Sysinternals is a collection of advanced system utilities and technical information hosted on the Sysinternals website, which was created in 1996 by Mark Russinovich. It aims to help you manage, troubleshoot, and diagnose your Windows systems and applications. You can use these powerful tools to optimize any Windows system's reliability, efficiency, performance, and security.
The Sysinternals Suite bundles 70+ system diagnostics, troubleshooting, and management tools. It is freeware, lightweight, and xcopy-deployed as single-image executables, with builds for x86, x64, ARM64, and Nano Server. Each tool is a single file and intuitive to use: you can download one tool, run it on a system, and it will detect the platform dynamically. When a utility exits, it cleans up after itself.
You can also access the tools without downloading them manually through Sysinternals Live. It is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool’s Sysinternals Live path into Windows Explorer as live.sysinternals.com/<toolname> or command prompt as \\live.sysinternals.com\tools\<toolname> to access the tool.
Sysinternals has an official book, Troubleshooting with the Windows Sysinternals Tools, that covers all the tools in detail and explains how to use them to troubleshoot Windows and advance your systems management skills. It can be purchased from online retailers such as the Microsoft Press Store, Amazon, Barnes & Noble, and independent booksellers.
The Sysinternals utilities are divided into the following categories:
- File and Disk Utilities inspect file usage and disk status. The popular tool in this category is Process Monitor, which monitors file system, Registry, process, thread, and DLL activity in real time.
- Process Utilities monitor and troubleshoot running applications. The popular tool is Process Explorer, which shows which files, registry keys, and other objects processes have open, which DLLs they have loaded, and more.
- Networking Utilities monitor connections between desktop and server systems. A common tool in this category is AD Explorer, an advanced Active Directory (AD) viewer and editor.
- Security Utilities are security-focused tools. The popular tool in this category is AccessChk, which shows the access a user or group you specify has to files, Registry keys, or Windows services.
- System Information Utilities display general system information. An example is Autoruns, which shows what programs are configured to start automatically when your system boots and you log in.
- Miscellaneous Utilities hold tools that do not fit any other category. A common one is BgInfo, which generates desktop backgrounds showing important information about the system, including IP addresses, computer name, network adapters, and more.
This guide shows you how to install and use Sysinternals utilities on Windows 11 / Windows 10.
Install Sysinternals utilities on Windows 11 / Windows 10
After downloading the Sysinternals Suite, extract the Zip file to get the full list of tools included in the suite.
Note that the suite contains both 64-bit and 32-bit builds of the tools. The 64-bit build has the suffix 64 at the end of its name; run that one if your system is 64-bit. The 32-bit build still works on a 64-bit system.
You can rename the folder to a simpler name like Tools then move it to the C: disk root directory for easier access, especially for tools that use the command line.
Popular tools in Sysinternals Suite
We will have a look at the common tools in the Sysinternals suite.
1. Process Explorer
Process Explorer shows which handles and Dynamic-link Libraries (DLLs) each process has opened or loaded, along with CPU and memory activity. It is an alternative to Task Manager. It also has a powerful search capability that shows which processes have a particular handle open or DLL loaded. To run the tool, find procexp (or procexp64 on a 64-bit system) in the list of tools and double-click it.
Accept the License Agreement.
The Process Explorer tool opens as shown below.
The options for a process are listed below.
You can add more columns to get additional information about these processes. Right-click any column header and click Select Columns…
Then from the available columns, mark their corresponding checkboxes to add the column, then click save.
To get more information about handles and DLLs that are loaded into the process, go to View>>Show Lower Pane.
To search for a specific handle or DLL, Go to Find>>Find Handle or DLL…
2. Autoruns
Autoruns shows you what programs are configured to run during system boot or login. It also shows the extensions that load when you start various built-in Windows applications such as Internet Explorer, Explorer, and media players.
To launch Autoruns, run Autoruns from the suite list. Accept the License Agreement if this is the first time you are running the tool. It opens as shown below and groups the entries into categories.
To view an entry's properties, right-click the executable and select Properties. You can also search online for an entry you are not sure about.
You can also check an entry for malicious content. For example, if I want to check the AnyDesk application for any virus, I right-click on the entry and select Check VirusTotal. Then, under the VirusTotal column at the end of the entry, click on the number, similar to the one below.
It will then open in your browser. If you check the Summary tab, you should see something similar to mine below.
To disable an auto-start entry, uncheck its checkbox.
3. Process Monitor
Process Monitor is a monitoring tool that captures real-time file system, registry, and process/thread activity. It has non-destructive filters that allow you to set filters without losing data. Process Monitor is excellent for troubleshooting and dynamic malware analysis.
To launch Process Monitor, run procmon from the suite list. If you are opening it for the first time, accept the License Agreement to continue. It opens as shown below.
Right-clicking on a process provides more options.
4. ProcDump
ProcDump is a command-line utility that monitors an application for CPU spikes and generates crash dumps during a spike, which a developer or administrator can then use to determine the cause of the spike. It supports .NET processes. It can set triggers, e.g. only capture a dump if CPU usage goes above a certain limit. ProcDump can also be installed as the post-mortem (just-in-time) debugger: it is registered on the system so that it captures a dump of any process that crashes.
To install ProcDump as the post-mortem debugger, open a command prompt, change to the directory where the tools are, and run the following command. The -i switch installs ProcDump and sets the folder where the dumps are stored.
cd Tools
procdump.exe -i C:\Users\Admin\Desktop\ProcDumps
Accept the License Agreement to continue with the installation. Sample output is shown below.
ProcDump v10.11 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Set to:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
    (REG_SZ) Auto     = 1
    (REG_SZ) Debugger = "C:\Tools\procdump.exe" -accepteula -j "C:\Users\Admin\Desktop\ProcDumps" %ld %ld %p

Set to:
  HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug
    (REG_SZ) Auto     = 1
    (REG_SZ) Debugger = "C:\Tools\procdump.exe" -accepteula -j "C:\Users\Admin\Desktop\ProcDumps" %ld %ld %p

ProcDump is now set as the Just-in-time (AeDebug) debugger.
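Because procdump -i registers itself as the system-wide AeDebug debugger, an administrator should be able to confirm what is registered there after the install. The following PowerShell is an added example, not from the page or from Sysinternals: it reads both AeDebug keys shown in the output above, extracts the debugger executable from the Debugger value, and checks that it sits at the expected path and carries a valid Authenticode signature. The expected path C:\Tools\procdump.exe follows this page's folder layout and is an assumption.

```powershell
# Added example (not from the page or from Sysinternals): report what is
# registered as the Windows just-in-time (AeDebug) debugger, which is the
# setting "procdump -i" changes above. Run from an elevated PowerShell.
# Assumption: C:\Tools\procdump.exe is the expected location, as on this page.
$ExpectedDebugger = 'C:\Tools\procdump.exe'

$AeDebugKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
)

function Get-AeDebugStatus {
  foreach ($Key in $AeDebugKeys) {
    $v = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $v -or -not $v.Debugger) {
      [pscustomobject]@{ Key = $Key; Auto = $null; Debugger = '(none)'; Expected = $false; Signature = 'n/a'; Signer = 'n/a' }
      continue
    }
    # The Debugger value is a quoted path followed by arguments, e.g.
    # "C:\Tools\procdump.exe" -accepteula -j "<dump folder>" %ld %ld %p
    $exe = if ($v.Debugger -match '^"([^"]+)"') { $Matches[1] } else { ($v.Debugger -split ' ')[0] }
    $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
    [pscustomobject]@{
      Key       = $Key
      Auto      = $v.Auto                        # 1 = attach without prompting
      Debugger  = $exe
      Expected  = ($exe -ieq $ExpectedDebugger)  # path matches where ProcDump was placed
      Signature = if ($sig) { $sig.Status } else { 'file missing' }
      Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
    }
  }
}

Get-AeDebugStatus | Format-List
```

A healthy result shows Expected = True and Signature = Valid with a Microsoft signer on both keys; anything else means the post-mortem debugger is not the ProcDump you installed.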
Write a mini dump of a process named ‘notepad++’:
$ procdump notepad++
[00:18:31] Dump 1 initiated: C:\Tools\notepad++.exe_220723_001831.dmp
[00:18:32] Dump 1 complete: 2 MB written in 1.5 seconds
[00:18:32] Dump count reached.
Write a full dump of a process with PID ‘1400’:
$ procdump -ma 1400
[00:17:18] Dump 1 initiated: C:\Tools\AnyDesk.exe_220723_001718.dmp
[00:17:20] Dump 1 writing: Estimated dump file size is 78 MB.
[00:17:26] Dump 1 complete: 78 MB written in 8.0 seconds
[00:17:27] Dump count reached.
More examples of writing dumps can be found in the ProcDump documentation.
5. Sysmon
System Monitor (Sysmon) is a Windows system service and device driver that logs detailed information about process creation, network connections, and changes to file creation time. Once installed, it remains resident across system reboots. Using the events Sysmon generates, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
To install Sysmon, run the following command and accept the License Agreement to continue with the installation.
\Tools> sysmon64 -i

System Monitor v13.34 - System activity monitor
By Mark Russinovich and Thomas Garnier
Copyright (C) 2014-2022 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Sysinternals - www.sysinternals.com

Sysmon64 installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon64..
Sysmon64 started.
To dump the current configuration:
\Tools> sysmon -c

Current configuration:
 - Service name:            Sysmon
 - Driver name:             SysmonDrv
 - Config file:             C:\Tools\sysmon64 -i
 - HashingAlgorithms:       SHA256
 - Network connection:      disabled
 - Archive Directory:       -
 - Image loading:           disabled
 - CRL checking:            enabled
 - DNS lookup:              enabled

No rules installed
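The configuration dump above shows that a bare sysmon64 -i leaves network-connection logging disabled and installs no rules, so the "understand how intruders operate on your network" part needs a configuration file. The following PowerShell is an added example, not from the page or from Sysinternals: it writes a minimal Sysmon configuration that keeps process-creation events, turns on network-connection events (excluding loopback traffic), applies it with sysmon64 -c, and then reads the resulting event ID 3 records back from the Sysmon event log. It assumes Sysmon lives in C:\Tools as on this page and that schemaversion 4.81 is accepted by the installed build (print the supported schema with sysmon64 -s and lower the number if needed).

```powershell
# Added example (not from the page or from Sysinternals): enable Sysmon
# network-connection events, which the default install above leaves disabled,
# then list the most recent ones. Run from an elevated PowerShell.
# Assumptions: Sysmon is in C:\Tools as on this page, and the schemaversion
# below is accepted by the installed Sysmon (check with "sysmon64 -s").
$SysmonExe  = 'C:\Tools\sysmon64.exe'
$ConfigPath = 'C:\Tools\sysmon-netconn.xml'

@'
<Sysmon schemaversion="4.81">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- onmatch="exclude" with no rules inside: log every event of this type -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <!-- log all network connections except loopback traffic -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationIp condition="is">127.0.0.1</DestinationIp>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $ConfigPath -Encoding ASCII

# -c replaces the running configuration without reinstalling the service
& $SysmonExe -accepteula -c $ConfigPath

# Event ID 3 = NetworkConnect. Pull the named fields out of each event's XML.
function Get-SysmonNetworkConnections {
  param([int]$MaxEvents = 20)
  Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3 } `
               -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
      $d = @{}
      foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      [pscustomobject]@{
        Time  = $_.TimeCreated
        Image = $d.Image
        User  = $d.User
        Dest  = '{0}:{1}/{2}' -f $d.DestinationIp, $d.DestinationPort, $d.Protocol
      }
    }
}

Get-SysmonNetworkConnections | Format-Table -AutoSize
```

After this runs, sysmon64 -c reports Network connection: enabled and lists the two rules, and each outbound connection appears as one row with the originating image, user, and destination.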
6. PsTools
PsTools is a suite of command-line tools that let you manage remote systems as well as local ones. All tools in the suite carry the prefix "Ps", adopted from the standard UNIX process-listing command-line tool "ps". They include PsList, PsExec, PsFile, PsKill, PsPing, PsInfo, PsGetSid, and others.
To use one of these tools, run the name of the tool at the Command Prompt. Accept the License Agreement and you are clear to use the tool. For example, to run PsList, type pslist at the Command Prompt.
Another example is PsInfo, which lists information about a system.
\Tools> psinfo

PsInfo v1.78 - Local and remote system information viewer
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\NJERI:
Uptime:                    0 days 1 hour 2 minutes 5 seconds
Kernel version:            Windows 10 Enterprise, Multiprocessor Free
Product type:              Professional
Product version:           6.3
Service pack:              0
Kernel build number:       19044
Registered organization:
Registered owner:          Admin
IE version:                9.0000
System root:               C:\WINDOWS
Processors:                4
Processor speed:           2.2 GHz
Processor type:            Intel(R) Core(TM) i5-3427U CPU @
Physical memory:           4906 MB
Video driver:              Intel(R) HD Graphics 4000
More PsTools utilities are described on the PsTools page.
This guide has shown you how to install and use Sysinternals utilities on Windows 11 / Windows 10. The Sysinternals suite is a set of tools that assist with system administration, management, monitoring, and other tasks in a Windows environment. Try them out!