ADM291: A Tour of Sysinternals Tools (Mark Russinovich, Winternals Software)
TRANSCRIPT
![Page 1: ADM291 A Tour of Sysinternals Tools Mark Russinovich Winternals Software](https://reader033.vdocument.in/reader033/viewer/2022051516/56649e115503460f94afd8e5/html5/thumbnails/1.jpg)
ADM291
A Tour of Sysinternals Tools
Mark Russinovich, Winternals Software
About The Speaker
Co-author of Inside Windows 2000, 3rd Ed. (Microsoft Press) with David Solomon
Contributing Editor and NTInternals columnist for Windows and .NET Magazine
Creator of www.sysinternals.com
Co-founder and chief software architect of Winternals Software (www.winternals.com)
Co-creator of Inside Windows 2000—An interactive internals tutorial (on DVD & streaming Windows media)
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File System Tools
About Sysinternals
Started with NTFSDOS, Regmon and Filemon hosted on Andrew Schulman’s site in mid-1996
www.ntinternals.com went live in late 1996
Under a dozen tools
1500 unique visitors/day
Sysinternals Today
Interesting statistics:
75 tools, 2-dozen technical articles
25,000 unique visitors/day
30,000 downloads/day (4 GB of data)
150,000 unique visitors/month
36,000 newsletter subscribers
Almost 4-dozen KB-article references
Everything on the site is freeware
Can’t redistribute without a license
Source code is licensed for use in commercial products
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools
Monitoring
Filemon
Regmon
Process Explorer
TCPView
Filemon/Regmon
Watch all file system or Registry accesses in real-time
Ideal for troubleshooting broken application installations
Useful for developers tracking down bugs or performance tuning file system access
Work on all Windows® OSs, including 64-bit Windows XP
Used extensively within Microsoft:
PSS
Windows XP Application Compatibility
Microsoft® Office 2000
Using Filemon/Regmon
Requires no install or reboot
Just start using them
Includes filters for including, excluding, and highlighting output
Can’t include/exclude filter result codes on Filemon for WinNT/2K/XP
Requires admin privilege to run
Trick: run once as admin and then you can use them as unprivileged users
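The include/exclude/highlight filtering described on this slide is easy to misread as three kinds of the same thing. The following is an added example, not Sysinternals code, that applies the three filter classes to a constructed trace laid out loosely like Filemon's columns (sequence, time, process, request, path, result, other). The semicolon-separated wildcard syntax and the choice to match include/exclude against only the process and path columns are this example's own assumptions; highlighting is applied across every column, including the result, which is how one spots the NOT FOUND or ACCESS DENIED access behind a broken installation without removing surrounding context from the trace.

```python
import fnmatch
from dataclasses import dataclass, replace

# Constructed trace, modelled loosely on Filemon's columns (sequence, time,
# process, request, path, result, other). Not real Filemon output.
TRACE = """\
1\t10:01:02.115\texplorer.exe:1200\tOPEN\tC:\\Windows\\System32\\shell32.dll\tSUCCESS\tOptions: Open
2\t10:01:02.118\tsetup.exe:3321\tOPEN\tC:\\Program Files\\App\\config.ini\tNOT FOUND\tOptions: Open
3\t10:01:02.120\tsetup.exe:3321\tCREATE\tC:\\Program Files\\App\\config.ini\tACCESS DENIED\tOptions: Create
4\t10:01:02.130\twinword.exe:2044\tREAD\tC:\\Users\\alice\\report.doc\tSUCCESS\tOffset: 0 Length: 4096
5\t10:01:02.131\tsetup.exe:3321\tQUERY INFORMATION\tC:\\Windows\\Temp\\~tmp1.dat\tSUCCESS\tFileAttributeTagInformation
"""


@dataclass(frozen=True)
class Event:
    seq: int
    time: str
    process: str
    request: str
    path: str
    result: str
    other: str
    highlighted: bool = False


def parse_trace(text):
    """Split tab-delimited trace lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"malformed trace line: {line!r}")
        seq, *rest = fields
        events.append(Event(int(seq), *rest))
    return events


def _patterns(spec):
    # Semicolon-separated wildcard list (assumed syntax for this example).
    return [p.strip().lower() for p in spec.split(";") if p.strip()]


def _matches(text, spec):
    text = text.lower()
    return any(fnmatch.fnmatchcase(text, p) for p in _patterns(spec))


def apply_filters(events, include="*", exclude="", highlight=""):
    """Keep events whose process or path matches an include pattern and no
    exclude pattern; flag (but do not drop) events matching a highlight
    pattern. Include/exclude look only at process and path (a simplification
    chosen here); highlight looks at every column, result code included."""
    kept = []
    for ev in events:
        subject = f"{ev.process}\t{ev.path}"
        if not _matches(subject, include):
            continue
        if exclude and _matches(subject, exclude):
            continue
        everything = "\t".join([ev.process, ev.request, ev.path, ev.result, ev.other])
        flagged = bool(highlight) and _matches(everything, highlight)
        kept.append(replace(ev, highlighted=flagged))
    return kept


def render(events):
    """One line per event, with a '*' marker in front of highlighted rows."""
    return "\n".join(
        f"{'*' if ev.highlighted else ' '} {ev.seq:>4} {ev.time} {ev.process:<20} "
        f"{ev.request:<18} {ev.path:<44} {ev.result}"
        for ev in events
    )


if __name__ == "__main__":
    evs = parse_trace(TRACE)
    # Typical broken-install triage: show only the installer, mark failures.
    print(render(apply_filters(evs, include="*setup*",
                               highlight="*DENIED*;*NOT FOUND*")))
```

Highlighting rather than filtering on the result column is the practical workaround for the limitation noted above: the failing access stays in context with the successful accesses around it, which is usually what explains why an installer went looking in that path in the first place.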
How Filemon Works
Filemon uses a driver to intercept file I/O access
A VxD on Windows 9x/Me
A “file system filter driver” on Windows NT®/Windows 2000/Windows XP
[Diagram: user mode holds the Application and the Filemon GUI; kernel mode holds the Filemon Driver layered with the File System Driver]
How Regmon Works
Regmon uses a driver to intercept Registry operations
A “hook” VxD on Windows 9x/Me
A system-call intercepting driver on Windows NT/Windows 2000/Windows XP
[Diagram: user mode holds the Application and the Regmon GUI; kernel mode holds the Regmon Driver and the Registry Subsystem]
Process Explorer
Process Explorer (formerly HandleEx) starts where Task Manager ends:
See detailed information about running processes, including their paths and command-lines
Description of EXE
SID from process security token
View the DLLs processes have loaded, including version numbers
See what handles processes have opened
Examine services running within service processes
Process Explorer works on all Windows platforms
Common Process Explorer Uses
Detect DLL versioning problems
Compare the output from a “good” system with that of a “broken” system
Use the search feature to determine what process is holding a file or directory open
View the state of synchronization objects (mutexes, semaphores, events)
Detect handle leaks using refresh difference highlighting
How Process Explorer Works
Uses undocumented functions for:
Enumerating loaded modules with full path names
Enumerating processes and handles
Obtains handle names using the aid of a driver
Related Tools:
Handle – command-line handle viewer
Listdlls – command-line DLL viewer
TCPView
GUI version of Netstat
Works on all Windows platforms
Lists active TCP and UDP endpoints
Shows endpoint owner on Windows NT/2000/Windows XP/.NET Server
Includes auto-refresh and difference highlighting
You can close established TCP/IP connections
Works using documented and undocumented IPHelper library functions
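Both the handle-leak detection on the Process Explorer slide and the auto-refresh difference highlighting here rest on the same idea: take a snapshot per refresh, diff it against the previous one, and colour what appeared, disappeared or changed. The following is an added example, not Sysinternals code, working over constructed TCPView-style endpoint rows and constructed per-refresh handle counts; the row layout, the process names and the idea of treating "rose at every refresh" as the leak signal are this example's own assumptions.

```python
# Constructed endpoint snapshots in a TCPView-like layout:
# (process, protocol, local address, remote address, state). Not real output.
SNAPSHOT_1 = [
    ("svchost.exe:880", "TCP", "0.0.0.0:135", "0.0.0.0:0", "LISTENING"),
    ("lsass.exe:600", "UDP", "0.0.0.0:500", "*:*", ""),
    ("iexplore.exe:1744", "TCP", "192.168.1.10:1043", "10.0.0.5:80", "ESTABLISHED"),
]
SNAPSHOT_2 = [
    ("svchost.exe:880", "TCP", "0.0.0.0:135", "0.0.0.0:0", "LISTENING"),
    ("lsass.exe:600", "UDP", "0.0.0.0:500", "*:*", ""),
    ("iexplore.exe:1744", "TCP", "192.168.1.10:1043", "10.0.0.5:80", "TIME_WAIT"),
    ("unknown.exe:2210", "TCP", "192.168.1.10:1044", "10.0.0.9:6667", "ESTABLISHED"),
]


def endpoint_key(row):
    # Identity of an endpoint is everything except its state, so a state
    # change shows up as "changed" rather than as a removal plus an addition.
    return row[:4]


def diff_snapshots(old, new, key=endpoint_key):
    """Return (added, removed, changed) between two refreshes."""
    old_map = {key(r): r for r in old}
    new_map = {key(r): r for r in new}
    added = [r for k, r in new_map.items() if k not in old_map]
    removed = [r for k, r in old_map.items() if k not in new_map]
    changed = [(old_map[k], r) for k, r in new_map.items()
               if k in old_map and old_map[k] != r]
    return added, removed, changed


def render_diff(old, new):
    """Text form of what a GUI would colour: '+' new, '-' gone, '~' changed."""
    added, removed, changed = diff_snapshots(old, new)
    lines = [f"+ {' '.join(r)}" for r in added]
    lines += [f"- {' '.join(r)}" for r in removed]
    lines += [f"~ {' '.join(o)} -> {n[-1]}" for o, n in changed]
    return "\n".join(lines)


# Constructed handle counts per process over four Process Explorer refreshes.
HANDLE_COUNTS = [
    {"leaky.exe:1500": 120, "explorer.exe:1200": 540, "winword.exe:2044": 300},
    {"leaky.exe:1500": 160, "explorer.exe:1200": 542, "winword.exe:2044": 290},
    {"leaky.exe:1500": 205, "explorer.exe:1200": 539, "winword.exe:2044": 310},
    {"leaky.exe:1500": 251, "explorer.exe:1200": 541, "winword.exe:2044": 305},
]


def handle_leak_suspects(refreshes, min_refreshes=3):
    """Processes whose handle count rose at every consecutive refresh.
    Returns {process: total growth}. Processes seen in fewer than
    min_refreshes snapshots are ignored so short-lived ones are not flagged."""
    suspects = {}
    for proc in set().union(*refreshes):
        series = [r[proc] for r in refreshes if proc in r]
        if len(series) < min_refreshes:
            continue
        if all(later > earlier for earlier, later in zip(series, series[1:])):
            suspects[proc] = series[-1] - series[0]
    return suspects


if __name__ == "__main__":
    print(render_diff(SNAPSHOT_1, SNAPSHOT_2))
    print(handle_leak_suspects(HANDLE_COUNTS))
```

Keying endpoints on everything but their state is what makes an ESTABLISHED to TIME_WAIT transition render as a change instead of a disappearance; a normal process like explorer.exe whose count wobbles up and down is not reported, while monotonic growth across several refreshes is the pattern a leak produces.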
Other Monitoring Tools
DebugView – Monitor application debug output
Diskmon – Monitor hard disk activity
Pmon – Monitor process and thread activity
Portmon – Monitor serial and parallel port traffic
Tokenmon – Monitor security-related activity
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools
Systems Administration
PsTools
PsList
PsKill
PsInfo
PsLogList
PsService
PsExec
PsSuspend
More…
BgInfo
Autoruns
PsTools
PsTools consists of a total of 11 tools
They all work on Windows NT/Windows 2000/Windows XP
They all work remotely as well as locally
None require manual remote software installation
Where’d the “Ps” come from?
The UNIX process listing tool is named “ps”
The first PsTool was a UNIX “ps”-equivalent, PsList
PsList
View detailed information about running processes
Similar to tlist and pulist
Default view is mix of CPU and memory information
Other views show thread details, memory details, or full information
Use the -s switch to run it in a Task Manager-type mode
Works using the performance counter API rather than WMI
WMI is only available by default on Windows 2000/Windows XP, not on Windows NT 4
PsKill
The perfect complement to PsList is PsKill
Similar to Resource Kit Kill and Remote Kill
See a process running on a remote (or local) system with PsList, kill it with PsKill
Unlike Task Manager, PsKill lets you kill any process if you’re an admin
Uses “Debug” privilege
Uses auto-installed remote service and TerminateProcess API
PsInfo
Get detailed information about a system
OS version: type (pro, server, etc.)
Service Pack
Hot-fixes
CPU and memory
Uptime
Volume information
Uses documented APIs:
Registry (remote, if applicable)
WMI for XP product activation query
PsLogList
Dump and optionally clear event logs
Like eloglist from the Resource Kit
PsLogList lets you dump logs using alternate credentials
Gets event strings from remote system
Like eloglist, dumps in tab-delimited format for easy import into spreadsheets
Has extensive support for filtering on record type and date range
Uses documented Event Log APIs, which work remotely
PsService
Control Win32® services
Like the Resource Kit’s and XP/Server 2003’s SC
Unlike SC, doesn’t make you remember and manually specify a “resume handle”
Same syntax as SC
Omits several esoteric SC options
Search the network for active instances of a service
Uses documented Service Control Manager APIs, which work remotely
PsExec
Remotely execute programs
Executes console programs interactively
Allows you to start programs as yourself, in alternate user credentials, or in the System account
With PsExec you can:
Launch a remote command prompt to effect a light-weight telnet
Remote-enable “local only” command-line tools like IpConfig
Uses auto-installed remote service
PsExec
Options of interest include:
-s: Run in System account (instead of account of user running PsExec)
-i: Show GUI windows on interactive console
-d: Don’t wait for remote process to terminate
-c: Copy an executable to the remote system
PsSuspend
Microsoft provides no process-suspend utility like PsSuspend for pausing a process that’s using a resource:
Memory
CPU
Network
Windows NT and 2000 have no “suspend process” capability, so PsSuspend suspends individual threads
BgInfo (Background Info)
If you manage more than a handful of systems, you’ve run into the “what machine is this” syndrome
BgInfo creates an auto-generated informative desktop background
System name
Memory
IP Address
OS version
Whatever you want!
Autoruns
There are almost 2-dozen places that can be used to configure automatically started applications
Autoruns shows you all of the locations and displays programs configured to run in them
Double-click a folder or key to jump to it in Explorer or Regedit
Double-click a configured application to view its properties
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools
File-Related Tools
Contig
PageDefrag
Streams
Strings
Contig
Command-line Windows NT/Windows 2000/Windows XP file defragmenter
Useful for:
Defragmenting specific files
Creating new contiguous files
Defragmenting entire disks
Uses Windows NT/Windows 2000/Windows XP defragmenting API, documented at Sysinternals
PageDefrag
Defragments paging files and Registry hives at boot time
Implemented as “native” application:
Launched by Session Manager because listed in HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute value
Uses “native” API
Uses Contig defragmentation engine
Supports command-line options for scripted install
Streams
Streams, which require NTFS, used to be rarely used
Now there are several components that make use of them:
Services for Macintosh
Explorer
Viruses
Streams can search directories for files with streams and display their names
Strings
Some executables do not identify themselves with version information or descriptive names
Strings will look inside a file image for printable text that includes:
Registry key and value names
Debug strings
File names
Internal build information
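What "look inside a file image for printable text" amounts to is a scan for runs of printable bytes, in both the 8-bit form and the UTF-16LE form that Windows executables carry. The following is an added example, not the Sysinternals Strings tool, that performs that scan over a constructed byte buffer and then sorts the hits into the four categories the slide names with simple heuristics. The buffer contents, the minimum run length of 3 and the classification rules are this example's own assumptions.

```python
import re

# Constructed "file image": a few header bytes, an ASCII registry path, a
# UTF-16LE debug message, a file name and a build string, with junk between.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 4
    + b"SOFTWARE\\Contoso\\Updater\x00"
    + b"\x01\x02\x03"
    + "Checking for updates...".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80\x81"
    + b"updater.dll\x00"
    + b"Build 1.0.0.42 (internal)\x00"
)


def extract_strings(data, min_len=3, want_ascii=True, want_unicode=True):
    """Return (offset, kind, text) for every printable run of at least
    min_len characters. 'ascii' runs are bytes 0x20..0x7e; 'unicode' runs are
    UTF-16LE code units whose low byte is printable and high byte is zero."""
    found = []
    if want_ascii:
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    if want_unicode:
        for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
            found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    found.sort()
    return found


def classify(text):
    """Rough bucket for a recovered string (heuristics chosen for this example).
    The dotted-quad rule also fires on IPv4 addresses, which is usually welcome."""
    if re.match(r"(?i)^(HKLM|HKCU|HKEY_|SOFTWARE\\|SYSTEM\\)", text):
        return "registry"
    if re.search(r"(?i)\.(dll|exe|sys|ini|drv|ocx)$", text):
        return "file"
    if re.search(r"\b\d+\.\d+\.\d+\.\d+\b", text):
        return "build"
    return "other"


def report(data, min_len=3):
    """{category: [text, ...]} for everything recovered from data."""
    out = {}
    for _offset, _kind, text in extract_strings(data, min_len):
        out.setdefault(classify(text), []).append(text)
    return out


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print(f"{offset:6d} {kind:7s} {classify(text):8s} {text}")
```

The two regular expressions cannot trip over each other on the same bytes: an ASCII run contains no zero bytes, and a UTF-16LE run has a zero byte after every character, so neither satisfies the other's minimum length. Raising the minimum length is the usual first move when a real binary yields a wall of three-character noise.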
After Hours…
The Sysinternals Bluescreen Screen Saver
Check The Site Often…
There are updates, bug fixes, new tools and articles on a regular basis
I’m always open to tool suggestions
Sign up for the newsletter to get inside information on the tools and Windows internals
For More Info...
Video: Inside Windows 2000 – An Interactive Tutorial (on DVD & Windows Media)
11 hours of instruction with hands-on lab exercises
Book: Inside Microsoft Windows 2000, Third Edition (Microsoft Press)
Class: Come to London Sep 23-25
Don’t forget to complete the on-line Session Feedback form on Attendee Web site
Community Resources
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx
Evaluations