Windows® Sysinternals Administrator’s Reference
Mark Russinovich
Aaron Margosis
Table of Contents
Foreword xix
Introduction xxi
Tools the Book Covers xxi
The History of Sysinternals xxi
Who Should Read This Book xxv
Assumptions xxv
Organization of This Book xxv
Conventions and Features in This Book xxvi
System Requirements xxvi
Acknowledgments xxvii
Errata & Book Support xxviii
We Want to Hear from You xxviii
Stay in Touch xxviii
Getting Started
Getting Started with the Sysinternals Utilities 3
Overview of the Utilities 3
The Windows Sysinternals Web Site 6
Downloading the Utilities 7
Running the Utilities Directly from the Web 10
Single Executable Image 11
The Windows Sysinternals Forums 11
Windows Sysinternals Site Blog 12
Mark’s Blog 12
Mark’s Webcasts 13
Sysinternals License Information 13
End User License Agreement and the /accepteula Switch 13
Frequently Asked Questions About Sysinternals Licensing 14
Windows Core Concepts 15
Administrative Rights 15
Running a Program with Administrative Rights on Windows XP and Windows Server 2003 16
Running a Program with Administrative Rights on Windows Vista or Newer 18
Processes, Threads, and Jobs 21
User Mode and Kernel Mode 22
Handles 23
Call Stacks and Symbols 24
What Is a Call Stack? 24
What Are Symbols? 26
Configuring Symbols 28
Sessions, Window Stations, Desktops, and Window Messages 30
Terminal Services Sessions 31
Window Stations 32
Desktops 33
Window Messages 34
Usage Guide
Process Explorer 39
Procexp Overview 39
Measuring CPU Consumption 41
Administrative Rights 42
Main Window 43
Process List 43
Customizing Column Selections 53
Saving Displayed Data 65
Toolbar Reference 65
Identifying the Process That Owns a Window 66
Status Bar 67
DLLs and Handles 67
Finding DLLs or Handles 68
DLL View 69
Handle View 73
Process Details 77
Image Tab 78
Performance Tab 79
Performance Graph Tab 80
Threads Tab 81
TCP/IP Tab 82
Security Tab 83
Environment Tab 84
Strings Tab 85
Services Tab 86
.NET Tabs 87
Job Tab 88
Thread Details 89
Verifying Image Signatures 91
System Information 92
Display Options 95
Procexp as a Task Manager Replacement 96
Creating Processes from Procexp 97
Other User Sessions 97
Miscellaneous Features 97
Shutdown Options 97
Command-Line Switches 98
Restoring Procexp Defaults 98
Keyboard Shortcut Reference 98
Process Monitor 101
Getting Started with Procmon 102
Events 104
Understanding the Column Display Defaults 104
Customizing the Column Display 107
Event Properties Dialog Box 108
Displaying Profiling Events 114
Finding an Event 115
Copying Event Data 115
Jumping to a Registry or File Location 115
Searching Online 116
Filtering and Highlighting 116
Configuring Filters 117
Configuring Highlighting 119
Advanced Output 120
Saving Filters for Later Use 121
Process Tree 122
Saving and Opening Procmon Traces 123
Saving Procmon Traces 124
Opening Saved Procmon Traces 125
Logging Boot, Post-Logoff, and Shutdown Activity 127
Boot Logging 127
Keeping Procmon Running After Logoff 128
Long-Running Traces and Controlling Log Sizes 129
Drop Filtered Events 129
History Depth 130
Backing Files 130
Importing and Exporting Configuration Settings 131
Automating Procmon: Command-Line Options 132
Analysis Tools 134
Process Activity Summary 134
File Summary 136
Registry Summary 137
Stack Summary 138
Network Summary 139
Cross Reference Summary 140
Count Occurrences 140
Injecting Debug Output into Procmon Traces 141
Toolbar Reference 142
Autoruns 145
Autoruns Fundamentals 146
Disabling or Deleting Autostart Entries 148
Autoruns and Administrative Permissions 148
Verifying Code Signatures 149
Hiding Microsoft Entries 150
Getting More Information About an Entry 151
Viewing the Autostarts of Other Users 151
Viewing ASEPs of an Offline System 152
Listing Unused ASEPs 152
Changing the Font 153
Autostart Categories 153
Logon 153
Explorer 155
Internet Explorer 157
Scheduled Tasks 158
Services 158
Drivers 159
Codecs 160
Boot Execute 160
Image Hijacks 161
AppInit 162
KnownDLLs 162
Winlogon 163
Winsock Providers 164
Print Monitors 164
LSA Providers 164
Network Providers 165
Sidebar Gadgets 165
Saving and Comparing Results 166
Saving as Tab-Delimited Text 166
Saving in Binary (.arn) Format 166
Viewing and Comparing Saved Results 167
AutorunsC 167
Autoruns and Malware 168
PsTools 171
Common Features 172
Remote Operations 172
Troubleshooting Remote PsTools Connections 174
PsExec 176
Remote Process Exit 177
Redirected Console Output 178
PsExec Alternate Credentials 179
PsExec Command-Line Options 180
Process Performance Options 180
Remote Connectivity Options 181
Runtime Environment Options 181
PsFile 184
PsGetSid 185
PsInfo 187
PsKill 188
PsList 189
PsLoggedOn 191
PsLogList 192
PsPasswd 196
PsService 197
Query 198
Config 199
Depend 200
Security 201
Find 202
SetConfig 202
Start, Stop, Restart, Pause, Continue 202
PsShutdown 203
PsSuspend 205
PsTools Command-Line Syntax 206
PsExec 206
PsFile 206
PsGetSid 206
PsInfo 207
PsKill 207
PsList 207
PsLoggedOn 207
PsLogList 207
PsPasswd 207
PsService 207
PsShutdown 208
PsSuspend 208
PsTools System Requirements 208
Process and Diagnostic Utilities 211
VMMap 211
Starting VMMap and Choosing a Process 212
The VMMap window 214
Memory Types 216
Memory Information 217
Timeline and Snapshots 218
Viewing Text Within Memory Regions 220
Finding and Copying Text 221
Viewing Allocations from Instrumented Processes 221
Address Space Fragmentation 224
Saving and Loading Snapshot Results 225
VMMap Command-Line Options 226
Restoring VMMap defaults 227
ProcDump 227
Command-Line Syntax 228
Specifying Which Process to Monitor 229
Specifying the Dump File Path 229
Specifying Criteria for a Dump 230
Dump File Options 232
Miniplus Dumps 233
Running ProcDump Noninteractively 235
Capturing All Application Crashes with ProcDump 236
Viewing the Dump in the Debugger 236
DebugView 237
What Is Debug Output? 237
The DebugView Display 238
Capturing User-Mode Debug Output 240
Capturing Kernel-Mode Debug Output 241
Searching, Filtering, and Highlighting Output 242
Saving, Logging, and Printing 245
Remote Monitoring 247
LiveKd 249
LiveKd Requirements 250
Running LiveKd 250
LiveKd Examples 251
ListDLLs 253
Handle 256
Handle List and Search 256
Handle Counts 259
Closing Handles 260
Security Utilities 261
SigCheck 261
Signature Verification 263
Which Files to Scan 264
Additional File Information 265
Output Format 267
AccessChk 267
What Are “Effective Permissions”? 267
Using AccessChk 268
Object Type 270
Searching for Access Rights 272
Output Options 273
AccessEnum 275
ShareEnum 277
ShellRunAs 278
Autologon 280
LogonSessions 280
SDelete 283
Using SDelete 284
How SDelete Works 285
Active Directory Utilities 287
AdExplorer 287
Connecting to a Domain 287
The AdExplorer Display 288
Objects 290
Attributes 291
Searching 293
Snapshots 294
AdExplorer Configuration 296
AdInsight 296
AdInsight Data Capture 297
Display Options 300
Finding Information of Interest 301
Filtering Results 303
Saving and Exporting AdInsight Data 305
Command-Line Options 306
AdRestore 306
Desktop Utilities 309
BgInfo 309
Configuring Data to Display 310
Appearance Options 313
Saving BgInfo Configuration for Later Use 315
Other Output Options 315
Updating Other Desktops 317
Desktops 318
ZoomIt 320
Using ZoomIt 320
Zoom Mode 321
Drawing Mode 322
Typing Mode 323
Break Timer 323
LiveZoom 324
File Utilities 325
Strings 325
Streams 326
NTFS Link Utilities 328
Junction 329
FindLinks 330
DU (Disk Usage) 331
Post-Reboot File Operation Utilities 333
PendMoves 333
MoveFile 334
Disk Utilities 335
Disk2Vhd 335
Diskmon 337
Sync 339
DiskView 341
Contig 344
PageDefrag 345
DiskExt 347
LDMDump 347
VolumeID 350
System Information Utilities 351
RAMMap 351
Use Counts 352
Processes 354
Priority Summary 355
Physical Pages 355
Physical Ranges 356
File Summary 357
File Details 358
Purging Physical Memory 359
Saving and Loading Snapshots 359
CoreInfo 359
ProcFeatures 361
WinObj 362
LoadOrder 365
PipeList 366
ClockRes 367
Network and Communication Utilities 369
TCPView 369
Whois 371
Portmon 371
Searching, Filtering, and Highlighting 373
Saving, Logging, and Printing 375
Miscellaneous Utilities 377
RegJump 377
Hex2Dec 378
RegDelNull 378
Bluescreen Screen Saver 379
Ctrl2Cap 380
Troubleshooting—“The Case of the Unexplained”
Error Messages 383
The Case of the Locked Folder 383
The Case of the Failed AV Update 385
The Case of the Failed Lotus Notes Backups 387
The Case of the Failed Play-To 389
The Case of the Crashing Proksi Utility 390
The Case of the Installation Failure 391
The Troubleshooting 392
The Analysis 394
The Case of the Missing Folder Association 397
The Case of the Temporary Registry Profiles 400
Hangs and Sluggish Performance 405
The Case of the IExplore-Pegged CPU 405
The Case of the Excessive ReadyBoost 408
The Case of the Slow Keynote Demo 410
The Case of the Slow Project File Opens 415
The Compound Case of the Outlook Hangs 420
Malware 427
The Case of the Sysinternals-Blocking Malware 427
The Case of the Process-Killing Malware 429
The Case of the Fake System Component 431
The Case of the Mysterious ASEP 433
Index 437
About the Authors 463
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2011 by Aaron Margosis and Mark Russinovich
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any
means without the written permission of the publisher.
Library of Congress Control Number: 2011931614
ISBN: 978-0-7356-5672-7
Printed and bound in the United States of America.
First Printing
Microsoft Press books are available through booksellers and distributors worldwide. If you need support related
to this book, email Microsoft Press Book Support at mspinput@microsoft.com. Please tell us what you think of
this book at http://www.microsoft.com/learning/booksurvey.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/
Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of
their respective owners.
The example companies, organizations, products, domain names, email addresses, logos, people, places, and
events depicted herein are fictitious. No association with any real company, organization, product, domain name,
email address, logo, person, place, or event is intended or should be inferred.
This book expresses the authors’ views and opinions. The information contained in this book is provided without
any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or
distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by
this book.
Acquisitions Editor: Devon Musgrave
Developmental Editor: Devon Musgrave
Project Editor: Devon Musgrave
Editorial Production: Waypoint Press
Technical Reviewer: Christophe Nassare; Technical Review services provided by Content Master, a member of
CM Group, Ltd.
Copyeditor: Roger LeBlanc
Indexer: Christina Yeager
Cover: Twist Creative • Seattle
To my fellow Windows troubleshooters: Never give up! Never surrender!
— Mark Russinovich
To Elise, who makes great things possible and then makes sure they happen.
(And who is much cooler than I am.)
— Aaron Margosis