My First experience with MS SysInternal Tools

Finally, my organization decommissioned the Cisco VPN, and I had no choice but to move to the Pulse Secure VPN.

To start with, I reached out to our local Windows admin, and he shared the installer and a document for installing and configuring Pulse VPN.

I followed the document both in letter and spirit (pun intended) and configured my account. Feeling confident that I had followed all the steps, I typed in the URL and was immediately asked for credentials and later an OTP. After typing the OTP I was redirected to a VPN website. After gazing at the website, it dawned on me that I now had to click on the start button adjacent to Pulse Secure.

After clicking, I was prompted to download the application, which I did again, and then was again asked to install it, which I promptly did.

After clicking I waited, and then I waited some more, and finally the dreaded message appeared:

“pulse secure the server configuration requires the application to be pre-installed on your machine”

So like all engineers, I started my troubleshooting journey by opening Google and typing the error message verbatim. Close to 1 hour of going through blogs and websites brought no luck. After doing all the steps again and restarting my laptop a couple of times, I pinged my colleagues for help. After getting helpful advice ranging from formatting my laptop to switching jobs, I realized that I had to figure this out on my own.

So with trembling hands I typed sysinternal tools into Google and downloaded the zip file. After working on Unix systems for more than a decade, this was the first time I was going to troubleshoot anything with Sysinternals tools. After downloading and extracting the zip file, I started Process Explorer to check whether any new processes were starting.

As soon as I replicated the issue, I could see the PulseSetupClient.exe process starting and staying alive even after I dismissed the error message dialogs.

My first thought was to kill the process and check if that resolved the issue. Unfortunately, even after killing the process and launching the application multiple times, the issue remained.

Now it was time to move to the next step: Process Monitor.

Starting Process Monitor and replicating the issue gave me a log file with 78912 events. So next was to trim down the number of events. To do that I clicked on the search button and immediately came to a line with PulseApplicationLauncher.exe.

Next, I right-clicked on PulseApplicationLauncher.exe and selected it as a filter, and suddenly I was down to 10k events.

Going through the first 3 lines, we can see that PulseApplicationLauncher.exe starts, then creates a thread and launches the exe from AppData Roaming.

After glancing through the trace file for a few minutes, nothing caught my eye, so I filtered the log further by excluding Success from the status. This reduced the events to 2k. After scrolling through the events, the following caught my eye:

5:26:10.7855239 PM PulseApplicationLauncher.exe 8608 QueryInformationVolume C:\Users\bhardwaj_v\AppData\Local\Pulse Secure\Logging\debuglog.log

And voila, now I had the path to a log named debuglog.log under AppData\Local. I immediately opened the log file and started going through it.

The first line that caught my attention showed that the application verifies the exe before launching it:

dsVerifyHelper.cpp:283 — ‘DSVerifyHelper’ Enter: C:\Users\bhardwaj_v\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

dsVerifyHelper.cpp:283 — ‘DSVerifyHelper’ Enter: C:\Users\bhardwaj_v\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe

00249,09 2020/12/14 17:26:04.717 1 bhardwaj_v PulseApplicationLauncher.exe PSAL p8608 t2A04 dsVerifyHelper.cpp:283 — ‘DSVerifyHelper’ File C:\Users\bhardwaj_v\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe is signed by trusted entity and CA

Next it is going to launch PulseSetupClient.exe, or connect to it if it is already running. This explains the PulseSetupClient.exe we saw in Process Explorer.

dsInvokeSetupClient.cpp:406 — ‘DSInvokeSetupClient::invokeSetupClient()’ Try to connect to running instance of PulseSetupClient

Now I was getting the hang of things.

PulseApplicationLauncher.exe is going to call PulseSetupClient.exe, which will check the setup of all files on my laptop, for example checking whether the client and server versions are identical:

sSetupRequestHandler.cpp:147 — ‘DSSetupRequestHandler::init’ client version: 9.1.6.2223, server version: 9.1.6.2223

dsCompareVersion()’ Versions are identical

After this, PulseSetupClient.exe runs a version check on \PulseCompMgr.exe and confirms whether it is up to date.

DSSetupApplicationMgrManifest::updateCompMgr()’ PulseCompMgr.exe is up-to-date

Next it was looking for a white list file and found it under C:\Users\bhardwaj_v\AppData\Roaming\Pulse Secure\whitelist.txt. So far so good.

Next I can see HTTP requests going out and downloading a manifest file:

dsHttpImplWininet.cpp:120 — ‘DSHttpImplWinInet::httpSendRequest()’ Call HttpQueryInfo(HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER)

DSHttpImpl::downloadFile()’ Create Tempory File: C:\Users\bhardwaj_v\AppData\Local\Temp\preConfiguration_1.manifest

So the next logical step was to check if the manifest file was there, and to my disappointment it was right there.

At this point I was losing hope and was on the verge of giving up when I hit the jackpot:

00233,09 2020/12/14 17:26:05.209 3 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupComponent.cpp:422 — ‘DSSetupComponent::getAttribute()’ File not exists: C:\Program Files (x86)\Pulse Secure\Pulse\PulseSecureVersion.ini

00253,09 2020/12/14 17:26:05.209 3 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupComponent.cpp:268 — ‘DSSetupComponent::checkInstalledVersion()’ DisplayVersion not found in C:\Program Files (x86)\Pulse Secure\Pulse\PulseSecureVersion.ini

00188,09 2020/12/14 17:26:05.209 3 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupComponent.cpp:245 — ‘DSSetupComponent::checkVersion()’ Pulse Secure processed with code -54

00205,09 2020/12/14 17:26:05.209 1 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupApplicationMgr.cpp:454 — ‘DSSetupApplicationMgr::checkForUpdate()’ ERROR: comp->checkForUpdate() failed: -54

I immediately checked the folder and yes, the file was missing. Now I knew what the problem was, and the next question was how to fix it.

So this time, instead of using the same installer, I reached out to another colleague and asked for the installer, which he promptly shared. I ran the installer and launched the application, and to my joy a new window popped up showing that I was now connected to the VPN.
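
An added example, not part of the original post: a short Python triage script for debuglog.log that parses the line layout seen in the excerpts above and keeps only the failure messages, so the missing file surfaces without scrolling. The field names, the regular expression and the list of failure phrases are assumptions inferred from the quoted lines, not a documented Pulse Secure format.

```python
import re

# Layout inferred from the lines quoted in the post; field names are this example's own.
LINE = re.compile(
    r"^\d+,\d+\s+(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>[\d:.]+)\s+\d+\s+"
    r"(?P<user>\S+)\s+(?P<process>\S+)\s+(?P<component>\S+)\s+"
    r"p(?P<pid>\d+)\s+t(?P<tid>[0-9A-Fa-f]+)\s+(?P<src>\S+?):(?P<line>\d+)\s+"
    r"[-\u2014]\s+['\u2018](?P<func>.*?)['\u2019]\s+(?P<msg>.*)$"
)
# Failure phrases taken from the post's excerpt (ASSUMPTION: not an exhaustive list).
FAILURE = re.compile(r"ERROR:|File not exists:|not found in|processed with code -\d+")
MISSING = re.compile(r"File not exists:\s*(?P<path>.+)$")

# Lines from the post, with its typographic dash and quotes normalised to ASCII.
SAMPLE = r"""
00249,09 2020/12/14 17:26:04.717 1 bhardwaj_v PulseApplicationLauncher.exe PSAL p8608 t2A04 dsVerifyHelper.cpp:283 - 'DSVerifyHelper' File C:\Users\bhardwaj_v\AppData\Roaming\Pulse Secure\PSAL\PulseApplicationLauncher.exe is signed by trusted entity and CA
00233,09 2020/12/14 17:26:05.209 3 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupComponent.cpp:422 - 'DSSetupComponent::getAttribute()' File not exists: C:\Program Files (x86)\Pulse Secure\Pulse\PulseSecureVersion.ini
00253,09 2020/12/14 17:26:05.209 3 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupComponent.cpp:268 - 'DSSetupComponent::checkInstalledVersion()' DisplayVersion not found in C:\Program Files (x86)\Pulse Secure\Pulse\PulseSecureVersion.ini
00188,09 2020/12/14 17:26:05.209 3 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupComponent.cpp:245 - 'DSSetupComponent::checkVersion()' Pulse Secure processed with code -54
00205,09 2020/12/14 17:26:05.209 1 bhardwaj_v PulseSetupClient.exe PulseSetupClient p12240 t3160 dsSetupApplicationMgr.cpp:454 - 'DSSetupApplicationMgr::checkForUpdate()' ERROR: comp->checkForUpdate() failed: -54
"""

def parse(text):
    """Yield one dict per line that matches the inferred layout; skip the rest."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.groupdict()

def triage(text):
    """Return only the records whose message contains a failure phrase."""
    return [r for r in parse(text) if FAILURE.search(r["msg"])]

def missing_files(records):
    """Paths the client reported as absent, de-duplicated, in first-seen order."""
    seen = []
    for r in records:
        m = MISSING.search(r["msg"])
        if m and m["path"] not in seen:
            seen.append(m["path"])
    return seen

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for r in hits:
        print(f'{r["time"]} {r["process"]} pid={r["pid"]} {r["src"]}:{r["line"]} {r["msg"]}')
    print("missing:", missing_files(hits))
```

The pid field is the same number Process Monitor shows in its PID column (8608 for PulseApplicationLauncher.exe in the event above), which makes it easy to line the two sources up.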
