What are SysInternals?
Santano Dessin
University of Central Florida

If there were one set of troubleshooting tools that I would suggest you add to your USB thumb drive recovery tool kit, it would be several of the Sysinternals freeware utilities from the Microsoft website. Windows Sysinternals is a suite of over 70 freeware utilities, originally created by Mark Russinovich and Bryce Cogswell, that is used to observe, examine, operate and troubleshoot the Windows operating system. Microsoft now owns the suite and presents it on its TechNet site. These tools are executable files and do not require installation to run. Administrators can retrieve the utilities from the TechNet website either as a single suite download or individually, or run them right from the Sysinternals Live service.
A little bit of history on these helpful tools: they come from two computer science Windows internals geniuses, Mark Russinovich and Bryce Cogswell. Their company, Winternals Software, became Sysinternals and was ultimately purchased by Microsoft. Microsoft TechNet now hosts these freeware tools, which can be used for IT administration, system recovery, system maintenance and so on. They are fantastic, powerful tools, and I will discuss only a small handful of them.
One tool they sold, ERD Commander 2005, was a full-fledged Windows-type environment based on the Windows Preinstallation Environment. Windows PE enabled you to reset administrator passwords and get network support; you could do everything from outside a broken system by booting off the ERD Commander CD and performing that surgery. Microsoft has since rebranded ERD Commander: it is now called the Diagnostics and Recovery Toolset (DaRT), and it is part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance. If you are a Software Assurance customer or, alternatively, a customer of Windows Intune, then you qualify for MDOP.
So, suppose I don’t have my own personal recovery thumb drive available and I’m helping someone out. Maybe their computer is just slow beyond belief, or maybe the user suspects their system has been infected with malware. I can hit live.sysinternals.com to get one-click direct download access to the suite of Sysinternals utilities. The “About This Site” text file gives a brief discussion of the site and a link to the public home page at technet.microsoft.com.
The first tool is “Process Explorer”, which is already well known by itself. It’s basically like the Task Manager on steroids. It will not only show you what programs are running, but also the sub-processes they are using and a million other details I honestly don’t know enough about to explain. One cool feature is the ability to check any process using a website called VirusTotal, which is owned by Google and will run the file through a whole bunch of antiviruses. So, if you see a certain process that looks suspicious, you can scan it to be sure. You can also search for “handles”, meaning what files are being used by programs. So, if you are trying to move a file and can’t because it’s in use, you can search for it and see what’s using it. You even have the option to replace the regular Task Manager with Process Explorer if you want.
Next, we have the “Process Monitor”, which, based on the name, you might think is like the tool I just described. But not really. Process Monitor, as the name suggests, monitors what all the running processes on your computer are doing and will output literally everything into a log, depending on what filters you set. If you ever wondered what your computer does even when it’s just sitting idle, you’re in for a surprise, because you will literally see hundreds of thousands of operations going on in a matter of seconds. These might be programs calling registry keys, writing to files, reading files or making network requests. Pretty much everything going on in your computer will be listed right here. It’s a ton of data, so it’s probably better to filter for specific programs and operations. But if you’ve ever had a program behaving strangely or crashing, Process Monitor could be a good place to start looking for why.
The third tool is “Autoruns”, which is a simple and powerful program that lists everything that starts up with your computer. Windows does have a feature like this built in, but it doesn’t always show everything that gets loaded. Autoruns will not only show you what programs start up on boot, but also services, what registry keys are being called, scheduled tasks, drivers being loaded, and even what media codecs get loaded. You’re not going to see any of that in the Task Manager or the msconfig window. This is extremely useful, especially if you notice something starting up with Windows but you don’t know how or why; you may find it here, so you can figure it out. In the options you’ll again be able to have it scan everything with VirusTotal.
The fourth tool is “TCPView”, which is all about network activity. To put it simply, it will show you every network connection coming in and out of your computer, which program is using it, what port it’s on and more. This can be useful in a lot of situations; perhaps there’s something using up a ton of bandwidth and you don’t know what it is or why. You could start out with the built-in Resource Monitor in Windows, which will tell you what program is using the bandwidth, but you probably want to know what it’s connected to. That’s where TCPView comes in, and here’s another cool feature. When you find the process you are looking for, it will tell you the remote IP address. But that doesn’t really help much on its own; if you right-click and hit “Whois”, it will run a whois search and give you information about the IP address and, hopefully, what website or service it is. You can even close the connection yourself. However, just watch out in case it starts back up again. Nonetheless, there are a lot of uses for this if you know what you are doing.
The fifth tool is called “ZoomIt”. This one is great for presentations and simply lets you zoom in and out of the screen easily. All you do is press Ctrl+1 and it zooms in, and you can move around, which is great if you need to show something small. If you want to draw on the screen, to circle something maybe, you can press Ctrl+2 to do that, and Escape to cancel. It’s a neat little program you can use in the future.
The sixth and last most important tool I would recommend is called “NotMyFault”, and, well, it crashes your computer. Yes, on purpose. So, besides pranking your friends, you might be wondering what the heck this could possibly be used for. Well, it might be useful if you want to learn about different types of crashes, and there are several crashes to choose from. Maybe you want to use it as an example, or even cause a blue screen so you can get a dump file.
In closing, these are just my top six personal picks, and what was formerly known as ERD Commander was a bonus I believed was worth mentioning. But keep in mind there are many more utilities available in Sysinternals, some of which I’m unfamiliar with but would love to know more about, and can through research, patience and time.
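
The Autoruns review described above can be scripted with the suite's command-line counterpart, autorunsc, which writes the same entries as CSV. The following is an added example, not part of the original essay: it triages such output for unverified signatures and user-writable image paths. The sample rows are constructed, and the column names and values are assumptions to check against your autorunsc version.

```python
import csv
import io

# Constructed sample shaped like `autorunsc -a * -c -s` CSV output, trimmed to
# the columns used here. Column names and values are assumptions; check them
# against the header your autorunsc version writes (its files are UTF-16).
SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Category,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,,c:\users\alice\appdata\roaming\updater\upd.exe
Task Scheduler,\ExampleSync,enabled,Tasks,(Verified) Example Software Ltd,c:\users\public\sync.exe
HKLM\System\CurrentControlSet\Services,exampledrv,enabled,Drivers,(Not verified) Example Corp,c:\windows\system32\drivers\exampledrv.sys
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,(Not verified) Example Corp,c:\tools\oldtool.exe
'''

# Directories any standard user can write to; autostart images here deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def triage(csv_text):
    """Return (entry, category, reasons) for enabled entries worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Enabled"].strip().lower() != "enabled":
            continue  # disabled entries do not run at startup
        reasons = []
        # With signature checking on, Signer starts with "(Verified)" when valid.
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("signature not verified")
        path = row["Image Path"].lower()
        if any(part in path for part in USER_WRITABLE):
            reasons.append("image in user-writable directory")
        if reasons:
            findings.append((row["Entry"], row["Category"], reasons))
    return findings


if __name__ == "__main__":
    for entry, category, reasons in triage(SAMPLE_CSV):
        print(f"{category:8} {entry:14} {'; '.join(reasons)}")
```

A flagged entry is a starting point for review, not a verdict: plenty of legitimate software runs unsigned or from a user profile.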