BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
If you need to gain insight into a Microsoft Windows environment, Sysinternals utilities are among the best tools. Microsoft's collection goes way beyond the functionality of native Windows tools and provides some fairly advanced capabilities.
The Windows Sysinternals site contains dozens of utilities, much of which are freeware, for viewing or troubleshooting individual operating system components. Be aware the Sysinternals library has existed for some time. Many of the tools were created for older OSes such as Windows XP or Vista, so not all the Sysinternals utilities collection works with modern Windows versions.
Although none of these Sysinternals utilities is designed specifically for Windows 10, some of them can help address Windows 10 problems. Explore ten Sysinternals tools any IT professional troubleshooting Windows endpoints should know about.
Unexpected security restrictions can easily stand in the way of a seemingly simple repair or maintenance operation. The AccessChk utility helps you determine which permissions are in effect.
The tool works for files, folders, registry keys, Windows services and global objects. AccessChk is also useful for verifying system resources have received the proper level of security.
Over time, Windows desktops tend to accumulate processes that launch automatically when the system starts. Although Windows contains a built-in system configuration utility known as MSConfig, this utility may not always show all of the processes that run at Startup. This is especially true for processes related to a malware infection. In contrast, AutoRuns provides deep insight into the processes configured to run at System Startup. AutoRuns is even able to display startup information for individual components such as browsers and sidebar gadgets (Figure A).
BgInfo is a simple tool that displays a system's vital statistics on the desktop as wallpaper. It can be immensely helpful because key system information is immediately available when anyone signs on to a system. Even if a user requests help over the telephone, the user can provide the support person with relevant information directly from the Windows desktop.
The utility is fully customizable (Figure B). You have complete control over the information BgInfo displays, as well as the color, position and even the font it uses. This allows you to omit any information from the display you deem to pose a security risk. It also allows you to display the information in a color that is visible against the desktop background.
As its name implies, Disk2vhd is designed to create a virtual hard disk based on a physical computer.
Although this utility was probably created as a tool for helping Windows Server admins virtualize physical servers, it works equally well for creating virtual desktops.
Even if you aren't planning to use desktop virtualization, a virtualized copy of a corporate desktop can be handy for testing purposes, especially where upgrades are concerned.
Disk2vhd is an older utility, and therefore does not support the VHDX virtual hard disk format. As such, the maximum virtual hard disk size is 127 GB.
One of the more frustrating experiences for an end user is the inability to save, move or rename a file because Windows claims the file is in use. The Handle utility displays information about open handles for any system process. In other words, you can use Handle to figure out which program has a locked file open.
Process Explorer is an excellent tool for anyone tracking down a system performance problem. It displays all the processes running on the system, as well as the CPU and memory usage for each process.
Although some might be quick to point out Windows Task Manager offers similar functionality, Process Explorer offers capabilities far beyond those of the Task Manager. In fact, Process Monitor includes a menu option that lets you replace Task Manager with Process Explorer.
Process Explorer has lots of information about the processes running on a system. In addition to basic resource statistics, the software lists the name of the vendor that created the process and a meaningful description of what the process is or what it does.
A tree view shows the dependencies for each process. Hovering over a process with the mouse pointer displays information such as the command prompt that launches the process, the path to the process executable and the system services related to the process.
Process Explorer can help detect malware by verifying image signatures and checking VirusTotal.com to see if the process is related to a virus.
In addition, the software can terminate, suspend or restart a process, and adjust a process's priority, among other functions.
The Ping utility is commonly used to test network connectivity. PsPing is a more advanced version of the Windows Ping utility. The native Ping tool performs ICMP pings. In contrast, PsPing can perform both ICMP and TCP pings. Furthermore, this tool can perform bandwidth tests and latency tests, all from this simple command-line utility.
PsTools is a collection of 13 command-line tools you can use for diagnostic purposes. For example, the PsInfo command provides basic information such as the Windows version, system uptime, the kernel build number, the processor type and the amount of memory available in the system.
The PsInfo tool may have a bug related to memory reporting, however. My computer, for example, has 16 GB of physical memory, but the utility reported less than 2 GB of memory.
PsTools includes the following tools:
- PsExec: Remotely executes processes
- PsFile: Shows files opened remotely
- PsGetSid: Displays the computer's security identifier
- PsPing: Measures network performance
- PsInfo: Displays basic information about the system
- PsKill: Terminates a running process
- PsList: Lists detailed information about running processes
- PsLoggedOn: Shows who is logged onto the system, both locally and through resource sharing
- PsLogList: Dumps event log records
- PsPassword: Changes account passwords
- PsService: A command-line utility for viewing and controlling system services
- PsShutdown: Forces a reboot or a shutdown of the system
- PsSuspend: Suspends a running process
All of the PsTools functions exist in PowerShell but, there are advantages to using PsTools. First, it works across OS versions, including Windows XP, Windows Server 2003 and higher. Second, the tools included in PsTools tend to be easier to use than some of the PowerShell cmdlets.
The ShellRunas tool tends to be especially helpful if you must troubleshoot problems with applications that run on a Microsoft Windows environment on a desktop. The tool adds a shortcut to application context menus that allows you to run an application that isn't working as a different user in an effort to determine whether the problem is permissions related. Not only can you use ShellRunas to run an application with administrative privileges, but a user who is logged in as an administrator can use ShellRunas to run an application as a standard user to see how the application behaves.
To use ShellRunas you must run ShellRunas from a Command Prompt window, and specify the /REG switch. Doing so registers the shell extension and prepares it for use. It is only necessary to do this once. Once you register the shell extension, the Run As A Different User menu option permanently exists unless an you unregister the extension.
TCPView is an excellent tool for troubleshooting network problems. It displays a near-real-time view of how the processes on a system are using the networking stack. For each process, you can view the Process ID, protocol, local address and local port number, remote address and remote port number. Admins can also see state, the number of sent packets, the number of sent bites, the number of received packets and the number of received bytes.
Although this information would be extremely helpful by itself, a few other features make TCPView really useful. For starters, the tool uses highlighting to show which processes are using the network at a given moment.
The tool also lets you view properties such as the underlying executable file for each process, and you can terminate a process or close a network connection with a couple of mouse clicks. The utility even includes a function that helps you determine the identity of an unknown connection.
To effectively troubleshoot a system you need accurate diagnostic information. Although the diagnostic information TCPView displays is viewable in other areas of the OS, showing the information on the desktop is a huge timesaver if you are tasked with diagnosing a problem.
What new Windows 7 security tools are available?
IT admin's guide to the Sysinternals suite
Comprehensive guide to desktop monitoring tools, including Sysinternals