{"id":652,"date":"2020-11-01T10:02:53","date_gmt":"2020-11-01T15:02:53","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=652"},"modified":"2020-11-02T16:57:33","modified_gmt":"2020-11-02T21:57:33","slug":"using-process-monitor-to-troubleshoot-applications","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=652","title":{"rendered":"Using Process Monitor To Troubleshoot Applications"},"content":{"rendered":"<p>Sysinternals produced a suite of tools for working with Microsoft Windows systems; Microsoft acquired the company in 2006, and the tools continue to be developed. I used <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/pskill\" target=\"_blank\" rel=\"noopener noreferrer\">PSKill<\/a> and <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/psexec\" target=\"_blank\" rel=\"noopener noreferrer\">PSExec<\/a> to automate a lot of system administration tasks. <a href=\"https:\/\/technet.microsoft.com\/en-us\/sysinternals\/processmonitor.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">Process Monitor<\/a> (procmon) is like truss\/strace for Windows: it records the file, registry, network, process and thread operations that every process performs, along with each one&#8217;s result. Unlike Linux systems, which follow the Filesystem Hierarchy Standard (FHS), Windows files end up all over the place (plus info is stashed in the registry). Sometimes applications or services fall over for no apparent reason. 
Process Monitor reports out.<\/p>\n<p>Procmon loads a kernel driver to capture events, so it has to run elevated. When you open it, you can build filters to exclude uninteresting operations; there is a default set of exclusions (procmon&#8217;s own activity, for one, so there is no need to log what procmon is doing).<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/?attachment_id=7131\" rel=\"attachment wp-att-7131\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-7131\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon01-1024x586.png\" alt=\"\" width=\"960\" height=\"549\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon01-1024x586.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon01-300x172.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon01-768x440.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon01-750x429.png 750w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon01.png 1329w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/a><\/p>\n<p>Adding exclusions for specific process names can eliminate a <em>lot<\/em> of I\/O. I was looking to troubleshoot a problem on a Domain Controller that had nothing to do with AD specifically, so excluding activity by lsass.exe significantly reduced the amount of data being logged. 
If I&#8217;m using a browser to troubleshoot the problem, I&#8217;ll exclude the firefox.exe or chrome.exe binary too.<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/?attachment_id=7132\" rel=\"attachment wp-att-7132\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7132\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon02.png\" alt=\"\" width=\"663\" height=\"674\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon02.png 663w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon02-295x300.png 295w\" sizes=\"auto, (max-width: 663px) 100vw, 663px\" \/><\/a><\/p>\n<p>From the filter screen, click &#8220;OK&#8221; and procmon immediately begins capturing. The easiest thing I&#8217;ve found to do is <em>stop<\/em> capturing as soon as the program opens (ctrl-e toggles capture; ctrl-x, Edit &gt; Clear Display, discards what has already been logged). Stage whatever you want to log, press ctrl-e to start capturing, perform the actions you want to log, then return to procmon and press ctrl-e to stop again. Keep the window between the two ctrl-e presses short: a busy system produces thousands of events per second, and by default the capture lives in virtual memory rather than in a file on disk.<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/?attachment_id=7133\" rel=\"attachment wp-att-7133\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7133\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon03.png\" alt=\"\" width=\"527\" height=\"319\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon03.png 527w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon03-300x182.png 300w\" sizes=\"auto, (max-width: 527px) 100vw, 527px\" \/><\/a><\/p>\n<p>You&#8217;ll see reads and writes against the registry, including the specific keys; network operations; file reads and writes; and process and thread activity. The &#8220;Result&#8221; column tells you whether the operation succeeded (SUCCESS, NAME NOT FOUND, PATH NOT FOUND, ACCESS DENIED and so on), and the &#8220;Detail&#8221; column carries the operation-specific information, such as the access that was requested or the number of bytes transferred. 
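<\/p>\n<p>The capture workflow above (filter, start, reproduce, stop) and the hunt through the Result column for the failure that actually matters can be scripted. The following is an added example written for this page, not code from the original post or from Sysinternals: it assumes procmon.exe is on PATH, that the PowerShell session is elevated, and that the target path is a placeholder for whatever program falls over; the process-name noise list stands in for the exclusions you would otherwise build in the filter dialog.<\/p>

```powershell
# Added example (not from the original post): drive Procmon from PowerShell to capture
# one run of a failing program and triage the access failures from the resulting trace.
# Assumptions: procmon.exe is on PATH (or point $Procmon at it), the session is elevated
# (Procmon loads a kernel driver), and $Target is a placeholder for the program that
# falls over. The $Noise list mirrors the process-name exclusions discussed above.
param(
    [string]   $Procmon = 'procmon.exe',
    [string]   $Target  = 'C:\Program Files\Example\app.exe',   # placeholder path
    [string]   $Pml     = (Join-Path $env:TEMP 'trace.pml'),
    [string]   $Csv     = (Join-Path $env:TEMP 'trace.csv'),
    [string[]] $Noise   = @('lsass.exe', 'firefox.exe', 'chrome.exe', 'Procmon.exe', 'Procmon64.exe')
)

# 1. Start capturing straight to a backing file instead of virtual memory. /Quiet skips
#    the filter dialog, /Minimized keeps the window out of the way, /AcceptEula suppresses
#    the licence prompt.
Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', "/BackingFile `"$Pml`""
Start-Sleep -Seconds 3      # let the driver load before the interesting activity starts

# 2. Reproduce the failure (the scripted equivalent of ctrl-e, do the thing, ctrl-e).
try {
    Start-Process -FilePath $Target -Wait -ErrorAction Stop
} catch {
    Write-Warning "Target did not run cleanly: $($_.Exception.Message)"
}

# 3. Stop capturing: /Terminate tells every running Procmon instance to flush and exit.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# 4. Convert the PML trace to CSV (columns: Time of Day, Process Name, PID, Operation,
#    Path, Result, Detail) so it can be analysed without the GUI.
Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', "/OpenLog `"$Pml`"", "/SaveAs `"$Csv`"" -Wait

# 5. Triage. Drop the noisy processes, then report the (process, path) pairs that only
#    ever failed: an expected NAME NOT FOUND is normally followed by a SUCCESS on an
#    alternative path, so a path with no SUCCESS anywhere in the trace is the real
#    suspect. ACCESS DENIED is kept as its own row because the fix is different: grant
#    the service account that one permission rather than run the service as an admin.
$events = Import-Csv -Path $Csv | Where-Object { $Noise -notcontains $_.'Process Name' }

$okKeys = [System.Collections.Generic.HashSet[string]]::new()
foreach ($e in $events) {
    if ($e.Result -eq 'SUCCESS') { $null = $okKeys.Add($e.'Process Name' + '|' + $e.Path) }
}

$suspect = $events |
    Where-Object { $_.Result -in @('NAME NOT FOUND', 'PATH NOT FOUND', 'ACCESS DENIED') } |
    Where-Object { -not $okKeys.Contains($_.'Process Name' + '|' + $_.Path) } |
    Group-Object -Property 'Process Name', Result, Path |
    Sort-Object -Property Count -Descending |
    Select-Object Count,
        @{ Name = 'Process';   Expression = { $_.Group[0].'Process Name' } },
        @{ Name = 'Result';    Expression = { $_.Group[0].Result } },
        @{ Name = 'Operation'; Expression = { ($_.Group.Operation | Select-Object -Unique) -join ',' } },
        @{ Name = 'Path';      Expression = { $_.Group[0].Path } }

$suspect | Format-Table -AutoSize -Wrap
```

<p>Run it from an elevated prompt. The script deliberately keeps only the columns needed to spot the offending path; open the PML in the procmon GUI (or the CSV in a spreadsheet) to read the Detail column for any row it flags.<\/p>\n<p>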
There are a lot of <em>expected<\/em> not found failures. I see these in truss\/strace logs too: programs try a bunch of different locations and <em>one<\/em> of them needs to work, so a NAME NOT FOUND that is followed by a SUCCESS on an alternative path is not the problem. The failure you are looking for is the one with no successful alternative.<\/p>\n<p><a href=\"https:\/\/www.rushworth.us\/lisa\/?attachment_id=7134\" rel=\"attachment wp-att-7134\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-7134\" src=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon04-1024x460.png\" alt=\"\" width=\"960\" height=\"431\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon04-1024x460.png 1024w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon04-300x135.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon04-768x345.png 768w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon04-750x337.png 750w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2020\/11\/ProcMon04.png 1524w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/a><\/p>\n<p>I&#8217;ve had programs use a specific, undocumented file for a critical operation, so the service would fail to start because the file didn&#8217;t exist. Seeing the path and the failed file open allowed me to create the needed file and run my service. I&#8217;ve also wanted to find out where a program stashes data, and procmon makes that easy to identify. The same trace is worth a second look with a security hat on: a program that probes for a DLL or executable in a directory that ordinary users can write to (a NAME NOT FOUND there before it finds the real copy) is the setup for search-order hijacking, and an ACCESS DENIED against a file or registry key is a reason to grant the service account that one permission rather than run the service as an administrator.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sysinternals produced a suite of tools for working with Microsoft Windows systems; Microsoft acquired the company in 2006, and the tools continue to be developed. I used PSKill and PSExec to automate a lot of system administration tasks. Process Monitor (procmon) is like truss\/strace for Windows: it records the file, registry, network, process and thread operations that every process performs, along with each one&#8217;s result. 
Unlike Linux systems, which follow the Filesystem Hierarchy Standard (FHS), Windows &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[1169,1170,1168,136],"class_list":["post-652","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-process-monitor","tag-procmon","tag-sysinterals","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=652"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/652\/revisions"}],"predecessor-version":[{"id":7135,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/652\/revisions\/7135"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}