{"id":1802,"date":"2019-02-07T23:39:46","date_gmt":"2019-02-07T23:39:46","guid":{"rendered":"https:\/\/stevenwhiting.com\/blog\/?p=1802"},"modified":"2019-02-11T14:28:41","modified_gmt":"2019-02-11T14:28:41","slug":"the-case-of-the-failed-export","status":"publish","type":"post","link":"https:\/\/stevenwhiting.com\/blog\/?p=1802","title":{"rendered":"The Case Of The Failed Export"},"content":{"rendered":"\n<p>So a new addition to\nthe software used at work would allow you to export files from it to a share.\nThe user who was testing this was getting an export failure with a cannot be\naccessed error. But it was reported that the user had full control access to the folder\nshare.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/0.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/0.png\" alt=\"\" class=\"wp-image-1804\" width=\"417\" height=\"149\" srcset=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/0.png 417w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/0-300x107.png 300w\" sizes=\"auto, (max-width: 417px) 100vw, 417px\" \/><\/a><figcaption>The Export Error<\/figcaption><\/figure>\n\n\n\n<p>The clue, really, is\nin the error dialogue box, but it appears not even the developers spotted it or\nwere aware of the specific reason why this would fail.<\/p>\n\n\n\n<p>So I take a trace to\nsee what is going on (I didn&#8217;t pay close enough attention to the error dialogue\nbox myself, so even I missed it).<\/p>\n\n\n\n<p>Anyway. Filtering is\nyour friend in Process Monitor. You can collect so much info in a trace it can\nbe overwhelming. 
I&#8217;ve learnt all I know from watching Mark Russinovich&#8217;s Case\nof the Unexplained videos he&#8217;s done over the years over and over. Every watch I\nsee or learn something different.<\/p>\n\n\n\n<p>I&#8217;ve put a few\ntogether on my YouTube channel as Microsoft lost some of the old ones and these\nneed to be preserved.<\/p>\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Case Of The Unexplained\" width=\"584\" height=\"329\" src=\"https:\/\/www.youtube.com\/embed\/videoseries?list=PL96F5PDvO1HEr2s6v87JJAYUXDwKcB5Le\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Also others to watch\nare Aaron Margosis and old videos, if you can find them, from David Solomon.\nDavid and Mark did a great series way back when called &#8220;Sysinternals Video\nLibrary&#8221;. This was back when Sysinternals was still its own company and\nbefore Microsoft bought them out, so also before Mark started to work for\nMicrosoft. 
Although most of the tools mentioned are obsolete along with the OSes\nmentioned (Filemon and Regmon, which turned into Process Monitor), a lot of the\ninfo is still very useful.<\/p>\n\n\n\n<p>Mark and David were\nkind enough to let me upload the library set to my YouTube channel so they are\nnever lost.<\/p>\n\n\n\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube wp-embed-aspect-4-3 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Sysinternals Video Library - Tour of the Sysinternals Tools\" width=\"584\" height=\"438\" src=\"https:\/\/www.youtube.com\/embed\/TMlTwRsO5F8?list=PL96F5PDvO1HHuVewlKWQDzzTUrhMm-wGS\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Back to the point. So filters. A typical trace can run into the millions of events.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/1.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"243\" height=\"27\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/1.png\" alt=\"\" class=\"wp-image-1805\"\/><\/a><figcaption>Events<\/figcaption><\/figure>\n\n\n\n<p>You want to capture\neverything because then you can filter. If you filtered before capturing, you could miss\nthe very issue that is causing the crash or problem.<\/p>\n\n\n\n<p>In this trace we\nassume it&#8217;s something to do with the app we&#8217;re in so we filter on it. <\/p>\n\n\n\n<p>So CTRL+L for filter<\/p>\n\n\n\n<p>Here we choose\nProcess Name &#8220;is&#8221; then choose the Process from the list. 
The only\nprocesses that will appear are the ones that were running at the time of the\ntrace. Once the process is chosen we click Add.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/2.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"522\" height=\"326\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/2.png\" alt=\"\" class=\"wp-image-1813\" srcset=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/2.png 522w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/2-300x187.png 300w\" sizes=\"auto, (max-width: 522px) 100vw, 522px\" \/><\/a><figcaption>Process Name Filter<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/3.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"522\" height=\"326\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/3.png\" alt=\"\" class=\"wp-image-1808\" srcset=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/3.png 522w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/3-300x187.png 300w\" sizes=\"auto, (max-width: 522px) 100vw, 522px\" \/><\/a><figcaption>Process Name Filter<\/figcaption><\/figure>\n\n\n\n<p>The green tick means\nall other traces will now be hidden and we&#8217;ll only see stuff related to\nDocumotiveCapture.<\/p>\n\n\n\n<p>Or the quick way is\nto find DocumotiveCapture in the trace, right click and &#8220;Include&#8221; the\ntrace you want to filter.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a 
href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/4.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"492\" height=\"379\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/4.png\" alt=\"\" class=\"wp-image-1807\" srcset=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/4.png 492w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/4-300x231.png 300w\" sizes=\"auto, (max-width: 492px) 100vw, 492px\" \/><\/a><figcaption>Right click filter.<\/figcaption><\/figure>\n\n\n\n<p>Be aware. This will\nfilter just DocumotiveCapture. If you then want to see other processes but not\nall, you&#8217;ll need to go into the Process Monitor Filter and then add each\nprocess you want to include.<\/p>\n\n\n\n<p>So we are down from\n600k showing to 108k<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"241\" height=\"31\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/5.png\" alt=\"\" class=\"wp-image-1806\"\/><figcaption>Events<\/figcaption><\/figure>\n\n\n\n<p>Then I like to run a\nresults filter. 
It is a quick way to see if there is anything obvious in the\ntrace, such as Access Denied, Network Path Not Found etc.<\/p>\n\n\n\n<p>We choose Tools,\nCount Occurrences.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/6.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" width=\"276\" height=\"256\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/6.png\" alt=\"\" class=\"wp-image-1812\"\/><\/a><figcaption>Tools<\/figcaption><\/figure>\n\n\n\n<p>We choose Result and\nwe click Count.<\/p>\n\n\n\n<p>And straight away we\ncan see 11 Access Denied. If we double click this, Process Monitor will\nautomatically create a filter for Access Denied.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"696\" height=\"510\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/7.png\" alt=\"\" class=\"wp-image-1811\" srcset=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/7.png 696w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/7-300x220.png 300w\" sizes=\"auto, (max-width: 696px) 100vw, 696px\" \/><figcaption>Count Occurrences<\/figcaption><\/figure>\n\n\n\n<p>We see some registry\nkeys but these don&#8217;t look like they could be the issue. 
There is also a create file,\nbut this is just for an icon in the Windows directory, which the user obviously\nshouldn&#8217;t have access to.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/8.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/8-1024x128.png\" alt=\"\" class=\"wp-image-1814\" width=\"1024\" height=\"128\" srcset=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/8-1024x128.png 1024w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/8-300x37.png 300w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/8-768x96.png 768w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/8.png 1105w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption>Access Denied<\/figcaption><\/figure>\n\n\n\n<p>Then we see it in\nthe next two lines. The reason for the error. Access Denied. But why? The user\nhas full control over this share on the server. 
So why are they getting Access\nDenied?<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/9.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/9.png\" alt=\"\" class=\"wp-image-1810\" width=\"808\" height=\"32\" srcset=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/9.png 808w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/9-300x12.png 300w, https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/9-768x30.png 768w\" sizes=\"auto, (max-width: 808px) 100vw, 808px\" \/><\/a><figcaption>Filtered Access Denied<\/figcaption><\/figure>\n\n\n\n<p>This is the key<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><a href=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/10.png\" target=\"_blank\" rel=\"noreferrer noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/stevenwhiting.com\/blog\/wp-content\/uploads\/2019\/sysint\/thecaseofthefailedexport\/10.png\" alt=\"\" class=\"wp-image-1809\" width=\"23\" height=\"16\"\/><\/a><figcaption>e$<\/figcaption><\/figure>\n\n\n\n<p>Only admins have\npermissions to these types of shares. A $ sign at the end of a share name means\nit&#8217;s a hidden share. Not all $ shares are admin only, but shares that point\nto a drive letter, like c$, d$ and e$, are all admin shares, and ONLY admins can\naccess them. So even if you, as a normal user, have permissions to the <strong>Scans<\/strong> folder, as\nhappened here, you&#8217;d still get Access Denied. And that was it. 
The export function\nwas hard coded to point to this e$ admin share so was always going to fail.<\/p>\n\n\n\n<p>This was reported back to the developers who changed this to just point to the normal FQDN that the user had permissions to and that was it. Now exporting worked.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So a new addition to the software used at work would allow you to export files from it to a share. The user that was testing this was getting an export fail with cannot be accessed. But it was reported &hellip; <a href=\"https:\/\/stevenwhiting.com\/blog\/?p=1802\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[197,200],"class_list":["post-1802","post","type-post","status-publish","format-standard","hentry","category-it-notes","tag-processmonitor","tag-sysinternals"],"_links":{"self":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1802","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1802"}],"version-history":[{"count":4,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1802\/revisions"}],"predecessor-version":[{"id":1850,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1802\/revisions\/1850"}],"wp:attachment":[{"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1802"}],"wp:term":[{"taxon
omy":"category","embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1802"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevenwhiting.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1802"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}