Comment Feed for Channel 9 - Defrag Tools: #4 - Process Monitor - Examples http://media.ch9.ms/ch9/a373/7afb3f09-a6a6-4a92-b89e-7969ec07a373/DefragTools4_220.jpg Channel 9 - Defrag Tools: #4 - Process Monitor - Examples In this 2 part episode of Defrag Tools, Andrew and I walk you through Sysinternals Process Monitor. Process Monitor allows you to view the File, Registy, Network, Process and Profiling details of the processes running on the computer. The logging allows you to go from a holistic view all the way down to the function in the stack that initiated an event. Process Monitor can be used to troubleshoot nearly all types of issues. As coined by David Solomon - "When in doubt, run Process Monitor". Part 1 (last week) covers the tool itself.Part 2 (this week) goes though a wide variety of examples showing how different techniques are required for different investigations. Resources:Sysinternals Process Monitor Timeline: [00:00] - Last week...[01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog[08:30] - Using Summary reports to see the current filter's resource usage[15:09] - Capturing a ProcMon log of system boot[19:25] - Analyzing the boot log[27:32] - The Startup/Shutdown chapter of the Windows Internals book [4th edition, 5th edition, 6th edition Part 2]. Note, it's Chapter 13, not Chapter 4, as mentioned on the show. Chapter 13 is in Part 2 of the 6th edition.[28:17] - Next time...Autoruns More Examples:Case of the Unexplained... by Mark RussinovichSysinternals Gems by Aaron Margosis en Tue, 21 May 2013 09:00:05 GMT Tue, 21 May 2013 09:00:05 GMT Rev9 Re: Defrag Tools: #4 - Process Monitor - Examples really enjoy these videos, I used these Tools alot when working for Microsoft PYPC support and they are very usefull when you get to really know them Smiley

posted by Typhos

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634810908630899282 Mon, 20 Aug 2012 20:21:03 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634810908630899282 Typhos Re: Defrag Tools: #4 - Process Monitor - Examples Would be terrific if the SysInternals tools came with source code. Or at least if there were source code snippets in the SysInterals books that Mark publishes.

 

posted by SteveRichter

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634810913264431755 Mon, 20 Aug 2012 20:28:46 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634810913264431755 SteveRichter Re: Defrag Tools: #4 - Process Monitor - Examples At about 7:00 in, Larry asks what the "SuperHidden" registry setting is for, under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.

In Microsoft parlance, "super hidden" files are files which have both the System and Hidden file system attributes set. By default they are hidden from view, even if you've chosen to show hidden files. If for some reason you really want to see them, you can change this setting through the Explorer UI by going to Tools/Folder Options/View, and unchecking "Hide protected operating system files (Recommended)."

However, the registry value that actually changes when you do this is called "ShowSuperHidden"! So, what's "SuperHidden" for?

Well, as it turns out... it's a bug. It's been fixed in Windows 8, and "SuperHidden" is gone. There's only "ShowSuperHidden" now. Smiley

posted by ChadBeeder

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634811133612044030 Tue, 21 Aug 2012 02:36:01 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634811133612044030 ChadBeeder Re: Defrag Tools: #4 - Process Monitor - Examples [01:08] - Finding the Registry keys of the Explorer 'Folder Options' dialog

this can be done much, much easier with RegFromApp:

http://www.nirsoft.net/utils/reg_file_from_application.html

 

Run it, select the Explorer.exe, change the value and save the data as .reg file Smiley

[19:25] - Analyzing the boot log

xbootmgr and xperfview are still the better tools for boot tracing. Generate the summary

 to see how long Windows boots. And here you can easily see what is slow. Here it is WinLogonInit which starts services, restore network connections, runs Group policies and logs on the user to the system.

posted by MagicAndre1981

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634811359302151900 Tue, 21 Aug 2012 08:52:10 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634811359302151900 MagicAndre1981 Re: Defrag Tools: #4 - Process Monitor - Examples @MagicAndre1981: xperf is scheduled for a future episode. And yes, I agree that it allows you to go deeper. ProcMon does do a very good job though of presenting information required to get an idea of what is happening.

posted by windev

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634811752749145363 Tue, 21 Aug 2012 19:47:54 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634811752749145363 windev Re: Defrag Tools: #4 - Process Monitor - Examples
This is the 1st time I've fired-up ProcMon on my current installation (Win8_RP_x64)
I followed through your 1st example about the Advanced Explorer settings etc (and it worked),
But after that, I needed some relaxation, so I fired-up Crysis (under Steam), and was hit by errors including "check internet access", "unable to contact license server"

I run Norton 360, and all the other programs I've tried have managed to access the internet Ok

I've checked the Steam User's forums, and there appears to be a suspicion that ProcMon makes Crysis think there's "malware" so it won't run

Anay comments folks ?

ps. Crysis2 works fine



posted by Tom Hall

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634815899009727951 Sun, 26 Aug 2012 14:58:20 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634815899009727951 Tom Hall Re: Defrag Tools: #4 - Process Monitor - Examples Best procmon tip:  filter on 'category contains write' to see registry and file changes.  Too bad you can't export to a .reg file.

I wish there was a column called 'total disk seek distance'.

 

posted by JS2010

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634816868682297600 Mon, 27 Aug 2012 17:54:28 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634816868682297600 JS2010 Re: Defrag Tools: #4 - Process Monitor - Examples @Tom Hall: Procmon may indeed be looked for by crysis. Some games don't like you looking at the I/O operations as they think you are trying to hack the game. All you can do iscrebiit (to unload the driver) and then play the game. Smiley

posted by windev

]]> http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634819733331316506 Fri, 31 Aug 2012 01:28:53 GMT http://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-4-Process-Monitor#c634819733331316506 windev