Top 10 Topics for MSCOM Ops…The TOOL MAN Cometh!! (Part 3)

Well we were rummaging around in our collective tool box and we came up with the following:

FILEMON – Used for tracking down which processes are accessing particular files or drives on your system, and with what result (access denied, not found, etc.). Filemon and Regmon have since been folded into Process Monitor, but the workflow is the same.
https://www.sysinternals.com/Utilities/Filemon.html

KERNRATE – Very useful for tracking down (right down to the function, once you give it symbols) which module in a usermode process or which kernel-mode driver is burning CPU on a machine. It is a sampling profiler, so let it run long enough to catch the spike you care about.

https://www.microsoft.com/downloads/details.aspx?FamilyID=d6e95259-8d9d-4c22-89c4-fad382eddcd1&DisplayLang=en
Example:

' General kernel sampling to determine which driver is consuming CPU cycles on a specific CPU

kernrate -m 0x1

' Zoom in on a particular module that is shown as consuming a high number of cycles in the general kernel sampling. Note: a symbol path is needed to resolve function names

kernrate -z foodriver -z ntdll -j srv*c:\symbols*https://msdl.microsoft.com/download/symbols

' General usermode sampling on a particular process (using the PID) to see which modules are consuming CPU cycles

kernrate -p 1234

' Zoom in on a particular module that is shown as consuming a high number of cycles in a particular usermode process. Note: a symbol path is needed to resolve function names

kernrate -z foomodule -z ntdll -j srv*c:\symbols*https://msdl.microsoft.com/download/symbols

LOGMAN – Command line performance log creation / management. Anything you can click together in Performance Monitor you can script with logman, which is what makes it usable across a whole farm.

Ships with Windows.

Example:

' Create a binary circular perf log on SERVERNAME that wraps once it reaches 300MB, sampling every 3 seconds, with no date/time version suffix on the file name (--v turns versioning off), using the counters listed one per line in counters.config on a UNC share

logman create counter <LOGFILE NAME> -s SERVERNAME -f bincirc -max 300 -si 3 --v -o "e:\perflogs\<LOGFILE NAME>" -cf "\\<your_server_name>\Performance\PerflogCollection\counters.config"

' Start the log on SERVERNAME (check with "logman query <LOGFILE NAME> -s SERVERNAME" that the status is Running; a typo in a counter path fails silently until you look)

logman start <LOGFILE NAME> -s SERVERNAME
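The same create/start sequence wrapped in a PowerShell function that also verifies the collector actually came up. This is an added example, not code from the original post; the server, share and output paths are placeholders, and the sample counter list is constructed here (logman's -cf file is one counter path per line).

```powershell
# Added example (not from the MSCOM Ops post). Wraps the logman commands above and
# checks the collector status afterwards, so a bad counter path does not go unnoticed.
# Assumed: SERVERNAME, the UNC share and e:\perflogs are placeholders for your own.

# Constructed sample counter list, one counter path per line (the format -cf expects).
$sampleCounters = @'
\Processor(_Total)\% Processor Time
\Memory\Available MBytes
\PhysicalDisk(_Total)\Avg. Disk Queue Length
\Web Service(_Total)\Current Connections
'@
$counterFile = '\\your_server_name\Performance\PerflogCollection\counters.config'
Set-Content -Path $counterFile -Value $sampleCounters

function New-PerfCounterLog {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [string] $Server,
        [Parameter(Mandatory=$true)] [string] $CounterFile,
        [string] $OutputDir       = 'e:\perflogs',
        [int]    $MaxMB           = 300,
        [int]    $IntervalSeconds = 3
    )
    # -f bincirc : binary circular file, oldest samples overwritten once -max MB is hit
    # --v        : no date/time version suffix, so the output path stays predictable
    $logmanArgs = @(
        'create', 'counter', $Name,
        '-s',   $Server,
        '-f',   'bincirc',
        '-max', $MaxMB,
        '-si',  $IntervalSeconds,
        '--v',
        '-o',   (Join-Path $OutputDir $Name),
        '-cf',  $CounterFile
    )
    & logman.exe @logmanArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman create '$Name' failed with exit code $LASTEXITCODE" }

    & logman.exe start $Name -s $Server | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman start '$Name' failed with exit code $LASTEXITCODE" }

    # logman query prints the collector details including a Status line; insist on Running
    $status = & logman.exe query $Name -s $Server
    if (-not ($status -match 'Running')) {
        throw "Collector '$Name' on $Server is not running:`n$($status -join "`n")"
    }
    return $status
}

New-PerfCounterLog -Name 'WebFarmBaseline' -Server 'SERVERNAME' -CounterFile $counterFile
```

Deleting a collector later is `logman delete <name> -s <server>`; stop it first with `logman stop`, otherwise the delete fails.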

NETCAP + NETMON – Netcap.exe is a command line front end for Network Monitor captures, handy when you need to script or schedule a capture on a server instead of sitting in the Netmon GUI.

https://support.microsoft.com/?id=310875

PROCESS EXPLORER – Useful for looking at a process's DLL dependencies and any open handles it has. Handy in cases where a file is in use and you're not sure what's still holding on to it (Find > Find Handle or DLL, then search for the file name).

https://www.sysinternals.com/Utilities/ProcessExplorer.html

PSEXEC – Used to spawn processes (such as cmd.exe) on remote servers. It works by copying a PSEXESVC service onto the target over the ADMIN$ share, so you need admin rights on the box, and the service install shows up in the target's System event log. Since attackers like PsExec for exactly the same reason we do, it is worth knowing what its service installs look like in your logs.

https://www.sysinternals.com/utilities/psexec.html

Example:

' Open up a cmd.exe process on a remote server for command line access (add -u DOMAIN\user -p password to run as a different account)

psexec \\servername cmd.exe

REGMON – Same as FILEMON except for the registry. Useful for hunting down config keys that a process may be reading (or failing to read), or understanding registry access behaviors.

https://www.sysinternals.com/Utilities/Regmon.html

ROBOCOPY – Very "robust" file copy tool for mirroring data trees in restartable mode. Two things to remember: /MIR deletes anything in the destination that is not in the source, and the exit code is a bitmask (0-7 are varieties of success, 8 and above mean something was not copied), so do not treat "non-zero" as failure in scripts.

W2K3 Resource Kit: https://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Example:

' Mirror c:\foo to d:\foo, copying data, attributes and security (ACLs), in restartable mode, with a maximum of 10 retry attempts (30 seconds apart by default) if the destination becomes unavailable

robocopy c:\foo d:\foo *.* /MIR /SEC /Z /R:10
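The mirror above driven from PowerShell, with the exit code decoded bit by bit and a /L dry run first so you can see what /MIR is about to purge. This is an added example, not code from the original post; the source, destination and log paths are placeholders, and /W:5, /NP and /LOG are additions to the switches shown above.

```powershell
# Added example (not from the MSCOM Ops post). Runs the /MIR copy above and decodes
# robocopy's bitmask exit code instead of treating any non-zero value as a failure.
# Assumed: c:\foo, d:\foo and the log file path are placeholders.

function ConvertFrom-RobocopyExitCode {
    param([Parameter(Mandatory=$true)] [int] $ExitCode)
    # Robocopy ORs these bits together. Anything below 8 is a successful run;
    # 8 or above means at least one file or directory was not copied.
    $bitMeaning = @{
        1  = 'Files copied'
        2  = 'Extra files/dirs in destination (these get deleted under /MIR)'
        4  = 'Mismatched files/dirs'
        8  = 'Some files/dirs could not be copied (retry limit exceeded)'
        16 = 'Fatal error, no files copied'
    }
    $reasons = foreach ($bit in 1, 2, 4, 8, 16) {
        if ($ExitCode -band $bit) { $bitMeaning[$bit] }
    }
    if ($ExitCode -eq 0) { $reasons = @('No changes, nothing copied') }
    New-Object PSObject -Property @{
        ExitCode = $ExitCode
        Success  = ($ExitCode -lt 8)
        Reasons  = @($reasons)
    }
}

function Invoke-MirrorCopy {
    param(
        [Parameter(Mandatory=$true)] [string] $Source,
        [Parameter(Mandatory=$true)] [string] $Destination,
        [string] $LogFile = (Join-Path $env:TEMP 'robocopy.log'),
        [switch] $ListOnly   # /L: report what would be copied and purged, touch nothing
    )
    # /MIR /SEC /Z /R:10 as in the post; /W:5 shortens the 30s default retry wait,
    # /NP drops the per-file progress noise, /LOG keeps the full report for later
    $switches = @('/MIR', '/SEC', '/Z', '/R:10', '/W:5', '/NP', "/LOG:$LogFile")
    if ($ListOnly) { $switches += '/L' }
    & robocopy.exe $Source $Destination '*.*' @switches | Out-Null
    ConvertFrom-RobocopyExitCode -ExitCode $LASTEXITCODE
}

# Dry run first: bit 2 set here means d:\foo holds files that the real /MIR will delete
$preview = Invoke-MirrorCopy -Source 'c:\foo' -Destination 'd:\foo' -ListOnly
"Preview: exit $($preview.ExitCode) -> $($preview.Reasons -join '; ')"

$result = Invoke-MirrorCopy -Source 'c:\foo' -Destination 'd:\foo'
if (-not $result.Success) {
    throw "Mirror failed (exit $($result.ExitCode)): $($result.Reasons -join '; ')"
}
"Mirror done: $($result.Reasons -join '; ')"
```

The same decoding applies to a plain batch file: `if %ERRORLEVEL% GEQ 8 goto :failed` is the test you want, not `if ERRORLEVEL 1`.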

SCHTASKS.EXE – used for managing scheduled tasks. Without /RU and /RP the task runs as whoever created it, which matters when the command lives on a UNC path: give it a service account that can actually read the share.

Ships with Windows.

Example:

' Create a job named JOBNAME that runs "cscript \\server\unc\script.vbs" at 5:00AM every day on the SERVERNAME machine (/F overwrites an existing task of the same name; add /RU DOMAIN\account /RP password to run it under a service account)

schtasks /CREATE /F /TN JOBNAME /TR "cscript \\server\unc\script.vbs" /ST 05:00 /SC DAILY /S SERVERNAME

SSLDIAG – used for troubleshooting SSL certificate issues on an IIS server. It will quickly point out any problems with the SSL configuration (IIS binding config, a certificate problem, a certificate store or private key problem) so you are not guessing from a browser error.

https://www.microsoft.com/downloads/details.aspx?FamilyId=CABEA1D0-5A10-41BC-83D4-06C814265282&displaylang=en