posted by Scott

You expertise has improved the general security within the operating system and a great foundation for Azure. I am currently ready Zero Day and having been enjoying so much that my wife had to remind of the time and to turn off the light so she could sleep.

posted by skarnis

I have Windows Internals 5 and I need another book to make a pair. And a signed one that would perfection! Need to order Zero Day and Trojan Horse, because in Portugal, book stores don't have it or is waiting to get it. It is hard to get really good books. Oh, Windows Internals 5... I waited like 4 months or so to get it. Anyway, I have to order both it and just wait.

Also, this is an awesome comment. It is awesome cause it has the word awesome at least 3 times and it says comment too.

posted by AdelinoAraujo

Do I win?

posted by Smoker65

The sheer knowledge you possess is just inspiring!

posted by AgnisM

posted by Mark Russinovich

... life is so much easier now

posted by zico

I like how you go through all the sysinternals tools but how about some logging stuff? I'm a SharePoint (soon to be ex-) developer and becoming a SharePoint admin, so I embrace ULS Viewer http://archive.msdn.microsoft.com/ULSViewer. Logging is helluva important here and it's actually the first thing I go to when someone tells me there's a problem.

Do you know of any other log viewer/dig-througer (I tried logparse http://en.wikipedia.org/wiki/Logparser but it's kinda too rough for me) that can show me different logs like ULS, IIS, system, event viewer in real time with filtering, additional data (associated process information, correlation id, stack trace etc.) and stuff?

I've also heard of some 'watson' log system, but it's kinda cryptic to me (only saw uls log entries like 'Error encountered, commencing Dr. Watson' or something). Is it relevant or ancient technology?

Any hints on other useful logging toys?

posted by siodmy

posted by windev

posted by Mark Russinovich

posted by samhmaria

I'm still chomping at the bit for part two of Win Internals 6th ed.  I have to admit, I felt a pang of sadness when you said you wouldn't be working on another edition of Windows Internals.  Not that anyone could blame you, as I know you're all about Azure now, and there's no doubt the Azure team is better for that.

The 6th edition has been my first edition, and I felt like I got here late to the party, just as it was ending, as this book has been solid gold to me.  It's been exactly the kind of material that I soak up like a sponge.  I just really hope that someone can fill your shoes, pick up where you left off, and carry the torch of explicating the next generation of Windows Internals for the masses!

That said, I'm also super excited to see what innovations Azure brings to the market. I'm a huge fan of cloud technologies, and they're keeping me employed right now, so I'm always looking for the newest and most exciting developments to come out of this industry.

I also know that you will not stop writing tools.  Wherever you are, you'll keep writing tools to make whatever space you're in a better, more efficient, more informative, all around cooler place to be.

After all, making tools is what really separates us from animals!

posted by RyanRies

posted by windev

posted by sialivi

posted by N2Cheval

I wolud like to share one "trojan" with you guys from my first flight ... and I hope that I'll get the real thing....real TROJAN HORSE ) :

A distinguished young woman on a flight from
Croatia asked the priest beside her, "Father, may I ask a favor?"

"Of course. What may I do for you?"

"Well, I bought an expensive electronic hair dryer
that is well over the Customs limits and I'm afraid they'll confiscate
it. Is there anyway you could carry it through Customs for me?
Under your robes perhaps?"

"I would love to help you, dear, but I must warn you: I will not lie."

"With your honest face, Father, no one will question you."

When they got to Customs, she let the priest go ahead of her.
The official asked, "Father, do you have anything to declare?"

"From the top of my head down to my waist, I have nothing to declare."

The official thought this answer strange, so asked, "And what do you
have to declare from your waist to the floor?"

"I have a marvelous little instrument designed to be
used on a woman, but which is, to date, unused."

Roaring with laughter, the official said, "Go ahead, Father. Next!"

God bless defrag tools..... !!!

posted by mivancev

And yes: Process Explorer is excellent!

@Mark: It would be great if you could make Sysinternals tools open-source (e.g. sharing the source on CodePlex), so the community could both learn advanced Windows native programming techniques from your code and also contribute to code with additional features.

Moreover, an analysis with depends.exe shows that Linker Ver field for procexp.exe is 9.0, meaning that Visual Studio 2008 (VC9) was used to build this tool. I'm curious why do you use this particular toolset (e.g. to support older OS'es like Windows 2000)?

Thanks, and please keep up your excellent work on Sysinternals tools.

posted by C64

posted by windev

5 minutes ago, windev wrote

@C64: Visual Studio 2008 SP1 is used to compile the tools so that the tools use MSVCRT v9.0 - which is shipped with Windows XP/Windows 2003.

I can be wrong, but using Dependency Walker I see no dependency of PROCEXP.EXE on MSVCR90.DLL, so I thought Sysinternals tools used static linking to CRT (which to me makes sense, to make tools deployment easier).

posted by C64

posted by StanS

posted by windev

Recently my team and I were trying to solve an issue with IIS AppPool because of high CPU usage. First think I thought of "Is there a tool which can take memory dump when these conditions occurs?". Then I checked Sysinternals and the tool was there, waiting for me. I somehow knew it will be there. Plus little bit of WinDbg, but that is different story

Thanks Mark for these great tools! They're making life a lot easier.

posted by Tomas_Voracek

posted by bukem

posted by Mark Russinovich

posted by bukem

posted by bukem

Mark, since the infection Jeff worked on was triggered by an incorrect date on the system, why couldn't he just reset the system with the correct date and then reinstall from backup?  Even if the backup was infected, it wouldn't be triggered until the trigger date (09/11).  Doing this would have allowed his client to get back up and running at least for a while. 

Even if Jeff wasn't aware that the infection had been triggered by an incorrect date, when the system was rebuilt the first time, Sue (or even Jeff) should have set the rebuilt system to a correct date.  If the date was for some reason still wrong after the system was rebuilt, it should have raised a huge red flag and given them troubleshooting options. 

posted by Jamezs

After figuring out that the infection had been triggered by an incorrect date, a quick workaround would have been to rebuild the system, set the date to a time after 09/11, and then restore the data from backup.  Obviously Time Stamp issues would be a concern, but at least the system would be up and running and the data would be accessible, etc.  That would give Jeff's client breathing room until a patch becomes available from the Vendors.  Does that seem technically sound for a quick workaround?  Or am I missing something? 

Thanks,

posted by Jamezs

Spoiler Alert Part III

@Jamezs. It seems like your second scenario (Setting the date past 9/11) would work unless the trigger parameter was greater than or equal to 9/11.

My questions are: Am I correct in assuming that the time settings are being provided to the client machines by the server(s). How could a company like Fischerman, Platt & Cohen not notice that the time settings were wrong on all of their workstations?

posted by Superphreak

This DefragTools series is just ubercool (and hopefully never-ending)

I've given all my co-workers an heads-up about this series, (and Mark's Case of the unexplained talks at TechEd, and other Sysinternals talks there), and their just amazed. There's tons of stuff to learn here. Some of us know the tools and use them, but some don't. Seeing them demonstrated by an experts is just 100 times better than just reading about them and trying by yourself.

I hope You also can do a series focused on troubleshooting different scenarios, why You choose to use a specific tool, and how You use it. That's what so cool about the TechEd shows. It's a great way to learn the tools, and also the OS.  Especially an evolving one like Windows.  Can't get enough of that stuff...

Hopefully Mark and You others on the team will continue posting bloggpost like the "Pushing the limits of Windows" series also. That one and talks like "Mysteries of Windows memory management" are packet with helpful insight into the inner workings of Windows.

Don't stop, You're not finished... You're never finished. Go on... go on... go on... 

posted by geirendre

posted by Crispin Wright

@Mark: I really don´t know how you manage to keep all the balls in the air ... just astounding! "Zero Day" & "Trojan Horse" = movie material! Am still a little annoyed though that i can´t purchase "Operation Desolation" for my kindle. Still says "Not currently available" (seems that Amazon doesn´t like to sell in Germany?!?!)

Cheers and all the best!

posted by r4m3u5

posted by ababcock1

Hey... If you're thinking about a fun new project (like you don't have enough on your plate), that Audiobook idea that Sailivi mentioned would be super cool. And I bet it would be ultra-awesome if you were the Narrator.  Cheers!

posted by Rob Patterson

posted by BRWILKINSON

posted by SteffenZeidler

Process Explorer has history support. New history columns were added about a year ago. Instead of being numbers they are graphs. There is no explicit api that gives you the history. The closest thing is being an ETW consumer and polling the system with the tooltip32 API.

ProcDump is designed to not change the state of the target. If you wrote your own MiniDumpCallback DLL (-d <dll>) you might be able to force the flush of the ETW buffers  - it'd only work if the target didn't needed to execute any of it's threads (as they will be all suspended).

posted by windev

posted by SteffenZeidler

posted by windev

posted by Mark Russinovich

posted by Superphreak