Windows Sysinternals: advanced system utilities and technical information

docs.microsoft.com

64 points by vsto 5 years ago · 25 comments

vstoOP 5 years ago

The creator of these tools used to give those really cool "The case of the unexplained" presentations where he used the tools to diagnose and fix real-life Windows problems.

https://docs.microsoft.com/en-us/sysinternals/resources/webc...

endymi0n 5 years ago

I'm on Mac and Linux for 10 years now, but Sysinternals is the one thing that kept me on Windows for the 10 years before as a hacker. It was the first thing that landed on any new machine and let me learn and debug so many things about my computer.

Microsoft did the right thing to assimilate them, the guy behind was top notch and I remember them fondly.

Don't know how they evolved the last decade though.

  • xtracto 5 years ago

    Ditto here. And Russinovich was the one who revealed the infamous Sony rootkit using these tools IIRC. Great memories of my time when I used Windows.

    • hulitu 5 years ago

      So that's why RootkitRevealer does not work with newer versions of Windows.

      • ssabetan 5 years ago

        My understanding is that RootkitRevealer is no longer being maintained since it was being used by malware authors to evade detections. The age old cat and mouse game.

  • vstoOP 5 years ago

    True that. The guy was top notch indeed and is now CTO of Azure.

altano 5 years ago

Use https://live.sysinternals.com to quickly grab one of these tools with no fuss

Process Monitor (ProcMon) is one of the best diagnostic tools on the planet. I’ve used it to find why my machine booted slowly (encrypted font?!), what sort of network activity is holding up an app, why my USB device was sucking at wake-from-sleep, etc.

Process Explorer (ProcExp) is amazing at inspecting processes, eg to see their environment variables, see what process integrity levels look like, find out what process has what path open (eg since Windows won’t let you delete open files), etc. It’s a good complement to Task Manager.

TCPView is great for some weird cases. I used it once to find a bad web server as I could see my http requests were failing when the load balancer sent me to a specific IP. This impressed my web developer friends who weren’t used to seeing really accessible but low level diagnostic tools.

All the memory tools are great too.

desktopninja 5 years ago

Since yesteryears, my core tool set of choice has been:

  - sysinternals

  - nirsoft

  - UnxUtils

  - powershell

  - powertoys

RE: powershell ... yup Russinovich gave us that too :)

  • vstoOP 5 years ago

    Is there an alternative to Everything [1] (file search with immediate results) and Ditto [2] (clipboard manager) among those you've listed? I can't live without them on Windows to be honest.

    [1] http://www.voidtools.com/support/everything/
    [2] https://github.com/sabrogden/Ditto/wiki

    • indianmouse 5 years ago

      I use Clipdiary instead of Ditto and share the DB across machines using a file sync for an eternal and shared clipboard history.

      The main site is http://softvoile.com/

      Clipdiary is https://clipdiary.com

      Though my DB syncing doesn't always work like a charm, it still gets the job done. Use the freeware version, which should be more than sufficient for most users.

      Check out other tools which are good, such as Flashnote.

    • thefz 5 years ago

      > Is there an alternative to Everything

      I use AstroGrep but it scans the drive, rather than indexing it (find vs. locate)

    • mdpm 5 years ago

      Listary is a good ui for full text search, and integrates with the default file dialogs nicely too.

    • desktopninja 5 years ago

      Dammit, I forgot about VoidTools. Ditto looks interesting.

  • chokolad 5 years ago

    > RE: powershell ... yup Russinovic gave us that too :)

    Nope, that was Jeffrey Snover.

secfirstmd 5 years ago

A proper Sysinternals-equivalent set of tools is sorely missed on macOS. Trying to do DFIR on them mostly sucks compared to what's available on Windows. (Open to hearing from anyone who has particular favorites or recommendations.)

joshxyz 5 years ago

Ah, good old days of using these to disable auto-run programs (with some of them viruses) on Windows XP and 7.

And procexp! It's just the better task manager.

  • T3OU-736 5 years ago

    ProcessHacker (https://processhacker.sourceforge.io/) is also a worthy competitor to the Process Explorer.

    • krylon 5 years ago

      I second that, because ProcessHacker was the only tool I found to let me set the I/O priority of a process.

      • iggldiggl 5 years ago

        Thirded, because at some point, ProcessExplorer started recording the resource usage history of a process (CPU usage, memory, I/O) only the moment you explicitly opened that particular process's properties window for the first time.

        Because the last version of ProcessExplorer that didn't exhibit that behaviour no longer works on current Windows versions (certainly not 10, and I'm no longer sure whether 7 wasn't already problematic, too), ProcessHacker instead it is then.

krylon 5 years ago

When I worked as a Windows admin, the SysInternals tools were usually among the first things I installed on a new server or workstation.

Personally, I do not understand why Microsoft does not include them by default on Windows, they are just so useful.

  • vstoOP 5 years ago

    My guess is that they're not included due to internal politics. They were developed by Russinovich before he joined Microsoft. I believe he mentioned in an interview that he used some undocumented Windows APIs and that some Microsoft engineers were not happy about that.

    BTW, another great diagnostic tool for Windows that I've come across is the Windows Performance Analyzer. One needed to install it separately before; not sure about that nowadays.

zenlot 5 years ago

Is there any recent book worth a read, which covers Windows internals for latest versions?

alpenbazi 5 years ago

don't forget to exclude your sysinternals/nirsoft tools dir from AV

  • technion 5 years ago

    On the contrary: adding psexec.exe to our EDR's blocklist has had tangible positive impacts.

    Legitimate remote execution in 2021 can be achieved using a range of supported options, and when I see this alert trigger in a monitored environment there's nearly always something malicious going on. The catch, of course, is that you explain this to everyone and get them on board, as opposed to just doing it.
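The alerting approach described in the comment above, as an added example that is not part of the thread: a small triage routine that flags the two host-side traces a PsExec run leaves (a System event 7045 "service installed" for PsExec's default PSEXESVC service, and a Security event 4688 process start for psexec.exe) and filters out actors on an agreed allowlist. The event records are constructed samples, and the field names (`host`, `service`, `image`, `user`) are this example's own simplification of the Windows event schema.

```python
import re

# Constructed sample event records (not real telemetry), flattened to a few
# fields. 7045 = System log "A service was installed in the system";
# 4688 = Security log "A new process has been created".
SAMPLE_EVENTS = [
    {"id": 7045, "host": "ws01", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "user": "CORP\\svc_admin"},
    {"id": 7045, "host": "ws02", "service": "Spooler2",
     "image": r"C:\Windows\System32\spoolsv.exe", "user": "SYSTEM"},
    {"id": 4688, "host": "ws03", "image": r"C:\tools\psexec.exe",
     "user": "CORP\\helpdesk"},
    {"id": 4688, "host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "user": "CORP\\helpdesk"},
]

# Matches psexec.exe, psexec64.exe and the dropped service binary PSEXESVC.exe
# as the last path component, regardless of case or path separator.
PSEXEC_IMAGE = re.compile(r"(^|[\\/])psexe(c|c64|svc)\.exe$", re.IGNORECASE)


def classify(event):
    """Return a one-line finding for a PsExec trace, or None if the event is benign."""
    image = event.get("image", "")
    if event["id"] == 7045 and (event.get("service", "").upper() == "PSEXESVC"
                                or PSEXEC_IMAGE.search(image)):
        return f"{event['host']}: PsExec service installed by {event['user']}"
    if event["id"] == 4688 and PSEXEC_IMAGE.search(image):
        return f"{event['host']}: psexec.exe launched by {event['user']}"
    return None


def triage(events, allowlisted_users=frozenset()):
    """Collect findings whose actor is not on the agreed allowlist.

    The allowlist is the "get them on board" part: admins who have a sanctioned
    reason to use PsExec are filtered here, everything else is raised.
    """
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit and ev["user"] not in allowlisted_users:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, allowlisted_users={"CORP\\svc_admin"}):
        print(line)
```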
