Mark's Blog

Announcing Trojan Horse, the Novel!

2012-05-08T10:00:00Z

Many of you have read Zero Day , my first novel. It’s a cyberthriller that features Jeff Aiken and the beautiful Daryl Haugen, computer security experts that save the world from a devastating cyberattack. Its reviews and sales exceeded my expectations, so I’m especially excited about the sequel, Trojan Horse, which I think is even more timely and exciting. Trojan Horse, like Zero Day, is an action-packed cyberthriller on a global scale, pitting Jeff and Daryl against international forces in a fight...(read more)

The Case of My Mom’s Broken Microsoft Security Essentials Installation

2012-01-05T05:00:00Z

As a reader of this blog I suspect that you, like me, are the IT support staff for your family and friends. And I bet many of you performed system maintenance duties when you visited your family and friends during the recent holidays. Every time I’m visiting my mom, I typically spend a few minutes running Sysinternals Process Explorer and Autoruns, as well as the Control Panel’s Program Uninstall page, to clean the junk that’s somehow managed to accumulate since my last visit. This holiday, though...(read more)

The Case of the Installer Service Error

2011-11-29T06:00:00Z

This case unfolds with a network administrator charged with the rollout of the Microsoft Windows Intune client software on their network. Windows Intune is a cloud service that manages systems on a corporate network, keeping their software up to date and enabling administrators to monitor the health of those systems from a browser interface. It requires a client-side agent, but on one particular system the client software failed to install, reporting this error message: The dialog’s error message...(read more)

Fixing Disk Signature Collisions

2011-11-08T09:00:00Z

Disk cloning has become common as IT professionals virtualize physical servers using tools like Sysinternals Disk2vhd and use a master virtual hard disk image as the base for copies created for virtual machine clones. In most cases, you can operate with cloned disk images unaware that they have duplicate disk signatures. However, on the off chance you attach a cloned disk to a Windows system that has a disk with the same signature, you will suffer the consequences of disk signature collision, which...(read more)

The Case of the Mysterious Reboots

2011-10-03T08:00:00Z

This case opens when a Sysinternals power user, who also works as a system administrator at a large corporation, had a friend report that their laptop had become unusable. Whenever the friend connected it to a network, their laptop would reboot. The power user, upon getting hold of the laptop, first verified the behavior by connecting it to a wireless network. The system instantly rebooted, first into safe mode, then again back into a normal Windows startup. He tried booting the laptop into safe...(read more)

The Case of the Hung Game Launcher

2011-08-02T08:00:00Z

I love the cases people send me where the Sysinternals tools have helped them successfully troubleshoot, but nothing is more satisfying than using them to solve my own cases. This case in particular was fun because, well, solving it helped me get back to having fun. When I have time, I occasionally play PC games to let off steam (pun intended, as you’ll see). One of my favorites over the last few years was the puzzle game, Portal . I enjoyed the first Portal so much that I pre-ordered Portal 2 on...(read more)

Troubleshooting with the New Sysinternals Administrator’s Reference

2011-07-18T11:00:00Z

Aaron Margosis and I are thrilled to announce that the long awaited, and some say long overdue, official guide to the Sysinternals tools is now available ! I’ve always had the idea of writing a book on the tools in the back of my mind, but it wasn’t until a couple of years ago that Dave Solomon , my coauthor on Windows Internals , convinced me to pursue it. After a few false starts, I decided that a coauthor would help get the book done more quickly, and turned to Aaron, a good friend of mine who...(read more)

Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 3

2011-05-10T08:00:00Z

In the first post of this series , I used Autoruns , Process Explorer and VMMap to statically analyze a Stuxnet infection on Windows XP. That phase of the investigation revealed that Stuxnet infected multiple processes, launched infected processes that appeared to be running system executables, and installed and loaded two device drivers. In the second phase , I turned to the Process Monitor trace I had captured during the infection and learned that Stuxnet had launched several additional processes...(read more)

The Zero Day Book Trailer

2011-05-03T11:00:00Z

I just got back the finished version of the video trailer for my new cyber thriller Zero Day , which I think came out awesome! It’s not hard to imagine what a Zero Day movie trailer would look like. Let me know what you think. Zero Day Book Trailer...(read more)

Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 2

2011-04-20T08:00:00Z

In Part 1 I began my investigation of an example infection of the infamous Stuxnet worm with the Sysinternals tools. I used Process Explorer , Autoruns and VMMap for a post-infection survey of the system. Autoruns quickly revealed the heart of Stuxnet, two device drivers named Mrxcls.sys and Mrxnet.sys, and it turned out that disabling those drivers and rebooting is all that’s necessary to disable Stuxnet (barring a reinfection). With Process Explorer and VMMap we saw that Stuxnet injected code into...(read more)

Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1

2011-03-30T08:00:00Z

Though I didn’t realize what I was seeing, Stuxnet first came to my attention on July 5 last summer when I received an email from a programmer that included a driver file, Mrxnet.sys, that they had identified as a rootkit. A driver that implements rootkit functionality is nothing particularly noteworthy, but what made this one extraordinary is that its version information identified it as a Microsoft driver and it had a valid digital signature issued by Realtek Semiconductor Corporation , a legitimate...(read more)

Zero Day is Here!

2011-03-15T09:00:00Z

I’m excited to announce that my first novel, a cyber thriller entitled Zero Day , is now available at all major book retailers! Zero Day is a book in the style of Crichton and Clancy, weaving technical fact into the story. If you like the Sysinternals tools , the articles I post on this blog, are interested in computer security, or just enjoy a heart-stopping thriller, you’ll like Zero Day. You can read a synopsis and a sample chapter, as well as find pointers to on-line book sellers, at the...(read more)

The Case of the Unusable System

2011-03-14T09:00:00Z

This post continues in the malware hunting theme of the last couple of posts as Zero Day availability draws near (it’s available tomorrow!). It began when a friend of mine at Microsoft told me that a neighbor of hers had a laptop that malware had rendered unusable and asked if as a favor I’d be willing to take a look. Her friend was desperate because she had important files, including documents and pictures, on the laptop and had no backup. Unlike most people in the computer industry that view the...(read more)

The Case of the Sysinternals-Blocking Malware

2011-03-08T09:36:00Z

Continuing the theme of focusing on malware-related cases (last week I posted The Case of the Malicious Autostart ) as a lead up to the publication on March 15 of my novel Zero Day , this post describes one submitted to me by a user that took a unique approach to cleaning an infection when faced with the apparent inability to run Sysinternals utilities. More and more often, malware authors target antivirus products and Sysinternals utilities in an effort to maintain their grip on a conquered system...(read more)

The Case of the Malicious Autostart

2011-02-27T00:20:06Z

Given that my novel, Zero Day , will be published in a few weeks and is based on malware’s use as a weapon by terrorists, I thought it appropriate to post a case that deals with malware cleanup with the Sysinternals tools. This one starts when Microsoft support got a call from a customer representing a large US hospital network reporting that they had been hit with an infestation of the Marioforever virus. They discovered the virus when their printers started getting barraged with giant print jobs...(read more)

The Cases of the Blue Screens: Finding Clues in a Crash Dump and on the Web

2011-01-29T15:00:00Z

My last couple of posts have looked at the lighter side of blue screens by showing you how to customize their colors. Windows kernel mode code reliability has gotten better and better every release such that many never experience the infamous BSOD. But if you have had one (one that you didn’t purposefully trigger with Notmyfault, that is), as I explain in my Case of the Unexplained presentations , spending a few minutes to investigate might save you the inconvenience and possible data loss caused...(read more)

Announcing Zero Day, the Novel!

2011-01-23T12:00:00Z

You’ve seen the news if you’re my friend on Facebook , follow me on Twitter , or subscribe to the Sysinternals blog : I’m proud to announce that my first novel, a cyberthriller entitled Zero Day , is due to be published by St. Martin’s Press in mid-March. If you like the Sysinternals tools , the articles I post on this blog, are interested in computer security, or just enjoy a heart-stopping thriller, I think you’ll like Zero Day. You can find out more and pre-order on the Zero Day web site and I...(read more)

“Blue Screens” in Designer Colors with One Click

2011-01-11T20:15:00Z

My last blog post described how to use local kernel debugging to change the colors of the Windows crash screen, also known as the “blue screen of death”. No doubt many of you thought that showing off a green screen of death or red screen of death to your friends and family would be fun, but the steps involved too complicated. Alex Ionescu , one of my coauthors on Windows Internals, 5th Edition (he’s also coauthoring the 6th edition with me and Dave Solomon , which covers Windows 7 and Windows Server...(read more)

A Bluescreen By Any Other Color

2010-12-14T16:00:00Z

Note: for an easier way to customize the blue screen’s colors, see my next blog post, “ Blue Screens in Designer Colors with One Click ”. Seeing a bluescreen that’s not blue is disconcerting, even for me, and based on the reaction of the TechEd audiences, I bet you’ll have fun generating ones of a color you pick and showing them off to your techy friends. I first saw Dan Pearson do this in a crash dump troubleshooting talk he delivered with Dave Solomon a couple of years ago and now close my Case...(read more)

The Case of the Slow Project File Opens

2010-12-07T12:00:00Z

If you’ve seen one of my Case of the Unexplained presentations (like the one I delivered at TechEd Europe last month that’s posted for on-demand viewing ), you know that I emphasize how thread stacks are a powerful troubleshooting tool for diagnosing the root cause of performance problems, buggy behavior, crashes and hangs (I provide a brief explanation of what a stack is in the TechEd presentation). That’s because often times the explanation for a process’s behavior lies in the code it loads, either...(read more)

LiveKd for Virtual Machine Debugging

2010-10-14T07:00:00Z

When Dave Solomon and I were writing the 3 rd edition of the Windows Internals book series Inside Windows 2000 back in 1999, we pondered if there was a way to enable kernel debuggers like Windbg and Kd (part of the free Debugging Tools for Windows package that’s available in the Windows Platform SDK ) to provide a local interactive view of a running system. Dave had introduced kernel debugger experiments in the 2nd edition, Inside Windows NT, that solidified the concepts presented by the book. For...(read more)

The Compound Case of the Outlook Hangs

2010-08-24T08:00:00Z

This case was shared with me by a friend of mine, Andrew Richards, a Microsoft Exchange Server Escalation Engineer. It’s a really interesting case because it highlights the use of a Sysinternals tool I specifically wrote for use by Microsoft support services and it’s actually two cases in one. The case unfolds with a systems administrator at a corporation contacting Microsoft support to report that users across their network were complaining of Outlook hangs lasting up to 15-minutes...(read more)

The Case of the Random IE Crash

2010-06-01T16:37:00Z

While I long for the day when I no longer experience the effects of buggy software, there’s something rewarding about solving my own troubleshooting cases. In the process, I often come up with new techniques to add to my bag of tricks and to share with you in my “ Case of the Unexplained…” presentations and blog posts. The other day I successfully closed an especially interesting case that opened when Internet Explorer (IE) crashed as I was reading a web page: Whenever...(read more)

The Case of the Printing Failure

2010-04-12T17:18:27Z

The most interesting cases I receive are those that demonstrate a unique troubleshooting technique or uncover an interesting root cause. I received this one recently that has both characteristics. The case opened when a systems administrator got a report from a user that they were unable to print from their computer. There was no visible reaction to clicking on a print dialog or menu item, where normally they saw a dialog stating that the document had been sent to the printer and a tray icon appear...(read more)

Pushing the Limits of Windows: USER and GDI Objects – Part 2

2010-03-31T21:03:35Z

Last time , I covered the limits and how to measure usage of one of the two key window manager resources, USER objects. This time, I’m going to cover the other key resource, GDI objects. As always, I recommend you read the previous posts before this one, because some of the limits related to USER and GDI resources are based on limits I’ve covered. Here’s a full index of my other Pushing the Limits of Windows posts: Pushing the Limits of Windows: Physical Memory Pushing the Limits of Windows: Virtual...(read more)