Sysinternals Suite - User Manual
Sysinternals Suite - User Manual
Sysinternals
Article • 07/26/2023
The Sysinternals web site was created in 1996 by Mark Russinovich to host his
advanced system utilities and technical information. Whether you’re an IT Pro or a
developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and
diagnose your Windows and Linux systems and applications.
Read the official guide to the Sysinternals tools, Troubleshooting with the Windows
Sysinternals Tools
Read the Sysinternals Blog for a detailed change feed of tool updates
Watch Mark's Sysinternals Update videos on YouTube
Watch Mark’s top-rated Case-of-the-Unexplained troubleshooting presentations
and other webcasts
Read Mark’s Blog which highlight use of the tools to solve real problems
Check out the Sysinternals Learning Resources page
Post your questions in the Sysinternals Forum
Sysinternals Live
Sysinternals Live is a service that enables you to execute Sysinternals tools directly from
the Web without hunting for and manually downloading them. Simply enter a tool's
Sysinternals Live path into Windows Explorer or a command prompt as
live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.
You can view the entire Sysinternals Live tools directory in a browser at
https://live.sysinternals.com/ .
What's New
Sysinternals Suite
AccessChk
AccessEnum
This simple yet powerful security tool shows you who has what access to
directories,
files and Registry keys on your systems. Use it to find
holes in your permissions.
AdExplorer
AdInsight
AdRestore
Autologon
BgInfo
BlueScreen
This screen saver not only accurately simulates Blue Screens, but
simulated reboots as
well (complete with CHKDSK), and works on Windows
NT 4, Windows 2000, Windows
XP, Server 2003 and Windows 95 and 98.
CacheSet
ClockRes
View the resolution of the system clock, which is also the maximum timer
resolution.
Contig
Wish you could quickly defragment your frequently used files? Use Contig
to optimize
individual files, or to create new files that are
contiguous.
Coreinfo
Ctrl2cap
DebugView
Desktops
This new utility enables you to create up to four virtual desktops and
to use a tray
interface or hotkeys to preview what’s on each desktop and
easily switch between them.
Disk2vhd
DiskExt
Diskmon
This utility captures all hard disk activity or acts like a software
disk activity light in your
system tray.
DiskView
EFSDump
FindLinks
FindLinks reports the file index and any hard links (alternate file
paths on the same
volume.md) that exist for the specified file. A file's
data remains allocated so long as at
it has at least one file name
referencing it.
Handle
This handy command-line utility will show you what files are open by
which processes,
and much more.
Hex2dec
Junction
LDMDump
Dump the contents of the Logical Disk Manager's on-disk database, which
describes the
partitioning of Windows 2000 Dynamic disks.
ListDLLs
List all the DLLs that are currently loaded, including where they are
loaded and their
version numbers.
LiveKd
LoadOrder
See the order in which devices are loaded on your WinNT/2K system.
LogonSessions
MoveFile
Allows you to schedule move and delete commands for the next reboot.
NotMyFault
Notmyfault is a tool that you can use to crash, hang, and cause kernel
memory leaks on
your Windows system.
NTFSInfo
PendMoves
Enumerate the list of file rename and delete commands that will be
executed the next
boot.
PipeList
Displays the named pipes on your system, including the number of maximum
instances
and active instances for each pipe.
PortMon
Monitor serial and parallel port activity with this advanced monitoring
tool. It knows
about all standard serial and parallel IOCTLs and even
shows you a portion of the data
being sent and received. Version 3.x has
powerful new UI enhancements and advanced
filtering capabilities.
ProcDump
Process Explorer
Find out what files, registry keys and other objects processes have
open, which DLLs
they have loaded, and more. This uniquely powerful
utility will even show you who owns
each process.
Process Monitor
PsFile
PsGetSid
PsInfo
PsKill
PsPing
PsList
PsLoggedOn
PsLogList
PsPasswd
PsService
PsSuspend
PsTools
RAMMap
RDCMan
RegDelNull
Scan for and delete Registry keys that contain embedded null-characters
that are
otherwise undeleteable by standard Registry-editing tools.
View the registry space usage for the specified registry key.
RegJump
SDelete
Securely overwrite your sensitive files and cleanse your free space of
previously deleted
files using this DoD-compliant secure delete program.
ShareEnum
Scan file shares on your network and view their security settings to
close security holes.
ShellRunas
Sigcheck
Dump file version information and verify that images on your system are
digitally
signed.
Streams
Strings
Sync
Sysmon
Monitors and reports key system activity via the Windows event log.
TCPView
VMMap
VolumeId
Whois
WinObj
AccessChk
This tool shows you the accesses the user or group you specify has
to files, Registry keys
or Windows services.
AccessEnum
This simple yet powerful security tool shows you who has what access
to directories,
files and Registry keys on your systems. Use it to
find holes in your permissions.
CacheSet
Contig
Wish you could quickly defragment your frequently used files? Use
Contig to optimize
individual files, or to create new files that are
contiguous.
Disk2vhd
DiskExt
DiskMon
This utility captures all hard disk activity or acts like a software
disk activity light in your
system tray.
DiskView
EFSDump
FindLinks
FindLinks reports the file index and any hard links (alternate file
paths on the same
volume) that exist for the specified file. A
file's data remains allocated so long as at it
has at least one file
name referencing it.
Junction
LDMDump
MoveFile
Schedule file rename and delete commands for the next reboot. This
can be useful for
cleaning stubborn or in-use malware files.
NTFSInfo
PendMoves
See what files are scheduled for delete or rename the next time the
system boots.
Process Monitor
PsFile
PsTools
SDelete
Securely overwrite your sensitive files and cleanse your free space
of previously deleted
files using this DoD-compliant secure delete
program.
ShareEnum
Scan file shares on your network and view their security settings to
close security holes.
Sigcheck
Dump file version information and verify that images on your system
are digitally
signed.
Streams
VolumeID
By Mark Russinovich
Introduction
As a part of ensuring that they've created a secure environment Windows
administrators
often need to know what kind of accesses specific users
or groups have to resources
including files, directories, Registry keys,
global objects and Windows services.
AccessChk quickly answers these
questions with an intuitive interface and output.
Installation
AccessChk is a console program. Copy AccessChk onto your executable
path. Typing
"accesschk" displays its usage syntax.
Using AccessChk
Usage:
Parameter Description
-a Name is a Windows account right. Specify "*" as the name to show all rights
assigned to a user. Note that when you specify a specific right, only groups and
accounts directly assigned to the right are displayed.
-c Name is a Windows Service, e.g. ssdpsrv . Specify "*" as the name to show all
services and scmanager to check the security of the Service Control Manager.
Parameter Description
-e Only show explicitly set-Integrity Levels (Windows Vista and higher only)
-h Name is a file or printer share. Specify "*" as the name to show all shares.
-i Ignore objects with only inherited ACEs when dumping full access control lists.
-o Name is an object in the Object Manager namespace (default is root). To view the
contents of a directory, specify the name with a trailing backslash or add -s . Add -t
and an object type (e.g. section) to see only objects of a specific type.
-p Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all
processes). Add -f to show full process token information, including groups and
privileges. Add -t to show threads.
-q Omit Banner
-s Recurse
-u Suppress errors
If you specify a user or group name and path, AccessChk will report the
effective
permissions for that account; otherwise it will show the
effective access for accounts
referenced in the security descriptor.
By default, the path name is interpreted as a file system path (use the
"\pipe\" prefix to
specify a named pipe path). For each object,
AccessChk prints R if the account has read
access, W for write access,
and nothing if it has neither. The -v switch has AccessChk
dump the
specific accesses granted to an account.
Examples
The following command reports the accesses that the Power Users account
has to files
and directories in \Windows\System32 :
This command shows which Windows services members of the Users group
have write
access to:
accesschk -k hklm\software
accesschk -e -s c:\users\mark
By Mark Russinovich
Introduction
While the flexible security model employed by Windows NT-based systems allows full
control over security and file permissions, managing permissions so that users have
appropriate access to files, directories and Registry keys can be difficult. There's no built-
in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives
you a full view of your file system and Registry security settings in seconds, making it
the ideal tool for helping you find security holes and lock down permissions where
necessary.
How It Works
AccessEnum uses standard Windows security APIs to populate its listview with read, write
and deny access information.
By Mark Russinovich
Introduction
CacheSet is an applet that allows you to manipulate the working-set
parameters of the
system file cache. Unlike CacheMan, CacheSet runs on
all versions of NT and will work
without modifications on new Service
Pack releases. In addition to providing you the
ability to control the
minimum and maximum working set sizes, it also allows you to
reset the
Cache's working set, forcing it to grow as necessary from a minimal
starting
point. Also unlike CacheMan, changes made with CacheSet have
an immediate effect on
the size of the Cache.
Use CacheSet to performance tune the system Cache size in a way not
possible without
tweaking internal variables the way CacheMan does.
Note: To use CacheSet on NT 4.0 Service Pack 4 and later you must have
the "Increase
Quota" privilege (administrator accounts have this
privilege by default). CacheSet has
been updated to enable this
privilege so that it works on SP4.
You may notice that the Cache's size changes immediately and then
proceeds to shrink
or grow quickly. This is because the system
automatically trims working sets once a
second. The Cache pages that are
released are still in memory, but can be relinquished
quickly for use by
other programs that need more memory. Similarly, the Cache can
eaily
regain pages as applications access file system data.
How It Works
CacheSet uses a NtQuerySystemInformation call to obtain
information about the
Cache's settings and NtSetSystemInformation to
set new sizing information. The
working-set information for a process
serves as guidelines for NT's Memory Manager
regarding how many pages of
physical memory should be assigned to the application.
Because they are
guidelines, conditions can result such that the Memory Manager grows
a
working-set to a size greater than the maximum, or shrinks it to less
than the
minimum. However, the settings are factors that will affect the
overall allocation, and
hence responsiveness, of an application. In the
case of CacheSet the application is the
file system Cache.
Runs on:
By Mark Russinovich
Introduction
There are a number of NT disk defraggers on the market, including
Winternals Defrag
Manager. These tools are useful for performing a
general defragmentation of disks, but
while most files are defragmented
on drives processed by these utilities, some files may
not be. In
addition, it is difficult to ensure that particular files that are
frequently used
are defragmented - they may remain fragmented for
reasons that are specific to the
defragmentation algorithms used by the
defragging product that has been applied.
Finally, even if all files
have been defragmented, subsequent changes to critical files
could cause
them to become fragmented. Only by running an entire defrag operation
can one hope that they might be defragmented again.
Using Contig
Contig is a utility that defragments a specified file or files. Use it
to optimize execution of
your frequently used files.
Usage:
Parameter Description
-a Analyze fragmentation
Parameter Description
-l Set valid data length for quick file creation (requires administrator rights)
-q Quiet mode
-s Recurse subdirectories
-v Verbose
Contig can also analyze and defragment the following NTFS metadata
files:
$Mft
$LogFile
$Volume
$AttrDef
$Bitmap
$Boot
$BadClus
$Secure
$UpCase
$Extend
How it Works
Contig uses the native Windows NT defragmentation support that was
introduced with
NT 4.0 (see my documentation of the defrag APIs for more
information). It first scans the
disk collecting the locations and sizes
of free areas. Then it determines where the file in
question is located.
Next, Contig decides whether the file can be optimized, based on
free
areas and the number of fragments the file currently consists of. If the
file can be
optimized, it is moved into the free spaces of the disk.
More Information
Helen Custer's Inside Windows NT provides a good overview of the
Object Manager
name space, and Mark's October 1997 Windows NT Magazine
column,"Inside the Object
Manager", is (of course) an excellent
overview.
Runs on:
Client: Windows 8.1 and higher.
Server: Windows Server 2012 and higher.
Nano Server: 2016 and higher.
Disk2vhd v2.02
Article • 10/12/2021
By Mark Russinovich
Introduction
Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's
Virtual Machine
disk format) versions of physical disks for use in
Microsoft Virtual PC or Microsoft
Hyper-V virtual machines (VMs). The
difference between Disk2vhd and other physical-
to-virtual tools is that
you can run Disk2vhd on a system that’s online. Disk2vhd uses
Windows'
Volume Snapshot capability, introduced in Windows XP, to create
consistent
point-in-time snapshots of the volumes you want to include in
a conversion. You can
even have Disk2vhd create the VHDs on local
volumes, even ones being converted
(though performance is better when
the VHD is on a disk different than ones being
converted).
The Disk2vhd user interface lists the volumes present on the system:
It will create one VHD for each disk on which selected volumes reside.
It preserves the
partitioning information of the disk, but only copies
the data contents for volumes on
the disk that are selected. This
enables you to capture just system volumes and exclude
data volumes, for
example.
Virtual PC supports a maximum virtual disk size of 127GB. If
you create a VHD from
a larger disk it will not be accessible from a
Virtual PC VM.
Disk2vhd does not support the conversion of volumes with Bitlocker enabled. If you
wish to create a VHD for such a volume, turn off Bitlocker and wait for the volume to
be fully decrypted first.
By Mark Russinovich
Introduction
DiskExt demonstrates the use of the
IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS
command that returns
information about what disks the partitions of a volume are
located on
(multipartition disks can reside on multiple disks) and where on the
disk the
partitions are located.
By Mark Russinovich
Introduction
DiskMon is an application that logs and displays all hard disk
activity on a Windows
system. You can also minimize DiskMon to your
system tray where it acts as a disk light,
presenting a green icon when
there is disk-read activity and a red icon when there is
disk-write
activity.
"C:\Sysinternals Tools\Diskmon.exe" /l
Read and write offsets are presented in terms of sectors (512 bytes).
Events can be either
timed for their duration (in microseconds), or
stamped with the absolute time that they
were initiated. The History
Depth dialog can be used to specify the maximum number of
records that
will be kept in the GUI (0 signifies no limit).
Implementation
DiskMon uses kernel event tracing. Event tracing is documented in the
Microsoft
Platform SDK and the SDK contains source code to TraceDmp, on
which DiskMon is
based.
By Mark Russinovich
Introduction
Du (disk usage) reports the disk space usage for the directory you
specify. By default it
recurses directories to show the total size of a
directory and its subdirectories.
Parameter Description
-n Do not recurse.
-q Quiet.
By Mark Russinovich
Introduction
DiskView shows you a graphical map of your disk, allowing you to
determine where a
file is located or, by clicking on a cluster, seeing
which file occupies it. Double-click to
get more information about a
file to which a cluster is allocated.
By Mark Russinovich
Introduction
Windows 2000 introduces the Encrypting File System (EFS) so that users
can protect
their sensitive data. Several new APIs make their debut to
support this facility, including
one-QueryUsersOnEncryptedFile-that
lets you see who has access to encrypted files.
This applet uses the API
to show you what accounts are authorized to access encrypted
files.
Using EFSDump
Parameter Description
-s Recurse subdirectories.
Runs on:
By Mark Russinovich
Introduction
Windows 2000 introduces a new type of disk partitioning scheme that is
managed by a
component called the Logical Disk Manager (LDM). Basic
disks implement standard
DOS-style partition tables, whereas Dynamic
disks use LDM partitioning. LDM
partitioning offers several advantages
over DOS partitioning including replication across
disks, on-disk storage
of advanced volume configuration (spanned volume, mirrored
volumes,
striped volumes and RAID-5 volumes). My March/April two-part series on
Windows NT/2000 storage management in Windows 2000 Magazine describes
the
details of each partitioning scheme.
Other than the Disk Management MMC-snapin and a tool called dmdiag in
the
Windows 2000 Resource Kit, there are no tools for investigating the
internals of the LDM
on-disk database that describes a system's
partitioning layout. LDMDump is a utility that
lets you examine
exactly what is stored in a disk's copy of the system LDM database.
LDMDump shows you the contents of the LDM database private header,
table-of-
contents, and object database (where partition, component and
volume definitions are
stored), and then summarizes its finding with
partition table and volume listings.
Parameter Description
- Displays the supported options and the units of measurement used for output
values.
-d# Specifies the number of the disk for LDMDump to examine. For example, "ldmdump
/d0" has LDMDump show the LDM database information stored on disk 0.
How it Works
There are no published APIs available for obtaining detailed
information about a disk's
LDM partitioning, and the LDM database format
is completely undocumented.
LDMDump was developed based on study of
LDM database contents on a variety of
different systems and under
changing conditions.
More Information
For more information on the LDM on-disk structure, see:
Runs on:
By Mark Russinovich
Published: September 17, 2020
Introduction
There are several applications, such as service packs and hotfixes, that must replace a file
that's in use and is unable to. Windows therefore provides the MoveFileEx API to
rename or delete a file and allows the caller to specify that they want the operation to
take place the next time the system boots,before the files are referenced. Session
Manager performs this task by reading the registered rename and delete commands
from the HKLM\System\CurrentControlSet\Control\Session
Manager\PendingFileRenameOperations value.
PendMoves Usage
This applet dumps the contents of the pending rename/delete value and also reports an
error when the source file is notaccessible.
Usage: pendmoves
Here is example output that shows a temporary installation file is scheduled for deletion
at the next reboot:
Shell
C:\\>pendmoves
PendMove v1.2
Sysinternals - www.sysinternals.com
Source: C:\\Config.Msi\\3ec7bbbf.rbf
Target: DELETE
MoveFile usage
The included MoveFile utililty allows you to schedule move and delete commands for
the next reboot:
usage: movefile [source] [dest]
Specifying an empty destination ("") deletes the source at boot. An example that deletes
test.exe is:
Shell
By Mark Russinovich
Introduction
NTFSInfo is a little applet that shows you information about NTFS
volumes. Its dump
includes the size of a drive's allocation units, where
key NTFS files are located, and the
sizes of the NTFS metadata files on
the volume. This information is typically of little
more than curiosity
value, but NTFSInfo does show some interesting things. For
example,
you've probably heard about the NTFS equivalent of the FAT file system's
File
Allocation Table. Its called the Master File Table (MFT), and it is
made up of constant
sized records that describe the location of all the
files and directories on the drive.
What's surprising about the MFT is
that it is managed as a file, just like any other.
NTFSInfo will show
you where on the disk (in terms of clusters) the MFT is located and
how
large it is, in addition to specifying how large the volume's clusters
and MFT
records are. In order to protect the MFT from fragmentation,
NTFS reserves a portion of
the disk around the MFT that it will not
allocate to other files unless disk space runs low.
This area is known
as the MFT-Zone and NTFSInfo will tell you where on the disk the
MFT-Zone is located and what percentage of the drive is reserved for it.
You might also be surprised to know that like the MFT, all NTFS
meta-data are managed
in files. For instance, there is a file called
$Boot that is mapped to cover the drive's boot
sector. The volume's
cluster map is maintained in another file named $Bitmap. These
files
reside right in the NTFS root directory, but you can't see them unless
you know
they are there. Try typing "dir /ah $boot" at the root
directory of an NTFS volume and
you'll actually see the $boot file.
NTFSInfo performs the equivalent of the "dir /ah" to
show you the
names and sizes of all of NTFS (3.51 and 4.0) meta-data files.
Usage: NTFSInfo x
Parameter Description
x The drive letter of the NTFS volume that you want to examine.
How It Works
NTFSInfo uses an undocumented File System Control (FSCTL) call to
obtain information
from NTFS about a volume. It prints this information
along with a directory dump of
NTFS meta-data files.
Runs on:
By Mark Russinovich
Published: September 17, 2020
Introduction
There are several applications, such as service packs and hotfixes, that must replace a file
that's in use and is unable to. Windows therefore provides the MoveFileEx API to
rename or delete a file and allows the caller to specify that they want the operation to
take place the next time the system boots,before the files are referenced. Session
Manager performs this task by reading the registered rename and delete commands
from the HKLM\System\CurrentControlSet\Control\Session
Manager\PendingFileRenameOperations value.
PendMoves Usage
This applet dumps the contents of the pending rename/delete value and also reports an
error when the source file is notaccessible.
Usage: pendmoves
Here is example output that shows a temporary installation file is scheduled for deletion
at the next reboot:
Shell
C:\\>pendmoves
PendMove v1.2
Sysinternals - www.sysinternals.com
Source: C:\\Config.Msi\\3ec7bbbf.rbf
Target: DELETE
MoveFile usage
The included MoveFile utililty allows you to schedule move and delete commands for
the next reboot:
usage: movefile [source] [dest]
Specifying an empty destination ("") deletes the source at boot. An example that deletes
test.exe is:
Shell
By Mark Russinovich
RegMon and FileMon are no longer available for download. They have been
replaced by
Process Monitor on versions
of Windows starting with Windows 2000 SP4, Windows XP
SP2, Windows
Server 2003 SP1, and Windows Vista.
Related Utilities
Here are some other monitoring tools available at Sysinternals:
PortMon -
a serial and parallel port monitor
Process
Monitor -
a process and thread monitor
DiskMon -
a hard disk monitor
DebugView -
a debug output monitor
SDelete v2.04
Article • 07/19/2022
By Mark Russinovich
Introduction
One feature of Windows NT/2000's (Win2K) C2-compliance is that it
implements object
reuse protection. This means that when an application
allocates file space or virtual
memory it is unable to view data that
was previously stored in the resources Windows
NT/2K allocates for it.
Windows NT zero-fills memory and zeroes the sectors on disk
where a file
is placed before it presents either type of resource to an application.
However, object reuse does not dictate that the space that a file
occupies before it is
deleted be zeroed. This is because Windows NT/2K
is designed with the assumption that
the operating system controls
access to system resources. However, when the operating
system is not
active it is possible to use raw disk editors and recovery tools to view
and
recover data that the operating system has deallocated. Even when
you encrypt files
with Win2K's Encrypting File System (EFS), a file's
original unencrypted file data is left on
the disk after a new encrypted
version of the file is created.
The only way to ensure that deleted files, as well as files that you
encrypt with EFS, are
safe from recovery is to use a secure delete
application. Secure delete applications
overwrite a deleted file's
on-disk data using techniques that are shown to make disk
data
unrecoverable, even using recovery technology that can read patterns in
magnetic
media that reveal weakly deleted files. SDelete (Secure
Delete) is such an application.
You can use SDelete both to securely
delete existing files, as well as to securely erase any
file data that
exists in the unallocated portions of a disk (including files that you
have
already deleted or encrypted). SDelete implements the Department
of Defense clearing
and sanitizing standard DOD 5220.22-M, to give you
confidence that once deleted with
SDelete, your file data is gone
forever. Note that SDelete securely deletes file data, but
not file
names located in free disk space.
Using SDelete
SDelete is a command line utility that takes a number of options. In
any given use, it
allows you to delete one or more files and/or
directories, or to cleanse the free space on
a logical disk. SDelete
accepts wild card characters as part of the directory or file
specifier.
Usage:
Parameter Description
-c Clean free space. Specify an option amount of space to leave free for use by a
running system.
-s Recurse subdirectories.
Cleaning free space presents another challenge. Since FAT and NTFS
provide no means
for an application to directly address free space,
SDelete has one of two options. The
first is that it can, like it does
for compressed, sparse and encrypted files, open the disk
for raw access
and overwrite the free space. This approach suffers from a big problem:
even if SDelete were coded to be fully capable of calculating the free
space portions of
NTFS and FAT drives (something that's not trivial), it
would run the risk of collision with
active file operations taking place
on the system. For example, say SDelete determines
that a cluster is
free, and just at that moment the file system driver (FAT, NTFS) decides
to allocate the cluster for a file that another application is
modifying. The file system
driver writes the new data to the cluster,
and then SDelete comes along and overwrites
the freshly written data:
the file's new data is gone. The problem is even worse if the
cluster is
allocated for file system metadata since SDelete will corrupt the file
system's
on-disk structures.
The reason that SDelete does not securely delete file names when
cleaning disk free
space is that deleting them would require direct
manipulation of directory structures.
Directory structures can have free
space containing deleted file names, but the free
directory space is not
available for allocation to other files. Hence, SDelete has no way of
allocating this free space so that it can securely overwrite it.
Runs on:
By Mark Russinovich
Introduction
Sigcheck is a command-line utility that shows file version number,
timestamp
information, and digital signature details, including
certificate chains. It also includes an
option to check a file’s status
on VirusTotal , a site that performs
automated file
scanning against over 40 antivirus engines, and an option
to upload a file for scanning.
usage:
sigcheck [-a][-h][-i][-e][-l][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r]
[s]][-f catalog file] <file or directory>
Parameter Description
-a Show extended version information. The entropy measure reported is the bits per
byte of information of the file's contents.
-m Dump manifest
-o Performs Virus Total lookups of hashes captured in a CSV file previously captured
by Sigcheck when using the -h option. This usage is intended for scans of offline
systems.
-s Recurse subdirectories
-t[u][v] Dump contents of specified certificate store ('*' for all stores).
Specify -tu to query the user store (machine store is the default).
Append '-v' to have Sigcheck download the trusted Microsoft root certificate list
and only output valid certificates not rooted to a certificate on that list. If the site
is not accessible, authrootstl.cab or authroot.stl in the current directory are used
instead, if present.
-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have
non-zero detection, otherwise show only unsigned files.
Files reported as not previously scanned will be uploaded to VirusTotal if the 's'
option is specified. Note scan results may not be available for five or more
minutes.
-vt Before using VirusTotal features, you must accept VirusTotal terms of service. See:
https://www.virustotal.com/en/about/terms-of-service/ If you haven't accepted
the terms and you omit this option, you will be interactively prompted.
One way to use the tool is to check for unsigned files in your
\Windows\System32
directories with this command:
sigcheck -u -e c:\windows\system32
You should investigate the purpose of any files that are not signed.
Download Sigcheck (664 KB)
Runs on:
Learn More
Malware Hunting with the Sysinternals
Tools
By Mark Russinovich
Introduction
The NTFS file system provides applications the ability to create
alternate data streams of
information. By default, all data is stored in
a file's main unnamed data stream, but by
using the syntax
'file:stream', you are able to read and write to alternates. Not all
applications are written to access alternate streams, but you can
demonstrate streams
very simply. First, change to a directory on a NTFS
drive from within a command
prompt. Next, type 'echo hello >
test:stream'. You've just created a stream named
'stream' that is
associated with the file 'test'. Note that when you look at the size of
test
it is reported as 0, and the file looks empty when opened in any
text editor. To see your
stream enter 'more < test:stream' (the type
command doesn't accept stream syntax so
you have to use more).
NT does not come with any tools that let you see which NTFS files have
streams
associated with them, so I've written one myself. Streams will
examine the files and
directories (note that directories can also have
alternate data streams) you specify and
inform you of the name and sizes
of any named streams it encounters within those files.
Streams makes use
of an undocumented native function for retrieving file stream
information.
Using Streams
Usage: streams [-s] [-d] <file or directory>
Parameter Description
-s Recurse subdirectories.
-d Delete streams.
Runs on:
By Mark Russinovich
Introduction
UNIX provides a standard utility called Sync, which can be used to
direct the operating
system to flush all file system data to disk in
order to insure that it is stable and won't be
lost in case of a system
failure. Otherwise, any modified data present in the cache would
be
lost. Here is an equivalent that I wrote, called Sync, that works on all
versions of
Windows. Use it whenever you want to know that modified file
data is safely stored on
your hard drives. Unfortunately, Sync requires
administrative privileges to run. This
version also lets you flush
removable drives such as ZIP drives.
Using Sync
Usage: sync [-r] [-e] [drive letter list]
Parameter Description
Specifying specific drives (e.g. "c e") will result in Sync only
flushing those drives.
Runs on:
By Mark Russinovich
Introduction
While Windows NT/2000 and Windows 95 and 98's built-in Label utility
lets you change
the labels of disk volumes, it does not provide any
means for changing volume ids. This
utility, VolumeID, allows you to
change the ids of FAT and NTFS disks (floppies or hard
drives).
Note that changes on NTFS volumes won't be visible until the next
reboot. In addition,
you should shut down any applications you have
running before changing a volume id.
NT may become confused and think
that the media (disk) has changed after a FAT
volume id has changed and
pop up messages indicating that you should reinsert the
original disk
(!). It may then fail the disk requests of applications using those
drives.
Runs on:
AD Explorer
AD Insight
AdRestore
PipeList
Displays the named pipes on your system, including the number of maximum
instances
and active instances for each pipe.
PsFile
PsPing
PsTools
ShareEnum
Scan file shares on your network and view their security settings to
close security holes.
TCPView
Whois
By Mark Russinovich
Introduction
Active Directory Explorer (AD Explorer) is an advanced Active Directory
(AD) viewer and
editor. You can use AD Explorer to easily navigate an AD
database, define favorite
locations, view object properties and
attributes without having to open dialog boxes,
edit permissions, view
an object's schema, and execute sophisticated searches that you
can save
and re-execute.
By Mark Russinovich
Introduction
ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time
monitoring tool
aimed at troubleshooting Active Directory client
applications. Use its detailed tracing of
Active Directory client-server
communications to solve Windows authentication,
Exchange, DNS, and other
problems.
Runs on:
Related Links
The Sysinternals
AdRestore
utility enables you to restore deleted objects on Windows
Server 2003
domains.
AD Explorer
is an advanced Active Directory (AD) viewer and editor.
AdRestore v1.2
Article • 03/23/2021
By Mark Russinovich
Introduction
Windows Server 2003 introduces the ability to restore deleted
("tombstoned") objects.
This simple command-line utility enumerates the
deleted objects in a domain and gives
you the option of restoring each
one. Source code is based on sample code in the
Microsoft Platform SDK.
This MS KB article describes the use of AdRestore:
Introduction
Did you know that the device driver that implements named pipes is
actually a file
system driver? In fact, the driver's name is NPFS.SYS,
for "Named Pipe File System".
What you might also find surprising is
that its possible to obtain a directory listing of the
named pipes
defined on a system. This fact is not documented, nor is it possible to
do
this using the Win32 API. Directly using NtQueryDirectoryFile, the
native function that
the Win32 FindFile APIs rely on, makes it possible
to list the pipes. The directory listing
NPFS returns also indicates the
maximum number of pipe instances set for each pipe
and the number of
active instances.
Runs on:
By Mark Russinovich
Introduction
The "net file" command shows you a list of the files that other
computers have opened
on the system upon which you execute the command,
however it truncates long path
names and doesn't let you see that
information for remote systems. PsFile is a
command-line utility that
shows a list of files on a system that are opened remotely, and
it also
allows you to close opened files either by name or by a file
identifier.
Installation
Just copy PsFile onto your executable path, and type "psfile".
Using PsFile
The default behavior of PsFile is to list the files on the local
system that are open by
remote systems. Typing a command followed by "-
" displays information on the syntax
for the command.
Parameter Description
-p Specifies password for user name. If this is omitted, you will be prompted to enter
the password without it being echoed to the screen.
Id Identifier (as assigned by PsFile) of the file for which to display information or to
close.
Path Full or partial path of files to match for information display or close.
PsTools
Runs on:
By Mark Russinovich
Introduction
PsPing implements Ping functionality, TCP ping, latency and bandwidth
measurement.
Use the following command-line options to show the usage
for each test type:
Installation
Copy PsPing onto your executable path. Typing "psping" displays its
usage syntax.
Using PsPing
PsPing implements Ping functionality, TCP ping, latency and bandwidth
measurement.
Use the following command-line options to show the usage
for each test type:
Usage:
psping -? [i|t|l|b\]
Parameter Description
Parameter Description
If you specify a single argument, it's interpreted as a bucket count and the
histogram will contain that number of buckets covering the entire time range of
values. Specify a comma-separated list of times to create a custom histogram (e.g.
"0.01,0.05,1,5,10").
-l Request size. Append 'k' for kilobytes and 'm' for megabytes.
-t Ping until stopped with Ctrl+C and type Ctrl+Break for statistics.
Parameter Description
If you specify a single argument, it's interpreted as a bucket count and the
histogram will contain that number of buckets covering the entire time range of
values. Specify a comma-separated list of times to create a custom histogram (e.g.
"0.01,0.05,1,5,10").
-l Request size. Append 'k' for kilobytes and 'm' for megabytes.
Parameter Description
-t Ping until stopped with Ctrl+C and type Ctrl+Break for statistics.
server:
client:
Parameter Description
If you specify a single argument, it's interpreted as a bucket count and the
histogram will contain that number of buckets covering the entire time range of
values. Specify a comma-separated list of times to create a custom histogram (e.g.
"0.01,0.05,1,5,10").
-l Request size. Append 'k' for kilobytes and 'm' for megabytes.
The server can serve both latency and bandwidth tests and remains active
until you
terminate it with Control-C.
server:
client:
psping [-b] [[-6]|[-4]] [-f] [-u] [-h [buckets | <val1>,<val2>,...]] [-r] <-
l requestsize>[k|m]] <-n count> [-i <outstanding>] [-w <count>]
<destination:destport>
Parameter Description
-b Bandwidth test.
If you specify a single argument, it's interpreted as a bucket count and the
histogram will contain that number of buckets covering the entire time range of
values. Specify a comma-separated list of times to create a custom histogram (e.g.
"0.01,0.05,1,5,10").
-l Request size. Append 'k' for kilobytes and 'm' for megabytes.
The server can serve both latency and bandwidth tests and remains active
until you
terminate it with Control-C.
Examples
This command executes an ICMP ping test for 10 iterations with 3 warmup
iterations:
psping -n 10 -w 3 marklap
To execute a TCP connect test, specify the port number. The following
command
executes connect attempts against the target as quickly as
possible, only printing a
summary when finished with the 100 iterations
and 1 warmup iteration:
psping -s 192.168.2.2:5000
PsTools
Runs on:
By Mark Russinovich
Introduction
An aspect of Windows NT/2000/XP network security that's often overlooked
is file
shares. A common security flaw occurs when users define file
shares with lax security,
allowing unauthorized users to see sensitive
files. There are no built-in tools to list
shares viewable on a network
and their security settings, but ShareEnum fills the void
and allows
you to lock down file shares in your network.
When you run ShareEnum it uses NetBIOS enumeration to scan all the
computers within
the domains accessible to it, showing file and print
shares and their security settings.
Because only a domain administrator
has the ability to view all network resources,
ShareEnum is most
effective when you run it from a domain administrator account.
How It Works
ShareEnum uses WNetEnumResource to enumerate domains and the
computers within
them and NetShareEnum to enumerate shares on
computers.
By Mark Russinovich
Introduction
TCPView is a Windows program that will show you detailed listings of all
TCP and UDP
endpoints on your system, including the local and remote
addresses and state of TCP
connections. On Windows Server 2008, Vista,
and XP, TCPView also reports the name of
the process that owns the
endpoint. TCPView provides a more informative and
conveniently presented
subset of the Netstat program that ships with Windows. The
TCPView
download includes Tcpvcon, a command-line version with the same
functionality.
Using TCPView
When you start TCPView it will enumerate all active TCP and UDP
endpoints, resolving
all IP addresses to their domain name versions. You
can use a toolbar button or menu
item to toggle the display of resolved
names. TCPView shows the name of the process
that owns each endpoint, including the service name (if any).
By default, TCPView updates every second, but you can use the
Options|Refresh Rate
menu item to change the rate. Endpoints that
change state from one update to the next
are highlighted in yellow;
those that are deleted are shown in red, and new endpoints
are shown in
green.
You can close established TCP/IP connections (those labeled with a state
of
ESTABLISHED) by selecting File|Close Connections, or by
right-clicking on a connection
and choosing Close Connections from
the resulting context menu.
You can save TCPView's output window to a file using the Save menu
item.
Using Tcpvcon
Tcpvcon usage is similar to that of the built-in Windows netstat
utility:
Usage:
Shell
Parameter Description
Runs on:
By Mark Russinovich
Introduction
Whois performs the registration record for the domain name or IP address
that you
specify.
Usage
Usage: whois [-v] domainname [whois.server]
Parameter Description
Runs on:
Autoruns
Handle
This handy command-line utility will show you what files are open by
which processes,
and much more.
ListDLLs
List all the DLLs that are currently loaded, including where they are
loaded and their
version numbers. Version 2.0 prints the full path names
of loaded modules.
PortMon
Monitor serial and parallel port activity with this advanced monitoring
tool. It knows
about all standard serial and parallel IOCTLs and even
shows you a portion of the data
being sent and received. Version 3.x has
powerful new UI enhancements and advanced
filtering capabilities.
ProcDump
Process Explorer
Find out what files, registry keys and other objects processes have
open, which DLLs
they have loaded, and more. This uniquely powerful
utility will even show you who owns
each process.
Process Monitor
PsExec
PsGetSid
PsList
PsService
PsSuspend
PsTools
ShellRunas
VMMap
By Mark Russinovich
https://www.microsoft.com/en-us/videoplayer/embed/RW14GhU?
autoplay=true&loop=true&controls=false&postJsllMsg=true
Introduction
This utility, which has the most comprehensive knowledge of
auto-starting locations of
any startup monitor, shows you what programs
are configured to run during system
bootup or login, and when you start
various built-in Windows applications like Internet
Explorer, Explorer
and media players. These programs and drivers include ones in your
startup folder, Run, RunOnce, and other Registry keys.
Autoruns reports Explorer shell
extensions, toolbars, browser helper
objects, Winlogon notifications, auto-start services,
and much
more. Autoruns goes way beyond other autostart utilities.
Usage
Simply run Autoruns and it shows you the currently configured
auto-start applications as
well as the full list of Registry and file
system locations available for auto-start
configuration. Autostart
locations displayed by Autoruns include logon entries, Explorer
add-ons,
Internet Explorer add-ons including Browser Helper Objects (BHOs),
Appinit
DLLs, image hijacks, boot execute images, Winlogon notification
DLLs, Windows Services
and Winsock Layered Service Providers, media
codecs, and more. Switch tabs to view
autostarts from different
categories.
Autorunsc Usage
Autorunsc is the command-line version of Autoruns. Its usage syntax is:
Parameter Description
* All.
b Boot execute.
d Appinit DLLs.
e Explorer addons.
h Image hijacks.
k Known DLLs.
m WMI entries.
o Codecs.
t Scheduled tasks.
w Winlogon entries.
-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have
non-zero detection, otherwise show only unsigned files.
-v[rs] Query VirusTotal for malware based on file hash. Add 'r' to open reports for files
with non-zero detection. Files reported as not previously scanned will be uploaded
to VirusTotal if the 's' option is specified. Note scan results may not be available for
five or more minutes.
-vt Before using VirusTotal features, you must accept the VirusTotal terms of service . If
you haven't accepted the terms and you omit this option, you will be interactively
prompted.
user Specifies the name of the user account for which autorun items will be shown.
Specify '*' to scan all user profiles.
Related Links
Windows Internals Book The official updates and errata page for the definitive
book on
Windows internals, by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference The
official guide to the
Sysinternals utilities by Mark Russinovich and
Aaron Margosis, including
descriptions of all the tools, their
features, how to use them for troubleshooting,
and example
real-world cases of their use.
Download
Download Autoruns and Autorunsc (2.8 MB)
By Mark Russinovich
Introduction
Ever wondered which program has a particular file or directory open? Now
you can find
out. Handle is a utility that displays information about
open handles for any process in
the system. You can use it to see the
programs that have a file open, or to see the object
types and names of
all the handles of a program.
You can also get a GUI-based version of this program, Process Explorer,
here at
Sysinternals.
Installation
You run Handle by typing "handle". You must have administrative
privilege to run
Handle.
Usage
Handle is targeted at searching for open file references, so if you
do not specify any
command-line parameters it will list the values of
all the handles in the system that refer
to open files and the names of
the files. It also takes several parameters that modify this
behavior.
usage: handle [[-a [-l]] [-v|-vt] [-u] | [-c <handle> [-y]] | [-s]] [-p <process>|
<pid>] [name]
Parameter Description
-a Dump information about all types of handles, not just those that refer to files. Other
types include ports, Registry keys, synchronization primitives, threads, and
processes.
-c Closes the specified handle (interpreted as a hexadecimal number). You must specify
the process by its PID.
-p Instead of examining all the handles in the system, this parameter narrows Handle's
scan to those processes that begin with the name process. Thus:
handle -p exp
would dump the open files for all processes that start with "exp", which would
include Explorer.
name This parameter is present so that you can direct Handle to search for references to
an object with a particular name.
For example, if you wanted to know which process (if any) has
"c:\windows\system32" open you could type:
handle windows\system
The name match is case-insensitive and the fragment specified can be anywhere in
the paths you are interested in.
Handle Output
When not in search mode (enabled by specifying a name fragment as a
parameter),
Handle divides its output into sections for each process it
is printing handle information
for. Dashed lines are used as a
separator, immediately below which you will see the
process name and its
process id (PID). Beneath the process name are listed handle
values (in
hexadecimal), the type of object the handle is associated with, and the
name
of the object if it has one.
When in search mode, Handle prints the process names and id's are
listed on the left
side and the names of the objects that had a match
are on the right.
More Information
You can find more information on the Object Manager in Windows
Internals, 4th Edition
or by browsing the Object Manager name-space
with
WinObj.
By Mark Russinovich
Introduction
ListDLLs is a utility that reports the DLLs loaded into processes. You
can use it to list all
DLLs loaded into all processes, into a specific
process, or to list the processes that have a
particular DLL loaded.
ListDLLs can also display full version information for DLLs,
including
their digital signature, and can be used to scan processes for unsigned
DLLs.
Usage
listdlls [-r] [-v | -u] [processname|pid]
Parameter Description
dllname Show only processes that have loaded the specified DLL.
-r Flag DLLs that relocated because they are not loaded at their base address.
Examples
List the DLLs loaded into Outlook.exe, including their version
information:
listdlls -v outlook
listdlls -d mso.dll
Runs on:
By Mark Russinovich
Introduction
Portmon is a utility that monitors and displays all serial and
parallel port activity on a
system. It has advanced filtering and search
capabilities that make it a powerful tool for
exploring the way Windows
works, seeing how applications use ports, or tracking down
problems in
system or application configurations.
Portmon 3.x
Version 3.x of Portmon marks the introduction of a number of powerful
features.
The on-line help-file describes all these features, and more, in detail.
Installation and Use
Simply execute the Portmon program file (portmon.exe) and Portmon
will immediately
start capturing debug output. To run Portmon on
Windows 95 you must get the
WinSock2
update from Microsoft. Note
that if you run Portmon on Windows NT/2K
portmon.exe must be located
on a non-network drive and you must have administrative
privilege.
Menus, hot-keys, or toolbar buttons can be used to clear the window,
save the
monitored data to a file, search output, change the window
font, and more. The on-line
help describes all of Portmon's features.
Portmon understands all serial and parallel port I/O control (IOCTLs)
commands and will
display them along with interesting information
regarding their associated parameters.
For read and write requests
Portmon displays the first several dozen bytes of the buffer,
using
'.' to represent non-printable characters. The Show Hex menu option lets
you
toggle between ASCII and raw hex output of buffer data.
Published: 11/03/2022
https://www.microsoft.com/en-us/videoplayer/embed/RE591St?
autoplay=true&loop=true&controls=false&postJsllMsg=true
Introduction
ProcDump is a command-line utility whose primary purpose is monitoring
an
application for CPU spikes and generating crash dumps during a spike
that an
administrator or developer can use to determine the cause of the
spike. ProcDump also
includes hung window monitoring (using the same
definition of a window hang that
Windows and Task Manager use),
unhandled exception monitoring and can generate
dumps based on the
values of system performance counters. It also can serve as a
general
process dump utility that you can embed in other scripts.
Using ProcDump
Capture Usage:
procdump.exe [-mm] [-ma] [-mt] [-mp] [-mc <Mask>] [-md <Callback_DLL>] [-mk]
[-n <Count>]
[-s <Seconds>]
[-m|-ml <Commit_Usage>]
[-h]
[-l]
[-t]
[-dc <Comment>]
[-o]
[-at <Timeout>]
[-wer]
[-64]
Install Usage:
procdump.exe -i [Dump_Folder]
[-r]
[-at <Timeout>]
[-k]
[-wer]
Uninstall Usage:
procdump.exe -u
Dump Types:
Dump Description
Type
- Includes directly and indirectly referenced memory (stacks and what they reference).
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
- Includes all Private memory and all Read/Write Image or Mapped memory.
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
- To minimize size, the largest Private memory area over 512MB is excluded.
- Note: CLR processes are dumped as Full (-ma) due to debugging limitations.
- Includes the memory and metadata defined by the specified MINIDUMP_TYPE mask
(Hex).
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
- When using multiple dump sizes, a kernel dump is taken for each dump size.
Conditions:
Condition Description
-a Avoid outage. Requires -r . If the trigger will cause the target to suspend for a
prolonged time due to an exceeded concurrent dump limit, the trigger will be
skipped.
Add -ld to create a dump when a DLL (module) is loaded (filtering applies).
Add -ud to create a dump when a DLL (module) is unloaded (filtering applies).
-f Filter (include) on the content of exceptions, debug logging and filename at DLL
load/unload. Wildcards (*) are supported.
-fx Filter (exclude) on the content of exceptions, debug logging and filename at DLL
load/unload. Wildcards (*) are supported.
-h Write dump if process has a hung window (does not respond to window messages
for at least 5 seconds).
-p Trigger when the Performance Counter is at, or exceeds, the specified Threshold.
Some Counters and/or Instance Names can be case-sensitive.
-pl Trigger when the Performance Counter falls below the specified Threshold.
-r Dump using a clone. Concurrent limit is optional (default 1, max 5). OS doesn't
support a kernel dump ( -mk ) when using a clone ( -r ). CAUTION: a high concurrency
value may impact system performance.
-64 By default ProcDump will capture a 32-bit dump of a 32-bit process when running
on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for
WOW64 subsystem debugging.
License Agreement:
Automated Termination:
Using this option or setting an event with the name ProcDump-<PID> is the same as
typing Ctrl+C to gracefully terminate ProcDump. Graceful termination ensures the
process is resumed if a capture is active. The cancellation applies to ALL ProcDump
instances monitoring the process.
Filename:
Substitution Explanation
PID Process ID
YYMMDD Year/Month/Day
HHMMSS Hour/Minute/Second
Examples
Write a mini dump of a process named 'notepad' (only one match can
exist):
C:\>procdump notepad
Write a Mini first, and then a Full dump of a process with PID '4572':
C:\>procdump -n 3 -s 5 notepad
C:\>procdump -n 3 -s 5 -c 20 consume
Write a Mini dump for a process named 'hang.exe' when one of its
windows is
unresponsive for more than 5 seconds:
C:\>procdump -h hang.exe
Write a Full and Kernel dump for a process named 'hang.exe' when one of its
windows is unresponsive for more than 5 seconds:
Write a Mini dump of a process named 'outlook' when total system CPU
usage
exceeds 20% for 10 seconds:
Windows Command Prompt
Write a Full dump of 'svchost' PID 1234, Instance #87, when the handle count
exceeds 10,000:
txt
\Process(<name>[#NNN])\<counter>
Older OSes require you to append the PID for \Process counters.
txt
\Process(<name>[_PID])\<counter>
Tip: Use Performance Monitor to view the counters (esp. case sensitivity).
Tip: For \Process(*) based counters, use PowerShell to map a PID to its #NNN .
pwsh
Write up to 10 Full dumps if a debug string message contains ' NotFound ':
C:\>procdump -e -w notepad
Register for launch, and attempt to activate, a store 'application'. A new ProcDump
instance will start when it is activated:
Register for launch of a store 'package'. A new ProcDump instance will start when
it is (manually) activated:
C:\>procdump -e -x c:\dumps
Microsoft.BingMaps_1.2.0.136_x64__8wekyb3d8bbwe
Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an
unhandled exception:
..or..
C:\Dumps>procdump -ma -i
C:\>procdump -u
See a list of example command lines (the examples are listed above):
C:\>procdump -? -e
Related Links
Windows Internals Book
The official updates and errata page for the definitive
book on
Windows internals, by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference
The official guide to the
Sysinternals utilities by Mark Russinovich and
Aaron Margosis, including
descriptions of all the tools, their
features, how to use them for troubleshooting,
and example
real-world cases of their use.
Runs on:
Learn More
Defrag Tools: #9 -
ProcDump
This episode of Defrag Tools covers what the tool
captures and
expected outage durations
Defrag Tools: #10 - ProcDump -
Triggers
This episode covers trigger options in
particular 1st & 2nd chance
exceptions
Defrag Tools: #11 - ProcDump - Windows 8 & Process
Monitor
This episode covers
modern application support and Process Monitor
logging support
Process Explorer v17.04
Article • 03/30/2023
By Mark Russinovich
https://www.microsoft.com/en-us/videoplayer/embed/RE5d5Rd?
autoplay=true&loop=true&controls=false&postJsllMsg=true
Introduction
Ever wondered which program has a particular file or directory open? Now
you can find
out. Process Explorer shows you information about which
handles and DLLs processes
have opened or loaded.
Related Links
Windows Internals Book
The official updates and errata page for the definitive
book on Windows internals, by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference The official guide to the
Sysinternals utilities by Mark Russinovich and Aaron Margosis, including
descriptions of all the tools, their features, how to use them for troubleshooting,
and example real-world cases of their use.
Download
Download Process Explorer (3.3 MB)
Runs on:
Installation
Simply run Process Explorer (procexp.exe).
The help file describes Process Explorer operation and usage. If you have problems or
questions, visit the Process Explorer section on Microsoft Q&A.
Learn More
Here are some other handle and DLL viewing tools and information
available at
Sysinternals:
The case of the Unexplained... In this video, Mark describes how he has solved
seemingly unsolvable system and application problems on Windows.
Handle - a command-line handle viewer
ListDLLs - a command-line DLL viewer
PsList - local/remote command-line process lister
PsKill - local/remote command-line process killer
Defrag Tools: #2 - Process Explorer
In this episode of Defrag Tools, Andrew
Richards and Larry Larsen show how to use Process Explorer to view the details of
processes, both at a point in time and historically.
Windows Sysinternals Primer: Process Explorer, Process Monitor and More Process
Explorer gets a lot of attention in the first Sysinternals Primer delivered by Aaron
Margosis and Tim Reckmeyer at TechEd 2010.
Process Monitor v3.95
Article • 03/09/2023
By Mark Russinovich
Introduction
Process Monitor is an advanced monitoring tool for Windows that shows
real-time file
system, Registry and process/thread activity. It combines
the features of two legacy
Sysinternals utilities, Filemon and
Regmon, and adds an extensive list of enhancements
including rich and
non-destructive filtering, comprehensive event properties such as
session
IDs and user names, reliable process information, full thread stacks
with
integrated symbol support for each operation, simultaneous logging
to a file, and much
more. Its uniquely powerful features will make
Process Monitor a core utility in your
system troubleshooting and
malware hunting toolkit.
Screenshots
Related Links
Windows Internals Book
The
official updates and errata page for the definitive book on Windows
internals,
by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference
The
official guide to the Sysinternals utilities by Mark Russinovich and
Aaron
Margosis, including descriptions of all the tools, their
features, how to use them for
troubleshooting, and example
real-world cases of their use.
Download
Download Process Monitor (3.3 MB)
Runs on:
By Mark Russinovich
Introduction
Utilities like Telnet and remote control programs like Symantec's PC
Anywhere let you
execute programs on remote systems, but they can be a
pain to set up and require that
you install client software on the
remote systems that you wish to access. PsExec is a
light-weight
telnet-replacement that lets you execute processes on other systems,
complete with full interactivity for console applications, without
having to manually
install client software. PsExec's most powerful uses
include launching interactive
command-prompts on remote systems and
remote-enabling tools like IpConfig that
otherwise do not have the
ability to show information about remote systems.
Note: some anti-virus scanners report that one or more of the tools are
infected with a
"remote admin" virus. None of the PsTools contain
viruses, but they have been used by
viruses, which is why they trigger
virus notifications.
Installation
Just copy PsExec onto your executable path. Typing "psexec" displays its
usage syntax.
Using PsExec
See the July 2004 issue of Windows IT Pro Magazine for Mark's
article that covers
advanced usage of PsExec.
Usage:
Parameter Description
-a Separate processors on which the application can run with commas where 1 is the
lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4,
enter: "-a 2,4"
-c Copy the specified executable to the remote system for execution. If you omit this
option the application must be in the system path on the remote system.
-f Copy the specified program even if the file already exists on the remote system.
-i Run the program so that it interacts with the desktop of the specified session on the
remote system. If no session is specified the process runs in the console session.
This flag is required when attempting to run console applications interactively (with
redirected standard IO).
-h If the target system is Vista or higher, has the process run with the account's
elevated token, if available.
-l Run process as limited user (strips the Administrators group and allows only
privileges assigned to the Users group). On Windows Vista the process runs with
Low Integrity.
-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.
-v Copy the specified file only if it has a higher version number or is newer on than the
one on the remote system.
-priority Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at
a different priority. Use -background to run at low memory and I/O priority on Vista.
computer Direct PsExec to run the application on the remote computer or computers
specified. If you omit the computer name, PsExec runs the application on the local
system, and if you specify a wildcard (\\*), PsExec runs the command on all
computers in the current domain.
Parameter Description
@file PsExec will execute the command on each of the computers listed in the file.
arguments Arguments to pass (note that file paths must be absolute paths on the target
system).
You can enclose applications that have spaces in their name with
quotation marks e.g.
Input is only passed to the remote system when you press the Enter key.
Typing Ctrl-C
terminates the remote process.
If you omit a user name, the process will run in the context of your
account on the
remote system, but will not have access to network
resources (because it is
impersonating). Specify a valid user name in
the Domain\User syntax if the remote
process requires access to network
resources or to run in a different account. Note that
the password and
command are encrypted in transit to the remote system.
Examples
This article I wrote describes how PsExec
works and gives tips
on how to use it:
This command executes IpConfig on the remote system with the /all
switch, and
displays the resulting output locally:
psexec -i -d -s c:\windows\regedit.exe
PSTools
Runs on:
By Mark Russinovich
Introduction
PsGetsid allows you to translate SIDs to their display name and vice
versa. It works on
builtin accounts, domain accounts, and local
accounts.
Installation
Just copy PsGetSid onto your executable path, and type "psgetsid".
Usage
Usage: psgetsid [\\computer[,computer[,...] | @file\] [-u
username [-p password]]]
[account|SID]
Parameter Description
-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.
Account PsGetSid will report the SID for the specified user account rather than the computer.
SID PsGetSid will report the account for the specified SID.
Computer Direct PsGetSid to perform the command on the remote computer or computers
specified. If you omit the computer name PsGetSid runs the command on the local
system, and if you specify a wildcard (\\*), PsGetSid runs the command on all
computers in the current domain.
@file PsGetSid will execute the command on each of the computers listed in the file.
If you want to see a computer's SID just pass the computer's name as a
command-line
argument. If you want to see a user's SID, name the account
(e.g. "administrator") on the
command-line and an optional computer
name.
Specify a user name if the account you are running from doesn't have
administrative
privileges on the computer you want to query. If you
don't specify a password as an
option, PsGetSid will prompt you for
one so that you can type it in without having it
echoed to the display.
PsTools
Runs on:
By Mark Russinovich
Introduction
Windows NT/2000 does not come with a command-line 'kill' utility. You
can get one in
the Windows NT or Win2K Resource Kit, but the kit's
utility can only terminate processes
on the local computer. PsKill is
a kill utility that not only does what the Resource Kit's
version does,
but can also kill processes on remote systems. You don't even have to
install a client on the target computer to use PsKill to terminate a
remote process.
Installation
Just copy PsKill onto your executable path, and type pskill with
command-line options
defined below.
Using PsKill
See the September 2004 issue of Windows IT Pro Magazine for Mark's
article
that
covers advanced usage of PsKill.
Parameter Description
\\computer Specifies the computer on which the process you want to terminate is executing.
The remote computer must be accessible via the NT network neighborhood.
Parameter Description
-u username If you want to kill a process on a remote system and the account you are
executing in does not have administrative privileges on the remote system then
you must login as an administrator using this command-line option. If you do
not include the password with the -p option then PsKill will prompt you for the
password without echoing your input to the display.
-p password This option lets you specify the login password on the command line so that you
can use PsList from batch files. If you specify an account name and omit the -p
option PsList prompts you interactively for a password.
process name Specifies the process name of the process or processes you want to kill.
PsTools
Runs on:
By Mark Russinovich
Introduction
Parameter Description
pslist exp Show statistics for all the processes that start with "exp", which would include
Explorer.
-s [n] Run in task-manager mode, for optional seconds specified. Press Escape to abort.
\\computer Instead of showing process information for the local system, PsList will show
information for the NT/Win2K system specified. Include the -u switch with a
username and password to login to the remote system if your security credentials
do not permit you to obtain performance counter information from the remote
system.
-p This option lets you specify the login password on the command line so that you
can use PsList from batch files. If you specify an account name and omit the -p
option PsList prompts you interactively for a password.
name Show information about processes that begin with the name specified.
pid Instead of listing all the running processes in the system, this parameter narrows
PsList's scan to the process that has the specified PID. Thus:
pslist 53
would dump statistics for the process with the PID 53.
How it Works
Like Windows NT/2K's built-in PerfMon monitoring tool, PsList uses the
Windows NT/2K
performance counters to obtain the information it
displays. You can find documentation
for Windows NT/2K performance
counters, including the source code to Windows NT's
built-in performance
monitor, PerfMon, in MSDN.
Pri: Priority
Thd: Number of Threads
Hnd: Number of Handles
VM: Virtual Memory
WS: Working Set
Priv: Private Virtual Memory
Priv Pk: Private Virtual Memory Peak
Faults: Page Faults
NonP: Non-Paged Pool
Page: Paged Pool
Cswtch: Context Switches
PsTools
Runs on:
By Mark Russinovich
Introduction
PsService is a service viewer and controller for Windows. Like the SC
utility that's
included in the Windows NT and Windows 2000 Resource
Kits, PsService displays the
status, configuration, and dependencies
of a service, and allows you to start, stop,
pause, resume and restart
them. Unlike the SC utility, PsService enables you to logon to
a
remote system using a different account, for cases when the account from
which you
run it doesn't have required permissions on the remote system.
PsService includes a
unique service-search capability, which
identifies active instances of a service on your
network. You would use
the search feature if you wanted to locate systems running
DHCP servers,
for instance.
Installation
Just copy PsService onto your executable path, and type "psservice".
Using PsService
The default behavior of PsService is to display the configured
services (both running and
stopped) on the local system. Entering a
command on the command-line invokes a
particular feature, and some
commands accept options. Typing a command followed by
"- " displays
information on the syntax for the command.
\\computer Targets the NT/Win2K system specified. Include the -u switch with a username and
password to login to the remote system if your security credentials do not permit
you to obtain performance counter information from the remote system. If you
specify the -u option, but not a password with the -p option, PsService will prompt
you to enter the password and will not echo it to the screen.
How it Works
PsService uses the Service Control Manager APIs that are documented in
the Platform
SDK.
PsTools
Runs on:
By Mark Russinovich
Introduction
PsSuspend lets you suspend processes on the local or a remote system,
which is
desirable in cases where a process is consuming a resource
(e.g. network, CPU or disk)
that you want to allow different processes
to use. Rather than kill the process that's
consuming the resource,
suspending permits you to let it continue operation at some
later point
in time.
Installation
Copy PsSuspend onto your executable path and type "pssuspend" with
command-line
options defined below.
Using PsSuspend
Running PsSuspend with a process ID directs it to suspend or resume
the process of that
ID on the local computer. If you specify a process
name PsSuspend will suspend or
resume all processes that have that
name. Specify the -r switch to resume suspended
processes.
Parameter Description
\\computer Specifies the computer on which the process you want to suspend or resume is
executing. The remote computer must be accessible via the NT network
neighborhood.
Parameter Description
-u username If you want to suspend a process on a remote system and the account you are
executing in does not have administrative privileges on the remote system then
you must login as an administrator using this command-line option. If you do
not include the password with the -p option then PsSuspend will prompt you for
the password without echoing your input to the display.
-p password This option lets you specify the login password on the command line so that you
can use PsSuspend from batch files. If you specify an account name and omit the
-p option PsSuspend prompts you interactively for a password.
process id Specifies the process ID of the process you want to suspend or resume.
process name Specifies the process name of the process or processes you want to suspend or
resume.
PsTools
Runs on:
By Mark Russinovich
Introduction
The Windows NT and Windows 2000 Resource Kits come with a number of
command-
line tools that help you administer your Windows NT/2K systems.
Over time, I've grown
a collection of similar tools, including some not
included in the Resource Kits. What sets
these tools apart is that they
all allow you to manage remote systems as well as the local
one. The
first tool in the suite was PsList, a tool that lets you view detailed
information
about processes, and the suite is continually growing. The
"Ps" prefix in PsList relates to
the fact that the standard UNIX process
listing command-line tool is named "ps", so I've
adopted this prefix for
all the tools in order to tie them together into a suite of tools
named
PsTools.
7 Note
Some anti-virus scanners report that one or more of the tools are infected with a
"remote admin" virus. None of the PsTools contain viruses, but they have been used
by viruses, which is why they trigger virus notifications.
PsExec -
execute processes remotely
PsFile -
shows files opened remotely
PsGetSid -
display the SID of a computer or a user
PsInfo -
list information about a system
PsPing -
measure network performance
PsKill -
kill processes by name or process ID
PsList -
list detailed information about processes
PsLoggedOn -
see who's logged on locally and via resource sharing (full source is
included)
PsLogList -
dump event log records
PsPasswd -
changes account passwords
PsService -
view and control services
PsShutdown -
shuts down and optionally reboots a computer
PsSuspend -
suspends processes
PsUptime - shows you how long a system has been running since its
last reboot
(PsUptime's functionality has been incorporated into
PsInfo
The PsTools download package includes an HTML help file with complete
usage
information for all the tools.
Runs on:
Installation
None of the tools requires any special installation. You don't even need to install any
client software on the remote computers at which you target them. Run them by typing
their name and any command-line options you want. To show complete usage
information, specify the "-? " command-line option.
If you have questions or problems,
visit the Sysinternals PsTools forum.
Related Links
Introduction to the PsTools : Wes Miller gives a high-level overview of the Sysinternals
PsTools in the March column of his TechNet Magazine column.
ShellRunas v1.02
Article • 10/12/2021
Introduction
The command-line Runas utility is handy for launching programs under
different
accounts, but it’s not convenient if you’re a heavy Explorer
user. ShellRunas provides
functionality similar to that of Runas to
launch programs as a different user via a
convenient shell context-menu
entry.
Screenshot
Using ShellRunas
Usage:
Parameter Description
Parameter Description
Runs on:
Getting Help
If you have problems or questions, please visit the Sysinternals Forum .
VMMap v3.33
Article • 07/26/2023
By Mark Russinovich
Introduction
VMMap is a process virtual and physical memory analysis utility. It shows a breakdown
of a process's committed virtual memory types as well as the amount of physical
memory (working set) assigned by the operating system to those types. Besides
graphical representations of memory usage, VMMap also shows summary information
and a detailed process memory map. Powerful filtering and refresh capabilities allow you
to identify the sources of process memory usage and the memory cost of application
features.
Besides flexible views for analyzing live processes, VMMap supports the export of data
in multiple forms, including a native format that preserves all the information so that
you can load back in. It also includes command-line options that enable scripting
scenarios.
VMMap is the ideal tool for developers wanting to understand and optimize their
application's memory resource usage.
Screenshot
Related Links
Windows Internals Book
The official updates and errata page for the definitive book on Windows internals,
by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference The official guide to the
Sysinternals utilities by Mark Russinovich and Aaron Margosis, including
descriptions of all the tools, their features, how to use them for troubleshooting,
and example real-world cases of their use.
Runs on:
Getting Help
If you have problems or questions, please visit the Sysinternals Forum .
Learn More
Defrag Tools: #7 - VMMap
In this episode of Defrag Tools, Andrew Richards and Larry Larsen cover how to use
VMMap to see how Virtual Memory is being used and if there have been any
memory leaks.
Sysinternals Security Utilities
Article • 03/30/2023
AccessChk
This tool shows you the level of access the user or group you specify has to
files,
Registry keys or Windows services.
AccessEnum
This simple yet powerful security tool shows you who has what access to
directories,
files and Registry keys on your systems. Use it to find
holes in your permissions.
Autologon
Autoruns
LogonSessions
Process Explorer
Find out what files, registry keys and other objects processes have
open, which DLLs
they have loaded, and more. This uniquely powerful
utility will even show you who owns
each process.
PsExec
PsLoggedOn
PsLogList
PsTools
Rootkit Revealer
Securely overwrite your sensitive files and cleanse your free space of
previously deleted
files using this DoD-compliant secure delete program.
ShareEnum
Scan file shares on your network and view their security settings to
close security holes.
ShellRunas
Sigcheck
Dump file version information and verify that images on your system are
digitally
signed.
Sysmon
Monitors and reports key system activity via the Windows event log.
Autologon v3.10
Article • 07/27/2021
By Mark Russinovich
Introduction
Autologon enables you to easily configure Windows’ built-in autologon
mechanism.
Instead of waiting for a user to enter their name and
password, Windows uses the
credentials you enter with Autologon, which
are encrypted in the Registry, to log on the
specified user
automatically.
[!WARNING]
Although the password is encrypted in the registry as an LSA secret, a user
with administrative rights can easily retrieve and decrypt it.
(For more information see
Protecting the Automatic Logon Password )
By Mark Russinovich
Introduction
If you think that when you logon to a system there's only one active
logon session, this
utility will surprise you. It lists the currently
active logon sessions and, if you specify the -
p option, the processes
running in each session.
Parameter Description
Example output
Shell
C:\>logonsessions -p
Session: 1
Sid: S-1-5-21-397955417-626881126-188441444-3615555
UPN: [email protected]
15368: ProcExp.exe
17528: ProcExp64.exe
13116: cmd.exe
17100: conhost.exe
6716: logonsessions.exe
Runs on:
By Mark Russinovich
IMPORTANT
Regarding SIDs, Microsoft does not support images that are prepared
using NewSID, we
only support images that are prepared using SysPrep.
Microsoft has not tested NewSID
for all deployment cloning options.
Introduction
Many organizations use disk image cloning to perform mass rollouts of
Windows. This
technique involves copying the disks of a fully installed
and configured Windows
computer onto the disk drives of other computers.
These other computers effectively
appear to have been through the same
install process, and are immediately available for
use.
While this method saves hours of work and hassle over other rollout
approaches, it has
the major problem that every cloned system has an
identical Computer Security
Identifier (SID). This fact compromises
security in Workgroup environments, and
removable media security can
also be compromised in networks with multiple identical
computer SIDs.
Demand from the Windows community has lead several companies to develop
programs that can change a computer's SID after a system has been
cloned. However,
Symantec's SID Changer andSymantec's Ghost Walker are
only sold as part of each
company's high-end product. Further, they both
run from a DOS command prompt
(Altiris' changer is similar to
NewSID).
NewSID is a program we developed that changes a computer's SID. It is
free and is a
Win32 program, meaning that it can easily be run on
systems that have been previously
cloned.
Please read this entire article before you use this program.
Version Information:
Another instance where duplicate SIDs can cause problems is where there
is removable
media formatted with NTFS, and local account security
attributes are applied to files and
directories. If such a media is
moved to a different computer that has the same SID, then
local accounts
that otherwise would not be able to access the files might be able to if
their account IDs happened to match those in the security attributes.
This is not be
possible if computers have different SIDs.
NewSID
NewSID is a program we developed to change a computer's SID. It first
generates a
random SID for the computer, and proceeds to update
instances of the existing
computer SID it finds in the Registry and in
file security descriptors, replacing
occurrences with the new SID.
NewSID requires administrative privileges to run. It has
two
functions: changing the SID, and changing the computer name.
To use NewSID's auto-run option, specify "/a" on the command line. You
can also direct
it to automatically change the computer's name by
including the new name after the
"/a" switch. For example:
newsid /a [newname]
Would have NewSID run without prompting, change the computer name to
"newname"
and have it reboot the computer if everything goes okay.
Note that when you run NewSID that the size of the Registry will grow,
so make sure
that the maximum Registry size will accommodate growth. We
have found that this
growth has no perceptible impact on system
performance. The reason the Registry
grows is that it becomes fragmented
as temporary security settings are applied by
NewSID. When the
settings are removed the Registry is not compacted.
Important: Note that while we have thoroughly tested NewSID, you
must use it at your
own risk. As with any software that changes file and
Registry settings, it is highly
recommended that you completely back-up
your computer before running NewSID.
Moving a BDC
Here are the steps you should follow when you want to move a BDC from
one domain
to another:
1. Boot up the BDC you want to move and log in. Use NewSID to
synchronize the SID
of the BDC with the PDC of the domain to which
you wish to move the BDC.
2. Reboot the system for which you changed the SID (the BDC). Since the
domain the
BDC is now associated with already has an active PDC, it
will boot as a BDC in its
new domain.
3. The BDC will show up as a workstation in Server Manager, so use the
"Add to
Domain" button to add the BDC to its new domain. Be sure to
specify the BDC
radio button when adding.
How it Works
NewSID starts by reading the existing computer SID. A computer's SID
is stored in the
Registry's SECURITY hive under
SECURITY\SAM\Domains\Account. This key has a value
named F and a
value named V. The V value is a binary value that has the computer SID
embedded within it at the end of its data. NewSID ensures that this
SID is in a standard
format (3 32-bit subauthorities preceded by three
32-bit authority fields).
Next, NewSID generates a new random SID for the computer. NewSID's
generation takes
great pains to create a truly random 96-bit value,
which replaces the 96-bits of the 3
subauthority values that make up a
computer SID.
Three phases to the computer SID replacement follow. In the first phase,
the SECURITY
and SAM Registry hives are scanned for occurrences
of the old computer SID in key
values, as well as the names of the keys.
When the SID is found in a value it is replaced
with the new computer
SID, and when the SID is found in a name, the key and its
subkeys are
copied to a new subkey that has the same name except with the new SID
replacing the old.
The first part of security descriptor updates occurs on all NTFS file
system files on the
computer. Every security descriptor is scanned for
occurrences of the computer SID.
When NewSID finds one, it replaces it
with the new computer SID.
NewSID ensures that it can access and modify every file and Registry
key in the system
by giving itself the following privileges: System,
Backup, Restore and Take Ownership.
PsLoggedOn v1.35
Article • 03/23/2021
By Mark Russinovich
Introduction
You can determine who is using resources on your local computer with the
"net"
command ("net session"), however, there is no built-in way to
determine who is using
the resources of a remote computer. In addition,
NT comes with no tools to see who is
logged onto a computer, either
locally or remotely. PsLoggedOn is an applet that
displays both the
locally logged on users and users logged on via resources for either
the
local computer, or a remote one. If you specify a user name instead of a
computer,
PsLoggedOn searches the computers in the network
neighborhood and tells you if the
user is currently logged on.
Installation
Just copy PsLoggedOn onto your executable path, and type
"psloggedon".
Using PsLoggedOn
Usage: psloggedon [- ] [-l] [-x] [\\computername |
username]
Parameter Description
Parameter Description
- Displays the supported options and the units of measurement used for
output values.
-l Shows only local logons instead of both local and network resource logons.
\\computername Specifies the name of the computer for which to list logon information.
username If you specify a user name PsLoggedOn searches the network for computers
to which that user is logged on. This is useful if you want to ensure that a
particular user is not logged on when you are about to change their user
profile configuration.
PsTools
Runs on:
By Mark Russinovich
Introduction
The Resource Kit comes with a utility, elogdump, that lets you dump the
contents of an
Event Log on the local or a remote computer. PsLogList
is a clone of elogdump except
that PsLogList lets you login to remote
systems in situations your current set of security
credentials would not
permit access to the Event Log, and PsLogList retrieves message
strings from the computer on which the event log you view resides.
Installation
Just copy PsLogList onto your executable path, and type "psloglist".
Using PsLogList
The default behavior of PsLogList is to show the contents of the
System Event Log on the
local computer, with visually-friendly
formatting of Event Log records. Command line
options let you view logs
on different computers, use a different account to view a log,
or to
have the output formatted in a string-search friendly way.
Parameter Description
@file Execute the command on each of the computers listed in the file.
-f Filter event types with filter string (e.g. "-f w" to filter warnings).
-o Show only records from the specified event source (e.g. \"-o cdrom\").
-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.
-q Omit records from the specified event source or sources (e.g. \"-q cdrom\").
-s This switch has PsLogList print Event Log records one-per-line, with comma
delimited fields. This format is convenient for text searches, e.g. psloglist
-t The default delimiter is a comma, but can be overridden with the specified character.
-w Wait for new events, dumping them as they generate (local system only).
eventlog eventlog
How it Works
Like Win NT/2K's built-in Event Viewer and the Resource Kit's elogdump,
PsLogList uses
the Event Log API, which is documented in Windows
Platform SDK. PsLogList loads
message source modules on the system
where the event log being viewed resides so
that it correctly displays
event log messages.
Download PsTools (5 MB)
PsTools
Runs on:
By Mark Russinovich
Introduction
RootkitRevealer is an advanced rootkit detection utility. It runs on
Windows XP (32-bit)
and Windows Server 2003 (32-bit), and its output
lists Registry and file system API
discrepancies that may indicate the
presence of a user-mode or kernel-mode rootkit.
RootkitRevealer
successfully detects many persistent rootkits including AFX, Vanquish
and HackerDefender (note: RootkitRevealer is not intended to detect
rootkits like Fu that
don't attempt to hide their files or registry
keys). If you use it to identify the presence of
a rootkit please let us
know!
What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques
whereby malware,
including viruses, spyware, and trojans, attempt to
hide their presence from spyware
blockers, antivirus, and system
management utilities. There are several rootkit
classifications
depending on whether the malware survives reboot and whether it
executes
in user mode or kernel mode.
Persistent Rootkits
Memory-Based Rootkits
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For
example, a
user-mode rootkit might intercept all calls to the Windows
FindFirstFile/FindNextFile
APIs, which are used by file system
exploration utilities, including Explorer and the
command prompt, to
enumerate the contents of file system directories. When an
application
performs a directory listing that would otherwise return results that
contain
entries identifying the files associated with the rootkit, the
rootkit intercepts and
modifies the output to remove the entries.
The Windows native API serves as the interface between user-mode clients
and kernel-
mode services and more sophisticated user-mode rootkits
intercept file system, Registry,
and process enumeration functions of
the Native API. This prevents their detection by
scanners that compare
the results of a Windows API enumeration with that returned by
a native
API enumeration.
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they
intercept the
native API in kernel-mode, but they can also directly
manipulate kernel-mode data
structures. A common technique for hiding
the presence of a malware process is to
remove the process from the
kernel's list of active processes. Since process
management APIs rely on
the contents of the list, the malware process will not display in
process management tools like Task Manager or Process Explorer.
The bottom line is that there will never be a universal rootkit scanner,
but the most
powerful scanners will be on-line/off-line comparison
scanners that integrate with
antivirus.
Using RootkitRevealer
RootkitRevealer requires that the account from which its run has
assigned to it the
Backup files and directories, Load drivers and
Perform volume maintenance tasks (on
Windows XP and higher) privileges.
The Administrators group is assigned these
privileges by default. In
order to minimize false positives run RootkitRevealer on an idle
system.
For best results exit all applications and keep the system otherwise
idle during the
RootkitRevealer scanning process.
Manual Scanning
To scan a system launch it on the system and press the Scan button.
RootkitRevealer
scans the system reporting its actions in a status area
at the bottom of its window and
noting discrepancies in the output list.
The options you can configure:
Hide NTFS Metadata Files: this option is on by default and has
RootkitRevealer not
show standard NTFS metadata files, which are
hidden from the Windows API.
Scan Registry: this option is on by default. Deselecting it has
RootkitRevealer not
perform a Registry scan.
Parameter Description
$AttrDef
$BadClus
$BadClus:$Bad
$BitMap
$Boot
$LogFile
$Mft
$MftMirr
$Secure
$UpCase
$Volume
$Extend
$Extend\$Reparse
$Extend\$ObjId
$Extend\$UsnJrnl
$Extend\$UsnJrnl:$Max
$Extend\$Quota
Access is Denied.
A file system scan consists of three components: the Windows API, the
NTFS Master File
Table (MFT), and the NTFS on-disk directory index
structures. These discrepancies
indicate that a file appears in only one
or two of the scans. A common reason is that a
file is either created or
deleted during the scans. This is an example of RootkitRevealer's
discrepancy report for a file created during the scanning:
C:\newfile.txt
3/1/2005 5:26 PM
8 bytes
Registry values have a type, such as DWORD and REG_SZ, and this
discrepancy notes
that the type of a value as reported through the
Windows API differs from that of the
raw hive data. A rootkit can mask
its data by storing it as a REG_BINARY value, for
example, and making
the Windows API believe it to be a REG_SZ value; if it stores a 0 at
the start of the data the Windows API will not be able to access
subsequent data.
The Windows API treats key names as null-terminated strings, whereas the
kernel treats
them as counted strings. Thus, it is possible to create
Registry keys that are visible to the
operating system, yet only
partially visible to Registry tools like Regedit. The
Reghide
sample code
at Sysinternals demonstrates this technique, which is used by both
malware
and rootkits to hide Registry data. Use the Sysinternals
RegDelNull
utility to delete keys
with embedded nulls.
HKLM\SOFTWARE\Microsoft\Microsoft SQL
Server\RECOVERYMANAGER\MSSQLServer\uptime_time_utc
3/1/2005 4:33 PM
8 bytes
Rootkit Resources
The following Web sites and books are sources of more information on
rootkits:
Read Mark's blog entry on his discovery and analysis of a Sony rootkit
on one of his
computers.
Unearthing Rootkits
This book by Greg Hoglund and Jamie Butler is the most comprehensive
treatment of
rootkits available.
www.phrack.org
Introduction
System Monitor (Sysmon) is a Windows system service and device
driver that, once
installed on a system, remains resident across system
reboots to monitor and log system
activity to the Windows event log. It
provides detailed information about process
creations, network
connections, and changes to file creation time. By collecting the
events
it generates using
Windows Event Collection
or
SIEM
agents and
subsequently analyzing them, you can identify malicious or
anomalous activity and
understand how intruders and malware operate on
your network.
Note that Sysmon does not provide analysis of the events it generates,
nor does it
attempt to protect or hide itself from attackers.
Logs process creation with full command line for both current and
parent
processes.
Records the hash of process image files using SHA1 (the default),
MD5, SHA256 or
IMPHASH.
Multiple hashes can be used at the same time.
Includes a process GUID in process create events to allow for
correlation of events
even when Windows reuses process IDs.
Includes a session GUID in each event to allow correlation of events
on same logon
session.
Logs loading of drivers or DLLs with their signatures and hashes.
Logs opens for raw read access of disks and volumes.
Optionally logs network connections, including each connection’s
source process,
IP addresses, port numbers, hostnames and port
names.
Detects changes in file creation time to understand when a file was
really created.
Modification of file create timestamps is a
technique commonly used by malware
to cover its tracks.
Automatically reload configuration if changed in the registry.
Rule filtering to include or exclude certain events dynamically.
Generates events from early in the boot process to capture activity
made by even
sophisticated kernel-mode malware.
Screenshots
Usage
Common usage featuring simple command-line options to install and uninstall
Sysmon,
as well as to check and modify its configuration:
Parameter Description
-u Uninstall service and driver. Using -u force causes uninstall to proceed even when
some components are not installed.
Examples
Install with default settings (process images hashed with SHA1 and no
network
monitoring)
sysmon -accepteula -i
Uninstall
sysmon -c
sysmon -c c:\windows\config.xml
sysmon -c --
sysmon -s
Events
On Vista and higher, events are stored in
Applications and Services
Logs/Microsoft/Windows/Sysmon/Operational , and on
older systems events are written to
The following are examples of each event type that Sysmon generates.
Event ID 8: CreateRemoteThread
The CreateRemoteThread event detects when a process creates a thread in
another
process. This technique is used by malware to inject code and
hide in other processes.
The event indicates the source and target
process. It gives information on the code that
will be run in the new
thread: StartAddress , StartModule and StartFunction . Note that
StartModule and StartFunction fields are inferred, they might be empty
if the starting
Event ID 9: RawAccessRead
The RawAccessRead event detects when a process conducts reading
operations from the
drive using the \\.\ denotation. This technique
is often used by malware for data
exfiltration of files that are locked
for reading, as well as to avoid file access auditing
tools. The event
indicates the source process and target device.
Sysmon uses abbreviated versions of Registry root key names, with the
following
mappings:
HKEY_LOCAL_MACHINE HKLM
HKEY_USERS HKU
HKEY_LOCAL_MACHINE\System\ControlSet00x HKLM\System\CurrentControlSet
HKEY_LOCAL_MACHINE\Classes HKCR
Configuration files
Configuration files can be specified after the -i (installation) or
-c (installation)
configuration switches. They make it easier to
deploy a preset configuration and to filter
captured events.
<Sysmon schemaversion="4.82">
<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>
<DriverLoad onmatch="exclude">
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
</DriverLoad>
<!-- Log network connection if the destination port equal 443 -->
<NetworkConnect onmatch="include">
<DestinationPort>443</DestinationPort>
<DestinationPort>80</DestinationPort>
</NetworkConnect>
<NetworkConnect onmatch="exclude">
</NetworkConnect>
</EventFiltering>
</Sysmon>
Configuration Entries
Configuration entries are similar to command line switches and include the following
CopyOnDeleteProcesses Strings Process name(s) for which file deletes will be preserved.
DriverName String Uses specified name for driver and service images.
Command line switches have their configuration entry described in the Sysmon usage
output. Parameters are optional based on the tag. If a command line
switch also enables
an event, it needs to be configured though its
filter tag. You can specify the -s switch to
have Sysmon print the full
configuration schema, including event tags as well as the field
names
and types for each event. For example, here’s the schema for the
RawAccessRead
event type:
XML
</event>
Each event has its own filter tag under the EventFiltering node in a
configuration file:
ID Tag Event
You can also find these tags in the event viewer on the task name.
Each filter can include zero or more rules. Each tag under the filter
tag is a field name
from the event. Rules that specify a condition for
the same field name behave as OR
conditions, and ones that specify
different field name behave as AND conditions. Field
rules can also use
conditions to match a value. The conditions are as follows (all are case
insensitive):
Condition Description
excludes The field does not contain one or more of the ; delimited values
any
excludes The field does not contain any of the ; delimited values
all
not begin The field does not begin with this value
with
not end The field does not end with this value
with
image Match an image path (full path or only image name). For example: lsass.exe will
match c:\windows\system32\lsass.exe
XML
<NetworkConnect onmatch="exclude">
<Image condition="contains">iexplore.exe</Image>
</NetworkConnect>
To have Sysmon report which rule match resulted in an event being logged, add
names
to rules:
XML
<NetworkConnect onmatch="exclude">
</NetworkConnect>
You can use both include and exclude rules for the same tag, where exclude rules
override include rules. Within a rule, filter conditions have OR behavior.
In the sample configuration shown earlier, the networking filter uses both an
include
and exclude rule to capture activity to port 80 and 443 by all processes
except those
that have iexplore.exe in their name.
It is also possible to override the way that rules are combined by using a rule
group
which allows the rule combine type for one or more events to be set
explicitly to AND or
OR.
The following example demonstrates this usage. In the first rule group, a
process create
event will be generated when timeout.exe is executed only with
a command line
argument of 100 , but a process terminate event will be
generated for the termination of
ping.exe and timeout.exe .
XML
<EventFiltering>
<ProcessCreate onmatch="include">
<Image condition="contains">timeout.exe</Image>
<CommandLine condition="contains">100</CommandLine>
</ProcessCreate>
</RuleGroup>
<RuleGroup groupRelation="or">
<ProcessTerminate onmatch="include">
<Image condition="contains">timeout.exe</Image>
<Image condition="contains">ping.exe</Image>
</ProcessTerminate>
</RuleGroup>
<ImageLoad onmatch="include"/>
</EventFiltering>
Runs on:
Autoruns
ClockRes
View the resolution of the system clock, which is also the maximum timer
resolution.
Coreinfo
Handle
This handy command-line utility will show you what files are open by
which processes,
and much more.
LiveKd
LoadOrder
See the order in which devices are loaded on your WinNT/2K system.
LogonSessions
PendMoves
Enumerate the list of file rename and delete commands that will be
executed the next
boot.
Process Explorer
Find out what files, registry keys and other objects processes have
open, which DLLs
they have loaded, and more. This uniquely powerful
utility will even show you who owns
each process.
Process Monitor
ProcFeatures
This applet reports processor and Windows support for Physical Address
Extensions and
No Execute buffer overflow protection.
PsInfo
PsLoggedOn
PsTools
RAMMap
WinObj
By Mark Russinovich
Introduction
Ever wondered what the resolution of the system clock was, or perhaps
the maximum
timer resolution that your application could obtain? The
answer lies in a simple function
named GetSystemTimeAdjustment, and
the ClockRes applet performs the function and
shows you the result.
Runs on:
By Mark Russinovich
Introduction
Coreinfo is a command-line utility that shows you the mapping between logical
processors and the physical processor, NUMA node, and socket on which they reside, as
well as the cache’s assigned to each logical processor. It uses the Windows’
GetLogicalProcessorInformation function to obtain this information and prints it to
the screen, representing a mapping to a logical processor with an asterisk e.g. ‘*’.
Coreinfo is useful for gaining insight into the processor and cache topology of your
system.
Installation
Extract the archive to a directory and then run Coreinfo by typing from that directory
Coreinfo in the console on a 32 bit Windows version or Coreinfo64 for a 64 bit version.
Using CoreInfo
For each resource it shows a map of the OS-visible processors
that correspond to the
specified resources, with '*' representing the
applicable processors. For example, on a 4-
core system, a line in the
cache output with a map of shared by cores 3 and 4.
Parameter Description
Coreinfo Output:
shell
Sysinternals - www.sysinternals.com
**** Socket 0
**** Group 0
Introduction
LiveKD, a utility I wrote for the CD included with Inside Windows
2000, 3rd Edition, is now
freely available. LiveKD allows you to run
the Kd and Windbg Microsoft kernel
debuggers, which are part of the
Debugging Tools for Windows
package ,
locally on a
live system. Execute all the debugger commands that work on
crash dump files to look
deep inside the system. See the Debugging Tools
for Windows documentation and our
book for information on how to explore
a system with the kernel debuggers.
Installation
First download and install the Debugging Tools for Windows package from
Microsoft's
web site:
https://msdn.microsoft.com/library/windows/hardware/ff551063(v=vs.85).aspx
If you haven't installed symbols for the system on which you run
LiveKD, LiveKD will ask
if you want it to automatically configure
the system to use Microsoft's symbol server
(see the Debugging Tools for
Windows documentation for information on symbol files
and the Microsoft
symbol server).
NOTE: The Microsoft debugger will complain that it can't find symbols
for LIVEKDD.SYS.
This is expected, since I have not made symbols for
LIVEKDD.SYS available, and does not
affect the behavior of the debugger.
Using LiveKd
usage:
Parameter Description
Only kernel mode memory will be available, and this option may need significant
amounts of available physical memory. A flags mask that specifies which regions to
include may optionally be provided (drawn from the following table, default 0x18F8):
-ml Generate live dump using native support (Windows 8.1 and above only).
-mp Specifies a single process whose user mode memory contents should be included in
a mirror dump. Only effective with the -m option.
-p Pauses the target Hyper-V VM while LiveKd is active (recommended for use with -o).
Specifies the name or GUID of the Hyper-V VM to debug.
Runs on:
By Mark Russinovich
Introduction
This applet shows you the order that a Windows NT or Windows 2000 system
loads
device drivers. Note that on Windows 2000 plug-and-play drivers
may actually load in a
different order than the one calculated, because
plug-and-play drivers are loaded on
demand during device detection and
enumeration.
Runs on:
By Mark Russinovich
) Important
By Mark Russinovich
Introduction
PsInfo is a command-line tool that gathers key information about the
local or remote
Windows NT/2000 system, including the type of
installation, kernel build, registered
organization and owner, number of
processors and their type, amount of physical
memory, the install date
of the system, and if its a trial version, the expiration date.
Installation
Just copy PsInfo onto your executable path, and type "psinfo".
Using PsInfo
By default PsInfo shows information for the local system. Specify a
remote computer
name to obtain information from the remote system. Since
PsInfo relies on remote
Registry access to obtain its data, the remote
system must be running the Remote
Registry service and the account from
which you run PsInfo must have access to the
HKLM\System portion of
the remote Registry.
Parameter Description
\\computer Perform the command on the remote computer or computers specified. If you omit
the computer name the command runs on the local system, and if you specify a
wildcard (\\*), the command runs on all computers in the current domain.
@file Run the command on each computer listed in the text file specified.
Parameter Description
-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.
-t The default delimiter for the -c option is a comma, but can be overridden with the
specified character.
filter Psinfo will only show data for the field matching the filter. e.g. "psinfo service" lists
only the service pack field.
Example Output
Shell
Sysinternals - www.sysinternals.com
Service pack: 0
IE version: 6.0000
Processors: 2
A: Removable 0%
I: CD-ROM 0%
Q: Remote 0%
Q147222 1/2/2002
Q309521 1/4/2002
Q311889 1/4/2002
Q313484 1/4/2002
Q314147 3/6/2002
Q314862 3/13/2002
Q315000 1/8/2002
Q315403 3/13/2002
Q317277 3/20/2002
How it Works
PsInfo uses the Remote Registry API to read system information from a
system's
Registry, and WMI to determine whether Windows XP installations
have been activated.
PsTools
Runs on:
By Mark Russinovich
Have you ever wondered exactly how Windows is assigning physical memory,
how much
file data is cached in RAM, or how much RAM is used by the
kernel and device drivers?
RAMMap makes answering those questions easy.
RAMMap is an advanced physical
memory usage analysis utility for Windows
Vista and higher. It presents usage
information in different ways on its
several different tabs:
For definitions of the labels RAMMap uses as well as to learn about the
physical-
memory allocation algorithms used by the Windows memory
manager, please see
Windows Internals, 5^th^
Edition.
Related Links
Windows Internals Book The official updates and errata page for the definitive
book on
Windows internals, by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's ReferenceThe
official guide to the
Sysinternals utilities by Mark Russinovich and
Aaron Margosis, including
descriptions of all the tools, their
features, how to use them for troubleshooting,
and example
real-world cases of their use.
Runs on:
Learn More
Defrag Tools: #6 - RAMMap
By Mark Russinovich
Introduction
WinObj is a must-have tool if you are a system administrator concerned about security,
a developer tracking down object-related problems, or just curious about the Object
Manager namespace.
WinObj is a program that uses the native Windows API (provided by NTDLL.DLL) to
access and display information on the NT Object Manager's namespace. Winobj may
seem similar to the Microsoft SDK's program of the same name, but the SDK version
suffers from numerous significant bugs that prevent it from displaying accurate
information (e.g. its handle and reference counting information are totally broken). In
addition, our WinObj understands many more object types. Finally, Version 3.0 of our
WinObj has user-interface enhancements (including a dark theme), knows how to open
device objects, provides dynamic updates when objects are created/destroyed, and
allows searching and filtering.
More Information
Helen Custer's Inside Windows NT provides a good overview of the Object Manager
namespace, and Mark's October 1997 WindowsITPro Magazine column, "Inside the
Object Manager", is (of course) an excellent overview.
Runs on:
AD Explorer
AdRestore
Autologon
BgInfo
BlueScreen
This screen saver not only accurately simulates Blue Screens, but
simulated reboots as
well (complete with CHKDSK), and works on Windows
Vista, Server 2008 and higher.
Ctrl2cap
DebugView
Desktops
This new utility enables you to create up to four virtual desktops and
to use a tray
interface or hotkeys to preview what’s on each desktop and
easily switch between them.
Hex2dec
NotMyFault
Notmyfault is a tool that you can use to crash, hang, and cause kernel
memory leaks on
your Windows system.
PsLogList
PsTools
RegDelNull
Scan for and delete Registry keys that contain embedded null-characters
that are
otherwise undeleteable by standard Registry-editing tools.
View the registry space usage for the specified registry key.
RegJump
Strings
ZoomIt
By Mark Russinovich
Introduction
How many times have you walked up to a system in your office and needed
to click
through several diagnostic windows to remind yourself of
important aspects of its
configuration, such as its name, IP address, or
operating system version? If you manage
multiple computers you probably
need BGInfo. It automatically displays relevant
information about a
Windows computer on the desktop's background, such as the
computer name,
IP address, service pack version, and more. You can edit any field as
well as the font and background colors, and can place it in your startup
folder so that it
runs every boot, or even configure it to display as
the background for the logon screen.
Because BGInfo simply writes a new desktop bitmap and exits, you don't
have to worry
about it consuming system resources or interfering with
other applications.
Sysinternals BgInfo
Installation and Use
See Mark's Windows IT Pro Magazine Power Tools
article for a primer
on using BgInfo.
If you have questions or problems, please visit the
Sysinternals BgInfo Forum.
By placing BGInfo in your Startup folder, you can ensure that the
system information
being displayed is up to date each time you boot.
Once you've settled on the
information to be displayed, use the
command-line option /timer:0 to update the
display without showing the
dialog box.
You can also use the Windows Scheduler to run BGInfo on a regular
basis to ensure
long-running systems are kept up to date.
Using BgInfo
When you run BGInfo it shows you the appearance and content of its
default desktop
background. If left untouched it will automatically
apply these settings and exit after its
10 second count-down timer
expires.
Selecting any button or menu item will disable the timer, allowing you
to customize the
layout and content of the background information.
If you want BGInfo to edit or use a configuration stored in a file
(instead of the default
configuration which is stored in the registry)
specify the name of the file on the
command line:
BGInfo MyConfig.bgi
Appearance Buttons
Fields: Selects what information appears on the desktop, and the
order in which it is
displayed. For networking fields (NIC, IP, MAC,
etc.) a separate entry is created for each
network card on the system.
Use the Custom button to add special information you
define yourself.
If you prefer to have BGInfo update the database without modifying the
user's wallpaper
you can unselect all desktops in the Desktops
dialog; BGInfo will still update the
database.
<path> Specifies the name of a configuration file to use for the current session. Changes to
the configuration are automatically saved back to the file when OK or Apply is
pressed. If this parameter is not present BGInfo uses the default configuration
information which is stored in the registry under the current user
("HKEY_CURRENT_USER\Software\Winternals\BGInfo").
/timer Specifies the timeout value for the countdown timer, in seconds. Specifying zero
will update the display without displaying the configuration dialog. Specifying 300
seconds or longer disables the timer altogether.
/popup Causes BGInfo to create a popup window containing the configured information
without updating the desktop. The information is formatted exactly as it would if
displayed on the desktop, but resides in a fitted window instead. When using this
option the history database is not updated.
/taskbar Causes BGInfo to place an icon in the taskbar's status area without updating the
desktop. Clicking the icon causes the configured information to appear in a popup
window. When using this option the history database is not updated.
/all Specifies that BGInfo should change the wallpaper for any and all users currently
logged in to the system. This option is useful within a Terminal Services
environment, or when BGInfo is scheduled to run periodically on a system used by
more than one person (see Using a Schedule below).
/log Causes BGInfo to write errors to the specified log file instead of generating a
warning dialog box. This is useful for tracking down errors that occur when BGInfo
is run under the scheduler.
/rtf Causes BGInfo to write its output text to an RTF file. All formatting information and
colors are included.
Runs on:
By Mark Russinovich
Introduction
One of the most feared colors in the NT world is blue. The infamous Blue
Screen of
Death (BSOD) will pop up on an NT system whenever something
has gone terribly
wrong. Bluescreen is a screen saver that not only
authentically mimics a BSOD, but will
simulate startup screens seen
during a system boot.
More Information
You can find out how real Blue Screens are generated, and what the
information on the
Blue Screen means in my December 1997 Windows ITPro
Magazine NT Internals
column, "Inside
the Blue Screen."
Note: Some virus scanners flag the Bluescreen screen saver as a virus.
If this is the
case with your virus scanner, you may not be able to use
this screen saver.
Runs on:
By Pavel Yosifovich
Introduction
CpuStres
Each thread can be started, paused or stopped independently and can be configured
with the following parameters:
Activity Level This can be Low, Medium, Busy or Maximum which controls how
long the thread sleepss between cycles. Setting this value to Maximum causes the
thread to run continuously.
Priority This controls the thread priority. Refer to Windows Internals by Mark
Russinovich for details on thread priorities
Runs on:
Related Links
Windows Internals Book The official updates and errata page for the definitive
book on
Windows internals, by Mark Russinovich and David Solomon.
Download
Download CpuStres (2.2 MB)
Run now from Sysinternals Live .
Ctrl2Cap v2.0
Article • 03/23/2021
By Mark Russinovich
Introduction
Ctrl2cap is a kernel-mode device driver that filters the system's
keyboard class driver in
order to convert caps-lock characters into
control characters. People like myself that
migrated to NT from UNIX are
used to having the control key located where the caps-
lock key is on the
standard PC keyboard, so a utility like this is essential for our
editing
well-being.
Because I don't install with an INF file via the Device Manager, the
user is not
warned that the Ctrl2cap driver file is not digitally
signed by Microsoft.
More Information
For more information on writing filter drivers (drivers that attach
themselves to other
drivers so that they can see their input and/or
output), here are sources to check out:
Runs on:
By Mark Russinovich
Introduction
DebugView is an application that lets you monitor debug output on your
local system,
or any computer on the network that you can reach via
TCP/IP. It is capable of
displaying both kernel-mode and Win32 debug
output, so you don't need a debugger
to catch the debug output your
applications or device drivers generate, nor do you need
to modify your
applications or drivers to use non-standard debug output APIs.
DebugView Capture
Under Windows 2000, XP, Server 2003 and Vista DebugView will capture:
Win32 OutputDebugString
Kernel-mode DbgPrint
All kernel-mode variants of DbgPrint implemented in Windows XP
and Server
2003
DebugView Capabilities
DebugView has a powerful array of features for controlling and
managing debug output.
Save and load filters: You can save and load filters, including
the highlighting
colors.
Load saved logs: You can now load a log file back into the
DebugView output
window.
Capture boot-time kernel-mode debug output: Under Windows 2000,
you can
use DebugView to capture debug output generated by drivers
from the earliest
point in the boot process.
The on-line help file describes all these features, and more, in
detail.
By Mark Russinovich
Introduction
Desktops allows you to organize your applications on up to four virtual
desktops. Read
email on one, browse the web on the second, and do work
in your productivity software
on the third, without the clutter of the
windows you're not using. After you configure
hotkeys for switching
desktops, you can create and switch desktops either by clicking on
the
tray icon to open a desktop preview and switching window, or by using
the hotkeys.
Using Desktops
Unlike other virtual desktop utilities that implement their desktops by
showing the
windows that are active on a desktop and hiding the rest,
Sysinternals Desktops uses a
Windows desktop object for each desktop.
Application windows are bound to a desktop
object when they are created,
so Windows maintains the connection between windows
and desktops and
knows which ones to show when you switch a desktop. That making
Sysinternals Desktops very lightweight and free from bugs that the other
approach is
prone to where their view of active windows becomes
inconsistent with the visible
windows.
Screenshot
Configuration Dialog
Runs on:
By Mark Russinovich
Introduction
Tired of running Calc every time you want to convert a hexadecimal number
to decimal
Now you can convert hex to decimal and vice versa with this
simple command-line
utility.
Runs on:
By Mark Russinovich
Introduction
Notmyfault is a tool that you can use to crash, hang, and cause kernel
memory leaks on
your Windows system. It’s useful for learning how to
identify and diagnose device driver
and hardware problems, and you can
also use it to generate blue screen dump files on
misbehaving systems.
The download file includes 32-bit and 64-bit versions, as well as a
command-line version that works on Nano Server. Chapter 7 in Windows
Internals uses
Notmyfault to demonstrate pool leak troubleshooting and
Chapter 14 uses it for crash
analysis examples.
Screenshots
Usage
You can use the GUI versions or the command-line version. Notmyfault
requires
administrative privileges.
Usage:
Shell
crash type:
Shell
hang type:
By Mark Russinovich
Introduction
Systems administrators that manage local administrative accounts on
multiple
computers regularly need to change the account password as part
of standard security
practices. PsPasswd is a tool that lets you
change an account password on the local or
remote systems, enabling
administrators to create batch files that run PsPasswd against
the
computers they manage in order to perform a mass change of the
administrator
password.
PsPasswd uses Windows password reset APIs, so does not send passwords
over the
network in the clear.
Installation
Just copy PsPasswd onto your executable path, and type "pspasswd" with
the command-
line syntax shown below..
Using PsPasswd
You can use PsPasswd to change the password of a local or domain
account on the local
or a remote computer.
Parameter Description
computer Perform the command on the remote computer or computers specified. If you
omit the computer name the command runs on the local system, and if you
specify a wildcard (\\*), the command runs on all computers in the current
domain.
Parameter Description
@file Run the command on each computer listed in the text file specified.
-p Specifies optional password for user name. If you omit this you will be prompted
to enter a hidden password.
PsTools
Runs on:
By Mark Russinovich
Introduction
PsShutdown is a command-line utility similar to the shutdown utility
from the Windows
2000 Resource Kit, but with the ability to do much
more. In addition to supporting the
same options for shutting down or
rebooting the local or a remote computer,
PsShutdown can logoff the
console user or lock the console (locking requires Windows
2000 or
higher). PsShutdown requires no manual installation of client
software.
Installation
Just copy PsShutdown onto your executable path, and type psshutdown
with command-
line options defined below.
Using PsShutdown
See the February 2005 issue of Windows IT Pro Magazine for Mark's
article
(https://www.windowsitpro.com/article/articleid/44973/44973.html)
that covers
advanced usage of PsKill.
Parameter Description
computer Perform the command on the remote computer or computers specified. If you omit
the computer name the command runs on the local system, and if you specify a
wildcard (\\*), the command runs on all computers in the current domain.
Parameter Description
@file Run the command on each computer listed in the text file specified.
-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.
Specify 'u' for user reason codes and 'p' for planned shutdown reason codes.
-f Forces all running applications to exit during the shutdown instead of giving them a
chance to gracefully save their data.
-m This option lets you specify a message to display to logged-on users when a
shutdown countdown commences.
-t Specifies the countdown in seconds until the shutdown (default: 20 seconds) or the
time of shutdown (in 24 hour notation).
-v Display message for the specified number of seconds before the shutdown. If you
omit this parameter the shutdown notification dialog displays and specifying a value
of 0 results in no dialog.
Download PsTools (5 MB)
PsTools
Runs on:
By Julian Burger
Introduction
RDCMan manages multiple remote desktop connections. It is useful for managing server
labs where you need regular access to each machine such as automated checkin
systems and data centers.
Servers are organized into named groups. You can connect or disconnect to all servers
in a group with a single command. You can view all the servers in a group as a set of
thumbnails, showing live action in each session. Servers can inherit their logon settings
from a parent group or a credential store. Thus when you change your lab account
password, you only need to change the password stored by RDCMan in one place.
Passwords are stored securely by encrypting with either CryptProtectData using the
(locally) logged on user's authority or an X509 certificate.
User with OS versions prior to Win7/Vista will need to get version 6 of the Terminal
Services Client. You can obtain this from the Microsoft Download Center: XP; Win2003
Upgrade note: RDG files with this version of RDCMan are not compatible with older
program versions. Any legacy RDG file opened and saved with this version will be
backed up as filename.old
The Display
The Remote Desktop Connection Manager display consists of the menu, a tree with
groups of servers, a splitter bar, and a client area.
The Menu
There are several top-level menus in RDCMan:
The Tree
Most work, such as adding, removing, and editing servers and groups, can be
accomplished via right-clicking on a tree node. Servers and groups can be moved using
drag-and-drop.
Keyboard shortcuts:
Use the [View.Server tree location] menu option to locate the tree at the left or right
edge of the window.
The server tree can be docked, auto-hidden, or always hidden via the [View.Server tree
visibility] menu option. When the server tree is not displayed, servers can still be
accessed through the Remote Desktops menu. When the tree is auto-hidden, the splitter
bar remains visible at the left side of the window. Hovering over it will bring the server
tree back into view.
Caution: Connected servers can receive focus from keyboard navigation of the
thumbnail view. It is not always obvious which server has focus, so be careful. There is
a setting to control this: [Display Settings.Allow thumbnail session interaction].
Shortcut Keys
You can find the full list of Terminal Services shortcut keys here. Some of these can be
configured from the Hot Keys tab.
Files
The top-level unit of organization in RDCMan is a remote desktop file group. File groups
are collections of groups and/or servers that are stored in a single physical file. Servers
can't live outside of a group and groups can't live outside of a file.
A file has all the characteristics of a server group other than being able to change its
parent.
Groups
A group contains a list of servers and configuration information such as logon
credentials. Configuration settings can be inherited from another group or the
application defaults. Groups can be nested but are homogeneous: a group may either
contain groups or servers, but not both. All the servers in a group can be connected or
disconnected at once.
When a group is selected in the tree view, the servers underneath it are displayed in a
thumbnail view. The thumbnails can show the actual server windows or simply the
connection status. Global thumbnail view properties can be adjusted via the
[Tools.Options.Client Area] tab while group/server-specific settings are in Display
Settings.
Smart Groups
Smart groups are populated dynamically based on a set of rules. All ancestors of sibling
groups of the smart group are eligible for inclusion.
The Connected group can be toggled on/off via the View menu.
The Reconnect group can be toggled on/off via the View menu.
The Favorites group can be toggled on/off via the View menu.
The Connect To group is visible while ad hoc connections exist and disappears when
there are none.
The Recent group can be toggled on/off via the View menu.
Servers
A server has a server name (the computer's network name or IP address), an optional
display name, and logon information. The logon information may be inherited from
another group.
Examples:
txt
Server1
SecondServer
YANS
All servers are imported into the same group with the same preferences. If a server is
imported that has the same name as an existing server, the existing server's preferences
are updated to the new ones.
Ad Hoc Connections
Ad hoc server connections can be created via the [Session.Connect to] feature. These
servers will be added to the Connect To Virtual Group. From there they can be converted
into real servers by moving them to a user-created group. Servers remaining in the
Connect To group are not persisted when RDCMan exits.
Windows Azure
In the [Connection Settings] tab, enter the role name and role instance name into Load
balance config as described here e.g.
Cookie:
mstshash=MyServiceWebRole#MyServiceWebRole_IN_0#Microsoft.WindowsAzure.Plugins.Remo
teAccess.Rdp
Session Actions
While in a session, the focus can be released to another session or the server tree.
Focus release left (default value is Ctrl+Alt+Left) : This selects the previously
selected session.
Focus release right (default value is Ctrl+Alt+Right): This brings up a dialog to
choose where to focus. There will be buttons for up to the of the most-recently
used session as well as a button for the server tree and one to minimize RDCMan.
Certain key combinations and Windows actions can be tricky to perform over the
remote session--particularly when RDCMan itself is started within a remote session--e.g.
Ctrl+Alt+Del. These are available from the [Session.Send keys] and [Session.Remote
actions] menu items.
Global Options
The [Tool.Options] menu item brings up the Options Dialog. Global settings, e.g. the
client area size, are modifiable from here. Most server-related options, e.g. hot keys and
those on the experience page, will not take effect until the next time that server is
connected.
General
Hide main menu until ALT pressed
The main menu can be hidden until the ALT key is pressed or the window caption area is
left clicked.
Auto save interval
You can have RDCMan periodically save the open files automatically. Check the auto-
save check box and specify the interval (in minutes) for saving. An interval of 0 will not
save periodically but will suppress the save prompt when exiting RDCMan.
RDCMan remembers which servers where connected when the program was exited. On
the next run you are prompted to choose which servers to reconnect. Disabling this
option automatically reconnects all previously connected servers. See Command Line for
command line switches that affect this behavior.
Clicking this button opens a dialog to configure the settings for the base level of the
inheritance hierarchy. E.g. if a File group is set to inherit from its parent, this is where the
settings come from.
Tree
Click to select gives focus to remote client
When selecting a node in the server tree control with a mouse click, the default behavior
is to keep focus on the tree control. There is an option to change this to focus on the
selected server.
RDCMan can dim the tree control when it is inactive. This presents a more obvious visual
distinction of keyboard focus.
Client Area
Client Area Size
This option resizes the client area of the RDCMan window. The options are also available
from the [View.Client size] menu.
The thumbnail unit size can be specified as an absolute pixel size or a relative
percentage of the client panel width.
Hot Keys
Many of the remote desktop hot keys are configurable. There is a limited mapping,
however. For example if the default key is ALT-something, the replacement must also be
ALT-something. To change a hot key, navigate to the text box for the hot key and press
the new "something" key.
Experience
Depending on the bandwidth available from your machine, you will want to limit
Windows UI features to improve performance. The connection speed drop down can be
used to set all options together, or they can be individually customized. The features are:
desktop backgrounds, showing full window contents when dragging, menu and window
animation, and windows themes.
Full Screen
Show full screen connection bar
When a server is displayed in full-screen mode, the remote desktop activeX control
provides a UI connection bar at the top of the window. This bar can be toggled on and
off. When it is on, you can choose to have it pinned or auto-hidden.
When RDCMan is displaying a server in full-screen mode, you can choose to have the
window always displayed as the top-most window.
By default, a full screen session is restricted to the monitor containing the server
window. You can enable multiple monitor spanning in the full screen options. If the
remote desktop is larger than window's monitor, it will span as many monitors as
needed to fit the remote session. Note that only rectangular areas are used, so if you
have two monitors with differing vertical resolutions, the shorter of the two is used. Also,
there is a hard limit of 4096x2048 for the remote desktop control.
Local Options
Groups and Servers have a number of tabbed property pages with various
customization options. Many of these pages are common to groups and servers. When
the "Inherit from parent" check box is checked, the settings that follow are inherited
from the parent container. Most server-related changes, e.g. remote desktop size, will
not take effect until the next time that server is connected.
File Settings
This page only appears for the properties of a file. It contains options for the file's group
name, shows the full path to the file (which can't be edited), and has a comment field.
Group Settings
This page only appears for the properties of a group. It contains options for the group
name, parent nesting, and a comment.
Server Settings
This page only appears for the properties of a server. It contains options for the server
name, its display name, parent nesting, and a comment. SCVMM virtual machines can
be connected to via RDP into the host using the VM console connect option. Use the
PowerShell command:
PowerShell
get-vm | ft ElementName,Name,Id
Logon Credentials
The Logon Credentials property page contains options pertaining to remote login. The
user name, password, and domain are set on this page. The domain and user name can
be specified together by using the domain\user format. When logging in to a machine
"domain" rather than a Windows domain, you can specify [server] or [display]. This
former will be substituted with the server name, the latter with the display name, at
logon time. It is useful when you have a group of machines which require logging in as
administrator. The Logon Settings entered in the properties pages are used by default
for new connections. If you want to temporarily customize these settings for a new
connection, connect using the Connect As menu item.
Gateway Settings
The Gateway Settings property page has options for using a TS Gateway Server. The
Gateway name, authentication method, and local address bypass options are on this
page. Users of operating systems starting from Vista SP1 and Longhorn server will have
additional options regarding logon credentials:
Explicit entry of Gateway user name and password
Ability to share the Gateway
credentials with the remote server
Connection Settings
The Connection Settings tab includes settings to customize how a session is connected
and what happens upon logon.
You can specify whether the console session should be connected to as well as the
remote desktop connection port.
There are also settings that allow you to run a program upon connection. Enter the
program name and, optionally, the working directory for that program. Note that these
only have an effect if you are connecting to the console session for the first time. That is,
reconnecting to a session or connecting to a session other than the console session will
not run the program. (At least, this is how Terminal Services appears to work based on
empirical observation.)
Specifying "Same as client area" will make the remote desktop the same size as the
RDCMan client panel, i.e. the RDCMan window client area excluding the server tree.
Specifying "Full screen" will make the remote desktop the same size as the screen that
the server is viewed on. Note that the remote desktop size is determined upon
connecting to a server. Changing this setting for a connected server will have no effect.
The maximum size of the remote desktop is determined by the version of the remote
desktop activeX control. Version 5 (pre-Vista) had a maximum of 1600 x 1200; Version 6
(Vista) has a maximum of 4096 x 2048. This limit is enforced at connection time, not
during data entry. This is in case the same RDCMan file is shared by multiple computers.
Local Resources
Various resources of the remote server may be delivered to the client. The remote
computer sound can be played locally, played remotely, or disabled entirely. Windows
key combinations (for example, those involving the actual Windows key as well as other
specials like Alt+Tab) can be applied always to the client machine, always to the remote
machine, or to the client when windowed and the remote machine when in full screen
mode. Client drive, port, printer, smart card, and clipboard resources can be
automatically shared to the remote machine.
Security Settings
You can specify whether authentication of the remote machine is required before a
connection is established.
Display Settings
Thumbnail display settings are customizable from this page.
The first option is: thumbnail scale. This specifies how many thumbnail units to allocate
to the display of a given server. All servers default to a scale of 1. You can change this to
increase the display of important servers. For example, a server could be scaled by 3 or 5
making the remote session quite usable in the thumbnail display while still permitting a
view of many other servers. This is the only option for servers.
There are three additional options for groups: preview session in thumbnail, allow
thumbnail session interaction, and show disconnected thumbnails. The first whether or
not the thumbnail view shows the actual live connection, continually updated. The
second, dependent on the first, specifies whether the thumbnail session is usable. The
final option controls whether disconnected servers appear in the thumbnail view.
Encryption Settings
RDCMan can encrypt the passwords stored in files either with the local user's credentials
via CryptProtectData or an X509 certificate. The Encryption Settings tab is available in
the Default Group Settings and File Settings dialogs.
Personal certificates of the current user which have a private key are available for
encryption. You can create such a certificate in the following manner:
PowerShell
This will create a certificate called " MyRDCManCert " in the Personal Certificates store of the
current user. To install this cert on another computer, you must export it with the private
key.
Profile Management
Credential profiles can be added, edited, and removed from this tab.
Note that the account running RDCMan must have Query Information permissions on
the remote server to list the sessions. Furthermore, the remote session must be directly
reachable rather than via a gateway server. Disconnect and Logoff permissions must be
granted to perform those operations. See msdn for more information on remote
desktop permissions.
Command Line
By default, RDCMan will open the files that were loaded at the time of the last program
shutdown. You can override this by specifying a file (or files) explicitly on the RDCMan
command line. Additionally, the following switches are accepted:
/reset - reset the persisted application preferences such as window location and
size.
/noopen - do not open the previously loaded files, starting with an empty
environment.
/c server1[,server2...] - connect specified servers
/reconnect - connect all servers that were connected at shutdown without
prompting
/noconnect - do not prompt to connect servers that were connected at shutdown
Find Servers
There is a dialog for finding servers accessed via Ctrl+F or the Edit.Find (servers)
command. All servers matching a regular expression pattern are displayed in the dialog
and can be acted on via a context menu. The pattern is matched against the full name
( group\server ).
Credential Profiles
Credential profiles store logon credentials globally to RDCMan or in a file. This allows for
using the same stored credentials across groups that do not have a common ancestor.
One use scenario is to store credentials used for logging into servers and gateways in a
single place. When a password changes, it can be edited once. Another scenario is when
sharing RDG files across a group. Instead of storing passwords in the file (which would
have issues due to the user-specific nature of the encryption RDCMan uses), a profile is
created such as "Me" which each user defines in their Global store.
You can update the settings for a credential profile in two ways. The first is to edit from
a credentials dialog and then save the exact same profile name/domain to the same
store (file or global). That will ask if you want to update. The other way is to go to the
group properties for the credential store (again, file or global) and use the Profile
Management tab.
File scope credential profile passwords are encrypted according to the containing file's
Encryption Settings. Global credential profiles use the Default Group Settings.
Policies
RDCMan retrieves policy information from the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RDCMan registry key.
DisableLogOff - Create this DWORD value as non-zero to disable the log off
FAQ
How do I use smartcard credentials to logon?
You must enable the Group Policy controlling it. Use the MMC "Group Policy"
Snap-in and navigate to "Local Computer Policy/Computer
Configuration/Administrative Templates/Windows Components/Terminal
Services/Encryption and Security". Double-click "Always prompt client for password
upon connection" and click the "Disabled" box.
You can't. To resize you must disconnect and reconnect (use the Reconnect feature
to do this in one step). RDCMan servers have the option, under Display Settings, to
automatically reconnect with the new resolution for both docked and undocked
servers.
Download
Download Remote Desktop Connection Manager (530 KB)
Runs on:
By Mark Russinovich
Introduction
This command-line utility searches for and allows you to delete Registry
keys that
contain embedded-null characters and that are otherwise
undeleteable using standard
Registry-editing tools. Note: deleting
Registry keys may cause the applications they are
associated with to
fail.
Using RegDelNull
Usage: regdelnull <path> [-s]
Parameter Description
Shell
Sysinternals - www.sysinternals.com
Delete (y/n) y
Scan complete.
Runs on:
Client: Windows Vista (32-bit) and higher
Server: Windows Server 2008 (32-bit) and higher
Nano Server: 2016 and higher
Registry Usage (RU) v1.2
Article • 03/23/2021
By Mark Russinovich
Introduction
Ru (registry usage) reports the registry space usage for the registry
key you specify. By
default it recurses subkeys to show the total size
of a key and its subkeys.
Parameter Description
-h Load the specified hive file, perform the size calculation, then unload it and
compress it.
-n Do not recurse.
Path,CurrentValueCount,CurrentValueSize,ValueCount,KeyCount,KeySize,WriteTime
Introduction
A subtle but significant difference between the Win32 API and the Native
API (see Inside
the Native API for
more information on this largely undocumented interface) is the way
that
names are described. In the Win32 API strings are interpreted as
NULL-terminated
ANSI (8-bit) or wide character (16-bit) strings. In the
Native API names are counted
Unicode (16-bit) strings. While this
distinction is usually not important, it leaves open an
interesting
situation: there is a class of names that can be referenced using the
Native
API, but that cannot be described using the Win32 API.
Runs on:
By Mark Russinovich
Introduction
This little command-line applet takes a registry path and makes Regedit
open to that
path. It accepts root keys in standard (e.g.
HKEY_LOCAL_MACHINE) and abbreviated
form (e.g. HKLM).
Parameter Description
By Mark Russinovich
Introduction
Working on NT and Win2K means that executables and object files will
many times have
embedded UNICODE strings that you cannot easily see with
a standard ASCII strings or
grep programs. So we decided to roll our
own. Strings just scans the file you pass it for
UNICODE (or ASCII)
strings of a default length of 3 or more UNICODE (or ASCII)
characters.
Note that it works under Windows 95 as well.
Using Strings
Usage:
strings [-a] [-f offset] [-b bytes] [-n length] [-o] [-q] [-s] [-u] <file or
directory>
Parameter Description
-s Recurse subdirectories
Parameter Description
Runs on:
By Mark Russinovich
Introduction
Testlimit is a command-line utility that can be used to stress-test
your PC and/or
applications by simulating low resource conditions for
memory, handles, processes,
threads and other system objects.
usage: Testlimit
[[-h [-u]] | [-p [-n]] | [-t [-n [KB]]] | [-u [-i]] | [-g [object size]] | [-a|-d|-
l|-m|-r|-s|-v [MB]] | [-w]] [-c [count]] [-e [seconds]]
Parameter Description
-g Create GDI handles of specified size (default 1 byte). Specify a size of 0 to cause GDI
object exhaustion
-l Allocate the specified amount of large pages (rounded to large size multiple)
-p Create processes - add -n to set min working set. Add -n to set min working set of
processes to smallest
Runs on:
Related Links
Windows Internals Book The official updates and errata page for the definitive
book on
Windows internals, by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference The
official guide to the
Sysinternals utilities by Mark Russinovich and
Aaron Margosis, including
descriptions of all the tools, their
features, how to use them for troubleshooting,
and example
real-world cases of their use.
Download
Download Testlimit (234 KB)
By Mark Russinovich
https://www.microsoft.com/en-us/videoplayer/embed/RE55yQm?
autoplay=true&loop=true&controls=false&postJsllMsg=true
Introduction
ZoomIt is a screen zoom, annotation, and recording tool for technical presentations
and
demos. You can also use ZoomIt to snip screenshots to the clipboard or to a file.
ZoomIt
runs unobtrusively in the tray and activates with customizable
hotkeys to zoom in on an
area of the screen, move around while zoomed, and draw on
the zoomed image. I wrote
ZoomIt to fit my specific needs and use it in all my
presentations.
ZoomIt works on all versions of Windows and you can use touch and pen input for
ZoomIt drawing on tablets.
Using ZoomIt
The first time you run ZoomIt it presents a configuration dialog that
describes ZoomIt's
behavior, let's you specify alternate hotkeys for
zooming and for entering drawing mode
without zooming, and customize the
drawing pen color and size. I use the draw-
without-zoom option to
annotate the screen at its native resolution, for example.
ZoomIt also
includes a break timer feature that remains active even when you tab
away
from the timer window and allows you to return to the timer window
by clicking on the
ZoomIt tray icon.
Shortcuts
ZoomIt offers a number of shortcuts which can extend its usage greatly.
Function Shortcut
Function Shortcut
Increase/Decrease Line And Cursor Size (Drawing Mode) Ctrl + Mouse Scroll
Up/Down or Arrow
Keys
Red Pen R
Green Pen G
Blue Pen B
Yellow Pen Y
Orange Pen O
Pink Pen P
Start/Stop Full Screen Recording Saved as MP4 (Windows 10 May 2019 Ctrl + 5
Update And Higher)
Crop Screen Recording Saved as MP4 (Windows 10 May 2019 Update Ctrl + Shift + 5
And Higher)
Screen Record Only The Window That The Mouse Cursor is Positioned Ctrl + Alt + 5
Over Saved as MP4 (Windows 10 May 2019 Update And Higher)
By Mark Russinovich
Introduction
The Sysinternals Troubleshooting Utilities have been rolled up into a
single Suite of
tools. This file contains the individual troubleshooting
tools and help files. It does not
contain non-troubleshooting tools like
the BSOD Screen Saver.
Sysinternals Suite
Version 2023.7
July 26, 2023
Usage
Like most other MSIX packages, Sysinternals Suite is installed per user, but the binaries are
stored in a secure location and shared by users. Graphical tools, like Process Explorer, are
added to the Windows Start menu. Starting with Windows 11, they are grouped in a
Sysinternals Suite folder (VisualGroup property).
7 Note
Windows 10 does not support Start menu folders for MSIX packages so the tools are not
grouped in a Sysinternals Suite folder.
All executables are available from the path via Windows app execution aliases:
Processor Architecture
The MSIX bundle contains separate packages for ARM64, x64, and x86.
Only the package matching the OS is downloaded and installed.
Packaged executables do not have a suffix ('64' for x64, '64a' for ARM64).
For example, procexp.exe on x64 is the same as the unpackaged procexp64.exe.
Sysinternals Community
Article • 11/25/2020
Follow on Twitter
Follow @Sysinternals
Follow @MarkRussinovich
Books
Windows Internals Book
The official updates and errata page for the definitive book on Windows internals, by
Mark Russinovich and David Solomon.
The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis,
including descriptions of all the tools, their features, how to use them for
troubleshooting, and example real-world cases of their use.
Articles
Inside the Windows Vista Kernel: Part 1
Inside the Windows Vista Kernel: Part 2
Inside the Windows Vista Kernel: Part 3
Inside Windows Vista User Account Control
Inside Windows Server 2008 Kernel Changes
Candid talk from the man behind your favorite Windows tools
Mark talks with Larry Seltzer about the history and future of Sysinternals.
Defrag Tools Shows
Episodes 1 – 12 of the Defrag Tools shows focus on Sysinternals tools. Each episode
covers a specific tool used on the tech support show Defrag , covering when and why
to use the tools, and providing tips on how to get the most out of them:
Mark's Webcasts
The Sysinternals utilities are vital tools for any computer professional on the Windows
platform. Mark Russinovich's popular "Case Of The Unexplained" demonstrates some of
their capabilities in advanced troubleshooting scenarios. This complementary tutorial
session focuses primarily on the utilities themselves, giving you tips and techniques for
using their full functionality for troubleshooting and systems management. This session
follows the same format as last year’s highly-rated delivery, and covers a different set of
the most useful Sysinternals tools.
Unintended Consequences of Security Lockdowns (uses Sysinternals utilities a lot)
The Sysinternals utilities are vital tools for any computer professional on the Windows
platform. Mark Russinovich's popular "Case Of The Unexplained" demonstrates some of
their capabilities in advanced troubleshooting scenarios. This complementary tutorial
session by Aaron Margosis and Tim Reckmeyer focuses primarily on the utilities, deep-
diving into as many features as time will allow. Learn tips and tricks that will make you
more effective with the Sysinternals utilities.
Newsletter
Sysinternals Newsletter Archive
Mark's Webcasts
Article • 07/26/2023
Microsoft Azure
The Next Generation of Azure Compute Platform Learn about ways to integrate
with Azure Resource Manager (ARM) to enable role-based access control (RBAC),
tagging,and template-based deployments,and how Windows containers with
Docker compatibility make your code deploy instantly and work consistently in any
environment. Also learn how Service Fabric, Microsoft’s hyper-scale micro-service
PaaS that powers everything from Azure DB to Cortana, brings applications state-
of-the art high-density, high availability and stateful computing capabilities.
Mark Russinovich and Mark Minasi on Cloud Computing Join Mark Russinovich
and Mark Minasi for a lively discussion as they share their views on the cloud
computing disruption and what it means for IT pros and developers. Mark
Russinovich brings his perspective from leading Microsoft Azure architecture and
Mark Minasi brings his IT expertise and view from outside.
Public Cloud Security: Surviving in a Hostile Multi-Tenant Environment The rise
of public cloud computing has brought with it a new set of security considerations
that are not widely understood. With a unique perspective from working on the
security systems of a public cloud, Mark describes public cloud service provider
and cloud customer threats, including malicious insiders, shared technology, data
breaches, and data loss. For each, he assesses the risks and explores the value of
mitigations like encryption-at-rest, encryption-in-flight, and other security best
practices, separating hype from reality so that you can make educated decisions as
your organization moves to the cloud.
Mark Russinovich and Mark Minasi on Cloud Computing
(https://channel9.msdn.com/events/teched/northamerica/2014/dcim-b386) Join
Mark Russinovich and Mark Minasi for a lively discussion as they share their views
on the cloud computing disruption and what it means for IT pros and developers.
Mark Russinovich brings his perspective from leading Microsoft Azure architecture
and Mark Minasi brings his IT expertise and view from outside. The economics of
public cloud, future of PaaS and IaaS, how enterprises will bridge their on-premises
environments with the cloud, how you should look at security in the public cloud,
and what skills are important for IT pros and developers are just some of the areas
they explore together.
Infrastructure Services on Microsoft Azure: Virtual Machines and Virtual Networks
(https://channel9.msdn.com/events/teched/northamerica/2013/mdc-b212) This
session gives an overview of the new Windows Azure infrastructure services (IaaS),
including support for Windows Server and Linux persistent virtual machines, new
networking capabilities for hybrid applications and on-premises/cloud
connectivity, and support for applications that consist of PaaS and IaaS roles. Mark
explains how IaaS fits into Windows Azure to extend existing server applications to
cloud and shows demonstrations of IaaS VM deployment and complex multi-VM
applications.
Microsoft Azure Internals Mark Russinovich goes under the hood of the Microsoft
datacenter operating system. Intended for developers who have already gotten
their hands dirty with Windows Azure and understand its basic concepts, this
session gives an inside look at the architectural design of the Windows Azure
compute platform. Learn about Microsoft’s datacenter architecture, what goes on
behind the scenes when you deploy and update a Windows Azure app and how it
monitors and responds to the health of machines, its own components, and the
apps it hosts.
Introduction to Microsoft Azure: The Cloud Operating System Join Mark
Russinovich for an overview of Microsoft’s new cloud OS. Assuming no prior
knowledge of Windows Azure, this session will start by explaining the Windows
Azure Platform-as-a-Service (PaaS) app philosophy and how it differs from that of
traditional server apps. Then, demonstrating key concepts with a real Windows
Azure service built and deployed to the cloud, we’ll describe the Windows Azure
service model, including concepts like update and fault domains. The session will
then conclude by discussing the different service update options and detail the
recovery steps Windows Azure follows when it detects that a service or a hardware
device has failed.
Inside Microsoft Azure: The Cloud Operating System Mark Russinovich goes under
the hood of Microsoft’s new cloud OS. Intended for developers who have already
gotten their hands dirty with Windows Azure and understand its basic concepts,
this session gives an inside look at the architectural design of Windows Azure’s
compute platform. You’ll learn about Microsoft’s datacenter architecture, what
goes on behind the scenes when you deploy and update a Windows Azure app
and how it monitors and responds to the health of machines, its own components
and the apps it hosts.
Channel9: MarkRussinovich: Microsoft Azure, Cloud Operating Systems and
Platformas a Service Mark talks about what he’s working on in the Windows
Azure team, why the world is moving to the cloud, and what Platform-as-a-Service
(PaaS) means and how Windows Azure delivers PaaS.
Windows Internals
Tech-Ed North America 2011: Mysteries of Windows Memory Management
Revealed, Part1
(https://channel9.msdn.com/events/teched/northamerica/2011/wcl405) [Tech-Ed
North America 2011: Mysteries of Windows Memory Management Revealed, Part2
(https://channel9.msdn.com/events/teched/northamerica/2011/wcl406) If you
want to know the difference between System Committed memory and Process
Committed memory, wondered what all those memory numbers shown by Task
Manager really mean, or want to gain insight into the memory-related impact of a
process, then this talk is for you. Watch Mark in this on-demand webcast from
North America 2011.
Pushing the Limits of Windows
(https://channel9.msdn.com/events/teched/europe/2009/cli402) Watch as Mark
explains Windows limits related to object handles, virtual memory and physical
memory. Along the way he explains where the limits come from and how to
monitor your applications so that you're warned when they approach the limits
and so that you can size your systems to accommodate their resource
requirements.
Inside Windows Server 2008R2 Virtualization and VHD Improvements
(https://channel9.msdn.com/events/teched/northamerica/2009/vir401) Mark takes
you inside new Windows virtualization and VHD features, including live VM
migration, core parking and timer coalescing, hypervisor power management
support,and new hardware-assisted guest memory management. He delivers the
entire presentation from a Windows installation that was booted from VHD to
show you how Windows implements a native VHD stack and how the boot
architecture has changed to accommodate booting from VHD images.
Channel9: Mark Russinovich goes Inside Windows 7 Mark talks about kernel
changes in Windows 7 and Windows Server 2008R2, including the removal of the
scheduler's dispatcher lock, support for up to 256 CPUs, boot from VHD, MinWin,
core parking for power savings and more.
Channel9: Mark Russinovich: Inside Windows 7 Redux In a follow-on to the
previous Inside Windows 7 discussion, Mark digs into the insides of Windows 7,
way deep down in the system (the cumulative effects of which help to make
Windows 7 Microsoft's most reliable, scalable and efficient general purpose
operating system to date).
Channel9: Mark talks about working at Microsoft, Windows Server 2008's kernel,
MinWin vs ServerCore and Hyper-V Channel 9 chats with Technical Fellow and
Sysinternals founder Mark Russinovich to dig a bit into what's new in the Windows
Server 2008 kernel. Of course, we talk about many things including HyperV,
application virtualization, kernel architecture, and more....
Security
TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them Pass-the-
hash transforms the breach of one machine into total compromise of
infrastructure. The publication of attacks, and lack of tools to respond, have forced
enterprises to rely on onerous and ineffective techniques. In this session, we
deconstruct the PtH threat, show how the attack is performed, and how it can be
addressed using new features and functionality recently introduced in Windows.
TWC: Malware Hunting with Mark Russinovich and the Sysinternals Tools Mark
provides an overview of several Sysinternals tools, including Process Monitor,
Process Explorer, and Autoruns, focusing on the features useful for malware
analysis and removal. These utilities enable deep inspection and control of
processes, file system and registry activity, and autostart execution points. He
demonstrates their malware-hunting capabilities by presenting several current,
real-world malware samples and using the tools to identify and clean malware.
License to Kill: Malware Hunting with the Sysinternals tools This session provides
an overview of several Sysinternals tools, including Process Monitor, Process
Explorer, and Autoruns, focusing on the features useful for malware analysis and
removal. These utilities enable deep inspection and control of processes, file
system and registry activity, and autostart execution points. You will see demos for
their malware-hunting capabilities through several real-world cases that used the
tools to identify and clean malware,and conclude by performing a live analysis of a
Stuxnet infection’s system impact.
Zero Day: A Non-Fiction View Mark makes the case for how his hit cyberthriller,
ZeroDay, is likely to be realized in non-fiction form in this 20-minute short version
of his well-popular RSA Conference session.
Zero Day Malware Cleaning with the Sysinternals tools Slides from Mark’s
highly-rated Blackhat US 2011 presentation how to use the Sysinternals tools to
hunt down and eliminate malware.
Channel9: Mark Talks about Windows Security and Core Architecture Check out
Mark’s Channel 9 interview where he talks about how he got started with Windows
internals, new security features in Windows Vista, User Account Control,and what
he’s doing at Microsoft.
Defrag Tools
Defrag Tools Shows Episodes 1 – 12 of the Defrag Tools shows focus on
Sysinternals tools. Each episode covers a specific tool used on the tech support
show Defrag , covering when and why to use the tools, and providing tips on
how to get the most out of them:
Defrag Tools: #1- Building your USB thumbdrive
Defrag Tools: #2- Process Explorer
Defrag Tools: #3- Process Monitor
Defrag Tools: #4- Process Monitor- Examples
Defrag Tools: #5- Autoruns and MSConfig
Defrag Tools: #6- RAMMap
Defrag Tools: #7- VMMap
Defrag Tools: #8- Mark Russinovich
Defrag Tools: #9- ProcDump
Defrag Tools: #10- ProcDump- Triggers
Defrag Tools: #11- ProcDump- Windows 8 & Process Monitor
Defrag Tools: #12- TaskMgr and ResMon
Windows Internals Book
Article • 09/15/2022
Windows Internals 7th edition (Part 1) covers the architecture and core internals of
Windows 10 and Windows Server 2016. This book helps you:
The 7th edition was written by Pavel Yosifovich, Alex Ionescu, Mark Russinovich and
David Solomon. New material has been added since the 6th edition (which covered
Windows 7 and Windows Server 2008 R2).
The 7th edition’s part 2 (written by Andrea Allievi, Mark E. Russinovich, Alex Ionescu and
David A. Solomon) is now available, and provides an invaluable resource on missing
topics from the first part of the 7th edition. These include the boot process, new storage
technologies, and Windows system and management mechanisms.
The book is available for purchase on the Microsoft Press site (7th edition Part 1 ; 7th
Edition Part 2 ).
Windows Internals, Fifth Edition was the update for Windows Vista and Windows Server
2008. It saw Mark Russinovich move on to a full-time job at Microsoft (where he is now
the Azure CTO) and the addition of a new co-author, Alex Ionescu. New content
included the image loader, user-mode debugging facility, Advanced Local Procedure
Call (ALPC), and Hyper-V. The next release, Windows Internals, Sixth Edition, was fully
updated to address the many kernel changes in Windows 7 and Windows Server 2008
R2, with many new hands-on experiments to reflect changes in the tools as well.
Book tools
Several tools have been specifically written for the book, and they are available with full
source code at the WindowsInternals GitHub repository .
Troubleshooting with the Windows
Sysinternals Tools
Article • 07/19/2022
Sample Chapter
You can read samples from the book at this link on
Amazon.com .
Table of Contents
Part I: Getting started
Chapter 1 Getting started with the Sysinternals utilities
Chapter 2 Windows core concepts
Part II: Usage guide
Chapter 3 Process Explorer
Chapter 4 Autoruns
Chapter 5 Process Monitor
Chapter 6 ProcDump
Chapter 7 PsTools
Chapter 8 Process and diagnostic utilities
Chapter 9 Security utilities
Chapter 10 Active Directory utilities
Chapter 11 Desktop utilities
Chapter 12 File utilities
Chapter 13 Disk utilities
Chapter 14 Network and communication utilities
Chapter 15 System information utilities
Chapter 16 Miscellaneous utilities
Part III: Troubleshooting — "The Case of the Unexplained..."
Chapter 17 Error messages
Chapter 18 Crashes
Chapter 19 Hangs and sluggish performance
Chapter 20 Malware
Chapter 21 Understanding system behavior
Chapter 22 Developer troubleshooting
Errata
See the Errata & Updates tab on the Microsoft Press web site
Inside Native Applications
Article • 03/23/2021
Mark Russinovich
Published: November 1, 2006
Introduction
If you have some familiarity with NT's architecture you are probably aware that the API
that Win32 applications use isn't the "real" NT API. NT's operating environments, which
include POSIX, OS/2 and Win32, talk to their client applications via their own APIs, but
talk to NT using the NT "native" API. The native API is mostly undocumented, with only
about 25 of its 250 functions described in the Windows NT Device Driver Kit.
What most people don't know, however, is that "native" applications exist on NT that
are not clients of any of the operating environments. These programs speak the native
NT API and can't use operating environment APIs like Win32. Why would such programs
be needed" Any program that must run before the Win32 subsystem is started (around
the time the logon box appears) must be a native application. The most visible example
of a native application is the "autochk" program that runs chkdsk during the
initialization Blue Screen (its the program that prints the "."'s on the screen). Naturally,
the Win32 operating environment server, CSRSS.EXE (Client-Server Runtime Subsystem),
must also be a native application.
In this article I'm going to describe how native applications are built and how they work.
Shell
Autocheck Autochk *
Session Manager looks in the <winnt>\system32 directory for the executables listed in
this value. When Autochk runs there are no files open so Autochk can open any volume
in raw-mode, including the boot drive, and manipulate its on-disk data structures. This
wouldn't be possible at any later point.
Shell
TARGETTYPE=PROGRAM
The Build utility uses a standard makefile to guide it, \ddk\inc\makefile.def, which looks
for a run-time library named nt.lib when compiling native applications. Unfortunately,
Microsoft doesn't ship this file with the DDK (its included in the Server 2003 DDK, but I
suspect that if you link with that version your native application won't run on XP or
Windows 2000). However, you can work around this problem by including a line in
makefile.def that overrides the selection of nt.lib by specifying Visual C++'s runtime
library, msvcrt.lib
If you run Build under the DDK's "Checked Build" environment it will produce a native
application with full debug information under %BASEDIR%\lib%CPU%\Checked (e.g.
c:\ddk\lib\i386\checked\native.exe), and if you invoke it in the "Free Build" environment
a release version of the program will end up in %BASEDIR%\lib%CPU%\Free. These are
the same places device driver images are placed by Build.
Native applications have ".exe" file extensions but you cannot run them like Win32
.exe's. If you try you'll get the message:
Native applications don't simply return from their startup function like Win32 programs,
since there is no runtime code to return to. Instead, they must terminate themselves by
calling NtProcessTerminate.
The NTDLL runtime consists of hundreds of functions that allow native applications to
perform file I/O, interact with device drivers, and perform interprocess communications.
Unfortunately, as I stated earlier, the vast majority of these functions are undocumented.
Sysinternals Newsletter Archive
Article • 07/27/2021
Volume 1
Number 1 - April 14, 1999
Number 2 - May 15, 1999
Number 3 - June 19, 1999
Number 4 - August 5, 1999
Number 5 - October 12, 1999
Volume 2
Number 1 - January 6, 2000
Number 2 - March 27, 2000
Number 3 - June 14, 2000
Number 4 - August 30, 2000
Number 5 - November 30, 2000
Volume 3
Number 1 - April 18, 2001
Number 2 - August 20, 2001
Volume 4
Number 1 - January 7, 2002
Number 2 - August 12, 2002
Number 3 - October 16, 2002
Volume 5
Number 1 - February 19, 2003
Number 2 - June 23, 2003
Volume 6
Number 1 - April 27, 2004
Number 2 - July 30, 2004
Volume 7
Number 1 - January 5, 2005
Special Announcement - April 11, 2005
Number 2 - August 24, 2005
Volume 8
Number 1 - March 2, 2006
Number 2, Sysinternals Site Migration - October 30, 2006
Number 3, Sysinternals TechCenter - November 06, 2006
Number 4, Web Site Updates - November 08, 2006
Sysinternals Software License Terms
Article • 05/24/2023
updates,
supplements,
Internet-based services,
and support services
for this software, unless other terms accompany those items. If so,
those terms apply.
BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT USE THE SOFTWARE.
If you comply with these license terms, you have the rights below.
Scope of License
The software is licensed, not sold. This agreement only gives you some
rights to use the
software. Sysinternals reserves all other rights.
Unless applicable law gives you more
rights despite this limitation, you
may use the software only as expressly permitted in
this agreement. In
doing so, you must comply with any technical limitations in the
software
that only allow you to use it in certain ways. You may not
Data Collection
The Sysinternals tools do not collect any data. Please refer to the
Microsoft Privacy
Statement .
Documentation
Any person that has valid access to your computer or internal network
may copy and
use the documentation for your internal, reference
purposes.
Export Restrictions
The software is subject to United States export laws and regulations.
You must comply
with all domestic and international export laws and
regulations that apply to the
software. These laws include restrictions
on destinations, end users and end use. For
additional information, see
www.microsoft.com/exporting .
Support Services
Because this software is "as is," we may not provide support services
for it.
Entire Agreement
This agreement, and the terms for supplements, updates, Internet-based
services and
support services that you use, are the entire agreement for
the software and support
services.
Applicable Law
United States . If you acquired the software in the United States ,
Washington state law
governs the interpretation of this agreement and
applies to claims for breach of it,
regardless of conflict of laws
principles. The laws of the state where you live govern all
other
claims, including claims under state consumer protection laws, unfair
competition
laws, and in tort.
Outside the United States . If you acquired the software in any other
country, the laws of
that country apply.
Legal Effect
This agreement describes certain legal rights. You may have other rights
under the laws
of your country. You may also have rights with respect to
the party from whom you
acquired the software. This agreement does not
change your rights under the laws of
your country if the laws of your
country do not permit it to do so.
Disclaimer of Warranty
The software is licensed "as-is." You bear the risk of using it.
Sysinternals gives no
express warranties, guarantees or conditions. You
may have additional consumer rights
under your local laws which this
agreement cannot change. To the extent permitted
under your local laws,
sysinternals excludes the implied warranties of merchantability,
fitness
for a particular purpose and non-infringement.
It also applies even if Sysinternals knew or should have known about the
possibility of
the damages. The above limitation or exclusion may not
apply to you because your
country may not allow the exclusion or
limitation of incidental, consequential or other
damages.