Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Posts Tagged ‘Process Monitor’

The Case of the Missing Dependency

Posted by William Diaz on September 9, 2011

We recently began the deployment of an add-in for Active Directory for the IT department (Defender Console). A considerable number of workstations, however, were failing to run the installer, encountering the following error: “The following dependencies are required before some application can be installed: Microsoft Visual C++ 2008 SP1 Redistributable Package.”


Posted in Troubleshooting

The Case of the Installer Run-Time Error

Posted by William Diaz on September 1, 2011

To make it easier to fix, reinstall, and install the most common applications we support in our environment, we have a front end tool that is launched from the run menu to facilitate this without the need to go digging around on the file server for batch files or scripts. While trying to reinstall an application, one of our helpdesk technicians was running into the following error while trying to run the tool on a user’s workstation: “Installer. Run-time error ‘-2147024770 (8007007e)’: Automation error – The specified module could not be found.”

Posted in Troubleshooting

The Case Of The Corrupt Download

Posted by William Diaz on August 23, 2011

The following error was being reported while internal users were trying to install the latest Flash Player from Adobe: “Internal error… ABORT: Certificate authentication failed, please re-install to correct the problem. (/0)”

Posted in Troubleshooting | 5 Comments

Zero Day Malware Cleaning with the Sysinternals Tools

Posted by William Diaz on August 18, 2011

Slides from Mark’s highly-rated Blackhat US 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.

Posted in Troubleshooting Tools

Is This What a Defective Hard Drive Behaves Like? (The Case Of The Random Workstation Hangs)

Posted by William Diaz on August 3, 2011

The nature of this problem made it difficult or impossible for the help desk to identify because there was nothing to look at that would tell the technician what was happening when these calls started coming in. They started as complaints of general system slowness at random times throughout the day and were often assigned to be looked at overnight, which resulted in zero findings because no one knew what they were looking for and could not experience the issue remotely. And if they did, in fact, run across the issue while logged on, they could not do anything anyway, because the stalled workstation appeared as a remote connectivity problem rather than a local hardware issue with the workstation.

As I started to hear about these issues, I became interested and kept an ear out for a user or two who was encountering the random hang. Identifying a workstation with the problem actually became rather simple, because during the hang a very specific series of events would kick off after the system resumed from the hung state. Isolating the cause, though, was a lot more involved. That’s because the nature of these issues is often software based, e.g. a system or application process was kicking off, or some low-level driver was locking up the system. To assist me in the task of finding the culprit, I used a few tools, starting with the Windows XP Event Viewer, then moving to Process Monitor to collect process trace logs, WinDbg to examine manual crash dumps of the hanging system, and Performance Monitor, and finally, after all else failed, installing Windows 7 to take advantage of its enhanced Event Tracing.

Some background. The workstation hangs for the most part coincided with the then-recent deployment of new Dell Optiplex 960 and 980 workstations. The hangs were not “hard hangs”, a type of hang where the system becomes completely unresponsive and needs to be manually rebooted. The hangs being seen could be characterized as “soft” in that the workstation would eventually recover after a certain amount of time, usually 2-5 minutes. During the hang, the mouse was still active, but switching between applications was not possible, and all keystrokes or commands were queued during the hang. Once the system recovered, any pending operations were executed immediately. There was no rhyme or reason to the hangs; they were entirely random and would happen several times a day while any user was logged on.

I connected to the workstations after hours and examined the event logs for anything out of the ordinary. Normally I look for errors or warnings, and I was specifically focused on the System log, hoping to see disk warnings indicating there were bad blocks on the hard drive. Not seeing anything there, I turned to the Application log but didn’t see anything that stood out there either. Looking at the other workstation, too, did not reveal anything telling.

With nothing to go on, I turned to the generic Information events and noticed that after each reported instance of hang there were a slew of McLogEvent 257 events:


Posted in Troubleshooting

Error Installing Older Versions of Flash Player

Posted by William Diaz on July 1, 2011

I found myself needing to install an older version of Flash Player for troubleshooting purposes. After uninstalling the current Flash Player, I encountered the following error when trying to install the older Flash Player: “The installation encountered errors: The version of Adobe Flash Player that you are trying to install is not the most current version…”

Posted in Troubleshooting

Troubleshooting and Resolving a Hang in 90 Seconds

Posted by William Diaz on June 3, 2011

I’m a stickler when it comes to performance issues on my workstation. So it bothered me when I noticed a small delay when right-clicking on my desktop. By small, I mean literally 2 seconds. I opened Sysinternals Process Explorer to quickly see if the CPU was spiking.

I looked at all the processes to see which one was the offender, but the 45-60% CPU time was the total of several processes. A few seconds after the menu opened, the CPU% would drop back down to a normal 0-1%.

30 Seconds…

Posted in Troubleshooting

Manual Discovery and Removal of Malware – Internet Security 2011-2012

Posted by William Diaz on May 19, 2011

Sometimes you have no choice but to approach malware infestations manually, even when running an AV program. Generally speaking, AV relies on malware definitions to detect threats and, if your definitions are not up-to-date, you can get hit by a Trojan, virus, or worm. Even with up-to-date definitions, you are still open to attack by the latest threats for which signatures do not yet exist. When this happens, you need to manually discover the threat and remove it. Such was the case in an earlier blog.

In the example here, one of our users was infected during a “drive by” while browsing the Internet. Our enterprise anti-virus failed to detect the threat and manual AV scans of the system failed to remove it since there was no definition for it yet. This is one of several variants of fake anti-virus (Scareware) from the Braviax suite, XP Internet Security 2011, which presents various security window pop-ups and a fake scan:

Posted in Troubleshooting | 2 Comments

The Case of the Failed Blog Post

Posted by William Diaz on May 4, 2011

Every now and then I use Word 2010 to blog. I recently ran into an issue where I could no longer post to my SharePoint blog at work from my workstation, and the error was rather generic, not alluding to anything: “Word cannot publish this post. The provider where you are trying to publish is unavailable…”

This was odd because previously posts had published normally. Additionally, I was able to post to my WordPress blog on the Internet and to a different internal blog. To see what was happening, I turned to Process Monitor and set a filter for winword.exe. There was nothing unusual in the file and registry activity. However, the network activity stood out:

Posted in Troubleshooting

The Case of the Offline Chat

Posted by William Diaz on February 10, 2011

Among the various types of operations Process Monitor traces, TCP/UDP activity is often overlooked. If you want to examine packets, Process Monitor is not going to do it for you. But it can sometimes present some important clues to a problem and point you in the right direction.

In the case here, our user was not able to get our in-house chat program to go online. You can usually force this by selecting the “List” button, but after several seconds of “Loading…” it would go back to offline. In hopes of finding something revealing, I opened Process Monitor from our lab and set a filter for the executable of the chat program. There were only a dozen operations but the ones that stood out were the last 5 UDP Send operations.

Posted in Troubleshooting