Week 7 Processes and Disk Lab - FlameSpyro/Tech-Journal GitHub Wiki

SYS140 - Week 7

Instructions: (Follow instructions carefully!)

Your submission will be in GitHub. If you copy and paste the questions below with asterisks, it will automatically bold those questions for you.

Suggestion: put the questions and answers in a separate document and then post to a GitHub page when you are done.

Reminder that the use of GitHub is so you can create a portfolio of your work and always have access to the information. You’ll be using GitHub in other classes in this program for the remainder of your academic career.

Preparation

Login to your Windows 10 VM and use the AVG Secure Web Browser to download the tools for this lab. Download and run the tools and answer the questions for each tool. The download site for SysInternals is https://docs.microsoft.com/en-us/sysinternals/. You will have to navigate through the site to find each of the tools below.

Objective

In this lab you run some of the Windows Sysinternals tools dealing with processes, files and disks. Before running the tools you should read the pertinent sections in the Windows Sysinternals Administrator's Reference book (you will be prompted to enter your Champlain credentials to access the e-book).

Processes

Process Explorer

DISCUSSION: Sometimes it is necessary to look at what is happening with processes that are running on Windows. Viewing the running processes and determining which ones are using the most CPU and memory is a very common task. Some rogue malware may use a lot of CPU, but that is mostly the aggressive fake AV and ransomware. Malware written by professionals may not be so easily detected and may use hardly any CPU. Spambots can send dozens of emails in a few seconds without any noticeable performance problems.

There have been times when an svchost.exe process was using 99% of the CPU at startup, but there were about 30 svchost processes running. How do you tell what is really going on? Process Explorer is a great tool to use.

Run Process Explorer with administrative rights in your Windows 10 VM. Answer the following questions. Be sure you have the text in bold below in your GitHub submission AND the answer underneath.

Process Explorer

**1. Which process (other than System Idle) is using the most CPU? (Click on the CPU column to sort by the most used.) How much is it using?** NOTE: This will change in real time, so use whatever is showing up the most often. NOTE: System Idle Process is not a real process. It shows how idle your processor is on the system.

The program that is constantly taking up the CPU is Google Chrome, at around 20% of the CPU.

**2. Which process is using the most memory (Private Bytes and Working Set combined)? How much of each?**

Google Chrome also takes up the most memory at about 1,100,5 MB.

**3. What are “Private Bytes” and “Working Set”? How are those relevant to the question in this assignment?**

A working set is the set of memory pages used recently by the threads in the process; the system can either keep unused pages or trim active pages above the threshold. Private Bytes is the size of memory that a process contains which cannot be shared. These two terms are relevant because their purposes are heavily involved with the programs you currently have running: working sets hold or trim pages depending on the amount of space programs are taking up, while Private Bytes is the size of memory a process has to itself.

CITE the source(s) where you found the response to the question above. https://stackoverflow.com/questions/1984186/what-is-private-bytes-virtual-bytes-working-set

**4. What options does Process Explorer offer that Task Manager does not?**

Process Explorer offers much more information overall on what is currently running and shows more processes than Task Manager.

Autoruns

DISCUSSION: There are a lot of programs that autostart when you load Windows. Some are required, but others are loaded by the manufacturer that you didn’t even know existed.

Malware, the garden-variety kind, will put itself into a startup location so it can be reactivated on a reboot, so this tool is useful for capturing that information.

Preparation

Download Autoruns on your Windows 10 VM.

Extract and run the Autoruns file (Autoruns64) and select the Everything Tab.

Be sure you have the text in bold below in your GitHub submission AND the answer underneath.

Autoruns

**1. Look through the entries.**

**2. Click the Logon tab. How many “Auto Entry” results do you see?**

**3. Look through all of the entries that start up at Logon. Find three to do some research on. What information can you find out about those processes after performing an online search?** NOTE: This is to help you start the process of learning how to analyze your computer system.

First, there is QuickSet, which is a pre-installed process on Dell computers and allows you to change power management settings. Second, there is IAStorIcon, which is a file that is part of Intel's Rapid Storage Technology software and gives messages related to the storage on the computer. Finally, WavesSVC is a part of the Windows operating system and is used for audio purposes.

CITE the source(s) where you found the response to the question above.

QuickSet: https://www.neuber.com/taskmanager/process/quickset.exe.html#:~:text=quickset.exe%20is%20a%20process,power%20savings%2C%20especially%20on%20notebooks.

IAStorIcon: https://www.lifewire.com/iastoricon-exe-4588230#:~:text=IAStorIcon.exe%20is%20a%20file,Storage%20Technology%20(RST)%20software.&text=This%20EXE%20file%20sits%20in,are%20connected%20to%20the%20computer.

WavesSVC: https://www.registry-programs.com/process/list/wavessvc.exe.html

**4. Right-click on a startup entry. What options are available to you? What do they mean?** In the screenshot below, I did a right-click on the entry “Java”. The question “What do they mean?” is asking what the options in the context menu mean (“Delete”, “Copy”, etc.).

Copy adds the image path of the Autoruns entry to your clipboard. Delete simply deletes the autorun from the list. Jump to Entry and Jump to Image take you to the entry's Registry Editor location and the file's directory location, respectively. VirusTotal checks for any viruses, and Verify Image checks whether there are any errors. Search Online opens a browser with the entry's name as the search. Find opens a search bar to find anything in the program's capabilities. Finally, Properties opens the properties tab for the selected entry.

**5. Export the results of Autoruns into a CSV file. Upload the CSV file as a separate file when you submit your link for this assignment.**

NOTE: Why is it important to save the data to a CSV file? Comma-separated Values (CSV) provides a format that makes it easy to view the data in a spreadsheet so it can be sorted and searched. CSV also provides a unified format to make it easy to parse using scripting and programming languages. NOTE: Even though it is called “Comma-separated Values,” you can have the data separated by other values besides a comma.

Take a moment to look inside the file to see the formatting.
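The kind of scripted parsing the note above refers to, as an added example that is not part of the lab or of Autoruns itself: it reads a constructed CSV in the shape of an Autoruns export (the column names are assumed to match the export), counts the Logon entries per autostart location, and lists the entries whose image is not Authenticode-verified, which are the ones worth researching first.

```python
import csv
import io
from collections import Counter

# Constructed sample shaped like an Autoruns CSV export (column names are assumed
# to match the export; the rows are invented, including the unsigned "Updater").
SAMPLE_AUTORUNS_CSV = r'''Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,QuickSet,enabled,Logon,System-wide,Dell QuickSet,(Verified) Dell Inc,Dell Inc,c:\program files\dell\quickset\quickset.exe,"C:\Program Files\Dell\QuickSet\quickset.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IAStorIcon,enabled,Logon,System-wide,Intel RST tray icon,(Verified) Intel Corporation,Intel,c:\program files\intel\iastoricon.exe,"C:\Program Files\Intel\IAStorIcon.exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,User,,(Not verified) Unknown Publisher,,c:\users\student\appdata\roaming\updater.exe,"C:\Users\student\AppData\Roaming\updater.exe"
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,Scheduled Tasks,System-wide,Defragment drives,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\defrag.exe,"%windir%\system32\defrag.exe -c -h -k -g"
'''


def load_autoruns(text):
    """Parse the CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def logon_entries(rows):
    """The rows the Autoruns 'Logon' tab would show (question 2)."""
    return [r for r in rows if r["Category"] == "Logon"]


def count_by_location(rows):
    """How many entries each autostart location (Run key, task folder, ...) holds."""
    return Counter(r["Entry Location"] for r in rows)


def unverified(rows):
    """Entries whose image is not Authenticode-verified: the ones to research
    first (question 3), because legitimate vendors almost always sign."""
    return [r for r in rows if not r["Signer"].startswith("(Verified)")]


if __name__ == "__main__":
    rows = load_autoruns(SAMPLE_AUTORUNS_CSV)
    logon = logon_entries(rows)
    print(f"{len(logon)} Logon entries")
    for loc, n in count_by_location(logon).items():
        print(f"  {n}  {loc}")
    for r in unverified(rows):
        print(f"UNVERIFIED: {r['Entry']} -> {r['Image Path']} ({r['Signer'] or 'no signer'})")
```

To run it on your own export, replace the constructed string with the contents of the CSV you saved in step 5.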

Disk Utilities

DISCUSSION: Have you ever found that your hard drive is running out of space and you can’t figure out which directory is using the most data? Du can come to your rescue, but you need to run it from the command prompt.

Be sure you have the text in bold below in your GitHub submission AND the answer underneath.

**DU**

Preparation:

**1. Download DU from the Sysinternals website.**

**2. Open the folder where you extracted the du program. In the address bar of File Explorer, type:**

cmd

and that will open the command prompt in the current directory to complete this lab.

**Paste the following line into the command prompt:**

du -c "c:\Program Files\*"

**3. What information does this give you? How useful is this? (1 point)**

A pop-up for the license terms shows up. Choosing Accept displays the following.

Path,CurrentFileCount,CurrentFileSize,FileCount,DirectoryCount,DirectorySize,DirectorySizeOnDisk
"c:\program files*",1,174,19884,2759,6775727493,6356160512

**4. Add a 2-level search by adding "-L 2" to the command line after the command you typed in #2.**

**5. Is this more useful? How would you use this tool to track down where your disk is filling up?**

No, as the second part of the information gives an extra line about c:programfiles and a bunch of numbers. This new command almost cuts it off.
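One way to make the multi-level du output answer question 5, as an added example that is not part of the lab or of the du tool: it parses a constructed sample in the shape of the `-c` CSV output (the header and the first row are the ones shown above, the sub-directory rows are invented), ranks the sub-directories by DirectorySize, and prints each one's share of the root so the directory that is filling the disk stands out.

```python
import csv
import io

# Constructed sample shaped like `du -c -l 2` output: the header and the first
# row are the ones shown in the lab, the sub-directory rows are invented.
SAMPLE_DU_CSV = r'''Path,CurrentFileCount,CurrentFileSize,FileCount,DirectoryCount,DirectorySize,DirectorySizeOnDisk
"c:\program files\*",1,174,19884,2759,6775727493,6356160512
"c:\program files\Google",0,0,9000,400,3200000000,3000000000
"c:\program files\Google\Chrome",0,0,8800,350,3100000000,2900000000
"c:\program files\Common Files",3,1200,800,40,524288000,525000000
"c:\program files\Windows Defender",12,400000,150,10,98000000,99000000
'''


def load_du(text):
    """Parse du -c output; sizes are bytes, so cast the numeric columns to int."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "path": r["Path"],
            "files": int(r["FileCount"]),
            "size": int(r["DirectorySize"]),           # logical bytes in the tree
            "on_disk": int(r["DirectorySizeOnDisk"]),  # allocated bytes (clusters)
        })
    return rows


def human(n):
    """Render a byte count as e.g. '6.3 GB' so the ranking is readable."""
    for unit in ("B", "KB", "MB", "GB", "TB"):
        if n < 1024:
            return f"{n:.1f} {unit}"
        n /= 1024
    return f"{n:.1f} PB"


def largest(rows, n=3):
    """Sub-directories ranked by DirectorySize, excluding the queried root
    (the first row), which always dominates because it contains the rest."""
    return sorted(rows[1:], key=lambda r: r["size"], reverse=True)[:n]


if __name__ == "__main__":
    rows = load_du(SAMPLE_DU_CSV)
    print(f"root: {rows[0]['path']}  {human(rows[0]['size'])} ({rows[0]['files']} files)")
    for r in largest(rows):
        share = 100 * r["size"] / rows[0]["size"]
        print(f"{human(r['size']):>10}  {share:4.1f}%  {r['path']}")
```

Because a sub-directory's bytes are included in its parent's total, read the ranking top-down: a large entry right under a large parent is the same data, not a second problem.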