
Sysinternals suite description. Utilities for fine-tuning Windows

Sysinternals Suite 10/27/2015 Portable - for configuration, optimization, testing

A large package of technical utilities for configuring, optimizing, testing, and identifying and fixing errors in operating systems of the Windows family.

The range of application of this package is quite wide, because its utilities cover many areas of the operating system. For example, the Autoruns utility manages autostart entries, Process Monitor observes all activity in the computer's file system, and the PageDefrag utility optimizes and defragments the registry hives.

List of utilities included:
AccessChk, AccessEnum, AdExplorer, AdRestore, Autologon, Autoruns, BgInfo, CacheSet, ClockRes, Contig, Coreinfo, Ctrl2Cap, DebugView, Desktops, DiskExt, DiskMon, DiskView, Disk Usage (DU), EFSDump, FileMon, Handle, Hex2dec, Junction, LDMDump, ListDLLs, LiveKd, LoadOrder, LogonSessions, NewSid, NTFSInfo, PageDefrag, PendMoves, PortMon, ProcessExplorer, Process Monitor, ProcFeatures, PsExec, PsFile, PsGetSid, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutdown, PsSuspend, RegDelNull, RegJump, RegMon, RootkitRevealer, SDelete, ShareEnum, ShellRunas, SigCheck, Streams, Strings, Sync, TCPView, VolumeID, WhoIs, WinObj, VMMap, ZoomIt

Includes:

  • AccessChk is a command line tool for viewing effective permissions for files, registry keys, services, processes, kernel objects, and more.
  • AccessEnum is a simple yet powerful security tool that shows who has access to directories, files and registry keys on your system. With it, you can find holes in your rights.
  • AdExplorer (Active Directory Explorer) is an advanced viewer and editor for Active Directory (AD).
  • AdInsight is a real-time LDAP (Light-weight Directory Access Protocol) monitoring tool aimed at troubleshooting Active Directory client applications.
  • AdRestore restores Server 2003 Active Directory objects.
  • Autologon configures automatic logon so the password prompt is skipped at login.
  • Autoruns shows which programs run automatically at system boot or at login. Autoruns also displays a complete list of registry paths and file locations for applications that can be configured to run automatically.
  • BgInfo is a fully customizable program that automatically generates desktop wallpapers that contain important system information, including IP addresses, computer name, network adapters, and more.
  • CacheSet is a program that allows you to control the working set size of the Cache Manager using functions provided by NT. It is compatible with all versions of NT.
  • ClockRes shows the resolution of the system clock, which is also the maximum timer resolution.
  • Contig Would you like a quick defragmentation of frequently used files? Use Contig to optimize individual files, or create new files that are stored contiguously.
  • Coreinfo is a command line utility that shows the mapping between logical and physical processors, the NUMA node and socket they are located on, and the cache assigned to each logical processor.
  • Ctrl2Cap is a kernel-mode driver that demonstrates keyboard input filtering ahead of the keyboard class driver to turn Caps-Lock into CTRL keys. Filtering at this level allows you to convert and hide keys before NT "sees" them. Ctrl2cap also shows how to use NtDisplayString() to print blue screen initialization messages.
  • DebugView this program intercepts calls made to DbgPrint by device drivers and OutputDebugString made by Win32 programs. This allows you to view and capture the output of a debugging session on your local machine or over the Internet without an active debugger.
  • Desktops allows you to organize your applications into up to four virtual desktops.
  • Disk2vhd is a utility that creates VHD (Microsoft's Virtual Hard Disk virtual machine disk format) versions of physical disks for use in a Microsoft Virtual PC or Microsoft Hyper-V virtual machine.
  • DiskExt shows which physical disks each volume is mapped onto.
  • DiskMon intercepts all hard drive activity, or acts as a software disk-activity "light" in the system tray.
  • DiskView is a utility for graphically displaying disk sectors.
  • Disk Usage (DU) shows the disk space used by a directory.
  • EFSDump shows information about encrypted files.
  • FindLinks reports the index of the file and any hard links that exist for the specified file.
  • Handle is a handy command line utility that will show you which processes have files open, and more.
  • Hex2dec Convert hexadecimal to decimal and vice versa.
  • Junction creates Win2K NTFS symbolic links.
  • LDMDump Dumps the contents of the Logical Disk Manager database on disk that describes the partitioning of Windows 2000 dynamic disks.
  • ListDLLs A list of all DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 displays the full path of loaded modules.
  • LiveKd uses Microsoft's kernel debuggers to examine the live system.
  • LoadOrder shows the order in which device drivers are loaded on your WinNT/2K system.
  • LogonSessions A list of active logon sessions.
  • MoveFile allows you to schedule move and delete commands for the next reboot.
  • NTFSInfo Use NTFSInfo to see detailed information about NTFS volumes, including the size and location of the Master File Table (MFT) and MFT zone, and the sizes of NTFS metadata files.
  • PageDefrag defragments your paging files and registry hives.
  • PendMoves lists the file rename and delete commands that will be executed on the next boot.
  • PipeList lists the named pipes defined on the system.
  • PortMon is an advanced serial and parallel port activity monitoring tool. It knows about all standard serial and parallel IOCTLs and even shows some of the transmitted and received data. Version 3.x has a powerful, improved interface and advanced filtering options.
  • ProcDump is a command line utility designed to monitor applications for peaks in CPU usage and generate crash dumps during a spike that an administrator or developer can use to determine the cause of a spike.
  • The ProcessExplorer utility allows you to find out which files, registry keys and other objects a process has open, which libraries it has loaded, and much more. This uniquely powerful utility will even show you who owns each process.
  • ProcessMonitor monitors file system, registry, process, thread and DLL activity in real time.
  • PsExec executes processes with limited user rights.
  • PsFile shows which files are opened remotely.
  • PsGetSid displays the security identifier (SID) of a computer or user.
  • PsInfo displays information about the system.
  • PsKill terminates local or remote processes.
  • PsList shows information about processes and threads.
  • PsLoggedOn shows the users logged into the system.
  • PsLogList dumps event log entries.
  • PsPasswd changes account passwords.
  • PsService views and manages services.
  • PsShutdown shuts down and optionally restarts the computer.
  • PsSuspend suspends and resumes processes.
  • RAMMap is a physical memory usage analysis utility for Windows Vista and above.
  • RegDelNull checks and removes registry keys containing null characters that cannot be removed by standard registry editing tools.
  • RegJump jumps Regedit to the specified registry path.
  • RootkitRevealer scans your system for rootkits.
  • SDelete, a DoD-compliant secure delete program, securely overwrites sensitive files and cleans previously deleted files out of free space.
  • ShareEnum scans file shares on the network and shows their security settings so you can close security holes.
  • ShellRunas runs programs as another user through a convenient shell context menu entry.
  • SigCheck Dump file version information and verify digital signature.
  • Streams detects alternate NTFS streams.
  • Strings search for ANSI and UNICODE strings in binary images.
  • Sync flushes cached data to disk.
  • TCPView is an active socket viewer (the command line version is Tcpvcon).
  • VMMap is a utility for analyzing the virtual and physical memory of processes.
  • VolumeID sets the volume ID on FAT or NTFS drives.
  • WhoIs shows who owns an Internet address.
  • WinObj is a viewer for the Object Manager namespace.
  • ZoomIt is a presentation utility for zooming and drawing on the screen.

First, a little history: this product, like its site, dates back to 1996. The goal was simple: to collect all the available service programs in one place, so that you do not need to download Mark Russinovich's developments one by one. In July 2006 Microsoft acquired Sysinternals. So if you decide to download Sysinternals Suite from our project, you will receive a large number of service programs aimed at managing, troubleshooting and performing simple diagnostics of both individual applications and operating systems of the Windows family.

In general, the included utilities can be divided into categories. For example, the network tools let you use not only connection monitors but also analyze the security of various resources and view active sockets; the list goes on, and I think you will figure it out yourself. Next comes the System Information category, a set of small tools that help you view and adjust system resource usage. In particular, you can see the programs that start automatically when Windows starts, view file system activity in real time, determine the order in which drivers are loaded, and so on.

The Sysinternals Suite also offers security software. You will be able to configure and manage your security settings, you will have access to a utility for finding and removing rootkits, and there are spyware hunters. You will be able to view the list of logged-on users, view the event log, and so on. Next comes the "Processes and threads" category, with programs for determining what tasks particular processes perform and what resources they consume. Of course, Sysinternals Suite also provides some good utilities for working with hard drives and files.

The information was taken from the official site. After unpacking the archive you will simply have a set of utilities in front of you; there is no friendly user interface with categories, so you must know what exactly you need. Before that, I recommend that you go to the official website, look through the categories I wrote about, and decide what interests you. In general, I hope the Sysinternals Suite utility package will be useful to you; it is quite extensive and you can find a lot in it.

Developer: Microsoft
License: freeware
Language: English
Size: 29MB
OS: Windows

Where can I download

Download addresses for SysInternals Suite utilities:
http://www.sysinternals.com
https://technet.microsoft.com/en-us/sysinternals

What is included in the kit

The set of utilities is quite large - over 70 programs for various purposes. I will give only a general list of utilities with a brief description. On the site you can get quite detailed information about each utility. And the potential of some of these utilities is truly enormous. The most useful (in my subjective opinion) utilities are highlighted in bold. Utilities for which (yet) there is no Russian description are in italics.

AccessChk Displays permissions to files, registry keys, or Windows services for a specific user or group of users.
AccessEnum Small but powerful security analysis software. Displays a list of users and groups that have access to files, folders, and registry keys, so you can look for vulnerabilities in access permission settings.
AdExplorer Active Directory Explorer is an advanced tool for viewing and editing Active Directory (AD).
AdInsight A real-time LDAP (Lightweight Directory Access Protocol) monitoring utility that helps troubleshoot problems with Active Directory (AD) client applications.
AdRestore Allows you to restore Server 2003 Active Directory objects.
Autologon Designed for automatic login to the system without entering a password.
Autoruns Allows you to determine which programs start automatically when the system boots and a user logs on. It also shows a complete list of registry paths and file locations where applications can be configured to start automatically.
BgInfo This fully customizable program automatically generates desktop backgrounds that include important system information such as IP addresses, computer name, network adapters, and more.
BlueScreen This screensaver not only simulates a blue screen very accurately, but is also capable of simulating a reboot (complete with CHKDSK); it runs under Windows NT 4, Windows 2000, Windows XP, Server 2003 and Windows 9x.
CacheSet The CacheSet program allows you to adjust the size of the cache manager's working set using native NT functions. Compatible with all versions of NT OS.
ClockRes Shows the resolution of the system clock (this value is the same as the maximum resolution of the timer).
Contig Is a quick defragmentation of regularly used files relevant? The Contig program allows you to optimize individual files and create new ones placed in adjacent clusters.
Coreinfo This command line utility displays the mapping between logical and physical processors, the NUMA node and socket they belong to, and the cache assigned to each logical processor.
Ctrl2cap The program is a kernel-mode driver that filters keyboard input ahead of the keyboard class driver, turning the Caps Lock key into a Control key. Filtering at this level allows you to change and hide keys before NT even "sees" them. Ctrl2cap also shows how to use NtDisplayString() to print messages on the blue screen during initialization.
DebugView This program intercepts calls to DbgPrint by device drivers and to OutputDebugString by Win32 programs. This allows you to view and capture the output of a debug session on your local machine or over the network without an active debugger.
Desktops This program allows you to create four virtual desktops, which you can switch between using either keyboard shortcuts or an icon in the taskbar.
Disk2vhd This program allows you to create a virtual disk (VHD) from a physical disk for use with Microsoft Virtual PC or Microsoft Hyper-V. Unlike other programs for converting physical disks to virtual ones, this program converts the disk of a running system (it is launched only on a running system and creates a VHD file with an image of that system for Hyper-V).
DiskExt Displays information about the allocation of partitions on disks.
DiskMon This utility captures all hard disk operations; in addition, it can act as a disk activity indicator in the taskbar.
DiskView Graphical disk sector analysis program.
Disk Usage (DU) Displays disk space usage by directory.
EFSDump View information about encrypted files.
FileMon This program is designed to track all file system activity in real time.
FindLinks Searches for and displays the hard links to the specified file, and also displays the file's index.
Handle This command line utility allows you to display a list of files opened by processes, as well as a number of other data.
Hex2dec The program converts hexadecimal numbers to decimal and vice versa.
Junction Creating NTFS symbolic links in a Win2K environment.
LDMDump Dumps the contents of the on-disk Logical Disk Manager database, which describes the partitioning of Windows 2000 dynamic disks.
ListDLLs This program lists all currently loaded DLLs, their versions, and the path they were loaded from. Version 2.0 prints full paths to loaded modules.
LiveKd Uses Microsoft's kernel debuggers to analyze a live system.
LoadOrder Shows the order in which device drivers are loaded on a WinNT/2K system.
LogonSessions Displays a list of active login sessions.
MoveFile Scheduling rename and delete commands for the next reboot. This program can be useful in removing persistent and active malware files.
NewSID This free computer SID changer solves the well-known problem of duplicate SIDs.
NTFSInfo The NTFSInfo utility provides detailed information about NTFS volumes, including the size and location of the master file table (MFT) and MFT zone, and the size of NTFS metadata files.
PageDefrag Defragment swap files and registry hives!
PendMoves Displays a list of commands to rename and delete files scheduled for execution on the next reboot.
PipeList A program to enumerate created named pipes.
PortMon This advanced program is designed to monitor the activity of serial and parallel ports. It supports all standard control commands (IOCTL) for serial and parallel ports and even displays some of the received and transmitted data. Version 3.x introduces significant new user interface improvements and enhanced filtering capabilities.
ProcDump A command line utility that creates crash dumps of processes, either on a trigger or on demand.
Process Explorer This program displays files, registry keys, DLLs, and other objects opened or loaded by various processes, and other information such as the owner of the process.
Process Monitor This program allows you to monitor the activity of the file system, registry, processes, threads and DLLs in real time.
ProcFeatures Displays processor and Windows support for Physical Address Extension and no-execute buffer overflow protection.
PsExec Allows you to execute processes remotely.
PsFile Allows you to see which files are opened remotely.
PsGetSid Displays the security identifier (SID) of a computer or user.
PsInfo Displays information about the system.
PsKill Allows you to end processes by name or process ID, incl. remotely.
PsList Displays detailed information about processes.
PsLoggedOn Allows you to see who is logged on locally or through shared resources (the download includes the full source code of the program).
PsLogList Allows you to dump entries from the Windows event logs to a text file (after which they can be processed in any way).
PsPasswd Allows you to change account passwords.
PsPing A command line utility that checks network bandwidth and latency. Version 2.0 added UDP delay, as well as throughput testing, added support for timed tests, added support for custom histograms.
PsService Allows you to view information about services and manage them.
PsShutdown Allows you to shut down and, if necessary, restart your computer.
PsSuspend Allows you to suspend processes.
PsTools The PsTools suite includes command-line utilities for listing processes running on local or remote computers, launching processes remotely, rebooting computers, displaying the contents of event logs, and more. (this is a set of utilities Ps...)
RAMMap A free utility designed to analyze the physical memory usage of a computer running Microsoft Windows operating systems.
RegDelNull Scans and removes registry keys that contain invalid characters that cannot be removed by conventional registry editing tools.
Registry Usage The utility displays the amount of disk space occupied by the registry keys you specify.
RegJump The program jumps Regedit to the specified registry path.
RegMon This program is designed to track all registry activity in real time.
RootkitRevealer Searches for rootkits.
SDelete Allows you to overwrite sensitive data and clear free space from previously deleted files. The program complies with US Department of Defense security standards.
ShareEnum Allows you to scan network file shares and view their security settings to fix security holes.
ShellRunas Launches programs as another user from the shell context menu.
SigCheck Displays file version information and allows you to verify that the images on the system are digitally signed.
Streams Displays additional NTFS file system data streams.
Strings Search for ANSI and Unicode strings in binary images.
Sync Flush cached data to disk.
Sysmon A Windows system service and device driver that, once installed, remains running for the whole time the system is up and monitors system activity (process creation, network connections and changes to file creation times), recording everything to the Windows event log.
TCPView A tool for viewing active sockets (with a command-line version).
VMMap A utility for analyzing the virtual and physical memory of processes.
VolumeId Sets the volume ID on FAT or NTFS drives.
WhoIs Allows you to find out who owns an Internet address.
WinObj A highly efficient program for browsing the Object Manager namespace.
ZoomIt A presentation utility for zooming in on and drawing on the screen.

Useful key for all SysInternals Suite utilities

Any utility from the SysInternals set (including the console ones) requires acceptance of the license agreement when it is first run on a computer. When creating batch files that will run on many computers (for example, on every computer in a domain), this is extremely inconvenient. Therefore, when running from a batch file, you can add a switch to the command line that automates acceptance of the license agreement: /AcceptEULA.
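The switch in a script, as an added PowerShell example (not code from the page or from Sysinternals). It assumes the suite is unpacked to C:\SysinternalsSuite and uses PsInfo as the tool; it also shows the per-user registry flag the tools consult, so that tools launched interactively by the same account do not prompt either. The subkey names under HKCU:\Software\Sysinternals are assumed to match the tool names and should be checked after one manual acceptance.

```powershell
# Added example; not from the page. Run a Sysinternals console tool from a script
# without the first-run license prompt. Assumes (hypothetical) C:\SysinternalsSuite
# and that this runs as the account that will later start the tools interactively.
$suite = 'C:\SysinternalsSuite'

# Method 1: pass the switch on the command line. The tools document it as
# -accepteula (the page writes /AcceptEULA); include it on every invocation,
# since any run on a fresh computer could be the first one.
$psinfo = Join-Path $suite 'psinfo.exe'
if (-not (Test-Path -LiteralPath $psinfo)) { throw "Tool not found: $psinfo" }
& $psinfo -accepteula

# Method 2: pre-seed the per-user flag the tools consult, which covers GUI tools
# such as Autoruns as well. Subkey names are assumed to follow the tool name;
# verify them under HKCU:\Software\Sysinternals after one manual acceptance.
foreach ($name in 'PsInfo', 'PsExec', 'AutoRuns') {
    $key = "HKCU:\Software\Sysinternals\$name"
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $key -Name 'EulaAccepted' -Value 1 -Type DWord
}
```

Method 2 only affects the user hive it is written to, so a scheduled task running as SYSTEM or a different service account still needs method 1 on its own command line.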

Sysinternals Suite is a free library of powerful tools for deep customization of Windows operating systems.

Two decades ago, Mark Russinovich and Bryce Cogswell founded a company called Winternals Software. Over the years, they have developed a library of powerful tools for deep customization of Microsoft's then flagship business operating system, Windows NT.

Microsoft acquired the company in 2006 (and wisely hired both of its founders). Surprisingly, the tools in the Sysinternals Suite continue to be regularly updated today, ten years later. No less surprising - they are still completely free.

In the complete collection of Sysinternals Utilities, you'll find over 70 command-line applications and tools, as well as their associated help files. Among them is a small group of essential super-tools for every IT professional and Windows power user, but you will probably find your own favorites as well.

Let's focus on three of the most powerful Sysinternals tools: Autoruns, Process Explorer, and Process Monitor. Each of these tools is a worthy improvement on the corresponding built-in Windows application. Later, we'll look at a few of the other interesting ones, including PsTools and TCPView, with pointers to what else might be useful.

Of course, you can visit the Windows Sysinternals page at https://technet.microsoft.com/sysinternals and, using the alphabetical index of utilities, pick only the tools you need. For a slightly more targeted approach, try the six separate categories: file and disk, networking, process, security, system information, and miscellaneous.

But it's much easier to download the entire Sysinternals suite ( https://technet.microsoft.com/sysinternals/bb842062) and unzip it into its own folder.

As a handy alternative, to save disk space and make sure you are always using the latest version of a utility, use the Sysinternals Live service. At https://live.sysinternals.com you will find a complete list of all tools and support files. If you know the name of the tool you want, you can enter its path in the Run dialog or on the command line, for example under https://live.sysinternals.com/ or \\live.sysinternals.com\tools\ . (Hint: save your favorites as web shortcuts for quick access.)

Sysinternals Live allows you to run the latest versions of each tool in your collection with a single click.

Some Sysinternals tools are fully fleshed out and have a distinctive graphical interface. Others are meant to be run interactively on the command line or through scripts.

Setting up Sysinternals Suite to run from anywhere

Let's look at a couple of tips. If you've downloaded the entire Sysinternals Suite, you'll probably want to run its commands from anywhere: the Run dialog box, the command prompt window, the search box. You can do this by adding the Sysinternals folder to the "Path" environment variable, which also gives you a chance to see the much improved Windows 10 interface for editing this and other environment variables.

To get started, type "environment" in the search field, then in the list of results click "Edit the system environment variables". In the System Properties dialog box, click the Environment Variables button, select Path and click the Edit button. The following dialog box will be displayed. If you've ever tried to edit the Path variable in a previous version of Windows, you'll appreciate how much easier this dialog box is compared to its predecessors.

If you have extracted the files to a folder named SysinternalsSuite in the root directory of the "C" drive, all you have to do is click the "New" button, browse to that folder, and select it to enter its full path (if you saved the files elsewhere, enter that path instead). Then click the OK button twice to save your changes. Now you can enter any Sysinternals command, such as "Autoruns", to run that tool without specifying its full location.
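The same change done from an elevated PowerShell prompt, as an added example rather than anything from the page: it appends the folder to the machine-wide Path only if it is not already there, and first checks that the folder is not writable by ordinary users, since any directory on the machine Path that standard users can write to lets them plant an executable that administrators will run by name. The folder C:\SysinternalsSuite is the page's example location; the check for the access-control entries is an assumption about what counts as "too permissive".

```powershell
# Added example; not from the page. Append the unpacked Sysinternals folder to the
# machine-wide Path. Run from an elevated PowerShell prompt. Assumes the folder
# C:\SysinternalsSuite used in the text.
$folder = 'C:\SysinternalsSuite'
if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
    throw "Folder not found: $folder"
}

# Refuse to add a folder that non-administrators can write to: everything on the
# machine Path is executed by name, so a writable folder there is a planting spot.
$broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writable = (Get-Acl -LiteralPath $folder).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadGroups -contains $_.IdentityReference.Value -and
    $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
}
if ($writable) {
    throw "$folder is writable by $($writable.IdentityReference -join ', '); tighten its ACL first."
}

$scope   = [System.EnvironmentVariableTarget]::Machine
$entries = [Environment]::GetEnvironmentVariable('Path', $scope) -split ';' |
           Where-Object { $_ -ne '' } |
           ForEach-Object { $_.TrimEnd('\') }

if ($entries -contains $folder.TrimEnd('\')) {
    Write-Host "$folder is already on the machine Path."
} else {
    # Append, not prepend, so the suite cannot shadow built-in tools of the same name.
    $newPath = ($entries + $folder) -join ';'
    [Environment]::SetEnvironmentVariable('Path', $newPath, $scope)
    Write-Host "Added $folder to the machine Path; new consoles will pick it up."
}

# Make the tools available in this session too, without opening a new console.
$env:Path = "$env:Path;$folder"
```

Appending rather than prepending is deliberate: a prepended folder would let a tool named like a system command take precedence for every administrator on the machine.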

Not all tools in the Sysinternals Suite are created equal. Some of them were obviously written for a different era and have little to do with the latest desktop version of Windows or modern server versions. Also, some tools, while still useful, have been superseded by built-in features. For example, with the "Desktops" application you can create up to four virtual desktops and assign a hotkey to each of them. The addition of virtual desktops as a built-in feature in Windows 10 makes the Sysinternals alternative far less necessary.

The best clue for understanding which programs deserve closer attention is the "Date created" field. Switch to the details view in Explorer, add a "Date created" column, and then sort by that column. In this list you'll find date and time stamps going back to 1999 and earlier. The most useful Sysinternals programs are regularly updated and appear at the top of the list.

Over the years, the management of programs that automatically start when you turn on your Windows system has gradually improved. The latest addition to the Windows toolbox, the Startup tab in .

But the built-in tool can't compare to Autoruns, which is legitimately considered "the most complete tool for viewing and managing autostart on Windows."

Unlike the Task Manager, which is limited to a list of the most common locations, Autoruns shows a complete list of locations in the registry, in scheduled tasks, and so on, that is, anywhere an application can set itself to run automatically. Using the Task Manager you can temporarily disable any of the entries listed on the Startup tab; Autoruns additionally lets you delete the entry itself, without harming the registry.

Sometimes, perhaps even most of the time, these items are useful, including tasks such as checking for security updates and performing basic synchronization. But some entries simply consume resources at system startup.

The "Everything" tab shows every file, driver, service, scheduled task, and other items that run automatically when the device is turned on or logged on.

Each line contains the name of the autorun entry, the publisher and description of the executable or DLL, the path to the file that is executed when the item is launched, and its icon. Uncheck the box to the left of any item to disable that item temporarily. The panels at the bottom display details of the current selection, including its full command line.

What do Autoruns color codes mean?

The color coding of lists in Autoruns can be confusing at first, especially since it's not documented anywhere. Each heading, which identifies the location where an autostart entry is stored, is shaded light purple. The currently selected row is highlighted in dark blue. Rows highlighted in red are associated with files whose description and publisher fields are empty. A yellow fill means that the file the autostart entry points to was not found.

If you are sure that a yellow row appeared only because a program's data was not properly cleaned up after it was removed, you can delete the entry using Autoruns. For red rows: select the row, right-click it and choose "Verify Image" from the context menu. If the file's code-signing certificate is trusted, the Publisher column will change to (Verified) followed by the name of the signer. If the file is not signed, or verification fails for any other reason, the text will change to (Not verified).

As mentioned earlier, the Autoruns list can be huge. One way to reduce the noise is to open the "Options" menu and select "Hide Microsoft Entries". This option makes it easier to spot potentially problematic third-party programs, including malware.
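The same two steps, signature verification and hiding Microsoft entries, scripted with the console version of the tool so the result can be reviewed on many machines, as an added PowerShell example (not from the page or from Sysinternals). It assumes autorunsc.exe is on the Path, that it runs from an elevated prompt (some autostart locations are unreadable otherwise), and that PowerShell decodes the tool's console output correctly; the column names are the ones the CSV export uses.

```powershell
# Added example; not from the page. Export all autostart entries with signature
# verification, drop Microsoft-signed ones, and list the rest that are not signed
# by a verified publisher. Assumes autorunsc.exe on the Path and an elevated prompt.
#
#   -accepteula  no license prompt      -nobanner  no banner in the output
#   -a *         all entry categories   -c         CSV output
#   -s           verify signatures      -m         hide Microsoft-signed entries
#   -h           include file hashes
$entries = & autorunsc.exe -accepteula -nobanner -a * -c -s -m -h | ConvertFrom-Csv

# The Signer column is prefixed "(Verified)" or "(Not verified)", exactly like the
# Publisher column in the GUI after "Verify Image".
$suspect = @($entries | Where-Object {
    $_.'Image Path' -ne '' -and $_.Signer -notlike '(Verified)*'
} | Select-Object 'Entry Location', 'Entry', 'Image Path', 'Signer', 'SHA-256')

$suspect | Format-Table -AutoSize -Wrap
"{0} third-party autostart entries lack a verified signature." -f $suspect.Count

# Keep the full export next to the review so a later run can be compared against it.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$entries | Export-Csv -Path (Join-Path $env:TEMP "autoruns-$stamp.csv") -NoTypeInformation
```

An unverified signature is a reason to look closer, not proof of malware: in-house scripts and some legitimate vendors' binaries show up here too, which is why the hashes are exported alongside the paths for comparison with a known-good baseline.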

Use this setting to hide Microsoft entries and reduce the number of entries scanned when searching for potentially problematic third-party programs.

Right-click any entry, on any tab in Autoruns, to see the list of options for that item. For example, the "Jump to Entry" option navigates to the folder or registry key where the item is defined. The "Jump to Image" option opens Explorer at the file that is set to run automatically.

If you see an unfamiliar entry in the Autoruns list, to see its parameters and explore further, right-click on it.

Note that several options on this list require administrative privileges, including the ability to delete an entry from the registry. If you run Autoruns without elevation, you will see an access denied dialog box as shown in the following image. To restart Autoruns and try again, use run as administrator.

Attention. The most prudent way to disable an item in Autoruns is to uncheck the box to the left of it. Once you are sure that the change has no long-term negative side effects, you can delete the entry.