Last Revised: 9/24/05


Today we head back to the land of Sysinternals. If you have read my blog entries in the past you know that I am a big fan of Mark Russinovich and Sysinternals in general. The Sysinternals site holds boatloads of awesome freeware utilities. I'm really surprised that Mark doesn't charge for these programs, although the parent company of Sysinternals is Winternals, which does have a commercial suite of programs for which they do charge money.

The first program we will look at is Filemon (mentioned in my first blog entry). This program shows you in real time which files each process opens, reads or modifies, and the result of each call. Here's a snapshot of some sample output:


[screenshot: filemon12]

I started up Filemon before starting Outlook for this picture. This is only a small snippet of the files that Outlook queries, writes and reads while it loads. Sometimes I'll just let Filemon run to see what is happening on my system. For example, while running this trace I saw that something was querying the Wise Package Studio directory on my C: drive. Obviously, Wise Package Studio had installed a service that was doing things behind the scenes without my knowledge.

That's the first thing that we can use Filemon for: system diagnostics. Why is my computer so slow? Filemon might be able to answer that question. Now I have a pretty beefy computer and I really don't notice any effects of Wise Package Studio querying folders on my hard drive every few minutes. However, if I had a slower computer I might be concerned.

How about spyware? I wrote about detecting and removing spyware from your PC in an earlier entry, where I loaded Windows XP in a "sandbox" using VMware 5 and then installed some spyware inside it. I did the same thing again for this entry. After installing the spyware program I ran Filemon, and here are a few of the entries I found:

[screenshot: filemon13]

What is this index.dat file that sync.exe and save.exe keep querying? The index.dat files are the index files Internet Explorer keeps for its history, cache and cookies folders. Quoting http://www.acesoft.net/delete_index.dat_files.htm:

"Index.dat are files hidden on your computer that contain all of the Web sites that you have ever visited. Every URL, and every Web page is listed there. Not only that but all of the email that has been sent or received through Outlook or Outlook Express is also being logged. "


Well, hmm, why are save.exe and sync.exe so interested in the web sites I have visited? Maybe now you better understand why they call it spyware! It takes the web sites you visit and sends that information back to the advertiser's servers. Cute, very cute. Keep in mind that Filemon only shows the read; to confirm that the data actually leaves the machine you would pair the trace with TCPView (also from Sysinternals) or a packet capture.

Program not working or acting funny? Filemon is your wingman! Let's have some fun and pull the rug out from under Outlook 2003. I run Filemon and I see it reads some files from C:\program files\microsoft office\office 11\1033. Just to be silly, let's rename 1033 and see what happens:


[screenshot: filemon14]

[screenshot: filemon15]

Outlook 2003 uses what is called a Windows Installer (MSI) based installation. MSI installations are very cool because they can detect missing or corrupt components and repair them from the installation source. Outlook 2003 sees that a critical directory is missing and attempts to repair it. If I were to let it continue it probably could fix the problem. We aren't going to let it do that, however. Let's hit Cancel and let the chips fall where they may.

Aha! There we go. Outlook 2003 says "Fine, you don't have the installation media, so go jump off a cliff." OK, it doesn't say that, but it's pretty close. We get "The operation failed due to an installation problem. Restart Outlook and try again. If the problem persists, please reinstall."

I'm at the user's computer and I don't feel like reinstalling. Who knows what the installation will write over. Let's start up Filemon and see what it says:


[screenshot: filemon16]

Right when I load Outlook 2003 it immediately starts the MSI repair procedure (I didn't snapshot this part; you'll just have to trust me on this one). Right before Outlook 2003 starts loading the MSI files we see that it cannot find C:\program files\microsoft office\office 11\1033. The result returned was "PATH NOT FOUND". It seems in this fictitious case the user was drilling around in Windows Explorer and accidentally moved the Office subdirectory somewhere else! (Although this case is fictitious, I have seen this sort of thing happen in real life, and it's even happened to me!) We locate the 1033 folder on the hard drive and restore it to its rightful place. I try relaunching Outlook 2003 and it is happy again.

One of the great uses for Filemon and Regmon is troubleshooting permission issues. Regmon is Filemon's twin for the registry: it traces registry calls instead of file calls. At my last company we had about 150 applications which were running on Windows 98 SE. We started the process of transitioning to a Windows 2000 image where most of the C: drive was read-only and security templates from the NSA were applied to harden the machines even further. As you can imagine, this caused lots of legacy programs not to work. This is where Filemon and Regmon are worth their weight in gold.

Let's take the example of Outlook 98 (Microsoft's own e-mail program) as a lesson in how NOT to engineer your programs. I installed Outlook 98 under the administrator account and then logged in as a regular user with the default permissions that Windows gives (basically, the user is just a member of the local group Users). I set up an Outlook profile for a POP server and then attempted to send an e-mail to my own address. I am greeted with a bounce-back message containing the following text: "No transport provider was available for delivery to this recipient."


[screenshot: outlook11]


I can assure you that everything is set up 100% correctly. The Microsoft Knowledge Base does list this as an error for Outlook 98 with possible workarounds, but none of the workarounds mention a possible permissions issue, nor will they fix our particular issue. The error message also gives us no hint as to what the problem could be. Let's start our old trusty friend Filemon, start Outlook, send an e-mail, and then head back to Filemon to see what is going on. To find the "problem" entries more easily we will set up a filter. Launch Filemon. Then go to Options > Filter/Highlight. Under Highlight put the word DENIED. Click OK and then start Outlook 98. We find the following in the snapshot below:


[screenshot: outlook12]


We see that Outlook 98 is trying to create RHC files in C:\windows\system32. Opening this directory to ordinary users would weaken the whole machine (any user could plant DLLs there), so let's go to Microsoft's Knowledge Base site and see what it says. We find this article. Basically, Outlook 98 creates a unique RHC file per user. That leaves three workarounds: make each user an administrator, log in, send an e-mail, and then take them back out of the Administrators group, which creates the RHC file in the system32 folder for each user (painful); give the Users group write access to the system32 folder (not secure); or upgrade to a newer version of Office that plays nicer with Windows 2000/XP (my choice).
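The DENIED highlight used here, the PATH NOT FOUND that explained the broken Outlook 2003 install, and the index.dat reads in the spyware trace are all things you can pull out of a saved Filemon log without clicking through the GUI. The script below is an added example written for this page; it is not from the original post or from Sysinternals. It assumes the tab-separated layout Filemon writes with File > Save As (sequence, time, process:PID, request, path, result, other); if your export differs, change the column list. The log lines in $sampleLog are constructed to mirror the cases discussed in the post and are not captured output, and sample.rhc is a placeholder file name. Filemon and Regmon were later folded into Process Monitor, whose CSV export uses different column names, so the header would need adjusting for a Procmon log.

```powershell
# Added example (not from the original post or from Sysinternals).
# Triages a Filemon "Save As" export. Assumed column layout:
#   sequence, time, process:PID, request, path, result, other  (tab-separated)
# The lines below are CONSTRUCTED for illustration; sample.rhc is a placeholder name.
$sampleLog = @"
1`t9:24:01 AM`tOUTLOOK.EXE:1588`tOPEN`tC:\program files\microsoft office\office 11\1033`tPATH NOT FOUND`tOptions: Open Directory  Access: Read
2`t9:24:02 AM`tOUTLOOK.EXE:1588`tCREATE`tC:\windows\system32\sample.rhc`tACCESS DENIED`tOptions: Create  Access: All
3`t9:24:03 AM`tiexplore.exe:2020`tREAD`tC:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat`tSUCCESS`tOffset: 0 Length: 4096
4`t9:24:03 AM`tsync.exe:3104`tREAD`tC:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat`tSUCCESS`tOffset: 0 Length: 65536
5`t9:24:04 AM`tsave.exe:3112`tQUERY INFORMATION`tC:\Documents and Settings\user\Cookies\index.dat`tSUCCESS`tAttributes: HA
"@

function Get-FilemonFindings {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        # Processes expected to touch IE's index.dat; anything else gets flagged.
        [string[]] $ExpectedIndexDatReaders = @('iexplore.exe', 'explorer.exe')
    )
    $columns = 'Seq', 'Time', 'Process', 'Request', 'Path', 'Result', 'Other'
    $events  = $Lines | Where-Object { $_.Trim() } |
               ConvertFrom-Csv -Delimiter "`t" -Header $columns

    foreach ($e in $events) {
        $proc = ($e.Process -split ':')[0]     # "sync.exe:3104" -> "sync.exe"

        # Failed calls: what the Filemon DENIED highlight surfaces, plus the
        # PATH NOT FOUND that pointed at the moved Office 1033 folder.
        if ($e.Result -in 'ACCESS DENIED', 'PATH NOT FOUND') {
            [pscustomobject]@{ Finding = $e.Result; Process = $proc; Request = $e.Request; Path = $e.Path }
        }

        # index.dat is IE's history/cache/cookie index; a non-browser reading it is suspect.
        if ($e.Path -match '\\index\.dat$' -and $proc -notin $ExpectedIndexDatReaders) {
            [pscustomobject]@{ Finding = 'index.dat read by non-browser'; Process = $proc; Request = $e.Request; Path = $e.Path }
        }
    }
}

# Run against the constructed sample; for a real trace use (Get-Content .\filemon.log).
$findings = Get-FilemonFindings -Lines ($sampleLog -split "`r?`n")
$findings | Sort-Object Finding, Process | Format-Table -AutoSize
```

On the sample this reports the PATH NOT FOUND and ACCESS DENIED entries for OUTLOOK.EXE and flags sync.exe and save.exe for touching index.dat while iexplore.exe is left alone. On a real multi-hour trace, group the output by Finding and Process first; the noise from a single misbehaving process is what usually leads to the culprit.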

The other problem with Outlook 98 is that it keeps asking if you want it to be the default mail handler. I keep saying yes, but it keeps asking every time I load it up.

[screenshot: outlook13]


Let's use Regmon this time. Again, we are going to set up a filter, because as you will soon find out the number of actions done to the registry is incredible. Launch Regmon. Then go to Options > Filter/Highlight. Under Include put OUTLOOK and under Highlight put DENIED. Click OK. If it asks whether you want to apply the filter to the current output, say yes. Then hit CTRL-X to clear the log and start Outlook (you can toggle whether Filemon/Regmon is logging with CTRL-E, a great little shortcut to stop and start logging on demand). We find the following keys that Outlook is trying to write or create without having the rights to. They are as follows:

HKLM\Software\Microsoft\Office\8.0\Common
HKLM\Software\Microsoft\Exchange\Client\Extensions
HKLM\Software\Clients


In the above case I would give FULL CONTROL rights to the Users group on HKLM\Software\Microsoft\Office, HKLM\Software\Microsoft\Exchange and HKLM\Software\Clients.

Opening specific registry keys to the Users group with FULL CONTROL is much less risky than opening folders, so as a rule I usually open up anything in the registry that a program has a problem with.
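A narrower way to make the same grant, as an added example for this page (not the post's own procedure and not tied to any Microsoft tool): give Users only the rights Regmon showed the program lacking, namely creating subkeys and setting values, rather than Full Control, and review the resulting ACEs before and after. It is written for a current PowerShell, which did not exist on Windows 2000 (regedt32's Permissions dialog did the same job then), and must run from an elevated prompt. The key paths are the ones Regmon reported above. One of them, HKLM\Software\Microsoft\Exchange\Client\Extensions, is where Exchange client extension DLLs loaded by Outlook are registered, so a writable copy lets any local user register a DLL that Outlook then loads for every user of the machine, administrators included; that key is deliberately left out of the list below.

```powershell
# Added example (not from the original post). Grants a principal only the
# write rights a legacy program needs on a key Regmon reported as ACCESS DENIED,
# instead of Full Control. Run elevated. -WhatIf previews without changing anything.
function Grant-UserWriteOnKey {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,        # e.g. HKLM:\SOFTWARE\Microsoft\Office\8.0\Common
        [string] $Principal = 'BUILTIN\Users',
        # Enough for "create a subkey and write values"; no permission or owner changes.
        [System.Security.AccessControl.RegistryRights] $Rights = 'SetValue, CreateSubKey, ReadKey'
    )
    if (-not (Test-Path -Path $KeyPath)) { throw "Key not found: $KeyPath" }

    $acl  = Get-Acl -Path $KeyPath
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Principal,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',   # apply to subkeys too
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($KeyPath, "grant '$Rights' to $Principal")) {
        Set-Acl -Path $KeyPath -AclObject $acl
    }

    # Return the ACEs that now apply to the principal so the grant can be reviewed.
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Principal } |
        Select-Object @{ n = 'Key'; e = { $KeyPath } }, IdentityReference, RegistryRights, InheritanceFlags, IsInherited
}

# Keys Regmon reported for Outlook 98 in the post. Preview first, then rerun without -WhatIf.
# Not listed: HKLM:\SOFTWARE\Microsoft\Exchange\Client\Extensions, which names DLLs that
# Outlook loads for every user; making it writable by Users is a code-injection point.
$keys = 'HKLM:\SOFTWARE\Microsoft\Office\8.0\Common',
        'HKLM:\SOFTWARE\Clients'
foreach ($k in $keys) { Grant-UserWriteOnKey -KeyPath $k -WhatIf }
```

The point of returning the ACE list rather than just applying the change is that the same Regmon trace should be rerun afterwards: if the program still logs ACCESS DENIED on a subkey, the grant was too narrow (or inheritance did not reach it), and you widen it one right at a time rather than jumping straight to Full Control.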