[General]
SoftwareCount=76
GroupCount=7
Name=Sysinternals Suite

[Group0]
name=File and Disk Utilities

[Group1]
name=Networking Utilities

[Group2]
name=Process Utilities

[Group3]
name=Security Utilities

[Group4]
name=System Information Utilities

[Group5]
name=Miscellaneous Utilities

[Group6]
name=All Utilities
ShowAll=1

[Software0]
exe=accesschk.exe
exe64=accesschk64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
group=3
Name=AccessChk
AppName=AccessChk
ShortDesc=Shows accesses the user or group has to files, Registry keys or Windows services
LongDesc=As part of ensuring that they've created a secure environment, Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

[Software1]
exe=AccessEnum.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/AccessEnum
group=3
Name=AccessEnum
AppName=AccessEnum
ShortDesc=Shows who has what access to directories, files and Registry keys on your systems
LongDesc=While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary.

[Software2]
exe=ADExplorer.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer
group=1
Name=ADExplorer
AppName=ADExplorer
ShortDesc=Advanced Active Directory (AD) viewer and editor
LongDesc=Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute. AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. When you load a saved snapshot, you can navigate and explore it as you would a live database. If you have two snapshots of an AD database you can use AD Explorer's comparison functionality to see what objects, attributes and security permissions changed between them.

[Software3]
exe=ADInsight.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/adinsight
group=1
Name=ADInsight
AppName=ADInsight
ShortDesc=LDAP (Light-weight Directory Access Protocol) real-time monitoring tool
LongDesc=ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems. ADInsight uses DLL injection techniques to intercept calls that applications make in the Wldap32.dll library, which is the standard library underlying Active Directory APIs such as ldap and ADSI. Unlike network monitoring tools, ADInsight intercepts and interprets all client-side APIs, including those that do not result in transmission to a server. ADInsight monitors any process into which it can load its tracing DLL, which means that it does not require administrative permissions; however, if run with administrative rights, it will also monitor system processes, including Windows services.
[Software4]
exe=adrestore.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/adrestore
group=1
Name=ADRestore
AppName=ADRestore
ShortDesc=Undeletes Server 2003 Active Directory objects
LongDesc=Windows Server 2003 introduces the ability to restore deleted ("tombstoned") objects. This simple command-line utility enumerates the deleted objects in a domain and gives you the option of restoring each one. For a description of the use of AdRestore there is a link on the website.

[Software5]
exe=Autologon.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/Autologon
group=3
Name=Autologon
AppName=Autologon
ShortDesc=Bypasses password screen during logon
LongDesc=Autologon enables you to easily configure Windows' built-in autologon mechanism. Instead of waiting for a user to enter their name and password, Windows uses the credentials you enter with Autologon, which are encrypted in the Registry, to log on the specified user automatically. Autologon is easy enough to use. Just run autologon.exe, fill in the dialog, and hit Enable. To turn off auto-logon, hit Disable. Also, if the shift key is held down before the system performs an autologon, the autologon will be disabled for that logon. You can also pass the username, domain and password as command-line arguments.

[Software6]
exe=autoruns.exe
exe64=autoruns64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
group=4
Name=Autoruns
AppName=Autoruns
ShortDesc=Shows what programs are configured to run during system bootup or login
LongDesc=This utility shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities. Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system, and it has support for looking at the auto-starting images configured for other accounts configured on a system. Also included in the download package is a command-line equivalent that can output in CSV format, Autorunsc.

[Software7]
exe=autorunsc.exe
exe64=autorunsc64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
group=4
Name=Autoruns Command-line
AppName=Autoruns Command-line
ShortDesc=Shows what programs are configured to run during system bootup or login. Command-line version
LongDesc=This utility shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities. Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party auto-starting images that have been added to your system, and it has support for looking at the auto-starting images configured for other accounts configured on a system. Autorunsc is the command-line version of Autoruns that can output in CSV format.
[Software8]
exe=Bginfo.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo
group=5
Name=BGInfo
AppName=BGInfo
ShortDesc=Displays relevant information about a Windows computer on the desktop background
LongDesc=How many times have you walked up to a system in your office and needed to click through several diagnostic windows to remind yourself of important aspects of its configuration, such as its name, IP address, or operating system version? If you manage multiple computers you probably need BGInfo. It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more. You can edit any field as well as the font and background colors, and can place it in your startup folder so that it runs every boot, or even configure it to display as the background for the logon screen.

[Software9]
exe=Cacheset.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/cacheset
group=0
Name=CacheSet
AppName=CacheSet
ShortDesc=Allows you to control the Cache Manager's working set size
LongDesc=CacheSet is an applet that allows you to manipulate the working-set parameters of the system file cache. Unlike CacheMan, CacheSet runs on all versions of NT and will work without modifications on new Service Pack releases. In addition to providing you the ability to control the minimum and maximum working set sizes, it also allows you to reset the Cache's working set, forcing it to grow as necessary from a minimal starting point. Also unlike CacheMan, changes made with CacheSet have an immediate effect on the size of the Cache.
[Software10]
exe=Clockres.exe
exe64=Clockres64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/clockres
group=4
Name=ClockRes
AppName=ClockRes
ShortDesc=Views resolution of the system clock
LongDesc=Ever wondered what the resolution of the system clock was, or perhaps the maximum timer resolution that your application could obtain? The answer lies in a simple function named GetSystemTimeAdjustment, and the ClockRes applet performs the function and shows you the result.

[Software11]
exe=Contig.exe
exe64=Contig64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/contig
group=0
Name=Contig
AppName=Contig
ShortDesc=Contig is a utility that defragments a specified file or files.
LongDesc=There are a number of NT disk defraggers on the market. These tools are useful for performing a general defragmentation of disks, but while most files are defragmented on drives processed by these utilities, some files may not be. Contig is a single-file defragmenter that attempts to make files contiguous on disk. It's perfect for quickly optimizing files that are continuously becoming fragmented, or that you want to ensure are in as few fragments as possible.

[Software12]
exe=Coreinfo.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/coreinfo
group=4
Name=Coreinfo
AppName=Coreinfo
ShortDesc=Shows CPU caps and memory topology
LongDesc=Coreinfo is a command-line utility that shows you the mapping between logical processors and the physical processor, NUMA node, and socket on which they reside, as well as the caches assigned to each logical processor. It uses the Windows GetLogicalProcessorInformation function to obtain this information and prints it to the screen, representing a mapping to a logical processor with an asterisk, e.g. '*'. Coreinfo is useful for gaining insight into the processor and cache topology of your system.
[Software13]
exe=ctrl2cap.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/ctrl2cap
group=5
Name=Ctrl2Cap
AppName=Ctrl2Cap
ShortDesc=Kernel-mode driver that demonstrates keyboard input filtering just above the keyboard class driver in order to turn caps-locks into control keys
LongDesc=Ctrl2Cap is a kernel-mode device driver that filters the system's keyboard class driver in order to convert caps-lock characters into control characters. People that migrated to NT from UNIX are used to having the control key located where the caps-lock key is on the standard PC keyboard, so a utility like this is essential for our editing well-being. Install Ctrl2Cap by running the command "ctrl2cap /install" from the directory into which you've unzipped the Ctrl2Cap files. To uninstall, type "ctrl2cap /uninstall".

[Software14]
exe=Dbgview.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/debugview
group=5
Name=DebugView
AppName=DebugView
ShortDesc=Monitors debug output on your local system or any computer on the network
LongDesc=DebugView is an application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP. It is capable of displaying both kernel-mode and Win32 debug output, so you don't need a debugger to catch the debug output your applications or device drivers generate, nor do you need to modify your applications or drivers to use non-standard debug output APIs.

[Software15]
exe=Desktops.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/desktops
group=5
Name=Desktops
AppName=Desktops
ShortDesc=Organizes your applications on up to four virtual desktops
LongDesc=Desktops allows you to organize your applications on up to four virtual desktops. Read email on one, browse the web on the second, and do work in your productivity software on the third, without the clutter of the windows you're not using. After you configure hotkeys for switching desktops, you can create and switch desktops either by clicking on the tray icon to open a desktop preview and switching window, or by using the hotkeys.

[Software16]
exe=diskext.exe
exe64=diskext64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/diskext
group=0
Name=DiskExt
AppName=DiskExt
ShortDesc=Displays volume disk-mappings
LongDesc=DiskExt demonstrates the use of the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS command that returns information about what disks the partitions of a volume are located on (multipartition disks can reside on multiple disks) and where on the disk the partitions are located.

[Software17]
exe=Diskmon.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/diskmon
group=0
Name=DiskMon
AppName=DiskMon
ShortDesc=Captures all hard disk activity
LongDesc=DiskMon is an application that logs and displays all hard disk activity on a Windows system. You can also minimize DiskMon to your system tray where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity.

[Software18]
exe=DiskView.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/diskview
group=0
Name=DiskView
AppName=DiskView
ShortDesc=Views disk usage by directory
LongDesc=DiskView shows you a graphical map of your disk, allowing you to determine where a file is located or, by clicking on a cluster, seeing which file occupies it. Double-click to get more information about a file to which a cluster is allocated.

[Software19]
exe=du.exe
exe64=du.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/du
group=0
Name=DiskUsage
AppName=DiskUsage
ShortDesc=Reports disk space usage for the specified directory
LongDesc=Du (disk usage) reports the disk space usage for the directory you specify. By default it recurses directories to show the total size of a directory and its subdirectories.
[Software20]
exe=efsdump.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/efsdump
group=0
Name=EFSDump
AppName=EFSDump
ShortDesc=Views encrypted files information
LongDesc=Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one, QueryUsersOnEncryptedFile, that lets you see who has access to encrypted files. This applet uses the API to show you what accounts are authorized to access encrypted files.

[Software21]
exe=handle.exe
exe64=handle64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/handle
group=2
Name=Handle
AppName=Handle
ShortDesc=Shows what files are open by which processes
LongDesc=Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program. You can also get a GUI-based version of this program, Process Explorer, here at Sysinternals.

[Software22]
exe=hex2dec.exe
exe64=hex2dec64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/hex2dec
group=5
Name=Hex2dec
AppName=Hex2dec
ShortDesc=Converts a hexadecimal number to decimal and vice versa
LongDesc=Tired of running Calc every time you want to convert a hexadecimal number to decimal? Now you can convert hex to decimal and vice versa with this simple command-line utility.

[Software23]
exe=junction.exe
exe64=junction64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/junction
group=0
Name=Junction
AppName=Junction
ShortDesc=Creates NTFS symbolic links
LongDesc=Windows 2000 and higher supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Windows. Unfortunately, Windows comes with no tools for creating junctions - you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Windows' Remote Storage Service (RSS), as well as volume mount points.

[Software24]
exe=ldmdump.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/ldmdump
group=0
Name=LDMDump
AppName=LDMDump
ShortDesc=Dumps contents of Logical Disk Manager on-disk database
LongDesc=Windows 2000 introduces a new type of disk partitioning scheme that is managed by a component called the Logical Disk Manager (LDM). Basic disks implement standard DOS-style partition tables, whereas Dynamic disks use LDM partitioning. LDM partitioning offers several advantages over DOS partitioning, including replication across disks and on-disk storage of advanced volume configuration (spanned volumes, mirrored volumes, striped volumes and RAID-5 volumes). My March/April two-part series on Windows NT/2000 storage management in Windows 2000 Magazine describes the details of each partitioning scheme. Other than the Disk Management MMC snap-in and a tool called dmdiag in the Windows 2000 Resource Kit, there are no tools for investigating the internals of the LDM on-disk database that describes a system's partitioning layout. LDMDump is a utility that lets you examine exactly what is stored in a disk's copy of the system LDM database. LDMDump shows you the contents of the LDM database private header, table-of-contents, and object database (where partition, component and volume definitions are stored), and then summarizes its findings with partition table and volume listings.

[Software25]
exe=Listdlls.exe
exe64=Listdlls64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/listdlls
group=2
Name=ListDLLs
AppName=ListDLLs
ShortDesc=Lists all the DLLs that are currently loaded, including where they are loaded and their version numbers
LongDesc=ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs loaded into all processes, into a specific process, or to list the processes that have a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their digital signature, and can be used to scan processes for unsigned DLLs.

[Software26]
exe=livekd.exe
exe64=livekd64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/livekd
group=4
Name=LiveKd
AppName=LiveKd
ShortDesc=Uses Microsoft kernel debuggers to examine a live system
LongDesc=LiveKd allows you to run the Kd and Windbg Microsoft kernel debuggers, which are part of the Debugging Tools for Windows package, locally on a live system. Execute all the debugger commands that work on crash dump files to look deep inside the system. See the Debugging Tools for Windows documentation and our book for information on how to explore a system with the kernel debuggers. While the latest versions of Windbg and Kd have a similar capability on Windows XP and Server 2003, LiveKd enables more functionality, such as viewing thread stacks with the !thread command, than Windbg and Kd's own live kernel debugging facility.
[Software27]
exe=LoadOrd.exe
exe64=LoadOrd64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/loadorder
group=4
Name=LoadOrder
AppName=LoadOrder
ShortDesc=Shows order in which devices are loaded on Windows system
LongDesc=This applet shows you the order in which a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration.

[Software28]
exe=logonsessions.exe
exe64=logonsessions64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/logonsessions
group=3
Name=LogonSessions
AppName=LogonSessions
ShortDesc=Lists active logon sessions
LongDesc=If you think that when you log on to a system there's only one active logon session, this utility will surprise you. It lists the currently active logon sessions and, if you specify the -p option, the processes running in each session.

[Software29]
exe=movefile.exe
exe64=movefile64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/movefile
group=0
Name=MoveFile
AppName=MoveFile
ShortDesc=Schedules file rename and delete commands for the next reboot
LongDesc=There are several applications, such as service packs and hotfixes, that must replace a file that's in use and are unable to. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced. The MoveFile utility allows you to schedule move and delete commands for the next reboot.

[Software30]
exe=LoadOrdC.exe
exe64=LoadOrdC64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/loadorder
group=4
Name=LoadOrder Command-line
AppName=LoadOrder Command-line
ShortDesc=Shows order in which devices are loaded on Windows system. Command-line version
LongDesc=This applet shows you the order in which a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration.

[Software31]
exe=ntfsinfo.exe
exe64=ntfsinfo64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/ntfsinfo
group=0
Name=NTFSInfo
AppName=NTFSInfo
ShortDesc=Views detailed information about NTFS volumes
LongDesc=NTFSInfo is a little applet that shows you information about NTFS volumes. Its dump includes the size of a drive's allocation units, where key NTFS files are located, and the sizes of the NTFS metadata files on the volume. NTFSInfo works on all versions of NTFS, but NTFS for Windows NT 5.0 has different meta-data files that NTFSInfo has not been programmed for yet. In order for NTFSInfo to work you must have administrative privilege.

[Software32]
exe=pagedfrg.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pagedefrag
group=0
Name=PageDefrag
AppName=PageDefrag
ShortDesc=Defragments paging files and Registry hives
LongDesc=One of the limitations of the Windows NT/2000 defragmentation interface is that it is not possible to defragment files that are open for exclusive access. Thus, standard defragmentation programs can neither show you how fragmented your paging files or Registry hives are, nor defragment them. Paging and Registry file fragmentation can be one of the leading causes of performance degradation related to file fragmentation in a system. PageDefrag uses advanced techniques to provide you what commercial defragmenters cannot: the ability for you to see how fragmented your paging files and Registry hives are, and to defragment them. In addition, it defragments event log files and Windows 2000/XP hibernation files (where system memory is saved when you hibernate a laptop).
[Software33]
exe=pendmoves.exe
exe64=pendmoves64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pendmoves
group=0
Name=PendMoves
AppName=PendMoves
ShortDesc=Shows what files are scheduled for delete or rename the next time the system boots
LongDesc=There are several applications, such as service packs and hotfixes, that must replace a file that's in use and are unable to. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced. Session Manager performs this task by reading the registered rename and delete commands from the HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations value. This applet dumps the contents of the pending rename/delete value and also reports an error when the source file is not accessible.

[Software34]
exe=pipelist.exe
exe64=pipelist64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pipelist
group=4
Name=PipeList
AppName=PipeList
ShortDesc=Displays the named pipes on your system
LongDesc=Did you know that the device driver that implements named pipes is actually a file system driver? In fact, the driver's name is NPFS.SYS, for "Named Pipe File System". What you might also find surprising is that it's possible to obtain a directory listing of the named pipes defined on a system. This fact is not documented, nor is it possible to do this using the Win32 API. Directly using NtQueryDirectoryFile, the native function that the Win32 FindFile APIs rely on, makes it possible to list the pipes. The directory listing NPFS returns also indicates the maximum number of pipe instances set for each pipe and the number of active instances.
[Software35]
exe=portmon.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/portmon
group=2
Name=Portmon
AppName=Portmon
ShortDesc=Monitors serial and parallel port activity
LongDesc=Portmon is a utility that monitors and displays all serial and parallel port activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use ports, or tracking down problems in system or application configurations.

[Software36]
exe=procdump.exe
exe64=procdump64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
group=2
Name=ProcDump
AppName=ProcDump
ShortDesc=Captures process dumps to isolate and reproduce CPU spikes
LongDesc=ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.

[Software37]
exe=procexp.exe
exe64=procexp64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
group=2
Name=ProcessExplorer
AppName=ProcessExplorer
ShortDesc=Finds out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more
LongDesc=Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded. The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded. The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

[Software38]
exe=Sysmon.exe
exe64=Sysmon64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
group=3
Name=SystemMonitor
AppName=SystemMonitor
ShortDesc=Monitors and reports key system activity via the Windows event log.
LongDesc=System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network. Note that Sysmon does not provide analysis of the events it generates, nor does it attempt to protect or hide itself from attackers.
[Software39]
exe=Procmon.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
group=2
Name=ProcessMonitor
AppName=ProcessMonitor
ShortDesc=Monitors file system, Registry, process, thread and DLL activity in real-time
LongDesc=Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

[Software40]
exe=psexec.exe
exe64=psexec64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
group=2
Name=PsExec
AppName=PsExec
ShortDesc=Executes processes remotely
LongDesc=PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems.

[Software41]
exe=psfile.exe
exe64=psfile64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psfile
group=1
Name=PsFile
AppName=PsFile
ShortDesc=Shows what files are opened remotely
LongDesc=PsFile is a command-line utility that shows a list of files on a system that are opened remotely, and it also allows you to close opened files either by name or by a file identifier.
[Software42]
exe=psgetsid.exe
exe64=psgetsid64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psgetsid
group=3
Name=PsGetSid
AppName=PsGetSid
ShortDesc=Displays the SID of a computer or a user
LongDesc=PsGetsid allows you to translate SIDs to their display name and vice versa. It works on builtin accounts, domain accounts, and local accounts.

[Software43]
exe=Psinfo.exe
exe64=Psinfo64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psinfo
group=4
Name=PsInfo
AppName=PsInfo
ShortDesc=Obtains information about system
LongDesc=PsInfo is a command-line tool that gathers key information about the local or remote Windows NT/2000 system, including the type of installation, kernel build, registered organization and owner, number of processors and their type, amount of physical memory, the install date of the system, and if it's a trial version, the expiration date.

[Software44]
exe=pskill.exe
exe64=pskill64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pskill
group=2
Name=PsKill
AppName=PsKill
ShortDesc=Terminates local or remote processes
LongDesc=Windows NT/2000 does not come with a command-line 'kill' utility. You can get one in the Windows NT or Win2K Resource Kit, but the kit's utility can only terminate processes on the local computer. PsKill is a kill utility that not only does what the Resource Kit's version does, but can also kill processes on remote systems. You don't even have to install a client on the target computer to use PsKill to terminate a remote process.

[Software45]
exe=pslist.exe
exe64=pslist64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pslist
group=2
Name=PsList
AppName=PsList
ShortDesc=Shows information about processes and threads
LongDesc=PsList shows information about processes on local or remote systems. Like Windows NT/2K's built-in PerfMon monitoring tool, PsList uses the Windows NT/2K performance counters to obtain the information it displays.
[Software46]
exe=psloggedon.exe
exe64=psloggedon64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psloggedon
group=3
Name=PsLoggedOn
AppName=PsLoggedOn
ShortDesc=Shows users logged on to a system
LongDesc=You can determine who is using resources on your local computer with the "net" command ("net session"); however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.

[Software47]
exe=psloglist.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psloglist
group=3
Name=PsLogList
AppName=PsLogList
ShortDesc=Dumps event log records
LongDesc=The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an Event Log on the local or a remote computer. PsLogList is a clone of elogdump except that PsLogList lets you log in to remote systems in situations where your current set of security credentials would not permit access to the Event Log, and PsLogList retrieves message strings from the computer on which the event log you view resides.

[Software48]
exe=pspasswd.exe
exe64=pspasswd64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pspasswd
group=3
Name=PsPasswd
AppName=PsPasswd
ShortDesc=Local and remote password changer
LongDesc=Systems administrators who manage local administrative accounts on multiple computers regularly need to change the account password as part of standard security practices. PsPasswd is a tool that lets you change an account password on the local or remote systems, enabling administrators to create batch files that run PsPasswd against the computers they manage in order to perform a mass change of the administrator password. PsPasswd uses Windows password reset APIs, so it does not send passwords over the network in the clear.

[Software49]
exe=psservice.exe
exe64=psservice64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
group=2
Name=PsService
AppName=PsService
ShortDesc=Views and controls services
LongDesc=PsService is a service viewer and controller for Windows. Like the SC utility that's included in the Windows NT and Windows 2000 Resource Kits, PsService displays the status, configuration, and dependencies of a service, and allows you to start, stop, pause, resume and restart them. Unlike the SC utility, PsService enables you to log on to a remote system using a different account, for cases when the account from which you run it doesn't have the required permissions on the remote system. PsService includes a unique service-search capability, which identifies active instances of a service on your network. You would use the search feature if you wanted to locate systems running DHCP servers, for instance.

[Software50]
exe=psshutdown.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psshutdown
group=3
Name=PsShutdown
AppName=PsShutdown
ShortDesc=Shuts down, logs off and power-manages local and remote systems
LongDesc=PsShutdown is a command-line utility similar to the shutdown utility from the Windows 2000 Resource Kit, but with the ability to do much more. In addition to supporting the same options for shutting down or rebooting the local or a remote computer, PsShutdown can log off the console user or lock the console (locking requires Windows 2000 or higher). PsShutdown requires no manual installation of client software.
[Software51]
exe=pssuspend.exe
exe64=pssuspend64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/pssuspend
group=2
Name=PsSuspend
AppName=PsSuspend
ShortDesc=Suspends and resumes processes
LongDesc=PsSuspend lets you suspend processes on the local or a remote system, which is desirable in cases where a process is consuming a resource (e.g. network, CPU or disk) that you want to allow different processes to use. Rather than killing the process that's consuming the resource, suspending it permits you to let it continue operation at some later point in time.

[Software52]
exe=RegDelNull.exe
exe64=RegDelNull64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull
group=5
Name=RegDelNull
AppName=RegDelNull
ShortDesc=Scans for and deletes Registry keys that contain embedded null characters
LongDesc=This command-line utility searches for and allows you to delete Registry keys that contain embedded null characters and that are otherwise undeletable using standard Registry-editing tools. Note: deleting Registry keys may cause the applications they are associated with to fail.

[Software53]
exe=regjump.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/regjump
group=5
Name=RegJump
AppName=RegJump
ShortDesc=Jumps to the specified registry path in Regedit
LongDesc=This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM).

[Software54]
exe=Testlimit.exe
exe64=Testlimit64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/testlimit
group=5
Name=Testlimit
AppName=Testlimit
ShortDesc=Testlimit is a command-line utility to stress-test your PC and/or applications.
LongDesc=Testlimit is a command-line utility that can be used to stress-test your PC and/or applications by simulating low resource conditions for memory, handles, processes, threads and other system objects.
[Software55]
exe=sdelete.exe
exe64=sdelete64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete
group=0
Name=SDelete
AppName=SDelete
ShortDesc=Securely overwrites files and cleanses free space of previously deleted files
LongDesc=The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. You can use SDelete both to securely delete existing files, as well as to securely erase any file data that exists in the unallocated portions of a disk (including files that you have already deleted or encrypted). SDelete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever. Note that SDelete securely deletes file data, but not file names located in free disk space.

[Software56]
exe=ShareEnum.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/shareenum
group=1
Name=ShareEnum
AppName=ShareEnum
ShortDesc=Scans file shares on the network and views their security settings
LongDesc=An aspect of Windows NT/2000/XP network security that's often overlooked is file shares. A common security flaw occurs when users define file shares with lax security, allowing unauthorized users to see sensitive files. There are no built-in tools to list shares viewable on a network and their security settings, but ShareEnum fills the void and allows you to lock down file shares in your network.
[Software57]
exe=ShellRunas.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/shellrunas
group=2
Name=ShellRunas
AppName=ShellRunas
ShortDesc=Launches programs as a different user via a convenient shell context-menu entry
LongDesc=The command-line Runas utility is handy for launching programs under different accounts, but it’s not convenient if you’re a heavy Explorer user. ShellRunas provides functionality similar to that of Runas to launch programs as a different user via a convenient shell context-menu entry.

[Software58]
exe=sigcheck.exe
exe64=sigcheck64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/sigcheck
group=0
Name=Sigcheck
AppName=Sigcheck
ShortDesc=Dumps file version information and verifies that an image is digitally signed
LongDesc=Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.

[Software59]
exe=streams.exe
exe64=streams64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/streams
group=0
Name=Streams
AppName=Streams
ShortDesc=Reveals NTFS alternate streams
LongDesc=The NTFS file system provides applications the ability to create alternate data streams of information. Streams will examine the files and directories (note that directories can also have alternate data streams) you specify and inform you of the names and sizes of any named streams it encounters within those files.
[Software60]
exe=strings.exe
exe64=strings64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/strings
group=5
Name=Strings
AppName=Strings
ShortDesc=Searches for ANSI and UNICODE strings in binary images
LongDesc=Working on NT and Win2K means that executables and object files will many times have embedded UNICODE strings that you cannot easily see with standard ASCII strings or grep programs. Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.

[Software61]
exe=sync.exe
exe64=sync64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/sync
group=0
Name=Sync
AppName=Sync
ShortDesc=Flushes cached data to disk
LongDesc=Sync directs the operating system to flush all file system data to disk in order to ensure that it is stable and won't be lost in case of a system failure. Otherwise, any modified data present in the cache would be lost.

[Software62]
exe=tcpvcon.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/tcpvcon
group=1
Name=TCPView Command-line
AppName=TCPView Command-line
ShortDesc=Active sockets command-line viewer
LongDesc=TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.
[Software63]
exe=Tcpview.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
group=1
Name=TCPView
AppName=TCPView
ShortDesc=Active sockets viewer
LongDesc=TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

[Software64]
exe=vmmap.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/vmmap
group=4
Name=VMMap
AppName=VMMap
ShortDesc=Process virtual and physical memory analysis utility
LongDesc=VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features. Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load it back in. It also includes command-line options that enable scripting scenarios. VMMap is the ideal tool for developers wanting to understand and optimize their application's memory resource usage.
[Software65]
exe=Volumeid.exe
exe64=Volumeid64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/volumeid
group=0
Name=VolumeID
AppName=VolumeID
ShortDesc=Sets Volume ID of FAT or NTFS drives
LongDesc=While WinNT/2K and Windows 9x's built-in Label utility lets you change the labels of disk volumes, it does not provide any means for changing volume IDs. This utility, VolumeID, allows you to change the IDs of FAT and NTFS disks (floppies or hard drives). Note that changes on NTFS volumes won't be visible until the next reboot. In addition, you should shut down any applications you have running before changing a volume ID. NT may become confused and think that the media (disk) has changed after a FAT volume ID has changed and pop up messages indicating that you should reinsert the original disk (!). It may then fail the disk requests of applications using those drives.

[Software66]
exe=whois.exe
exe64=whois64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/whois
group=1
Name=Whois
AppName=Whois
ShortDesc=Shows who owns an Internet address
LongDesc=Whois retrieves the registration record for the domain name or IP address that you specify.

[Software67]
exe=Winobj.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/winobj
group=4
Name=WinObj
AppName=WinObj
ShortDesc=Object Manager namespace viewer
LongDesc=WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's namespace. Winobj may seem similar to the Microsoft SDK's program of the same name, but the SDK version suffers from numerous significant bugs that prevent it from displaying accurate information (e.g. its handle and reference counting information are totally broken). In addition, our WinObj understands many more object types. Finally, Version 2.0 of our WinObj has user-interface enhancements, knows how to open device objects, and will let you view and change object security information using native NT security editors.

[Software68]
exe=ZoomIt.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/zoomit
group=5
Name=ZoomIt
AppName=ZoomIt
ShortDesc=Presentation utility for zooming and drawing on the screen
LongDesc=ZoomIt is a screen zoom and annotation tool for technical presentations that include application demonstrations. ZoomIt runs unobtrusively in the tray and activates with customizable hotkeys to zoom in on an area of the screen, move around while zoomed, and draw on the zoomed image.

[Software69]
exe=disk2vhd.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/disk2vhd
group=0
Name=Disk2vhd
AppName=Disk2vhd
ShortDesc=Simplifies migration of physical systems into virtual machines (p2v)
LongDesc=Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows' Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different from the ones being converted).

[Software70]
exe=RamMap.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/rammap
group=4
Name=RAMMap
AppName=RAMMap
ShortDesc=Advanced physical memory usage analysis utility
LongDesc=RAMMap is an advanced physical memory usage analysis utility for Windows Vista and higher. Use RAMMap to gain understanding of the way Windows manages memory, to analyze application memory usage, or to answer specific questions about how RAM is being allocated. RAMMap’s refresh feature enables you to update the display, and it includes support for saving and loading memory snapshots.

[Software71]
exe=FindLinks.exe
exe64=FindLinks64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/findlinks
group=0
Name=FindLinks
AppName=FindLinks
ShortDesc=File index and any hard links reporter
LongDesc=FindLinks reports the file index and any hard links (alternate file paths on the same volume) that exist for the specified file. A file's data remains allocated so long as it has at least one file name referencing it.

[Software72]
exe=psping.exe
exe64=psping64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/psping
group=1
Name=PsPing
AppName=PsPing
ShortDesc=PsPing is a command-line utility for measuring network performance
LongDesc=PsPing is a command-line utility for measuring network performance. In addition to standard ICMP ping functionality, it can report the latency of connecting to TCP ports, the latency of TCP round-trip communication between systems, and the TCP bandwidth available to a connection between systems. Besides obtaining min, max, and average values in 0.01ms resolution, you can also use PsPing to generate histograms of the results that are easy to import into spreadsheets.

[Software73]
exe=ru.exe
exe64=ru64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/ru
group=5
Name=RegistryUsage
AppName=RegistryUsage
ShortDesc=Registry Usage reports the registry space usage for the registry key you specify
LongDesc=Ru (Registry Usage) reports the registry space usage for the registry key you specify. By default it recurses subkeys to show the total size of a key and its subkeys.
[Software74]
exe=notmyfault.exe
exe64=notmyfault64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/notmyfault
group=5
Name=NotMyFault
AppName=NotMyFault
ShortDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system.
LongDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system. It’s useful for learning how to identify and diagnose device driver and hardware problems, and you can also use it to generate blue screen dump files on misbehaving systems. Chapter 7 in Windows Internals uses Notmyfault to demonstrate pool leak troubleshooting and Chapter 14 uses it for crash analysis examples.

[Software75]
exe=notmyfaultc.exe
exe64=notmyfaultc64.exe
url=https://docs.microsoft.com/en-us/sysinternals/downloads/notmyfault
group=5
Name=NotMyFault Command-line
AppName=NotMyFault Command-line
ShortDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system. Command-line version
LongDesc=Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system. It’s useful for learning how to identify and diagnose device driver and hardware problems, and you can also use it to generate blue screen dump files on misbehaving systems. Chapter 7 in Windows Internals uses Notmyfault to demonstrate pool leak troubleshooting and Chapter 14 uses it for crash analysis examples.