Error messages are a fact of life for PC users. Usually it's a straightforward process to troubleshoot where an error message came from, then continue to investigate why the error occurred. But sometimes it may be a complete mystery where an error came from, be it a message dialog box or a global log entry such as an event log error. This scenario is more common for system administrators who experience errors on unattended servers and only notice the message hours or even days later. In this article, I'll demonstrate two Windows Sysinternals tools that can help you locate the source of such errors. We'll walk through two examples, a message dialog box and an event log entry.
Message Dialog Boxes
For the first example scenario, locating the owner of an error message's dialog box, we can use Process Explorer. Process Explorer includes a tool that lets you find a Windows process. In the Process Explorer toolbar, this tool is represented by the crosshair icon, as Figure 1 shows.

To use this tool, left-click and hold the mouse down, drag the crosshair icon onto the dialog message (Figure 2A), and release the mouse button.

Doing so will highlight the process that owns the error dialog, as Figure 2B shows.

Here we'll use a very simple example of an error opening a nonexistent file in Notepad. In this case, it's obvious where the error message came from and why. However, if this dialog box were to suddenly appear (from a system service, for example), the source would not be at all obvious based on the dialog's text.
Furthermore, in many cases you'll be able to use Process Explorer to examine the thread stacks of this process instance to locate the origin of the message box, as Figure 3 shows.

There may be other function names in the thread's call stack that will provide useful information.
Event Log Error Message
In this example, we'll be searching program files for an arbitrary string taken from an event log entry. We can do this in a very primitive way using the Sysinternals strings.exe tool; however, let's use a trick or two to optimize the search. After all, searching every single file on a system drive would be time-consuming and use a lot of unnecessary resources.
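The following Python sketch is an added example, not code from the article or from Sysinternals. It searches a directory tree for an event log string in both ASCII and UTF-16LE form, since Windows binaries commonly store message text as UTF-16LE and a plain ASCII search would miss it. Restricting the scan to the extensions in IMAGE_EXTENSIONS is this example's own assumption for narrowing the search, and the file names and message text in demo() are constructed.

```python
import os
import tempfile

# Assumption of this example: only file types that normally carry message text.
IMAGE_EXTENSIONS = {".exe", ".dll", ".sys", ".mui"}

def encodings_of(text):
    """Byte patterns for the two string encodings to look for (ASCII text only)."""
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}

def find_string(root, text, extensions=IMAGE_EXTENSIONS):
    """Return sorted (path, encoding, offset) hits for text under root."""
    patterns = encodings_of(text)
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue  # skip data files, logs, documents, and so on
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            for label, needle in patterns.items():
                offset = data.find(needle)
                if offset != -1:
                    hits.append((path, label, offset))
    return sorted(hits)

def demo():
    """Build a constructed tree and search it; no real system files are read."""
    message = "The backup job failed"  # constructed event log text
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "agent.exe": b"MZ\x00\x00" + message.encode("ascii") + b"\x00",
            "agentres.dll": b"MZ\x00\x00" + message.encode("utf-16-le") + b"\x00\x00",
            "readme.txt": message.encode("ascii"),         # skipped: extension
            "other.dll": b"MZ\x00\x00unrelated text\x00",  # scanned, no match
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        found = find_string(root, message)
        return [(os.path.basename(p), enc, off) for p, enc, off in found]

if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

To search a real installation, call find_string() with the program's directory and the exact text from the event log entry.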