Disk Usage

ntSometimes finding the size of a directory is convenient, but do you want to know the size on disk?  Sure Windows explorer can provide some information about the size of a directory; however ,I haven’t found that method particularly useful. Many times getting to the information when I need it is a bit of a hassle. This command line utility can display the size of the specified directory and files contained within it.

n

ntThe command usage and the arguments it takes are below:

n

ntUsage: du [[-v] [-l ] | [-n]] [-q] (file or directory)

n

nt
• ntt-l Specify the subdirectory depth to use, the utility defaults to all levels

nt

• ntt-n Don’t recurse

nt

• ntt-q Do not print the banner

nt

• ntt-u Unique files or folders only please

nt

• ntt-v Show information in intermediate directories
  ntt 

n

Page Defrag

ntWindows has a bit of a tendency to allow files to get fragmented and perform less than optimally, and for files/folders there are countless tools and utilities to help keep your system in top shape. Many of these tools (especially the built in tool for defragmentation) doesn’t do much for the registry and paging files. Page Defrag will help you get the page files and registry under control.

n

ntNote: In testing, it seems that Page Defrag is a 32bit-only utility.

SDelete

ntEven after a file is deleted, many times it can still be recovered and may be a problem when trying to recycle a clean system or repurpose it. SDelete conforms to Department of Defense regulations / standards for file wiping. When used to remove files or folders, the items deleted will be removed.

n

ntSDelete is run from the command line and takes the following parameters:

n

nt
• ntt-c This argument zeroes free disk space

nt

• ntt-p passes This argument allows you to specify the number of passes to use (-P 3 for 3 passes)

nt

• ntt-q Silent execution

nt

• ntt-s Subdirectory recursion

nt

• ntt-z Cleans free space

n

LoadOrder

ntDevice drivers in Windows are rather important when it comes to proper system operation, but when you start Windows, Microsoft doesn’t often show off the order in which these additional devices are added and installed.  LoadOrder helps to present the order in which items were loaded by Windows.  As an added bonus, services are included here too.

Handle

ntThis utility allows you to see the handles that are open on your system and will, with arguments allow you to close (albeit forcibly) handles to running applications. 

n

ntThe usage and arguments for Handle are:

n

nt
• ntt-a Dumps all information

nt

• ntt-c Closes handles specified u2013 can cause system instability

nt

• ntt-l Shows only profile section handles

nt

• ntt-y Do not prompt for handle close

nt

• ntt-s Display a count of each handle type that is open

nt

• ntt-u Display the user who owns each handle

nt

• ntt-p Dump the handles belonging to a specified process

nt

• nttName Search for handles related to the supplied object name

n

LogonSessions

ntLogging on to Windows just isn’t what it used to be, depending on the version you are accessing of course. LogonSessions will display all of the sessions currently logged on to a given system, because like potato chips, these days, having just one is highly unlikely.  The only argument available for LogonSessions is u2013p which shows the processes available for each logon session.  Oh, and when run on my laptop for testing for this post, there were eight sessions running.

PSInfo

ntPSInfo falls in the PS tools suite of products, but I thought it particularly interesting because of the amount of information it returns. The idea here is to allow a logged on user to gain system information from their system or a remote system with little effort. Specifying the \\computername option will point PSInfo at a remote system. Another way to run PSInfo is to point it at a file containing a list of remote systems, this will return the info for each remote system listed.

n

ntWhen run with no arguments, the utility returns basic system information about your local machine. The arguments I found most interesting were u2013h for installed hotfixes and u2013s for installed software.

RootkitRevealer

ntWhen looking at this utility, it seemed to be a no brainer to include it here, but it seems to work only on 32 bit systems prior to Win 7. It also runs as a random service when executed (for the duration of execution) to reduce the possibility of being hijacked by a rootkit. I am hoping that the team behind Sysinternals releases a Win 7 ready version of this tool very soon.

n

ntThe utility can be started from the command line or a double-click and detects places where Rootkits might be hiding on your system. Is it perfect, no, but it does do a pretty thorough job.

n

ntThe screenshot was taken on a 32bit Windows XP VM with very little more than Windows updates applied.

RegJump

ntThis utility is a convenient command line way to get into the registry where you need to be rather than chasing down the hive that is needed. This will allow you to start out right at HKey-Current-User or elsewhere in the registry with minimal typing. The feature of this utility that really stands out is the fact that it supports abbreviations and standard notation for registry hives, so both HKEY-CURRENT-USER and HKCU will work with the RegJump command line entry.

n

ntThese utilities provided a great amount of information with rather minimal effort. Because Sysinternals utilities are free to download, there is no reason not to check them out. They do make a great addition to any Windows admin’s toolkit. It is important to note that some of the utilities included here, but not all, require Administrator access. In many cases, when using these tools I will run them with an elevated command prompt for ease of use.