Debugging an application using Sysinternals Procmon and Procexp

Captions
Hi, this is Scott Hanselman. I wanted to show you some debugging techniques that I used today with my buddy Phil Haack, because I don't think that people necessarily know that all these tools exist, or maybe they don't use them effectively. So I'll kind of walk you through some of the debugging that we did and what we used. This isn't the kind of WinDbg low-level hex dump type debugging; this is more a reminder that Windows isn't a black box, and a reminder that most things aren't a black box, so knowing that you can peek in and ask the question "what exactly is going on here?" is really important.

So the thing that we were debugging was: on Windows, when you have GitHub for Windows installed on your machine, you can hover over this button here; it says "Clone in Desktop". I'm in Google Chrome here, but it doesn't matter what browser you're in. It says "Clone in Desktop", and if you notice in the lower left corner there, it says github-windows://openRepo. So that's some protocol, colon slash slash. You notice that that's not HTTP; that is an application-specific protocol handler. Say what you will, some people think it's a good idea, some people think it's not, but it allows a browser to launch out into another external application. If you notice, I click "Clone in Desktop" and nothing happens. OK, so that feature is not working for me.

So the first thing I did is I went to the registry. I want to go and run regedit, bring that over here, and I went looking for github-windows, and I found it here. What they say is HKCU, or HKEY_CURRENT_USER\Software\Classes\github-windows\shell\open\command. That is where the application-specific protocol handler points out, and because GitHub for Windows is what's called a ClickOnce application, it's not installed in C:\Program Files; it's installed down in AppData, in an Apps folder, way, way, way down here. Now, when you pass in the parameters to that open command, that's here at %1. So if I go to Run and I type in %APPDATA%, the environment variable, OK, that will drop me into Roaming, which is AppData\Roaming, not AppData\Local; I want to be here, under Local, in Apps\2.0, yada yada yada. These are all my ClickOnce applications, OK? This one here is e54..., so it's this version, right, and there's the executable right there. So first, a confirmation that this file exists.

Here's another little tip for you: if you hold down Shift (right now I'm holding Shift) and I hit right-click, because I held down Shift, "Copy as path" appeared. If I just right-clicked, it's not there. Shift + right-click, "Copy as path". Now I could go and bring up, say, Notepad and paste that in there; so I copied that as a path. Nice little tip there. I could then go and paste that into Run and hit Enter, and that then runs GitHub for Windows. That proves that I can run GitHub for Windows, so that's a useful thing to know: prove that the thing can in fact run. But "Clone in Desktop" is still not doing anything, so what's going on?

Well, I wanted to run a thing called Process Monitor. This is a thing that's done by Sysinternals, written by Mark Russinovich and Bryce Cogswell years and years ago, and it has been updated many times since. This is what you run when you don't have the source code for something and you want to know what's going on in either the registry, the file system, on the network, or any kind of process or thread activity, any kind of window messages and stuff that's going on. So you have a black box; for me the black box is GitHub for Windows. I don't have the source code to that, OK, so I want to know what's going on. But if I turn on capture right here in the corner, watch what happens. See the events? We are literally getting tens of thousands of events a second. So if I stop it after just running that for a few seconds, I've already got almost a quarter of a million events, and I'm only seeing 30,000 of them because there are just so many of these.

So what we can do is we can right-click and say "Exclude". There's two ways to do this: you can simply exclude them all and then include the ones you want, but I'm gonna do process of elimination. So right now I'm recording this with Camtasia; I'm gonna hit "Exclude". I know that I have NVIDIA backend, that's my NVIDIA card, that's not used; Task Manager, not bothering me; more NVIDIA stuff, exclude; call burner for recording, don't need that; Dropbox, don't care. So I'm just excluding stuff that looks suspicious, and by suspicious I mean has nothing to do with what I'm doing, you know, Outlook or whatever. OK, so there's just GitHub. NW stream, we'll get rid of this as well. I'm gonna then clear this out and click it, a couple of other things: this search protocol handler, we've got a script running in the background there, we don't need that; spooler; iCloud. And again, if I wanted to I could do the exact opposite of this, OK, that would be to exclude everything and then turn this one on, but I just want to give you a way to get a lot fewer events. So, nope, there we go. I'm gonna go ahead and stop this before we start it again. All right, I can also filter; I can say just show me file system activity, just show me network activity.

I'm gonna now go back over to Chrome, and we'll put Chrome on the right and we'll have Process Monitor on the left. You can get Process Monitor over at sysinternals.com, but one of the other things that people don't realize about Sysinternals is that you can actually visit live.sysinternals.com, and rather than going through a download site or worrying about downloads, you can go and grab that right off the bat. You just go and say live.sysinternals.com, or go to the Run menu (this is great) and type in whack-whack, that means backslash backslash: \\live.sysinternals.com\tools, and this is a live read-only file system out there in the world. You can just hit it on the open Internet if you're running a Windows machine, and you can run these utilities directly from here. So, another good thing to know.

All right, so what we're gonna do is I'm gonna turn this on, hit "Clone in Desktop", meaning turn this on and then reproduce the problem and then turn it off, OK? There's a hotkey, Ctrl+E. So Ctrl+E, do the thing, Ctrl+E. All right, now we have only 67,000 events in that short amount of time, but let's see what we can learn. So we see here Chrome doing stuff, doing stuff, here GitHub Windows shows up. What we can do is we can actually hit "Highlight" and we can say where Path contains, for example, "github-windows". Get a little highlighting action there. So we see Chrome looking in the registry, opening up a registry key, getting successful read access, getting that value out, OK? So Chrome's looking at the registry. Now Chrome's looking around the registry for other stuff, looking for other window handlers, and the Explorer now has gone and found that protocol handler. This doesn't necessarily mean that there's multiple lines of code; this means that this is what Windows is doing underneath in order to get Chrome what it needs, get the answer that it needs. Now notice this right here: Chrome calls Process Create. Let's look at that path, see Process Create right there, Process Start. These are window messages, and I can actually collect this, see: Load Image, Process Create, Process Start. Let's do a little filter action there. Now Chrome's off doing other stuff; GitHub now starts loading itself, loading up .NET, see, open file. So GitHub getting itself ready, looking at the .NET frameworks, figuring out what versions are there; the fusion loader is coming in, and we can go in, query and highlight as much or as little of this as we want. So what we've already learned is that GitHub.exe does start up; even though we don't see it happen, it does start up, OK? So that's interesting. That proved that it's not Chrome's fault, and it proved that it's not necessarily a bad registry key.

All right, again, I was still getting started here; I want to exclude a few more things that don't matter. We see there's some cryptography stuff happening, which makes sense, that GitHub for Windows would start caring about that stuff. Now we're getting into native images, so it's starting to load up the actual native images that .NET needs: System.Windows.Forms, System.Drawing, here's all the different things that it's gonna need. It's looking for policies as far as .NET loading, and the fusion loader was resolving all of these assemblies. All of this information available to you to query. All right, and then it gets up to here, libgit2sharp, and we just see some weird stuff, a couple of odd names, some weirdness, but the point is GitHub.exe just stops. That's the last that we hear of it. Chrome doesn't care; Chrome's off doing another thing. So that's kind of odd. We'll close Process Monitor, go back over here, and we can see that "Clone in Desktop" is not working.

So now, rather than Process Monitor, let's go and try Process Explorer, procexp. This is kind of a Task Manager on steroids, and what's great about this is not just similar things like highlighting and coloring (you can see that these ones that are yellow are actually .NET applications), but I can click and sort and get a tree view. So these are showing which process started another sub-process, so you can see here services started svchost, and that svchost caused these services to start, and we can close this up and look for stuff, see the things that Explorer started. OK, now look at this, this is weird: there is a GitHub.exe floating around, alive, that I didn't start, or maybe I did and it hung. Let's sort, look at that, there's a bunch of GitHub.exes that are sitting around really kind of doing nothing. So something got started and is not visible. So let's get rid of them; I'll hit Delete, OK, so I'm hitting Delete. So there, now there is nothing Git or GitHub related that's running, and then I'll go and hit "Clone in Desktop". Now it's a little bit slow, so that's an interesting thing. One thing that that's telling me, kind of as a technical user, is that that's a long startup; say from the moment I clicked "Clone in Desktop" to the moment where GitHub for Windows started is rather long. But I think what the bug here is, is that if there's a GitHub for Windows running in the background, or one that kind of got lost or got confused, or maybe it had a sub-process like Git itself that got stuck but you can't see it, when you hit "Clone in Desktop", GitHub for Windows, the next version, starts up, looks around, sees another one already running, and then leaves. So that gives me, as a technical user, more information to give to the GitHub for Windows team.

Now, one other thing that's worth pointing out is that you can actually see the command lines for each of these processes. So let's go and start up GitHub for Windows again, trying this one more time, hit "Clone in Desktop", then coming over here, seeing what got started up right there. Now I can actually pause this, OK, I can hit spacebar and pause. So here's GitHub right there; I can look at these properties and see who started it, what path it came from, hit Explore, go right there. Much, much more powerful, a little heavier, but much more powerful than Task Manager. I can look at the command line that started it, the current directory, and if I want to, if I'm running as administrator, watch this: we'll go here and we'll say File, Show Details for All Processes. I'll hit yes; I'm now running Process Explorer again, this time as administrator. I'll right-click, Properties, look: so there's your .NET assemblies, which ones are dynamic, which ones were loaded native, which ones are loaded off disk and from where. We can get into what AppDomains are there, look at the performance counters. It's just really a lovely, lovely debugging tool that I don't think people use enough; disk and I/O and things like that, all specific to this. I can also, if I'm worried, see, I can hit "Bring to Front" if it's hidden out there somewhere, or even kill that process. So I've just made GitHub poof, go away.

Now I want to see where my... now that's interesting. I'm going to do that again, so watch this. I'm gonna close this up. This is a little bit subtle; I want to put Process Explorer off to the side because it's going to go fast. It looks like there's two GitHubs that start up now. There's a moment when you're gonna see a green and then you're gonna see a red. Watch: "Clone in Desktop". There's one, there's the other, and see, so two GitHub for Windows start up, and then they look like they talk to each other and one goes away. Let's do it one more time: there's one, there's two. I just hit spacebar to pause it, so check this out: here's the one that is leaving, here's GitHub, look at that, -u github-windows:. So they passed the protocol handler on the command line, see right there, -u; remember this, -u equals %1, OK? And it looks like there's another one that gets launched. It's not clear to me; I thought that perhaps this one launched the other, but it looks like two got launched and I don't see that one is the parent of the other. So that's interesting to me. Again, I don't know anything about this application, but if I hit space, now there is one running and here it is. So all of this I can take off to GitHub and give them as a bug report; I can give them more information that maybe they didn't have. From here also I could say "Create Dump", create a full dump or a mini dump of that process in a weird state. Say "Create Dump", put that somewhere and give that to the team. You can also do that in Task Manager; you can find something, right-click, say "Create dump file". The difference with Process Explorer being that I can right-click and do either a full dump or a mini dump, which is nice.

So between Process Explorer and Process Monitor you get a lot more insight into what's going on with your applications than I think most people are aware of. So if you're a programmer, if you're debugging, spend a little bit of time with these tools. I have literally just scratched the surface, but I wanted to let you know that I use them all the time; they make me happy. Your Windows machines are not black boxes, so please do explore them, and subscribe to my YouTube channel and tell your friends about it. Thanks a lot.
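The Process Monitor triage done by hand in the video (exclude noisy processes, highlight where Path contains github-windows, then read the parent, child and command line off the Process Create event) can be scripted against a Procmon CSV export. This is an added example, not code from the video or from Sysinternals; the log rows, process names, PIDs and paths are constructed, and the ClickOnce folder hash is a placeholder.

```python
"""Triage a Process Monitor CSV export (File > Save, CSV format)."""
import csv
import io
import re

# Constructed sample in Procmon's CSV export column layout. Paths, PIDs
# and timestamps are made up; <hash> stands in for the ClickOnce folder.
SAMPLE_CSV = '''Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,nvbackend.exe,4100,RegQueryValue,HKLM\\SOFTWARE\\NVIDIA\\Global,SUCCESS,Type: REG_DWORD
10:01:02.101,chrome.exe,2200,RegOpenKey,HKCU\\Software\\Classes\\github-windows,SUCCESS,Desired Access: Read
10:01:02.102,chrome.exe,2200,RegQueryValue,HKCU\\Software\\Classes\\github-windows\\shell\\open\\command\\(Default),SUCCESS,Type: REG_SZ
10:01:02.103,Dropbox.exe,3300,CreateFile,C:\\Users\\scott\\Dropbox,SUCCESS,Desired Access: Read
10:01:02.110,chrome.exe,2200,Process Create,C:\\Users\\scott\\AppData\\Local\\Apps\\2.0\\<hash>\\GitHub.exe,SUCCESS,"PID: 5100, Command line: ""GitHub.exe"" -u ""github-windows://openRepo/example"""
10:01:02.200,GitHub.exe,5100,Load Image,C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll,SUCCESS,Image Base: 0x70000000
'''

# The processes the video right-clicks and excludes (process of elimination).
NOISE = {"nvbackend.exe", "Dropbox.exe"}

def parse_procmon_csv(text):
    """One dict per event, keyed by the export's column headers."""
    return list(csv.DictReader(io.StringIO(text)))

def exclude_processes(events, noise=NOISE):
    """Drop events from processes that have nothing to do with the problem."""
    return [e for e in events if e["Process Name"] not in noise]

def path_contains(events, needle):
    """Procmon's 'Highlight where Path contains ...' step (case-insensitive)."""
    needle = needle.lower()
    return [e for e in events if needle in e["Path"].lower()]

# Procmon writes Process Create details as: PID: <child>, Command line: <args>
CREATE_RE = re.compile(r"PID: (\d+), Command line: (.*)")

def process_creates(events):
    """Parent -> child relationships plus the child's command line, which is
    where the %1 argument from the protocol handler registry key shows up."""
    out = []
    for e in events:
        if e["Operation"] != "Process Create":
            continue
        m = CREATE_RE.match(e["Detail"])
        if not m:
            continue
        out.append({"parent": e["Process Name"], "parent_pid": int(e["PID"]),
                    "child_pid": int(m.group(1)), "image": e["Path"],
                    "command_line": m.group(2)})
    return out

if __name__ == "__main__":
    kept = exclude_processes(parse_procmon_csv(SAMPLE_CSV))
    for e in path_contains(kept, "github-windows"):
        print(e["Process Name"], e["Operation"], e["Path"])
    for c in process_creates(kept):
        print(f"{c['parent']}({c['parent_pid']}) -> PID {c['child_pid']}: {c['command_line']}")
```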
Info
Channel: Scott Hanselman
Views: 96,010
Keywords: Winternals (Business Operation), Process Monitor, Process Explorer (Software), Debugging (Quotation Subject)
Id: pjKNx41Ubxw
Length: 18min 21sec (1101 seconds)
Published: Sat Jun 20 2015