• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 554

Process Monitor, how to read logs

I have Process Monitor installed and running, but not sure how to read the logs....
0
wfcrr
Asked:
wfcrr
1 Solution
 
johnb6767Commented:
It might help to know what you are trying to troubleshoot......
0
 
johnb6767Commented:
Process Monitor - Hands-On Labs and Examples
http://blogs.technet.com/b/appv/archive/2008/01/24/process-monitor-hands-on-labs-and-examples.aspx

I have referenced this in the past, might help..... But to know EXACTLY what you are trying to resolve will still be of help to us....
0
 
wfcrrAuthor Commented:
Windows 7 Pro, IE8, two issues. We have a business app that runs in IE8. We have IE8 set to open all new windows in a tab, rather than open a new browser. Not sure if I said that right, but at this time, for example, I have 8 pages up, all in the same browser window, but in 8 separate tabs. The thing that is happening is when I click a link to open an email, an Outlook window opens, but the tab goes blank. If I hit the back arrow, the page comes back. It should do this. It didn't do it when it was XP. Anyway, you posted at length about this in another question on my old account. EE is moving all my old posts over to this new account and I wanted to continue the discussion here, in a new question, as I don't know when they are going to move that question over.
0
 
wfcrrAuthor Commented:
You had told me to download Process Monitor and run "Result is Access Denied". I did that this morning, but don't know how to use what I see in the logs.
0
 
johnb6767Commented:
Gotcha.....

Click the blue icon (to the left of the "A" on the toolbar at the top).

First Column - Select "Result" from the drop down.
Second Column - Select "Is"  from the drop down.
Third Column - MANUALLY type "Access Denied" (no quotes)

Then click the link and see if anything populates.....

Can you post a link to the other thread as well? Need a refresher.....  :-)

0
 
rodynetworkCommented:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Windows_7/Q_27312311.html

I did run Process Monitor with the filter Result is Access Denied and it ran while I went to IE8 and clicked through the offending processes. I just don't know how to interpret what I am seeing in the logs...
0
 
johnb6767Commented:
Did it provide output ONLY when showing just the Access Denied filter?
0
 
johnb6767Commented:
If it was blank, then it was not a permissions issue.
0
 
wfcrrAuthor Commented:
The log has a bunch of stuff in it. I just don't know what to do with any of it.
0
 
johnb6767Commented:
In the right hand side, under the "Result Column" are you seeing NOTHING but "Access Denied"?

You can right click on ANY item in ANY column, and select "Include/Exclude"

Excluding removes the processes/results (in this case, you might need to remove the "Success" entries to remove 85% of the useless data). If you "Include" a process, it ONLY shows results from that process.

Once you are done, remove the Filters you have set from the icon, so next time you don't chase your tail with needless filters set.....

Post a screenshot if you could, and I will help guide you....
0
 
wfcrrAuthor Commented:
See if this image is readable.
log.jpg
0
 
johnb6767Commented:
On the following keys, you should be able to reset the security (to inherit them from their parent folders), by right clicking these>Permissions>Advanced, and hit the top check box "Include inheritable ......", and then hit "Apply".
This will reset the permissions based on what the parent keys are pushing down.

Then hit the bottom checkbox, and hit "Apply", this will force the child objects to inherit what you just inherited from the parent keys.

If they don't inherit/push properly, they should be set as the following.....

SYSTEM\Full Control
Administrators\Full Control
Users\Read

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinSock2

Same process for these below, to reset them. Here is what they should be set to...

SYSTEM\Full Control
YOUR USER ID\Full Control
Administrators\Full Control

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Once you get these reset, retest and if it still fails, let's use Procmon again to continue until you see NO MORE "Access Denieds"....
0
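An added example, not code posted in the thread: a read-only PowerShell audit that reads the ACL of each key johnb6767 lists and compares it with the entries he says they should carry, so the permission state can be checked before and after the inheritance reset. It assumes the standard BUILTIN\ and NT AUTHORITY\ account names, that HKCU: resolves to the affected user's hive (run it as that user, elevated), and that "Read" in the GUI corresponds to the ReadKey right; entries Windows adds by default (for example CREATOR OWNER) will show as "not in thread list" rather than as errors.

```powershell
# Added example (not from the thread): read-only audit of the keys johnb6767
# lists, comparing each ACE with the permissions he says they should carry and
# showing whether inheritance from the parent key is still enabled.
# Run from an elevated prompt as the affected user so HKCU: is that user's hive.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$hklm = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl'; 'BUILTIN\Users' = 'ReadKey' }
$hkcu = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; $me = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' }
$keys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Tracing';                                  Expected = $hklm }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'; Expected = $hklm }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\services\WinSock2';                  Expected = $hklm }
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer';                        Expected = $hkcu }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Expected = $hkcu }
)
foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key.Path)) { Write-Warning "$($key.Path): not found"; continue }
    $acl = Get-Acl -LiteralPath $key.Path
    # AreAccessRulesProtected is $true when "Include inheritable permissions from
    # this object's parent" is unticked, i.e. the key no longer inherits.
    $inherit = if ($acl.AreAccessRulesProtected) { 'BLOCKED' } else { 'enabled' }
    "`n$($key.Path)  (inheritance: $inherit)"
    foreach ($ace in $acl.Access) {
        $id   = $ace.IdentityReference.Value
        $want = $key.Expected[$id]          # $null when the thread lists no entry for this identity
        $status = if ($ace.AccessControlType -eq 'Deny') { 'DENY ACE' }
                  elseif ($null -eq $want) { 'not in thread list' }
                  elseif ($ace.RegistryRights.ToString() -eq $want) { 'OK' }
                  else { "MISMATCH (thread expects $want)" }
        '{0,-45} {1,-22} {2}' -f $id, $ace.RegistryRights, $status
    }
    # Identities the thread expects that have no ACE at all on this key
    foreach ($id in $key.Expected.Keys | Where-Object { $acl.Access.IdentityReference.Value -notcontains $_ }) {
        '{0,-45} {1,-22} {2}' -f $id, '-', 'MISSING'
    }
}
```

A DENY ACE or a MISSING/MISMATCH row on one of these keys is what would produce the ACCESS DENIED lines in the Procmon filter discussed above; re-run the audit after the inheritance reset to confirm the rows read OK and inheritance shows "enabled".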
 
wfcrrAuthor Commented:
Got a few questions, bear in mind I am a rank novice.  I assume you are telling me "regedit" stuff, so I went to cmd, regedit and navigated to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing and messed around with properties, attempting to give the USER and Administrator permissions of Full Control. Is that what you are saying to do?  Also, I found check boxes for include inheritable and hit Apply, but IE8 still has the tab go blank when I hit an email link.  I am going to try closing and reopen IE8, as I haven't closed the browser since I made those changes.
0
 
wfcrrAuthor Commented:
Ok. I'm confused. I have ProcMon up and running. I have the Filter window up and have removed all other filters and have only the Result is Access Denied filter added. There is a red X next to Result is. I hit apply and I see the event log window has bazillions of things being captured. I am on the user's machine...not sure what is different but I see way too much in the event log for it to be useful. What am I missing in the ProcMon setup?
0
 
johnb6767Commented:
The defaults are fine, it should look like the image below. The only thing listed should be ACCESS DENIED entries....

 Process Denied Image
As for the permissions, what I was referring to is the boxes at the bottom, once you hit the Advanced Button. Using these will automatically reset the permissions based on the parent folders, without having to reset them manually.....
0
