

Top 10 Topics for MSCOM Ops…The TOOL MAN Cometh!! (Part 3)

Well, we were rummaging around in our collective toolbox and came up with the following:

FILEMON – Used for tracking down which processes are accessing particular files or particular drives on your system.
https://www.sysinternals.com/Utilities/Filemon.html

KERNRATE – Very useful for tracking down (right down to the line of code) which module in a usermode process or system driver is causing high CPU usage on a machine.

https://www.microsoft.com/downloads/details.aspx?FamilyID=d6e95259-8d9d-4c22-89c4-fad382eddcd1&DisplayLang=en
Example:

'General kernel sampling to determine which driver is consuming CPU cycles on a specific CPU

kernrate -m 0x1

'Zoom in on a particular module that is shown as consuming a high number of cycles from the general kernel sampling. Note: symbol path is needed to resolve function names

kernrate -z foodriver -z ntdll -j srv*c:\symbols*https://msdl.microsoft.com/download/symbols

'General usermode sampling on a particular process (using the PID) to see which modules are consuming CPU cycles

kernrate -p 1234

'Zoom in on a particular module that is shown as consuming a high number of cycles in a particular usermode process. Note: symbol path is needed to resolve function names

kernrate -z foomodule -z ntdll -j srv*c:\symbols*https://msdl.microsoft.com/download/symbols

LOGMAN – Command line performance log creation / management

Ships with Windows.

Example:

'create a binary circular perf log on SERVERNAME that can grow up to 300MB, logging every 3 seconds and using counters from counters.config on a UNC share

logman create counter <LOGFILE NAME> -s SERVERNAME -f bincirc -max 300 -si 3 --v -o "e:\perflogs\<LOGFILE NAME>" -cf "\\<your_server_name>\Performance\PerflogCollection\counters.config"

'start the log on SERVERNAME

logman start <LOGFILE NAME> -s SERVERNAME
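A small cmd wrapper around the logman workflow above, added here as an example (it is not from the original post), that takes a counter log through its whole life cycle: writing a constructed counters file, then create, start, status, stop and delete. SERVERNAME, the e:\perflogs path and the counters file location are placeholders.

```batch
@echo off
REM Added example, not from the original post: a cmd wrapper around the logman
REM workflow above covering the whole life cycle of a counter log.
REM Assumptions: SERVERNAME, e:\perflogs and the counters file path are placeholders.
setlocal
set LOGNAME=MSCOMPerf
set TARGET=SERVERNAME
set COUNTERS=\\SERVERNAME\Performance\PerflogCollection\counters.config
set OUTDIR=e:\perflogs
if /I "%~1"=="counters" goto :counters
if /I "%~1"=="create"   goto :create
if /I "%~1"=="start"    goto :start
if /I "%~1"=="status"   goto :status
if /I "%~1"=="stop"     goto :stop
if /I "%~1"=="delete"   goto :delete
echo usage: %~nx0 counters ^| create ^| start ^| status ^| stop ^| delete
exit /b 2

:counters
REM Constructed sample counter list, one counter path per line (the -cf file format).
REM %% is needed because a single % is the batch variable delimiter.
echo \Processor(_Total)\%% Processor Time> "%COUNTERS%"
echo \Memory\Available MBytes>> "%COUNTERS%"
echo \PhysicalDisk(_Total)\Avg. Disk Queue Length>> "%COUNTERS%"
echo \Web Service(_Total)\Current Connections>> "%COUNTERS%"
exit /b 0

:create
REM Binary circular log, 300 MB ceiling, 3 s sample interval, file versioning off (--v).
logman create counter %LOGNAME% -s %TARGET% -f bincirc -max 300 -si 3 --v -o "%OUTDIR%\%LOGNAME%" -cf "%COUNTERS%"
if errorlevel 1 (
    echo create failed: check whether %LOGNAME% already exists with "logman query -s %TARGET%"
    exit /b 1
)
exit /b 0

:start
logman start %LOGNAME% -s %TARGET%
exit /b %errorlevel%

:status
REM Reports Running/Stopped and the output path for the collection.
logman query %LOGNAME% -s %TARGET%
exit /b %errorlevel%

:stop
logman stop %LOGNAME% -s %TARGET%
exit /b %errorlevel%

:delete
REM A collection has to be stopped before it can be deleted.
logman stop %LOGNAME% -s %TARGET% >nul 2>&1
logman delete %LOGNAME% -s %TARGET%
exit /b %errorlevel%
```

Run it with one verb at a time (counters, then create, then start); the create step checks logman's exit code so a name clash on the target is reported instead of silently producing no log.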

NETCAP + NETMON – Useful command line tool to interface and automate netmon captures.

https://support.microsoft.com/?id=310875

PROCESS EXPLORER – Useful for looking at a process's dependencies and any open handles a process has. Handy in cases where a file is in use and you're not sure what's still holding on to it.

https://www.sysinternals.com/Utilities/ProcessExplorer.html

PSEXEC – Used to spawn processes (such as cmd.exe) on remote servers

https://www.sysinternals.com/utilities/psexec.html

Example:

'Open up a cmd.exe process on a remote server for command line access

psexec \\servername cmd.exe

REGMON – Same as FILEMON except for the registry. Useful for hunting down config keys that a process may be using, or understanding registry access behaviors.

https://www.sysinternals.com/Utilities/Regmon.html

ROBOCOPY – Very “robust” file copy tool for mirroring data trees in restartable mode

W2K3 Resource Kit: https://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Example:

'mirror c:\foo to d:\foo, copying security attributes, in restartable mode with a maximum of 10 retry attempts if the destination becomes unavailable

Robocopy c:\foo d:\foo *.* /MIR /SEC /Z /R:10

SCHTASKS.EXE – used for managing scheduled tasks.

Ships with Windows.

Example:

'Create a job named JOBNAME that runs "cscript \\server\unc\script.vbs" at 5:00AM every day on the SERVERNAME machine

schtasks /CREATE /F /TN JOBNAME /TR "cscript \\server\unc\script.vbs" /ST 05:00 /SC DAILY /S SERVERNAME

SSLDIAG – used for troubleshooting SSL cert issues on an IIS server. Will quickly point out any problems with the SSL configuration (IIS config, cert problem, cert store problem)

https://www.microsoft.com/downloads/details.aspx?FamilyId=CABEA1D0-5A10-41BC-83D4-06C814265282&displaylang=en