Transcript ADM291

ADM291: A Tour of Sysinternals Tools
Mark Russinovich, Winternals Software

About The Speaker
Co-author of Inside Windows 2000, 3rd Ed. (Microsoft Press) with David Solomon
Contributing Editor and NT Internals columnist for Windows and .NET Magazine
Creator of www.sysinternals.com
Co-founder and chief software architect of Winternals Software (www.winternals.com)
Co-creator of Inside Windows 2000—An interactive internals tutorial (on DVD & streaming Windows media)

Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File System Tools

About Sysinternals
Started with NTFSDOS, Regmon and Filemon hosted on Andrew Schulman’s site in mid-1996
www.ntinternals.com went live in late 1996
Under a dozen tools
1500 unique visitors/day

Sysinternals Today
Interesting statistics:
75 tools, 2-dozen technical articles
25,000 unique visitors/day
30,000 downloads/day (4 GB of data)
150,000 unique visitors/month
36,000 newsletter subscribers
Almost 4-dozen KB-article references
Everything on the site is freeware
Can’t redistribute without a license
Source code is licensed for use in commercial products

Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools

Monitoring
Filemon
Regmon
Process Explorer
TCPView

Filemon/Regmon
Watch all file system or Registry accesses in real-time
Ideal for troubleshooting broken application installations
Useful for developers tracking down bugs or performance tuning file system access
Work on all Windows® OSs, including 64-bit Windows XP
Used extensively within Microsoft:
PSS
Windows XP Application Compatibility
Microsoft® Office 2000

Using Filemon/Regmon
Requires no install or reboot: just start using them
Includes filters for including, excluding, and highlighting output
Can’t include/exclude filter result codes on Filemon for WinNT/2K/XP
Requires admin privilege to run
Trick: run once as admin and then you can use them as unprivileged users

How Filemon Works
Filemon uses a driver to intercept file I/O access:
A VxD on Windows 9x/Me
A “file system filter driver” on Windows NT®/Windows 2000/Windows XP
[Diagram: Filemon GUI and Application in User Mode; Filemon Driver layered above the File System Driver in Kernel Mode]

How Regmon Works
Regmon uses a driver to intercept Registry operations:
A “hook” VxD on Windows 9x/Me
A system-call intercepting driver on Windows NT/Windows 2000/Windows XP
[Diagram: Regmon GUI and Application in User Mode; Regmon Driver intercepting calls into the Registry Subsystem in Kernel Mode]

Process Explorer
Process Explorer (formerly HandleEx) starts where Task Manager ends:
See detailed information about running processes, including their paths and command-lines
Description of EXE
SID from process security token
View the DLLs processes have loaded, including version numbers
See what handles processes have opened
Examine services running within service processes
Process Explorer works on all Windows platforms

Common Process Explorer Uses
Detect DLL versioning problems
Compare the output from a “good” system with that of a “broken” system
Use the search feature to determine what process is holding a file or directory open
View the state of synchronization objects (mutexes, semaphores, events)
Detect handle leaks using refresh difference highlighting

How Process Explorer Works
Uses undocumented functions for:
Enumerating loaded modules with full path names
Enumerating processes and handles
Obtains handle names using the aid of a driver
Related Tools:
Handle – command-line handle viewer
Listdlls – command-line DLL viewer

TCPView
GUI version of Netstat
Works on all Windows platforms
Lists active TCP and UDP endpoints
Shows endpoint owner on Windows NT/2000/Windows XP/.NET Server
Includes auto-refresh and difference highlighting
You can close established TCP/IP connections
Works using documented and undocumented IPHelper library functions

Other Monitoring Tools
DebugView: Monitor application debug output
Diskmon: Monitor hard disk activity
Pmon: Monitor process and thread activity
Portmon: Monitor serial and parallel port traffic
Tokenmon: Monitor security-related activity

Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools

Systems Administration
PsTools (PsList, PsKill, PsInfo, PsLogList, PsService, PsExec, PsSuspend, more…)
BgInfo
Autoruns

PsTools
PsTools consists of a total of 11 tools
They all work on Windows NT/Windows 2000/Windows XP
They all work remotely as well as locally
None require manual remote software installation
Where’d the “Ps” come from?
The UNIX process listing tool is named “ps”
The first PsTool was a UNIX “ps”-equivalent, PsList

PsList
View detailed information about running processes
Similar to tlist and pulist
Default view is a mix of CPU and memory information
Other views show thread details, memory details, or full information
Use the -s switch to run it in a Task Manager-type mode
Works using the performance counter API
WMI is only available by default on Windows 2000/Windows XP, not on Windows NT 4

PsKill
The perfect complement to PsList is PsKill
Similar to Resource Kit Kill and Remote Kill
See a process running on a remote (or local) system with PsList, kill it with PsKill
Unlike Task Manager, PsKill lets you kill any process if you’re an admin
Uses “Debug” privilege
Uses auto-installed remote service and TerminateProcess API

PsInfo
Get detailed information about a system
OS version:
type (pro, server, etc.)
Service Pack
Hot-fixes
CPU and memory
Uptime
Volume information
Uses documented APIs:
Registry (remote, if applicable)
WMI for XP product activation query

PsLogList
Dump and optionally clear event logs
Like eloglist from the Resource Kit
PsLogList lets you dump logs using alternate credentials
Gets event strings from remote system
Like eloglist, dumps in tab-delimited format for easy import into spreadsheets
Has extensive support for filtering on record type and date range
Uses documented Event Log APIs, which work remotely

PsService
Control Win32® services
Like the Resource Kit’s and XP/Server 2003’s SC
Unlike SC, doesn’t make you remember and manually specify a “resume handle”
Same syntax as SC
Omits several esoteric SC options
Search the network for active instances of a service
Uses documented Service Control Manager APIs, which work remotely

PsExec
Remotely execute programs
Executes console programs interactively
Allows you to start programs as yourself, in alternate user credentials, or in the System account
With PsExec you can:
Launch a remote command prompt to effect a light-weight telnet
Remote-enable “local only” command-line tools like IpConfig
Uses auto-installed remote service

PsExec
Options of interest include:
-s: Run in System account (instead of account of user running PsExec)
-i: Show GUI windows on interactive console
-d: Don’t wait for remote process to terminate
-c: Copy an executable to the remote system

PsSuspend
Microsoft provides no process-suspend utility like PsSuspend for pausing a process that’s using a resource:
Memory
CPU
Network
Windows NT and 2000 have no “suspend process” capability, so PsSuspend suspends individual threads

BgInfo (Background Info)
If you manage more than a handful of systems, you’ve run into the “what machine is this” syndrome
BgInfo creates an auto-generated informative desktop background:
System name
Memory
IP Address
OS version
Whatever you want!

Autoruns
There are almost 2-dozen places that can be used to configure automatically started applications
Autoruns shows you all of the locations and displays programs configured to run in them
Double-click a folder or key to jump to it in Explorer or Regedit
Double-click a configured application to view its properties

Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools

File-Related Tools
Contig
PageDefrag
Streams
Strings

Contig
Command-line Windows NT/Windows 2000/Windows XP file defragmenter
Useful for:
Defragmenting specific files
Creating new contiguous files
Defragmenting entire disks
Uses Windows NT/Windows 2000/Windows XP defragmenting API, documented at Sysinternals

PageDefrag
Defragments paging files and Registry hives at boot time
Implemented as a “native” application:
Launched by Session Manager because it is listed in the HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute value
Uses “native” API
Uses Contig defragmentation engine
Supports command-line options for scripted install

Streams
NTFS alternate data streams (which require NTFS) were once rarely used
Now there are several components that make use of them:
Services for Macintosh
Explorer
Viruses
Streams can search directories for files with streams and display their names

Strings
Some executables do not identify themselves with version information or descriptive names
Strings will look inside a file image for printable text that includes:
Registry key and value names
Debug strings
File names
Internal build information
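As an added example (not code from the Sysinternals tool), a minimal Python re-implementation of the scan Strings performs: it finds runs of printable ASCII and of UTF-16LE text of at least a minimum length and reports each with its byte offset, the behaviour behind the tool's -a, -u and -n switches. The sample image is constructed here to contain a registry key name, Unicode build information and a file name.

```python
from __future__ import annotations
import re
from typing import NamedTuple

class FoundString(NamedTuple):
    offset: int   # byte offset of the run within the image
    kind: str     # "ascii" or "unicode"
    text: str

# Printable 7-bit ASCII (space through '~'), the character set Strings reports.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
# The same characters as UTF-16LE: each printable byte followed by 0x00.
_UNICODE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")

def extract_strings(data: bytes, min_len: int = 3,
                    want_ascii: bool = True, want_unicode: bool = True) -> list[FoundString]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters, in
    file order; min_len, want_ascii and want_unicode mirror the -n, -a and -u switches."""
    found: list[FoundString] = []
    if want_ascii:
        for m in _ASCII_RUN.finditer(data):
            if len(m.group()) >= min_len:
                found.append(FoundString(m.start(), "ascii", m.group().decode("ascii")))
    if want_unicode:
        for m in _UNICODE_RUN.finditer(data):
            if len(m.group()) // 2 >= min_len:
                found.append(FoundString(m.start(), "unicode", m.group().decode("utf-16-le")))
    return sorted(found)

def strings_in_file(path: str, **options) -> list[FoundString]:
    """Scan a file on disk the way 'strings <file>' would."""
    with open(path, "rb") as f:
        return extract_strings(f.read(), **options)

# Constructed stand-in for an executable image: a 2-byte "MZ" (too short to
# report), an ASCII registry key, a UTF-16LE build string and an ASCII file name.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"SOFTWARE\\Winternals\\Demo\x00"
    + b"\x01\x02\x03"
    + "Build 1.42 (debug)".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"        # two characters: below the default minimum of 3
    + b"demo.dll\x00"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE_IMAGE):
        print(f"{s.offset:08x} {s.kind:7} {s.text}")
```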

After Hours…
The Sysinternals Bluescreen Screen Saver

Check The Site Often…
There are updates, bug fixes, new tools and articles on a regular basis
I’m always open to tool suggestions
Sign up for the newsletter to get inside information on the tools and Windows internals

For More Info...
Video: Inside Windows 2000 – An Interactive Tutorial (on DVD & Windows Media)
11 hours of instruction with hands-on lab exercises
Book: Inside Microsoft Windows 2000, Third Edition (Microsoft Press)
Class: Come to London Sep 23-25
Don’t forget to complete the on-line Session Feedback form on Attendee Web site

Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide: http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups: Meet and learn with your peers: http://www.microsoft.com/communities/usergroups/default.mspx