SVR333 Advanced Windows Troubleshooting with Sysinternals Filemon and Regmon
Mark Russinovich, Chief Software Architect, Winternals Software
Copyright © 2006 Mark Russinovich

Mark Russinovich
Co-founder and chief software architect of Winternals Software (www.winternals.com)
Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition, with David Solomon
Author of tools on www.sysinternals.com, home of Mark's blog and forums
Microsoft Most Valuable Professional (MVP)
Senior Contributing Editor to Windows IT Pro Magazine
Ph.D. in Computer Engineering

David Solomon
President of David Solomon Expert Seminars (www.solsem.com)
Founded in 1992
1982-1992: VMS operating systems development
Teach public and private live classes on Windows Internals and Advanced Troubleshooting
Microsoft Most Valuable Professional (MVP)
Books: Windows Internals, 4th edition; Inside Windows 2000, 3rd edition; Inside Windows NT, 2nd edition; Windows NT for OpenVMS Professionals
Videos: Windows Internals COMPLETE; New! Sysinternals Video Library (see DVD in bag)

Outline
Introduction
Troubleshooting with Filemon
Troubleshooting with Regmon
Using Filemon and Regmon Together

Troubleshooting Application Failures
Most applications do a poor job of reporting file-related or registry-related errors:
Permissions problems
Missing files
Missing or corrupt registry data
Errors manifest in several different ways:
Misleading error messages
Crashes
Silently exiting
Hangs

Troubleshooting Application Failures
When in doubt, run Filemon and Regmon!
Filemon monitors file I/O
Regmon monitors registry activity
Ideal for troubleshooting a wide variety of application failures
Also useful to understand and tune file system and Registry access:
Understand hard drive activity
Optimize application installation and configuration
Filemon and Regmon run on Microsoft Windows 95, Windows 98, Windows Me, Windows 2000, Windows XP, Windows Server 2003, x64 64-bit Editions, Windows Vista

Using Regmon/Filemon
Two basic techniques:
Go to the end of the log and look backwards to where the problem occurred or is evident, and focus on the last things done
Compare a good log with a bad log
Often comparing the I/O and Registry activity of a failing process with one that works may point to the problem
Have to first massage the log file to remove data that differs run to run:
Delete the first 3 columns (they are always different: line number, time, process id)
Easy to do with Microsoft Office Excel by deleting columns
Then compare with FC (built-in tool) or Windiff (Resource Kit)
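The "compare a good log with a bad log" technique above, as an added example that is not part of the presentation. It strips the three run-specific columns from two saved logs, diffs what is left, and reports the last operation both runs had in common before they diverged (the place the later "Help Fails" example says to look first). The tab-separated column layout (#, Time, Process, Request, Path, Result, Other) is assumed, and both sample logs are constructed.

```python
"""Normalize two Filemon/Regmon logs and compare them.

Added example, not from the presentation.  It assumes a saved log is
tab-separated with the columns #, Time, Process, Request, Path, Result, Other,
and that the first three columns are the ones that differ from run to run.
"""
from __future__ import annotations

import difflib

# Constructed sample logs: the same application started on a working system
# (GOOD_LOG) and on a failing one (BAD_LOG).  Paths and names are made up.
GOOD_LOG = """\
1\t10:01:02.100\tapp.exe:1204\tOPEN\tC:\\Program Files\\App\\app.exe\tSUCCESS\tOptions: Open
2\t10:01:02.103\tapp.exe:1204\tOPEN\tC:\\Windows\\System32\\ole32.dll\tSUCCESS\tOptions: Open
3\t10:01:02.110\tapp.exe:1204\tOPEN\tC:\\Windows\\System32\\helper.dll\tSUCCESS\tOptions: Open
4\t10:01:02.120\tapp.exe:1204\tREAD\tC:\\Program Files\\App\\settings.ini\tSUCCESS\tOffset: 0 Length: 512
"""

BAD_LOG = """\
1\t10:07:45.900\tapp.exe:3320\tOPEN\tC:\\Program Files\\App\\app.exe\tSUCCESS\tOptions: Open
2\t10:07:45.905\tapp.exe:3320\tOPEN\tC:\\Tools\\ole32.dll\tSUCCESS\tOptions: Open
3\t10:07:45.912\tapp.exe:3320\tOPEN\tC:\\Windows\\System32\\helper.dll\tNOTFOUND\tOptions: Open
"""


def normalize(log_text: str, drop_columns: int = 3) -> list[str]:
    """Drop the leading columns that always differ (line number, time,
    process:pid) so that two runs can be compared line by line."""
    lines = []
    for line in log_text.splitlines():
        if line.strip():
            fields = line.split("\t")
            lines.append("\t".join(fields[drop_columns:]))
    return lines


def first_divergence(good: list[str], bad: list[str]) -> int | None:
    """Index of the first normalized line that differs between the two logs.
    If one log is a prefix of the other (e.g. the failing process died early)
    the index of the first missing line is returned; None means identical."""
    for i, (g, b) in enumerate(zip(good, bad)):
        if g != b:
            return i
    if len(good) != len(bad):
        return min(len(good), len(bad))
    return None


def last_common_operation(good: list[str], bad: list[str]) -> str | None:
    """The last operation both runs performed before they diverged."""
    idx = first_divergence(good, bad)
    if idx is None or idx == 0:
        return None
    return good[idx - 1]


def diff_logs(good_text: str, bad_text: str) -> list[str]:
    """Unified diff of the normalized logs, the same view FC or Windiff gives."""
    good, bad = normalize(good_text), normalize(bad_text)
    return list(difflib.unified_diff(good, bad, fromfile="good", tofile="bad",
                                     lineterm="", n=1))


if __name__ == "__main__":
    good, bad = normalize(GOOD_LOG), normalize(BAD_LOG)
    print("first divergence at normalized line", first_divergence(good, bad))
    print("last common operation:", last_common_operation(good, bad))
    print("\n".join(diff_logs(GOOD_LOG, BAD_LOG)))
```

In the constructed logs the failing run pulls ole32.dll from C:\Tools instead of System32 and then fails to find helper.dll, so the diff shows the wrong-directory load as the first difference while the last common operation is the application's own image open.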

Outline
Introduction
Troubleshooting with Filemon
Troubleshooting with Regmon
Using Filemon and Regmon Together

How Filemon Works
Filemon is based on a file system "filter driver":
Extracts the driver to \Windows\System32\Drivers
Installs the driver
Deletes the driver file
Requires "Debug Programs" user right
First run requires the "Load Driver" user right
Diagram (user mode: Application, Filemon GUI; kernel mode: Filemon driver, file system driver)

Using Filemon
# - operation number
Process: image name + process id
Request: internal I/O request code
Result: return code from I/O operation
Other: flags passed on I/O request

Controlling Filemon
Start/stop logging (Control/E)
Clear display (Control/X)
Open Microsoft Internet Explorer window to folder containing file: double-click on a line does this
Find – finds text within window
Save to log file
Advanced mode
Network option

What Filemon Monitors
By default Filemon traces all file I/O to:
Local non-removable media
Network shares
It saves all output for display
Can exhaust virtual memory in long runs
You can limit captured data with history depth
You can limit what is monitored:
What volumes to watch in Volumes menu
What paths and processes to watch in Filter dialog
What operations to watch in Filter dialog (reads, writes, successes and errors)

Filemon Filtering and Highlighting
Include and exclude filters are substring matches against the process and path columns
Exclude overrides include filter
Be careful that you don't exclude potentially useful data
Capture everything and save the log
Then apply filters (you can always reload the log)
Highlight matches all columns

Understanding Disk Activity
Use Filemon to see why your hard disk is crunching
Process performance counters show I/O activity, but not to where
System performance counters show which disks are being hit, but not which files or which process
Filemon pinpoints which file(s) are being accessed, by whom, and how frequently
You can also use Filemon on a server to determine which file(s) were being accessed most frequently
Import into Excel and make a pie chart by file name or operation type
Move heavy-access files to a different disk on a different controller

Polling and File Change Notification
Many applications respond to file and directory changes
A poorly written application will "poll" for changes
A well-written application will request notification by the system of changes
Polling for changes causes performance degradation:
Context switches including TLB flush
Cache invalidation
Physical memory usage
CPU usage
Alternative: file change notification
When you run Filemon on an idle system you should only see bursty system background activity
Polling is visible as periodic accesses to the same files and directories
File change notification is visible as directory queries that have no result
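The "periodic accesses to the same files and directories" signature above, as an added example that is not part of the presentation: it groups a saved Filemon log by process and path and reports the paths that are hit at a steady interval, while a short burst of background activity on one file is left alone. The log format is the same assumed tab-separated layout and the sample lines are constructed; the jitter threshold is a hypothetical choice.

```python
"""Spot polling in a Filemon log: the same process hitting the same path at
a regular interval.

Added example, not from the presentation.  The log format (tab-separated
#, Time, Process, Request, Path, Result, Other) and the sample lines are
constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "poller.exe" queries C:\Watched once a second, while a
# system service does one short burst of work on a single file.
SAMPLE_LOG = "\n".join(
    [
        f"{i + 1}\t10:00:{i:02d}.050\tpoller.exe:2048\tDIRECTORY\tC:\\Watched\tSUCCESS\tFileBothDirectoryInformation: *"
        for i in range(6)
    ]
    + [
        "7\t10:00:03.200\tsvchost.exe:900\tOPEN\tC:\\Windows\\System32\\config\\software\tSUCCESS\tOptions: Open",
        "8\t10:00:03.210\tsvchost.exe:900\tREAD\tC:\\Windows\\System32\\config\\software\tSUCCESS\tOffset: 0 Length: 4096",
        "9\t10:00:03.220\tsvchost.exe:900\tCLOSE\tC:\\Windows\\System32\\config\\software\tSUCCESS\t",
    ]
)


def parse(log_text: str) -> list[dict]:
    """Split each log line into its columns; the time becomes seconds of day."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _num, time_str, process, request, path, result, _other = line.split("\t", 6)
        t = datetime.strptime(time_str, "%H:%M:%S.%f")
        rows.append({
            "time": t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
            "process": process.rsplit(":", 1)[0],  # drop the process id
            "request": request,
            "path": path,
            "result": result,
        })
    return rows


def find_polling(rows: list[dict], min_hits: int = 4, max_jitter: float = 0.1) -> list[tuple]:
    """Return (process, path, period_seconds) for every path a process touches
    at least `min_hits` times with near-constant spacing.  `max_jitter` is the
    allowed standard deviation of the gaps relative to the mean gap (a
    hypothetical threshold); a one-off burst never reaches min_hits."""
    by_key: dict[tuple, list[float]] = defaultdict(list)
    for r in rows:
        by_key[(r["process"], r["path"])].append(r["time"])
    hits = []
    for (process, path), times in sorted(by_key.items()):
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((process, path, round(period, 3)))
    return hits


if __name__ == "__main__":
    for process, path, period in find_polling(parse(SAMPLE_LOG)):
        print(f"{process} polls {path} every {period}s")
```

On a real capture, run this over a log taken on an otherwise idle system so that the steady-interval paths stand out against the bursty background activity the slides describe.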

Demo: Change Notify
Explorer posts change notify to know when directory contents change for open Internet Explorer windows
Open Internet Explorer window to a folder
Create or delete a file

Demo: Understanding Notepad's File Save
1. Run Filemon
2. Set filter to only include Notepad.exe
3. Run Notepad
4. Type some text
5. Save file as "test.txt"
6. Go back to Filemon
7. Stop logging
8. Set highlight to "test.txt"
9. Find line representing creation of new file (hint: look for create operation)

Basic vs. Advanced Mode
Basic mode massages output to be sysadmin-friendly and target common troubleshooting
Things you don't see in Basic mode:
Raw I/O request names
Various internal file system operations
Activity in the System process
Page file I/O
Filemon file system activity

Example: Word Crash
While typing in the document, Microsoft Office Word XP would intermittently close without any error message
To troubleshoot, ran Filemon on user's system
Set the history depth to 10,000
Asked user to send Filemon log when Word exited

Solution: Word Crash
Working backwards, the first "strange" or unexplainable behavior is the constant reads past end of file to MSSP3ES.LEX
User looked up what the .LEX file was: related to Word proofing tools
Uninstalled and reinstalled proofing tools and problem went away

Example: Build Fails
While building a program using nmake on a command line, link reported an error:
"error writing to program database, check for insufficient disk space, invalid path, or insufficient privileges"

Solution: Build Fails
Saw sharing violation in Filemon
Performed a handle search for the file in Process Explorer
Saw Windbg had it opened from an earlier debug session even though debug session was closed
Closed Windbg

Example: Useless Excel Error Message
Excel reports an error "Unable to read file" when starting

Solution: Excel Error Message
Filemon trace shows Excel reading file in XLStart folder
All Microsoft Office apps autoload files in their start folders
Should have reported:
Name and location of file
Reason why it didn't like it

DLL Problems
Process Explorer may solve a DLL versioning issue, but may not if:
A DLL is missing
The order of DLL loads is relevant
So, use Filemon!
Look at the last DLL opened before the application died
Compare the startup of a working with a failing application
Missing or inaccessible DLLs often not reported correctly
Look for "NOTFOUND" or "ACCESS DENIED"
May be opening wrong versions due to wrong versions being in folders in PATH
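The three DLL checks above (last DLL opened before the process died, DLL opens that came back NOTFOUND or ACCESS DENIED, and the same DLL name being loaded from more than one directory, as in the later Accwiz.dll example) run over a saved Filemon log, as an added example that is not part of the presentation. The tab-separated column layout is assumed and the log, process and DLL names are constructed.

```python
"""Three DLL checks over a saved Filemon log.

Added example, not from the presentation.  Assumes a tab-separated log with
the columns #, Time, Process, Request, Path, Result, Other and the Basic-mode
result strings NOTFOUND / ACCESS DENIED used on the slides.  The sample log is
constructed: a word processor that loads a few DLLs and then dies.
"""
from __future__ import annotations

from collections import defaultdict

SAMPLE_LOG = """\
1\t09:12:00.001\twinword.exe:1500\tOPEN\tC:\\Program Files\\Office\\winword.exe\tSUCCESS\tOptions: Open
2\t09:12:00.010\twinword.exe:1500\tOPEN\tC:\\Windows\\System32\\kernel32.dll\tSUCCESS\tOptions: Open
3\t09:12:00.020\twinword.exe:1500\tOPEN\tC:\\Tools\\accwiz.dll\tSUCCESS\tOptions: Open
4\t09:12:00.025\twinword.exe:1500\tOPEN\tC:\\Program Files\\Office\\accwiz.dll\tSUCCESS\tOptions: Open
5\t09:12:00.030\twinword.exe:1500\tOPEN\tC:\\Program Files\\Office\\addin.dll\tNOTFOUND\tOptions: Open
6\t09:12:00.035\twinword.exe:1500\tOPEN\tC:\\Windows\\System32\\licensing.dll\tACCESS DENIED\tOptions: Open
7\t09:12:00.040\twinword.exe:1500\tOPEN\tC:\\Windows\\System32\\spool\\drivers\\prndrv.dll\tSUCCESS\tOptions: Open
8\t09:12:00.050\twinword.exe:1500\tREAD\tC:\\Windows\\System32\\spool\\drivers\\prndrv.dll\tSUCCESS\tOffset: 0 Length: 4096
"""

FAILURE_RESULTS = ("NOTFOUND", "ACCESS DENIED")


def parse(log_text: str) -> list[dict]:
    """Keep just the Request, Path and Result columns of each line."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            fields = line.split("\t")
            rows.append({"request": fields[3], "path": fields[4], "result": fields[5]})
    return rows


def is_dll(path: str) -> bool:
    return path.lower().endswith(".dll")


def last_dll_opened(rows: list[dict]) -> str | None:
    """Walk backwards from the end of the log to the last successful DLL open,
    which is the first thing to look at when the process died."""
    for r in reversed(rows):
        if r["request"] == "OPEN" and is_dll(r["path"]) and r["result"] == "SUCCESS":
            return r["path"]
    return None


def failed_dll_opens(rows: list[dict]) -> list[tuple[str, str]]:
    """DLL opens the loader could not satisfy, in log order."""
    return [(r["path"], r["result"]) for r in rows
            if r["request"] == "OPEN" and is_dll(r["path"]) and r["result"] in FAILURE_RESULTS]


def dlls_from_multiple_dirs(rows: list[dict]) -> dict[str, list[str]]:
    """DLL file names that were opened from more than one directory, a sign
    that a stale copy earlier in the search order is being picked up."""
    dirs: dict[str, set[str]] = defaultdict(set)
    for r in rows:
        if r["request"] == "OPEN" and is_dll(r["path"]) and r["result"] == "SUCCESS":
            directory, _, name = r["path"].rpartition("\\")
            dirs[name.lower()].add(directory)
    return {name: sorted(d) for name, d in dirs.items() if len(d) > 1}


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("last DLL opened:", last_dll_opened(rows))
    print("failed DLL opens:", failed_dll_opens(rows))
    print("DLLs loaded from several directories:", dlls_from_multiple_dirs(rows))
```

Filter the log to the one process first (as the demos do) so that the last DLL reported really is the last one that process touched, not one opened by another process that was still running.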

Example: Word Dies
Word starts and a few seconds later gets a Dr. Watson (access violation)
Customer tried re-installing Microsoft Office – still failed
Solution:
Ran Filemon, looked at last DLL loaded before Dr. Watson
It was a printer DLL
Uninstalled printer – problem went away

Problem: Perfmon Hangs
Perfmon hung when starting
IIS performance counter DLL was last thing Perfmon referenced

Solution: Perfmon Hangs
Services snapin showed IIS was hung starting
Investigation revealed an IIS configuration problem

Example: Help Fails
The Help command in an application failed on Windows 95, but worked fine on Windows 98/Windows Me/Windows NT4/Windows 2000/Windows XP
Failed with meaningless error message
Ran Filemon on failing system and working system
Reduced log to file opens
Compared logs

Solution: Help Fails
At the point logs diverged, looked backwards to last common thing done
An OLE system DLL was loaded
Noticed this OLE DLL was loaded from a directory in the user's PATH on Windows 95, but from \Windows\System on other versions
Conclusion: DLL loaded on Windows 95 system was not for Windows 95
Got proper version for Windows 95, problem went away

Example: Access Hangs
Problem: Access would hang when trying to import an Excel file
Worked fine on other users' workstations
Traced startup of Access on failing and working systems

Solution: Access Hangs
Compared logs and looked for first unexplainable difference
First unexplainable difference was that Accwiz.dll was being loaded from two different directories
Failing system was loading an old Access DLL from \windows\system32 due to having installed older Access previously
Solution: Removed DLL in \windows\system32 and problem went away

Example: Pinnacle Studio Hangs
User had a hang when launching Pinnacle Studio
Filemon showed accesses to CyberPatrol's DLL, an Internet filtering tool
CyberPatrol monitors processes by loading a DLL into them
Uninstalling CyberPatrol fixed the problem

Example: Misleading AOL Error
AOL worked in one user's account, but failed with this on another account on the same system: (error message shown on slide)
User reinstalled AOL, but problem persisted

Example: Misleading AOL Error
User did not have admin rights to AOL directory
This version of AOL was not limited-user-account friendly

Example: Microsoft Office Outlook Application Error
For example, an Outlook application failed with this error: (error message shown on slide)
Ran Filemon and found it was getting Access Denied
Someone had misread a request to remove EDIT rights and removed all rights

Example: Microsoft Software Installer Misleading Error
User received this message trying to install something: (error message shown on slide)
Filemon showed the real reason: (Filemon trace shown on slide)

Demo: Permission Problems and Misleading Error Messages
1. In Explorer, create a folder c:\noaccess
2. Remove all rights to the folder
3. Run Notepad & type some text
4. Run Filemon – set filter to Notepad.exe
5. In Notepad, File->Save As to c:\noaccess\test.txt; note error reported
6. Look at Filemon trace and find Access Denied

Outline
Introduction
Troubleshooting with Filemon
Troubleshooting with Regmon
Using Filemon and Regmon Together

Configuration Problems
Missing, corrupted or overly-secure Registry settings often lead to application crashes and errors
Some applications don't completely remove registry data at uninstall
Regmon may yield the answer

How Regmon Works
Regmon uses a driver to intercept Registry operations
Up until now Regmon has relied on system call "hooking" to intercept Registry accesses
Hooking isn't supported by the kernel
As of Windows XP the system call table is write-protected by default if a system has <256 MB, requiring a trick
Windows Server 2003 introduces a Registry callback mechanism
Driver can see and modify Registry behavior
Defined in a DDK header file and used by antivirus products
Latest version of Regmon comes with two drivers: one for Windows Server 2003 and one for previous versions
Diagram (user mode: Application, Regmon GUI; kernel mode: Regmon driver, Registry subsystem)

Regmon
UI is similar to Filemon
Request: OpenKey, CreateKey, SetValue, QueryValue, CloseKey
Path:
HKCU=HKEY_CURRENT_USER (per-user settings)
HKLM=HKEY_LOCAL_MACHINE (system-wide settings)
Result – return code from Registry operation
Other – extended information or results

Polling and Registry Change Notification
Many applications want to respond to Registry changes
Polling the Registry is just as bad for performance
Applications can request to be notified of changes
Like with Filemon, Regmon should be idle on an idle system

Registry Troubleshooting
If you suspect registry data is causing problems, rename the key and rerun the application
Most applications recreate user settings when run
In this way, the data won't be seen by the application
Can always rename the key back
Use Regmon to discover application settings location

Demo: Finding Notepad's Settings
1. Run Notepad
2. Change Font
3. Run Regmon and filter to Notepad.exe
4. Exit Notepad
5. In Regmon log, find location of user-specific Notepad settings
6. Double click on a line to jump to Regedit
7. Delete top level Notepad user settings key
8. Re-run Notepad and confirm font resets to default setting

Example: Missing Word Toolbar
Problem:
User somehow disabled all toolbars and menus in Word
No way to open files, change settings, etc.
Solution:
With Regmon, captured startup of Word
Found location of user-specific settings for Word
Deleted this Registry key
Re-ran Word, which recreated user settings from scratch

Example: Misleading Internet Explorer Error Message
Internet Explorer failed to start with this error: (error message shown on slide)
First, looked on system for ICFGNT.DLL
Not there
Not on other systems in the network, either

Solution: Misleading Internet Explorer Error Message
Captured Regmon trace and looked backwards from end of Regmon log
Saw query of Completed value in Internet Connection Wizard key
Value read was 0
Value was 1 on other systems
Solution: Set value to 1 and problem went away

Example: Internet Explorer Hangs
Internet Explorer hung when started unless user manually dialed ISP
Captured a Regmon trace and looked backwards from point Internet Explorer was hung
Found references to ATT under a RAS PhoneBook key
Solution: renamed ATT key and problem went away
Conclusion: previous ISP's dialer had left junk behind

Example: Misleading Microsoft Visual Basic for Applications (VBA) Error
User got this error installing an application: (error message shown on slide)
Regmon showed permissions problem
Solution: Edited permissions

Missing Settings
Sometimes queries to what is not there are more interesting than what is there
Identify missing Registry keys: search for status "NOTFOUND"
May reveal hidden capabilities
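The two Regmon searches the slides describe, as an added example that is not part of the presentation: the NOTFOUND search above, grouped by key or value path so the keys an installer keeps looking for stand out, and the "what value was actually read" check from the earlier Internet Connection Wizard example, taken from the Other column of a successful QueryValue. The tab-separated column layout is assumed; the vendor key, the wizard key path and the log lines are constructed placeholders, not values taken from the slides.

```python
"""Find what a process asked the Registry for and did not get.

Added example, not from the presentation.  Assumes a saved Regmon log is
tab-separated (#, Time, Process, Request, Path, Result, Other).  The key
paths and values below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict

SAMPLE_LOG = """\
1\t11:00:00.000\tsetup.exe:2200\tOpenKey\tHKLM\\SOFTWARE\\ExampleVendor\\Setup\tSUCCESS\tKey: 0xE1A0
2\t11:00:00.002\tsetup.exe:2200\tQueryValue\tHKLM\\SOFTWARE\\ExampleVendor\\Setup\\AllowUnsupportedHardware\tNOTFOUND\t
3\t11:00:00.003\tsetup.exe:2200\tQueryValue\tHKLM\\SOFTWARE\\ExampleVendor\\Setup\\AllowUnsupportedHardware\tNOTFOUND\t
4\t11:00:00.005\tsetup.exe:2200\tOpenKey\tHKLM\\SOFTWARE\\ExampleVendor\\Setup\\Override\tNOTFOUND\t
5\t11:00:00.012\tsetup.exe:2200\tCloseKey\tHKLM\\SOFTWARE\\ExampleVendor\\Setup\tSUCCESS\t
6\t11:00:01.000\tiexplore.exe:3100\tQueryValue\tHKCU\\Software\\Microsoft\\Internet Connection Wizard\\Completed\tSUCCESS\t0x0
"""


def parse(log_text: str) -> list[dict]:
    """Split each Regmon line into its columns (process id dropped)."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _num, _time, process, request, path, result, other = line.split("\t", 6)
        rows.append({"process": process.rsplit(":", 1)[0], "request": request,
                     "path": path, "result": result, "other": other})
    return rows


def missing_entries(rows: list[dict], process: str | None = None) -> dict[str, dict[str, int]]:
    """NOTFOUND results grouped by path: {path: {request: count}}.
    OpenKey failures are missing keys, QueryValue failures are missing values;
    `process` restricts the search to one image name."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["result"] != "NOTFOUND":
            continue
        if process is not None and r["process"] != process:
            continue
        counts[r["path"]][r["request"]] += 1
    return {path: dict(by_request) for path, by_request in counts.items()}


def value_reads(rows: list[dict], value_name: str) -> list[tuple[str, str]]:
    """(path, data) for every successful QueryValue of the named value, so the
    value read on a failing system can be compared with a working one."""
    return [(r["path"], r["other"]) for r in rows
            if r["request"] == "QueryValue" and r["result"] == "SUCCESS"
            and r["path"].rsplit("\\", 1)[-1].lower() == value_name.lower()]


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for path, by_request in missing_entries(rows, process="setup.exe").items():
        print("NOTFOUND", path, by_request)
    print("Completed value reads:", value_reads(rows, "Completed"))
```

A value or key that is queried repeatedly and never found is the candidate to create (as in the Compaq example that follows); compare the NOTFOUND list against a trace from a working system before creating anything.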

Example: Hidden Capabilities
User tried installing Compaq utility on non-Compaq hardware
Regmon showed hidden key to override: (Regmon trace shown on slide)
Solution: created key and install succeeded

Outline
Troubleshooting with Filemon
Troubleshooting with Regmon
Using Filemon and Regmon Together

Filemon and Regmon
Many times it's not clear whether a problem is Registry or file related
And sometimes problems involve both Registry and file configuration problems
Always run Filemon and Regmon when troubleshooting

Example: Internet Explorer Hangs
Internet Explorer started hanging on certain folders
Hangs were up to a minute
Internet Explorer would work normally for a minute and then hang again

Solution: Internet Explorer Hangs
Ran Filemon and saw network path error
Contained references to decommissioned computer
Regmon showed icon lookup configured for missing computer
Fix: Delete Paint Shop Pro (PSP) browse files and all PSP file associations

Running Filemon/Regmon Before Logon
Sometimes need to capture I/O or registry activity during boot, the logon or logoff process
Problem: when you log off all your processes are terminated
Solutions:
Run Filemon/Regmon in a different logon session: psexec –s –i –d
Run Filemon/Regmon from a service: use Srvany (Resource Kit)
Use Regmon's log boot option

Resources
Technical Chats and Webcasts: http://www.microsoft.com/communities/chats/default.mspx and http://www.microsoft.com/usa/webcasts/default.asp
Microsoft Learning and Certification: http://www.microsoft.com/learning/default.mspx
MSDN & TechNet: http://microsoft.com/msdn and http://microsoft.com/technet
Virtual Labs: http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx
Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Technical Community Sites: http://www.microsoft.com/communities/default.mspx
User Groups: http://www.microsoft.com/communities/usergroups/default.mspx

© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.