IT admin's guide to the Sysinternals suite
A comprehensive collection of articles, videos and more, hand-picked by our editors
IT administrators who use Windows Sysinternals utilities can be more productive than their peers who haven't yet discovered them. One of the architects and developers of this tool suite has teamed up with a longtime public-sector Windows administrator and security expert to write the Windows Sysinternals Administrator's Reference.
The people behind Sysinternals -- a company that Microsoft acquired in 2006 -- were Mark Russinovich and Bryce Cogswell. Back in 1995, they started writing tools for Windows NT that exposed and manipulated systems internals, hence the name of the company and the tool set.
For over a decade, Sysinternals (and its for-profit sister company, Winternals) has offered utilities for making life easier for Windows systems admins. Today, Russinovich is a technical fellow at Microsoft and the principal author of Windows Internals, 5th Edition, a detailed look at the operating system's inner workings that covers up to Windows 7 and Windows Server 2008 R2. A new edition for Windows 8 is undoubtedly already in the works. The collaborator on his latest book venture is Aaron Margosis, a consultant and Windows expert.
Windows Sysinternals has grown from the original handful of tools introduced in 1995 to encompass a collection of more than 100 utilities to manage and analyze files and disks, networking, processes, security and more in the Windows environment. Sysinternals has its own subsite in Microsoft TechNet where IT professionals can obtain and use this powerful and free collection of software tools.
The Windows Sysinternals Administrator's Reference is more than just documentation and usage instructions -- the help files included with these tools are better sources for that kind of information. Instead, this book provides an organized tour through the common user interface that most of these tools share (except for command-line only items), along with a detailed usage guide for numerous tools, either by name or by category. This makes up Part II of the book, as shown in Figure 1.
The Usage Guide part of the book not only explains the tools but is also a master-level tutorial on how Windows works -- and how these tools can help users dig into and observe those workings. I've been using Process Explorer (procexp.exe) and Process Monitor (procmon.exe) for years, but I learned more about what they can do and how best to perform such tasks after an hour and a half spent with Chapters 3 and 4 open in front of a Windows machine than I'd learned in 10-plus years of fiddling with these programs on my own.
Digging into Windows Sysinternals tools
Chapter 3 discusses Process Explorer. It was extremely helpful to learn more about how process details -- tabs for performance, graphs, threads, TCP/IP, security, environment and more -- really worked and what they had to show. This immediately helped focus my Windows troubleshooting, particularly when specific applications or processes went bonkers, as they sometimes do.
Chapter 4, about Process Monitor, helped me dig into profiling events both deeply and effectively. I now know how processes work inside Windows, as well as how events and activities that touch the Windows registry, file system, networks, etc. truly operate. In turn, this helped me make better sense of procmon traces and understand the significance of their contents.
The same observations apply to the chapters on Autorun, a microscopic tool for examining everything that starts up and runs automatically when Windows boots, and Pstools, a collection of command-line utilities for examining and operating Windows system functions both locally and remotely.
Exploring grouped Windows Sysinternals utilities
This portion of the book comprises about half of its overall content. It's a huge grab bag of specialized diagnostic and operational tools that affect a great deal of system functionality. The best way to understand what's available is to scan these chapters to find items of interest, and then to dig into individual utilities as needed. I found the instructions on how to copy messages and content from various display windows in many utilities very useful for search and documentation purposes. These chapters also offered lots of tips on how to choose specific utility options and settings.
More on Windows Sysinternals:
Sysinternals tools can help clean your Windows systems
Sysinternals tools: A must-have for every Windows security toolbox
Using Sysinternals tools in security management scenarios
Free open source security tools for finding and fixing Windows flaws
Sysinternals Autoruns utility beefs up software debugging
Using the Microsoft Sysinternals suite for a computer systems audit
In particular, I found the chapters on desktop, file, disk, network and communication, and system information to be of great interest. Chapter 15 is about miscellaneous utilities and includes a handful of interesting widgets, including a potentially heart attack-inducing item called the "Bluescreen Screen Saver" that "realistically simulates an endless cycle of 'Blue Screen of Death' (BSOD) crashes and system restarts. For each simulated crash, Bluescreen randomly picks a bug check code and displays realistic data corresponding to that code." Ouch!
A killer troubleshooting guide
In the grand tradition of saving the best for last, the third and final part of the book delivers a troubleshooting tutorial that exposes Russinovich's experiences with mysterious error messages and how he used Windows Sysinternals tools to diagnose and fix the root causes.
In Chapter 16, he deals with a stubborn locked folder, a failed antivirus update that left a system unbootable, a missing folder association and more. Chapter 17 explores some causes for system hangs and sluggish performance, including Internet Explorer run amok (and consuming all CPU resources), ReadyBoost driver issues and repeated Outlook hangs.
Chapter 18 takes a similar tack with malware, explaining how admins can use Sysinternals tools to identify and remove unwanted software from infected systems. The only thing missing from this part of the book is an explanation of how to apply these techniques to other typical Windows gotchas, but that is something that comes from repeated use and increasing familiarity with the tool set.
Unless you already know Windows Sysinternals tools cold, anybody who works regularly with Windows systems will find a wealth of useful insight and information here. You will also get to know as valuable a set of elements for any systems admins' toolbox as you're likely to find anywhere. And because the tools themselves are free, the cost of the book is a minor consideration in light of the information and capability they can deliver.
ABOUT THE AUTHOR:
Ed Tittel is a freelance writer, consultant and occasional expert witness. He posts three times weekly on Windows topics for TechTarget's Enterprise Desktop Windows blog. Tittel contributed to the Que book Windows 7 in Depth, and is a named author for the upcoming Windows 8 edition of that book. In addition, he has written on Windows desktop certification exams for Windows NT, 2000, XP and 7.