Windows® Sysinternals Administrator’s Reference

Book Description

Get in-depth guidance—and inside insights—for using the Windows Sysinternals tools available from Microsoft TechNet. Guided by Sysinternals creator Mark Russinovich and Windows expert Aaron Margosis, you’ll drill into the features and functions of dozens of free file, disk, process, security, and Windows management tools. And you’ll learn how to apply the book’s best practices to help resolve your own technical issues the way the experts do.

Diagnose. Troubleshoot. Optimize.

  • Analyze CPU spikes, memory leaks, and other system problems

  • Get a comprehensive view of file, disk, registry, process/thread, and network activity

  • Diagnose and troubleshoot issues with Active Directory

  • Easily scan, disable, and remove autostart applications and components

  • Monitor application debug output

  • Generate trigger-based memory dumps for application troubleshooting

  • Audit and analyze file digital signatures, permissions, and other security information

  • Execute Sysinternals management tools on one or more remote computers

  • Master Process Explorer, Process Monitor, and Autoruns

Table of Contents

    1. Windows® Sysinternals Administrator’s Reference
    2. Dedication
    3. Foreword
    4. Introduction
      1. Tools the Book Covers
      2. The History of Sysinternals
      3. Who Should Read This Book
        1. Assumptions
      4. Organization of This Book
      5. Conventions and Features in This Book
      6. System Requirements
      7. Acknowledgments
      8. Errata & Book Support
      9. We Want to Hear from You
      10. Stay in Touch
    5. I. Getting Started
      1. 1. Getting Started with the Sysinternals Utilities
        1. Overview of the Utilities
        2. The Windows Sysinternals Web Site
          1. Downloading the Utilities
          2. Running the Utilities Directly from the Web
          3. Single Executable Image
          4. The Windows Sysinternals Forums
          5. Windows Sysinternals Site Blog
          6. Mark’s Blog
          7. Mark’s Webcasts
        3. Sysinternals License Information
          1. End User License Agreement and the /accepteula Switch
          2. Frequently Asked Questions About Sysinternals Licensing
      2. 2. Windows Core Concepts
        1. Administrative Rights
          1. Running a Program with Administrative Rights on Windows XP and Windows Server 2003
          2. Running a Program with Administrative Rights on Windows Vista or Newer
        2. Processes, Threads, and Jobs
        3. User Mode and Kernel Mode
        4. Handles
        5. Call Stacks and Symbols
          1. What Is a Call Stack?
          2. What Are Symbols?
          3. Configuring Symbols
        6. Sessions, Window Stations, Desktops, and Window Messages
          1. Terminal Services Sessions
          2. Window Stations
          3. Desktops
          4. Window Messages
    6. II. Usage Guide
      1. 3. Process Explorer
        1. Procexp Overview
          1. Measuring CPU Consumption
          2. Administrative Rights
        2. Main Window
          1. Process List
            1. Process Highlighting
            2. Updating the Display
            3. Default Columns
            4. Process Tree
            5. Tooltips
            6. What You Can Expect to See
              1. System processes
              2. Startup and Logon Processes
              3. User Processes
            7. Process Actions
          2. Customizing Column Selections
            1. Process Image Tab
            2. Process Performance Tab
            3. Process Memory Tab
            4. .NET Tab
            5. Process I/O Tab
            6. Process Network Tab
            7. Process Disk Tab
            8. Column Sets
          3. Saving Displayed Data
          4. Toolbar Reference
            1. Graphs
            2. Toolbar Buttons
          5. Identifying the Process That Owns a Window
          6. Status Bar
        3. DLLs and Handles
          1. Finding DLLs or Handles
          2. DLL View
            1. Customizing DLL View
            2. Peering Deeper into DLLs
          3. Handle View
            1. Customizing Handle View
        4. Process Details
          1. Image Tab
          2. Performance Tab
          3. Performance Graph Tab
          4. Threads Tab
          5. TCP/IP Tab
          6. Security Tab
          7. Environment Tab
          8. Strings Tab
          9. Services Tab
          10. .NET Tabs
          11. Job Tab
        5. Thread Details
        6. Verifying Image Signatures
        7. System Information
        8. Display Options
        9. Procexp as a Task Manager Replacement
          1. Creating Processes from Procexp
          2. Other User Sessions
        10. Miscellaneous Features
          1. Shutdown Options
          2. Command-Line Switches
          3. Restoring Procexp Defaults
        11. Keyboard Shortcut Reference
      2. 4. Process Monitor
        1. Getting Started with Procmon
        2. Events
          1. Understanding the Column Display Defaults
          2. Customizing the Column Display
          3. Event Properties Dialog Box
            1. Event Tab
            2. Process Tab
            3. Stack Tab
          4. Displaying Profiling Events
          5. Finding an Event
          6. Copying Event Data
          7. Jumping to a Registry or File Location
          8. Searching Online
        3. Filtering and Highlighting
          1. Configuring Filters
          2. Configuring Highlighting
          3. Advanced Output
          4. Saving Filters for Later Use
        4. Process Tree
        5. Saving and Opening Procmon Traces
          1. Saving Procmon Traces
          2. Opening Saved Procmon Traces
        6. Logging Boot, Post-Logoff, and Shutdown Activity
          1. Boot Logging
          2. Keeping Procmon Running After Logoff
        7. Long-Running Traces and Controlling Log Sizes
          1. Drop Filtered Events
          2. History Depth
          3. Backing Files
        8. Importing and Exporting Configuration Settings
        9. Automating Procmon: Command-Line Options
        10. Analysis Tools
          1. Process Activity Summary
          2. File Summary
          3. Registry Summary
          4. Stack Summary
          5. Network Summary
          6. Cross Reference Summary
          7. Count Occurrences
        11. Injecting Debug Output into Procmon Traces
        12. Toolbar Reference
      3. 5. Autoruns
        1. Autoruns Fundamentals
          1. Disabling or Deleting Autostart Entries
          2. Autoruns and Administrative Permissions
          3. Verifying Code Signatures
          4. Hiding Microsoft Entries
          5. Getting More Information About an Entry
          6. Viewing the Autostarts of Other Users
          7. Viewing ASEPs of an Offline System
          8. Listing Unused ASEPs
          9. Changing the Font
        2. Autostart Categories
          1. Logon
          2. Explorer
          3. Internet Explorer
          4. Scheduled Tasks
          5. Services
          6. Drivers
          7. Codecs
          8. Boot Execute
          9. Image Hijacks
          10. AppInit
          11. KnownDLLs
          12. Winlogon
          13. Winsock Providers
          14. Print Monitors
          15. LSA Providers
          16. Network Providers
          17. Sidebar Gadgets
        3. Saving and Comparing Results
          1. Saving as Tab-Delimited Text
          2. Saving in Binary (.arn) Format
          3. Viewing and Comparing Saved Results
        4. AutorunsC
        5. Autoruns and Malware
      4. 6. PsTools
        1. Common Features
          1. Remote Operations
            1. Remote Operations on Multiple Computers
            2. Alternate Credentials
          2. Troubleshooting Remote PsTools Connections
            1. Basic Connectivity
            2. User Accounts
        2. PsExec
          1. Remote Process Exit
          2. Redirected Console Output
          3. PsExec Alternate Credentials
          4. PsExec Command-Line Options
          5. Process Performance Options
          6. Remote Connectivity Options
          7. Runtime Environment Options
        3. PsFile
        4. PsGetSid
        5. PsInfo
        6. PsKill
        7. PsList
        8. PsLoggedOn
        9. PsLogList
        10. PsPasswd
        11. PsService
          1. Query
          2. Config
          3. Depend
          4. Security
          5. Find
          6. SetConfig
          7. Start, Stop, Restart, Pause, Continue
        12. PsShutdown
        13. PsSuspend
        14. PsTools Command-Line Syntax
          1. PsExec
          2. PsFile
          3. PsGetSid
          4. PsInfo
          5. PsKill
          6. PsList
          7. PsLoggedOn
          8. PsLogList
          9. PsPasswd
          10. PsService
          11. PsShutdown
          12. PsSuspend
        15. PsTools System Requirements
      5. 7. Process and Diagnostic Utilities
        1. VMMap
          1. Starting VMMap and Choosing a Process
            1. View a Running Process
            2. Launch and Trace a New Process
          2. The VMMap window
          3. Memory Types
          4. Memory Information
          5. Timeline and Snapshots
          6. Viewing Text Within Memory Regions
          7. Finding and Copying Text
          8. Viewing Allocations from Instrumented Processes
          9. Address Space Fragmentation
          10. Saving and Loading Snapshot Results
          11. VMMap Command-Line Options
            1. -64
            2. -p {PID | processname} [outputfile]
            3. -o inputfile
          12. Restoring VMMap defaults
        2. ProcDump
          1. Command-Line Syntax
          2. Specifying Which Process to Monitor
          3. Specifying the Dump File Path
          4. Specifying Criteria for a Dump
          5. Dump File Options
          6. Miniplus Dumps
          7. Running ProcDump Noninteractively
          8. Capturing All Application Crashes with ProcDump
          9. Viewing the Dump in the Debugger
        3. DebugView
          1. What Is Debug Output?
          2. The DebugView Display
          3. Capturing User-Mode Debug Output
          4. Capturing Kernel-Mode Debug Output
          5. Searching, Filtering, and Highlighting Output
            1. Clearing the Display
            2. Searching
            3. Filtering
            4. Highlighting
            5. Saving and Restoring Filter and Highlight Rules
            6. History Depth
          6. Saving, Logging, and Printing
            1. Logging
            2. Printing
          7. Remote Monitoring
            1. Running the DebugView Agent
        4. LiveKd
          1. LiveKd Requirements
          2. Running LiveKd
          3. LiveKd Examples
        5. ListDLLs
        6. Handle
          1. Handle List and Search
          2. Handle Counts
          3. Closing Handles
      6. 8. Security Utilities
        1. SigCheck
          1. Signature Verification
          2. Which Files to Scan
          3. Additional File Information
          4. Output Format
        2. AccessChk
          1. What Are “Effective Permissions”?
          2. Using AccessChk
          3. Object Type
          4. Searching for Access Rights
          5. Output Options
        3. AccessEnum
        4. ShareEnum
        5. ShellRunAs
        6. Autologon
        7. LogonSessions
        8. SDelete
          1. Using SDelete
          2. How SDelete Works
      7. 9. Active Directory Utilities
        1. AdExplorer
          1. Connecting to a Domain
          2. The AdExplorer Display
          3. Objects
          4. Attributes
          5. Searching
          6. Snapshots
          7. AdExplorer Configuration
        2. AdInsight
          1. AdInsight Data Capture
          2. Display Options
            1. Setting Time Display Options
            2. Display Names
          3. Finding Information of Interest
            1. Finding Text
            2. Highlighting Events
            3. Viewing Associated Events
            4. Finding Event Errors
          4. Filtering Results
          5. Saving and Exporting AdInsight Data
          6. Command-Line Options
        3. AdRestore
      8. 10. Desktop Utilities
        1. BgInfo
          1. Configuring Data to Display
          2. Appearance Options
          3. Saving BgInfo Configuration for Later Use
          4. Other Output Options
          5. Updating Other Desktops
        2. Desktops
        3. ZoomIt
          1. Using ZoomIt
          2. Zoom Mode
          3. Drawing Mode
          4. Typing Mode
          5. Break Timer
          6. LiveZoom
      9. 11. File Utilities
        1. Strings
        2. Streams
        3. NTFS Link Utilities
          1. Junction
          2. FindLinks
        4. DU (Disk Usage)
        5. Post-Reboot File Operation Utilities
          1. PendMoves
          2. MoveFile
      10. 12. Disk Utilities
        1. Disk2Vhd
        2. Diskmon
        3. Sync
        4. DiskView
        5. Contig
        6. PageDefrag
        7. DiskExt
        8. LDMDump
        9. VolumeID
      11. 13. Network and Communication Utilities
        1. TCPView
        2. Whois
        3. Portmon
          1. Searching, Filtering, and Highlighting
          2. Saving, Logging, and Printing
      12. 14. System Information Utilities
        1. RAMMap
          1. Use Counts
          2. Processes
          3. Priority Summary
          4. Physical Pages
          5. Physical Ranges
          6. File Summary
          7. File Details
          8. Purging Physical Memory
          9. Saving and Loading Snapshots
        2. CoreInfo
        3. ProcFeatures
        4. WinObj
        5. LoadOrder
        6. PipeList
        7. ClockRes
      13. 15. Miscellaneous Utilities
        1. RegJump
        2. Hex2Dec
        3. RegDelNull
        4. Bluescreen Screen Saver
        5. Ctrl2Cap
    7. III. Troubleshooting—“The Case of the Unexplained...”
      1. 16. Error Messages
        1. The Case of the Locked Folder
        2. The Case of the Failed AV Update
        3. The Case of the Failed Lotus Notes Backups
        4. The Case of the Failed Play-To
        5. The Case of the Crashing Proksi Utility
        6. The Case of the Installation Failure
          1. The Troubleshooting
          2. The Analysis
            1. What Is IniFileMapping?
            2. What Is Autorun.inf?
            3. Why Did This Computer Have an IniFileMapping for Autorun.inf?
            4. Why Did This Application Install Fail?
        7. The Case of the Missing Folder Association
        8. The Case of the Temporary Registry Profiles
      2. 17. Hangs and Sluggish Performance
        1. The Case of the IExplore-Pegged CPU
        2. The Case of the Excessive ReadyBoost
        3. The Case of the Slow Keynote Demo
        4. The Case of the Slow Project File Opens
        5. The Compound Case of the Outlook Hangs
      3. 18. Malware
        1. The Case of the Sysinternals-Blocking Malware
        2. The Case of the Process-Killing Malware
        3. The Case of the Fake System Component
        4. The Case of the Mysterious ASEP
    8. A. About the Authors
    9. Index
    10. About the Authors
    11. Copyright