Top 10 Topics for MSCOM Ops…The TOOL MAN Cometh!! (Part 3)
Well, we were rummaging around in our collective tool box and came up with the following:
FILEMON – Used for tracking down which processes are accessing particular files or particular drives on your system.
https://www.sysinternals.com/Utilities/Filemon.html
KERNRATE – Very useful for tracking down (right down to the line of code) which module in a usermode process or system driver is causing high CPU usage on a machine.
https://www.microsoft.com/downloads/details.aspx?FamilyID=d6e95259-8d9d-4c22-89c4-fad382eddcd1&DisplayLang=en
Example:
'General kernel sampling to determine which driver is consuming CPU cycles on a specific CPU
kernrate -m 0x1
'Zoom in on a particular module shown as consuming a high number of cycles in the general kernel sampling. Note: a symbol path is needed to resolve function names
kernrate -z foodriver -z ntdll -j srv*c:\symbols*https://msdl.microsoft.com/download/symbols
'General usermode sampling on a particular process (by PID) to see which modules are consuming CPU cycles
kernrate -p 1234
'Zoom in on a particular module shown as consuming a high number of cycles in a particular usermode process. Note: a symbol path is needed to resolve function names
kernrate -z foomodule -z ntdll -j srv*c:\symbols*https://msdl.microsoft.com/download/symbols
LOGMAN – Command line performance log creation / management
Ships with Windows.
Example:
'Create a binary circular perf log on SERVERNAME that can grow up to 300MB, logging every 3 seconds and using counters from counters.config on a UNC share
logman create counter <LOGFILE NAME> -s SERVERNAME -f bincirc -max 300 -si 3 --v -o "e:\perflogs\<LOGFILE NAME>" -cf "\\<your_server_name>\Performance\PerflogCollection\counters.config"
'Start the log on SERVERNAME
logman start <LOGFILE NAME> -s SERVERNAME
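As an added example that is not part of the original post, the following PowerShell script wraps the two logman steps above so they can be re-run against several servers with the same options (binary circular log, 300 MB cap, 3 second interval, no versioning). The counter paths are constructed sample values written to a local counters.config; the script assumes that file is readable where logman resolves it (the post uses a UNC share for the same purpose), checks logman's exit code after each step, and confirms with logman query that the collector is actually running. Server, log and output names are placeholders.

```powershell
# Added example (not from the original post): create and start a circular
# binary perf log with logman, checking each step. Names are placeholders.
param(
    [string]$Server  = 'SERVERNAME',
    [string]$LogName = 'PerfBaseline',
    [string]$OutDir  = 'e:\perflogs'
)

# Constructed sample counter list; logman -cf expects one counter path per line.
$counterFile = Join-Path $env:TEMP 'counters.config'
@(
    '\Processor(_Total)\% Processor Time'
    '\Memory\Available MBytes'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
) | Set-Content -Path $counterFile -Encoding ASCII

function Invoke-Logman {
    param([string[]]$Arguments)
    # Run logman and stop on the first failing step so a half-created
    # collector (created but never started) does not go unnoticed.
    & logman.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "logman $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Same options as the post: binary circular log, 300 MB cap, 3 s interval,
# file versioning turned off (--v), counters read from the config file.
Invoke-Logman @('create', 'counter', $LogName, '-s', $Server, '-f', 'bincirc',
                '-max', '300', '-si', '3', '--v',
                '-o', (Join-Path $OutDir $LogName), '-cf', $counterFile)

Invoke-Logman @('start', $LogName, '-s', $Server)

# Confirm the collector reports Running before walking away from it.
$status = & logman.exe query $LogName -s $Server
if ($status -notmatch 'Running') {
    Write-Warning "$LogName on $Server is not running:`n$($status -join "`n")"
} else {
    Write-Host "$LogName is running on $Server (circular, 300 MB, 3 s interval)."
}
```

The query step matters more than it looks: logman create succeeds as soon as the collector definition exists, so a typo in a counter path or an unreachable output directory often only shows up when the start fails or the collector stops on its own.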
NETCAP + NETMON – Useful command line tool to interface and automate netmon captures.
https://support.microsoft.com/?id=310875
PROCESS EXPLORER – Useful for looking at a process's dependencies and the open handles it holds. Handy when a file is in use and you're not sure what's still holding on to it.
https://www.sysinternals.com/Utilities/ProcessExplorer.html
PSEXEC – Used to spawn processes (such as cmd.exe) on remote servers
https://www.sysinternals.com/utilities/psexec.html
Example:
'Open up a cmd.exe process on a remote server for command line access
psexec \\servername cmd.exe
REGMON – Same as FILEMON except for the registry. Useful for hunting down config keys that a process may be using, or understanding registry access behaviors.
https://www.sysinternals.com/Utilities/Regmon.html
ROBOCOPY – Very “robust” file copy tool for mirroring data trees in restartable mode
W2K3 Resource Kit: https://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
Example:
'Mirror c:\foo to d:\foo, copying security attributes, in restartable mode with a maximum of 10 retry attempts if the destination becomes unavailable
robocopy c:\foo d:\foo *.* /MIR /SEC /Z /R:10
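As an added example that is not part of the original post, this PowerShell function runs the same mirror as above and decodes robocopy's exit code, which is a bitmask rather than a plain success/failure value. It adds /W:5 (retry wait), /NP (no per-file progress) and /LOG to the post's switches; the log path and the source and destination folders are placeholders.

```powershell
# Added example (not from the original post): run the post's robocopy mirror
# and decode its exit-code bitmask so a scheduled job fails only on real errors.
function Invoke-RoboMirror {
    param(
        [Parameter(Mandatory)] [string]$Source,
        [Parameter(Mandatory)] [string]$Destination,
        [string]$LogFile = (Join-Path $env:TEMP 'robocopy-mirror.log')
    )

    # Same switches as the post (/MIR /SEC /Z /R:10) plus a log file, a short
    # retry wait and no per-file progress output. /MIR deletes destination
    # files that no longer exist in the source, so check the paths first.
    $null = & robocopy.exe $Source $Destination *.* /MIR /SEC /Z /R:10 /W:5 /NP "/LOG:$LogFile"
    $code = $LASTEXITCODE

    # robocopy returns a bitmask, not 0/1:
    #   1 = files copied, 2 = extra files in destination, 4 = mismatched files,
    #   8 = some files failed to copy, 16 = fatal error (bad paths, access denied).
    # Codes below 8 are normal outcomes of a mirror and must not fail the job.
    $summary = [ordered]@{
        Copied     = [bool]($code -band 1)
        Extras     = [bool]($code -band 2)
        Mismatched = [bool]($code -band 4)
        Failed     = [bool]($code -band 8)
        Fatal      = [bool]($code -band 16)
        ExitCode   = $code
        Log        = $LogFile
    }

    if ($summary.Fatal -or $summary.Failed) {
        Write-Error "robocopy $Source -> $Destination reported errors (exit code $code); see $LogFile"
    }
    return [pscustomobject]$summary
}

# Usage: mirror the post's paths and inspect the decoded result.
Invoke-RoboMirror -Source 'c:\foo' -Destination 'd:\foo' | Format-List
```

When robocopy runs under schtasks, treating any non-zero exit code as a failure produces constant false alarms, because a successful mirror that copied anything returns 1; the decoded Failed and Fatal bits are the ones worth alerting on.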
SCHTASKS.EXE – used for managing scheduled tasks.
Ships with Windows.
Example:
'Create a job named JOBNAME that runs "cscript \\server\unc\script.vbs" at 5:00AM every day on the SERVERNAME machine
schtasks /CREATE /F /TN JOBNAME /TR "cscript \\server\unc\script.vbs" /ST 05:00 /SC DAILY /S SERVERNAME
SSLDIAG – used for troubleshooting SSL cert issues on an IIS server. Will quickly point out any problems with the SSL configuration (IIS config, cert problem, cert store problem)