This page is about the useful system utilities developed by Mark Russinovich and Bryce Cogswell under the name Sysinternals (which has since been acquired by Microsoft). Many of the tools are useful for troubleshooting and diagnosing a Windows computer. The Sysinternals tools are divided into six categories: File and Disk Utilities, Networking Utilities, Process Utilities, Security Utilities, System Information and Miscellaneous Utilities. There are many tools, but the most widely known are AutoRuns, Process Monitor, Process Explorer, TCPView and RootkitRevealer. On this page the most relevant tools are described; visit the website (http://technet.microsoft.com/en-us/sysinternals/default.aspx) to get a complete overview of all the tools.
ATTENTION: Although most Sysinternals tools were written for Windows XP in the first place, most of them are applicable to Windows Vista as well. Most of them have to be run with additional administrator privileges (by right clicking the tool and selecting Run as administrator). In some cases it is even necessary to disable User Account Control temporarily.
DOWNLOAD THE SYSINTERNALS SUITE
A special installation procedure for the Sysinternals tools is not necessary: they can be used right away after downloading. To prevent every tool from having to be downloaded separately, there is also a suite with most Sysinternals tools available. The Sysinternals Suite (download: http://technet.microsoft.com/nl-nl/sysinternals/bb842062(en-us).aspx, a ZIP file) is 10 MB in size. Download and unpack it (to a newly created folder) by double clicking the ZIP file. Almost every tool comes with license terms which have to be agreed to once.
Junction: create symbolic links
Junction can create symbolic links which forward every request from one location to another location. A symbolic link makes programs 'believe' that the linked folder is still stored in its original location, while it has actually been moved to another location. This feature is very useful when a link to a specific location can not be changed, while the folder concerned has to be moved to another location (e.g. moving the Internet Explorer RSS feeds in Windows XP).
For more information about Junction (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb896768(en-us).aspx
DiskMon: logs and displays all hard disk activity
DiskMon shows the read and write activity of the hard disk. The tool is minimized to the system tray by Options, Minimize to Tray Disk Light. The Tray Disk Light shows the read (green) and write (red) activity. The number of times the hard disk is in action is astounding.
For more information about DiskMon (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb896646(en-us).aspx
DiskView: analyzing the file system
DiskView shows a graphical map of the files on the hard disk. Select the volume to be investigated (in the bottom left corner), then use the zoom function for a more detailed overview of the file system. The location of a file is shown by browsing to the file (the highlight function beside the button Show Next). This function is not so special on its own, but the begin and end sector of a specific file can be very valuable when repairing a damaged file with a recovery tool.
For more information about DiskView (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb896650(en-us).aspx
PendMoves/MoveFile: deleting or overwriting files in use
Sometimes a file needs to be replaced or deleted, but that is not possible because it is in use by another process. The tools PendMoves and MoveFile are able to solve this problem: MoveFile is able to move or delete an occupied file the next time Windows boots, and PendMoves shows the planned actions. These commands need the Command Console to work (enter the command CMD in the field Run/Search of the Start Menu).
For more information about PendMoves and MoveFile (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897556(en-us).aspx
TIP: By the way, the free tool Unlocker (download: http://download.cnet.com/Unlocker/3000-2248_4-10493998.html) is a better and easier alternative for deleting, moving and renaming occupied files. By right clicking a file or folder in Windows Explorer, it is directly accessible via Unlocker. In Windows Vista it is necessary to disable User Account Control temporarily.
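MoveFile schedules its work through the Win32 call MoveFileEx with the flag MOVEFILE_DELAY_UNTIL_REBOOT, which stores the planned operation as a pair of strings in the REG_MULTI_SZ registry value PendingFileRenameOperations (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), and PendMoves reads that same value back. The script below is an added example, not code from this page or from Sysinternals: it decodes that value format so the planned deletes and overwrites can be reviewed, which matters because the same mechanism is available to any installer or program with administrator rights. The registry location is Microsoft-documented; the sample value and the C:\Windows review heuristic are assumptions of this example.

```python
"""Decode the list of file moves and deletes that Windows defers until the
next boot: the list PendMoves displays and MoveFile adds to.

Added example, not code from the page or from Sysinternals. Assumption (from
Microsoft's documentation of MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT):
the operations are stored as string pairs in the REG_MULTI_SZ value
PendingFileRenameOperations under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager. The sample value
below is constructed.
"""
import sys
from dataclasses import dataclass
from typing import List, Optional

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # NT object-namespace prefix Windows prepends to each path


@dataclass
class PendingOperation:
    action: str       # "delete", "move" or "replace"
    source: str       # file as it exists now
    destination: str  # empty string for a delete

    @property
    def target(self) -> str:
        """Path affected at boot: the destination, or the source for a delete."""
        return self.source if self.action == "delete" else self.destination


def _clean_path(path: str) -> str:
    """Strip the '!' replace marker and the \\??\\ prefix from a stored path."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path


def parse_pending_renames(entries: List[str]) -> List[PendingOperation]:
    """Interpret the REG_MULTI_SZ strings as (source, destination) pairs.

    An empty destination deletes the source; a destination starting with '!'
    replaces an existing file (MOVEFILE_REPLACE_EXISTING); anything else is a
    plain move to a path that does not exist yet.
    """
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold an even number of strings")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            action = "delete"
        elif dst.startswith("!"):
            action = "replace"
        else:
            action = "move"
        ops.append(PendingOperation(action, _clean_path(src), _clean_path(dst)))
    return ops


def windows_directory_targets(ops: List[PendingOperation]) -> List[PendingOperation]:
    """Review heuristic (assumption of this example): operations that will delete
    or overwrite something under C:\\Windows at boot. Installers do this
    legitimately, so this is a list to check, not a verdict."""
    return [op for op in ops if op.target.lower().startswith("c:\\windows\\")]


def read_live_value() -> Optional[List[str]]:
    """Read the real value on Windows; None elsewhere or when nothing is pending."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
            return list(value)
    except FileNotFoundError:
        return None


# Constructed sample: a temp file to delete, a driver staged in a user's temp
# folder that will replace a file in System32, and a plain rename.
SAMPLE_VALUE = [
    r"\??\C:\Windows\Temp\setup_patch.tmp", "",
    r"\??\C:\Users\user\AppData\Local\Temp\newdrv.sys", r"!\??\C:\Windows\System32\drivers\oldname.sys",
    r"\??\C:\Program Files\App\app.exe.new", r"\??\C:\Program Files\App\app.exe",
]

if __name__ == "__main__":
    ops = parse_pending_renames(read_live_value() or SAMPLE_VALUE)
    for op in ops:
        print(f"{op.action:8} {op.source} -> {op.destination or '(delete)'}")
    for op in windows_directory_targets(ops):
        print("review:", op.target)
```

On Windows the script reads the live value and falls back to the constructed sample elsewhere, so the output can be compared directly with what PendMoves prints.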
PsFile: a list of remotely opened files
When files are shared over the network, shutting down Windows will show a warning that other users are still active and have certain files in use. Ignoring this warning can damage the open files, and the logged in users will receive an error message. The tool PsFile shows a list of the shared and opened files and which users are using them. This command needs the Command Console to work (enter the command CMD in the field Run/Search of the Start Menu).
For more information about PsFile (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897552(en-us).aspx
ShareEnum: finding the shared files in a network
Shared files in a network are a common security issue, and the overview of what is shared is quickly lost. The tool ShareEnum shows a list of the shared files on a computer and which users are allowed to view and modify them.
For more information about ShareEnum (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897442(en-us).aspx
TCPView: real-time tracking of TCP and UDP traffic
TCPView shows all TCP and UDP connections in real time. For every process, the network and internet traffic is shown (including the destination IP addresses). If the internet connection is slow, this tool is useful for finding the processes which possibly cause the delay. TCPView can even resolve the domain names of the IP addresses immediately (this option is enabled/disabled with the icon on the toolbar). With the option View, Update Speed an additional delay can be added to make it easier to follow the new entries.
For more information about TCPView (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897437(en-us).aspx
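The per-process connection list that TCPView presents can also be rebuilt from two commands that ship with Windows: netstat -ano prints every connection with its owning PID, and tasklist /fo csv maps PIDs to image names. The script below is an added example, not code from this page or from Sysinternals; it joins the two outputs and lists the established connections to non-loopback hosts per process, which is the view most useful when chasing an unexplained network talker. The two captures are constructed (with documentation IP addresses) so it runs offline, and the "expected ports" review rule is an assumption of this example.

```python
"""Reconstruct TCPView's process-to-connection view from two built-in Windows
commands: 'netstat -ano' (connections with owning PID) joined to
'tasklist /fo csv' (PID to image name). Added example, not code from the page
or from Sysinternals; the two captures below are constructed, with
documentation IP addresses, so the script runs offline. On Windows the same
functions can be fed the real output of the two commands.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Connection(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: str  # empty for UDP, which has no State column
    pid: int


def parse_netstat(text: str) -> List[Connection]:
    """Parse the table printed by 'netstat -ano'. TCP rows have five columns,
    UDP rows four (no State)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank lines, 'Active Connections', column header
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        conns.append(Connection(proto, local, foreign, state, int(pid)))
    return conns


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID to image name from 'tasklist /fo csv'."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'1.2.3.4:443' -> ('1.2.3.4', 443); also handles '[::1]:443'."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def remote_endpoints(conns: List[Connection], procs: Dict[int, str]) -> Dict[str, List[str]]:
    """Established TCP connections to non-loopback hosts, grouped by process name."""
    by_proc = defaultdict(set)
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        host, _ = _split_endpoint(c.foreign)
        if host.startswith("127.") or host == "::1":
            continue
        by_proc[procs.get(c.pid, f"pid {c.pid}")].add(c.foreign)
    return {name: sorted(eps) for name, eps in by_proc.items()}


def nonstandard_ports(endpoints: Dict[str, List[str]], allowed=(80, 443)) -> Dict[str, List[str]]:
    """Review heuristic (assumption of this example): remote ports outside the
    expected set, per process. A starting point for a closer look, not a verdict."""
    result = {}
    for name, eps in endpoints.items():
        odd = [ep for ep in eps if _split_endpoint(ep)[1] not in allowed]
        if odd:
            result[name] = odd
    return result


# Constructed 'netstat -ano' capture (IP addresses from documentation ranges)
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     3120
  TCP    192.168.1.20:49723     93.184.216.34:443      ESTABLISHED     4212
  TCP    192.168.1.20:49801     203.0.113.9:8443       ESTABLISHED     5566
  UDP    0.0.0.0:5353           *:*                                    3120
"""

# Constructed 'tasklist /fo csv' capture
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","912","Services","0","9,012 K"
"browser.exe","3120","Console","1","210,444 K"
"browser.exe","4212","Console","1","95,120 K"
"updater.exe","5566","Console","1","4,980 K"
'''

if __name__ == "__main__":
    eps = remote_endpoints(parse_netstat(NETSTAT_SAMPLE), parse_tasklist_csv(TASKLIST_SAMPLE))
    for name, targets in eps.items():
        print(name, "->", ", ".join(targets))
    print("review:", nonstandard_ports(eps))
```

Unlike TCPView this is a single snapshot rather than a live view, so for an intermittent problem run it a few times and compare; the UDP rows are parsed but left out of the per-process list because they carry no connection state.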
AutoRuns: investigating and improving the startup process
AutoRuns (similar to MSCONFIG in Windows, but much better) is the most advanced tool for analyzing the auto-starting locations. Auto-starting items like applications, services, drivers, Explorer shell extensions, toolbars and browser helper objects are easily disabled (and enabled again afterwards) to improve the startup process of Windows. You'll probably be surprised how many of them are launched automatically and how many system resources they occupy. By disabling the unwanted or unnecessary items, the computer will boot quicker and more system resources will be available for other applications.
AutoRuns not only has more extensive features compared to similar tools, but also shows more information about every item in the startup process (like the location where it is called from). The page about removing unwanted software describes AutoRuns in more detail.
For more information about AutoRuns (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb963902(en-us).aspx
Process Monitor: real-time monitoring of system changes
The tool Process Monitor can be used for monitoring, in real time, the file system changes, process activity and registry changes of active applications. The options for monitoring are separately available in the toolbar.
For more information about Process Monitor (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb896645(en-us).aspx
Process Explorer: the alternative to the Windows Task Manager
Windows Task Manager (use the key combination CTRL-SHIFT-ESC) shows limited information about the running processes. The tool Process Explorer is a similar application but shows a lot more information, which makes it easier to analyze why a process stops responding. Right click a process and select Search Online to find out what a process is used for. The feature View, Lower Pane View, Handles shows which files are opened by the process. In Windows XP, the Windows Task Manager can be replaced by Process Explorer (Options, Replace Task Manager). Once you are familiar with Process Explorer, the Windows Task Manager will soon be forgotten.
For more information about Process Explorer (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb896653(en-us).aspx
Handle and ListDLLs: analyzing the loaded processes/DLLs
The tool Handle is useful for displaying all the files which are kept open by one of the processes, while the tool ListDLLs displays a list of all the DLL files kept open. These commands need the Command Console to work (enter the command CMD in the field Run/Search of the Start Menu). When the Command Console is not your favorite environment, it is better to use the tool Process Explorer, which does a similar job.
For more information about Handle and ListDLLs (and the download links):
http://technet.microsoft.com/nl-nl/sysinternals/bb896655(en-us).aspx
http://technet.microsoft.com/nl-nl/sysinternals/bb896656(en-us).aspx
Security Utilities
RootkitRevealer: searching for rootkits
Rootkits are malware, including viruses, spyware and trojans, that attempt to hide their presence from antivirus, anti-spyware and system management utilities. Because they try to hide themselves, they are hard to find with 'normal' virus scan software, but RootkitRevealer will show their presence. Read the manual before using this tool!
For more information about RootkitRevealer (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897445(en-us).aspx
BGInfo: show a system overview on the desktop
The tool BGInfo shows all kinds of system information on the desktop (software, hardware and network related). By choosing a new desktop image, the shown information disappears.
For more information about BGInfo (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897426(en-us).aspx
BlueScreen Screen Saver: simulation of a BSOD
Is it time to have some fun? Test the problem solving capabilities of your colleague with the tool BlueScreen Screen Saver ;-). This tool shows the well known blue screen of death (a BSOD) or a simulation of a reboot (with the startup splash screen and a progress bar). Many IT specialists will walk right into it!
Installing the BlueScreen Screen Saver is done by right clicking the file Sysinternals BlueScreen.scr and selecting Install. Right click the desktop and select Properties, tab Screen Saver (XP) or Personalize, option Screen Saver (Vista) and enable the screensaver. Don't use too short a period to activate the screensaver...
For more information about BlueScreen (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897558(en-us).aspx
ZoomIt: zooming in and drawing on the screen
ZoomIt is a useful tool to zoom in quickly on a screen area and/or to use the mouse as a pointer on the screen, as shown in the picture below.
For more information about ZoomIt (and the download link):
http://technet.microsoft.com/nl-nl/sysinternals/bb897434(en-us).aspx
© 2001-2022 - Menno Schoone - SchoonePC - Rotterdam - The Netherlands