Sysinternals Suite
An overview of the Sysinternals utilities
You can, of course, visit the Windows Sysinternals page at https://technet.microsoft.com/sysinternals and use the alphabetical Utilities Index to cherry-pick just the tools you want. For a slightly more granular approach, try the six individual category lists: File And Disk, Networking, Process, Security, System Information, and Miscellaneous. But it’s much easier to download the entire Sysinternals Suite (https://technet.microsoft.com/sysinternals/bb842062) and unzip it to its own folder.

As a handy alternative that saves drive space and ensures you have the most up-to-date version of the tool you plan to use, use the Sysinternals Live service. You’ll find a full listing of all tools and support files at https://live.sysinternals.com, as shown in Figure 7-1. If you know the name of the tool you want to use, you can type its path into Windows Explorer or a command prompt as https://live.sysinternals.com/ or \\live.sysinternals.com\tools\. (Hint: Save your favorites as web shortcuts for fast access without a lot of typing.)

Figure 7-1: The Sysinternals Live service offers click-to-run access to the latest version of every tool in the
collection.
Some Sysinternals tools are fully fleshed-out programs with a distinctive graphical interface. Others
are intended to be run interactively at a command line or as part of a script.
Set up Sysinternals Suite to run from anywhere
Consider this tip a twofer. If you’ve downloaded the entire Sysinternals Suite, you’d probably like to
run its commands from anywhere: the Run dialog box, a Command Prompt window, the search box.
If you add the Sysinternals folder to the Path environment variable, you can do just that. Which
gives me a chance to show off the much-improved Windows 10 interface for editing this and other
environment variables.
To get started, type environment in the search box, and then, from the results list, click Edit The
System Environment Variables. In the Environmental Variables dialog box, click Environment
Variables, select Path, and then click Edit. That displays a dialog box like the one that follows. If you
ever tried to edit the Path variable in a previous Windows version, I hope you appreciate how much
simpler this dialog box is compared to its predecessors.

Because I extracted the files to a folder called SysinternalsSuite in the root of the C drive, all I had to
do was click New, browse to find that folder, and click to fill in its full path. Do the same using the
full path to wherever you saved the files, and then click OK twice to save your changes. You can
now type any Sysinternals command—Autoruns, for example—to start that tool without specifying
its full location.
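The same change can be scripted. The following is an added example, not code from the book: run from an elevated PowerShell prompt, it appends the Sysinternals folder to the persisted machine Path in the registry (keeping the value’s REG_EXPAND_SZ type, which a plain [Environment]::SetEnvironmentVariable call would convert to REG_SZ), skips the change if the folder is already listed, and refuses to touch Path at all if the folder does not actually contain the tools. C:\SysinternalsSuite is the folder used in the text; adjust $SysinternalsDir to wherever you extracted the files.

```powershell
# Added example (not from the book): put the Sysinternals folder on the machine Path.
# $SysinternalsDir is an assumption; point it at the folder you unzipped the suite into.
$SysinternalsDir = 'C:\SysinternalsSuite'

# Refuse to add a folder that does not hold the tools (typo protection for Path).
if (-not (Test-Path -LiteralPath (Join-Path $SysinternalsDir 'autoruns.exe'))) {
    throw "No Sysinternals tools found in $SysinternalsDir"
}

# The machine Path lives here; read it unexpanded so %SystemRoot% entries survive.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$machinePath = (Get-Item -Path $regPath).GetValue('Path', '', 'DoNotExpandEnvironmentNames')
$entries = $machinePath -split ';' | Where-Object { $_ -ne '' }

if ($entries -contains $SysinternalsDir) {
    Write-Host "Already on the machine Path: $SysinternalsDir"
} else {
    $newPath = ($entries + $SysinternalsDir) -join ';'
    # Writing under HKLM needs an elevated prompt; -Type ExpandString keeps REG_EXPAND_SZ.
    Set-ItemProperty -Path $regPath -Name 'Path' -Value $newPath -Type ExpandString
    Write-Host "Added $SysinternalsDir to the machine Path (new windows will pick it up)."
}

# Make the tools usable in this session as well, without waiting for a new window.
$env:Path = "$env:Path;$SysinternalsDir"
```

For a per-user change that needs no elevation, use HKCU:\Environment instead of the HKLM key; existing Command Prompt windows keep their old copy of Path either way.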
Not all of the options in the Sysinternals Suite are created equal. Some were clearly written for
another era and have little relevance in a world where you’re running the latest version of Windows on
the desktop with modern server versions on your network. In addition, some tools, although still
perfectly useful, have been superseded by built-in features. With the Desktops program, for example,
you can create up to four virtual desktops and assign hotkeys to each one. The addition of virtual
desktops as a built-in feature in Windows 10 makes the Sysinternals alternative far less necessary.
The best clue to help you figure which programs deserve an early look is the Date Created field. In File
Explorer, switch to list view, add the Date Created field, and then sort by that field. You’ll find some
date and time stamps in this list dating back to 1999, and many others that go back to 2006 or earlier.
By contrast, the most useful Sysinternals programs are updated regularly and appear at the top of the
list.
Autoruns
Over the years, Windows has steadily improved the ways it helps you manage which programs start
automatically when you turn on your system and sign in. The latest addition to the Windows toolset is
the Startup tab in Task Manager, which I describe in Chapter 5.
But that built-in tool doesn’t begin to compare to Autoruns, which legitimately bills itself as “the most
comprehensive autostart viewer and manager available for Windows.”
Unlike Task Manager, which limits its list to the most common locations, Autoruns shows you the full
list of places in the registry, in scheduled tasks, and anywhere else where applications can configure
themselves to run automatically, without your approval or interaction. Using Task Manager, you can
temporarily turn off any entry listed on the Startup tab. Autoruns also makes it possible for you to
delete that entry permanently, without having to muck around in the registry.
Sometimes—maybe even most of the time—these entries represent useful things, including tasks that
check for security updates and perform essential synchronization tasks. But some entries are just
resource hogs that run at startup so a third-party program can appear to load a few milliseconds
faster.
Figure 7-2 shows the contents of the Everything tab, which pulls those many sources together into a
display whose contents might qualify as overwhelming.

Figure 7-2: The Everything tab shows every file, driver, service, scheduled task, and other items configured to
start automatically, either when you turn on the device or when you sign in.
Each row includes the name of the autostart entry, the Description and Publisher fields for executable
files and DLLs, the path to the file that runs when the item starts, and an icon for that file. Clear the
check box to the left of any item to temporarily turn off the entry. The pane at the bottom displays
details about the current selection, including its full command line.
What do the Autoruns color codes mean?
The color coding in Autoruns listings might baffle you at first, especially because they don’t appear
to be documented anywhere. Each heading, which identifies a location under which autostart
entries are stored, is shaded a light purple. The currently selected row is highlighted in dark blue.
Rows highlighted in red are associated with files for which the Description and Publisher fields are
blank; yellow shading means that the autostart entry points to a file that can’t be found.
If you’re certain that a yellow row is only there because a program didn’t clean up properly after
itself, you can delete it by using Autoruns. For rows that are red, you can select the row, right-click
the entry, and then, on the shortcut menu, choose Verify Image. If the code-signing certificate from
the file’s digital signature is trusted by a root certificate authority on the computer, the text in the
Publisher column changes to “(Verified)” followed by the publisher name from the code-signing
certificate. If the file is unsigned or the verification fails for any other reason, the text changes to
“(Not verified).”
As I mentioned earlier, the Autoruns list can be overwhelming. One way to reduce the noise level is to
click the Options menu and select Hide Microsoft Entries, as shown in Figure 7-3. This option makes it
easier to spot potentially problematic third-party programs, including malware.

Figure 7-3: When searching for a potentially problematic third-party program, use this option to hide Microsoft
entries and reduce the number of entries you have to scan.
Right-click any entry on any tab in Autoruns to see a list of options for that item, as shown in
Figure 7-4. Jump To Entry, for example, takes you to the folder or registry key where the item is
located; Jump To Image opens File Explorer and selects the file that is set to start automatically.

Figure 7-4: If you see an unfamiliar entry in the Autoruns list, right-click to see these options and investigate it
further.
Several options in this list require administrative privileges, including the option to delete an entry
from the registry. If you started Autoruns without elevating, you’ll see an Access Denied dialog box,
like the one shown in the image that follows. Click Run As Administrator to restart Autoruns and try
again.

In general, the most prudent way to troubleshoot with Autoruns is to turn off an item by clearing the
check box to its left. After you’re satisfied that making that change has no long-term negative side
effects, you can delete it permanently.
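Autoruns has a console twin, Autorunsc, that writes the same inventory to standard output, which makes the checks the GUI expresses as colour codes scriptable. The following is an added example, not code from the book or from the Sysinternals project: it captures every autostart entry to CSV with Microsoft entries hidden (the Hide Microsoft Entries option), flags entries without a verified signer (the red rows) and entries whose file is missing (the yellow rows), and compares the capture with a baseline taken when the machine was known-good so that new autostart entries stand out. It assumes autorunsc.exe is on the Path, that the baseline lives at C:\Baselines\autoruns-baseline.csv, and that the CSV column names (Entry, Entry Location, Signer, Image Path, Launch String, SHA-256) match the version you run; check them with Import-Csv file.csv | Get-Member if in doubt.

```powershell
# Added example (not from the book): script the Autoruns checks with autorunsc.exe.
# Paths below are assumptions; the CSV column names are those produced by recent
# Autorunsc versions and should be confirmed against your copy.
$Baseline = 'C:\Baselines\autoruns-baseline.csv'
$Current  = Join-Path $env:TEMP 'autoruns-current.csv'

# -a *  all entry types   -c  CSV output      -h  file hashes
# -s    verify signatures -m  hide Microsoft entries (Options > Hide Microsoft Entries)
# The redirect goes through cmd so the bytes land in the file exactly as written;
# Import-Csv detects the byte-order mark, so UTF-16 and ANSI output both read back.
$cmdLine = "autorunsc.exe -accepteula -nobanner -a * -c -h -s -m > `"$Current`""
cmd.exe /c $cmdLine

$entries = Import-Csv -Path $Current

# Red rows in the GUI: the signer is not "(Verified) <publisher>".
$unverified = @($entries | Where-Object {
    $_.'Image Path' -ne '' -and $_.Signer -notlike '(Verified)*'
})

# Yellow rows in the GUI: the launch string points at a file that no longer exists.
$missing = @($entries | Where-Object { $_.'Image Path' -like 'File not found:*' })

Write-Host "Entries without a verified signer: $($unverified.Count)"
$unverified | Select-Object Entry, 'Entry Location', 'Image Path', Signer, 'SHA-256' |
    Format-Table -AutoSize

Write-Host "Entries whose file is missing: $($missing.Count)"
$missing | Select-Object Entry, 'Entry Location', 'Launch String' | Format-Table -AutoSize

# Diff against the known-good baseline: anything only on the current side is new.
if (Test-Path -LiteralPath $Baseline) {
    $old = Import-Csv -Path $Baseline
    $new = @(Compare-Object -ReferenceObject $old -DifferenceObject $entries `
                            -Property 'Entry Location', Entry, 'Launch String' |
             Where-Object SideIndicator -eq '=>')
    Write-Host "Autostart entries added since the baseline: $($new.Count)"
    $new | Select-Object 'Entry Location', Entry, 'Launch String' | Format-Table -AutoSize
} else {
    # First run on this machine: keep the capture as the baseline for next time.
    New-Item -ItemType Directory -Path (Split-Path $Baseline) -Force | Out-Null
    Copy-Item -LiteralPath $Current -Destination $Baseline
}
```

Run it elevated so that Autorunsc can read every location the GUI shows; the SHA-256 column is the value to look up on VirusTotal for any entry you cannot account for.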
Process Explorer
When you want to know exactly what’s happening on your PC right now, Process Explorer should be
your first stop. At its heart, Process Explorer is a more complex version of the Windows 10 Task
Manager, displaying real-time information about running processes, including which account owns a
specific process; what files, registry keys, and other objects the process has open; and which DLLs the
process has loaded. Process Explorer also provides a snapshot of system performance and resource
usage.
Replace Task Manager
You say you prefer the more information-dense Process Explorer display to the clean but sparse
Task Manager display? There’s a setting for that. Specifically, in Process Explorer, click the Options
menu and then select Replace Task Manager (you’ll need to provide administrator’s credentials to
make this change). With this setting selected, pressing Ctrl+Shift+Esc opens the Sysinternals tool
instead of the Windows Task Manager.
As the example in Figure 7-5 makes clear, Process Explorer is extremely active. It uses color coding to
identify each process by type and uses animation to call attention to processes as they start and end.

Figure 7-5: The default Process Explorer view groups processes by parent-child relationships and uses color
coding to identify different types of processes.
You can customize Process Explorer’s color coding by clicking Options and then selecting Configure
Colors. The default settings are as follows:
Green indicates new objects, and deep red highlights deleted objects. Both of these colors appear
only briefly as processes start and end.
Light blue identifies “own processes,” which run under the same account that was used to start
Process Explorer. Note that these processes might be running in a different security context than
the user account under which they were started.
Pink rows highlight processes that contain one or more Windows services. When you point to one
of these rows, a screen tip appears, showing the names of individual services running in that
process, which can be useful for determining what an instance of Svchost.exe is responsible for.
Violet (or very deep purple) indicates a “packed” (encrypted or compressed) executable program.
This might indicate potential malware, especially if associated with an unknown process.
Turquoise indicates immersive processes, which are associated with Windows Store apps.
Dark gray identifies a suspended process. Typically these are Windows Store apps that you
previously opened but are no longer using. Some Windows Store apps are specifically written to
continue running in the background. Groove Music, for example, will keep playing tunes even if
you switch the focus to another program.
You can identify Windows jobs and .NET processes by their color coding, although these attributes are
not displayed under default settings.
Tiny graphs along the top of the Process Explorer window display system information in real time. To
see all performance charts in a single window, press Ctrl+I (as in Information) or, on the menu bar,
click View and then select System Information. Figure 7-6 shows this display in action.

Figure 7-6: The System Information window shows real-time performance graphs for the current system, with
screen tips that provide details when you point at a particular spot.
Note If you don’t see all of the charts in Figure 7-6, restart Process Explorer as an administrator.
Each of the individual tabs—CPU, Memory, I/O, and GPU—contains additional details about that
particular batch of resources. The GPU tab in particular adds details that you won’t find on the
Performance tab in Task Manager.
The real power of Process Explorer becomes apparent when you right-click an individual process to
reveal the menu of available options, as shown in the image that follows. I describe these in more
detail in the remainder of this section.


The first place to look, especially when you want to find out exactly what a process is, is the properties
dialog box, which shows significantly more information than you’ll find in its File Explorer counterpart.
Figure 7-7, for example, shows the Image tab for the file OneDrive.exe.
Figure 7-7: Details available for a running process include version information and whether it starts
automatically.
From that properties dialog box or from the process list itself, you can submit the hash for a file to the
VirusTotal service to find out whether that hash has been identified as possible malware by any of the
50-plus antivirus engines that VirusTotal monitors.
The lower pane of the Process Explorer window is normally hidden. You can make it visible by using
the keyboard shortcut Ctrl+L (or, on the View menu, choose Show Lower Pane). This pane shows one
of two views for the current process: DLLs or handles. You can switch between the two views by using
the keyboard shortcuts Ctrl+D and Ctrl+H, respectively. Figure 7-8 shows the lower pane in DLLs view.
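The parent-child tree, the owning account, and the services hosted inside each process are the parts of the Process Explorer display you most often need when the GUI is not available (a remote session, or a script that has to run unattended). The following is an added example, not code from the book or from Sysinternals: it rebuilds that view from CIM data in PowerShell. It also reproduces one detail Process Explorer gets right and naive scripts get wrong: a process records only its parent’s PID, and if the parent has exited and the PID has since been reused, the child would be drawn under an unrelated process; comparing start times catches that case and treats such a process as a root. The owner lookup and the service list need an elevated prompt to be complete.

```powershell
# Added example (not from the book): a Process Explorer-style tree from Win32_Process,
# with the owning account and the services each process hosts (the "pink row" detail).
$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[string]$p.ProcessId] = $p }

# Service names keyed by the PID that hosts them (PID 0 means the service is stopped).
$svcByPid = @{}
Get-CimInstance -ClassName Win32_Service | Where-Object ProcessId -gt 0 | ForEach-Object {
    $k = [string]$_.ProcessId
    if (-not $svcByPid.ContainsKey($k)) { $svcByPid[$k] = @() }
    $svcByPid[$k] += $_.Name
}

function Get-RealParentId($p) {
    # ParentProcessId may point at a PID that was reused after the real parent exited.
    # A "parent" that started after its child cannot be the real one; treat as a root.
    $parent = $byId[[string]$p.ParentProcessId]
    if ($null -eq $parent -or $parent.ProcessId -eq $p.ProcessId) { return $null }
    if ($parent.CreationDate -and $p.CreationDate -and
        $parent.CreationDate -gt $p.CreationDate) { return $null }
    return $parent.ProcessId
}

$children = @{}
$roots = New-Object System.Collections.Generic.List[object]
foreach ($p in $procs) {
    $pp = Get-RealParentId $p
    if ($null -eq $pp) { $roots.Add($p); continue }
    $key = [string]$pp
    if (-not $children.ContainsKey($key)) {
        $children[$key] = New-Object System.Collections.Generic.List[object]
    }
    $children[$key].Add($p)
}

function Show-Process($p, [int]$depth) {
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $who   = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(system)' }
    $svcs  = $svcByPid[[string]$p.ProcessId]
    $svcText = if ($svcs) { ' [services: ' + ($svcs -join ', ') + ']' } else { '' }
    '{0}{1} (PID {2}) {3}{4}' -f ('  ' * $depth), $p.Name, $p.ProcessId, $who, $svcText
    $kids = $children[[string]$p.ProcessId]
    if ($kids) {
        foreach ($c in ($kids | Sort-Object ProcessId)) { Show-Process $c ($depth + 1) }
    }
}

foreach ($r in ($roots | Sort-Object ProcessId)) { Show-Process $r 0 }
```

Read the output the way you read the Process Explorer tree: an svchost.exe whose service list is empty, or a process whose parent is not the one you expect for that executable, is the row to open in the GUI and verify.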

Process Monitor
The last of the three Sysinternals superstars is Process Monitor, also known as Procmon. When
running, it keeps track of all activity involving the file system, the registry, the network, processes,
threads, and DLLs, in real time.
A Procmon trace can collect an enormous amount of activity—millions of distinct operations in a
matter of seconds—which you can then filter to eliminate noise and zero in on the potential cause of
a problem. Because you can save Procmon traces in log files, it’s relatively easy to capture activity on a
system that’s acting up and then analyze the captured data on another system.
To get a sense of the level of detail captured by Procmon, see the listing in Figure 7-9, which
represents system activity for a period measured in a small fraction of a second.

Figure 7-9: Process Monitor records every event from every process running during a trace, which can result in
millions of discrete events, as shown in the status bar.
Although Procmon collects everything it observes, the default settings include a filter that hides raw
details from the file system and from Procmon itself. You can fine-tune the filter on the fly by
right-clicking a specific entry in a specific column and then, on the shortcut menu, choosing from among
the options.
In Figure 7-10, for example, I right-clicked Runtimebroker.exe in the Process Name column. I can now
choose to include that process in the current filter, effectively displaying only entries from that
process, or exclude it so that matching results are hidden. I can also choose to highlight matching
entries without hiding those that don’t match.

Look at the status bar along the bottom of the Procmon window to see whether a filter has been
applied to the captured data and, if so, how much of an impact it has had. In Figure 7-11, for example,
the filtered list shows fewer than 1 in 1000 events, making it possible to scroll through the data—or
filter it further—in search of patterns or clues.

You can also create or modify a filter by using the Process Monitor Filter dialog box, which offers a
point-and-click convenience, as demonstrated in Figure 7-12. To access the Process Monitor Filter
dialog box, on the menu bar, click Filter. You can set conditions that define which events to include or
exclude and then click Add, or select an existing filter and click Remove. Click Apply to see the effect
of the new filter immediately.
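The capture-here, analyze-elsewhere workflow described above can be run without touching the GUI on the machine that is acting up. The following is an added example, not code from the book or from Sysinternals: it starts Procmon minimized with a backing file, stops it after a fixed interval, converts the saved .pml to CSV on the analysis system, and then does in PowerShell what the Include and Exclude shortcut-menu options do in the GUI, starting from the failures (NAME NOT FOUND, PATH NOT FOUND, ACCESS DENIED) that are the usual first clue. It assumes procmon.exe is on the Path, that C:\Traces is writable, and that the CSV header names (Time of Day, Process Name, Operation, Path, Result) match your Procmon version; the Procmon switches used (/AcceptEula, /Quiet, /Minimized, /BackingFile, /Terminate, /OpenLog, /SaveAs) are the documented command-line options.

```powershell
# Added example (not from the book): unattended Procmon capture and offline analysis.
# $Trace is an assumed path; keep it free of spaces to simplify the quoting below.
$Trace = 'C:\Traces\capture.pml'
New-Item -ItemType Directory -Path (Split-Path $Trace) -Force | Out-Null

# --- On the system that is acting up: record for 60 seconds into a backing file. ---
Start-Process -FilePath 'procmon.exe' `
    -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Trace`""
Start-Sleep -Seconds 60
# /Terminate stops the running capture instance and flushes the backing file.
Start-Process -FilePath 'procmon.exe' -ArgumentList '/Terminate' -Wait

# --- On the analysis system: convert the trace to CSV without opening the GUI. ---
$Csv = [IO.Path]::ChangeExtension($Trace, '.csv')
Start-Process -FilePath 'procmon.exe' `
    -ArgumentList '/AcceptEula', '/OpenLog', "`"$Trace`"", '/SaveAs', "`"$Csv`"" -Wait

$events = Import-Csv -Path $Csv
Write-Host ("Events in trace: {0}" -f $events.Count)

# Keep only failed operations; the status bar shows how much such a filter removes.
$failures = $events | Where-Object {
    $_.Result -in 'NAME NOT FOUND', 'PATH NOT FOUND', 'ACCESS DENIED'
}
Write-Host ("Failures: {0}" -f @($failures).Count)

# Which process fails most, and how: the Procmon equivalent of right-click > Include
# on a Process Name, summarised per Result.
$failures | Group-Object 'Process Name', Result | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize

# Drill into one process, as Include on its Process Name would in the GUI.
# RuntimeBroker.exe is the process used in the chapter's figure; substitute your own.
$failures | Where-Object { $_.'Process Name' -eq 'RuntimeBroker.exe' } |
    Select-Object 'Time of Day', Operation, Path, Result -First 20 |
    Format-Table -AutoSize
```

A saved .pml can be reopened in the Procmon GUI on the analysis machine if you need the stack or the Detail column for a single event; the CSV is for the first pass over millions of rows.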

More Sysinternals tools
This chapter doesn’t have enough pages to do justice to the “other” programs in the Sysinternals tools
collection. So, consider this section a bit of a sampler, offering hints that might encourage you to
poke around for your own enlightenment.
PsTools
The PsTools group includes command-line utilities for working with processes running on local or
remote computers, running processes remotely, rebooting computers, and dumping event logs,
among other tasks. Each of the commands begins, naturally, with the letters Ps. (The name is derived
from the Ps utility, which is short for “process status” and provides similar capabilities on UNIX
systems.)
Because of changes in network authentication, remote access is most effective on domain-joined
systems and unlikely to be worth the trouble on simple workgroups. Most of the tools require
administrative rights, as well. The following list provides a terse description of the capabilities of the
PsTools commands.
PsExec Runs processes with limited-user rights
PsFile Lists files that are opened remotely
PsGetSid Displays the SID of a computer or a user
PsInfo Obtains information about a system
PsKill Terminates local or remote processes
PsList Shows information about processes and threads
PsLoggedOn Shows users signed in to a system
PsLogList Dumps event log records
PsPasswd Gives administrators the ability to change passwords for user accounts
PsPing Measures network performance
PsService Views and controls services
PsShutdown Shuts down, logs off, or changes the power state of a system
PsSuspend Suspends and resumes processes
BgInfo
If you’ve configured a bunch of virtual machines (VMs) for testing purposes and you’re having trouble
telling them apart, this small but useful program can help. It automatically generates desktop
backgrounds that include details about the system, including its IP address, computer name, domain
name, and more.
Figure 7-13 shows the basic configuration for one of these backgrounds. Figure 7-14 shows the
resulting text as it appears on the desktop background.

Figure 7-13: Using the BGInfo program, you can automatically display information about the current system on
its desktop background, making it easier to identify a remote desktop connection or a running VM.

Active Directory Explorer
If you work as an administrator in a Windows domain, Active Directory Explorer offers an advanced
viewer and editor for working with directory services, including an Active Directory database or Active
Directory Lightweight Directory Services.
Like other, similar management tools, it uses a two-pane design, with the Active Directory object tree
on the left and attributes for the current selection on the right, as in the example in Figure 7-15. To
begin, connect to a directory using administrative credentials; you can view, edit, add, and remove
items, and the tool also supports search functionality.

Figure 7-15: You might prefer this lightweight Active Directory management tool over the official alternative
included with Windows Server editions.
TCPView
Windows includes several built-in command-line tools, most notably Netstat, for viewing the status of
network connections. TCPView is significantly easier to use and gives you details about TCP and UDP
connections between local ports and remote addresses. Figure 7-16 shows this tool in action. Note
that by pointing to a connection, you can see full details in a screen tip.
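When the GUI is not an option, the same listing can be produced in PowerShell. The following is an added example, not code from the book or from Sysinternals: it joins the NetTCPIP cmdlets (Get-NetTCPConnection and Get-NetUDPEndpoint, available on Windows 8 and later) with the process list so that every local port and remote address is tied to the executable that owns it, the way TCPView shows it, and then pulls out the listening sockets bound to something other than the loopback address, which are the ones worth being able to name. Nothing here is assumed beyond the built-in cmdlets; the process name shown is taken from Get-Process and falls back to the bare PID for processes that are not accessible.

```powershell
# Added example (not from the book): a TCPView-style endpoint listing in PowerShell.
$procName = @{}
Get-Process | ForEach-Object { $procName[[int]$_.Id] = $_.ProcessName }

function Resolve-ProcName([int]$ProcessId) {
    if ($procName.ContainsKey($ProcessId)) { $procName[$ProcessId] } else { "pid:$ProcessId" }
}

$tcp = @(Get-NetTCPConnection | ForEach-Object {
    [pscustomobject]@{
        Proto   = 'TCP'
        Process = Resolve-ProcName ([int]$_.OwningProcess)
        PID     = [int]$_.OwningProcess
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = [string]$_.State
    }
})

$udp = @(Get-NetUDPEndpoint | ForEach-Object {
    [pscustomobject]@{
        Proto   = 'UDP'
        Process = Resolve-ProcName ([int]$_.OwningProcess)
        PID     = [int]$_.OwningProcess
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = '*:*'
        State   = ''
    }
})

# The full table, grouped by process like TCPView's default sort.
$tcp + $udp | Sort-Object Process, Proto, Local | Format-Table -AutoSize

# Listeners reachable from the network (anything not bound to 127.x or ::1).
Write-Host 'TCP listeners not bound to loopback:'
$tcp | Where-Object { $_.State -eq 'Listen' -and $_.Local -notmatch '^(127\.|::1:)' } |
    Sort-Object Process | Format-Table Process, PID, Local -AutoSize
```

Run it elevated to resolve the owner of every socket; as in TCPView, a listener you cannot match to a program you installed is the one to investigate next.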

Disk2vhd

Although its function might seem esoteric, Disk2vhd serves a genuine need, making it relatively easy
to move a physical system into a VM. That’s especially handy for virtualizing the workload of a server
so that it can run in Hyper-V instead of on physical hardware.
And more…
Still curious? Here are a few remaining Sysinternals tools that you might find useful.
AccessEnum and ShareEnum are security tools that show who has access to directories, files,
registry keys, and file shares on your systems. They’re useful for spotting misconfigurations that
could allow an attacker in.
DiskView provides a graphical look at how drive space is being used on a given storage device.
Whois gives you a way to enter a domain name and see who is listed as the owner of that
address.
Autologon makes it possible for you to automatically enter saved credentials at startup, skipping
the sign-in screen. It should, of course, only be used in physically secure environments.
Zoomit is used by elite presenters at Microsoft to zoom in to a portion of the demo screen so that
the audience can get a good look at it. You also can use it to write on a presentation screen.
And no chapter covering Sysinternals would be complete without a mention of the infamous
Bluescreen Screen Saver, which is not included with the Sysinternals Suite; you must download it
separately. As the name suggests, it mimics a STOP error (aka Blue Screen of Death) as part of a
normal screen saver. If you’re tempted to install it on a colleague’s workstation as a prank, be
prepared to pay the price later.
Published @ May 4, 2022 4:27 am