Forensics Wiki

Sysinternals utilities were originally created in 1996 by Mark Russinovich and Bryce Cogswell. Sysinternals is a Windows-based collection of tools that lets you manage, troubleshoot, diagnose, and conduct forensic research on Windows systems and applications. The tools are still useful today for analyzing Windows machines.

Sysinternals Live

Sysinternals Live is a relatively new service that lets you run Sysinternals tools directly from the Internet without downloading them first. To use it, enter the tool's path in Windows Explorer or at the command prompt in this format: http://live.sysinternals.com/<toolname>

Included Utilities

The following tools are included in Sysinternals:

  • AccessChk - Lets you see what type of access users and groups have to files, directories, registry keys, etc.
  • AccessEnum - Full view of your file system and registry security settings.
  • AdExplorer - Active Directory viewer and editor.
  • AdInsight - LDAP real-time monitoring tool used to troubleshoot Active Directory applications.
  • AdRestore - Ability to restore deleted Active Directory objects.
  • Autologon - Easily configure autologon mechanism.
  • Autoruns - Displays programs that are configured to run at start up.
  • BgInfo - Displays relevant information about the computer on the desktop, such as computer name, IP address, etc.
  • CacheSet - An applet to manipulate the working-set parameters of the system file cache.
  • ClockRes - Shows the resolution of the system clock.
  • Contig - Defragments a specified file or files.
  • Coreinfo - Shows you the mapping between logical processors and the physical processor.
  • Ctrl2Cap - Kernel-mode device driver that filters the system's keyboard class driver.
  • DebugView - Monitors debug output on your local system.
  • Desktops - Allows you to organize up to four virtual desktops.
  • Disk2vhd - Creates VHD (Virtual Hard Disk) versions of physical disks.
  • DiskExt - Returns information about what disks the partition of a volume is located on.
  • DiskMon - Logs and displays all hard disk activity.
  • DiskView - A graphical map of your hard drive.
  • DiskUsage (DU) - Reports the disk space usage for a specified directory.
  • EFSDump - Allows you to see who has access to encrypted files.
  • FindLinks - Reports the file index and hard links that exist for a specified file.
  • Handle - Displays information about open handles for any process.
  • Hex2dec - Converts Hex to Decimal and vice versa.
  • Junction - Creates junctions (symbolic links that combine directories from multiple locations).
  • LDMDump - Lets you examine exactly what is stored in a disk's copy of the system LDM database.
  • ListDLLs - Reports the DLLs that are loaded into processes.
  • LiveKd - Allows you to run the Kd and Windbg kernel debuggers.
  • LoadOrder - Shows the order in which the system loads device drivers.
  • LogonSessions - Lists currently active logon sessions.
  • MoveFile - Dumps the content of the pending rename/delete value.
  • NTFSInfo - Shows you information about NTFS volumes.
  • PageDefrag - Shows you how fragmented your paging files and registry hives are.
  • PendMoves - Dumps the content of the pending rename/delete value.
  • PipeList - Lists the named pipes on the system.
  • PortMon - Monitors and displays all serial and parallel port activity.
  • ProcDump - Monitors CPU spikes.
  • Process Explorer - Shows information about which handles and DLLs processes have opened or loaded.
  • Process Monitor - Shows real-time file system, registry, and process/thread activity.
  • PsExec - Allows you to execute processes on remote systems.
  • PsGetSid - Allows you to translate SIDs to their display names and vice versa.
  • PsInfo - Gathers key information about the local or remote system including kernel build and the amount of memory.
  • PsPing - Implements ping functionality.
  • PsKill - Can kill processes on local and remote systems.
  • PsList - Displays information about processes, memory, and threads.
  • PsLoggedOn - Shows who is using what resources on a local or remote machine.
  • PsLogList - Allows you to log in to remote systems in situations where security credentials do not permit it.
  • PsPasswd - Allows you to change an account password on local or remote systems.
  • PsService - A service viewer and controller for Windows.
  • PsShutdown - Allows you to logoff the console user or lock the console among other things.
  • PsSuspend - Allows you to suspend processes on the local or a remote system.
  • RAMMap - A physical memory usage analysis tool to see how Windows is assigning physical memory.
  • RegDelNull - Allows you to search for and delete registry keys.
  • Registry Usage (RU) - Reports the registry space usage.
  • RegJump - Opens Regedit directly to a specified registry path.
  • RootkitRevealer - Detects rootkits.
  • SDelete - Allows you to delete one or more files/directories or to cleanse the free space on a drive.
  • ShareEnum - Allows you to lock down file shares.
  • ShellRunas - Allows you to launch programs under different accounts.
  • SigCheck - Shows file version number, timestamp, and digital signature details.
  • Streams - Allows you to see which NTFS files have alternate streams associated with them.
  • Strings - Searches files for a specified string.
  • Sync - Allows you to flush all file system data to disk.
  • TCPView - Shows detailed listings of all TCP and UDP endpoints on your system.
  • VMMap - A process virtual and physical memory analysis tool.
  • VolumeID - Allows you to change the IDs of FAT and NTFS disks.
  • WhoIs - Performs a registration-record lookup for the specified domain name or IP address.
  • WinObj - Displays information about the NT Object Manager's namespace.
  • ZoomIt - A screen zoom and annotation tool for technical presentations.