Last December, I put together a list of Sysinternals tools that I found the most useful. Recently, I have been looking through the entire list and found a few more tools that you might keep on a flash drive, just in case the need arises. The companion gallery is here: "10 more Sysinternals tools to simplify routine Windows admin tasks."
This utility looks at all of your hard disk traffic and reports it to the screen. When the window is displayed, the default is to auto scroll the data constantly filling the window as you use your PC. If you minimize the application to the tray (Options | Minimize to tray disk light) DiskMon will blink as it monitors traffic. I found it quite interesting to see just how many reads and writes my laptop processed just working on this blog post.
#2 Disk Usage
Sometimes finding the size of a directory is convenient, but do you want to know the size on disk? Sure Windows explorer can provide some information about the size of a directory; however ,I haven't found that method particularly useful. Many times getting to the information when I need it is a bit of a hassle. This command line utility can display the size of the specified directory and files contained within it.
The command usage and the arguments it takes are below:Usage: du [[-v] [-l ] | [-n]] [-q] (file or directory)
- -l Specify the subdirectory depth to use, the utility defaults to all levels
- -n Don't recurse
- -q Do not print the banner
- -u Unique files or folders only please
- -v Show information in intermediate directories
Disk Usage Du
#3 Page Defrag
Windows has a bit of a tendency to allow files to get fragmented and perform less than optimally, and for files/folders there are countless tools and utilities to help keep your system in top shape. Many of these tools (especially the built in tool for defragmentation) doesn't do much for the registry and paging files. Page Defrag will help you get the page files and registry under control.
Page DefragNote: In testing, it seems that Page Defrag is a 32bit-only utility.
Even after a file is deleted, many times it can still be recovered and may be a problem when trying to recycle a clean system or repurpose it. SDelete conforms to Department of Defense regulations / standards for file wiping. When used to remove files or folders, the items deleted will be removed.
SDelete is run from the command line and takes the following parameters:
- -c This argument zeroes free disk space
- -p passes This argument allows you to specify the number of passes to use (-P 3 for 3 passes)
- -q Silent execution
- -s Subdirectory recursion
- -z Cleans free space
Device drivers in Windows are rather important when it comes to proper system operation, but when you start Windows, Microsoft doesn't often show off the order in which these additional devices are added and installed. LoadOrder helps to present the order in which items were loaded by Windows. As an added bonus, services are included here too.
This utility allows you to see the handles that are open on your system and will, with arguments allow you to close (albeit forcibly) handles to running applications.
The usage and arguments for Handle are:
- -a Dumps all information
- -c <handle> Closes handles specified - can cause system instability
- -l Shows only profile section handles
- -y Do not prompt for handle close
- -s Display a count of each handle type that is open
- -u Display the user who owns each handle
- -p <pid> Dump the handles belonging to a specified process
- Name Search for handles related to the supplied object name
Logging on to Windows just isn't what it used to be, depending on the version you are accessing of course. LogonSessions will display all of the sessions currently logged on to a given system, because like potato chips, these days one is highly unlikely. The only argument available for logonsessions is -p which shows the processes available for each logon session. Oh and when run on my laptop for testing for this post, there were 8 sessions running.
PSInfo falls in the PS tools suite of products, but I thought it particularly interesting because of the amount of information it returns. The idea here is to allow a logged on user to gain system information from their system or a remote system with little effort. Specifying the \\computername option will point PSInfo at a remote system. Another way to run PSInfo is to point it at a file containing a list of remote systems, this will return the info for each remote system listed.
When run with no arguments, the utility returns basic system information about your local machine. The arguments I found most interesting were -h for installed hotfixes and -s for installed software.
When looking at this utility, it seemed to be a no brainer to include it here, but it seems to work only on 32 bit systems prior to Win 7. It also runs as a random service when executed (for the duration of execution) to reduce the possibility of being hijacked by a rootkit. I am hoping that the team behind Sysinternals releases a Win 7 ready version of this tool very soon.
The utility can be started from the command line or a double-click and detects places where Rootkits might be hiding on your system. Is it perfect, no, but it does do a pretty thorough job.
The screenshot was taken on a 32bit Windows XP VM with very little more than Windows updates applied.
This utility is a convenient command line way to get into the registry where you need to be rather than chasing down the hive that is needed. This will allow you to start out right at HKey-Current-User or elsewhere in the registry with minimal typing. The feature of this utility that really stands out is the fact that it supports abbreviations and standard notation for registry hives, so both HKEY-CURRENT-USER and HKCU will work with the RegJump command line entry.
RegJumpGive them a try
These utilities provided a great amount of information with rather minimal effort. Because Sysinternals utilities are free to download, there is no reason not to check them out. They do make a great addition to any Windows admin's toolkit. It is important to note that some of the utilities included here, but not all, require Administrator access. In many cases, when using these tools I will run them with an elevated command prompt for ease of use.
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.