
Five Sysinternals tools no admin should be without

These Sysinternals utilities offer a powerful, convenient way to knock out all kinds of Windows admin tasks.

Sysinternals has been around for quite some time and was acquired by Microsoft in 2006. These are great little tools for getting heavy-hitting Windows tasks done, sometimes better than the built-in tools do them. The entire suite is available for download. While this is the easiest way to get the tools because they are bundled, there are some I find myself using far more than others. Here's a look at my favorite tools in the Sysinternals collection.

Note: This list is based on an entry in our 10 Things blog.

1: PsList and PsKill

I listed these together because I typically use them in this order. The goal here is to see processes on a machine -- with PsList, I find the process ID, and then I use PsKill to terminate the process.

There are quite a few ways to return information with PsList, and the best part is that it works on local and remote machines. PsKill works similarly to PsList except it is used to terminate processes by process ID.
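The PsList-then-PsKill routine above lends itself to scripting. As an added example (not code from the article or from Sysinternals), the following Python script parses PsList's text output, picks out every PID for a given image name and builds the matching PsKill command lines, refusing the Idle and System PIDs so a typo can never take the box down. The column layout, the host name and the process rows in the sample are constructed for this example; the -accepteula switch is the one the Sysinternals tools accept to suppress the licence prompt.

```python
import re
import subprocess
import sys

# Constructed sample of PsList output. The column layout (Name, Pid, Pri, Thd,
# Hnd, Priv, CPU Time, Elapsed Time) is assumed from the tool's default view;
# the host name, processes and numbers are made up for this example.
SAMPLE_PSLIST_OUTPUT = """
Process information for WORKSTATION1:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   4    0     60     3:12:44.109     5:02:17.000
System                4   8 120  902    408     0:00:51.312     5:02:17.000
csrss               512  13  10  450   1636     0:00:03.421     5:02:15.000
notepad            3120   8   3   88   2120     0:00:00.046     0:10:02.000
notepad            4476   8   3   90   2204     0:00:00.031     0:03:40.000
"""

# One process row: image name, five integer columns, two h:mm:ss.mmm times.
_ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<pri>\d+)\s+(?P<thd>\d+)\s+"
    r"(?P<hnd>\d+)\s+(?P<priv>\d+)\s+(?P<cpu>\d+:\d\d:\d\d\.\d+)\s+"
    r"(?P<elapsed>\d+:\d\d:\d\d\.\d+)\s*$"
)

# PIDs that must never be handed to PsKill: the Idle pseudo-process and the
# System process (killing System crashes the machine).
PROTECTED_PIDS = {0, 4}


def parse_pslist(text):
    """Turn PsList's text output into a list of dicts, one per process."""
    procs = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:  # banner, column header and blank lines do not match
            continue
        row = m.groupdict()
        for key in ("pid", "pri", "thd", "hnd", "priv"):
            row[key] = int(row[key])
        procs.append(row)
    return procs


def find_pids(procs, name):
    """Return all PIDs whose image name matches (case-insensitive)."""
    return [p["pid"] for p in procs if p["name"].lower() == name.lower()]


def pskill_command(pid, computer=None):
    """Build the PsKill argv for one PID, refusing protected system PIDs."""
    if pid in PROTECTED_PIDS:
        raise ValueError(f"refusing to build a PsKill command for PID {pid}")
    argv = ["pskill", "-accepteula"]
    if computer:
        argv.append("\\\\" + computer)
    argv.append(str(pid))
    return argv


def run_pslist(computer=None):
    """Run PsList locally or against a remote host and parse its output."""
    argv = ["pslist", "-accepteula"]
    if computer:
        argv.append("\\\\" + computer)
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return parse_pslist(out)


if __name__ == "__main__":
    # Dry run on the constructed sample: print the PsKill commands that would
    # be issued. Swap in run_pslist("HOST") on a Windows box with PsTools in
    # PATH to work from live data.
    target = sys.argv[1] if len(sys.argv) > 1 else "notepad"
    for pid in find_pids(parse_pslist(SAMPLE_PSLIST_OUTPUT), target):
        print(" ".join(pskill_command(pid, "WORKSTATION1")))
```

Printing the command lines instead of executing them keeps the script a review step: an admin can eyeball which PIDs on which host are about to be terminated before running anything.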

2: Process Explorer

Process Explorer is a great tool for digging into open files or resources. Trying to open a file, but getting a notification that it's already open? Process Explorer can help determine which application or process has the file open. It is a GUI-based utility and can be used as a Task Manager replacement. The utility has two panes of information. The top pane shows currently active processes on your system and includes information about the name, the account that owns the process, and the CPU usage of the process.

The bottom pane has two modes of operation, handle mode and DLL mode. When handle mode is enabled, selecting a process in the top portion of the window will show you the handles that the process has open. In DLL mode, the pane displays the DLLs and memory-mapped files loaded by the selected process.

3: Autoruns

You know how malware likes to invade the startup folder and other locations on infected systems? These seem to be the hardest things to find and get rid of when trying to clean up spyware/malware infections. Autoruns can help with that. It looks through all possible locations where applications can be listed to launch automatically when Windows starts. Then, it displays them in a tabbed, easy-to-follow GUI. You can hide Microsoft-signed entries to eliminate the good items from the list of things that start up on your system.
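Hiding the Microsoft-signed entries is the filter that makes Autoruns useful, and the same filter can be applied to the CSV report that the command-line autorunsc -c writes. As an added example (not code from the article or from Sysinternals), this Python script splits such a report into verified-Microsoft, third-party-signed and unverified entries, and goes one step beyond the GUI by diffing a fresh run against a saved baseline so that only entries that appeared since the last check are surfaced. The header names, the "(Verified) ..." / "(Not verified)" signer wording and every row in the sample are assumptions or constructed data, not output captured from a real machine.

```python
import csv
import io

# Constructed CSV in the shape autorunsc -c is assumed to emit. The header
# names and signer wording are assumptions; hosts, paths and entries are made
# up for this example.
SAMPLE_AUTORUNS_CSV = r'''"Time","Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"1/2/2024 9:00 AM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","10.0.19041.1","%windir%\system32\SecurityHealthSystray.exe"
"1/2/2024 9:00 AM","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","VendorTray","enabled","Logon","System-wide","Vendor tray helper","(Verified) Example Vendor Ltd","Example Vendor","c:\program files\vendor\tray.exe","2.1.0.0","""C:\Program Files\Vendor\tray.exe"" /silent"
"1/2/2024 9:00 AM","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","WORKSTATION1\alice","","(Not verified)","","c:\users\alice\appdata\roaming\updater\updater.exe","","C:\Users\alice\AppData\Roaming\updater\updater.exe"
"1/2/2024 9:00 AM","Task Scheduler","\Maintenance\CleanupTask","enabled","Tasks","System-wide","","(Not verified)","","c:\windows\temp\cleanup.exe","","C:\Windows\Temp\cleanup.exe"
'''


def parse_autoruns_csv(text):
    """Read the report into a list of dicts keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def is_verified_microsoft(row):
    """True for entries whose Authenticode signer is Microsoft and verified."""
    return row.get("Signer", "").startswith("(Verified) Microsoft")


def non_microsoft_entries(rows):
    """The view Autoruns gives when Microsoft-signed entries are hidden."""
    return [r for r in rows if not is_verified_microsoft(r)]


def unverified_entries(rows):
    """Entries with no signature or one that failed verification."""
    return [r for r in rows if not r.get("Signer", "").startswith("(Verified)")]


def entry_key(row):
    """Identity of an autostart entry: where it lives, its name, its image."""
    return (row["Entry Location"], row["Entry"], row["Image Path"].lower())


def new_since_baseline(baseline_rows, current_rows):
    """Entries present in the current run that the saved baseline lacked."""
    known = {entry_key(r) for r in baseline_rows}
    return [r for r in current_rows if entry_key(r) not in known]


if __name__ == "__main__":
    rows = parse_autoruns_csv(SAMPLE_AUTORUNS_CSV)
    # Pretend the first two rows were the baseline captured on a clean build.
    baseline = rows[:2]
    print("Unverified autostart entries:")
    for r in unverified_entries(rows):
        print(f"  {r['Entry Location']} :: {r['Entry']} -> {r['Image Path']}")
    print("New since baseline:")
    for r in new_since_baseline(baseline, rows):
        print(f"  {r['Entry']} ({r['Signer'] or 'no signer'})")
```

Keying the diff on location, entry name and image path catches the common case where a known entry name is kept but its image is swapped for another binary, which a name-only comparison would miss.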

4: MoveFile

As we all know, there are times when files need to be moved or deleted to help get things cleaned off a PC (malware/bots/viruses). Sometimes, this can't be done because files are in use, which prevents actions on the files until they are closed or the computer is rebooted. MoveFile provides an API that marks files for move/rename/delete at the next restart of the Windows system. Doing this allows the file to be acted on before it is referenced by the system.
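Because the delayed operation is recorded in the registry until the reboot happens, an admin can review what has been queued, whether by MoveFile or by anything else on the box, before restarting. As an added example (not code from the article or from Sysinternals), this Python code decodes the PendingFileRenameOperations value that MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes under the Session Manager key: a REG_MULTI_SZ of source/destination pairs where an empty destination means delete and a leading "!" means replace an existing file. The value location and pair layout are documented Windows behaviour; the sample entries are constructed.

```python
import sys

# Registry location MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) records into.
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"  # NT object-namespace prefix on every stored path

# Constructed sample in the layout the value uses: pairs of (source,
# destination); "" as destination = delete; "!" prefix = replace existing.
SAMPLE_PENDING = [
    r"\??\C:\Windows\Temp\old_driver.sys", "",
    r"\??\C:\Windows\Temp\app_new.tmp", r"!\??\C:\Program Files\App\app.exe",
    r"\??\C:\Users\alice\Downloads\notes.txt", r"\??\C:\Users\alice\Documents\notes.txt",
]


def _strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(values):
    """Decode the multi-string into a list of {op, source, destination} dicts."""
    items = list(values)
    # A trailing empty string after the last pair is tolerated and dropped.
    if len(items) % 2 == 1 and items[-1] == "":
        items.pop()
    if len(items) % 2 == 1:
        raise ValueError("malformed PendingFileRenameOperations: unpaired entry")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append({"op": "delete", "source": _strip_nt_prefix(src),
                        "destination": None})
            continue
        replace = dst.startswith("!")
        ops.append({
            "op": "replace" if replace else "move",
            "source": _strip_nt_prefix(src),
            "destination": _strip_nt_prefix(dst[1:] if replace else dst),
        })
    return ops


def read_pending_renames():
    """Read the live value on Windows; returns [] when nothing is queued."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            values, _ = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    return parse_pending_renames(values)


if __name__ == "__main__":
    # Live data on Windows, the constructed sample everywhere else.
    pending = read_pending_renames() if sys.platform == "win32" else parse_pending_renames(SAMPLE_PENDING)
    for op in pending:
        print(f"{op['op']:8} {op['source']}" + (f" -> {op['destination']}" if op["destination"] else ""))
```

Reviewing this list before a reboot is worthwhile on a machine being cleaned up: a queued replace of a file under Program Files or System32 that you did not schedule yourself deserves a look before the restart carries it out.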

5: PSFile

The PStools utilities are all popular and useful, but one I recently discovered is PSFile. By default, this utility shows files on the local system that have been opened by remote systems, but it can also be passed parameters to return the same information about a remote system. This tool is a good way to check for open files on file servers when users report read-only issues or have problems getting files to open properly.

To see open files on a remote system, try the following PSFile command:

Psfile \\computername -u username -p password [path]

Other favorites?

Do you have Sysinternals tools in your admin arsenal? Which ones do you use on a regular basis?

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

10 comments
tomokogun

When news is read on radio once, it is usually read again and again. This is because not the whole world will hear it the first time. I have just stepped up into a full network admin position and I am blessed by this recycled article. Thanks, everybody.

cybershooters

I use psloggedon all the time; people forget to turn off their computers, so I check to see if anyone is logged on, and if not, I shut down the computer. psloggedon \\computername

3v

I agree with Jayton, PsExec is an awesome tool! And let's not forget their BSOD screensaver... :-D

Jayton

PSexec of course! It is one of my most used tools in the PStools suite :) Want an app installed on ALL PCs in the network? Sure, no probs: PSEXEC \\* -u domain.local\administrator cmd /c \\server_name\share\app.exe (or MSI etc.). You may need a -h before the -u if Vista or 7 (and when Win8 is released, most likely too). Or open a plain command prompt on a remote machine to run any command as if you were in front of it: PSEXEC \\Victim -u domain.local\Administrator cmd.exe. Totally awesome tool.

Jayton

That's a bit draconian! I pity the souls who forgot to save their work or are working late and suddenly bzzzrrrr, the PC has gone into shutdown mode. I like it. psexec.exe \\* -u domain.local\admin cmd /c "shutdown.exe /f /t 0 /s" Oops, there I go using psexec again >.

Gisabun

TR likes to recycle their articles on a slow news day.

Jody Gilbert

As it says at the beginning of the article, this list is derived from a post in the 10 Things blog. I'm trying to get this new "Five Apps" focus ramped up, and I knew this list would reach additional readers -- seemed like a good idea to me! -jody