    Running Application Audit

    IT Discussion | 4 Posts, 3 Posters, 778 Views
    • s.hackleman:
      I have a mystery application running on a Windows 2000 Pro server. I know it is getting data from a remote source somewhere and putting it somewhere local. I also know it is critical, can not be stopped, or data will be lost. I am looking for minimal impact ways of seeing what this process is doing, where it is connecting, etc. I would like to install Wireshark on the system and just watch the network traffic, but that may be a little too intrusive. Working in a live manufacturing environment, so downtime is a no no. Any ideas?

      • dafyre (replying to s.hackleman):
        IIRC even the older versions of Wireshark / Ethereal do not require a reboot when installing the WinPCAP drivers.

        Perhaps using something like Process Monitor from Sysinternals would help?

        Link to older copy of Procmon for Server 2000-ish... http://web.archive.org/web/20100201154222/http://download.sysinternals.com/Files/ProcessMonitor.zip

        Edit: It may require Windows 2000 SP4.

        • DustinB3403:
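        Once Procmon has been capturing on the box for a while, the low-impact next step is to export the trace as CSV (File > Save) and reduce it off the production machine. The script below is an added example and is not part of this thread or of Sysinternals' own tooling: it takes a Procmon CSV export, filters to one process name, and summarises the remote endpoints it talked to, the files it wrote (with bytes written), and any operations that failed. The column layout ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and the "local -> remote" form of the Path column on network events are assumed to match Procmon's default CSV export; the sample rows, the process name collector.exe, and every path and address in them are constructed for the example.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample of a Procmon CSV export. Column names are assumed to
# match Procmon's default columns; the rows, process name, paths and
# addresses are invented to stand in for a mystery process on the box.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:01.1234567 AM","collector.exe","1432","TCP Connect","WIN2K:1051 -> 10.20.30.40:502","SUCCESS","Length: 0"
"9:15:01.2234567 AM","collector.exe","1432","TCP Receive","WIN2K:1051 -> 10.20.30.40:502","SUCCESS","Length: 256"
"9:15:01.3234567 AM","collector.exe","1432","CreateFile","C:\\PlantData\\line3\\20240101.csv","SUCCESS","Desired Access: Generic Write"
"9:15:01.4234567 AM","collector.exe","1432","WriteFile","C:\\PlantData\\line3\\20240101.csv","SUCCESS","Offset: 0, Length: 256"
"9:15:01.5234567 AM","collector.exe","1432","RegQueryValue","HKLM\\SOFTWARE\\Vendor\\Collector\\Server","SUCCESS","Type: REG_SZ"
"9:15:02.1234567 AM","collector.exe","1432","UDP Send","WIN2K:3000 -> 10.20.30.41:5005","SUCCESS","Length: 64"
"9:15:02.2234567 AM","collector.exe","1432","CreateFile","C:\\PlantData\\line3\\20240101.csv","NAME NOT FOUND","Desired Access: Read"
"9:15:02.3234567 AM","svchost.exe","812","TCP Receive","WIN2K:445 -> 10.20.30.9:3389","SUCCESS","Length: 1024"
"9:15:02.4234567 AM","collector.exe","1432","WriteFile","C:\\PlantData\\line3\\20240101.csv","SUCCESS","Offset: 256, Length: 128"
"""

# Procmon operation names for network and file-write events.
NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}
WRITE_OPS = {"WriteFile"}

# Assumed "local -> remote" layout of the Path column on network events.
ENDPOINT_RE = re.compile(r"^(?P<local>\S+) -> (?P<remote>\S+)$")


def parse_procmon_csv(text):
    """Read a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _length(detail):
    """Pull the 'Length: N' byte count out of a Detail column, 0 if absent."""
    m = re.search(r"Length: (\d+)", detail)
    return int(m.group(1)) if m else 0


def audit_process(rows, process_name):
    """Summarise what one process did during the capture.

    Returns a dict with:
      endpoints     Counter of (protocol, remote host:port) -> event count
      files_written path -> total bytes successfully written
      failed        list of (operation, path, result) that did not succeed
    """
    endpoints = Counter()
    files_written = defaultdict(int)
    failed = []
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue  # other processes on the box are noise here
        op, path, result = row["Operation"], row["Path"], row["Result"]
        if op in NETWORK_OPS:
            m = ENDPOINT_RE.match(path)
            if m:
                endpoints[(op.split()[0], m.group("remote"))] += 1
        elif op in WRITE_OPS and result == "SUCCESS":
            files_written[path] += _length(row["Detail"])
        elif result != "SUCCESS":
            failed.append((op, path, result))
    return {
        "endpoints": endpoints,
        "files_written": dict(files_written),
        "failed": failed,
    }


if __name__ == "__main__":
    report = audit_process(parse_procmon_csv(SAMPLE_CSV), "collector.exe")
    print("Remote endpoints:")
    for (proto, remote), n in sorted(report["endpoints"].items()):
        print(f"  {proto} {remote}  ({n} events)")
    print("Files written:")
    for path, nbytes in sorted(report["files_written"].items()):
        print(f"  {path}  ({nbytes} bytes)")
    print("Failed operations:")
    for op, path, result in report["failed"]:
        print(f"  {op} {path}: {result}")
```

        Running it against a real export is the same call with the file contents in place of SAMPLE_CSV. Failed operations are worth keeping in the report: a process that repeatedly opens a path that does not exist, or a registry value the vendor install never wrote, is often the clearest hint of where it expects its configuration or output to be.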

          If the system has files being written you could use something like jDiskReport and see where the files are being written.

          It's not a live report, but you could compare reports after running it a few times and see if you can find where the files are getting written to.

          • s.hackleman (replying to dafyre):

            @dafyre This did it, the old version of Procmon was perfect.
