Chapter 1
Getting Started with the
Sysinternals Utilities
The Sysinternals utilities are free, advanced administrative, diagnostic, and troubleshooting utilities for the Microsoft Windows platform written by the founders of Sysinternals: me (Mark Russinovich) and Bryce Cogswell. Since Microsoft’s acquisition of Sysinternals in July 2006, these utilities have been available for download from Microsoft’s TechNet Web site. Among the hallmarks of a Sysinternals utility are that it
■ Serves unmet needs of a significant IT pro or developer audience
■ Is intuitive and easy to use
■ Is packaged as a single executable image that does not require installation and can be run from anywhere, including from a network location or removable media
■ Does not leave behind any significant incidental data after it has run
Because Sysinternals doesn’t have the overhead of a formal product group, I can quickly release new features, utilities, and bug fixes. In some cases, I can take a useful and simple-to-implement feature from suggestion to public availability in under a week.
However, the other side of not having a full product group and formal testing organization is that the utilities are offered “as is” with no official Microsoft product support. The Sysinternals team maintains a dedicated community support forum—described later in this chapter—on the Sysinternals Web site, and I try to fix reported bugs as quickly as possible.
Overview of the Utilities
The Sysinternals utilities cover a broad range of functionality across many aspects of the Windows operating system. While some of the more comprehensive utilities such as Process Explorer and Process Monitor span several categories of operations, others can more or less be grouped within a single category, such as “process utilities” or “file utilities.” Many of the utilities have a graphical user interface (GUI), while others are console utilities with rich command-line interfaces designed for automation or for use at a command prompt.
This book covers three major utilities (Process Explorer, Process Monitor, and Autoruns), each in its own chapter. Subsequent chapters cover several utilities each, grouped by category.
Table 1-1 lists these chapters with a brief overview of each of the utilities covered within them.
TABLE 1-1 Chapter Topics
Utility: Description

Chapter 3, Process Explorer
Process Explorer: Replaces Task Manager, and displays far more detail about processes and threads, including parent/child relationships, dynamic-link libraries (DLLs) loaded, and object handles opened such as files in use

Chapter 4, Process Monitor
Process Monitor: Logs details about all file system, registry, network, process, thread, and image load activity in real time

Chapter 5, Autoruns
Autoruns: Lists and categorizes software that is configured to start automatically when your system boots, when you log on, and when you run Internet Explorer, and lets you disable or delete those entries

Chapter 6, PsTools
PsExec: Executes processes remotely and/or as Local System with redirected output
PsFile: Lists or closes files opened remotely
PsGetSid: Displays the Security Identifier (SID) of a security principal, such as a computer, user, group, or service
PsInfo: Lists information about a system
PsKill: Terminates processes by name or by Process ID (PID)
PsList: Lists detailed information about processes and threads
PsLoggedOn: Lists accounts that are logged on locally and through remote connections
PsLogList: Dumps event log records
PsPasswd: Changes passwords for user accounts
PsService: Lists and controls Windows services
PsShutdown: Shuts down, logs off, or changes the power state of local and remote systems
PsSuspend: Suspends and resumes processes

Chapter 7, Process and Diagnostic Utilities
VMMap: Displays details of a process’ virtual and physical memory usage
ProcDump: Generates a memory dump for a process when it meets specifiable criteria, such as exhibiting a CPU spike or having an unresponsive window
DebugView: Monitors user-mode and kernel-mode debug output generated from the local computer or a remote computer
LiveKd: Runs a standard kernel debugger on a snapshot of the running local system or Hyper-V guest without having to reboot into debug mode, and also allows making a memory dump of a live system
ListDLLs: Displays information about DLLs loaded on the system in a console window
Handle: Displays information about object handles opened by processes on the system in

Chapter 8, Security Utilities
SigCheck: Verifies file signatures, and displays version information
AccessChk: Searches for objects that grant permissions to specific users or groups, and provides detailed information on permissions granted
AccessEnum: Searches a file or registry hierarchy, and identifies where permissions might have been changed
ShareEnum: Enumerates file and printer shares on your network and who can access them
ShellRunAs: Restores the ability to run a program under a different user on Windows Vista
Autologon: Configures a user account for automatic logon when the system boots
LogonSessions: Enumerates active Local Security Authority (LSA) logon sessions on the computer
SDelete: Securely deletes files or folder structures, and erases data in unallocated areas of the hard drive

Chapter 9, Active Directory Utilities
AdExplorer: Displays and enables editing of Active Directory objects
AdInsight: Traces Active Directory Lightweight Directory Access Protocol (LDAP) API calls
AdRestore: Enumerates and restores deleted Active Directory objects

Chapter 10, Desktop Utilities
BgInfo: Displays computer configuration information on the desktop wallpaper
Desktops: Runs applications on separate virtual desktops
ZoomIt: Magnifies the screen, and enables screen annotation

Chapter 11, File Utilities
Strings: Searches files for embedded ASCII or Unicode text
Streams: Identifies file system objects that have alternate data streams, and deletes those streams
Junctions: Lists and deletes NTFS directory junctions
FindLinks: Lists NTFS hard links
DU: Lists logical and on-disk sizes of a directory hierarchy
PendMoves: Reports on file operations scheduled to take place during the next system boot
MoveFile: Schedules file operations to take place during the next system boot

Chapter 12, Disk Utilities
Disk2Vhd: Captures a VHD image of a physical disk
Diskmon: Logs sector-level hard disk activity
Sync: Flushes unwritten changes from disk caches to the physical disk
DiskView: Displays a cluster-by-cluster graphical map of a volume, letting you find what file is in particular clusters and which clusters are occupied by a given file
Contig: Defragments specific files, or shows how fragmented a particular file is
PageDefrag: Defragments system files at boot time that cannot be defragmented while
LDMDump: Displays detailed information about dynamic disks from the Logical Disk Manager (LDM) database
VolumeID: Changes a volume’s ID (also known as its serial number)

Chapter 13, Network and Communication Utilities
TCPView: Lists active TCP and UDP endpoints
Whois: Reports Internet domain registration information or performs reverse Domain Name System (DNS) lookups
Portmon: Monitors serial and parallel port I/O in real time

Chapter 14, System Information Utilities
RAMMap: Provides detailed view of physical memory usage
CoreInfo: Lists mapping of logical processors to cores, sockets, Non-Uniform Memory Access (NUMA) nodes, and processor groups
ProcFeatures: Reports processor features such as No-Execute memory protection
WinObj: Displays Windows’ Object Manager namespace
LoadOrder: Shows approximate order in which Windows loads device drivers and starts services
PipeList: Lists listening named pipes
ClockRes: Displays the current, maximum, and minimum resolution of the system clock

Chapter 15, Miscellaneous Utilities
RegJump: Launches RegEdit, and navigates to the registry path you specify
Hex2Dec: Converts numbers from hexadecimal to decimal and vice versa
RegDelNull: Searches for and deletes registry keys with embedded NUL characters in their names
Bluescreen Screen Saver: Screen saver that realistically simulates a “Blue Screen of Death”
Ctrl2Cap: Converts Caps Lock keypresses to Control keypresses
The Windows Sysinternals Web Site
The easiest way to get to the Sysinternals Web site (Figure 1-1) is to browse to http://www.sysinternals.com, which redirects to the Microsoft TechNet home of Sysinternals, currently at http://technet.microsoft.com/sysinternals. In addition to all the Sysinternals utilities, the site contains or links to many related resources, including training, books, blogs, articles, webcasts, upcoming events, and the Sysinternals community forum.
FIGURE 1-1 The Windows Sysinternals Web site.
Downloading the Utilities
You can download just the Sysinternals utilities that you need one at a time, or download the entire set in a single compressed (.zip) file called the Sysinternals Suite. Links on the Sysinternals home page take you to pages that link to individual utilities. The Utilities Index lists all the utilities on one page; links to categories such as “File and Disk Utilities” or “Networking Utilities” take you to pages that list only subsets of the utilities.
Each download is packaged as a compressed (.zip) file that contains the executable (or executables), an End User License Agreement (EULA) text file, and for some of the utilities, an online help file.
Note The individual PsTool utilities are available for download only in bundles—either the PsTools suite or the full Sysinternals Suite.
My co-author, Aaron, makes it his habit to create a “C:\Program Files\Sysinternals” folder and extract the Sysinternals Suite into it, where it cannot be modified by non-administrative users. He then adds that location to the Path system environment variable so that he can easily launch the utilities from anywhere, including from the Windows 7 Start menu search box as shown in Figure 1-2.
FIGURE 1-2 Launching Procmon via Path search from the Start menu search box.
“Unblock” .zip Files Before Extracting Files
Before extracting content from the downloaded .zip files, you should first remove the marker that tells Windows to treat the content as untrusted and that results in warnings and errors like those shown in Figures 1-3 and 1-4. The Windows Attachment Execution Service adds an alternate data stream (ADS) to the .zip file indicating that it came from the Internet. When you extract the files with Windows Explorer, it propagates the ADS to all extracted files.
FIGURE 1-4 Compiled HTML Help (CHM) files fail to display content when marked as having come from the Internet.
One way to remove the ADS is to open the .zip file’s Properties dialog box in Windows Explorer and click the Unblock button near the bottom of the General tab as shown in Figure 1-5. Another way is to use the Sysinternals Streams utility, which is described in Chapter 11, “File Utilities.”
FIGURE 1-5 The Unblock button appears near the bottom of the downloaded file’s Properties dialog box.
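As an added example (not code from the book), the PowerShell script below shows the mark the Attachment Execution Service leaves on a download, which is an alternate data stream named Zone.Identifier, and removes it with Unblock-File before extraction; the archive path and the extraction folder are assumptions.

```powershell
# Added example (not from the book): show and remove the "from the Internet" mark on a
# downloaded Sysinternals archive before extracting it. The mark is an alternate data
# stream named Zone.Identifier. Archive path and extraction folder are assumptions.
$Archive   = "$env:USERPROFILE\Downloads\SysinternalsSuite.zip"
$Extracted = 'C:\Program Files\Sysinternals'

function Get-ZoneMark {
    param([Parameter(Mandatory)][string]$File)
    # Returns $null when the file carries no Zone.Identifier stream.
    try {
        $lines = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        return $null
    }
    $zoneId = $null
    foreach ($line in $lines) {
        # ZoneId=3 is the Internet zone; the stream can also record the download URL.
        if ($line -match '^ZoneId=(\d+)$') { $zoneId = [int]$Matches[1] }
    }
    [pscustomobject]@{ File = $File; ZoneId = $zoneId; Raw = ($lines -join "`n") }
}

$mark = Get-ZoneMark -File $Archive
if ($null -eq $mark) {
    "No Zone.Identifier stream on $Archive; nothing to unblock."
} else {
    "Mark found on $Archive (ZoneId=$($mark.ZoneId)):`n$($mark.Raw)"
    # Unblock-File deletes the stream, the same effect as the Unblock button. Doing this
    # before extraction keeps Explorer from copying the mark onto every extracted file.
    Unblock-File -LiteralPath $Archive
    if ($null -eq (Get-ZoneMark -File $Archive)) { 'Stream removed.' }
}

# If the suite was extracted while still blocked, clear the marks in one pass.
# (The Sysinternals Streams utility does the same with "streams -s -d <folder>".)
if (Test-Path -LiteralPath $Extracted) {
    Get-ChildItem -LiteralPath $Extracted -Recurse -File |
        Where-Object { $null -ne (Get-ZoneMark -File $_.FullName) } |
        ForEach-Object { Unblock-File -LiteralPath $_.FullName; "Unblocked $($_.FullName)" }
}
```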
Running the Utilities Directly from the Web
Sysinternals Live is a service that enables you to execute Sysinternals utilities directly from the Web without first having to hunt for, download, and extract them. Another advantage of Sysinternals Live is that it guarantees you run the latest versions of the utilities.
To run a utility using Sysinternals Live from Internet Explorer, type http://live.sysinternals.com/utilityname.exe in the address bar (for example, http://live.sysinternals.com/procmon.exe). Alternatively, you can specify the Sysinternals Live path in Universal Naming Convention (UNC) as \\live.sysinternals.com\tools\utilityname.exe. (Note the addition of the “tools” subdirectory, which is not required when you specify a utility’s URL.) For example, you can run the latest version of Process Monitor by running \\live.sysinternals.com\tools\procmon.exe.
Note The UNC syntax for launching utilities using Sysinternals Live requires that the WebClient service be running. In newer versions of Windows, the service might not be configured to start automatically. Starting the service directly (for example, by running net start webclient) requires administrative rights. You can start the service indirectly without administrative rights by running net use \\live.sysinternals.com from a command prompt or by browsing to \\live.sysinternals.com with Windows Explorer.
You can also map a drive letter to \\live.sysinternals.com\tools or open the folder as a remote share in Windows Explorer, as shown in Figure 1-6. Similarly, you can view the entire Sysinternals Live directory in a browser at http://live.sysinternals.com.
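The following PowerShell script is an added example, not code from the book or from Sysinternals: it demand-starts WebClient without administrative rights the way the note describes, checks that the Live share is reachable, compares the Live build against any local copy on the Path, and launches the tool from the UNC path. The utility name and the drive letter L: are assumptions.

```powershell
# Added example (not from the book): start WebClient without admin rights, confirm the
# Sysinternals Live share is reachable, compare against a local copy, then run the tool.
$Live    = '\\live.sysinternals.com\tools'
$Utility = 'procmon.exe'      # any name from the Live directory; assumption for the demo

$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) { throw 'The WebClient (WebDAV) service is not installed on this system.' }

if ($svc.Status -ne 'Running') {
    # Touching the server with "net use" demand-starts WebClient for a standard user;
    # "Start-Service WebClient" or "net start webclient" would need administrative rights.
    net use \\live.sysinternals.com | Out-Null
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))   # throws on timeout
}
"WebClient service is $((Get-Service -Name WebClient).Status)"

# Fail early if the share cannot be reached (proxy or WebDAV blocked).
$remoteExe = Join-Path $Live $Utility
if (-not (Test-Path -LiteralPath $remoteExe)) {
    throw "$remoteExe is not reachable; check WebDAV/proxy connectivity."
}

# Sysinternals Live always serves the latest build, so its version tells you whether a
# locally installed copy on the Path (if any) is stale.
$liveVersion = (Get-Item -LiteralPath $remoteExe).VersionInfo.FileVersion
$localCmd    = Get-Command -Name $Utility -ErrorAction SilentlyContinue
if ($localCmd) {
    $localVersion = (Get-Item -LiteralPath $localCmd.Source).VersionInfo.FileVersion
    "Local $Utility is $localVersion; Sysinternals Live has $liveVersion"
} else {
    "No local $Utility on the Path; Sysinternals Live has $liveVersion"
}

# Optionally expose the whole tools folder as a drive letter for this session.
if (-not (Get-PSDrive -Name L -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name L -PSProvider FileSystem -Root $Live -Scope Global | Out-Null
}

# Launch the utility straight from the share; /accepteula suppresses the EULA dialog.
Start-Process -FilePath $remoteExe -ArgumentList '/accepteula'
```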
Single Executable Image
To simplify packaging, distribution, and portability without relying on installation programs, all of the Sysinternals utilities are single 32-bit executable images that can be launched directly. They embed any additional files they might need as resources and extract them either into the folder in which the program resides or, if that folder isn’t writable (for example, if it’s on read-only media), into the current user’s %TEMP% folder. The program deletes extracted files when it no longer needs them.
Supporting both 32-bit and 64-bit systems is one example where the Sysinternals utilities make use of this technique. For utilities that require 64-bit versions to run correctly on 64-bit Windows, the main 32-bit program identifies the CPU architecture, extracts the appropriate x64 or IA64 binary, and launches it. When running Process Explorer on x64, for instance, you will see Procexp64.exe running as a child process of Procexp.exe.
Note If the program file extracts to %TEMP%, the program will fail to run if the permissions on %TEMP% have been modified to remove Execute permissions.
Most of the Sysinternals utilities that use a kernel-mode driver extract the driver file to %SystemRoot%\System32\Drivers, load the driver, and then delete the file. The driver image remains in memory until the system is shut down. When running a newer version of a utility that has an updated driver, a reboot might be required to load the new driver.
The Windows Sysinternals Forums
The Windows Sysinternals Forums at http://forum.sysinternals.com (shown in Figure 1-7) are the first and best place to get answers to your questions about the Sysinternals utilities and to report bugs. You can search for posts and topics by keyword to see whether anyone else has had the same issue as you. There are forums dedicated to each of the major Sysinternals utilities, as well as a forum for suggesting ideas for new features or utilities. The Forums also host community discussion about Windows internals, development, troubleshooting, and malware.
You must register and log in to post to the Forums, but registration requires minimal information. After you register, you can also subscribe for notifications about replies to topics or new posts to particular forums, and you can send private messages to and receive messages from other forum members.
FIGURE 1-7 The Windows Sysinternals Forums.
Windows Sysinternals Site Blog
Subscribing to the Sysinternals Site Discussion blog is the best way to receive notifications when new utilities are published, existing utilities are updated, or other new content becomes available on the Sysinternals site. The site blog is located at http://blogs.technet.com/b/sysinternals. Although the front page notes only major utility updates, the site blog reports all updates, including minor ones.
Mark’s Blog
My own blog covers Windows internals, security, and troubleshooting topics. The blog features two popular article series related to Sysinternals: “The Case of…” articles, which document how to solve everyday problems with the Sysinternals utilities; and “Pushing the Limits,” which describes resource limits in Windows, how to monitor them, and the effect of hitting them. You can access my blog by using the following URL:
You also can find a full listing of my blog posts by title by clicking on the Mark’s Blog link on the Sysinternals home page.
Mark’s Webcasts
You can find a full list of recordings of my presentations from TechEd and other conferences for free on-demand viewing—including my top-rated “Case of the Unexplained…” sessions, Sysinternals troubleshooting how-to sessions, my Channel 9 interviews and the Springboard Virtual Roundtables that I hosted—by clicking on the Mark’s Webcasts link on the Sysinternals home page. The webcasts available at the time of this book’s publication are included on this book’s companion media.
Sysinternals License Information
The Sysinternals utilities are free. You can install and use any number of copies of the software on your computers and the computers owned by your company. However, your use of the software is subject to the license terms displayed when you launch a tool and at the Software License page linked to from the Sysinternals home page.
End User License Agreement and the /accepteula Switch
As mentioned, each utility requires acceptance of an End User License Agreement (EULA) by each user who runs the utility on a given system. The first time a user runs a particular utility on a computer—even a console utility—the utility displays a EULA dialog box like the one shown in Figure 1-8. The user must click the Agree button before the utility will run.
Because the display of this dialog box interferes with automation and other noninteractive scenarios, most of the Sysinternals utilities take the command-line switch /accepteula as a valid assertion of agreement with the license terms. For example, the following command uses PsExec (described in Chapter 6) to run LogonSessions.exe (described in Chapter 8) in a noninteractive context on server1, where the /accepteula switch on the LogonSessions.exe command line prevents it from getting stuck waiting for a button press that will never come:
PsExec \\server1 logonsessions.exe /AcceptEula
Note that some Sysinternals utilities have not yet been updated to support the /accepteula switch. For these utilities, you might need to manually set the flag indicating acceptance. You can do this with a command line like the following, which creates a EulaAccepted registry value in the per-utility registry key in the HKEY_CURRENT_USER\Software\Sysinternals branch of the registry on server1:
psexec \\server1 reg add hkcu\software\sysinternals\pendmove /v eulaaccepted /t reg_dword /d 1 /f
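As an added example (not the book's or Sysinternals' own code), the PowerShell below automates both approaches from this section: the /accepteula switch for tools that support it, and seeding the per-user EulaAccepted value for tools that do not, locally and then through PsExec on a remote system. The computer name server1, the suite path and the pendmove key name are taken from the text above; everything else is an assumption.

```powershell
# Added example (not from the book): run Sysinternals tools non-interactively. Use
# /accepteula where a tool supports it; for tools that do not, seed the EulaAccepted
# value under HKCU\Software\Sysinternals\<key>. Computer name and suite path are assumptions.
$Computer = 'server1'                              # assumed remote target
$ToolPath = 'C:\Program Files\Sysinternals'        # assumed local copy of the suite

function Test-SysinternalsEula {
    param([Parameter(Mandatory)][string]$KeyName)
    $key = "HKCU:\Software\Sysinternals\$KeyName"
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    (Get-ItemProperty -LiteralPath $key -Name EulaAccepted -ErrorAction SilentlyContinue).EulaAccepted -eq 1
}

function Set-SysinternalsEula {
    param([Parameter(Mandatory)][string]$KeyName)
    # The value is per user: it must be written in the HKCU hive of the account that will
    # actually run the tool (a scheduled-task or service account), not the admin's own.
    $key = "HKCU:\Software\Sysinternals\$KeyName"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name EulaAccepted -Value 1 -PropertyType DWord -Force | Out-Null
    Test-SysinternalsEula -KeyName $KeyName
}

# 1. Preferred: the switch. LogonSessions honors /accepteula, so it never blocks on the dialog.
& (Join-Path $ToolPath 'logonsessions.exe') /accepteula

# 2. Fallback for a tool without the switch: seed the flag first, then run. "PendMove" is
#    the key name the book shows for PendMoves; other tools use their own key names.
if (-not (Test-SysinternalsEula -KeyName 'PendMove')) {
    if (-not (Set-SysinternalsEula -KeyName 'PendMove')) { throw 'Could not set EulaAccepted' }
}
& (Join-Path $ToolPath 'pendmoves.exe')

# 3. Same two steps on a remote system, using PsExec exactly as the book does.
$psexec = Join-Path $ToolPath 'psexec.exe'
& $psexec "\\$Computer" logonsessions.exe /accepteula
& $psexec "\\$Computer" reg add hkcu\software\sysinternals\pendmove /v eulaaccepted /t reg_dword /d 1 /f
& $psexec "\\$Computer" pendmoves.exe
```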
Frequently Asked Questions About Sysinternals Licensing
■ How many copies of Sysinternals utilities can I freely load or use on computers owned by my company?
There is no limit to the number of times you can install and use the software on your devices or those you support.
■ Can I distribute Sysinternals utilities in my software, on my Web site, or with my magazine?
No. Microsoft is not offering any distribution licenses, even if the third party is distributing them for free. Microsoft encourages people to download the utilities from its download center or run them directly from the Web where they can be assured to get the most recent version of the utility.
■ Can I license or re-use any Sysinternals source code?
The Sysinternals source code is no longer available for download or licensing.
■ Will the Sysinternals tools continue to be freely available?
Yes. Microsoft has no plans to remove these tools or charge for them.