book

Troubleshooting with the Windows Sysinternals Tools

by Mark Russinovich, Aaron Margosis

October 2016

Intermediate to advanced

688 pages

21h 41m

English

Microsoft Press

Read now

Unlock full access

Tools the book coversThe history of SysinternalsWho should read this bookAssumptionsOrganization of this bookConventions and features in this bookSystem requirementsLate-breaking changesAcknowledgmentsErrata, updates, and book supportFree ebooks from Microsoft PressWe want to hear from youStay in touch
Overview of the utilitiesThe Windows Sysinternals websiteDownloading the utilitiesRunning the utilities directly from the webSingle executable imageThe Windows Sysinternals forumsWindows Sysinternals site blogMark’s blogMark’s webcastsSysinternals license informationEnd User License Agreement and the /accepteula switchFrequently asked questions about Sysinternals licensing
Administrative rightsProcesses, threads, and jobsUser mode and kernel modeHandlesApplication isolationApp ContainersProtected processesCall stacks and symbolsWhat is a call stack?What are symbols?Configuring symbolsSessions, window stations, desktops, and window messagesRemote desktop services sessionsWindow stationsDesktopsWindow messages

Procexp overviewMeasuring CPU consumptionAdministrative rightsMain windowProcess listCustomizing column selectionsSaving displayed dataToolbar referenceIdentifying the process that owns a windowStatus barDLLs and handlesFinding DLLs or handlesDLL viewHandle viewProcess detailsImage tabPerformance tabPerformance Graph tabGPU Graph tabThreads tabTCP/IP tabSecurity tabEnvironment tabStrings tabServices tab.NET tabsJob tabThread detailsVerifying image signaturesVirusTotal analysisSystem informationCPU tabMemory tabI/O tabGPU tabDisplay optionsProcexp as a Task Manager replacementCreating processes from ProcexpOther user sessionsMiscellaneous featuresShutdown optionsCommand-line switchesRestoring Procexp defaultsKeyboard shortcut reference
Autoruns fundamentalsDisabling or deleting autostart entriesAutoruns and administrative permissionsVerifying code signaturesVirusTotal analysisHiding entriesGetting more information about an entryViewing the autostarts of other usersViewing ASEPs of an offline systemChanging the fontAutostart categoriesLogonExplorerInternet ExplorerScheduled TasksServicesDriversCodecsBoot ExecuteImage hijacksAppInitKnownDLLsWinlogonWinsock providersPrint monitorsLSA providersNetwork providersWMISidebar gadgetsOfficeSaving and comparing resultsSaving as tab-delimited textSaving in binary (.arn) formatViewing and comparing saved resultsAutorunsCAutoruns and malware
Getting started with ProcmonEventsUnderstanding the column display defaultsCustomizing the column displayEvent Properties dialog boxDisplaying profiling eventsFinding an eventCopying event dataJumping to a registry or file locationSearching onlineFiltering, highlighting, and bookmarkingConfiguring filtersConfiguring highlightingBookmarkingAdvanced outputSaving filters for later useProcess TreeSaving and opening Procmon tracesSaving Procmon tracesProcmon XML schemaOpening saved Procmon tracesLogging boot, post-logoff, and shutdown activityBoot loggingKeeping Procmon running after logoffLong-running traces and controlling log sizesDrop filtered eventsHistory depthBacking filesImporting and exporting configuration settingsAutomating Procmon: command-line optionsAnalysis toolsProcess Activity SummaryFile SummaryRegistry SummaryStack SummaryNetwork SummaryCross Reference SummaryCount OccurrencesInjecting custom debug output into Procmon tracesToolbar reference
Command-line syntaxSpecifying which process to monitorAttach to existing processLaunch the target processWorking with Universal Windows Platform applicationsAuto-enabled debugging with AeDebug registrationSpecifying the dump file pathSpecifying criteria for a dumpMonitoring exceptionsDump file optionsMiniplus dumpsProcDump and Procmon: Better togetherRunning ProcDump noninteractivelyViewing the dump in the debugger
Common featuresRemote operationsTroubleshooting remote PsTools connectionsPsExecRemote process exitRedirected console outputPsExec alternate credentialsPsExec command-line optionsProcess performance optionsRemote connectivity optionsRuntime environment optionsPsFilePsGetSidPsInfoPsKillPsListPsLoggedOnPsLogListPsPasswdPsServiceQueryConfigDependSecurityFindSetConfigStart, Stop, Restart, Pause, ContinuePsShutdownPsSuspendPsTools command-line syntaxPsExecPsFilePsGetSidPsInfoPsKillPsListPsLoggedOnPsLogListPsPasswdPsServicePsShutdownPsSuspendPsTools system requirements
VMMapStarting VMMap and choosing a processThe VMMap windowMemory typesMemory informationTimeline and snapshotsViewing text within memory regionsFinding and copying textViewing allocations from instrumented processesAddress space fragmentationSaving and loading snapshot resultsVMMap command-line optionsRestoring VMMap defaultsDebugViewWhat is debug output?The DebugView displayCapturing user-mode debug outputCapturing kernel-mode debug outputSearching, filtering, and highlighting outputSaving, logging, and printingRemote monitoringLiveKdLiveKd requirementsRunning LiveKdKernel debugger target typesOutput to debugger or dump fileDump contentsHyper-V guest debuggingSymbolsLiveKd examplesListDLLsHandleHandle list and searchHandle countsClosing handles
SigCheckWhich files to scanSignature verificationVirusTotal analysisAdditional file informationOutput formatMiscellaneousAccessChkWhat are “effective permissions”?Using AccessChkObject typeSearching for access rightsOutput optionsSysmonEvents recorded by SysmonInstalling and configuring SysmonExtracting Sysmon event dataAccessEnumShareEnumShellRunAsAutologonLogonSessionsSDeleteUsing SDeleteHow SDelete works
AdExplorerConnecting to a domainThe AdExplorer displayObjectsAttributesSearchingSnapshotsAdExplorer configurationAdInsightAdInsight data captureDisplay optionsFinding information of interestFiltering resultsSaving and exporting AdInsight dataCommand-line optionsAdRestore
BgInfoConfiguring data to displayAppearance optionsSaving BgInfo configuration for later useOther output optionsUpdating other desktopsDesktopsZoomItUsing ZoomItZoom modeDrawing modeTyping modeBreak TimerLiveZoom
StringsStreamsNTFS link utilitiesJunctionFindLinksDisk Usage (DU)Post-reboot file operation utilitiesPendMovesMoveFile
Disk2VhdSyncDiskViewContigDefragmenting existing filesAnalyzing fragmentation of existing filesAnalyzing free-space fragmentationCreating a contiguous fileDiskExtLDMDumpVolumeID
PsPingICMP PingTCP PingPsPing server modeTCP/UDP latency testTCP/UDP bandwidth testPsPing histogramsTCPViewWhois
RAMMapUse CountsProcessesPriority SummaryPhysical PagesPhysical RangesFile SummaryFile DetailsPurging physical memorySaving and loading snapshotsRegistry Usage (RU)CoreInfo–c: Dump information on cores–f: Dump core feature information–g: Dump information on groups–l: Dump information on caches–m: Dump NUMA access cost–n: Dump information on NUMA nodes–s: Dump information on sockets–v: Dump only virtualization-related featuresWinObjLoadOrderPipeListClockRes
RegJumpHex2DecRegDelNullBluescreen Screen SaverCtrl2Cap
Troubleshooting error messagesThe Case of the Locked FolderThe Case of the File In Use ErrorThe Case of the Unknown Photo Viewer ErrorThe Case of the Failing ActiveX RegistrationThe Case of the Failed Play-ToThe Case of the Installation FailureThe troubleshootingThe analysisThe Case of the Unreadable Text FilesThe Case of the Missing Folder AssociationThe Case of the Temporary Registry ProfilesThe Case of the Office RMS ErrorThe Case of the Failed Forest Functional Level Raise
Troubleshooting crashesThe Case of the Failed AV UpdateThe Case of the Crashing Proksi UtilityThe Case of the Failed Network Location Awareness ServiceThe Case of the Failed EMET UpgradeThe Case of the Missing Crash DumpThe Case of the Random Sluggishness
Troubleshooting hangs and sluggish performanceThe Case of the IExplore-Pegged CPUThe Case of the Runaway WebsiteThe Case of the Excessive ReadyBoostThe Case of the Stuttering Laptop Blu-ray PlayerThe Case of the Company 15-Minute LogonsThe Case of the Hanging PayPal EmailsThe Case of the Hanging Accounting SoftwareThe Case of the Slow Keynote DemoThe Case of the Slow Project File OpensThe Compound Case of the Outlook Hangs
Troubleshooting malwareStuxnetMalware and the Sysinternals utilitiesThe Stuxnet infection vectorStuxnet on Windows XPLooking deeperFiltering to find relevant eventsStuxnet system modificationsThe .PNF filesWindows 7 elevation of privilegeStuxnet revealed by the Sysinternals utilitiesThe Case of the Strange RebootsThe Case of the Fake Java UpdaterThe Case of the Winwebsec ScarewareThe Case of the Runaway GPUThe Case of the Unexplained FTP ConnectionsThe Case of the Misconfigured ServiceThe Case of the Sysinternals-Blocking MalwareThe Case of the Process-Killing MalwareThe Case of the Fake System ComponentThe Case of the Mysterious ASEP
The Case of the Q: DriveThe Case of the Unexplained Network ConnectionsThe Case of the Short-Lived ProcessesThe Case of the App Install RecorderThe Case of the Unknown NTLM Communications
The Case of the Broken Kerberos DelegationThe Case of the ProcDump Memory Leak

Content preview from Troubleshooting with the Windows Sysinternals Tools

Chapter 20. Malware

Malware causes more than its fair share of computer problems. Of course, by definition it always performs actions that are not in your best interest. Sometimes it tries to do so quietly without your noticing its presence. Other times, it makes itself unavoidably obvious, such as with the scareware described in “The Case of the Winwebsec Scareware” and “The Case of the Process-Killing Malware” in this chapter. Like a lot of legitimate software, sometimes malware is just poorly written. Unlike most legitimate software, though, malware often actively tries to prevent its discovery or removal.

Here are the cases in this chapter:

Stuxnet is one of the most sophisticated malware attacks ever mounted. Here, the Sysinternals utilities ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition

Publisher Resources

ISBN: 9780133986549Purchase book

Troubleshooting with the Windows Sysinternals Tools

by Mark Russinovich, Aaron Margosis

Chapter 20. Malware

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition

CompTIA Security+ SY0-701

The Linux Command Line, 2nd Edition

The Complete Cybersecurity Bootcamp, 2nd Edition

Publisher Resources

Chapter 20. Malware

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Windows Internals, Part 1: System architecture, processes, threads, memory management, and more, Seventh Edition

CompTIA Security+ SY0-701

The Linux Command Line, 2nd Edition

The Complete Cybersecurity Bootcamp, 2nd Edition

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.