Post by Noel on Feb 28, 2016 15:51:05 GMT -6
Ever get to a point where you wonder whether something has been changed on your system?
Wouldn't it be great to know if yesterday a particular process or service was running?
Want to know what Microsoft might have changed without your knowledge?
If you're like me you care about whether your system is stable and running efficiently, and you tune it up to run long-term.
Meanwhile it feels like the whole rest of the world is conspiring to run more junk on your computer, and/or reconfigure it for nefarious motives.
Imagine a task that runs e.g., every day on a schedule and retrieves useful information about the state of your running Windows system, and puts it in a file.
Imagine being able to compare such information from two different runs to see what's changed. It can be an eye-opening experience.
I give you: GetTaskList.bat
Noel.ProDigitalSoftware.com/files/GetTaskList.zip
Unzip this into a folder and run the batch file in that folder (or schedule it to run there) and it will put output in a file named with the date and time in your C:\Users\YourUsername\Log folder.
This is a fairly small, straightforward batch script that, along with the packaged tools (a few from the GnuWin32 Toolkit and one I wrote) does just what I described: Creates a file that has sections showing running processes, services, modules, the current state of the scheduled tasks, and the current service configuration.
I run this every night just before 2am (my systems stay on 24/7). My output files are roughly 159 kBytes each, which is pretty small in the grand scheme, so I basically just let them accumulate.
Here is an example of the output (with quite a lot removed to save space)...
TaskList_2016_02_28_01_50_01.log:
-------------------------------------------------------------------------------------------
TaskList /V /FO:CSV /NH (processes running):
"aerohost.exe","1432","Services","0","832 K","Unknown","NT AUTHORITY\SYSTEM","0:19:22","N/A"
"atieclxx.exe","8244","Console","1","2,520 K","Unknown","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"atiesrxx.exe","956","Services","0","1,576 K","Unknown","NT AUTHORITY\SYSTEM","0:00:00","N/A"
"ClassicStartMenu.exe","18316","Console","1","2,664 K","Unknown","Noel07\Xyzzy","0:00:00","N/A"
.
.
.
-------------------------------------------------------------------------------------------
TaskList /SVC /FO:CSV /NH (services running):
"atiesrxx.exe","956","AMD External Events Utility"
"lsass.exe","824","EFS,KeyIso,SamSs,VaultSvc"
"mainserv.exe","1700","APC UPS Service"
"OSPPSVC.EXE","3232","osppsvc"
"spoolsv.exe","1444","Spooler"
"svchost.exe","1064","EventSystem,fdPHost,FontCache,netprofm,nsi,WdiServiceHost,WinHttpAutoProxySvc"
.
.
.
-------------------------------------------------------------------------------------------
TaskList /M /FO:CSV /NH (modules loaded):
"aerohost.exe","1432","ntdll.dll,KERNEL32.DLL,KERNELBASE.dll,ADVAPI32.dll,msvcrt.dll,sechost.dll,RPCRT4.dll,CRYPTBASE.DLL,bcryptPrimitives.dll,imagehlp.dll,DWMGlass.dll,SHLWAPI.dll,combase.dll,USER32.dll,GDI32.dll,UxThemeSignatureBypass64.dll,UxTheme.dll,MSIMG32.dll,ole32.dll,dbghelp.dll,SspiCli.dll,ntmarta.dll,kernel.appcore.dll,WTSAPI32.dll,WINSTA.dll"
"atieclxx.exe","8244","ntdll.dll,KERNEL32.DLL,KERNELBASE.dll,USER32.dll,GDI32.dll,ADVAPI32.dll,USERENV.dll,WTSAPI32.dll,POWRPROF.dll,SETUPAPI.dll,dwmapi.dll,ole32.dll,DIFXAPI.dll,PROPSYS.dll,SHELL32.dll,msvcrt.dll,sechost.dll,RPCRT4.dll,profapi.dll,CFGMGR32.dll,combase.dll,WINTRUST.dll,CRYPT32.dll,OLEAUT32.dll,SHLWAPI.dll,MSASN1.dll,IMM32.DLL,MSCTF.dll,UxThemeSignatureBypass64.dll,UxTheme.dll,MSIMG32.dll,dbghelp.dll,DEVOBJ.dll,WINSTA.dll,kernel.appcore.dll,CRYPTBASE.dll,bcryptPrimitives.dll,clbcatq.dll,MMDevApi.dll,SHCORE.dll,SspiCli.dll"
"atiesrxx.exe","956","ntdll.dll,KERNEL32.DLL,KERNELBASE.dll,USER32.dll,ADVAPI32.dll,WTSAPI32.dll,PSAPI.DLL,USERENV.dll,POWRPROF.dll,SETUPAPI.dll,dwmapi.dll,GDI32.dll,msvcrt.dll,sechost.dll,RPCRT4.dll,profapi.dll,CFGMGR32.dll,combase.dll,UxThemeSignatureBypass64.dll,UxTheme.dll,MSIMG32.dll,ole32.dll,dbghelp.dll,DEVOBJ.dll,WINTRUST.dll,CRYPT32.dll,MSASN1.dll,WINSTA.dll"
"ClassicStartMenu.exe","18316","ntdll.dll,KERNEL32.DLL,KERNELBASE.dll,USER32.dll,ADVAPI32.dll,SHELL32.dll,ole32.dll,ClassicStartMenuDLL.dll,SHLWAPI.dll,GDI32.dll,msvcrt.dll,sechost.dll,RPCRT4.dll,combase.dll,COMCTL32.dll,UxTheme.dll,WTSAPI32.dll,Secur32.dll,MSIMG32.dll,NETAPI32.dll,dwmapi.dll,POWRPROF.dll,OLEACC.dll,WINMM.dll,PROPSYS.dll,OLEAUT32.dll,WININET.dll,WINTRUST.dll,CRYPT32.dll,COMDLG32.dll,netutils.dll,srvcli.dll,wkscli.dll,WINMMBASE.dll,iertutil.dll,USERENV.dll,MSASN1.dll,SHCORE.DLL,cfgmgr32.dll,DEVOBJ.dll,profapi.dll,SSPICLI.DLL,LOGONCLI.DLL,IMM32.DLL,MSCTF.dll,UxThemeSignatureBypass64.dll,dbghelp.dll,kernel.appcore.dll,CRYPTBASE.dll,bcryptPrimitives.dll,SETUPAPI.dll,clbcatq.dll"
"CLOCK32.EXE","16476","ntdll.dll,wow64.dll,wow64win.dll,wow64cpu.dll"
.
.
.
-------------------------------------------------------------------------------------------
SCHTASKS /FO CSV /NH (states of all scheduled tasks):
"\Adobe Acrobat Update Task","N/A","Disabled"
"\Aero Glass","N/A","Running"
"\AMD Updater","N/A","Disabled"
"\GetTaskList Nightly","2/29/2016 1:50:00 AM","Running"
"\Hosts Compiler","2/28/2016 7:00:00 AM","Ready"
"\Nightly File Backup","2/28/2016 3:30:00 AM","Ready"
.
.
.
-------------------------------------------------------------------------------------------
SC qc (configurations of all services):
C:\TEMP>SC qc "AdobeARMservice"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AdobeARMservice
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Adobe Acrobat Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\TEMP>SC qc "AeLookupSvc"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AeLookupSvc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Experience
DEPENDENCIES :
SERVICE_START_NAME : localSystem
.
.
.
-------------------------------------------------------------------------------------------
WMIC qfe list (list of all installed updates):
Caption CSName Description FixComments HotFixID InstallDate InstalledBy InstalledOn Name ServicePackInEffect Status
http://support.microsoft.com/kb/2899189 NOELC4 Update KB2899189_Microsoft-Windows-CameraCodec-Package NoelC4\NoelC 12/11/2013
http://support.microsoft.com/?kbid=2868626 NOELC4 Security Update KB2868626 NT AUTHORITY\SYSTEM 11/13/2013
http://support.microsoft.com/?kbid=2883200 NOELC4 Update KB2883200 NT AUTHORITY\SYSTEM 11/13/2013
http://support.microsoft.com/?kbid=2887595 NOELC4 Update KB2887595 NT AUTHORITY\SYSTEM 11/13/2013
.
.
.
Please let me know what you think, and especially whether you think any additional information would be helpful to have if you're diagnosing a new issue.
-Noel
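Comparing two runs is where the value of these snapshots lies, so here is an added example of doing that comparison. It is not Noel's batch script and not part of the GetTaskList package: a Python script that parses two snapshot logs in the layout shown above (the dash rules, the TaskList/SCHTASKS CSV sections, the SC qc blocks and the WMIC qfe rows) and reports new or removed processes, services, scheduled tasks and hotfixes, DLLs that appeared in an already-running process, and changes to a service's binary path, start type or logon account. Section headers and column order are taken from the sample output; the two embedded snapshots are constructed sample data (the host name HOST1, the `updater.exe` process, the `\Updater Helper` task, `sample_injected.dll` and the relocated spooler path are invented for the demonstration), and the function names are my own.

```python
"""Diff two GetTaskList-style snapshot logs and report what changed between them.
Added example (not Noel's batch script): it reads the text layout shown in the post,
i.e. dash-separated sections of TaskList/SCHTASKS CSV rows, SC qc blocks and WMIC qfe rows."""
import csv
import re

SECTIONS = {"TaskList /V": "procs", "TaskList /SVC": "svcs", "TaskList /M": "mods",
            "SCHTASKS": "tasks", "SC qc": "sc", "WMIC qfe": "qfe"}   # header prefix -> name
SC_FIELDS = ("BINARY_PATH_NAME", "START_TYPE", "SERVICE_START_NAME")  # persistence-relevant

def split_sections(text):
    """Return {name: [lines]}; the first non-blank line after a dash rule names the section."""
    out, name = {}, None
    for line in text.splitlines():
        if line.startswith("-----"):
            name = None
        elif name is None:
            name = next((n for p, n in SECTIONS.items() if line.startswith(p)), None)
            if name:
                out[name] = []
        elif line.strip():
            out[name].append(line)
    return out

def parse(text):
    """Turn one snapshot into keyed maps so two snapshots can be set-differenced."""
    sec = split_sections(text)
    s = {"procs": {}, "svcs": {}, "mods": {}, "tasks": {}, "sc": {}, "qfe": set()}
    for r in csv.reader(sec.get("procs", [])):       # image -> accounts it runs as
        s["procs"].setdefault(r[0].lower(), set()).add(r[6])   # PIDs change, so ignore them
    for r in csv.reader(sec.get("svcs", [])):        # service -> hosting image
        s["svcs"].update((svc, r[0].lower()) for svc in r[2].split(","))
    for r in csv.reader(sec.get("mods", [])):        # image -> set of loaded DLLs
        s["mods"][r[0].lower()] = {m.lower() for m in r[2].split(",")}
    for r in csv.reader(sec.get("tasks", [])):       # task path -> status
        s["tasks"][r[0]] = r[2]
    cur = None
    for line in sec.get("sc", []):                   # "KEY : value" lines per service
        m = re.match(r"\s*(\w+)\s*:\s*(.*)$", line)
        if m and m.group(1) == "SERVICE_NAME":
            cur = s["sc"].setdefault(m.group(2).strip(), {})
        elif m and cur is not None and m.group(1) in SC_FIELDS:
            cur[m.group(1)] = m.group(2).strip()
    for line in sec.get("qfe", []):                  # one KBnnnnnn per row
        m = re.search(r"\bKB\d+", line)
        if m:
            s["qfe"].add(m.group(0))
    return s

def diff_snapshots(old_text, new_text):
    """Return change lines between two snapshots; an empty list means nothing changed."""
    a, b = parse(old_text), parse(new_text)
    out = []
    for kind, label in (("procs", "process"), ("svcs", "service"), ("tasks", "task"),
                        ("sc", "service config"), ("qfe", "hotfix")):
        out += [f"NEW {label}: {k}" for k in sorted(set(b[kind]) - set(a[kind]))]
        out += [f"GONE {label}: {k}" for k in sorted(set(a[kind]) - set(b[kind]))]
    for kind, label in (("svcs", "service host"), ("tasks", "task state")):
        for k in sorted(set(a[kind]) & set(b[kind])):
            if a[kind][k] != b[kind][k]:
                out.append(f"CHANGED {label}: {k} {a[kind][k]} -> {b[kind][k]}")
    for img in sorted(set(a["mods"]) & set(b["mods"])):   # a DLL that was not there before
        out += [f"NEW module in {img}: {m}" for m in sorted(b["mods"][img] - a["mods"][img])]
    for svc in sorted(set(a["sc"]) & set(b["sc"])):       # binary path / start type / account
        for f in SC_FIELDS:
            if a["sc"][svc].get(f) != b["sc"][svc].get(f):
                out.append(f"CHANGED {svc} {f}: {a['sc'][svc].get(f)} -> {b['sc'][svc].get(f)}")
    return out

def sample_log(extra_proc="", lsass_mods="ntdll.dll,KERNEL32.DLL,lsasrv.dll", extra_task="",
               spooler_path=r"C:\Windows\System32\spoolsv.exe", extra_qfe=""):
    """Constructed snapshot in the post's layout (sample data, not a real capture)."""
    sep = "-" * 91
    return "\n".join([
        sep, "TaskList /V /FO:CSV /NH (processes running):",
        r'"lsass.exe","824","Services","0","9,000 K","Unknown","NT AUTHORITY\SYSTEM","0:00:05","N/A"',
        r'"spoolsv.exe","1444","Services","0","5,100 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"',
        extra_proc, sep, "TaskList /SVC /FO:CSV /NH (services running):",
        '"lsass.exe","824","EFS,KeyIso,SamSs,VaultSvc"', '"spoolsv.exe","1444","Spooler"',
        sep, "TaskList /M /FO:CSV /NH (modules loaded):", f'"lsass.exe","824","{lsass_mods}"',
        sep, "SCHTASKS /FO CSV /NH (states of all scheduled tasks):",
        r'"\Nightly File Backup","2/28/2016 3:30:00 AM","Ready"', extra_task,
        sep, "SC qc (configurations of all services):", r'C:\TEMP>SC qc "Spooler"',
        "[SC] QueryServiceConfig SUCCESS", "SERVICE_NAME: Spooler",
        "TYPE : 110 WIN32_OWN_PROCESS (interactive)", "START_TYPE : 2 AUTO_START",
        f"BINARY_PATH_NAME : {spooler_path}", "SERVICE_START_NAME : LocalSystem",
        sep, "WMIC qfe list (list of all installed updates):",
        r"http://support.microsoft.com/?kbid=2868626 HOST1 Security Update KB2868626 NT AUTHORITY\SYSTEM 11/13/2013",
        extra_qfe])

OLD_LOG = sample_log()     # "yesterday"
NEW_LOG = sample_log(      # "today": new process, injected DLL, new task, moved service binary, new KB
    extra_proc=r'"updater.exe","5012","Console","1","3,000 K","Unknown","Noel07\Xyzzy","0:00:00","N/A"',
    lsass_mods="ntdll.dll,KERNEL32.DLL,lsasrv.dll,sample_injected.dll",
    extra_task=r'"\Updater Helper","3/1/2016 2:00:00 AM","Ready"',
    spooler_path=r"C:\Users\Public\spoolsv.exe",
    extra_qfe=r"http://support.microsoft.com/?kbid=2883200 HOST1 Update KB2883200 NT AUTHORITY\SYSTEM 3/1/2016")

if __name__ == "__main__":
    print("\n".join(diff_snapshots(OLD_LOG, NEW_LOG)))
```

To use it on real captures, read two of the dated log files into strings in place of OLD_LOG and NEW_LOG. The items it flags are the ones worth chasing first: a service whose BINARY_PATH_NAME moved out of System32, a DLL newly loaded into lsass.exe, or a scheduled task that was not there yesterday is how most persistence shows up in exactly this kind of data, and they are easy to miss in a 159 kByte file without a diff.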