Last December, I put together a list of Sysinternals tools that I found the most useful. Recently, I looked through the entire list and found a few more tools you might keep on a flash drive, just in case the need arises.

Note: This article is based on an entry in our Network Administrator blog. It’s also available as a gallery and as a PDF download.

1: DiskMon

This utility looks at all your hard disk traffic and reports it to the screen (Figure A). When the window is displayed, the default is to auto scroll the data, constantly filling the window as you use your PC. If you minimize the application to the tray (Options | Minimize to tray disk light), DiskMon will blink as it monitors traffic. I found it interesting to see just how many reads and writes my laptop processed just working on this blog post.

Figure A


2: Disk Usage

Sometimes, finding the size of a directory is convenient — but do you want to know the size on disk? Sure, Windows Explorer can provide some information about the size of a directory; however, I haven’t found that method particularly useful. Many times, getting to the information when I need it is a bit of a hassle. This command-line utility displays the size of the specified directory and the files contained within it (Figure B). Here are the command usage and the arguments it takes:

Usage: du [[-v] [-l <levels>] | [-n]] [-u] [-q] <file or directory>

  • -l <levels> — Specify the subdirectory depth to use; the utility defaults to all levels
  • -n — Don’t recurse
  • -q — Don’t print the banner
  • -u — Count unique files or folders only
  • -v — Show information for intermediate directories

Figure B

Disk Usage Du
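Running du against one directory at a time is fine interactively, but the usual admin question is "which subdirectory is eating the disk?". The following PowerShell wrapper is an added example, not code from the article or from Sysinternals: it runs du.exe once per immediate subdirectory, parses the summary block into numbers, and sorts by size on disk. It assumes du.exe is on PATH and that du prints its summary as "Key: value" lines (Files, Directories, Size, Size on disk); the sample block at the end is constructed in that layout so the parser can be checked offline. The -accepteula switch is the standard Sysinternals option that suppresses the first-run licence dialog.

```powershell
# Added example: rank subdirectories by size on disk using Sysinternals du.exe.
# Assumptions: du.exe on PATH; summary printed as "Key: value" lines.

function Get-DuSummary {
    param([Parameter(Mandatory)][string[]]$DuOutput)
    # Parse lines such as "Size on disk: 1,245,184 bytes" into a hashtable
    # keyed by the label, with the number converted to an Int64.
    $summary = @{}
    foreach ($line in $DuOutput) {
        if ($line -match '^\s*(?<key>[A-Za-z ]+?):\s+(?<value>[\d,]+)') {
            $summary[$Matches.key.Trim()] = [int64]($Matches.value -replace ',', '')
        }
    }
    return $summary
}

function Get-SubdirectorySizeOnDisk {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$DuExe = 'du.exe'
    )
    if (-not (Get-Command $DuExe -ErrorAction SilentlyContinue)) {
        throw "Cannot find $DuExe; put the Sysinternals folder on PATH or pass -DuExe."
    }
    Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object {
        # -q suppresses the banner so only the summary block remains to parse.
        $raw = & $DuExe -accepteula -q $_.FullName 2>$null
        $s = Get-DuSummary -DuOutput ([string[]]$raw)
        $onDisk = if ($s.ContainsKey('Size on disk')) { $s['Size on disk'] } else { 0 }
        [pscustomobject]@{
            Directory   = $_.FullName
            Files       = $s['Files']
            SizeBytes   = $s['Size']
            OnDiskBytes = $onDisk
            OnDiskMB    = [math]::Round($onDisk / 1MB, 1)
        }
    } | Sort-Object OnDiskBytes -Descending
}

# Constructed sample of a du summary block, used to exercise the parser offline:
$sample = @(
    'Files:        42',
    'Directories:  7',
    'Size:         1,234,567 bytes',
    'Size on disk: 1,245,184 bytes'
)
Get-DuSummary -DuOutput $sample

# Usage against a real path (requires du.exe):
# Get-SubdirectorySizeOnDisk -Path 'C:\Users\Public' | Format-Table -AutoSize
```

The parser only depends on the label-colon-number shape, so it tolerates changes in column alignment; if a future du changes the labels themselves, the hashtable keys are the only thing to update.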

3: Page Defrag

Windows has a bit of a tendency to allow files to get fragmented and perform less than optimally. For files and folders, there are countless tools and utilities to help keep your system in top shape. But many of these tools (especially the built-in tool for defragmentation) don’t do much for the registry and paging files. Page Defrag (Figure C) will help you get the page files and registry under control.

Figure C

Page Defrag

Note: In testing, it seems that Page Defrag is a 32-bit-only utility.

4: SDelete

Even after a file is deleted, many times it can still be recovered, which can be a problem when you’re trying to recycle a clean system or repurpose it. SDelete (Figure D) conforms to Department of Defense regulations/standards for file wiping. When used to remove files or folders, the deleted items are overwritten so that they cannot be recovered.

SDelete is run from the command line and takes the following parameters:

  • -c — Zeroes free disk space
  • -p passes — Allows you to specify the number of passes to use (-p 3 for 3 passes)
  • -q — Silent execution
  • -s — Subdirectory recursion
  • -z — Cleans free space
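Because SDelete is irreversible, the thing a practitioner wants around it is guard rails rather than a bare command line. The wrapper below is an added example, not code from the article or from Sysinternals: it refuses to run without an elevated prompt, refuses any path outside an approved root (so a stray ".." or a typo cannot wipe the wrong tree), supports a dry run, and records the outcome for an audit trail. It assumes sdelete.exe is on PATH; the $AllowedRoot default is a constructed policy value, and -accepteula is the standard Sysinternals switch that skips the licence dialog.

```powershell
# Added example: secure disposal of a staging directory with SDelete, with
# pre-flight checks. Assumptions: sdelete.exe on PATH; D:\Staging is a
# constructed example of the only root that may be wiped.

function Test-IsElevated {
    # SDelete (and several other Sysinternals tools) needs an elevated prompt.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-SecureDispose {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$AllowedRoot = 'D:\Staging',     # constructed: wipes allowed only under here
        [ValidateRange(1, 35)][int]$Passes = 3,
        [string]$SDeleteExe = 'sdelete.exe',
        [switch]$WhatIf
    )
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }

    $full = [IO.Path]::GetFullPath($Path)
    $root = [IO.Path]::GetFullPath($AllowedRoot).TrimEnd('\') + '\'
    # Refuse anything outside the approved root, and the root itself.
    if (-not $full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase) -or
        $full.TrimEnd('\') -eq $root.TrimEnd('\')) {
        throw "Refusing to wipe '$full': not inside '$root'."
    }
    if (-not (Test-Path -LiteralPath $full -PathType Container)) {
        throw "Directory '$full' does not exist."
    }

    # -p <passes> overwrite passes, -s recurse into subdirectories, -q no per-file output.
    $sdArgs = @('-accepteula', '-p', $Passes, '-s', '-q', $full)
    if ($WhatIf) { Write-Host "Would run: $SDeleteExe $sdArgs"; return }

    & $SDeleteExe @sdArgs
    $exit = $LASTEXITCODE
    [pscustomobject]@{
        Path     = $full
        Passes   = $Passes
        ExitCode = $exit
        Removed  = -not (Test-Path -LiteralPath $full)
        At       = Get-Date
    }
}

# Usage: dry run first, then the real wipe with the result appended to a log.
# Invoke-SecureDispose -Path 'D:\Staging\old-export' -WhatIf
# Invoke-SecureDispose -Path 'D:\Staging\old-export' |
#     Export-Csv -Path 'D:\wipe-log.csv' -Append -NoTypeInformation
```

The path check is done on the normalised full path rather than the string the caller typed, which is what closes the ".." and relative-path cases.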

Figure D


5: LoadOrder

Device drivers in Windows are rather important when it comes to proper system operation, but when you start Windows, Microsoft often doesn’t show the order in which these additional devices are added and installed. LoadOrder (Figure E) presents the order in which items were loaded by Windows. As an added bonus, services are included here too.

Figure E


6: Handle

This utility (Figure F) allows you to see the handles that are open on your system and will, with arguments, allow you to close (albeit forcibly) handles to running applications.

The usage and arguments for Handle are:

  • -a — Dumps all information
  • -c <handle> — Closes handles specified; can cause system instability
  • -l — Shows only profile section handles
  • -y — Do not prompt for handle close
  • -s — Display a count of each handle type that is open
  • -u — Display the user who owns each handle
  • -p <pid> — Dump the handles belonging to a specified process
  • Name — Search for handles related to the supplied object name
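The everyday use of Handle is answering "what has this file open?", for instance when a log or evidence file cannot be moved during an incident. The script below is an added example, not code from the article or from Sysinternals: it runs handle.exe with -u so the owning account is shown, parses each match into an object, and deliberately does not use -c, since the article notes that forcibly closing a handle can destabilise the process; the safe remedy is to stop the owning process. It assumes handle.exe is on PATH and that each match is printed as "<process> pid: <n> type: <type> [<DOMAIN\user>] <hex>: <object name>", which is the layout the regex expects; the sample lines at the end are constructed in that layout so the parser runs offline.

```powershell
# Added example: find which processes hold handles to a given object name.
# Assumptions: handle.exe on PATH; match lines in the layout described above.

function ConvertFrom-HandleOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    # The owner column is optional (only present with -u) and may contain
    # spaces ("NT AUTHORITY\SYSTEM"), but never a colon, which is what
    # keeps it distinct from the "<hex>:" handle column that follows it.
    $pattern = '^(?<proc>.+?)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+' +
               '(?:(?<user>[^:]+?)\s+)?(?<handle>[0-9A-Fa-f]+):\s*(?<name>.+?)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Process = $Matches.proc
                Pid     = [int]$Matches.pid
                Type    = $Matches.type
                Owner   = $Matches.user
                Handle  = $Matches.handle
                Object  = $Matches.name
            }
        }
    }
}

function Find-OpenHandle {
    param(
        [Parameter(Mandatory)][string]$Name,    # substring of the object name, e.g. a file path
        [string]$HandleExe = 'handle.exe'
    )
    # Report only: no -c here. Stop the owning process instead if the file must be released.
    $raw = & $HandleExe -accepteula -u $Name 2>$null
    ConvertFrom-HandleOutput -Lines ([string[]]$raw) | Sort-Object Process, Pid
}

# Constructed sample lines in the expected layout, to exercise the parser offline:
$sample = @(
    'notepad.exe        pid: 5132   type: File           CORP\alice   3C: C:\temp\report.txt',
    'svchost.exe        pid: 1004   type: File           NT AUTHORITY\SYSTEM   1A4: C:\temp\report.txt',
    'No matching handles found.'
)
ConvertFrom-HandleOutput -Lines $sample | Format-Table -AutoSize

# Usage against a live system (requires handle.exe):
# Find-OpenHandle -Name 'C:\temp\report.txt'
```

Lines that do not fit the pattern, such as the banner or "No matching handles found.", are simply skipped, so the function returns nothing rather than a malformed object when there is no match.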

Figure F


7: LogonSessions

Logging on to Windows just isn’t what it used to be, depending on the version. LogonSessions (Figure G) will display all the sessions currently logged on to a given system. Like potato chips, just one is highly unlikely. The only argument available for LogonSessions is -p, which shows the processes available for each logon session. Oh, and when run on my laptop for testing for this post, there were eight sessions running.


8: PSInfo

PSInfo (Figure H) falls in the PS tools suite of products, but I thought it particularly interesting because of the amount of information it returns. The idea here is to allow logged-on users to gain system information from their system or a remote system with little effort. Specifying the \\computername option will point PSInfo at a remote system. Another way to run PSInfo is to point it at a file containing a list of remote systems. This will return the info for each remote system listed.

When run with no arguments, the utility returns basic system information about your local machine. The arguments I found most interesting were -h for installed hotfixes and -s for installed software.
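The -h output is the one with real security value, because it lets you check a fleet for a specific hotfix without logging on to each box. The script below is an added example, not code from the article or from Sysinternals: it reads hostnames from a file, runs psinfo -h against each as \\computername, pulls every KB identifier out of the output, and reports which machines lack a required one. It assumes psinfo.exe is on PATH, that the running account can reach the remote systems, and that installed hotfixes appear in the output as "KB<digits>" tokens (the parser relies on nothing else about the layout). The KB numbers and hostnames in the sample are constructed placeholders.

```powershell
# Added example: hotfix presence check across a list of machines via PsInfo -h.
# Assumptions: psinfo.exe on PATH; remote access permitted; hotfixes shown as KB tokens.

function Get-HotfixIdsFromPsInfo {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Extract every KB identifier, regardless of how the surrounding table is laid out.
    $ids = foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, '\bKB\d{6,7}\b')) { $m.Value.ToUpper() }
    }
    $ids | Sort-Object -Unique
}

function Test-HotfixCompliance {
    param(
        [Parameter(Mandatory)][string]$ComputerListPath,   # text file, one hostname per line
        [Parameter(Mandatory)][string]$RequiredKB,         # e.g. 'KB1234567' (placeholder)
        [string]$PsInfoExe = 'psinfo.exe'
    )
    Get-Content -LiteralPath $ComputerListPath | Where-Object { $_.Trim() } | ForEach-Object {
        $computer = $_.Trim()
        # \\computername targets a remote system; -h lists installed hotfixes.
        $raw = & $PsInfoExe -accepteula -h "\\$computer" 2>&1
        $ok  = ($LASTEXITCODE -eq 0)
        $ids = if ($ok) { @(Get-HotfixIdsFromPsInfo -Lines ([string[]]$raw)) } else { @() }
        [pscustomobject]@{
            Computer    = $computer
            Reachable   = $ok
            HotfixCount = $ids.Count
            HasRequired = $ok -and ($ids -contains $RequiredKB.ToUpper())
        }
    }
}

# Constructed sample of the kind of lines PsInfo -h prints, to exercise the parser offline:
$sample = @(
    'System information for \\WS01:',
    'OS Hot Fix    Installed',
    '  KB1234567   1/2/2010',
    '  KB7654321   1/2/2010',
    '  kb1234567   1/2/2010'
)
Get-HotfixIdsFromPsInfo -Lines $sample

# Usage (requires psinfo.exe and reachable hosts):
# Test-HotfixCompliance -ComputerListPath 'C:\admin\hosts.txt' -RequiredKB 'KB1234567' |
#     Where-Object { -not $_.HasRequired } | Format-Table -AutoSize
```

Unreachable hosts are reported as Reachable = False rather than silently counted as missing the patch, so the output distinguishes "not patched" from "could not check".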

Figure H


9: RootkitRevealer

When looking at this utility, it seemed to be a no-brainer to include it here. But it seems to work only on 32-bit systems prior to Windows 7. It also runs as a randomly named service for the duration of execution, to reduce the possibility of being hijacked by a rootkit. I am hoping that the team behind Sysinternals releases a Win 7-ready version of this tool soon.

The utility can be started from the command line or by a double-click and detects places where rootkits might be hiding on your system. Is it perfect? No. But it does do a pretty thorough job.

The screenshot in Figure I was taken on a 32-bit Windows XP VM with little more than Windows updates applied.

Figure I


10: RegJump

RegJump (Figure J) provides a convenient command-line way to get into the registry where you need to be, so you don’t have to chase down the hive you need. It lets you start out right at HKEY_CURRENT_USER or elsewhere in the registry with minimal typing. The feature that really stands out is its support for abbreviations as well as standard notation for registry hives, so both HKEY_CURRENT_USER and HKCU will work on the RegJump command line.

Figure J


Give them a try

These utilities provide a great amount of information with a minimum of effort. Because Sysinternals utilities are free to download, there’s no reason not to check them out. They make a great addition to any Windows admin’s toolkit. It is important to note that some of the utilities included here require Administrator access. In many cases, I will run these tools with an elevated command prompt for ease of use.