Inside Windows Internals: Thanks to Sysinternals

Sysinternals has long been renowned as one of the best sources for Windows tools and utilities. You can still see it at work under the Microsoft umbrella by typing www.microsoft.com/sysinternals into your favorite browser.

Let me explain the apparently redundant gobbledygook that makes up the title for this story. Inside Windows and Windows Internals make up the chief portions of some titles that represent 4 editions of the same book. Individually, and in the aggregate, these tomes offer the best inside look at Windows at work around. Just for the record, the book was entitled Inside Microsoft Windows NT for its first two editions, then became Inside Microsoft Windows 2000, 3e, and is now called Microsoft Windows Internals, 4e, with a 5e underway for November 2008 delivery (4e covers Server 2003 and XP, while 5e adds Server 2008 and Vista). The big-gun author who joined this book for the third and all subsequent editions is named Mark Russinovich, who is also one of the world’s leading experts on Windows internals, and who co-founded a company called Sysinternals in 1996 that was acquired by Microsoft in 2006. It takes no leap of faith to understand that Microsoft really bought Russinovich when they bought that company, and his name and work is splattered all over the Microsoft Web site. Hopefully, this makes the story’s title as clear as it gets!

Sysinternals has long been renowned as one of the best sources for Windows tools and utilities. You can still find its ongoing efforts under the Microsoft umbrella by typing this URL into your favorite Web browser: www.microsoft.com/sysinternals. Though the page is now entitled “Windows Sysinternals” and bears the four-color Windows flag icon as well, it’s clear that Russinovich remains actively engaged in building cool Windows tools, and in maintaining the excellent stable of tools that makes Sysinternals such a name to conjure with among Windows cognoscenti.

If you visit this page, you’ll find a veritable cornucopia of Windows power tools organized into these buckets:

  • File and Disk Utilities: AccessChk, AccessEnum, CacheSet, Congitg, DiskExt, DiskMon, DiskView, Disk Usage (DU), EFSDump, FileMon, Junction, LDMDump, MoveFile, NTFSInfo, PageDefrag, PendMoves, Process Monitor, PSFile, PSTools, SDelete, ShareEnum, Sigcheck, Streams, Sync, VolumeID.
  • Networking Utilities: AD Explorer, AD Insight, AdRestore, PsFile, PsTools, ShareEnum, TCPView, Whois.
  • Process Utilities: Autorns, FileMon, ListDLLs, PortMon, Process Explorer, Process Monitor, PsExec, PSGetSid, PsKill, PsList, PsService, PsSuspend, PsTools, RegMon, ShellRunas.
  • Security Utilities: AccessChk, AccessEnum, Autologon, LogonSessions, NewSID, Process Explorer, PsExec, PsLoggedOn, PSLogList, PsTools, RootkitRevealer, SDelete, ShareEnum, ShellRunas, Sigcheck.
  • System Information: Autoruns, ClockRes, Filemon, Handle, LiveKd, LoadOrder, LogonSessions, PendMoves, Process Explorer, Process Monitor,  Proc Features, PsInfo, PsLoggedOn, PsTools, RegMon, WinObj.
  • Miscellaneous Utilities: AD (Active Directory) Explorer, AdRestore, Autologon, BgInfo, BlueScreen, Ctrl2Cap, DebugView, Hex2dec, PsLogList, PsTools, RegDelNull, RegJump, Strings, ZoomIt.

Astute inspectors of the preceding lists will recognize that there’s some overlap among them. That’s because tools mentioned more than once have applications or uses relevant to multiple categories. There’s no need for anybody to inflate the value or significance of these tools by double (or multiple) counting them, so this is no mere marketing ploy at work (besides, all these tools are FREE). Their uses will become apparent, and in some cases indispensable, to those who take the time to get to know them.

These Sysinternals utilities used to come only in ZIP archives that you downloaded and unpacked on your hard disk and then executed as you needed them. While this observation remains true, you can also visit a live Website and execute any of these utilities from inside a Web browser or in a command window (the former works for standalone Windows applications such as personal favorite TCPView, the latter is required for command line utilities such as ntfsinfo.exe).

Here’s how to make this work for a command line utility, taking the aforementioned ntfsinfo.exe as the case in point:

  1. Open a command window (type cmd into the start menu search box)
  2. Type \\live.sysinternals.com\tools\<cmd> <cmd arguments> as shown in the following screen shot, where that turns into \\live.sysinternals.com\tools\ntfsinfo.exe c(where C is the drive letter for which we want to see NTFS file system information)Sysinternals command line utility
  3. For runtime programs, such as TCP View, simply double-click the filename in the live.sysinternals.com directory listing, as shown in the next screenshot.Calling a runtime program
  4. This will provoke a File Download Security warning window, where you should click the Run button,  followed by a “Do you want to run this software?” window, where you should click Run again. After that, the application pops up as shown in the next screenshot. It’s that easy!TCPView

Of course, you have to know how to use the command line utilities, and how to interpret the results of the GUI programs. What you see in the preceding screenshot is a list of process names with TCP or UDP ports open, along with associated address and state information. The blue line indicates the open TCP session we’re using to run TCPview remotely from the Sysinternals Live server (a green line indicates new TCP or UDP ports being opened; a red one indicates TCP or UDP ports being closed; and yellow indicates a port that has changed status since the last update, which occurs every second by default).

But I think Windows heads, power users, and admins will find the goodies at Sysinternals pay handsome dividends on time spent learning what’s what, and how to use the utilities of interest. Try them, and I’m pretty sure you’ll like them all, and end up using quite a few regularly.

facebookgoogle_pluslinkedin
facebookgoogle_pluslinkedin
This entry was posted in ViztaView.com Archive and tagged , by Ed Tittel. Bookmark the permalink.

About Ed Tittel

Full-time freelance writer, researcher and occasional expert witness, I specialize in Windows operating systems, information security, markup languages, and Web development tools and environments. I blog for numerous Websites, still write (or revise) the occasional book, and write lots of articles, white papers, tech briefs, and so forth.

Comments

Inside Windows Internals: Thanks to Sysinternals — 2 Comments

    • Dear Bobby:
      You can either grab the current version Windows Internals 6, Vols 1 & 2, or you can wait until mid to late 2016, when the Windows Internals 7 volumes should become available. Personally, I think these books are good and valuable enough to make it worth buying the current edition right now (about $53 for paper, $35 ebooks, at Amazon) and then also buying the next edition as well, as soon as it becomes available.
      HTH, and thanks for your comment,
      –Ed–

Leave a Reply

Your email address will not be published. Required fields are marked *