Saturday, 6 August 2011

Process Monitor – save your live sometimes…


Hello again, 

Heard of Process Monitor from SysInternal? Most probably yes for Wintel guys, I guess? If the answer is No, then I would like to share this handy tool with you. It is one of my “must have” tool for troubleshooting.
A lot of time, we will not know in details, which file's/registry key's that the application try to access to grab information, setting, configuration, etc…. This tool will actually monitor file system, registry key, DLL activity, etc in real time. Of course you can save the output for later viewing. 

For example, you try to start a service, however, it failed to start and you have no idea where to check, where it fail, etc.. then you can start the Process Monitor to capture what/which file or registry key that the service try to access.

In a scenario where example, I try to launch myapp123 application, however it failed to start with error message “Access is denied”. In this case what I’ll do is:

  1. Start the Process Monitor
  2. Make sure the “Capture Event” is selected, click on File --> Capture Events, then it will start to capture all events.
  3. Once it starts capturing info, I’ll try to launch the myapp123 application again to reproduce the error.
  4. Once the error popup again, then stop the event capture by click on File --> Capture Events again or simply press CTRL + E.
  5. Go to the last section of the output log, normally, you should able to see some indicator which file/registry key is failed to be accessed. Check which file or registry key that have value of “Access Denied” in Result column.
 Sometimes, you just cannot find any indicator on the culprit, then another way or rather technique on using this tool is to capture event on “problem” server and compare the output with another healthy server. 

Normally, we need to check on those results that stated “ACCESS DENIED” or “NAME NOT FOUND”.

“ACCESS DENIED”, as the value is self explaining, which mean the application/services try to access to certain file/registry key that do not have permission.

“NAME NOT FOUND”, which mean, the application/services try to access to certain registry key but it doesn’t exists. However, take note, some application/services by design will try to look up some registry key for any extra configuration, if no key found, only then it will load their own default setting. Thus, not all “NAME NOT FOUND” is guilty. :P

Another common result value, you should see is “BUFFER OVERFLOW”, this seem to be a big problem as my system have so many buffer overflow issue… don’t panic.. hold on! Read below, (copied from Microsoft Windows Internals)

“It does not indicate a buffer-overflow exploit in the application that receives it. Instead, it’s used by the configuration manager to inform an application that the buffer it specified to store a registry value is too small to hold the value. Application developers often take advantage of this behavior to determine how large a buffer to allocate to store a value. They first perform a registry query with a 0-length buffer that returns a buffer-overflow error and the length of the date is attempted to read. The application then allocates a buffer of the indicated size and rereads the value. You should therefore see operations that return BUFFER OVERFLOW repeat with a successful result



By the way, you can download this great tool from http://technet.microsoft.com/en-us/sysinternals/bb896645

Have a great troubleshooting day…!!!





No comments:

Post a Comment