Sysinternals has been around for quite some time and was acquired by Microsoft in 2006. These are great little tools for getting some heavy-hitting Windows things done and sometimes done better than when using the built-in tools for a task. The entire suite of products is available for download. While this is the easiest way to get the tools because they are bundled, there are some tools that I find myself using far more than others. Here's a look at my favorite tools in the Sysinternals collection.
Note: This list is based on an entry in our 10 Things blog.
1: PsList and PsKill
I listed these together because I typically use them in this order. The goal here is to see processes on a machine — with PsList, I find the process ID, and then I use PsKill to terminate the process.
There are quite a few ways to return information with PsList, and the best part is that it works on local and remote machines. PsKill works similarly to PsList except it is used to terminate processes by process ID.
2: Process Explorer
Process Explorer is a great tool for digging into open files or resources. Trying to open a file, but getting a notification that it's already open? Process Explorer can help determine which application or process has the file open. It is a GUI-based utility and can be used as a Task Manager replacement. The utility has two panes of information. The top pane shows currently active processes on your system and includes information about the name, the account that owns the process, and the CPU usage of the process.
The bottom pane has two modes of operation, handle mode and DLL mode. When handle mode is enabled, selecting a process in the top portion of the window will show you the handles that the process has open. In DLL mode, the pane displays the DLLs and memory-mapped files loaded by the selected process.
You know how malware likes to invade the startup folder and other locations on infected systems? Seems that these are the hardest things to find and get rid of when trying to clean up spyware/malware/ infections. Autoruns can help with that. It looks through all possible locations where applications can be listed to automatically launch when Windows starts. Then, it displays them in a tabbed, easy-to-follow GUI. You can hide Microsoft-signed entries to eliminate the good items from the list of things that start up on your system.
As we all know, there are times when files need to be moved or deleted to help get things cleaned off a PC (malware/bots/viruses). Sometimes, this can't be done because files are in use, which prevents actions on the files until they are closed or the computer is rebooted. MoveFile provides an API that marks files for move/rename/delete at the next restart of the Windows system. Doing this allows the file to be acted on before it is referenced by the system.
The PStools utilities are all popular and useful, but one I recently discovered is PSFile. This utility shows files on a system that are opened by remote systems by default but that can be passed parameters to return information about remote systems as well. This tool is a good way to check for open files on file servers when users might report read-only issues or have problems getting files to open properly.
To see open files on a remote system, try the following PSFile command:
Psfile \\computername -u username -p password [path]
Do you have Sysinternals tools in your admin arsenal? Which ones do you use on a regular basis?
Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.