Windows Sysinternals Tools

Find utilities to help you reveal rootkits, track down and terminate runaway processes, and remove unwanted programs from system start up

Michael Otey

March 19, 2010

4 Min Read
ITPro Today logo in a gray background | ITPro Today

Sysinternals utilities have long been the administrator's best friend. Sysinternals was created in 1996 by Mark Russinovich and Bryce Cogswell, who gained notoriety for the powerful and practical Windows utilities they created. The Sysinternals toolset hasn't stagnated since Microsoft acquired it back in 2006. The company has continued to release new tools and improve existing ones. If you're new to Windows administration and haven't seen these utilities, you'll be blown away. Even if you have seen them, you might be surprised at many of the new tools and features that have been added. In this column, I'll share my favorite Sysinternals tools.

10. RootkitRevealer—Rootkits are a type of malware that are designed to hide their presence from antivirus and antispyware solutions. Rootkits often work by intercepting and changing system API calls. RootkitRevealer runs as a randomly named service and detects rootkits by comparing the results of Windows API calls with the contents of the system's file structures. You can get RootkitRevealer here.

9. ZoomIt—Although it's not really an administrative tool, ZoomIt is a favorite of mine for doing presentations. ZoomIt magnifies portions of the screen, which really helps you to draw attention to important points. ZoomIt also lets you create basic annotations on the screen. You can get ZoomIt here.

8. LogonSessions—This command-line utility shows you all the sessions that are currently logged on to your Windows system. It shows the username along with logon type, such as Service, Network, or Interactive. You can download LogonSessions here.

7. ShareEnum—Keeping your organization's file shares under control can be a challenge—particularly when end users and departments create their own shares, leaving you with lots of unused, obsolete shares on your network. ShareEnum can help you control the proliferation of file shares by listing all the available shares on your network as well as their basic security information. ShareEnum is available here.

6. ShellRunas—There are times when you want to run certain programs under a different set of logon credentials but you don't want to have to log off, then log back on again. ShellRunas adds a context menu option to Windows Explorer that lets you start a program using a different user ID and password. You can get ShellRunas here.

5. TCPView for Windows—TCPView is another program that can give you important information about what's happening beneath the surface of your Windows systems. TCPView shows all your open TCP and UDP connections. TCPView lists the process name that the local port used and the remote address the process is connected to. You can get TCPView here.

4. Process Explorer—Process Explorer is a great tool for tracking down runaway programs and programs with memory leaks. Process Explorer shows you all the running processes on your system and lets you see the DLLs that are loaded as well as the CPU and memory utilization of each process. You can get Process Explorer here.

3. Autoruns for Windows—Discovering and optimizing the programs that run automatically when your system boots up is one of the best ways to improve your system performance. So many programs surreptitiously invade your system's boot space that over time you might be shocked to see what's running when your system starts up. Autoruns displays all the registry and file locations that enable applications to run at boot and gives you the information you need to intelligently delete unwanted autostarting programs. Autoruns is found here.

2. PsTools—The PsTools suite is a collection of 13 command-line tools that perform a number of useful tasks. For instance, PsExec executes processes on remote computers, and PsList displays information about running processes. PsKill terminates a process, PsLoggedOn shows all the local logins, and PsUptime shows the time since the last reboot. The PsTools suite is found here.

1. Disk2vhd—Although PsTools is a great collection of super-useful utilities, lately I've been doing a lot of virtualization work, so Disk2vhd is my new favorite tool. Disk2vhd is a physical-to-virtual (P2V) disk-conversion utility. Unlike some other P2V tools, Disk2vhd uses volume snapshots to allow it to copy any disk volume—including the one running Disk2vhd. Disk2vhd is found here.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like