Servers

A Licence To Kill: Slow Logons And Malware

Day 4 of TechEd 2013 sees our guest blogger and competition winner Adam Webster focus on troubleshooting, highlighting tools for tackling malware and slow logons. Also: a new hat is in evidence.

Today had us arrive at day 4 of TechEd and sadly today is the last day. It seems after four days of being in this wonderful city that my body has finally adjusted to the time zone and as a result I managed to get a solid eight hours sleep. Last night myself and some other members of the Lifehacker team ventured out to the French Quarter and I even managed to get myself a groovy hat! As for TechEd itself, today I focused on the topic of troubleshooting. Both Windows performance issues and malware (yes malware).

One of the common problems organisations have had to deal with for years is slow logon and it doesn’t seem to have gone away. IT departments need to be proactive in dealing with these issues. There have been many occasions where I recall getting that phone call from a user who is sitting in front their computer waiting for the desktop to load. Performing IT support can be hard enough without having to deal with these calls first thing in the morning. It’s also important to consider how much time is wasted in dealing with these issues and how much it costs organisations in productivity losses each year — that figure would be scary!

Today I’ll share with you some tools I rediscovered which can help you deal with these issues. I’ll also highlight some ways you can deal with malware.

When we talk about malware, all of us at some point or another have had the unfortunate experience of having deal with it. Don’t you just love it when you get invited over to a friend’s house and before you know it you’re sitting on their computer having to deal with some malicious software infection? Of course to them they have no idea how it got there and are at a loss to explain those suspicious sites appearing in the browsing history . . .

When we talk about slow logons there is a bit of a misconception about what is considered normal and what isn’t. Organisations really need to set themselves a baseline otherwise it makes it near impossible to determine what’s realistic and what isn’t. If someone calls your helpdesk advising that it has taken five minutes for a machine to start what would you do? Ask them to restart and call back again if it still happens? (Most would).

I received some useful insights this morning on the Windows login process and ways to deal with slow logon times. In a nutshell, if we look at the Windows login process it’s best to look at it as a staged approach; BIOS, OS Loader, Kernel Initialisation, Session Initialisation, Winlogon Initialisation, Explorer
Initialisation followed by Post Boot Activity. All those tasks happen before a user can arrive at their desktop. A lot happening isn’t there?

Each of these tasks play a different role in the boot process, OS Loader (Winload.exe) is responsible for loading system drivers and preparing the system so that the Windows Kernel can be executed. Post boot activity on the other hand starts Windows services, tray icons and other application code in the background. It’s important to remember that it should be about performance and productivity. Many of the typical slow logon issues are due to logon scripts, Group Policy misconfigurations and non-compatible drivers.

If you’re someone who’s hasn’t yet found a way to deal with the slow logonn problem then I suggest heading over to the Microsoft site and download the Windows Assessment Deployment Kit (ADK). The ADK contains two useful tools, the Windows Performance Recorder (WPR) and a Windows Performance Analyzer (WPA). The first step is to enable tracing using the WPR. This is done by a simple GUI where you can initiate a startup/shutdown sequence and can capture system information, application behavior and resource usage. Once the trace is finished you can view the trace file using WPA.

WPA is also a GUI interface but will display useful graphs and tables so you can start analyzing potential issues. After seeing both these tools I was surprised at the simplicity. Windows ADK will work with Windows 8, 7 (SP1) and the later releases of Windows Server (2008/2012). If you’re using anything prior to this then you’ll need to look at xperf to capture the tracing and then xperfview to view the results. The Windows ADK and xPerf are kernel mode monitoring tools and are designed to look at the main component of the operating system. Give these tools a go and see where you end up. Organisations need be more proactive (not reactive) in dealing with performance issues and slow boot times.

Today I also attended a session on dealing with malware and how to solve malware problems using Microsoft’s sysinternals toolset. This was presented by the guru that is Mark Russinovich. Sysinternals has been around since the mid 1990s and provides users the ability to manage, monitor, diagnose and troubleshoot different Windows environments. It can also be used alongside the tools I mentioned above to troubleshoot performance issues, but it should be used to focus on post-boot issues. If you’re dealing with issues like Explorer not responding then sysinternals can be very useful.

The sysinternals toolset, as Mark Russinovich explained, provides users with a ‘licence to kill’. You don’t always have to reimage and rebuild a machine to overcome common malware issues. It can take some time for malware to get detected and this is mainly because it takes time for antivirus providers to update their signatures and send them out. Sysinternals provides over 50 tools but from a malware perspective there are three I imagine would be most useful: Process Explorer, Autoruns and Process Monitor. While I’ve used all these tools before I wasn’t aware of the full capability they can provide.

Process Explorer is Task Manager on steroids and very useful as it will provide a lot more detail about processes, including risk (captured by colour), company and digital signature. The advice from Mark is to always be wary of a process that doesn’t have a company, description or digital signature and always check processes running from the Windows, System32 and Program directory as often malware will hide in a legitimate process. Once you’ve identified something the next step is to clean it. If you attempt to delete it first most of them will just come back so always remember to suspend a suspicious process first before you delete it. Once you’ve removed it you need to stop it from starting. Avoid using msconifg and focus on Autoruns. Autoruns will show everything that is set to autostart and provides the option of filtering so you can hide components you’re not concerned with.

Process Explorer on the other hand will provide detail on which processes (handle and dll’s) have been run. Malware unfortunately isn’t something that is going away and having to deal with it is going to get much harder.

Today has quickly come to an end. Using these tools will help users and staff deal with performance issues and malware on Windows platforms. Both demonstrations highlighted how easy they can be used. It is however important to adopt a problematic approach. Build yourself some confidence and then try and resolve the issue. Don’t be afraid!

Visit Lifehacker’s World of Servers Newsroom for all the latest news from TechEd North America 2013. And don’t forget: TechEd is coming to Australia in September. Click here for more information.


Have you subscribed to Lifehacker Australia's email newsletter? You can also follow us on Facebook, Twitter and YouTube.