Sysinternals Primer: Gems
Aaron Margosis, Principal Consultant, Microsoft Corporation
SIA311
Session Objectives and Takeaways
Advanced tips for popular Sysinternals utilities
Learn about some of the least known Sysinternals utilities
Become a bigger Windows internals nerd
Become better able to bore my non-nerd friends to death
Get my copy of the Sysinternals book signed by one of the authors
The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools
Covers every tool, every feature, with tips
Written by Mark Russinovich and Aaron Margosis
Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
Other chapters by tool group: Security, process, AD, desktop, …
Book signings with Mark and Aaron
Wed. and Thurs., 11:30am, TechEd bookstore
Mark will also be signing Zero Day and Windows Internals 6th Ed. Pt. 1
topic
Procmon filtering tips…
Combining “Include” rules
Within a column: combined with “OR”
Between columns: combined with “AND”
“Include” filter rules - Example
PID is 1512
PID is 2408
Path contains HKLM
Path contains Zones
((PID is 1512) OR (PID is 2408)) AND ((Path contains HKLM) OR (Path contains Zones))
Mixing “Process Name” and “PID” – FAIL
Process Name is cmd.exe
PID is 1512
PID is 2408
(Process Name is cmd.exe) AND ((PID is 1512) OR (PID is 2408))
Combining “Include” rules
Within a column: combined with “OR”
Between columns: combined with “AND”
Q: What if you want to limit within a column?
(Path Contains HKLM) AND (Path Contains Zones)
A: Exclude the events you don’t want
demo
Simulating "AND" within a column filter
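The combination rules above and the "exclude" trick from the demo, modelled in Python as an added example (this is not Procmon's own code): Include rules are OR'ed within a column and AND'ed between columns, a matching Exclude rule always wins, and the "excludes" relation from Procmon's filter dialog is assumed to be available. The sample events are constructed, not captured Procmon output.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    column: str    # Procmon column: "Process Name", "PID" or "Path"
    relation: str  # Procmon relation: "is", "contains" or "excludes"
    value: str
    action: str    # "Include" or "Exclude"


def matches(rule, event):
    """Case-insensitive comparison of one rule against one event."""
    field, value = str(event[rule.column]).lower(), rule.value.lower()
    if rule.relation == "is":
        return field == value
    if rule.relation == "contains":
        return value in field
    if rule.relation == "excludes":
        return value not in field
    raise ValueError(f"unsupported relation: {rule.relation}")


def event_shown(event, rules):
    """Any matching Exclude rule drops the event; otherwise the Include
    rules are OR'ed within a column and AND'ed between columns."""
    if any(matches(r, event) for r in rules if r.action == "Exclude"):
        return False
    by_column = defaultdict(list)
    for r in rules:
        if r.action == "Include":
            by_column[r.column].append(r)
    return all(any(matches(r, event) for r in group)
               for group in by_column.values())


EVENTS = [  # constructed sample events; the list index serves as event id
    {"Process Name": "cmd.exe", "PID": 1512, "Path": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"},
    {"Process Name": "iexplore.exe", "PID": 2408, "Path": r"HKLM\Software\Microsoft\Internet Explorer"},
    {"Process Name": "cmd.exe", "PID": 1512, "Path": r"C:\Windows\Zones.txt"},
    {"Process Name": "svchost.exe", "PID": 900, "Path": r"HKLM\System\CurrentControlSet\Services\Zones"},
]


def shown_ids(rules, events=EVENTS):
    return [i for i, e in enumerate(events) if event_shown(e, rules)]


# Two "Path contains" Include rules are OR'ed, so this is NOT "HKLM AND Zones".
NAIVE_AND = [Rule("Path", "contains", "HKLM", "Include"),
             Rule("Path", "contains", "Zones", "Include")]
# The slide's answer: include HKLM paths, then exclude those lacking "Zones".
SIMULATED_AND = [Rule("Path", "contains", "HKLM", "Include"),
                 Rule("Path", "excludes", "Zones", "Exclude")]
```

Running `shown_ids(NAIVE_AND)` keeps all four events, while `shown_ids(SIMULATED_AND)` keeps only the two whose path contains both strings.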
topic
[TS] Sessions, Window Stations, Desktops, …
Before Terminal Services…
With Terminal Services…
demo
Working with interactive and non-interactive desktops
demo
Exploring LSA Logon Sessions
demo
DU (Disk Usage) and Streams and FindLinks
SigCheck
usage: sigcheck [-a][-h][-i][-e][-n][[-s]|[-v]|[-m]][-q][-r][-u][-c catalog file] <file or directory>
 -a Show extended version information
 -c Look for signature in the specified catalog file
 -e Scan executable images only (regardless of their extension)
 -h Show file hashes
 -i Show catalog name and image signers
 -m Dump manifest
 -n Only show file version number
 -q Quiet (no banner)
 -r Check for certificate revocation
 -s Recurse subdirectories
 -u Show unsigned files only
 -v Csv output
demo
A little LiveKd…
Sysinternals Resources
http://www.Sysinternals.com (redirects to technet.microsoft.com)
Mark Russinovich’s blog: http://blogs.technet.com/MarkRussinovich
Blog posts and utilities by Aaron Margosis: http://blogs.msdn.com/aaron_margosis and http://blogs.technet.com/fdcc
Related Content
More about Pass the Hash and defending against it:
SIA200 - Cyber Security Defenses: What Works Today
SIA303 - Advanced Persistent Threats (APT): Understanding the New Era of Attacks!
Mark Russinovich’s TechEd sessions:
AZR209 - Windows Azure Applications and Workloads
AZR302 - Windows Azure Internals
SIA302 - Malware Hunting with the Sysinternals Tools
WCL301 - Case of the Unexplained 2012: Windows Troubleshooting with Mark Russinovich
Aaron Margosis’ other TechEd session:
SIA324 - Defense Against the Dark Ages: Your Old Web Apps Are Trying to Kill You
Track Resources
www.microsoft.com/twc
www.microsoft.com/security
www.microsoft.com/privacy
www.microsoft.com/reliability
Resources
Connect. Share. Discuss.
http://northamerica.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.