Monday, March 9, 2015

Have you used Autoruns, Process Explorer, Process Monitor and so on for troubleshooting a Windows environment?

Yesterday, I helped one of my friends figure out which program was blocking file copies to a USB drive on Windows 7. First of all, I downloaded some Sysinternals tools, such as Process Explorer, Process Monitor and Autoruns, onto his computer. The Sysinternals tools were developed by Mark Russinovich and Bryce Cogswell. Microsoft acquired it and its assets on 18-Jul-2006.

Then, I tried to use these tools to find out which program blocked the action.

With Process Explorer, I could see all running processes on the computer.



I tried to look through all the processes under "csrss.exe" and closed some of them, but I couldn't get any idea which process was blocking file copies to the USB drive.

After that, I used Process Monitor to capture all the actions that occurred while I copied a file to a USB drive.


I also didn't get any idea about what blocks copying a file to a USB drive when Windows starts up.

Then, I used Autoruns to check the names of the DLLs published by other companies.



I unchecked that DLL and then restarted the computer. Eventually, files could be copied to the USB drive.

As a result, using the "Jump to Entry" option in Autoruns, I found that the service is run by svchost.exe.
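The Autoruns check described above (svchost.exe-hosted service DLLs published by companies other than Microsoft) can also be approximated from PowerShell. This is an added example, not part of the original post; it assumes an elevated prompt, the standard `Services\<name>\Parameters\ServiceDll` registry layout, and it reads the publisher from the DLL's version resource, which is self-declared by the file and is not a signature check.

```powershell
# Added example: list services hosted by svchost.exe whose ServiceDll does not
# declare Microsoft as its publisher (CompanyName in the version resource).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$results = foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue

    # Only services that run inside svchost.exe are of interest here.
    if ($props.ImagePath -notmatch 'svchost\.exe') { continue }

    # The DLL that svchost.exe loads for the service is named under <service>\Parameters.
    $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if (-not $params.ServiceDll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)

    if (Test-Path -LiteralPath $dll) {
        # CompanyName is whatever the file claims; treat it as a hint, not proof.
        $company = (Get-Item -LiteralPath $dll).VersionInfo.CompanyName
    } else {
        $company = '<file not found>'
    }

    # Keep entries with a non-Microsoft, empty, or missing publisher.
    if ($company -notlike '*Microsoft*') {
        New-Object PSObject -Property @{
            Service    = $svc.PSChildName
            Start      = $props.Start      # 2 = automatic, 3 = manual, 4 = disabled
            Publisher  = $company
            ServiceDll = $dll
        }
    }
}

$results | Sort-Object Service |
    Format-Table Service, Start, Publisher, ServiceDll -AutoSize
```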

Besides Autoruns, Process Explorer and Process Monitor, there are many other useful Sysinternals tools for troubleshooting.

For more information:
Sysinternals

TWC | Malware Hunting with Mark Russinovich and the Sysinternals Tools

Sysinternals -- Channel 9 

This posting is provided “AS IS” with no warranties, and confers no rights!
