Troubleshooting with the Windows Sysinternals Tools

Book description

Optimize Windows system reliability and performance with Sysinternals

IT pros and power users consider the free Windows Sysinternals tools indispensable for diagnosing, troubleshooting, and deeply understanding the Windows platform. In this extensively updated guide, Sysinternals creator Mark Russinovich and Windows expert Aaron Margosis help you use these powerful tools to optimize any Windows system’s reliability, efficiency, performance, and security. The authors first explain Sysinternals’ capabilities and help you get started fast. Next, they offer in-depth coverage of each major tool, from Process Explorer and Process Monitor to Sysinternals’ security and file utilities. Then, building on this knowledge, they show the tools being used to solve real-world cases involving error messages, hangs, sluggishness, malware infections, and much more.

Windows Sysinternals creator Mark Russinovich and Aaron Margosis show you how to:

  • Use Process Explorer to display detailed process and system information

  • Use Process Monitor to capture low-level system events, and quickly filter the output to narrow down root causes

  • List, categorize, and manage software that starts when you start or sign in to your computer, or when you run Microsoft Office or Internet Explorer

  • Verify digital signatures of files, of running programs, and of the modules loaded in those programs

  • Use Autoruns, Process Explorer, Sigcheck, and Process Monitor features that can identify and clean malware infestations

  • Inspect permissions on files, keys, services, shares, and other objects

  • Use Sysmon to monitor security-relevant events across your network

  • Generate memory dumps when a process meets specified criteria

  • Execute processes remotely, and close files that were opened remotely

  • Manage Active Directory objects and trace LDAP API calls

  • Capture detailed data about processors, memory, and clocks

  • Troubleshoot unbootable devices, file-in-use errors, unexplained communication, and many other problems

  • Understand Windows core concepts that aren’t well-documented elsewhere

Table of contents

    1. Cover
    2. Title Page
    3. Copyright Page
    4. Contents at a glance
    5. Table of Contents
    6. Foreword
    7. Introduction
      1. Tools the book covers
      2. The history of Sysinternals
      3. Who should read this book
        1. Assumptions
      4. Organization of this book
      5. Conventions and features in this book
      6. System requirements
      7. Late-breaking changes
      8. Acknowledgments
      9. Errata, updates, and book support
      10. Free ebooks from Microsoft Press
      11. We want to hear from you
      12. Stay in touch
    8. Part I: Getting started
      1. Chapter 1. Getting started with the Sysinternals utilities
        1. Overview of the utilities
        2. The Windows Sysinternals website
          1. Downloading the utilities
          2. Running the utilities directly from the web
          3. Single executable image
          4. The Windows Sysinternals forums
          5. Windows Sysinternals site blog
          6. Mark’s blog
          7. Mark’s webcasts
        3. Sysinternals license information
          1. End User License Agreement and the /accepteula switch
          2. Frequently asked questions about Sysinternals licensing
      2. Chapter 2. Windows core concepts
        1. Administrative rights
        2. Processes, threads, and jobs
        3. User mode and kernel mode
        4. Handles
        5. Application isolation
          1. App Containers
          2. Protected processes
        6. Call stacks and symbols
          1. What is a call stack?
          2. What are symbols?
          3. Configuring symbols
        7. Sessions, window stations, desktops, and window messages
          1. Remote desktop services sessions
          2. Window stations
          3. Desktops
          4. Window messages
      3. Chapter 3. Process Explorer
        1. Procexp overview
          1. Measuring CPU consumption
          2. Administrative rights
        2. Main window
          1. Process list
          2. Customizing column selections
          3. Saving displayed data
          4. Toolbar reference
          5. Identifying the process that owns a window
          6. Status bar
        3. DLLs and handles
          1. Finding DLLs or handles
          2. DLL view
          3. Handle view
        4. Process details
          1. Image tab
          2. Performance tab
          3. Performance Graph tab
          4. GPU Graph tab
          5. Threads tab
          6. TCP/IP tab
          7. Security tab
          8. Environment tab
          9. Strings tab
          10. Services tab
          11. .NET tabs
          12. Job tab
        5. Thread details
        6. Verifying image signatures
        7. VirusTotal analysis
        8. System information
          1. CPU tab
          2. Memory tab
          3. I/O tab
          4. GPU tab
        9. Display options
        10. Procexp as a Task Manager replacement
          1. Creating processes from Procexp
          2. Other user sessions
        11. Miscellaneous features
          1. Shutdown options
          2. Command-line switches
          3. Restoring Procexp defaults
        12. Keyboard shortcut reference
      4. Chapter 4. Autoruns
        1. Autoruns fundamentals
          1. Disabling or deleting autostart entries
          2. Autoruns and administrative permissions
          3. Verifying code signatures
          4. VirusTotal analysis
          5. Hiding entries
          6. Getting more information about an entry
          7. Viewing the autostarts of other users
          8. Viewing ASEPs of an offline system
          9. Changing the font
        2. Autostart categories
          1. Logon
          2. Explorer
          3. Internet Explorer
          4. Scheduled Tasks
          5. Services
          6. Drivers
          7. Codecs
          8. Boot Execute
          9. Image hijacks
          10. AppInit
          11. KnownDLLs
          12. Winlogon
          13. Winsock providers
          14. Print monitors
          15. LSA providers
          16. Network providers
          17. WMI
          18. Sidebar gadgets
          19. Office
        3. Saving and comparing results
          1. Saving as tab-delimited text
          2. Saving in binary (.arn) format
          3. Viewing and comparing saved results
        4. AutorunsC
        5. Autoruns and malware
    9. Part II: Usage guide
      1. Chapter 5. Process Monitor
        1. Getting started with Procmon
        2. Events
          1. Understanding the column display defaults
          2. Customizing the column display
          3. Event Properties dialog box
          4. Displaying profiling events
          5. Finding an event
          6. Copying event data
          7. Jumping to a registry or file location
          8. Searching online
        3. Filtering, highlighting, and bookmarking
          1. Configuring filters
          2. Configuring highlighting
          3. Bookmarking
          4. Advanced output
          5. Saving filters for later use
        4. Process Tree
        5. Saving and opening Procmon traces
          1. Saving Procmon traces
          2. Procmon XML schema
          3. Opening saved Procmon traces
        6. Logging boot, post-logoff, and shutdown activity
          1. Boot logging
          2. Keeping Procmon running after logoff
        7. Long-running traces and controlling log sizes
          1. Drop filtered events
          2. History depth
          3. Backing files
        8. Importing and exporting configuration settings
        9. Automating Procmon: command-line options
        10. Analysis tools
          1. Process Activity Summary
          2. File Summary
          3. Registry Summary
          4. Stack Summary
          5. Network Summary
          6. Cross Reference Summary
          7. Count Occurrences
        11. Injecting custom debug output into Procmon traces
        12. Toolbar reference
      2. Chapter 6. ProcDump
        1. Command-line syntax
        2. Specifying which process to monitor
          1. Attach to existing process
          2. Launch the target process
          3. Working with Universal Windows Platform applications
          4. Auto-enabled debugging with AeDebug registration
        3. Specifying the dump file path
        4. Specifying criteria for a dump
        5. Monitoring exceptions
        6. Dump file options
        7. Miniplus dumps
        8. ProcDump and Procmon: Better together
        9. Running ProcDump noninteractively
        10. Viewing the dump in the debugger
      3. Chapter 7. PsTools
        1. Common features
          1. Remote operations
          2. Troubleshooting remote PsTools connections
        2. PsExec
          1. Remote process exit
          2. Redirected console output
          3. PsExec alternate credentials
          4. PsExec command-line options
          5. Process performance options
          6. Remote connectivity options
          7. Runtime environment options
        3. PsFile
        4. PsGetSid
        5. PsInfo
        6. PsKill
        7. PsList
        8. PsLoggedOn
        9. PsLogList
        10. PsPasswd
        11. PsService
          1. Query
          2. Config
          3. Depend
          4. Security
          5. Find
          6. SetConfig
          7. Start, Stop, Restart, Pause, Continue
        12. PsShutdown
        13. PsSuspend
        14. PsTools command-line syntax
          1. PsExec
          2. PsFile
          3. PsGetSid
          4. PsInfo
          5. PsKill
          6. PsList
          7. PsLoggedOn
          8. PsLogList
          9. PsPasswd
          10. PsService
          11. PsShutdown
          12. PsSuspend
        15. PsTools system requirements
      4. Chapter 8. Process and diagnostic utilities
        1. VMMap
          1. Starting VMMap and choosing a process
          2. The VMMap window
          3. Memory types
          4. Memory information
          5. Timeline and snapshots
          6. Viewing text within memory regions
          7. Finding and copying text
          8. Viewing allocations from instrumented processes
          9. Address space fragmentation
          10. Saving and loading snapshot results
          11. VMMap command-line options
          12. Restoring VMMap defaults
        2. DebugView
          1. What is debug output?
          2. The DebugView display
          3. Capturing user-mode debug output
          4. Capturing kernel-mode debug output
          5. Searching, filtering, and highlighting output
          6. Saving, logging, and printing
          7. Remote monitoring
        3. LiveKd
          1. LiveKd requirements
          2. Running LiveKd
          3. Kernel debugger target types
          4. Output to debugger or dump file
          5. Dump contents
          6. Hyper-V guest debugging
          7. Symbols
          8. LiveKd examples
        4. ListDLLs
        5. Handle
          1. Handle list and search
          2. Handle counts
          3. Closing handles
      5. Chapter 9. Security utilities
        1. SigCheck
          1. Which files to scan
          2. Signature verification
          3. VirusTotal analysis
          4. Additional file information
          5. Output format
          6. Miscellaneous
        2. AccessChk
          1. What are “effective permissions”?
          2. Using AccessChk
          3. Object type
          4. Searching for access rights
          5. Output options
        3. Sysmon
          1. Events recorded by Sysmon
          2. Installing and configuring Sysmon
          3. Extracting Sysmon event data
        4. AccessEnum
        5. ShareEnum
        6. ShellRunAs
        7. Autologon
        8. LogonSessions
        9. SDelete
          1. Using SDelete
          2. How SDelete works
      6. Chapter 10. Active Directory utilities
        1. AdExplorer
          1. Connecting to a domain
          2. The AdExplorer display
          3. Objects
          4. Attributes
          5. Searching
          6. Snapshots
          7. AdExplorer configuration
        2. AdInsight
          1. AdInsight data capture
          2. Display options
          3. Finding information of interest
          4. Filtering results
          5. Saving and exporting AdInsight data
          6. Command-line options
        3. AdRestore
      7. Chapter 11. Desktop utilities
        1. BgInfo
          1. Configuring data to display
          2. Appearance options
          3. Saving BgInfo configuration for later use
          4. Other output options
          5. Updating other desktops
        2. Desktops
        3. ZoomIt
          1. Using ZoomIt
          2. Zoom mode
          3. Drawing mode
          4. Typing mode
          5. Break Timer
          6. LiveZoom
      8. Chapter 12. File utilities
        1. Strings
        2. Streams
        3. NTFS link utilities
          1. Junction
          2. FindLinks
        4. Disk Usage (DU)
        5. Post-reboot file operation utilities
          1. PendMoves
          2. MoveFile
      9. Chapter 13. Disk utilities
        1. Disk2Vhd
        2. Sync
        3. DiskView
        4. Contig
          1. Defragmenting existing files
          2. Analyzing fragmentation of existing files
          3. Analyzing free-space fragmentation
          4. Creating a contiguous file
        5. DiskExt
        6. LDMDump
        7. VolumeID
      10. Chapter 14. Network and communication utilities
        1. PsPing
          1. ICMP Ping
          2. TCP Ping
          3. PsPing server mode
          4. TCP/UDP latency test
          5. TCP/UDP bandwidth test
          6. PsPing histograms
        2. TCPView
        3. Whois
      11. Chapter 15. System information utilities
        1. RAMMap
          1. Use Counts
          2. Processes
          3. Priority Summary
          4. Physical Pages
          5. Physical Ranges
          6. File Summary
          7. File Details
          8. Purging physical memory
          9. Saving and loading snapshots
        2. Registry Usage (RU)
        3. CoreInfo
          1. -c: Dump information on cores
          2. -f: Dump core feature information
          3. -g: Dump information on groups
          4. -l: Dump information on caches
          5. -m: Dump NUMA access cost
          6. -n: Dump information on NUMA nodes
          7. -s: Dump information on sockets
          8. -v: Dump only virtualization-related features
        4. WinObj
        5. LoadOrder
        6. PipeList
        7. ClockRes
      12. Chapter 16. Miscellaneous utilities
        1. RegJump
        2. Hex2Dec
        3. RegDelNull
        4. Bluescreen Screen Saver
        5. Ctrl2Cap
    10. Part III: Troubleshooting—“The Case of the Unexplained...”
      1. Chapter 17. Error messages
        1. Troubleshooting error messages
        2. The Case of the Locked Folder
        3. The Case of the File In Use Error
        4. The Case of the Unknown Photo Viewer Error
        5. The Case of the Failing ActiveX Registration
        6. The Case of the Failed Play-To
        7. The Case of the Installation Failure
          1. The troubleshooting
          2. The analysis
        8. The Case of the Unreadable Text Files
        9. The Case of the Missing Folder Association
        10. The Case of the Temporary Registry Profiles
        11. The Case of the Office RMS Error
        12. The Case of the Failed Forest Functional Level Raise
      2. Chapter 18. Crashes
        1. Troubleshooting crashes
        2. The Case of the Failed AV Update
        3. The Case of the Crashing Proksi Utility
        4. The Case of the Failed Network Location Awareness Service
        5. The Case of the Failed EMET Upgrade
        6. The Case of the Missing Crash Dump
        7. The Case of the Random Sluggishness
      3. Chapter 19. Hangs and sluggish performance
        1. Troubleshooting hangs and sluggish performance
        2. The Case of the IExplore-Pegged CPU
        3. The Case of the Runaway Website
        4. The Case of the Excessive ReadyBoost
        5. The Case of the Stuttering Laptop Blu-ray Player
        6. The Case of the Company 15-Minute Logons
        7. The Case of the Hanging PayPal Emails
        8. The Case of the Hanging Accounting Software
        9. The Case of the Slow Keynote Demo
        10. The Case of the Slow Project File Opens
        11. The Compound Case of the Outlook Hangs
      4. Chapter 20. Malware
        1. Troubleshooting malware
        2. Stuxnet
          1. Malware and the Sysinternals utilities
          2. The Stuxnet infection vector
          3. Stuxnet on Windows XP
          4. Looking deeper
          5. Filtering to find relevant events
          6. Stuxnet system modifications
          7. The .PNF files
          8. Windows 7 elevation of privilege
          9. Stuxnet revealed by the Sysinternals utilities
        3. The Case of the Strange Reboots
        4. The Case of the Fake Java Updater
        5. The Case of the Winwebsec Scareware
        6. The Case of the Runaway GPU
        7. The Case of the Unexplained FTP Connections
        8. The Case of the Misconfigured Service
        9. The Case of the Sysinternals-Blocking Malware
        10. The Case of the Process-Killing Malware
        11. The Case of the Fake System Component
        12. The Case of the Mysterious ASEP
      5. Chapter 21. Understanding system behavior
        1. The Case of the Q: Drive
        2. The Case of the Unexplained Network Connections
        3. The Case of the Short-Lived Processes
        4. The Case of the App Install Recorder
        5. The Case of the Unknown NTLM Communications
      6. Chapter 22. Developer troubleshooting
        1. The Case of the Broken Kerberos Delegation
        2. The Case of the ProcDump Memory Leak
    11. Index
    12. About the Authors
    13. Survey
    14. Code Snippets

Product information

  • Title: Troubleshooting with the Windows Sysinternals Tools
  • Author(s): Mark Russinovich, Aaron Margosis
  • Release date: October 2016
  • Publisher(s): Microsoft Press
  • ISBN: 9780133986549