Windows Sysinternals: What They Are and How to Use Them

Have you ever wished you could have ultimate control over your Windows PC? Having the power to not just peek under the hood of almost any Windows process or application, but also the ability to see what files and registry keys your applications are accessing in real-time, is amazing.


A Brief History of Sysinternals

Sysinternals is a collection of free system, administration, and troubleshooting utilities for Windows.

Sysinternals goes almost as far back as Windows itself, with the first iteration dating back to 1996. Since then, the suite has evolved alongside each successive version of Windows, and the arsenal has expanded to over 70 distinct utilities. Microsoft acquired the software in 2006 and has kept it free to download, either as a complete package or as individual tools.


Sysinternals also receives regular updates, with new utilities being added over time. Best of all, the software is portable and doesn’t require you to install it. Most of the utilities are simple EXE files you can put on a USB flash drive and add to your Windows portable app toolkit for system administration.

How to Get Sysinternals

First, you’ll need to load Sysinternals onto your PC. Thankfully, this isn’t difficult.

Download Directly From Microsoft

To get started, visit the Sysinternals Utilities Index, where you can also read a short description of each tool’s function.

If you opt to download the full Sysinternals suite, your browser will download a ZIP file of around 45MB.


In your Downloads folder, right-click SysinternalsSuite.zip and select Extract All. Then choose a destination folder and click the Extract button.

Now you are free to explore and use the tools as you see fit. Bear in mind that most of the tools require administrator access, so right-click each tool and select Run as administrator before use.


Running the Tools From Sysinternals Live

Sysinternals Live is a service provided by Microsoft that enables you to execute Sysinternals tools directly from the web.

You may run an individual tool directly by entering its Sysinternals Live path into either File Explorer or the Run dialog, using the following syntax: \\live.sysinternals.com\tools\<toolname>


Press Win+R to bring up the Run dialog, type the path with the tool name at the end, and hit Enter or press OK.

After a moment or two, you will be met with a Security Warning where you can simply select Run to continue. Note that you can also browse the entire Microsoft Sysinternals Live tools directory in your browser.

What Can You Do With Sysinternals?

Whilst it is unlikely that any one person will ever make use of all the tools available within the suite, there is a plethora of utilities at your disposal.

There are tools such as Process Monitor, which monitors file system, registry, process, thread, and DLL activity in real time. Process Explorer, on the other hand, is similar to Windows Task Manager but with a ton of additional features.

Autoruns helps you manage Windows startup processes as well as detect particularly pesky embedded malware. See how to manage Windows startup programs with Autoruns for more information.

SDelete is a DoD-compliant secure-delete program that can also wipe your free space, so previously deleted files leave no trace behind.

There are also a variety of heavy-duty command line utilities that help with everything from network and file share security to advanced Active Directory installations and many more.

Next, let’s look at some of the more popular tools and how you might want to use them.

Process Explorer: Task Manager’s Big Brother

When you open Process Explorer for the first time, you may be slightly overwhelmed by the sheer amount of options and data you are presented with.

On the left pane, there is the hierarchical tree view which lists all processes and sub-processes running on your computer. Next to that, you will find the CPU and RAM usage, PID (process identifier), Description, and Company Name, all presented in columns that can be sorted and customized.

In the toolbar, there are mini activity graphs for CPU, Physical Memory, and Input / Output that open in a separate window when clicked. Under Options > Tray Icons you can also select which activity you would like displayed in your Windows taskbar when you minimize the application.

One of the major differences between Process Explorer and Windows Task Manager is the color-coded key used to identify different types of processes. You can bring this key up by going to Options > Color Selection. Keep an eye out for processes marked in purple, as these contain compressed (packed) code and could be a sign of hidden malware.

Right-clicking on any process displays a set of options, enabling you to Set Priority, Kill, Kill Process Tree, Suspend the process, and more.

Process Monitor: The Ultimate Windows Log

Process Monitor is quite different from Process Explorer.

Process Monitor allows you to capture a log of every single event that happens on your Windows PC. With Process Monitor, you may see which registry keys are being updated by any application. Even if a service or application is spawning a new process, changing the file system in some way, or connecting to a network, you can track it with Process Monitor.

When you first open Process Monitor, you will be greeted with an enormous amount of rows and data. In the background, Process Monitor will continue logging any registry, file system, network, process, and profiling event that may occur. This means that the list of data will rapidly grow even if your machine is idling away, as services interact with your system.

The key to using Process Monitor effectively is to filter events down to only the ones that interest you. For example, to quickly filter out Microsoft processes, go to Options > Select Columns and include Company Name. Then, by right-clicking on that column, you can use the Include / Exclude entries in the context menu to filter those events out.

Double-clicking an event, or right-clicking it and selecting Properties, opens an additional dialog with a wealth of information. From this dialog, you can determine the class of the event (e.g. File System or Registry) and its operation (such as RegQueryKey), the path the operation acted on, and the result.

From here you can dig even deeper by going to the Stack tab, where you can see the individual DLL files associated with the event.

By default, Process Monitor stores captured events in your computer’s virtual memory, so they are gone once you close it. Under File > Backing Files you can specify a file for the data to be written to and saved.
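The Company-column exclusion and the per-process view this section describes, reproduced as an added example (not part of the original article) over a constructed Process Monitor CSV export; the column names, company names and event rows are assumed for illustration:

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a Process Monitor "Save as CSV" export with the
# Company column added via Options > Select Columns (column names are assumed).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Company"
"10:01:02.1234567","svchost.exe","904","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion","SUCCESS","Type: REG_SZ","Microsoft Corporation"
"10:01:02.2345678","updater.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\Alice\AppData\Roaming\upd.exe","Example Corp"
"10:01:02.3456789","updater.exe","4120","WriteFile","C:\Users\Alice\AppData\Roaming\upd.exe","SUCCESS","Offset: 0, Length: 65536","Example Corp"
"10:01:02.4567890","updater.exe","4120","TCP Connect","host.example:443","SUCCESS","Length: 0","Example Corp"
"10:01:02.5678901","notepad.exe","2200","CreateFile","C:\Users\Alice\notes, draft.txt","SUCCESS","Desired Access: Generic Read","Microsoft Corporation"
"10:01:02.6789012","tool.exe","5100","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write",""
'''

EXCLUDED_COMPANIES = {"Microsoft Corporation"}
WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "WriteFile", "SetDispositionInformationFile"}
NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def parse_events(csv_text):
    # DictReader honours the quoting, so a path containing a comma stays one field.
    return list(csv.DictReader(io.StringIO(csv_text)))


def exclude_company(events, companies=EXCLUDED_COMPANIES):
    # Same effect as right-clicking the Company column and choosing Exclude.
    return [e for e in events if e.get("Company", "") not in companies]


def summarize(events):
    # Per process: how many write-type and network operations it performed,
    # how many operations were denied, and which paths it wrote to.
    summary = defaultdict(lambda: {"writes": 0, "network": 0, "denied": 0, "paths": []})
    for e in events:
        entry = summary[f'{e["Process Name"]} (PID {e["PID"]})']
        if e["Operation"] in WRITE_OPS:
            entry["writes"] += 1
            entry["paths"].append(e["Path"])
        elif e["Operation"] in NETWORK_OPS:
            entry["network"] += 1
        if e["Result"] == "ACCESS DENIED":
            entry["denied"] += 1
    return dict(summary)


def run_key_writes(events):
    # Registry writes under a Run key are persistence changes; they reappear
    # in Autoruns' Logon tab, so they deserve a second look.
    return [e for e in events if e["Operation"] == "RegSetValue" and "\\CurrentVersion\\Run" in e["Path"]]
```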

Autoruns: Configuring Startup Processes and Applications

Windows provides a few options for dealing with startup processes and applications out of the box. Task Manager, for example, has a dedicated Startup apps section within its navigation pane. The same information can also be found in the Settings app under Apps > Startup.

Whilst this is probably good enough for most people, it doesn’t really give you a full picture of what is being loaded each time you boot up your PC. In reality, there are many more sophisticated ways software can be configured to auto-start on Windows. There are browser helper objects, scheduled tasks, services, drivers, and even some nearly undetectable methods like image hijacks and AppInit_DLLs.

If you are looking for a comprehensive list of startup items then Autoruns is your answer.

By default, when you first open Autoruns you will land on the Everything tab, which displays every startup item from all of the other tabs combined. Naturally, you can cycle through the tabs to distill the information further.

Each tab gives you an idea of the mechanism used by the startup item. For example, the Logon tab displays all items loaded when your user logs in to Windows. The Explorer tab, on the other hand, lists all startup items that attach themselves to the File Explorer process when it runs.

To stop any startup item from running, simply uncheck the checkbox next to the program on the left. That’s all there is to it. Just be careful when deselecting anything in the Drivers and Services tabs, as most of these are essential for your Windows apps and components.
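The tab-by-tab review this section describes, as an added example (not from the article or the Sysinternals project) that triages a constructed Autoruns CSV export: the column names, entry locations, signers and paths are assumed, and Drivers and Services entries are only marked for review rather than disabled, matching the caution above:

```python
import csv
import io

# Constructed sample in the shape of Autoruns' CSV export (autorunsc -c);
# column names and every row are assumed for illustration.
SAMPLE_AUTORUNS = r'''Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,Logon,Microsoft OneDrive,(Verified) Microsoft Corporation,C:\Program Files\Microsoft OneDrive\OneDrive.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,Updater,(Not verified) Example Corp,C:\Users\Alice\AppData\Roaming\upd.exe
HKLM\System\CurrentControlSet\Services,ExampleSvc,enabled,Services,Example Service,(Verified) Example Corp,C:\Program Files\Example\svc.exe
HKLM\System\CurrentControlSet\Services,oldcard,enabled,Drivers,OldCard driver,(Not verified) OldCard Ltd,C:\Windows\System32\drivers\oldcard.sys
Task Scheduler,\Cleanup,enabled,Scheduled Tasks,Cleanup task,,File not found: C:\tmp\clean.exe
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers,ExampleExt,enabled,Explorer,Shell extension,(Verified) Example Corp,C:\Program Files\Example\ext.dll
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OldTool,disabled,Logon,Old tool,(Not verified) Nobody,C:\Users\Alice\AppData\Local\old.exe
'''

# Directories a standard user can write to; a startup image living there is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# The tabs the article warns about: disabling blindly here can break Windows itself.
HANDLE_WITH_CARE = {"Drivers", "Services"}


def parse_entries(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(entries):
    # Flag enabled entries that are unsigned, point at a missing file, or run
    # from a user-writable directory; Drivers/Services findings are marked for
    # review instead of immediate unchecking.
    findings = []
    for e in entries:
        if e["Enabled"].lower() != "enabled":
            continue
        reasons = []
        if not e["Signer"].startswith("(Verified)"):
            reasons.append("signature not verified")
        image = e["Image Path"]
        if image.startswith("File not found"):
            reasons.append("image missing on disk")
        elif any(p in image.lower() for p in USER_WRITABLE):
            reasons.append("image in user-writable location")
        if reasons:
            findings.append({"category": e["Category"], "entry": e["Entry"],
                             "location": e["Entry Location"], "reasons": reasons,
                             "handle_with_care": e["Category"] in HANDLE_WITH_CARE})
    return findings
```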

Sysinternals Offers So Much More

Hopefully what we have covered so far has turned you on to the idea of Sysinternals. Whether you want a complete snapshot of everything happening on your PC with Process Explorer, the granular detail exposed by Process Monitor, or the ultimate authority of what programs get to run at startup with Autoruns, Sysinternals has a tool for just about everything.

We’ve only covered the basics of what’s possible using the tools in the Sysinternals suite. Feel free to explore them on your own, but just remember with great power comes great responsibility.
