Sysinternals Forums http://forum.sysinternals.com/ This is an XML content feed of; Sysinternals Forums : Last 10 Posts Sat, 21 Nov 2009 00:43:25 +0000 Fri, 20 Nov 2009 23:52:12 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 9.54 30 forum.sysinternals.com/RSS_topic_feed.asp Sysinternals Forums http://forum.sysinternals.com/forum_images/images_hero_windows_sysinternals.jpg http://forum.sysinternals.com/ Autoruns : Accessing non-working Windows http://forum.sysinternals.com/forum_posts.asp?TID=21181&PID=111921#111921 Author: redhawk
Subject: Accessing non-working Windows
Posted: 20 November 2009 at 11:52pm

Autoruns will only show startup entries from the running Operating System not from a dead one unfortunately.
You can still however use regedit and "Load Hive.." from a dead OS to inspect / modify the registry if you know what to look for.

Richard S.]]> Fri, 20 Nov 2009 23:52:12 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21181&PID=111921#111921 Development : How to make good looking gui, like WMP 11 http://forum.sysinternals.com/forum_posts.asp?TID=20974&PID=111920#111920 Author: BobS0327
Subject: How to make good looking gui, like WMP 11
Posted: 20 November 2009 at 11:46pm

   Check out the custom title bar tutorial using WPF at http://www.dreamincode.net/forums/showtopic121576.htm]]> Fri, 20 Nov 2009 23:46:47 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=20974&PID=111920#111920 Autoruns : Accessing non-working Windows http://forum.sysinternals.com/forum_posts.asp?TID=21181&PID=111919#111919 Author: JonRosenSystems
Subject: Accessing non-working Windows
Posted: 20 November 2009 at 9:54pm

I have a C: drive with a non-working copy of Windows on it and I want to use Autoruns to analyze the copy of C:\Windows. In order to run Autoruns, I'm loading a mini-Windows XP from the CD-ROM, which makes a virtual X: drive for Windows. The problem is that Autoruns analyzes the running version of Windows XP that is using drive X:. Is there a way to have Autoruns select and analyze the startup programs from Windows in another location? I would like to see a menu choice that lets me select the drive or folder with Windows that I want to analyze and edit. ]]> Fri, 20 Nov 2009 21:54:59 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21181&PID=111919#111919 Miscellaneous Utilities : VMMap under 64-bit doesn't show managed heap http://forum.sysinternals.com/forum_posts.asp?TID=20494&PID=111918#111918 Author: sonnyz
Subject: VMMap under 64-bit doesn't show managed heap
Posted: 20 November 2009 at 8:52pm

The problem I've had might be a completely different issue than yours, but you may want to try installing Debugging Tools for Windows. That fixed the issue for me.]]> Fri, 20 Nov 2009 20:52:52 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=20494&PID=111918#111918 Miscellaneous Utilities : VMMap under 64-bit doesn't show managed heap http://forum.sysinternals.com/forum_posts.asp?TID=20494&PID=111917#111917 Author: sonnyz
Subject: VMMap under 64-bit doesn't show managed heap
Posted: 20 November 2009 at 8:31pm

This is happening to me as well, on 32 bit xp. ]]> Fri, 20 Nov 2009 20:31:30 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=20494&PID=111917#111917 Troubleshooting : Windows Live Messenger Problem http://forum.sysinternals.com/forum_posts.asp?TID=18873&PID=111916#111916 Author: kukuleta
Subject: Windows Live Messenger Problem
Posted: 20 November 2009 at 7:59pm

hi, i've similar problem with wlcomm.exe :(

i did this...
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wlcomm.exe" /v Debugger /t REG_SZ /d "c:\program files\debugging tools for windows (x86)\windbg.exe -g" /f

here's the result.

CommandLine: "C:\Program Files\Windows Live\Contacts\wlcomm.exe" -Embedding
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00408000   wlcomm.exe
ModLoad: 7c8f0000 7c9a1000   ntdll.dll
ModLoad: 7c800000 7c8f0000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dc0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 78130000 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
ModLoad: 77c00000 77c58000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 774d0000 7760d000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e360000 7e3f1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77110000 7719b000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 699f0000 69a06000   C:\WINDOWS\system32\faultrep.DLL
ModLoad: 77bf0000 77bf8000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 769b0000 76a64000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 76340000 76350000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 6ff90000 6ffe5000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76f40000 76f48000   C:\WINDOWS\system32\WTSAPI32.dll
ModLoad: 77910000 77a04000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76be0000 76beb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 76370000 7638d000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 62f30000 62f39000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 75520000 7558b000   C:\WINDOWS\system32\USP10.dll
ModLoad: 5aa80000 5ab1f000   C:\Program Files\Windows Live\Contacts\contact.dll
ModLoad: 7c9b0000 7d1c8000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 6f950000 6fa5e000   C:\WINDOWS\system32\ESENT.dll
ModLoad: 773c0000 774c3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5d5e0000 5d67a000   C:\WINDOWS\system32\comctl32.dll
ModLoad: 01060000 0132a000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 76fc0000 7703f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77040000 77103000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 5ed00000 5ed10000   C:\Program Files\Windows Live\Contacts\conproxy.dll
ModLoad: 5ee00000 5ee20000   C:\Program Files\Windows Live\Contacts\consync.dll
ModLoad: 5fc00000 5fc0b000   C:\Program Files\Windows Live\Contacts\wldlog.dll
ModLoad: 59500000 5958f000   C:\Program Files\Windows Live\Contacts\lmcdata.dll
ModLoad: 71aa0000 71ab7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71a90000 71a98000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 746f0000 7473c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 744f0000 74604000   C:\WINDOWS\system32\msxml3.dll
ModLoad: 59800000 59882000   C:\Program Files\Windows Live\Contacts\abssm.dll
ModLoad: 3fa50000 3fb36000   C:\WINDOWS\system32\WININET.dll
ModLoad: 05380000 05389000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 45300000 45432000   C:\WINDOWS\system32\urlmon.dll
ModLoad: 400f0000 402d8000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 10000000 10004000   G:\Program Files\Unlocker\UnlockerHook.dll
ModLoad: 65780000 657a3000   C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll
ModLoad: 71a40000 71a7f000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 77a70000 77b05000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b10000 77b22000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 698d0000 69928000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a80000 71a88000   C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76c20000 76c4e000   C:\WINDOWS\system32\wintrust.dll
ModLoad: 76c80000 76ca8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 767e0000 76808000   C:\WINDOWS\system32\schannel.dll
ModLoad: 76ed0000 76f0c000   C:\WINDOWS\system32\RASAPI32.dll
ModLoad: 76e80000 76e92000   C:\WINDOWS\system32\rasman.dll
ModLoad: 76ea0000 76ecf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e70000 76e7e000   C:\WINDOWS\system32\rtutils.dll
ModLoad: 76b30000 76b5d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 722a0000 722a5000   C:\WINDOWS\system32\sensapi.dll
ModLoad: 71e40000 71e55000   C:\WINDOWS\system32\msapsspc.dll
ModLoad: 78080000 78091000   C:\WINDOWS\system32\MSVCRT40.dll
ModLoad: 75f20000 75f35000   C:\WINDOWS\system32\digest.dll
ModLoad: 74a10000 74a57000   C:\WINDOWS\system32\msnsspc.dll
ModLoad: 78080000 78091000   C:\WINDOWS\system32\MSVCRT40.dll
ModLoad: 77c60000 77c85000   C:\WINDOWS\system32\msv1_0.dll
ModLoad: 76780000 7678c000   C:\WINDOWS\system32\cryptdll.dll
ModLoad: 76d50000 76d69000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 76fb0000 76fb6000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 76f10000 76f37000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 68000000 68036000   C:\WINDOWS\system32\rsaenh.dll
ModLoad: 68100000 68126000   C:\WINDOWS\system32\dssenh.dll
ModLoad: 75cd0000 75d7e000   C:\WINDOWS\system32\inetcomm.dll
ModLoad: 76600000 76622000   C:\WINDOWS\system32\MSOERT2.dll
ModLoad: 06760000 0676e000   C:\WINDOWS\system32\inetres.dll
ModLoad: 75d80000 75e11000   C:\WINDOWS\system32\mlang.dll


after that, msn works fine. but every time i logged in msn, debugging tools runs with it. so i uninstall the debugger. but msn doesnt work again :( so do i have to use debugger when i use msn ?]]> Fri, 20 Nov 2009 19:59:26 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=18873&PID=111916#111916 Disk2vhd : Hang/Blank screen during vhd startup http://forum.sysinternals.com/forum_posts.asp?TID=20914&PID=111915#111915 Author: mrtuba9
Subject: Hang/Blank screen during vhd startup
Posted: 20 November 2009 at 7:49pm

Using Windows Virtual PC and it posts through the BIOS FAST!  I had to pretty much hammer the DEL key in order to get to the BIOS and rearrange the boot order.  F10 to save, I think.]]> Fri, 20 Nov 2009 19:49:43 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=20914&PID=111915#111915 Disk2vhd : Error: Image too large for IDE bus http://forum.sysinternals.com/forum_posts.asp?TID=21164&PID=111914#111914 Author: mrtuba9
Subject: Error: Image too large for IDE bus
Posted: 20 November 2009 at 7:41pm

I too just created a .VHD of a 100 GB partition (Vista) and am getting the same error.  Looking forward to some insight.

EDIT/UPDATE:  I mounted the .VHD with diskpart and when I viewed it in Disk Manager, it told me the disk was offline because it's signature collided with a current disk.  Even though I only made image from the one partition (and was trying to mount it in Win7 on a neighboring partition), Disk Manager saw it as the same disk image, same partition sizes, etc.  So, I think that is at least my issue---trying to mount an image on a different partition of the same physical disk from which my image was made.  Oh well.


Edited by mrtuba9 - Yesterday at 8:13pm]]> Fri, 20 Nov 2009 19:41:12 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21164&PID=111914#111914 Troubleshooting : SVChost using ~40% cpu http://forum.sysinternals.com/forum_posts.asp?TID=21102&PID=111913#111913 Author: zhuki
Subject: SVChost using ~40% cpu
Posted: 20 November 2009 at 6:27pm

the stack log is from the svchost that was causing the lag, and now after reformat theres no such queries in process monitor and looks like everything is running smoothly (hope it stays so)]]> Fri, 20 Nov 2009 18:27:13 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21102&PID=111913#111913 RootkitRevealer Logs : Please check this little log! http://forum.sysinternals.com/forum_posts.asp?TID=21180&PID=111912#111912 Author: andexls
Subject: Please check this little log!
Posted: 20 November 2009 at 6:24pm

HKU\S-1-5-21-790525478-884357618-1177238915-500\Software\Google\Google Desktop\rlz_failure_count 20/11/2009 15:43
4 bytes Data mismatch between Windows API and raw hive data.

HKU\S-1-5-21-790525478-884357618-1177238915-500\Software\IM Providers\MSN Messenger\UpAndRunning 20/11/2009 14:42
4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SECURITY\Policy\Secrets\SAC* 2/5/2009 22:47
0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 2/5/2009 22:47
0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 20/11/2009 15:43
80 bytes Data mismatch between Windows API and raw hive data.


Edited by andexls - Yesterday at 6:26pm]]> Fri, 20 Nov 2009 18:24:53 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21180&PID=111912#111912