IT admin's guide to the Sysinternals suite
IT administrators are only as good as the skills and tools at their disposal. I normally approach desktop tools with the belief that you get what you pay for. There are exceptions, though, and Microsoft's Windows Sysinternals tool set is one of the best freebies in my book. I especially like Sysinternals Process Explorer, currently at version 15, which is a great troubleshooting and investigative utility for enterprise Windows admins, security professionals and forensics analysts.
Here are three Process Explorer features that can relieve some of the pain of day-to-day Windows management:
1. Task Manager is decent in Windows 7 and earlier, and the Windows 8 Task Manager picked up several Process Explorer-like improvements. But if you want the best tool of all, you can replace Task Manager with Process Explorer outright: click the Options menu and select Replace Task Manager, as shown in Figure 1. Under the hood this registers procexp.exe as the debugger for taskmgr.exe under the Image File Execution Options registry key, which is why the option needs administrator rights and why that same key is worth a look whenever you audit a machine for persistence.
2. As you can see from the utilization numbers in the screenshot above, I run my main Windows 8 desktop pretty hard. With virtual machines and security testing tools running at any given time, I constantly have to kill hung processes or investigate what's slowing the computer down. A seemingly trivial feature that adds up over time is the ability to kill a process and all of its child processes at once: select the parent process in the tree and press Shift+Delete (Kill Process Tree). This is especially handy when Web browsers, and even Explorer, spawn child processes that make the system misbehave.
3. A Process Explorer feature that's particularly useful for security analysis and malware investigation is available by right-clicking a process and selecting Properties. As Figure 2 shows, the tabs expose the process's environment variables, the printable strings in its image on disk (or in its memory), and its individual threads.
What's really eye-opening is the TCP/IP tab, which lists the TCP and UDP endpoints each process has open. There is always something going on in the background, including connections you might not have realized were there, and tying an endpoint to the exact process that owns it is the first step in deciding whether it belongs.
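The process-tree kill in item 2 and the per-process TCP/IP view in item 3 are both easy to reproduce from PowerShell, which is handy when you want to script the check or are on a box without a GUI. The following is an added example and not code from the original article or from Sysinternals; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8 / Server 2012 or later (for Get-NetTCPConnection), and the process name 'msedge' in the usage section is a placeholder.

```powershell
# Added example, not code from the original article or from Sysinternals.
#   Get-ProcessTree        - a parent and all of its descendants (what Shift+Delete kills)
#   Get-ProcessConnections - the TCP endpoints those processes own (the TCP/IP tab)
#   Stop-ProcessTree       - kill the tree, root first
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows 8 or later.

function Get-ProcessTree {
    param([Parameter(Mandatory)][int]$ProcessId)

    # One CIM query for the whole process table; each row carries ParentProcessId.
    $all = Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CreationDate
    $byParent = $all | Group-Object ParentProcessId -AsHashTable -AsString
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    # Breadth-first walk, so the list comes back root first.
    $tree  = [System.Collections.Generic.List[object]]::new()
    $queue = [System.Collections.Generic.Queue[int]]::new()
    $seen  = @{}
    $queue.Enqueue($ProcessId)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        if ($seen.ContainsKey($current) -or -not $byId.ContainsKey($current)) { continue }
        $seen[$current] = $true
        $self = $byId[$current]
        $tree.Add($self)
        foreach ($child in @($byParent["$current"])) {
            if (-not $child) { continue }
            # Windows reuses PIDs: a stale ParentProcessId can point at an unrelated
            # process that later inherited the number. A real child starts after its parent.
            if ($null -eq $child.CreationDate -or $null -eq $self.CreationDate -or
                $child.CreationDate -ge $self.CreationDate) {
                $queue.Enqueue([int]$child.ProcessId)
            }
        }
    }
    return $tree
}

function Get-ProcessConnections {
    param([int[]]$ProcessId)   # empty = every process on the machine

    $byId = @{}
    foreach ($p in Get-Process) { $byId[$p.Id] = $p }

    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { -not $ProcessId -or $ProcessId -contains [int]$_.OwningProcess } |
        ForEach-Object {
            $owner = $byId[[int]$_.OwningProcess]
            [pscustomobject]@{
                PID     = [int]$_.OwningProcess
                Process = if ($owner) { $owner.ProcessName } else { '<exited>' }
                # Path is empty for protected or other-user processes unless you are elevated.
                Path    = if ($owner) { $owner.Path } else { $null }
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = [string]$_.State
            }
        }
}

function Stop-ProcessTree {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][int]$ProcessId)
    # Root first, so a supervising parent cannot restart children that are killed after it.
    foreach ($p in Get-ProcessTree -ProcessId $ProcessId) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.ProcessId))", 'Stop-Process')) {
            Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }
}

# Usage: inspect a browser's tree and its connections before deciding to kill it.
# 'msedge' is a placeholder; the oldest instance is normally the tree root.
$root = Get-Process -Name 'msedge' -ErrorAction SilentlyContinue |
    Sort-Object StartTime | Select-Object -First 1
if ($root) {
    $tree = Get-ProcessTree -ProcessId $root.Id
    $tree | Format-Table ProcessId, ParentProcessId, Name -AutoSize
    Get-ProcessConnections -ProcessId $tree.ProcessId |
        Sort-Object PID, Remote | Format-Table PID, Process, Local, Remote, State -AutoSize
    Stop-ProcessTree -ProcessId $root.Id -WhatIf   # drop -WhatIf to actually kill the tree
}
```

Run Get-ProcessConnections with no argument to get the "what's going on in the background" view for the whole machine; Get-NetUDPEndpoint gives the UDP side the same way. Stop-Process will fail silently on protected processes and on processes owned by other users when you are not elevated, which is the same limit Process Explorer runs into.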
You can also get a system-wide view by going to the View menu and selecting System Information. Process Explorer shows a highly detailed breakdown of CPU, memory and I/O utilization, such as the memory utilization shown in Figure 3.
This is good information to know for troubleshooting, as well as for planning for system upgrades and new applications such as Office 2013 and anti-malware. You can use these features of Sysinternals Process Explorer to demonstrate just how complex the Windows systems are that you're responsible for managing.
You could even use Process Explorer as part of security awareness training. You can remind Windows users why they should be careful where they click by showing them everything that's taking place in the background.
Process Explorer doesn't require installation; the only setup step is accepting the license agreement the first time it runs. If you'd rather not download the standalone version at all, you can run the tool directly from live.sysinternals.com. Better yet, put the entire Windows Sysinternals tool set on a thumb drive so you have it whenever you need it.
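As an added example (not from the original article or from Microsoft), here is one way to stage the suite on a thumb drive and pre-accept the license agreement for the two tools discussed on this page, so they start without a dialog on a machine you are triaging. It assumes PowerShell 5 or later (for Expand-Archive), uses Microsoft's official suite download URL, and the drive letter E: is a placeholder.

```powershell
# Added example, not code from the original article or from Microsoft.
# Stages the Sysinternals suite on a removable drive and pre-accepts the EULA.
# Assumes PowerShell 5+; the drive letter 'E:' is a placeholder.
param([string]$Drive = 'E:')

# Official download location for the complete suite.
$zipUrl  = 'https://download.sysinternals.com/files/SysinternalsSuite.zip'
$target  = Join-Path $Drive 'Sysinternals'
$zipFile = Join-Path $env:TEMP 'SysinternalsSuite.zip'

Invoke-WebRequest -Uri $zipUrl -OutFile $zipFile -UseBasicParsing
New-Item -ItemType Directory -Path $target -Force | Out-Null
Expand-Archive -Path $zipFile -DestinationPath $target -Force

# Every tool is Authenticode-signed by Microsoft; warn on anything that does not verify,
# which is the check you want before trusting a thumb drive that has been plugged into
# machines you were investigating.
Get-ChildItem -Path $target -Filter *.exe | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature not valid on $($_.Name): $($sig.Status)"
    }
}

# Each tool records EULA acceptance under HKCU:\Software\Sysinternals\<tool name>\EulaAccepted.
# Setting it ahead of time has the same effect as passing -accepteula on the command line.
foreach ($tool in 'Process Explorer', 'Process Monitor') {
    $key = "HKCU:\Software\Sysinternals\$tool"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EulaAccepted -Value 1 -Type DWord
}

# If you skipped the thumb drive, the same binary is available without a download step:
#   \\live.sysinternals.com\tools\procexp.exe -accepteula
```

The EulaAccepted value lives in the current user's hive, so it has to be set in the account that will run the tools, and the signature check only catches tampering with the executables themselves, not with what else might be on the drive.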
Also, don't overlook the additional value of the Process Monitor tool, which captures registry, file system, network and process activity in real time and complements Process Explorer's point-in-time view.
You could probably spend the next month using Process Explorer and still not master it. It's good to know that such tools are available in Windows Sysinternals. The hard part is taking the time to learn how to use them. If you do, they'll no doubt make your job easier.