ADM291 A Tour of Sysinternals Tools Mark Russinovich Winternals Software
About The Speaker Co-author of Inside Windows 2000, 3rd Ed. (Microsoft Press) with David Solomon Contributing Editor and NT Internals columnist for Windows and.NET Magazine Creator of Co-founder and chief software architect of Winternals Software ( Co-creator of Inside Windows 2000—An interactive internals tutorial (on DVD & streaming Windows media)
Outline About Sysinternals Monitoring Tools Systems Administration Tools File System Tools
About Sysinternals Started with NTFSDOS, Regmon and Filemon hosted on Andrew Schulman’s site in mid went live in late 1996 Under a dozen tools 1500 unique visitors/day
Sysinternals Today Interesting statistics: 75 tools, 2-dozen technical articles 25,000 unique visitors/day 30,000 downloads/day (4 GB of data) 150,000 unique visitors/month 36,000 newsletter subscribers Almost 4-dozen KB-article references Everything on the site is freeware Can’t redistribute without a license Source code is licensed for use in commercial products
Outline About Sysinternals Monitoring Tools Systems Administration Tools File-Related Tools
Monitoring Filemon Regmon Process Explorer TCPView
Filemon/Regmon Watch all file system or Registry accesses in real-time Ideal for troubleshooting broken application installations Useful for developers tracking down bugs or performance tuning file system access Work on all Windows ® OSs, including 64-bit Windows XP Used extensively within Microsoft PSS Windows XP Application Compatibility Microsoft ® Office 2000
Using Filemon/Regmon Requires no install or reboot Just start using them Includes filters for including, excluding, and highlighting output Can’t include/exclude filter result codes on Filemon for WinNT/2K/XP Requires admin privilege to run Trick: run once as admin and then you can use them as unprivileged users
How Filemon Works Filemon uses a driver to intercept file I/O access A VxD on Windows 9x/Me A “file system filter driver” on Windows NT ® /Windows 2000/Windows XP Application FilemonDriver FilemonGUI File System Driver User Mode Kernel Mode
How Regmon Works Regmon uses a driver to intercept Registry operations A “hook” VxD on Windows 9x/Me A system-call intercepting driver on Windows NT/Windows 2000/Windows XP Application RegmonDriver RegmonGUI RegistrySubsystem User Mode Kernel Mode
Process Explorer Process Explorer (formerly HandleEx) starts where Task Manager ends: See detailed information about running processes, including their paths and command-lines Description of EXE SID from process security token View the DLLs processes have loaded, including version numbers See what handles processes have opened Examine services running within service processes Process Explorer works on all Windows platforms
Common Process Explorer Uses Detect DLL versioning problems Compare the output from a “good” system with that of a “broken” system Use the search feature to determine what process is holding a file or directory open View the state of synchronization objects (mutexes, semaphores, events) Detect handle leaks using refresh difference highlighting
How Process Explorer Works Uses undocumented functions for: Enumerating loaded modules with full path names Enumerating processes and handles Obtains handle names using the aid of a driver Related Tools: Handle – command-line handle viewer Listdlls – command-line DLL viewer
TCPView GUI version of Netstat Works on all Windows platforms Lists active TCP and UDP endpoints Shows endpoint owner on Windows NT/2000/Windows XP/.NET Server Includes auto-refresh and difference highlighting You can close established TCP/IP connections Works using documented and undocumented IPHelper library functions
Other Monitoring Tools DebugView Monitor application debug output Diskmon Monitor hard disk activity Pmon Monitor process and thread activity Portmon Monitor serial and parallel port traffic Tokenmon Monitor security-related activity
Outline About Sysinternals Monitoring Tools Systems Administration Tools File-Related Tools
Systems Administration PsTools PsList PsKill PsInfo PsLogList PsService PsExec PsSuspend More… BgInfo Autoruns
PsTools PsTools consists of a total of 11 tools They all work on Windows NT/ Windows 2000/Windows XP They all work remotely as well as locally None require manual remote software installation Where’d the “Ps” come from? The UNIX process listing tool is named “ps” The first PsTool was a UNIX “ps”-equivalent, PsList
PsList View detailed information about running processes Similar to tlist and pulist Default view is mix of CPU and memory information Other views show thread details, memory details, or full information Use the –s switch to run it in a Task Manager-type mode Works using the performance counter API WMI is only available by default on Windows 2000/Windows XP, not on Windows NT 4
PsKill The perfect complement to PsList is PsKill Similar to Resource Kit Kill and Remote Kill See a process running on a remote (or local) system with PsList, kill it with PsKill Unlike Task Manager, PsKill lets you kill any process if you’re an admin Uses “Debug” privilege Uses auto-installed remote service and TerminateProcess API
PsInfo Get detailed information about a system OS version: type (pro, server, etc.) Service Pack Hot-fixes CPU and memory Uptime Volume information Uses documented APIs: Registry (remote, if applicable) WMI for XP product activation query
PsLogList Dump and optionally clear event logs Like eloglist from the Resource Kit PsLogList lets you dump logs using alternate credentials Gets event strings from remote system Like eloglist, dumps in tab-delimited format for easy import into spreadsheets Has extensive support for filtering on record type and date range Uses documented Event Log APIs, which work remotely
PsService Control Win32 ® services Like the Resource Kit’s and XP/Server 2003’s SC Unlike SC, doesn’t make you remember and manually specify a “resume handle” Same syntax as SC Omits several esoteric SC options Search the network for active instances of a service Uses documented Service Control Manager APIs, which work remotely
PsExec Remotely execute programs Executes console programs interactively Allows you to start programs as yourself, in alternate user credentials, or in the System account With PsExec you can: Launch a remote command prompt to effect a light-weight telnet Remote-enable “local only” command-line tools like IpConfig Uses auto-installed remote service
PsExec Options of interest include: -s: Run in System account (instead of account of user running PsExec) -i: Show GUI windows on interactive console -d: Don’t wait for remote process to terminate -c: Copy an executable to the remote system
PsSuspend Microsoft provides no process-suspend utility like PsSuspend for pausing a process that’s using a resource Memory CPU Network Windows NT and 2000 have no “suspend process” capability, so PsSuspend suspends individual threads
BgInfo (Background Info) If you manage more than a handful of systems, you’ve run into the “what machine is this” syndrome BgInfo creates an auto-generated informative desktop background System name Memory IP Address OS version Whatever you want!
Autoruns There are almost 2-dozen places that can be used to configure automatically started applications Autoruns shows you all of the locations and displays programs configured to run in them Double-click a folder or key to jump to it in Explorer or Regedit Double-click a configured application to view its properties
Outline About Sysinternals Monitoring Tools Systems Administration Tools File-Related Tools
Contig PageDefrag Streams Strings
Contig Command-line Windows NT/ Windows 2000/Windows XP file defragmenter Useful for: Defragmenting specific files Creating new contiguous files Defragmenting entire disks Uses Windows NT/Windows 2000/Windows XP defragmenting API, documented at Sysinternals
PageDefrag Defragments paging files and Registry hives at boot time Implemented as “native” application: Launched by Session Manager because listed in HKLM\System\CurrentControlSet\Control\Ses sion Manager\BootExecute value Uses “native” API Uses Contig defragmentation engine Supports command-line options for scripted install
Streams Streams, which require NTFS, used to be rarely used Now there are several components that make use of them: Services for Macintosh Explorer Viruses Streams can search directories for files with streams and display their names
Strings Some executables do not identify themselves with version information or descriptive names Strings will look inside a file image for printable text that include: Registry key and value names Debug strings File names Internal build information
After Hours… The Sysinternals Bluescreen Screen Saver
Check The Site Often… There are updates, bug fixes, new tools and articles on a regular basis I’m always open to tool suggestions Sign up for the newsletter to get inside information on the tools and Windows internals
For More Info... Video: Inside Windows 2000 – An Interactive Tutorial (on DVD & Windows Media) 11 hours of instruction with hands-on lab exercises Book: Inside Microsoft Windows 2000, Third Edition (Microsoft Press) Class: Come to London Sep Don’t forget to complete the on-line Session Feedback form on Attendee Web site
Community Resources Most Valuable Professional (MVP) Newsgroups Converse online with Microsoft Newsgroups, including Worldwide User Groups Meet and learn with your peers
evaluations evaluations