question

MtheK-3220 asked MtheK-3220 answered

new PROCEXP causes 'netsh trace' to stop running SystemTrace?

I downloaded your new code (16.42), but found a problem with it.

I always use 'netsh trace' for all Web connections.

For some reason, whenever I run this new PROCEXP, 'netsh trace' on Win7 will NOT capture the 'system trace' information at the end?

After a 'netsh trace stop', I do a "FIND" (my own MASM program) and look for 'smss.exe' in the .etl to ensure that 'system trace' info is there. However, whenever I am running the new PROCEXP, this information is no longer there. This is verified when I open the .etl with NETMON 3.4 and the column 'UT process name' is no longer translated from the PID in any record, and the 'system trace' info is indeed not there.

Is there something I can do to prevent this failure? Don't bother saying to get rid of Win7. If you do, then my only circumvention is to NOT run your new PROCEXP and continue using the old PROCEXP (12.04), which never had this problem. I only downloaded the new .zip just to see what was new; in my case, it's not worth it, since the old PROCEXP doesn't have any problems except an occasional BSOD in PROCEXP152+10b0...

windows-sysinternals-procexp

MtheK-3220 answered

O/P from 'netsh trace stop':

@@@@@@@@@@@@@@@@@@@@@@@ HERE'S THE PROBLEM @@@@@@@@@@@@@@@@@@@@@@@
Warning: An instance of the 'NT Kernel Logger' is already running.
System information will not be added to the trace file.
@@@@@@@@@@@@@@@@@@@@@@@ HERE'S THE PROBLEM @@@@@@@@@@@@@@@@@@@@@@@

Merely closing the PROCEXP window(s) fixes this for the next time.


MtheK-3220 answered

Interesting: if I do NOT run PROCEXP as ADMIN, the failure does NOT occur. I guess, without authority, it can't install the 'NT Kernel Logger'?

I think the 'process network' and 'process disk' tabs don't work. Before, I got a pop-up window saying that ADMIN was necessary for those, which is why I was starting it with ADMIN. Also, the lower pane doesn't work either.

Hopefully, as long as I don't use ADMIN, I will no longer lose 'netsh trace' system trace data. If I do use ADMIN for those tabs, then I can't shut down the Web with any PROCEXP window(s) active. I use a .bat to control 'netsh trace', and I already check for the existence of PROCEXP, after I detected the lack of 'smss.exe', so it was a simple matter to move that check before 'netsh trace stop' and issue a warning message with a 3-minute timeout. If I happen to see the message, I can close the windows. If I don't, I'll lose 'netsh' data if I started PROCEXP as ADMIN.

I guess this will have to do...

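The check described in the answer above, written out as an added PowerShell example (this is not the poster's .bat and not Sysinternals code). The underlying cause is that the 'NT Kernel Logger' is a single system-wide ETW session: an elevated Process Explorer starts it to gather per-process disk and network statistics, and while another tool owns it, 'netsh trace stop' cannot add its own system information, which is exactly the warning shown in the first answer. Rather than looking only for a running PROCEXP, the script asks ETW directly whether the kernel logger session exists (so it also catches other owners such as xperf or WPR), warns, waits up to a configurable timeout for it to go away, then runs 'netsh trace stop'. It assumes Windows 7 or later with logman.exe on the PATH and an elevated prompt, the same one that ran 'netsh trace start'.

```powershell
# Added example, not from the original post: gate 'netsh trace stop' on the
# NT Kernel Logger being free. The NT Kernel Logger is a single system-wide
# ETW session; an elevated Process Explorer owns it while it is running, and
# netsh then skips the "system information" (process/PID) data at stop time.
# Assumptions: Windows 7+, logman.exe on the PATH, run from the same elevated
# prompt that started 'netsh trace'. The timeout value is an arbitrary default
# matching the 3-minute warning the poster describes.

param(
    [int]$TimeoutSeconds = 180   # how long to wait for the logger to become free
)

function Get-KernelLoggerOwnerHint {
    # Best-effort hint for the operator: names of running Process Explorer
    # instances. Other tools (xperf, WPR, ...) can own the kernel logger too,
    # so an empty result does not mean the session is free.
    $pe = Get-Process -Name procexp, procexp64 -ErrorAction SilentlyContinue
    if ($pe) { return ($pe | ForEach-Object { $_.ProcessName } | Sort-Object -Unique) -join ', ' }
    return $null
}

function Test-KernelLoggerRunning {
    # 'logman query -ets' lists the live ETW sessions on the box; the
    # NT Kernel Logger appears by name only while some tool has it started.
    $sessions = & logman.exe query -ets 2>$null
    return [bool]($sessions | Select-String -SimpleMatch 'NT Kernel Logger')
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while (Test-KernelLoggerRunning) {
    $hint = Get-KernelLoggerOwnerHint
    $who  = if ($hint) { " (running: $hint)" } else { "" }
    Write-Warning ("NT Kernel Logger is in use$who; 'netsh trace stop' would drop the " +
                   "system trace. Close the owning tool (for Process Explorer, close its windows).")
    if ((Get-Date) -ge $deadline) {
        Write-Warning "Timeout reached; stopping the trace without system information."
        break
    }
    Start-Sleep -Seconds 10
}

# Stop the capture. If the loop above exited on timeout, the resulting .etl
# will lack process-name translation, just as the poster observed in NETMON.
& netsh.exe trace stop
```

Closing the Process Explorer windows, as the first answer notes, is enough: the kernel logger session is torn down with the process, and the next poll of `logman query -ets` no longer lists it, so the script proceeds to `netsh trace stop` without waiting for the full timeout. Running Process Explorer unelevated avoids the conflict entirely, at the cost of the disk and network tabs that need the kernel logger in the first place.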