Friday, March 28, 2014

Using Process Monitor to Troubleshoot and Find Registry Hacks

SysInternals 5

In today’s edition of Geek School we’re going to teach you how to use Process Monitor to actually accomplish troubleshooting and figuring out registry hacks that you would not know about otherwise.
Process Monitor is one of the most impressive tools that you can have in your toolkit, as there is almost no other way to see what an application is actually doing under the hood. It is the only way to know what files are being written to by which process, and where things are stored in the registry, and which files are accessing them.
We’ll start off with today’s lesson by looking at how to find registry keys using Windows setting dialogs and Process Monitor, and then we’ll go through an actual troubleshooting scenario that we encountered on one of our computers in the lab, and easily solved using Process Monitor.

Using Process Explorer to Find Registry Keys for Common Settings

Everybody has clicked a checkbox or changed the value of a drop-down box at some point, but have you ever wondered where those values are actually stored? Many applications, and virtually everything in Windows, is stored in the Registry… somewhere.
For today’s example we’re going to use the first option on the first pane of Taskbar and Navigation Properties, which is a dialog that should exist in all versions of Windows. So now our mission is to figure out where that setting is actually stored in the registry. You can follow along with this particular setting, or you can try one of the other settings on the same dialog — or anywhere else you’d like to find the hidden setting location for.
The first thing you’ll want to do whenever trying to capture a set of data is to launch Process Monitor, and then change the setting. At that point you can stop Process Monitor from continuing to capture events, so the list doesn’t get out of control. (Hint: the File menu has the option, or it’s the third icon from the left).
Now that we’ve got a ton of data in the list, it’s time to filter the list to reduce the number of rows that we’re going to have to look through. Since we’re looking at a registry value that is being changed, we’ll need to filter by “RegSetValue”, which is what Windows uses to actually set a registry key to a new setting. Use the “Include” option to show only those events.
Your list should now be limited to just registry keys that were changed, so it’s time to take a look at the events and try to figure out which registry key it might be. Since we’re checking the “Lock the Taskbar” setting, and one of the registry keys being set includes the word “Taskbar” in the name, that’s a good place to start. Right-click on the path and choose to Jump To the location.
Process Monitor will open up the Registry Editor and highlight the key in the list. Now we need to make sure that this is actually the right key, which is pretty easy to figure out. Take a look at the setting, and then take a look at the key. Right now the setting is on, and the key is set to 0.
So change the setting, hit Apply on the dialog, and then use the F5 key to refresh the Registry Editor window. In our case we definitely picked the right setting, so now you can see that the TaskbarSizeMove value is set to 1.
If you didn’t pick the right value, you won’t see a change when you do the setting test again. So go and find the next logical one, and start over.

Troubleshooting Problems with Process Monitor

It’s not really possible to illustrate in a single article how to troubleshoot any problem with Process Monitor, or any other tool for that matter. There are just way too many combinations of issues that could possibly go wrong.
What we can do, however, is show how we actually used Process Monitor to troubleshoot a real problem that actually happened to one of our test computers. We had been installing some crapware, and then decided to try and clean the computer up. The problem was an entry in the Uninstall Programs panel that just wouldn’t go away.

Every time you would click to Change so you could remove it, you’d get an error that said “An error occurred while trying to uninstall AwfulApp. It may have already been uninstalled. Would you like to remove AwfulApp from the Programs and Features list?”.
That would have been great, except we then got an error that said “You do not have sufficient access to remove OutfoxTV from the Programs and Features list. Please contact your system administrator.”
The first thing to do was try the uninstall process again with Process Monitor running, which captured an enormous amount of data. This time we decided to use the Find feature (CTRL + F) to quickly find what we were looking for in the list. You could also use a Filter if you wanted, but this seemed simple, and luckily it worked the first time.
After taking a look at the first item in the list, we noticed an error: Windows was attempting to access the registry keys related to the uninstaller, but they weren’t actually in the registry in the first spot that Windows was looking. If you look a couple of keys down though, you’ll see a RegOpenKey event with a SUCCESS result for something under HKLM\Software\Wow6432Node.
Doing a search by that registry key very quickly landed us at the source of the problem: an ACCESS DENIED message when Windows tried to do the cleanup for the list using the RegDeleteKey operation. Interesting!
The first thing to do was use the Jump To feature to find the key in the registry and take a look.
Sure enough, look at all those registry keys over there! No wonder it is still appearing in the list.
Just to be sure, we opened up the C:\Program Files\ directory to see if any of the files were still around, but clearly the app had been wiped off the PC already.
The solution was very simple: we just manually deleted the registry key that Windows had problems deleting. If we had received an access denied message, we could have used the Permissions setting to make sure that we have access and tried again.
Luckily the delete worked immediately, and our Uninstall Programs list was now clear.
These are just a few of the many ways that you can use Process Monitor – it is an extremely important and useful utility that will take some time to master, but once you do, it can really help you solve many problems.

Next Lesson

Starting on Monday with the next lesson, we’ll examine many of the other utilities in the SysInternals Toolkit, including some of the powerful command line tools.

Wednesday, March 26, 2014

Lesson 2: Understanding Process Explorer

SysInternals 2
This lesson in our Geek School series covers Process Explorer, perhaps the most used and useful application in the SysInternals toolkit. But how well do you really know this utility?
Process Explorer, a task manager and system monitor application, has been around since 2001, and while it used to even work on Windows 9x, the modern versions only support XP and above, and they’ve been continually updated with features for modern versions of Windows. It’s the defacto standard for dealing with troubleshooting processes.

So What Can Process Explorer Do?

Some of the better features include the following, although this is by no means an exhaustive list. This application has many features, and many of those are buried deep within the interface. Amazingly it’s also a very small file.
  • The default tree view shows the hierarchical parent relationship between processes, and displays using colors to easily understand processes at a glance.
  • Very accurate CPU usage tracking for processes.
  • Can be used to replace Task Manager, which is especially useful on XP, Vista, and Windows 7.
  • Can add multiple tray icons to monitor CPU, Disk, GPU, Network, and more.
  • Figure out which process has loaded a DLL file.
  • Figure out which process is running an open window.
  • Figure out which process has a file or folder open and locked.
  • View complete data about any process, including threads, memory usage, handles, objects, and pretty much anything else there is to know.
  • Can Kill an entire process tree, including any processes started by the one you choose to kill.
  • Can Suspend a process, freezing all its threads so they do nothing.
  • Can see which thread in a process is actually maxing out the CPU.
  • The latest version (v16) integrates VirusTotal into the interface so you can check a process for viruses without leaving Process Explorer.
Any time you have a problem with an application, or something keeps freezing on your computer, or maybe you are trying to figure out what a particular DLL file is used for, Process Explorer is the tool for the job.

Understanding The Tree View

When you first launch Process Explorer, you are presented with a lot of visual data right away – there is a hierarchical tree view of the processes running on your computer, including CPU and RAM usage using numerical values for each process. There are some little mini activity graphs running at the top in the toolbar, showing you the CPU usage, which can be clicked on to display in a separate window.
There’s definitely a lot going on, and it would be easy to be overwhelmed by everything on the screen.
The initial display gives you a set of columns that include:
  • Process – the file name of the executable along with the icon if one exists.
  • CPU – the percentage of CPU time in the last second (or whatever the update speed is set to)
  • Private Bytes – the amount of memory allocated to this program alone.
  • Working Set – the amount of actual RAM allocated to this program by Windows.
  • PID  - the process identifier.
  • Description – the description, if the application has one.
  • Company Name – this one is more useful than you think. If something isn’t quite right, start by looking for processes that aren’t by Microsoft.
You can customize these columns and add many other options, or you can just click on any of the columns to sort by that field. If you’ve ever used Task Manager before, you’ve probably sorted by Memory or CPU, and you can do that here as well.
Clicking on Process will flip between sorting by the process name, or going back to the default tree view, which is very useful once you get used to it.
The view is updated once per second, but you can go to View -> Update Speed and customize how often it updates, the lowest being 0.5 seconds and the top level being 10 seconds. If you are using it for troubleshooting the default value is probably fine, but if you want to use it as a CPU monitor sitting in the system tray, 5 or 10 seconds might use less CPU while it runs in the background.
You can also pause the view under the same sub-menu, or by simply hitting the Space bar. This will freeze the view as a snapshot in time, which can be useful if you are trying to identify a process that starts and quickly dies, or if you have decided to sort by CPU usage and all the rows keep jumping around.
In the case of a quickly closing process, however, you would want to add extra columns to the default view for anything you might need to know, because clicking on a defunct process in the list won’t show much in the details view if the process isn’t running, even if you paused everything.

Understanding All Those Colors

There are definitely a lot of colors in a typical Process Explorer list, which can be a little confusing for the beginner geek. It’s really important to learn what all these colors mean, because they aren’t there just for show — they each mean something important.
Whenever you can’t remember what one of the colors means, you can go to Options -> Configure Colors on the menu to pull up the Color Selection dialog. This is basically a quick cheat sheet to what everything means. Keep reading, since we’re going to explain it here as well.
Based on the colors in the picture above, here is what each of the selected items mean (the others aren’t really important).
  • New Objects (Bright Green) – When a new process shows up in Process Explorer, it starts out as bright green.
  • Deleted Objects (Red) – When a process is killed or closes it will usually flash red right before deleting.
  • Own Processes (Light Blueish) – Processes running as the same user account as Process Explorer.
  • Services (Light Pink) – Windows Service processes, although it’s worth noting that they might have child processes that are launched as a different user, and those might be a different color.
  • Suspended Processes (Dark Gray) – When a process is suspended it can’t do anything. You can easily use Process Explorer to suspend an application. Sometimes crashed apps will briefly show up in gray while Windows is handling the crash.
  • Immersive Process (Bright Blue) – This is just a fancy way of saying that the process is a Windows 8 application using the new APIs. In the screenshot earlier you might have noticed WSHost.exe, which is a “Windows Store Host” process that runs Metro apps. For some reason Explorer.exe and Task Manager will also show up as immersive.
  • Packed Images (Purple) – these processes might contain compressed code hidden inside of them, or at least Process Explorer thinks that they do by using heuristics. If you see a purple process, make sure to scan for malware!
Since there is obviously some overlap between these different scenarios, the colors will be applied in an order of precedence. If a process is a service and is suspended, it will display in dark gray because that color is more important.
From what we’ve learned while researching, the order is Suspended > Packed > Immersive > Services -> Own Processes.

Verifying Application Identity

One really useful option that we’re surprised isn’t enabled by default is found at Options -> Verify Image Signatures.
This option will check the digital signature for each executable file in the list, which is an invaluable troubleshooting tool when you are looking at some suspicious application that is running in the list.
The vast majority of reputable software should be digitally signed at this point. If something isn’t, you should look very carefully at whether you should be using it.

Taking Action on a Process

You can quickly take action on any process by right-clicking on it and choosing from one of the options, or by using the shortcut keys if you prefer. Those options include:
  • Window – has options including Bring to Front, which can be useful to help identify the window associated with a process. If there are no windows for that process, it will be grayed out.
  • Set Priority – you can use this to configure the priority of a process. This is mostly useful for taming a runaway process that you don’t want to kill.
  • Kill Process – just like you’d imagine, this quickly kills that process.
  • Kill Process Tree – This kills not just the item in the list, but also the children of that parent process.
  • Restart – spectacularly useful while testing, this just kills the process and then restarts it. It’s worth noting that killing processes might result in lost data.
  • Suspend – this handy option is great for troubleshooting when a process is out of control. You can simply suspend the process rather than kill it, and check to see if anything is out of whack.
  • Check VirusTotal – this is a new option that we’ll explain further along. It’s quite handy really, as it checks the process for viruses.
  • Search Online – this will just search the web for the name of the process.
And obviously if you open up Properties that will take you to even more useful information about the process, much of which we’ll get into in the next lesson. 
Note: we tested out the Temp option but did not have any idea what it does.

Running as Administrator

While you don’t absolutely have to run Process Explorer as Administrator, without doing so many of the useful features won’t work, and you won’t be able to see as much information about each process.
If you are running on Windows XP or 2003, you will need to be running as an account that has full Administrator rights to use most of the features. This is probably not a problem for most people, because XP gave the default account full privileges anyway, but if you are trying to use this at work without administrator access, it won’t work quite as well.
Since most of our readers are using Windows 7, 8.x, or even Vista, you’ll probably be familiar with running an application as Administrator. It’s really easy… just right-click and choose the option from the menu.
Fun fact: Process Explorer actually uses the Debug Programs privilege, which goes a long way to explain why it is so powerful.

Forcing Process Explorer to Always Open as Administrator

If you want to make sure that Process Explorer always opens as Administrator without having to remember to right-click on it, you can force it by either making a special shortcut that requires Administrator mode, or by opening up the Properties for procexp.exe, going to Compatibility, and then choosing the option for “Run this program as an administrator”.
Either way will work just fine, or you could also just disable UAC if you prefer, which makes everything run as administrator all the time. We’re not recommending that, but you can do it.

Using Process Explorer to Replace Task Manager

Process Explorer has long been used as a powerful replacement for the previously anemic Task Manager application in every version of Windows prior to Windows 8, and assuming you want some real power in your hands, it works really well as a replacement in that version too.
Note: Windows 8’s Task Manager is greatly improved from previous versions. It’s still not as powerful as Process Explorer, but it’s probably easier for regular people to use. So don’t change mom’s computer to default to Process Explorer.
To make Process Explorer replace Task Manager, all you have to do is choose the Options -> Replace Task Manager option from the menu. That’s it.
Once you’ve done that, using CTRL + SHIFT + ESC or right-clicking on the Taskbar will both launch Process Explorer rather than Task Manager. Easy, right?
Warning: if you do replace Task Manager, make absolutely certain that you’ve put Process Explorer in a place that you won’t be accidentally moving or deleting the file. Otherwise you’ll be stuck with a system that can’t launch any Task Manager.

Using Process Explorer as an Awesome Tray Icon Monitor

One of the best features of Process Explorer is the ability to minimize it into the system tray, but instead of just a single icon, it can minimize into a full set of icons that can monitor CPU, I/O, Disk, Network, GPU, and RAM, or any combination of them. You can configure them to display separately, or not at all, if you prefer.
To set this up, open up the Options menu, go to the Tray Icons section, and then click to enable each of the tray icons that you would like to see.
You could just run Process Explorer every time you start running your computer, and then minimize it to the system tray so it will always be there for you. And, of course, if you used the option to replace Task Manager, you can quickly access it any time with a shortcut key – though you might want to use the “Allow Only One Instance” option to make sure you don’t open a bunch of separate windows.

Using Process Explorer to Quickly Search VirusTotal

If you are working on a problem PC and want to figure out if a process is a virus, you can save yourself some time by using Process Explorer version 16 or above, because they’ve added VirusTotal integration directly into the application. Just right-click on anything in the list to see the option.
The first time you run it, you’ll be asked to accept the VirusTotal terms of use, but after you do so, you will see the VirusTotal results show up right there in the list.
You can click on the result to go to VirusTotal and see the details.  It’s a great new addition to one of the best utilities ever.

Monday, March 24, 2014

Lesson 1: What Are the SysInternals Tools and How Do You Use Them?

SysInternals 1

This How-To Geek School series will teach you how to use SysInternals tools like a pro, so your geek cred will never be in question. Not that we are questioning your geek skills. You do use SysInternals tools, right?
  1. What Are the SysInternals Tools and How Do You Use Them?
  2. Understanding Process Explorer
  3. Using Process Explorer to Troubleshoot and Diagnose
  4. Understanding Process Monitor
  5. Using Process Monitor in the Real World
  6. Using Autoruns to Deal with Startup Processes
  7. Using BgInfo to Display System Information
  8. Using the Command Line Tools
There are many other admin tools built into Windows, available for free on the web, or even through commercial sources, but none of them are quite as indispensible as the SysInternals suite of tools. That’s right, there’s a full set of free tools to do almost any administrator task, from monitoring or starting processes to peeking under the hood to see what files and registry keys your applications are really accessing.
These tools are used by every single reputable computer guy — if you want to separate the wheat from the chaff, just ask your local PC repair guy what Process Explorer is used for. If he doesn’t have a clue, he’s probably not quite as good as he says. (Don’t worry, if you don’t have a clue about procexp.exe either, we’ll cover that in-depth starting in lesson 2 of this series tomorrow).
Remember that time Sony tried to embed rootkits into their music CDs? Yeah, it was a SysInternals utility that first detected the problem, and it was the SysInternals guys that made the announcement. In 2006, Microsoft finally bought the company behind SysInternals, and they continue to provide the utilities for free on their web site.
This series will walk you through each of the important tools in the kit, get you familiar with them and their many features, and then help you understand how to use them in a real-world scenario. It’s a lot of very geeky material, but it’ll be a fun ride, so be sure to stay tuned.

What Are the SysInternals Tools Exactly?

The SysInternals suite of tools is simply a set of Windows applications that can be downloaded for free from their section of the Microsoft Technet web site. They are all portable, which means that not only do you not have to install them, you can stick them on a flash drive and use them from any PC. In fact, you can actually run them without installing through SysInternals Live (which we’ll illustrate in a bit).
The tools include utilities such as Process Explorer, which is a lot like Task Manager with a plethora of extra features, or Process Monitor, which monitors your PC for filesystem, registry, or even network activity from almost any process on your system.
Autoruns helps you deal with startup processes, TCPView shows you what is connecting to resources on the internet, and there is an entire set of tools that run from the command line to help you deal with processes, services, and more.
Process Explorer is probably the most useful tool in the kit.
Most of these tools are going to require administrator access on your computer, so you’d be wise to test them out in a virtual machine or a test computer if you aren’t sure what you are doing — these are some heavy duty tools.
For example, say you have a really slow PC to troubleshoot, and you want to inspect all of the threads for a particular application, and then you want to see the entire stack for one of those threads to see exactly what DLLs and functions are being called. Process Explorer makes this trivial — you can simply double-click on the process, flip over to the Threads tab, and then click the Stack button.
This stack has not yet overflowed.
What does all this mean? Wait until lessons 2 and 3, where we will do our best to explain the concepts to you, and more importantly, explain why you’d want to bother digging this deep.

How Do You Get the Tools?

Getting your hands on any of the SysInternals tools is as easy as heading to the web site, downloading the zip file with all of the utilities, or just grabbing the zip file for the individual application that you want to use.
Either way, unzip, and double-click on the particular utility you’d like to open. That’s it. There’s no installer.

Running the Tools from SysInternals Live

If you don’t want to be troubled to download and unzip and then run the application, and you don’t want to keep a USB drive updated with the latest versions, or you just don’t have access to your drive while working on somebody else’s computer, you can always resort to SysInternals Live.
Basically what happened is that a number of years ago, the SysInternals guys were curious whether they could find a new way to distribute their software… so they created a Windows file share off their server and gave everybody on the internet access to it.
So you can simply type \\\ into the Windows Run box after pulling that up with the WIN + R shortcut key, and you’ll be able to browse their file share and look around.
Note: the \\server\share format is called a UNC (Universal Naming Convention) path, and it works just about anywhere in Windows. You can utilize it in the explorer address bar, file open and save dialog boxes, or anywhere that you’d normally use a file path.
The useful folder is probably the Tools one, that has all of the different utilities listed, and easily accessible with nothing more than a mouse click.
Browsing for the utilities on a remotely accessible file share really isn’t the fastest way to do things, though, so thankfully there is a much quicker way to launch any SysInternals utility from any internet-connected Windows PC.
Just follow this format to directly launch one of the utilities through the Run box:
For instance, to launch Process Explorer, the executable name is procexp.exe, so you can use \\\tools\procexp.exe to launch Process Explorer, or change procexp.exe to procmon.exe to launch Process Monitor instead.
When you do launch one of the utilities, you’ll be prompted with a security warning dialog before you actually run any of them. This is a good thing, of course, because you wouldn’t want Windows to let anybody run anything from a file share. That would be a disaster!
We’d highly recommend just downloading and putting a copy of the tools on every PC that you touch, rather than running from the Live site every time. But in a pinch, it’s great to know that you can do it.

Next Lesson: Understanding Process Explorer

Tomorrow’s lesson will familiarize you with the Process Explorer application, a task manager replacement with many more features. The interface is packed full of data and options, so we’ll go through and explain everything that you need to know — like what all those colors in the process list actually mean.
After that, we’ll cover how to use it in the real world to deal with problem processes, malware, and more. Then we’ll head into Process Monitor territory, and explain how to use one of the most powerful troubleshooting applications to figure out what is really going on under the hood of your PC.
And next week we’ll take a trip through some of the other utilities, like Autoruns, Bginfo, and many of the command line utilities included in the toolkit.
There’s a lot of material to cover, so go grab yourself a copy of the utilities so you can follow along starting tomorrow.