TWC
Aaron Margosis, Microsoft Cybersecurity Services
Sysinternals Primer: TechEd 2014 Edition
DCIM-B340
Suite of around 70 systems diagnostics, troubleshooting and management tools
Started in 1996 by Mark Russinovich and Bryce Cogswell
Freeware, lightweight, single-image, xcopy-deployed
Can also execute from Web: \\live.sysinternals.com\tools\<toolname>
3 million downloads/month
Most popular tools: Process Explorer, Autoruns, Process Monitor
Authored and maintained by Mark Russinovich (Technical Fellow in Azure)
Many co-authored by Bryce Cogswell (retired in 2010)
Two tools have key contributors:
ProcDump – Andrew Richards
LiveKd – Ken Johnson
Windows Sysinternals - www.sysinternals.com
The Sysinternals Administrator’s Reference
The official guide to the Sysinternals tools
Covers every tool, every feature, with tips
Written by Mark Russinovich and Aaron Margosis
Full chapters on the major tools: Process Explorer, Process Monitor, Autoruns
Other chapters by tool group: Security, Process, AD, Desktop, …
Case of the Unexplained
MICROSOFT CONFIDENTIAL – INTERNAL ONLY
The Sysinternals Primer Series @ TechEd
TechEd 2010
Process Explorer, Process Monitor, PsExec
TechEd 2011
Autoruns, Disk2Vhd, ProcDump, BgInfo, AccessChk
TechEd 2012
“Gems” (Procmon tricks, nerd-out on TS sessions/winsta/desktops, LogonSessions, DU)
TechEd 2013
What’s New/Updated Since the Book
TechEd 2014
More Cool Stuff You Can Do
More Cool Stuff for 2014…
VirusTotal integration
Output as CSV
New AccessChk features
Export to XML
“App Install Recorder”
And more…
VirusTotal integration
Sysinternals and VirusTotal.com
Scans files with 50+ anti-malware engines
VirusTotal APIs
Hash only or file upload
User must agree to VirusTotal’s terms of service
Process Explorer: inspect running EXE/DLL files
SigCheck: inspect any files on disk
SigCheck and VirusTotal
sigcheck ... [-v[r][s]] [-u] [-vt] <file or directory>
  -v   Query VirusTotal for malware based on file hash. Add ‘r’ to open reports for files with non-zero detection. Add ‘s’ to upload file if not previously scanned by VT.
  -u   When used with -v, reports files that are unknown or have non-zero detection.
  -vt  Accept VT terms of service without opening web page.
Output as CSV
Output as CSV
  -c   Comma-separated values
  -ct  Tab-delimited CSV
Supported by:
SigCheck
AutorunsC
DU (Disk Usage)
RU (Registry Usage)
New AccessChk Features
New AccessChk Features
-h SMB Shares (including admin shares)
-f Filtering “uninteresting” entities
AccessChk -c -w -f %filter% *

RpcLocator
RpcSs
RSoPProv
sacsvr
SamSs
SCardSvr
Schedule
SCPolicySvc
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
SNMP
  RW CONTOSO\An_Admin_Group
  RW Everyone
SNMPTRAP
AccessChk -c -l SNMP

SNMP
  DESCRIPTOR FLAGS:
      [SE_DACL_PRESENT]
      [SE_SACL_PRESENT]
  OWNER: NT AUTHORITY\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\Administrators
        SERVICE_ALL_ACCESS
  [1] ACCESS_ALLOWED_ACE_TYPE: CONTOSO\An_Admin_Group
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: Everyone
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: Everyone
        [OBJECT_INHERIT_ACE]
        [CONTAINER_INHERIT_ACE]
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_INTERROGATE
        SERVICE_ENUMERATE_DEPENDENTS
        SERVICE_USER_DEFINED_CONTROL
        WRITE_DAC
        WRITE_OWNER
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\SYSTEM
        SERVICE_ALL_ACCESS
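As an added example (not from the slides or the Sysinternals tools), this Python script parses the `accesschk -c -l` listing shown above and flags allow-ACEs that hand low-privilege principals write-class rights over a service, which is exactly what the SNMP output illustrates: Everyone holding WRITE_DAC and WRITE_OWNER. The sample text is constructed from the slide's output with the read-only rights abbreviated; which rights and principals count as risky is my assumption, not an AccessChk feature.

```python
import re
ACE_RE = re.compile(r"^\s+\[(\d+)\]\s+(\w+_ACE_TYPE):\s+(.+?)\s*$")
RIGHT_RE = re.compile(r"^\s+([A-Z_]+)\s*$")        # one access right per line
# Rights that let the holder reconfigure the service or rewrite its ACL (assumed set).
WRITE_RIGHTS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "WRITE_DAC",
                "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
# Principals every ordinary user on the machine belongs to (assumed set).
LOW_PRIV = {"Everyone", "NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users",
            "NT AUTHORITY\\INTERACTIVE"}
# Constructed sample: the slide's "accesschk -c -l SNMP" output, read rights abbreviated.
SAMPLE = """SNMP
  OWNER: NT AUTHORITY\\SYSTEM
  [0] ACCESS_ALLOWED_ACE_TYPE: BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  [1] ACCESS_ALLOWED_ACE_TYPE: CONTOSO\\An_Admin_Group
        SERVICE_ALL_ACCESS
  [2] ACCESS_ALLOWED_ACE_TYPE: Everyone
        SERVICE_QUERY_STATUS
        READ_CONTROL
  [3] ACCESS_ALLOWED_ACE_TYPE: Everyone
        [OBJECT_INHERIT_ACE]
        SERVICE_QUERY_STATUS
        WRITE_DAC
        WRITE_OWNER
  [4] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
"""

def parse_accesschk(text):
    """Parse 'accesschk -c -l <service>' output into a list of ACE dicts."""
    service, aces = None, []
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line: service name
            service = line.strip()
        elif (m := ACE_RE.match(line)):             # "[n] <ace type>: <trustee>"
            aces.append({"service": service, "index": int(m.group(1)),
                         "type": m.group(2), "trustee": m.group(3), "rights": []})
        elif aces and (m := RIGHT_RE.match(line)):  # "[FLAG]" and OWNER lines fall through
            aces[-1]["rights"].append(m.group(1))
    return aces

def weak_service_aces(text):
    """(service, trustee, write-class rights) for allow-ACEs held by low-privilege principals."""
    hits = []
    for ace in parse_accesschk(text):
        bad = sorted(set(ace["rights"]) & WRITE_RIGHTS)
        if bad and ace["type"] == "ACCESS_ALLOWED_ACE_TYPE" and ace["trustee"] in LOW_PRIV:
            hits.append((ace["service"], ace["trustee"], bad))
    return hits
```

Feed it the saved output of `accesschk -c -l *` to review every service at once; anything it returns is an ACL to tighten, since a principal with WRITE_DAC or WRITE_OWNER can grant itself the rest.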
Export to XML
Export to XML
“App Install Recorder”
And more!
And more!
Process Explorer
Run At Logon
PsExec 2.11
-r to specify name of service and exe
Encrypts sensitive data on the wire
PsPing 2.0
UDP latency and bandwidth testing
Timed tests
Histogram customization options
Configures necessary firewall rules
And even more!
BgInfo
Supports Windows 8.1
Disk2Vhd 2.01
Support for disks up to 2TB
Support for VHDX-formatted VHDs
Support for WinRE volumes
Can capture removable media
Option to capture live volumes instead of using volume shadow copy
Wrapping up…
Sysinternals Primers @ TechEd
Process Explorer, Process Monitor, and PsExec: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2010/WCL314
Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/WCL312
"Gems": http://channel9.msdn.com/events/TechEd/Europe/2012/SIA311
What’s new/updated since the book …: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B313
Sysinternals Resources
Sysinternals web site: http://www.Sysinternals.com, http://technet.microsoft.com/sysinternals
Sysinternals blog (announces updates): http://blogs.technet.com/b/sysinternals
Mark Russinovich’s blog: http://blogs.technet.com/MarkRussinovich
Windows Sysinternals Administrator’s Reference: http://www.amazon.com/Windows-Sysinternals-Administrators-Reference-Russinovich/dp/073565672X
More Sysinternals Resources
Blog posts and utilities by Aaron Margosis: http://blogs.msdn.com/aaron_margosis, http://blogs.technet.com/fdcc
Andrew Richards’ blog & Defrag Tools on Channel 9: http://blogs.msdn.com/b/andrew_richards/, http://channel9.msdn.com/Shows/Defrag-Tools
Andrew Richards in MSDN Magazine: Writing a Plug-in for Sysinternals ProcDump v4.0: http://msdn.microsoft.com/en-us/magazine/hh580738.aspx
Related content
DCIM-B368 TWC: Malware Hunting with Mark Russinovich and the Sysinternals Tools
WIN-B354 Case of the Unexplained: Troubleshooting with Mark Russinovich
WIN-B412 Hardcore Debugging
WIN-B413 Windows Performance Deep Dive Troubleshooting
DCIM-B359 TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them
Come Visit Us in the Microsoft Solutions Experience!
Look for Datacenter and Infrastructure Management
TechExpo Level 1 Hall CD
For More Information
Windows Server 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205286
Microsoft Azure: http://azure.microsoft.com/en-us/
System Center 2012 R2: http://technet.microsoft.com/en-US/evalcenter/dn205295
Azure Pack: http://www.microsoft.com/en-us/server-cloud/products/windows-azure-pack
Resources
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
msdn: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Complete an evaluation and enter to win!
Evaluate this session
Scan this QR code to evaluate this session.
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.