
Questions tagged [sysinternals]

Usually refers to applications from the Sysinternals Suite (e.g. Process Explorer, Process Monitor, RAMMap, ...)

0 votes
0 answers
34 views

SysInternals Process Explorer starts but is unresponsive for a long time, spinning blue disk. Then works fine

I recently downloaded the SysInternals tools. I'm running them on Windows Server 2019. The problem I am having only seems to apply to Process Explorer. I have this problem whether I run procexp.exe or ...
BenjaminSelby
0 votes
1 answer
265 views

Process not showing in Process Explorer, even though it's running

Something strange is happening, I am running the game "Sheep dog 'n' wolf" via the SheepD3D.exe executable. While it is running I alt-tab and open SysInternals' Process Explorer (latest ...
user107586
-2 votes
1 answer
815 views

Sysinternals Process Monitor device driver: procedure could not be found

The most recent article I have found on this site regarding Sysinternals Process Monitor is 13 years old. I must have missed something because I'm still having the same problem. I have Windows 7 on ...
Jacob Salomon
0 votes
0 answers
80 views

What does the "QueryDeviceInformationVolume" operation in Process Monitor mean?

Seeing an operation called "QueryDeviceInformationVolume" in a SysInternals Process Monitor log when I start a desktop application. Simply trying to get some details about this operation and ...
JDeckSQL
0 votes
1 answer
72 views

Sysinternals Process Explorer only shows registry events

I have Process Explorer installed on my Windows machine (sandbox). I run the malware, then capture events in Process Explorer; after 5 minutes, I stop the capture. To my surprise, it only shows the ...
Robin cyber
0 votes
0 answers
435 views

Is it possible to use procmon to find out why a process ends?

Let's say I started notepad. In a PowerShell window, I run ps notepad | Stop-Process -Force to kill all notepad sessions. I captured a procmon trace during these operations. Is it possible to find out ...
Fajela Tajkiya
0 votes
2 answers
379 views

Sysinternals Handle prints question marks "?" instead of non-ASCII symbols

For files that contain non-ASCII symbols, the Sysinternals Handle utility prints the file names with ?. A similar problem is also reported in the following places: Handle encoding problem Russian ...
PolarBear
0 votes
0 answers
417 views

Cannot run Sysinternals Process Explorer via Task Scheduler (installed via winget on Win11)

I'm unable to set up Process Explorer to run at startup via Task Scheduler. Regardless of whether I create the task via the Process Explorer menu 'Run at startup' or manually, I am unable to make it work. I'...
Dalibor Čarapić
0 votes
0 answers
332 views

PsExec -c flag does not work with PowerShell scripts

I'm using PSExec 2.4 to run commands on multiple computers. If I want to run a local batch script on the target computer (named {machine} below), this works no problem: psexec -i \\{machine} -nobanner ...
EllipticalInitial
1 vote
1 answer
430 views

Sysinternals procmon "Process Active Summary" is missing most processes

I am trying to track CPU usage of our build script and of all the processes it spawns to accomplish the task of creating a release. I ran a procmon64.exe (with profiling) session during the course of ...
David I. McIntosh
0 votes
1 answer
205 views

Is there any native way on Windows, or using Sysinternals, to scan what websites a process is accessing?

I am struggling to find a way to scan for websites a specific process on Windows 10 is accessing, without having to get a commercial tool or a full packet-tracing app like Wireshark. I was ...
RollRoll
0 votes
1 answer
593 views

Can you set Process Monitor to filter multiple file types instead of a single file type? Or all sounds?

I'm trying to figure out which programs are making certain sounds, and the only tool that I've come across to have that ability is Sysinternals Process Monitor. Filters Unfortunately, it doesn't seem to ...
Tupac Shakur
0 votes
0 answers
76 views

Can I use Process Explorer to trace the parameters of a future running process?

I would like to be able to trace all calls to MSBuild.exe with its parameters. It seems I should be using Sysinternals Process Explorer. I'm lost as to how I can accomplish this or if I should be doing ...
AmandaSai98b
0 votes
1 answer
533 views

How to see the process stack in Sysinternals Process Explorer from a .NET console app?

I am trying to get a deeper understanding of how the OS stacks up chained function calls. So I created a very simple dotnet console app, see the code below; I call the "Call()" method ...
AmandaSai98b
0 votes
0 answers
342 views

How to associate RDG files with the RDC Manager shipped with Sysinternals when Sysinternals comes from the MS Store?

I installed the Sysinternals Suite from the Windows Store. This includes Microsoft Remote Desktop Manager. However, this setup does not create file associations. How do I associate RDG files with this app ...
Steve B
0 votes
1 answer
2k views

TCPView (Windows) doesn't show any addresses

I'm using TCPView 4.16 for Windows 10 (downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview). Up until a few days ago it worked fine, but all of a sudden it simply stopped ...
laurs
0 votes
0 answers
98 views

How can I catch a briefly executing process with SysInternals Process Explorer? (or any standard tool)

For example with SysInternals Process Explorer I can briefly see a process popping up, I even see the window on-screen for half a second, but I can't figure out which tool or method to use to catch it ...
J.Todd
0 votes
1 answer
793 views

RamMap empties Standby Lists but doesn't free them

My problem is: when I use RamMap to empty some standby memory, it gets emptied and zeroed, but the freed memory isn't added to the Free memory counter afterwards. Instead, it keeps contributing to the ...
Néstor Llop
11 votes
1 answer
2k views

Why do Windows executables show incorrect compiler timestamps?

I have observed that Windows executable files show incorrect timestamps when I view them in PE Studio. For example, this Notepad.exe file shows a compiler timestamp of 0x86FCBD69 (Mon Oct 07 03:45:05 ...
Monk
0 votes
1 answer
748 views

Sysinternals' VMMap is unable to find injected memory

I'm writing a Python script that uses the Windows API to learn process injection. The injection is successful. I can verify that the shellcode is running, and Process Explorer shows the connection: ...
Carcigenicate
1 vote
1 answer
819 views

Different Imphash for same PE file

I am analyzing a Windows executable (C:\Windows\System32\xcopy.exe). The Imphash value calculated with Python is different from the one shown by PE Studio. How can the Imphash for the same file be ...
Monk
1 vote
0 answers
233 views

How to run a .NET exe as admin with PsExec (doesn't work on some EXEs)

I use PsExec to run some exes with administrator rights on a Windows Server 2016. It works. Sadly, I have a .NET exe which does not run with admin rights despite the use of PsExec. I think it's due to the exe ...
Walter Fabio Simoni
1 vote
1 answer
422 views

Unable to locate the physical disk sector(s) a file occupies

Sysinternals DiskView is producing what seems like an unlikely situation. I have a series of files I know exist on an NTFS filesystem (which is on a spinning hard disk drive), but when I try to use ...
jorb
3 votes
3 answers
3k views

Sysinternals Handle Close Command?

https://docs.microsoft.com/en-us/sysinternals/downloads/handle >>> I downloaded the file on this site. Everything is fine but I cannot do exactly what I want. I explained exactly what I ...
Ömer Çelimli
0 votes
0 answers
36 views

procmon - reset "relative time"

procmon allows adding the column Relative Time (since the start of profiling). I want to measure the distance between recorded events, and it would be trivial if I could reset relative time to zero at some ...
gavenkoa
1 vote
2 answers
518 views

Why is it that a tool like Sysinternals Autoruns might not know the location of a startup?

From the help file for Autoruns: Note: before you send e-mail reporting what you believe to be an auto-start location that's overlooked by Autoruns, please make sure that Autoruns doesn't cover it and ...
stackuser1999
0 votes
1 answer
259 views

How are Windows Sysinternals Utilities Licensed? [closed]

Specifically, I want to know about SDelete by Mark Russinovich. I didn't find any license attached, although he holds a copyright for it. I want to know because I want to distribute it in my own ...
batchcoding____s
0 votes
1 answer
481 views

How to launch a program on a different desktop, using Sysinternals Desktops

Is there a way to start a program on a different desktop? Say if Desktop 2 is currently displayed, how could I open Notepad on Desktop 4?
adr
0 votes
0 answers
72 views

Checking all connections on Windows 7

I want to check all outbound/inbound connections when my PC is (apparently) idle and possibly permit/deny each of them selectively as soon as they occur. Unfortunately it seems not possible on Windows ...
kuma
1 vote
0 answers
749 views

Process Monitor: Any way to tell what process is terminating another?

I use Process Monitor from Sysinternals to view logs from users when they are unable to launch an application. Very often users are running various security software they're not even aware of, ...
Stian Lund
