virtual techdays INDIA │ august 2010 Windows Sysinternals Primer: Process Explorer, Process Monitor & More Tools Aviraj Ajgekar │ Regional Site Manager │ Microsoft Corporation │

 Introduction to Sysinternals  Process Explorer  Process Monitor  PsExec  Additional Sysinternals Utilities - Demo virtual techdays INDIA │ august 2010 S E S S I O N A G E N D A

 High quality, advanced diagnostic and troubleshooting tools  Single executable package, no install needed  Free!  Authored by Mark Russinovich and/or Bryce Cogswell  Quick turnaround/update cycle  Limited support virtual techdays INDIA │ august 2010 Introduction To Sysinternals

  Redirects to technet.microsoft.com  Sysinternals Suite contains all the tools in one zip file  Site blog announces all updates   Run directly from the web: Sysinternals Live  or  \\live.sysinternals.com\tools\procmon.exe \\live.sysinternals.com\tools\procmon.exe  UNC syntax requires WebClient service  Videos on troubleshooting with the tools virtual techdays INDIA │ august 2010 Sysinternals Website Features

virtual techdays INDIA │ august 2010 Ever See This? Or this?

virtual techdays INDIA │ august 2010 Tip: Unblock before extracting (Remote Zone Information)

 What is a process?  Task Manager – The Good, The Bad, The Ugly  Demo’s virtual techdays INDIA │ august 2010 Processor Explorer

What is a Process? A process is a container for a set of resources, including one or more threads. Threads – not processes – do the work and consume CPU, memory, etc Every process has at least one thread One or More threads Open handles Security Tokens Virtual Memory Address space

 The good  Great for users of limited technical knowledge.  High level flat list of processes, services, users and system performance.  The bad  Doesn’t show path to executable.  Doesn’t show fractional CPU.  The ugly  Doesn’t show multi purpose processes.  Example: svchost.exe  Doesn’t show what might be causing a process to misbehave.  Doesn’t distinguish the different types of processes.  Doesn’t show threads virtual techdays INDIA │ august 2010 Task Manager The good, the bad, the ugly

 The Good  Parent/Child Relationships  “Peer” into processes  The Better  Options galore  Process Highlighting  The Best  Customized Columns  Threads  CPU, Context Switch Delta, Cycles Delta  Determine which thread is consuming CPU virtual techdays INDIA │ august 2010 Process Explorer The good, the better, the best

virtual techdays INDIA │ august 2010 DEMO: Process Explorer Aviraj Ajgekar │ Microsoft Corporation

 Process Explorer shows a moving snapshot  Process Monitor is a logging utility  Captures detailed info about:  All registry activity  All file system activity  Process and thread events, including DLL load  Network activity  Periodic process profiling data virtual techdays INDIA │ august 2010 Process Monitor

 Save results for viewing elsewhere  Can log boot activity  Advanced filtering capabilities  Filters can be saved and exported  Analysis tools for data mining  Command-line scriptable  Highly scalable virtual techdays INDIA │ august 2010 Process Monitor Features

Process Monitor Event Detail

virtual techdays INDIA │ august 2010 DEMO: Process Monitor Aviraj Ajgekar │ Microsoft Corporation

 Execute processes on remote computers  Redirected console I/O  Remote-enable console apps  Execute processes as System virtual techdays INDIA │ august 2010 PsExec

PsExec Syntax psexec [Computers] [Options] command [arguments] Computers = \\computer[,computer2[,...]] or \\* Alternate credentials (optional): -u username [-p password]

PsExec Alternate Credentials [-u username [-p password]]  Can omit -p: it prompts you, doesn’t echo Used twice: 1.To authenticate to the remote computer 2.To create a new logon on the remote computer  #2 puts the credentials on the wire in the clear  Required for remote access when:  Current account is not admin on the remote, or  Remote process needs to access network, or  Remote process needs to run interactive

PsExec Options (Eye chart) OptionDescription -dDon’t wait for the process to terminate. Process Performance Options -background -low -belownormal -abovenormal -high -realtime Run the process at a different priority. -a n,n…Specify the CPUs on which the process can run. Remote Connectivity Options -c [-f|-v] Copies the specified program from the local to the remote system. If you omit this option, the application must be in the system path on the remote system. Adding -f forces the copy to occur; -v performs a version or timestamp check and copies only if the source is newer. -n secondsSpecifies timeout in seconds connecting to remote computers. Runtime environment options -sRun the process in the System account. -i [session]Run the program on an interactive desktop. -xRun the process on the Winlogon secure desktop. -w directorySet the working directory of the process. -eDoes not load the specified account’s profile. -hUse the account’s elevated context, if available. -lRun the process as a limited user.

virtual techdays INDIA │ august 2010 DEMO: PsExec Aviraj Ajgekar │ Microsoft Corporation

PsExec Tips Don’t forget /accepteula Remoted Sysinternals utilities will hang Things you can’t do in a redirected console: CLS MORE Text coloring Tab completion PowerShell v1

Run Procmon Past Logoff Non-interactively, with PsExec -s Must specify a backing file Must not have user interaction Procmon must exit cleanly To start: PsExec -s -d Procmon.exe /AcceptEula /Quiet /BackingFile C:\Procmon.pml To stop: PsExec -s -d Procmon.exe /AcceptEula /Terminate

virtual techdays INDIA │ august 2010 DEMO: Sysinternals Utilities such as Disk2VHD & More Aviraj Ajgekar │ Microsoft Corporation

Additional Resources Mark Russinovich’s blog: – Blog posts and utilities by Aaron Margosis – – Aviraj Ajgekar’s Blog –

question & answer

virtual techdays THANKS │ august │Blog: Thank You