Mike Howells's Blog

Just another WordPress.com site

Archive for the ‘Sysinternals’ Category

Using Sysinternals’ Process Monitor to Troubleshoot a Known Unknown

Posted by mikehowells on March 13, 2011

I was recently tasked to determine why the ASP.NET State Service would not start on a Windows 2003 Terminal Server. All I had to go by was the error message, “Error 5: Access is denied.”

Not a lot to go on...

In addition to the above error message a cryptic Event 532 was being logged in the security log of event viewer.

Asphinctersayswhat?

According to Microsoft the ASP.NET State Service provides support for out-of-process session states for ASP. ASP has a concept of session state. If this service is stopped or disabled, out of process requests will not be processed and subsequently the developers using this Terminal Server for their development work are out of business.

Ok, now what? As Donald Rumsfeld would say, “We also know there are known unknowns; that is to say we know there are some things we do not know….”

Researching either “Error 5: Access is denied” or “Event ID 532” yielded no useful results and in some cases pointed you in completely the wrong direction.

I recently watched Mark Russinovich’s on-line video titled, “Case of the Unexplained 2010,” which is an excellent tutorial on how to use the Sysinternals utility Process Monitor.

Note: Video of this webcast is listed at the end of this article.

So, what better time to put this knowledge to use and find out what is going on underneath the hood by firing-up Process Monitor.

Note: A link to the download for Sysinternals is at the end of this article.

After opening Process Monitor the first thing I did was reduce the noise by including only services.exe. After scrolling through the many results I finally hit paydirt when I saw “ACCESS DENIED” in the results column.

You can run but you can't hide from Process Monitor...

Ok, now we’re getting somewhere…

You can see in the above screenshot that the QueryOpen operation on aspnet_state.exe is successful but as soon as the operating system attempts the CreateFile operation it fails with the access denied error message.

I then opened Windows Explorer and saw that someone did something that they should not have done. A user modified the NTFS file permissions on the aspnet_state.exe file from its default permissions. You can see from the below screenshot that the user not only modified NTFS file permissions but he prevented inheritable permissions from the parent folder.  Not good…

User = FAIL

This was quickly remedied by enabling inheritable permissions from the parent folder.

I then opened Services.msc and I was able to successfully start the ASP.NET State Service.

A mechanic is only as good as the tools he has at his disposal. The Sysinternals Suite is one of those must-have tools in any IT admins toolbox.

Incidentally, I e-mailed Mark Russinovich and he will be including this in his future Case of the Unexplained presentations and in his new Sysinternals book that he is co-authoring.

Sysinternals Suite
http://technet.microsoft.com/en-us/sysinternals/bb842062

Case of the Unexplained 2010 – Mark Russinovich
http://www.msteched.com/2010/NorthAmerica/WCL315

Mark Russinovich’s Blog
http://blogs.technet.com/b/markrussinovich/

Posted in Sysinternals | 2 Comments »