LizardSystems Forum  |  General  |  Remote Process Explorer  |  Topic: Suspend Processes feature? « previous next »
Author Topic: Suspend Processes feature?  (Read 3836 times)
TammyS (Newbie, Posts: 6)
« on: June 15, 2009, 05:47:40 AM »

Hi,

I have to thank you for the great app! Lovely work!
Nice & light & does not suck resources. (especially important since I was running it on the main file server)

I just checked out this app and I love it! Priced right too!

I recently worked with someone to help locate an infected machine that was constantly dropping malware files on the main file server on the network. (~1700 computers)
I was remoted into the server, & trying to remote into 1700 boxes to find new, undetected malware was a crazy workload to think about, not to mention all the disturbance to users.
It was a fairly simple worm with no purpose other than to spread & cause a major headache trying to track down the source.
It was a bit of a unique case where several hundred users used a common login from many different systems.
This made tracking especially difficult.

I often help people fix infected computers, & it often involves networks infected with various worms and so on.
This app helped me locate the infected machine & I was able to disinfect it without disturbing the user or rebooting anyone. (it was a "mission critical machine")

Some malware will restart its process after you kill it.
I believe it would be a very useful feature if one had the ability to "suspend" a process if killing it does not work.
Quite often, once the process is suspended, you can access the target computer's c$, locate the offending file & rename it.
Then end the process.
Finally delete the file & use remote registry to remove/fix the entries pertaining to the malware file.
Often desirable when working remotely and not having to go "on site".

Anything like this possible in the not too distant future?

Thanks!

Tammy
LizardSystems (Administrator, Jr. Member, Posts: 84)
« Reply #1 on: June 16, 2009, 12:38:43 PM »

Suspending a process is a nontrivial task because Windows doesn't have a built-in function for suspending a process on a remote computer. I'm not sure we can realize it, but we'll try. Anyway, we may make a wrapper to run PsSuspend with the required parameters from Remote Process Explorer. What do you think of this?
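The suspend, rename, kill, delete, fix-the-registry sequence from the first post, driven through external PsSuspend/PsKill calls of the kind the reply above proposes, as an added example that is not part of this thread and not Remote Process Explorer's own code. It assumes the Sysinternals pssuspend.exe and pskill.exe plus reg.exe are on the PATH of the admin workstation, that the caller is a local administrator on the target, and that the Remote Registry service is running there (as it was in Tammy's setup); the host name FS01, the PID, the file path and the Run-key value name are made up for illustration. The commands are run through an injectable runner so the block can be dry-run offline.

```python
"""Added example, not LizardSystems' code: quarantine a self-restarting
process on a remote Windows host in the order the thread describes:
suspend it (so a watchdog cannot respawn it), rename its image over the
admin share, kill it, delete the file, then remove its autorun entry.
Assumes the Sysinternals PsSuspend/PsKill executables and reg.exe are on
PATH of the admin workstation and that the caller is a local admin on the
target. Host, PID, paths and value names below are constructed."""
import os
import subprocess
from typing import Callable, List, Optional, Sequence

Runner = Callable[[Sequence[str]], int]   # runs an argv, returns the exit code


def _creds(user: Optional[str], password: Optional[str]) -> List[str]:
    """PsTools credential switches; omitted when already a domain admin."""
    args: List[str] = []
    if user:
        args += ["-u", user]
        if password:
            args += ["-p", password]
    return args


def pssuspend_args(host: str, pid: int, resume: bool = False,
                   user: Optional[str] = None,
                   password: Optional[str] = None) -> List[str]:
    """pssuspend -accepteula [-r] \\\\host [-u user [-p pw]] <pid>"""
    return (["pssuspend.exe", "-accepteula"] + (["-r"] if resume else [])
            + [f"\\\\{host}"] + _creds(user, password) + [str(pid)])


def pskill_args(host: str, pid: int, user: Optional[str] = None,
                password: Optional[str] = None) -> List[str]:
    """pskill -accepteula \\\\host [-u user [-p pw]] <pid>"""
    return (["pskill.exe", "-accepteula", f"\\\\{host}"]
            + _creds(user, password) + [str(pid)])


def reg_delete_run_args(host: str, value_name: str) -> List[str]:
    """reg.exe addresses a remote hive as \\\\host\\HKLM\\... (Remote Registry)."""
    key = f"\\\\{host}\\HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    return ["reg.exe", "delete", key, "/v", value_name, "/f"]


def quarantine(host: str, pid: int, unc_exe: str, run_value: str,
               user: Optional[str] = None, password: Optional[str] = None,
               runner: Runner = subprocess.call,
               rename: Callable[[str, str], None] = os.rename,
               remove: Callable[[str], None] = os.remove) -> List[str]:
    """Carry out the steps in the thread's order; returns a log of actions."""
    log: List[str] = []

    def run(argv: Sequence[str]) -> None:
        rc = runner(argv)
        log.append(" ".join(argv))
        if rc != 0:   # assumption: PsTools/reg.exe exit non-zero on failure
            raise RuntimeError(f"{argv[0]} exited with {rc}")

    run(pssuspend_args(host, pid, user=user, password=password))   # 1. suspend
    parked = unc_exe + ".quarantined"
    rename(unc_exe, parked)     # 2. rename over the admin share, e.g. \\FS01\c$\...
    log.append(f"rename {unc_exe} -> {parked}")
    run(pskill_args(host, pid, user=user, password=password))      # 3. kill
    remove(parked)                                                 # 4. delete
    log.append(f"delete {parked}")
    run(reg_delete_run_args(host, run_value))                      # 5. autorun entry
    return log


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    def echo(argv: Sequence[str]) -> int:
        print("would run:", " ".join(argv))
        return 0
    for line in quarantine("FS01", 1234, r"\\FS01\c$\Windows\svchst.exe",
                           "svchst", user="FS01\\Administrator", password="secret",
                           runner=echo, rename=lambda a, b: None,
                           remove=lambda p: None):
        print(line)
```

The order matters: the rename happens while the process is suspended, so a watchdog thread or a second malware process cannot re-spawn the image between the kill and the delete. If the rename fails (file still locked by something else), the process is left suspended rather than resumed, which is the safer state to investigate from.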
TammyS (Newbie, Posts: 6)
« Reply #2 on: June 16, 2009, 02:08:22 PM »

Hi

Thanks for the reply.
I do like the idea of integrating PsSuspend. That, along with all the PsTools, is really good/useful as well.
Would you need someone to test it?
LizardSystems (Administrator, Jr. Member, Posts: 84)
« Reply #3 on: June 16, 2009, 03:10:14 PM »

Which PsTools do you want to be in Remote Process Explorer? All?
We'll send you a private message with a link to the beta version next week.
Thank you.
TammyS (Newbie, Posts: 6)
« Reply #4 on: June 16, 2009, 03:35:20 PM »

Hi,

PsSuspend for now will likely be OK.
I normally make use of most of the PsTools. PsExec is one of my favorites :D
I will d. check I have email enabled for private messages.

Thanks,

Tammy
LizardSystems (Administrator, Jr. Member, Posts: 84)
« Reply #5 on: June 25, 2009, 03:56:40 PM »

We added two commands: PsSuspend and PsKill. The rest of the PsTools commands will be added soon.

You may download the new version of Remote Process Explorer here:
http://lizardsystems.com/downloads/beta/rpexplorer_setup_2.1.0.20.RC1.exe

You may read about the updates here: http://lizardsystems.com/forum/index.php/topic,14.0.html

We'll be thankful for your observations and remarks.
TammyS (Newbie, Posts: 6)
« Reply #6 on: June 26, 2009, 03:57:27 AM »

Hi,

Thanks!
Sorry I missed the PM. I thought I had email notification set properly to receive email when I got a PM.
Possibly I missed it. I get a couple hundred emails a day.

I shall try it out & let you know how it works.

Recently I have had trouble with it not being able to "see" the other systems.
All my systems -- all admin-level logins.
On a router.
No firewall enabled.
"Simple file sharing" off (need it off for my enterprise AV).
NetBIOS working, remote registry on, etc.
Keep getting "RPC server not available" (RPC is in fact on and working on all systems).
No new "configuration" since it worked at first.
I can use PsTools to do stuff on other PCs, shares are available, I can use remote registry, etc., so I don't think it is a network problem.

Regards,

Tammy
LizardSystems (Administrator, Jr. Member, Posts: 84)
« Reply #7 on: June 26, 2009, 04:50:15 PM »

What OS do you have on the local computer and on the remote computers?
Do you have this problem with the new version too?
TammyS (Newbie, Posts: 6)
« Reply #8 on: June 26, 2009, 09:32:52 PM »

XP Pro everywhere. (All SP2 except one)
Yes, same problem with both versions.
It worked well the first time I used it -- it seems to "fail" after that.
No significant changes to the OS during that time.
Always the same error: "RPC server unavailable".

Regards,

Tammy
LizardSystems (Administrator, Jr. Member, Posts: 84)
« Reply #9 on: June 27, 2009, 04:53:10 PM »

This error may have many causes: required services (RPC, WMI, DCOM) are not started, the remote computer is turned off, the audit log is full, etc.

The software uses WMI for getting information.
You may check whether WMI is working using this free utility:
http://download.paessler.com/download/wmitester.zip
TammyS (Newbie, Posts: 6)
« Reply #10 on: June 27, 2009, 09:54:46 PM »

RPC, DCOM, WMI running.
I don't have auditing turned on.

Thanks for the pointer to the tool.
Error: 800706BA: The RPC server is unavailable

Googling that hinted toward DNS issues...

It was a DNS issue/conflict.  ::)
I had previously had all computers in the workgroup using my ISP's DNS. (RPE worked then)
Then I changed this computer (the one with RPE) to use OpenDNS. (it blocks a lot of bad sites, preventing some malware attacks and some advertisement junk)
I don't use RPE every day, so I never thought of/remembered anything I had changed on the network.

I changed it back & RPE works fine, as does WMItest.

PsSuspend/PsKill works awesome so far. Have not had a chance yet to try it on malware processes, but only tested on other unneeded processes.
Sweet!  ;D

Thought I would mention what was wrong in case someone else runs into the same issue. Check DNS settings on the RPE computer & the one you can't reach...

Now to have it list DLLs and handles under processes in a new window or a lower window actually listing DLLs/handles... (something like Sysinternals Process Explorer does)
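A triage helper for the "800706BA: The RPC server is unavailable" error reported in the post above, added here as an example; it is not part of the thread, of Remote Process Explorer or of the Paessler WMI tester. It decodes the HRESULT to its Win32 code, then checks the two things that found Tammy's problem: whether the target name resolves on the client (and to a LAN address, rather than something a public resolver might answer for a name it does not know), and whether TCP/135, the RPC endpoint mapper that DCOM/WMI connections begin with, is reachable. Host names and addresses are made up; the LAN-address test assumes the targets sit on an RFC 1918 network. Resolver and port probe are injectable so the block runs offline.

```python
"""Added example, not from the thread or any product in it: triage WMI/DCOM
"RPC server is unavailable" (HRESULT 0x800706BA) the way the thread did:
decode the error, check name resolution on the client, then check that the
RPC endpoint mapper (TCP/135) on the resolved address is reachable.
Host names and IPs are constructed; LAN test assumes RFC 1918 addressing."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Optional

RPC_S_SERVER_UNAVAILABLE = 1722          # Win32 error packed into 0x800706BA
RPC_ENDPOINT_MAPPER_PORT = 135           # DCOM/WMI start here, then hop to a dynamic port


def win32_from_hresult(hr: int) -> Optional[int]:
    """Undo HRESULT_FROM_WIN32: 0x8007xxxx carries the Win32 code in the low 16 bits."""
    if (hr & 0xFFFF0000) == 0x80070000:
        return hr & 0xFFFF
    return None


def resolve_name(host: str) -> Optional[str]:
    """Client-side resolution, the step that broke when the RPE box moved to OpenDNS."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def port_open(ip: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Diagnosis:
    win32: Optional[int]
    ip: Optional[str]
    port135_open: Optional[bool]
    code: str        # not_rpc | dns | dns_public | port135 | endpoint_ok
    advice: str


def diagnose(host: str, hresult: int,
             resolve: Callable[[str], Optional[str]] = resolve_name,
             probe: Callable[[str, int], bool] = port_open) -> Diagnosis:
    win32 = win32_from_hresult(hresult)
    if win32 != RPC_S_SERVER_UNAVAILABLE:
        return Diagnosis(win32, None, None, "not_rpc",
                         f"0x{hresult:08X} is not RPC_S_SERVER_UNAVAILABLE; this checklist does not apply")
    ip = resolve(host)
    if ip is None:
        return Diagnosis(win32, None, None, "dns",
                         f"{host} does not resolve on this client: check the client's DNS "
                         "servers (a public resolver cannot answer for LAN names)")
    if not ipaddress.ip_address(ip).is_private:   # assumption: targets live on RFC 1918 space
        return Diagnosis(win32, ip, None, "dns_public",
                         f"{host} resolved to public address {ip}; the resolver is answering "
                         "for a LAN name it should not know, so WMI goes to the wrong host")
    if not probe(ip, RPC_ENDPOINT_MAPPER_PORT):
        return Diagnosis(win32, ip, False, "port135",
                         f"{host} ({ip}) resolves but TCP/135 is closed or filtered: "
                         "host off, firewall, or the RPC service is not running")
    return Diagnosis(win32, ip, True, "endpoint_ok",
                     f"endpoint mapper on {host} ({ip}) answers; check the WMI/DCOM "
                     "services and DCOM permissions on the target, not the network")


if __name__ == "__main__":
    # Uses the real resolver and a real TCP probe against a made-up host name.
    print(diagnose("FS01", 0x800706BA))
```

The ordering reproduces the thread's lesson: shares, PsTools and remote registry can keep working through NetBIOS name resolution while WMI, which resolved the name through DNS on the client, fails, so "RPC server unavailable" was a name-resolution problem on the RPE machine and not an RPC problem on the targets.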
LizardSystems (Administrator, Jr. Member, Posts: 84)
« Reply #11 on: June 30, 2009, 04:49:03 PM »

Quote:
Now to have it list DLLs and handles under processes in a new window or a lower window actually listing DLLs/handles... (something like Sysinternals Process Explorer does)
We'll try to realize this feature. Thank you for your remarks.