Sysinternals demo (slide transcript, posted 05-Jan-2016)

Sysinternals Primer: Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk

Aaron Margosis, Principal Consultant, Microsoft Services, Public Sector

Session Objectives and Takeaways

Session Objectives: Focus on features of Sysinternals tools. Complementary to Mark Russinovich’s “Case of the Unexplained” talks.

Key Takeaway: Use Sysinternals utilities more effectively.

The Sysinternals Administrator’s Reference

The official guide to the Sysinternals tools. Covers every tool, every feature, with tips.

Written by Mark Russinovich and Aaron Margosis

Available in June… (or so…)

Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns

Other chapters by tool group: security, process, AD, desktop, …

Updates since the last Sysinternals Primer…

What’s New

Process Explorer v14
CPU Cycle Accounting
Tree CPU Usage
System information changes: network and disk throughput history minigraphs; interrupt and DPC counts in the System Information dialog; network and disk I/O per-process columns
> 64 CPU support

Process Monitor
Quick filter context menus to zoom in on a particular time range in a trace.
Ability to disable individual filter entries.
API for developers interested in inserting debug output into the Process Monitor event stream.
Disk2Vhd

Disk2Vhd captures an image of a physical disk to the VHD format

GUI and command line
Uses Windows Volume Snapshot
Does not copy paging or hibernation files

Can capture a running system
Works on all supported Windows versions

Requires administrator privilege

Capture image to multiple places: UNC, mapped drive, USB

XP vs Win7

Windows XP, Windows Server 2003

Windows Vista, Windows 7, Windows Server 2008, Windows Server 2008 R2

Disk2Vhd demo

Autoruns

Autoruns

Replaces the services and startup tabs of System Configuration (msconfig)
Uncovers everything Windows starts automatically through Auto-Start Extensibility Points (ASEPs):
software applications, Internet Explorer add-ins, drivers, services

Command line version, AutorunsC
Analyze an offline system

Autoruns demo

ProcDump

ProcDump

User-mode memory dump utility
Easier to use than Adplus
Many configurable triggers: CPU or memory usage, GUI hang, first- or second-chance exceptions, termination, perf counter thresholds

Dump file types, including the new “Miniplus” dump

ProcDump command line syntax

procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] }

The syntax falls into three groups: which process to monitor and the target dump file ({processname | PID} [dumpfile], or -x imagefile dumpfile [arguments] to launch the process); the dump criteria (-c, -u, -s, -n, -m, -h, -e, -b, -t, -p); and how to dump the process state (-ma | -mp, -r, -o, -64).

ProcDump demo

BgInfo

BgInfo

Displays computer configuration on the desktop wallpaper
Flexible formatting options
24 default fields covering OS, hardware, network, logon and timestamp attributes
Custom fields from registry, environment variables, WMI queries, …
Log results

BgInfo demo

AccessChk

AccessChk

Reports effective permissions on securable objects
Can perform recursive searches
Supports many object types
Shows a summary; can show detailed permissions

Search for access rights for a user or group
Reports account rights

AccessChk demo

Getting Started

Sysinternals Website Features

http://www.Sysinternals.com redirects to http://technet.microsoft.com/Sysinternals

Sysinternals Suite contains all the tools in one zip file
Site blog announces all updates: http://blogs.technet.com/Sysinternals

Run directly from the web: Sysinternals Live
http://live.sysinternals.com/procmon.exe, or
\\live.sysinternals.com\tools\procmon.exe (UNC syntax requires the WebClient service)

Videos on troubleshooting with the tools

Additional Resources

Mark Russinovich’s blog: http://blogs.technet.com/MarkRussinovich

Blog posts and utilities by Aaron Margosis:
http://blogs.msdn.com/aaron_margosis
http://blogs.technet.com/fdcc

The “Bonus Tracks” at the end of this deck

Bonus Tracks

Disk2Vhd command line syntax

disk2vhd [-h] drives vhdfile

-h When capturing Windows XP or Server 2003 system volumes, -h fixes up the HAL in the VHD to be compatible with Virtual PC.

drives is one or more drive letters with colons (e.g., c: d:) indicating which volumes to convert, or use “*” to indicate all volumes.

vhdfile is the full path to the VHD file to be created.

Example: disk2vhd c: e:\vhd\snapshot.vhd

Autoruns command line syntax

autoruns [-e] [[-v] -a file]

-e Run elevated (Vista and newer)
-a file Save results to file.arn and then exit
-v Verify signatures

AutorunsC command line syntax (options described below)

autorunsc [-c | -x] [-v] [-m] [[-a] | [-b] [-d] [-e] [-g] [-h] [-i] [-k] [-l] [-n] [-o] [-p] [-r] [-s] [-t] [-w]] [[-z systemroot userprofile] | [user]]

AutorunsC command line options

Output and scope

-c Print output as CSV.

-x Print output as XML.

-v Verify digital signatures.

-m Hide Microsoft entries.

-z systemroot userprofile Specifies the offline system to scan.

user Specifies the name of the user account for which autostart entries will be shown.

Autostart types

-a Show all entries.

-b Show boot execute entries.

-d Show Appinit DLLs.

-e Show Explorer addons.

-g Show Sidebar gadgets (Vista and higher).

-h Show Image hijacks.

-i Show Internet Explorer addons.

-k Show Known DLLs.

-l Show Logon autostart entries (this is the default).

-n Show Winsock protocol and network providers.

-o Show Codecs.

-p Show Print monitor DLLs.

-r Show LSA security providers.

-s Show services and drivers.

-t Show Scheduled Tasks.

-w Show Winlogon entries.
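Added example (not from the deck): a PowerShell script that turns the AutorunsC switches above into a baseline-and-diff routine, the way a responder would use them to spot a new or replaced auto-start entry. It assumes autorunsc.exe is on the PATH and accepts the switch syntax shown on this slide (later Autoruns releases spell the all-categories switch as "-a *" and want -accepteula), that the CSV carries the columns "Entry Location", "Entry", "Image Path" and a signature column named either "Publisher" or "Signer", that verified binaries are marked "(Verified)" in that column when -v is used, and that the C:\Baselines paths exist; all of those are assumptions, not facts from the deck. Run it elevated so every profile and service key is readable.

```powershell
# Added example, not from the deck: baseline auto-start entries with AutorunsC
# and report what changed since the last baseline.
# Assumptions: autorunsc.exe on the PATH; deck-era switch syntax; CSV column
# names "Entry Location", "Entry", "Image Path" and "Publisher" or "Signer";
# verified binaries marked "(Verified)"; C:\Baselines exists.
param(
    [string]$Baseline = 'C:\Baselines\autoruns-baseline.csv',   # assumed path
    [string]$Current  = "C:\Baselines\autoruns-$(Get-Date -Format yyyyMMdd).csv"
)

# -a all categories, -v verify signatures, -m hide (verified) Microsoft entries,
# -c CSV. cmd.exe does the redirection so the file keeps AutorunsC's own encoding.
cmd.exe /c "autorunsc.exe -a -v -m -c > `"$Current`""
if (-not (Test-Path $Current)) { throw "AutorunsC produced no output at $Current" }

$now = @(Import-Csv $Current)
if ($now.Count -eq 0) { throw "No entries parsed from $Current" }

# The column holding the signature verdict differs between Autoruns versions.
$signerCol = if ($now[0].PSObject.Properties['Signer']) { 'Signer' } else { 'Publisher' }

# Anything -v could not verify is the first thing to look at.
$unverified = @($now | Where-Object { $_.$signerCol -notmatch '^\(Verified\)' })

# Key on location + entry + image path: a swapped service binary for an
# existing entry shows up as one removal plus one addition.
$key = { '{0}|{1}|{2}' -f $_.'Entry Location', $_.Entry, $_.'Image Path' }

if (Test-Path $Baseline) {
    $then = @(Import-Csv $Baseline)
    $diff = Compare-Object -ReferenceObject @($then | ForEach-Object $key) `
                           -DifferenceObject @($now | ForEach-Object $key)
    $added   = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
    $removed = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
} else {
    Write-Warning "No baseline at $Baseline; keeping this run as the first baseline."
    Copy-Item $Current $Baseline
    $added = @(); $removed = @()
}

[pscustomobject]@{
    Entries    = $now.Count
    Unverified = $unverified.Count
    Added      = $added.Count
    Removed    = $removed.Count
} | Format-List

$unverified | Select-Object 'Entry Location', Entry, $signerCol, 'Image Path' | Format-Table -AutoSize
$added   | ForEach-Object { "ADDED   $_" }
$removed | ForEach-Object { "REMOVED $_" }
```

Keep the baseline CSV off the host it describes; an attacker who can write ASEPs can also edit a local baseline to hide the change. Re-baseline only after each difference has been explained.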

ProcDump command line syntax (options described below)

procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] }

ProcDump command line options

Target Process and Dump File

processname Name of the target process. Must be unique instance and already running.

PID Process ID of the target process.

dumpfile Name of dump file. Optional if process is already running; required if using –x.

-x Start the target process, using imagefile and command line arguments.

imagefile Name of executable file to launch.

arguments Optional command line arguments to pass to new process.

Dump Criteria

-c percent CPU usage above which to capture a dump.

-u Used with –c to scale threshold against number of CPUs present.

-s n Used with –c, sets the duration of high CPU usage that triggers a dump. Used with –p, sets how long a performance counter threshold must be exceeded to trigger a dump. Used with –n and no other dump criteria, dumps the process every n seconds.

-n count Used with –c, –s or –p, specifies number of dumps to capture.

-m commit Specifies commit charge limit in MB at which to capture a dump.

-h Capture a dump when a hung window is detected.

-e Capture a dump when an unhandled exception occurs. If followed with 1, also captures a dump on a first-chance exception.

-b Used with –e, treats breakpoints as exceptions. Otherwise it ignores them.

-t Capture a dump when the process terminates.

-p counter threshold Captures a dump when the named performance counter exceeds the threshold.

Dump File Options

-ma Include all process memory in the dump.

-mp “Miniplus”: creates the equivalent of a full dump but with large allocations omitted.

-r Reflect (clone) the process for the dump to minimize the time the process is suspended. (Requires Windows 7 or Windows Server 2008 R2 or higher.)

-o Overwrite an existing dump file.

-64 Create a 64-bit dump of the target process. (x64 editions of Windows only.)
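Added example (not from the deck): a PowerShell wrapper that applies the options above in the two ways an incident responder most often needs them: an immediate full-memory dump of a running process (to recover injected or unpacked code), and an armed capture that fires when the process throws an unhandled exception or exits. Assumptions, none of which come from the deck: procdump.exe is on the PATH and honours -accepteula; C:\Dumps is a made-up location; -r needs Windows 7 / Server 2008 R2 or later; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not from the deck: wrapper around ProcDump for response work.
# Assumptions: procdump.exe on the PATH, -accepteula accepted, C:\Dumps is
# arbitrary, -r needs Win7/2008 R2+, Get-FileHash needs PowerShell 4+.
function Invoke-ProcDump {
    param(
        [Parameter(Mandatory)][string]$Target,   # process name or PID
        [string]$DumpDir = 'C:\Dumps',           # assumed location
        [switch]$OnExceptionOrExit               # arm -e -t instead of dumping now
    )
    New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dump  = Join-Path $DumpDir "$Target-$stamp.dmp"

    # -ma: all process memory, needed to recover code that only exists in RAM.
    # -r:  clone (reflect) the process so the target is suspended only briefly.
    $pdArgs = @('-accepteula', '-ma', '-r')
    if ($OnExceptionOrExit) {
        # -e: dump on an unhandled (second-chance) exception; -t: dump on exit.
        $pdArgs += @('-e', '-t')
    }
    $pdArgs += @($Target, $dump)

    & procdump.exe @pdArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "procdump exited with code $LASTEXITCODE" }

    # ProcDump may write more than one file for an armed run (exception, then
    # exit); collect and hash everything written for this invocation.
    Get-ChildItem -Path $DumpDir -Filter "$Target-$stamp*.dmp" | ForEach-Object {
        [pscustomobject]@{
            Dump   = $_.FullName
            Size   = $_.Length
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Dump a process now. A name must match exactly one running instance;
# pass the PID when several instances exist.
Invoke-ProcDump -Target 'notepad'

# Arm ProcDump for a suspected crashing or self-terminating process; the call
# blocks until the trigger fires.
Invoke-ProcDump -Target 'notepad' -OnExceptionOrExit
```

A full dump (-ma) of a process that handles credentials contains those credentials; treat the .dmp file with the same care as the target's memory and record the hash before moving it.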

AccessChk command line options

accesschk [options] [user-or-group] objectname

Object Type

-d Object name represents a container; report permissions on that object rather than on its contents

-k Object name represents a registry key

-c Object name represents a Windows service

-p Object name is the PID or (partial) name of a process

-f Used with –p, shows full process token information for specified process

-o Object name represents an object in the Windows object manager namespace

-t Used with –o, -t type specifies the object type. Used with –p, reports permissions for the process’ threads.

-a Object name represents an account right

Searching for Access Rights

-s Recurse container hierarchy

-n Show only objects that grant no access (usually used with user-or-group)

-w Show only objects that grant Write access

-r Show only objects that grant Read access

-e Show only objects that have explicitly set integrity levels (Vista and higher)

Output

-l Shows Access Control List (ACL) rather than effective permissions

-u Suppress errors

-v Verbose

-q Quiet (suppresses banner)
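Added example (not from the deck): a PowerShell script that uses the searching options above (-w, -s, -k, -c with -q and -u) to hunt for the permission weaknesses that let a standard user tamper with privileged code: files under Program Files, service configurations and service registry keys writable by Users or Authenticated Users. Assumptions, none from the deck: accesschk.exe is on the PATH and honours -accepteula; when a principal and -w are given, AccessChk prints one summary line per object in the form "RW <object>" or "W <object>", which is what the regex expects (adjust it if your version formats lines differently); run it elevated so every security descriptor can be read.

```powershell
# Added example, not from the deck: find objects a low-privilege principal can
# write with AccessChk. Assumptions: accesschk.exe on the PATH, -accepteula
# accepted, summary lines look like "RW <object>" / "W <object>".
function Find-WritableObjects {
    param(
        [Parameter(Mandatory)][string]$Principal,
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('File', 'Key', 'Service')][string]$Kind = 'File'
    )
    # -w only objects granting Write, -s recurse, -q no banner, -u suppress errors,
    # -k registry key, -c service (name or * for all services)
    $switches = switch ($Kind) {
        'File'    { '-w', '-s', '-q', '-u' }
        'Key'     { '-k', '-w', '-s', '-q', '-u' }
        'Service' { '-c', '-w', '-q', '-u' }
    }
    & accesschk.exe -accepteula @switches $Principal $Path | ForEach-Object {
        if ($_ -match '^\s*(RW|W)\s+(.+?)\s*$') {
            [pscustomobject]@{
                Principal = $Principal
                Kind      = $Kind
                Access    = $Matches[1]
                Object    = $Matches[2]
            }
        }
    }
}

# The places where a writable object turns into code running as SYSTEM:
# service binaries, service configuration, and the keys services load from.
$findings = foreach ($who in 'Users', 'Authenticated Users') {
    Find-WritableObjects -Principal $who -Kind File    -Path 'C:\Program Files'
    Find-WritableObjects -Principal $who -Kind File    -Path 'C:\Program Files (x86)'
    Find-WritableObjects -Principal $who -Kind Service -Path '*'
    Find-WritableObjects -Principal $who -Kind Key     -Path 'HKLM\SYSTEM\CurrentControlSet\Services'
}

$findings | Sort-Object Kind, Object, Principal | Format-Table -AutoSize
```

Every hit is an effective-permission result for that principal, so it already accounts for group membership and inherited ACEs. A W on a service's image file or on its key under Services is a local privilege escalation path; a W on a directory matters too, because a user who can create files there can plant a DLL next to a binary that loads it by relative name.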

Session deck from Tech·Ed North America (http://northamerica.msteched.com). © 2011 Microsoft Corporation. All rights reserved.