Specialty Forums
Security and Virus
General Hardware
CPUs/Overclocking
Networking
Digital Photo/Video
Office Software
PC Gaming
Console Gaming
Programming
Database
Web Development
Digital Home

General Forums
Windows XP
Windows Vista
Windows 95/98
Windows Me
Windows NT
Windows 2000
Win Server 2008
Win Server 2003
Windows 3.1
Linux
PDAs
BeOS
Novell Netware
OpenVMS
Solaris
Disk Op. System
Unix
Mac
OS/2

Drivers
Driver Scan
Driver Forum

Software
Automatic Updates

BIOS Updates

My Computing.Net

Solution Center

Free IT eBook

Howtos

Site Search

Message Find

RSS Feeds

Install Guides

Data Recovery

About

Home
Reply to Message Icon Go to Main Page Icon

Subject: Finding out a detached process

Original Message
Name: dest_final
Date: April 21, 2005 at 02:55:07 Pacific
Subject: Finding out a detached process
OS: Open VMS
CPU/Ram: VAX
Comment:
Hello, I was trying to investigate a problem. The problem is one of the detached processes in the machine has changed the system time. When I looked into the accounting information, I found the following entry there:
DETACHED Process Termination

Username: SYSTEM UIC: [GROUPS,GRP363]
Account: <start> Finish time: 27-MAR-2005 03:02:40.27
Process ID: 00067168 Start time: 27-MAR-2005 02:00:07.66
Owner ID: Elapsed time: 0 01:02:32.60
Terminal name: Processor time: 0 00:00:24.77
Remote node addr: Priority: 4
Remote node name: Privilege <31-00>: FFFFFFFF
Remote ID: Privilege <63-32>: FFFFFFFF
Remote full name:
Queue entry: Final status code: 00000001
Queue name:
Job name:
Final status text: %SYSTEM-S-NORMAL, normal successful completion

Page faults: 3450 Direct IO: 8739
Page fault reads: 141 Buffered IO: 418
Peak working set: 22320 Volumes mounted: 0
Peak page file: 241856 Images executed: 4

Can anybody suggest a way to find which process has done it?

Thanks in advance
Final_Dest



Report Offensive Message For Removal

Response Number 1
Name: Bob Gezelter
Date: April 22, 2005 at 03:26:13 Pacific
Subject: Finding out a detached process
Reply: (edit)
Final_Dest,

Let's start at the beginning. What indications are there that this process changed the system's TOY (Time of Year) clock?

- Bob Gezelter, http://www.rlgsc.com


Report Offensive Follow Up For Removal

Response Number 2
Name: dest_final
Date: April 22, 2005 at 04:36:50 Pacific
Subject: Finding out a detached process
Reply: (edit)
Hello Bob,

Thanks for the reply. If you look at the start and the end time of the process in the following lines

Account: <start> Finish time: 27-MAR-2005 03:02:40.27
-----------
Process ID: 00067168 Start time: 27-MAR-2005 02:00:07.66
-----------
Owner ID: Elapsed time: 0 01:02:32.60
Terminal name: Processor time: 0 00:00:24.77
-----------

It started @ 02:00 and finished @ 03:02. But the CPU time elapsed is just 24 Seconds. That made me to come to a decision that the process has changed the clock. None of the other processes around this process had the possibility to change the clock.

Please let me know if you need any more information regarding this.

Thanks in advance
Final_Dest


Report Offensive Follow Up For Removal

Response Number 3
Name: Bob Gezelter
Date: April 22, 2005 at 11:02:40 Pacific
Subject: Finding out a detached process
Reply: (edit)
Final_dest,

27-MAR-2005 03:02:40.27
27-MAR-2005 02:00:07.66
Elapsed time: 0 01:02:32.60

The elapsed time difference is in the jitter/conversion imprecision range. The lack of CPU consumed means that the CPU was not fully utilized, at least by that process.

This is not indication that the time was changed, although it doesn't prove that the time was not changed.

What is the problem that you are trying to solve? If you want to move this to private email at some point, that is also not problem.

- Bob Gezelter, http://www.rlgsc.com


Report Offensive Follow Up For Removal

Response Number 4
Name: Joseph.Huber
Date: May 3, 2005 at 08:21:52 Pacific
Subject: Finding out a detached process
Reply: (edit)
Is the system located in Europe ?
Did You notice that this night (Easter Sunday) was the daylight savings time switch ?
(Don't know if it is also true for the USA or other regions).
The times makes perfectly sense in this case.


Report Offensive Follow Up For Removal

Response Number 5
Name: Joseph.Huber
Date: May 3, 2005 at 08:36:43 Pacific
Subject: Finding out a detached process
Reply: (edit)
And to answer the question how to find out more about the proces:
If Your system has Security audit enabled for detached logins, then use
ANALYZE/AUDIT/FULL/EVENT=LOGIN/SINCE=27-MAR/BEFORE=28-MAR
on the security audit file in use during that period.

Report Offensive Follow Up For Removal



Use following form to reply to current message:

   Name: From My Computing.Net Settings
 E-Mail: From My Computing.Net Settings

Subject: Finding out a detached process

Comments:

 
  Homepage URL (*): 
Homepage Title (*): 
         Image URL: 
 


Data Recovery Software



Version Tracker Pro
Keep your software current and secure, effortlessly

Click Here for a Free Scan

Driver Agent
Automatically find the latest drivers for your computer.
Click Here for a Free Scan



The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net, LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE

All content ©1996-2007 Computing.Net, LLC