
The Hidden Treasures of Sysinternals

Posted by kdawson
from the right-tools-for-the-job dept.
Barence writes "PC Pro contributing editor Jon Honeyball has written a nice feature on the latest treasures to be found on the Windows Sysinternals website. Among them are a tool for creating virtual hard disks from physical drives, a hard disk read-write monitoring tool, and a utility for putting ISO images onto flash drives. They're free, but they're effective."
  • pstools best by far (Score:2, Informative)

    by Anonymous Coward

    psexec has saved my ass SO many times it's not even funny. psexec \\almostcrashedserver cmd.exe

  • Duh (Score:5, Insightful)

    by afidel (530433) on Tuesday February 09, 2010 @03:51PM (#31076766)
    There's a reason MS bought the company and hired Mark, he consistently puts out the most useful tools for in the trenches Windows diagnostics. Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.
    • Re: (Score:3, Interesting)

      by Jeng (926980)

      And here I thought that Mark got hired to turn Windows Vista into Windows 7. ( I have no idea, but it was my thought at the time that they bought the best kernel hacker out there to redo Vista. )

      Glad to see that not only are Mark's old free tools still free, but that Microsoft is allowing new tools of his to be free also. Very un-microsoft of microsoft.

    • Re: (Score:3, Interesting)

      by EvanED (569694)

      Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.

      Around the time MS hired Russinovich a lot of people on Slashdot were worried that it would mean the death of Sysinternals's tools, but what you say is why that argument was almost ridiculous: there'd have been open revolt within MS if that went down.

      (I suppose they could have kept the tools internal to MS, but that didn't seem likely.)

    • Re:Duh (Score:5, Funny)

      by bertok (226922) on Tuesday February 09, 2010 @05:01PM (#31077800)

      There's a reason MS bought the company and hired Mark, he consistently puts out the most useful tools for in the trenches Windows diagnostics. Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.

      And the very first thing they did, within mere days of the acquisition, is they took his ultra-efficient, elegant little tools and put a 200KB EULA popup into every one of them.

      A GUI popup.

      Even into the command line tools.

      I threw up in my mouth a little when I saw that.

      • Re:Duh (Score:5, Informative)

        by Anonymous Coward on Tuesday February 09, 2010 @05:31PM (#31078296)

        Might be a pain, but you can always use the /accepteula command-line switch...

      • Re:Duh (Score:5, Insightful)

        by RAMMS+EIN (578166) on Tuesday February 09, 2010 @05:45PM (#31078524) Homepage Journal

        ``And the very first thing they did, within mere days of the acquisition, is they took his ultra-efficient, elegant little tools and put a 200KB EULA popup into every one of them.''

        A fine example of how proprietary software is so much more user-friendly than open-source software.

        ``A GUI popup.

        Even into the command line tools.''

        That, of course, is to make them more user-friendly. Everybody knows the command-line is just for Unix hippies who still live in the 1970s.

      • by riffer (75940) *
        Yeah, me too. I was horrified. In fact, as soon as I read that Mark was going to the dark side, I did a full rip of the entire SysInternals website, just to make sure I'd have an untainted copy of all his wonderful, useful Windows tools. I was very glad I did that when I saw Microsoft freaking triple the size of some of the binaries...
  • Best Buy (Score:5, Funny)

    by liquidpele (663430) on Tuesday February 09, 2010 @03:53PM (#31076788) Journal
    I bet Best Buy could sure use these
    • Re: (Score:2, Insightful)

      by zero0ne (1309517)

      I understand the joke... but let's be serious here, I would be surprised if even 5% of their staff understands how to use these tools correctly.

      When they first started GeekSquad in my area, I was there for a total of 3 months (~15/hr was a good chunk of cash for a college student).

      I saw:

      - people returning towers that ended up having the actual folder we used to document our steps INSIDE the case (surprised the thing didn't overheat)

      - employees trying to remove a power supply without properly unscrewing and de

  • by tjstork (137384) <todd,bandrowsky&gmail,com> on Tuesday February 09, 2010 @03:53PM (#31076792) Homepage Journal

    You know, sysinternals was an amazing piece of reverse engineering work and some of the utilities that came out of it were pretty interesting as examples of that reverse engineering work.

    But...

    All that stuff is junk compared to what Linux does for utilities!

    I mean, my ubuntu has had burning ISOs and copying them any which way now for at least 5 years. I can type sensors and get the motherboard temperature, fan speeds, everything. I mean, if you are into doing hardware and low level OS hardware interfacing stuff, there's enough gobbledygook in /proc to keep anyone happy from Linux, and then there's all the log files and then the source.

    I mean, yeah, Windows has its advantages, but sysinternals isn't one of them. sysinternals is just proof that for a lot of applications you have to be a hero to get it to do anything simply because the source is closed.

    • by heffrey (229704) on Tuesday February 09, 2010 @04:07PM (#31077036)

      Let me see if I've got this straight. A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

      This sounds a bit like Raymond Chen's post today: http://blogs.msdn.com/oldnewthing/archive/2010/02/09/9960102.aspx [msdn.com].

      • by Whatsisname (891214) on Tuesday February 09, 2010 @04:13PM (#31077128) Homepage

        The tools on sysinternals are tools that should come with windows from day one.

        • Re: (Score:3, Funny)

          Why? Most people won't use them. Then what will happen is you same people would be whining about how Microsoft is "bloating" Windows with all sorts of applications.

          • Re: (Score:3, Insightful)

            by Pr0xY (526811)

            Why compromise and have the installer have a checkbox for "advanced tools?" 99% of people will blindly click next without checking it, they won't get it, the other 1% will actually read what is being asked of them and possibly install it.

            Seems like it would be simple to include it without bloating things at all.

            • The vast majority of Windows users never use the installer. It comes preinstalled on a system they buy from an OEM.
          • You're trying to apply logic to a religious war. :)
          • Re: (Score:3, Insightful)

            by mcgrew (92797) *

            "Bloat" isn't putting apps on a CD you can choose to install or not, it's forcing unnecessary features that few will use in an app or OS.

            IE is bloat, since it's welded to the OS and there are superior alternatives; on most people I know who use windows, it's superfluous since they use Firefox.

            IINM these utilities, both in Windows and in Linux, aren't mandatory like IE is.

          • Why? Most people won't use them.

            Grep and wget. Anyone who discovers these two, really simple to use command line (well, shell, let's get politically correct here) utilities, whether Windows nubes or not, are usually shocked by their complete and utter lack on said platform. Linux gurus can't understand why the DOS shell doesn't have them, and nubes wonder how in the world they never found out about them. After I install windows ports on their systems they say they have started using the DOS shell to use these two utils all the time. I've s

        • Re: (Score:2, Troll)

          by BarryJacobsen (526926)

          The tools on sysinternals are tools that should come with windows from day one.

          Yeah. And an image editor - wait, no, 3 image editors a few which work only on the command line. And five word processors. Ten calculators. A utility to write random data to the disk.

          The average user doesn't need these tools. The people who can make use of them without messing other things up already know about them.

          • Re: (Score:3, Funny)

            by houstonbofh (602064)

            Yeah. And an image editor - wait, no, 3 image editors a few which work only on the command line. And five word processors. Ten calculators. A utility to write random data to the disk.

            You want MS Word to come for free? That is asking a lot...

          • Re: (Score:3, Insightful)

            by Quantumstate (1295210)

            But it still fits on one CD while Windows 7 with much less content somehow manages to fill a DVD.

        • Re: (Score:3, Informative)

          by heffrey (229704)

          Anyone who is capable of using these tools is capable of finding them. Personally, on all machines that I use I copy a folder containing around 200 useful utilities (e.g. grep, ls, cat, cp, bzip2, cpuz, console, depends, ps*, diff, gawk, gzip, less, strings, rapidee, sleep, tar, touch, whoami, whois, zip) and then add it to the path. But, I don't think my mum's going to be using psexec anytime soon.

      • Re: (Score:2, Insightful)

        Let me see if I've got this straight. A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

        Yep. As pointed out by the GP, the Sysinternal Windows tools are a by-product of reverse engineering. Specifically, they seem to heavily rely upon the Windows Native API (NTAPI) since the Windows 32 subsystem (Win32) wouldn't readily or at all allow them to do what they do. Since the NTAPI is rather undocumented, it w

      • by schon (31600)

        Let me see if I've got this straight.

        Nope, you don't have it "straight". Allow me to point out where your misunderstanding lies.

        A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

        No, a great set of tools that doesn't come with Windows demonstrates how rubbish Windows is. A great set of tools that Linux comes with demonstrates how fantastic Linux is.

        I don't blame you for not understanding this - after all, it's only the title of his post, and you only quoted it once.

    • by Machtyn (759119)
      I agreed with you right up until you stated sysinternals isn't one of Windows advantages. Just because it is bringing similar *nix functionality to Windows doesn't make it disadvantageous. I would argue that without sysinternals, Windows would be bunk compared to *nix systems (from an administrative and/or development standpoint.)
    • Re: (Score:3, Insightful)

      by The Bungi (221687)

      How these tools are used and % of userbase that cares about them:

      Windows:

      - <- Developers
      ------------------- <- Everyone else

      Linux:

      ------------------- <- Developers
      - <- Everyone else

      Do you really think the average office worker cares about examining mount points or finding out how many USER handles a process is using? That's why Microsoft doesn't ship any of that with Windows, and they probably never will. More importantly, I'd rather have a third party write these kinds of tools. They're not lim

    • by COMON$ (806135)
      Well the more irritating thing here is that this is not news. I am a windows guy, however:

      1. ESX has been doing P2V on the fly for free for years.

      2. Diskmon has been out so long that I assumed everyone knew about it.

      3. ISO utility? Seriously? Makes me wonder where all of you were before CD ROM drives, anyone remember doing upgrades from hard disk after copying the OS down so it would install? what year was that '95?

      For once I have to side with the Linux snobs...this is OLD news for anyone who has bee

    • I was unaware that there was an equivalent (in terms of features and ease of use) to Process Explorer or FileMon on linux. Mind sharing what they are?

      Keep in mind that there may be multiple sources for all that info on linux (running strings on binary etc) but the beauty of ProcExp is that it has tons of useful information at a glance-- what services are spawned under a given process, what threads are in use (and their CPU usage), the commandline used to start an image, strings within both the binary a
  • First? (Score:5, Informative)

    by I_have_a_life (1582721) on Tuesday February 09, 2010 @03:53PM (#31076796)

    Process Explorer is what Windows should ship with instead of task manager.

    Process Monitor is so kick ass... I can't even put it in words.

    • by Spad (470073)

      I'm still rather disappointed that Windows 7 didn't ship with Process Explorer as a replacement for Task Manager, it's almost universally better,

      • by Dishevel (1105119) *
        Almost?
        • by jgtg32a (1173373)

          The first tab of Task Manager is kinda nice to have, it shows all of the active windows. It saves me the trouble of digging through all the processes or running the identify function in PE

      • by Antity-H (535635)

        almost ? it _is_ universally better !

    • "Access Denied" (Score:4, Insightful)

      by TheNinjaroach (878876) on Tuesday February 09, 2010 @05:05PM (#31077866)
      Process Explorer kicks the crap out of Task Manager simply for the fact that it doesn't give access denied error messages to admins trying to end protected system processes. Try ending the same processes with Process Explorer and it "just works" -- which goes to show that the Task Manager error message has nothing to do with actual account privileges. The first time I found this I realized it's no wonder Windows has such a problem with malware, the applications I run have more access to my system processes than I do!
    • Re: (Score:3, Informative)

      by Idbar (1034346)
      I started using it because you were able to run a search of the files used by processes. Particularly, when you're trying to move or delete a file and Windows complains that "something is using the file". Since then, it's a must have on any Windows machine I use.
  • by Anonymous Coward on Tuesday February 09, 2010 @03:55PM (#31076812)

    Not to be confused with the Sisinternals porn website.

    • Re: (Score:3, Informative)

      by Ksevio (865461)
      So that everyone else doesn't have to check, there isn't actually a porn website called "Sisinternals"...yet.
  • by Anonymous Coward on Tuesday February 09, 2010 @03:57PM (#31076852)

    > They're free, but they're effective.

    What an unusual combination of attributes!

    • by Machtyn (759119)
      I know! It's like that free "demo" language program I keep hearing about! I can't believe they're giving away a FREE "demo".
    • by mcgrew (92797) *

      They're free, but they're effective.
      What an unusual combination of attributes!

      Air and sunshine are free, and they're pretty effective, too. What is it with people that they equate "free" with "worthless?"

  • by gblackwo (1087063) on Tuesday February 09, 2010 @03:58PM (#31076862) Homepage
    This is very useful- I was one of the people who stuck the Windows 7 MSDNAA downloaded iso onto a flash drive in order to install it to my desktop and laptop.

    The more difficult part for normal users is not extracting the iso to the drive but making the drive bootable- which unless you have a utility (Like the one in the article)- requires some command line work. This would make the process way quicker.
    • I think I would be able to use all 3 of the tools they mentioned in the summary - I also enjoy the idea of an ISO boot from a flash drive - as that means I only ever have to store all my ISO's on a hard drive, and then put them on the flash drive when I need to use them, no more need for blank CD's.

      I also think creating virtual hard drives from physical ones is a good idea. I have been trying to go more virtual lately, just to keep up with the trends and add some security, but it's difficult to get into full

      • I always use the program that ubuntu provides to make live usb ubuntu installs (unetbootin or something). It has an option to use any ISO rather than pulling down the ubuntu files.

        It's not great though (it likes to stop in the middle and you have no way of knowing if it is just going slow or has crashed)...I'll have to give this a try.

  • by mbourgon (186257) on Tuesday February 09, 2010 @04:00PM (#31076916) Homepage

    Tried using it on my box as a backup tool for a clean install of Win7. AVOID IF YOU ARE GOING TO USE THE SAME PHYSICAL DRIVE. Windows 7 couldn't mount or boot it. Known issue, and extremely aggravating.

    • by klocwerk (48514) on Tuesday February 09, 2010 @04:41PM (#31077532) Homepage

      It says so in the readme file, and it's a feature not a bug to keep you from hosing your system because you didn't read the readme...

      When you first fire up the new VHD it replaces the disk ID with a new one so that it's unique. This causes much trouble if the computer has two of the same disk ID at the same time when it goes to change one, as you might imagine.

  • by lymond01 (314120) on Tuesday February 09, 2010 @04:09PM (#31077078)

    I used SelfImage [excelcia.org] recently to dd [die.net] a windows 2003 box to an LVM-based virtual machine on Proxmox [proxmox.com], a Debian-based Virtual Machine Server. Worked a treat. While I see the benefit of creating a Microsoft VHD if you're an MS shop, we're a mix so being able to pump a live physical disk into a remote logical volume was great.

  • One of the reasons I can't use Windows for real work is because of the lack of multidesktop. For me it is very important to have the ability to switch from one desktop to another, never having the screen of the taskbar cluttered, having my "graphic things" open in one desktop, and my "programming things" in another. I can't understand how people can work without it. It's like browsing without tabs, only worse :-)

    I know that there are a few free and non-free tools that try to provide MD to windows, but all fall flat. The g

    • by Jaysyn (203771)

      WinXP had multiple desktops if you just installed one of the free PowerToys.

      • The trouble with virtual desktops isn't so much the virtual desktops themselves, which more or less work fine(the one from Sysinternals even uses the actual Windows desktop objects, not some nasty window hiding hack) though are subject to some limitations since MS never really intended for them; but the fact that most application developers never considered them as a possibility.

        Running any of the Windows virtual desktop setups for any length of time is a good way to run into some really, really, weird b
    • by Spad (470073)

      Powershell is a massive improvement over the traditional Windows console (which really hasn't changed significantly since the early DOS days); yes, it is in part just a re-implementation of but it is a joy to work with as a Windows admin.

      • by Spad (470073)

        That obviously should have said:

        ...just a re-implementation of <insert favourite *nix shell here>...

        • Re: (Score:2, Insightful)

          by EvanED (569694)

          That's obviously coming from someone who hasn't spent much time with PowerShell.

          I don't make the claim that PS is better (or worse) than the Unix shells, but it does bring a bunch of things to the table that aren't in any common shell. In particular, the ability to pipe objects between processes instead of just text.

          In fact, besides "a capable command line tool", there's really almost nothing that MS took from Unix with PowerShell. (In particular, in some very obnoxious ways it still behaves like cmd.exe, a

          • by devent (1627873) on Tuesday February 09, 2010 @08:48PM (#31080654) Homepage

            Oh yes, that's really easier than to type ls -l, ps -ef or ps -ef|grep firefox

            Sorry, but the real advantage of the *nix shells is that every output is just plain simple text. That means I can grep it, parse it, format it whatever I like and won't be restricted to PowerShell to do anything useful.

            • Re: (Score:3, Insightful)

              by EvanED (569694)

              Oh yes, that's really easier than to type ls -l, ps -ef or ps -ef|grep firefox

              Okay, now what's your command line for printing just the file name and its size? (Pretend you can't use 'du' or something like that.) Or just a list of process IDs with their command lines. (Both of these may be possible -- but the point is that the means of doing so isn't discoverable, you have to read the docs. In PowerShell, these operations *are* somewhat discoverable.)

              Besides, I never claimed that PowerShell was better or ea

      • by Antity-H (535635)

        I just wish they would include some kind of sed in the default shell

        oh and while I am at it, how about a way to set a variable from the result of an expression without resorting to a pseudo for loop ?
        you know something like
        set var=`echo toto`
        instead of
        for /F %%x in (`echo toto`) do set var=%%x

        even better how about an improved version of echo which would be able to write the following to a file when %var% is 1 ?
        echo var=%var%>>test.bat

        try it and have sooooo much fun discovering that the "right" syntax
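
EvanED's two questions above (just the file name and its size; process IDs with their command lines) and Antity-H's wish list for the default shell (a sed, assigning an expression's result to a variable, echoing a value that starts with a digit into a file) are all things PowerShell's object pipeline answers directly. What follows is an added example and not code from any poster in this thread; it uses only built-in cmdlets, and the file names hosts.txt and test.bat are constructed for the demonstration.

```powershell
# Added example, not from any post in this thread. Built-in cmdlets only;
# the file names hosts.txt and test.bat are constructed for the demonstration.

# Discoverability: the pipeline carries objects, so the available columns can
# be asked for instead of looked up in the docs.
Get-ChildItem | Get-Member -MemberType Property | Select-Object Name

# 1. Just the file name and its size. Each item is a FileInfo object, so
#    Name and Length are properties, not fields to cut out of text.
Get-ChildItem -File | Select-Object Name, Length

# 2. Process IDs with their command lines. Get-Process does not expose the
#    command line; the Win32_Process CIM class does (Get-WmiObject is the
#    pre-3.0 equivalent of Get-CimInstance).
Get-CimInstance -ClassName Win32_Process |
    Select-Object ProcessId, Name, CommandLine

# 3. A sed in the default shell: -replace is a regex substitution operator
#    on strings, so it works on any text that reaches the pipeline.
#    This strips trailing "# comment" text from each line of hosts.txt.
Get-Content -Path .\hosts.txt | ForEach-Object { $_ -replace '\s*#.*$', '' }

# 4. Assigning an expression's result to a variable needs no for /F loop.
$var   = Write-Output toto
$count = (Get-Process).Count

# 5. Writing var=1 to a file. In cmd.exe, "echo var=%var%>>test.bat" with
#    var=1 expands to "echo var=1>>test.bat", and "1>>" is a redirection of
#    handle 1 (stdout), so the value never reaches the file. Here the string
#    is built before any redirection is considered.
$var = 1
"var=$var" | Add-Content -Path .\test.bat
```

The point of items 1 and 2 is not the cmdlet names but that the columns are object properties: the same Select-Object works on the output of any cmdlet once Get-Member has shown what is there.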

    • Re: (Score:2, Informative)

      The guy behind sysinternals tried to, and was almost a success, but nope.

      Is the failure you're talking about this [microsoft.com]?

      What are the shortcomings of Sysinternals' Desktops?

      I haven't tried other solutions but I occasionally use this and it works fairly well.

      • by jgtg32a (1173373)

        It acts a bit funny with FF, you can only have FF open on 1 of the desktops. You can't move programs between desktops. Those are really the only two problems I have.
         
        I love that Desktops

  • disk2vhd (Score:3, Informative)

    by micromuncher (171881) on Tuesday February 09, 2010 @04:14PM (#31077144) Homepage

    This was a godsend to me, after VMWare Converter could not/would not convert a machine of mine, even after registry and driver cleaning, it just failed near the end without a meaningful error message in the log.

    I used disk2vhd, booted up the image in VirtualBox, and bingo - working image.

  • by noidentity (188756) on Tuesday February 09, 2010 @04:14PM (#31077152)

    They're free and they're effective

    There, fixed that for you. Saying "free but effective" suggests that free implies ineffective.

  • by syousef (465911) on Tuesday February 09, 2010 @04:14PM (#31077154) Journal

    They're excellent for a wide range of things. Filemon (now superseded but still available) is an excellent tool for working out what files a piece of software is opening (e.g. if you're trying to find config files). Regmon does something similar for the registry. Process explorer is stellar for getting more detail on a process than task manager will ever give (like where the image is running from and what DLLs it's using). Sysinternals filled a gap in diagnostic software. In a Windows environment they're as basic to me as netstat or ping. (speaking of which check out sysinternals tcpview). Especially good for tracing a user mode process right through. There are a lot of other utils to unlock the power of your Windows environment too.

    Two Sysinternals tools that weren't mentioned but are worth knowing about:

    streams - view or remove hidden file streams attached to a file not normally seen in explorer. Especially good for removing that pesky "downloaded files are bad" warning when something is marked as being from the Internet zone.

    junction - One of a handful of tools that allows you to create junctions (similar to but not the same as hard directory links) in Windows XP.

    The other non-sys-internals thing that every power user should know about is windbg and the debugging symbols. Indispensable for tracking down the culprit if you get blue screens due to device drivers (though obviously non-developers are not going to be able to do much about fixing the fault apart from downloading a different version or removing the device driver)
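
The two tools syousef singles out, streams and junction, map onto built-in cmdlets on current PowerShell (3.0+ for -Stream, 5.0+ for junction creation and the LinkType property). The following is an added example, not from the post above or from Sysinternals; the file and directory paths in it are constructed. The defender's interest in the Zone.Identifier stream is that it records where a file came from, so it is worth reading before it is removed.

```powershell
# Added example, not from the post above or from Sysinternals. The paths are
# constructed; needs PowerShell 3.0+ (-Stream) and 5.0+ (junction support).

$file = "$env:USERPROFILE\Downloads\example-download.zip"   # constructed path

# Every NTFS file has a ':$DATA' stream; anything else is an alternate data
# stream that Explorer never shows. This is the view streams.exe gives.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Zone.Identifier is the "mark of the web" that browsers write on download.
# ZoneId=3 is the Internet zone, which is what triggers the "this file came
# from another computer" warning; newer Windows builds may also record the
# download URL here, which is worth keeping before the stream is removed.
if (Get-Item -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -Path $file -Stream Zone.Identifier
}

# Removing only that stream leaves the file's own data untouched. Unblock-File
# does the same thing; this is the explicit form.
Remove-Item -Path $file -Stream Zone.Identifier -ErrorAction SilentlyContinue

# Junctions are directory reparse points. Listing them under a tree shows
# where a path silently resolves somewhere else; LinkType and Target are
# populated on PowerShell 5.0+.
Get-ChildItem -Path C:\Tools -Recurse -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
    Select-Object FullName, LinkType, Target

# Creating one, which is what junction.exe provided on Windows XP.
New-Item -ItemType Junction -Path C:\Tools\link -Target C:\Tools\real | Out-Null
```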

    • Now that I read more carefully, the author of the referenced article must mean Filemon, not Diskmon. Diskmon doesn't tell you what files are open (at least not the version I have). Filemon does.

      • It still tells you which process is thrashing the disk, which is what he wanted to find out.

        • by vrt3 (62368)

          It still tells you which process is thrashing the disk, which is what he wanted to find out.

          That would be interesting indeed, but how do I do that? I just downloaded it to try it, but the only columns I see are a sequence number, time, duration, the disk number, request type, sector number and length. I can't find a process ID or process name anywhere.

  • For speedy access (Score:5, Informative)

    by Spad (470073) <slashdotNO@SPAMspad.co.uk> on Tuesday February 09, 2010 @04:16PM (#31077172) Homepage

    Don't forget live.sysinternals.com [sysinternals.com] for instant access to any of the tools.

  • Barely related to the topic (except that the Sysinternals monitors did a lot of this first), but I've had limited success googling...

    The Windows 7 Performance Monitor is very very nice... what utilities under Linux would give it similar abilities to show per-process cpu/mem/disk/network/file/I/O usage?

    So far I've managed to scrape together a variety of disparate tools to report on most of those things, but it would be nice if it could all be builtin to e.g. gkrellm or gnome-system-monitor or something.

    * (th

    • Re: (Score:2, Informative)

      by eeeuh (165197)

      Maybe you could give atop http://www.atoptool.nl/ [atoptool.nl] a try?
      It shows (per process) disk-IO and nicely integrates cpu/disk/network/io statistics, it can also store statistics for later playback.

      When trying to trace which file is getting a lot of IO you might want to take a look at the file descriptors in /proc//fd in conjunction with lsof/strace. I don't know of a nicely integrated tool for that unfortunately.

    • What's Running is easy to use and provides lots of info on Processes, services, IP connections, modules, drivers, plus associated file locations, memory use, and other bits.
      http://www.whatsrunning.net/main.aspx/ [whatsrunning.net]
  • windowssucks tag? (Score:3, Insightful)

    by Angst Badger (8636) on Tuesday February 09, 2010 @04:20PM (#31077220)

    Well, yes, of course Windows sucks, but the SysInternals package really does mitigate the suckage to a surprising degree. Arguably, it's stuff that should have been part of Windows all along. I've been using it for a couple of years and it has made it much, much easier to beat Windows into submission. It's also extremely useful for finding and removing the crap that virus and malware scanners are apparently incapable of dealing with, as well as finding the mounds of not-actually-temporary temporary files that both Windows and a lot of applications like to consume unreasonable amounts of drive space with.

  • Wonderful tools (Score:5, Interesting)

    by Sycraft-fu (314770) on Tuesday February 09, 2010 @04:20PM (#31077230)

    These have been available for a long time, used to just be from a site called Sysinternals run by Russinovich before Microsoft hired him. This guy is, literally, the person who wrote the book on Windows. Windows Internals is the current name, used to be called Inside Windows 2000. A wonderful technical document of the internal workings of Windows.

    At any rate, Russinovich produces extremely useful tools. Not the sort of thing you want in the hands of inexperienced users, as many of them can break your system, but extremely powerful. I use them all the time in the course of my job, especially when there's manual malware removal that needs to be done. So far, malware is unaware of the ability to suspend a process, which Process Explorer will do. So you suspend the malware, its watcher process doesn't know to restart it. You then use autoruns to remove the startup entries. At that point you can reboot, it won't start, and you can clean up the residuals.
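
The second half of that procedure, finding the startup entries, is what Autoruns does; the read-only sweep below is an added example (not from the post or from Sysinternals) of the same check done by hand with built-in cmdlets, covering only the common Run/RunOnce keys and the Startup folders. Autoruns itself lists far more locations (services, drivers, scheduled tasks, WMI subscriptions, shell extensions), so this is the fallback for when the tool is not at hand, and it points a responder at the entries whose image is unsigned or no longer on disk. The registry paths are the standard ones; the Get-ImagePath helper is written for this example.

```powershell
# Added example, not from the post above or from Sysinternals. Read-only sweep
# of common autostart locations with built-in cmdlets; nothing is modified
# and no process is touched. Get-ImagePath is a helper written for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Provider metadata that Get-ItemProperty returns alongside the real values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of an autostart command line. A quoted path is
# easy; for an unquoted path with spaces, grow the candidate until it exists.
function Get-ImagePath([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    $parts = $cmd -split ' '
    for ($i = 0; $i -lt $parts.Count; $i++) {
        $candidate = $parts[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -in $metaProps) { continue }
        $image = Get-ImagePath $props.$name
        # Authenticode status: Valid, NotSigned, HashMismatch, ... or our own
        # FileMissing marker when the entry points at nothing.
        $sig = if (Test-Path -LiteralPath $image -PathType Leaf) {
            (Get-AuthenticodeSignature -FilePath $image).Status
        } else { 'FileMissing' }
        [pscustomobject]@{ Key = $key; Entry = $name; Image = $image; Signature = $sig }
    }
}

# Per-user and all-users Startup folders, which Autoruns also lists.
$startupItems = foreach ($folder in 'Startup', 'CommonStartup') {
    Get-ChildItem -Path ([Environment]::GetFolderPath($folder)) -File -ErrorAction SilentlyContinue
}

# Unsigned or missing images are where to look first: a signed Microsoft
# binary under Run is rarely the problem, an unsigned one under %TEMP% often is.
$entries | Sort-Object Signature | Format-Table -AutoSize
$startupItems | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and all-users Startup folder are readable; the output is a table to read, and removing an entry remains a deliberate separate step, as in the post's procedure.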

    • by Krneki (1192201)
      +1 Suspend is an awesome function to quickly disable viruses.
  • It's not from sysinternals, but for tiny little utils, Spacemonger - the older version - not the new "installable" one - is absolutely fantastic for finding out where disk-space went..... can't live without it in any windows shop.
