Edit
  • Article

[Newsletters Archive ^] [< Volume 5, Number 1] [Volume 6, Number 1 >]

The Systems Internals Newsletter Volume 5, Number 2

http://www.sysinternals.com
Copyright (C) 2003 Mark Russinovich

June 23, 2003 - In this issue:

  1. EDITORIAL

  2. WHAT'S NEW AT SYSINTERNALS

    • Filemon v6.06, Regmon v6.06
    • PsPassword v1.01
    • PsLoglist v2.3
    • AccessEnum v1.0
    • Process Explorer v6.03

  3. INTERNALS INFORMATION

    • PsExec Part of Deloader Worm
    • Using PsTools to Cause Problems
    • Microsoft documents NtQuerySystemInformation (sort of)

  4. INTERNALS TRAINING

    • Summer Video Special
    • Microsoft TechEd Europe
    • Next public Windows Internals class

The Sysinternals Newsletter is sponsored by Winternals Software, on the Web at http://www.winternals.com. Winternals Software is the leading developer and provider of advanced systems tools for Windows NT/2K/XP.

Winternals is pleased to announce the release of Administrator's Pak 4.0 with a comprehensive update of our flagship product, ERD Commander 2003. New features in ERD Commander 2003 include: FileRestore, for recovering deleted files; ability to use Windows XP System Restore Points to roll back unbootable systems; Disk Commander, for master boot record (MBR) repairs and salvaging data even from deleted volumes; and a "System Compare" diagnostic tool to compare system and configuration files on a dead system to working systems. To request a trial version, please visit http://www.winternals.com/sn

EDITORIAL

Hello everyone,

Welcome to the Sysinternals newsletter. The newsletter currently has 36,000 subscribers.

I finally did it. I switched from Internet Explorer to Mozilla (http://www.mozilla.org). Bryce Cogswell (my Sysinternals and Winternals cofounder) has been using Mozilla for a couple of years now and he's periodically updated me about all the cool features it has that IE doesn't. Most obviously, instead of opening new pages in separate windows you can have them open in tabbed pages of the same browser window. If you have multiple pages you want the browser to open when you launch it, just make a group of tabs your startup group.

Whereas IE has a global setting for remembering web page passwords, Mozilla lets you specify web pages for which you want it to remember passwords and you can use the password manager to remove remembered passwords at any time. Add in a built-in download manager, integrated e-mail client (which I don't use), multiple profiles, a built-in chat program, integration with popular search engines, and the distance between Mozilla and IE starts to look impressive.

However, Mozilla really shines when it comes to annoying web sites. It includes a built-in popup manager where you can configure popup filtering on a site-by-site basis if you desire. It has a cookie manager you use to block cookies, also by site if you want, and to view the cookies that have been dropped on your system. You can also configure Mozilla's behavior when it comes to images. Most sites that have obnoxious banners pull the graphic files from external sponsor sites and you can configure Mozilla to ignore external images, again, site-by-site if you want. Finally, a nice visual touch is Mozilla's skinning support, with numerous skins freely available.

I'm sure this sounds like a sales pitch, but its not. Its more a commentary on what lack of competition does to a product segment. Why doesn't IE have features like cookie management and popup blocking that consumers have to spend money for when Mozilla includes those features and more for free? Why did IE change so little between version 5 and 6 and why hasn't it been updated in two years? The vast majority of consumers uses whatever software they have on their computers and don't read open-source newsgroups or visit Slashdot.org and so they are unaware that better, freely available alternatives exist. Microsoft and Netscape made browsers free in their competition to dominate the web server application market so there's no financial benefit in Microsoft improving IE - they don't lose any money when a power user like me switches to Mozilla.

You can see the same effect even in Microsoft's add-on software. I used to use Eudora as my e-mail client, but about two years ago switched to Outlook. It seemed like everyone was using Outlook and I wanted to take advantage of its calendaring feature. I immediately found a number of small annoyances. For instance, you can configure Eudora to leave e-mail over a certain size on the server, which is helpful when you're dialed in at 25 Kb in a hotel room. Outlook has a similar feature, but Eudora downloads the first few lines of message text so that you see what the e-mail is about and use that information to decide whether or not to suffer a long download. Outlook doesn't.

I could go on, but you've got my message by now and can probably add a list of your own anecdotes. The bottom line is that competition is good for the computer consumer. Maybe IE "Longhorn" will blow Mozilla away?

Please pass the newsletter to friends you think might be interested in its content.

Thanks!

-Mark

WHAT'S NEW AT SYSINTERNALS

FILEMON V6.06, REGMON V6.06

Filemon and Regmon have jumped a two full version numbers in less than six months. This latest major update brings enhancements that make them easier to use and their display more informative.

When you run the new versions you immediately see that process icons display in the process column, providing you a visual cue as to what application is associated with the I/O you see. If you want detailed information about a process, including its version information, full path and command-line, right click on a line having that process' I/O and select Process Properties.

In some cases you might not see an appropriate icon for a process and get an error dialog when you try to view its properties. This results when a process starts and exits before the user interface has a chance to access the process and get its path.

When you open the context menu you'll also see entries that allow you to add the process or the path to the Include or Exclude filter. If you choose to apply a new filter you get a new prompt that asks if you want to apply the new filter to the collected output. That enables you to quickly trim the output to just the information you're interested in, without resorting to saving the output and loading it into a spreadsheet for post-processing.

Another enhancement is the ability to load saved log files back into the display. This capability, when coupled with the new filtering features and highlighting, make the tools versatile at post-mortem problem analysis.

Download Filemon v6.06 at
http://www.sysinternals.com/ntw2k/source/filemon.shtml
Download Regmon v6.06 at
http://www.sysinternals.com/ntw2k/source/regmon.shtml

PSPASSWORD V1.01

This latest addition to the PsTools suite brings the total count of the number of bundled command-line, remotely-capable administrative tools that make up the suite to 12. Many systems administrators, including the ones at Winternals, the company I co-founded, periodically change the local administrative passwords of the client machines they manage. There's no built-in way to remotely change local passwords, which is PsPassword's purpose. You can use it to change local (or domain) passwords on a remote computer. Adding it to a script or batch file that executes it against a list of computers makes it an ideal mass-password changing utility.

Download PsPassword v1.01 at
http://www.sysinternals.com/ntw2k/freeware/pspasswd.shtml
Download the entire PsTools suite at
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

PSLOGLIST V2.3

PsLoglist is one of the many Sysinternals tools for which I receive frequent feature requests. Version 2.3's enhancements all reflect user input. The area with the most improvement is filtering. PsLoglist has new switches that allow you to limit the event records displayed to only those that match a specified event ID or that have a specified event source, like IIS for example. In past versions the event-type filter only accepted one event type, but now it permits you to enter multiple types. For instance, to see all errors and warnings you would use a command-line like the following: psloglist -t f w.

Download PsLoglist v2.3 at
http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml
Download the entire PsTools suite at
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

ACCESSENUM V1.0

The rich permissions model employed by NTFS provides tremendous flexibility. With that flexibility comes the potential for complexity and misconfigured security. Unfortunately, there are no built-in tools that make managing security across directories and files easy. While the cacls command-line utility has the right idea, the fact that it's a command-line tool makes its output difficult to parse. That's where AccessEnum comes in. AccessEnum provides you an easy-to-understand view of the file and directory permissions for entire directory trees. With AccessEnum you can easily spot permissions problems.

When you run AccessEnum you specify a directory and AccessEnum will show you what users have what access to that directory, if applicable, the files and directories under that directory. By default, AccessEnum only lists a directory if the permissions on the directory differ from that of its parent directory, and it only shows files if the file's permissions are more lax than that of its parent directory. If you want you can use the Options dialog to have AccessEnum display files if their permissions differ from its parent directory.

Download AccessEnum v1.0 at
http://www.sysinternals.com/ntw2k/source/accessenum.shtml

PROCESS EXPLORER V6.03

Process Explorer is a process viewer and control utility that picks up where Task Manager leaves off. Among its extensive list of capabilities, Process Explorer shows you the process creation tree, displays handles that processes have open, lists DLLs (and other memory mapped files) that processes have loaded, and enables you to search for the process or processes that have a particular file opened.

The most significant enhancements in version 6.0 relate to view columns. Up until this version there was no column configurability, so I carefully chose what columns to show in order to maximize the limited space available. That limited the data you could see without opening a properties dialog to that which I considered most universally useful.

Now, just like with Task Manager, you can use the View|Select Columns menu item to choose what columns you want to see in each of the three views, process, handle and DLL. You can also drag columns to reorder them. Besides enabling you to customize the display to your liking, there are lots more column selections. For example, the Process View supports the column selections that Task Manager does as well as other useful ones like process image path, command-line, version number, and company name.

In previous versions Process Explorer refreshed its display synchronously, meaning that there could be periods of time where the user interface would become unresponsive, especially when you had handle view active and selected process with thousands of handles. Version 6.0 introduces asynchronous updates of all three views, making the user interface always responsive and Process Explorer seem snappier.

A powerful feature I pioneered with an earlier version of Process Explorer is difference highlighting, where new items in the display highlight in green and deleted items in red. I've extended the feature so that in version 6.0, unless you've paused the display, the refresh highlighting lasts for 4 seconds, making it easier to spot changes (in paused mode the highlighting remains until the next manual update).

Knowing what services are running within a process is one of the capabilities of Process Explorer's process view. You can choose to highlight service-hosting processes by selecting Options|Highlight Services. If you view the properties of a service-hosting process there's an additional tab entitled Services that shows you the list of services running in the process, including their service and display names. Now, on Win2K and higher, Process Explorer also shows you the description of a service you select in the service list if the service's developer provided one. This additional information makes identifying services easier with Process Explorer than any other tool (such as Tlist /s or the new tasklist /svc command in XP and 2003).

Some more minor improvements include the fact that when you save, Process Explorer now saves the contents of both the process view and the bottom view (handle or DLL), instead of just the bottom view. There's also now a minimize-to-tray option so that you can keep Process Explorer handy.

Download Process Explorer v6.03 at
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

SYSINTERNALS AT WWW.MICROSOFT.COM

Here's the latest installment of Sysinternals references in Microsoft Knowledge Base (KB) articles released since the last newsletter. This brings to 41 the total number of KB references to Sysinternals.

  • ACC2002: Error Message: ActiveX Component Can't Create Object http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B319844

  • FIX: Slow Performance When the Browser Capabilities Evaluator Is Removed from the Cache http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B819612

  • HOW TO: Troubleshoot Site Deployment Issues in Microsoft Content Management Server 2002 http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B814774

  • PSVR2002: "There Is No Information to Display in This View" Error Message When You Try to Access a Project View http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B810596

INTERNALS INFORMATION

PSEXEC PART OF DELOADER WORM

PsExec, a tool that allows you to execute processes on remote systems to which you have administrator access, has made its way into several worms, most notably, Deloader (http://www.f-secure.com/v-descs/deloader.shtml), which hit the internet this spring. I've gotten a number of e-mails from users not familiar with Sysinternals that, because they saw my name in the banner that PsExec displays when it executes, accuse me of trying to hack their systems.

It's unfortunate that people have chosen to use Sysinternals software maliciously, but there's not much I can do about it. An important fact to remember is that a user cannot use any of the tools to affect a remote system unless the account they're running in has administrative privilege on the remote system. Given such privileges, they can do whatever damage they want to the remote system, without using any tools: a rmdir /s \\remotesystem\admin$ will wipe out the SystemRoot directory of a remote system.

As for remote process execution, if they weren't using PsExec they'd use other tools. In fact, Windows Management Instrumentation, which is built into Windows 2000 and higher, and available as an add-on to NT 4 and Windows 9x, has a remote-process execution interface that provides a subset of PsExec's functionality.

USING PSTOOLS TO CAUSE PROBLEMS

Most tools Bryce and I post on Sysinternals are primarily intended for systems administration and troubleshooting. A notable exception is the Sysinternals Bluescreen Screen Saver (http://www.sysinternals.com/ntw2k/freeware/bluescreensaver), which depicts an authentic-looking blue screen of death and reboot sequence specific to the version of Windows NT on which you run it (it even runs on Windows 9x). You might not have realized, though, that some of the other tools on the site can be used to have fun with coworkers in your office.

There are three tools in particular that make tormenting officemates easy: PsExec, PsKill and PsSuspend. You can use them to remotely manipulate computers as long as your account has administrative access to the remote system or you have access to an account that does.

PsExec lets you launch applications on a remote system, so an easy way to baffle someone is to launch random programs on their console. To execute Solitaire on their machine you'd use a line like this:

psexec \\remotesystem -i sol.exe

The -i switch has PsExec launch the process on the console instead of launching it on the hidden services desktop. PsExec will exit when the user closes the Solitaire process. If you want to launch multiple instances to overwhelm the user, use the -d switch so that PsExec exits without waiting for the processes to exit.

What's even more devious is launching the Bluescreen Screen Saver on their system to make them think that their system has crashed. Use this command-line to do so:

psexec \\remotesystem -i -c "sysinternals bluescreen.scr" /s

The -c switch copies the specified file to the remote system.

If you want to cause more problems, use PsKill to terminate processes on their system. A good one is Explorer, which everyone has running, which will restart automatically, and which randomly crashes during usual operation (for me, anyway).

Finally, if you really want to mess with someone use PsSuspend to suspend random processes on their system for short periods of time. Again, they might think its just normal abnormal Windows behavior, but you'll know better!

Download PsExec, PsKill and PsSuspend from
http://www.sysinternals.com/ntw2k/freeware/pstools.shtml

MICROSOFT DOCUMENTS NTQUERYSYSTEMINFORMATION (SORT OF)

The other day I was pursuing April 2003's MSDN Library and ran across a documentation page for NtQuerySystemInformation. NtQuerySystemInformation is part of the "native" API that sits under much of the Win32 API and that is used almost exclusively by system processes that are part of the operating system (you can read about the native API at http://www.sysinternals.com/ntw2k/info/ntdll.shtml). Some Sysinternals tools make use of the APIs to gain access to functionality not exposed by Win32, but that functionality is related only to obtaining process and thread information.

I was therefore surprised to find NtQuerySystemInformation and my first thought was that Microsoft had decided to expose some of the useful functionality provided by the API. Reading the documentation convinced me otherwise. All of the described uses of the API are provided by well-defined Win32 APIs that the documentation strongly encourages you to use instead, starting with the statement at the top of the function description that reads: "NtQuerySystemInformation is an internal Windows function that retrieves various kinds of system information. Because this function may change in future versions of Windows, use the alternate functions listed below."

In fact, some of the uses show in the documentation are totally useless. For instance, the description of the API's SYSTEM_PERFORMANCE_INFORMATION variant states that you get back a data structure that, instead of being able use the same way Windows uses it, you should treat as a random layout of bytes and that you might use as a random number. It then goes on to say that you really shouldn't generate random numbers with the API, but instead call the documented Win32 function CryptGenRandom. The bottom line is that there's really no use they document that isn't more reliably and easily provided by Win32.

Curiosity piqued, I noted that the include file they list as containing the information required to use the API is winternl.h in the SDK. Doing a search in MSDN documentation for that file reveals more of the same: documentation for a handful of native APIs with equally useless uses or functionality better accessed through Win32. The header file itself reveals nothing not documented in the SDK.

So what are these useless APIs doing in MSDN and the SDK? My guess it that its part of Microsoft's compliance with the DOJ consent decree where Microsoft is "documenting" more of the internal APIs that are used by some its applications. Here's a line from the documentation for NtOpenFile that implies that its there for nothing more than legal purposes: "The NtOpenFile documentation is provided for the sake of full API coverage."

Because of the lack of any useful information and the fact that I'm fairly certain that whatever Microsoft applications that use the SYSTEM_PERFORMANCE_INFORMATION class of the NtQuerySystemInformation API don't use it to just get a random number, I'm left wondering if the documentation of the winternl.h functions is really in compliance with whatever legal directive lead to their inclusion in the SDK.

If you're interested in the full documentation of NtQuerySystemInformation and the other native APIs, get a copy of "Inside Windows NT/2000 Native API Reference" (http://www.amazon.com/exec/obidos/ASIN/1578701996/103-8560745-7945431 )

INTERNALS TRAINING

SUMMER VIDEO SPECIAL

BUY: Inside Windows 2000 GET: XP/Server 2003 Update FREE

Now you can own the ultimate internals training package at great savings. For a limited time, when you buy the very popular video INSIDE Windows 2000 at the already discounted internet price, you will get the XP/Server 2003 UPDATE absolutely FREE. That's almost 35% off the retail price.

Both of these outstanding learning tools are used by Microsoft worldwide for their corporate training. According to Rob Short, Vice President Core Technologies at Microsoft, "These videos drill into the core of the platform, capture its technical essence and present it in a powerful interactive video format."

Check out the product details or download a video sample at www.solsem.com. Don't wait too long. Take advantage of this limited time offer now!

MICROSOFT TECHED EUROPE 2003

Dave Solomon (http://www.solsem.com) and I taught a one-day pre-conference tutorial at TechEd US in Dallas two weeks ago with lab exercises that highlighted the use of Sysinternals tools and a one hour, fifteen minute breakout session that covered a small subset of the same material. Both were top-rated sessions. If you live in Europe you might be interested to know we're doing even more at TechEd Europe next week.

TechEd Europe is being held in Barcelona from June 30 through July 4. Dave and I are listed again as "top speakers" (http://www.microsoft.com/europe/teched/Speakers.asp) and are jointly teaching a one-day pre-conference tutorial (http://www.microsoft.com/europe/teched/PreConfWinInt.asp) on troubleshooting Windows process, memory, and crash problems (without labs), and four other sessions that include: A Tour of Sysinternals Tools, Troubleshooting with Sysinternals Tools, Windows Crash Dump Analysis, and Windows XP and Server 2003 Kernel Changes.

You can find complete descriptions and registration information at
http://www.microsoft.com/europe/teched/home.asp
We hope to see you in Spain!

NEXT PUBLIC WINDOWS INTERNALS & ADVANCED TROUBLESHOOTING CLASS

Our next 3 day public Windows Internals & Advanced Troubleshooting class is planned for September in New York City (and if you can't wait, last minute registrations are still possible for our London class which starts this week on June 25!). Stay tuned to www.sysinternals.com for dates and registration details.

Thank you for reading the Sysinternals Newsletter.

Published Monday, June 23, 2003 4:46 PM by ottoh

[Newsletters Archive ^] [< Volume 5, Number 1] [Volume 6, Number 1 >]