10 more Sysinternals utilities to keep handy

Derek Schauland is back with additional utilities from the Sysinternals toolkit that can speed routine tasks on Windows systems.

Last December, I put together a list of Sysinternals tools that I found the most useful. Recently, I looked through the entire list and found a few more tools you might keep on a flash drive, just in case the need arises.

Note: This article is based on an entry in our Network Administrator blog. It's also available as a gallery and as a PDF download.

1: DiskMon

This utility looks at all your hard disk traffic and reports it to the screen (Figure A). When the window is displayed, the default is to auto scroll the data, constantly filling the window as you use your PC. If you minimize the application to the tray (Options | Minimize to tray disk light), DiskMon will blink as it monitors traffic. I found it interesting to see just how many reads and writes my laptop processed just working on this blog post.

Figure A


2: Disk Usage

Sometimes, finding the size of a directory is convenient -- but do you want to know the size on disk? Sure, Windows Explorer can provide some information about the size of a directory; however, I haven't found that method particularly useful. Many times, getting to the information when I need it is a bit of a hassle. This command-line utility can display the size of the specified directory and the files contained within it (Figure B). Here are the command usage and the arguments it takes:

Usage: du [[-v] [-l ] | [-n]] [-q] (file or directory)

  • -l -- Specify the subdirectory depth to use, the utility defaults to all levels
  • -n -- Don't recurse
  • -q -- Don't print the banner
  • -u -- Unique files or folders only please
  • -v -- Show information in intermediate directories

3: Page Defrag

Windows has a bit of a tendency to allow files to get fragmented and perform less than optimally. For files and folders, there are countless tools and utilities to help keep your system in top shape. But many of these tools (especially the built-in tool for defragmentation) don't do much for the registry and paging files. Page Defrag (Figure C) will help you get the page files and registry under control.

Figure C

Note: In testing, it seems that Page Defrag is a 32-bit-only utility.

4: SDelete

Even after a file is deleted, it can often still be recovered, which may be a problem when you're trying to recycle a clean system or repurpose it. SDelete (Figure D) conforms to Department of Defense regulations/standards for file wiping. When you use it to remove files or folders, the deleted items are permanently removed.

SDelete is run from the command line and takes the following parameters:

  • -c -- Zeroes free disk space
  • -p passes -- Allows you to specify the number of passes to use (-p 3 for 3 passes)
  • -q -- Silent execution
  • -s -- Subdirectory recursion
  • -z -- Cleans free space

Figure D
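An unattended wipe of a directory tree using the switches listed above, as an added example that is not part of the original article. It assumes sdelete.exe is on the PATH; the function name and its guard rails are illustrative, and the sample path in the final comment is constructed.

```powershell
# Added example, not from the article. Assumes sdelete.exe is on PATH.
function Remove-TreeSecurely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateRange(1, 10)][int]$Passes = 3
    )

    # Resolve to a full filesystem path; this fails if the target does not exist.
    $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath

    # Guard rails: never accept a drive root or anything under the Windows directory.
    if ($full -eq [IO.Path]::GetPathRoot($full)) {
        throw "Refusing to wipe a drive root: $full"
    }
    if ($full.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to wipe inside ${env:SystemRoot}: $full"
    }

    # ConfirmImpact = 'High' makes PowerShell prompt unless -Confirm:$false is given.
    if ($PSCmdlet.ShouldProcess($full, "sdelete -p $Passes -s -q")) {
        # -p, -s and -q are the switches described above; -accepteula suppresses
        # the first-run licence dialog so the call works unattended.
        & sdelete.exe -accepteula -p $Passes -s -q $full | Out-Null

        # Check the filesystem rather than the tool's output: the target must be gone.
        [pscustomobject]@{
            Path     = $full
            Passes   = $Passes
            ExitCode = $LASTEXITCODE
            Removed  = -not (Test-Path -LiteralPath $full)
        }
    }
}

# Usage (constructed path; the directory must exist). -WhatIf prints the
# planned command without deleting anything:
#   Remove-TreeSecurely -Path 'D:\decommission\old-exports' -WhatIf
```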


5: LoadOrder

Device drivers in Windows are rather important when it comes to proper system operation, but when you start Windows, Microsoft often doesn't show the order in which these additional devices are added and installed. LoadOrder (Figure E) presents the order in which items were loaded by Windows. As an added bonus, services are included here too.

Figure E


6: Handle

This utility (Figure F) allows you to see the handles that are open on your system and will, with arguments, allow you to close (albeit forcibly) handles to running applications.

The usage and arguments for Handle are:

  • -a -- Dumps all information
  • -c <handle> -- Closes handles specified; can cause system instability
  • -l -- Shows only profile section handles
  • -y -- Do not prompt for handle close
  • -s -- Display a count of each handle type that is open
  • -u -- Display the user who owns each handle
  • -p <pid> -- Dump the handles belonging to a specified process
  • Name -- Search for handles related to the supplied object name

Figure F


7: LogonSessions

Logging on to Windows just isn't what it used to be, depending on the version. LogonSessions (Figure G) will display all the sessions currently logged on to a given system. Like potato chips, just one is highly unlikely. The only argument available for LogonSessions is -p, which shows the processes available for each logon session. Oh, and when run on my laptop for testing for this post, there were eight sessions running.

8: PSInfo

PSInfo (Figure H) falls in the PS tools suite of products, but I thought it particularly interesting because of the amount of information it returns. The idea here is to allow logged-on users to gain system information from their system or a remote system with little effort. Specifying the \\computername option will point PSInfo at a remote system. Another way to run PSInfo is to point it at a file containing a list of remote systems. This will return the info for each remote system listed.

When run with no arguments, the utility returns basic system information about your local machine. The arguments I found most interesting were -h for installed hotfixes and -s for installed software.

Figure H


9: RootkitRevealer

When looking at this utility, it seemed to be a no-brainer to include it here. But it seems to work only on 32-bit systems prior to Windows 7. It also runs as a randomly named service when executed (for the duration of execution) to reduce the possibility of being hijacked by a rootkit. I am hoping that the team behind Sysinternals releases a Win 7-ready version of this tool soon.

The utility can be started from the command line or by a double-click and detects places where rootkits might be hiding on your system. Is it perfect? No. But it does do a pretty thorough job.

The screenshot in Figure I was taken on a 32-bit Windows XP VM with little more than Windows updates applied.

Figure I


10: RegJump

RegJump (Figure J) provides a convenient command-line way to get into the registry where you need to be so you don't have to chase down the hive you need. This will allow you to start out right at HKEY_CURRENT_USER or elsewhere in the registry with minimal typing. The feature that really stands out is its support for abbreviations and standard notation for registry hives, so both HKEY_CURRENT_USER and HKCU will work with the RegJump command-line entry.

Figure J


Give them a try

These utilities provide a great amount of information with a minimum of effort. Because Sysinternals utilities are free to download, there's no reason not to check them out. They make a great addition to any Windows admin's toolkit. It is important to note that some of the utilities included here require Administrator access. In many cases, I will run these tools with an elevated command prompt for ease of use.
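Because these tools are often carried on a flash drive and then run from an elevated prompt, it is worth confirming that each binary still carries a valid Microsoft signature first. The following is an added example, not part of the original article; the function name and the E:\Sysinternals folder are assumptions.

```powershell
# Added example, not from the article. The toolkit folder is an assumed location.
function Test-SysinternalsToolkit {
    param([Parameter(Mandatory)][string]$ToolDir)

    # Is the current session elevated? Several of the tools need Administrator rights.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    Get-ChildItem -LiteralPath $ToolDir -Filter *.exe -File | ForEach-Object {
        # Status is 'Valid' only when the file hash matches the signature and the
        # certificate chain is trusted on this machine.
        $sig     = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            Tool     = $_.Name
            Status   = $sig.Status
            Signer   = $subject
            # A valid chain plus the expected publisher; unsigned or re-signed
            # copies come back with Trusted = False.
            Trusted  = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
            Elevated = $elevated
        }
    }
}

# List anything in the assumed toolkit folder that should not be run elevated.
Test-SysinternalsToolkit -ToolDir 'E:\Sysinternals' |
    Where-Object { -not $_.Trusted } |
    Format-Table Tool, Status, Signer -AutoSize
```

The same check applies to copies placed in System32 or another directory on the PATH, since those locations are searched for every command typed at an elevated prompt.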


Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.


Yes, I've been using Sysinternals for a while now, as well. What I've come to start doing is using EMCO MSI Package tool to repack the Sysinternals Utilities as an .MSI, that I can deploy to machines using Group Policy. Naturally, for machines that are already on the network. For machines that are new, going into production, I've added Sysinternals to Windows 7 images, so that it's already there, in System32, ready for support. These tools are highly underrated and underappreciated, and any good System Admin should have these tools.


#6 Handle is complicated to process


I would suggest that anyone who uses them regularly either add a path variable for their location or just dump them in system32. This way you can just type them in from any directory.


I have used Sysinternal Utilities seemingly forever, lol ... Maybe it just seems that way. I would recommend them to anyone who is interested in raising the hood and getting their hands dirty ... Meaning, having fun and being productive with some good command utilities. You can download a whole Suite of tools (little more than 12mb), which has most all the tools they make. Readers can view more about it here ( As always, the caveat to be cautious when using some of the utilities should be heeded. Nice article, Mr Schauland ... Thanks!


autoruns is an awesome tool. Helps figure out what is started during boot up. Have also used it to disable a virus so it could be cleaned. The virus was in the startup profile of another admin user (those home users! :( ) which then copied itself to all of the places I had manually deleted it. I saw the virus location and how it was launched as soon as I changed the user option to the other user with administrative privileges.


I know many of us already know where to download these utilities, but for those readers that do not, it would be nice to include a download link to them.


It doesn't display any information about the registry hives or pagefile - the box is just empty. It does, however, appear to defrag during boot up.


(Tech Republic & IE9 don't seem to like each other a lot)

