Troubleshooting useless error messages with Process Monitor
windows sysinternals troubleshooting
Useless error messages
You have probably at some time or another run into an application issue where the error or log message is completely useless for troubleshooting. For example, like this:
But using the right tools, we might be able to figure out what we are being denied access to.
If you are an advanced Windows user, you should already be familiar with Windows Sysinternals. But if not, you are in for a treat!
The Sysinternals website was started by the company Winternals Software LP in 1996. Winternals was started by Mark Russinovich and Bryce Cogswell. The software suite includes utilities for managing, diagnosing, troubleshooting and monitoring Windows environments.
Winternals Software LP was acquired by Microsoft in 2006. Mark Russinovich is now the CTO of Microsoft Azure.
So I made an example script to test this scenario.
Yes, obviously this is a PowerShell script, so you could easily read the code and probably figure out the error. But it might as well be a binary throwing this useless error. Let the troubleshooting begin!
Start by installing the “sysinternals” package using Chocolatey:
Then start up Process Monitor:
This is what Process Monitor looks like when you start it up. It shows you lots of information about what is going on in your system, many thousands of events per minute, so we need to filter out some events to be able to catch our error. Use the filter button (circled in red).
Let's try to narrow down the results as much as possible. In this case, for example, we know which user will run the process and that we are looking for a result that is “ACCESS DENIED”.
In reality you might not know that it will be “ACCESS DENIED”, so then you could filter for “Result is not SUCCESS” and search from there.
Now we let Process Monitor run while we try the test script again. And look what we found!
My script is trying to do a “CreateFile” operation in a specific path. Let's check the permissions of that folder:
Aha! Clearly my user is specifically denied write access to this folder. Let's remove the entry and try again.
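The same permission check can be done from PowerShell once Process Monitor has given you the path. This is an added example, not the script from the original post; the function name `Get-DenyWriteAce` and the folder path are hypothetical placeholders.

```powershell
# Added example: list Deny entries on a path that block write access for the
# current user or any group in the user's token.
function Get-DenyWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.Principal.WindowsIdentity]$Identity =
            [System.Security.Principal.WindowsIdentity]::GetCurrent()
    )

    # SIDs to match against: the user itself plus its group memberships.
    $sids = @($Identity.User.Value) +
            @($Identity.Groups | ForEach-Object { $_.Value })

    # "Write" covers WriteData/CreateFiles, AppendData, WriteAttributes and
    # WriteExtendedAttributes, the rights a CreateFile-for-write can ask for.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

    $acl = Get-Acl -LiteralPath $Path

    # Explicit and inherited rules, with identities returned as SIDs so that
    # they compare directly with the SIDs taken from the token.
    $rules = $acl.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $rules |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $sids -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0
        } |
        Select-Object @{ n = 'Account'; e = {
                try {
                    $_.IdentityReference.Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch { '<unresolved SID>' }
            } },
            @{ n = 'Sid'; e = { $_.IdentityReference.Value } },
            FileSystemRights, IsInherited, InheritanceFlags
}

# Constructed placeholder: use the path from the ACCESS DENIED event.
Get-DenyWriteAce -Path 'C:\Temp\example-folder' | Format-List
```

An empty result means no Deny entry matched, so the denial comes from somewhere else, such as a missing Allow entry or a parent folder. `IsInherited` tells you whether the entry has to be removed on this folder or further up the tree.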
So what can we learn from this?
- There is often much more information to find if you know where to dig.
- You need to know Sysinternals!