Monday, February 9, 2015

Lesson 5: Using Process Monitor to Troubleshoot and Find Registry Hacks

In today’s edition of Geek School we’re going to teach you how to use Process Monitor to actually accomplish troubleshooting and figuring out registry hacks that you would not know about otherwise.
Process Monitor is one of the most impressive tools that you can have in your toolkit, as there is almost no other way to see what an application is actually doing under the hood. It is the only way to know which files are being written to by which process, where settings are stored in the registry, and which processes are reading them.
We’ll start off with today’s lesson by looking at how to find registry keys using Windows setting dialogs and Process Monitor, and then we’ll go through an actual troubleshooting scenario that we encountered on one of our computers in the lab, and easily solved using Process Monitor.

Using Process Monitor to Find Registry Keys for Common Settings

Everybody has clicked a checkbox or changed the value of a drop-down box at some point, but have you ever wondered where those values are actually stored? The settings of many applications, and virtually every setting in Windows, are stored in the Registry… somewhere.
For today’s example we’re going to use the first option on the first pane of Taskbar and Navigation Properties, which is a dialog that should exist in all versions of Windows. So now our mission is to figure out where that setting is actually stored in the registry. You can follow along with this particular setting, or you can try one of the other settings on the same dialog — or anywhere else you’d like to find the hidden setting location for.
The first thing you’ll want to do whenever trying to capture a set of data is to launch Process Monitor, and then change the setting. At that point you can stop Process Monitor from continuing to capture events, so the list doesn’t get out of control. (Hint: the File menu has the option, or it’s the third icon from the left).
Now that we’ve got a ton of data in the list, it’s time to filter the list to reduce the number of rows that we’re going to have to look through. Since we’re looking at a registry value that is being changed, we’ll need to filter by “RegSetValue”, which is the operation Windows records whenever a process writes a new value into a registry key. Use the “Include” option to show only those events.
Your list should now be limited to just the registry values that were written, so it’s time to take a look at the events and try to figure out which registry key it might be. Since we’re checking the “Lock the Taskbar” setting, and one of the registry values being set includes the word “Taskbar” in its name, that’s a good place to start. Right-click on the path and choose Jump To to open that location.
Process Monitor will open up the Registry Editor and highlight the key in the list. Now we need to make sure that this is actually the right key, which is pretty easy to figure out. Take a look at the setting, and then take a look at the key. Right now the setting is on, and the key is set to 0.
So change the setting, hit Apply on the dialog, and then use the F5 key to refresh the Registry Editor window. In our case we definitely picked the right setting, so now you can see that the TaskbarSizeMove value is set to 1.
If you didn’t pick the right value, you won’t see a change when you do the setting test again. So go and find the next logical one, and start over.
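The same filter-then-verify procedure can be scripted against a Process Monitor CSV export (File > Save, CSV format). This is an added example, not part of the original lesson: the export rows are constructed for illustration, and the full path of the TaskbarSizeMove value (under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced) is the location the Jump To step lands in on a typical system.

```powershell
# Constructed sample of a Process Monitor CSV export, using Procmon's default
# column names. The rows are made up for this example.
$procmonCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1","explorer.exe","4120","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced","SUCCESS","Desired Access: Read/Write"
"10:15:01.2","explorer.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarSizeMove","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:01.3","explorer.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects3\Settings","SUCCESS","Type: REG_BINARY, Length: 48"
"10:15:01.4","svchost.exe","900","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTime","SUCCESS","Type: REG_QWORD, Length: 8"
'@

# Same effect as Procmon's Include filter on Operation = RegSetValue, followed by
# the "does the path mention Taskbar?" narrowing done by eye in the lesson.
function Find-SettingWrites {
    param([string]$Csv, [string]$Keyword)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.Operation -eq 'RegSetValue' -and $_.Path -match [regex]::Escape($Keyword) } |
        Select-Object 'Process Name', Path, Detail
}

# Read the current data of a value from its Procmon-style path. Procmon writes
# HKCU\..., while the PowerShell registry provider expects HKCU:\..., so rewrite the hive.
function Get-RegValueData {
    param([string]$ProcmonPath)
    $key  = (Split-Path $ProcmonPath -Parent) -replace '^(HKCU|HKLM)\\', '$1:\'
    $name = Split-Path $ProcmonPath -Leaf
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

$candidates = @(Find-SettingWrites -Csv $procmonCsv -Keyword 'Taskbar')
$candidates | Format-Table -AutoSize

# Confirm the first candidate the way the lesson does with F5: note the data,
# toggle the setting and click Apply, then read it again. A value that does not
# move is the wrong key, so try the next candidate.
$path   = $candidates[0].Path
$before = Get-RegValueData $path
Read-Host "Data of $path is '$before'. Toggle the setting, click Apply, then press Enter"
$after  = Get-RegValueData $path
if ($before -ne $after) { "Confirmed: $path changed from $before to $after" }
else                    { "No change at $path; try the next candidate" }
```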

Troubleshooting Problems with Process Monitor

It’s not really possible to illustrate in a single article how to troubleshoot any problem with Process Monitor, or any other tool for that matter. There are just way too many combinations of issues that could possibly go wrong.
What we can do, however, is show how we actually used Process Monitor to troubleshoot a real problem that actually happened to one of our test computers. We had been installing some crapware, and then decided to try and clean the computer up. The problem was an entry in the Uninstall Programs panel that just wouldn’t go away.
Every time you would click to Change so you could remove it, you’d get an error that said “An error occurred while trying to uninstall AwfulApp. It may have already been uninstalled. Would you like to remove AwfulApp from the Programs and Features list?”.
That would have been great, except we then got an error that said “You do not have sufficient access to remove OutfoxTV from the Programs and Features list. Please contact your system administrator.”
The first thing to do was try the uninstall process again with Process Monitor running, which captured an enormous amount of data. This time we decided to use the Find feature (CTRL + F) to quickly find what we were looking for in the list. You could also use a Filter if you wanted, but this seemed simple, and luckily it worked the first time.
After taking a look at the first item in the list, we noticed an error: Windows was attempting to access the registry keys related to the uninstaller, but they weren’t actually in the registry in the first spot that Windows was looking. If you look a couple of keys down though, you’ll see a RegOpenKey event with a SUCCESS result for something under HKLM\Software\Wow6432Node.
Doing a search by that registry key very quickly landed us at the source of the problem: an ACCESS DENIED message when Windows tried to do the cleanup for the list using the RegDeleteKey operation. Interesting!
The first thing to do was use the Jump To feature to find the key in the registry and take a look.
Sure enough, look at all those registry keys over there! No wonder it is still appearing in the list.
Just to be sure, we opened up the C:\Program Files\ directory to see if any of the files were still around, but clearly the app had been wiped off the PC already.
The solution was very simple: we just manually deleted the registry key that Windows had problems deleting. If we had received an access denied message in the Registry Editor as well, we could have used the Permissions setting to make sure that we had access to the key, and then tried again.
Luckily the delete worked immediately, and our Uninstall Programs list was now clear.
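The same triage can be done from a Process Monitor CSV export of the failed uninstall: pull out the refused registry operation, look at the key's permissions (the information behind the Permissions dialog), and remove the orphaned entry with a preview first. This is an added example, not part of the original lesson; the export rows and the AwfulApp key under the Wow6432Node Uninstall branch are constructed for illustration.

```powershell
# Constructed sample of the relevant rows from a Procmon CSV export of the failed uninstall.
$procmonCsv = @'
"Process Name","Operation","Path","Result"
"explorer.exe","RegOpenKey","HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\AwfulApp","NAME NOT FOUND"
"explorer.exe","RegOpenKey","HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AwfulApp","SUCCESS"
"explorer.exe","RegDeleteKey","HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AwfulApp","ACCESS DENIED"
"explorer.exe","RegCloseKey","HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AwfulApp","SUCCESS"
'@

# Every registry operation that was refused, one row per key: the ACCESS DENIED on
# RegDeleteKey that the lesson found with CTRL+F.
function Find-DeniedRegistryOps {
    param([string]$Csv)
    $Csv | ConvertFrom-Csv |
        Where-Object { $_.Result -eq 'ACCESS DENIED' -and $_.Operation -like 'Reg*' } |
        Select-Object 'Process Name', Operation, Path -Unique
}

# Procmon writes HKLM\...; the PowerShell registry provider expects HKLM:\...
function ConvertTo-ProviderPath {
    param([string]$ProcmonPath)
    $ProcmonPath -replace '^(HKLM|HKCU)\\', '$1:\'
}

# Owner and access entries of the key, i.e. what the Permissions dialog would show.
function Show-KeyPermissions {
    param([string]$ProcmonPath)
    $key = ConvertTo-ProviderPath $ProcmonPath
    if (-not (Test-Path -LiteralPath $key)) { return "Key not present: $key" }
    $acl = Get-Acl -LiteralPath $key
    "Owner of ${key}: $($acl.Owner)"
    $acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

# Delete the orphaned Uninstall entry. -WhatIf previews the action; the path check
# keeps a typo from removing anything outside an Uninstall branch.
function Remove-OrphanedUninstallKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$ProcmonPath)
    $key = ConvertTo-ProviderPath $ProcmonPath
    if ($key -notmatch '\\CurrentVersion\\Uninstall\\[^\\]+$') { throw "Not an Uninstall entry: $key" }
    if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) { Remove-Item -LiteralPath $key -Recurse }
}

$denied = @(Find-DeniedRegistryOps -Csv $procmonCsv)
$denied | Format-Table -AutoSize
foreach ($entry in $denied) {
    Show-KeyPermissions $entry.Path
    Remove-OrphanedUninstallKey -ProcmonPath $entry.Path -WhatIf   # drop -WhatIf to delete for real
}
```

Run it from an elevated PowerShell session; deleting under HKLM requires administrator rights, which is the same requirement the lesson's manual delete in the Registry Editor had.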
These are just a few of the many ways that you can use Process Monitor – it is an extremely important and useful utility that will take some time to master, but once you do, it can really help you solve many problems.

Next Lesson

Starting on Monday with the next lesson, we’ll examine many of the other utilities in the SysInternals Toolkit, including some of the powerful command line tools.