Sysinternals started in 1996 as a website created by Bryce Cogswell and Mark Russinovich's company, Winternals Software LP. It hosted a large collection of Windows utilities that let a systems administrator analyse and diagnose Windows system issues. Microsoft acquired the company in 2006, and the Sysinternals tools have been continually updated and remain a free download. Sysinternals provides applications for examining system processes, viewing networking internals and accessing detailed file-system information, as well as presentation tools. Most consider it a mandatory tool belt for Windows systems administrators.
There are two easy ways to install Sysinternals: download the suite from Microsoft's Sysinternals Utility Index, or, if you already have Chocolatey installed, just use the choco command.
choco install sysinternals
Here are the most useful programs in the suite.
Autoruns gives you a detailed look at every location Windows uses to start a program at boot or logon. You can disable, delete or look up the entries on VirusTotal.
BGInfo is a simple program that stamps system information onto your desktop wallpaper. It is useful when administering a large network of Windows servers or workstations and you want all the important details of the machine you are on at a glance.
Sometimes you need a copy of the disk of the computer you are working on for additional troubleshooting off site. Disk2vhd can capture each drive on the machine into a virtual hard disk (VHD) image.
NotMyFault: normally you don't want to crash your own system, but if you are testing during development and need specific crash logs, NotMyFault can crash Windows with 8 different types of events that take your system down immediately.
Process Explorer is one of the most popular tools in the Sysinternals suite: it is the Windows Task Manager on steroids. One of its most useful features is that it still shows processes that have just exited, which helps when looking for malware that tries to hide by running only briefly. It lets you dig into detailed information on each process and even check a process against VirusTotal if it looks suspicious after analysis.
Another popular tool in the suite is Process Monitor. It shows, in real time, the operations being performed on the file system, the registry, and specific processes or threads. This is useful when analysing what a potentially malicious executable is actually doing on the system.
There are many tools for securely deleting a file on a computer. SDelete, one of the suite's command-line tools, lets you securely delete sensitive files without installing anything else.
SigCheck is another useful command-line tool. Not only can you check file hashes to confirm files haven't been tampered with, you can also submit a file to VirusTotal and get its report to confirm it is safe.
TCPView shows every network connection on the system and which process owns it. If you are unsure where a program is trying to reach out to on the internet, it can be very useful in diagnosing potential malware.
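The three tools above (Autoruns, SigCheck and TCPView) also ship as console versions, which makes it possible to take a scripted triage snapshot of a machine instead of clicking through each GUI. The PowerShell script below is an added example, not code from the original post or from Sysinternals: it runs autorunsc, sigcheck and tcpvcon, saves their CSV output, and then flags the autostart entries, unsigned executables and external connections an analyst would look at first. It assumes the suite is on PATH (for instance after choco install sysinternals), that accepting the VirusTotal terms with -vt is acceptable in your environment, and that the CSV column names match the version of the tools you have installed (check the header row of each output file if a filter comes back empty); the output folder and the directory scanned by sigcheck are arbitrary choices.

```powershell
# Added example: scripted triage snapshot with the Sysinternals console tools.
# Assumptions: autorunsc.exe, sigcheck.exe and tcpvcon.exe are on PATH;
# column names below follow the tools' CSV output and may need adjusting.
$ErrorActionPreference = 'Stop'
$Out = Join-Path $env:TEMP ('sysint-triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Run a console tool and capture its raw stdout to a file. The tools write
# Unicode text; redirecting through Start-Process keeps the bytes intact so
# Get-Content can detect the BOM (PowerShell's own '>' may re-encode it).
function Invoke-Capture {
    param([string]$Exe, [string[]]$ToolArgs, [string]$File)
    Start-Process -FilePath $Exe -ArgumentList $ToolArgs -Wait -NoNewWindow `
        -RedirectStandardOutput $File
    Get-Content -Path $File
}

# 1. Autoruns: every autostart category (-a *), CSV (-c), hashes (-h),
#    signature verification (-s), hide Microsoft-signed entries (-m),
#    VirusTotal lookup (-v, terms accepted with -vt).
$autoruns = Invoke-Capture 'autorunsc.exe' `
    @('-accepteula', '-nobanner', '-a', '*', '-c', '-h', '-s', '-m', '-v', '-vt') `
    "$Out\autoruns.csv" | ConvertFrom-Csv

# 2. Sigcheck over a directory that user-installed software often lands in:
#    executables only (-e), recursive (-s), hashes (-h), CSV (-c), VirusTotal
#    (-v -vt) and -u so only unsigned or VirusTotal-unknown/detected files
#    are listed. If nothing matches, sigcheck prints a message rather than a
#    CSV header, so only parse lines that look like CSV.
$sigLines = Invoke-Capture 'sigcheck.exe' `
    @('-accepteula', '-nobanner', '-e', '-s', '-h', '-c', '-u', '-v', '-vt', $env:ProgramData) `
    "$Out\sigcheck.csv"
$sigcheck = @($sigLines | Where-Object { $_ -match ',' } | ConvertFrom-Csv)

# 3. TCPView console: all endpoints including listeners (-a), CSV (-c), no
#    name resolution (-n). The header names are an assumption; rows are
#    "protocol,process,pid,state,local,remote", so only those lines are kept.
$netLines = Invoke-Capture 'tcpvcon.exe' @('-accepteula', '-a', '-c', '-n') "$Out\tcpvcon.csv"
$net = @($netLines | Where-Object { $_ -match '^(TCP|UDP)' } |
    ConvertFrom-Csv -Header Proto, Process, PID, State, Local, Remote)

# Autostart entries whose image is not signed by a verified publisher, or
# whose VirusTotal result is not a clean "0|n" / "0/n" (detections or unknown).
$suspectAutoruns = @($autoruns | Where-Object {
    $_.Signer -notmatch '^\(Verified\)' -or
    ($_.'VT detection' -and $_.'VT detection' -notmatch '^0[|/]')
})

# Established TCP connections to addresses outside private/loopback/link-local
# ranges; the port is stripped before the check. Constructed regex, IPv4-first.
function Test-PrivateAddress([string]$Ip) {
    return ($Ip -match '^(\[?::1|\*|0\.0\.0\.0|10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|\[?fe80)')
}
$external = @($net | Where-Object {
    $_.State -eq 'ESTABLISHED' -and -not (Test-PrivateAddress ($_.Remote -replace ':\d+$', ''))
})

# Summarise and keep the flagged items next to the raw captures for review.
"Autostart entries needing review: $($suspectAutoruns.Count)"
"Unsigned/unknown executables under $($env:ProgramData): $($sigcheck.Count)"
"Established connections to external addresses: $($external.Count)"
$suspectAutoruns | Select-Object 'Entry Location', Entry, Signer, 'Image Path', 'VT detection' |
    Export-Csv -NoTypeInformation -Path "$Out\flag-autoruns.csv"
$sigcheck | Select-Object Path, Verified, Publisher, SHA256, 'VT detection' |
    Export-Csv -NoTypeInformation -Path "$Out\flag-sigcheck.csv"
$external | Select-Object Proto, Process, PID, Local, Remote |
    Export-Csv -NoTypeInformation -Path "$Out\flag-network.csv"
"Raw captures and flag lists written to $Out"
```

Run it from an elevated PowerShell so autorunsc can read every autostart location and tcpvcon can attribute every endpoint to its owning process. The flag lists are a starting point, not a verdict: a "(Not verified)" signer or a VirusTotal "Unknown" is common for in-house or freshly built software, so compare each hit against the path, publisher and hash in the raw CSV before acting on it.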