Five favorite Sysinternals tools and what they do

Derek Schauland lists his favorite Sysinternals tools -- the ones he uses the most often -- and shows what each of them does.

Sysinternals has been around for quite some time and was acquired by Microsoft in 2006. As many of you know, these are great little tools for getting some heavy hitting Windows things done and sometimes done better than when using the built in tools for a task.

The entire suite of products is available for download at

While this is the easiest way to get the tools because they are bundled together, there are some tools that I find myself using far more than others. This post will focus on my five favorite tools in the Sysinternals collection (or the ones that I use the most).

#1 PsList and PsKill

I listed these together because I typically use them in that order. The goal here is to see processes on a machine -- with PsList, I find the process ID, and then use PsKill to terminate said process. Suppose a system on your network is performing very slowly, Task Manager is a great tool but only works on the local machine and many times interrupting a user for investigative work is something frowned upon even when things are not performing as they wish.

With PSList, you can use a command like the one below to get an overall list of the processes running on a remote machine.

C:\Sysinternals> PSList \\remotemachine1
The arguments available for PSList, shown in Figure A, are:
  • -d shows thread details
  • -m shows memory details
  • -x shows processes, memory, and thread information (or the whole works)
  • -t shows the process tree
  • -s[n] runs PsList in task manager mode for the number of seconds specified for n
  • -r n shows task manager mode refresh rate in seconds
  • \\computername shows the processes running on the remote computer specified
  • -u is the username for remote PC access
  • -p is the password for remote PC access
  • Name shows process information for all processes beginning with the name specified, for example, a command like pslist -d chrome shows all the process details for processes beginning with Chrome
  • -e shows process information about exact matches for the name specified
  • Pid shows information about the process specified

Figure A

PsList showing all of its arguments

As you can see there are quite a few ways to return information with PSList and the best part is the fact that it works on local and remote machines.

PSKill works similarly to PSList except it is used to terminate processes by process ID.  Once you have obtained the process ID for an application or service, you can enter a command like the one below to terminate that process on the remote machine.

C:\Sysinternals> PSKill -t \\remotemachine1 -u <username> -p <password> <process ID>

Note: When using PSKill you will need to specify a username and password with access to the remote machine; leaving the password out will cause the utility to prompt you for a password.

To see a general list of processes on your local machine, simply navigate to the directory where you unpacked PSList in a command prompt and enter PSList. You will be prompted to accept a license agreement on first run, but it does not prompt again after that. For the syntax and arguments available in PSList, type PSList /? (or PSKill /? if you are using that utility).

#2 Process Explorer

Process Explorer is a great tool for digging into open files or resources. Trying to open a file, but getting a notification that it is already open? Process Explorer can help determine which application or process has the file open. It is a GUI-based utility and can be used as a task manager replacement. The utility has two panes of information, the top pane shoes currently active processes on your system and includes information about the name, the account that owns the process, and the CPU usage of the process.

The bottom pane of Process Explorer has two modes of operation, handle mode and DLL mode. When handle mode is enabled, selecting a process in the top portion of the window will show you the handles that the process has open. In DLL mode the pane displays the DLLs and memory mapped files loaded by the selected process.

In essence, the Process Explorer utility takes task manager to a whole new level by drilling into the processes running on your system. Figure B shows process explorer running on my system as I write this with OneNote selected.

Figure B

Process Explorer in action

#3 ZoomIt

ZoomIt is a utility for the public speaker in all of us. When presenting information, sometimes it is helpful to show a certain area of the screen magnified to call attention to a dialog box or other item. This is what ZoomIt does in a nutshell.

When configured, it will integrate with PowerPoint to allow macro keys to trigger functions during a presentation. Figure C shows the configuration dialog box for ZoomIt.

Figure C

Setup ZoomIt for the first time

The items available to configure are:

  • Zoom: This option will allow you to turn zoom on or off, when its turned on, the scroll wheel on a mouse or the up/down arrow keys control the amount of zoom.
  • Live Zoom: Supported in Windows Vista and later versions, this option shows updates (if any) in a window while zoomed.
  • Draw: This setting allows you to draw on the screen with the left mouse button while zoom is active. If you want to draw without zoom enabled, you can use Ctrl+2 to enable drawing.
  • Type: From within Drawing mode, pressing [t] will enable type mode which allows you to type over the screen. Escape on the keyboard or the left mouse button exits type mode.
  • Break: Allows you to configure a break timer as needed for presentations. When enabled, a countdown timer is displayed on the screen as shown in Figure D.

Figure D

Time for a break

#4 PsLoggedOn

Finding the user who is logged on to a system can be quite a challenge. Sure, the net session built-in command can do the job on a local system, but many times you already know who is logged in on your local system.

Sysinternals has come up with a utility, and a definition of locally logged in, that might be a bit more useful. PsLoggedOn uses a registry scan to look through the HKEY_USERS key to see which profiles are loaded. Looking at the keys with a user ID SID, PsLoggedOn looks up the username of the SID and displays it. This shows you who is logged on in any session to a PC.

When querying remote systems, your userid will be found as a connected user session as well.

The remote and local users are returned separately to help distinguish logon types, shown in Figure E.

Figure E

Users logged on to my local system

While PsLoggedOn isn't the fanciest tool, it is very useful when trying to track down a user.

#5 Autoruns

You know how malware likes to invade the startup folder and other locations on infected systems? Seems that these are the hardest things to find and get rid of when trying to clean up spyware/malware/ infections. Autoruns can help with that. It looks through all possible locations where applications can be listed to automatically start when Windows starts and displays them to you in a tabbed, easy-to-follow GUI.

You can hide Microsoft-signed entries to eliminate the good items from the list of things that start up on your system.

Figure F shows the Autoruns utility. When I first discovered this one I was a bit shocked by the number of things that auto-start in a standard Windows installation.

Figure F

Autoruns finds things that start up when Windows starts

The application also allows information to be compared between runs. You will need to save/export scans to compare the previous to the current, but selecting File | Save will create the file needed.

Those are the utilities from Sysinternals that I use most often and a bit about what they do. Next time, I will dig into a few other utilities that might not be quite so popular or well known. What are your favorites?