Differences
This shows you the differences between two versions of the page.
|
ep:labs:08 [2018/11/02 12:31] emilian.radoi |
ep:labs:08 [2023/10/30 00:50] (current) ana.grigorescu0809 [03. Process Monitor] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 08 - Test ====== | + | ====== Lab 08 - I/O Monitoring (Windows) ====== |
| + | ===== Objectives ===== | ||
| - | ==== Feedback ==== | + | * Offer an introduction to Windows I/O monitoring. |
| + | * Get you acquainted with a few Windows standard monitoring tools like **Task Manager**, **Windows Performance Recorder**, **Process Monitor**, and **Process Explorer**. | ||
| + | * Learn how to monitor disk activity, identify what is generating it, and figure out what the issue is by looking at the pdbs and the code. | ||
| + | * Take a deeper look into how monitoring tools extract data from processes. | ||
| - | Please take a minute to fill in the **[[https://goo.gl/forms/B9WLG5IYOfMu2ByJ2 | feedback form]]** for this lab. | + | <note important> |
| + | You can download the **Windows 10 VM** via [[https://ctipub-my.sharepoint.com/:u:/g/personal/radu_mantu_upb_ro/EXSrHQMCkWBEpGYseFEmnnABCA1hyb1oGWMUhnnHx8LIdQ?e=I0pxHg | OneDrive]]. | ||
| + | |||
| + | If you need to use VirtualBox, you can use this //.ovf// version to import the VM (just on OneDrive) | ||
| + | [[https://ctipub-my.sharepoint.com/:u:/g/personal/cezar_craciunoiu_upb_ro/EZYR_YFyHx5GiHf5yBNuiyYB-zXhIaTNzJ8o8Ri2M8l5Mw?e=9qxrde | OneDrive]]. | ||
| + | |||
| + | There is also the option to download as a torrent {{:ep:labs:ep_win10_vm.7z.torrent.txt}}. | ||
| + | DokuWiki is not configured to accept //.torrent// files so remove the //.txt// extension. | ||
| + | After that, you know what to do... | ||
| + | |||
| + | Alternatively, you can install the following on your own Windows machine: | ||
| + | * **[[https://go.microsoft.com/fwlink/?linkid=2120254 | ADK]]** - make sure to check //**Windows Performance Analyser**// and //**Windows Performance Recorder**//. | ||
| + | * **[[https://visualstudio.microsoft.com/downloads/ | Visual Studio Community Edition]]** - select //C++ development//. | ||
| + | * **[[https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite | Sysinternals suite]]** | ||
| + | |||
| + | </note> | ||
| + | |||
| + | <note important> | ||
| + | If Visual Studio prompts you with an "Expired" message, you will have to log in with your (university) account. | ||
| + | </note> | ||
| + | |||
| + | |||
| + | ===== Contents ===== | ||
| + | {{page>:ep:labs:08:meta:nav&nofooter&noeditbutton}} | ||
| + | |||
| + | |||
| + | ===== Introduction ===== | ||
| + | |||
| + | As you remember from the Linux Monitoring labs there is an endless list of tools for system analysis. | ||
| + | |||
| + | This is unfortunately not true for Windows. | ||
| + | The system is closed-source and the development of tools is much slower. | ||
| + | |||
| + | The first (and probably most popular), set of tools for system analysis is [[https://docs.microsoft.com/en-us/sysinternals/ | Sysinternals]]. | ||
| + | This was later aquired by Microsoft and it is now their recommended tool for analysis. | ||
| + | The suite contains a wide variety of tools, but we will only concentrate on the widely used ones. | ||
| + | |||
| + | |||
| + | ==== 01. Task Manager ==== | ||
| + | |||
| + | Shows real time information about processes and the system. | ||
| + | To start Task Manager you can use any of the following methods: | ||
| + | * //**Ctrl + Shift + Esc**// | ||
| + | * Right click the taskbar and choose Task Manager | ||
| + | * //**Ctrl + Alt + Del**// and select Task Manager | ||
| + | |||
| + | **Tabs description:** | ||
| + | * **Processes** - shows all the running processes and their current resource usage in terms. | ||
| + | * **Performance** - shows the usage level of the computer's main resources in the last minute. | ||
| + | * **App history** - added with Windows 8, it shows the resource consumption of metro applications. | ||
| + | * **Startup** - shows all the applications that start at start-up and their impact on the boot time. | ||
| + | * **Users** - shows the resource consumption of every logged in user. | ||
| + | * **Details** - shows detailed information about each process. Right-clicking the column headers bar, offers the possibility to add or remove columns. The following columns: Handles, Threads, Image Path Name, and Command Line are useful for especially useful for this laboratory. | ||
| + | * **Services** - shows the service status for all services. A Windows service can be considered similar to a Linux daemon: a process without a visual interface, offering services to user-created processes. | ||
| + | |||
| + | **Conclusions:** | ||
| + | * Task Manager can be used to identify which process uses a lot of RAM, CPU, accesses the disk many times or generates a lot of traffic on the network at a certain moment. | ||
| + | * It does offer some information for longer periods of time, in the Startup tab, which shows what process had higher impact at startup, but does not specify the area that was impacted. | ||
| + | * You can sort by I/O read or I/O Writes, but no there is no option to sort the results by Total I/O (combined Read & Write). | ||
| + | |||
| + | <note> | ||
| + | To overcome Task Manager’s limitations, and to perform a thorough analysis, use the Resource Monitor (Resmon) utility, which is built into Windows. | ||
| + | </note> | ||
| + | |||
| + | ==== 02. Windows Performance Recorder & Analyzer ==== | ||
| + | Windows Performance Recorder (WPR) is used to record the whole activity of the system in a time frame. | ||
| + | Compared to Task Manager, this tool only captures information, without displaying it. | ||
| + | |||
| + | To inspect the captured data you will need to use another tool, Windows Performance Analyzer (WPA). | ||
| + | This combination of tools is most useful when running tests that take hours and constantly watching Task Manager would be impossible. | ||
| + | |||
| + | ==== 03. Process Monitor ==== | ||
| + | Process Monitor is another troubleshooting tool from Windows Sysinternals that displays the files and registry keys that applications access in real-time. | ||
| + | The results can be saved to a log file, which you can send to an expert for analyzing a problem and troubleshooting it. | ||
| + | |||
| + | **How to Use Process Monitor to Track Registry and File System Changes?** | ||
| + | |||
| + | We want to write to the HOSTS file (C:\Windows\System32\drivers\etc\hosts) in order to add new rules. | ||
| + | When we try to do this we encounter an error when saving the file. | ||
| + | |||
| + | Following the steps below (or the video) we can record what causes the error. | ||
| + | Afterwards, we can send it to an expert or search for a fix ourselves. | ||
| + | |||
| + | <html> | ||
| + | <center> | ||
| + | <iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/-3JiM-PPigA" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe> | ||
| + | </center> | ||
| + | <center> | ||
| + | <b>The video covers all 3 parts.</b> | ||
| + | </center> | ||
| + | </html> | ||
| + | |||
| + | ^ Part 1: Running Process Monitor & Configuring Filters ^^ | ||
| + | | **1.** Run the Process Monitor application. || | ||
| + | | **2.** Include the processes that you want to track the activity on. For this example, you want to include Notepad.exe in the (Include) Filters. || | ||
| + | | **3.** Click Add, and click OK. || | ||
| + | | **4.** From the Options menu, click Select Columns. || | ||
| + | | **5.** Under “Event Details”, enable Sequence Number, and click OK. || | ||
| + | |||
| + | <note> | ||
| + | You can add multiple entries as well, in case you want to track more processes along with Notepad.exe. | ||
| + | To keep this example simpler, let’s only track Notepad.exe. | ||
| + | |||
| + | You’ll now see the Process Monitor main window tracking the list of registry and file accesses by processes real-time, as and when they occur. | ||
| + | </note> | ||
| + | |||
| + | ^ Part 2: Capturing Events ^^ | ||
| + | | **6.** Open Notepad. || | ||
| + | | **7.** Switch to Process Monitor window. || | ||
| + | | **8.** Enable the “Capture” mode (if it’s not already ON). You can see the status of the “Capture” mode via the Process Monitor toolbar. || | ||
| + | | **9.** The highlighted button above is the “Capture” button, which is currently disabled. You need to click that button to enable capturing of events. || | ||
| + | | **10.** **Important**: Cleanup the existing events list using Ctrl + X key sequence and start afresh. || | ||
| + | | **11.** Switch back to Notepad. || | ||
| + | | **12.** To reproduce the problem, try writing to the HOSTS file and saving it. Windows offers to save the file with a different name, or in a different location. So, what happens under the hood when you save to HOSTS file? Process Monitor shows that exactly. || | ||
| + | | **13.** Switch to Process Monitor window, and turn off Capturing (Ctrl + E) as soon as you encounter the problem. **Important Note**: You need to do all that as quickly as you can in order to not record unneeded data. || | ||
| + | |||
| + | <note warning> | ||
| + | The log file above tells us that Notepad encountered an ACCESS DENIED error when writing to the HOSTS file. | ||
| + | |||
| + | The solution would be to simply run Notepad elevated (right-click and choose “Run as Administrator”) to be able to write to HOSTS file successfully. | ||
| + | </note> | ||
| + | |||
| + | ^ Part 3: Saving the Output ^^ | ||
| + | | **14.** In the Process Monitor window, select the File menu and click Save. || | ||
| + | | **15.** Select Native Process Monitor Format (PML), mention the output file name and Path, save the file. || | ||
| + | | **16.** Right-click on the Logfile.PML file, click Send To, and choose Compressed (zipped) folder. You can now send it to an expert. || | ||
| + | |||
| + | <note> | ||
| + | To recap, Task Manager shows what processes use the disk intensively at the current time. | ||
| + | |||
| + | Windows Performance Recorder / Windows Performance Analyzer show who used the disk during a longer time period, although they were showing the activity as belonging to the System process instead of our process. | ||
| + | |||
| + | Using Process Monitor we could identify our processes' entire activity and determine why one is slower than the other. | ||
| + | </note> | ||
| + | |||
| + | ==== 04. Process Explorer ==== | ||
| + | Process Explorer is similar to Task Manager in many ways, as both serve the same purpose. | ||
| + | Process Explorer is more verbose and shows much more information about different parts of the system. | ||
| + | |||
| + | Even if it doesn't look as pretty as Task Manager, this tool was developed for Windows 2000 initially. | ||
| + | The Task Manager of Windows 2000 offered much fewer options than the one for Windows 10. | ||
| + | Now, Task Manager and Process Explorer are interchangeable in most cases. | ||
| + | |||
| + | ==== 05. Windows API ==== | ||
| + | The previous chapters cover most cases where we encounter an error, we diagnose it, and identify it. | ||
| + | |||
| + | There is always the very rare case where a tool just doesn't cut it. | ||
| + | In this case we can use the API offered by Windows to extract what information we want from a program and/or the system. | ||
| + | |||
| + | More precisely, we are interested in the [[https://docs.microsoft.com/en-us/windows/win32/psapi/process-status-helper | Process Status API]] from Windows. | ||
| + | This offers basic functionality to extract information from the system and its processes. | ||
| + | |||
| + | We will only briefly go over the functions in the Task, so feel free to try more of the functionality of the API. | ||
| + | |||
| + | ===== Tasks ===== | ||
| + | |||
| + | <note warning> | ||
| + | The tasks can be found for the Windows sessions can be found here: | ||
| + | * New Tasks: {{:ep:laboratoare:lab08-tasks.zip|}} | ||
| + | </note> | ||
| + | |||
| + | {{namespace>:ep:labs:08:contents:tasks&nofooter&noeditbutton}} | ||
