ADM291

A Tour of Sysinternals Tools 

Mark RussinovichWinternals Software

About The SpeakerCo-author of Inside Windows 2000, 3rd Ed. (Microsoft Press) with David SolomonContributing Editor and NTInternals columnist forWindows and .NET MagazineCreator of www.sysinternals.com Co-founder and chief softwarearchitect of Winternals Software (www.winternals.com)Co-creator of Inside Windows 2000—An interactive internals tutorial (on DVD & streaming Windows media)

Outline

About Sysinternals

Monitoring Tools

Systems Administration Tools

File System Tools

About Sysinternals

Started with NTFSDOS, Regmon and Filemon hosted on Andrew Schulman’s site in mid-1996

www.ntinternals.com went live in late 1996

Under a dozen tools

1500 unique visitors/day

Sysinternals Today

Interesting statistics:75 tools, 2-dozen technical articles25,000 unique visitors/day30,000 downloads/day (4 GB of data)150,000 unique visitors/month36,000 newsletter subscribersAlmost 4-dozen KB-article references

Everything on the site is freewareCan’t redistribute without a licenseSource code is licensed for use in commercial products

Outline

About Sysinternals

Monitoring Tools

Systems Administration Tools

File-Related Tools

Monitoring

Filemon

Regmon

Process Explorer

TCPView

Filemon/Regmon

Watch all file system or Registry accesses in real-time

Ideal for troubleshooting broken application installations

Useful for developers tracking down bugs or performance tuning file system access

Work on all Windows® OSs, including 64-bit Windows XP

Used extensively within MicrosoftPSS

Windows XP Application Compatibility

Microsoft® Office 2000

Using Filemon/Regmon

Requires no install or rebootJust start using them

Includes filters for including, excluding, and highlighting output

Can’t include/exclude filter result codes on Filemon for WinNT/2K/XP

Requires admin privilege to runTrick: run once as admin and then you can use them as unprivileged users

How Filemon Works

Filemon uses a driver to intercept file I/O accessA VxD on Windows 9x/Me

A “file system filter driver” on Windows NT®/Windows 2000/Windows XP

ApplicationApplication

Filemon Filemon DriverDriver

FilemonFilemonGUIGUI

File SystemFile SystemDriverDriver

User ModeUser ModeKernel ModeKernel Mode

How Regmon Works

Regmon uses a driver to intercept Registry operations

A “hook” VxD on Windows 9x/Me

A system-call intercepting driver on Windows NT/Windows 2000/Windows XP

ApplicationApplication

Regmon Regmon DriverDriver

RegmonRegmonGUIGUI

Registry Registry SubsystemSubsystem

User ModeUser ModeKernel ModeKernel Mode

Process Explorer

Process Explorer (formerly HandleEx) starts where Task Manager ends:

See detailed information about running processes, including their paths and command-lines

Description of EXE

SID from process security token

View the DLLs processes have loaded, including version numbers

See what handles processes have opened

Examine services running within service processes

Process Explorer works on all Windows platforms

Common Process Explorer Uses

Detect DLL versioning problemsCompare the output from a “good” system with that of a “broken” system

Use the search feature to determine what process is holding a file or directory open

View the state of synchronization objects (mutexes, semaphores, events)

Detect handle leaks using refresh difference highlighting

How Process Explorer Works

Uses undocumented functions for:Enumerating loaded modules with full path names

Enumerating processes and handles

Obtains handle names using the aid of a driver

Related Tools:Handle – command-line handle viewer

Listdlls – command-line DLL viewer

TCPView

GUI version of Netstat

Works on all Windows platforms

Lists active TCP and UDP endpoints Shows endpoint owner on Windows NT/2000/Windows XP/.NET Server

Includes auto-refresh and difference highlighting

You can close established TCP/IP connections

Works using documented and undocumented IPHelper library functions

Other Monitoring Tools

DebugViewMonitor application debug output

DiskmonMonitor hard disk activity

PmonMonitor process and thread activity

PortmonMonitor serial and parallel port traffic

TokenmonMonitor security-related activity

Outline

About Sysinternals

Monitoring Tools

Systems Administration Tools

File-Related Tools

Systems Administration

PsToolsPsList

PsKill

PsInfo

PsLogList

PsService

PsExec

PsSuspend

More…

BgInfo

Autoruns

PsToolsPsTools consists of a total of 11 tools

They all work on Windows NT/Windows 2000/Windows XP

They all work remotely as well as locally

None require manual remote software installation

Where’d the “Ps” come from?The UNIX process listing tool is named “ps”

The first PsTool was a UNIX “ps”-equivalent, PsList

PsList

View detailed information about running processes

Similar to tlist and pulist

Default view is mix of CPU and memory information

Other views show thread details, memory details, or full information

Use the –s switch to run it in a Task Manager-type mode

Works using the performance counter API

WMI is only available by default on Windows 2000/Windows XP, not on Windows NT 4

PsKill

The perfect complement to PsList is PsKill

Similar to Resource Kit Kill and Remote Kill

See a process running on a remote (or local) system with PsList, kill it with PsKill

Unlike Task Manager, PsKill lets you kill any process if you’re an admin

Uses “Debug” privilege

Uses auto-installed remote service and TerminateProcess API

PsInfoGet detailed information about a system

OS version: type (pro, server, etc.)

Service Pack

Hot-fixes

CPU and memory

Uptime

Volume information

Uses documented APIs:Registry (remote, if applicable)

WMI for XP product activation query

PsLogList

Dump and optionally clear event logs

Like eloglist from the Resource KitPsLogList lets you dump logs using alternate credentials

Gets event strings from remote system

Like eloglist, dumps in tab-delimited format for easy import into spreadsheets

Has extensive support for filtering on record type and date range

Uses documented Event Log APIs, which work remotely

PsService

Control Win32® services

Like the Resource Kit’s and XP/Server 2003’s SCUnlike SC, doesn’t make you remember and manually specify a “resume handle”

Same syntax as SC

Omits several esoteric SC options

Search the network for active instances of a service

Uses documented Service Control Manager APIs, which work remotely

PsExec

Remotely execute programsExecutes console programs interactively

Allows you to start programs as yourself , in alternate user credentials, or in the System account

With PsExec you can:Launch a remote command prompt to effect a light-weight telnet

Remote-enable “local only” command-line tools like IpConfig

Uses auto-installed remote service

PsExec

Options of interest include:-s: Run in System account (instead of account of user running PsExec)

-i: Show GUI windows on interactive console

-d: Don’t wait for remote process to terminate

-c: Copy an executable to the remote system

PsSuspend

Microsoft provides no process-suspend utility like PsSuspend for pausing a process that’s using a resource

Memory

CPU

Network

Windows NT and 2000 have no “suspend process” capability, so PsSuspend suspends individual threads

BgInfo (Background Info)

If you manage more than a handful of systems, you’ve run into the “what machine is this” syndrome

BgInfo creates an auto-generated informative desktop background

System name

Memory

IP Address

OS version

Whatever you want!

Autoruns

There are almost 2-dozen places that can be used to configure automatically started applicationsAutoruns shows you all of the locations and displays programs configured to run in them

Double-click a folder or key to jump to it in Explorer or RegeditDouble-click a configured application to view its properties

Outline

About Sysinternals

Monitoring Tools

Systems Administration Tools

File-Related Tools

File-Related Tools

Contig

PageDefrag

Streams

Strings

Contig

Command-line Windows NT/Windows 2000/Windows XP file defragmenter

Useful for:Defragmenting specific files

Creating new contiguous files

Defragmenting entire disks

Uses Windows NT/Windows 2000/Windows XP defragmenting API, documented at Sysinternals

PageDefrag

Defragments paging files and Registry hives at boot time

Implemented as “native” application:Launched by Session Manager because listed in HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute value

Uses “native” API

Uses Contig defragmentation engine

Supports command-line options for scripted install

Streams

Streams, which require NTFS, used to be rarely usedNow there are several components that make use of them:

Services for MacintoshExplorer Viruses

Streams can search directories for files with streams and display their names

Strings

Some executables do not identify themselves with version information or descriptive namesStrings will look inside a file image for printable text that include:

Registry key and value namesDebug stringsFile names Internal build information

After Hours…

The Sysinternals Bluescreen Screen Saver

Check The Site Often…

There are updates, bug fixes, new tools and articles on a regular basis

I’m always open to tool suggestions

Sign up for the newsletter to get inside information on the tools and Windows internals

For More Info...Video: Inside Windows 2000 – An Interactive Tutorial (on DVD & Windows Media)

11 hours of instruction with hands-on lab exercises

Book: Inside Microsoft Windows 2000, Third Edition (Microsoft Press)

Class: Come to London Sep 23-25

Don’t forget to complete the on-line Session Feedback form on Attendee Web site

Community Resources

Community Resourceshttp://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)http://www.mvp.support.microsoft.com/

NewsgroupsConverse online with Microsoft Newsgroups, including Worldwidehttp://www.microsoft.com/communities/newsgroups/default.mspx

User GroupsMeet and learn with your peershttp://www.microsoft.com/communities/usergroups/default.mspx

evaluationsevaluations