StevenWhiting.com

A place for info I've learnt in IT & stuff. (I get a little kick back from affiliate ads & links, just so you are aware)

Browsing Posts tagged ProcessMonitor

Another old one from the XP days and I believe this was Outlook 2010.

Two users would kept getting this Outlook popup every few minutes. Very helpful message “A program”. Would be good if it could report what program had invoked it.

Outlook Message

So I fire up Process Monitor and take a trace. Once I stop the capture I take a look. I assume it’s a not registry issue so I filter all reg entries out.

You can quickly do this by just clicking the registry icon

Filter buttons

This now filters out all the reg entries in the trace.

I then filter out just Outlook to see if there is anything obvious and see these entries.

Outlook filtered

I pick the first TCP entry and press CTRL+B to bookmark it. I then go and turn the Outlook filter off so all other entries reappear. I do this to see what is going on around that time other than Outlook and I bookmark it in case I lose my place.

This reveals the app that appears to be invoking this and causing the popup

More filters

The piece of Crapita (sorry I mean Capita https://en.wikipedia.org/wiki/Capita) software appears to be reference the Outlook Object Library and then I see Outlook trying to connect to the exchange server. These all correspond with the pop-up. Speaking to the person who supported the Crapita app they discovered there was an issue on the server that was causing CapitaEVForms to do this. Once disabled the message stopped.

It appears if an external app attempts to invoke Outlook without permission or as in this case, access the address book without being “Trusted” then Outlook pops up a warning in case the access was malicious.

 

So a new addition to the software used at work would allow you to export files from it to a share. The user that was testing this was getting an export fail with cannot be accessed. But it was reported that user had full control access to the folder share.

The Export Error

The clue, really, is in the error dialogue box but appears not even the developers spotted it or even wasn’t aware of the specific reason why this would fail.

So I take a trace to see what is going on (I didn’t pay close enough attention to the error dialogue box myself, so even I missed it).

Anyway. Filtering is your friend in Process Monitor. You can collect so much info in a trace it can be overwhelming. I’ve learnt all I know from watching Mark Russinovich’s Case of the Unexplained videos he’s done over the years over and over. Every watch I see or learn something different.

I’ve put a few together on my YouTube channel as Microsoft lost some of the old ones and these need to be preserved.

Also others to watch are Aaron Margosis and old videos, if you can find them, from David Solomon. David and Mark did a great series way back when called “Sysinternals Video Library”. This was back when Sysinternals was still its own company and before Microsoft bought them out, so also before Mark started to work for Microsoft. Although most of the tools mentioned are obsolete along with the OS’ mentioned (Filemon and Regmon, which turned into Process Monitor), a lot of the info is still very useful.

Mark and David were kind enough to let me upload the library set to my YouTube channel so they are never lost.

Back to the point. So filters. A typical trace can run into the millions of events.

Events

You want to capture everything because then you can filter. If you filtered before you could miss the very issue that is causing the crash or problem.

In this trace we assume it’s something to do with the app we’re in so we filter this.

So CRTL+L for filter

Here we choose Process Name “is” then choose the Process from the list. The only processes that will appear are the ones that were running at the time of the trace. Once the process is chosen we click Add.

Process Name Filter
Process Name Filter

The green tick means all other traces will now be hidden and we’ll only see stuff related to DocumotiveCapture.

Or the quick way is to find DocumotiveCapture in the trace, right click and “Include” the trace you want to filter.

Right click filter.

Be aware. This will filter just DocumotiveCapture. If you then want to see other processes but not all, you’ll need to go into the Process Monitor Filter and then add each process you want to include.

So we are down from 600k showing to 108k

Events

Then I like to run a results filter. It is a quick way to see if there is anything obvious in the trace, such as Access Denied, Network Path Not Found etc.

We choose Tools, Count Occurrences.

Tools

We choose Result and we click Count.

And straight away we can see 11 Access Denied. If we double click this, Process Monitor will automatically create a filter for Access Denied.

Count Occurrences

We see some registry keys but these don’t look like they could be the issue. And also a create file, but this is for just an icon in the Windows directory which is obvious the user shouldn’t have access to.

Access Denied

Then we see it in the next two lines. The reason for the error. Access Denied. But why? The user has full control over this share on the server. So why are they getting Access Denied.

Filtered Access Denied

This is the key

e$

Only admins have permissions to these types of shares. A share with a $ sign at the end means it’s a hidden share. Not all $ shares are admin only. But all shares that point to a drive letter like c$, d$, e$ are all admin shares. And ONLY admins can access them. So even if you have permissions, as a normal user, to the Scans folder in this case, in this instance, as happened here, you’d get Access Denied. And that was it. The export function was hard coded to point to this e$ admin share so was always going to fail.

This was reported back to the developers who changed this to just point to the normal FQDN that the user had permissions to and that was it. Now exporting worked.

 

Gonna try and start a new series of Case of the Unexplained notes, much like Mark Russinovich’s, exactly like Mark’s infact 🙂

These are issues I’ve come across and fixed over the years with his wonderful Sysinternal tools. He’s been a part of Microsoft for years now since they bought out Sysinternals but the tools have continued to be developed.

Back to the case.

The users would load a database but it would pause for several seconds which eventually made it just unusable.

Looking in the Process monitor trace you could see the database being read over the network

Process Monitor MSAccess trace

During the trace it gets read several times with long intervals

MSAccess database being read several times.

Looking at the size of the .mdb file (which I don’t have an image of) it was discovered it was over 1GB. Then looking at the switch the users were connecting through, it was only 100MB. So that must be it. Replaced the switch with a 1GB switch and all was well again.

 

Decoding the FileAttributes field in ProcessMonitor

Jeremy M [MSFT]

27 May 2010 10:43 AM

Random tip: if you’re using procmon.exe to monitor file system activity, you’ll see a FileAttributes field with a bunch of letters.  It’s not immediately obvious which letters correspond to which Win32 file attribute constants.  I asked around internally, and got the answer.  Blogging it here for general reference (and yes, the team does plan to update the docs with this).

FILE_ATTRIBUTE_READONLY,                  _T(“R”),

FILE_ATTRIBUTE_HIDDEN,                    _T(“H”),

FILE_ATTRIBUTE_SYSTEM,                    _T(“S”),

FILE_ATTRIBUTE_DIRECTORY,                 _T(“D”),

FILE_ATTRIBUTE_ARCHIVE,                   _T(“A”),

FILE_ATTRIBUTE_DEVICE,                    _T(“D”),

FILE_ATTRIBUTE_NORMAL,                    _T(“N”),

FILE_ATTRIBUTE_TEMPORARY,                 _T(“T”),

FILE_ATTRIBUTE_SPARSE_FILE,               _T(“SF”),

FILE_ATTRIBUTE_REPARSE_POINT,             _T(“RP”),

FILE_ATTRIBUTE_COMPRESSED,                _T(“C”),

FILE_ATTRIBUTE_OFFLINE,                   _T(“O”),

FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,       _T(“NCI”),

FILE_ATTRIBUTE_ENCRYPTED,                 _T(“E”),

FILE_ATTRIBUTE_VIRTUAL,                   _T(“V”),

http://blogs.msdn.com/b/jmazner/archive/2010/05/27/decoding-the-fileattributes-field-in-processmonitor.aspx

 

Normally a driver issue with the old version still being in memory if just replaced with the new Process Monitor.  Reboot normally fixes it.

 

http://myblog4fun.com/archive/2011/07/19/the-version-of-dbghelp-dll-configured-does-not-support-the.aspx

Great. This has been pissing me off all day. Now fixed.

 

Bad Behavior has blocked 104 access attempts in the last 7 days.