This page is about the useful system utilities developed by Mark Russinovich and Bryce Cogswell under the name Sysinternals (which has been acquired by Microsoft). Many of the tools are useful in troubleshooting and diagnosing a Windows computer. The Sysinternals tools are divided into six categories: File and Disk Utilities, Networking Utilities, Processes Utilities, Security Utilities, System Information and Miscellaneous Utilities. There are many tools, but the widely known are AutoRuns, Process Monitor, Process Explorer, TCPView and RootkitRevealer. On this page the most relevant tools are described, visit the website (http://technet.microsoft.com/en-us/sysinternals/default.aspx) but to get a complete overview of all the tools.
ATTENTION: Although most Sysinternals tools are written for Windows XP in the first place, the most are applicable to Windows Vista as well. Most of them have to be run with additional administrator privileges (by right clicking the tool and to select Run as administrator). In some cases it is even necessary to disable User Account Control temporarily.
DOWNLOAD THE SYSINTERNALS SUITE
A special installation procedure for the Sysinternals tools is not necessary, they can be used right away after downloading. To prevent that every tool has to be downloaded separately, there is also a suite with most Sysinternals tools available. The Sysinternals Suite (download: http://technet.microsoft.com/nl-nl/sysinternals/bb842062(en-us).aspx, a ZIP file) is 10 Mb in size. Download and unpack it (to an newly created folder) by double clicking the ZIP file. Almost every tool comes with license terms which have to be agreed once.
Junction: create symbolic links
Junction can create symbolic links which forwards every request from a location to another location. A symbolic link makes programs 'believe' that the linked folder is still stored on its original location while it actually has been moved to another location. This feature is very useful when a link to a specific location can not be changed, while the concerning folder has to be moved to another location (e.g. moving the Internet Explorer RSS-feeds in Windows XP).
For more information about Junction (and the download link):
DiskMon: logs and displays all hard disk activity
DiskMon shows the read and write activities of the hard disk. The tool is minimized to the system tray by Options, Minimize to Tray Disk Light. The Tray Disk Light shows the read (green) and write (red) activities. The number of times the hard disk is in action is astounding.
For more information about DiskMon (and the download link):
DiskView: analyzing the file system
DiskView shows a graphical map of the files on the hard disk. Select the volume to be investigated (at the left bottom corner) followed by the zoom function for a more detailed overview of the file system. The location of a file is shown by browsing the file (the highlight function besides the button Show Next). This function is not so not so special on itself, but the begin and end sector of a specific file can be very valuable in repairing a damaged file with a recovery tool.
For more information about DiskView (and the download link):
PendMoves/MoveFile: deleting or overwriting files in use
Sometimes a file needs to be replaced or deleted but that is not possible because it is in use by another process. The tools PendMoves and MoveFile are able to solve this problem: MoveFile is able to move or delete an occupied file the next time Windows boots and PendMoves shows the planned actions. These commands need the Command Console to work (enter the command CMD in the field Run/Search of the Start Menu).
For more information about PendMoves en
MoveFile (and the download link):
TIP: By the way, the free tool Unlocker (download: http://download.cnet.com/Unlocker/3000-2248_4-10493998.html) is a better and easier alternative for deleting, moving and renaming of occupied files. By right clicking a file or folder in the Windows Explorer, it is directly accessible by Unlocker. In Windows Vista it is necessary to disable User Account Control temporarily.
PsFile: a list of remotely opened files
When files are shared over the network, shutting down Windows will show a warning that other users are still active and have certain files in use. Neglecting this warning can damage the open files, while the logged in users will receive an error message. The tool PsFile shows a list of the shared and opened files and which users are using them. This command needs the Command Console to work (enter the command CMD in the field Run/Search of the Start Menu).
For more information about PsFile (and the download link):
ShareEnum: finding the shared files in a network
The shared files in a network are a common security issue and the overview of the shared files is quickly lost. The tool ShareEnum shows a list of the shared files on a computer and which users are allowed to view and modify them.
For more information about ShareEnum (and the download link):
TCPView: realtime tracking of TCP- and UDP traffic
TCPView shows all real time TCP and UDP traffic. For every process, the network and internet traffic is shown (the destination IP addresses included). If there is a slow internet connection, this tool is useful in finding processes which possibly cause the delay. TCPView even resolves the domain name for the IP addresses immediately (this option is enabled/disabled with the icon on the toolbar). With the option View, Update Speed an additional delay can be added to make it easier to follow the new entries.
For more information about TCPView (and the download link):
AutoRuns: investigating and improving the startup process
AutoRuns (similar to MSCONFIG in Windows but much better) is the most advanced tool for analyzing the auto-starting locations. Auto-starting items like applications, services, drivers, explorer shell extensions, toolbars and browser helper objects are easily disabled (and enabled afterwards) to improve the startup process of Windows. You'll probably be surprised how many of them are launched automatically and how much system recourses they occupy. By disabling the unwanted or not necessary items, the computer will boot quicker and more system recourses will be available for other applications.
AutoRuns not only has more extensive features compared to similar tools, but also shows more information about every item in the startup process (like the location where it is called from). The page about removing unwanted software describes AutoRuns in more detail.
For more information about AutoRuns (and the download link):
Process Monitor: realtime monitoring of system changes
The tool Process Monitor can be used for monitoring real time changes to files, process activity and registry changes of active applications. The options for monitoring are separately available in the toolbar.
For more information about Process Monitor
(and the download link):
Process Explorer: the alternative for the Windows Task Manager
Windows Task Manager (use the key combination CTRL-SHIFT-ESC) shows limited information about the running processes. The tool Process Explorer is a similar application but shows a lot more information, which makes it easier to analyze why a process stops responding. Right click a process and select Search Online to find out what a process is used for. The feature View, Lower Pane View, Handles shows which files are opend by the process. In case of Windows XP, the Windows Task Manager can be replaced by the Process Explorer (Options, Replace Taskbar Manager). If you are familiar with Process Explorer, the Windows Task Manager will soon be forgotten.
For more information about Process Explorer (and the download
Handle and ListDLLs: analyzing the loaded processes/DLL's
The tool Handle is useful for displaying all the files which are kept open by one of the processes while the tool ListDLLs displays a list of al the DLL files kept open. These commands need the Command Console to work (enter the command CMD in the field Run/Search of the Start Menu). When the Command Console is not your favorite environment, it is better to use the tool Process Explorer which does a similar job.
For more information about Handle en ListDLLs (and the download link):
RootkitRevealer: searching for rootkits
Rootkits is malware, including viruses, spyware, and trojans, attempting to hide their presence from antivirus, anti spyware and system management utilities. Because they try to hide themselves, they are hard to find with ‘normal’ virus scan software but RootkitRevealer will show their presence. Read the manual before using this tool!
For more information about RootkitRevealer (and the download link):
BGInfo: show a system overview on the desktop
The tool BGInfo shows all kind of system information on the desktop (software-, hardware- and network related). By choosing a new desktop image, the shown information is gone.
For more information about BGInfo (and the download link):
BlueScreen Screen Saver: simulation of a BSOD
Is it time to have some fun? Test the problem solving capabilities of your college with the tool BlueScreen Screen Saver ;-). This tool shows the well known blue screens of death (a BSOD) or a simulation of a reboot (with the startup splash screen and a progress bar). Many IT specialists will walk right into it.!
Installing the BlueScreen Screen Saver is done by right clicking the file Sysinternals BlueScreen.scr and select Install. Right click the desktop and select Properties, tab Screensaver (XP) or Personalize, option Screen Saver (Vista) and enable the screensaver. Don't use a too short period to activate the screensaver...
For more information about BlueScreen (and the download link):
ZoomIT: zooming in and drawing on the screen
ZoomIt is a useful tool to zoom in quickly on a screen area and/or to use the mouse as pointer on the screen, as shown in the picture below.
For more information about ZoomIt (and the download link):
Comodo Internet Security
Installing Windows in 10 steps
Move personal files
© 2001-2022 - Menno Schoone - SchoonePC - Rotterdam - The Netherlands