About

I live 3/4 of my life in a debugger, remaining time with my wife & kids, and playing piano/uke for fun. Sometimes I make (usually) embarrassing cooking/music videos on YouTube.

In 2004-2005 I lived in the North East of China, in a small city called Tonghua. Nobody could pronounce my name so I used a Chinese name “陳天歌” which in Mandarin is pronounced Chen Tian Ge. Chen is a Chinese surname; a friend from Shanghai chose this name for me. Tian means sky, Ge means song. He gave me this name because I like music and “天天唱歌” (Tian Tian Chan Ge – Sing Every Day). Tian Ge can also be thought of as “song from the sky”. Now with 500+ accounts across the internet I struggled to find a standard account name that had not already been used by others. Although many accounts ‘chen tian ge’ existed, and many existed with my English name… when I put them together I found a combination that is unique to me. Unfortunately, apologies to all English speakers as you will probably find this name hard to remember & pronounce….

15 Responses to About

  1. Felix says:

    Hi chentiangemalc,

    Is there a way to find out which program initiated a pc shutdown? (and probably prevent or alter its settings?)

    Thanks

    -Felix

    • Yes, enable Process Auditing, either via group policy or gpedit.msc for just a local machine. In Windows 7 / 8 it is under Computer config -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. Audit Process Creation Success + System Events Success is a good start. If this is not successful there are more complex ways… with more info about the scenario I might have additional suggestions.

  2. bobby says:

    Hey, I found your github script for setting and disabling a proxy for ie. I think you saved me my job. I’ve been spending the last few days trying to wrap my head around winInet’s functions, and, since I have no c++ experience, was having a really hard time of it on a short deadline. I came to your blog from your github profile, specifically to say thank you, so thank you.

  3. tom says:

    Hi Chentiangemalc,

    Nothing to do with debugging but have you posted the tab to Hush a By (all the pretty horses) anywhere? It is really nice.

    Thanks

  4. Nathan says:

    Hi Chentiangemalc,

    First of all, thank you much for your hard work and wonderful tools. I’m happy to find your process hacker application since it kills a few processes that I couldn’t do with PE, nor TASKKILL /F /IM or any other method I tried. The reason why I need to do this is because I am stuck with a small application that is no longer supported and sometimes it just hangs when I run it, but when I kill a few of its related tasks and run again, it works. So my question: Is there a way for script as task (preferably by image name instead of PID since PID changes all the time) and force it to terminate? If so I can just check if the program crashes, then I could call this script and just loop it once and make it work. Crude way to solve a problem but it should solve my problem for now. Look forward to your comment. Thanks.

    Nathan

  5. chris says:

    Hi Chentiangemalc,

    I recently came across one of your old posts from a few years back regarding the “Case of the Frozen Device Driver Uninstall”.

    I use a software called DS4 Windows to play PC video games using a Playstation controller. Over the last 6 months, I didn’t realize I had a faulty Micro USB cable and what it would do is anytime the cable would bend, it would abruptly disconnect and reconnect the controller and confuse my software/system. Eventually I would get a Windows error and then my USB port and software would stop recognizing my controller. When I plugged it in, my computer would make the connected noise and the controller would light but it would never light up Blue which means the software is interacting with it. Instead, it would light up orange and then the light would go away, indicating the computer recognizes a device is plugged in but nothing much after that. Since I have multiple USB ports on my motherboard, I went through every single one until none of them worked anymore due to this issue. (important to note: I didn’t realize it was the cable at the time)

    After exhausting all the ports, what I did to resolve my issue was to uninstall every USB Driver I had through Device Manager and start over. I still didn’t realize it was the micro usb cable and thought maybe it was the usb ports. The driver uninstall method worked. I restarted my computer and all my usb ports recognized my controller with DS4 Windows software. But because I never replaced my Micro USB cable, I would get this error until I blew out all the ports once again.

    The issue for me though is that this time, when I try to uninstall the USB host controllers and composite devices, my computer hangs up and freezes. Sometimes, it’s still functioning but the system is frozen. When I press shutdown, it will look like it is powering down but it never fully powers down even though the monitor shuts off and the OS is shut down. (You can still hear the computer and see the LED lights inside the computer.) Now that I know for sure it is the Micro USB cable, I want to reset all the ports and buy a new cable so I will never have this issue again.

    The problem is I can’t seem to reset all the USB drivers… Is there anything I can do? Your post with the pictures and explanation were the only ones even close to what I was running into but it was still different. I ran out of hope and have been extremely frustrated as using the DS4 software is very important to me. This issue has caused me much grief for over 6 months and I finally figured out through process of elimination what was causing the issue.

    I would greatly appreciate your advisement and would have no issue even sending paypal donations for your time and help as I feel so hopeless and desperate. Using the PS4 controller on my PC is a big part of my life.

    Thank you for your consideration,

    Chris

    • There are ways to achieve this, but you need to use caution, as you could end up with a system in a worse state, or possibly unbootable. 1) Disable as much 3rd party s/w as possible, esp. Anti-Virus, with a tool like http://live.sysinternals.com/autoruns.exe. This may allow you to uninstall the devices with Device Manager. Could also try removing the device using the Drivers tab in Autoruns, but if you make the wrong change your system may not boot. Autoruns can recover this if run via a bootable Windows PE. 2) Drivers can be manually removed by deleting relevant reg keys under hkey_local_machine\system\currentcontrolset001\services; if you make wrong changes there is a high risk of breaking your system.

  6. Alan McRae says:

    Hi Chentiangemalc,
    Just found your website while searching for the best way to capture Windows 7 & Windows 10 from a PC for later offsite analysis. As a “smart hands” field tech who does assignments for many, many different MSP’s, I need to put together a secure mobile toolset that would let me quickly capture all the event logs from a workstation to a write protectable thumb drive, scan a local network segment to create a network diagram with hostnames, IP’s, MAC’s, etc, and quickly diagnose both PC performance issues & LAN/WAN QoS problems.

    I was first going to download your GetEventLogs.zip script and try that out in my home lab, but the script file doesn’t seem to be online anymore or it has been moved. As I have a service call tomorrow that would benefit from a fast & thorough event logs capture, it would be very helpful to the client site, a women’s health clinic, if I could securely run your script on one of their key PC’s that seems to have a small basket of performance issues that is causing a great degree of slowness.

    Any suggestions that you might offer on how to get your script up & running quickly would allow me to help these good folks in an expeditious manner.

    And thanks for all the good works that you do in your practice and in your sharing thru your website.

    Regards,

    Alan McRae

  7. Alan McRae says:

    Hi Chentiangemalc,
    I followed other users’ guidance about copying your webpage script code to notepad and changing all the ” and ‘ characters from my keyboard, and your excellent script ran perfectly. Wow! This is really going to help me tomorrow at this client site so I can throw a big net and haul in all the event logs from the troubled PC for later offsite analysis. Thank you much kind sir!

    Per my advanced troubleshooting toolkit, I’ll be testing apps like Event Log Explorer (https://eventlogxp.com/) for offsite event log analysis, Advanced IP Scanner (http://www.advanced-ip-scanner.com/) for no install network discovery, and NetworkView for quick network segment diagramming. My emphasis is on portable, no install apps that can be run from a write-protected thumb drive and the results stored on a second client-specific thumb drive – along with client management of change logs, site documentation, etc.

    Now that most businesses are running Windows 7 workstations, and XP is disappearing faster & faster, I am working on learning how to troubleshoot using the huge treasure trove of Windows 7 event logs that are on each computer. I was pleased to find that Randy Smith has documented every event in the Windows Security Log as well as SQL Server, Exchange and SharePoint audit – complete with examples, notes and tips plus a forum to ask questions. His Security Log Encyclopedia at https://www.ultimatewindowssecurity.com/securitylog/encyclopedia is a great resource to all security analysts. But I have not yet found an encyclopedic guide for utilizing all the other Windows 7 event logs – with explanations of what is actually in them and which to use for different troubleshooting problems.

    If I can’t find an encyclopedia of Windows 7 event logs online, I may just create one and open it up to the global IT community to have other techs freely access & contribute in-depth knowledge into it. More techs would probably use Windows event logs in their troubleshooting if they knew how.

    Well, thanks again for the useful tool.

    Alan McRae

  8. Steve Roe says:

    Hi chentiangemalc,
    I found your blog post “SID Resolution & Profile Issues in Windows + SidTest Utility” while searching for a solution to an issue that I’m having with an older system. The article has provided me with more info on the problem but the link “http://www.tiange.com.au/sidtest.zip” is dead. Is sidtest.zip available elsewhere? Somehow the S-1-5-19 (LocalService) key was deleted from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist and probably other registry locations as well. While sidtest may not resolve the issue, I’m hoping it or you can provide more insight which may lead to a fix. BTW – LocalService profile folder still exists intact.

    Thank you very much for your time & help,
    Steve Roe

  9. David Wells says:

    Hi Malcolm. You left w/o goodbye. Want to let me know how you all are ? Hopefully great. Br D

  10. Min Huang says:

    Hi chentiangemalc,

    Thanks for your answer in this question:
    https://reverseengineering.stackexchange.com/questions/26374/is-it-possible-to-download-program-database-pdb-files-of-microsoft-windows-bin

    But I do have a follow up question and don’t have enough reputation to comment >,< : https://reverseengineering.stackexchange.com/questions/32264/how-to-find-the-correct-guid-in-dll-to-match-its-pdb. If you know the answer, could you help me out? Thanks very much for your time.

    Min
