
Sysinternals Primer: Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk

Sysinternals Primer: Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk. Aaron Margosis Principal Consultant Microsoft Services, Public Sector. Session Objectives and Takeaways. Session Objectives: Focus on features of Sysinternals tools



Presentation Transcript


  1. Sysinternals Primer: Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk Aaron Margosis Principal Consultant Microsoft Services, Public Sector

  2. Session Objectives and Takeaways • Session Objectives: • Focus on features of Sysinternals tools • Complementary to Mark Russinovich’s “Case of the Unexplained” talks • Key Takeaway • Use Sysinternals utilities more effectively

  3. The Sysinternals Administrator’s Reference • The official guide to the Sysinternals tools • Covers every tool, every feature, with tips • Written by Mark Russinovich and Aaron Margosis • Available in June… (or so…) • Full chapters on the major tools: • Process Explorer • Process Monitor • Autoruns • Other chapters by tool group • Security, process, AD, desktop, …

  4. Updates since the last Sysinternals Primer… sysinternals

  5. What’s New • Process Explorer v14 • CPU Cycle Accounting • Tree CPU Usage • System information changes • Network and disk throughput history minigraphs • Interrupt and DPC counts in System Information dialog • Network and disk I/O per-process columns • > 64 CPU support

  6. What’s New

  7. What’s New • Process Monitor • Quick filter context menus to zoom in on particular time range in a trace. • Ability to disable individual filter entries • API for developers interested in inserting debug output into the Process Monitor event stream

  8. What’s New

  9. Disk2Vhd sysinternals

  10. Disk2Vhd • Captures an image of a physical disk to the VHD format • GUI and Command Line • Uses Windows Volume Snapshot • Does not copy paging or hibernation files • Can capture a running system • Works on all supported Windows versions • Requires administrator privilege • Capture image to multiple places • UNC • Mapped Drive • USB

  11. XP vs Win7 • Windows XP • Windows Server 2003 • Windows Vista • Windows 7 • Windows Server 2008 • Windows Server 2008 R2

  12. Disk2Vhd demo

  13. Autoruns sysinternals

  14. Autoruns • Replaces System Configuration (msconfig) services and startup tab • Uncovers software that starts automatically by Windows through Auto-Start Extensibility Points (ASEPs) • Software applications • Internet Explorer add-ins • Drivers • Services • Command line version – AutorunsC • Analyze offline system

  15. Autoruns demo

  16. ProcDump sysinternals

  17. ProcDump • User-mode memory dump utility • Easier to use than Adplus • Many configurable triggers • CPU or memory usage • GUI hang • First- or second-chance exceptions • Termination • Perf counter thresholds • Dump file types, including new “Miniplus” dump

  18. ProcDump command line syntax • procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] }

  19. ProcDump command line syntax • procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] } Which process to monitor and target dump file…

  20. ProcDump command line syntax • procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] } Dump criteria…

  21. ProcDump command line syntax • procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] } How to dump the process state…

  22. ProcDump demo

  23. BgInfo sysinternals

  24. BgInfo • Displays computer configuration on desktop wallpaper • Flexible formatting options • 24 default fields covering OS, hardware, network, logon and timestamp attributes • Custom fields from registry, envvars, WMI queries, … • Log results

  25. BgInfo

  26. BgInfo demo

  27. AccessChk sysinternals

  28. AccessChk • Reports effective permissions on securable objects • Can perform recursive searches • Supports many object types • Shows summary; can show detailed permissions • Search for access rights for a user or group • Reports account rights

  29. AccessChk demo

  30. Getting Started sysinternals

  31. Sysinternals Website Features • http://www.Sysinternals.com • Redirects to http://technet.microsoft.com/Sysinternals • Sysinternals Suite contains all the tools in one zip file • Site blog announces all updates • http://blogs.technet.com/Sysinternals • Run directly from the web: Sysinternals Live • http://live.sysinternals.com/procmon.exe, or • \\live.sysinternals.com\tools\procmon.exe • UNC syntax requires WebClient service • Videos on troubleshooting with the tools

  32. Additional Resources • Mark Russinovich’s blog: • http://blogs.technet.com/MarkRussinovich • Blog posts and utilities by Aaron Margosis • http://blogs.msdn.com/aaron_margosis • http://blogs.technet.com/fdcc • The “Bonus Tracks” at the end of this deck

  33. bonus tracks

  34. Disk2Vhd command line syntax • disk2vhd [-h] drives vhdfile • -h When capturing Windows XP or Server 2003 system volumes, -h fixes up the HAL in the VHD to be compatible with Virtual PC. • drives is one or more drive letters with colons (e.g., c: d:) indicating which volumes to convert, or use “*” to indicate all volumes. • vhdfile is the full path to the VHD file to be created. • Example: disk2vhd c: e:\vhd\snapshot.vhd

  35. Autoruns command line syntax • autoruns [-e] [[-v] -a file] • -e Run elevated (Vista and newer) • -a file Save results to file.arn and then exit • -v Verify signatures

  36. AutorunsC command line syntax (Descriptions of the options on the next slide) • autorunsc [-x] [[-a] | [-b] [-c] [-d] [-e] [-g] [-h] [-i] [-k] [-l] [-m] [-o] [-p] [-r] [-s] [-v] [-w] [[-z systemroot userprofile] | [user]]
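The Autoruns slide (14) says AutorunsC uncovers software started through Auto-Start Extensibility Points (ASEPs) and can be scripted; a practical use of that is to keep a known-good export and diff later exports against it. The following PowerShell is an added example, not code from the deck or from Sysinternals. It assumes each export was produced with `autorunsc -a -c -v > <file>.csv` (-a, -c and -v appear in the syntax line above) and the two file paths are assumptions.

```powershell
# Added example, not from the deck: diff two AutorunsC CSV exports and report auto-start
# entries (ASEPs) that appeared, disappeared, or changed what they launch.
# Assumes each export was made with:  autorunsc -a -c -v > <file>.csv
# (-a, -c, -v are in the deck's syntax line; -v adds the signature column). Paths are assumptions.
param(
    [string]$BaselineCsv = 'C:\asep\baseline.csv',
    [string]$CurrentCsv  = 'C:\asep\current.csv'
)

function Import-AsepCsv([string]$Path) {
    # AutorunsC may print a banner before the CSV header, so skip to the header line.
    $lines = @(Get-Content -Path $Path)
    for ($start = 0; $start -lt $lines.Count -and $lines[$start] -notlike '*Entry Location*'; $start++) {}
    if ($start -ge $lines.Count) { throw "No AutorunsC CSV header found in $Path" }
    $table = @{}
    foreach ($row in ($lines[$start..($lines.Count - 1)] | ConvertFrom-Csv)) {
        # Key on the ASEP location plus entry name; other column names vary between versions.
        $key = '{0} | {1}' -f $row.'Entry Location', $row.Entry
        $signerCol = if ($row.PSObject.Properties['Signer']) { 'Signer' } else { 'Publisher' }
        $table[$key] = [pscustomobject]@{
            ImagePath = $row.'Image Path'
            Launch    = $row.'Launch String'
            Signer    = $row.$signerCol
        }
    }
    return $table
}

function Compare-Asep([hashtable]$Baseline, [hashtable]$Current) {
    $changes = @(foreach ($key in $Current.Keys) {
        $now = $Current[$key]
        if (-not $Baseline.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'NEW'; Entry = $key; ImagePath = $now.ImagePath; Signer = $now.Signer }
        } elseif ($Baseline[$key].ImagePath -ne $now.ImagePath -or $Baseline[$key].Launch -ne $now.Launch) {
            [pscustomobject]@{ Change = 'MODIFIED'; Entry = $key; ImagePath = $now.ImagePath; Signer = $now.Signer }
        }
    })
    $changes += @(foreach ($key in $Baseline.Keys) {
        if (-not $Current.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'REMOVED'; Entry = $key; ImagePath = $Baseline[$key].ImagePath; Signer = $Baseline[$key].Signer }
        }
    })
    return $changes
}

$changes = Compare-Asep (Import-AsepCsv $BaselineCsv) (Import-AsepCsv $CurrentCsv)
# NEW entries whose signer is not verified are the first to triage.
$changes | Sort-Object Change, Entry | Format-Table -AutoSize
```

Take the baseline export on a freshly built machine; the -z offline option in the syntax line lets the same comparison be run against a mounted image of a system that is not booted.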

  37. AutorunsC command line options

  38. ProcDump command line syntax (Descriptions of the options on the next slide) • procdump [-c percent [-u]] [-s n] [-n count] [-m commit] [-h] [-e [1] [-b]] [-t] [-p counter threshold] [-ma | -mp] [-r] [-o] [-64] { {processname | PID} [dumpfile] | -x {imagefile} {dumpfile} [arguments] }
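Slides 18 to 21 split the syntax into three groups (which process, dump criteria, how to dump). The PowerShell below is an added example, not code from the deck or from Sysinternals, that fills in one concrete case from the CPU-trigger group and then hashes the resulting dumps for an incident record. It assumes procdump.exe is on PATH in an elevated prompt; -accepteula is a real switch common to the Sysinternals tools but is not shown on the slide, and the dump directory and defaults are assumptions.

```powershell
# Added example, not from the deck: take up to three full dumps of a process that sustains
# high CPU (-c percent, -s seconds, -n count are the "dump criteria"; -ma is the "how to dump"
# group on the syntax slides), then hash each dump so it can be attached to an incident record.
# Assumes procdump.exe is on PATH in an elevated prompt. -accepteula is a real Sysinternals
# switch not shown on the slide. Dump directory and default thresholds are assumptions.
param(
    [Parameter(Mandatory)][string]$Target,   # process name or PID, as on the slide
    [string]$DumpDir = 'C:\dumps',
    [int]$CpuPercent = 80,
    [int]$SustainSeconds = 10,
    [int]$MaxDumps = 3
)

function Invoke-CpuTriggeredDump {
    param([string]$Target, [string]$Dir, [int]$Cpu, [int]$Seconds, [int]$Count)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    $started = Get-Date
    # Run from the dump directory so procdump's default-named dump files land there.
    Push-Location $Dir
    try {
        # Argument order follows the slide: criteria, dump type, then the process to monitor.
        & procdump.exe -accepteula -c $Cpu -s $Seconds -n $Count -ma $Target
        if ($LASTEXITCODE -ne 0) { Write-Warning "procdump exited with code $LASTEXITCODE" }
    } finally {
        Pop-Location
    }
    # Hash every dump written during this run. A -ma dump holds the process's full memory,
    # so keep the ACL on $Dir restricted to the responders who need it.
    Get-ChildItem -Path $Dir -Filter *.dmp | Where-Object { $_.LastWriteTime -ge $started } |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                Dump   = $_.FullName
                SizeMB = [math]::Round($_.Length / 1MB, 1)
                SHA256 = $h.Hash
                Taken  = $_.LastWriteTime
            }
        }
}

$records = Invoke-CpuTriggeredDump -Target $Target -Dir $DumpDir -Cpu $CpuPercent -Seconds $SustainSeconds -Count $MaxDumps
$records | Format-Table -AutoSize
# Append to a manifest so the hashes survive even if the dumps are later moved or deleted.
$records | Export-Csv -Path (Join-Path $DumpDir 'dump-manifest.csv') -Append -NoTypeInformation
```

Swapping `-c/-s` for `-h` (hang) or `-e 1` (first-chance exceptions) changes only the criteria group; the target and dump-type groups stay the same.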

  39. ProcDump command line options

  40. AccessChk command line options • accesschk [options] [user-or-group] objectname

  41. Track Resources Don’t forget to visit the Cloud Power area within the TLC (Blue Section) to see product demos and speak with experts about the Server & Cloud Platform solutions that help drive your business forward. You can also find the latest information about our products at the following links: • Cloud Power - http://www.microsoft.com/cloud/ • Private Cloud - http://www.microsoft.com/privatecloud/ • Windows Server - http://www.microsoft.com/windowsserver/ • Windows Azure - http://www.microsoft.com/windowsazure/ • Microsoft System Center - http://www.microsoft.com/systemcenter/ • Microsoft Forefront - http://www.microsoft.com/forefront/

  42. Resources • Connect. Share. Discuss. http://northamerica.msteched.com Learning • Sessions On-Demand & Community • Microsoft Certification & Training Resources www.microsoft.com/teched www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers http://microsoft.com/technet http://microsoft.com/msdn

  43. Complete an evaluation on CommNet and enter to win!

  44. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
