virtual techdays INDIA │ 18-20 august 2010
Windows Sysinternals Primer: Process Explorer, Process Monitor & More Tools
Aviraj Ajgekar │ Regional Site Manager │ Microsoft Corporation
http://blogs.technet.com/aviraj │ Email [email protected]
Session Agenda
• Introduction to Sysinternals
• Process Explorer
• Process Monitor
• PsExec
• Additional Sysinternals Utilities – Demo
Introduction To Sysinternals
• High quality, advanced diagnostic and troubleshooting tools
• Single executable package, no install needed
• Free!
• Authored by Mark Russinovich and/or Bryce Cogswell
• Quick turnaround/update cycle
• Limited support
Sysinternals Website Features
• http://www.Sysinternals.com redirects to technet.microsoft.com
• Sysinternals Suite contains all the tools in one zip file
• Site blog announces all updates: http://blogs.technet.com/Sysinternals
• Run directly from the web: Sysinternals Live
  – http://live.sysinternals.com/procmon.exe, or \\live.sysinternals.com\tools\procmon.exe
  – UNC syntax requires the WebClient service
• Videos on troubleshooting with the tools
Ever See This? Or this?
Cause: Security Zone info attached to file
Tip: Unblock before extracting (Remote Zone Information)
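As an added example (not part of the deck), the PowerShell below reads the Zone.Identifier stream that carries the remote zone information, unblocks the downloaded suite before extracting it, and then audits the extracted folder for files still marked; the zip and destination paths are assumptions.

```powershell
# Added example, not from the deck. Paths are assumptions.
$ZipPath = "$env:USERPROFILE\Downloads\SysinternalsSuite.zip"
$DestDir = "$env:USERPROFILE\Tools\Sysinternals"

function Get-ZoneInformation {
    param([Parameter(Mandatory)][string]$Path)
    # Downloads carry an NTFS alternate data stream named Zone.Identifier;
    # a file that was never marked has no such stream, so Get-Item returns nothing.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($null -eq $stream) { return $null }
    # Typical content: "[ZoneTransfer]" followed by "ZoneId=3" (3 = Internet zone)
    return Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
}

$zone = Get-ZoneInformation -Path $ZipPath
if ($zone) {
    Write-Host "Zone information attached to $ZipPath`n$zone"
    # Unblocking the archive itself, before extraction, is the tip on the slide:
    # it avoids having to unblock every extracted tool one by one.
    Unblock-File -LiteralPath $ZipPath
}
Expand-Archive -LiteralPath $ZipPath -DestinationPath $DestDir -Force

# Audit: any extracted file still carrying the stream would trigger the warning
Get-ChildItem -LiteralPath $DestDir -Recurse -File |
    Where-Object { Get-ZoneInformation -Path $_.FullName } |
    Select-Object -ExpandProperty FullName
```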
Process Explorer
• What is a process?
• Task Manager – The Good, The Bad, The Ugly
• Demos
What is a Process?
A process is a container for a set of resources, including one or more threads. Threads – not processes – do the work and consume CPU, memory, etc. Every process has at least one thread.
Resources held by a process (diagram): one or more threads; open handles; security tokens; virtual memory address space.
Task Manager: the good, the bad, the ugly
• The good: great for users of limited technical knowledge. High-level flat list of processes, services, users and system performance.
• The bad: doesn't show the path to the executable. Doesn't show fractional CPU.
• The ugly: doesn't show multi-purpose processes (example: svchost.exe). Doesn't show what might be causing a process to misbehave. Doesn't distinguish the different types of processes. Doesn't show threads.
Process Explorer: the good, the better, the best
• The good: parent/child relationships; "peer" into processes
• The better: options galore; process highlighting
• The best: customized columns. Threads: CPU, Context Switch Delta, Cycles Delta. Determine which thread is consuming CPU.
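As an added example (not part of the deck), this PowerShell function pulls the details the Task Manager slide says are missing and the Process Explorer slide says are shown: image path, thread count, the thread with the most CPU time, and, for multi-purpose hosts such as svchost.exe, the services running inside. Run it elevated to see paths of processes owned by other users.

```powershell
# Added example, not from the deck. Uses only built-in cmdlets.
function Get-ProcessDetail {
    param([string]$Name = 'svchost')

    # Map PID -> hosted service names once (Win32_Service carries ProcessId)
    $svcByPid = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.ProcessId -ne 0) { $svcByPid[[int]$svc.ProcessId] += @($svc.Name) }
    }

    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $procId = $_.Id   # $pid is an automatic variable in PowerShell, so avoid it
        # Thread that has consumed the most CPU so far. TotalProcessorTime is
        # cumulative; a per-thread delta (as in Procexp) needs two samples.
        $top = $_.Threads | Sort-Object TotalProcessorTime -Descending | Select-Object -First 1
        [pscustomobject]@{
            PID       = $procId
            Name      = $_.ProcessName
            Path      = $_.Path   # $null when access is denied (e.g. protected processes)
            Threads   = $_.Threads.Count
            TopThread = if ($top) { "$($top.Id) ($($top.TotalProcessorTime))" } else { '' }
            Services  = ($svcByPid[$procId] -join ', ')
        }
    }
}

Get-ProcessDetail -Name 'svchost' | Format-Table -AutoSize
```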
DEMO: Process Explorer – Aviraj Ajgekar │ Microsoft Corporation
Process Monitor
• Process Explorer shows a moving snapshot; Process Monitor is a logging utility
• Captures detailed info about: all registry activity, all file system activity, process and thread events (including DLL load), network activity, periodic process profiling data
Process Monitor Features
• Save results for viewing elsewhere
• Can log boot activity
• Advanced filtering capabilities; filters can be saved and exported
• Analysis tools for data mining
• Command-line scriptable
• Highly scalable
Process Monitor Event Detail
DEMO: Process Monitor – Aviraj Ajgekar │ Microsoft Corporation
PsExec
• Execute processes on remote computers
• Redirected console I/O
• Remote-enable console apps
• Execute processes as System
PsExec Syntax
psexec [Computers] [Options] command [arguments]
Computers = \\computer[,computer2[,...]] or \\* or @file
Alternate credentials (optional): -u username [-p password]
PsExec Alternate Credentials [-u username [-p password]]
• Can omit -p: it prompts you and doesn't echo
• Used twice: 1. to authenticate to the remote computer; 2. to create a new logon on the remote computer. #2 puts the credentials on the wire in the clear.
• Required for remote access when: the current account is not admin on the remote, or the remote process needs to access the network, or the remote process needs to run interactively
PsExec Options (Eye chart)
Option          Description
-d              Don't wait for the process to terminate.
Process performance options
-background, -low, -belownormal, -abovenormal, -high, -realtime
                Run the process at a different priority.
-a n,n…         Specify the CPUs on which the process can run.
Remote connectivity options
-c [-f|-v]      Copies the specified program from the local to the remote system. If you omit this option, the application must be in the system path on the remote system. Adding -f forces the copy to occur; -v performs a version or timestamp check and copies only if the source is newer.
-n seconds      Specifies the timeout in seconds when connecting to remote computers.
Runtime environment options
-s              Run the process in the System account.
-i [session]    Run the program on an interactive desktop.
-x              Run the process on the Winlogon secure desktop.
-w directory    Set the working directory of the process.
-e              Does not load the specified account's profile.
-h              Use the account's elevated context, if available.
-l              Run the process as a limited user.
DEMO: PsExec – Aviraj Ajgekar │ Microsoft Corporation
PsExec Tips
• Don't forget /accepteula: remoted Sysinternals utilities will hang waiting on the EULA prompt without it
• Things you can't do in a redirected console: CLS, MORE, text coloring, tab completion, PowerShell v1
Run Procmon Past Logoff
Non-interactively, with PsExec -s:
• Must specify a backing file
• Must not have user interaction
• Procmon must exit cleanly
To start: PsExec -s -d Procmon.exe /AcceptEula /Quiet /BackingFile C:\Procmon.pml
To stop: PsExec -s -d Procmon.exe /AcceptEula /Terminate
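As an added example (not part of the deck), the PowerShell below wraps the start and stop commands from the slide, together with the PsExec -s/-d and /accepteula points from the earlier slides, in two functions that check the three requirements: a backing file, no user interaction, and a clean exit. Tool and backing-file paths are assumptions.

```powershell
# Added example, not from the deck. Paths are assumptions.
$PsExec  = 'C:\Tools\Sysinternals\PsExec.exe'
$Procmon = 'C:\Tools\Sysinternals\Procmon.exe'
$Backing = 'C:\Procmon.pml'

function Start-ProcmonTrace {
    # -s runs Procmon as SYSTEM so it is not tied to the interactive session;
    # -d returns as soon as Procmon starts instead of waiting for it to exit.
    # /Quiet suppresses the filter dialog; a backing file is mandatory because
    # nobody will be logged on to answer prompts or hold the log in memory.
    & $PsExec /accepteula -s -d $Procmon /AcceptEula /Quiet /BackingFile $Backing
    # With -d, PsExec's exit code is the PID of the process it launched
    $procmonPid = $LASTEXITCODE
    if ($procmonPid -le 0) { throw "PsExec failed to launch Procmon (code $procmonPid)" }
    "Procmon running as PID $procmonPid, logging to $Backing"
}

function Stop-ProcmonTrace {
    # /Terminate asks the running instance to flush its log and exit cleanly;
    # killing the process instead leaves an unusable .pml.
    & $PsExec /accepteula -s -d $Procmon /AcceptEula /Terminate
    # On x64 the running instance may be the extracted Procmon64.exe, hence the wildcard
    $deadline = (Get-Date).AddSeconds(60)
    while ((Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 2
    }
    if (Get-Process -Name 'Procmon*' -ErrorAction SilentlyContinue) {
        throw "Procmon did not exit cleanly within 60 s; the log may be incomplete"
    }
    Get-Item -LiteralPath $Backing | Select-Object FullName, Length, LastWriteTime
}

# Usage: Start-ProcmonTrace, log off and reproduce the problem, log back on,
# then Stop-ProcmonTrace and open C:\Procmon.pml in Procmon.
```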
DEMO: Sysinternals Utilities such as Disk2VHD & More – Aviraj Ajgekar │ Microsoft Corporation
Additional Resources
• Mark Russinovich's blog: http://blogs.technet.com/b/MarkRussinovich
• Blog posts and utilities by Aaron Margosis: http://blogs.msdn.com/b/aaron_margosis and http://blogs.technet.com/b/fdcc
• Aviraj Ajgekar's blog: http://blogs.technet.com/b/aviraj
Question & Answer
virtual techdays THANKS │ 18-20 august 2010
Email [email protected] │ Blog: http://blogs.technet.com/aviraj
Thank You