Problem Solving

Problem-solving PC issues with different tools. Windows Sysinternals can help admins manage, diagnose, troubleshoot and monitor a Windows environment.

AccessChk and AccessEnum: Used to enumerate Windows user rights and privileges
Process Explorer (most popular): Used for probing Windows processes and killing hung ones that Windows Task Manager can’t seem to handle (Options > Configure Highlighting)
Process Monitor: For monitoring real-time activity such as file reads and registry queries
PsTools: To control remote Windows systems
RootkitRevealer: For finding Windows-based rootkits
ShareEnum: For enumerating Windows shares on the network
TCPView: To determine what’s using specific TCP connections
DiskMon: A hard disk activity light which comes in handy for troubleshooting things on computers that don’t have one
Autoruns: Displays what runs at startup and breaks startup components down by category, differentiating among services, drivers, gadgets, etc.
Active Directory Explorer: Used to troubleshoot, query and modify Active Directory, take point-in-time snapshots and compare snapshots side by side
LogonSessions: For viewing active logon sessions and associated processes
PsLoggedOn: For viewing users logged onto local and remote sessions
VMMap: For analyzing virtual and physical memory utilization of suspect processes
OldCmp: JoeWare tool to remove aged computer accounts lingering in Active Directory and produce a report
WSName: Automates computer renaming; scripting admins can even rename remotely
mRemoteNG: Remote connections manager that also supports all sorts of protocols, including RDP, VNC, ICA, SSH, TELNET, HTTP, rlogin and raw socket connections
Memtest86 (or, in Win 7, Win Server 2008 and above, the built-in tool: go to Start > Administrative Tools > Windows Memory Diagnostic)
Specops Gpupdate: Remotely executes a restart, shutdown, wake on LAN, Group Policy update within the ADUC console and WSUS client update, speeding up patch management
○ RAMMap ○ Windows System Control Center (Sysinternals GUI) ○ Disk2vhd
Process Explorer:
○ You can see what’s running, categorised as Jobs, which represent background and OS processes. Items in purple are Packed Images, which contain compressed code (iexplore.exe). The blue item (csrss.exe) is the selected item in the display pane. Yellow indicates a relocated DLL or a .NET process (sidebar.exe is the latter).
○ One option that’s not turned on by default is Verify Image Signatures. It’s worth turning this on so Process Explorer checks the digital signatures of all the executables it detects, which helps you spot when malware, adware and other uninvited software running on your PC is causing problems.
○ Checking for locked files or folders: search for the filename in question.
○ Using the filter features, which are found within the Tools menu. The Count Occurrences option counts the number of times a particular value has occurred: select a column, click on a value in that column and click the Count button to see how many times that value has occurred. Double-clicking the item filters the output to show only those occurrences. There is even a highlighting feature that calls attention to certain events.

PSInfo: (PSTools collection)
○ First, make sure that the Remote Registry service is running on the target PC. PsInfo works on Windows XP or higher and on Windows Server 2003 and above.
○ You can use the tool to, for example, determine which patches are installed on a desktop or how much free disk space a desktop has. If you want to see which hotfixes have been applied to a desktop, use the command PSInfo -H.
○ Enabling the Remote Registry service doesn’t create an unobstructed pipe into the remote machine. You still have to provide the appropriate credentials to access the remote desktops, by way of the -U switch (username) and the -P switch (password). If you are targeting multiple remote machines, the credentials you provide must be valid for all of the target desktops.
○ The -S switch displays a list of the applications installed on the PC, the -D switch displays disk volume information and the -C switch writes the output as a CSV file.
Windows 7 CMDs:
FOR /L %i IN (1,1,254) DO netsh -r 192.168.1.%i advfirewall show allprofiles >192.168.1.%i.firewallstate.txt
Checking the IP addresses on the local system
○ ipconfig /all (Displays IP, MAC, GW, DHCP, etc) ○ ipconfig /release (releases IP) ○ ipconfig /renew (acquires new IP)
Clearing the DNS cache on the local computer
○ ipconfig /flushdns ○ ipconfig /displaydns  ○ net start (or stop) dnscache
Querying group policy settings
○ gpresult /R (Displays resultant set of policy) ○ gpresult /S computername /U username /P password /R ○ gpresult /H filename.html (Export HTML-formatted view)
Refreshing group policy settings
○ gpupdate /force
Shutting down a computer
○ shutdown /s
○ shutdown /m \\computername /s (remote computers)
○ shutdown /r (performs shutdown and restart)
○ shutdown /a (aborts a shutdown)
○ shutdown /r /t 120 /c "Shutting Down for maintenance" /f /d p:4:1
Query the audit settings
○ auditpol /get /category:* ○ auditpol /get /category:* /r (outputs results to CSV format)
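An added example, not from the original notes, that reads the CSV written by auditpol /get /category:* /r and reports subcategories that fall short of a baseline; the REQUIRED map, the sample rows, the machine name and the GUID column are constructed for this example and are not real values.

```python
import csv
import io

# Constructed sample in the layout of `auditpol /get /category:* /r`; the machine
# name and GUID column are placeholders, the real output lists every subcategory.
SAMPLE_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST-PLACEHOLDER,System,Logon,{GUID-PLACEHOLDER},Success and Failure,
HOST-PLACEHOLDER,System,Logoff,{GUID-PLACEHOLDER},Success,
HOST-PLACEHOLDER,System,Account Lockout,{GUID-PLACEHOLDER},No Auditing,
HOST-PLACEHOLDER,System,Process Creation,{GUID-PLACEHOLDER},No Auditing,
"""

# Assumed baseline for this example: the outcomes each subcategory should record.
REQUIRED = {
    "Logon": {"Success", "Failure"},
    "Logoff": {"Success"},
    "Account Lockout": {"Failure"},
    "Process Creation": {"Success"},
    "Credential Validation": {"Success", "Failure"},
}

def outcomes(setting):
    """Turn an Inclusion Setting string into the set of outcomes it audits."""
    if setting == "No Auditing":
        return set()
    return {word for word in setting.split() if word in ("Success", "Failure")}

def parse_auditpol(csv_text):
    """Return {subcategory: inclusion setting} from auditpol /r CSV text."""
    rows = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    return {r["Subcategory"]: r["Inclusion Setting"] for r in rows if r.get("Subcategory")}

def missing_audit(csv_text, required=REQUIRED):
    """(subcategory, current setting) pairs that fall short of the baseline."""
    current = parse_auditpol(csv_text)
    gaps = []
    for sub, wanted in required.items():
        if sub not in current:
            gaps.append((sub, "not in output"))
        elif not wanted <= outcomes(current[sub]):
            gaps.append((sub, current[sub]))
    return gaps
```

To check a real system, redirect the command above to a file and pass that file's text to missing_audit; replace REQUIRED with the organisation's own audit baseline.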
Trigger a Windows Update detection cycle
○ wuauclt /detectnow (Client typically checks with Microsoft or WSUS every 22 hours)
Query the status of services
○ sc query state= all
○ sc \\computername query state= all (remote computers)
○ sc query service_name (queries a specific service)
○ sc qc service_name (obtains configuration information for a specific service)
○ sc \\computername stop service_name (stops a service on a remote computer)
○ sc \\computername start service_name (starts a service on a remote computer)
Query the status of the Windows Firewall
○ netsh advfirewall show allprofiles
○ netsh -r computername advfirewall show allprofiles (Note: Remote Registry access must be available on the remote computer for this command to work.)
○ netsh advfirewall set allprofiles state off (turns off the firewall for all profiles)
○ netsh -r computername advfirewall set publicprofile state on (turns on the remote computer’s firewall for the public profile)
○ netsh -r computername advfirewall set privateprofile state off (turns off the remote computer’s firewall for the private profile)
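The FOR /L sweep above writes one 192.168.1.N.firewallstate.txt per host. The following added example (not part of the original notes) parses those netsh advfirewall show allprofiles files and reports every profile that is OFF or whose default policy does not block inbound; the sample output is constructed to match the command's layout, and the file naming follows the sweep.

```python
import re
from pathlib import Path
# Constructed sample of one 192.168.1.N.firewallstate.txt written by the sweep
# above (layout of `netsh advfirewall show allprofiles`, trimmed to two keys).
SAMPLE_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
Ok.
"""
_HEADER = re.compile(r"^(\w+) Profile Settings:\s*$")
def parse_profiles(text):
    """Return {profile: {setting: value}} from netsh advfirewall output."""
    profiles, current = {}, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group(1)
            profiles[current] = {}
            continue
        if current is None or not line.strip() or line.startswith("-"):
            continue
        # Settings print as "Name<spaces>Value": split on the first run of 2+ spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            profiles[current][parts[0]] = parts[1]
    return profiles

def weak_profiles(text):
    """Profiles that are OFF or whose default policy does not block inbound."""
    return [name for name, s in parse_profiles(text).items()
            if s.get("State", "").upper() != "ON"
            or not s.get("Firewall Policy", "").startswith("BlockInbound")]

def sweep(directory):
    """Map each host file from the FOR /L loop (192.168.1.N) to its weak profiles."""
    return {p.name.split(".firewallstate")[0]: weak_profiles(p.read_text(errors="replace"))
            for p in sorted(Path(directory).glob("*.firewallstate.txt"))}
```

Run sweep(".") in the folder where the FOR /L loop wrote its files; hosts that map to an empty list have every profile on and blocking inbound.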
Developer OneNote: A Developer OneNote book for Microsoft Windows, Server and Cloud technology
Disable standby/sleep:
powercfg.exe is a Windows built-in tool to configure power management. Because powercfg.exe is a command-line utility, it is easy to integrate into scripts.
○ Turn hibernation off:

powercfg -hibernate OFF

○ Set the power configuration to High Performance:

powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

○ Set the absentia power scheme (the scheme used when no one is logged in):

powercfg.exe -setabsentia 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

Software

Site: windirstat.net
Description: WinDirStat: Windows Directory Statistics


Site: TechTarget.com
Description: IT admin’s guide to the Sysinternals suite (Sysinternals Process Monitor and Process Explorer)