Basics of the Windows Sysinternals Suite

Henry Ossinger
5 min read · Oct 12, 2023


The Windows Sysinternals suite provides a more advanced way of troubleshooting the Windows operating system than the tools that ship with Windows by default. The suite contains 60+ tools with a wide range of functionality, and anyone who takes the time to get a good understanding of them can become proficient at troubleshooting Windows. This writeup is an introduction to Sysinternals covering only the most popular tools in the suite; I plan on writing more in-depth pieces on individual tools and use cases in the future.

There are many resources, both free and paid, for anyone looking to take the next step with the Sysinternals suite. Personally I have been reading “Troubleshooting with the Windows Sysinternals Tools” by Mark Russinovich and Aaron Margosis. Mark co-created the tools (with Bryce Cogswell), and the book goes very in depth on each one. There are also tutorial videos on YouTube in which Mark explains different topics within the suite, and multiple articles from Microsoft on learn.microsoft.com. Personally I enjoy having a physical book right next to me to search for answers.

Popular Tools:

Of the many tools in the suite, six are generally considered the most popular, and those are the ones covered here:

  • Process Explorer
  • Autoruns
  • Process Monitor
  • Sysmon
  • ProcDump
  • PsTools

As stated earlier I plan to cover many more tools in the future, but for now let's look at the basics of each of these six.

Process Explorer:

Many people consider Process Explorer to be Task Manager on steroids. Essentially it is a Task Manager that provides far more detail on every running process: which process has a given file or DLL open (Find > Find Handle or DLL), the parent/child relationship between processes, the user account a process runs as, the security token (groups and privileges) that applies to a process, and much more. You could seriously study Process Explorer for months on end before fully understanding all the information available in this tool. Many of its columns and options are not enabled by default but can give you extensive information about any process on the computer, for instance verifying the Authenticode signature of every image (Options > Verify Image Signatures) or submitting image hashes to VirusTotal.

Process Explorer shows CPU usage, memory usage, virtual memory usage and more
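The three views the paragraph above describes (parent/child relationships, the account a process runs as, and "which process has this file open") can be reproduced from the command line, which is handy when you need the same answers in a script or on a box with no GUI. The following is an added example and not code from the original post; it uses WMI's Win32_Process for the tree and owner, and the suite's own handle.exe for the handle search. The install path C:\Sysinternals, the process name explorer.exe and the handle-name fragment ntuser.dat are assumptions, and the script must run elevated to see every process.

```powershell
# Added example (not from the original post). Assumptions: handle64.exe is in C:\Sysinternals,
# the process of interest is explorer.exe, and this runs in an elevated PowerShell.
$HandleExe   = 'C:\Sysinternals\handle64.exe'   # assumed install path
$ProcessName = 'explorer.exe'                   # assumed process of interest
$SearchName  = 'ntuser.dat'                     # assumed handle-name fragment to search for

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

function Get-ProcessTreeInfo {
    param([string]$Name)
    foreach ($p in ($procs | Where-Object Name -eq $Name)) {
        # Win32_Process only stores the parent's PID. PIDs are reused, so the parent may have
        # exited and the PID may now belong to an unrelated process (Process Explorer has the
        # same caveat; it greys out a parent it cannot confirm).
        $parent     = $byPid[$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        $owner     = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { 'n/a' }

        $children = ($procs | Where-Object ParentProcessId -eq $p.ProcessId).Name -join ', '

        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            ParentPID   = $p.ParentProcessId
            ParentName  = $parentName
            Owner       = $ownerName
            Children    = $children
            CommandLine = $p.CommandLine
        }
    }
}

Get-ProcessTreeInfo -Name $ProcessName | Format-List

# Process Explorer's Find > Find Handle or DLL from the command line: handle.exe walks every
# process and prints handles whose name contains the fragment; -u adds the owning user.
& $HandleExe -accepteula -nobanner -u $SearchName
```

The parent-PID caveat matters in investigations: a process whose recorded parent has exited (a common trick for detaching malware from its launcher) shows up here as `<exited>`, exactly the case where you want Sysmon's process-creation event rather than a live snapshot.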

Process Monitor:

Process Monitor is often confused with Process Explorer, but it answers a different question. Process Explorer shows the state of the system right now; Process Monitor records what processes do over time. It captures file system, registry, process/thread and network activity as a stream of events, each with the process, the operation (CreateFile, RegQueryValue, Process Create, TCP Connect and so on), the path, the result (SUCCESS, NAME NOT FOUND, ACCESS DENIED, ...) and operation-specific detail. By default it only captures while it is running, but it can also be set to log from early in the boot process (Options > Enable Boot Logging). A trace fills up very quickly, so the real skill is in the filters: narrowing down to one process, one path, or only the operations that did not return SUCCESS.
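A typical troubleshooting loop with Process Monitor is: capture while reproducing the problem, then look at the operations that failed. The following is an added example, not code from the original post, that does exactly that from the command line using Procmon's documented switches (/BackingFile, /Terminate, /OpenLog, /SaveAs) and then summarizes the CSV export with Import-Csv. The path C:\Sysinternals, the 20-second capture window, the process name notepad.exe and the %TEMP% file names are assumptions; the script must run elevated because Procmon loads a driver.

```powershell
# Added example (not from the original post). Assumptions: Procmon64.exe is in C:\Sysinternals,
# the script runs elevated, and 20 seconds is enough to reproduce the problem being chased.
$Procmon = 'C:\Sysinternals\Procmon64.exe'   # assumed install path
$Pml     = Join-Path $env:TEMP 'trace.pml'    # Procmon's native log format
$Csv     = Join-Path $env:TEMP 'trace.csv'
$Seconds = 20                                 # assumed capture window

Remove-Item $Pml, $Csv -ErrorAction SilentlyContinue

# Start capturing straight into a backing file. /Quiet skips the filter confirmation dialog,
# /Minimized keeps the window out of the way while you reproduce the problem.
Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Pml`""
Start-Sleep -Seconds $Seconds

# Tell the running instance to stop capturing and exit; -Wait lets it flush the .pml first.
Start-Process -FilePath $Procmon -ArgumentList '/Terminate' -Wait

# Convert the binary log to CSV. Default columns: Time of Day, Process Name, PID, Operation,
# Path, Result, Detail.
Start-Process -FilePath $Procmon -ArgumentList '/OpenLog', "`"$Pml`"", '/SaveAs', "`"$Csv`"" -Wait

function Get-FailedOperations {
    param([string]$CsvPath, [string]$ProcessName)
    $events = Import-Csv $CsvPath
    if ($ProcessName) { $events = $events | Where-Object 'Process Name' -eq $ProcessName }
    # Anything other than SUCCESS: a missing file or key, a permissions problem, a bad path.
    $events | Where-Object Result -ne 'SUCCESS' |
        Group-Object 'Process Name', Operation, Result |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# The noisiest (process, operation, result) combinations across the whole trace ...
Get-FailedOperations -CsvPath $Csv | Select-Object -First 15 | Format-Table -AutoSize

# ... and the exact paths one process could not open: NAME NOT FOUND on a DLL or config file,
# ACCESS DENIED on a registry key, and so on.
Import-Csv $Csv |
    Where-Object { $_.'Process Name' -eq 'notepad.exe' -and $_.Result -in 'NAME NOT FOUND', 'ACCESS DENIED' } |
    Select-Object Operation, Path, Result -Unique
```

Not every non-SUCCESS result is a problem: BUFFER OVERFLOW, END OF FILE and REPARSE are normal parts of how Windows APIs work, and a process probing a dozen directories for a DLL before finding it produces a string of NAME NOT FOUND events by design. Treat the summary as a place to start reading, not as a list of faults.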

Autoruns:

Autoruns tells you what is configured to run automatically on your system. It is organized into tabs for the different places and moments at which something can autostart: the Logon entries (Run/RunOnce keys and startup folders), Explorer shell extensions, Internet Explorer add-ons, scheduled tasks, services, drivers, Winlogon notifications, WMI subscriptions and so on. A really nice feature is Options > Hide Microsoft Entries, which filters out everything signed by Microsoft so you only see what third parties have added.

This tool is extremely useful when trying to decide whether a specific autostart entry is malicious. Autoruns can verify each entry's digital signature (Options > Scan Options > Verify Code Signatures) and, with Check VirusTotal.com enabled in the same dialog, send the file's hash to VirusTotal, the Google-owned service that runs submissions through dozens of anti-virus engines, and show the detection ratio next to the entry. By default only the hash is sent; uploading files that VirusTotal has never seen is a separate opt-in. A non-zero ratio, a missing or failed signature, or an entry pointing at a file that no longer exists are all good reasons to look closer.

Different processes set to autorun, such as OneDrive and Microsoft Teams
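The same checks can be scripted with autorunsc.exe, the command-line version of Autoruns, which is how you would sweep many machines or keep a baseline. The following is an added example and not code from the original post. It dumps every category as CSV with signature verification and VirusTotal hash lookups, then filters down to the entries the paragraph above says to look at more closely. The install path C:\Sysinternals is an assumption, the script must run elevated to read every location, and -v needs outbound access to VirusTotal.

```powershell
# Added example (not from the original post). Assumptions: autorunsc64.exe is in C:\Sysinternals,
# the script runs elevated, and the host can reach VirusTotal for the hash lookups.
$Autorunsc = 'C:\Sysinternals\autorunsc64.exe'   # assumed install path

# -a *   every entry category          -s  verify digital signatures     -h  add file hashes
# -c     CSV on standard output        -v  query VirusTotal by hash (-vt accepts the VT terms)
# -m     hide Microsoft-signed entries, the same as Options > Hide Microsoft Entries in the GUI
# PowerShell does not expand the * for a native command, so autorunsc receives it as written.
$entries = & $Autorunsc -accepteula -nobanner -a * -c -s -h -v -vt -m 2>$null | ConvertFrom-Csv

function Get-SuspectAutoruns {
    param([object[]]$Entries)
    $Entries | Where-Object {
        # Signer reads "(Verified) <publisher>" only when the Authenticode signature checks out;
        # "(Not verified)" or an empty value means unsigned, tampered, or an untrusted chain.
        ($_.Signer -notlike '(Verified)*') -or
        # "VT detection" is "<hits>/<engines>", or "Unknown" when VirusTotal has never seen the hash.
        ($_.'VT detection' -and $_.'VT detection' -notmatch '^0/') -or
        # The entry points at a file that is no longer there: orphaned config, or a removed implant.
        ($_.'Image Path' -like 'File not found:*')
    } | Select-Object 'Entry Location', Entry, 'Image Path', Signer, 'VT detection', 'Launch String'
}

Get-SuspectAutoruns -Entries $entries | Format-Table -AutoSize -Wrap

# Keep the full dump as a baseline; diffing today's CSV against it is the quickest way to
# spot a persistence mechanism that appeared since the last sweep.
$entries | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'autoruns-baseline.csv')
```

An unsigned entry is not automatically malicious (plenty of legitimate software ships unsigned), and a clean VirusTotal ratio is not proof of innocence, since a freshly built or packed sample will simply show as Unknown. The filter gives you a short list to review by hand, not a verdict.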

ProcDump:

ProcDump is a command-line tool for creating dump files (snapshots of a process's memory) so you can work out why a particular process is crashing, hanging or misbehaving. Rather than taking a dump right away, you normally give it a trigger: dump when the process throws an unhandled exception, when its window stops responding, when its CPU usage stays above a threshold for a number of seconds, or when its memory commit exceeds a limit. The resulting .dmp file is then opened in a debugger such as WinDbg to see what the process was doing at that moment.

Parameters that can be used to configure a dump using ProcDump
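The triggers just described map to a handful of ProcDump switches. The following is an added example, not code from the original post, that wraps the most common ones in one helper so every dump is a full memory dump (-ma) written with ProcDump's own file-name macros (PROCESSNAME, PID, YYMMDD, HHMMSS), so repeated dumps do not overwrite each other. The install path C:\Sysinternals, the target notepad.exe and the output directory C:\Dumps are assumptions.

```powershell
# Added example (not from the original post). Assumptions: procdump64.exe is in C:\Sysinternals,
# the process of interest is notepad.exe, and dumps are written to C:\Dumps.
$ProcDump = 'C:\Sysinternals\procdump64.exe'   # assumed install path
$Target   = 'notepad.exe'                        # assumed target (image name or PID)
$OutDir   = 'C:\Dumps'                           # assumed output directory

# Trigger name -> ProcDump switches. An empty list means "dump right now".
$Triggers = @{
    Now    = @()
    Crash  = @('-e')                              # unhandled (second-chance) exception; add '1' for first-chance too
    Hang   = @('-h')                              # the process's window stops responding
    Cpu    = @('-c', '80', '-s', '5', '-n', '3')  # CPU at or above 80 % for 5 consecutive seconds, up to 3 dumps
    Memory = @('-m', '1024')                      # commit charge reaches 1024 MB
}

function Invoke-ProcDumpTrigger {
    param(
        [ValidateSet('Now', 'Crash', 'Hang', 'Cpu', 'Memory')]
        [string]$Trigger
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    # PROCESSNAME, PID, YYMMDD and HHMMSS are expanded by ProcDump itself, not by PowerShell.
    $dumpName = Join-Path $OutDir 'PROCESSNAME_PID_YYMMDD_HHMMSS.dmp'
    $opts = $Triggers[$Trigger]

    # -ma: full dump including all memory.  -w: wait for the process to start if it is not running yet.
    & $ProcDump -accepteula -ma -w @opts $Target $dumpName
}

# Wait for notepad.exe, then write a full dump the moment it dies with an unhandled exception.
Invoke-ProcDumpTrigger -Trigger Crash
```

A full dump contains everything that was in the process's memory, which can include passwords, tokens and session cookies; treat C:\Dumps like you would a credential store (tight ACLs, delete when the investigation is over). Use -mp (MiniPlus) instead of -ma when you only need stacks and handles and want a smaller, less sensitive file.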

PsTools:

PsTools is actually a collection of command-line tools. There are 13 of them, covering a wide range of administrative tasks on local and remote Windows systems: PsExec, PsFile, PsGetSid, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsPing, PsService, PsShutdown and PsSuspend. The most popular is PsExec.

PsExec allows you to execute programs on a remote system. For example you can open a command prompt on another machine and run tasklist or any other troubleshooting tool there, similar to SSH in that you connect to a system and interact with it through the CLI. Under the hood it works quite differently from SSH: it needs an account that is a local administrator on the target, copies a service executable (PSEXESVC) to the target's ADMIN$ share over SMB, installs and starts it as a service, and relays your input and output over named pipes. That footprint (a new service in the System event log, SMB traffic to port 445, a PSEXESVC.exe process) is also why PsExec is a favourite of attackers for lateral movement, and why detection teams alert on it.

Using PsExec to run ipconfig on a remote machine
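The following is an added example, not code from the original post, showing three common PsExec invocations (the ipconfig case from the screenshot, copying a tool over and running it as SYSTEM, and an interactive shell) and then the trace PsExec leaves on the target. The install path C:\Sysinternals, the host name WS01 and the assumption that the current account is a local administrator on WS01 are all assumptions.

```powershell
# Added example (not from the original post). Assumptions: psexec64.exe is in C:\Sysinternals,
# the target is a host named WS01, and the account running this script is a local admin on WS01.
$PsExec = 'C:\Sysinternals\psexec64.exe'   # assumed install path
$Target = 'WS01'                            # assumed remote host

# 1. Run a command on the remote host and get its output back. With no -u/-p the current
#    credentials are used; prefer that over putting a password on the command line.
& $PsExec -accepteula -nobanner "\\$Target" ipconfig /all

# 2. Copy a tool that is not on the target (-c) and run it there as SYSTEM (-s) with an
#    elevated token (-h). Everything after the program name is passed to the program.
& $PsExec -accepteula -nobanner "\\$Target" -c -s -h 'C:\Sysinternals\autorunsc64.exe' -accepteula -nobanner -a * -c -m

# 3. Interactive shell as SYSTEM on the remote host; type exit to come back.
& $PsExec -accepteula -nobanner "\\$Target" -s cmd.exe

# What PsExec leaves behind: PSEXESVC.exe is copied to \\WS01\ADMIN$ and installed as a service,
# which the Service Control Manager records as event 7045 in the System log of the target.
# This is the same query a defender runs to find PsExec-style lateral movement.
Get-WinEvent -ComputerName $Target -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    Select-Object TimeCreated, MachineName, Message
```

PsExec's -r switch lets the caller name the service something other than PSEXESVC, so a detection that only matches on that string will miss a deliberate attacker; pairing the 7045 event with the ADMIN$ share access and the named-pipe activity is more robust.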

SysMon:

Sysmon (System Monitor) is a Windows service and device driver that monitors key system activity and records it in the Windows event log, under Microsoft-Windows-Sysmon/Operational. It captures security-relevant data and is especially useful for identifying malicious or anomalous activity: process creation with the full command line, parent process and image hashes; network connections tied to the originating process; changes to file creation times; driver and image loads; remote thread creation; registry changes; DNS queries; and more. In total it defines just under 30 event IDs. Which of them are logged, and for which processes or paths, is controlled by an XML configuration file, so Sysmon is only as useful as the config you give it. Unlike Process Monitor it keeps running across reboots and its events flow into whatever collects your Windows event logs.

Sysmon highlighting that powershell.exe was run on the machine
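The screenshot above shows a single powershell.exe process-creation event in Event Viewer. The following is an added example, not code from the original post, that installs Sysmon with a configuration file and then pulls the same information out of the Sysmon log with Get-WinEvent, parsing the event XML so that the parent process, user and command line come back as proper fields instead of a wall of text. The install path C:\Sysinternals and the config file name sysmonconfig.xml are assumptions (Sysmon ships no config file; you bring your own), and reading the Sysmon log requires an elevated prompt.

```powershell
# Added example (not from the original post). Assumptions: Sysmon64.exe and a configuration file
# live in C:\Sysinternals, and this runs elevated.
$Sysmon = 'C:\Sysinternals\Sysmon64.exe'        # assumed install path
$Config = 'C:\Sysinternals\sysmonconfig.xml'    # assumed configuration file

# -i installs the driver and service with the given config. Later: -c <file> updates the config
# in place, -c alone prints the active config, -u uninstalls.
& $Sysmon -accepteula -i $Config

function Get-SysmonProcessCreate {
    param([string]$ImageName = 'powershell.exe')
    $log = 'Microsoft-Windows-Sysmon/Operational'
    # Event ID 1 = Process Create. The hashtable filter is evaluated by the event log service,
    # so it is far cheaper than piping every Sysmon event through Where-Object.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data>; turn it into a lookup table.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['User']
                Image       = $d['Image']
                CommandLine = $d['CommandLine']
                ParentImage = $d['ParentImage']
                ParentCmd   = $d['ParentCommandLine']
                Hashes      = $d['Hashes']
            }
        } |
        Where-Object { $_.Image -like "*\$ImageName" }
}

# Every PowerShell launch since Sysmon was installed, with who started it and how.
Get-SysmonProcessCreate -ImageName 'powershell.exe' | Format-List
```

The ParentImage and CommandLine fields are what make this more useful than the Security log's own process-creation auditing: a powershell.exe whose parent is winword.exe or whose command line carries -EncodedCommand is worth a look regardless of what the process itself looks like in Process Explorer.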

Conclusion

This writeup is BARELY scratching the surface of the Windows Sysinternals suite. I encourage anyone who has not looked into the Sysinternals tools to download the suite and begin experimenting. Some of the tools in this suite make tasks such as dealing with malware and working out why a system or program is crashing much faster to bring to a conclusion.

I plan to do more writeups and projects going deeper into ideas such as basic troubleshooting, finding and removing malware, and more which will be posted as writeups on this Medium as well as my personal GitHub.
