Pages

Thursday, April 13, 2006

Updated lsproc

I've updated lsproc with some small changes. For one, I made a small change to the detection portion of the script.

The other change I made was to output the creation time of the process rather than the FLink/BLink values. In doing so, I ran across some interesting output. Take a look:

Proc 156 176 winlogon.exe 0x01045d60 Sun Jun 5 00:32:44 2005
Proc 156 176 winlogon.exe 0x01048140 Sat Jun 4 23:36:31 2005
Proc 144 164 winlogon.exe 0x0104ca00 Fri Jun 3 01:25:54 2005
Proc 156 180 csrss.exe 0x01286480 Sun Jun 5 00:32:43 2005
Proc 144 168 csrss.exe 0x01297b40 Fri Jun 3 01:25:53 2005
Proc 8 156 smss.exe 0x012b62c0 Sun Jun 5 00:32:40 2005

Looking at the output, most of the processes seem to have been started on Sun, Jun 5...and yet there are a couple of processes that were started well before then. Definitely something to look into.

As with the other tools, the Perl source and a standalone executable for Windows are available in the archive.

2 comments:

  1. Anonymous5:10 AM

    Hi Harlan, here's my comments regarding RAM dump (GUI wrapper around dd.exe)

    1) it dumps memory as expected
    2) thing to improve - it cuts off all error messages from dd.exe to the user neither has its own error handler procedures. And there're dozens of possible errors that can happen - disk is full, you don't have permissions to access destinationetc. In one word - if something goes wrong the user will not know . While when invoked from cmd dd.exe gives appropriate error messages. When error happens when run through your app the underlying console window just closes and in the GUI windows appears "Done".

    Regards, Yuri
    yurisk AT inbox.ru

    ReplyDelete
  2. Yuri,

    Thanks, but I was aware of that. If you can take a look at what I did and suggest something, I'd greatly appreciate it.

    Harlan

    ReplyDelete