Sysinternals Still Essential for Desktop Troubleshooting

Microsoft’s Windows Sysinternals suite has long been a go-to toolbox for desktop admins. See why the free software is still useful for endpoint troubleshooting.

EDITOR’S NOTE
Get to Know Windows Troubleshooting Tools

Many desktop administrators have relied on Windows Sysinternals for years, since the free tools in the suite are often more capable than those built into Microsoft’s software. Although these troubleshooting tools are easy to download, there are so many that it’s easy to overlook potentially helpful ones.

In our feature article, Microsoft MVP Brien Posey takes a look at five valuable Sysinternals tools that provide insight into how Windows systems are performing and aid file management. Note that we also link to ongoing coverage of other utilities.

Editor Maggie Jones then takes a look at Sysinternals’ history and why every endpoint admin should know about it. Finally, consultant Kevin Beaver discusses the apparent lack of support for Windows 8 and argues that many of the tools are still relevant, even as Microsoft moves support to the Windows Store.

Eugene Demaitre
Associate Managing Editor
End User Computing Group, TechTarget

FIVE SYSINTERNALS TOOLS
Five Windows Sysinternals Utilities for Desktop Admins

If you need to gain insight into Windows systems, the Sysinternals utilities are among the best. Microsoft’s collection goes way beyond the functionality of native Windows tools and provides some fairly advanced capabilities.

The Windows Sysinternals site contains dozens of free utilities for viewing or troubleshooting individual operating system components. Before we look at my picks, be aware that the Sysinternals library has existed for some time. Many of the tools were created for older OSes such as Windows XP or Vista, so not every tool in the Sysinternals collection will work with modern Windows versions. Although none of these utilities is designed specifically for Windows 8, some of them can be helpful for addressing Windows 8 problems. Here are five Sysinternals tools that any IT professional who is tasked with troubleshooting Windows endpoints should know about.

ACCESSCHK
We have all run into situations in which a seemingly simple repair or maintenance operation is halted by unexpected security restrictions. The AccessChk utility can help you to determine which permissions are in effect. The tool works for files, folders, registry keys, Windows services and global objects. It is also useful for verifying that system resources have received the proper level of security.

HANDLE
One of the more frustrating experiences for an end user is the inability to save, move or rename a file because Windows claims that the file is in use. The Handle utility (which is now in version 4.0) displays information about open handles for any system process. In other words, you can use this utility to figure out which program has a file locked open.
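The two checks described above, finding the program that holds a file open and verifying that a directory carries only the expected write permissions, are easy to script around the command-line tools. The following PowerShell is an added example, not code from the article or from Sysinternals: it assumes handle.exe and accesschk.exe are on the PATH, that the shell is elevated (Handle needs that to enumerate other processes), and that both tools accept the -accepteula and -nobanner switches; the function names, the AllowedWriters default and the output-parsing patterns are this example’s own.

```powershell
# Added example (not from the article): PowerShell wrappers around the
# Sysinternals Handle and AccessChk tools. Assumes handle.exe and
# accesschk.exe are on the PATH and the shell is elevated.

function Get-FileLockOwner {
    # Lists the processes holding an open handle to a file: the "which
    # program has this file locked?" question the Handle section describes.
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).Path
    # -accepteula skips the first-run licence prompt; -nobanner drops the
    # header so only handle lines are parsed (assumed to exist in current
    # Handle releases).
    $lines = & handle.exe -accepteula -nobanner $full 2>$null

    foreach ($line in $lines) {
        # Handle's search output looks like (assumed format):
        #   notepad.exe   pid: 4321   type: File   1C4: C:\Temp\report.docx
        if ($line -match '^(?<proc>\S+)\s+pid:\s+(?<pid>\d+)\s+type:\s+(?<type>\S+)\s+(?<handle>[0-9A-Fa-f]+):\s+(?<target>.+)$') {
            [pscustomobject]@{
                Process = $Matches.proc
                PID     = [int]$Matches.pid
                Type    = $Matches.type
                Handle  = $Matches.handle
                Target  = $Matches.target.Trim()
            }
        }
    }
}

function Test-DirectoryWriteAccess {
    # Uses AccessChk to list every account with write access to a directory
    # and marks any that are not in the expected set: the "verify that system
    # resources have received the proper level of security" use case.
    param(
        [Parameter(Mandatory)][string]$Path,
        # Accounts expected to hold write access (example default; adjust to
        # the baseline you actually deploy).
        [string[]]$AllowedWriters = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    )

    # -d: report the directory object itself rather than recursing into files
    # -q: omit the banner
    $lines = & accesschk.exe -accepteula -d -q $Path 2>$null

    foreach ($line in $lines) {
        # AccessChk prints the object path, then one indented line per
        # account, e.g. "  RW BUILTIN\Administrators" or "  R  BUILTIN\Users".
        # Only lines whose rights include W are of interest here.
        if ($line -match '^\s+(?<rights>R?W)\s+(?<account>.+)$') {
            $account = $Matches.account.Trim()
            [pscustomobject]@{
                Path     = $Path
                Account  = $account
                Rights   = $Matches.rights
                Expected = ($AllowedWriters -contains $account)
            }
        }
    }
}

# Usage (constructed paths):
#   Get-FileLockOwner -Path 'C:\Temp\report.docx'
#   Test-DirectoryWriteAccess -Path 'C:\Program Files\ExampleApp' |
#       Where-Object { -not $_.Expected }
```

Run the second function against the directories you care about after a deployment and treat any row with Expected = False as an ACL to review; the first function tells you which process to close (or which service to stop) before retrying a file operation that Windows reports as blocked.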

PROCESS EXPLORER
Process Explorer is an excellent tool for anyone who is trying to track down a system performance problem. It displays all of the processes that are running on the system, as well as the CPU and memory usage for each process. Although some might be quick to point out that Windows offers similar functionality, this utility offers capabilities that are far beyond those of the Task Manager. In fact, Process Explorer includes a menu option that allows you to replace Task Manager with Process Explorer.

Process Explorer has lots of information about the processes that are running on a system. In addition to resource statistics, the software also lists the name of the vendor that created the process and a (usually) meaningful description of what the process is or what it does.

The utility lists processes in a tree view that allows you to see the dependencies for each process. Hovering over a process with the mouse pointer causes Windows to display information such as the command line used to launch the process, the path to the process executable and the system services that are related to the process.

One thing that makes Process Explorer such a great troubleshooting aid is that it can help detect malware. The software is able to verify image signatures, and it is able to check VirusTotal.com to see if the process is related to a virus.

In addition, the software can terminate, suspend or restart a process, and it can adjust a process’s priority, among a number of other things.

PSTOOLS
PsTools is a collection of 13 command-line tools that can be useful for diagnostic purposes. For example, the PsInfo command provides basic information such as the Windows version, system uptime, the kernel build number, the processor type and the amount of memory that is available in the system.

However, the PsInfo tool may have a bug related to memory reporting. My computer has 16 GB of physical memory, but the utility reported less than 2 GB of memory.
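The image-signature check that makes Process Explorer useful for malware triage can be reproduced from PowerShell when the GUI is unavailable or when the result needs to be logged. The following is an added example, not code from the article or from Sysinternals; it uses only built-in cmdlets, the function name is this example’s own, and the decision to treat every status other than Valid as worth a closer look is an assumption of the example rather than Process Explorer’s exact rule.

```powershell
# Added example (not from the article): a scripted equivalent of Process
# Explorer's "Verify Image Signatures" column, using Get-Process and
# Get-AuthenticodeSignature.

function Get-ProcessSignatureReport {
    param(
        # Optional: only report processes whose image lives under these roots.
        [string[]]$OnlyUnder = @()
    )

    foreach ($p in Get-Process) {
        # .Path is $null for processes we are not allowed to open (protected
        # or higher-integrity ones); those are reported rather than skipped.
        $path = $p.Path

        if ($OnlyUnder.Count -gt 0 -and $path) {
            $underRoot = $OnlyUnder | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $underRoot) { continue }
        }

        if (-not $path) {
            $status = 'PathUnavailable'
            $signer = $null
        } else {
            # Checks the embedded (or catalog) signature and chains it to a
            # trusted root, which is what Process Explorer's verify does.
            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }

        [pscustomobject]@{
            Name    = $p.ProcessName
            PID     = $p.Id
            Path    = $path
            Status  = $status
            Signer  = $signer
            # Example's own rule: anything that did not verify deserves review.
            Suspect = ($status -ne 'Valid')
        }
    }
}

# Usage: show the processes that did not verify, grouped by why.
Get-ProcessSignatureReport |
    Where-Object Suspect |
    Sort-Object Status, Name |
    Format-Table Name, PID, Status, Signer, Path -AutoSize
```

A HashMismatch row (the file on disk no longer matches its signature) is the one to act on first; NotSigned rows need context, because plenty of legitimate third-party software ships unsigned, and on older PowerShell versions catalog-signed Windows binaries can also show up as NotSigned. Run it elevated so that Path is populated for as many processes as possible.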

PsTools includes the following tools:

■ PsExec: Remotely executes processes
■ PsFile: Shows files opened remotely
■ PsGetSid: Displays the computer’s SID
■ PsPing: Measures network performance
■ PsInfo: Displays basic information about the system
■ PsKill: Terminates a running process
■ PsList: Lists detailed information about running processes
■ PsLoggedOn: Shows who is logged onto the system, both locally and through resource sharing
■ PsLogList: Dumps event log records
■ PsPassword: Changes account passwords
■ PsService: A command-line tool for viewing and controlling system services
■ PsShutdown: Forces a reboot or a shutdown of the system
■ PsSuspend: Suspends a running process

Admittedly, all of the PsTools functions exist in PowerShell. However, there are a couple of advantages to using PsTools. First, it works across OS versions—including Windows XP, Windows Server 2003 and higher. Second, the tools included in PsTools tend to be easier to use than some of the PowerShell cmdlets.

TCPVIEW
TCPView is an excellent tool for troubleshooting network problems. It can display a near-real-time view of how the processes on a system are using the networking stack. For each process, you can view the Process ID, protocol, local address and local port number, remote address, and remote port number. Admins can also see state, the number of sent packets, the number of sent bytes, the number of received packets and the number of received bytes.

Although this information would be extremely helpful by itself, a few other features make this tool really useful. For starters, the tool uses highlighting to show which processes are using the network at a given moment. The tool also allows you to view properties (such as the underlying executable file) for each process, and you can terminate a process or close a network connection with a couple of mouse clicks. The utility even includes a Who Is function that helps you determine the identity of an unknown connection.

In order to effectively troubleshoot a system, it is necessary to have accurate diagnostic information. Although all of the diagnostic information displayed by the utility is viewable in other areas of the OS, displaying this information on the desktop can be a huge timesaver for the person who is tasked with diagnosing a problem.

There are many other excellent Sysinternals utilities beyond those covered here, including Active Directory Explorer, BgInfo and Process Monitor. I encourage you to explore some of these other tools. You can even download the entire software suite as a bundle. —Brien Posey
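The TCPView columns described above (process, PID, protocol, local and remote endpoints, state, executable path) can be assembled from built-in cmdlets when you need the same view in a script or over a remoting session, and a reverse-DNS lookup stands in for the Who Is button. The following is an added example, not code from the article or from Sysinternals; it assumes Windows 8 / Server 2012 or later (where Get-NetTCPConnection and Get-NetUDPEndpoint exist), the function and switch names are this example’s own, and it does not reproduce TCPView’s per-connection packet and byte counters.

```powershell
# Added example (not from the article): a console approximation of TCPView's
# main columns from Get-NetTCPConnection / Get-NetUDPEndpoint, joined to
# Get-Process for the owning image, with optional reverse-DNS for remote peers.

function Get-ProcessConnections {
    param(
        # Resolve remote addresses to host names (one DNS query per row; slower).
        [switch]$ResolveRemote,
        # Only established TCP sessions; skips listeners and UDP endpoints.
        [switch]$EstablishedOnly
    )

    # PID -> process lookup built once. OwningProcess is a uint32 while
    # Process.Id is an int32, so keys are normalised to [int] on both sides.
    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }

    $rows = New-Object System.Collections.Generic.List[object]

    foreach ($c in Get-NetTCPConnection) {
        if ($EstablishedOnly -and $c.State -ne 'Established') { continue }
        $owner = $procs[[int]$c.OwningProcess]
        $rows.Add([pscustomobject]@{
            Process       = if ($owner) { $owner.ProcessName } else { '<unknown>' }
            PID           = [int]$c.OwningProcess
            Protocol      = 'TCP'
            LocalAddress  = $c.LocalAddress
            LocalPort     = $c.LocalPort
            RemoteAddress = $c.RemoteAddress
            RemotePort    = $c.RemotePort
            State         = $c.State.ToString()
            ImagePath     = if ($owner) { $owner.Path } else { $null }
        })
    }

    if (-not $EstablishedOnly) {
        # UDP has no connection state; TCPView shows these with a blank state.
        foreach ($u in Get-NetUDPEndpoint) {
            $owner = $procs[[int]$u.OwningProcess]
            $rows.Add([pscustomobject]@{
                Process       = if ($owner) { $owner.ProcessName } else { '<unknown>' }
                PID           = [int]$u.OwningProcess
                Protocol      = 'UDP'
                LocalAddress  = $u.LocalAddress
                LocalPort     = $u.LocalPort
                RemoteAddress = '*'
                RemotePort    = $null
                State         = ''
                ImagePath     = if ($owner) { $owner.Path } else { $null }
            })
        }
    }

    if ($ResolveRemote) {
        # Stand-in for TCPView's Who Is: reverse-resolve real remote peers only.
        foreach ($r in $rows) {
            $remoteHost = $null
            if ($r.RemoteAddress -notin @('0.0.0.0', '::', '*', '127.0.0.1', '::1')) {
                try { $remoteHost = [System.Net.Dns]::GetHostEntry($r.RemoteAddress).HostName }
                catch { $remoteHost = $null }
            }
            $r | Add-Member -NotePropertyName RemoteHost -NotePropertyValue $remoteHost
        }
    }

    $rows
}

# Usage: the rows TCPView would highlight as active, with peer names resolved.
Get-ProcessConnections -EstablishedOnly -ResolveRemote |
    Sort-Object Process, RemoteAddress |
    Format-Table Process, PID, LocalAddress, LocalPort, RemoteAddress, RemotePort, RemoteHost, ImagePath -AutoSize
```

Run it elevated so that ImagePath is available for system processes; an Established row whose Process is <unknown> or whose ImagePath is outside the locations you expect is the same thing TCPView’s highlighting is meant to draw your eye to, and the PID gives you the handle for Process Explorer or PsKill.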


SYSINTERNALS FAQ
The Windows Sysinternals Suite Has Deep Roots, Is Absolutely Necessary

The tools that are available to IT administrators in Windows Sysinternals can make work a lot easier, but many people don’t even know about Microsoft’s free suite.

The tools that come with Windows and Windows Server will help you put out fires, but if you want to simplify some tasks, Sysinternals is a must. Check out some basic facts about Windows Sysinternals tools in this FAQ, and learn a little more about some utilities that can make your life easier.

WHERE DID WINDOWS SYSINTERNALS COME FROM?
Windows Sysinternals is a repository for freeware utilities developed by Mark Russinovich and Bryce Cogswell starting in 1995. Microsoft acquired Sysinternals in 2006. Program categories include file and disk, networking, process, security and system information. When Sysinternals began, there were a handful of tools to make administrators’ work easier, but today there are more than 100.

Russinovich wrote a book called Windows Sysinternals Administrator’s Reference that provides an in-depth look at how Windows works, how to use various utilities and how to troubleshoot some Windows problems.

HOW DO I ACCESS SYSINTERNALS?
KirySoft’s Windows System Control Center has the 100-plus Sysinternals tools, as well as NirSoft utilities. You could also access Sysinternals through Microsoft’s website or preload the utilities on a thumb drive and access them that way.

WHAT ARE SOME USEFUL SYSINTERNALS UTILITIES?
Process Explorer and Process Monitor are favorites among admins because they’re great for cleaning up PCs, but many other useful Windows Sysinternals tools exist. For instance, Autoruns can improve software debugging, and Contig makes sure that all files get defragmented.

Desktops can arrange programs on virtual desktops, and NotMyFault deliberately crashes a system, which is useful if you need to test resiliency.

Other tools include RAMMap, which lets you map out how physical memory gets used, and VolumeID, for troubleshooting disk image backup and restore problems.

HOW CAN I USE PROCESS EXPLORER TO EASE WINDOWS 8 MANAGEMENT?
In Windows 8, Task Manager and Process Explorer are pretty similar, and you can replace Task Manager with Process Explorer if you want. You can also kill processes and all their child processes to make your computer run faster. Process Explorer allows you to perform a security analysis or a malware investigation. You can view your PC’s system-utilization details and use Process Explorer to show the users of all the processes running in the background of their machines to remind them to be aware of security. —Margaret Jones


WAITING FOR WINDOWS 8 SUPPORT
Windows 8 Shops Wait for Sysinternals Support From Microsoft

Microsoft’s Sysinternals suite is a helpful repository for free Windows utilities, but I’m not aware of any Sysinternals tools that are made specifically for Windows 8. Not surprisingly, a search for “Sysinternals” in the Windows Store returns nothing. So-called Modern UI-style applications (not to be confused with the controversial user interface) are aimed at a different audience altogether.

The good news is that software from the Sysinternals suite will run on Windows 8, including some of the older tools such as Sync and NTFSInfo.

I run Windows Sysinternals tools quite often and recommend that you do the same. They provide an amazing amount of information and utility when managing, securing and troubleshooting Windows. The minimum requirements are Windows XP and Server 2003, which isn’t asking too much.

One of my favorite Windows Sysinternals tools is a neat resource I use in security assessments, AccessEnum, which shows you who has access to shares on your network.

In addition to Microsoft’s main TechNet site for Windows Sysinternals, you can download and run the tools directly. —Kevin Beaver

ABOUT THE AUTHORS

BRIEN POSEY is a seven-time Microsoft MVP with two decades of IT experience, with expertise in SharePoint administration. Prior to becoming a freelance writer, Posey served as chief information officer for a national chain of hospitals and healthcare facilities. He has also worked as a network administrator for some of the nation’s largest insurance companies and for the Department of Defense at Fort Knox.

MAGGIE JONES is the associate site editor of SearchVirtualDesktop.com and has contributed to SearchConsumerization.com and SearchEnterpriseDesktop.com. Before joining TechTarget, Jones worked as an editorial assistant on the book The Self-Made Myth.

KEVIN BEAVER is an information security consultant, speaker and expert witness at Atlanta-based Principle Logic LLC. With more than 25 years of experience in the industry, Beaver specializes in performing independent vulnerability assessments of network systems, as well as Web and mobile applications. He has authored/co-authored 11 books, including the best-selling Hacking for Dummies. In addition, he’s the creator of the Security on Wheels audio books and blog providing security learning for IT pros on the go.

Sysinternals Still Essential for Desktop Troubleshooting is a SearchEnterpriseDesktop.com e-publication.

Colin Steele | Associate Editorial Director
Eugene Demaitre | Associate Managing Editor
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
Rebecca Kitchens | Publisher
[email protected]

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

COVER ART: FOTOLIA
