Questions tagged [sysinternals]
Usually refers to applications from the Sysinternals Suite (e.g. Process Explorer, Process Monitor, RAMMap, ...)
110
questions
0
votes
0
answers
34
views
SysInternals Process Explorer starts but is unresponsive for a long time, spinning blue disk. Then works fine
I recently downloaded the SysInternals tools. I'm running them on Windows Server 2019. The problem I am having only seems to apply to Process Explorer. I have this problem whether I run procexp.exe or ...
30
votes
3
answers
37k
views
Equivalent to Sysinternals Process Explorer on Linux
I am using Ubuntu 11.10 and am looking for an equivalent to Process Explorer on Linux. There is System Monitor but it's not nearly as good as Process Explorer with all of its detailed information ...
30
votes
4
answers
9k
views
What does the path '\REGISTRY\A\...' in Sysinternals Procmon log mean?
I use Sysinternals Procmon utility to monitor the registry access by some programs. Most log entries have the Path property starting from HKCU\… or HKLM\…, that corresponds to the registry hives ...
0
votes
1
answer
296
views
Process not showing in Process Explorer, even though it's running
Something strange is happening, I am running the game "Sheep dog 'n' wolf" via the SheepD3D.exe executable.
While it is running I alt-tab and open SysInternals' Process Explorer (latest ...
-2
votes
1
answer
861
views
Sysinternals Process Monitor device driver: procedure could not be found
The most recent article I have found on this site regarding Sysinternals Process Monitor is 13 years old. I must have missed something because I'm still having the same problem.
I have Windows 7 on ...
3
votes
3
answers
3k
views
Sysinternals Handles Close Command?
https://docs.microsoft.com/en-us/sysinternals/downloads/handle >>> I downloaded the file on this site. Everything is fine but I cannot do exactly what I want. I explained exactly what I ...
0
votes
0
answers
82
views
What does the "QueryDeviceInformationVolume" operation in Process Monitor mean?
Seeing an operation called "QueryDeviceInformationVolume" in a SysInternals Process Monitor log when I start a desktop application. Simply trying to get some details about this operation and ...
0
votes
2
answers
384
views
Sysinternals Handle prints question marks "?" instead of non-ASCII symbols
For files that contain non-ASCII symbols, the Sysinternals Handle utility prints the file names with ?. A similar problem is also reported in the following places:
Handle encoding problem
Russian ...
0
votes
1
answer
73
views
Sysinternals Process Explorer only shows registry events
I have Process Explorer installed on my Windows machine (sandbox). I run the malware, then capture events in Process Explorer; after 5 minutes, I stop the capture. To my surprise, it only shows the ...
0
votes
0
answers
451
views
Is it possible to use procmon to find out why a process ends?
Let's say I started notepad. In a PowerShell window, I run ps notepad | Stop-Process -Force to kill all notepad sessions. I captured a procmon trace during these operations. Is it possible to find out ...
60
votes
3
answers
44k
views
Restore the original task manager after replacing it with the Sysinternals process explorer
After replacing the default Windows task manager with Sysinternals’ process explorer via the Options → Replace task manager menu, how do you undo that action, i.e. restore the original task manager? I’...
6
votes
2
answers
3k
views
How can I run SysInternals ProcMon (or equivalent) inside a docker Windows container?
I'm trying to diagnose an issue where a complicated process does not run inside of my Windows Core container. I really need to figure out why it is failing. If this was a VM, I would just pop up the ...
2
votes
2
answers
1k
views
How to change "Volume Serial Number" in Windows docker image?
I am trying to change the "Volume Serial Number" of a docker image with Sysinternals VolumeId but I'm getting Error reading drive: The request is not supported. when I run Volumeid64.exe C: 1AAA-111A -...
0
votes
0
answers
423
views
Can not run Sysinternals Process Explorer via Task scheduler (installed via winget on Win11)
I'm unable to set up Process Explorer to run at startup via Task Scheduler. Regardless of whether I create the task via the Process Explorer menu 'Run at startup' or manually, I am unable to make it work.
I'...
0
votes
0
answers
344
views
PSExec -c flag does not work with powershell scripts
I'm using PSExec 2.4 to run commands on multiple computers. If I want to run a local batch script on the target computer (named {machine} below), this works no problem:
psexec -i \\{machine} -nobanner ...
1
vote
1
answer
443
views
Sysinternals procmon "Process Active Summary" is missing most processes
I am trying to track CPU usage of our build script and of all the processes it spawns to accomplish the task of creating a release. I ran a procmon64.exe (with profiling) session during the course of ...
4
votes
4
answers
4k
views
SDelete alternative on OS X
In the Sysinternals suite for Windows there is this nifty SDelete tool for securely deleting individual files as well as overwriting unallocated disk space with randomness or zeroes (the -c or -z ...
3
votes
2
answers
3k
views
Windows10 - DBGView-Sysinternals outputs from various Windows-Tasks
I've got a laptop (HP ProBook 4720s) with Windows 10 running.
For work we use DbgView from Sysinternals to catch outputs from our self-written programs in order to find hard-to-find errors / bugs ...
8
votes
3
answers
23k
views
How to unlock files using handle.exe and process name?
I tried Unlocker 1.9.1 but it doesn't work correctly for me on Windows7 (worked ok on Windows XP) and also I tried LockHunter 2.0.2.103 x64 and reported a bug but .... LockHunter actually unlocks the ...
0
votes
1
answer
207
views
Is there any native way on Windows or using Sysinternals to scan what websites a process is accessing?
I am struggling to find a way to scan for websites a specific process on Windows 10 is accessing without having to get a commercial tool or a full packet-tracing app like Wireshark.
I was ...
4
votes
0
answers
1k
views
High CPU usage from Explorer.exe - Suspecting Dropbox and/or Onedrive shell integration at fault
I'm experiencing high CPU usage from Explorer.exe and I am using SysInternals' Process Explorer to try to diagnose the issue.
Frequently I will get a CPU History graph like this (or worse, showing ...
0
votes
1
answer
602
views
Can you set Process Monitor to filter multiple file types instead of a single file type? Or all sounds?
I'm trying to figure out which programs are making certain sounds and the only tool that I've come across to have that ability is Sysinternals Process Monitor.
Filters
Unfortunately, it doesn't seem to ...
0
votes
1
answer
550
views
How to see the process stack in the Sysinternals Process Explorer from a .net console app?
I am trying to get deeper in the understanding how the OS stacks up the chained function calls. So I created a very simple dotnet console app, see the code below, I call the "Call()" method ...
0
votes
0
answers
77
views
Can I use ProcessExplorer to trace the parameters of future running process?
I would like be able to trace all calls to MSBuild.exe with its parameters. It seems I should be using sysinternals Process Explorer. I'm lost how I can accomplish this or if I should be doing ...
10
votes
3
answers
14k
views
PsExec requirements on local computer
What services and settings are required to run psexec on local computer?
(e.g. psexec -s -i -d regedit)
0
votes
0
answers
355
views
How to associate RDG files to the RDC Manager shipped with sysinternals when sysinternals comes from the MS Store?
I installed the sysinternals suite from the Windows store.
This includes Microsoft Remote Desktop Manager.
However, this setup does not create file associations.
How to associate RDG files to this app ...
0
votes
1
answer
2k
views
TCPView (Windows) doesn't show any addresses
I'm using TCPView 4.16 for Windows 10 (downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview). Up until a few days ago it worked fine, but all of a sudden it simply stopped ...
0
votes
0
answers
100
views
How can I catch a briefly executing process with SysInternals Process Explorer? (or any standard tool)
For example with SysInternals Process Explorer I can briefly see a process popping up, I even see the window on-screen for half a second, but I can't figure out which tool or method to use to catch it ...
0
votes
1
answer
804
views
RamMap empties Standby Lists but doesn't free them
My problem is: when I use RamMap to empty some standby memory, it gets emptied and zeroed, but the freed memory isn't added to the Free memory counter afterwards. Instead, it keeps contributing to the ...
7
votes
5
answers
50k
views
Using du.exe (Sysinternals) is it possible to show folders above a certain size?
du.exe lets you recursively identify folders that take up a large amount of space. For example, the following will show you the size of all the folders from c:\ 3-levels deep:
du.exe -l 3 c:\
How ...
30
votes
2
answers
29k
views
MKLINK vs. Junction.exe
SysInternals has a program junction.exe that creates Junctions (aka. reparse points, aka. symlinks) in Windows.
However, Windows also comes with a mklink which seems to do the same thing.
Is there a ...
11
votes
1
answer
2k
views
Why do Windows executables show incorrect compiler timestamps?
I have observed that windows executable files show incorrect timestamps when I view them in PE studio.
For example this Notepad.exe file shows a compiler timestamp of 0x86FCBD69 (Mon Oct 07 03:45:05 ...
0
votes
1
answer
751
views
Sysinternal's VMMap is unable to find injected memory
I'm writing a Python script that uses the Windows API to learn process injection.
The injection is successful. I can verify that the shellcode is running, and Process Explorer shows the connection:
...
1
vote
1
answer
828
views
Different Imphash for same PE file
I am analyzing a windows executable (C:\Windows\System32\xcopy.exe). The Imphash value calculated with Python is different from the one shown with PE studio. How can Imphash for a same file be ...
1
vote
0
answers
233
views
How to run a .NET exe as admin with PsExec (doesn't work on some EXEs)
I use PsExec to run some exe with administrators right on a Windows Server 2016.
It works.
Sadly, I have a .NET exe which does not run with admin rights despite the use of PsExec. I think it's due to the exe ...
1
vote
1
answer
426
views
Unable to locate the physical disk sector(s) a file occupies
Sysinternals Diskview is producing what seems like an unlikely situation. I have a series of files I know exist on an NTFS filesystem (which is on a spinning disk hard drive), but when I try to use ...
0
votes
0
answers
36
views
procmon - reset "relative time"
Procmon allows adding the column Relative Time (since the start of profiling).
I want to measure distance between recorded events and it would be trivial if I can reset relative time to zero at some ...
1
vote
2
answers
530
views
Why is it that a tool like sysinternals Autoruns might not know the location of a startup?
From the help file for autoruns:
Note: before you send e-mail reporting what you believe to be an auto-start location that's overlooked by Autoruns, please make sure that Autoruns doesn't cover it and ...
0
votes
1
answer
260
views
How are Windows SysInternal Utilities Licensed? [closed]
Specifically I want to know about SDelete by Mark Russinovich. I didn't find any license attached, although he holds a copyright for it.
I want to know because I want to distribute it in my own ...
0
votes
1
answer
488
views
How to launch a program on different desktop, using sysinternals desktops
Is there a way to start a program on a different desktop? Say if Desktop 2 is currently displayed, how could I open Notepad on Desktop 4?
0
votes
0
answers
72
views
Checking all connections on Windows 7
I want to check all outbound/inbound connections when my pc is (apparently) idle and possibly permit/deny selectively each of them as soon as they occur. Unfortunately it seems not possible on Windows ...
12
votes
3
answers
92k
views
Could not start PSEXESVC service on [MachineName]: Access is denied
I'm trying to use PsExec to start a process on a remote machine. I posted this question on SO, but I realized it's probably better suited here. I also have spent a few hours trying to figure this out, ...
1
vote
0
answers
757
views
Process Monitor: Any way to tell what process is terminating another?
I use Process Monitor from Sysinternals to view logs from users when they're unable to launch an application. Very often users are running various security software they're not even aware of, ...
9
votes
1
answer
976
views
Is there a way to reset the toolbar minigraphs in Process Explorer?
Windows Sysinternals Process Explorer includes in its toolbar some minigraphs showing recent usage history for CPU, Memory, and so on:
These are nice. However, an inadvertent click on the 'thumb' of ...
7
votes
3
answers
27k
views
Errors starting PsExec to run a program as a local service
When I run the following command from an Administrative Command Prompt:
psexec64 -i -u "nt authority\network service" C:\Windows\System32\cmd.exe
I'm getting these error messages:
Couldn't install ...
0
votes
1
answer
32
views
Editing a Sysinternals log to post on a forum
I use the Sysinternals tool Procmon
https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
I want to edit its log because I want to post it online on technical forums for discussions.
I want to ...
0
votes
1
answer
242
views
Sysinternals Live unexpectedly slow?
I understand that the live version will inevitably be slower than a local copy. However, considering my system specs and bandwidth, the amount of latency experienced seems far too disproportionate to ...
1
vote
1
answer
471
views
How to enable "View Source" in Process Monitor?
Sysinternals Process Monitor has a button to "view the source" on a Event Properties > Stack element:
It is disabled in my trace. What do I need to enable it?
1
vote
1
answer
629
views
Bypassing agreement prompt for DiskUsage.exe?
I am running du.exe on a remote windows machine and do not want to have to access the remote machine's desktop, but the first run of du.exe is requiring an acceptance of the agreement which would ...
0
votes
1
answer
81
views
What is corel doing on my udp connections for Chrome?
I have a weird mc.corel.com address lingering in Chrome and some parts of svchost processes, what is going on?