Event ID 4226

Every time I have come across this event:
Event ID 4226
Description

TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

it has been tied to some type of malware/virus. You can confirm which process is responsible with

netstat -no

Look at the last column (PID) for a PID that owns a lot of connections. You'll see what I mean in the following screenshot:

Netstat showing established or half-opened connections

Now that you have the PID (2064 in this case), fire up Task Manager or grab Sysinternals' Process Explorer (http://live.sysinternals.com/procexp.exe) and start investigating!
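To make the "PID with a lot of connections" check repeatable, here is an added example (not from the original post) that tallies `netstat -no` rows per PID and singles out the process with the most half-open (SYN_SENT) connect attempts, which is what the 4226 limit is counting. The sample output and its PIDs are constructed; feed real `netstat -no` output on stdin instead.

```python
# Added example (not from the original post): tally `netstat -no` rows per PID so
# the process behind Event ID 4226 (too many concurrent connect attempts) stands out.
import re
import sys
from collections import Counter

# Constructed sample of `netstat -no` output; addresses are documentation ranges.
SAMPLE = """Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1025        198.51.100.7:80        ESTABLISHED     1192
  TCP    192.0.2.10:1031        203.0.113.15:445       SYN_SENT        2064
  TCP    192.0.2.10:1032        203.0.113.16:445       SYN_SENT        2064
  TCP    192.0.2.10:1033        203.0.113.17:445       SYN_SENT        2064
  TCP    192.0.2.10:1034        203.0.113.18:139       SYN_SENT        2064
  TCP    192.0.2.10:1040        198.51.100.9:443       ESTABLISHED     2064
  UDP    0.0.0.0:500            *:*                                    816
"""

# Proto, local, remote, state, PID; UDP rows carry no state and never match.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def count_by_pid(text):
    """Return (all_tcp, syn_sent) Counters keyed by PID; LISTENING rows are skipped."""
    all_tcp, syn_sent = Counter(), Counter()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _local, _remote, state, pid = m.groups()
        if state == "LISTENING":
            continue  # a listener is not a connect attempt
        all_tcp[int(pid)] += 1
        if state == "SYN_SENT":  # half-open: these are what the 4226 limit counts
            syn_sent[int(pid)] += 1
    return all_tcp, syn_sent

def top_offender(text, min_syn_sent=3):
    """PID with the most half-open connections, or None if none reach the floor."""
    _, syn_sent = count_by_pid(text)
    if not syn_sent:
        return None
    pid, n = syn_sent.most_common(1)[0]
    return pid if n >= min_syn_sent else None

if __name__ == "__main__":  # usage: netstat -no | python netstat_pids.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(count_by_pid(data), "suspect PID:", top_offender(data))
```

The floor of three SYN_SENT sockets is an arbitrary constructed threshold; a busy browser can legitimately sit above it, so treat the result as a lead for Process Explorer, not a verdict.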

UPHCleanup, Handle, ProcExp vs. NTUSER.DAT

The infamous:

Windows cannot load the user’s profile but has logged you on with the default profile for the system.

This was received on a Windows Server 2003 Terminal Server (non-roaming profile) when I logged in this morning. I *really* grumble when I see these errors.

My first thought was NTUSER.dat and NTUSER.dat.LOG files were locked.
This server has User Profile Hive Cleanup which is supposed to combat this during a user log off and make sure handles are closed to the files in the user’s profile.

First things first, I grabbed Process Explorer from the Sysinternals website. I know from previous experience that in the application you can search for a file and close its handle, so I got to work.

I fired up ProcExp and searched for NTUSER.dat then sorted by handle.

I double-clicked on NTUSER.DAT and then right-clicked and chose Close Handle.

Ah damn, didn’t work.  (Shocking?  Pfft.)

Next, I decided to grab Sysinternals' handle command-line tool.

C:\CMDS>handle -u ntuser.dat|find /i rkreider
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       27D4: C:\Documents and Settings\rkreider\ntuser.dat.LOG
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       2B9C: C:\Documents and Settings\rkreider\NTUSER.DAT

I need the PID and the handle value (hex) from the output above, then I could try to close it:

C:\CMDS>handle -c 27D4 -p 4
Handle v3.46
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com
 27D4: File  (---)   C:\Documents and Settings\rkreider\ntuser.dat.LOG
Close handle 27D4 in System (PID 4)? (y/n) y
Handle closed.
C:\CMDS>handle -c 2b9c -p 4
Handle v3.46
Copyright (C) 1997-2011 Mark Russinovich
Sysinternals - www.sysinternals.com
 2B9C: File  (---)   C:\Documents and Settings\rkreider\NTUSER.DAT
Close handle 2B9C in System (PID 4)? (y/n) y
Handle closed.

Now, you'd think it would be closed, right, since 'handle' told me so? Let's check!

C:\CMDS>handle -u ntuser.dat|find /i rkreider
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       27D4: C:\Documents and Settings\rkreider\ntuser.dat.LOG
System             pid: 4      type: File          NT AUTHORITY\SYSTEM       2B9C: C:\Documents and Settings\rkreider\NTUSER.DAT

Aaaiiieee! It didn’t work. =(

I decided to make sure UPHClean.exe was running (User Profile Hive Cleanup) with a quick

tasklist | find /i uphclean.exe

I saw that it was running, so I decided to just restart the service.

After I restarted the service, I once again used handle to quickly locate the files using:

handle -u ntuser.dat | find /I rkreider

BINGO!

It was gone. So, what is the root problem here? UPHClean not doing its job? *shrug*

Open Windows Registry at Specific Key

Ever needed to jump to a specific registry key?
Regedit doesn't allow you to do this natively; when launched, regedit opens at the last location it had open. So you could set that entry with reg in a batch script, Windows shell script, or some other form and then run regedit, but it's quicker with Microsoft's 'regjump' tool from Sysinternals.
Here's an example VBScript that prompts you for the path you want to go to, sets the last-used key and then launches regedit.

Set WshShell = CreateObject("WScript.Shell")
Dim JumpToKey
JumpToKey = InputBox("Which registry key would you like to open?")
' Regedit reads this value on startup and opens at that key
WshShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Lastkey", JumpToKey, "REG_SZ"
' 1 = show the window normally, True = wait for regedit to exit
WshShell.Run "regedit", 1, True
Set WshShell = Nothing

Or, go the easy route and grab RegJump from Sysinternals!
Sysinternals' RegJump (ZIP): http://download.sysinternals.com/Files/Regjump.zip
Sysinternals' RegJump (EXE): http://live.sysinternals.com/regjump.exe
RegJump Usage

regjump HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
regjump HKCU\Software\Microsoft\Windows

Abbreviations

HKCR - HKEY_CLASSES_ROOT
HKCU - HKEY_CURRENT_USER
HKLM - HKEY_LOCAL_MACHINE
HKU - HKEY_USERS
HKCC - HKEY_CURRENT_CONFIG

Considerations
One thing you might consider doing if you use Regjump is to set up an environment variable, for example REGJUMP=C:\path\to\regjump.exe. Then you can use Regjump from the 'Start Search' box in, say, the Windows Vista/7 Start Menu.

Enable XP Remote Administration through Firewall

This isn’t going to be detailed…
Get PsExec from SysInternals (http://live.sysinternals.com/psexec.exe)

psexec \\remoteComputerName cmd /c netsh firewall set service RemoteAdmin

This runs the "netsh" command on the remote system to enable RemoteAdmin through the firewall. I ran into this problem when I couldn't run netsh from a 2003 box to control the remote XP system. Strange. No time to research it any further right now.

Disk2VHD: Create a virtual disk of live system

Another great tool from Mark Russinovich at Sysinternals that I just discovered: Disk2VHD.

Disk2vhd is a utility that creates VHD (Virtual Hard Disk – Microsoft’s Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows’ Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different than ones being converted).

After creating a VHD, you can create a virtual machine and attach your VHD. Very slick. Especially since you can run this on a live system!

Official Site
Direct Download (Official Site)