Sysinternals Forums > Sysinternals Utilities > Process Monitor

Process Monitor can't run

Intuit (Senior Member, joined 19 August 2006)
Posted: 17 April 2008 at 9:44am
If malware apps and different privileged accounts have been attempted while ProcExp loads but ProcMon won't, there are really only two other likelihoods left. One is permissions on specific registry keys and/or files or directories (or the system/an app locking a file). The other is a background thread locking up a resource.

Have you tried loading the utility under Safe Mode ?

Unseen thread dependencies can halt certain applications from working properly or even loading. An older version of Macro Express injects a MexHook.DLL into almost every process, with the exception of CMD.Exe (so it works). When the MacExp.Exe process bugs out and goes into an endless loop (maxing out the CPU), keyboard input is filtered on every application and Process Explorer can't update its main display, even if MacExp is set to low priority or, of course, paused (the tasktray icon continues updating). Per KrView Win32 profiling, the bugged process appears to be making massive amounts of system calls.

I've also observed similar things with PSExec -S -I -D being able to load when another process is blasting the system with filesystem related calls. For example:

for /l %a in (1,1,10000) do @dir /b %tmp%\*.sys & @dir /b /aa %windir%\system32\drivers\*.sys

will prevent PSExec from continuing until the 10k cycle ends.

This is all on 32-bit Windows 5.12 on a single-core machine. It's possible that 64-bit Windows 6.0, multicore machines may not run into these situations as much.

But the point is, there is probably a kernel/user app that is locking up a resource. I haven't yet had an opportune time to explore its potential, if any, but KrView has an "-X" parameter that may highlight possible deadlocks.

Edited by Intuit - 17 April 2008 at 9:49am
molotov (Moderator Group, joined 04 October 2006)
Posted: 17 April 2008 at 3:28am
Hi Helsie,
 
Not familiar with Softgrid.  But I wonder if Glacialis' request here may have something to do with what you report?
Daily affirmation:
net helpmsg 4006
Helsie (Newbie, Netherlands, joined 16 April 2008)
Posted: 16 April 2008 at 11:47pm

I just had the same problem and found out that I cannot start procmon.exe from a (Softgrid) virtualized application (in my case TotalCommander).

Started it from Windows Explorer: No problems at all.

molotov (Moderator Group, joined 04 October 2006)
Posted: 24 March 2008 at 8:17am
> If there's a particular file date you want me to check, I could let you know.
Please have a look here:
 
> Should I attach the log dump?
It may be helpful, if you don't mind...
 
Out of curiosity, does Process Explorer show that the driver is loaded?  (Select the SYSTEM process, enable DLL View, and try to find procmon11.sys in the lower pane.)
Jimdoria (Newbie, United States, joined 22 March 2008)
Posted: 24 March 2008 at 7:48am
I'm not running any software that would interfere with the ability to load device drivers.
 
I've got SP-4 and most of the latest Windows Updates. I'm not sure if I literally installed Rollup Pack 1, but I've been keeping my system up to date all along so I've probably got the equivalent. If there's a particular file date you want me to check, I could let you know.
 
Filemon shows Procmon successfully creating and eventually deleting the PROCMON11.SYS file. Should I attach the log dump?

I've never had any problems loading device drivers on this account. I'm already running as Admin, but added my user id to the load/unload device drivers policy anyway.  No luck.

molotov (Moderator Group, joined 04 October 2006)
Posted: 22 March 2008 at 4:34pm
Hi Jim,
 
The SYS file (driver) is extracted and loaded at runtime, and then the disk file is deleted once the driver is loaded.  So, it sounds like you have the necessary files (procmon.hlp, procmon.chm, and eula.txt).
 
Have you tried anything else suggested in this topic (using Filemon and Regmon to troubleshoot, adding your account to the "Load and unload device drivers" setting, ensuring that any HIPS-type software is configured to allow Process Monitor to load the driver procmon11.sys, etc.)?
 
Are you running Windows 2000 SP4 with Rollup Package 1 (the supported Windows 2000 configuration)?
Jimdoria (Newbie, United States, joined 22 March 2008)
Posted: 22 March 2008 at 4:17pm
I was having the same issue, so I followed the instructions with psexec. Same thing: I'm getting the "Unable to load Process Monitor device driver" message. I'm on Windows 2000. Both Filemon & Regmon run fine.
 
I only got 2 files in the zip file I downloaded (well, 3 counting EULA.TXT): the program and its help file. Is there a SYS file or something I should have too?
 
Thanks,
molotov (Moderator Group, joined 04 October 2006)
Posted: 24 February 2008 at 8:18pm
Let's try it as SYSTEM...
 
Can you grab psexec, and execute the following from either a CMD prompt, or Start -> Run:
 
C:\<path to>\psexec.exe -s -i -d C:\<path to>\procmon.exe
 
(If <path to> contains spaces, enclose the entire path in quotes.)
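The checks this thread walks through by hand (is the "Load and unload device drivers" privilege in the token, is the procmon driver registered, fall back to running as SYSTEM with psexec), scripted as an added PowerShell example that is not from the thread or from Sysinternals. It assumes whoami.exe and psexec.exe are on PATH, that the driver's service name is PROCMON11 (assumed from the file name procmon11.sys), and uses a placeholder for the procmon.exe path.

```powershell
# Added example (not from this thread or from Sysinternals): pre-flight checks for
# "Unable to load Process Monitor device driver", then the psexec fallback from the thread.
# Assumptions: whoami.exe and psexec.exe are on PATH (whoami.exe is not built into
# Windows 2000), the driver's service name is PROCMON11 (assumed from the file name
# procmon11.sys), and the procmon.exe path is a placeholder.
param(
    [string]$ProcmonPath = 'C:\<path to>\procmon.exe',   # placeholder, replace
    [string]$DriverName  = 'PROCMON11'                    # assumed service name
)

# 1. Is SeLoadDriverPrivilege in this token? The "Load and unload device drivers"
#    policy grants it; whoami /priv prints one line per privilege with its state.
$privLine = whoami /priv | Select-String -Pattern 'SeLoadDriverPrivilege'
if (-not $privLine) {
    Write-Warning 'SeLoadDriverPrivilege is missing from this token (check the policy, or run as SYSTEM).'
} elseif ($privLine.Line -match 'Disabled') {
    Write-Host 'SeLoadDriverPrivilege is present but disabled; a process can enable it itself.'
} else {
    Write-Host 'SeLoadDriverPrivilege is present and enabled.'
}

# 2. Is the driver service registered, and in what state? This is the scripted
#    counterpart of looking for procmon11.sys under SYSTEM in Process Explorer.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='$DriverName'"
if ($drv) {
    Write-Host ('Driver {0}: state={1} path={2}' -f $drv.Name, $drv.State, $drv.PathName)
} else {
    Write-Host "Driver service $DriverName is not registered (expected before Procmon runs; it is created at runtime)."
}

# 3. No privilege in the token: skip the normal launch and go straight to SYSTEM,
#    which is what the psexec -s -i -d command in the thread does.
if (-not $privLine) {
    & psexec.exe -s -i -d $ProcmonPath
} else {
    Start-Process -FilePath $ProcmonPath
}
```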
svncjx (Newbie, joined 19 February 2008)
Posted: 24 February 2008 at 6:58pm
The account I logged in with is administrator; it still can't run.
I created a new administrator account; it still doesn't work.
Thank you!
molotov (Moderator Group, joined 04 October 2006)
Posted: 24 February 2008 at 8:05am
Can you try creating a new user account, adding it to the Administrators group, logging in with that account, and running Process Monitor?