Palaia Cover: Twist Creative • Seattle Contents at a glance PART I GETTING STARTED CHAPTER 1 Getting started with the Sysinternals utilities 3 CHAPTER 2 Windows core concepts 15 CHAPTER 3 Process Explorer 41 CHAPTER 4 Autoruns 113 PART II USAGE GUIDE CHAPTER 5 Process Monitor 145 CHAPTER 6 ProcDump 193 CHAPTER 7 PsTools 219 CHAPTER 8 Process and diagnostic utilities 259 CHAPTER 9 Security utilities 301 ptg18144896 CHAPTER 10 Active Directory utilities 351 CHAPTER 11 Desktop utilities 373 CHAPTER 12 File utilities 389 CHAPTER 13 Disk utilities 401 CHAPTER 14 Network and communication utilities 423 CHAPTER 15 System information utilities 437 CHAPTER 16 Miscellaneous utilities 461 PART III TROUBLESHOOTING—“THE CASE OF THE UNEXPLAINED…” CHAPTER 17 Error messages 467 CHAPTER 18 Crashes 495 CHAPTER 19 Hangs and sluggish performance 509 CHAPTER 20 Malware 545 CHAPTER 21 Understanding system behavior 607 CHAPTER 22 Developer troubleshooting 631 This page intentionally left blank ptg18144896 Table of Contents Foreword .......................................................xix Introduction ....................................................xxi PART I GETTING STARTED Chapter 1 Getting started with the Sysinternals utilities 3 Overview of the utilities ............................................3 The Windows Sysinternals website. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Downloading the utilities .....................................7 Running the utilities directly from the web .....................10 Single executable image .....................................11 The Windows Sysinternals forums .............................11 Windows Sysinternals site blog ...............................12 Mark’s blog ................................................12 ptg18144896 Mark’s webcasts ............................................13 Sysinternals license information ....................................13 End User License Agreement and the /accepteula switch ........13 Frequently asked questions about Sysinternals licensing .........14 Chapter 2 Windows core concepts 15 Administrative rights .............................................16 Processes, threads, and jobs .......................................19 User mode and kernel mode ......................................20 Handles .........................................................21 Application isolation ..............................................22 App Containers .............................................23 Protected processes .........................................28 Call stacks and symbols ...........................................30 What is a call stack? .........................................30 What are symbols? ..........................................31 Configuring symbols ........................................33 v Sessions, window stations, desktops, and window messages ...........35 Remote desktop services sessions .............................36 Window stations ............................................37 Desktops ..................................................37 Window messages ..........................................39 Chapter 3 Process Explorer 41 Procexp overview ................................................41 Measuring CPU consumption ................................43 Administrative rights ........................................44 Main window ....................................................45 Process list .................................................45 Customizing column selections ...............................55 Saving displayed data .......................................69 Toolbar reference ...........................................69 Identifying the process that owns a window ...................71 Status bar ..................................................71 ptg18144896 DLLs and handles ................................................72 Finding DLLs or handles .....................................73 DLL view ...................................................74 Handle view ................................................79 Process details ...................................................83 Image tab .................................................84 Performance tab ............................................86 Performance Graph tab .....................................87 GPU Graph tab .............................................88 Threads tab ................................................89 TCP/IP tab .................................................89 Security tab ................................................90 Environment tab ............................................91 Strings tab .................................................92 Services tab ................................................93 .NET tabs ..................................................94 Job tab ....................................................95 Thread details ...................................................96 Verifying image signatures ........................................99 vi Contents VirusTotal analysis ...............................................100 System information ..............................................102 CPU tab ..................................................103 Memory tab ..............................................103 I/O tab ...................................................105 GPU tab ..................................................106 Display options .................................................108 Procexp as a Task Manager replacement ...........................109 Creating processes from Procexp ............................109 Other user sessions ........................................109 Miscellaneous features ...........................................110 Shutdown options .........................................110 Command-line switches ....................................110 Restoring Procexp defaults ..................................110 Keyboard shortcut reference .....................................111 Chapter 4 Autoruns 113 ptg18144896 Autoruns fundamentals ..........................................115 Disabling or deleting autostart entries .......................117 Autoruns and administrative permissions .....................117 Verifying code signatures ...................................118 VirusTotal analysis .........................................119 Hiding entries .............................................120 Getting more information about an entry ....................122 Viewing the autostarts of other users ........................122 Viewing ASEPs of an offline system ..........................123 Changing the font .........................................123 Autostart categories .............................................124 Logon ....................................................124 Explorer ..................................................126 Internet Explorer ..........................................127 Scheduled Tasks ...........................................128 Services ..................................................129 Drivers ...................................................129 Codecs ...................................................130 Boot Execute ..............................................130 Contents vii Image hijacks .............................................131 AppInit ...................................................132 KnownDLLs ...............................................133 Winlogon .................................................133 Winsock providers .........................................134 Print monitors .............................................135 LSA providers .............................................135 Network providers .........................................135 WMI .....................................................136 Sidebar gadgets ...........................................136 Office ....................................................136 Saving and comparing results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137 Saving as tab-delimited text ................................137 Saving in binary (.arn) format ...............................137 Viewing and comparing saved results ........................138 AutorunsC ......................................................138 Autoruns and malware ...........................................141 ptg18144896 PART II USAGE GUIDE Chapter 5 Process Monitor 145 Getting started with Procmon ....................................146 Events .........................................................148 Understanding the column display defaults ...................149 Customizing the column display .............................151 Event Properties dialog box .................................153 Displaying profiling events ..................................158 Finding an event ...........................................159 Copying event data ........................................160 Jumping to a registry or file location .........................160 Searching online ...........................................160 Filtering, highlighting, and bookmarking ...........................161 Configuring filters .........................................161 Configuring highlighting ...................................164 Bookmarking ..............................................165 Advanced output ..........................................165 Saving filters for later use ...................................166 viii Contents Process Tree ....................................................168 Saving and opening Procmon traces ...............................169 Saving Procmon traces .....................................169 Procmon XML schema ......................................171 Opening saved Procmon traces ..............................174 Logging boot, post-logoff, and shutdown activity ...................175 Boot logging ..............................................175 Keeping Procmon running after logoff .......................177 Long-running traces and controlling log sizes ......................178 Drop filtered events ........................................178 History depth .............................................178 Backing files ..............................................179 Importing and exporting configuration settings ....................180 Automating Procmon: command-line options ......................180 Analysis tools ...................................................183 Process Activity Summary ..................................183 ptg18144896 File Summary .............................................184 Registry Summary .........................................186 Stack Summary ............................................187 Network Summary .........................................188 Cross Reference Summary ..................................189 Count Occurrences ........................................189 Injecting custom debug output into Procmon traces ................190 Toolbar reference ...............................................191 Chapter 6 ProcDump 193 Command-line syntax ...........................................195 Specifying which process to monitor ..............................198 Attach to existing process ..................................198 Launch the target process ..................................199 Working with Universal Windows Platform applications ........200 Auto-enabled debugging with AeDebug registration ..........201 Specifying the dump file path ....................................203 Specifying criteria for a dump ....................................204 Monitoring exceptions ...........................................208 Contents ix

Description:
An app can call a Windows Runtime (WinRT). API to request access to a WinRT API to display the File Open picker to the user, allowing the user to choose a file. Because this user He started to panic, breaking out into a sweat and calling the flight attendant to bring him a stiff drink (actually,
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.