ADM291
A Tour of Sysinternals Tools
Mark Russinovich
Winternals Software
About The Speaker
Co-author of Inside Windows 2000, 3rd Ed. (Microsoft Press) with David Solomon
Contributing Editor and NTInternals columnist for Windows and .NET Magazine
Creator of www.sysinternals.com
Co-founder and chief software architect of Winternals Software (www.winternals.com)
Co-creator of Inside Windows 2000—An interactive internals tutorial (on DVD & streaming Windows media)
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File System Tools
About Sysinternals
Started with NTFSDOS, Regmon and Filemon hosted on Andrew Schulman’s site in mid-1996
www.ntinternals.com went live in late 1996
Under a dozen tools
1500 unique visitors/day
Sysinternals Today
Interesting statistics:
75 tools, 2-dozen technical articles
25,000 unique visitors/day
30,000 downloads/day (4 GB of data)
150,000 unique visitors/month
36,000 newsletter subscribers
Almost 4-dozen KB-article references
Everything on the site is freeware
Can’t redistribute without a license
Source code is licensed for use in commercial products
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools
Monitoring
Filemon
Regmon
Process Explorer
TCPView
Filemon/Regmon
Watch all file system or Registry accesses in real-time
Ideal for troubleshooting broken application installations
Useful for developers tracking down bugs or performance tuning file system access
Work on all Windows® OSs, including 64-bit Windows XP
Used extensively within Microsoft
PSS
Windows XP Application Compatibility
Microsoft® Office 2000
Using Filemon/Regmon
Requires no install or reboot
Just start using them
Includes filters for including, excluding, and highlighting output
Can’t include/exclude filter result codes on Filemon for WinNT/2K/XP
Requires admin privilege to run
Trick: run once as admin and then you can use them as unprivileged users
How Filemon Works
Filemon uses a driver to intercept file I/O access
A VxD on Windows 9x/Me
A “file system filter driver” on Windows NT®/Windows 2000/Windows XP
[Diagram: Application and Filemon GUI in user mode; the Filemon driver sits above the file system driver in kernel mode and sees every file I/O request]
How Regmon Works
Regmon uses a driver to intercept Registry operations
A “hook” VxD on Windows 9x/Me
A system-call intercepting driver on Windows NT/Windows 2000/Windows XP
[Diagram: Application and Regmon GUI in user mode; the Regmon driver sits between the application’s system calls and the Registry subsystem in kernel mode]
Process Explorer
Process Explorer (formerly HandleEx) starts where Task Manager ends:
See detailed information about running processes, including their paths and command-lines
Description of EXE
SID from process security token
View the DLLs processes have loaded, including version numbers
See what handles processes have opened
Examine services running within service processes
Process Explorer works on all Windows platforms
Common Process Explorer Uses
Detect DLL versioning problems
Compare the output from a “good” system with that of a “broken” system
Use the search feature to determine what process is holding a file or directory open
View the state of synchronization objects (mutexes, semaphores, events)
Detect handle leaks using refresh difference highlighting
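The refresh-difference idea on this slide is plain set arithmetic over successive handle snapshots: whatever is in the new refresh but not the old one is a newly opened handle, and the reverse is a closed one. The Python below is an added example, not Process Explorer code, and it works on constructed snapshots (the pids, handle values and object names are made up) rather than live handle tables; it also adds a simple leak heuristic that flags a process whose handle count rises on every one of the last few refreshes without ever dropping, which is what a leaking process looks like when you watch the highlighted rows.

```python
from typing import Dict, List, Set, Tuple

# One open handle as a handle viewer would list it:
# (handle value, object type, object name). Values here are constructed.
Handle = Tuple[int, str, str]
# One refresh: process id -> the set of handles it has open.
Snapshot = Dict[int, Set[Handle]]


def diff_snapshots(prev: Snapshot, curr: Snapshot) -> Tuple[Dict[int, Set[Handle]], Dict[int, Set[Handle]]]:
    """Per-pid sets of handles opened and closed between two refreshes.

    Entries only in curr are the newly opened handles (the ones difference
    highlighting would colour), entries only in prev were closed meanwhile.
    """
    pids = set(prev) | set(curr)
    opened = {pid: curr.get(pid, set()) - prev.get(pid, set()) for pid in pids}
    closed = {pid: prev.get(pid, set()) - curr.get(pid, set()) for pid in pids}
    return opened, closed


def suspected_leaks(snapshots: List[Snapshot], min_refreshes: int = 3) -> List[int]:
    """Pids whose handle count rose on each of the last min_refreshes refreshes.

    A process that opens handles and never closes them shows a strictly
    increasing count; one that merely churns handles goes up and down and
    is not reported. Needs min_refreshes + 1 snapshots to decide.
    """
    if len(snapshots) < min_refreshes + 1:
        return []
    leaks = []
    for pid in snapshots[-1]:
        counts = [len(s.get(pid, set())) for s in snapshots[-(min_refreshes + 1):]]
        if all(later > earlier for earlier, later in zip(counts, counts[1:])):
            leaks.append(pid)
    return sorted(leaks)


def build_sample_snapshots() -> List[Snapshot]:
    """Four constructed refreshes: pid 1234 opens one more log file on every
    refresh and closes none; pid 5678 acquires and releases a mutex."""
    snapshots = []
    for refresh in range(4):
        leaky = {(0x10, "Key", r"HKLM\SOFTWARE\ExampleApp")}
        leaky |= {(0x100 + 4 * n, "File", rf"C:\logs\app{n}.log") for n in range(refresh + 1)}
        churny = {(0x20, "Event", r"\BaseNamedObjects\ExampleEvent")}
        if refresh % 2 == 1:
            churny.add((0x24, "Mutant", r"\BaseNamedObjects\ExampleMutex"))
        snapshots.append({1234: leaky, 5678: churny})
    return snapshots


if __name__ == "__main__":
    snaps = build_sample_snapshots()
    opened, closed = diff_snapshots(snaps[0], snaps[1])
    for pid in sorted(opened):
        print(f"pid {pid}: opened {sorted(opened[pid])}, closed {sorted(closed[pid])}")
    print("suspected handle leaks:", suspected_leaks(snaps))
```

On the constructed data only pid 1234 is reported: its count goes 2, 3, 4, 5 across the four refreshes, while pid 5678 alternates 1, 2, 1, 2 and is correctly left alone. A real leak hunt works the same way, just with the refresh interval chosen long enough that normal handle churn averages out.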
How Process Explorer Works
Uses undocumented functions for:
Enumerating loaded modules with full path names
Enumerating processes and handles
Obtains handle names using the aid of a driver
Related Tools:
Handle – command-line handle viewer
Listdlls – command-line DLL viewer
TCPView
GUI version of Netstat
Works on all Windows platforms
Lists active TCP and UDP endpoints
Shows endpoint owner on Windows NT/2000/Windows XP/.NET Server
Includes auto-refresh and difference highlighting
You can close established TCP/IP connections
Works using documented and undocumented IPHelper library functions
Other Monitoring Tools
DebugView – Monitor application debug output
Diskmon – Monitor hard disk activity
Pmon – Monitor process and thread activity
Portmon – Monitor serial and parallel port traffic
Tokenmon – Monitor security-related activity
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools
Systems Administration
PsTools
PsList
PsKill
PsInfo
PsLogList
PsService
PsExec
PsSuspend
More…
BgInfo
Autoruns
PsTools
PsTools consists of a total of 11 tools
They all work on Windows NT/Windows 2000/Windows XP
They all work remotely as well as locally
None require manual remote software installation
Where’d the “Ps” come from?
The UNIX process listing tool is named “ps”
The first PsTool was a UNIX “ps”-equivalent, PsList
PsList
View detailed information about running processes
Similar to tlist and pulist
Default view is mix of CPU and memory information
Other views show thread details, memory details, or full information
Use the -s switch to run it in a Task Manager-type mode
Works using the performance counter API
WMI is only available by default on Windows 2000/Windows XP, not on Windows NT 4
PsKill
The perfect complement to PsList is PsKill
Similar to Resource Kit Kill and Remote Kill
See a process running on a remote (or local) system with PsList, kill it with PsKill
Unlike Task Manager, PsKill lets you kill any process if you’re an admin
Uses “Debug” privilege
Uses auto-installed remote service and TerminateProcess API
PsInfo
Get detailed information about a system
OS version: type (pro, server, etc.)
Service Pack
Hot-fixes
CPU and memory
Uptime
Volume information
Uses documented APIs:
Registry (remote, if applicable)
WMI for XP product activation query
PsLogList
Dump and optionally clear event logs
Like eloglist from the Resource Kit
PsLogList lets you dump logs using alternate credentials
Gets event strings from remote system
Like eloglist, dumps in tab-delimited format for easy import into spreadsheets
Has extensive support for filtering on record type and date range
Uses documented Event Log APIs, which work remotely
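Once the log is in tab-delimited form, the record-type and date-range filtering the slide mentions is straightforward to do on the dump itself, which is handy when you want to post-process logs collected from many machines in one place. The Python below is an added example and not part of PsLogList or the Resource Kit: the sample dump is constructed, and its column layout (Record, Time, Type, Source, EventID, Message) is this example’s own assumption rather than PsLogList’s documented output format, so adjust the header line to match whatever your dump actually contains.

```python
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed tab-delimited dump standing in for a PsLogList export. The
# column order is an assumption of this example, not PsLogList's format.
SAMPLE_DUMP = "\n".join([
    "Record\tTime\tType\tSource\tEventID\tMessage",
    "1001\t2002-09-20 08:15:02\tInformation\tService Control Manager\t7036\tThe Print Spooler service entered the running state.",
    "1002\t2002-09-20 09:42:17\tError\tDisk\t51\tAn error was detected on \\Device\\Harddisk0 during a paging operation.",
    "1003\t2002-09-21 10:03:55\tWarning\tW32Time\t36\tThe time service has not been able to synchronize the system time.",
    "1004\t2002-09-22 23:59:59\tError\tApplication Popup\t26\tApplication popup: app.exe - Application Error.",
    "1005\t2002-09-23 00:00:01\tInformation\tEventLog\t6005\tThe Event log service was started.",
])

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_time(text: str) -> datetime:
    """Accept either a full timestamp or a bare date (taken as midnight)."""
    for fmt in (TIME_FORMAT, "%Y-%m-%d"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised time: {text!r}")


def parse_dump(text: str) -> List[Dict[str, object]]:
    """Parse a tab-delimited dump into records; Time becomes a datetime, numbers become ints."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    records: List[Dict[str, object]] = []
    for row in reader:
        rec: Dict[str, object] = dict(row)
        rec["Time"] = parse_time(row["Time"])
        rec["EventID"] = int(row["EventID"])
        rec["Record"] = int(row["Record"])
        records.append(rec)
    return records


def filter_records(records: List[Dict[str, object]],
                   types: Optional[Set[str]] = None,
                   after: Optional[str] = None,
                   before: Optional[str] = None) -> List[Dict[str, object]]:
    """Keep records whose Type is in `types` (if given) and whose Time lies in [after, before] (inclusive)."""
    lo = parse_time(after) if after else None
    hi = parse_time(before) if before else None
    kept = []
    for rec in records:
        when = rec["Time"]
        if types is not None and rec["Type"] not in types:
            continue
        if lo is not None and when < lo:
            continue
        if hi is not None and when > hi:
            continue
        kept.append(rec)
    return kept


def count_by_source(records: List[Dict[str, object]]) -> Dict[str, int]:
    """How many records each event source contributed; a quick way to spot a noisy component."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["Source"]] = counts.get(rec["Source"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for rec in filter_records(recs, types={"Error", "Warning"}, after="2002-09-21"):
        print(rec["Record"], rec["Time"], rec["Type"], rec["Source"], rec["EventID"])
    print(count_by_source(recs))
```

Both range bounds are inclusive, so a dump whose last record is stamped 23:59:59 is still picked up by a `before` of that same day; that edge is worth checking whenever you compare counts from a filtered dump against what the Event Viewer shows.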
PsService
Control Win32® services
Like the Resource Kit’s and XP/Server 2003’s SC
Unlike SC, doesn’t make you remember and manually specify a “resume handle”
Same syntax as SC
Omits several esoteric SC options
Search the network for active instances of a service
Uses documented Service Control Manager APIs, which work remotely
PsExec
Remotely execute programs
Executes console programs interactively
Allows you to start programs as yourself, in alternate user credentials, or in the System account
With PsExec you can:
Launch a remote command prompt to effect a light-weight telnet
Remote-enable “local only” command-line tools like IpConfig
Uses auto-installed remote service
PsExec
Options of interest include:
-s: Run in System account (instead of account of user running PsExec)
-i: Show GUI windows on interactive console
-d: Don’t wait for remote process to terminate
-c: Copy an executable to the remote system
PsSuspend
Microsoft provides no process-suspend utility like PsSuspend for pausing a process that’s using a resource
Memory
CPU
Network
Windows NT and 2000 have no “suspend process” capability, so PsSuspend suspends individual threads
BgInfo (Background Info)
If you manage more than a handful of systems, you’ve run into the “what machine is this” syndrome
BgInfo creates an auto-generated informative desktop background
System name
Memory
IP Address
OS version
Whatever you want!
Autoruns
There are almost 2-dozen places that can be used to configure automatically started applications
Autoruns shows you all of the locations and displays programs configured to run in them
Double-click a folder or key to jump to it in Explorer or Regedit
Double-click a configured application to view its properties
Outline
About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools
File-Related Tools
Contig
PageDefrag
Streams
Strings
Contig
Command-line Windows NT/Windows 2000/Windows XP file defragmenter
Useful for:Defragmenting specific files
Creating new contiguous files
Defragmenting entire disks
Uses Windows NT/Windows 2000/Windows XP defragmenting API, documented at Sysinternals
PageDefrag
Defragments paging files and Registry hives at boot time
Implemented as “native” application:
Launched by Session Manager because listed in HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute value
Uses “native” API
Uses Contig defragmentation engine
Supports command-line options for scripted install
Streams
Streams, which require NTFS, used to be rarely used
Now there are several components that make use of them:
Services for Macintosh
Explorer
Viruses
Streams can search directories for files with streams and display their names
Strings
Some executables do not identify themselves with version information or descriptive names
Strings will look inside a file image for printable text that includes:
Registry key and value names
Debug strings
File names
Internal build information
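The technique behind a strings scanner is simple enough to show in full: slide over the file image looking for runs of printable characters at least N long, once for plain ASCII and once for the two-bytes-per-character UTF-16LE encoding that Windows programs use for their resource and Registry strings. The Python below is an added example, not the Sysinternals Strings tool; the "file image" it scans is a constructed byte string with a DOS header stub, some binary filler and a handful of embedded strings, and the minimum length of 4 is this example’s own choice.

```python
import re
from typing import List, Tuple

# Printable 7-bit ASCII is space (0x20) through tilde (0x7e).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]+")
# UTF-16LE text from the same range looks like <printable byte><0x00> repeated.
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00)+")


def extract_strings(image: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least min_len characters.

    Both encodings are scanned over the whole image and the hits are merged
    in offset order, so output reads top to bottom like a file listing.
    """
    found: List[Tuple[int, str, str]] = []
    for m in _ASCII_RUN.finditer(image):
        if len(m.group()) >= min_len:
            found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16LE_RUN.finditer(image):
        text = m.group().decode("utf-16-le")
        if len(text) >= min_len:
            found.append((m.start(), "utf-16le", text))
    found.sort(key=lambda hit: hit[0])
    return found


def build_sample_image() -> bytes:
    """Constructed stand-in for an EXE image: header stub, filler and embedded strings."""
    parts = [
        b"MZ\x90\x00\x03\x00\x00\x00",            # DOS header stub ("MZ" alone is too short to report)
        b"\x00" * 16,                             # binary filler
        b"Software\\Contoso\\ExampleApp",          # a Registry key path, ASCII
        b"\x00\x01\x02\x03\xff\xfe",               # more filler
        "Build 1234 (debug)".encode("utf-16-le"), # internal build string, UTF-16LE
        b"\x00\x00",
        b"C:\\temp\\trace.log",                    # a file name, ASCII
        b"\x7f\x80",
        b"ok",                                    # printable but shorter than min_len
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(build_sample_image()):
        print(f"{offset:08x}  {encoding:8s}  {text}")
```

Scanning the two encodings separately matters: the UTF-16LE build string above is invisible to the ASCII pass (every other byte is a NUL, so it only yields one-character runs), which is exactly why an ASCII-only scanner misses most of the identifying text in a Windows binary.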
After Hours…
The Sysinternals Bluescreen Screen Saver
Check The Site Often…
There are updates, bug fixes, new tools and articles on a regular basis
I’m always open to tool suggestions
Sign up for the newsletter to get inside information on the tools and Windows internals
For More Info...
Video: Inside Windows 2000 – An Interactive Tutorial (on DVD & Windows Media)
11 hours of instruction with hands-on lab exercises
Book: Inside Microsoft Windows 2000, Third Edition (Microsoft Press)
Class: Come to London Sep 23-25
Don’t forget to complete the on-line Session Feedback form on Attendee Web site
Community Resources
Community Resources
http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
http://www.mvp.support.microsoft.com/
Newsgroups
Converse online with Microsoft Newsgroups, including Worldwide
http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
Meet and learn with your peers
http://www.microsoft.com/communities/usergroups/default.mspx