Defrag Tools: #2 - Process Explorer

Welcome to the first episode of Defrag Tools, where Andrew Richards and I will be walking you through the tools we use when troubleshooting Windows PCs. Each week we'll dive into the tools from SysInternals, showing you how to use them along with our best tips and tricks.
In this episode we'll be showing you how to get started by creating a thumb drive that you can use to fix PCs and troubleshoot problems.
Resources:
Microsoft Windows SDK for Windows 7 and .NET Framework 4
www.sysinternals.com
Timeline:
[00:00] - What is Defrag Tools?
[02:50] - The USB Stick light saber
[03:59] - Download, unblock and extract the Sysinternals Suite
[08:07] - Add c:\my\sysinternals to the PATH
[09:23] - Download and install the Microsoft Windows SDK for Windows 7 and .NET Framework 4
[13:30] - What is a Symbol?
[15:10] - Symbols script for environment variables
[18:57] - Symbol Logging (DbgHelp)
[20:45] - Gather the 'Redist' MSI files of Application Verifier, Debugging Tools for Windows, and Windows Performance Toolkit from the SDK
[22:29] - Debugging Tool for Windows
- Install both the x64 and x86 versions of the Debugging Tool for Windows (to "c:\debuggers" and "c:\debuggers_x86" respectively)
- Copy the "c:\debuggers" and "c:\debuggers_x86" folders into the "C:\My\Debugging Tool for Windows" folder for 'xcopy' use on any computer (no installation necessary)
[25:09] - Windows Performance Toolkit
- Install the x64 or x86 version of the Windows Performance Toolkit using the default options
- Copy "C:\Program Files\Microsoft Windows Performance Toolkit" to "C:\My\Windows Performance Toolkit" folder for 'xcopy' use on any computer (no installation necessary)
[25:43] - DbgHelp.dll v6.12
[26:55] - Next episode... Process Explorer
Scripts:
Symbols.cmd
md c:\My
md c:\My\Src
md c:\My\Sym
md c:\My\SymCache
setx /M _NT_SOURCE_PATH SRV*C:\My\Src
setx /M _NT_SYMBOL_PATH SRV*C:\My\Sym*https://msdl.microsoft.com/download/symbols
setx /M _NT_SYMCACHE_PATH C:\My\SymCache
DbgHelp_Logging.cmd
rem msdn.microsoft.com/en-us/library/windows/desktop/ms680687.aspx
md c:\My
md c:\My\DbgHelp
setx DBGHELP_DBGOUT 1
setx DBGHELP_LOG C:\My\DbgHelp\DbgHelpLog.txt
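The symbol path set by Symbols.cmd uses the debugger's element syntax (srv*cache*server, cache*dir, or a plain directory, separated by semicolons). As an added example that is not from the show or from Sysinternals, this Python checker parses a _NT_SYMBOL_PATH value and flags the configurations a practitioner usually wants to catch: no server element at all, a server reached over plaintext HTTP, or a server with no local cache. The element forms it accepts are an assumption based on the documented syntax; it does not cover the less common symsrv* form.

```python
"""Parse and sanity-check a Windows debugger symbol path (_NT_SYMBOL_PATH syntax)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class SymbolPathElement:
    kind: str                  # "srv", "cache" or "dir"
    cache_dir: Optional[str]   # local store for downloaded symbols, if any
    server: Optional[str]      # symbol server URL or share, if any
    directory: Optional[str]   # plain directory of .pdb files, if any


def parse_symbol_path(value: str) -> List[SymbolPathElement]:
    """Split a ';'-separated symbol path into elements (assumed grammar:
    srv*<cache>*<server>, srv*<server>, cache*<dir>, or <dir>)."""
    elements = []
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split("*")
        head = parts[0].lower()
        if head == "srv" and len(parts) == 3:
            elements.append(SymbolPathElement("srv", parts[1] or None, parts[2], None))
        elif head == "srv" and len(parts) == 2:
            elements.append(SymbolPathElement("srv", None, parts[1], None))
        elif head == "cache" and len(parts) == 2:
            elements.append(SymbolPathElement("cache", parts[1], None, None))
        elif len(parts) == 1:
            elements.append(SymbolPathElement("dir", None, None, raw))
        else:
            raise ValueError(f"unrecognised symbol path element: {raw!r}")
    return elements


def check_symbol_path(value: str) -> List[str]:
    """Return warnings for incomplete or risky symbol path configurations."""
    warnings = []
    elements = parse_symbol_path(value)
    if not any(e.kind == "srv" for e in elements):
        warnings.append("no srv* element: nothing will be downloaded from a symbol server")
    have_cache = False  # a cache* element applies to every element after it
    for e in elements:
        if e.kind == "cache":
            have_cache = True
        elif e.kind == "srv":
            if urlparse(e.server).scheme == "http":
                warnings.append(f"{e.server}: symbols fetched over plaintext HTTP; prefer https")
            if e.cache_dir is None and not have_cache:
                warnings.append(f"{e.server}: no local cache, every lookup goes to the server")
    return warnings
```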
I'm using this tool on my USB thumb drive:
WSCC - Windows System Control Center
http://www.kls-soft.com/wscc/
This tool can also update the programs, so you don't have to download the zip every time.
And MS provides symbols for hotfixes. MS doesn't provide symbols for some tools like Office, MSE.
And for the MSIs you can use the admin install mode of Windows Installer to get the install structure in a folder where you want it and copy the folder to your USB drive. Because admin mode is ugly to type in the cmd prompt, use this tool:
http://www.msfn.org/board/topic/124567-universal-extractor-latest-version-161/
After you've installed it, right-click the MSI and select one of the "Uniextract" extract options.
Hi Andrew, do you have the files (CMD scripts) for download you discussed?
Edit: Added to show description...
--- Symbols.cmd ---
md c:\My
md c:\My\Src
md c:\My\Sym
md c:\My\SymCache
setx /M _NT_SOURCE_PATH SRV*C:\My\Src
setx /M _NT_SYMBOL_PATH SRV*C:\My\Sym*http://msdl.microsoft.com/download/symbols
setx /M _NT_SYMCACHE_PATH C:\My\SymCache
Edit: Added to show description...
--- DbgHelp_Logging.cmd ---
rem https://msdn.microsoft.com/en-us/library/windows/desktop/ms680687.aspx
md c:\My
md c:\My\DbgHelp
setx DBGHELP_DBGOUT 1
setx DBGHELP_LOG C:\My\DbgHelp\DbgHelpLog.txt
Edit: Added to show description...
--- URLs ---
www.sysinternals.com
https://www.microsoft.com/en-us/download/details.aspx?id=8279
Sorry about the omission - Larry and I were rushed making more episodes when we wrote the first show's description.
Great show yet again, boys. I use these tools/techniques all the time but it seems like every time I hear someone talk about them I learn something new. Looking forward to the next 30 episodes!
@Andre: Thanks for the wscc tip...awesome sauce...
@Larry: Did you just channel Kriss-Kross at the start of this episode??? Total man-card violation...
Good stuff! I look forward to more ...and running Symbols on apps I created to see what all they are exposing!
Thanks, I was planning on going to bed early tonight, but when I saw that Defrag was finally back I watched it, and you answered my question, and then a bonus - Andrew Richards back and with a new show. Great tips, now I should probably go and remove my Sysinternals Suite and Debugging Tools x64 so I can reinstall everything this way.
I'm looking forward to this series. Are transcripts available?
@Robert Sterbal: At the moment, we have no plans to make transcripts. The Sysinternals Administrator's Reference is a good substitute in their absence.
@jp2code & All: The next tool is a (long) episode on Process Explorer, then two shows on Process Monitor (one on the application and one showing examples), then Autoruns, and then ...
Great Show.
I'm getting all my friends and workmates to watch.
@windev: no prob RE omission, loved the TR15 lvl 400 debug session, just had to find this show and keep the goodness rolling on, SEEs rock!
Very useful idea for the show, thank you.
I didn't get what the other two variables are for (_NT_SOURCE_PATH; _NT_SYMCACHE_PATH)? For symbols to work in ProcExp it needs only _NT_SYMBOL_PATH, right? And if I'd like to run it from a USB stick, can I just set the path in the Symbols Settings menu of ProcExp to the Syms folder on the flash drive? Except for size and speed, are there any other concerns in doing that?
Is there a way to download all the current MS symbols for let's say Windows 7 at once, not the .iso file?
Th
Great show. And look forward to all the shows in the series.
@Joe: If you have enough space, definitely set the path to the USB stick. I'd definitely do this if I was using one of those self-powered 2" hard disks. You'd use X:\My\... instead of C:\My\...
_NT_SOURCE_PATH is used by Process Monitor and VMMap (and more).
If you are internal to Microsoft, set the _NT_SOURCE_PATH and _NT_SYMBOL_PATH to the same value. The internal symbol server can download source code, as well as symbols and executables (images).
_NT_SYMCACHE_PATH is used by Windows Performance Toolkit (xPerf).
I'll dive deep into these environment variables again when I do the VMMap, WPT and Debugging Tools episodes.
Can this be done with Windows 10?
Their win10 episode...
https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-131-Windows-10-SDK