Sysinternals Suite Utilities

10.04.2022

Sysinternals Suite 10/27/2015 Portable - utilities for configuring, optimizing and troubleshooting Windows

The Sysinternals Suite is a large package of technical utilities for configuring, optimizing, testing, and identifying and fixing errors in operating systems of the Windows family.

The range of application of this package is quite wide, because its utilities cover many areas of the operating system. For example, Autoruns shows and manages everything that starts automatically, Process Monitor records file system, registry and process activity as it happens, and PageDefrag defragments the registry hives and the paging file.

Utilities included in the suite:
AccessChk, AccessEnum, AdExplorer, AdRestore, Autologon, Autoruns, BgInfo, CacheSet, ClockRes, Contig, Coreinfo, Ctrl2Cap, DebugView, Desktops, DiskExt, DiskMon, DiskView, Disk Usage (DU), EFSDump, FileMon, Handle, Hex2dec, Junction, LDMDump, ListDLLs, LiveKd, LoadOrder, LogonSessions, NewSid, NTFSInfo, PageDefrag, PendMoves, PortMon, ProcessExplorer, Process Monitor, ProcFeatures, PsExec, PsFile, PsGetSid, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutdown, PsSuspend, RegDelNull, RegJump, RegMon, RootkitRevealer, SDelete, ShareEnum, ShellRunas, SigCheck, Streams, Strings, Sync, TCPView, VolumeID, WhoIs, WinObj, VMMap, ZoomIt

Note that several of these names (FileMon, RegMon, NewSID, PageDefrag, ProcFeatures, RootkitRevealer) are retired tools that Microsoft no longer ships in the current suite; FileMon and RegMon were superseded by Process Monitor.

Includes:

  • AccessChk is a command line tool for viewing the effective permissions of users and groups on files, registry keys, services, processes, kernel objects, and more.
  • AccessEnum is a simple but powerful security tool that shows who has access to directories, files and registry keys on your system. Use it to find gaps in your permissions.
  • AdExplorer (Active Directory Explorer) is an advanced viewer and editor for Active Directory (AD).
  • AdInsight is a real-time LDAP (Lightweight Directory Access Protocol) monitoring tool for troubleshooting Active Directory client applications.
  • AdRestore lists and restores deleted (tombstoned) Active Directory objects on Server 2003 and later.
  • Autologon configures automatic logon. The credentials are stored in the registry (the password as an LSA secret), so anyone who can read LSA secrets on the machine can recover the password.
  • Autoruns shows which programs run automatically at system boot or at logon, together with the complete list of registry paths and file locations from which applications can be configured to start automatically.
  • BgInfo is a fully customizable program that automatically generates desktop wallpaper containing important system information, including IP addresses, computer name, network adapters, and more.
  • CacheSet lets you control the working set size of the Cache Manager using functions provided by NT. It works on all versions of NT.
  • ClockRes shows the resolution of the system clock, which is also the maximum timer resolution.
  • Contig defragments individual, frequently used files, or creates new files that are contiguous on disk.
  • Coreinfo is a command line utility that shows the mapping between logical and physical processors, the NUMA node and socket each is located on, and the caches assigned to each logical processor.
  • Ctrl2Cap is a kernel-mode driver that demonstrates keyboard input filtering ahead of the keyboard class driver, turning Caps Lock into a Ctrl key. Filtering at this level converts and hides keys before NT "sees" them. Ctrl2Cap also shows how to use NtDisplayString() to print blue-screen initialization messages.
  • DebugView intercepts DbgPrint calls made by device drivers and OutputDebugString calls made by Win32 programs, so you can view and capture debug output on the local machine or over the network without an active debugger.
  • Desktops lets you organize your applications across up to four virtual desktops.
  • Disk2vhd creates VHD (Microsoft's Virtual Hard Disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines.
  • DiskExt shows which disks each volume's extents are located on.
  • DiskMon captures all hard disk activity, or acts as a software "disk activity light" in the system tray.
  • DiskView is a graphical disk sector viewer.
  • Disk Usage (DU) reports disk space usage per directory.
  • EFSDump shows information about EFS-encrypted files, including which accounts can decrypt them.
  • FindLinks reports the file index and any hard links that exist for the specified file.
  • Handle is a command line utility that shows which processes have which files (and other handles) open.
  • Hex2dec converts hexadecimal to decimal and vice versa.
  • Junction creates and lists NTFS junction points (directory reparse points).
  • LDMDump dumps the contents of the on-disk Logical Disk Manager database that describes the partitioning of Windows 2000 dynamic disks.
  • ListDLLs lists all DLLs currently loaded, including where they are loaded from and their version numbers. Version 2.0 displays the full path of loaded modules.
  • LiveKd uses Microsoft's kernel debuggers to examine a live system.
  • LoadOrder shows the order in which device drivers and services are loaded on a WinNT/2K system.
  • LogonSessions lists the active logon sessions.
  • MoveFile schedules move and delete commands for the next reboot.
  • NTFSInfo shows detailed information about NTFS volumes, including the size and location of the Master File Table (MFT) and MFT zone, and the sizes of the NTFS metadata files.
  • PageDefrag defragments your paging files and registry hives.
  • PendMoves lists the file rename and delete commands that will be executed on the next boot.
  • PipeList lists the named pipes defined on the system.
  • PortMon is an advanced serial and parallel port activity monitoring tool. It knows about all standard serial and parallel IOCTLs and even shows some of the transmitted and received data. Version 3.x has a powerful, improved interface and advanced filtering options.
  • ProcDump is a command line utility for monitoring an application for CPU spikes, hangs or exceptions and generating process dumps when they occur, which an administrator or developer can use to determine the cause.
  • Process Explorer shows which files, registry keys and other objects a process has open, which DLLs it has loaded, and much more, including who owns each process.
  • Process Monitor monitors file system, registry, process, thread and DLL activity in real time.
  • PsExec executes processes on remote systems (and can also run them locally as SYSTEM or with limited rights).
  • PsFile shows which files are open remotely.
  • PsGetSid displays the security identifier (SID) of a computer or user.
  • PsInfo displays information about the system.
  • PsKill terminates local or remote processes.
  • PsList shows information about processes and threads.
  • PsLoggedOn shows the users logged on to a system.
  • PsLogList dumps event log records.
  • PsPasswd changes account passwords.
  • PsService views and manages services.
  • PsShutdown shuts down and optionally restarts a computer.
  • PsSuspend suspends and resumes processes.
  • RAMMap is a physical memory usage analysis utility for Windows Vista and higher.
  • RegDelNull finds and removes registry keys that contain embedded null characters, which standard registry editing tools cannot delete.
  • RegJump jumps to the specified registry path in Regedit.
  • RootkitRevealer scans your system for rootkits by comparing the file system and registry as seen through the Windows API with the raw on-disk data.
  • SDelete securely overwrites sensitive files and cleans the free space that previously deleted files occupied, following the DoD 5220.22-M clearing scheme. Overwriting cannot be relied on for SSDs and other flash media, whose wear leveling may leave the original blocks untouched.
  • ShareEnum scans the file shares on your network and shows their security settings so you can close security holes.
  • ShellRunas runs programs as another user through a convenient shell context-menu entry.
  • SigCheck dumps file version information and verifies digital signatures.
  • Streams reveals alternate NTFS data streams.
  • Strings searches for ANSI and Unicode strings in binary images.
  • Sync flushes cached data to disk.
  • TCPView is a graphical viewer of active sockets; Tcpvcon is its command line version.
  • VMMap analyzes a process's virtual and physical memory usage.
  • VolumeID sets the volume ID (serial number) of FAT or NTFS volumes.
  • WhoIs shows who owns an Internet address or domain.
  • WinObj is an Object Manager namespace viewer.
  • ZoomIt is a presentation utility for zooming and drawing on the screen.

Where to download

Download addresses for the Sysinternals Suite utilities:
http://www.sysinternals.com
https://technet.microsoft.com/en-us/sysinternals
The Sysinternals pages have since moved to https://learn.microsoft.com/sysinternals/, and the whole suite is available as a single archive at https://download.sysinternals.com/files/SysinternalsSuite.zip.

What is included

The set of utilities is quite large - over 70 programs for various purposes. Only a general list with a brief description of each is given here; the site has quite detailed information about every utility, and the potential of some of them is truly enormous.

AccessChk Displays the permissions of a specific user or group on files, registry keys or Windows services.
AccessEnum Small but powerful security analysis tool. Displays the users and groups that have access to files, folders and registry keys, so you can look for mistakes in access permission settings.
AdExplorer Active Directory Explorer is an advanced tool for viewing and editing Active Directory (AD).
AdInsight A real-time LDAP (Lightweight Directory Access Protocol) monitoring utility that helps troubleshoot Active Directory (AD) client applications.
AdRestore Lists and restores deleted (tombstoned) Active Directory objects on Server 2003 and later.
Autologon Configures automatic logon to the system without entering a password; the credentials are stored in the registry (the password as an LSA secret).
Autoruns Shows which programs start automatically when the system boots and a user logs on, together with the complete list of registry paths and file locations from which applications can be configured to start automatically.
BgInfo This fully customizable program automatically generates desktop backgrounds that include important system information such as IP addresses, computer name, network adapters, and more.
BlueScreen A screen saver that not only simulates a blue screen very accurately but can also simulate a reboot (complete with CHKDSK); it runs on Windows NT 4, Windows 2000, Windows XP, Server 2003 and Windows 9x.
CacheSet Adjusts the size of the cache manager's working set using native NT functions. Compatible with all versions of NT.
ClockRes Shows the resolution of the system clock (this value is also the maximum timer resolution).
Contig Need a quick defragmentation of regularly used files? Contig optimizes individual files and creates new files that occupy adjacent clusters.
Coreinfo This command line utility displays the mapping between logical and physical processors, NUMA nodes and sockets, and the caches assigned to each logical processor.
Ctrl2Cap A kernel-mode driver that filters keyboard input ahead of the keyboard class driver in order to turn Caps Lock into a Ctrl key. Filtering at this level changes and hides keys before NT even "sees" them. Ctrl2Cap also shows how to use NtDisplayString() to print messages on the blue screen during initialization.
DebugView Intercepts calls to DbgPrint by device drivers and to OutputDebugString by Win32 programs, letting you view and capture the output of a debug session on the local machine or over the network without an active debugger.
Desktops Creates up to four virtual desktops, which you switch between with keyboard shortcuts or the icon in the taskbar.
Disk2vhd Creates a virtual disk (VHD) from a physical disk for use with Microsoft Virtual PC or Microsoft Hyper-V. Unlike other physical-to-virtual conversion tools it converts the disk of a running system: it runs on the live system (capturing the volumes through a shadow copy) and creates a VHD image of that system for Hyper-V.
DiskExt Displays which disks the extents of each volume are located on.
DiskMon Captures all hard disk operations; it can also act as a disk activity indicator in the taskbar.
DiskView Graphical disk sector analysis program.
Disk Usage (DU) Displays disk space usage by directory.
EFSDump Shows information about EFS-encrypted files, including which accounts can decrypt them.
FileMon Tracks all file system activity in real time (retired; superseded by Process Monitor).
FindLinks Lists the hard links to the specified file and displays the file's index number.
Handle Lists the files opened by processes, as well as other handle types.
Hex2dec Converts hexadecimal numbers to decimal and vice versa.
Junction Creates and lists NTFS junction points (introduced with Windows 2000).
LDMDump Dumps the contents of the on-disk Logical Disk Manager database that describes the layout of Windows 2000 dynamic disks.
ListDLLs Lists all currently loaded DLLs, their versions, and the path they were loaded from. Version 2.0 prints full paths to loaded modules.
LiveKd Lets Microsoft's kernel debuggers examine a live system.
LoadOrder Shows the order in which device drivers and services are loaded on a WinNT/2K system.
LogonSessions Displays a list of active logon sessions.
MoveFile Schedules rename and delete commands for the next reboot. Useful for removing persistent, in-use malware files.
NewSID This free machine SID changer was written to avoid duplicate machine SIDs on cloned systems; it has since been retired, Microsoft having concluded that duplicate machine SIDs are not actually a problem.
NTFSInfo Provides detailed information about NTFS volumes, including the size and location of the master file table (MFT) and MFT zone, and the size of the NTFS metadata files.
PageDefrag Defragments paging files and registry hives (retired; Windows 2000/XP/2003 only).
PendMoves Displays the file rename and delete commands scheduled for execution on the next reboot.
PipeList Enumerates the named pipes present on the system.
PortMon Monitors the activity of serial and parallel ports. It supports all standard control commands (IOCTLs) for serial and parallel ports and even displays some of the received and transmitted data. Version 3.x introduces significant user interface improvements and enhanced filtering.
ProcDump A command line utility that creates process dumps on triggers (CPU spike, hang, unhandled exception) or on demand.
Process Explorer Displays the files, registry keys, DLLs and other objects opened or loaded by each process, and other information such as the owner of the process.
Process Monitor Monitors file system, registry, process, thread and DLL activity in real time.
ProcFeatures Displays processor and Windows support for Physical Address Extension (PAE) and Data Execution Prevention (DEP/NX).
PsExec Executes processes remotely.
PsFile Shows which files are open remotely.
PsGetSid Displays the security identifier (SID) of a computer or user.
PsInfo Displays information about the system.
PsKill Ends processes by name or process ID, including remotely.
PsList Displays detailed information about processes.
PsLoggedOn Shows who is logged on locally or through shared resources (the download includes the full source code of the program).
PsLogList Dumps entries from the Windows event logs as text (after which they can be processed in any way).
PsPasswd Changes account passwords.
PsPing A command line utility that measures network latency and bandwidth. Version 2.0 added UDP latency and bandwidth testing, timed tests, and custom histograms.
PsService Views and manages services.
PsShutdown Shuts down and, if required, restarts a computer.
PsSuspend Suspends and resumes processes.
PsTools The PsTools suite of command line utilities lists processes running on local or remote computers, launches processes remotely, reboots computers, dumps the contents of event logs, and more (this is the set of Ps... utilities listed above).
RAMMap A free utility for analyzing the physical memory usage of a computer running Microsoft Windows.
RegDelNull Scans for and removes registry keys that contain embedded null characters, which conventional registry editing tools cannot delete.
Registry Usage Displays the amount of space occupied by the registry keys you specify.
RegJump Navigates Regedit to the specified registry path.
Regmon Tracks all registry activity in real time (retired; superseded by Process Monitor).
RootkitRevealer Searches for rootkits (retired).
SDelete Overwrites sensitive files and clears free space previously occupied by deleted files, following the US Department of Defense DoD 5220.22-M clearing scheme.
ShellRunas Adds a "Run as different user" entry to the Explorer context menu so that a program can be launched under another account.
Sigcheck Displays file version information and verifies that the images on the system are digitally signed.
Streams Displays alternate NTFS data streams.
Strings Searches for ANSI and Unicode strings in binary images.
Sync Flushes cached data to disk.
Sysmon A Windows system service and device driver that, once installed, stays resident across reboots and monitors system activity (process creation, network connections, changes to file creation time and more), recording it to the Windows event log (Applications and Services Logs\Microsoft\Windows\Sysmon\Operational), from where it can be collected and searched.
TCPView A graphical viewer of active sockets; Tcpvcon is the command line version.
VMMap A utility for analyzing a process's virtual and physical memory usage.
VolumeId Sets the volume ID (serial number) of FAT or NTFS volumes.
Whois Finds out who owns an Internet address or domain.
WinObj A highly effective program for browsing the object manager namespace.
ZoomIt A presentation utility for zooming into and drawing on the screen.

A useful switch for all Sysinternals Suite utilities

Every utility from the Sysinternals set (console utilities included) requires acceptance of the license agreement the first time it runs on a computer. When creating batch files that will run on multiple computers (for example on every computer in a domain) this is extremely inconvenient, so when running from a batch file add the switch that accepts the license agreement automatically: -accepteula (the /accepteula spelling is also understood). Acceptance is recorded per user in the registry as the EulaAccepted value under HKCU\Software\Sysinternals\<tool name>, so it can also be pre-populated by a logon script or Group Policy.

Sysinternals Tools is a set of free programs for administering and monitoring computers running Windows operating systems. The Sysinternals (Winternals) programs were originally developed by Winternals Software LP under the leadership of two developers, Mark Russinovich and Bryce Cogswell. In July 2006 Microsoft acquired Winternals Software LP and all of its products. The Sysinternals website then moved to the Microsoft web portal and became part of Microsoft TechNet, whose Windows Sysinternals section offers the complete Sysinternals Suite as a single archive as well as the individual utilities (the pages have since moved again, to learn.microsoft.com/sysinternals).

Currently the Windows Sysinternals toolkit can even be used without downloading it to the local computer, thanks to the Sysinternals Live share, which can be mapped as a network drive (here given the letter R:):

net use R: \\live.sysinternals.com\tools

The share is served over WebDAV, so the WebClient service must be running on the machine; the same files can also be fetched by URL from https://live.sysinternals.com/. Over a network drive the data exchange is of course much slower than from a local disk, but it works like a regular local drive, including from the command line. So, for example, the command

start R:\autoruns.exe

launches the Autoruns utility in a separate window. Thus, from any place with Internet access you can use the most functional and efficient set of tools for Windows - the Sysinternals Suite. Two caveats for anything executed this way: check the Authenticode signature of the binary first (with sigcheck, or Get-AuthenticodeSignature in PowerShell), and bear in mind that tools such as PsExec and ProcDump are also widely used by attackers, so endpoint protection may alert on them, especially when they are launched from live.sysinternals.com.
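The following PowerShell wrapper ties the two points above together: it verifies the Authenticode signature of a Sysinternals binary (local copy or the mapped live share), records EULA acceptance in the registry so that no dialog appears even for tools launched without the switch, and then runs the tool with -accepteula. It is an added example, not code from the original article or from Sysinternals. The registry location HKCU\Software\Sysinternals\<tool>\EulaAccepted is what the tools write themselves; the paths and the user1/MpsSvc arguments are illustrative, and for GUI tools such as Process Monitor and Process Explorer the key is named after the display name rather than the executable, which the function does not attempt to map.

```powershell
# Added example, not part of the original article or of the Sysinternals tools.
# Verify a Sysinternals binary's signature, pre-accept its EULA for the current user,
# and run it with -accepteula so that no interactive prompt can block a script.

function Invoke-SysinternalsTool {
    param(
        # e.g. 'R:\accesschk.exe' (live share) or 'C:\Tools\SysinternalsSuite\accesschk.exe'
        [Parameter(Mandatory)][string]$ToolPath,
        [string[]]$Arguments = @()
    )

    # Refuse anything that is not validly signed by Microsoft. Relevant for a WebDAV
    # share reached over the Internet, and for a local copy of unknown provenance.
    $sig = Get-AuthenticodeSignature -FilePath $ToolPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
        throw "Refusing to run $ToolPath : signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }

    # The console tools store acceptance under HKCU\Software\Sysinternals\<executable name>
    # (registry key names are case-insensitive). Setting it here covers later launches of
    # the same tool by this user that forget the switch, e.g. from a scheduled task.
    $toolName = [IO.Path]::GetFileNameWithoutExtension($ToolPath)
    $key = "HKCU:\Software\Sysinternals\$toolName"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EulaAccepted -Value 1 -Type DWord

    # -accepteula is understood by every Sysinternals tool and is harmless when the
    # registry value already exists.
    & $ToolPath -accepteula @Arguments
}

# Who is logged on, using the live share mapped above (needs Internet access).
Invoke-SysinternalsTool -ToolPath 'R:\psloggedon.exe'

# Effective rights of user1 on the Windows Firewall service, from a local copy of the suite.
Invoke-SysinternalsTool -ToolPath 'C:\Tools\SysinternalsSuite\accesschk.exe' `
    -Arguments @('-nobanner', 'user1', '-c', 'MpsSvc')
```

Run it from an elevated prompt for the tools that need it; the signature check and the registry write work for a standard user, but most of the tools themselves do not.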

Most of the Sysinternals Suite utilities require administrative privileges to be fully functional. On Windows 2000/XP it is enough for the user to be a member of the Administrators group. On Windows Vista/Windows 7, because of UAC, the utilities must be launched with the "Run as administrator" context menu item. Batch files that use the command line utilities must likewise run under an account with administrative privileges, from an elevated prompt.

The Sysinternals Suite package includes several dozen small utilities, both console and GUI, many of which are widely known among system administrators and advanced users: the PsTools package, the Process Monitor, Autoruns and Process Explorer monitoring utilities, the RootkitRevealer anti-rootkit, and others. Many of them are discussed in separate articles, links to which you will find on the main page of the site in the Windows section. The Sysinternals Suite is updated several times a year and its composition changes: program versions are updated, some utilities are removed and others added, but the core set has existed for more than ten years, which shows its demand among administrators and competent users of the Windows family of operating systems. The command line options of the console utilities and the graphical interfaces of most programs follow similar conventions, which greatly simplifies their practical use.

AccessChk

AccessChk is a console utility for viewing the effective access rights of users and groups to files, directories, registry keys, processes and threads, services and kernel objects. The account name is a positional argument. One point worth knowing about the examples below: in AccessChk the -u switch means "suppress error messages", not "user", so the commands work because user1 is read as the account name, and -u merely hides the access-denied noise from objects the tool cannot open.

accesschk -u user1 -c MpsSvc -v - display the rights of user user1 on the service MpsSvc (the Windows 7 firewall service; remember that on Windows Vista/Windows 7 AccessChk must be run as an administrator). The -v switch means verbose output. Without it, the account's rights are summarized by the letters R (read) and W (write): R means the account can query the service (its status and configuration), W means it can change it (configuration and state). The combination RW does not by itself mean SERVICE_ALL_ACCESS; with -v the summary is followed by the names of the specific access rights granted, such as SERVICE_ALL_ACCESS (full access) or SERVICE_CHANGE_CONFIG.

accesschk -c MpsSvc -w -v - display the accounts that have write access to the service MpsSvc (the -w switch restricts the output to objects, or accounts, with write access; it does not mean "full access").

accesschk -u user1 -c * -w -v - display the services to which user1 has write access. This is the classic local privilege-escalation check: an account with SERVICE_CHANGE_CONFIG on a service can point the service's binary path at its own executable, which the service controller will then run under the service's account, often LocalSystem.

accesschk -u user1 -k hklm\security - display user1's access rights to the subkeys of the registry key HKLM\SECURITY.

accesschk -u user1 -k hklm\security -d - the -d switch means processing only the top level (the file system directory or registry key itself) rather than its children.

accesschk -u user1 C:\Users -d - display user1's rights to the directory C:\Users itself.

accesschk -u user1 C:\Users - display user1's rights to the subdirectories and files directly under C:\Users (add -s to recurse into the whole tree).

accesschk C:\Users -w - display the accounts that have write access to the C:\Users directory.

accesschk -u user1 -p wininit -v - display user1's rights to the process wininit.

Unfortunately, AccessChk could not (at least at the time of writing) work with names of accounts, services and directories that contain Cyrillic characters.
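The service check above is usually run for a low-privilege principal and then read by eye. The following PowerShell, an added example that is not part of the original article or of the Sysinternals tools, runs it and parses the output into objects, flagging the rights that actually allow a service takeover. The two-line output layout it parses (a summary line such as "RW ServiceName" followed, under -v, by indented right names) is an assumption to spot-check against your AccessChk version; the service names in the constructed sample are fictitious, and the rights shown there for MpsSvc are illustrative.

```powershell
# Added example, not part of the original article or of the Sysinternals tools.
# Parses "accesschk -uwcqv <principal> *" output and flags services whose
# configuration the principal can change. Assumption: the two-line layout
# ("RW Name" summary, then indented right names when -v is given).

# Rights that let the holder take over the service: rewrite its binary path,
# rewrite its DACL or owner, or everything at once.
$script:TakeoverRights = @('SERVICE_ALL_ACCESS', 'SERVICE_CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER')

function ConvertFrom-AccessChkServices {
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Lines)
    $results = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(RW|R|W)\s+(\S.*?)\s*$') {
            # Summary line: flush the previous service and start a new record.
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                Service  = $Matches[2]
                Access   = $Matches[1]
                Rights   = @()
                Takeover = $false
            }
        } elseif ($current -and $line -match '^\s+([A-Z_]+)\s*$') {
            # Indented access-right name, printed only under -v.
            $current.Rights += $Matches[1]
            if ($Matches[1] -in $script:TakeoverRights) { $current.Takeover = $true }
        }
    }
    if ($current) { $results += $current }
    return $results
}

function Find-WritableServices {
    param(
        [string]$Principal = 'Authenticated Users',
        [string]$AccessChk = 'accesschk.exe'      # or R:\accesschk.exe from the live share
    )
    # -u suppress errors, -w write access only, -c services, -q omit banner, -v list rights.
    $lines = & $AccessChk -accepteula -uwcqv $Principal '*' 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-AccessChkServices -Lines $lines | Where-Object Takeover
}

# Constructed sample output (fictitious service names) so the parser can be exercised
# offline. Only the first and third services would survive the -w filter on a real run.
$sample = @'
RW SomeVendorUpdater
        SERVICE_ALL_ACCESS
R  MpsSvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
RW AnotherAgent
        SERVICE_CHANGE_CONFIG
        SERVICE_START
'@ -split "`r?`n"

ConvertFrom-AccessChkServices -Lines $sample | Format-Table Service, Access, Takeover, Rights -AutoSize

# On a real system, elevated so that every service can be opened:
# Find-WritableServices -Principal 'Authenticated Users' | Format-Table -AutoSize
```

A service that shows Takeover = True for Authenticated Users or Users is a finding on its own; confirm it with sc qc <service> to see which account the service runs as, and fix it by tightening the service DACL (sc sdset) rather than by relying on the binary path being unusual.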

AccessEnum

AccessEnum is a utility for viewing the rights of accounts to objects in the file system and the Windows registry.

CacheSet

CacheSet is an application for managing the working-set parameters of the system file cache. It is used to choose the parameters that give the best speed and stability of the PC. By changing the minimum and maximum size of the cache working set you can obtain some increase in system performance.

New minimum and maximum values take effect when you press the Apply button. The Reset button returns the minimum and maximum cache sizes to the values that were in effect when the utility was launched.

Contig

Contig is a command line utility for increasing system performance by defragmenting individual, frequently used files. It is convenient for defragmenting virtual machine disk files, ISO images placed on bootable flash drives with the Grub bootloader (which may require an unfragmented image file), and any other files that are read from disk frequently.

contig.exe /? - display usage help for the utility.

Contig.exe -a E:\SonyaLiveCD_15.10.2010.iso - analyze the fragmentation of the file E:\SonyaLiveCD_15.10.2010.iso

Contig.exe E:\SonyaLiveCD_15.10.2010.iso - defragment the specified file.

Contig.exe -a -s C:\windows\*.exe - analyze all files with the extension .exe in the C:\Windows directory and its subdirectories (the -s switch)

Contig.exe C:\windows\system32\*.exe - defragment all files with the extension .exe in the system directory C:\Windows\System32

The performance gain from targeted use of Contig.exe is generally higher than what the standard Windows defragmentation tools achieve, because Contig makes each specified file fully contiguous rather than working on the volume as a whole.

Disk2vhd

Disk2vhd creates a virtual hard disk in Microsoft's VHD (Virtual Hard Disk) format from the physical disk of a real machine. The conversion can be performed from within the running operating system, because Disk2vhd captures the volumes through a Volume Shadow Copy snapshot. You can choose any of the logical disks of the real computer and convert it into a virtual disk that can then be used in a Microsoft Virtual PC or Hyper-V virtual machine.

DiskMon

DiskMon monitors I/O operations on hard drives under the Windows family of operating systems. The program can also be used as a software hard disk access indicator: when minimized, its taskbar icon shows green during a read from disk and red during a write.

The main window shows the number of the disk in the system (the Disk column), the type of operation (the Request column), the number of the sector on the disk that was accessed (the Sector column) and the size of the data transferred (the Length column). If you need to determine which file a sector with a given number belongs to, you can use the console utility NFI.EXE (NTFS File Sector Information Utility) from the Microsoft Support Tools package.
Command line format:
nfi.exe Drive Sector number
nfi.exe C:655234 - display the name of the file that owns sector 655234
nfi.exe C:0xBF5E34 - the same, but with the sector number given in hexadecimal
As a result of the command a message such as the following is displayed:

***Logical sector 12541492 (0xbf5e34) on drive C is in file number 49502.
\WINDOWS\system32\D3DCompiler_38.dll

That is, the sector we are interested in belongs to the D3DCompiler_38.dll file in the Windows\system32 directory.

DiskView

DiskView produces a graphical map of disk space usage:

The disk to view is chosen in the Volume field at the bottom of the program window. After selecting a disk and pressing the Refresh button the program scans the disk and displays a map of the location of files and directories. The lower pane shows a scale of the data's position relative to the beginning of the disk. The colour of each area corresponds to the kind of clusters displayed; the colour coding is explained in the Help - Legend... menu:

First cluster of the fragment - the colour of the first cluster in a chain.
Contiguous file cluster - the cluster belongs to a contiguous (not fragmented) file.
Fragmented file cluster - the cluster belongs to a fragmented file.
System file cluster - the cluster belongs to a system file.
Unused cluster - the cluster belongs to free space.
Unused cluster in MFT zone - a free cluster in the MFT zone of the volume.
User Highlighted File cluster - the cluster belongs to the file selected by the user.

The upper pane shows a more detailed map of the data's location; its scroll bar selects the area displayed. Clicking a point in the lower pane displays the cluster map of the selected section of the file system in the upper one. The Zoom button at the bottom of the main window changes the map's level of detail. Clicking on the cluster map in the upper pane shows the file name in the Highlight field and colours the group of clusters belonging to it. Double-clicking a displayed cluster in the upper pane opens the file's properties window.

To display the degree of disk usage and the number of files and fragments, use the File - Statistics menu.

DU

du.exe is a command line utility for reporting disk space usage statistics for directories of the Windows file system. To get the list of switches, run du.exe without parameters or with the /? parameter. Example of use:

du.exe C:\ - display usage information for the root directory of drive C: - the number of files and subdirectories and the amount of disk space occupied.

FileMon

FileMon (File Monitor) is a utility for real-time monitoring of all file system activity. It lets you determine which processes access which files and directories, and which file system operations are performed on which objects. FileMon has since been replaced by Process Monitor (ProcMon). A detailed description of both programs and how to use them is given in separate articles.

With these utilities you can easily determine the file resources an application uses, find its configuration files, and determine the causes of crashes or other problems associated with the use of Windows files and directories.

MoveFile

MoveFile lets you delete or move a file at the next Windows restart. It is used when a file is held open exclusively by some application or service and cannot be deleted or moved by normal means. Usage example:

Movefile.exe "C:\Documents And Settings\user\Local Settings\TEMP\svchost.exe" C:\virus\svchost.ex_

The move itself is performed by the Windows Session Manager (SMSS.EXE), which during boot reads the rename and delete commands registered by MoveFile from the REG_MULTI_SZ value PendingFileRenameOperations under the registry key
HKLM\System\CurrentControlSet\Control\Session Manager
The value holds pairs of strings: the source path followed by the destination path, both in NT form (\??\C:\...). An empty destination means the source is deleted, and a destination prefixed with ! means an existing file at that path is replaced. Once the operations have been carried out the value is removed. To see the operations scheduled by MoveFile, use the PendMoves utility from the Sysinternals Suite. Because anything that can write this value can make SMSS move or delete arbitrary files before the rest of the system starts, it is also a location worth checking during incident response.

PageDefrag (pagedfrg.exe) in popularity for many years it has been in 4-5 place among the utilities from Sysinternals. Allows you to increase system performance by defragmenting the registry files (SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT files of the \windows\system32\config directory), system logs (in the same directory) and the paging file (pagefile.sys).

After running, the utility displays a list of files that can be processed and the degree of their fragmentation.

Defragmentation is performed by a system service created by the utility, pgdfgsvc.exe, together with, as in the case of MoveFile, the Windows Session Manager (SMSS.EXE, Session Manager Subsystem). During system boot the Session Manager processes the registry value
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
This value lists the programs that SMSS.EXE must run during Windows boot; by default these are the file system checkers. PageDefrag adds to it the commands that start the pgdfgsvc service and thus defragment the system files before the system needs them. If necessary, you can cancel the defragmentation, run it once, or set it to run every time Windows starts.
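Both MoveFile and PageDefrag work through these two Session Manager values, which is also why they are worth auditing: anything an attacker schedules there runs or is renamed at boot before most defenses are up. The following added example (not code from the article or from Sysinternals) parses both values, using constructed sample data when not run on Windows; the pairing rules for PendingFileRenameOperations and the stock BootExecute content are assumptions stated in the docstring.

```python
"""Audit the Session Manager boot-time values described above (added
example, not part of the article).  Parsing rules are assumptions based
on the documented formats: PendingFileRenameOperations is a REG_MULTI_SZ
of source/destination pairs, paths carry a \\??\\ prefix, an empty
destination means "delete at boot" and a leading "!" on the destination
is MoveFileEx's replace-existing flag; BootExecute's stock content is
"autocheck autochk *"."""
import sys

STOCK_BOOTEXECUTE = {"autocheck autochk *"}

def strip_nt_prefix(path):
    """Turn the NT-style '\\??\\C:\\x' form into the familiar 'C:\\x'."""
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_renames(values):
    """Return (source, destination) tuples; destination is None for a delete."""
    ops = []
    # Strings are taken two at a time; an odd trailing string is ignored.
    for i in range(0, len(values) - 1, 2):
        src = strip_nt_prefix(values[i])
        dst = values[i + 1]
        ops.append((src, strip_nt_prefix(dst.lstrip("!")) if dst else None))
    return ops

def unexpected_boot_execute(values):
    """Entries beyond the stock autochk line (e.g. PageDefrag's pgdfgsvc)."""
    return [v for v in values if v.strip() and v not in STOCK_BOOTEXECUTE]

def read_session_manager_values():
    """On Windows, read both values with winreg; elsewhere return None."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    result = {}
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for name in ("PendingFileRenameOperations", "BootExecute"):
            try:
                result[name] = list(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                result[name] = []  # value absent: nothing scheduled
    return result

# Constructed sample: the MoveFile example from the article plus a boot-time
# delete; "pgdfgsvc" stands in for the entry PageDefrag writes, whose exact
# arguments are not shown on the page.
SAMPLE_PENDING = [
    "\\??\\C:\\Documents And Settings\\user\\Local Settings\\TEMP\\svchost.exe",
    "\\??\\C:\\virus\\svchost.ex_",
    "\\??\\C:\\Windows\\Temp\\dropper.tmp",
    "",
]
SAMPLE_BOOTEXECUTE = ["autocheck autochk *", "pgdfgsvc"]

if __name__ == "__main__":
    live = read_session_manager_values()
    pending = live["PendingFileRenameOperations"] if live else SAMPLE_PENDING
    boot = live["BootExecute"] if live else SAMPLE_BOOTEXECUTE
    for src, dst in parse_pending_renames(pending):
        print("delete:" if dst is None else "rename:", src, "->", dst or "")
    for entry in unexpected_boot_execute(boot):
        print("non-default BootExecute entry:", entry)
```

On a live Windows system the script reads the real values; compare its output with what PendMoves reports and with what you actually scheduled.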

PageDefrag can also be run in console mode, with its settings controlled by command line options.

pagedefrag [-e | -o | -n] [-t seconds]

-e - defragment on every boot
-o - defragment once
-n - cancel defragmentation
-t - countdown in seconds before defragmentation starts

Examples:

pagedefrag -e -t 10 - defragment on every boot with a 10 second countdown during which the user can cancel by pressing any key.

pagedefrag -o - run a one-time defragmentation at the next reboot.

pagedefrag -n - cancel a previously scheduled defragmentation.

Sysinternals Suite utilities for networking.

ADRestore

ADRestore lets you view the list of deleted Active Directory (AD) objects and, if necessary, restore selected ones. The /? switch displays help. When run without parameters, the utility lists the AD objects marked as deleted.

Examples:

adrestore > C:\adodel.txt - write the list of all AD objects marked as deleted to the file C:\adodel.txt
adrestore.exe laserjet - list the deleted AD objects whose name contains the string "laserjet"
adrestore -r - list the deleted AD objects, prompting whether to restore each one.

ADInsight

A utility for monitoring data exchange between a client and a server over the LDAP protocol. It is very useful for finding the causes of abnormal behavior of services and applications in an Active Directory environment, monitoring permissions, looking for the causes of poor performance, and simply studying how AD objects interact.

Built-in help is available in English. Right-clicking an event line opens a context menu from which you can get a brief description of the event's properties and the name and path of the associated process, or jump to the previous or next event that ended with an error. Information is displayed in columns whose composition can be changed.

Filters for searching and highlighting events work the same way as in most GUI-based Sysinternals utilities. With default settings, lines highlighted in red are events that ended with an error. The context menu also lets you launch, directly from ADInsight, another program from the Sysinternals Suite, Active Directory Explorer (ADExplorer), which is used to view the AD data structure and is similar in features and user interface to Microsoft's ADSIEdit.

TCPView

TCPView consistently ranks among the ten most popular Sysinternals Suite utilities. It displays a list of all TCP and UDP connections in the system with detailed data, including local and remote addresses and the state of TCP connections. On Windows XP and later, TCPView also displays the name of the process that owns the connection. In a sense, TCPView is a complement to the standard Windows utility netstat.exe, but in addition to presenting connection data in a convenient form it lets you perform additional actions: close a specific connection, terminate the process that created it, and resolve the name of the host participating in the connection.

The context menu called by the right mouse button allows you to perform certain actions on the selected connection:

Process Properties - display the properties of the process associated with this connection: process name, version, and the name and path of the executable file.

End Process - terminate the process associated with this connection.

Close Connection - forcibly terminate the selected connection.

Whois - run a query to obtain data about the remote host participating in this connection.

Copy - copy the information in this line to the clipboard.

From the program's main menu you can save data on all current connections to a text file (File - Save). In addition to TCPView, the Sysinternals Suite contains a console version, tcpvcon, with the same functionality.

Sysinternals Suite utilities for analyzing process information.

Autoruns - a utility for tracking the automatic launch points of programs. An article about Autoruns is posted in the "Security" section.
- a utility for monitoring the activity of processes in Windows (memory, CPU usage, file and registry access, network activity, etc.).
- a utility for monitoring the use of system resources by individual processes.
PsTools - a set of command line utilities for launching applications remotely (PsExec), listing processes on a local or remote computer (PsList), forcibly terminating tasks (PsKill) and managing services (PsService). In addition, the PsTools suite includes utilities for restarting or shutting down computers, displaying the contents of event logs, finding logged-on users on the network, and much more.

ListDLLs

ListDLLs is a command line utility that lists the DLLs loaded by individual processes. When run without parameters, it displays all processes and all the libraries they have loaded. The /? switch displays usage help. Command line format:

listdlls [-r] [-v | -u] [processname | pid]
or
listdlls [-r] [-v] [-d dllname]

processname - the name (or part of the name) of the process whose loaded DLLs you want to list.
pid - the ID of the process whose loaded DLLs you want to list.
-d dllname - list the processes that have loaded the named DLL.
-r - show DLLs that were relocated because they could not be loaded at their base address.
-u - show only modules that do not have a digital signature.
-v - show DLL version information.

Examples of using:

listdlls - list all processes and all loaded DLLs

listdlls win - list the DLLs of all processes whose name starts with the string "win"

listdlls winlogon - list the DLLs used by the winlogon process

listdlls 495 - list the DLLs used by the process with PID 495

listdlls -d ntdll.dll - list the processes using the library ntdll.dll

Handle

Handle is a command line utility that displays information about the open handles of any process in the system. It lets you see which programs have opened a file, with what access rights, the object types and handle names, and, if necessary, forcibly close a file by its handle number. When run without parameters, it displays a complete list of handles to all currently open files. The /? switch displays usage help. Command line format:

handle [[-a [-l]] [-u] | [-c handle [-y]] | [-s]] [-p processname | pid]
-a - show information about all handles.
-c - close the handle with the specified number. Be aware that forcibly closing a handle may cause the process to crash or data to be lost.
-y - do not ask for confirmation when closing a handle.
-s - show counts for each type of open handle.
-u - show the name of the user under whose account the handle was opened.
-p - show the handles opened by the process with the specified name (or part of the name) or PID.

Examples of using:

handle | more - list all open handles of all processes, one page at a time.
handle -p winlogon - list the handles opened by the process named winlogon
handle -p winlogon > C:\winlogonh.txt - the same as the previous case, but with the output redirected to the file C:\winlogonh.txt
handle -u - list all handles of all processes, showing the account associated with each process.
handle -u user1 - list the handles opened in the context of the user account named "user1"
handle -s - show counts for each handle type and the total number of open handles.

Sysinternals Suite Security Utilities.

Security utilities include programs for determining automatic start points (Autoruns), monitoring processes (ProcMon), checking access rights to system resources, and so on. In addition, the Sysinternals Suite includes a utility whose main purpose is to detect rootkits: malware that implements special mechanisms to hide its presence in the system.

The term "rootkit", applied to spyware, trojans and other malicious software, means that to hide its presence from antivirus programs the malware intercepts system functions and alters their results so that certain files, directories and network connections it created cannot be detected. For example, when a directory listing is requested, the entry for the malware's own file can be removed from the results. Such a file really exists in the file system, but it is invisible to software that uses the API functions intercepted by the malware. Rootkits are divided into several classes depending on whether they survive a reboot and on the mode they run in (user mode or kernel mode), but the defining feature of a rootkit is the interception and alteration of system call results.

RootkitRevealer

Its principle of operation is to use, alongside the standard API functions for the file system and registry, its own routines that implement the same functions. A discrepancy between the two sets of results may indicate the presence of a rootkit. RootkitRevealer scans the registry and file system when the Scan button is clicked and displays the results in its main window:

Path - path of the file or registry key.
Timestamp - modification time.
Size - size.
Description - description of the event, a sign of the possible presence of a rootkit in the system.

The program does not remove anything and does not even point to specific malware files. The conclusion about their presence must be drawn by the user after analyzing the scan results.

First of all, look at the files and registry keys whose Description field reads "Hidden from Windows API". In the vast majority of cases such a line indicates a rootkit, since normally only the NTFS metadata files (whose names begin with $: $BitMap, $BadClus, $MFT, etc.) are hidden in this way. You can suppress the events for the standard hidden metadata files by ticking Hide Standard NTFS Metadata Files in the Options menu. Also keep in mind that some antivirus products hide their files from the Windows API in the same way malware does, so every result line marked Hidden from Windows API requires further analysis: which directory the hidden file is in, its name, extension, size and modification time. In the scanning example above, the files hidden from the Windows API have the .sys extension, are located in the drivers directory (C:\Windows\system32\drivers) and are tens of kilobytes in size: these are the rootkit drivers.

Other event descriptions in the Description field may be false alarms, indicating that some API function returned a suspicious result. This is usually because, in the multitasking Windows environment, some program modified the data being checked during the scan, or because legitimate software uses specialized techniques similar to those used by malware authors.

Key name contains embedded nulls - the registry key name contains embedded null characters, which can make the key invisible to the standard registry editor.

Data mismatch between Windows API and raw hive data - discrepancy between the registry key data obtained through the Windows API and the raw data in the registry hive. May be caused by a change to the registry data during the scan.

Access denied - access was denied. In practice this description appears when CD/DVD drive emulation tools (Alcohol 120, Daemon Tools) or some antivirus products that use the SPTD.SYS driver are installed.

Note that RootkitRevealer scans from a copy of itself with a random file name, running as a Windows service. This makes it harder for malware to detect it and forcibly end the scan, so it is normal to see a process with an odd name while RootkitRevealer is running. There are, however, cases where malware blocks the launch of a program named, for example, "RootkitRevealer". The program then simply does not start, which is itself a strong sign of an infection. In this case you can rename the executable or, better, copy it in the current directory under a different random name.

RootkitRevealer can also be launched with command line parameters:

rootkitrevealer [-a] [-c] [-m] [-r] [logfile]

-a - scan automatically and exit.
-c - write the scan results in CSV format
-m - scan NTFS metadata
-r - do not scan the Windows registry
logfile - name and path of the file in which to save the scan results.

Run example:

rootkitrevealer -a C:\RootkitRevealer.log - perform a scan, write the results to the file C:\RootkitRevealer.log and exit.
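Running the scan with -a -c and a log file makes it scriptable, and the triage rules from the paragraphs above (NTFS metadata is expected, a hidden .sys in the drivers directory is the classic rootkit driver, "Access denied" and "Data mismatch" are often false alarms) can be applied to the CSV automatically. The following is an added example, not code from the article or from Sysinternals; it assumes the CSV columns follow the GUI order Path, Timestamp, Size, Description, and the sample log is constructed.

```python
"""Triage a RootkitRevealer CSV log (rootkitrevealer -a -c log.csv) with the
rules from the paragraphs above.  Added example, not part of the article or
of the tool.  Assumption: each line holds the four GUI columns in order
(Path, Timestamp, Size, Description); the sample log is constructed."""
import csv
import io
import ntpath

HIDDEN = "Hidden from Windows API"
DRIVERS_DIR = r"C:\Windows\system32\drivers"
COLUMNS = ["Path", "Timestamp", "Size", "Description"]

def is_ntfs_metadata(path):
    """$MFT, $BitMap, $BadClus ... are hidden by design and expected."""
    return ntpath.basename(path).startswith("$")

def classify(path, description):
    """Map one result line to a triage verdict."""
    if description.startswith(HIDDEN):
        if is_ntfs_metadata(path):
            return "expected NTFS metadata"
        in_drivers = ntpath.dirname(path).lower() == DRIVERS_DIR.lower()
        if in_drivers and path.lower().endswith(".sys"):
            return "likely rootkit driver"
        return "hidden object: analyze manually"
    if description.startswith("Key name contains embedded nulls"):
        return "hidden registry key: analyze manually"
    if description.startswith(("Access denied", "Data mismatch")):
        return "possible false alarm"
    return "unclassified: review"

def triage(csv_text):
    """Return (path, verdict) for every non-empty line of the log."""
    reader = csv.DictReader(io.StringIO(csv_text), fieldnames=COLUMNS)
    return [(r["Path"], classify(r["Path"], r["Description"] or ""))
            for r in reader if r["Path"]]

def summarize(results):
    """Count lines per verdict so the worrying categories stand out."""
    counts = {}
    for _, verdict in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample log; file names, times and sizes are invented.
SAMPLE_LOG = (
    "C:\\$MFT,2009-03-12 10:00,48.00 MB,Hidden from Windows API.\n"
    "C:\\Windows\\system32\\drivers\\hooker.sys,2009-03-12 14:21,32.50 KB,Hidden from Windows API.\n"
    "C:\\Documents and Settings\\user\\notes.txt,2009-03-12 14:22,1.20 KB,Hidden from Windows API.\n"
    "HKLM\\SOFTWARE\\Vendor\\Key*,2009-03-12 14:25,0 bytes,Key name contains embedded nulls (*)\n"
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\sptd,2009-03-12 14:26,0 bytes,Access denied.\n"
)

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for path, verdict in results:
        print(f"{verdict:40} {path}")
    print(summarize(results))
```

The verdicts only order the analyst's work; as the text says, the final call about each hidden object is still made by a person looking at its directory, name, size and modification time.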

An indispensable set of free utilities for maintaining and managing Windows. The Sysinternals Suite collection contains over 120 free tools and applications. The utilities are mainly designed for configuring, optimizing and testing the Windows operating system and for working with third-party applications. Useful utilities for diagnosing the computer's main hardware are also included.

The Sysinternals Suite contains all the tools you need for maintaining and troubleshooting Windows. Most of the utilities were developed and are maintained by one of Microsoft's most famous technical contributors, Mark Russinovich.

The utilities in the bundle are mainly intended for experienced PC users, since many of them access hidden system settings and can break Windows if handled incorrectly.

Some of the most popular system utilities:

Process Explorer

Lets you control the active processes in the system in every possible way. Lets you manage resource priorities for any of the displayed processes. Can completely close a process or restart it.

Autoruns

A very powerful application for managing autostart. Identifies and lets you control the drivers, modules, services and other components that are loaded at system startup. The program has a large set of tools for controlling and configuring various parameters of Windows operating systems.

Desktops

A small and useful program for creating and managing virtual desktops. Supports up to 4 desktops, which helps distribute your icons and other objects for more convenient work.

The full list of utilities included in the Sysinternals Suite:

accesschk, accesschk64, AccessEnum, ADExplorer, ADInsight, adrestore, Autologon, Autoruns, Autoruns64, autorunsc, autorunsc64, Bginfo, Cacheset, Clockres, Clockres64, Contig, Contig64, Coreinfo, ctrl2cap, Dbgview, Desktops, disk2vhd, diskext, diskext64, Diskmon, DiskView, du, du64, efsdump, FindLinks, FindLinks64, handle, handle64, hex2dec, hex2dec64, junction, junction64, ldmdump, Listdlls, Listdlls64, livekd, livekd64, LoadOrd, LoadOrd64, LoadOrdC, LoadOrdC64, logonsessions, logonsessions64, movefile, movefile64, notmyfault, notmyfault64, pskill, pskill64, pslist, pslist64, PsLoggedon, PsLoggedon64, psloglist, pspasswd, pspasswd64, psping, psping64, PsService, PsService64, psshutdown, pssuspend, pssuspend64, RAMMap, RegDelNull, RegDelNull64, regjump, RootkitRevealer, ru, ru64, sdelete, sdelete64, ShareEnum, ShellRunas, sigcheck, sigcheck64, streams, streams64, strings, strings64, sync, sync64, Sysmon, Sysmon64, Tcpvcon, Tcpview, Testlimit, Testlimit64, vmmap, Volumeid, Volumeid64, whois, whois64, Winobj, ZoomIt.

Windows Sysinternals Tools (Sysinternals Suite) is a collection of system utilities designed to help users diagnose and fix problems with Windows applications and services.

Because Windows is the most widely used operating system, many programs must be compatible with its features to avoid errors. Before a program can be delivered to end users it must be tested and analyzed, and some applications are designed specifically for this purpose and are useful tools for developers.

Overview of Windows Sysinternals Tools Features

Necessary diagnostic tools in one product

The individual tools in this solution were originally developed by Mark Russinovich, a Microsoft technical officer. The developer co-founded Winternals, which was the original brand for most of the Sysinternals Suite utilities.

Winternals was acquired by Microsoft in 2006, so most of the utilities are now owned by Redmond. Many of them are available as separate downloads and as part of a toolkit that will appeal to IT professionals, in particular system administrators.

The solution includes more than 70 utilities for detecting and fixing errors related to the disk subsystem, networking and security, as well as for providing information about processes and the system. The package is very rich, so we will consider only the most popular programs in it.

Monitor running processes and manage startup programs

Process Explorer, included in the package, provides detailed information about running processes and memory consumption and lets you track which services consume the most computer resources.

With Autoruns the user can manage startup objects, and Process Monitor monitors file and registry activity in real time. Administrators of local and remote Windows NT / 2K systems can use the PsTools command line utilities to quickly run processes and get information about their operation.

Other tools include RootkitRevealer, which detects kernel mode rootkits; TCPView, which shows TCP and UDP connections; Desktops, which lets you manage applications across multiple desktops; SDelete, which overwrites sensitive data when cleaning the system to free up space; and Sigcheck, which detects digitally signed images.

Windows Sysinternals Tools is a useful collection of tools that will help system administrators diagnose and fix problems in areas ranging from the file system to networking and security settings.

Windows Sysinternals Tools

AccessChk, AccessEnum, AdExplorer, AdInsight, AdRestore, Autologon, Autoruns, BgInfo, CacheSet, ClockRes, Contig, Coreinfo, Ctrl2Cap, DebugView, Desktops, Disk2vhd, DiskExt, DiskMon, DiskView, Disk Usage (DU), EFSDump, FindLinks, Handle, Hex2dec, Junction, LDMDump, ListDLLs, LiveKd, LoadOrder, LogonSessions, MoveFile, NTFSInfo, PendMoves, PipeList, PortMon, ProcDump, Process Explorer, Process Monitor, PsExec, PsFile, PsGetSid, PsInfo, PsPing, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutdown, PsSuspend, RAMMap, RegDelNull, Registry Usage (RU), RegJump, SDelete, ShareEnum, ShellRunas, Sigcheck, Streams, Strings, Sync, Sysmon, TCPView, VMMap, VolumeID, WhoIs, WinObj, ZoomIt