Automating the Sysinternals “Hunting Malware” technique

My friends and family often ask for my help in fixing their computer. I actually enjoy it, but I can’t be there for them all the time. When I “fix” their Microsoft Windows PC, I use Mark Russinovich’s Hunting Malware procedure. This can take quite a bit of time and effort depending on how bad…

Available for pre-order: Windows Performance Analysis Field Guide

Yay! After over a year in development, my book, the “Windows Performance Analysis Field Guide”, is available for pre-order! $37.46 at http://store.elsevier.com/product.jsp?isbn=9780124167018&_requestid=465338 $45.42 (Prime discount) at http://www.amazon.com/dp/0124167012/ref=wl_it_dp_o_pC_nS_ttl?_encoding=UTF8&colid=12JDCG3UP69SD&coliid=I2TOVTYHI6HDHC I certainly don’t know everything about Windows performance analysis (no one ever will), so *many* of my friends and colleagues are named in the book as people who…

How to create a “black box” performance counter data collector

I highly encourage my customers to run a “black box” performance counter data collector set on their Windows Servers. The purpose of it is to continuously collect a detailed amount of data about the system in a circular file buffer of adjustable size so what if/when the system has a performance problem, we have roughly…

Using Autoruns to validate system drivers

Recently, one of my enterprise customers had a system crash popularly known as a “blue screen of death” and this reminded me of the importance to validate drivers. Validating drivers is something I commonly do with my non-techie friends and family as well, simply because poorly written drivers are the most common cause of system…

Convert a performance counter data collector template into a PAL threshold file

If you want to have all of the counters in a counter log be represented in a PAL report, then use the AllCounterStats feature in the PAL Wizard. This will use all of the thresholds in the PAL threshold files as well as ensure that all of the counters are in the report at Stats…

Tracking page file reads and writes

The only real way of knowing if a page file is actually being “read from” is to get a file IO trace. This can be collected and/or viewed with tools such as the Microsoft Performance Recorder/Analyzer, Microsoft Resource Monitor, or Sysinternals Process Monitor. Using Resource Monitor: Resource Monitor is built into the operating system…

Full debugging of VBScripts using Visual Studio 2005

Want to do *full* debugging of VBScripts? Then use this procedure. One of the hardest parts about scripting is getting to know the properties and methods of objects and the state of a script during execution. In this procedure, I show you how to modify Microsoft Visual Studio 2005 for full debugging of VBScripts. I…

Out of Pool Paged memory on 32-bit Windows Server 2003

Lately, I have been assisting customers who are still using 32-bit Windows Server 2003 and inevitably running out of kernel pool memory. When one of the kernel pools (Pool Paged and Pool Nonpaged) is full (meaning a memory allocation to one of these pools fails due to a lack of free space), then applications or…

My personal reminder of common debugging commands

I don’t get as many opportunities to debug as I would like, but when I do, I always forget the command that I like to use, so this is my personal document to remind me of those commands. !sym noisy This gives me details of symbol resolution. .reload /f This forces all of the symbols…

Detecting ephemeral port exhaustion

Symptoms: When Windows or Windows Server is out of ephemeral/outbound/dynamic network ports, it will not be able to establish any outbound network connections. This results in a lot of connection failures such as database and/or domain controller connections. If the system is not responding, then try increasing the port range (discussed below) – this change is…
