Windows Sysinternals: advanced system utilities and technical information (opens in new tab)

(docs.microsoft.com)

64 pointsvsto4y ago25 comments

25 comments

23 comments · 9 top-level

desktopninja4y ago· 6 in thread

Since yesteryears, my core tool set of choice has been:

  - sysinternals

  - nirsoft

  - UnxUtils

  - powershell

  - powertoys

RE: powershell ... yup Russinovic gave us that too :)

vstoOP4y ago

Is there an alternative to Everything [1](file search with immediate results) and Ditto [2](clipboard manager) among those you've listed ? I can't live without them on Windows to be honest.

[1] http://www.voidtools.com/support/everything/ [2] https://github.com/sabrogden/Ditto/wiki

indianmouse4y ago

I use clipdiary instead of Ditto and share the Db across using a filesync for a eternal and shared clipboard history.

The main site is http://softvoile.com/

Clipdiary is https://clipdiary.com

Though my db syncing doesn't always work like a charm, it still gets the job done. Use the freeware version which should be super sufficient for most of the users.

Checkout other tools which are good such as Flashnote.

thefz4y ago

> Is there an alternative to Everything

I use AstroGrep but it scans the drive, rather than indexing it (find vs. locate)

mdpm4y ago

Listary is a good ui for full text search, and integrates with the default file dialogs nicely too.

desktopninja4y ago

Dammit, I forgot about VoidTools. Ditto looks interesting.

chokolad4y ago

> RE: powershell ... yup Russinovic gave us that too :)

Nope, that was Jeffrey Snover.

endymi0n4y ago· 3 in thread

I‘m on Mac and Linux since 10 years now, but Sysinternals is the one thing that kept me on Windows for the 10 years before as a hacker. It was the first thing that landed on any new machine and let me learn and debug so many things about my computer.

Microsoft did the right thing to assimilate them, the guy behind was top notch and I remember them fondly.

Don‘t know how they evolved the last decade though.

xtracto4y ago

Ditto here. And Russinovic was the one who revealed the infamous sony rootkit using these tools IIRC. Great memories of my time when I used Windows.

hulitu4y ago

So that's why RootkitRevealer does not work with newer versions of Windows.

1 more reply

vstoOP4y ago

True that. The guy was top notch indeed and is now CTO of Azure.

joshxyz4y ago· 2 in thread

Ah, good old days of using these to disable auto-run programs (with some of them viruses) on Windows XP and 7.

And procexp! It's just the better task manager.

T3OU-7364y ago

ProcessHacker (https://processhacker.sourceforge.io/) is also a worthy competitor to the Process Explorer.

krylon4y ago

I second that, because ProcessHacker was the only tool I found to let me set the I/O priority of a process.

1 more reply

krylon4y ago· 1 in thread

When I worked as a Windows admin, the SysInternals tools were usually among the first things I installed on a new server or workstation.

Personally, I do not understand why Microsoft does not include them by default on Windows, they are just so useful.

vstoOP4y ago

My guess is that they're not included due to internal politics. They were developed by Russinovich before he joined of Microsoft. I believe he mentioned in an interview that he used some undocumented windows APIs and that some Microsoft engineers were not happy about that.

BTW another great diagnostics tools for Windows that I've come across is the Windows Performance Analyzer. One needed to install it separately before, not sure about that nowadays.

zenlot4y ago· 1 in thread

Is there any recent book worth a read, which covers Windows internals for latest versions?

eeeficus4y ago

Yes. Windows Internals 7th edition https://www.amazon.com/Windows-Internals-Part-Developer-Refe...

alpenbazi4y ago· 1 in thread

dont forget to exclude your sysinternals/nirsoft-tools-dir from av

technion4y ago

On the contrary: adding psexec.exe to our EDR's blocklist has had tangible positive impacts.

Legitimate remote execution in 2021 can be achieved using a range of supported options, and when I see this alert trigger in a monitored environment there's nearly always something malicious going on. The catch of course, is that you explain this to everyone and get them on board, as opposed to just doing it.

vstoOP4y ago

The creator of these tools used to give those really cool "The case of the unexplained" presentations where he used the tools to diagnose and fix real-life Windows problems.

https://docs.microsoft.com/en-us/sysinternals/resources/webc...

altano4y ago

Use https://live.sysinternals.com to quickly grab one of these tools with no fuss

Process Monitor (ProcMon) is one of the best diagnostic tools on the planet. I’ve used it to find why my machine booted slowly (encrypted font?!), what sort of network activity is holding up an app, why my USB device was sucking at wake-from-sleep, etc.

Process Explorer (ProcExp) is amazing at inspecting processes, eg to see their environment variables, see what process integrity levels look like, find out what process has what path open (eg since Windows won’t let you delete open files), etc. It’s a good complement to Task Manager.

TCPView is great for some weird cases. I used it once to find a bad web server as I could see my http requests were failing when the load balancer sent me to a specific IP. This impressed my web developer friends who weren’t used to seeing really accessible but low level diagnostic tools.

All the memory tools are great too.

secfirstmd4y ago

A proper Sysinternals equivalent set of tools is sorely missed on macOS. Trying to do DFIR on them mostly sucks compared to whats available on Windows. (Open to hearing anyone who has particular favorites or recommendations)

j / k navigate · click thread line to collapse

25 comments

23 comments · 9 top-level

desktopninja4y ago· 6 in thread

Since yesteryears, my core tool set of choice has been:

  - sysinternals

  - nirsoft

  - UnxUtils

  - powershell

  - powertoys

RE: powershell ... yup Russinovic gave us that too :)

vstoOP4y ago

Is there an alternative to Everything [1](file search with immediate results) and Ditto [2](clipboard manager) among those you've listed ? I can't live without them on Windows to be honest.

[1] http://www.voidtools.com/support/everything/ [2] https://github.com/sabrogden/Ditto/wiki

indianmouse4y ago

I use clipdiary instead of Ditto and share the Db across using a filesync for a eternal and shared clipboard history.

The main site is http://softvoile.com/

Clipdiary is https://clipdiary.com

Though my db syncing doesn't always work like a charm, it still gets the job done. Use the freeware version which should be super sufficient for most of the users.

Checkout other tools which are good such as Flashnote.

thefz4y ago

> Is there an alternative to Everything

I use AstroGrep but it scans the drive, rather than indexing it (find vs. locate)

mdpm4y ago

Listary is a good ui for full text search, and integrates with the default file dialogs nicely too.

desktopninja4y ago

Dammit, I forgot about VoidTools. Ditto looks interesting.

chokolad4y ago

> RE: powershell ... yup Russinovic gave us that too :)

Nope, that was Jeffrey Snover.

endymi0n4y ago· 3 in thread

Microsoft did the right thing to assimilate them, the guy behind was top notch and I remember them fondly.

Don‘t know how they evolved the last decade though.

xtracto4y ago

Ditto here. And Russinovic was the one who revealed the infamous sony rootkit using these tools IIRC. Great memories of my time when I used Windows.

hulitu4y ago

So that's why RootkitRevealer does not work with newer versions of Windows.

1 more reply

vstoOP4y ago

True that. The guy was top notch indeed and is now CTO of Azure.

joshxyz4y ago· 2 in thread

Ah, good old days of using these to disable auto-run programs (with some of them viruses) on Windows XP and 7.

And procexp! It's just the better task manager.

T3OU-7364y ago

ProcessHacker (https://processhacker.sourceforge.io/) is also a worthy competitor to the Process Explorer.

krylon4y ago

I second that, because ProcessHacker was the only tool I found to let me set the I/O priority of a process.

1 more reply

krylon4y ago· 1 in thread

When I worked as a Windows admin, the SysInternals tools were usually among the first things I installed on a new server or workstation.

Personally, I do not understand why Microsoft does not include them by default on Windows, they are just so useful.

vstoOP4y ago

BTW another great diagnostics tools for Windows that I've come across is the Windows Performance Analyzer. One needed to install it separately before, not sure about that nowadays.

zenlot4y ago· 1 in thread

Is there any recent book worth a read, which covers Windows internals for latest versions?

eeeficus4y ago

Yes. Windows Internals 7th edition https://www.amazon.com/Windows-Internals-Part-Developer-Refe...

alpenbazi4y ago· 1 in thread

dont forget to exclude your sysinternals/nirsoft-tools-dir from av

technion4y ago

On the contrary: adding psexec.exe to our EDR's blocklist has had tangible positive impacts.

vstoOP4y ago

The creator of these tools used to give those really cool "The case of the unexplained" presentations where he used the tools to diagnose and fix real-life Windows problems.

https://docs.microsoft.com/en-us/sysinternals/resources/webc...

altano4y ago

Use https://live.sysinternals.com to quickly grab one of these tools with no fuss

All the memory tools are great too.

secfirstmd4y ago

j / k navigate · click thread line to collapse