new PROCEXP causes 'netsh trace' to stop running SystemTrace?

MtheK 96 Reputation points
2021-07-02T19:15:29.06+00:00

I downloaded your new code (16.42), but found a problem with it.

I always use 'netsh trace' for all Web connections.

For some reason, whenever I run this new PROCEXP, 'netsh trace' on Win7 will NOT capture the 'system trace' information at the end?

After a 'netsh trace stop', I do a "FIND" (my own MASM program) and look for 'smss.exe' in the .etl to ensure that 'system trace' info is there. However, whenever I am running the new PROCEXP, this information is no longer there. This is verified when I open the .etl with NETMON 3.4 and the column 'UT process name' is no longer translated from the PID in any record, and the 'system trace' info is indeed not there.

Is there something I can do to prevent this failure? Don't bother saying to get rid of Win7. If you do, then my only circumvention is to NOT run your new PROCEXP and continue using the old PROCEXP (12.04), which never had this problem. I only downloaded the new .zip just to see what was new; in my case, it's not worth it, since the old PROCEXP doesn't have any problems except an occasional BSOD in PROCEXP152+10b0...


Accepted answer
  1. MtheK 96 Reputation points
    2021-07-04T01:32:32.623+00:00

    O/P from 'netsh trace stop':

    @@@@@@@@@@@@@@@@@@@@@@@ HERE'S THE PROBLEM @@@@@@@@@@@@@@@@@@@@@@@
    Warning: An instance of the 'NT Kernel Logger' is already running.
    System information will not be added to the trace file.
    @@@@@@@@@@@@@@@@@@@@@@@ HERE'S THE PROBLEM @@@@@@@@@@@@@@@@@@@@@@@

    Merely closing the PROCEXP window(s) fixes this for the next time.


1 additional answer

  1. MtheK 96 Reputation points
    2021-07-06T02:41:06.907+00:00

    Interesting: if I do NOT run PROCEXP as ADMIN, the failure does NOT occur. I guess, w/o authority, it can't install the 'NT kernel logger'?

    I think the 'process network' and 'process disk' tabs don't work. B 4, I got a pop-up window saying that ADMIN was necessary for those, which is why I was starting it w/ADMIN. Also, the lower pane doesn't work either.

    Hopefully, as long as I don't use ADMIN, I will no longer lose 'netsh trace' system trace data. If I do use ADMIN for those tabs, then I can't shut down the Web w/any PROCEXP window(s) active. I use a .bat to control 'netsh trace', and I already check for the existence of PROCEXP, after I detected the lack of 'smss.exe', so it was a simple matter to move that check B 4 'netsh trace stop' and issue a warning message w/a 3-minute timeout. If I happen to see the message, I can close the windows. If I don't, I'll lose 'netsh' data if I started PROCEXP as ADMIN.

    I guess this will have to do...

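An added example, not the poster's own .bat, of the pre-stop check described in this answer: instead of looking only for a PROCEXP process, it asks the live ETW session list (`logman query -ets`) whether an 'NT Kernel Logger' instance exists before `netsh trace stop`, waits the three minutes, and then confirms from netsh's own output whether the warning quoted in the accepted answer appeared. It assumes a Windows cmd session with `logman`, `netsh`, `findstr` and `timeout` available (all standard on Win7) and that the trace was started from this same elevated session; the log path under `%TEMP%` is a constructed name.

```batch
@echo off
REM Added example (not the poster's .bat): guard 'netsh trace stop' against the
REM single-instance 'NT Kernel Logger' conflict. Any tool that owns that session
REM (e.g. Process Explorer started as admin) makes netsh drop system-trace info.
setlocal
set "STOPLOG=%TEMP%\netsh_trace_stop.log"

REM 1. Is a kernel logger session live right now? logman lists every running
REM    ETW session by name; findstr sets errorlevel 0 only on a match.
logman query -ets 2>nul | findstr /i /c:"NT Kernel Logger" >nul
if not errorlevel 1 (
    echo WARNING: an 'NT Kernel Logger' session is running.
    echo          netsh will NOT add system-trace info to the ETL.
    echo          Close the tool that owns it within 3 minutes...
    timeout /t 180 >nul
    REM Re-check once; proceed either way so the capture is still stopped.
    logman query -ets 2>nul | findstr /i /c:"NT Kernel Logger" >nul
    if not errorlevel 1 echo WARNING: still running, stopping anyway.
)

REM 2. Stop the trace and keep netsh's output for inspection.
netsh trace stop > "%STOPLOG%" 2>&1
type "%STOPLOG%"

REM 3. netsh prints this exact warning when system information was dropped.
findstr /i /c:"NT Kernel Logger' is already running" "%STOPLOG%" >nul
if not errorlevel 1 (
    echo RESULT: system-trace info is MISSING from this capture.
    exit /b 1
)
echo RESULT: netsh reported no kernel-logger conflict.
exit /b 0
```

The exit code lets a calling script decide whether the ETL is worth keeping, which avoids scanning the binary file for 'smss.exe' after the fact.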