Categories
Best Practices Enterprise Tech Featured Microsoft Tools

Top Ten Tips and Troubleshooting with Process Explorer Tool

The Process Explorer tool from SysInternals gives you a complete overview of the processes currently running on your PC, along with who invoked each one and how many system resources it is consuming. The tool is essential when you want to identify which program has a particular file or directory open. In this article, you will learn 10 best practices and tips that will help you use this tool better.

A process is a container for a set of resources, including one or more threads. A process itself never consumes a CPU; it is the threads inside the process that consume system resources such as CPU and memory. Every process has at least one thread. Using this tool, you can also determine which thread of a process is consuming CPU.

Some of the benefits this tool gives you:

  • Displays the parent/child relationships between processes
  • Highlights processes differently based on their source and state
  • Lets you customize columns to suit specific needs, such as analyzing CPU performance or threads
  • Tons of options to play around with..!

Tip 1: Process Explorer Parameters – Create a startup or desktop shortcut to the executable (procexp.exe) and add the parameters /t /e to it.

Process Explorer - Parameters

/t makes the executable start minimized and /e makes it run elevated. Since most of the time you also want to see the system processes, it makes sense to run the tool elevated.

Process Explorer - System Tray

When you invoke this shortcut, Process Explorer runs in the system tray as shown below. Just double-click the tray icon to bring it up.

Tip 2: Configuring the Options – Go to the Options menu and select Hide When Minimized and Allow Only One Instance. The first option makes the program minimize to the tray even when you click the X close button. Sometimes you tend to invoke the shortcut more than once, thinking that Process Explorer is not running; selecting Allow Only One Instance prevents multiple entries of procexp from appearing in the Process Explorer window.

Process Explorer - Hide When Minimized

Tip 3: Configure Symbols – When you open any process and go to the Threads tab, you will see odd hexadecimal addresses in the Start Address column. These are not helpful while troubleshooting. You need to resolve them to meaningful names, and that is where configuring symbols is useful.

Process Explorer - Hexa Thread Definitions

Go to the Options menu and click Configure Symbols.

Process Explorer - Configure Symbols

You will need to install the Windows Debugging Toolkit so that you can configure the path to its dbghelp.dll. Also configure the symbol path to include both a local symbol cache and an internet symbol server. For more information read here – http://www.microsoft.com/whdc/devtools/debugging/debugstart.mspx

Process Explorer - Configure Symbol Paths

Once you do this, the hexadecimal addresses are resolved to meaningful names, which makes understanding and troubleshooting far more effective. You can see the result in the Start Address column now.

Process Explorer - Meaningful Thread Definitions

Tip 4: Highlighting Colors – Go to the Options menu and select Configure Highlighting. Using this option, you can customize the colors assigned to certain kinds of processes. By default, pink is used for processes hosting one or more Win32 services, yellow for processes that use the .NET Framework, and light blue for processes running under the same user account as Process Explorer.

Configure Highlighting of Processes

Tip 5: Configure Difference Highlighting Duration – Set the duration to 5 or more seconds. This is an important tip that helps you distinguish the events as they happen. The color association stays on the process for 5 seconds: for example, every newly started process is shown in green and every process that exits is shown in red, and each remains in the Process Explorer list for at least 5 seconds with that color code so that you can see it and diagnose what happened.

Configuring highlighting Duration

Tip 6: Verifying Processes – Double-clicking any process opens its Properties dialog, which gives you complete information about that particular process: its parent process, who invoked it, at what time, what architecture it is (32/64-bit), and so on. Notice that in the screenshot this executable shows as not verified, even though it comes from Microsoft Corporation. Verifying processes helps you determine whether a process is signed to run on this particular edition of the OS. For example, if your machine's performance is sluggish, you might run the verification and check whether any of the executables, such as antivirus components, are not suited to your PC.

Analyzing a Process Image

Go to the Options menu and select Verify Image Signatures. This starts the verification. Now right-click any column header and add the Verified Signer column. You will start seeing all the processes along with their verified status.

Verified Processes
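The Verified Signer column can be approximated from PowerShell when you want to script the check or compare several machines. The function below is an added example written for this article, not Process Explorer's own code or a Sysinternals tool; it relies on the built-in Get-AuthenticodeSignature cmdlet and assumes an elevated Windows PowerShell 5.1 (or later) session so that the image paths of system processes are readable.

```powershell
# Added example: report the signature status of every running process image,
# in the spirit of Process Explorer's "Verified Signer" column. Run elevated.

function Get-ProcessSignatureReport {
    [CmdletBinding()]
    param(
        # Return only images whose signature did not verify.
        [switch]$UnsignedOnly
    )

    # Group processes by image path so each binary is checked once, however many
    # instances of it are running. Processes whose path is not readable are skipped.
    $groups = Get-Process | Where-Object { $_.Path } | Group-Object -Property Path

    foreach ($g in $groups) {
        $path = $g.Name
        $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig) { continue }

        # SignatureStatus values include Valid, NotSigned, HashMismatch, NotTrusted,
        # UnknownError and NotSupportedFileFormat.
        $status = $sig.Status.ToString()
        if ($UnsignedOnly -and $status -eq 'Valid') { continue }

        [pscustomobject]@{
            Status     = $status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            IsOSBinary = $sig.IsOSBinary       # true when Windows itself vouches for the file
            PIDs       = ($g.Group | ForEach-Object { $_.Id }) -join ','
            Image      = $path
        }
    }
}

# Usage: full report, then only the images that need a closer look.
Get-ProcessSignatureReport | Sort-Object -Property Status, Image | Format-Table -AutoSize
Get-ProcessSignatureReport -UnsignedOnly | Format-List
```

Windows components are usually catalog-signed and show up as Valid with IsOSBinary set; an image reported as NotSigned or HashMismatch is the one to correlate with the Properties dialog information from this tip (parent process, invoking user, start time) before deciding what to do with it.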

Tip 7: Process Identification – Sometimes there are many processes running on your PC (for example, many instances of the same application), and in that case it is difficult to identify the associated process entry in Process Explorer. That is exactly where the magnifier comes to your help. Hold down the magnifier button and it lets you pick any window open on your PC. Drop the magnifier on the window you want to identify, and the corresponding process is highlighted in Process Explorer.

Magnifier Process Identifier

Tip 8: DLL/Header View – Select a process and press Ctrl+D to show the DLL view in the lower pane (hidden by default). Ctrl+H shows the headers currently accessed by the process. This helps you understand the components used by a process. You can also search for a DLL or a header using the Search option. For example, if your process ever encountered a failed delete, searching for 'delete' will give you more information on what gets called and which file your process tried to delete. Hovering over any process in Process Explorer shows you all the Win32 services running in it.

Ctrl+D for DLL View –

Process Explorer - DLL View

Ctrl+H for Header View –

Process Explorer - Headers View

Tip 9: Performance Graphs – Double-clicking the graph in the toolbar opens the performance graph. The red color shows kernel mode and the green shows the transition between kernel and user mode. If you are running a multi-core PC, choose 'Show One Graph per CPU'. This helps you manage tasks and lets you decide whether to set a process's affinity to a single CPU (right-click a process and choose Set Affinity to pin it to any of the CPUs).

Set Processor Affinity

System Information - Performance Graph

Tip 10: Configure Columns – In the Process Explorer window, right-click a column header to add new columns. To analyze an executable's or a process's performance, add Threads, CPU Usage, Context Switch Delta and CPU Cycles Delta. This helps you identify which process has the most threads and is consuming the most CPU. Based on your analysis, you can choose to terminate it to restore system performance.

Process Performance
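The same information these columns surface (parent/child relationships, thread counts, CPU consumption, and the per-thread CPU time the introduction mentions) can be gathered from PowerShell when you want to log it or compare it over time. The script below is an added example, not code from the article or from Sysinternals; it joins Win32_Process (which carries the parent PID and executable path) with Get-Process (which carries thread objects and CPU times). Context switch and CPU cycle deltas are not exposed by these cmdlets, so CPU seconds, handle count and working set are reported instead. Assumes Windows PowerShell 5.1 or later, run elevated so that system processes are readable.

```powershell
# Added example: parent/child, thread count and CPU usage per process,
# plus the busiest threads of one process. Run elevated.

function Get-ProcessOverview {
    [CmdletBinding()]
    param([int]$Top = 15)

    # Index Get-Process results by PID so they can be joined with Win32_Process.
    # Win32_Process reports PIDs as UInt32, Get-Process as Int32, hence the casts.
    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $proc = $byPid[[int]$_.ProcessId]
        if (-not $proc) { return }          # exited between the two snapshots
        $parent = $byPid[[int]$_.ParentProcessId]

        [pscustomobject]@{
            PID          = $_.ProcessId
            Name         = $_.Name
            ParentPID    = $_.ParentProcessId
            ParentName   = if ($parent) { $parent.ProcessName } else { '<exited or unknown>' }
            Threads      = $proc.Threads.Count
            Handles      = $proc.HandleCount
            CPUSeconds   = if ($proc.CPU) { [math]::Round($proc.CPU, 2) } else { 0 }
            WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            Path         = $_.ExecutablePath
        }
    } | Sort-Object -Property CPUSeconds -Descending | Select-Object -First $Top
}

function Get-BusyThreads {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [int]$Top = 5
    )

    # Threads, not processes, consume CPU: rank this process's threads by the
    # processor time they have accumulated. StartAddress is the raw address that
    # Process Explorer resolves to a symbol once symbols are configured (Tip 3).
    (Get-Process -Id $ProcessId).Threads |
        Sort-Object -Property { $_.TotalProcessorTime } -Descending |
        Select-Object -First $Top -Property Id, ThreadState,
            @{ Name = 'CPUSeconds';   Expression = { [math]::Round($_.TotalProcessorTime.TotalSeconds, 2) } },
            @{ Name = 'StartAddress'; Expression = { '0x{0:X}' -f $_.StartAddress.ToInt64() } }
}

# Usage: the top CPU consumers, then the threads behind the hottest one.
$overview = Get-ProcessOverview
$overview | Format-Table -AutoSize
Get-BusyThreads -ProcessId $overview[0].PID | Format-Table -AutoSize
```

A process whose parent has already exited shows as '<exited or unknown>', which is the same situation Process Explorer shows when it cannot draw a process under its parent in the tree.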

Are you aware of any other worthwhile tip on this tool? If yes, drop in as a comment here and I shall feature it in this article appropriately!


How To Enable System Boot Time Logging using Process Monitor Tool

How many times have you faced issues with slow or long boot times on your PC? Does it happen only on your computer? There could be many reasons for this: too many startup processes, Run keys, and sometimes even malware executables.

Your troubleshooting job would be much easier if you could see what really happens when your PC boots. The Process Monitor tool from SysInternals helps you do exactly that. The tool can also be used to capture other process and file-access information; however, in this post we will look at its boot logging capabilities.

First download the executable from the SysInternals site. If you run into the Security Warning message, check this tip to fix it.

Step 1: Run procmon.exe, go to the Options menu and click Enable Boot Logging.

Enable Boot Logging

Step 2: This brings up the boot logging options shown below. You can choose to enable profiling events if you need them.

Boot Logging Options

Step 3: Now reboot your PC. When the machine restarts, Process Monitor records all the processes and applications invoked during system boot and writes them to a dump file.

Step 4: Run procmon.exe again. You will see the dialog below, which tells you that a log of the boot-time activity was created by the previous instance of Process Monitor. To save the collected data, press the Yes button.

Boot Time Activity Logs

Step 5: The file is initially saved as a dump file in C:\Windows; you will need to convert it to a Process Monitor Log (.pml) file. Save the log file using the dialog below, which starts converting the dump file to a .pml file.

Saving Procmon Log - Dump to Log File

Converting Boot-time Event Data

Once the Log is converted, it will open in the Process Monitor tool.


Here you get an idea of all the applications and processes that were executed during system boot. This report helps you identify which process was invoked by whom and how much time it took to complete. You can also identify any malware running on your PC that is affecting your system boot.

Logs for System Boot

Step 6: You can filter these reports; when you click any entry you get the dialog below, which gives you a complete snapshot of the process attributes: who invoked it, its architecture, the parent process ID, and, through the Stack tab, where the process transitioned from user mode to kernel mode.

Event Properties
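Once the boot log is saved, the questions the Event Properties dialog answers one event at a time (which process ran, who started it, how long it was active, what failed) can be answered in bulk by exporting the log to CSV (File > Save, CSV format, with Procmon's default columns; the /OpenLog and /SaveAs command-line switches do the same non-interactively) and summarizing it with PowerShell. The function below is an added example, not part of this post or of Process Monitor. The CSV rows embedded in it are constructed sample data laid out in Procmon's default columns so the function can be tried without a real boot log; replace them with Import-Csv on your exported file.

```powershell
# Added example: summarise a Process Monitor boot log exported to CSV.
# Default Procmon CSV columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail.

function Get-BootLogSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Events)

    # "Process Start" events carry "Parent PID: <n>, Command line: ..." in Detail,
    # which is how Procmon answers "who invoked it".
    $parentOf = @{}
    $cmdLine  = @{}
    $nameOf   = @{}
    foreach ($e in $Events) {
        $nameOf[$e.PID] = $e.'Process Name'
        if ($e.Operation -eq 'Process Start') {
            if ($e.Detail -match 'Parent PID:\s*(\d+)') { $parentOf[$e.PID] = $Matches[1] }
            if ($e.Detail -match 'Command line:\s*(.+?)(,\s*Current directory:.*)?$') { $cmdLine[$e.PID] = $Matches[1] }
        }
    }

    $Events | Group-Object -Property PID | ForEach-Object {
        $rows  = @($_.Group | Sort-Object -Property { [datetime]::Parse($_.'Time of Day') })
        $first = [datetime]::Parse($rows[0].'Time of Day')
        $last  = [datetime]::Parse($rows[-1].'Time of Day')
        $ppid  = $parentOf[$_.Name]
        [pscustomobject]@{
            PID         = $_.Name
            Process     = $rows[0].'Process Name'
            ParentPID   = $ppid
            Parent      = if ($ppid -and $nameOf[$ppid]) { $nameOf[$ppid] } else { '<not in log>' }
            FirstSeen   = $rows[0].'Time of Day'
            ActiveSecs  = [math]::Round(($last - $first).TotalSeconds, 3)
            Events      = $rows.Count
            Failures    = @($rows | Where-Object { $_.Result -ne 'SUCCESS' }).Count
            CommandLine = $cmdLine[$_.Name]
        }
    } | Sort-Object -Property { [datetime]::Parse($_.FirstSeen) }
}

# Constructed sample rows (not a real boot log) in Procmon's default CSV layout.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:01:02.0000000 AM","System","4","Process Start","","SUCCESS","Parent PID: 0, Command line: "
"6:01:02.1500000 AM","smss.exe","300","Process Start","","SUCCESS","Parent PID: 4, Command line: \SystemRoot\System32\smss.exe"
"6:01:02.2000000 AM","smss.exe","300","Load Image","C:\Windows\System32\smss.exe","SUCCESS","Image Base: 0x7ff6a0000000, Image Size: 0x20000"
"6:01:05.5000000 AM","explorer.exe","1204","Process Start","","SUCCESS","Parent PID: 1100, Command line: C:\Windows\Explorer.EXE, Current directory: C:\Windows\system32\"
"6:01:06.0000000 AM","explorer.exe","1204","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdaterHelper","SUCCESS","Type: REG_SZ, Length: 88, Data: C:\Users\alice\AppData\Roaming\UpdaterHelper\helper.exe"
"6:01:06.2500000 AM","helper.exe","2040","Process Start","","SUCCESS","Parent PID: 1204, Command line: C:\Users\alice\AppData\Roaming\UpdaterHelper\helper.exe, Current directory: C:\Users\alice\"
"6:01:06.3000000 AM","helper.exe","2040","CreateFile","C:\Users\alice\AppData\Roaming\UpdaterHelper\config.dat","NAME NOT FOUND","Desired Access: Generic Read"
"6:01:09.9000000 AM","helper.exe","2040","Process Exit","","SUCCESS","Exit Status: 0"
'@

# Usage: with the constructed data here, or with Import-Csv .\bootlog.csv for a real export.
$events = $sampleCsv | ConvertFrom-Csv
Get-BootLogSummary -Events $events | Format-Table -AutoSize
```

In the constructed data the row worth a second look is helper.exe: started by explorer.exe from a Run key, running from a user-profile path, active for about 3.65 seconds with one failed file open. That is exactly the combination of parent, origin and result this post's Step 6 dialog lets you check on a real log, one event at a time.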


How to Remove Security Warning Message – Files Downloaded from Internet

How many times have you seen this dialog when you run a file downloaded from the internet? For example, the Process Explorer message box below. It comes up every time you run the executable. Also, when you open any of the help files from the downloaded suite, you see this 'Navigation Cancelled' dialog.

Issues because of the Security Zone Information

The problem is that when you download a file from the internet using Internet Explorer, it gets tagged with metadata in an alternate data stream that records which IE security zone it came from. Even when you run it from the local file system, Windows remembers that it came from the internet.

Methods to resolve this –

1. The easiest way is to remove the zone information through the file's Properties. Before you extract the zip file, right-click it, select Properties, and click the Unblock button to remove the alternate data stream carrying the security zone information.

Unblock - File Properties

2. The other option is to use a Sysinternals tool called Streams. Streams examines the files and directories you specify and reports the names and sizes of any named streams it finds within those files. Streams makes use of an undocumented native function for retrieving file stream information.

Running streams -d against a file removes the Zone.Identifier stream, and you will no longer see the security warning dialog.

streams - Sysinternals Tool
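The same inspection and cleanup can be done with built-in PowerShell cmdlets, which is handy when you want to audit a whole download folder rather than one file. This is an added example written for this post, not the Streams tool's code; the folder path is a placeholder. It lists the named streams on a file the way Streams does, reports which files still carry a Zone.Identifier stream together with the zone they were tagged with (and the source URL, where a newer browser recorded one), and removes that stream the way streams -d does. Assumes Windows PowerShell 3.0 or later, where the -Stream parameter exists.

```powershell
# Added example: audit and clear Zone.Identifier alternate data streams with
# built-in cmdlets (Windows PowerShell 3.0+).

function Get-NamedStreams {
    # Like streams.exe without -d: every named stream on a file except the
    # unnamed default data stream, which PowerShell reports as ':$DATA'.
    param([Parameter(Mandatory)][string]$Path)

    Get-Item -Path $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object -Property FileName, Stream, Length
}

function Get-DownloadedFiles {
    # Report files under $Folder that still carry a Zone.Identifier stream, with
    # the zone they were tagged with (3 = Internet, 4 = Restricted sites) and the
    # source URL if the browser recorded one (HostUrl / ReferrerUrl lines).
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $lines = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if (-not $lines) { return }        # no zone stream: file was not marked

        $zoneId = $null; $hostUrl = $null; $referrer = $null
        foreach ($line in $lines) {
            if     ($line -match '^ZoneId=(\d+)')      { $zoneId   = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$')     { $hostUrl  = $Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
        }

        [pscustomobject]@{
            File        = $_.FullName
            ZoneId      = $zoneId
            HostUrl     = $hostUrl
            ReferrerUrl = $referrer
        }
    }
}

function Remove-ZoneIdentifier {
    # Equivalent of 'streams -d <file>' for the zone stream only, i.e. what the
    # Unblock button and the Unblock-File cmdlet do. Supports -WhatIf for a preview.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('File')][string]$Path
    )

    process {
        if ($PSCmdlet.ShouldProcess($Path, 'Remove Zone.Identifier stream')) {
            Remove-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        }
    }
}

# Usage (placeholder path): see what is tagged, then unblock only what you trust.
$tagged = Get-DownloadedFiles -Folder "$env:USERPROFILE\Downloads"
$tagged | Format-Table -AutoSize
$tagged | Where-Object { $_.File -like '*\SysinternalsSuite\*' } | Remove-ZoneIdentifier -WhatIf
```

Clearing the stream from everything in a folder would throw away the only record of where those files came from, so the usage filters down to the suite you deliberately downloaded and previews the removal with -WhatIf before doing it for real.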


I’m Speaking at Developer Community Conference 2010, Bangalore.

Bangalore User Group - Bdotnet

Community Conference is a technology event for IT professionals and developers conducted by the user groups in Bangalore. It's the forum to learn, connect, explore, and evolve.

I would recommend attending this event, because you will learn about today's cutting-edge trends, thereby enhancing your work profile and getting ahead of the rest. But the most important benefit of all just might be the networking opportunity that this forum provides… you can build personal connections with Microsoft experts and peers that will last far beyond this event!

As a part of this conference, I will be delivering a talk on Windows Processes and how to use SysInternals tools like Process Explorer and Process Monitor to effectively troubleshoot issues in Windows!

Register for this event here – http://communityconference.eventbrite.com/

Here is the detailed agenda –

Time | Speaker | Session Details
09:30 to 10:15 | Manoj K. Sharma, Corporate Trainer | Windows Azure AppFabric
10:15 to 11:00 | Chaitra Nagraj, Thomson Reuters / Microsoft MVP | New features in WPF4 along with Silverlight4
11:00 to 11:30 | Tea Break / Networking |
11:30 to 12:15 | Vic Parmar, Aditi Technologies / Microsoft MVP | Silverlight, Cloud and WP7
12:15 to 1:00 | Lunch |
1:00 to 1:45 | Tips n Tricks – Your Slot! | Are you interested in showing some tips n tricks or giving a quick 10-minute demo in this slot? Shoot a mail to coreteam[at]bdotnet.in

1. VS2010 IDE tips n tricks by Wriju Ghosh, Microsoft – 10 minutes.
2. Indic & Windows7 by Dr. Pavanaja
3. Building websites using WebMatrix – Lohith GN, Sungard
4. ??

1:45 to 2:30 | Vijay Raj, Microsoft MVP | The power of SysInternals Tools – Processes
2:30 to 3:00 | Tea Break / Networking |
3:00 to 3:45 | Phani, Brainscale / PluralSight | IntelliTrace deep-dive
3:45 to 4:30 | Kaliyan, DELL / Microsoft MVP | Windows XP to Windows7 migration strategies
4:30 to 5:00 | Tea Break / Networking |
5:00 to 5:45 | Ram Prasanna, Microsoft | Microsoft – Tina-Robotics Session

Pluralsight has come out with a fantastic offer for all of those who attend this conference. They are giving out FREE 1-month Standard subscription to Pluralsight On-Demand!. This will give access to all Pluralsight courses for 1 month. That’s not it, 3 Winners will get 1 year subscription which is worth US$1499..!


ZoomIt – An Awesome tool to use while giving Presentations

People who have attended my presentations would have seen me use a tool quite often to zoom into the screen during demos. A few of them have come back to me after the event and asked… what is this cool thing? Is it a new feature in Windows 7? How do I get it running? What are the keyboard shortcuts? etc..

I reckon it would be worth writing a small note about this awesome tool so that other readers benefit from it too! Well, this is not a Windows 7 feature; it is just a 270 KB tool which can run on any version of Windows. This little wonder is called ZoomIt, and it comes from the team that created the wonderful tools in the Sysinternals toolkit!

ZoomIt is a screen zoom and annotation tool for technical presentations that include application demonstrations. Hotkeys control the zoom and the annotations. ZoomIt runs in the system tray and is activated whenever you press the hotkeys. Once you zoom into an area, you can move around, draw annotations, and even draw images to showcase a particular section.

ZoomIt - Focusing on a segment of desktop

You can also change the hotkeys for this application; however, the default keys are quite user-friendly. Here are the default key combinations.

  • Ctrl + 1 -> Zooms into the screen. This is an image zoom, so you cannot interact with any text or button in it. You can zoom in and out and do all the annotations such as writing, drawing, highlighting text, etc. (check the image beside).
  • Ctrl + 2 -> Does not zoom into the screen, but makes your desktop ready for annotations. You can write and draw! (See below for the types of annotations you can make.)
  • Ctrl + 4 -> Gives you live zoom. (This works only if Aero is enabled on your Vista / Windows 7 machine.)

To come out of a zoomed state or an annotated screen, just press the ‘Esc’ key!

In the screenshot below, I have showcased the annotation features of ZoomIt. Once you zoom (i.e., Ctrl+1) or press Ctrl+2, you can do all of the following:

ZoomIt Annotation Demo

  • Draw an arrow to make a point (Ctrl+Shift+Click and move your mouse to draw)
  • Write free text as well (just click your mouse and start dragging to write; if you have a tablet PC, you can also write using the pen!)
  • Draw a straight line (Shift+Click and move your mouse to draw)
  • Highlight a section of code using the rectangle box to showcase a section; in the screenshot below I drew boxes for this (Ctrl+Click and move your mouse to draw)
  • Change the color of your annotations (press 'r' for red, 'b' for blue, 'g' for green, 'y' for yellow and 'p' for pink)
  • If you want a completely clean screen to write something and show to the audience, instead of running notepad.exe and bringing up a whiteboard, press 'w' for a whiteboard or 'k' for a blackboard

ZoomIt can be downloaded here. You can also choose to run these tools live from – http://live.sysinternals.com/

ZoomIt works on all versions of Windows, so do give it a try now. Hope this quick little tip was useful!


SysInternals tools – March Update

This blog post summarizes the updates made to the following SysInternals tools.

AdExplorer v1.3: This update to AdExplorer, an Active Directory editor, has major node expansion performance improvements and a number of minor bug fixes.

VMMap v2.6: VMMap, a powerful process virtual and physical memory analysis tool, now shows both graphical and numeric breakdowns of private virtual memory, as well as heap configuration flags.

Disk2vhd v1.5: Disk2Vhd v1.5 works with Hyper-V SCSI direct-attached volumes and reports an error when a snapshot includes offline volumes.

LiveKd v3.14: This version of LiveKd has better detection of the Debugging Tools package installation and launches the debugger in a mode that skips the unnecessary root-cause analysis of the virtual dump file.

Sigcheck v1.66: This update to Sigcheck, a file version and signature checking utility, fixes a bug in the certificate revocation check logic.

VMMap v2.61: This fixes a minor bug in the calculation of the Unknown category total.

You can also run these tools directly from the web – http://live.sysinternals.com/

Courtesy: SysInternals Blog


SysInternals tools – December Update

This blog post summarizes the updates made to the following SysInternals tools.

VMMap v2.5: This update to VMMap, a process memory analysis utility, now identifies thread environment blocks (TEBs), the process environment block (PEB), and reserved memory.

Disk2vhd v1.4: Now includes an option for Windows XP and Windows Server 2003 that directs it to fix up the kernel and HAL to make the VHDs generated for these systems bootable in Virtual PC. It also skips sectors with CRC errors to enable the conversion of systems with failing disks.

Sigcheck v1.63: Instead of reporting ‘unsigned image’ for all signature check failures, Sigcheck now reports specific errors, such as the root not being trusted and the signing chain not being valid.


Autoruns v9.57: Now reports more group policy script entries.

PsExec v1.97: This update to PsExec fixes the interactive (-i) switch for Windows XP and a bug in the copy-to-remote (-c) switch that would sometimes prevent the copy from succeeding.

PsKill v1.13:  Fixes a bug in the process tree termination logic.

You can also run these tools directly from the web – http://live.sysinternals.com/


Sysinternals team announced a new tool, Disk2vhd v1.0

The Sysinternals team announced a new tool, Disk2vhd, that simplifies the migration of physical systems into virtual machines (p2v).

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).

You can download the tool here

For more information on this tool, refer here – http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx


Mark Talks About Windows 7 and Windows Server 2008 R2 at Intel Developer Forum

Mark gave a joint presentation with Shiv Kaushik, an Intel Fellow, at the Intel Developer Forum in San Francisco on how Microsoft and Intel collaborated during development to make sure that Windows takes advantage of new Intel processor features and enhancements.

In this presentation, Mark speaks about the core OS enhancements that leverage the new processor features and improve performance. They also discuss how Intel collaborates to deliver the best Windows 7 experience with regard to energy efficiency, performance, security, scalability and reliability.

You can view the video and the presentation here – http://intelstudios.edgesuite.net/idf/2009/sf/ti/day1/ss/f.htm