Google
 

Monday, July 16, 2007

System Internals Tools 1

  1. Process Explorer for Windows v10.21

    Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

    The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

    The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

    Process Explorer works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, and 64-bit versions of Windows for x64 and IA64 processors, and Windows Vista.

  2. CPU Usage by Processes (qslice.exe)
    Shows the percentage of total CPU usage per process.

  3. TList.exe
    The TList tool is a task-list application that prints a list of tasks to standard out (stdout). It can be used to determine the Process ID.

  4. Debugging Tools for Windows

    You can use Debugging Tools for Windows to debug drivers, applications, and services on systems running Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server codename "Longhorn," as well as for debugging the operating system itself. Versions of the Debugging Tools for Windows package are available for 32-bit x86, native Intel Itanium, and native x64 platforms.

  5. Windows Server 2003 Resource Kit Tools
    The Microsoft® Windows® Server 2003 Resource Kit Tools are a set of tools to help administrators streamline management tasks such as troubleshooting operating system issues, managing Active Directory®, configuring networking and security features, and automating application deployment.

  6. Windows Server 2003 Administration Tools Pack
    The Windows Server 2003 Administration Tools Pack (adminpak.msi) provides server management tools that allow administrators to remotely manage Windows 2000 Servers & Windows Server 2003 family servers. This is the final version (build 3790) of the adminpak.msi file.

  7. Windows XP Support Tools
    The Windows Support Tools for Microsoft Windows XP are intended for use by Microsoft support personnel and experienced users to assist in diagnosing and resolving computer problems.

  8. AutoRuns for Windows v8.70

    This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

    Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

    You'll probably be surprised at how many executables are launched automatically!

    Autoruns works on all versions of Windows including 64-bit versions.

  9. ListDLLs v2.25

    A question that I often get asked is "Do you know of a utility that will show me which DLLs are loaded on Windows 9x or NT ". The answer I gave up until recently was "no", until I discovered a tool in the Windows NT Resource Kit called tlist that does show this information. I decided to write a free-ware version, ListDLLs. Unlike tlist, however, ListDLLs is able to show you the full path names of loaded modules - not just their base names. In addition, ListDLLs will flag loaded DLLs that have different version numbers than their corresponding on-disk files (which occurs when the file is updated after a program loads the DLL), and can tell you which DLLs were relocated because they are not loaded at their base address.

    You can also get Process Explorer, a GUI-based version of this program, here at Sysinternals.

  10. EFSDump v1.02

    Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this factility, including one - QueryUsersOnEncryptedFile - that lets you see who has access to encrypted files. This applet uses the API to show you what accounts are authorized to access encrypted files.

  11. FileMon for Windows v7.04

    Note: Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x.

    FileMon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

    FileMon works on NT 4.0, Windows 2000, Windows XP, Windows XP and Windows Server -bit Edition, Windows 2003 Server, Windows 95, Windows 98 and Windows ME.

  12. Handle

    Ever wondered which program has a particular file or directory open? Now you can find out. Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program.

    You can also get a GUI-based version of this program, Process Explorer, here at Sysinternals.

  13. Junction

    Windows 2000 and higher supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Windows. Unfortunately, Windows comes with no tools for creating junctions - you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. I therefore decided to write my own junction-creating tool: Junction. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Windows' Remote Storage Service (RSS), as well as volume mount points.

    Please read this Microsoft KB article for tips on using junctions.

    Note that Windows does not support junctions to directories on remote shares.

  14. LiveKd

    LiveKD, a utility I wrote for the CD included with Inside Windows 2000, 3rd Edition, is now freely available. LiveKD allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. Execute all the debugger commands that work on crash dump files to look deep inside the system. See the Debugging Tools for Windows documentation and our book for information on how to explore a system with the kernel debuggers.

    While the latest versions of Windbg and Kd have a similar capability on Windows XP and Server 2003, LiveKD works on NT 4 through Server 2003, including x64 versions of Windows, and enables more functionality, such as viewing thread stacks with the !thread command, than Windbg and Kd's own live kernel debugging facility.

  15. LogonSessions

    If you think that when you logon to a system there's only one active logon sessions this utility will surprise you. It lists the currently active logon sessions and, if you specify the -p option, the processes running in each session. LogonSessions works on Windows 2000 and higher.

  16. Winobj

    WinObj is a must-have tool if you are a system administrator concerned about security, a developer tracking down object-related problems, or just curious about the Object Manager namespace.

    WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space. Winobj may seem similar to the Microsoft SDK's program of the same name, but the SDK version suffers from numerous significant bugs that prevent it from displaying accurate information (e.g. its handle and reference counting information are totally broken). In addition, our WinObj understands many more object types. Finally, Version 2.0 of our WinObj has user-interface enhancements, knows how to open device objects, and will let you view and change object security information using native NT security editors.

  17. PendMoves

    There are several applications, such as service packs and hotfixes, that must replace a file that's in use and is unable to. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced. Session Manager performs this task by reading the registered rename and delete commands from the HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations value.

    This applet dumps the contents of the pending rename/delete value and also reports an error when the source file is not accessible.

  18. PsGetSid

    Have you performed a rollout and only to discover that your network might suffer from the SID duplication problem In order to know which systems have to be assigned a new SID (using a SID updater like our own NewSID) you have to know what a computer's machine SID is. Up until now there's been no way to tell the machine SID without knowing Regedit tricks and exactly where to look in the Registry. PsGetSid makes reading a computer's SID easy, and works across the network so that you can query SIDs remotely. PsGetSid also lets you see the SIDs of user accounts and translate a SID into the name that represents it.

  19. Regmon

    Note: Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x.

    Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed..

    Regmon works on Windows NT/2000/XP/2003, Windows 95/98/Me and Windows 64-bit for x64.

  20. TCPView for Windows v2.4

    TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

    TCPView works on Windows NT/2000/XP and Windows 98/Me. You can use TCPView on Windows 95 if you get the Windows 95 Winsock 2 Update from Microsoft.


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)