Wednesday, August 10, 2005
Monitoring and Troubleshooting Using Event Logs (EventCombMT)
The event logs on Windows systems are useful both for troubleshooting when things go wrong and for monitoring performance and behavior. An event log is a file that contains events: entries that record some occurrence relating to the operating system or to applications running on the system. Each event records the type of occurrence, the date and time it occurred, the computer where it happened and the user who was logged on at the time, plus the event ID, the event category and the source of the event. Events may also carry further detail about the occurrence and, sometimes, a link to where more information can be found.
continued url-> http://www.windowsnetworking.com/pages/article_p.asp?id=330
To download the EventCombMT utility, visit the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e
Note: The EventCombMT utility is included in the Account Lockout and Management Tools download (ALTools.exe).
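What EventCombMT does, pulling one event ID out of the Security log of several machines into a single table, can also be done from PowerShell. The function below is an added example, not code from the original post or from the EventCombMT tool; it assumes PowerShell 3 or later, remote Event Log access over RPC, and administrative rights on the target machines. The computer names in the usage line are placeholders; event ID 4740 is the account-lockout event on Windows Server 2008 and later.

```powershell
# Added example (not from the original post): gather one or more event IDs from the
# Security log of several machines into one table, the job EventCombMT was written for.
# Assumes PowerShell 3+, RPC access to the remote Event Log service and admin rights.
function Search-SecurityEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,          # placeholders in the usage below
        [Parameter(Mandatory)] [int[]]    $EventId,
        [datetime] $StartTime = (Get-Date).AddDays(-1),
        [string]   $LogName   = 'Security'
    )
    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
                LogName = $LogName; Id = $EventId; StartTime = $StartTime
            }
        } catch {
            # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
            # Anything else (host unreachable, access denied) is reported rather than hidden,
            # because a DC you could not read is a gap in the search, not a clean result.
            if ($_.Exception.Message -like 'No events were found*') { $events = @() }
            else { Write-Warning "$computer : $($_.Exception.Message)"; continue }
        }
        foreach ($e in $events) {
            # Read EventData fields by name from the event XML, so the code does not depend
            # on the positional field order of one particular event ID.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Computer    = $computer
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                TargetUser  = $data['TargetUserName']       # the account the event is about
                Fields      = $data                         # all named EventData fields
                Summary     = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Account lockouts (4740) from the last 24 hours across three placeholder domain controllers,
# oldest first, the way EventCombMT would present them in one combined report.
Search-SecurityEvent -ComputerName 'DC01', 'DC02', 'DC03' -EventId 4740 |
    Sort-Object TimeCreated |
    Format-Table Computer, TimeCreated, Id, TargetUser, Summary -AutoSize
```

Pipe the output to Export-Csv instead of Format-Table to keep a record of the search; the Fields hashtable carries every named value from the event, so the same function works for other IDs (failed logons, password changes) without editing the parser.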
Change Default Folder for Explorer
You can change the location Windows Explorer opens to. By default it opens to My Documents, which is often not the folder you want to see. To point it elsewhere, right-click the Windows Explorer shortcut, choose Properties, change the target from "%SystemRoot%\explorer.exe" to "%SystemRoot%\explorer.exe /n,/e,[location]" and press OK. The next time you click the shortcut, it spawns a new Explorer window opened at that location; for example, with C:\MyFiles as the location, the window opens at C:\MyFiles.
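The same change made from a script rather than the Properties dialog, as an added example that is not part of the original tip: it writes the shortcut through the WScript.Shell COM object and refuses a location that is not an existing folder, so a typo does not produce a shortcut that silently opens somewhere else. The shortcut path and the folder are placeholders.

```powershell
# Added example (not from the original tip): create or rewrite an Explorer shortcut so it
# opens at a chosen folder. Assumes Windows PowerShell with the WScript.Shell COM object.
function New-ExplorerShortcut {
    param(
        [Parameter(Mandatory)] [string] $Location,                        # folder Explorer should open at
        [string] $ShortcutPath = "$env:USERPROFILE\Desktop\Explorer.lnk"  # placeholder .lnk location
    )
    # Explorer falls back to a default folder when the argument is not a real directory,
    # so check it here instead of discovering the mistake on first click.
    if (-not (Test-Path -LiteralPath $Location -PathType Container)) {
        throw "Not an existing folder: $Location"
    }
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)   # loads an existing .lnk or starts a new one
    $lnk.TargetPath   = "$env:SystemRoot\explorer.exe"
    # /n opens a new window, /e shows the folder tree, the last token is the folder to open.
    $lnk.Arguments    = "/n,/e,$Location"
    $lnk.IconLocation = "$env:SystemRoot\explorer.exe,0"
    $lnk.Save()
    $lnk
}

New-ExplorerShortcut -Location 'C:\MyFiles'
```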
Monday, August 08, 2005
Utility determines what runs automatically at startup
url-> http://searchwinsystems.techtarget.com/tip/1,289483,sid68_gci1113528,00.html?track=NL-120&ad=524993
One common complaint about Windows is that there is no one central location where programs can be triggered to run automatically at startup or login.
To be fair, this complexity is unavoidable because of the number of things that depend in some way on a startup process: the shell, the user login, the system's auto-started services and programs that need to run after login to complete an installation process. Most of the programs that have allowed a user to explore what's started automatically by the system have been limited to a few Registry locations, but don't really cover the whole picture.
Now we have Autoruns, a utility courtesy of the geniuses at Sysinternals, Mark Russinovich and Bryce Cogswell. Autoruns scans the Registry keys and file-system locations that determine which programs start automatically at boot or login, and returns them all in a comprehensive, interactive and tab-organized report. The report lists each Registry entry as well as the path to the executable image (if any) that the entry refers to.
Here's a quick overview of the categories Autoruns covers:
Logon: Everything that runs when the current user logs in, including the shell itself (typically explorer.exe).
Services: All automatically started system services, including whatever summary information is available about that service.
Explorer: Extensions loaded into Explorer itself, which includes shell extensions. If you hide all Microsoft-signed extensions (one of the program's options), you can see a list of all third-party shell add-ons -- useful for debugging problems with Explorer that can arise if a troublesome shell extension is installed and never removed correctly.
Internet Explorer: Extensions loaded by IE. If you hide all Microsoft-signed code, you can use this list to determine if an allegedly removed third-party add-on is still present in IE and causing problems -- or if there are third-party add-ons you never authorized to be installed.
Scheduled Tasks: Any programs set by the Task Scheduler.
Boot Execute: Executables that run early in the boot process, such as disk checking tools.
Image Hijacks: A very esoteric and powerful category of auto-run. The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key in the Registry allows you to provide custom execution options for specific program images; a Debugger value under an image's subkey makes Windows start that program whenever the image is launched, so any entry you did not create yourself deserves a close look.
AppInit: DLLs listed in the AppInit_DLLs value, which are loaded into every process that loads user32.dll.
KnownDLLs: DLLs registered with the system as described in Microsoft Knowledge Base Article 164501; also used to disambiguate 16- and 32-bit editions of DLLs.
Winlogon: All tasks run at Windows logon, regardless of the user.
Winsock Providers: All network protocols loaded by the system. Some malicious software programs like to install their own network components here, so browsing this list can be useful if you suspect you've been infected by such a program.
Right-clicking on any entry will let you launch a Google search on that item, as well as look for the corresponding image name in Sysinternals' excellent Process Explorer. There's also a command-line version in addition to the GUI version, which can generate text reports, and the program runs on both 32- and 64-bit editions of Windows.
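To make the categories above concrete, here is a PowerShell function that walks a subset of the same locations Autoruns reports (Logon, Winlogon, Image Hijacks, AppInit, Boot Execute and Services) and checks the Authenticode signature of each image so Microsoft-signed entries can be filtered out, the way the "hide Microsoft entries" option does. This is an added example written for this page, not Autoruns' own code or a substitute for it: it does not cover Explorer and Internet Explorer extensions, scheduled tasks, KnownDLLs or the Winsock catalog, and it does not resolve the ServiceDll behind svchost-hosted services. It assumes PowerShell 3 or later, local administrator rights for the HKLM keys, and that Get-AuthenticodeSignature can validate catalog-signed OS files (older systems may report those as NotSigned).

```powershell
# Added example (not Autoruns' code): enumerate a subset of the autostart locations Autoruns
# reports and record the signer of each image. Assumes PowerShell 3+ and local admin rights.
function Get-AutostartEntry {
    [CmdletBinding()]
    param()
    $entries = New-Object System.Collections.Generic.List[object]

    # Pull the image out of a command line, resolve bare names against %SystemRoot% and
    # System32, and check its Authenticode signature so Microsoft entries can be filtered.
    function Add-Entry([string]$Category, [string]$Location, [string]$Name, [string]$Value) {
        $image = $null
        if     ($Value -match '^\s*"([^"]+)"')  { $image = $Matches[1] }
        elseif ($Value -match '^\s*([^\s,]+)') { $image = $Matches[1] }
        $signer = 'n/a'
        if ($image) {
            $image = [Environment]::ExpandEnvironmentVariables($image)
            if (-not [IO.Path]::IsPathRooted($image)) {
                $found = foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
                    foreach ($n in @($image, "$image.exe")) {
                        $p = Join-Path $dir $n
                        if (Test-Path -LiteralPath $p -PathType Leaf) { $p }
                    }
                }
                if ($found) { $image = @($found)[0] }
            }
            if (Test-Path -LiteralPath $image -PathType Leaf) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $image
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned ($($sig.Status))" }
            } else { $signer = 'image not found' }   # dangling or odd entry: inspect by hand
        }
        $entries.Add([pscustomobject]@{ Category = $Category; Location = $Location
                                        Name = $Name; Value = $Value; Signer = $signer })
    }
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # Logon: Run/RunOnce for the machine and the current user (Wow6432Node is where
    # 32-bit applications register on 64-bit Windows).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notin $skip) { Add-Entry 'Logon' $key $p.Name ([string]$p.Value) }
        }
    }

    # Winlogon: Shell and Userinit; the defaults are "explorer.exe" and
    # "<SystemRoot>\system32\userinit.exe," and anything else runs at every logon.
    $wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wlp = Get-ItemProperty -Path $wl
    foreach ($n in 'Shell', 'Userinit') { Add-Entry 'Winlogon' $wl $n ([string]$wlp.$n) }

    # Image Hijacks: a Debugger value under IFEO\<image> makes Windows start that program
    # (with the original command line appended) instead of the named image.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
        if ($dbg) { Add-Entry 'Image Hijacks' $sub.PSPath $sub.PSChildName ([string]$dbg) }
    }

    # AppInit: DLLs loaded into every process that loads user32.dll. Since Windows Vista the
    # list is only honoured when LoadAppInit_DLLs is 1, so that flag is recorded alongside.
    $win  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $winp = Get-ItemProperty -Path $win
    foreach ($dll in ($winp.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        Add-Entry 'AppInit' $win "AppInit_DLLs (LoadAppInit_DLLs=$($winp.LoadAppInit_DLLs))" $dll
    }

    # Boot Execute: native programs Session Manager runs before the Win32 subsystem exists.
    # The default is "autocheck autochk *"; the "autocheck" prefix is stripped so the image
    # (autochk.exe in System32) can be resolved and signature-checked.
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    foreach ($cmd in @((Get-ItemProperty -Path $sm).BootExecute)) {
        Add-Entry 'Boot Execute' $sm 'BootExecute' ([string]$cmd -replace '^autocheck\s+', '')
    }

    # Services: everything set to start automatically. svchost-hosted services show the host
    # binary here; the real code is the ServiceDll under the service's Parameters key, which
    # Autoruns resolves and this example does not.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'") {
        Add-Entry 'Services' 'Win32_Service' $svc.Name ([string]$svc.PathName)
    }
    $entries
}

# Roughly Autoruns' "hide Microsoft entries": drop everything carrying a valid signature whose
# subject is Microsoft. Autoruns verifies the certificate chain; matching the subject string is
# a shortcut for this example, so treat the remaining rows as a starting list, not a verdict.
Get-AutostartEntry | Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Format-Table Category, Name, Value, Signer -AutoSize
```

Entries whose Signer reads "image not found" are the ones to look at first: an autostart value pointing at a file that no longer exists is either leftover from a bad uninstall, as the article describes, or a path an attacker can fill in later.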