
Defrag Tools: #4 - Process Monitor - Examples


In this 2-part episode of Defrag Tools, Andrew and I walk you through Sysinternals Process Monitor. Process Monitor allows you to view the File, Registry, Network, Process and Profiling details of the processes running on the computer. The logging allows you to go from a holistic view all the way down to the function in the stack that initiated an event. Process Monitor can be used to troubleshoot nearly all types of issues. As coined by David Solomon - "When in doubt, run Process Monitor".

Part 1 (last week) covers the tool itself.
Part 2 (this week) goes through a wide variety of examples showing how different techniques are required for different investigations.

Resources:
Sysinternals Process Monitor

Timeline:
[00:00] - Last week...
[01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog
[08:30] - Using Summary reports to see the current filter's resource usage
[15:09] - Capturing a ProcMon log of system boot
[19:25] - Analyzing the boot log
[27:32] - The Startup/Shutdown chapter of the Windows Internals book [4th edition, 5th edition, 6th edition Part 2]. Note, it's Chapter 13, not Chapter 4, as mentioned on the show. Chapter 13 is in Part 2 of the 6th edition.
[28:17] - Next time...Autoruns

More Examples:
Case of the Unexplained... by Mark Russinovich
Sysinternals Gems by Aaron Margosis


Follow the Discussion

  • really enjoy these videos, I used these Tools a lot when working for Microsoft PYPC support and they are very useful when you get to really know them Smiley

  • Would be terrific if the SysInternals tools came with source code. Or at least if there were source code snippets in the SysInternals books that Mark publishes.


  • At about 7:00 in, Larry asks what the "SuperHidden" registry setting is for, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

    In Microsoft parlance, "super hidden" files are files which have both the System and Hidden file system attributes set. By default they are hidden from view, even if you've chosen to show hidden files. If for some reason you really want to see them, you can change this setting through the Explorer UI by going to Tools/Folder Options/View, and unchecking "Hide protected operating system files (Recommended)."

    However, the registry value that actually changes when you do this is called "ShowSuperHidden"! So, what's "SuperHidden" for?

    Well, as it turns out... it's a bug. It's been fixed in Windows 8, and "SuperHidden" is gone. There's only "ShowSuperHidden" now. Smiley

  • MagicAndre1981 (xperf addicted)

    [01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog

    this can be done much, much easier with RegFromApp:

    http://www.nirsoft.net/utils/reg_file_from_application.html


    Run it, select the Explorer.exe, change the value and save the data as .reg file Smiley

    [19:25] - Analyzing the boot log

    xbootmgr and xperfview are still the better tools for boot tracing. Generate the summary to see how long Windows boots. And here you can easily see what is slow. Here it is WinLogonInit which starts services, restores network connections, runs Group Policies and logs on the user to the system.

  • Andrew Richards

    @MagicAndre1981: xperf is scheduled for a future episode. And yes, I agree that it allows you to go deeper. ProcMon does do a very good job though of presenting information required to get an idea of what is happening.

  • Tom Hall

    Guys - I've been following your Sysinternals Tools show ...

    This is the 1st time I've fired-up ProcMon on my current installation (Win8_RP_x64)
    I followed through your 1st example about the Advanced Explorer settings etc (and it worked),
    But after that, I needed some relaxation, so I fired-up Crysis (under Steam), and was hit by errors including "check internet access", "unable to contact license server"

    I run Norton 360, and all the other programs I've tried have managed to access the internet Ok

    I've checked the Steam User's forums, and there appears to be a suspicion that ProcMon makes Crysis think there's "malware" so it won't run

    Any comments folks?

    ps. Crysis2 works fine

  • Best procmon tip:  filter on 'category contains write' to see registry and file changes.  Too bad you can't export to a .reg file.

    I wish there was a column called 'total disk seek distance'.
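Picking up the comment's wish for a .reg export: as an added example (not part of the original post or of the Sysinternals tools), this Python script reads a Process Monitor CSV export that was filtered on "Category contains Write", keeps the successful RegSetValue events and renders them as a .reg file, so a captured set of registry changes can be documented and reviewed. The CSV sample with its paths, PIDs and values is constructed; the Detail column is assumed to follow ProcMon's "Type: …, Length: …, Data: …" layout.

```python
import csv
import io
import re

# Constructed sample of a ProcMon CSV export (File > Save, CSV) after filtering on
# "Category contains Write"; Detail strings assume ProcMon's RegSetValue layout.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:02:13.1234567 AM","Explorer.EXE","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"11:02:13.1300000 AM","Explorer.EXE","1234","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"11:02:14.0000000 AM","Explorer.EXE","1234","WriteFile","C:\\Users\\user\\AppData\\Local\\IconCache.db","SUCCESS","Offset: 0, Length: 4,096"
"11:02:15.0000000 AM","setup.exe","4321","RegSetValue","HKLM\\SOFTWARE\\ExampleCorp\\Agent\\InstallDir","SUCCESS","Type: REG_SZ, Length: 38, Data: C:\\Program Files\\Agent"
"11:02:15.0100000 AM","setup.exe","4321","RegSetValue","HKLM\\SOFTWARE\\ExampleCorp\\Agent\\Key","SUCCESS","Type: REG_BINARY, Length: 3, Data: 01 02 03"
'''

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG"}
DETAIL_RE = re.compile(r"Type: (\w+), Length: [\d,]+, Data: (.*)$")

def format_reg_value(reg_type, data):
    """Render one value in .reg syntax; None for types not handled here."""
    if reg_type == "REG_DWORD":
        return "dword:%08x" % int(data.replace(",", ""))
    if reg_type == "REG_SZ":
        return '"%s"' % data.replace("\\", "\\\\").replace('"', '\\"')
    if reg_type == "REG_BINARY":
        return "hex:" + ",".join(b.lower() for b in data.split())
    return None

def procmon_csv_to_reg(csv_text):
    """Collect successful RegSetValue events into .reg text (last write wins)."""
    keys = {}  # full key path -> {value name: rendered value}, insertion ordered
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue
        key_path, value_name = row["Path"].rsplit("\\", 1)
        hive, _, rest = key_path.partition("\\")
        full_key = HIVES.get(hive, hive) + ("\\" + rest if rest else "")
        m = DETAIL_RE.match(row["Detail"])
        rendered = format_reg_value(m.group(1), m.group(2)) if m else None
        if rendered is None:
            continue  # unsupported type or unparsable detail: leave it out
        name = "@" if value_name == "(Default)" else '"%s"' % value_name
        keys.setdefault(full_key, {})[name] = rendered
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in keys.items():
        lines.append("[%s]" % key)
        lines.extend("%s=%s" % kv for kv in values.items())
        lines.append("")
    return "\r\n".join(lines)
```

Call procmon_csv_to_reg() on the text of a real export and write the result to a .reg file; file writes (WriteFile rows) are ignored because only registry operations can be expressed in that format.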


  • Andrew Richards

    @Tom Hall: Procmon may indeed be looked for by Crysis. Some games don't like you looking at the I/O operations as they think you are trying to hack the game. All you can do is reboot (to unload the driver) and then play the game. Smiley
