Learn about some Sysinternals tools that might be flying under the radar

Derek Schauland follows up his post on favorite Sysinternals tools to point out a few that may not be as familiar. Here are his recommendations.

In a previous post, I looked at five tools that I use rather regularly from Sysinternals. This time I want to do a part two that features utilities I don't use as often, but that are also very helpful when you need them. Don't get me wrong, all of the tools by Russinovich and gang are very useful -- except maybe the Blue Screen of Death Screensaver -- but some of them don't get as much attention.

The first one I want to mention isn't really a tool or utility, but a service that lets you run the Sysinternals utilities straight from the web, right inside Windows Explorer or a command prompt. Sysinternals Live takes the download out of the equation. Browse to http://live.sysinternals.com/ and click a tool to run it, or refer to a tool by its UNC path, for example \\live.sysinternals.com\tools\contig.exe. The UNC form is served over WebDAV, so it needs the WebClient service running, and since you are executing a binary fetched over the network it is worth checking that it carries a valid Microsoft Authenticode signature before relying on it. Now that the online execution of utilities is out of the way, we can look at a few tools that may be lesser known to some people, or to those new to Sysinternals.

#1 Contig

There are any number of disk defragmentation utilities that handle the bulk of file fragmentation, but some files, for one reason or another, never get consolidated by them. This is where Contig comes in. It is a single-file defragmenter, useful when one particular file (a database, a virtual disk, a large log) is used heavily and you suspect fragmentation is costing you performance.

Contig uses the following arguments:

  • -v Prints details of each operation as it is performed
  • -a Analyzes the specified file and reports its fragmentation without changing it
  • -q Runs Contig in quiet mode; this switch overrides -v if the two are specified together. When quiet mode completes, a summary of the actions performed is displayed.
  • -s Recurses into subdirectories, so a wildcard pattern can be applied to a whole tree
  • [filename] Specifies the path to the file you wish to defragment (wildcards allowed)

The syntax for using Contig to defragment a file in the root of C: might look like this:

Contig -v "c:\test.docx"

Figure A shows the output of Contig as run on test.docx.

Figure A

Contig executed on a test file

Contig can also create a new contiguous file of a given size with the -n switch, which takes the new file's name followed by its length in bytes (contig -n [filename] [length]). This is handy for pre-allocating a database or virtual disk file so it starts life unfragmented.
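The analyze switches are the ones to reach for first on a tree of large files. The PowerShell wrapper below is an added example, not code from the article or from Sysinternals: it runs contig -a -s over a wildcard, turns the per-file lines into objects and ranks them by fragment count, so only the worst offenders get a defrag pass. It assumes contig.exe is on the PATH and that Contig reports each analyzed file as "<path> is in N fragments" or "<path> is defragmented"; that output format is an assumption, which is why a constructed sample is included to check the parser without running the tool.

```powershell
# Added example (not from the article or from Sysinternals): rank files under a
# path by fragment count using Contig's analyze-only mode (-a) with recursion (-s).
# Assumptions: contig.exe is on PATH (or use \\live.sysinternals.com\tools\contig.exe),
# and each analyzed file is reported as "<path> is in N fragments" or
# "<path> is defragmented". That output format is assumed, not taken from the article.

function ConvertFrom-ContigAnalysis {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            if ($line -match '^(?<path>.+?) is in (?<frags>\d+) fragments?\s*$') {
                [pscustomobject]@{ Path = $Matches.path; Fragments = [int]$Matches.frags }
            }
            elseif ($line -match '^(?<path>.+?) is defragmented\s*$') {
                [pscustomobject]@{ Path = $Matches.path; Fragments = 1 }
            }
        }
    }
}

function Get-FragmentedFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,   # e.g. 'D:\VMs\*.vhd'
        [int]$MinFragments = 2,
        [string]$ContigPath = 'contig.exe'
    )
    # -accepteula suppresses the first-run licence dialog so this works unattended.
    # 2>&1 plus the string cast folds any stderr ErrorRecords into plain text lines.
    $raw = & $ContigPath -accepteula -a -s $Pattern 2>&1 | ForEach-Object { "$_" }
    $raw | ConvertFrom-ContigAnalysis |
        Where-Object { $_.Fragments -ge $MinFragments } |
        Sort-Object Fragments -Descending
}

# Constructed sample output (not captured from a real run) to exercise the parser.
$sample = @(
    'Contig v1.8 - Contig',
    'Copyright (C) 2001-2016 Mark Russinovich',
    '',
    'D:\VMs\web01.vhd is in 412 fragments',
    'D:\VMs\db01.vhd is defragmented',
    'D:\VMs\notes.txt is in 7 fragments',
    '',
    'Summary:'
)
$sample | ConvertFrom-ContigAnalysis |
    Where-Object { $_.Fragments -ge 2 } |
    Sort-Object Fragments -Descending | Format-Table -AutoSize

# Against a live tree, defragment only the worst offenders, one file at a time:
# Get-FragmentedFiles -Pattern 'D:\VMs\*.vhd' -MinFragments 10 |
#     ForEach-Object { & contig.exe -accepteula -v $_.Path }
```

Analyze mode never writes to the files, so the ranking step is safe to run on production data; the defrag step at the end is the only part that changes anything on disk.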

#2 Disk2vhd

Disk2vhd creates a virtual hard disk (VHD) file from a physical system's disks, for use with Microsoft Virtual PC or Hyper-V, or for attaching and even booting natively on Windows 7 and Windows Server 2008 R2.

Operating systems supported by Disk2vhd are Windows XP SP2, Windows Server 2003 SP1 and later, including the 64-bit versions of these systems.

A great use of this utility is to snapshot an entire disk for backup purposes. Disk2vhd uses Volume Shadow Copy, so it can image volumes that are in use, including the one Windows is running from. It also takes command-line arguments, so VHD creation can be scripted; the documented form is disk2vhd <drive: [drive:]...|*> <vhdfile>, for example disk2vhd * e:\images\snapshot.vhd. Used that way with Task Scheduler, you can capture your PC at scheduled intervals with no user intervention. Two things to keep in mind: writing the VHD to a disk other than the ones being captured is noticeably faster (it does work on the same disk), and the image needs protecting like the disk it came from, because a system-volume VHD contains the SAM and SYSTEM hives and every other secret stored on that disk.
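Putting the scheduled-capture idea into practice, the script below is an added example (not code from the article or from Sysinternals) that registers a weekly unattended Disk2vhd run of every local volume. It assumes disk2vhd.exe lives in C:\Tools, that it accepts the -accepteula switch common to Sysinternals tools, and that its command line is the documented disk2vhd <drive: ...|*> <vhdfile>; the output folder, task name and schedule are illustrative values.

```powershell
# Added example (not from the article or from Sysinternals): register an
# unattended weekly Disk2vhd capture of every local volume. Assumptions:
# disk2vhd.exe lives in C:\Tools, it accepts the -accepteula switch common to
# Sysinternals tools, and its command line is  disk2vhd <drive: ...|*> <vhdfile>
# as documented. Paths, task name and schedule are illustrative values.

$Disk2vhd   = 'C:\Tools\disk2vhd.exe'
$ScriptPath = 'C:\Tools\Invoke-Disk2vhd.ps1'   # runs as SYSTEM: only administrators may write here
$OutputDir  = 'E:\Images'                      # a disk not being captured is faster (not required)
$TaskName   = 'Weekly-Disk2vhd'

# 1. Lock down the image folder before the first image lands there. A VHD of the
#    system volume carries the SAM and SYSTEM hives, so anyone who can read it can
#    extract local account hashes offline. Inheritance is cut and only SYSTEM and
#    Administrators are granted access.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$acl = Get-Acl -Path $OutputDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $OutputDir -AclObject $acl

# 2. The task runs this small script so each image gets a unique, date-stamped name.
#    "*" tells Disk2vhd to include all volumes. Back-ticked $ signs stay literal so
#    they are evaluated when the task runs, not now.
$script = @"
`$vhd = Join-Path '$OutputDir' ("{0}-{1:yyyyMMdd}.vhd" -f `$env:COMPUTERNAME, (Get-Date))
& '$Disk2vhd' -accepteula * `$vhd
"@
Set-Content -Path $ScriptPath -Value $script -Encoding ASCII

# 3. Run as SYSTEM at the highest run level: Disk2vhd needs an elevated token for
#    Volume Shadow Copy, and SYSTEM can read every volume without a stored password.
$action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
schtasks.exe /Create /F /TN $TaskName /SC WEEKLY /D SUN /ST 02:00 /RU SYSTEM /RL HIGHEST /TR $action

# Check what was registered, then kick it off once by hand and watch $OutputDir fill.
schtasks.exe /Query /TN $TaskName /V /FO LIST
# schtasks.exe /Run /TN $TaskName
```

Because the task runs as SYSTEM, the script it executes is as sensitive as the task itself: keep it somewhere only administrators can modify, or anyone who can edit it gets SYSTEM at 02:00 on Sunday.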

One caveat: if you intend to boot from a VHD, do not attach it to the system it was created from. Windows 7 and Windows Server 2008 R2 can boot natively from a VHD file, but attaching the image on the source machine gives Windows two disks with the same disk signature. To avoid the collision it assigns the VHD a new signature, and because the boot configuration database (BCD) inside the image references the boot disk by signature, a VM booted from that VHD will then fail to find its boot disk.

#3 MoveFile

As we all know, there are times when files need to be moved or deleted to clean things off a PC (malware, bots, viruses). Sometimes this cannot be done because the file is in use, and nothing can act on it until the handle is closed or the computer is rebooted.

MoveFile is a thin front end to the Windows MoveFileEx API called with the MOVEFILE_DELAY_UNTIL_REBOOT flag. The request is recorded in the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and is carried out by Session Manager (smss.exe) early in the next boot, before services and other processes can open the file again. Because of how that flag works, MoveFile has to be run from an elevated (administrator) prompt, and its companion tool PendMoves lists what is currently queued.

To delete a file at the next restart, for example, you would enter the following at an elevated command prompt:

C:\> movefile test.exe ""

The empty destination "" tells MoveFile to delete the file when the system reboots. Although this seems very simple, I think it might be a very useful tool to help in the removal of spyware on a system by marking files for deletion, or for a move to a quarantine directory, at system restart.
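Before rebooting it pays to confirm exactly what has been queued, and the same check is worth running on any machine you are investigating, since installers and malware use the identical mechanism. The script below is an added example (not code from the article or from Sysinternals) that decodes the PendingFileRenameOperations value that MoveFileEx writes; the registry key and value name are the real ones, and the sample array is constructed so the decoding can be seen without touching the registry.

```powershell
# Added example (not from the article or from Sysinternals): decode what MoveFile,
# an installer, or malware has queued for the next boot. The registry key and
# value name are the real ones written by MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT);
# the sample array below is constructed to show the decoding without touching the registry.

function ConvertFrom-PendingRename {
    param([string[]]$Entries)
    # REG_MULTI_SZ laid out as source, destination, source, destination, ...
    # Paths are in NT form (\??\C:\...). An empty destination means delete; a
    # destination starting with "!" means replace an existing target
    # (MOVEFILE_REPLACE_EXISTING).
    for ($i = 0; $i + 1 -lt $Entries.Count; $i += 2) {
        $src    = $Entries[$i] -replace '^\\\?\?\\', ''
        $dstRaw = $Entries[$i + 1]
        $dst    = $dstRaw.TrimStart('!') -replace '^\\\?\?\\', ''
        if ($dst -eq '')                  { $op = 'Delete' }
        elseif ($dstRaw.StartsWith('!'))  { $op = 'Move (overwrite)' }
        else                              { $op = 'Move' }
        [pscustomobject]@{
            Operation    = $op
            Source       = $src
            Destination  = $dst
            SourceExists = if ($src) { Test-Path -LiteralPath $src } else { $false }
        }
    }
}

function Get-PendingFileRenames {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key
    # PendingFileRenameOperations2 uses the same layout when it is present.
    foreach ($name in 'PendingFileRenameOperations', 'PendingFileRenameOperations2') {
        if ($item.PSObject.Properties[$name]) {
            ConvertFrom-PendingRename -Entries $item.$name
        }
    }
}

# Constructed sample: what the article's  movefile test.exe ""  leaves behind, plus
# a move into a quarantine folder queued with the overwrite flag.
$sample = @(
    '\??\C:\Users\derek\AppData\Local\Temp\test.exe', '',
    '\??\C:\Windows\Temp\dropper.dll', '!\??\C:\Quarantine\dropper.dll'
)
ConvertFrom-PendingRename -Entries $sample | Format-Table -AutoSize

# Live view. Reviewing this value is also a cheap anti-forensics check: an attacker
# with admin rights can queue deletion of their own tooling, or of your logs, the same way.
Get-PendingFileRenames | Format-Table -AutoSize
```

Reading the value needs no elevation; writing it (which is what MoveFile does) requires an administrator token, which is why nothing queued here should be a surprise to whoever administers the machine.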

#4 PSFile

The PsTools set of utilities is definitely popular and extremely useful, but one that I recently discovered is PsFile. By default it lists files on the local system that have been opened over the network by remote users (what net file shows, without the truncated paths); pass a computer name and it reports on that machine instead, and it can close an open file by ID or path with -c.

To see open files on a remote system, try the following PsFile command. Leave -p off and PsFile prompts for the password; putting it on the command line exposes it in process listings, shell history and, where command-line auditing is enabled, the security event log.

Psfile \\computername -u username -p password [path]

This tool is a good way to check for open files on file servers when a user reports that a document opens read-only or will not open at all: someone else, or a stale session, is usually holding it. Once you have the file ID, psfile \\server <id> -c closes that handle, at the cost of whatever that user had not yet saved.
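To make the "who has this file open" check repeatable, the PowerShell wrapper below is an added example (not code from the article or from Sysinternals) that runs PsFile against a server, prompting for the password rather than passing it with -p, and turns the output into objects you can filter by path. It assumes psfile.exe is on the PATH and that PsFile prints one "[id] path" line per open file followed by indented "Name: value" detail lines (User, Locks, Access); that layout is an assumption about PsFile's output, so a constructed sample is used to check the parser offline.

```powershell
# Added example (not from the article or from Sysinternals): find who is holding a
# file open on a file server, using PsFile without putting the password on the
# command line. Assumes psfile.exe is on PATH and that it prints one "[id] path"
# line per open file followed by indented "Name: value" detail lines (User, Locks,
# Access). That layout is an assumption about PsFile's output, so the constructed
# sample below is used to check the parser offline.

function ConvertFrom-PsFileOutput {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\[(?<id>\d+)\]\s+(?<path>.+?)\s*$') {
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ Id = [int]$Matches.id; Path = $Matches.path }
        }
        elseif ($current -and $line -match '^\s+(?<k>[A-Za-z]+):\s*(?<v>.*?)\s*$') {
            $current[$Matches.k] = $Matches.v   # keeps whatever detail labels PsFile emits
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Get-RemoteOpenFiles {
    param(
        [Parameter(Mandatory = $true)][string]$Computer,
        [Parameter(Mandatory = $true)][string]$User,
        [string]$PathFilter = '*'
    )
    # No -p: PsFile prompts for the password, so it never shows up in process
    # listings, shell history, or command-line auditing (event 4688) on either side.
    $raw = & psfile.exe -accepteula "\\$Computer" -u $User 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-PsFileOutput -Lines $raw | Where-Object { $_.Path -like $PathFilter }
}

# Constructed sample (not captured from a real server) to exercise the parser.
$sample = @(
    'Files opened remotely on FS01:',
    '[37] C:\Shares\Finance\budget.xlsx',
    '    User:    CORP\alice',
    '    Locks:   0',
    '    Access:  Read Write',
    '[41] C:\Shares\Finance\budget.xlsx',
    '    User:    CORP\bob',
    '    Locks:   0',
    '    Access:  Read'
)
ConvertFrom-PsFileOutput -Lines $sample | Format-Table -AutoSize

# Live: who has the budget open on FS01? Close a handle only as a last resort,
# since the user loses unsaved changes:
# Get-RemoteOpenFiles -Computer FS01 -User 'CORP\admin' -PathFilter '*budget.xlsx'
# psfile.exe \\FS01 -u CORP\admin 37 -c
```

The detail lines are stored under whatever label PsFile prints, so if a version of the tool names a field differently the object simply gains a property of that name instead of the parser silently dropping it.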

#5 Sync

This utility was modeled on the UNIX sync command: it flushes cached file system data to disk so that what the system believes has been written actually is. Windows' cache manager flushes dirty data on its own within a few seconds, so in practice Sync earns its keep right before an expected crash or power loss, in test scenarios, and before pulling removable media that has write caching turned on.

The way I see this being useful depends on how stable you feel your system is. If your computer tends to crash more than you would like (or if you are testing some scenarios), you might create a scheduled task to ensure that the system info is flushed back to disk once per hour or some other pre-defined time frame.

Another cool thing about Sync is that USB, Zip, or other removable drives can be flushed, and ejected, with it. You will need administrative privileges to use Sync.

The options available for Sync are listed below:

  • -r Flushes removable drives
  • -e Ejects removable drives after flushing them
  • [drive letter list] Flushes only the specified drives

These are a few of the lesser-used tools that I thought others would like to know about, whether you're new to the Sysinternals suite or just in the habit of using the same ones all of the time. Which Sysinternals utilities have you been trying out lately? Do you have any favorites that might not be on the exceptionally popular list?