SYSINTERNALS TOOLS August 24, 2014

Sysinternals Tools by Jigar Lad


Page 1: Sysinternals Tools by Jigar Lad

1. What Are the SysInternals Tools and How Do You Use Them?

Sysinternals Tools:

Sysinternals Tools were originally developed by Winternals Software LP; Microsoft acquired the company and its assets on 18 July 2006.

The tools are now part of the Microsoft TechNet website, which offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor Microsoft Windows environments.

Most of the utilities are developed in C, C++ or assembly language. The code was compatible with Visual C++ v6.0 and could be compiled with little effort by a Windows developer.

Not all of the utilities come with source code; for some, only an older version is available with source. Later, 64-bit and Linux versions were released.

How To Use:

Sysinternals Tools can be downloaded from Microsoft's TechNet website as a single zip file containing all the utilities, or as a separate zip file for each individual application as needed.

The tools are portable, so you don't need to install them after extracting them from the zip file. Because they are portable, Sysinternals Tools can also be run from USB sticks or Live CDs and carried around easily. If you want to avoid downloading, unzipping and running them locally or from CDs or USB sticks, you can simply type \\live.sysinternals.com\ in the Windows Run box.

After running the command you will see three shared folders named Files, Tools and WindowsInternals.

JIGAR LAD i


Then select Tools to view the list of tools available in the Sysinternals Suite.

Once the tools are listed, double-click the tool you want, or type its location directly, which is a little faster.


Running tools this way requires a good internet connection.
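The live-share procedure above, as an added PowerShell example that is not part of the original document: it checks the one dependency the document does not mention (the UNC path is served over WebDAV, so the WebClient service must be running), lists the Tools share and runs a tool from it. The tool chosen (PsInfo) and its -accepteula switch are assumptions for illustration.

```powershell
# Added example (not from the original document): run a Sysinternals tool
# straight from \\live.sysinternals.com\tools, the Tools share described above.
$share = '\\live.sysinternals.com\tools'

# The live share is served over WebDAV, so UNC access depends on the
# WebClient service; without it the path simply fails to resolve.
$webClient = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $webClient) {
    throw 'WebClient service is not installed; the live share cannot be opened.'
}
if ($webClient.Status -ne 'Running') {
    Start-Service -Name WebClient   # requires an elevated session
}

# Confirm the share answers before trying to run anything (needs internet).
if (-not (Test-Path -LiteralPath $share)) {
    throw "Cannot reach $share - check connectivity and proxy settings."
}

# List the executables exposed by the Tools share, as the document's
# second step does through Explorer.
Get-ChildItem -LiteralPath $share -Filter '*.exe' |
    Select-Object -ExpandProperty Name

# Run PsInfo directly from the share. -accepteula suppresses the licence
# dialog so the tool also works in a non-interactive session (assumed choice
# of tool; any executable in the share can be run the same way).
& "$share\psinfo.exe" -accepteula
```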

Below are short descriptions of some Sysinternals Tools:

AccessEnum: It displays who has access to the files and folders within a directory. Although every file/directory is examined, AccessEnum displays only those with permissions that differ from their parent folder, allowing you to quickly determine deviations in your security policy.
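The reporting rule AccessEnum uses, reproduced in PowerShell as an added example that is not part of the original document or of the tool: a file or folder can only differ from its parent where it carries an explicit (non-inherited) ACE or has inheritance disabled, so the function walks a tree and reports exactly those items. The root path is an assumed input.

```powershell
# Added example (not from the original document): list the items under a
# directory whose permissions can differ from their parent folder, which is
# where deviations from the intended security policy originate.
function Get-AclDeviation {
    param([Parameter(Mandatory)][string]$Root)   # assumed input path

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            try {
                $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
            } catch {
                # Not being allowed to read a DACL is itself worth reporting.
                [pscustomobject]@{ Path = $item.FullName; Reason = 'ACL not readable'; Explicit = '' }
                return   # ends this iteration of ForEach-Object
            }

            # Rules that were set on this object rather than inherited.
            $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

            # An item that only inherits its parent's rules has nothing to report.
            if ($acl.AreAccessRulesProtected -or $explicit.Count -gt 0) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Reason   = if ($acl.AreAccessRulesProtected) { 'inheritance disabled' } else { 'explicit ACE' }
                    Explicit = ($explicit | ForEach-Object {
                        "$($_.AccessControlType) $($_.IdentityReference) $($_.FileSystemRights)" }) -join '; '
                }
            }
        }
}

# Example run against an assumed web root; every line printed is a place
# where someone changed permissions by hand and should be reviewed.
Get-AclDeviation -Root 'C:\inetpub' | Format-Table -AutoSize -Wrap
```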

Clockres: It gives the resolution of the system clock, or, put another way, the maximum timer resolution that your application could obtain. The answer lies in a simple function named GetSystemTimeAdjustment; the ClockRes applet calls that function and shows you the result.

Coreinfo: It dumps detailed information on the system's CPU and memory topology.

DebugView: It is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP.


Disk2VHD: Disk2vhd is a utility that creates VHD or VHDX versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines.

Diskext: Diskext is a valuable utility that maps drive letters to disk extents, volume names and disk numbers.

DiskView: It is the leading disk space usage manager that shows how disk space is being utilized, and gives a visual report of disk health - all within Windows Explorer.


PsGetsid: It allows you to translate SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts.

PsInfo: Lists information about a system, including the type of installation, kernel build, registered organization, owner, processor details, physical memory and the system install date.


RamMap: A tool that tells you more about how RAM is being used on your PC. The program is aimed primarily at developers and Windows experts, but it also has some elements that will be useful to just about everyone.

2. Understanding Process Explorer.

Description:

Process Explorer is an advanced process management utility that picks up where Task Manager leaves off. It will show you detailed information about a process including its icon, command line, full image path, memory statistics, user account, security attributes, and more. When you zoom in on a particular process you can list the DLLs it has loaded or the operating system resource handles it has open. A search capability enables you to track down a process that has a resource opened, such as a file, directory or Registry key, or to view the list of processes that have a DLL loaded.

Features:

It shows child processes and their relationships in a tree view.

Provides exact information about CPU usage.

Can be considered the best alternative to Task Manager in Windows.

Can show which process is using which DLL files.

Can show which process owns an open window.

Can show which process has a file or folder open and locked.

Provides complete information about a process and its related threads, memory usage, handles and objects.

Can kill a process along with all its child processes.

Can pause (suspend) any process.

The latest version has a VirusTotal module, so we can check a process for viruses without leaving Process Explorer.

Next is the process listing screen, which shows the parent processes with their child processes beneath them, using different colors to make them easy to identify.


Process: The file name of the executable, along with its icon if one exists.

CPU: The percentage of CPU time in the last

Private Bytes: The amount of memory allocated to this program alone.

Working Set: The amount of actual RAM allocated to this program by Windows.

PID: The process identifier.

Description: The description, if the application has one.

Company Name: This one is more useful than you think. If something isn't quite right, start by looking for processes that aren't by Microsoft.

To see which color indicates which kind of information in the process screen, see the image below.

Now let's see what actions we can take on an individual process.

Window: Has options including Bring to Front, which can help you identify the window associated with a process. If the process has no windows, this is grayed out.

Set Affinity

Set Priority: You can use this to configure the priority of a process. This is mostly useful for taming a runaway process that you don't want to kill.

Kill Process: This quickly kills that process.

Kill Process Tree: This kills the item in the list and all children of that parent process.

Restart: Spectacularly useful while testing, this just kills the process and then restarts it. It's worth noting that killing processes might result in lost data.


Suspend: This handy option is great for troubleshooting when a process is out of control. You can suspend the process rather than kill it, and check whether anything is out of whack.

Check VirusTotal: This is a new option that we'll explain further along. It's quite handy really, as it checks the process for viruses.

Search Online: This will just search the web for the name of the process.

Verifying Application Identity:

As shown in the image above, we can verify an application's identity, that is, whether or not it is a trusted one.

It can also be used to check whether any malicious application is running and which resources it uses.
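The identity check described above, and the Company Name advice from the column list ("start by looking for processes that aren't by Microsoft"), as an added PowerShell example that is not part of the original document or of Process Explorer: it lists running processes whose image is unsigned, has an invalid signature, or is signed by someone other than Microsoft. It assumes an elevated session so that every process's image path can be read.

```powershell
# Added example (not from the original document): a script-based version of
# the identity check Process Explorer performs through its Verified Signer and
# Company Name columns.
function Get-UnverifiedProcess {
    Get-Process |
        Where-Object { $_.Path } |            # kernel and protected processes expose no Path
        Sort-Object -Property Path -Unique |  # verify each image once, not once per PID
        ForEach-Object {
            # Get-AuthenticodeSignature also consults the Windows catalog, so
            # catalog-signed system binaries report as Valid with a signer.
            $sig    = Get-AuthenticodeSignature -FilePath $_.Path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            # "Trusted" here means a valid signature whose subject is Microsoft;
            # everything else is surfaced for a closer look, not declared malicious.
            $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
            if (-not $isMicrosoft) {
                [pscustomobject]@{
                    Name    = $_.ProcessName
                    Path    = $_.Path
                    Company = $_.Company      # the same field Process Explorer shows as Company Name
                    Status  = $sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer  = $signer
                }
            }
        }
}

# Each row is a candidate for the document's next steps: check the image path,
# the signer, and the process's resources, or submit it to VirusTotal.
Get-UnverifiedProcess | Format-Table -AutoSize -Wrap
```

A HashMismatch status on a binary that claims a well-known Company Name is the most interesting line in this output, since the file no longer matches what its signer signed.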
