The four reasons why I enjoy the Microsoft Sysinternals utilities so much are:

• They consume very little system resources
• They are self-contained—there is no installer and you can run the tools directly from USB media
• They are extremely well documented
• They are free!

What are the Sysinternals utilities, you ask? This is a collection of freeware Windows system tools originally developed by these two geniuses from Austin, Texas, Mark Russinovich and Bryce Cogswell. Microsoft bought the toolset (and company) from Russinovich and Cogswell in 2006 and took the men on as employees, where they continue to enhance the tools, write about them, and so forth.

Accessing the tools

You can find download links to the free Sysinternals tools all over the Internet. However, both for security’s sake, as well as my desire to obtain the latest bits for any software I install, I always download the utilities from Microsoft’s own site, live.sysinternals.com, shown in the screenshot below

The sysinternals app library

No, the live.sysinternals.com site isn’t anything pretty to look at, but the site hosts the latest versions of these tools, and they are so small that you can download and use them at any time on any Windows system with a single mouse click. Can’t beat that for convenience, can you?

If you want a “glossier” front end to the Sysinternals utilities, you can always visit the Windows Sysinternals home page at the Microsoft TechNet Web site.

Tool #1: Autoruns

The reason why I love Autoruns is that the tool provides clear insight into exactly which processes and services are set to auto-start on the target system. Thus, you can use Autoruns to quickly diagnose a slow or malware-infested system, and take corrective action directly from the interface.

Autoruns

Check out the Autoruns home page for full documentation on this wonderful utility.

Tool #2: Contig

Contig is a command-line file defragmenter. I use Contig on a regular basis to defragment my Microsoft Outlook .PST archive files. This tool really speeds up my Outlook performance, let me tell you!

Contig

You can learn everything you ever wanted to know about Contig by visiting the Contig documentation home page at TechNet.

Tool #3: Process Explorer

Like Autoruns, Process Explorer provides you with keen insight into what processes are running on the target system. However, Process Explorer lets you know what processes are currently in memory. Not only that, you also can display those processes in a tree view to determine parent-child relationships among those processes.

Process Explorer

The second thing I love about Process Explorer is the flexibility the tool gives you in managing running processes. As you can see in Figure 5, right-clicking on a process in the process list allows you not only to kill the process, but also kill the entire process tree, change runtime priority, debug the process, restart it, and so forth.

Process control options

Visit the Process Explorer home page for full documentation for this tool.

Tool #4: ZoomIt

Because I am a trainer, I do a lot of live presentations. To this end, it is oftentimes useful, if not absolutely required, that I make my screen readable to my students or attendees.

ZoomIt runs in the system tray and enables you to magnify your screen with a single keystroke. The default zoom toggle is Ctrl+1; however, as you can see in Figure 6, you can change the key binding to your preference.

ZoomIt, Zoom tab

Not only does ZoomIt allow you to quickly and easily zoom your display, but it also enables you to annotate, or mark up, your display!

ZoomIt, Draw tab

In my opinion ZoomIt is a required utility not only for technical trainers but for any IT professional who gives presentations.

Visit the ZoomIt home page for full usage instructions.

Conclusion

I hope that this piece “fired you up” with enthusiasm for the Windows Sysinternals utilities; they are really awesome. Although we focuses on just four tools in this article, I use almost every tool in the suite. However, if I were to select three runners-up, they would be:

• Bginfo: Create custom desktop backgrounds that display system information
• Desktops: Spawn up to four virtual desktops on your PC
• TCPView: I call this “netstat on steroids”

For Further Study

• Windows Sysinternals Home Page
• Windows Sysinternals Administrator’s Reference
• Windows Sysinternals Learning Resources
• Windows Sysinternals Tutorials

• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)
• FREE: Process Monitor – View file system, registry, and network activity (1)

Even though WSCC isn’t delivered with the Sysinternals or the NirSoft tools, you can use all these great free admin tools immediately without the need to download because WSCC just launches them through the web. For the bigger tools, this can increase the time it takes for the tool to start. However, if you launch the utility a second time while WSCC is still open, it will be loaded from a local cache. Of course, the launch speed depends on your available bandwidth.

If you prefer to store the tools of both suites locally, WSCC can download them all in one go and store them automatically in the correct folder. WSCC recognizes which tools are locally available when you start it. If you use WSCC’s integrated download feature, you might want to delete the zip files in the Data folder to save space on your USB stick.

The main advantage of launching the tools through the web is that you always automatically have the latest version. However, WSCC also has an update feature that allows you to check if any Sysinternals or NirSoft tools have been updated. This method also detects new tools.

It is also possible to combine both methods. That is, you can store your most important utilities locally and launch the tools you need only every now and then through the web. WSCC displays an icon in front of the tools that tells you whether the local or the online version will be launched.

Instead of downloading all tools at once, you can simply right-click a particular tool and then select “Check for updates.” This will “install” the tool locally if you didn’t download it yet.

Despite the fact that launching the online version can take more time, another downside of this method is that the help files are unavailable. For installed tools, a question mark symbol is displayed next to a short description of the tool.

Unfortunately, WSCC only supports Sysinternals and NirSoft; that is, you can’t add other admin tools to its interface. The reason for this is that only those tool suites offer a “web API.”

So what has WSCC to do with cloud computing? Well, I think, this tool demonstrates how future Windows versions could unite the cloud-based approach with the PC model. As I outlined in my Windows 8 wish list, this will only happen if Microsoft provides the corresponding streaming API that ensures that only those parts of an application that the user currently needs are downloaded.

Wouldn’t it be cool if all your Windows apps were available on every Windows PC you log on to? Well, you will have to wait some more time for this happen. In the meantime, you can at least launch your NirSoft and Sysinternals tools from the cloud conveniently with WSCC.

I have tested WSCC 1.8.9.4 on Windows Server 2003 and Vista. The tool didn’t work on Windows PE 3.

Windows System Control Center (WSCC)

• Raffle: ManageEngine Desktop Central – Part 2: Features (2)
• Raffle: ManageEngine Desktop Central – Part 1: Overview (0)
• FREE: Workspace Manager Express – A roaming user profiles alternative (0)
• Spiceworks installation guide (1)
• FREE: nspaces – Virtual Desktop Manager (3)

I added the tool to the 4sysops database of free admin utilities almost three years ago. Since Autoruns 10, which was released yesterday, is a major update I had a look at the new features. For those who don’t know this essential admin tool yet, here is the revised introduction of my original review:

Autoruns is the most comprehensive auto startup managing tool. Windows offers many options to auto-start applications, and Autoruns knows them all. Whenever I install a new application, the first thing I do when the setup program is finished is to launch Autoruns to see what startup programs have been added. Often they only eat resources and slow down the computer without being really useful. With Autoruns you can easily disable these startup programs and, if you realize later that you want to activate them again, it only costs you a mouse click.

I also launch Autoruns if I suspect that a computer has been infected with spyware. Many spyware programs are not smart enough to hide from Autoruns and can be easily removed with the tool.

The only disadvantage of Autoruns is its complexity. It displays so many different entries in numerous different locations that you easily lose track of things. However, in most cases it is enough to check the first five folders in the Everything tab, the Winlogon tab, the Scheduled Tasks tab, and the Services tab. The majority of startup programs can be found there.

Autoruns not only allows you to manage startup programs but also all kinds of additions that third-party applications have added to Windows. For example you can get an overview of Explorer extensions, codecs, and Sidebar gadgets. Since some startup program options are user dependent, you can switch the user account easily through the User menu.

Autoruns 10 on Windows PE 3.0

The most interesting new feature of Autoruns 10 is the ability to run the tool on Windows PE and scan startup programs of an offline Windows installation. I have tried Autoruns with Windows PE 3.0 and I just have one complaint. The default screen resolution of Windows PE is 800×600, and Autoruns is not really prepared for that. That is, even the smallest window size doesn’t fit completely on the screen. I recommend maximizing the Autoruns window because otherwise it is difficult to use the tool.

In most cases you don’t want to manage the startup programs of Windows PE but of the Windows version that is installed on the PC. You’ll find the new feature that allows you to scan an offline Windows installation in the File menu. All you have to do is specify the system root folder of the Windows installation and the profile path of the user account you want to examine.

Unfortunately, in my test the browse-to-folder function that enables you to navigate to the system root folder and user profile did not work in my test on Windows PE 3.0. I had to add the path manually. This feature worked flawlessly under Windows 7.

Another change in Autoruns 10 is that Windows entries are not displayed by default. In version 9 this feature was disabled by default. This certainly makes sense because in most cases you don’t want to mess with Windows startup programs.

The Sysinternals blog also mentions that .exe and .cmd extension handlers have been added. I suppose the author didn’t mean that Autoruns adds new handlers but that the tool is able to detect modifications by third-party applications. But since I am not sure exactly what this new feature does, and before I write something wrong, I am asking 4sysops readers for help.

Autoruns

• Raffle: ManageEngine Desktop Central – Part 2: Features (2)
• Raffle: ManageEngine Desktop Central – Part 1: Overview (0)
• FREE: Workspace Manager Express – A roaming user profiles alternative (0)
• Spiceworks installation guide (1)
• FREE: nspaces – Virtual Desktop Manager (3)

The size of the standalone tool is only 670KB, so you shouldn’t expect wonders. I tried Disk2vhd on a Windows 7 system. I encountered my first problem with it when I had to decide which partition to convert. My boot and my system partition are separated. I selected them both and Disk2vhd packed them in one VHD file without complaining. The result was that neither Virtual PC 2007 SP1 nor the successor Windows Virtual PC was able to recognize the VHD. I didn’t try it with Hyper-V, but, I guess, the result would have been the same. Perhaps, it would have worked If I ran the tool twice to create two separate VHD files. But I didn’t explore this path because I have a 64-bit system and Virtual PC doesn’t support 64-bit guests.

I then tried something different for which the tool was not really made for. I used it within a VMware Workstation virtual machine. Disk2vhd was indeed able to create a VHD from the VMDK disk. I could even write the VHD file to a shared drive on the host system. This probably means that the utility also supports network shares as destinations. Not every P2V tool has this feature. Unfortunately, I wasn’t able to boot with this VHD in Virtual PC 2007 SP1 and Windows Virtual PC. The virtual machine always hung. I then tried to boot in Safe Mode. Virtual PC was loading the drivers, but then the virtual machine hanged again. Syspreping the source VM didn’t help either, however, my guts tell me that this could work with a little more fiddling.

I admit my test Disk2vhd was not really fair. I suppose the tool works fine in common environments. Please share your experiences if you tried the tool already.

Disk2vhd

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)
• FREE: Process Monitor – View file system, registry, and network activity (1)

I don’t know how I could retype an address in the Windows help interface; however, I don’t think that would work, anyway. The cause of the problem is related to Vista’s “Preserve zone information in file attachment” feature, which is a security feature that ensures that downloaded files of certain types can’t be opened. The help files of Sysinternal tools are compiled HTML, which Vista considers a threat.

There are several ways to convince Vista that opening a Sysinternals help file is relatively safe. The easiest way is simply to unblock the .chm file in its properties menu (see screenshot). I like the explanation there: “This file came from another computer and might be blocked to help protect this computer.” I suppose most of the files on my computer come from another computer. I am glad that Vista doesn’t consider them a threat as well.

If you don’t want to be bothered by this problem again, you can just disable this zone information-in-file-attachment thing using the Group Policy Object editor (type “gpedit.msc” at the Start Search prompt). The setting can be found under User Configuration | Administrative Templates | Windows Components | Attachment Manager. Don’t forget to run gpupdate /force on the command prompt if you want the setting to take effect immediately.

Daniel Petri has described this Vista feature in more detail and offers two more methods for disabling it.

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• FREE: Process Monitor – View file system, registry, and network activity (1)

This well-known Microsoft tool was already in the 4sysops free admin tool list, but I decided to add a new entry because a new version is now available. The old post was also about Process Explorer, which I reviewed two years ago. I transferred your votes to these articles.

I guess that Process Monitor is in the tool box of many admins, because it is one of the most important troubleshooting tools. The old version, 1.37, allowed you to monitor file system and registry activity. The most important new feature of version 2.0 is that you can now also monitor the network activity of processes.

When you launch Process Monitor the first time, you will be overwhelmed by all the system activity. If you wonder, sometimes, why your computer is slow, you will get a better understanding after you see how many tasks a modern operating system has to perform, simultaneously.

To track down the cause of a malfunctioning program, it is essential that you utilize the powerful filter. If you already know the program that is causing the problem, you can restrict Process Monitor’s output to this program name. If the problem is a bit more complex, I usually enable the autoscroll feature and watch all system activity until something suspicious attracts my attention. Then, I limit the output with the filter by looking for common characteristics of the processes that interest me.

Another way to reduce the output is to let Process Monitor only display registry, file system, network, process and thread, or profiling events. You can use the icons on the right side of the toolbar for this purpose.

If you limit the output to network activity, you can try one of the new features of version 2.0. Process Monitor certainly can’t replace a network sniffing tool, but its filter can also be very useful for network-related troubleshooting. Enabling the Process and Thread option will track the creation and exit of processes and threats. Profiling scans all active threads and generates statistical data, such as the user time and the kernel time of the process.

New features in Process Monitor 2.6

The Sysinternals blog lists three new features: by-extension and by-directory views in the File Summary dialog; a new Network Summary view, quick filtering in all the summary views, and additional IOCTL and error-result decoding.

The File Summary dialog can be accessed from Procmon’s Tools menu. The File Summary gives an overview of the operating system’s file-related activities (see screenshot). Procmon 2.5 offers by-extension and by-directory views in addition to the by-path view found in version 2.0. These new views are quite useful for monitoring file activities because the files can be found much easier than in the by-path view. For example, to see if a certain directory has been accessed by an application, simply navigate to the corresponding folder in the by-directory view. Note that Procmon’s summary views only give an overview of recent changes and are not updated continually as they are in the main interface.

The new quick filtering features in the summary views are also useful, enabling the user to add new Procmon filters easily. For example, to add a filter that will limit the output to events that are related to a specific directory, simply double click on the corresponding folder in the File Summary.

I didn’t find any new features in the Network Summary view (except the aforementioned filter link). Perhaps the author of the Sysinternals blog post mistakenly thinks the Network Summary feature is new to version 2.5. I also didn’t find the new IOCTL (input-output-control) and error-result decoding features mentioned in the blog post. However, I might have missed something, so let me know if you find any new features.

Process Monitor

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

The directory only lists the DOS-style name of the Sysinternals tools. If you are not a Sysinternals geek, you will hardly find your way around in there. So what is the purpose of this? Well, you can launch the Sysinternals tools from the command prompt with \\live.sysinternals.com\tools\<toolname>. This is could be useful, if you work on a desktop where you don’t have your toolbox at hand.

But, on second thought, wouldn’t it be easier just to copy them all to a memory stick? It is not only more convenient to access the tools this way but also faster. The good thing about this directory is that I know now how much space the Sysinternals tools require. You won’t believe it, but it is just 23 MB. See how easy it is to get all this “Live experience” with a cheap USB stick? Now, before you start clicking to download them all, I suggest that you just map “Sysinternals Live” to a drive letter with \\live.sysinternals.com\tools\.

The reaction on the blogosphere was largely positive, but in my opinion Mark Russinovich is damaging the Live brand with something like this. I expect a little more from “Live” than a simple listing of a couple of tools. If Sysinternals Live would be a Silverlight app containing the documentation of all of the tools, then this would be something really cool.

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

TCPView lists the process, the local TCP port, the remote address and the state of the TCP connection. If you want to get more details about the program, for example where the exe file is located, you just have to right click and select “Process Properties”. You can also terminate a connection or end the process. There is a command line version of TCPView (Tcpvcon) which is similar to netstat. TCPView runs Windows Server 2008/Vista/NT/2000/XP and Windows 98/Me.

TCPView

• Poll: Are you currently using a monitoring solution? (11)
• FREE: Zenmap: Windows GUI for nmap (0)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)

Tools such as RunAsAdmin or RunAsLimitedUser allow you to run commands only with a certain account. Windows XP and Windows Server 2003 already have this run as option in the context menu of Windows Explorer. Microsoft removed it for some reason in Windows Vista and Server 2008. ShellRunas weeds out this mistake. You can use ShellRunas from Windows Explorer by right clicking on the application you want to start and then on “Run as different user”.

The most common use would be if you want to check whether a program works properly with certain credentials. Or you can use it if you need admin privileges of another Windows domain. ShellRunas works on the command prompt as well.

Before you can use the tool in Windows Explorer you have to run ShellRunas once from the command line with ShellRunas /reg. These are command line switches, the tool understands:

Usage: shellrunas [/reg | [/quietreg ] | /regnetonly [/quiet] | unreg | [/netonly] <program> <arguments>

/reg Registers ShellRunas shell context-menu entry

/regnetonly Registers Shell /netonly context-menu entry

Note: a command prompt will flash when the program starts

/unreg Unregisters ShellRunas shell context-menu entry

/quiet Register or unregisters ShellRunas shell context-menu entry without result dialog

/netonly Use if specified credentials are for remote access only

<program> Runs program with specified credentials and parameters

ShellRunas

• FREE: PhoneFactor – Mobile phone based two-factor authentication (1)
• How to disable USB drive use in an Active Directory domain (0)
• Service Account best practices – Part 2: Least Privilege implementation (0)
• Four fast ways to improve security in SQL Server 2008 R2 (12)
• Managed Service Accounts in Windows Server 2008 R2 (7)

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

The Sysinternals Troubleshooting Utilities for the various aspets of Windows administration. (Not only Procmon or Proc Explorer)

Sysinternals Suite

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

Process Monitor and Process Explorer

• Service Account best practices – Part 2: Least Privilege implementation (0)
• Service Account best practices Part 1: Choosing a Service Account (0)
• My favorite Sysinternals utilities (7)
• Raffle: VisualCron – An advanced task scheduler for Windows (0)
• AutoAdministrator 2.3 – Part 3: Remote execute: Programs, services, shutdown/reboot (0)

Process Explorer is certainly a must-have tool for any admin. I blogged about Process Explorer 10 a while ago. What I don’t like about it, is its sparse documentation. Some of the new features sound quite interesting, but searching for them in the Help file won’t reveal much in most cases. For example, I wanted to find out what “Show details for all processes elevation menu item on Vista” is supposed to mean. But my full text search for “elevation” got no hits.

By the way, I wasn’t able to view the Help file at all on my Vista machine. I only got “Navigation to the Web page was cancelled – What you can try: Retype the address”. Well, I didn’t type an address in the first place when I clicked on Help in Process Explorer, so I really don’t know what “retype” is supposed to mean here. Anyway, I was able to access Help on an XP machine.

One of the “new features” of Process Explorer 11 is that you can now launch it without elevating it. However, some of its most interesting functionality won’t be available then. For example, you won’t be able to view the handles and DLLs in the lower pane. So if you just double click on Process Explorer, its functionality will be reduced. To work with all its features under Vista, you have to right click on its icon and run it as administrator.

Another new feature is the “new tree list control for better UI responsiveness“. I don’t know exactly what is that supposed to mean. I realized, however, that the tree list doesn’t display the icons of the corresponding apps, anymore. This was always quite helpful in finding a program, quickly. On XP, the icons still show up, though.

Process Explorer

• Service Account best practices – Part 2: Least Privilege implementation (0)
• Service Account best practices Part 1: Choosing a Service Account (0)
• Dedicated Administrator Connection (DAC) in SQL Server 2008 R2 (3)
• My favorite Sysinternals utilities (7)
• Raffle: VisualCron – An advanced task scheduler for Windows (0)

I usually don’t worry so much about viruses and worms anymore because it seems to me that this threat is mostly under control nowadays. However, I always feel a bit uncomfortable when I think about rootkits. Viruses try to spread and often enough they damage their hosts, which makes them easier to detect. But rootkits just hide. It lies in their nature that you simply don’t know of them.

I just played a little with McAfee Rootkit Detective and it indeed found a couple of hidden registry entries and hooked services on my system. The hooked services belong to my Sunbelt Personal Firewall. I wasn’t able to track down the application that created the hidden registry keys, so I just deleted them all. Since this is a test system it is quite probable that they belong to spyware that was installed with one of the tools I tested.

Note that this was just a virtual machine and I created a snapshot before I deleted registry keys. If you intend to mess with the registry on one of your computers, I highly recommend creating a backup of the registry database before you do this even though McAfee Detective has an undo function. I like it that one can delete suspicious registry entries with McAfee Detective. This is an advantage over Sysinternals RootkitRevealer which I usually use when I am on the hunt for rootkits.

I don’t like the window size of Rootkit Detective though, it is quite small and one can’t resize it. So you always have to scroll to read the full path of a registry entry. Another downside of the tool is that it doesn’t support Vista. This is quite strange considering that it was just released recently.

What is your favorite rootkit hunting tool?

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

Process Monitor is probably the first tool you would pull out whenever an application runs amok. It helps you analyze the behavior of an app by monitoring its file system, Registry and process/thread activity. Version 1.21 supports XML export and Microsoft says that performance was improved and some bugs were fixed. However, I still have the problem that Process Monitor hangs on some Vista machines. It seems like I am not the only one who is affected by this bug. This is a serious one because you can’t shutdown Vista anymore once you launched Procmon. You have to pull the power plug!

TCPview is more or less a GUI version of the netstat tool that comes with Windows. It allows you to view TCP and UDP connections on your system. This is very useful if you want to find out to which remote systems an application is connecting. If you are afraid that you have been infected by spyware, then TCPview is the tool you should use to start analyzing your system. The most important new feature of TCPView 2.5 is that it now supports Vista including IPv6.

PSExec is my favorite tool to connect to a remote machine on the command line. It is comparable with telnet in the UNIX world. The good thing is that you don’t have to install anything on the host. You can also use the tool to remotely launch applications from the command line. The priority switch of PSExec v1.85 has the new background option which allows you to run an app with low memory and I/O priority on Vista machines.

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

He stated that Microsoft added “destructive filtering“. Well, I hope they didn’t because that certainly wouldn’t be a constructive contribution to the stability of my computer. However, when I first run it on my desktop I thought for a moment MS really did. Process Monitor hanged and I wasn’t able to close the program. Even killing its process didn’t help. I, then, tried to reboot my Vista machine. I waited for about 20 minutes, but Vista hanged, too. I had no other choice but to pull the power plug. After I rebooted, Process Monitor still showed the same behavior.

I tried the tool on two other Vista machines, and it worked there without problems. So, it seems like my desktop is just screwed up and MS didn’t add “destructive” filtering. The real name of the feature is non-destructive filtering and it’s not new because the predecessors of version 1.2 already supported it. It just means that Process Monitor’s filters only affect the display of events, but not the event data itself. So it is not really revolutionary.

Process Monitor 1.2 has some new features, though. You can now open log files on a 64 bit machine that were generated on a 32 bit system. Process Monitor has the new switch “/run32” for this purpose which does nothing else than run the 32 bit version of the tool. Well, that’s not really exciting either, is it?

There is another new feature that sounds interesting in the SearchWinIT article:

Also included in the latest version is a feature that lets users better see how each process is running during an activity trace by showing a graph for each one.

Unfortunately, Procmon 1.2 doesn’t really allow you to “see how each process is running” (whatever that is supposed to mean). It only displays the activity span for each process (see screenshot) in the Process Activity Summary window (formerly called Process Summary). So this feature only gives you some limited information about the process’ activity during a certain time span. I suppose, I won’t need this feature either. Would you?

I found a third new feature which the SearchWinIT article doesn’t mention. In the tools menu, there is new the new point “Activity Summary“. I must admit, I don’t really understand the purpose of this feature. It is a graphical representation of the overall process activity based on the number of events or the elapsed time. I wasn’t able to find something about this in the help file.

I will just continue using Process Monitor 1.12. If the author of the article, whose name is SearchWinIT.com staff, didn’t just try to repeat what a marketing guy from Microsoft told him/her/it, but wrote a real review about Procmon’s new features, I probably wouldn’t have downloaded the new version.

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

The latter feature is quite helpful, if you have to edit the same object frequently. Active Directory Explorer allows you to add favorites for this purpose.

Creating a snapshot of the AD database can be done with just a mouse click. This is fast and easy compared to creating snapshots with ntdsutil in Windows Server 2008. However, as far as I know, you can’t use the snapshots created with Active Directory Explorer as backup. You only can browse and search in those snapshots.

It is also possible to compare two snapshots. This is useful if you want to know which changes have been made to the AD database by an application, for example. You can restrict the comparison to certain objects and attributes. Unfortunately, AD Explorer doesn’t allow you to save or to export the output.

AD Explorer has one major shortcoming compared with ADSIedit. It seems one can’t modify attributes with empty values. If Bryce Cogswell and Mark Russinovich add this feature in the next version of this nifty utility, you won’t need ADSI Edit anymore.

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)

Process Monitor is a free tool that allows you to monitor in real-time file system, registry and process/thread activity. According to the SearchWinIT article, Process Monitor 1.12 has a new tool bar and you can now cancel a search process. However, the most interesting new feature certainly is the boot logging feature. It enables you to analyze a Windows system that is having problems during the boot process.

You can enable boot logging by selecting the corresponding menu point under Options. When you boot Windows the next time, Process Monitor will log all system activity. You can then save the log file in the process monitor format (pfl) when you start the monitoring tool after the reboot. This file can be opened with Process Monitor for later analysis. It is then also possible to save log files in CSV format if you want to use another tool to analyze system activity.

• Poll: Are you currently using a monitoring solution? (11)
• SCOM 2012 review – Part 8: Dashboards (0)
• SCOM 2012 review – Part 7: Linux and JEE monitoring (4)
• Notifications and Custom Commands in Nagwin/Nrpe (0)
• SCOM 2012 review – Part 6: Application Performance Monitoring (APM) (1)

Here is a list with short description of each command:

• PsExec – execute processes remotely
• PsFile – shows files opened remotely
• PsGetSid – display the SID of a computer or a user
• PsInfo – list information about a system
• PsKill – kill processes by name or process ID
• PsList – list detailed information about processes
• PsLoggedOn – see who’s logged on locally and via resource sharing (full source is included)
• PsLogList – dump event log records
• PsPasswd – changes account passwords
• PsService – view and control services
• PsShutdown – shuts down and optionally reboots a computer
• PsSuspend – suspends processes

• My favorite Sysinternals utilities (7)
• FREE: Windows System Control Center – Launch Sysinternals and NirSoft tools from the web (2)
• FREE: Autoruns – Manage Windows startup programs (0)
• FREE: Disk2vhd – A simple P2V tool that creates VHDs for Hyper-V and Virtual PC (9)
• Help in Sysinternals tool says “Navigation to the webpage was canceled” (7)