Windows sysinternals

More documents

Recommendations

Info

Sysinternals utilities 457 snapshots (continued) of disks, 335 of kernel memory, 249 loading, 226 of memory allocations, 218–220 opening, 288 saving, 225–226 string data and, 220 timelines of, 219 soft links, NTFS support for, 328 software applications auto-starting, 145. See also autostarts information about, 188 software installation failures, troubleshooting, 391–396 software updates, errors with, 385–386 solid state drives, defragmentation and, 344 Solomon, David, 43, 101 sparse files, deleting securely, 285–286 SPI, 164 Spooler service, 164 spyware, 157 SQL Server databases, BgInfo data, writing to, 316 srvsvc named pipe, 184 stack, 22. See also call stacks viewing, 82 Stack button, 90 stack memory, 217 Stack Summary dialog box, 138–139 stack traces. See also call stacks examining, 416 saving, 113 summary of, 138–139 symbols, viewing, 126 third-party drivers in, 418 standby memory, 361 Star Wars IV: A New Hope, 150 start command, 202 Start menu, launching utilities from, 7–8 start types for services, setting, 202 Startup folders, ASEPs of, 153 startup processes, 49–51 startup scripts, 153 Status Bar tab, 67 StockViewer, 410–411 stop command, 202 storage, thread-local, 22 Streams, 326–328 unblocking .zip files with, 9 strings definition of, 73 image and memory strings, 85 in mapped files, 72–73 saving to text file, 86 Strings, 325–326 command-line syntax, 325 malware behaviors, detecting, 432–433 Strings dialog box, 220–221 subfunctions, 24 SUBST associations, 188 suspend count, 206 suspended processes, 52 in process list, 44 SuspendThread API, 206 suspension of processes, 205–206 Svchost.exe, 158, 159 symbol files, 26–28, 126 building of, 27 default locations, 29 details in, 27 downloading, 27 symbol servers, 27 symbolic links creating, 329 link targets, navigating to, 371 NTFS support for, 328 symbols, 26–28 configuring, 28–30 instrumented processes and, 222 for kernel memory dump, 252–253 for LiveKdD.SYS, 251 symbols path, 29 Microsoft public symbols, 30 Sync, 339–340 sync utility, 339 .sys file extension, 159 Sysinternals Live, 10 displaying directory, 10 UNC path, 10 Sysinternals Site Discussion blog, 12 Sysinternals source code, 14 Sysinternals utilities, 7. See also Autoruns; Process Explorer (Procexp); Process Monitor (Procmon); PsTools suite AccessChk, 267–275 AccessEnum, 275–277 AdExplorer, 287–296 AdInsight, 296–306 administrative rights for, 16 AdRestore, 306–307 Autologon, 280 benefits of, 3 BgInfo, 309–318 Bluescreen Screen Saver, 379–380 ClockRes, 375 community support forum, 3 Contig, 344–345 CoreInfo, 367–369 Ctrl2Cap, 380 DebugView, 237–249 Desktops, 318–320 Disk2Vhd, 335–337 DiskExt, 347 Diskmon, 337–339 Disk Usage (DU), 331–333 DiskView, 341–344 distribution of, 14 downloading, 7–8 driver files, 11 embedded resources, 11 error message troubleshooting, 383–404 EULA acceptance, 178 FindLinks, 330–331 Handle, 256–260 Hex2Dec, 378 Junction, 329–330 launching, 7 LDMDump, 347–349 license information, 13–14 ListDLLs, 253–255 LiveKd, 249–253 LoadOrder, 373–374 www.it-ebooks.info
458 Sysinternals utilities Sysinternals utilities (continued) LogonSessions, 280–283 malware blocking access to, 427–429 Microsoft support, 3, 14 MoveFile, 334 new features, utilities, and bug fixes, 3 number of copies, 14 overview, 3–6 PageDefrag, 345–346 PendMoves, 333–334 PipeList, 374–375 Portmon, 353–358 ProcDump, 227–237 process state, viewing with, 211–260 ProcFeatures, 369–370 RAMMap, 359–367 RegDelNull, 378–379 RegJump, 377 running from Web, 10 SDelete, 283–286 ShareEnum, 277–278 ShellRunAs, 278–280 SigCheck, 261–267 single executable images, 11 Streams, 326–328 Strings, 325–326 symbolic information, 28–30 Sync, 339–340 TCPView, 351–353 32-bit and 64-bit system support, 11 VMMap, 211–227 VolumeID, 350 Web site, 6–13 Whois, 353 WinObj, 370–373 ZoomIt, 320–324 Sysinternals Web site, 6–13 SysinternalsBluescreen.scr, 379 System account, executing programs in, 176, 182 system activity boot activity, logging, 127–128 log of, 123–126 system clock, current resolution, 375 System Configuration Utility (msconfig.exe), 145–146 System.Diagnostics.Debug class, 237 System.Diagnostics.Trace class, 237 System event log displaying records of, 192 PsShutdiown errors, 205 system files, defragmenting, 345–346 system hangs and crashes, troubleshooting, 127 System Idle Process, 48 system information, 187–188 desktop wallpaper, displaying as, 309–318 memory usage, monitoring, 355 viewing, 92–95 System Information dialog box, 92–94 system information utilities, 6, 359–376 system performance KnownDLLs and, 162 noncached reads impact on, 417–418 on-access virus scans and, 418–419 troubleshooting, 405–426 system performance metrics, 92–95 System process high CPU usage, troubleshooting, 408–410 logging activity of, 128 system processes, 43, 48 system requirements for PsTools utilities, 208–209 system resources, access to, 15–20 system shutdown, logging activity of, 127–129 System start drivers, load order, 373 system-start services, 200 system startup, kernel-mode debug output at, 241 system uptime, 187 system volumes, capturing images of, 336 systemwide commit charge, 65 T tab-delimited text, saving Autoruns scans as, 166 target processes directory for, 183 interactive running, 182 limited rights execution, 183 priority of, setting, 180 process tree of, 189 runtime environment, 181–184 scheduling on multiprocessor systems, 181 secure Winlogon desktop environment, 182–183 terminating, 188–189 tracing, 214 Task Manager CPU usage calculation, 41 vs. Process Explorer, 96–97 processes, viewing in, 39 replacing and restoring, 96–97 Show Processes From All Users option, 431–432 Users tab, 97 Task Scheduler, 146, 158 Taskkill.exe, 189 TCP endpoints, viewing, 82, 351–353 TCP operations, metrics on, 62–63 TCP port 2020 connections, 248 TCPView, 351–353 connected endpoints, viewing, 352 Resolve Addresses option, 352 update options, 351–352 Whois lookups, 352 tdx driver (NetIO Legacy TDI Support Driver), 200 TechEd presentations, 13 terminal server sessions capturing output of, 240–241 interactive desktops as, 238 www.it-ebooks.info
Page 1 and 2:
www.it-ebooks.info
Page 3 and 4:
PUBLISHED BY Microsoft Press A Divi
Page 5 and 6:
www.it-ebooks.info
Page 7 and 8:
www.it-ebooks.info
Page 9 and 10:
viii Table of Contents 2 Windows Co
Page 11 and 12:
x Table of Contents Process Tree .
Page 13 and 14:
xii Table of Contents PsLogList. .
Page 15 and 16:
xiv Table of Contents Object Type .
Page 17 and 18:
xvi Table of Contents 14 System Inf
Page 19 and 20:
www.it-ebooks.info
Page 21 and 22:
www.it-ebooks.info
Page 23 and 24:
xxii Introduction layout, I set out
Page 25 and 26:
xxiv Introduction Microsoft had bee
Page 27 and 28:
xxvi Introduction Part III, “Trou
Page 29 and 30:
xxviii Introduction Errata & Book S
Page 31 and 32:
www.it-ebooks.info
Page 33 and 34:
4 Part I Getting Started Table 1-1
Page 35 and 36:
6 Part I Getting Started Utility LD
Page 37 and 38:
8 Part I Getting Started FIGURE 1-2
Page 39 and 40:
10 Part I Getting Started Running t
Page 41 and 42:
12 Part I Getting Started FIGURE 1-
Page 43 and 44:
14 Part I Getting Started Because t
Page 45 and 46:
16 Part I Getting Started unrestric
Page 47 and 48:
18 Part I Getting Started For more
Page 49 and 50:
20 Part I Getting Started FIGURE 2-
Page 51 and 52:
22 Part I Getting Started ■ The c
Page 53 and 54:
24 Part I Getting Started “System
Page 55 and 56:
26 Part I Getting Started is not av
Page 57 and 58:
28 Part I Getting Started symbolic
Page 59 and 60:
30 Part I Getting Started The debug
Page 61 and 62:
32 Part I Getting Started Terminal
Page 63 and 64:
34 Part I Getting Started access on
Page 65 and 66:
36 Part I Getting Started With UIPI
Page 67 and 68:
www.it-ebooks.info
Page 69 and 70:
40 Part II Usage Guide ■ Tooltips
Page 71 and 72:
42 Part II Usage Guide Procexp repr
Page 73 and 74:
44 Part II Usage Guide is simply th
Page 75 and 76:
46 Part II Usage Guide Updating the
Page 77 and 78:
48 Part II Usage Guide Tooltips Hov
Page 79 and 80:
50 Part II Usage Guide On Windows V
Page 81 and 82:
52 Part II Usage Guide FIGURE 3-6 D
Page 83 and 84:
54 Part II Usage Guide FIGURE 3-7 T
Page 85 and 86:
56 Part II Usage Guide Process Perf
Page 87 and 88:
58 Part II Usage Guide FIGURE 3-9 T
Page 89 and 90:
60 Part II Usage Guide FIGURE 3-10
Page 91 and 92:
62 Part II Usage Guide By default,
Page 93 and 94:
Page 95 and 96:
66 Part II Usage Guide You can disp
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
72 Part II Usage Guide Peering Deep
Page 103 and 104:
Page 105 and 106:
76 Part II Usage Guide ■ Access M
Page 107 and 108:
78 Part II Usage Guide The Properti
Page 109 and 110:
Page 111 and 112:
82 Part II Usage Guide TCP/IP Tab A
Page 113 and 114:
84 Part II Usage Guide In most circ
Page 115 and 116:
86 Part II Usage Guide Click the Sa
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
92 Part II Usage Guide Some reasons
Page 123 and 124:
94 Part II Usage Guide available to
Page 125 and 126:
96 Part II Usage Guide running on t
Page 127 and 128:
98 Part II Usage Guide Command-Line
Page 129 and 130:
www.it-ebooks.info
Page 131 and 132:
102 Part II Usage Guide Because mil
Page 133 and 134:
104 Part II Usage Guide Events Tabl
Page 135 and 136:
106 Part II Usage Guide As an NTSTA
Page 137 and 138:
108 Part II Usage Guide Application
Page 139 and 140:
110 Part II Usage Guide File Attrib
Page 141 and 142:
112 Part II Usage Guide ■ When th
Page 143 and 144:
114 Part II Usage Guide Displaying
Page 145 and 146:
116 Part II Usage Guide invoked by
Page 147 and 148:
118 Part II Usage Guide without per
Page 149 and 150:
120 Part II Usage Guide Configuring
Page 151 and 152:
Page 153 and 154:
124 Part II Usage Guide Saving Proc
Page 155 and 156:
126 Part II Usage Guide If Procmon
Page 157 and 158:
128 Part II Usage Guide When lookin
Page 159 and 160:
130 Part II Usage Guide History Dep
Page 161 and 162:
132 Part II Usage Guide Automating
Page 163 and 164:
134 Part II Usage Guide ■ Line 4
Page 165 and 166:
136 Part II Usage Guide File Summar
Page 167 and 168:
Page 169 and 170:
140 Part II Usage Guide Cross Refer
Page 171 and 172:
142 Part II Usage Guide BOOL WriteP
Page 173 and 174:
www.it-ebooks.info
Page 175 and 176:
Page 177 and 178:
148 Part II Usage Guide Disabling o
Page 179 and 180:
150 Part II Usage Guide Files for w
Page 181 and 182:
152 Part II Usage Guide Viewing ASE
Page 183 and 184:
154 Part II Usage Guide Per-User AS
Page 185 and 186:
156 Part II Usage Guide Per-User AS
Page 187 and 188:
158 Part II Usage Guide Per-User an
Page 189 and 190:
160 Part II Usage Guide Codecs The
Page 191 and 192:
162 Part II Usage Guide Command Pro
Page 193 and 194:
164 Part II Usage Guide Winsock Pro
Page 195 and 196:
166 Part II Usage Guide Saving and
Page 197 and 198:
168 Part II Usage Guide The CSV for
Page 199 and 200:
170 Part II Usage Guide ■ A defau
Page 201 and 202:
172 Part II Usage Guide Incidentall
Page 203 and 204:
174 Part II Usage Guide Alternate C
Page 205 and 206:
176 Part II Usage Guide What this m
Page 207 and 208:
178 Part II Usage Guide Redirected
Page 209 and 210:
180 Part II Usage Guide PsExec Comm
Page 211 and 212:
182 Part II Usage Guide The -s opti
Page 213 and 214:
184 Part II Usage Guide Note The re
Page 215 and 216:
186 Part II Usage Guide Use of full
Page 217 and 218:
188 Part II Usage Guide In the prec
Page 219 and 220:
190 Part II Usage Guide Note PsList
Page 221 and 222:
192 Part II Usage Guide on the netw
Page 223 and 224:
Page 225 and 226:
196 Part II Usage Guide the event l
Page 227 and 228:
198 Part II Usage Guide example, al
Page 229 and 230:
200 Part II Usage Guide The config
Page 231 and 232:
202 Part II Usage Guide Find One of
Page 233 and 234:
204 Part II Usage Guide Option Disp
Page 235 and 236:
206 Part II Usage Guide To suspend
Page 237 and 238:
208 Part II Usage Guide depend serv
Page 239 and 240:
www.it-ebooks.info
Page 241 and 242:
Page 243 and 244:
Page 245 and 246:
216 Part II Usage Guide Allocations
Page 247 and 248:
218 Part II Usage Guide ■ Shared
Page 249 and 250:
220 Part II Usage Guide When you co
Page 251 and 252:
222 Part II Usage Guide ■ The mem
Page 253 and 254:
Page 255 and 256:
226 Part II Usage Guide ■ .TXT Th
Page 257 and 258:
228 Part II Usage Guide Command-Lin
Page 259 and 260:
230 Part II Usage Guide To avoid an
Page 261 and 262:
232 Part II Usage Guide You can use
Page 263 and 264:
234 Part II Usage Guide and results
Page 265 and 266:
236 Part II Usage Guide Capturing A
Page 267 and 268:
238 Part II Usage Guide static meth
Page 269 and 270:
240 Part II Usage Guide You can ann
Page 271 and 272:
242 Part II Usage Guide the crash d
Page 273 and 274:
244 Part II Usage Guide Highlightin
Page 275 and 276:
246 Part II Usage Guide ■ Limit L
Page 277 and 278:
248 Part II Usage Guide To view deb
Page 279 and 280:
250 Part II Usage Guide LiveKd Requ
Page 281 and 282:
252 Part II Usage Guide This comman
Page 283 and 284:
254 Part II Usage Guide ListDLLs re
Page 285 and 286:
256 Part II Usage Guide Handle Hand
Page 287 and 288:
Page 289 and 290:
260 Part II Usage Guide Timer : 7 T
Page 291 and 292:
Page 293 and 294:
264 Part II Usage Guide ■ Signing
Page 295 and 296:
266 Part II Usage Guide displays ha
Page 297 and 298:
268 Part II Usage Guide Note that t
Page 299 and 300:
270 Part II Usage Guide Object Type
Page 301 and 302:
272 Part II Usage Guide Although th
Page 303 and 304:
274 Part II Usage Guide effective p
Page 305 and 306:
276 Part II Usage Guide is explicit
Page 307 and 308:
278 Part II Usage Guide Click on a
Page 309 and 310:
280 Part II Usage Guide ShellRunAs
Page 311 and 312:
282 Part II Usage Guide [1] Logon s
Page 313 and 314:
284 Part II Usage Guide The only wa
Page 315 and 316:
286 Part II Usage Guide The second
Page 317 and 318:
Page 319 and 320:
290 Part II Usage Guide Objects You
Page 321 and 322:
Page 323 and 324:
294 Part II Usage Guide The current
Page 325 and 326:
296 Part II Usage Guide You can scr
Page 327 and 328:
Page 329 and 330:
300 Part II Usage Guide To view inf
Page 331 and 332:
302 Part II Usage Guide AdInsight m
Page 333 and 334:
304 Part II Usage Guide To configur
Page 335 and 336:
306 Part II Usage Guide AdInsight c
Page 337 and 338:
www.it-ebooks.info
Page 339 and 340:
310 Part II Usage Guide When you st
Page 341 and 342:
312 Part II Usage Guide In addition
Page 343 and 344:
314 Part II Usage Guide selected, B
Page 345 and 346:
316 Part II Usage Guide the data it
Page 347 and 348:
Page 349 and 350:
320 Part II Usage Guide provide a w
Page 351 and 352:
322 Part II Usage Guide Drawing Mod
Page 353 and 354:
324 Part II Usage Guide LiveZoom Wh
Page 355 and 356:
326 Part II Usage Guide The followi
Page 357 and 358:
Page 359 and 360:
330 Part II Usage Guide into subdir
Page 361 and 362:
Page 363 and 364:
334 Part II Usage Guide This sample
Page 365 and 366:
Page 367 and 368:
338 Part II Usage Guide disk), Disk
Page 369 and 370:
340 Part II Usage Guide Volume Perm
Page 371 and 372:
Page 373 and 374:
344 Part II Usage Guide ■ One lin
Page 375 and 376:
Page 377 and 378:
348 Part II Usage Guide sizing, and
Page 379 and 380:
350 Part II Usage Guide VolumeID Wh
Page 381 and 382:
352 Part II Usage Guide executables
Page 383 and 384:
354 Part II Usage Guide ■ System
Page 385 and 386:
356 Part II Usage Guide ■ Process
Page 387 and 388:
Page 389 and 390:
360 Part II Usage Guide costs on NU
Page 391 and 392:
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
www.it-ebooks.info
Page 399 and 400:
370 Part II Usage Guide and endpoin
Page 401 and 402:
Page 403 and 404:
Page 405 and 406:
376 Part II Usage Guide adjacent if
Page 407 and 408:
378 Part II Usage Guide Hex2Dec If
Page 409 and 410:
380 Part II Usage Guide his audienc
Page 411 and 412:
www.it-ebooks.info
Page 413 and 414:
384 Part III Troubleshooting—”T
Page 415 and 416:
Page 417 and 418:
Page 419 and 420:
Page 421 and 422:
Page 423 and 424:
Page 425 and 426:
Page 427 and 428:
Page 429 and 430:
Page 431 and 432:
Page 433 and 434:
Page 435 and 436: 406 Part III Troubleshooting—”T
Page 467 and 468: 438 AdInsight AdInsight (continued)
Page 469 and 470: 440 BgInfo BgInfo (continued) Rich
Page 471 and 472: 442 DebugView DebugView (continued)
Page 473 and 474: 444 events events (continued) filte
Page 475 and 476: 446 HKLM\System\CurrentControlSet\C
Page 477 and 478: 448 malware malware (continued) Aut
Page 479 and 480: 450 paging files, defragmenting pag
Page 481 and 482: 452 Process Monitor (Procmon) Proce
Page 483 and 484: 454 PsShutdown PsShutdown (continue
Page 485: 456 Security Reference Monitor Secu
Page 489 and 490: 460 unhandled exceptions, process d
Page 491 and 492: 462 Windows 7 Windows 7 (continued)
Page 493 and 494: www.it-ebooks.info
Page 495 and 496: www.it-ebooks.info
Page 497: What do you think of this book? We
show all

Windows sysinternals

Create successful ePaper yourself

Delete template?

Save as template?