Archive for April, 2006

Watching What Your Computer Is Doing

April 18, 2006

Your computer, as it runs the many programs that you (or others) start on it, and accesses other computers on your local or wide area network, is very busy. Even when you aren’t doing anything intentionally, your computer is still busy. Sometimes, knowing what your computer is actually doing, at any time, is a critical need.

Long years ago, a computer would be pictured in a movie as a big metal box, with lots of flashing lights. Those lights were used, at that time, to tell what the computer was doing. Those computers ran very slowly (sometimes, not at all), and the flashing lights were critical to knowing what was going on, at any time.

The equivalent of a Blue Screen Of Death was known as (among other terms, some of which won’t ever be discussed here) a Hard Stop. When a Hard Stop occurred (which could be many times / day, depending upon what programs were running), the lights would be used to describe what the computer had been doing, and to display the contents of memory and registers.

Today, no computer could ever drive enough lights to tell you anything useful. You typically have three lights on your computer. These lights tell you that the computer is doing something, period.

  1. Disk activity.
  2. Network activity.
  3. Power.

If you want to have any idea what your computer is doing, you’ll have to at least list the tasks it’s running. Task Manager is provided by Microsoft. Process Explorer (free), from SysInternals, provides more detail than Task Manager.

Knowing what tasks are running is a good place to start, but it’s only a start. How do you know what each task is doing? I use Filemon and Regmon (both free, and both again from SysInternals).

  • Filemon lists files, as accessed (read and / or written) by any given process.
  • Regmon lists registry values, as accessed (read and / or written) by any given process.

You can use both programs simultaneously, or either program separately, at your convenience.

  1. Open the application that interests you.
  2. Identify the application in Process Explorer, and get its PID. Maybe use the Process Finder to automatically locate the entry for any visible window.
  3. Start Filemon / Regmon.
  4. Create a filter in either application, “:PID” where PID is the PID of the application in question.
  5. Go back to your application, make the change, and watch what Filemon / Regmon displays.
  6. When you find an interesting entry in Filemon, you can double click on it, to open Windows Explorer, and display the folder containing it.
  7. When you find an interesting entry in Regmon, you can double click on it, to automatically open Regedit, and display the registry entry in question.
  8. The filter used by Filemon and Regmon is very simple, and easy to use – it’s a simple text string. If you know a process name, or file or registry path, you can filter on whatever you know. Use your imagination.
  9. Both Filemon and Regmon use a context menu (right mouse click) for displayed entries, and a toolbar with several other possibilities. Both can display changes continually (automatically scrolling as you watch), or will let you freeze the display, and manually scroll, at your convenience.

Now, besides knowing what your computer is doing right now, it is sometimes useful to know what your computer did when it started up. A lot of processes – legitimate, not legitimate, and some in between the two – are started, by other processes, when the computer starts up. Knowing how any process starts up can be important to knowing what it’s doing right now. Autoruns (another SysInternals product) and HijackThis are key tools (both free) that I use for this purpose.

And remember that most computers running Windows contain some server functionality. If your computer is on a network with other computers, sometimes knowing who else is accessing it is useful too.

Network Diagnostics Using Net Config

April 18, 2006

When you’re having a problem accessing network resources, or displaying what network resources are available, Browstat is a good starting point. To check IP connectivity settings, you use IPConfig. Sometimes, though, neither “browstat status” nor “ipconfig /all” tells you what you need to know.

Starting from the lower level of the OSI Network Model, you look at the “ipconfig /all” log, and see a network connection, identified as:

Physical Address. . . . . . . . . : 00-04-76-D7-C5-6A

IP Address. . . . . . . . . . . . : 192.168.1.50

You suspect, but you can’t tell for sure, that that same connection is identified in the “browstat status” log, as:

Status for domain WORKGROUP on transport NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}

To correlate the information provided by “browstat status” and “ipconfig /all”, or in cases where IPConfig is irrelevant (such as where IPX/SPX must be used), you can use the “net config” commands:

net config server
net config workstation

As with any other command, you run it from the Command Window, which gives you the ability to redirect the output, to a text file, for analysis later. Since you’re running 2 commands, one after the other, be sure to concatenate the output from the second after the first. Only type the command into a command window – do not do Start – Run – “net config…”.

Let’s look at “net config” from my mythical computer, “PChuck1”.

First, “net config server”.

Server Name                           \\PChuck1
Server Comment                        Primary

Software version                      Windows 2002
Server is active on                   
 NetbiosSmb (000000000000)
 NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)


Server hidden                         No
Maximum Logged On Users               10
Maximum open files per session        16384

Idle session time (min)               15
The command completed successfully.

Next, “net config workstation”.

Computer name                        \\PChuck1
Full Computer name                   PChuck1.martinez.cacroll.net
User name                            pchuck

Workstation active on                
 NetbiosSmb (000000000000)
 NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)

Software version                     Windows 2002

Workstation domain                   PChuck
Workstation Domain DNS Name          pchuck.local
Logon domain                         PChuck

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
The command completed successfully.

What does all of this tell us?

  • First,

    Computer name \\PChuck1

    PChuck1 is the name of the computer, which matches the browstat and ipconfig logs.

  • Next,

    Server is active on
    NetbiosSmb (000000000000)
    NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)

    Shows us two key items:

    • The network connection is using NetBT and SMB. This is a normal binding list.
      • If there was only an entry for “NetbiosSmb”, file sharing would work, but access by name will be a problem. Always Enable NetBT for best results.
      • If there was an entry for “NwlnkIpx” and / or “NwlnkNb”, file sharing MAY work, but irregularly.
    • The entry

      NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}

      as shown in “browstat status”, corresponds to MAC address

      000476D7C56A

      as shown in “ipconfig /all”.

  • A small, but still important detail,

    Server hidden No

    tells us that the server is intended to be visible in Network Neighborhood.

  • And some more details,

    Maximum Logged On Users 10
    Maximum open files per session 16384

    Idle session time (min) 15

    may tell us why all of the computers in the workgroup can’t access shares on the server simultaneously.

  • Finally,

    Workstation domain PChuck
    Logon domain PChuck

    Shows that this computer is a member of domain (or workgroup) PChuck, and is logged on to domain PChuck. If your domains and workstations are named with some thought, this likely indicates that the computer in question is logged in to domain PChuck. On the other hand, if we had

    Workstation domain PChuck
    Logon domain PChuck1

    then we know that this computer is a member of domain (or workgroup) PChuck; but, in this case, the computer is logged on locally, to PChuck1. Note that since you can generally logon locally to any computer, even if it’s a domain member, we still cannot tell if it’s a domain or workgroup member.

A Gratuitous Protocol

But look closely at the list of protocol bindings. If “net config server” shows us, for instance,

Server is active on                   
 NwlnkIpx (000000000001)
 NwlnkNb (0016f004143e)
 NetBT_Tcpip_{747CE691-1460-4F27-AB2F-F19C2110CCFB} (0016f004143e)
 NetbiosSmb (000000000000)

Here we see another example of the presence of IPX/SPX (“NwlnkIpx”), and of NetBEUI (“NwlnkNb”). If you’re having problems, which I presume is why you’re here, always start by removing IPX/SPX and / or NetBEUI.
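The checks described in this post, as an added example that is not part of the original post: a small Python parser that reads saved “net config” output, maps an “ipconfig /all” Physical Address to its “browstat status” transport name, and applies the binding rules given above. The function names are hypothetical, and the two inputs are constructed from the binding lists quoted in the post.

```python
import re

# Constructed inputs: the two "net config server" binding lists quoted in the post.
NORMAL = """Software version                      Windows 2002
Server is active on
 NetbiosSmb (000000000000)
 NetBT_Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F} (000476D7C56A)

Server hidden                         No
"""
EXTRA = """Server is active on
 NwlnkIpx (000000000001)
 NwlnkNb (0016f004143e)
 NetBT_Tcpip_{747CE691-1460-4F27-AB2F-F19C2110CCFB} (0016f004143e)
 NetbiosSmb (000000000000)
"""

BINDING = re.compile(r"^\s+(\S+)\s+\(([0-9A-Fa-f]{12})\)\s*$")

def parse_bindings(text):
    """Return [(transport, MAC)] from the 'active on' list of net config output."""
    bindings, in_list = [], False
    for line in text.splitlines():
        if re.match(r"(Server is|Workstation) active on", line):
            in_list = True
        elif in_list:
            m = BINDING.match(line)
            if m:
                bindings.append((m.group(1), m.group(2).upper()))
            elif line.strip():      # first other non-blank line ends the list
                in_list = False
    return bindings

def transport_for_mac(bindings, physical_address):
    """Map an 'ipconfig /all' Physical Address to its browstat transport name."""
    mac = re.sub(r"[^0-9A-Fa-f]", "", physical_address).upper()
    return [t for t, m in bindings if t.startswith("NetBT_Tcpip_") and m == mac]

def review(bindings):
    """Apply the post's rules of thumb to a binding list."""
    names = [t for t, _ in bindings]
    findings = []
    if not any(n.startswith("NetBT_Tcpip_") for n in names):
        findings.append("no NetBT binding: access by name will be a problem")
    findings += [f"{n} bound: remove this protocol first"
                 for n in names if n in ("NwlnkIpx", "NwlnkNb")]
    return findings

if __name__ == "__main__":
    b = parse_bindings(NORMAL)
    print(transport_for_mac(b, "00-04-76-D7-C5-6A"), review(b))
    print(review(parse_bindings(EXTRA)))
```
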

CPSServ (“Comprehensive PSService”) Source

April 10, 2006

Any computer running Windows Networking has certain network components and services, and requires those services to be running (generally Started and Automatic) for proper functionality. CPSServ checks your network, for the presence of those services, and their visibility from each computer.

Proper interpretation of the output from CPSServ requires identification of the version and edition of Windows, running on each computer. Computers running Windows XP Home can’t be diagnosed as well as those running Windows 2000 or Windows XP Pro.

Take the following code (everything INSIDE the “#####” lines). Please DO NOT include ANY portion of the “#####” lines. Follow instructions below, precisely.

  1. Create folder C:\Utility on your computer, and make that folder part of the Path.
  2. Download PSTools (free) from SysInternals. Copy all components of PSTools, unzipped, into C:\Utility.
  3. Open Notepad. Ensure that Format – Word Wrap is not checked. Highlight then Copy the code (Ctrl-C), precisely as it is presented below, and Paste (Ctrl-V) into Notepad.
  4. Save the Notepad file as “cpsserv.cmd”, as type “All Files”, into C:\Utility.
  5. Run it by Start – Run – “cpsserv”.
  6. Wait patiently.
  7. When Notepad opens up displaying c:\cpsserv.txt, first check Format and ensure that Word Wrap is NOT checked! Then, copy the entire contents (Ctrl-A Ctrl-C) and paste (Ctrl-V) into your next post.

Do this from each computer, please, with all computers powered up and online. Running this code from each computer will give us a more complete picture of how each computer is set up, and what each computer can see from the others. On a completely working LAN, the multiple copies produced should be symmetrical. Running this, repeatedly, would be redundant. Since you’re here, it probably won’t be for you.

##### Start CPSServ Base Code

@echo off
rem CPSServ: uses "psservice find" to look for each required service on the network,
rem and writes the results to c:\cpsserv.txt, which is then opened in Notepad.
set Version=V1.10
@echo CPSServ Comprehensive Networking Services %Version% - %computername%
@echo Start CPSServ %Version% - %computername% >c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Computer Browser ("browser").
@echo Find Computer Browser ("browser") >>c:\cpsserv.txt
psservice find browser >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find DHCP Client ("dhcp").
@echo Find DHCP Client ("dhcp") >>c:\cpsserv.txt
psservice find dhcp >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find TCP/IP NetBIOS Helper ("lmhosts").
@echo Find TCP/IP NetBIOS Helper ("lmhosts") >>c:\cpsserv.txt
psservice find lmhosts >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Remote Registry ("remoteregistry").
@echo Find Remote Registry ("remoteregistry") >>c:\cpsserv.txt
psservice find remoteregistry >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Server ("server").
@echo Find Server ("server") >>c:\cpsserv.txt
psservice find server >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find WF / ICS ("sharedaccess").
@echo Find WF / ICS ("sharedaccess") >>c:\cpsserv.txt
psservice find sharedaccess >>c:\cpsserv.txt
@echo. >>c:\cpsserv.txt
@echo Find Workstation ("workstation").
@echo Find Workstation ("workstation") >>c:\cpsserv.txt
psservice find workstation >>c:\cpsserv.txt
@echo End CPSServ %Version% - %computername% >>c:\cpsserv.txt
rem Show the collected log so it can be copied into a post.
notepad c:\cpsserv.txt

##### End CPSServ Base Code

My Principles and General Advice

April 8, 2006

Let’s see what I come up with here. Like this entire website, this article will start out small, and will probably grow. If you think this is less than useful, check back again later.

NetBIOS Over TCP/IP

April 6, 2006

Microsoft Windows, in its default state, uses TCP/IP, and NetBIOS Over TCP/IP, for networking. Sometimes, we forget this detail. NetBT is so easily overlooked, yet it is essential.

If we are looking at the output from “ipconfig /all”, and we see

        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.11
                                            192.168.1.33
        NetBIOS over Tcpip. . . . . . . . : Disabled
        Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
        Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12

Obviously, we’re going to correct that. But what if we simply see

        IP Address. . . . . . . . . . . . : 192.168.1.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.11
                                            192.168.1.33
        Lease Obtained. . . . . . . . . . : Wednesday, April 16, 2003 11:19:12
        Lease Expires . . . . . . . . . . : Wednesday, April 23, 2003 11:19:12

Do we see any problem there? Probably not. Look in the TCP/IP – Advanced Properties wizard, WINS tab. There are 3 possible settings for NetBIOS Over TCP/IP:

  • Default.
  • Enable.
  • Disable.

The last setting, Disable, becomes apparent when we see the first example above. But what if we see the second example above? Well, that display can result from either the “Default”, or the “Enable” setting. If it’s not showing Disabled, it could be either.

The Default setting, according to the wizard, is for

Use NetBIOS setting from the DHCP server.

If your LAN

  • Has a domain.
  • Has computers running only Windows 2000, Windows 2002 (aka Windows XP), and Windows 2003 (aka Server 2003).
  • Uses DNS, properly set up, for name resolution.

then you may wish to disable NetBT, and use directly hosted SMBs.

But what if your LAN has a NAT router providing DHCP services, and / or has no domain? NAT routers have no setting for NetBIOS Over TCP/IP. So, if you select “Default”, and you have a NAT router, what result do you get? If NetBT is not enabled, you have 2 possibilities.

  • If the server that you’re trying to access supports directly hosted SMBs, your client computer should connect.
  • If the server does not support directly hosted SMBs, then your client computer won’t connect. You’ll get an Error 53, most likely.

I know of several cases where folks asking for help have had strange problems with name resolution, or with file sharing access, that couldn’t be explained by Firewall Problems, or any other simple scenario.

In many cases, all that is needed is to explicitly set NetBIOS Over TCP/IP to “Enable”.

You know when you need NetBT in your network. So why not make sure that it’s configured? Don’t settle for Default; Enable it. In the TCP/IP – Advanced Properties wizard for all relevant network connections,

  • Select the radio button “Enable NetBIOS over TCP/IP”.
  • Hit OK 3 times.
  • Close Network Connections, after enabling NetBT on all relevant network connections.

Be safe – don’t settle for “Default”.
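One way to tell “Default” from “Enable” without opening the wizard, as an added example that is not part of the original post: Windows stores the choice per interface as the NetbiosOptions value (0 = Default, 1 = Enable, 2 = Disable) under HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces, and the Python below parses saved output of “reg query” on that key with /s. The registry location is not mentioned in the post, the function names are hypothetical, and the sample inputs are constructed.

```python
import re

# Constructed sample of "reg query ... /s" output; the second GUID is made up.
REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{B7E18D15-D9B1-4295-9DAD-C733C695294F}
    NetbiosOptions    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{11111111-2222-3333-4444-555555555555}
    NetbiosOptions    REG_DWORD    0x1
"""
# Constructed "ipconfig /all" fragments matching the post's two examples.
IPCONFIG_DISABLED = "        NetBIOS over Tcpip. . . . . . . . : Disabled\n"
IPCONFIG_SILENT = "        IP Address. . . . . . . . . . . . : 192.168.1.50\n"

# NetbiosOptions values, named after the wizard's three radio buttons.
SETTINGS = {0: "Default", 1: "Enable", 2: "Disable"}

def ipconfig_view(text):
    """What ipconfig can tell you: 'Disable', or an ambiguous 'Default or Enable'."""
    m = re.search(r"NetBIOS over Tcpip[ .]*:\s*(\S+)", text)
    return "Disable" if m and m.group(1) == "Disabled" else "Default or Enable"

def registry_view(reg_text):
    """Return {interface GUID: setting name} from saved reg query output."""
    result, guid = {}, None
    for line in reg_text.splitlines():
        key = re.search(r"\\Interfaces\\Tcpip_(\{[0-9A-Fa-f-]+\})\s*$", line)
        if key:
            guid = key.group(1).upper()
            continue
        val = re.match(r"\s+NetbiosOptions\s+REG_DWORD\s+0x([0-9A-Fa-f]+)", line)
        if val and guid:
            result[guid] = SETTINGS.get(int(val.group(1), 16), "Unknown")
    return result

def needs_explicit_enable(reg_text):
    """Interfaces still on Default (or Disable), i.e. not explicitly enabled."""
    return sorted(g for g, s in registry_view(reg_text).items() if s != "Enable")

if __name__ == "__main__":
    print(ipconfig_view(IPCONFIG_SILENT))
    print(registry_view(REG_OUTPUT))
    print(needs_explicit_enable(REG_OUTPUT))
```

The GUID in each key name is the same one that appears in the NetBT_Tcpip_{...} transport name shown by “browstat status” and “net config”.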

Spam Blogs – Not

April 5, 2006

I suspect that spam blogs, and blogs incorrectly identified as spam blogs, will be a problem forever. Just as spam, and email incorrectly identified as spam, will be a problem forever.

It doesn’t look like there’s any current and consistent problem right now though, at least one that’s totally up to Blogger to resolve.

But this blog isn’t going to go away. Even with no active problem, the material here is still relevant to Bloggers. And I sure as heck won’t delete this.

EDIT: I wrote the above when I was suffering from an attack of optimism. See Open Blogger Issues, for new problems popping up.

Does anybody speak for Blogger?

NOTE: If your blog has been falsely flagged, and you are suffering the pain of the word verification puzzle (aka the Captcha), you can get this resolved. Just do NOT waste time with the Blogger Help Form.

There is a special link right next to the Captcha.

My blog is not spam

Click on the link. THIS procedure is quite painless, and much faster than waiting for general assistance. I cannot describe the form, or the procedure, in any detail, as I cannot reproduce the problem. My blog was falsely flagged, it was resolved, and hopefully will never be flagged again.