events 443

dismounting removable drives, 339
distinguished names (DNs), finding, 289
DLL extension, 26
DLL injection, 296
DLL load failures, troubleshooting, 387–389
DLL Properties dialog box, 72
DLL tab, 69–70
DLL view, 39, 67–77
    columns in, 70–71
    customizing, 69–71
DllMain function, 162
DLLs
    AppInit DLLs, 162
    description and publisher information, 169
    executable images, loading as, 255
    export tables, 26
    finding, 68–69
    malicious DLLs, 433–436
    mapping, 162
    properties of, 72–73, 90
    relocated, 71, 255
    viewing, 69–73, 253–255
domain account passwords, setting, 196–197
domain administrators, enumerating and restoring deleted objects, 307
domain connections, saving, 288
domain registration lookups, 353
domains
    connecting to, 287–288
    deleted objects in, restoring, 306–307
    SIDs of, 185–186
    whois lookups, 352
downloaded content, unblocking, 327
downloading utilities, 7–8
    unblocking .zip files, 8–9
driver files, 11
drivers
    autostarting, 159
    bugs in, 159
    configuration information, 199–200
    dependencies, 200, 200–201
    disabling or deleting, 159
    error control for, 200
    searching for, 202
    security information, 201
    status information, 198–199
    types of, 198, 200
Drop Filtered Events option, 129
dump files. See also ProcDump; process dump files
    critical sections in, 421–422
    generating, 424
    kernel-memory dump files, 249–253
    obtaining, 421
dump of processes, 53, 227–237
dynamic attributes, 46
dynamic disks, 347–348

E

effective permissions, 267–268
    reporting, 267–275
Effective Permissions Tool, 267
elevation of privilege, 19
    window messaging and, 35
elevation-of-privilege attacks, interactive services and, 199
embedded manifests
    displaying, 261–262
    dumping, 266
embedded nulls, deleting registry keys with, 378–379
Encapsulating Security Payload (ESP), 179
encrypted files, deleting securely, 285–286
Encrypting File System (EFS), 283
encryption, IPsec with ESP (Encapsulating Security Payload) for, 179
End-User License Agreement (EULA), 13–14
    on remote computers, 178
endpoint addresses, resolving, 82
endpoints, viewing, 351–355
environment variables, viewing, 84–85
error messages, troubleshooting, 383–404
error severity levels, 241
escape character (^), 176–177
Event Class filters, 117
event data, copying, 115, 140
event errors, viewing, 303
Event Filters dialog box, 304
event IDs, 192, 195
event-log messages, 192, 194
event logs
    clearing, 196
    defragmenting, 345–346
    exporting, 195
    registered name, 196
    viewing records of, 192–196
Event Properties dialog box, 108–113
    Event tab, 109–110
    file attribute codes, 109
    navigation buttons, 109
    Process tab, 111–112
    Stack tab, 112–113
event records
    comma-delimited fields, 194
    displaying, 192–196
    event IDs, 195
    event sources, 195
    event type, 195
    filtering, 194–195
    hex dump format, 194
    most recent, 195
    number to display, specifying, 194
    order of, 194
event sources, 192, 195
Event Time Results reports, 305
Event Tracing for Windows (ETW), 128
events
    capturing, 103
    context menu filter options, 118–119
    debug output events, 141–142
    details about, viewing, 108–110, 109
    filtered, dropping from log file, 129
    filtering and highlighting in Procmon, 116–122
    finding, 115
    Load Image events, 104
    Process Profiling events, 114
    Procmon-captured, 104–116, 138
    profiling events, 114
    reporting on, 305
    searching online, 116
    sequence number, 298
    Thread Profiling events, 114
    time of day, 104
    viewing associated events, 303
Events report, 305
Events with Details reports, 305
Exchange Server
    CPU spikes, troubleshooting, 423–424
    high item count folders, 425
    troubleshooting problems with, 420–426
EXE files, 26
    description and publisher information, 169
    hijacks of, 161
executable code, functions, 24–26
executable files, 21
    details about, 265
    digital signatures on, 262
    EXE or DLL, 26
    properties of, 90
    scanning for, 265
    verification of, 72
executable images, 54
    DLLs loaded as, 255
    path to, 54, 432
    in process address space, 112
    properties of, 78–79
    verifying, 91–92
execution on remote computers, PsExec for, 176–184
exit codes, 177, 198
    of PsInfo, 188
Explorer.exe, autostart entries related to, 155
export tables, 26
exporting
    event logs, 195
    from VMMap, 212
external storage devices, removing, 339

F

F5 key, 46
FAT drives, changing ID number, 350
file access
    delays, troubleshooting, 415–419
    redirecting, 394–395
file activity
    summary of, 136–137
    viewing, 102. See also Process Monitor (Procmon)
file associations, changing, 161
File Errors dialog box, 341
file extensions of EXEs and DLLs, 26
file and folder operations, listing by, 137
file fragmentation, display of, 342
file handles, 256–257
file hashes, calculating, 261–286
file locations, jumping to, 115–116
file management utilities, 325–334
file mapping objects, 22, 257
file mappings
    listing, 71
    mapped views of, 216
Filemon, 102
    filtering capabilities, 116
file names, overwriting, 286
"File not found" autostart entries, 169–170
file objects, sharing mode, 76
file reads
    noncached, 417
    re-reads, 418
file and registry virtualization, disabling, 20
file shares
    enumerating, 277–278
    permissions on, changing, 278
    security settings on, 277
    violations of, 401–404
file signatures, verifying, 149–150, 169
File Summary dialog box, 136–137
file system
    activity, capturing, 104
    autostart locations, 145
file system buffers, flushing to disk, 339
file system objects, reporting, 326–328
file utilities, 5
files
    alternate data streams, 326
    attributes of, 109–110
    clusters, locating, 343
    defragmentation of, 344–345
    deleting securely, 284–286
    effective permissions on, 267
    in-use, identifying, 256–260
    mapping into memory, 365
    moving, renaming, and deleting, scheduling, 334
    multiple paths to, 328
    opened remotely, listing, 184–185
    properties of, viewing, 71
    searching for, 71
    searching for strings in, 325
Filter dialog box, 117–118
filtered access tokens, 18
filtering
    AdInsight data, 303–304
    advanced output, 120–121
    boot logging and, 129
    configuring, 117–119
    context menu options, 118–119
    debug output, 242–243
    Drop Filtered Events option, 129
    events in Procmon, 116–122
    resetting filters, 118
    rule sets, importing, 131
    rules, adding, 117
    rules, editing and removing, 117–118