ADMIN

Recommendations

Info

Management Sysinternals System monitoring with Sysinternals Health Check © Denis Tevekov, 123RF.com Administrators don’t need a massive arsenal of tools just to monitor a couple of systems. With Microsoft’s free Sysinternals suite, admins can handle all sorts of tasks. By Thomas Joos The Sysinternal tools are free tools from Microsoft that can help Windows administrators handle many tasks. This article introduces the Sysinternal tools that are useful for system monitoring. All of the tools described here can be downloaded free of charge from the Microsoft site [1], either as individual downloads or as part of the Sysinternals suite. One advantage of the Sysinternals utilities is that you don’t need to install them, so they can be launched conveniently from a USB stick. When launched for the first time, the programs display a license dialog; you can suppress this dialog with the /accepteula option, which can be useful in scripting. Unfortunately, this option does not work for all of the Sysinternal tools. The programs only run on a Windows system as of Windows 2000 Server. For this article, I used Windows Server 2008 R2 and Windows 7. Windows Server 2008 R2, Windows Server 2008, Windows Vista, and Windows 7 do not support access to the hidden System $ shares such as C$, or admin$ as easily as Windows XP or Windows Server 2003; the computers do not belong to a Windows domain because the new operating systems block access to administrative shares by authentication of local user accounts. Some Sysinternal tools, such as PSInfo.exe, require access to the admin share and thus will not work at first. To allow access, you must enable local logins to administrative shares in the Registry of standalone computers. To do so, launch the Registry Editor by typing regedit, then navigate to HKEY_LOCAL_MACHINE\SOFT‐ WARE\Microsoft\Windows\CurrentVersion\Policies\System. Create a new Dword entry with the label LocalAccountTokenFilterPolicy, set the value to 1, then restart the computer. LDAP Microscope Insight for Active Directory, also known as AdInsight, lets you monitor the LDAP connections on a domain controller in real time with a GUI. The user interface is similar to the Sysinternal tools Regmon and Filemon. The tool investigates calls to the wldap32.dll file, which most programs, including Exchange, use for LDAP-based access to Active Directory per LDAP. AdInsight lists all requests including those that are blocked. This gives administrators an easy option for analyzing authentication problems with Active Directory-aware programs and identifying clients and servers that set up a connection to the domain controller. AdInsight logs all requests issued to domain controllers and stores them as an HTML report or text file for troubleshooting purposes. The logfile contains the client request and responses that the client received via LDAP. AdInsight also logs access to system services (Figure 1). When a program such as Exchange accesses the domain controller, the window fills with information; then, you can right-click to display details of the individual entries, as well as filter the display via the menu. The display also includes the name of the accessing user. Unfortunately, AdInsight only lets you monitor local access; over-the-wire diagnostics via remote access are not supported. However, AdInsight’s search function does let you filter by process, error, or request response. The tool selects the response to let you perform specific monitoring. 74 Admin 01 www.admin-magazine.com
Sysinternals Management AdInsight also supports automated deployment and offers a variety of options for this. One useful automation feature is the ability to write the log to a file without displaying the events in the GUI. AdInsight runs on Windows 2000 Server or newer and includes a help file, which can be a useful aid for tasks that require more thorough analysis. Filesystem, Registry, Processes The Process Monitor provides a graphical user interface for monitoring and color-tagging the filesystem, registry, and process/thread activity in real time. The tool combines two programs standard to Sysinternals: Filemon and Regmon. With a click of the button, you can enable and disable the individual monitoring options and restrict your monitoring of registry and filesystem access and process calls to an area in which you are interested. Process Monitor is a valuable aid for monitoring stability and identifying bottlenecks; it is capable of logging all read and write access to the system and its media. Additionally, it displays comprehensive data on any process or thread that is launched or terminated. Also, you can monitor any TCP/IP connections that are opened, as well as UDP traffic. Note that Process Monitor does not save the content of the TCP packets or payload data; it is not specifically designed for network monitoring. If that is what you need, you might prefer a tool such as Wireshark [2]. The Process Monitor tool is also extremely useful for troubleshooting local connection and privilege problems (Figure 2). If needed, it can display additional information on active processes (e.g., their DLL files or the parameters set when the process was launched). The filter function allows you to reduce the volume of data output generated by Process Monitor. For example, it lets you hide any processes with a specific string in their names, without filtering out registry Figure 1: AdInsight helps you investigate LDAP access to domain controllers. to use and does not have an extended learning curve. Process Explorer takes things a step further than Process Monitor, in that Process Explorer lists all the processes in a window and includes more detailed information on the current process, such as access to directories (Figure 3). In DLL View mode, the tool shows which libraries are used and where they originated. The process menu contains a Restart entry that first kills a process and then restarts it. Also, you can temporarily stop individual threads and highlight processes in different colors. Process Explorer nests in the taskbar, which provides an atentries that contain the same string. Additionally, you can enable multiple filters at the same time and save the configuration. For more efficient diagnostics, you might want to save the logfile and then load it for analysis, applying additional filters as needed. The Tools menu gives you a selection of preconfigured views. Process Monitor can also monitor the boot process on a server because it launches at a very early stage. You can redirect all the output to a file. If Windows fails to boot, analysis of the output file gives you a fast way to identify the issue. Just like all Sysinternal tools, Process Monitor is easy Figure 2: Monitoring processes, the registry, and filesystem access with Process Monitor. www.admin-magazine.com Admin 01 75
Page 1 and 2:
ADMIN Network & Security Rescue CD
Page 3 and 4:
Welcome to Admin WELCOME ALL FOR AD
Page 5 and 6:
Table of Contents SERVICE 8 Spacewa
Page 7 and 8:
POWERHOUSE PERL 11 cool projects! F
Page 9 and 10:
Spacewalk Features configuration fi
Page 11 and 12:
Spacewalk Features Figure 2: Assign
Page 13 and 14:
Spacewalk Features kickstart profil
Page 15 and 16:
Icinga Features Table 1: States Opt
Page 17 and 18:
Icinga Features ministrators only n
Page 19 and 20:
Icinga Features Figure 6: Network o
Page 21 and 22:
MySQL Forks and Patches Features th
Page 23 and 24: MySQL Forks and Patches Features In
Page 25 and 26: Exchange 2010 Features © peapop, F
Page 27 and 28: they can now synchronize text messa
Page 29 and 30: Backup Software Features data. One
Page 31 and 32: Backup Software Features tended), l
Page 33 and 34: Backup Software Features Two “wiz
Page 35 and 36: Backup & Disaster Recovery Georgeto
Page 37 and 38: OCFS2 Tools ing. OCFS2 is fairly si
Page 39 and 40: OCFS2 Tools F Figure 2: Unspectacul
Page 41 and 42: To do this, you need to change the
Page 43 and 44: Synergy Tools Figure 1: Synergy as
Page 45 and 46: SystemTap Tools The SystemTap [3] t
Page 47 and 48: SystemTap Tools Instead of searchin
Page 49 and 50: Package Your Scripts Virtualization
Page 51 and 52: Linux Magazine ACADEMY curl U http:
Page 53 and 54: openVz VirtuAlizAtion live migratio
Page 55 and 56: OpenVZ Virtualization a number of c
Page 57 and 58: OpenVZ Virtualization OpenVZ kernel
Page 59 and 60: AND SAVE 30%! ADMIN Network & Secur
Page 61 and 62: Virtual Machine Manager Virtualizat
Page 63 and 64: Virtual Machine Manager Virtualizat
Page 65 and 66: Teamviewer Management and be contro
Page 67 and 68: NOV. 7-12 2010 24th Large Installat
Page 69 and 70: Chef Management Server Provides rec
Page 71 and 72: Chef Management ‐r http://s3.amaz
Page 73: Chef Management Figure 5: The clien
Page 77 and 78: Sysinternals Management Name Table
Page 79 and 80: PAM and Hardware Nuts and Bolts Fig
Page 81 and 82: November 13-19, 2010 • Ernest N.
Page 83 and 84: PAM and Hardware Nuts and Bolts to
Page 85 and 86: ON NEWSSTANDS NOW ! UBUNTU USER MAG
Page 87 and 88: modSecurity nutS And boltS complex
Page 89 and 90: ModSecurity Nuts and bolts Insider
Page 91 and 92: REAL SOLUTIONS FOR REAL NETWORKS Ea
Page 93 and 94: Daemon Monitoring Nuts and Bolts Fi
Page 95 and 96: VPns with SSTP nuTS And BoLTS Hands
Page 97 and 98: VPNs with SSTP Nuts and Bolts Figur
Page 100: DEDICATED SERVERS £59 FROM PER MON
show all

ADMIN

Create successful ePaper yourself

Delete template?

Save as template?