ACE Developer




Views: 4122 | Replies: 1


Posted on 2013-4-22 10:51:20

Process Monitor
Process Monitor (Procmon), a system activity monitoring utility from Sysinternals that has
been used throughout this book, is an example of a passive filter driver, which is one that
does not modify the flow of IRPs between applications and file system drivers. Windows
includes the Filesystem Filter Manager (%SystemRoot%\System32\Drivers\Fltmgr.sys) as
part of a port/miniport model for file system filter drivers. The Filesystem Filter Manager
greatly simplifies the development of filter drivers by interfacing a filter miniport driver to the
Windows I/O system and providing services for querying file names, attaching to volumes,
and interacting with other filters. Process Monitor’s file system monitoring is implemented as
a minifilter driver.
Process Monitor works by extracting a file system filter device driver from its executable
image (Procmon.exe) the first time you run it after a boot, installing the driver in memory,
and then deleting the driver image from disk. Through the Process Monitor GUI, you can
direct the driver to monitor file system activity on local volumes that have assigned drive
letters, network shares, named pipes, and mail slots. When the driver receives a command
to start monitoring a volume, it registers filtering callbacks with the Filter Manager, which is
attached to the device object that represents a mounted file system on the volume. After an
attach operation, the I/O manager redirects an IRP targeted at the underlying device object
to the driver owning the attached device, in this case the Filter Manager, which sends the
event to registered minifilter drivers, in this case Process Monitor.

Process Monitor Troubleshooting Techniques
The two basic Process Monitor troubleshooting techniques for file system problems are
identical to those for registry-related problems: looking in a Process Monitor trace at the
last thing an application did before it failed, or comparing a Process Monitor trace of a
failing application with a trace from a working system. See the section “Process Monitor
Troubleshooting Techniques” in Chapter 4 for more information on these techniques.
Entries in a Process Monitor trace that have values of NAME NOT FOUND, NO SUCH FILE,
PATH NOT FOUND, SHARING VIOLATION, and ACCESS DENIED in the Result column are ones
that you should investigate. The first three are reported when an application or the system
attempts to open a nonexistent file or directory. In many cases, these errors do not indicate a
serious problem. When you execute a program from the Start menu’s Run dialog box without
specifying its full path, for instance, Windows Explorer will search the directories listed in the
system PATH environment variable for the image file until it locates the file or has searched
all the listed directories. Each attempt to find the image in a directory that does not contain
it results in a Process Monitor output line similar to this:

25314     7:44:27.4180943 PM     Explorer.EXE     1640     CreateFile     C:\Program Files\Microsoft Windows Performance Toolkit\test.exe     NAME NOT FOUND     Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a

Access-denied errors are a common source of file system–related application failures, and
they occur when an application does not have permission to open the file or directory for the
access types it desires. Some applications do not check error codes or perform error recovery,
and they fail by crashing or terminating; others display misleading error messages that
mask the root cause of the error.

Buffer-overflow exploits are a serious security concern, but a code result of BUFFER
OVERFLOW is simply a file system driver’s way to indicate to an application that the buffer
it specified to store result data was too small to hold the data. Application developers use
this behavior to determine how large a buffer should be because the file system driver also
returns the size of the buffer required to store the data. Operations with a buffer overflow
result are usually followed by the same operation with a successful result.
Process Monitor has been used extensively within Microsoft and other organizations to solve
difficult or nearly impossible-to-diagnose problems.
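The excerpt above describes the trace triage by hand: look at the Result column, treat NAME NOT FOUND / PATH NOT FOUND / ACCESS DENIED / SHARING VIOLATION as candidates, recognise the benign PATH-search and BUFFER OVERFLOW size-probe patterns, and look at the last thing a process did before it exited. The script below is an added example (not from the post, the book, or Sysinternals) that applies those rules to a Procmon CSV export. It assumes the column names of Procmon's CSV export ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"); the sample trace inside it is constructed for the example, not a real capture.

```python
import csv
import io
import ntpath

# Column layout assumed from Procmon's CSV export (File > Save..., CSV format).
# Confirm it against the header of your own export before relying on it.
COLUMNS = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]

# Result values the excerpt singles out for investigation.
NOT_FOUND = {"NAME NOT FOUND", "NO SUCH FILE", "PATH NOT FOUND"}
INVESTIGATE = NOT_FOUND | {"SHARING VIOLATION", "ACCESS DENIED"}


def parse_trace(csv_text):
    """Parse a Procmon CSV export (header row included) into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _same_file(a, b):
    # ntpath handles backslash paths regardless of the host platform.
    return ntpath.basename(a["Path"]).lower() == ntpath.basename(b["Path"]).lower()


def triage(rows):
    """Split non-success events into (suspicious, benign) lists of (index, row, reason).

    Two patterns from the text are classified as benign: a search-path probe whose
    file name is opened successfully later by the same process (the Explorer PATH
    walk), and a BUFFER OVERFLOW that is followed by the same operation on the same
    path succeeding (the application re-issued the call with a larger buffer).
    """
    suspicious, benign = [], []
    for i, row in enumerate(rows):
        result, pid, later = row["Result"], row["PID"], rows[i + 1:]
        if result == "BUFFER OVERFLOW":
            retry = next((r for r in later if r["PID"] == pid
                          and r["Operation"] == row["Operation"]
                          and r["Path"] == row["Path"]), None)
            if retry is not None and retry["Result"] == "SUCCESS":
                benign.append((i, row, "size probe: BUFFER OVERFLOW then SUCCESS"))
            else:
                suspicious.append((i, row, "BUFFER OVERFLOW without a successful retry"))
        elif result in NOT_FOUND and row["Operation"] == "CreateFile":
            found = any(r["PID"] == pid and r["Operation"] == "CreateFile"
                        and r["Result"] == "SUCCESS" and _same_file(r, row) for r in later)
            if found:
                benign.append((i, row, "search probe: same file name opened later"))
            else:
                suspicious.append((i, row, result + ": never found"))
        elif result in INVESTIGATE:
            suspicious.append((i, row, result))
    return suspicious, benign


def last_ops_before_exit(rows, pid, count=3):
    """The 'last thing the application did before it failed': the final `count`
    events of `pid` that precede its Process Exit event (or the end of the trace)."""
    exit_idx = next((i for i, r in enumerate(rows)
                     if r["PID"] == pid and r["Operation"] == "Process Exit"), len(rows))
    own = [r for r in rows[:exit_idx] if r["PID"] == pid]
    return own[-count:]


# Constructed sample: an Explorer PATH walk that finds test.exe on the third try,
# then test.exe probing its own name, missing a plugin, being denied write access
# to its config file, and exiting.
SAMPLE_CSV = (
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"\n'
    '"7:44:27.4180943 PM","Explorer.EXE","1640","CreateFile","C:\\Windows\\system32\\test.exe","NAME NOT FOUND","Desired Access: Read Attributes"\n'
    '"7:44:27.4181201 PM","Explorer.EXE","1640","CreateFile","C:\\Windows\\test.exe","NAME NOT FOUND","Desired Access: Read Attributes"\n'
    '"7:44:27.4181440 PM","Explorer.EXE","1640","CreateFile","C:\\Tools\\test.exe","SUCCESS","Desired Access: Read Attributes"\n'
    '"7:44:28.1000000 PM","test.exe","2212","QueryNameInformationFile","C:\\Tools\\test.exe","BUFFER OVERFLOW","Name: \\Tools\\test.exe"\n'
    '"7:44:28.1000100 PM","test.exe","2212","QueryNameInformationFile","C:\\Tools\\test.exe","SUCCESS","Name: \\Tools\\test.exe"\n'
    '"7:44:28.2000000 PM","test.exe","2212","CreateFile","C:\\Tools\\plugin.dll","NAME NOT FOUND","Desired Access: Read Data"\n'
    '"7:44:28.3000000 PM","test.exe","2212","CreateFile","C:\\ProgramData\\Test\\config.ini","ACCESS DENIED","Desired Access: Generic Write"\n'
    '"7:44:28.3100000 PM","test.exe","2212","Process Exit","","SUCCESS","Exit Status: -1"\n'
)

if __name__ == "__main__":
    rows = parse_trace(SAMPLE_CSV)
    suspicious, benign = triage(rows)
    for idx, row, reason in suspicious:
        print(f"INVESTIGATE #{idx}: {row['Process Name']} {row['Operation']} {row['Path']} -> {reason}")
    for idx, row, reason in benign:
        print(f"benign      #{idx}: {row['Process Name']} {row['Operation']} {row['Path']} -> {reason}")
    print("last events of PID 2212 before exit:",
          [(r["Operation"], r["Path"], r["Result"]) for r in last_ops_before_exit(rows, "2212")])
```

On the constructed trace the two Explorer NAME NOT FOUND probes and the BUFFER OVERFLOW are classified as benign, while the plugin.dll miss (never found later) and the ACCESS DENIED on config.ini are flagged; the last-events view of PID 2212 ends on that ACCESS DENIED, which is exactly the event the excerpt says to look at first. To run it on a real capture, export the filtered trace from Procmon as CSV and pass the file contents to parse_trace.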

OP | Posted on 2013-5-6 20:34:30

