Sysinternals utilities are one of the best friends of administrator.Sysinternals was original created back in 1996 by Mark Russinovich and Bryce Cogswell and was bought by Microsoft in 2006. Since then the company has continued to release new tools and improve the existing ones.
The Sysinternals suite consists of the following different categories:
- File and Disk Utilities
- Networking Utilities
- Process Utilities
- Security Utilities
- System Information Utilities
- Miscellaneous Utilities
We will look into some interesting utilities that can come to our rescue in a handy.
TCPView is a program from Windows that shows a detail listings of all the TCP and UDP endpoints on a system, including all the local and remote addresses and state of TCP connections. TCP View is a subset of the NetStat program which provides a more informative and conveniently handled data. On downloading TCPView Tcpvcon and a command-line version with the same functionality comes along as a surprise gift.
TCPView enumerates all the active TCP and UDP endpoints, resolving all IP addresses to their domain name versions. To toggle between the displays of resolved names a toolbar button or menu item can be used. By default, TCPView updates every second, but you can use the Options|Refresh Rate menu item to change the rate.Color Coding: Endpoints which changes state from one update to the next are highlighted in yellow; those which are deleted are shown in red, and new endpoints are shown in green.
One can close any established connections which are labeled as a Established by selecting File|Close Connections, or by right-clicking on a connection and choosing Close Connections from the resulting context menu.
Tcpvcon is similar to use as the built-in Windows netstat utility.
Usage: tcpvcon [-a] [-c] [-n] [process name or PID]
-a Show all endpoints (default is to show established TCP connections).
-c Print output as CSV.
-n Don’t resolve addresses.
The TCPView is a very useful and a handy tool which gives the details in one view to the Administrator.
Process Monitor v3.0
Process Monitor is monitoring tool that shows file system, Registry and process/thread activity. It is a combination of the features of two important Sysinternals utilities, Filemon and Regmon. It adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. It is a powerful utility whose features will make it an important utility in one’s system troubleshooting and malware hunting toolkit.
Overview of Process Monitor Capabilities
Process Monitor includes powerful monitoring and filtering capabilities, including:
- The data captured for operation input and output parameters is more detailed.
- The thread stacks are captured for each operation making it easier to identify the root cause of any operation.
- Capture of process details, including image path, command line, user and session ID
- The event properties columns are configurable and moveable
- The filters can be set for any data field, including fields which are not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- A process tree tool shows relationship of all processes referenced in a trace
- Easy viewing of process image information
- Boot time logging of all operations is possible.
There are malwares present which analyze whether any of the Sysinternal tools are running and before attack they make sure to close it or change its own behavior. These types of malwares need to be analyzed separately.
If used properly the Sysinternals now called as WinInternals can be very useful and can make you work easier if used properly.
The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files.