The Peoples' Law Discussion Forum



Using Sysinternals and other tools to diagnose problems and issues in Windows

MODIFIED: SYSINTERNALS WAS ACQUIRED BY MICROSOFT. Obtain the tools mentioned here from Microsoft TechNet. [You may also obtain many of the tools at the original site: Sysinternals/Winternals.]


Many are "lost" when it comes to diagnosing Windows problems and issues, which can be impossible to do unless one takes the time to obtain the tools and learn to use them.

Therefore, here is a brief description of a technique for diagnosing issues and problems, step by step.

GENERAL TOOLS FOR WINDOWS DIAGNOSTICS

[Referenced programs: Autoruns, Process Explorer, File Monitor (Filemon): all by Sysinternals]

[Additional note: once you're familiar with these programs and with normal Windows processes, you can "Stop capturing", "Clear" and restart capturing in File Monitor for a more accurate picture (and a less time-consuming analysis) of the issue you wish to diagnose. You can also remove some of the steps outlined below. I won't identify which, but you will discover them on your own after using these programs.]


1. Familiarize yourself with the program "File Monitor". Restart the computer and allow a few minutes for it to settle. Start the program and watch for a while so you know what runs normally (schedulers and other "monitoring" programs, generally). Do a "Save As" with a name like mon_1, in a folder of your choice. Stop the capture by going to the "File" menu and disabling capturing. Scroll through the information shown. Restart capturing when you're familiar with the running processes.

2. Open Process Explorer and wait for everything to settle down (watch in File Monitor). Do a "Save As" like "proc_1" from Process Explorer into the folder you created. Scroll through and review the information Process Explorer shows.

3. Take notes of what is occurring in File Monitor, e.g. updates to Process Explorer (Procexp:#####), schedulers, etc. Do a "Save As" like mon_2.

4. Go to Process Explorer and check the running processes. Do another "Save As" like proc_2 and keep Process Explorer in the background. Let the system settle.

5. Now open IE (or whatever your browser is, or the program suspected of causing the issue). Hang on for dear life as the processes race across the screen, but do NOT let it connect to the Internet. Watch what occurs in File Monitor for a few minutes (IExplore:#####; Opera:######; Seamonke:#####; etc.), wait until it settles down, and do a "Save As" like mon_3. Stop capturing and carefully review what has occurred. Make a note of everything that is NOT labeled with the program's name or is not loaded from its own folder.

6. Do a "Save As" like proc_3 in Process Explorer. Familiarize yourself with what is now running. Restart File Monitor capturing.

7. Shut the browser (or suspected program) down. Using File Monitor, take notes of the shutdown process. Also note how long it takes for the processes to end, the order in which they end, and how long it takes for your system to return to normal. Do a "Save As" like mon_4 and proc_4 in the respective programs.

8. Check Process Explorer to see if your "problem" still exists. Compare proc_4 to proc_1 and proc_2. Also compare mon_1, mon_2 and mon_4. Note any differences, then compare those to mon_3 and proc_3. Any unknown should now have been identified, including its folder and the "issue" name. Search the Internet for information on the suspected "issue" BEFORE you remove it or fix the problem.

9. If the "unknown" has not been discovered, restart your browser and let it connect to the Internet this time. Continue as in the previous steps until you find the "unknown".

10. Still haven't located it? If you have noticed that shutting something down made your problem disappear:
Re-run the procedure; close the browser (or the suspected calling program); check File Monitor and Process Explorer; do the saves; kill the process using Process Explorer; note what is different between the "before" and "after". Search the Internet for information on the suspected offender BEFORE removing it or fixing it.
This might also be a quick fix, though I recommend the full technique so you understand what you're doing and why.

11. If an unknown is related to the browser or perhaps to a startup program, File Monitor can be run from the Startup folder so that it captures from the moment the desktop loads. This may cause errors or an inability to start on some systems; if so, remove it from Startup using Safe Mode.

If an "unknown" is found that is related to a startup program or the browser and starts during "Startup", use Autoruns to locate and remove the now "known" issue.

These programs can also be used in Safe Mode for other diagnostic purposes, on programs or related issues that do not depend on the drivers, etc., that are loaded during a normal Startup. For tools which can be used at system start and/or shutdown, see Part 2 [including diagnosing potential rootkits].
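As an added example (not part of the original post), the comparisons in steps 5 and 8 can be done with a script instead of by eye. The script below assumes the tab-separated layout of the two tools' "Save As" files (Filemon: sequence, time, process:pid, request, path, result, other; Process Explorer: a header row, then process name indented by tree depth, PID, CPU, description, company). The captures inside it are constructed to that layout for illustration, and helper.exe is a placeholder name, not a real program.

```python
"""Diff the Filemon / Process Explorer "Save As" files from the procedure above.

Assumed layouts (constructed samples below follow them):
  Filemon:           seq  time  process:pid  request  path  result  other
  Process Explorer:  header row, then  process (indented)  PID  CPU  description  company
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileEvent:
    seq: int
    time: str
    process: str   # image name as Filemon prints it, without the :pid
    pid: int
    request: str
    path: str
    result: str
    other: str


def parse_filemon(text):
    """Return FileEvent records from a Filemon Save As file (non-record lines are skipped)."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6 or not parts[0].strip().isdigit():
            continue
        seq, time, proc, request, path, result = parts[:6]
        name, _, pid = proc.rpartition(":")
        events.append(FileEvent(int(seq), time, name, int(pid or 0), request, path, result,
                                parts[6] if len(parts) > 6 else ""))
    return events


def parse_procexp(text):
    """Return the set of (name_lower, pid) from a Process Explorer Save As file."""
    procs = set()
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 2 and parts[1].strip().isdigit():
            procs.add((parts[0].strip().lower(), int(parts[1])))
    return procs


def new_processes(baseline, later, expected=()):
    """Step 8: names running in `later` that were not in `baseline` and are not
    expected (e.g. the browser you started yourself)."""
    known = {n for n, _ in baseline} | {e.lower() for e in expected}
    return sorted({n for n, _ in later if n not in known})


def _under(path, folder):
    p, f = PureWindowsPath(path), PureWindowsPath(folder)   # Windows paths compare case-insensitively
    return p == f or f in p.parents


EXEC_SUFFIXES = {".exe", ".dll", ".ocx", ".vxd", ".sys"}   # images Windows 9x can load


def suspicious_events(events, program, program_dir, baseline, system_dir=r"C:\WINDOWS\SYSTEM"):
    """Step 5's rule: flag activity not labelled with the program's name (and not a
    baseline process), and the program loading an image from outside its own
    folder or the System folder."""
    known = {n for n, _ in baseline} | {program.lower()}
    flagged = []
    for ev in events:
        proc = ev.process.lower()
        if proc not in known:
            flagged.append(("unknown process", ev))
        elif (proc == program.lower() and PureWindowsPath(ev.path).suffix.lower() in EXEC_SUFFIXES
              and not (_under(ev.path, program_dir) or _under(ev.path, system_dir))):
            flagged.append(("image outside program/system folder", ev))
    return flagged


def _tsv(rows):
    return "\n".join("\t".join(r) for r in rows) + "\n"


# Constructed sample captures (not real Save As output). helper.exe is a placeholder.
PROC_1 = _tsv([   # baseline: Windows plus the two Sysinternals tools
    ["Process", "PID", "CPU", "Description", "Company Name"],
    ["System Idle Process", "0", "98", "", ""],
    ["  explorer.exe", "312", "", "Windows Explorer", "Microsoft Corporation"],
    ["    procexp.exe", "400", "", "Sysinternals Process Explorer", "Sysinternals"],
    ["    filemon.exe", "388", "", "File Monitor", "Sysinternals"],
])
PROC_3 = PROC_1 + _tsv([   # after the browser was started
    ["    IEXPLORE.EXE", "512", "", "Internet Explorer", "Microsoft Corporation"],
    ["      helper.exe", "640", "", "", ""],
])
MON_3 = _tsv([
    ["1", "9:12:01 PM", "IEXPLORE.EXE:512", "OPEN", r"C:\Program Files\Internet Explorer\iexplore.exe", "SUCCESS", "Options: Open  Access: Execute"],
    ["2", "9:12:01 PM", "IEXPLORE.EXE:512", "READ", r"C:\WINDOWS\SYSTEM\wininet.dll", "SUCCESS", "Offset: 0 Length: 4096"],
    ["3", "9:12:02 PM", "IEXPLORE.EXE:512", "OPEN", r"C:\WINDOWS\TEMP\helper.exe", "SUCCESS", "Options: Open  Access: Execute"],
    ["4", "9:12:02 PM", "helper.exe:640", "WRITE", r"C:\WINDOWS\win.ini", "SUCCESS", "Offset: 0 Length: 120"],
    ["5", "9:12:03 PM", "explorer.exe:312", "READ", r"C:\WINDOWS\explorer.exe", "SUCCESS", "Offset: 0 Length: 4096"],
])

if __name__ == "__main__":
    base = parse_procexp(PROC_1)
    print("new since baseline:", new_processes(base, parse_procexp(PROC_3), expected=["IEXPLORE.EXE"]))
    for reason, ev in suspicious_events(parse_filemon(MON_3), "IEXPLORE.EXE",
                                        r"C:\Program Files\Internet Explorer", base):
        print(f"#{ev.seq} {ev.process}:{ev.pid} {ev.request} {ev.path}  <- {reason}")
```

Filemon on 9x may print 8.3 short names (C:\PROGRA~1\...); pass the program folder in the same form the capture uses, or the parent-folder check will not match. Anything the script flags is a starting point for the Internet search in step 8, not a verdict.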

Hope this helps any who might be interested, or who need to diagnose issues in Microsoft Windows operating systems. [SEE PART 2 link below for additional tools useful at startup/shutdown]


Relevance: diagnosing Windows problems; using Sysinternals tools to diagnose Windows problems; Sysinternals tools for diagnostics.

Potential uses: spyware diagnostics; monitoring programs; shutdown issues; program errors; startup diagnostics; general Windows knowledge; other.

Additional tools:
- Find in Context (iNetPrivacy Software) - searches within files (such as the saves above) and creates filtered data files based upon your search query.
- Regmon, Registry Monitor (Sysinternals) - monitors registry activity; similar to File Monitor.
- RegAlyzer and FileAlyzer (PepiMK Software) - RegAlyzer has a useful registry editing tool and includes a search tool you may find useful. FileAlyzer allows you to view most types of files.
- Dependency Walker - opens programs and "walks" through what they call, their functions, and errors they might contain.
- File Investigator (Robware).


Installation issue diagnostics


Try using Dependency Walker to *profile* the installation/setup. This provides a detailed debug trace of any calls, executables, etc. that occur during the attempt.

Open Dependency Walker, choose the installer executable, and go to Profile on the toolbar. Choose the level of profiling and run it. Wait until it has completely finished [this may take a while, as it traces every call, program start, etc.].

In addition, if it is an MSI installer, you can use Windows Installer's own logging to create a report of the attempt, as follows.


MODIFICATIONS TO THE REGISTRY SHOULD NOT BE DONE BY INEXPERIENCED PEOPLE

First note the key below and export the original so you can restore it afterwards. Then create a text file with a .reg extension containing the lines below and merge it, or edit the key manually. Each letter of "voicewarmup" turns on one class of logging (v verbose, o out-of-disk, i status, c initial UI parameters, e errors, w warnings, a action starts, r action-specific records, m out-of-memory, u user requests, p terminal properties). This is a machine-wide policy: every Windows Installer setup run while it is in place will write a log to the Temp folder (MSI*.LOG), so restore the original key when you are done.


----COPY BELOW----------
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer]
"Logging"="voicewarmup"
"Debug"=dword:00000007

--- COPY/CREATE THE ABOVE INCLUDING THE LAST BLANK LINE --------------

Use the above in conjunction with DebugView (Sysinternals). The Debug value makes Windows Installer send its log output to the debugger as well, which is what DebugView captures; start DebugView before running the installer.

Between the three (Dependency Walker's profile, the Windows Installer log and DebugView's output), you will have a good idea of exactly where to look and what needs correcting.
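As an added example, not code from the original post: with the Logging policy above in place, Windows Installer writes a verbose log to the Temp folder (MSI*.LOG). The script below walks such a log and reports the innermost action that ended with a non-success return value ("Return value 3" marks the failing action; the top-level INSTALL action always ends with 3 when something inside it failed), together with the Windows Installer error numbers ("Note: 1: NNNN") and "Error NNNN." messages recorded while that action ran. The log excerpt inside it is constructed to approximate the real format; the product name, paths and timestamps are made up.

```python
"""Find the failing action in a Windows Installer verbose log (MSI*.LOG).

Return value 1 = success, 2 = user cancelled, 3 = fatal error. The interesting
record is the innermost action that returned 3, not the INSTALL action that
wraps it.
"""
import re
from dataclasses import dataclass, field

ACTION_START = re.compile(r"^Action start \S+: (?P<action>.+)\.$")
ACTION_END = re.compile(r"^Action ended \S+: (?P<action>.+)\. Return value (?P<rv>\d+)\.$")
NOTE = re.compile(r"Note: 1: (?P<code>\d+)")          # Windows Installer error number
ERROR_LINE = re.compile(r"Error (?P<code>\d{4})\..*")  # message as shown to the user
RETURN_VALUES = {1: "succeeded", 2: "user cancelled", 3: "fatal error"}


@dataclass
class Failure:
    action: str
    return_value: int
    line_no: int                        # 1-based line of the "Action ended" record
    error_codes: list = field(default_factory=list)
    messages: list = field(default_factory=list)

    @property
    def meaning(self):
        return RETURN_VALUES.get(self.return_value, "unknown")


def scan_msi_log(text):
    """Return a Failure for every action that did not return 1, innermost first."""
    failures, open_actions = [], []   # stack of [name, codes, messages] for nested actions
    for no, line in enumerate(text.splitlines(), 1):
        m = ACTION_START.match(line)
        if m:
            open_actions.append([m.group("action"), [], []])
            continue
        m = ACTION_END.match(line)
        if m:
            name, rv = m.group("action"), int(m.group("rv"))
            while open_actions and open_actions[-1][0] != name:   # tolerate a missing start record
                open_actions.pop()
            _, codes, msgs = open_actions.pop() if open_actions else (name, [], [])
            if rv != 1:
                failures.append(Failure(name, rv, no, codes, msgs))
            continue
        if not open_actions:
            continue
        m = NOTE.search(line)          # notes and errors belong to the action currently running
        if m:
            open_actions[-1][1].append(int(m.group("code")))
        m = ERROR_LINE.search(line)
        if m:
            open_actions[-1][2].append(m.group(0).strip())
    return failures


def first_failure(text):
    """The innermost failing action, or None if every action succeeded."""
    return next((f for f in scan_msi_log(text) if f.action != "INSTALL"), None)


# Constructed log excerpt approximating the verbose format; names and paths are made up.
MSI_LOG = r"""=== Verbose logging started: 3/14/2008  9:12:01  Build type: SHIP UNICODE 2.00.2600.02  Calling process: C:\WINDOWS\SYSTEM\msiexec.exe ===
MSI (c) (D8:F4) [09:12:01:234]: Resetting cached policy values
Action start 9:12:01: INSTALL.
Action start 9:12:02: CostInitialize.
Action ended 9:12:02: CostInitialize. Return value 1.
Action start 9:12:05: InstallFiles.
MSI (s) (A8:4C) [09:12:05:123]: Executing op: FileCopy(SourceName=app.exe,DestName=app.exe)
MSI (s) (A8:4C) [09:12:06:001]: Note: 1: 1304 2: C:\Program Files\Example\app.exe
MSI (s) (A8:4C) [09:12:06:002]: Product: Example App -- Error 1304.Error writing to file: C:\Program Files\Example\app.exe.  Verify that you have access to that directory.
Action ended 9:12:06: InstallFiles. Return value 3.
Action ended 9:12:06: INSTALL. Return value 3.
=== Logging stopped: 3/14/2008  9:12:06 ===
"""

if __name__ == "__main__":
    f = first_failure(MSI_LOG)
    print(f"{f.action}: {f.meaning} (return value {f.return_value}) at log line {f.line_no}")
    for code in f.error_codes:
        print("  Windows Installer error", code)
    for msg in f.messages:
        print(" ", msg)
```

Run it against the newest MSI*.LOG in your Temp folder after a failed setup; the error number it reports is the one to search for, and the action name tells you which phase of the install (file copy, registry write, custom action) to watch in DebugView and Dependency Walker.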


What does an InstallShield installation mean?

It is what it says. See:
- Macrovision: what InstallShield is now
- main consumer support page
- Q&A links and hints
- how to check versions and download InstallShield files


InstallShield files installed on a base, fully updated 98SE:
C:\Program Files\Common Files\InstallShield\Driver\7\Intel 32
IDriver.exe - 7.04
C:\Program Files\Common Files\InstallShield\Engine\6\Intel 32
IKERNEL.EXE - 6, 31, 100, 1221

MSI - Windows Installer
C:\WINDOWS\SYSTEM\msiexec.exe - 2.0.2600.2 - last 9x version
Download and install InstMsiA.exe from Microsoft for 9x/ME if you have an older version.

2000, XP and Vista use newer versions, from 2.0.2600.2 and up; download InstMsiW.exe [note the W instead of the A].

Q108312 - Sometimes, in an attempt to fix installation-related errors, you may have to update the engine that runs the installation itself.


If the program uses a different installer, search the Internet for that type of installer: how to work with its files and what its commands are.



Other Parts of Layered Security necessary for Internet usage and diagnostic issues.
SEE: FIREWALLS - WHY YOU NEED ONE AND WHAT TO DO
SEE: Anti-spyware programs as part of Layered Security
ANTI-VIRUS Programs as part of your Layered Security
SEE: GENERAL WINDOWS NETWORKING DIAGNOSTICS AND SETUP
Part 2 - Diagnosing Windows Problems
INSTALLATION OF SIGNING AND TRUST CERTIFICATES

After support end information for 98
SEE: END OF SUPPORT FOR WINDOWS 98 AND MILLENNIUM. WHAT DO I DO?
SEE: Manually updating a new installation of Windows 98SE


