Admin’s Arsenal: Process Explorer
Written by Joe Glessner on June 18, 2009 – 1:53 pm
Once in a while I will get a call from one of my users describing a problem, and immediately I think to myself “impossible”. Like “it’s just not possible that your computer is deleting your email all by itself”.
Then there are the times where I find myself five minutes into the conversation going “uhhhh, yeah that’s not good, I wonder what could cause that?” (believe it or not, us IT people don’t in fact know immediately exactly what is wrong with your computer, and we’re even wrong once in a third Tuesday of the week).
When I need to get a crystal clear picture of what is happening on a system, I turn to Process Explorer from Sysinternals (now brought to you by Microsoft!). Process Explorer is everything that Windows’ Task Manager wishes it was:
Overview
Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command-line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded.
The Process Explorer display consists of two sub-windows. The top always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window, which you can close, depends on the mode that Process Explorer is in: if it is in handle mode you will see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you will see the DLLs and memory-mapped files that the process has loaded.
Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
You can obtain equivalent command-line tools, Handle and ListDLLs, at the Sysinternals Web site.
Process Explorer does not require administrative privileges to run and works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, Windows Vista, Windows Server 2008 and on the x64 version of 64-bit Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.
So, why use this rather than any of the dozens of other Task Manager replacements you can find on the internet? Well, for starters, Process Explorer was written by Mark Russinovich. Mr. Russinovich is acknowledged as one of the foremost experts on Microsoft Windows in general, and the NTFS file system in particular. The man is incredibly knowledgeable about the internal workings of Microsoft operating systems, and has authored several books on Microsoft technologies.
Beyond that, the sheer depth of functionality in this product makes it a hands-down winner in my book. Oh, and did I mention that you can run it from a USB drive?
You can get more information on Process Explorer (and download it) here.
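The two views the post leans on, the process list and the DLL search, can be approximated from a plain PowerShell prompt when Process Explorer is not on the box. This is an added example, not code from the post or from Sysinternals; it assumes Windows PowerShell 2.0 or later and the WMI Win32_Process class.

```powershell
# Added example, not from the post or from Sysinternals: a PowerShell approximation
# of two Process Explorer views, the process list (image path, command line, owning
# account) and Find > Find Handle or DLL for loaded modules, for triage when the
# GUI tool is not at hand. Assumes Windows PowerShell 2.0+ and WMI's Win32_Process.

function Get-ProcessInventory {
    # One object per process with the columns the post calls out. Owner comes from
    # Win32_Process.GetOwner(); ExecutablePath is empty for kernel pseudo-processes.
    Get-WmiObject Win32_Process | ForEach-Object {
        $o = $_.GetOwner()
        $owner = ''
        if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        New-Object PSObject -Property @{
            PID         = $_.ProcessId
            Name        = $_.Name
            ImagePath   = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Owner       = $owner
        }
    }
}

function Find-LoadedModule {
    param([Parameter(Mandatory=$true)][string]$Name)   # wildcard allowed, e.g. 'msvcr*.dll'
    # Which processes have a DLL matching $Name loaded? The question Process
    # Explorer's search (or the ListDLLs tool) answers; a copy loaded from an
    # unexpected directory is the kind of thing that stands out in the output.
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # protected process or 32/64-bit mismatch
        foreach ($m in $mods) {
            if ($m.ModuleName -like $Name) {
                New-Object PSObject -Property @{
                    PID = $p.Id; Process = $p.ProcessName; Module = $m.FileName
                }
            }
        }
    }
}

# Usage: processes whose image lives outside the Windows and Program Files trees,
# then every process that has the Winsock DLL loaded.
Get-ProcessInventory |
    Where-Object { $_.ImagePath -and $_.ImagePath -notlike 'C:\Windows\*' -and
                   $_.ImagePath -notlike 'C:\Program Files*' } |
    Format-Table PID, Name, Owner, ImagePath -AutoSize
Find-LoadedModule -Name 'ws2_32.dll' | Format-Table PID, Process, Module -AutoSize
```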
Admin’s Arsenal: Evernote 3.1
Written by Joe Glessner on June 18, 2009 – 12:00 am
Initially I had some trepidation about doing an AA on Evernote, because as of v3, it is web centric, and some of the great features of the old v2.2 have been removed. But man is it useful!
Ok, so what is Evernote? It’s difficult to explain correctly. Basically it is a note taking application on the order of Microsoft’s OneNote (which I like, but can’t justify buying a copy of for every system I work on, so it’s kind of limited in its use for me), but taken to a whole different level, oh, and it’s free (sort of).
Here is the description from the Evernote site:
Remember everything.
Evernote allows you to easily capture information in any environment using whatever device or platform you find most convenient, and makes this information accessible and searchable at any time, from anywhere. Did we mention that it’s free?
Yeah, that’s about accurate. Currently there is a free Evernote app for Windows and Mac OS X (Leopard), a bookmarklet that will work on just about any browser, a Firefox extension, and apps for the iPhone, Palm Pre, Windows Mobile phones, and limited Blackberry models.
It requires Blackberry OS 4.6 or above, so at the moment it is limited to the Bold (and since I just got one, this is a good thing), Curve (the new one), and Storm; however, I have no doubt that RIM will update all others to 4.6 soon.
The thing that makes this a killer app for me is that Evernote can make text in images searchable. So if I take a picture with my Blackberry of say, a BSoD error message, and save it to Evernote, I can then access it on my desktop (or another machine connected to the internet), and figure out what that error message is telling me.
All in all, the ability to clip portions of websites, entire web pages, text from documents, and email from Outlook (yeah it integrates with Outlook), makes this a really really handy tool for IT work (not to mention blogging).
The free accounts are limited to 40MB of monthly upload data (text, images, audio, and .pdf files only), whereas the premium version gets you 500MB per month, removes the small advertising window in the desktop app, and can sync any kind of file.
While 40MB may not seem like much, it is roughly 20,000 text notes, or 400 mobile snapshots, or 270 web clips, or 40 audio notes, or 11 high resolution photos. 500MB is roughly 12.5 times that amount of data.
The cost of the premium account is $5/mo. or $45/year.
If you’d like to try Evernote out, you can sign up and download it here: http://www.evernote.com/
Admin’s Arsenal: DBAN
Written by Joe Glessner on June 16, 2009 – 1:57 pm
Ever buy a used hard drive on eBay or Craigslist? Ever look to see if there was any data on it? I have, and let me tell you, it is downright scary what people will leave on HDDs when they sell them as used. I recently purchased 12 used 250 GB SATA HDDs from eBay for a NAS project I was working on, and of those 12, 9 of them had not been so much as formatted.
Of those 9, all but one had data that would have been usable for identity theft: files with credit card information, copies of bills, saved email that had account information, not to mention the astounding number of ummm, not safe for work pictures taken by (or of) the former owners. In all cases I could have contacted the former owner, as on all 9 drives I found current addresses and phone numbers for the former owners.
This is 2009, I would have thought that by now better than 25% of people selling used hard drives would know better.
As an IT professional, I get used computers all the time (for some reason everyone I work with thinks I need every used machine I can get my hands on, especially if it has a “Designed for Windows 95!” sticker on it!). The ratio of these HDDs that I get with data still on them is more like 95%. It’s easy to format a HDD, until you get one that just won’t format. Mostly the ones I’ve seen this on were disks that I installed an obscure Linux distro on, and then for whatever reason decided to install Windows on. The Microsoft format tools are not always capable of handling partitions like this, which is where DBAN comes in.
Darik’s Boot And Nuke (or DBAN) is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.
One of the really great things about DBAN is that it can run from a floppy or be burned to a bootable CD, which means it can be used on almost any computer. Better than that, DBAN has many options for how it wipes the disk, ranging from the single-pass “autonuke” to the 35-pass random-data Gutmann method, and DBAN also lets you define the number of passes yourself.
In short, DBAN excels at destroying all data on a Hard Disk. You can find more information on DBAN here.
A Weekend without the Internet on XKCD…
Written by Karl L. Gechlik | AskTheAdmin.com on June 16, 2009 – 9:32 am
LMFAO!
Mysterious Server 2003 disk space consumption
Written by Joe Glessner on June 14, 2009 – 12:00 am
So the System drive of my (primary) domain controller has been running low on disk space (it’s a 20GB partition running with about 4GB or so free). This has been a nagging issue that I’ve had off and on for a while now, and I haven’t really had the time to delve into it.
I decided to start my investigation by running WinDirStat and looking for any oddly large files. The largest portion of the System disk is consumed by the Program Files directory (no big surprise there), and aside from a couple of slightly disturbing large files from my backup software there is only one group of large files on the drive, weighing in at about 12GB for the 8 or so files. And they all have the same path and are similarly named: C:\System Volume Information\{914b4760-84b2-11dd-bca9-000e0cb2b564}{3808876b-c176-4e28-b7ae-04046e6cc752}
Hmmm, interesting. A quick Google search turns up some results linking this directory (more specifically, files with CLSID names in this directory) to two things: System Restore points, and virus files.
Well I’m pretty sure it’s not virus files (no other odd behavior or weird network activity), and if I’m not mistaken to enable System Restore on WS2003 you have to manually copy over some files from an XP CD (which is a pretty cool hack, but not something I’ve done on any corporate network I’ve ever worked on).
At this point I start hearing dramatic music in the back of my mind; I’ve got a bona fide mystery! Or at least the initial facts would indicate so.
Well, a bit more in-depth investigation turns up what some of you already knew at this point: the culprit is VSS. But I never configured VSS! (cue swelling of dramatic music in the background)
OK, so this is something of a mystery after all. So I go digging around in the event logs for the last 3 years looking for the initial VSS snapshot message. It sounds like a lot of work, but Microsoft Log Parser actually makes things like this pretty trivial.
Turns out that the VSS snapshots started on the same day that I installed our current backup software (Yosemite Backup 8.5 SP2), which coincidentally has the ability to make use of VSS snapshots!
Now this is not a huge issue, as VSS will delete old snapshots when space is needed, however I tend to take exception to software doing things like this without my permission.
Well luckily for me, I used to be a manager at the company that makes our backup software, so I fire up my trusty IM client, and start poking at the engineering department.
Twenty minutes later I have my trusty pipe and smoking jacket firmly in place, as I am feeling quite like Sherlock Holmes. It seems that in fact it was the backup software which enabled VSS for all volumes on my server, and (because it uses the defaults when enabling VSS) had set VSS to not limit the space consumed by snapshots!
A simple trip into Disk Management, and a quick change to the drive’s Property page, and VSS is now limited to 4GB for the system partition (which is far more than I’ll ever need). Interestingly enough, had I disabled the VSS service on this machine before installing the backup software, it would not have enabled VSS. I’ve asked that they include a note about VSS being automatically configured in the Yosemite Backup installer (it may exist now, I’m not sure, as I haven’t actually read any of the installer screens in years), but who knows when that will make it into the software.
As a side note, I’ve spoken to the Tech Support Manager at Yosemite Technologies (they make Yosemite Backup), and they are currently writing a knowledge base article about this, and how to change the VSS settings from the defaults that Yosemite Backup enables.
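The same investigation, scripted: report the shadow storage limit on every volume, find the oldest shadow-copy event in the System log, and cap the diff area. This is an added example, not from the post or from Yosemite Backup; it assumes Windows PowerShell 2.0 or later, the WMI Win32_ShadowStorage and Win32_Volume classes, the VolSnap and VSS event sources, and an elevated prompt.

```powershell
# Added example, not from the post or from Yosemite Backup: check shadow storage on
# every volume the way the post's investigation went, find when shadow copies began,
# and cap the diff area with vssadmin. Assumes Windows PowerShell 2.0+, the WMI
# Win32_ShadowStorage and Win32_Volume classes, and an elevated prompt.

function Get-ShadowStorageAudit {
    # One Win32_ShadowStorage instance per (protected volume, diff-area volume).
    # "No limit" is stored as a MaxSpace larger than any disk, so a MaxSpace at or
    # above the volume's own capacity is what "vssadmin list shadowstorage" prints
    # as UNBOUNDED: the setting the backup installer left behind.
    Get-WmiObject Win32_ShadowStorage | ForEach-Object {
        $vol  = [wmi]$_.Volume       # reference path -> Win32_Volume object
        $diff = [wmi]$_.DiffVolume
        New-Object PSObject -Property @{
            Volume    = $vol.DriveLetter
            DiffArea  = $diff.DriveLetter
            UsedGB    = [math]::Round($_.UsedSpace / 1GB, 2)
            MaxGB     = [math]::Round($_.MaxSpace / 1GB, 2)
            Unbounded = ($_.MaxSpace -ge $vol.Capacity)
        }
    }
}

function Get-FirstShadowCopyEvent {
    # Oldest System-log entry from the VolSnap driver or the VSS service: the date
    # to line up against software installs (the post got it from Log Parser).
    Get-EventLog -LogName System -Source VolSnap, VSS -ErrorAction SilentlyContinue |
        Sort-Object TimeGenerated |
        Select-Object -First 1 TimeGenerated, Source, EventID, Message
}

function Set-ShadowStorageLimit {
    param([string]$Drive = 'C:', [string]$On = $Drive, [string]$MaxSize = '4GB')
    # The change the post made on the drive's Properties page, done with vssadmin
    # (present on Server 2003 and later). Snapshots past the new limit are dropped.
    & vssadmin.exe Resize ShadowStorage /For=$Drive /On=$On /MaxSize=$MaxSize
}

# Usage: report everything, then cap only the volumes that are unbounded.
$audit = Get-ShadowStorageAudit
$audit | Format-Table Volume, DiffArea, UsedGB, MaxGB, Unbounded -AutoSize
Get-FirstShadowCopyEvent | Format-List
$audit | Where-Object { $_.Unbounded -and $_.Volume -and $_.DiffArea } | ForEach-Object {
    Set-ShadowStorageLimit -Drive $_.Volume -On $_.DiffArea -MaxSize '4GB'
}
```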
Windows Vista Quick Tip: Turning on/off Thumbnails
Written by eldipablo on June 11, 2009 – 12:00 am
I posted a little while back about how I recently upgraded my entire home network to a Windows 2008 domain, which includes Windows Vista clients.
Well, my wife got to playing with her desktop for the first time last week, and one of the things she noticed was that when she went to view her photos in her pictures directory, that there weren’t any thumbnails for her to preview the images. Me being her free tech support (I think that is why she still puts up with me) she asked me to fix it.
There are two ways to get the thumbnails back. The first way, you do the following within the folder you want to view thumbnails in:
- Click on Organize > Folder and Search Options
- Click the View Tab
- Uncheck the “Always show icons, never thumbnails” option
- Click Apply, then OK.
The other option is to:
- Click Start > Control Panel
- In classic view, click on Folder Options
- Click the View Tab
- Uncheck the “Always show icons, never thumbnails” option
- Click Apply, then OK.
You guessed it, the second option is basically the same as the first. To turn the thumbnails off, you just check the box instead of uncheck it. Do you have any other cool, quick Vista tips you want to share? Hit me up in the comments.
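The checkbox both procedures flip can also be read and set from PowerShell, which is handier when the same fix has to go out to every user on a domain. This is an added example, not from the post; it assumes the setting lives in the IconsOnly DWORD under the Explorer\Advanced key (1 = icons only, 0 = thumbnails), which is my reading of that Folder Options checkbox.

```powershell
# Added example, not from the post: read and set "Always show icons, never
# thumbnails" from PowerShell. Assumes the checkbox is backed by the IconsOnly
# DWORD under HKCU\...\Explorer\Advanced (1 = icons only, 0 = thumbnails).

$AdvancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ThumbnailsEnabled {
    $v = Get-ItemProperty -Path $AdvancedKey -Name IconsOnly -ErrorAction SilentlyContinue
    # A missing value means the default: thumbnails are shown.
    return ((-not $v) -or ($v.IconsOnly -eq 0))
}

function Set-ThumbnailsEnabled {
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    $value = 1                       # 1 = "Always show icons, never thumbnails" checked
    if ($Enabled) { $value = 0 }     # 0 = unchecked, thumbnails back
    New-ItemProperty -Path $AdvancedKey -Name IconsOnly -PropertyType DWord `
        -Value $value -Force | Out-Null
    # Explorer reads the key when a window is opened; log off and on if an
    # already-open window does not pick the change up (my assumption).
    return ((Get-ThumbnailsEnabled) -eq $Enabled)
}

# Usage: turn thumbnails on for the current user and confirm the value stuck.
Set-ThumbnailsEnabled -Enabled $true
```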
Originally posted on Bauer-Power.