book

Troubleshooting with the Windows Sysinternals Tools

Name: Troubleshooting with the Windows Sysinternals Tools
ISBN: 9780133986549

by Mark Russinovich, Aaron Margosis

October 2016

Intermediate to advanced

688 pages

21h 41m

English

Microsoft Press

Read now

Unlock full access

Cover
Title Page
Copyright Page
Contents at a glance
Table of Contents
Foreword
Introduction
Tools the book coversThe history of SysinternalsWho should read this bookAssumptionsOrganization of this bookConventions and features in this bookSystem requirementsLate-breaking changesAcknowledgmentsErrata, updates, and book supportFree ebooks from Microsoft PressWe want to hear from youStay in touch
Part I: Getting started
Chapter 1. Getting started with the Sysinternals utilities
Overview of the utilitiesThe Windows Sysinternals websiteDownloading the utilitiesRunning the utilities directly from the webSingle executable imageThe Windows Sysinternals forumsWindows Sysinternals site blogMark’s blogMark’s webcastsSysinternals license informationEnd User License Agreement and the /accepteula switchFrequently asked questions about Sysinternals licensing
Chapter 2. Windows core concepts
Administrative rightsProcesses, threads, and jobsUser mode and kernel modeHandlesApplication isolationApp ContainersProtected processesCall stacks and symbolsWhat is a call stack?What are symbols?Configuring symbolsSessions, window stations, desktops, and window messagesRemote desktop services sessionsWindow stationsDesktopsWindow messages

Chapter 3. Process Explorer
Procexp overviewMeasuring CPU consumptionAdministrative rightsMain windowProcess listCustomizing column selectionsSaving displayed dataToolbar referenceIdentifying the process that owns a windowStatus barDLLs and handlesFinding DLLs or handlesDLL viewHandle viewProcess detailsImage tabPerformance tabPerformance Graph tabGPU Graph tabThreads tabTCP/IP tabSecurity tabEnvironment tabStrings tabServices tab.NET tabsJob tabThread detailsVerifying image signaturesVirusTotal analysisSystem informationCPU tabMemory tabI/O tabGPU tabDisplay optionsProcexp as a Task Manager replacementCreating processes from ProcexpOther user sessionsMiscellaneous featuresShutdown optionsCommand-line switchesRestoring Procexp defaultsKeyboard shortcut reference
Chapter 4. Autoruns
Autoruns fundamentalsDisabling or deleting autostart entriesAutoruns and administrative permissionsVerifying code signaturesVirusTotal analysisHiding entriesGetting more information about an entryViewing the autostarts of other usersViewing ASEPs of an offline systemChanging the fontAutostart categoriesLogonExplorerInternet ExplorerScheduled TasksServicesDriversCodecsBoot ExecuteImage hijacksAppInitKnownDLLsWinlogonWinsock providersPrint monitorsLSA providersNetwork providersWMISidebar gadgetsOfficeSaving and comparing resultsSaving as tab-delimited textSaving in binary (.arn) formatViewing and comparing saved resultsAutorunsCAutoruns and malware
Part II: Usage guide
Chapter 5. Process Monitor
Getting started with ProcmonEventsUnderstanding the column display defaultsCustomizing the column displayEvent Properties dialog boxDisplaying profiling eventsFinding an eventCopying event dataJumping to a registry or file locationSearching onlineFiltering, highlighting, and bookmarkingConfiguring filtersConfiguring highlightingBookmarkingAdvanced outputSaving filters for later useProcess TreeSaving and opening Procmon tracesSaving Procmon tracesProcmon XML schemaOpening saved Procmon tracesLogging boot, post-logoff, and shutdown activityBoot loggingKeeping Procmon running after logoffLong-running traces and controlling log sizesDrop filtered eventsHistory depthBacking filesImporting and exporting configuration settingsAutomating Procmon: command-line optionsAnalysis toolsProcess Activity SummaryFile SummaryRegistry SummaryStack SummaryNetwork SummaryCross Reference SummaryCount OccurrencesInjecting custom debug output into Procmon tracesToolbar reference
Chapter 6. ProcDump
Command-line syntaxSpecifying which process to monitorAttach to existing processLaunch the target processWorking with Universal Windows Platform applicationsAuto-enabled debugging with AeDebug registrationSpecifying the dump file pathSpecifying criteria for a dumpMonitoring exceptionsDump file optionsMiniplus dumpsProcDump and Procmon: Better togetherRunning ProcDump noninteractivelyViewing the dump in the debugger
Chapter 7. PsTools
Common featuresRemote operationsTroubleshooting remote PsTools connectionsPsExecRemote process exitRedirected console outputPsExec alternate credentialsPsExec command-line optionsProcess performance optionsRemote connectivity optionsRuntime environment optionsPsFilePsGetSidPsInfoPsKillPsListPsLoggedOnPsLogListPsPasswdPsServiceQueryConfigDependSecurityFindSetConfigStart, Stop, Restart, Pause, ContinuePsShutdownPsSuspendPsTools command-line syntaxPsExecPsFilePsGetSidPsInfoPsKillPsListPsLoggedOnPsLogListPsPasswdPsServicePsShutdownPsSuspendPsTools system requirements
Chapter 8. Process and diagnostic utilities
VMMapStarting VMMap and choosing a processThe VMMap windowMemory typesMemory informationTimeline and snapshotsViewing text within memory regionsFinding and copying textViewing allocations from instrumented processesAddress space fragmentationSaving and loading snapshot resultsVMMap command-line optionsRestoring VMMap defaultsDebugViewWhat is debug output?The DebugView displayCapturing user-mode debug outputCapturing kernel-mode debug outputSearching, filtering, and highlighting outputSaving, logging, and printingRemote monitoringLiveKdLiveKd requirementsRunning LiveKdKernel debugger target typesOutput to debugger or dump fileDump contentsHyper-V guest debuggingSymbolsLiveKd examplesListDLLsHandleHandle list and searchHandle countsClosing handles
Chapter 9. Security utilities
SigCheckWhich files to scanSignature verificationVirusTotal analysisAdditional file informationOutput formatMiscellaneousAccessChkWhat are “effective permissions”?Using AccessChkObject typeSearching for access rightsOutput optionsSysmonEvents recorded by SysmonInstalling and configuring SysmonExtracting Sysmon event dataAccessEnumShareEnumShellRunAsAutologonLogonSessionsSDeleteUsing SDeleteHow SDelete works
Chapter 10. Active Directory utilities
AdExplorerConnecting to a domainThe AdExplorer displayObjectsAttributesSearchingSnapshotsAdExplorer configurationAdInsightAdInsight data captureDisplay optionsFinding information of interestFiltering resultsSaving and exporting AdInsight dataCommand-line optionsAdRestore
Chapter 11. Desktop utilities
BgInfoConfiguring data to displayAppearance optionsSaving BgInfo configuration for later useOther output optionsUpdating other desktopsDesktopsZoomItUsing ZoomItZoom modeDrawing modeTyping modeBreak TimerLiveZoom
Chapter 12. File utilities
StringsStreamsNTFS link utilitiesJunctionFindLinksDisk Usage (DU)Post-reboot file operation utilitiesPendMovesMoveFile
Chapter 13. Disk utilities
Disk2VhdSyncDiskViewContigDefragmenting existing filesAnalyzing fragmentation of existing filesAnalyzing free-space fragmentationCreating a contiguous fileDiskExtLDMDumpVolumeID
Chapter 14. Network and communication utilities
PsPingICMP PingTCP PingPsPing server modeTCP/UDP latency testTCP/UDP bandwidth testPsPing histogramsTCPViewWhois
Chapter 15. System information utilities
RAMMapUse CountsProcessesPriority SummaryPhysical PagesPhysical RangesFile SummaryFile DetailsPurging physical memorySaving and loading snapshotsRegistry Usage (RU)CoreInfo–c: Dump information on cores–f: Dump core feature information–g: Dump information on groups–l: Dump information on caches–m: Dump NUMA access cost–n: Dump information on NUMA nodes–s: Dump information on sockets–v: Dump only virtualization-related featuresWinObjLoadOrderPipeListClockRes
Chapter 16. Miscellaneous utilities
RegJumpHex2DecRegDelNullBluescreen Screen SaverCtrl2Cap
Part III: Troubleshooting—“The Case of the Unexplained...”
Chapter 17. Error messages
Troubleshooting error messagesThe Case of the Locked FolderThe Case of the File In Use ErrorThe Case of the Unknown Photo Viewer ErrorThe Case of the Failing ActiveX RegistrationThe Case of the Failed Play-ToThe Case of the Installation FailureThe troubleshootingThe analysisThe Case of the Unreadable Text FilesThe Case of the Missing Folder AssociationThe Case of the Temporary Registry ProfilesThe Case of the Office RMS ErrorThe Case of the Failed Forest Functional Level Raise
Chapter 18. Crashes
Troubleshooting crashesThe Case of the Failed AV UpdateThe Case of the Crashing Proksi UtilityThe Case of the Failed Network Location Awareness ServiceThe Case of the Failed EMET UpgradeThe Case of the Missing Crash DumpThe Case of the Random Sluggishness
Chapter 19. Hangs and sluggish performance
Troubleshooting hangs and sluggish performanceThe Case of the IExplore-Pegged CPUThe Case of the Runaway WebsiteThe Case of the Excessive ReadyBoostThe Case of the Stuttering Laptop Blu-ray PlayerThe Case of the Company 15-Minute LogonsThe Case of the Hanging PayPal EmailsThe Case of the Hanging Accounting SoftwareThe Case of the Slow Keynote DemoThe Case of the Slow Project File OpensThe Compound Case of the Outlook Hangs
Chapter 20. Malware
Troubleshooting malwareStuxnetMalware and the Sysinternals utilitiesThe Stuxnet infection vectorStuxnet on Windows XPLooking deeperFiltering to find relevant eventsStuxnet system modificationsThe .PNF filesWindows 7 elevation of privilegeStuxnet revealed by the Sysinternals utilitiesThe Case of the Strange RebootsThe Case of the Fake Java UpdaterThe Case of the Winwebsec ScarewareThe Case of the Runaway GPUThe Case of the Unexplained FTP ConnectionsThe Case of the Misconfigured ServiceThe Case of the Sysinternals-Blocking MalwareThe Case of the Process-Killing MalwareThe Case of the Fake System ComponentThe Case of the Mysterious ASEP
Chapter 21. Understanding system behavior
The Case of the Q: DriveThe Case of the Unexplained Network ConnectionsThe Case of the Short-Lived ProcessesThe Case of the App Install RecorderThe Case of the Unknown NTLM Communications
Chapter 22. Developer troubleshooting
The Case of the Broken Kerberos DelegationThe Case of the ProcDump Memory Leak
Index
About the Authors
Survey
Code Snippets

Overview

Optimize Windows system reliability and performance with Sysinternals

IT pros and power users consider the free Windows Sysinternals tools indispensable for diagnosing, troubleshooting, and deeply understanding the Windows platform. In this extensively updated guide, Sysinternals creator Mark Russinovich and Windows expert Aaron Margosis help you use these powerful tools to optimize any Windows system’s reliability, efficiency, performance, and security. The authors first explain Sysinternals’ capabilities and help you get started fast. Next, they offer in-depth coverage of each major tool, from Process Explorer and Process Monitor to Sysinternals’ security and file utilities. Then, building on this knowledge, they show the tools being used to solve real-world cases involving error messages, hangs, sluggishness, malware infections, and much more.

Windows Sysinternals creator Mark Russinovich and Aaron Margosis show you how to:

Use Process Explorer to display detailed process and system information

Use Process Monitor to capture low-level system events, and quickly filter the output to narrow down root causes

List, categorize, and manage software that starts when you start or sign in to your computer, or when you run Microsoft Office or Internet Explorer

Verify digital signatures of files, of running programs, and of the modules loaded in those programs

Use Autoruns, Process Explorer, Sigcheck, and Process Monitor features that can identify and clean malware infestations

Inspect permissions on files, keys, services, shares, and other objects

Use Sysmon to monitor security-relevant events across your network

Generate memory dumps when a process meets specified criteria

Execute processes remotely, and close files that were opened remotely

Manage Active Directory objects and trace LDAP API calls

Capture detailed data about processors, memory, and clocks

Troubleshoot unbootable devices, file-in-use errors, unexplained communication, and many other problems

Understand Windows core concepts that aren’t well-documented elsewhere

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Mastering Windows Security and Hardening - Second Edition

Publisher Resources

ISBN: 9780133986549Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills