10 Sysinternals tools you shouldn't be without

The Sysinternals utilities offer a powerful, convenient way to knock out all kinds of Windows tasks. Derek Schauland zeroes in on the ones he finds most useful.

Sysinternals has been around for quite some time and was acquired by Microsoft in 2006. These are great little tools for getting heavy-hitting Windows tasks done, sometimes better than the built-in tools for the job. The entire suite is available for download. While downloading the bundle is the easiest way to get the tools, there are some I find myself using far more than others. Here's a look at my favorite tools in the Sysinternals collection (or the ones that I use the most).

Note: This article is also available as a TechRepublic photo gallery.

1: PsList and PsKill

I listed these together because I typically use them in this order. The goal here is to see processes on a machine -- with PsList, I find the process ID, and then use PsKill to terminate the process.

There are quite a few ways to return information with PsList, and the best part is that it works on local and remote machines. PsKill works similarly to PsList except it is used to terminate processes by process ID.
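
The PsList-then-PsKill workflow above, wrapped in PowerShell as an added example (not code from the article or from Sysinternals). It parses the Pid column of PsList's output and hands the PID, not the name, to PsKill; it assumes pslist.exe and pskill.exe are on PATH, admin rights on the target, and the sample output row in the comment is constructed.

```powershell
# Added example: find a process with PsList, then terminate it by PID with
# PsKill. Killing by PID avoids taking down a same-named sibling by accident.
function Get-PsListPid {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,   # name without .exe, e.g. notepad
        [string] $ComputerName = ''                    # empty = local machine
    )
    $psArgs = @('-accepteula')
    if ($ComputerName) { $psArgs += "\\$ComputerName" }
    $psArgs += $ProcessName   # PsList then lists only processes starting with this name
    # Constructed sample of what PsList prints (header, then one row per process):
    # Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
    # notepad            4120   8   3   95   1892     0:00:00.015     0:05:12.120
    & pslist.exe @psArgs | ForEach-Object {
        if ($_ -match "^\s*$([regex]::Escape($ProcessName))\s+(\d+)\s") { [int]$Matches[1] }
    }
}

function Stop-PsListProcess {
    param(
        [Parameter(Mandatory)] [string] $ProcessName,
        [string] $ComputerName = ''
    )
    $pids = @(Get-PsListPid -ProcessName $ProcessName -ComputerName $ComputerName)
    if ($pids.Count -eq 0) {
        Write-Warning "No process named '$ProcessName' found"
        return
    }
    foreach ($targetPid in $pids) {
        $killArgs = @('-accepteula')
        if ($ComputerName) { $killArgs += "\\$ComputerName" }
        $killArgs += $targetPid
        Write-Host "Terminating $ProcessName (PID $targetPid)"
        & pskill.exe @killArgs
    }
}

# Usage (FILESRV01 is a placeholder host name):
# Stop-PsListProcess -ProcessName notepad
# Stop-PsListProcess -ProcessName notepad -ComputerName FILESRV01
```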

2: Process Explorer

Process Explorer is a great tool for digging into open files or resources. Trying to open a file, but getting a notification that it's already open? Process Explorer can help determine which application or process has the file open. It is a GUI-based utility and can be used as a Task Manager replacement. The utility has two panes of information. The top pane shows currently active processes on your system and includes information about the name, the account that owns the process, and the CPU usage of the process.

The bottom pane has two modes of operation, handle mode and DLL mode. When handle mode is enabled, selecting a process in the top portion of the window will show you the handles that the process has open. In DLL mode, the pane displays the DLLs and memory-mapped files loaded by the selected process.

3: ZoomIt

ZoomIt is a utility for the public speaker in all of us. When presenting information, sometimes it is helpful to show a certain area of the screen, magnified to call attention to a dialog box or other item. This is what ZoomIt does. When configured, it will integrate with PowerPoint to allow macro keys to trigger functions during a presentation.

4: PsLoggedOn

PsLoggedOn scans the registry, looking through the HKEY_USERS key to see which user profiles are loaded. For each subkey named by a user's SID, PsLoggedOn resolves the SID to a username and displays it. This shows you who is logged on in any session to a PC. When querying remote systems, your own user ID will appear as a connected user session as well. Remote and local users are returned separately to help distinguish logon types.
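
The registry scan described above, reproduced in PowerShell as an added example (not the article's or Sysinternals' code). It covers only the local HKEY_USERS part of what PsLoggedOn does and assumes rights to read that hive.

```powershell
# Added example: list loaded profile hives under HKEY_USERS and resolve each
# SID-named subkey to an account name, the way the article describes PsLoggedOn.
function Get-LoadedProfileUser {
    # Service accounts whose hives are always loaded but are not logons.
    $serviceSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

    # Subkey names are SIDs, plus .DEFAULT and <SID>_Classes companion hives.
    # Keep only S-1-5-21-* (local or domain users) and the three service SIDs.
    $sids = Get-ChildItem -Path Registry::HKEY_USERS |
        ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-[\d-]+$' -or $serviceSids -contains $_ }

    foreach ($sid in $sids) {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
        try {
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Orphaned SID or unreachable domain controller: keep the raw SID only.
            $account = '<unresolved>'
        }
        $kind = 'User'
        if ($serviceSids -contains $sid) { $kind = 'Service' }
        [pscustomobject]@{
            Sid     = $sid
            Account = $account
            Kind    = $kind
        }
    }
}

Get-LoadedProfileUser | Format-Table -AutoSize
```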

5: Autoruns

You know how malware likes to invade the startup folder and other locations on infected systems? Those entries are often the hardest things to find and get rid of when trying to clean up spyware/malware infections. Autoruns can help with that. It looks through all the locations where applications can be registered to launch automatically when Windows starts and displays them in a tabbed, easy-to-follow GUI. You can hide Microsoft-signed entries to remove the known-good items from the list of things that start up on your system.
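
An added example (not from the article or from Sysinternals) that uses Autoruns' command-line sibling, autorunsc.exe, to snapshot autostart entries and diff a later snapshot against a baseline taken on a known-clean build, so that anything new in an autostart location stands out. It assumes autorunsc.exe on PATH, an elevated prompt, and the CSV column names autorunsc emits ('Entry Location', 'Entry', 'Image Path', 'Signer', 'SHA-256').

```powershell
# Added example: baseline and compare Autoruns entries from the command line.
function Export-AutorunsSnapshot {
    param([Parameter(Mandatory)] [string] $Path)
    # -a * : all entry categories, -c : CSV output, -m : hide Microsoft-signed
    # entries (as in the GUI), -h : file hashes, -s : verify signatures.
    # Redirecting inside cmd.exe keeps the tool's bytes as written instead of
    # letting PowerShell re-decode and re-encode them.
    cmd.exe /c autorunsc.exe -accepteula -a * -c -h -s -m `> $Path
}

function Import-AutorunsSnapshot {
    param([Parameter(Mandatory)] [string] $Path)
    # Detect UTF-16 (BOM, or a NUL as second byte) versus UTF-8/ASCII rather
    # than trusting a default encoding.
    $bytes = [IO.File]::ReadAllBytes($Path)
    $utf16 = $bytes.Length -ge 2 -and ($bytes[1] -eq 0 -or ($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE))
    $enc = if ($utf16) { [Text.Encoding]::Unicode } else { [Text.Encoding]::UTF8 }
    $enc.GetString($bytes).TrimStart([char]0xFEFF) | ConvertFrom-Csv
}

function Get-AutorunsKey($entry) {
    # Location + entry name + image path identifies one autostart item.
    "$($entry.'Entry Location')|$($entry.Entry)|$($entry.'Image Path')"
}

function Compare-AutorunsSnapshot {
    param([Parameter(Mandatory)] [string] $BaselinePath,
          [Parameter(Mandatory)] [string] $CurrentPath)
    $baseKeys = @(Import-AutorunsSnapshot $BaselinePath | ForEach-Object { Get-AutorunsKey $_ })
    # Anything in the current snapshot whose key is absent from the baseline.
    Import-AutorunsSnapshot $CurrentPath |
        Where-Object { $baseKeys -notcontains (Get-AutorunsKey $_) } |
        Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'SHA-256'
}

# Usage: take the baseline right after a clean build, re-run later and compare.
# Export-AutorunsSnapshot -Path C:\Baseline\autoruns-clean.csv
# Export-AutorunsSnapshot -Path $env:TEMP\autoruns-now.csv
# Compare-AutorunsSnapshot -BaselinePath C:\Baseline\autoruns-clean.csv -CurrentPath $env:TEMP\autoruns-now.csv
```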

6: Contig

Some files give disk defragmenting applications trouble and, for one reason or another, can't be defragmented by them. This is where you might use Contig. It is a single-file defrag utility, which can be helpful if you use a file often and suspect it is suffering from performance issues due to fragmentation.

7: Disk2vhd

Disk2vhd creates a virtual hard disk file from a physical system for use with Hyper-V or even with Windows 7 or Server 2008 R2. Disk2vhd supports Windows XP SP2 and Windows Server 2003 SP1 and higher, including 64-bit versions of these systems.

A great use of this utility might be to create a snapshot of an entire disk for backup purposes. There are also options that allow Disk2vhd to be run at the command line. You can use these options to script vhd creation. Using the utility in this way would allow you to use Task Scheduler and Disk2vhd to create a snapshot of your PC at scheduled intervals with no user intervention. One caveat: When creating vhds, be sure not to attach them to the same system you created them from if you are going to boot from the vhd.

8: MoveFile

As we all know, there are times when files need to be moved or deleted to help get things cleaned off a PC (malware/bots/viruses). Sometimes, this can't be done because files are in use, which prevents actions on the files until they are closed or the computer is rebooted. MoveFile provides an API that marks files for move/rename/delete at the next restart of the Windows system. Doing this allows the file to be acted on before it is referenced by the system.

9: PSFile

The PsTools utilities are all popular and useful, but one that I recently discovered is PsFile. By default, it shows files on the local system that are open by remote systems, and it can be passed parameters to return the same information about remote systems as well. This tool is a good way to check for open files on file servers when users report read-only issues or have problems getting files to open properly.

10: Sync

This utility mirrors the UNIX sync utility: it flushes cached file system data to disk. Doing this can help prevent loss of system information in the event of a system failure and helps ensure that live system information is being written to disk.

The way I see this being useful depends on how stable your system is. If your computer tends to crash more than you would like (or if you are testing some scenarios), you might create a scheduled task to ensure that the system info is flushed back to disk once per hour or some other predefined timeframe. Another cool thing about this sync utility is that USB or ZIP drives or other removable drives can be flushed. You will need administrative privileges to use Sync.
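
The two unattended jobs suggested in sections 7 and 10 (a scheduled Disk2vhd capture and an hourly Sync), registered with schtasks.exe, as an added example that is not from the article. It assumes the tools live in C:\Tools and that D:\Backups exists; the task names are placeholders.

```powershell
# Added example: schedule Sync and Disk2vhd to run without user intervention.
# -accepteula is passed because a task running as SYSTEM has no desktop on
# which to click through the licence dialog.

# Sync once an hour: with no drive letter given, Sync flushes all fixed drives.
schtasks.exe /Create /F /TN SyncHourly `
    /TR "C:\Tools\sync.exe -accepteula" `
    /SC HOURLY /MO 1 /RU SYSTEM /RL HIGHEST

# Disk2vhd nightly at 02:00: capture the system volume into a VHD on another
# volume. A fixed file name is used here; rotate it between runs if you want
# to keep more than one snapshot. As the article warns, do not attach this VHD
# to the machine it came from if you intend to boot from it.
schtasks.exe /Create /F /TN NightlySystemVhd `
    /TR "C:\Tools\disk2vhd.exe -accepteula C: D:\Backups\system-snapshot.vhd" `
    /SC DAILY /ST 02:00 /RU SYSTEM /RL HIGHEST

# Confirm both tasks registered and see their next run time.
schtasks.exe /Query /TN SyncHourly /FO LIST /V
schtasks.exe /Query /TN NightlySystemVhd /FO LIST /V
```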

For more details on these tools, see Five favorite Sysinternals tools and what they do (first five tools) and Learn about some Sysinternals tools that might be flying under the radar (second five tools).


About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

28 comments
Starrdaark

As others have already stated, one should not tread the murky waters of the web without Autoruns firmly entrenched into your bag of tools. One of its best features, and one not mentioned in this thread is the Compare feature. It's a rare day indeed I forget to create a baseline compare save following a new pc reload. It's hard to fool a quality pre-web-connect log of data such as Autoruns provides.

kevin

Pagedefrag! And it sure seems like Windows 7/64 bit could use it too.

Terabyte Computer

The PSTools referenced here (and others) have come in very handy. FYI, there's also a front end GUI available (called 'fepstools') that makes using the tools even easier. Of course, it's also easier to accidentally wreak havoc because it stores your last command, so be cautious when using it. Don't want to reboot someone's PC, then accidentally reboot a server at another time because you forgot to switch commands. Not that I've done that personally or anything...... Download PSTools, then look for 'fepstools' (can be found by Googling.)

hyh2005

love this. a tantalizing but possibly dangerous use: can i contig the $Logfile or the $MFT files? HYH

mullachv

Filemon, Regmon, and TCPView are great tools from the SysInternals folks.

Photogenic Memory

Bash has all these tools built-in. So why aren't these useful apps integrated into the OS or better yet a command-line installer for ease with official repositories like yum or apt? It's 5am. I'm asking too much and haven't slept a wink. I'm flooooooaaaating in dream land which exists nowhere and yet somewhere much like a cloud. But is it beautiful a nimbus cloud or high flying stratus cloud. Or worse! A dark cumulo-nimbus pregnant with potential rain? I'm sorry. It's now 5:03am and not a wink of sleep yet. ROFL!!

Sean Byrne

Of the top 10, I'd say Autoruns is an absolute must. Besides tracking down Malware, it's also a great way of temporarily speeding up a computer to work on, especially on a computer running Vista with just 1GB of RAM as you can temporarily disable all the main processes, e.g. the 'Run', 'Task Scheduler', 'Browser helper objects' entries and so on and reboot the computer so there is little running. Once finished, then re-enable them all or even gradually to find out which start-up processes have the most impact on resources/performance. One utility I'm surprised didn't get a mention is TCPView. This highlights TCP connections being made, dropped and which are established by which processes. If you notice a lot of Internet/network activity from a computer, this will quickly reveal the culprit.

Richard Bowser

I would like it better if the links actually WORKED. Both links led to page 3364.

Who Am I Really

Also: Process Monitor for watching registry, disk IO, etc. events. If you want to see just how busy a system is, start Process Monitor and enable the Auto Scroll item (Ctrl+A).

david.karr

Shame I don't see here the first SysInternals tool I ever installed (soon after it was created): Ctrl2Cap. If you care about typing efficiently for many years, you'll get rid of the CapsLock key and move the Ctrl key up. It's just about the simplest SysInternals tool, but it was very important for me.

Cuffy10

If you use Sysinternals you will probably be interested in WSCC, Windows Service Control Center, which is a frontend for Sysinternal and Nirsoft Utilities, that includes everything in one bucket. It sure makes it easy to keep all those utilities updated. http://www.portablefreeware.com/?id=1666

JCitizen

a mix of Valerin, melatonin with theanine, and benadryl. I sleep like a baby for at least 7 hours! Of course - if you're tripping - I digress! :D

anand.narine

Agreed, tcpview is very handy for that. My Top 2 which are not listed are PSEXEC and PROCMON

Cuffy10

http://www.kls-soft.com/wscc/index.php contains all three links for WSCC, Sysinternals and Nirsoft utils. I just checked in IE and Chrome and it works fine in both! "WSCC uses the included WSCC Console to execute command line applications. WSCC is portable, installation is not required. Extract the content of the downloaded zip archive to any directory on your computer. WSCC Portable Edition is designed for use on the PortableApps.com Platform. WSCC U3 Edition is designed for use on the U3 smart drives and integrates itself into the U3 launchpad. This edition of WSCC supports the following utility suites: Windows Sysinternals Suite (including support for Sysinternals Live service) NirSoft Utilities Windows Sysinternals Suite download and Licensing FAQ website. NirSoft Utilities download website. WSCC - Windows System Control Center download. Windows Sysinternals is property of Microsoft Corporation. NirSoft Utilities is property of Nir Sofer."

Cuffy10

Au contraire, my friend, it is still included with Sysinternals. Did you download sysinternals, nirsoft utils and wscc? They are all available from the page I posted above.

jesuskid1

This stupid program let loose a host of password viruses. Whoever posted this as a good all-in-one program is wrong?

Mr. G. Anson

Hey, does anyone know of a utility that will tell me who owns an open COM port?

AnsuGisalas

that sure looks like spam. But some of the harmonics tell me not to pull the trigger on it...

Cuffy10

jesuskid1, I'm sorry I missed your cry! May I suggest that you watch this video from YouTube....http://www.youtube.com/watch?v=kb4qJ5Za6zY My point, when you fall in a vat of chocolate don't yell fire? Your post titled WSCC and complaining of viruses would have received attention much faster had it been titled "VIRUS Alert". I could have rapidly responded that the virus alerts you received were all "false positives" and were no cause for alarm. In my case I get an alarm on "Netpass" from Avast whenever I download the app. To prevent the whistle from blowing and scaring hell out of me, before I download or upgrade WSCC, I go to the icon for Avast in Systray, right-click to get the context menu, and "Disable for 10 mins" so Avast won't ring the bell. Problem solved! I use Avast... you may use a different A/V app so the procedure may be different? In any case, the survival rate for "false positives" is roughly 100%. YMMV

JCitizen

some of the links posted by members here lead to sites that have a poor reputation according to Web-Of-Trust. But then, amateurs probably don't need to be getting involved with some of those powerful utilities, so they rate the site as bad; when it is just misuse by the user that is the problem?

JCitizen

most of my false positives come from AdAware now. But then, I like it too. If I'm using pen-testing utilities I simply let it quarantine upon scan, so the malware can't use the file against me! Then I let it out to use it once more.

asurvila

WSCC is great. I have been using Nirsoft utilities for years. It's safe, with all my respect. Nevertheless it may be blacklisted by antivirus/-spyware/-malware. These are false positives, if only you don't think that keeping a password recovery program or any hacking tool on your system poses a threat by itself.

Cuffy10

Gotcha! Since the URL was below a divider line I assumed it was part of his signature and pressed right on by. WSCC!!! I'm shocked at the lack of response to the large number of excellent tools available from these authors. WSCC puts the icing on the cake by putting the tools at your fingertips and providing a little button that will upgrade ALL of them. wattayawant???

AnsuGisalas

Take a look at that "Hi" reply up there, you'll see what I was talking about. Don't follow that URL, though.