0% found this document useful (0 votes)

20 views261 pages

ProcDump Systemctl

The Sysinternals website, created in 1996 by Mark Russinovich, offers advanced system utilities and technical information for managing Windows and Linux systems. Recent updates include new versions of tools like RDCMan and ProcDump, as well as the introduction of Sysinternals Live, which allows users to run tools directly from the web. The document also lists various Sysinternals utilities, their functionalities, and recent updates to enhance system management and troubleshooting.

Uploaded by

agyekumsamuel055

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

20 views261 pages

ProcDump Systemctl

Uploaded by

agyekumsamuel055

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 261

Tell us about your PDF experience.

Sysinternals
Article • 05/05/2025

The Sysinternals web site was created in 1996 by Mark Russinovich to host his advanced
system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find
Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows and Linux
systems and applications.

Read the official guide to the Sysinternals tools, Troubleshooting with the Windows
Sysinternals Tools
Read the Sysinternals Blog for a detailed change feed of tool updates
Watch Mark's Sysinternals Update videos on YouTube
Watch Mark’s top-rated Case-of-the-Unexplained troubleshooting presentations and
other webcasts
Read Mark’s Blog which highlight use of the tools to solve real problems
Check out the Sysinternals Learning Resources page
Post your questions in the Sysinternals Forum

Sysinternals Live
Sysinternals Live is a service that enables you to run Sysinternals tools directly from the Web
without manually downloading them.

Enter a tool's Sysinternals Live path in Windows Explorer as live.sysinternals.com/<toolname>

or \\live.sysinternals.com\tools\<toolname> . In a command prompt use
\\live.sysinternals.com\tools\<toolname> .

You can view the entire Sysinternals Live tools directory in a browser or Windows Explorer at
https://live.sysinternals.com/ .

What's New

What's New (May 5, 2025)

RDCMan v3.0
This update to RDCMan, a tool for managing and connecting to Remote Desktop
sessions, implements Windows 11 Terminal Services client features, and adds a series of
security and quality of life improvements, like seamless session resizing, keyboard
navigation, IPv6 support, and modern cryptography.

What's New (March 20, 2025)

Sysinternals Azure DevOps Extension
The Sysinternals ADO Task extension brings the power of Sysinternals tools directly into
your Azure DevOps pipelines, enabling you to troubleshoot build and release issues.

What's New (February 13, 2025)

Ctrl2Cap v3.0
Ctrl2Cap, a tool to help remap the Caps Lock key to Ctrl, has been updated to run on
Windows 10 and 11, and not require a driver.

What's New (January 29, 2025)

ZoomIt in PowerToys v0.88
ZoomIt is now part of Microsoft PowerToys and open source. ZoomIt will continue being
available from Sysinternals, as a stand-alone tool.

ProcDump 3.4 for Linux

ProcDump for Linux, a convenient way for developers to generate core dumps, now
includes ARM64 support.

What's New (December 16, 2024)

ZoomIt v9.0
This update to ZoomIt, a screen magnification and annotation tool, adds LiveDraw to
LiveZoom, enables ZoomIt drawing and annotation on top of live windows and the
desktop.

What's New (November 13, 2024)

ProcDump 1.0 for Mac
We’re excited to announce the release of ProcDump 1.0 for Mac , a tool that generates
process crash dumps with support for triggers like CPU and memory usage. ProcDump
functionality is now available on Windows, Linux, and macOS so that users on all
platforms can leverage the same powerful ProcDump capabilities.
Sysinternals Utilities Index
Article • 05/05/2025

Sysinternals Suite
The entire set of Sysinternals Utilities rolled up into a single download.

Sysinternals Suite for Nano Server

Sysinternals Utilities for Nano Server in a single download.

Sysinternals Suite for ARM64

Sysinternals Utilities for ARM64 in a single download.

Sysinternals Suite from the Microsoft Store

Sysinternals Utilities installation and updates via Microsoft Store.

AccessChk
v6.15 (May 11, 2022)
AccessChk is a command-line tool for viewing the effective permissions on files, registry keys,
services, processes, kernel objects, and more.

AccessEnum
v1.35 (September 29, 2022)
This simple yet powerful security tool shows you who has what access to directories, files and
Registry keys on your systems. Use it to find holes in your permissions.

AdExplorer
v1.52 (November 28, 2022)
Active Directory Explorer is an advanced Active Directory (AD) viewer and editor.

AdInsight
v1.2 (October 26, 2015)
An LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at
troubleshooting Active Directory client applications.

AdRestore
v1.2 (November 25, 2020)
Undelete Server 2003 Active Directory objects.

Autologon
v3.10 (August 29, 2016)
Bypass password screen during logon.

Autoruns
v14.11 (February 6, 2024)
See what programs are configured to startup automatically when your system boots and you
login. Autoruns also shows you the full list of Registry and file locations where applications can
configure auto-start settings.

BgInfo
v4.33 (February 13, 2025)
This fully-configurable program automatically generates desktop backgrounds that include
important information about the system including IP addresses, computer name, network
adapters, and more.

BlueScreen
v3.2 (November 1, 2006)
This screen saver not only accurately simulates Blue Screens, but simulated reboots as well
(complete with CHKDSK), and works on Windows NT 4, Windows 2000, Windows XP, Server
2003 and Windows 95 and 98.

CacheSet
v1.02 (December 16, 2021)
CacheSet is a program that allows you to control the Cache Manager's working set size using
functions provided by NT. It's compatible with all versions of NT.

ClockRes
v2.1 (July 4, 2016)
View the resolution of the system clock, which is also the maximum timer resolution.

Contig
v1.83 (March 9, 2023)
Wish you could quickly defragment your frequently used files? Use Contig to optimize
individual files, or to create new files that are contiguous.

Coreinfo
v3.6 (September 29, 2022)
Coreinfo is a new command-line utility that shows you the mapping between logical
processors and the physical processor, NUMA node, and socket on which they reside, as well as
the cache’s assigned to each logical processor.

Ctrl2Cap
v3.0 (February 13, 2025)
Ctrl2Cap is a tool to help remap the Caps Lock key to Ctrl.

DebugView
v4.90 (April 23, 2019)
Another first from Sysinternals: This program intercepts calls made to DbgPrint by device
drivers and OutputDebugString made by Win32 programs. It allows for viewing and recording
of debug session output on your local machine or across the Internet without an active
debugger.

Desktops
v2.01 (October 12, 2021)
This new utility enables you to create up to four virtual desktops and to use a tray interface or
hotkeys to preview what’s on each desktop and easily switch between them.

Disk2vhd
v2.02 (October 12, 2021)
Disk2vhd simplifies the migration of physical systems into virtual machines (p2v.md).

DiskExt
v1.2 (July 4, 2016)
Display volume disk-mappings.

Diskmon
v2.02 (October 12, 2021)
This utility captures all hard disk activity or acts like a software disk activity light in your system
tray.

DiskView
v2.41 (October 15, 2020)
Graphical disk sector utility.

Disk Usage (DU)

v1.62 (November 04, 2020)
View disk usage by directory.

EFSDump
v1.03 (October 12, 2021)
View information for encrypted files.

FindLinks
v1.1 (July 4, 2016)
FindLinks reports the file index and any hard links (alternate file paths on the same volume.md)
that exist for the specified file. A file's data remains allocated so long as at it has at least one
file name referencing it.

Handle
v5.0 (October 26, 2022)
This handy command-line utility will show you what files are open by which processes, and
much more.
Hex2dec
v1.1 (July 4, 2016)
Convert hex numbers to decimal and vice versa.

Junction
v1.07 (July 4, 2016)
Create Win2K NTFS symbolic links.

LDMDump
v1.02 (November 1, 2006)
Dump the contents of the Logical Disk Manager's on-disk database, which describes the
partitioning of Windows 2000 Dynamic disks.

ListDLLs
v3.2 (July 4, 2016)
List all the DLLs that are currently loaded, including where they are loaded and their version
numbers.

LiveKd
v5.62 (May 16, 2017)
Use Microsoft kernel debuggers to examine a live system.

LoadOrder
v1.02 (October 12, 2021)
See the order in which devices are loaded on your WinNT/2K system.

LogonSessions
v1.41 (November 25, 2020)
List the active logon sessions on a system.

MoveFile
v1.02 (September 17, 2020)
Allows you to schedule move and delete commands for the next reboot.

NotMyFault
v4.21 (September 29, 2022)
Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your
Windows system.

NTFSInfo
v1.2 (July 4, 2016)
Use NTFSInfo to see detailed information about NTFS volumes, including the size and location
of the Master File Table (MFT) and MFT-zone, as well as the sizes of the NTFS meta-data files.
PendMoves
v1.3 (September 17, 2020)
Enumerate the list of file rename and delete commands that will be executed the next boot.

PipeList
v1.02 (July 4, 2016)
Displays the named pipes on your system, including the number of maximum instances and
active instances for each pipe.

PortMon
v3.03 (January 12, 2012)
Monitor serial and parallel port activity with this advanced monitoring tool. It knows about all
standard serial and parallel IOCTLs and even shows you a portion of the data being sent and
received. Version 3.x has powerful new UI enhancements and advanced filtering capabilities.

ProcDump
v11.0 (November 3, 2022)
This command-line utility is aimed at capturing process dumps of otherwise difficult to isolate
and reproduce CPU spikes. It also serves as a general process dump creation utility and can
also monitor and generate process dumps when a process has a hung window or unhandled
exception.

Process Explorer
v17.06 (May 28, 2024)
Find out what files, registry keys and other objects processes have open, which DLLs they have
loaded, and more. This uniquely powerful utility will even show you who owns each process.

Process Monitor
v4.01 (June 20, 2024)
Monitor file system, Registry, process, thread and DLL activity in real-time.

PsExec
v2.43 (April 11, 2023)
Execute processes on remote systems.

PsFile
v1.04 (March 30, 2023)
See what files are opened remotely.

PsGetSid
v1.46 (March 30, 2023)
Displays the SID of a computer or a user.
PsInfo
v1.79 (March 30, 2023)
Obtain information about a system.

PsKill
v1.17 (March 30, 2023)
Terminate local or remote processes.

PsPing
v2.12 (March 30, 2023)
Measure network performance.

PsList
v1.41 (March 30, 2023)
Show information about processes and threads.

PsLoggedOn
v1.35 (June 29, 2016)
Show users logged on to a system.

PsLogList
v2.82 (March 30, 2023)
Dump event log records.

PsPasswd
v1.25 (March 30, 2023)
Changes account passwords.

PsService
v2.26 (March 30, 2023)
View and control services.

PsShutdown
v2.6 (March 30, 2023)
Shuts down and optionally reboots a computer.

PsSuspend
v1.08 (March 30, 2023)
Suspend and resume processes.

PsTools
v2.51 (April 11, 2023)
The PsTools suite includes command-line utilities for listing the processes running on local or
remote computers, running processes remotely, rebooting computers, dumping event logs,
and more.

RAMMap
v1.61 (May 11, 2022)
An advanced physical memory usage analysis utility that presents usage information in
different ways on its several different tabs.

RDCMan
v3.1 (May 5, 2025)
Manage multiple remote desktop connections.

RegDelNull
v1.11 (July 4, 2016)
Scan for and delete Registry keys that contain embedded null-characters that are otherwise
undeleteable by standard Registry-editing tools.

Registry Usage (RU)

v1.2 (July 4, 2016)
View the registry space usage for the specified registry key.

RegJump
v1.11 (October 12, 2021)
Jump to the registry path you specify in Regedit.

SDelete
v2.05 (September 29, 2023)
Securely overwrite your sensitive files and cleanse your free space of previously deleted files
using this DoD-compliant secure delete program.

ShareEnum
v1.61 (October 12, 2021)
Scan file shares on your network and view their security settings to close security holes.

ShellRunas
v1.02 (October 12, 2021)
Launch programs as a different user via a convenient shell context-menu entry.

Sigcheck
v2.90 (July 19, 2022)
Dump file version information and verify that images on your system are digitally signed.

Streams
v1.6 (July 4, 2016)
Reveal NTFS alternate streams.

Strings
v2.54 (June 22, 2021)
Search for ANSI and UNICODE strings in binary images.

Sync
v2.2 (July 4, 2016)
Flush cached data to disk.

Sysmon
v15.15 (July 23, 2024)
Monitors and reports key system activity via the Windows event log.

TCPView
v4.19 (April 11, 2023)
Active socket viewer.

VMMap
v3.4 (October 18, 2023)
VMMap is a process virtual and physical memory analysis utility.

VolumeId
v2.1 (July 4, 2016)
Set Volume ID of FAT or NTFS drives.

Whois
v1.20 (December 11, 2019)
See who owns an Internet address.

WinObj
v3.14 (January 27, 2022)
The ultimate Object Manager namespace viewer is here.

ZoomIt
v9.0 (December 16, 2024)
Presentation utility for zooming and drawing on the screen.
Sysinternals File and Disk Utilities
Article • 07/27/2021

AccessChk
This tool shows you the accesses the user or group you specify has to files, Registry keys
or Windows services.

AccessEnum
This simple yet powerful security tool shows you who has what access to directories,
files and Registry keys on your systems. Use it to find holes in your permissions.

CacheSet
CacheSet is a program that allows you to control the Cache Manager's working set size
using functions provided by NT. It's compatible with all versions of NT.

Contig
Wish you could quickly defragment your frequently used files? Use Contig to optimize
individual files, or to create new files that are contiguous.

Disk2vhd
Disk2vhd simplifies the migration of physical systems into virtual machines (p2v).

DiskExt
Display volume disk-mappings.

DiskMon
This utility captures all hard disk activity or acts like a software disk activity light in your
system tray.

DiskView
Graphical disk sector utility.

Disk Usage (DU)

View disk usage by directory.

EFSDump
View information for encrypted files.

FindLinks
FindLinks reports the file index and any hard links (alternate file paths on the same
volume) that exist for the specified file. A file's data remains allocated so long as at it
has at least one file name referencing it.
Junction
Create Win2K NTFS symbolic links.

LDMDump
Dump the contents of the Logical Disk Manager"s on-disk database, which describes the
partitioning of Windows 2000 Dynamic disks.

MoveFile
Schedule file rename and delete commands for the next reboot. This can be useful for
cleaning stubborn or in-use malware files.

NTFSInfo
Use NTFSInfo to see detailed information about NTFS volumes, including the size and
location of the Master File Table (MFT) and MFT-zone, as well as the sizes of the NTFS
meta-data files.

PendMoves
See what files are scheduled for delete or rename the next time the system boots.

Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time.

PsFile
See what files are opened remotely.

PsTools
The PsTools suite includes command-line utilities for listing the processes running on
local or remote computers, running processes remotely, rebooting computers, dumping
event logs, and more.

SDelete
Securely overwrite your sensitive files and cleanse your free space of previously deleted
files using this DoD-compliant secure delete program.

ShareEnum
Scan file shares on your network and view their security settings to close security holes.

Sigcheck
Dump file version information and verify that images on your system are digitally
signed.

Streams
Reveal NTFS alternate streams.
Sync
Flush cached data to disk.

VolumeID
Set Volume ID of FAT or NTFS drives.
AccessChk v6.15
Article • 05/11/2022

By Mark Russinovich

Published: May 11, 2022

Download AccessChk (1 MB)

Run now from Sysinternals Live .

Introduction
As a part of ensuring that they've created a secure environment Windows administrators
often need to know what kind of accesses specific users or groups have to resources
including files, directories, Registry keys, global objects and Windows services.
AccessChk quickly answers these questions with an intuitive interface and output.

Installation
AccessChk is a console program. Copy AccessChk onto your executable path. Typing
"accesschk" displays its usage syntax.

Using AccessChk
Usage:

Windows Command Prompt

accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f]

[-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file,
directory, registry key, process, service, object>

Parameter Description

-a Name is a Windows account right. Specify "*" as the name to show all rights
assigned to a user. Note that when you specify a specific right, only groups and
accounts directly assigned to the right are displayed.

-c Name is a Windows Service, e.g. ssdpsrv . Specify "*" as the name to show all
services and scmanager to check the security of the Service Control Manager.
Parameter Description

-d Only process directories or top-level keys

-e Only show explicitly set-Integrity Levels (Windows Vista and higher only)

-f If following -p , shows full process token information including groups and

privileges. Otherwise is a list of comma-separated accounts to filter from the output.

-h Name is a file or printer share. Specify "*" as the name to show all shares.

-i Ignore objects with only inherited ACEs when dumping full access control lists.

-k Name is a Registry key, e.g. hklm\software

-l Show full security descriptor. Add -i to ignore inherited ACEs.

-n Show only objects that have no access

-o Name is an object in the Object Manager namespace (default is root). To view the
contents of a directory, specify the name with a trailing backslash or add -s . Add -t
and an object type (e.g. section) to see only objects of a specific type.

-p Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all
processes). Add -f to show full process token information, including groups and
privileges. Add -t to show threads.

-nobanner Do not display the startup banner and copyright message.

-r Show only objects that have read access

-s Recurse

-t Object type filter, e.g. "section"

-u Suppress errors

-v Verbose (includes Windows Vista Integrity Level)

-w Show only objects that have write access

If you specify a user or group name and path, AccessChk will report the effective
permissions for that account; otherwise it will show the effective access for accounts
referenced in the security descriptor.

By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to
specify a named pipe path). For each object, AccessChk prints R if the account has read
access, W for write access, and nothing if it has neither. The -v switch has AccessChk
dump the specific accesses granted to an account.
Examples
The following command reports the accesses that the Power Users account has to files
and directories in \Windows\System32 :

Windows Command Prompt

accesschk "power users" c:\windows\system32

This command shows which Windows services members of the Users group have write
access to:

Windows Command Prompt

accesschk users -cw *

To see what Registry keys under HKLM\CurrentUser a specific account has no access to:

Windows Command Prompt

accesschk -kns austin\mruss hklm\software

To see the security on the HKLM\Software key:

Windows Command Prompt

accesschk -k hklm\software

To see all files under \Users\Mark on Vista that have an explicit integrity level:

Windows Command Prompt

accesschk -e -s c:\users\mark

To see all global objects that Everyone can modify:

Windows Command Prompt

accesschk -wuo everyone \basednamedobjects

Download AccessChk (1 MB)

Run now from Sysinternals Live .
AccessEnum v1.35
Article • 09/29/2022

By Mark Russinovich

Published: September 29, 2022

Download AccessEnum (135 KB)

Run now from Sysinternals Live .

Introduction
While the flexible security model employed by Windows NT-based systems allows full
control over security and file permissions, managing permissions so that users have
appropriate access to files, directories and Registry keys can be difficult. There's no built-
in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives
you a full view of your file system and Registry security settings in seconds, making it
the ideal tool for helping you find security holes and lock down permissions where
necessary.

How It Works
AccessEnum uses standard Windows security APIs to populate its listview with read, write
and deny access information.

Download AccessEnum (135 KB)

Run now from Sysinternals Live .

CacheSet v1.02
Article • 12/16/2021

By Mark Russinovich

Published: December 16, 2021

Download CacheSet (417 KB)

Run now from Sysinternals Live .

Introduction
CacheSet is an applet that allows you to manipulate the working-set parameters of the
system file cache. Unlike CacheMan, CacheSet runs on all versions of NT and will work
without modifications on new Service Pack releases. In addition to providing you the
ability to control the minimum and maximum working set sizes, it also allows you to
reset the Cache's working set, forcing it to grow as necessary from a minimal starting
point. Also unlike CacheMan, changes made with CacheSet have an immediate effect on
the size of the Cache.

Use CacheSet to performance tune the system Cache size in a way not possible without
tweaking internal variables the way CacheMan does.

Note: To use CacheSet on NT 4.0 Service Pack 4 and later you must have the "Increase
Quota" privilege (administrator accounts have this privilege by default). CacheSet has
been updated to enable this privilege so that it works on SP4.

Installation and Use

After it starts it presents the system file cache's current size (updated twice a second),
it's peak size (the largest it's been since the last reboot), and lets you set new minimum
and maximum working set sizes.

Setting New Sizes Simply enter the new minimum and maximum sizes and hit the Apply
button. If you get an error, then one of the following conditions holds: you've entered a
maximum that is smaller than the minimum, the minimum you've entered is smaller
than the minimum system working-set size, or the maximum you've entered is larger
than the maximum system working-set sizes. Adjust the values you've entered and try
again.

You may notice that the Cache's size changes immediately and then proceeds to shrink
or grow quickly. This is because the system automatically trims working sets once a
second. The Cache pages that are released are still in memory, but can be relinquished
quickly for use by other programs that need more memory. Similarly, the Cache can
eaily regain pages as applications access file system data.

Resetting Previous Values At any time you can restore the Cache's working set values
that were active when you last started CacheSet by hitting the Reset button.

Clearing the Cache's Working Set You can force the Cache to release all of it's pages by
pressing the Clear button. Note that the Cache can grow again as necessary, and that
this is not the same as flushing the Cache - pages that were assigned to it are simply
made available to other programs and can be reclaimed by the Cache.

Using the Command-Line Interface You can enter the minimum and maximum working
set sizes on CacheSet's command line. CacheSet will apply these new values silently.
Thus, you can add CacheSet to your Start program group to automatically set the
Cache's sizes every time you boot.

Usage: CacheSet [minimum working set] [maximum working set]

How It Works
CacheSet uses a NtQuerySystemInformation call to obtain information about the
Cache's settings and NtSetSystemInformation to set new sizing information. The
working-set information for a process serves as guidelines for NT's Memory Manager
regarding how many pages of physical memory should be assigned to the application.
Because they are guidelines, conditions can result such that the Memory Manager grows
a working-set to a size greater than the maximum, or shrinks it to less than the
minimum. However, the settings are factors that will affect the overall allocation, and
hence responsiveness, of an application. In the case of CacheSet the application is the
file system Cache.

Internally NtSetSystemInformation calls MmAdjustWorkingSetSize, which either grows

an application's working set or trims it. If the third parameter passed to
MmAdjustWorkingSetSize is 1, the system Cache's working set is adjusted, otherwise
the adjustment occurs on the current process (the system information calls affect only
the system cache). Passing in a minimum and maximum of -1 causes
MmAjustWorkingSetSize to perform a working-set clear operation, releasing all pages
from the application's working set.

Download CacheSet (417 KB)

Run now from Sysinternals Live .

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
Contig v1.83
Article • 03/09/2023

By Mark Russinovich

Published: March 9, 2023

Download Contig (366 KB)

Introduction
There are a number of NT disk defraggers on the market, including Winternals Defrag
Manager. These tools are useful for performing a general defragmentation of disks, but
while most files are defragmented on drives processed by these utilities, some files may
not be. In addition, it is difficult to ensure that particular files that are frequently used
are defragmented - they may remain fragmented for reasons that are specific to the
defragmentation algorithms used by the defragging product that has been applied.
Finally, even if all files have been defragmented, subsequent changes to critical files
could cause them to become fragmented. Only by running an entire defrag operation
can one hope that they might be defragmented again.

Contig is a single-file defragmenter that attempts to make files contiguous on disk. Its
perfect for quickly optimizing files that are continuously becoming fragmented, or that
you want to ensure are in as few fragments as possible.

Using Contig
Contig is a utility that defragments a specified file or files. Use it to optimize execution of
your frequently used files.

Usage:

Windows Command Prompt

Contig.exe [-a] [-s] [-q] [-v] [existing file]

Contig.exe [-f] [-q] [-v] [drive:]
Contig.exe [-v] [-l] -n [new file] [new file length]

Parameter Description

-a Analyze fragmentation
Parameter Description

-f Analyze free space fragmentation

-l Set valid data length for quick file creation (requires administrator rights)

-q Quiet mode

-s Recurse subdirectories

-v Verbose

Contig can also analyze and defragment the following NTFS metadata files:

$Mft
$LogFile
$Volume
$AttrDef
$Bitmap
$Boot
$BadClus
$Secure
$UpCase
$Extend

How it Works
Contig uses the native Windows NT defragmentation support that was introduced with
NT 4.0 (see my documentation of the defrag APIs for more information). It first scans the
disk collecting the locations and sizes of free areas. Then it determines where the file in
question is located. Next, Contig decides whether the file can be optimized, based on
free areas and the number of fragments the file currently consists of. If the file can be
optimized, it is moved into the free spaces of the disk.

More Information
Helen Custer's Inside Windows NT provides a good overview of the Object Manager
name space, and Mark's October 1997 Windows NT Magazine column,"Inside the Object
Manager", is (of course) an excellent overview.

Download Contig (366 KB)

Runs on:
Client: Windows 8.1 and higher.
Server: Windows Server 2012 and higher.
Nano Server: 2016 and higher.
Disk2vhd v2.02
Article • 10/12/2021

By Mark Russinovich

Published: October 12, 2021

Download Disk2vhd (564 KB)

Run now from Sysinternals Live .

Introduction
Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's Virtual Machine
disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft
Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-
to-virtual tools is that you can run Disk2vhd on a system that’s online. Disk2vhd uses
Windows' Volume Snapshot capability, introduced in Windows XP, to create consistent
point-in-time snapshots of the volumes you want to include in a conversion. You can
even have Disk2vhd create the VHDs on local volumes, even ones being converted
(though performance is better when the VHD is on a disk different than ones being
converted).

The Disk2vhd user interface lists the volumes present on the system:

It will create one VHD for each disk on which selected volumes reside. It preserves the
partitioning information of the disk, but only copies the data contents for volumes on
the disk that are selected. This enables you to capture just system volumes and exclude
data volumes, for example.
Virtual PC supports a maximum virtual disk size of 127GB. If you create a VHD from
a larger disk it will not be accessible from a Virtual PC VM.

To use VHDs produced by Disk2vhd, create a VM with the desired characteristics and
add the VHDs to the VM's configuration as IDE disks. On first boot, a VM booting a
captured copy of Windows will detect the VM's hardware and automatically install
drivers, if present in the image. If the required drivers are not present, install them via
the Virtual PC or Hyper-V integration components. You can also attach to VHDs using
the Windows 7 or Windows Server 2008 R2 Disk Management or Diskpart utilities.

Do not attach to VHDs on the same system on which you created them if you plan
on booting from them. If you do so, Windows will assign the VHD a new disk
signature to avoid a collision with the signature of the VHD’s source disk. Windows
references disks in the boot configuration database (BCD) by disk signature, so
when that happens Windows booted in a VM will fail to locate the boot disk.

Disk2vhd does not support the conversion of volumes with Bitlocker enabled. If you
wish to create a VHD for such a volume, turn off Bitlocker and wait for the volume to
be fully decrypted first.

Disk2vhd runs on Windows Vista, Windows Server 2008, and higher, including x64
systems.

Here's a screenshot of a copy of a Windows Server 2008 R2 Hyper-V system running in a

virtual machine on top of the system it was made from:

(click image to zoom)

Command Line Usage

Disk2vhd includes command-line options that enable you to script the creation of VHDs.
Specify the volumes you want included in a snapshot by drive letter (e.g. c:) or use "*" to
include all volumes.

Usage: disk2vhd <[drive: [drive:]...]|[*]> <vhdfile>

Example: disk2vhd * c:\vhd\snapshot.vhd

Physical-to-virtual hard drive migration of a Windows installation is a valid function

for customers with Software Assurance and full retail copies of Windows XP,
Windows Vista, and Windows 7. Software Assurance provides users valuable
benefits—please contact Microsoft Corporation for further information. Windows
XP, Windows Vista and Windows 7 installed by Original Equipment Manufacturers
(OEM) using OEM versions of these products may not be transferred to a virtual
hard drive in accordance with Microsoft licensing terms.

Download Disk2vhd (564 KB)

Run now from Sysinternals Live .

DiskExt v1.2
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download DiskExt (498 KB)

Introduction
DiskExt demonstrates the use of the IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS
command that returns information about what disks the partitions of a volume are
located on (multipartition disks can reside on multiple disks) and where on the disk the
partitions are located.

Download DiskExt (498 KB)

DiskMon for Windows v2.02
Article • 10/12/2021

By Mark Russinovich

Published: October 12, 2021

Download Diskmon (488 KB)

Run now from Sysinternals Live .

Introduction
DiskMon is an application that logs and displays all hard disk activity on a Windows
system. You can also minimize DiskMon to your system tray where it acts as a disk light,
presenting a green icon when there is disk-read activity and a red icon when there is
disk-write activity.

Installation and Use

Installing DiskMon is as easy as unzipping it and typing, "diskmon." The menus and
toolbar buttons can be used to disable event capturing, control the scrolling of the
listview, and to save the listview contents to an ASCII file.

To have DiskMon function as a disk light in your system tray, select the Options|Minimize
to Tray menu item, or start DiskMon with a "/l" (lower-case L) command-line switch e.g.
diskmon /l. To reactivate the DiskMon window double-click on the DiskMon tray icon. To
create a shortcut to Diskmon in the tray create a shortcut in your Program Files\Startup
folder, edit the properties of the shortcut and set the Target to point at the executable
with the path in quotations and the switch outside the quotes:

"C:\Sysinternals Tools\Diskmon.exe" /l

Read and write offsets are presented in terms of sectors (512 bytes). Events can be either
timed for their duration (in microseconds), or stamped with the absolute time that they
were initiated. The History Depth dialog can be used to specify the maximum number of
records that will be kept in the GUI (0 signifies no limit).
Implementation
DiskMon uses kernel event tracing. Event tracing is documented in the Microsoft
Platform SDK and the SDK contains source code to TraceDmp, on which DiskMon is
based.

Download Diskmon (488 KB)

Run now from Sysinternals Live .

Disk Usage v1.62
Article • 07/19/2022

By Mark Russinovich

Published: November 04, 2020

] Download Du (1.62 MB)

Introduction
Du (disk usage) reports the disk space usage for the directory you specify. By default it
recurses directories to show the total size of a directory and its subdirectories.

Using Disk Usage (DU)

Usage: du [-c[t]] [-l <levels> | -n | -v] [-u] [-q] <directory>

Parameter Description

-c Print output as CSV. Use -ct for tab delimiting.

-l Specify subdirectory depth of information (default is 0 levels).

-n Do not recurse.

-v Show size (in KB) of intermediate directories.

-u Count each instance of a hardlinked file.

-q Quiet.

-nobanner Do not display the startup banner and copyright message.

CSV output is formatted as:

Path, CurrentFileCount, CurrentFileSize, FileCount, DirectoryCount, DirectorySize,

DirectorySizeOnDisk

Download Du (1.62 MB)

DiskView v2.41
Article • 03/23/2021

By Mark Russinovich

Published: October 15, 2020

Download DiskView (800 KB)

Run now from Sysinternals Live .

Introduction
DiskView shows you a graphical map of your disk, allowing you to determine where a
file is located or, by clicking on a cluster, seeing which file occupies it. Double-click to
get more information about a file to which a cluster is allocated.

Download DiskView (800 KB)

Run now from Sysinternals Live .

EFSDump v1.03
Article • 10/12/2021

By Mark Russinovich

Published: October 12, 2021

Download EFSDump (161 KB)

Introduction
Windows 2000 introduces the Encrypting File System (EFS) so that users can protect
their sensitive data. Several new APIs make their debut to support this facility, including
one-QueryUsersOnEncryptedFile-that lets you see who has access to encrypted files.
This applet uses the API to show you what accounts are authorized to access encrypted
files.

Using EFSDump
Parameter Description

-s Recurse subdirectories.

EFSDump takes wildcards e.g. 'efsdump *.txt'.

Download EFSDump (161 KB)

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
LDMDump v1.02
Article • 03/23/2021

By Mark Russinovich

Published: November 1, 2006

Download LDMDump (43 KB)

Introduction
Windows 2000 introduces a new type of disk partitioning scheme that is managed by a
component called the Logical Disk Manager (LDM). Basic disks implement standard
DOS-style partition tables, whereas Dynamic disks use LDM partitioning. LDM
partitioning offers several advantages over DOS partitioning including replication across
disks, on-disk storage of advanced volume configuration (spanned volume, mirrored
volumes, striped volumes and RAID-5 volumes). My March/April two-part series on
Windows NT/2000 storage management in Windows 2000 Magazine describes the
details of each partitioning scheme.

Other than the Disk Management MMC-snapin and a tool called dmdiag in the
Windows 2000 Resource Kit, there are no tools for investigating the internals of the LDM
on-disk database that describes a system's partitioning layout. LDMDump is a utility that
lets you examine exactly what is stored in a disk's copy of the system LDM database.
LDMDump shows you the contents of the LDM database private header, table-of-
contents, and object database (where partition, component and volume definitions are
stored), and then summarizes its finding with partition table and volume listings.

Installing and Using LDMDump

To use LDMDump simply pass it the identifier of a disk.

Usage: ldmdump [- ] [-d#]

Parameter Description

- Displays the supported options and the units of measurement used for output
values.

-d# Specifies the number of the disk for LDMDump to examine. For example, "ldmdump
/d0" has LDMDump show the LDM database information stored on disk 0.
How it Works
There are no published APIs available for obtaining detailed information about a disk's
LDM partitioning, and the LDM database format is completely undocumented.
LDMDump was developed based on study of LDM database contents on a variety of
different systems and under changing conditions.

More Information
For more information on the LDM on-disk structure, see:

Inside Storage Management, Part 2, by Mark Russinovich, Windows 2000 Magazine,

April 2000.

Download LDMDump (43 KB)

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
PendMoves v1.3 and MoveFile v1.02
Article • 10/15/2021

By Mark Russinovich Published: September 17, 2020

Download PendMoves and MoveFile (988 KB)

Introduction
There are several applications, such as service packs and hotfixes, that must replace a file
that's in use and is unable to. Windows therefore provides the MoveFileEx API to
rename or delete a file and allows the caller to specify that they want the operation to
take place the next time the system boots,before the files are referenced. Session
Manager performs this task by reading the registered rename and delete commands
from the HKLM\System\CurrentControlSet\Control\Session
Manager\PendingFileRenameOperations value.

PendMoves Usage
This applet dumps the contents of the pending rename/delete value and also reports an
error when the source file is notaccessible.

Usage: pendmoves
Here is example output that shows a temporary installation file is scheduled for deletion
at the next reboot:

Shell

C:\\>pendmoves
PendMove v1.2
Copyright (C) 2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Source: C:\\Config.Msi\\3ec7bbbf.rbf
Target: DELETE

MoveFile usage
The included MoveFile utililty allows you to schedule move and delete commands for
the next reboot: usage: movefile [source] [dest]
Specifying an empty destination ("") deletes the source at boot. An example that deletes
test.exe is:

Shell

movefile test.exe ""

Download PendMoves and MoveFile (988 KB)

NTFSInfo v1.2
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download NTFSInfo (143 KB)

Introduction
NTFSInfo is a little applet that shows you information about NTFS volumes. Its dump
includes the size of a drive's allocation units, where key NTFS files are located, and the
sizes of the NTFS metadata files on the volume. This information is typically of little
more than curiosity value, but NTFSInfo does show some interesting things. For
example, you've probably heard about the NTFS equivalent of the FAT file system's File
Allocation Table. Its called the Master File Table (MFT), and it is made up of constant
sized records that describe the location of all the files and directories on the drive.
What's surprising about the MFT is that it is managed as a file, just like any other.
NTFSInfo will show you where on the disk (in terms of clusters) the MFT is located and
how large it is, in addition to specifying how large the volume's clusters and MFT
records are. In order to protect the MFT from fragmentation, NTFS reserves a portion of
the disk around the MFT that it will not allocate to other files unless disk space runs low.
This area is known as the MFT-Zone and NTFSInfo will tell you where on the disk the
MFT-Zone is located and what percentage of the drive is reserved for it.

You might also be surprised to know that like the MFT, all NTFS meta-data are managed
in files. For instance, there is a file called $Boot that is mapped to cover the drive's boot
sector. The volume's cluster map is maintained in another file named $Bitmap. These
files reside right in the NTFS root directory, but you can't see them unless you know
they are there. Try typing "dir /ah $boot" at the root directory of an NTFS volume and
you'll actually see the $boot file. NTFSInfo performs the equivalent of the "dir /ah" to
show you the names and sizes of all of NTFS (3.51 and 4.0) meta-data files.

NTFSInfo is intended to accompany my January 1998 Windows NT Magazine "NT

Internals" column, which describes NTFS internal data structures.

Installation and Usage

NTFSInfo works on all versions of NTFS, but NTFS for Windows NT 5.0 has different
meta-data files that NTFSInfo has not been programmed for yet. In order for NTFSInfo to
work you must have administrative privilege.

Usage: NTFSInfo x

Parameter Description

x The drive letter of the NTFS volume that you want to examine.

How It Works
NTFSInfo uses an undocumented File System Control (FSCTL) call to obtain information
from NTFS about a volume. It prints this information along with a directory dump of
NTFS meta-data files.

Download NTFSInfo (143 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
PendMoves v1.3 and MoveFile v1.02
Article • 10/15/2021

By Mark Russinovich Published: September 17, 2020

Download PendMoves and MoveFile (988 KB)

PendMoves Usage
This applet dumps the contents of the pending rename/delete value and also reports an
error when the source file is notaccessible.

Usage: pendmoves
Here is example output that shows a temporary installation file is scheduled for deletion
at the next reboot:

Shell

C:\\>pendmoves
PendMove v1.2
Copyright (C) 2013 Mark Russinovich
Sysinternals - www.sysinternals.com

Source: C:\\Config.Msi\\3ec7bbbf.rbf
Target: DELETE

Shell

movefile test.exe ""

Download PendMoves and MoveFile (988 KB)

RegMon for Windows v7.04
Article • 03/23/2021

By Mark Russinovich

Published: November 1, 2006

RegMon and FileMon are no longer available for download. They have been replaced by
Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP
SP2, Windows Server 2003 SP1, and Windows Vista.

Related Utilities
Here are some other monitoring tools available at Sysinternals:

PortMon - a serial and parallel port monitor

Process Monitor - a process and thread monitor
DiskMon - a hard disk monitor
DebugView - a debug output monitor
SDelete v2.05
Article • 07/19/2022

By Mark Russinovich

Published: September 29, 2023

Download SDelete (304 KB)

Introduction
One feature of Windows NT/2000's (Win2K) C2-compliance is that it implements object
reuse protection. This means that when an application allocates file space or virtual
memory it is unable to view data that was previously stored in the resources Windows
NT/2K allocates for it. Windows NT zero-fills memory and zeroes the sectors on disk
where a file is placed before it presents either type of resource to an application.
However, object reuse does not dictate that the space that a file occupies before it is
deleted be zeroed. This is because Windows NT/2K is designed with the assumption that
the operating system controls access to system resources. However, when the operating
system is not active it is possible to use raw disk editors and recovery tools to view and
recover data that the operating system has deallocated. Even when you encrypt files
with Win2K's Encrypting File System (EFS), a file's original unencrypted file data is left on
the disk after a new encrypted version of the file is created.

The only way to ensure that deleted files, as well as files that you encrypt with EFS, are
safe from recovery is to use a secure delete application. Secure delete applications
overwrite a deleted file's on-disk data using techniques that are shown to make disk
data unrecoverable, even using recovery technology that can read patterns in magnetic
media that reveal weakly deleted files. SDelete (Secure Delete) is such an application.
You can use SDelete both to securely delete existing files, as well as to securely erase any
file data that exists in the unallocated portions of a disk (including files that you have
already deleted or encrypted). SDelete implements the Department of Defense clearing
and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with
SDelete, your file data is gone forever. Note that SDelete securely deletes file data, but
not file names located in free disk space.

Using SDelete
SDelete is a command line utility that takes a number of options. In any given use, it
allows you to delete one or more files and/or directories, or to cleanse the free space on
a logical disk. SDelete accepts wild card characters as part of the directory or file
specifier.

Usage:

Windows Command Prompt

sdelete [-p passes] [-r] [-s] [-q] [-f] <file or directory [...]>
sdelete [-p passes] [-q] [-z|-c] <drive letter [...]>
sdelete [-p passes] [-q] [-z|-c] <physical disk number [...]>

Parameter Description

-c Clean free space.

-f Force arguments containing only letters to be treated as a file/directory rather than

a disk.
Not required if the argument contains other characters (path separators or file
extensions for example).

-p Specifies number of overwrite passes (default is 1).

-q Quiet mode.

-r Remove Read-Only attribute.

-s Recurse subdirectories.

-z Zero free space (good for virtual disk optimization).

-nobanner Do not display the startup banner and copyright message.

Disks must not have any volumes in order to be cleaned.

For drive letters, include : , for example D: .

How SDelete Works

Securely deleting a file that has no special attributes is relatively straight-forward: the
secure delete program simply overwrites the file with the secure delete pattern. What is
more tricky is securely deleting Windows NT/2K compressed, encrypted and sparse files,
and securely cleansing disk free spaces.

Compressed, encrypted and sparse are managed by NTFS in 16-cluster blocks. If a

program writes to an existing portion of such a file NTFS allocates new space on the disk
to store the new data and after the new data has been written, deallocates the clusters
previously occupied by the file. NTFS takes this conservative approach for reasons
related to data integrity, and in the case of compressed and sparse files, in case a new
allocation is larger than what exists (the new compressed data is bigger than the old
compressed data). Thus, overwriting such a file will not succeed in deleting the file's
contents from the disk.

To handle these types of files SDelete relies on the defragmentation API. Using the
defragmentation API, SDelete can determine precisely which clusters on a disk are
occupied by data belonging to compressed, sparse and encrypted files. Once SDelete
knows which clusters contain the file's data, it can open the disk for raw access and
overwrite those clusters.

Cleaning free space presents another challenge. Since FAT and NTFS provide no means
for an application to directly address free space, SDelete has one of two options. The
first is that it can, like it does for compressed, sparse and encrypted files, open the disk
for raw access and overwrite the free space. This approach suffers from a big problem:
even if SDelete were coded to be fully capable of calculating the free space portions of
NTFS and FAT drives (something that's not trivial), it would run the risk of collision with
active file operations taking place on the system. For example, say SDelete determines
that a cluster is free, and just at that moment the file system driver (FAT, NTFS) decides
to allocate the cluster for a file that another application is modifying. The file system
driver writes the new data to the cluster, and then SDelete comes along and overwrites
the freshly written data: the file's new data is gone. The problem is even worse if the
cluster is allocated for file system metadata since SDelete will corrupt the file system's
on-disk structures.

The second approach, and the one SDelete takes, is to indirectly overwrite free space.
First, SDelete allocates the largest file it can. SDelete does this using non-cached file I/O
so that the contents of the NT file system cache will not be thrown out and replaced
with useless data associated with SDelete's space-hogging file. Because non-cached file
I/O must be sector (512-byte) aligned, there might be some leftover space that isn't
allocated for the SDelete file even when SDelete cannot further grow the file. To grab any
remaining space SDelete next allocates the largest cached file it can. For both of these
files SDelete performs a secure overwrite, ensuring that all the disk space that was
previously free becomes securely cleansed.

On NTFS drives SDelete's job isn't necessarily through after it allocates and overwrites
the two files. SDelete must also fill any existing free portions of the NTFS MFT (Master
File Table) with files that fit within an MFT record. An MFT record is typically 1KB in size,
and every file or directory on a disk requires at least one MFT record. Small files are
stored entirely within their MFT record, while files that don't fit within a record are
allocated clusters outside the MFT. All SDelete has to do to take care of the free MFT
space is allocate the largest file it can - when the file occupies all the available space in
an MFT Record NTFS will prevent the file from getting larger, since there are no free
clusters left on the disk (they are being held by the two files SDelete previously
allocated). SDelete then repeats the process. When SDelete can no longer even create a
new file, it knows that all the previously free records in the MFT have been completely
filled with securely overwritten files.

To overwrite file names of a file that you delete, SDelete renames the file 26 times, each
time replacing each character of the file's name with a successive alphabetic character.
For instance, the first rename of "foo.txt" would be to "AAA.AAA".

The reason that SDelete does not securely delete file names when cleaning disk free
space is that deleting them would require direct manipulation of directory structures.
Directory structures can have free space containing deleted file names, but the free
directory space is not available for allocation to other files. Hence, SDelete has no way of
allocating this free space so that it can securely overwrite it.

Download SDelete (304 KB)

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2012 and higher.
Nano Server: 2016 and higher.
Sigcheck v2.90
Article • 07/19/2022

By Mark Russinovich

Published: July 19, 2022

Download Sigcheck (664 KB)

Introduction
Sigcheck is a command-line utility that shows file version number, timestamp
information, and digital signature details, including certificate chains. It also includes an
option to check a file’s status on VirusTotal , a site that performs automated file
scanning against over 40 antivirus engines, and an option to upload a file for scanning.

usage:

Windows Command Prompt

sigcheck [-a][-h][-i][-e][-l][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r]
[s]][-f catalog file] <file or directory>

sigcheck -d [-c|-ct] <file or directory>

usage: sigcheck -t[u][v] [-i] [-c|-ct] <certificate store name|*>

Parameter Description

-a Show extended version information. The entropy measure reported is the bits per
byte of information of the file's contents.

-accepteula Silently accept the Sigcheck EULA (no interactive prompt)

-c CSV output with comma delimiter

-ct CSV output with tab delimiter

-d Dump contents of a catalog file

-e Scan executable images only (regardless of their extension)

-f Look for signature in the specified catalog file

-h Show file hashes

Parameter Description

-i Show catalog name and signing chain

-l Traverse symbolic links and directory junctions

-m Dump manifest

-n Only show file version number

-o Performs Virus Total lookups of hashes captured in a CSV file previously captured
by Sigcheck when using the -h option. This usage is intended for scans of offline
systems.

-nobanner Do not display the startup banner and copyright message.

-r Disable check for certificate revocation

-p Verify signatures against the specified policy, represented by its GUID.

-s Recurse subdirectories

-t[u][v] Dump contents of specified certificate store ('*' for all stores).
Specify -tu to query the user store (machine store is the default).
Append '-v' to have Sigcheck download the trusted Microsoft root certificate list
and only output valid certificates not rooted to a certificate on that list. If the site
is not accessible, authrootstl.cab or authroot.stl in the current directory are used
instead, if present.

-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have
non-zero detection, otherwise show only unsigned files.

-v[rs] Query VirusTotal (www.virustotal.com ) for malware based on file hash.

Add 'r' to open reports for files with non-zero detection.
Files reported as not previously scanned will be uploaded to VirusTotal if the 's'
option is specified. Note scan results may not be available for five or more
minutes.

-vt Before using VirusTotal features, you must accept VirusTotal terms of service. See:
https://www.virustotal.com/en/about/terms-of-service/ If you haven't accepted
the terms and you omit this option, you will be interactively prompted.

One way to use the tool is to check for unsigned files in your \Windows\System32
directories with this command:

Windows Command Prompt

sigcheck -u -e c:\windows\system32

You should investigate the purpose of any files that are not signed.
Download Sigcheck (664 KB)

Runs on:

Client: Windows 8.1 and higher

Server: Windows Server 2012 and higher
Nano Server: 2016 and higher

Learn More
Malware Hunting with the Sysinternals Tools
In this presentation, Mark shows how to use the Sysinternals tools to identify,
analyze and clean malware.
Streams v1.6
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download Streams (499 KB)

Introduction
The NTFS file system provides applications the ability to create alternate data streams of
information. By default, all data is stored in a file's main unnamed data stream, but by
using the syntax 'file:stream', you are able to read and write to alternates. Not all
applications are written to access alternate streams, but you can demonstrate streams
very simply. First, change to a directory on a NTFS drive from within a command
prompt. Next, type 'echo hello > test:stream'. You've just created a stream named
'stream' that is associated with the file 'test'. Note that when you look at the size of test
it is reported as 0, and the file looks empty when opened in any text editor. To see your
stream enter 'more < test:stream' (the type command doesn't accept stream syntax so
you have to use more).

NT does not come with any tools that let you see which NTFS files have streams
associated with them, so I've written one myself. Streams will examine the files and
directories (note that directories can also have alternate data streams) you specify and
inform you of the name and sizes of any named streams it encounters within those files.
Streams makes use of an undocumented native function for retrieving file stream
information.

Using Streams
Usage: streams [-s] [-d] <file or directory>

Parameter Description

-s Recurse subdirectories.

-d Delete streams.

Streams takes wildcards e.g. 'streams *.txt'.

Download Streams (499 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
Sync v2.2
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download Sync (500 KB)

Introduction
UNIX provides a standard utility called Sync, which can be used to direct the operating
system to flush all file system data to disk in order to insure that it is stable and won't be
lost in case of a system failure. Otherwise, any modified data present in the cache would
be lost. Here is an equivalent that I wrote, called Sync, that works on all versions of
Windows. Use it whenever you want to know that modified file data is safely stored on
your hard drives. Unfortunately, Sync requires administrative privileges to run. This
version also lets you flush removable drives such as ZIP drives.

Using Sync
Usage: sync [-r] [-e] [drive letter list]

Parameter Description

-r Flush removable drives.

-e Ejects removable drives.

Specifying specific drives (e.g. "c e") will result in Sync only flushing those drives.

Download Sync (500 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
VolumeID v2.1
Article • 06/07/2023

By Mark Russinovich

Published: July 4, 2016

Download VolumeID (194 KB)

Introduction
While Windows NT/2000 and Windows 95 and 98's built-in Label utility lets you change
the labels of disk volumes, it does not provide any means for changing volume ids. This
utility, VolumeID, allows you to change the ids of FAT and NTFS disks (floppies or hard
drives).

Usage: volumeid <driveletter:> xxxx-xxxx

This is a command-line program that you must run from a command-prompt window.

Note that changes on NTFS volumes won't be visible until the next reboot. In addition,
you should shut down any applications you have running before changing a volume id.
NT may become confused and think that the media (disk) has changed after a FAT
volume id has changed and pop up messages indicating that you should reinsert the
original disk (!). It may then fail the disk requests of applications using those drives.

Download VolumeID (194 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
Sysinternals Networking Utilities
Article • 03/23/2021

AD Explorer
Active Directory Explorer is an advanced Active Directory (AD) viewer and editor.

AD Insight
AD Insight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool
aimed at troubleshooting Active Directory client applications.

AdRestore
Undelete Server 2003 Active Directory objects.

PipeList
Displays the named pipes on your system, including the number of maximum instances
and active instances for each pipe.

PsFile
See what files are opened remotely.

PsPing
Measures network performance.

ShareEnum
Scan file shares on your network and view their security settings to close security holes.

TCPView
Active socket command-line viewer.

Whois
See who owns an Internet address.
Active Directory Explorer v1.52
Article • 11/28/2022

By Mark Russinovich

Published: November 28, 2022

Download AdExplorer (1.1 MB)

Run now from Sysinternals Live .

Introduction
Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and
editor. You can use AD Explorer to easily navigate an AD database, define favorite
locations, view object properties and attributes without having to open dialog boxes,
edit permissions, view an object's schema, and execute sophisticated searches that you
can save and re-execute.

AD Explorer also includes the ability to save snapshots of an AD database for off-line
viewing and comparisons. When you load a saved snapshot, you can navigate and
explore it as you would a live database. If you have two snapshots of an AD database
you can use AD Explorer's comparison functionality to see what objects, attributes and
security permissions changed between them.

Download AdExplorer (1.1 MB)

Run now from Sysinternals Live .

Insight for Active Directory v1.2
Article • 03/23/2021

By Mark Russinovich

Published: October 26, 2015

Download AdInsight (3.3 MB)

Run now from Sysinternals Live .

Introduction
ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool
aimed at troubleshooting Active Directory client applications. Use its detailed tracing of
Active Directory client-server communications to solve Windows authentication,
Exchange, DNS, and other problems.

ADInsight uses DLL injection techniques to intercept calls that applications make in the
Wldap32.dll library, which is the standard library underlying Active Directory APIs such
ldap and ADSI. Unlike network monitoring tools, ADInsight intercepts and interprets all
client-side APIs, including those that do not result in transmission to a server. ADInsight
monitors any process into which it can load it’s tracing DLL, which means that it does
not require administrative permissions, however, if run with administrative rights, it will
also monitor system processes, including windows services.

Download AdInsight (3.3 MB)

Run now from Sysinternals Live .

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.

Related Links
The Sysinternals AdRestore utility enables you to restore deleted objects on Windows
Server 2003 domains.

AD Explorer is an advanced Active Directory (AD) viewer and editor.

AdRestore v1.2
Article • 03/23/2021

By Mark Russinovich

Published: November 25, 2020

Download AdRestore (512 KB)

Introduction
Windows Server 2003 introduces the ability to restore deleted ("tombstoned") objects.
This simple command-line utility enumerates the deleted objects in a domain and gives
you the option of restoring each one. Source code is based on sample code in the
Microsoft Platform SDK. This MS KB article describes the use of AdRestore:

840001: How to restore deleted user accounts and their group memberships in Active
Directory

Download AdRestore 512 KB)

PipeList v1.02
Article • 03/23/2021

Published: July 4, 2016

Download PipeList (496 KB)

Introduction
Did you know that the device driver that implements named pipes is actually a file
system driver? In fact, the driver's name is NPFS.SYS, for "Named Pipe File System".
What you might also find surprising is that its possible to obtain a directory listing of the
named pipes defined on a system. This fact is not documented, nor is it possible to do
this using the Win32 API. Directly using NtQueryDirectoryFile, the native function that
the Win32 FindFile APIs rely on, makes it possible to list the pipes. The directory listing
NPFS returns also indicates the maximum number of pipe instances set for each pipe
and the number of active instances.

Download PipeList (496 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
PsFile v1.04
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
The "net file" command shows you a list of the files that other computers have opened
on the system upon which you execute the command, however it truncates long path
names and doesn't let you see that information for remote systems. PsFile is a
command-line utility that shows a list of files on a system that are opened remotely, and
it also allows you to close opened files either by name or by a file identifier.

Installation
Just copy PsFile onto your executable path, and type "psfile".

Using PsFile
The default behavior of PsFile is to list the files on the local system that are open by
remote systems. Typing a command followed by "- " displays information on the syntax
for the command.

Usage: psfile [\\RemoteComputer [-u Username [-p Password]]] [[Id | path] [-c]]

Parameter Description

-u Specifies optional user name for login to remote computer.

-p Specifies password for user name. If this is omitted, you will be prompted to enter
the password without it being echoed to the screen.

Id Identifier (as assigned by PsFile) of the file for which to display information or to
close.

Path Full or partial path of files to match for information display or close.

-c Closes the files identifed by ID or path.

How it Works
PsFile uses the NET API, which is documented in the Platform SDK.

Download PsTools (5 MB)

PsTools

PsFile is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsPing v2.12
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
PsPing implements Ping functionality, TCP ping, latency and bandwidth measurement.
Use the following command-line options to show the usage for each test type:

Installation
Copy PsPing onto your executable path. Typing "psping" displays its usage syntax.

Using PsPing
PsPing implements Ping functionality, TCP ping, latency and bandwidth measurement.
Use the following command-line options to show the usage for each test type:

Usage:

Windows Command Prompt

psping -? [i|t|l|b\]

Parameter Description

-? I Usage for ICMP ping.

-? T Usage for TCP ping.

-? L Usage for latency test.

-? B Usage for bandwidth test.

ICMP ping usage:

Windows Command Prompt

psping [[-6]|[-4]] [-h [buckets | <val1>,<val2>,...]] [-i <interval>] [-l
<requestsize>[k|m] [-q] [-t|-n <count>] [-w <count>] <destination>

Parameter Description

-h Print histogram (default bucket count is 20).

If you specify a single argument, it's interpreted as a bucket count and the
histogram will contain that number of buckets covering the entire time range of
values. Specify a comma-separated list of times to create a custom histogram (e.g.
"0.01,0.05,1,5,10").

-i Interval in seconds. Specify 0 for fast ping.

-l Request size. Append 'k' for kilobytes and 'm' for megabytes.

-n Number of pings or append 's' to specify seconds e.g. '10s'.

-q Don't output during pings.

-t Ping until stopped with Ctrl+C and type Ctrl+Break for statistics.

-w Warmup with the specified number of iterations (default is 1).

-4 Force using IPv4.

-6 Force using IPv6.

For high-speed ping tests use -q and -i 0.

TCP ping usage:

Windows Command Prompt

psping [[-6]|[-4]] [-h [buckets | <val1>,<val2>,...]] [-i <interval>] [-l

Parameter Description

-h Print histogram (default bucket count is 20).

-i Interval in seconds. Specify 0 for fast ping.

-l Request size. Append 'k' for kilobytes and 'm' for megabytes.
Parameter Description

-n Number of pings or append 's' to specify seconds e.g. '10s'.

-q Don't output during pings.

-t Ping until stopped with Ctrl+C and type Ctrl+Break for statistics.

-w Warmup with the specified number of iterations (default is 1).

-4 Force using IPv4.

-6 Force using IPv6.

For high-speed ping tests use -q and -i 0.

TCP and UDP latency usage:

server:

Windows Command Prompt

psping [[-6]|[-4]] [-f] <-s source:sourceport>

client:

Windows Command Prompt

psping [[-6]|[-4]] [-f] [-u] [-h [buckets | <val1>,<val2>,...]] [-r] <-l

requestsize>[k|m]] <-n count> [-w <count>] <destination:destport>

Parameter Description

-f Open source firewall port during the run.

-u UDP (default is TCP).

-h Print histogram (default bucket count is 20).

-l Request size. Append 'k' for kilobytes and 'm' for megabytes.

-n Number of sends/receives. Append 's' to specify seconds e.g. '10s'

-r Receive from the server instead of sending.

Parameter Description

-w Warmup with the specified number of iterations (default is 5).

-4 Force using IPv4.

-6 Force using IPv6.

-s Server listening address and port.

The server can serve both latency and bandwidth tests and remains active until you
terminate it with Control-C.

TCP and UDP bandwidth usage:

server:

Windows Command Prompt

psping [[-6]|[-4]] [-f] <-s source:sourceport>

client:

Windows Command Prompt

psping [-b] [[-6]|[-4]] [-f] [-u] [-h [buckets | <val1>,<val2>,...]] [-r] <-
l requestsize>[k|m]] <-n count> [-i <outstanding>] [-w <count>]
<destination:destport>

Parameter Description

-f Open source firewall port during the run.

-u UDP (default is TCP).

-b Bandwidth test.

-h Print histogram (default bucket count is 20).

-i Number of outstanding I/Os (default is min of 16 and 2x CPU cores).

-l Request size. Append 'k' for kilobytes and 'm' for megabytes.

-n Number of sends/receives. Append 's' to specify seconds e.g. '10s'

Parameter Description

-r Receive from the server instead of sending.

-w Warmup for the specified iterations (default is 2x CPU cores).

-4 Force using IPv4.

-6 Force using IPv6.

-s Server listening address and port.

The server can serve both latency and bandwidth tests and remains active until you
terminate it with Control-C.

Examples
This command executes an ICMP ping test for 10 iterations with 3 warmup iterations:

Windows Command Prompt

psping -n 10 -w 3 marklap

To execute a TCP connect test, specify the port number. The following command
executes connect attempts against the target as quickly as possible, only printing a
summary when finished with the 100 iterations and 1 warmup iteration:

Windows Command Prompt

psping -n 100 -i 0 -q marklap:80

To configure a server for latency and bandwidth tests, simply specify the -s option and
the source address and port the server will bind to:

Windows Command Prompt

psping -s 192.168.2.2:5000

A buffer size is required to perform a TCP latency test. This example measures the round
trip latency of sending an 8KB packet to the target server, printing a histogram with 100
buckets when completed:

Windows Command Prompt

psping -l 8k -n 10000 -h 100 192.168.2.2:5000

This command tests bandwidth to a PsPing server listening at the target IP address for
10 seconds and produces a histogram with 100 buckets. Note that the test must run for
at least one second after warmup for a histogram to generate. Simply add -u to have
PsPing perform a UDP bandwidth test.

Windows Command Prompt

psping -b -l 8k -n 10000 -h 100 192.168.2.2:5000

Download PsTools (5 MB)

PsTools

PsPing is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
ShareEnum v1.61
Article • 10/12/2021

By Mark Russinovich

Published: October 12, 2021

Download ShareEnum (483 KB)

Run now from Sysinternals Live .

Introduction
An aspect of Windows NT/2000/XP network security that's often overlooked is file
shares. A common security flaw occurs when users define file shares with lax security,
allowing unauthorized users to see sensitive files. There are no built-in tools to list
shares viewable on a network and their security settings, but ShareEnum fills the void
and allows you to lock down file shares in your network.

When you run ShareEnum it uses NetBIOS enumeration to scan all the computers within
the domains accessible to it, showing file and print shares and their security settings.
Because only a domain administrator has the ability to view all network resources,
ShareEnum is most effective when you run it from a domain administrator account.

How It Works
ShareEnum uses WNetEnumResource to enumerate domains and the computers within
them and NetShareEnum to enumerate shares on computers.

Download ShareEnum (483 KB)

Run now from Sysinternals Live .

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
TCPView v4.19
Article • 04/11/2023

By Mark Russinovich

Published: April 11, 2023

Download TCPView (1.5 MB)

Run now from Sysinternals Live .

Introduction
TCPView is a Windows program that will show you detailed listings of all TCP and UDP
endpoints on your system, including the local and remote addresses and state of TCP
connections. On Windows Server 2008, Vista, and XP, TCPView also reports the name of
the process that owns the endpoint. TCPView provides a more informative and
conveniently presented subset of the Netstat program that ships with Windows. The
TCPView download includes Tcpvcon, a command-line version with the same
functionality.

Using TCPView
When you start TCPView it will enumerate all active TCP and UDP endpoints, resolving
all IP addresses to their domain name versions. You can use a toolbar button or menu
item to toggle the display of resolved names. TCPView shows the name of the process
that owns each endpoint, including the service name (if any).

By default, TCPView updates every second, but you can use the Options|Refresh Rate
menu item to change the rate. Endpoints that change state from one update to the next
are highlighted in yellow; those that are deleted are shown in red, and new endpoints
are shown in green.

You can close established TCP/IP connections (those labeled with a state of
ESTABLISHED) by selecting File|Close Connections, or by right-clicking on a connection
and choosing Close Connections from the resulting context menu.

You can save TCPView's output window to a file using the Save menu item.

Using Tcpvcon
Tcpvcon usage is similar to that of the built-in Windows netstat utility:

Usage:

Shell

tcpvcon [-a] [-c] [-n] [process name or PID]

Parameter Description

-a Show all endpoints (default is to show established TCP connections).

-c Print output as CSV.

-n Don't resolve addresses.

Download TCPView (1.5 MB)

Run now from Sysinternals Live .

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
Whois v1.21
Article • 03/23/2021

By Mark Russinovich

Published: December 11, 2019

Download Whois (585 KB)

Introduction
Whois performs the registration record for the domain name or IP address that you
specify.

Usage
Usage: whois [-v] domainname [whois.server]

Parameter Description

-v Print whois information for referrals

Domainname can be either a DNS name (e.g. www.sysinternals.com ) or IP address

(e.g. 66.193.254.46).

Download Whois (585 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
Sysinternals Process Utilities
Article • 03/23/2021

Autoruns
See what programs are configured to startup automatically when your system boots and
you login. Autoruns also shows you the full list of Registry and file locations where
applications can configure auto-start settings.

Handle
This handy command-line utility will show you what files are open by which processes,
and much more.

ListDLLs
List all the DLLs that are currently loaded, including where they are loaded and their
version numbers. Version 2.0 prints the full path names of loaded modules.

PortMon
Monitor serial and parallel port activity with this advanced monitoring tool. It knows
about all standard serial and parallel IOCTLs and even shows you a portion of the data
being sent and received. Version 3.x has powerful new UI enhancements and advanced
filtering capabilities.

ProcDump
This new command-line utility is aimed at capturing process dumps of otherwise
difficult to isolate and reproduce CPU spikes. It also serves as a general process dump
creation utility and can also monitor and generate process dumps when a process has a
hung window or unhandled exception.

Process Explorer
Find out what files, registry keys and other objects processes have open, which DLLs
they have loaded, and more. This uniquely powerful utility will even show you who owns
each process.

Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time.

PsExec
Execute processes remotely.

PsGetSid
Displays the SID of a computer or a user.
PsKill
Terminate local or remote processes.

PsList
Show information about processes and threads.

PsService
View and control services.

PsSuspend
Suspend and resume processes.

ShellRunas
Launch programs as a different user via a convenient shell context-menu entry.

VMMap
See a breakdown of a process's committed virtual memory types as well as the amount
of physical memory (working set) assigned by the operating system to those types.
Identify the sources of process memory usage and the memory cost of application
features.
Autoruns for Windows v14.11
Article • 02/06/2024

By Mark Russinovich

Published: February 6, 2024

Download Autoruns and Autorunsc (2.8 MB)

Run now from Sysinternals Live .

https://www.microsoft.com/en-us/videoplayer/embed/RW14GhU?
autoplay=true&loop=true&controls=false&postJsllMsg=true

Created with ZoomIt

Introduction
This utility, which has the most comprehensive knowledge of auto-starting locations of
any startup monitor, shows you what programs are configured to run during system
bootup or login, and when you start various built-in Windows applications like Internet
Explorer, Explorer and media players. These programs and drivers include ones in your
startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell
extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services,
and much more. Autoruns goes way beyond other autostart utilities.

Autoruns' Hide Signed Microsoft Entries option helps you to zoom in on third-party
auto-starting images that have been added to your system and it has support for
looking at the auto-starting images configured for other accounts configured on a
system. Also included in the download package is a command-line equivalent that can
output in CSV format, Autorunsc.

You'll probably be surprised at how many executables are launched automatically!

Usage
Simply run Autoruns and it shows you the currently configured auto-start applications as
well as the full list of Registry and file system locations available for auto-start
configuration. Autostart locations displayed by Autoruns include logon entries, Explorer
add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit
DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services
and Winsock Layered Service Providers, media codecs, and more. Switch tabs to view
autostarts from different categories.

To view the properties of an executable configured to run automatically, select it and

use the Properties menu item or toolbar button. If Process Explorer is running and there
is an active process executing the selected executable then the Process Explorer menu
item in the Entry menu will open the process properties dialog box for the process
executing the selected image.

Navigate to the Registry or file system location displayed or the configuration of an

auto-start item by selecting the item and using the Jump to Entry menu item or toolbar
button, and navigate to the location of an autostart image.

To disable an auto-start entry uncheck its check box. To delete an auto-start

configuration entry use the Delete menu item or toolbar button.

The Options menu includes several display filtering options, such as only showing non-
Windows entries, as well as access to a scan options dialog from where you can enable
signature verification and Virus Total hash and file submission.

Select entries in the User menu to view auto-starting images for different user accounts.

More information on display options and additional information is available in the on-
line help.

Autorunsc Usage
Autorunsc is the command-line version of Autoruns. Its usage syntax is:

Usage: autorunsc [-a <*|bdeghiklmoprsw>] [-c|-ct] [-h] [-m] [-s] [-u] [-vt] [[-z ] |
[user]]]

ﾉ Expand table

Parameter Description

-a Autostart entry selection:

* All.

b Boot execute.

d Appinit DLLs.

e Explorer addons.
Parameter Description

g Sidebar gadgets (Vista and higher)

h Image hijacks.

i Internet Explorer addons.

k Known DLLs.

l Logon startups (this is the default).

m WMI entries.

n Winsock protocol and network providers.

o Codecs.

p Printer monitor DLLs.

r LSA security providers.

s Autostart services and non-disabled drivers.

t Scheduled tasks.

w Winlogon entries.

-c Print output as CSV.

-ct Print output as tab-delimited values.

-h Show file hashes.

-m Hide Microsoft entries (signed entries if used with -v).

-s Verify digital signatures.

-t Show timestamps in normalized UTC (YYYYMMDD-hhmmss).

-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have
non-zero detection, otherwise show only unsigned files.

-x Print output as XML.

-v[rs] Query VirusTotal for malware based on file hash. Add 'r' to open reports for files
with non-zero detection. Files reported as not previously scanned will be uploaded
to VirusTotal if the 's' option is specified. Note scan results may not be available for
five or more minutes.

-vt Before using VirusTotal features, you must accept the VirusTotal terms of service . If
you haven't accepted the terms and you omit this option, you will be interactively
prompted.
Parameter Description

-z Specifies the offline Windows system to scan.

user Specifies the name of the user account for which autorun items will be shown.
Specify '*' to scan all user profiles.

Related Links
Windows Internals Book The official updates and errata page for the definitive
book on Windows internals, by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference The official guide to the
Sysinternals utilities by Mark Russinovich and Aaron Margosis, including
descriptions of all the tools, their features, how to use them for troubleshooting,
and example real-world cases of their use.

Download
Download Autoruns and Autorunsc (2.8 MB)
Run now from Sysinternals Live .
Handle v5.0
Article • 10/26/2022

By Mark Russinovich

Published: October 26, 2022

Download Handle (729 KB)

Introduction
Ever wondered which program has a particular file or directory open? Now you can find
out. Handle is a utility that displays information about open handles for any process in
the system. You can use it to see the programs that have a file open, or to see the object
types and names of all the handles of a program.

You can also get a GUI-based version of this program, Process Explorer, here at
Sysinternals.

Installation
You run Handle by typing "handle". You must have administrative privilege to run
Handle.

Usage
Handle is targeted at searching for open file references, so if you do not specify any
command-line parameters it will list the values of all the handles in the system that refer
to open files and the names of the files. It also takes several parameters that modify this
behavior.

usage: handle [[-a [-l]] [-v|-vt] [-u] | [-c <handle> [-y]] | [-s]] [-p <process>|
<pid>] [name]

Parameter Description

-a Dump information about all types of handles, not just those that refer to files. Other
types include ports, Registry keys, synchronization primitives, threads, and
processes.

-l Just show pagefile-backed section handles.

Parameter Description

-c Closes the specified handle (interpreted as a hexadecimal number). You must specify
the process by its PID.
WARNING: Closing handles can cause application or system instability.

-g Print granted access.

-y Don't prompt for close handle confirmation.

-s Print count of each type of handle open.

-u Show the owning user name when searching for handles.

-v CSV output with comma delimiter.

-vt CSV output with tab delimiter.

-p Instead of examining all the handles in the system, this parameter narrows Handle's
scan to those processes that begin with the name process. Thus:
handle -p exp
would dump the open files for all processes that start with "exp", which would
include Explorer.

name This parameter is present so that you can direct Handle to search for references to
an object with a particular name.
For example, if you wanted to know which process (if any) has
"c:\windows\system32" open you could type:
handle windows\system
The name match is case-insensitive and the fragment specified can be anywhere in
the paths you are interested in.

Handle Output
When not in search mode (enabled by specifying a name fragment as a parameter),
Handle divides its output into sections for each process it is printing handle information
for. Dashed lines are used as a separator, immediately below which you will see the
process name and its process id (PID). Beneath the process name are listed handle
values (in hexadecimal), the type of object the handle is associated with, and the name
of the object if it has one.

When in search mode, Handle prints the process names and id's are listed on the left
side and the names of the objects that had a match are on the right.

More Information
You can find more information on the Object Manager in Windows Internals, 4th Edition
or by browsing the Object Manager name-space with WinObj.

Download Handle (729 KB)

ListDLLs v3.2
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download ListDLLs (307 KB)

Introduction
ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all
DLLs loaded into all processes, into a specific process, or to list the processes that have a
particular DLL loaded. ListDLLs can also display full version information for DLLs,
including their digital signature, and can be used to scan processes for unsigned DLLs.

Usage
listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]

Parameter Description

processname Dump DLLs loaded by process (partial name accepted).

pid Dump DLLs associated with the specified process id.

dllname Show only processes that have loaded the specified DLL.

-r Flag DLLs that relocated because they are not loaded at their base address.

-u Only list unsigned DLLs.

-v Show DLL version information.

Examples
List the DLLs loaded into Outlook.exe, including their version information:

listdlls -v outlook

List any unsigned DLLs loaded into any process:

listdlls -u

Show processes that have loaded MSO.DLL:

listdlls -d mso.dll

Download ListDLLs (307 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
Portmon for Windows v3.03
Article • 07/19/2022

By Mark Russinovich

Published: January 12, 2012

Download Portmon (226 KB)

Run now from Sysinternals Live .

Introduction
Portmon is a utility that monitors and displays all serial and parallel port activity on a
system. It has advanced filtering and search capabilities that make it a powerful tool for
exploring the way Windows works, seeing how applications use ports, or tracking down
problems in system or application configurations.

Portmon 3.x
Version 3.x of Portmon marks the introduction of a number of powerful features.

Remote monitoring: Capture kernel-mode and/or Win32 debug output from any
computer accessible via TCP/IP - even across the Internet. You can monitor
multiple remote computers simultaneously. Portmon will even install its client
software itself if you are running it on a Windows NT/2K system and are capturing
from another Windows NT/2K system in the same Network Neighborhood.
Most-recent-filter lists:Portmon has been extended with powerful filtering
capabilities and it remembers your most recent filter selections, with an interface
that makes it easy to reselect them.
Clipboard copy: Select multiple lines in the output window and copy their contents
to the clipboard.
Highlighting: Highlight debug output that matches your highlighting filter, and
even customize the highlighting colors.
Log-to-file: Write debug output to a file as its being captured.
Printing: Print all or part of captured debug output to a printer.
One-file payload:Portmon is now implemented as one file.

The on-line help-file describes all these features, and more, in detail.
Installation and Use
Simply execute the Portmon program file (portmon.exe) and Portmon will immediately
start capturing debug output. To run Portmon on Windows 95 you must get the
WinSock2 update from Microsoft. Note that if you run Portmon on Windows NT/2K
portmon.exe must be located on a non-network drive and you must have administrative
privilege. Menus, hot-keys, or toolbar buttons can be used to clear the window, save the
monitored data to a file, search output, change the window font, and more. The on-line
help describes all of Portmon's features.

Portmon understands all serial and parallel port I/O control (IOCTLs) commands and will
display them along with interesting information regarding their associated parameters.
For read and write requests Portmon displays the first several dozen bytes of the buffer,
using '.' to represent non-printable characters. The Show Hex menu option lets you
toggle between ASCII and raw hex output of buffer data.

How it Works: WinNT

The Portmon GUI is responsible for identifying serial and parallel ports. It does so by
enumerating the serial ports that are configured under
HKEY_LOCAL_MACHINE\Hardware\DeviceMap\SerialComm and the parallel ports
defined under HKEY_LOCAL_MACHINE\Hardware\DeviceMap\Parallel Ports. These keys
contain the mappings between serial and parallel port device names and the Win32-
accessible names.

When you select a port to monitor, Portmon sends a request to its device driver that
includes the NT name (e.g. \device\serial0) that you are interested in. The driver uses
standard filtering APIs to attach its own filter device object to the target device object.
First, it uses ZwCreateFile to open the target device. Then it translates the handle it
receives back from ZwCreateFile to a device object pointer. After creating its own filter
device object that matches the characteristics of the target, the driver calls
IoAttachDeviceByPointer to establish the filter. From that point on the Portmon driver
will see all requests aimed at the target device.

Portmon has built-in knowledge of all standard serial and parallel port IOCTLs, which are
the primary way that applications and drivers configure and read status information
from ports. The IOCTLs are defined in the DDK file \ddk\src\comm\inc\ntddser.h and
\ddk\src\comm\inc\ntddpar.h, and some are documented in the DDK.

How it Works: Windows 95 and 98

On Windows 95 and 98, the Portmon GUI relies on a dynamically loaded VxD to capture
serial and parallel activity. The Windows VCOMM (Virtual Communications) device driver
serves as the interface to parallel and serial devices, so applications that access ports
indirectly use its services. The Portmon VxD uses standard VxD service hooking to
intercept all accesses to VCOMM's functions. Like its NT device driver, Portmon's VxD
interprets requests to display them in a friendly format. On Windows 95 and 98 Portmon
monitors all ports so there is no port selection like on NT.

Download Portmon (226 KB)

Run now from Sysinternals Live .

ProcDump v11.0
Article • 12/12/2022

By Mark Russinovich and Andrew Richards

Published: 11/03/2022

Download ProcDump (714 KB)

Download ProcDump for Linux (GitHub)

https://www.microsoft.com/en-us/videoplayer/embed/RE591St?
autoplay=true&loop=true&controls=false&postJsllMsg=true

Created with ZoomIt

Introduction
ProcDump is a command-line utility whose primary purpose is monitoring an
application for CPU spikes and generating crash dumps during a spike that an
administrator or developer can use to determine the cause of the spike. ProcDump also
includes hung window monitoring (using the same definition of a window hang that
Windows and Task Manager use), unhandled exception monitoring and can generate
dumps based on the values of system performance counters. It also can serve as a
general process dump utility that you can embed in other scripts.

Using ProcDump
Capture Usage:

Windows Command Prompt

procdump.exe [-mm] [-ma] [-mt] [-mp] [-mc <Mask>] [-md <Callback_DLL>] [-mk]
[-n <Count>]
[-s <Seconds>]
[-c|-cl <CPU_Usage> [-u]]
[-m|-ml <Commit_Usage>]
[-p|-pl <Counter> <Threshold>]
[-h]
[-e [1] [-g] [-b] [-ld] [-ud] [-ct] [-et]]
[-l]
[-t]
[-f <Include_Filter>, ...]
[-fx <Exclude_Filter>, ...]
[-dc <Comment>]
[-o]
[-r [1..5] [-a]]
[-at <Timeout>]
[-wer]
[-64]
{
{{[-w] <Process_Name> | <Service_Name> | <PID>} [<Dump_File>
| <Dump_Folder>]}
|
{-x <Dump_Folder> <Image_File> [Argument, ...]}
}

Install Usage:

Windows Command Prompt

procdump.exe -i [Dump_Folder]
[-mm] [-ma] [-mt] [-mp] [-mc <Mask>] [-md <Callback_DLL>] [-mk]
[-r]
[-at <Timeout>]
[-k]
[-wer]

Uninstall Usage:

Windows Command Prompt

procdump.exe -u

Dump Types:

Dump Description
Type

-mm Write a 'Mini' dump file. (default)

- Includes directly and indirectly referenced memory (stacks and what they reference).
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).

-ma Write a 'Full' dump file.

- Includes all memory (Image, Mapped and Private).
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).

-mt Write a 'Triage' dump file.

- Includes directly referenced memory (stacks).
- Includes limited metadata (Process, Thread, Module and Handle).
- Removal of sensitive information is attempted but not guaranteed.
Dump Description
Type

-mp Write a 'MiniPlus' dump file.

- Includes all Private memory and all Read/Write Image or Mapped memory.
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).
- To minimize size, the largest Private memory area over 512MB is excluded.
A memory area is defined as the sum of same-sized memory allocations.
The dump is as detailed as a Full dump but 10%-75% the size.
- Note: CLR processes are dumped as Full (-ma) due to debugging limitations.

-mc Write a 'Custom' dump file.

- Includes the memory and metadata defined by the specified MINIDUMP_TYPE mask
(Hex).

-md Write a 'Callback' dump file.

- Includes the memory defined by the MiniDumpWriteDump callback routine named
MiniDumpCallbackRoutine of the specified DLL.
- Includes all metadata (Process, Thread, Module, Handle, Address Space, etc.).

-mk Also write a 'Kernel' dump file.

- Includes the kernel stacks of the threads in the process.
- OS doesn't support a kernel dump ( -mk ) when using a clone ( -r ).
- When using multiple dump sizes, a kernel dump is taken for each dump size.

Conditions:

Condition Description

-a Avoid outage. Requires -r . If the trigger will cause the target to suspend for a
prolonged time due to an exceeded concurrent dump limit, the trigger will be
skipped.

-at Avoid outage at Timeout. Cancel the trigger's collection at N seconds.

-b Treat debug breakpoints as exceptions (otherwise ignore them).

-c CPU threshold above which to create a dump of the process.

-cl CPU threshold below which to create a dump of the process.

-dc Add the specified string to the generated Dump Comment.

-e Write a dump when the process encounters an unhandled exception.

Include the 1 to create dump on first chance exceptions.
Add -ld to create a dump when a DLL (module) is loaded (filtering applies).
Add -ud to create a dump when a DLL (module) is unloaded (filtering applies).
Add -ct to create a dump when a thread is created.
Add -et to create a dump when a thread exits.
Condition Description

-f Filter (include) on the content of exceptions, debug logging and filename at DLL
load/unload. Wildcards (*) are supported.

-fx Filter (exclude) on the content of exceptions, debug logging and filename at DLL
load/unload. Wildcards (*) are supported.

-g Run as a native debugger in a managed process (no interop).

-h Write dump if process has a hung window (does not respond to window messages
for at least 5 seconds).

-k Kill the process after cloning ( -r ), or at end of dump collection.

-l Display the debug logging of the process.

-m Memory commit threshold in MB at which to create a dump.

-ml Trigger when memory commit drops below specified MB value.

-n Number of dumps to write before exiting.

-o Overwrite an existing dump file.

-p Trigger when the Performance Counter is at, or exceeds, the specified Threshold.
Some Counters and/or Instance Names can be case-sensitive.

-pl Trigger when the Performance Counter falls below the specified Threshold.

-r Dump using a clone. Concurrent limit is optional (default 1, max 5). OS doesn't
support a kernel dump ( -mk ) when using a clone ( -r ). CAUTION: a high concurrency
value may impact system performance.
- Windows 7: Uses Reflection. OS doesn't support -e .
- Windows 8.0: Uses Reflection. OS doesn't support -e .
- Windows 8.1+: Uses PSS. All trigger types are supported.

-s Consecutive seconds before dump is written (default is 10).

-t Write a dump when the process terminates.

-u Treat CPU usage relative to a single core (used with -c ).

-v DEBUG ONLY: Verbose output.

-w Wait for the specified process to launch if it's not running.

-wer Queue the (largest) dump to Windows Error Reporting.

-x Launch the specified image with optional arguments. If it is a Store Application or

Package, ProcDump will start on the next activation (only).
Condition Description

-y HIDDEN: Store Application activation.

-64 By default ProcDump will capture a 32-bit dump of a 32-bit process when running
on 64-bit Windows. This option overrides to create a 64-bit dump. Only use for
WOW64 subsystem debugging.

License Agreement:

Use the -accepteula command line option to automatically accept the Sysinternals
license agreement.

Automated Termination:

-cancel <Target Process PID>

Using this option or setting an event with the name ProcDump-<PID> is the same as
typing Ctrl+C to gracefully terminate ProcDump. Graceful termination ensures the
process is resumed if a capture is active. The cancellation applies to ALL ProcDump
instances monitoring the process.

Filename:

Default dump filename: PROCESSNAME_YYMMDD_HHMMSS.dmp

The following substitutions are supported:

Substitution Explanation

PROCESSNAME Process Name

PID Process ID

EXCEPTIONCODE Exception Code

YYMMDD Year/Month/Day

HHMMSS Hour/Minute/Second

Examples
Write a mini dump of a process named 'notepad' (only one match can exist):

Windows Command Prompt

C:\>procdump notepad
Write a Full dump of a process with PID '4572':

Windows Command Prompt

C:\>procdump -ma 4572

Write a Mini first, and then a Full dump of a process with PID '4572':

Windows Command Prompt

C:\>procdump -mm -ma 4572

Write 3 Mini dumps 5 seconds apart of a process named 'notepad':

Windows Command Prompt

C:\>procdump -n 3 -s 5 notepad

Write up to 3 Mini dumps of a process named 'consume' when it exceeds 20% CPU
usage for five seconds:

Windows Command Prompt

C:\>procdump -n 3 -s 5 -c 20 consume

Write a Mini dump for a process named 'hang.exe' when one of its windows is
unresponsive for more than 5 seconds:

Windows Command Prompt

C:\>procdump -h hang.exe

Write a Full and Kernel dump for a process named 'hang.exe' when one of its
windows is unresponsive for more than 5 seconds:

Windows Command Prompt

C:\>procdump -ma -mk -h hang.exe

Write a Mini dump of a process named 'outlook' when total system CPU usage
exceeds 20% for 10 seconds:
Windows Command Prompt

C:\>procdump outlook -s 10 -p "\Processor(_Total)\% Processor Time" 20

Write a Full dump of a process named 'outlook' when Outlook's handle count
exceeds 10,000:

Windows Command Prompt

C:\>procdump -ma outlook -p "\Process(Outlook)\Handle Count" 10000

Write a Full dump of 'svchost' PID 1234, Instance #87, when the handle count
exceeds 10,000:

Windows Command Prompt

C:\>procdump -ma 1234 -p "\Process(svchost#87)\Handle Count" 10000

Note: Multiple Instance Counters

If there are multiple instances of the counter, you'll need to include the Name
and/or Instance number.

txt

\Processor(NNN)\% Processor Time

\Thermal Zone Information(<name>)\Temperature
\Process(<name>[#NNN])\<counter>

Older OSes require you to append the PID for \Process counters.

txt

\Process(<name>[_PID])\<counter>

Tip: Use Performance Monitor to view the counters (esp. case sensitivity).
Tip: For \Process(*) based counters, use PowerShell to map a PID to its #NNN .

pwsh

Get-Counter -Counter "\Process(*)\ID Process"

Write a Full dump for a 2nd chance exception:

Windows Command Prompt

C:\>procdump -ma -e w3wp.exe

Write a Full dump for a 1st or 2nd chance exception:

Windows Command Prompt

C:\>procdump -ma -e 1 w3wp.exe

Write a Full dump for a debug string message:

Windows Command Prompt

C:\>procdump -ma -l w3wp.exe

Write up to 10 Full dumps of each 1st or 2nd chance exception of w3wp.exe:

Windows Command Prompt

C:\>procdump -ma -n 10 -e 1 w3wp.exe

Write up to 10 Full dumps if an exception's code/name/msg contains ' NotFound ':

Windows Command Prompt

C:\>procdump -ma -n 10 -e 1 -f NotFound w3wp.exe

Write up to 10 Full dumps if a debug string message contains ' NotFound ':

Windows Command Prompt

C:\>procdump -ma -n 10 -l -f NotFound w3wp.exe

Wait for a process called 'notepad' (and monitor it for exceptions):

Windows Command Prompt

C:\>procdump -e -w notepad

Launch a process called 'notepad' (and monitor it for exceptions):

Windows Command Prompt

C:\>procdump -e -x c:\dumps notepad

Register for launch, and attempt to activate, a store 'application'. A new ProcDump
instance will start when it is activated:

Windows Command Prompt

C:\>procdump -e -x c:\dumps Microsoft.BingMaps_8wekyb3d8bbwe!AppexMaps

Windows Command Prompt

C:\>procdump -e -x c:\dumps
Microsoft.BingMaps_1.2.0.136_x64__8wekyb3d8bbwe

Write a MiniPlus dump of the Microsoft Exchange Information Store when it has an
unhandled exception:

Windows Command Prompt

C:\>procdump -mp -e store.exe

Display without writing a dump, the exception codes/names of w3wp.exe:

Windows Command Prompt

C:\>procdump -e 1 -f "" w3wp.exe

Windows 7/8.0; Use Reflection to reduce outage for 5 consecutive triggers:

Windows Command Prompt

C:\>procdump -r -ma -n 5 -s 15 wmplayer.exe

Windows 8.1+; Use PSS to reduce outage for 5 concurrent triggers:

Windows Command Prompt

C:\>procdump -r 5 -ma -n 5 -s 15 wmplayer.exe

Install ProcDump as the (AeDebug) postmortem debugger:

Windows Command Prompt

C:\>procdump -ma -i c:\dumps

..or..

Windows Command Prompt

C:\Dumps>procdump -ma -i

Uninstall ProcDump as the (AeDebug) postmortem debugger:

Windows Command Prompt

C:\>procdump -u

See a list of example command lines (the examples are listed above):

Windows Command Prompt

C:\>procdump -? -e

Download ProcDump (714 KB)

Download ProcDump for Linux (GitHub)

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.

Learn More
Defrag Tools: #9 - ProcDump This episode of Defrag Tools covers what the tool
captures and expected outage durations
Defrag Tools: #10 - ProcDump - Triggers This episode covers trigger options in
particular 1st & 2nd chance exceptions
Defrag Tools: #11 - ProcDump - Windows 8 & Process Monitor This episode covers
modern application support and Process Monitor logging support
Process Explorer v17.06
Article • 05/28/2024

By Mark Russinovich

Published: May 28, 2024

Download Process Explorer (3.3 MB)

Run now from Sysinternals Live .

https://www.microsoft.com/en-us/videoplayer/embed/RE5d5Rd?
autoplay=true&loop=true&controls=false&postJsllMsg=true

Created with ZoomIt

Introduction
Ever wondered which program has a particular file or directory open? Now you can find
out. Process Explorer shows you information about which handles and DLLs processes
have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows
a list of the currently active processes, including the names of their owning accounts,
whereas the information displayed in the bottom window depends on the mode that
Process Explorer is in: if it is in handle mode you'll see the handles that the process
selected in the top window has opened; if Process Explorer is in DLL mode you'll see the
DLLs and memory-mapped files that the process has loaded. Process Explorer also has a
powerful search capability that will quickly show you which processes have particular
handles opened or DLLs loaded.

The unique capabilities of Process Explorer make it useful for tracking down DLL-version
problems or handle leaks, and provide insight into the way Windows and applications
work.

Download
Download Process Explorer (3.3 MB)
Run now from Sysinternals Live .

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2016 and higher.

Installation
Simply run Process Explorer (procexp.exe).

The help file describes Process Explorer operation and usage. If you have problems or
questions, visit the Process Explorer section on Microsoft Q&A.

Note on use of symbols

When you configure the path to DBGHELP.DLL and the symbol path uses the symbol
server, the location of DBGHELP.DLL also has to contain the SYMSRV.DLL supporting the
server paths used. See SymSrv documentation or more information on how to use
symbol servers.

Learn More
Here are some other handle and DLL viewing tools and information available at
Sysinternals:

The case of the Unexplained... In this video, Mark describes how he has solved
seemingly unsolvable system and application problems on Windows.
Handle - a command-line handle viewer
ListDLLs - a command-line DLL viewer
PsList - local/remote command-line process lister
PsKill - local/remote command-line process killer
Defrag Tools: #2 - Process Explorer In this episode of Defrag Tools, Andrew
Richards and Larry Larsen show how to use Process Explorer to view the details of
processes, both at a point in time and historically.
Windows Sysinternals Primer: Process Explorer, Process Monitor and More Process
Explorer gets a lot of attention in the first Sysinternals Primer delivered by Aaron
Margosis and Tim Reckmeyer at TechEd 2010.
Process Monitor v4.01
Article • 06/20/2024

By Mark Russinovich

Published: June 20, 2024

Download Process Monitor (2.9 MB)

Download Procmon for Linux (GitHub)

Run now from Sysinternals Live .

Introduction
Process Monitor is an advanced monitoring tool for Windows that shows real-time file
system, Registry and process/thread activity. It combines the features of two legacy
Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements
including rich and non-destructive filtering, comprehensive event properties such as
session IDs and user names, reliable process information, full thread stacks with
integrated symbol support for each operation, simultaneous logging to a file, and much
more. Its uniquely powerful features will make Process Monitor a core utility in your
system troubleshooting and malware hunting toolkit.

Overview of Process Monitor Capabilities

Process Monitor includes powerful monitoring and filtering capabilities, including:

More data captured for operation input and output parameters

Non-destructive filters allow you to set filters without losing data
Capture of thread stacks for each operation make it possible in many cases to
identify the root cause of an operation
Reliable capture of process details, including image path, command line, user and
session ID
Configurable and moveable columns for any event property
Filters can be set for any data field, including fields not configured as columns
Advanced logging architecture scales to tens of millions of captured events and
gigabytes of log data
Process tree tool shows relationship of all processes referenced in a trace
Native log format preserves all data for loading in a different Process Monitor
instance
Process tooltip for easy viewing of process image information
Detail tooltip allows convenient access to formatted data that doesn't fit in the
column
Cancellable search
Boot time logging of all operations

The best way to become familiar with Process Monitor's features is to read through the
help file and then visit each of its menu items and options on a live system.

Screenshots
Related Links
Windows Internals Book
The official updates and errata page for the definitive book on Windows internals,
by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference
The official guide to the Sysinternals utilities by Mark Russinovich and Aaron
Margosis, including descriptions of all the tools, their features, how to use them for
troubleshooting, and example real-world cases of their use.

Download
Download Process Monitor (2.9 MB)

Run now from Sysinternals Live .

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2012 and higher.
PsExec v2.43
Article • 03/30/2023

By Mark Russinovich

Published: April 11, 2023

Download PsTools (5 MB)

Introduction
Utilities like Telnet and remote control programs like Symantec's PC Anywhere let you
execute programs on remote systems, but they can be a pain to set up and require that
you install client software on the remote systems that you wish to access. PsExec is a
light-weight telnet-replacement that lets you execute processes on other systems,
complete with full interactivity for console applications, without having to manually
install client software. PsExec's most powerful uses include launching interactive
command-prompts on remote systems and remote-enabling tools like IpConfig that
otherwise do not have the ability to show information about remote systems.

Note: some anti-virus scanners report that one or more of the tools are infected with a
"remote admin" virus. None of the PsTools contain viruses, but they have been used by
viruses, which is why they trigger virus notifications.

Installation
Just copy PsExec onto your executable path. Typing "psexec" displays its usage syntax.

Using PsExec
See the July 2004 issue of Windows IT Pro Magazine for Mark's article that covers
advanced usage of PsExec.

Usage:

Windows Command Prompt

psexec [\\\\computer[,computer2[,...] | @file]][-u user [-p psswd]][-n s][-r

servicename][-h][-l][-s|-e][-x][-i [session]][-c [-f|-v]][-w directory][-d]
[-<priority>][-g n][-a n,n,...][-accepteula][-nobanner] cmd [arguments]
Parameter Description

-a Separate processors on which the application can run with commas where 1 is the
lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4,
enter: "-a 2,4"

-c Copy the specified executable to the remote system for execution. If you omit this
option the application must be in the system path on the remote system.

-d Don't wait for process to terminate (non-interactive).

-e Does not load the specified account’s profile.

-f Copy the specified program even if the file already exists on the remote system.

-i Run the program so that it interacts with the desktop of the specified session on the
remote system. If no session is specified the process runs in the console session.
This flag is required when attempting to run console applications interactively (with
redirected standard IO).

-h If the target system is Vista or higher, has the process run with the account's
elevated token, if available.

-l Run process as limited user (strips the Administrators group and allows only
privileges assigned to the Users group). On Windows Vista the process runs with
Low Integrity.

-n Specifies timeout in seconds connecting to remote computers.

-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.

-r Specifies the name of the remote service to create or interact with.

-s Run the remote process in the System account.

-u Specifies optional user name for login to remote computer.

-v Copy the specified file only if it has a higher version number or is newer on than the
one on the remote system.

-w Set the working directory of the process (relative to remote computer).

-x Display the UI on the Winlogon secure desktop (local system only).

-priority Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at
a different priority. Use -background to run at low memory and I/O priority on Vista.

computer Direct PsExec to run the application on the remote computer or computers
specified. If you omit the computer name, PsExec runs the application on the local
system, and if you specify a wildcard (\\*), PsExec runs the command on all
computers in the current domain.
Parameter Description

@file PsExec will execute the command on each of the computers listed in the file.

cmd Name of application to execute.

arguments Arguments to pass (note that file paths must be absolute paths on the target
system).

- This flag suppresses the display of the license dialog.

accepteula

-nobanner This flag suppresses the startup banner and copyright message.

You can enclose applications that have spaces in their name with quotation marks e.g.

Windows Command Prompt

psexec \\marklap "c:\\long name app.exe"

Input is only passed to the remote system when you press the Enter key. Typing Ctrl-C
terminates the remote process.

If you omit a user name, the process will run in the context of your account on the
remote system, but will not have access to network resources (because it is
impersonating). Specify a valid user name in the Domain\User syntax if the remote
process requires access to network resources or to run in a different account. Note that
the password and command are encrypted in transit to the remote system.

Error codes returned by PsExec are specific to the applications you execute, not PsExec.

Examples
This article I wrote describes how PsExec works and gives tips on how to use it:

The following command launches an interactive command prompt on \\marklap :

Windows Command Prompt

psexec -i \\marklap cmd

This command executes IpConfig on the remote system with the /all switch, and
displays the resulting output locally:

Windows Command Prompt

psexec -i \\marklap ipconfig /all

This command copies the program test.exe to the remote system and executes it
interactively:

Windows Command Prompt

psexec -i \\marklap -c test.exe

Specify the full path to a program that is already installed on a remote system if its not
on the system's path:

Windows Command Prompt

psexec -i \\marklap c:\bin\test.exe

Run Regedit interactively in the System account to view the contents of the SAM and
SECURITY keys::

Windows Command Prompt

psexec -i -d -s c:\windows\regedit.exe

To run Internet Explorer as with limited-user privileges use this command:

Windows Command Prompt

psexec -l -d "c:\program files\internet explorer\iexplore.exe"

Download PsTools (5 MB)

PSTools

PsExec is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsGetSid v1.46
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
PsGetsid allows you to translate SIDs to their display name and vice versa. It works on
builtin accounts, domain accounts, and local accounts.

Installation
Just copy PsGetSid onto your executable path, and type "psgetsid".

Usage
Usage: psgetsid [\\computer[,computer[,...] | @file\] [-u username [-p password]]]
[account|SID]

Parameter Description

-u Specifies optional user name for login to remote computer.

-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.

Account PsGetSid will report the SID for the specified user account rather than the computer.

SID PsGetSid will report the account for the specified SID.

Computer Direct PsGetSid to perform the command on the remote computer or computers
specified. If you omit the computer name PsGetSid runs the command on the local
system, and if you specify a wildcard (\\*), PsGetSid runs the command on all
computers in the current domain.

@file PsGetSid will execute the command on each of the computers listed in the file.

If you want to see a computer's SID just pass the computer's name as a command-line
argument. If you want to see a user's SID, name the account (e.g. "administrator") on the
command-line and an optional computer name.

Specify a user name if the account you are running from doesn't have administrative
privileges on the computer you want to query. If you don't specify a password as an
option, PsGetSid will prompt you for one so that you can type it in without having it
echoed to the display.

Download PsTools (5 MB)

PsTools

PsGetSid is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsKill v1.17
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
Windows NT/2000 does not come with a command-line 'kill' utility. You can get one in
the Windows NT or Win2K Resource Kit, but the kit's utility can only terminate processes
on the local computer. PsKill is a kill utility that not only does what the Resource Kit's
version does, but can also kill processes on remote systems. You don't even have to
install a client on the target computer to use PsKill to terminate a remote process.

Installation
Just copy PsKill onto your executable path, and type pskill with command-line options
defined below.

Using PsKill
See the September 2004 issue of Windows IT Pro Magazine for Mark's article that
covers advanced usage of PsKill.

Running PsKill with a process ID directs it to kill the process of that ID on the local
computer. If you specify a process name PsKill will kill all processes that have that name.

Usage: pskill [- ] [-t] [\\computer [-u username] [-p password]] <process name |
process id>

Parameter Description

- Displays the supported options.

-t Kill the process and its descendants.

\\computer Specifies the computer on which the process you want to terminate is executing.
The remote computer must be accessible via the NT network neighborhood.
Parameter Description

-u username If you want to kill a process on a remote system and the account you are
executing in does not have administrative privileges on the remote system then
you must login as an administrator using this command-line option. If you do
not include the password with the -p option then PsKill will prompt you for the
password without echoing your input to the display.

-p password This option lets you specify the login password on the command line so that you
can use PsList from batch files. If you specify an account name and omit the -p
option PsList prompts you interactively for a password.

process id Specifies the process ID of the process you want to kill.

process name Specifies the process name of the process or processes you want to kill.

PsKill Microsoft KB Article

This Microsoft KB article references PsKill:

810596: PSVR2002: "There Is No Information to Display in This View" Error Message

When You Try to Access a Project View (https://support.microsoft.com/kb/810596)

Download PsTools (5 MB)

PsTools

PsKill is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsList v1.41
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
Parameter Description

pslist exp Show statistics for all the processes that start with "exp", which would include
Explorer.

-d Show thread detail.

-m Show memory detail.

-x Show processes, memory information and threads.

-t Show process tree.

-s [n] Run in task-manager mode, for optional seconds specified. Press Escape to abort.

-r n Task-manager mode refresh rate in seconds (default is 1).

\\computer Instead of showing process information for the local system, PsList will show
information for the NT/Win2K system specified. Include the -u switch with a
username and password to login to the remote system if your security credentials
do not permit you to obtain performance counter information from the remote
system.

-u Specifies optional user name for login to remote computer.

-p This option lets you specify the login password on the command line so that you
can use PsList from batch files. If you specify an account name and omit the -p
option PsList prompts you interactively for a password.

name Show information about processes that begin with the name specified.

-e Exact match the process name.

Parameter Description

pid Instead of listing all the running processes in the system, this parameter narrows
PsList's scan to the process that has the specified PID. Thus:
pslist 53
would dump statistics for the process with the PID 53.

How it Works
Like Windows NT/2K's built-in PerfMon monitoring tool, PsList uses the Windows NT/2K
performance counters to obtain the information it displays. You can find documentation
for Windows NT/2K performance counters, including the source code to Windows NT's
built-in performance monitor, PerfMon, in MSDN.

Memory Abbreviation Key

All memory values are displayed in KB.

Pri: Priority
Thd: Number of Threads
Hnd: Number of Handles
VM: Virtual Memory
WS: Working Set
Priv: Private Virtual Memory
Priv Pk: Private Virtual Memory Peak
Faults: Page Faults
NonP: Non-Paged Pool
Page: Paged Pool
Cswtch: Context Switches

Download PsTools (5 MB)

PsTools

PsList is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsService v2.26
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
PsService is a service viewer and controller for Windows. Like the SC utility that's
included in the Windows NT and Windows 2000 Resource Kits, PsService displays the
status, configuration, and dependencies of a service, and allows you to start, stop,
pause, resume and restart them. Unlike the SC utility, PsService enables you to logon to
a remote system using a different account, for cases when the account from which you
run it doesn't have required permissions on the remote system. PsService includes a
unique service-search capability, which identifies active instances of a service on your
network. You would use the search feature if you wanted to locate systems running
DHCP servers, for instance.

Finally, PsService works on both NT 4, Windows 2000 and Windows Vista, whereas the
Windows 2000 Resource Kit version of SC requires Windows 2000, and PsService doesn't
require you to manually enter a "resume index" in order to obtain a complete listing of
service information.>

Installation
Just copy PsService onto your executable path, and type "psservice".

Using PsService
The default behavior of PsService is to display the configured services (both running and
stopped) on the local system. Entering a command on the command-line invokes a
particular feature, and some commands accept options. Typing a command followed by
"- " displays information on the syntax for the command.

Usage: psservice [\\computer [-u username] [-p password]] <command> <options>

Parameter Description

query Displays the status of a service.

config Displays the configuration of a service.

setconfig Sets the start type (disabled, auto, demand) of a service.

start Starts a service.

stop Stops a service.

restart Stops and then restarts a service.

pause Pauses a service

cont Resumes a paused service.

depend Lists the services dependent on the one specified.

security Dumps the service's security descriptor.

find Searches the network for the specified service.

\\computer Targets the NT/Win2K system specified. Include the -u switch with a username and
password to login to the remote system if your security credentials do not permit
you to obtain performance counter information from the remote system. If you
specify the -u option, but not a password with the -p option, PsService will prompt
you to enter the password and will not echo it to the screen.

How it Works
PsService uses the Service Control Manager APIs that are documented in the Platform
SDK.

Download PsTools (5 MB)

PsTools

PsService is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsSuspend v1.08
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
PsSuspend lets you suspend processes on the local or a remote system, which is
desirable in cases where a process is consuming a resource (e.g. network, CPU or disk)
that you want to allow different processes to use. Rather than kill the process that's
consuming the resource, suspending permits you to let it continue operation at some
later point in time.

Installation
Copy PsSuspend onto your executable path and type "pssuspend" with command-line
options defined below.

Using PsSuspend
Running PsSuspend with a process ID directs it to suspend or resume the process of that
ID on the local computer. If you specify a process name PsSuspend will suspend or
resume all processes that have that name. Specify the -r switch to resume suspended
processes.

Usage: pssuspend [- ] [-r] [\\computer [-u username] [-p password]] <process name |
process id>

Parameter Description

- Displays the supported options.

-r Resumes the specified processes specified if they are suspended.

\\computer Specifies the computer on which the process you want to suspend or resume is
executing. The remote computer must be accessible via the NT network
neighborhood.
Parameter Description

-u username If you want to suspend a process on a remote system and the account you are
executing in does not have administrative privileges on the remote system then
you must login as an administrator using this command-line option. If you do
not include the password with the -p option then PsSuspend will prompt you for
the password without echoing your input to the display.

-p password This option lets you specify the login password on the command line so that you
can use PsSuspend from batch files. If you specify an account name and omit the
-p option PsSuspend prompts you interactively for a password.

process id Specifies the process ID of the process you want to suspend or resume.

process name Specifies the process name of the process or processes you want to suspend or
resume.

PsSuspend is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Download PsTools (5 MB)

PsTools

PsSuspend is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsTools
Article • 03/30/2023

By Mark Russinovich

Published: April 11, 2023

Download PsTools Suite (5 MB)

Introduction
The Windows NT and Windows 2000 Resource Kits come with a number of command-
line tools that help you administer your Windows NT/2K systems. Over time, I've grown
a collection of similar tools, including some not included in the Resource Kits. What sets
these tools apart is that they all allow you to manage remote systems as well as the local
one. The first tool in the suite was PsList, a tool that lets you view detailed information
about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to
the fact that the standard UNIX process listing command-line tool is named "ps", so I've
adopted this prefix for all the tools in order to tie them together into a suite of tools
named PsTools.

７ Note

Some anti-virus scanners report that one or more of the tools are infected with a
"remote admin" virus. None of the PsTools contain viruses, but they have been used
by viruses, which is why they trigger virus notifications.

The tools included in the PsTools suite, which are downloadable as a package, are:

PsExec - execute processes remotely

PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsInfo - list information about a system
PsPing - measure network performance
PsKill - kill processes by name or process ID
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is
included)
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes
PsUptime - shows you how long a system has been running since its last reboot
(PsUptime's functionality has been incorporated into PsInfo

The PsTools download package includes an HTML help file with complete usage
information for all the tools.

Download PsTools Suite (5 MB)

Runs on:

Client: Windows 8.1 and higher

Server: Windows Server 2012 and higher
Nano Server: 2016 and higher

Installation
None of the tools requires any special installation. You don't even need to install any
client software on the remote computers at which you target them. Run them by typing
their name and any command-line options you want. To show complete usage
information, specify the "-? " command-line option. If you have questions or problems,
visit the Sysinternals PsTools forum.

Related Links
Introduction to the PsTools : Wes Miller gives a high-level overview of the Sysinternals
PsTools in the March column of his TechNet Magazine column.
ShellRunas v1.02
Article • 10/12/2021

By Mark Russinovich and Jon Schwartz

Published: October 12, 2021

Download ShellRunas (90 KB)

Introduction
The command-line Runas utility is handy for launching programs under different
accounts, but it’s not convenient if you’re a heavy Explorer user. ShellRunas provides
functionality similar to that of Runas to launch programs as a different user via a
convenient shell context-menu entry.

Screenshot

Using ShellRunas
Usage:

shellrunas /reg [/quiet]

shellrunas /regnetonly [/quiet]
shellrunas /unreg [/quiet]
shellrunas [/netonly] <program> [arguments]

Parameter Description
Parameter Description

/reg Registers ShellRunas shell context-menu entry

/regnetonly Registers Shell /netonly context-menu entry

Note: a command prompt will flash when the program starts

/unreg Unregisters ShellRunas shell context-menu entry

/quiet Register or unregisters ShellRunas shell context-menu entry without result

dialog

/netonly Use if specified credentials are for remote access only

<program> Runs program with specified credentials and parameters

Download ShellRunas (90 KB)

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.

Getting Help
If you have problems or questions, please visit the Sysinternals Forum .
VMMap v3.4
Article • 10/18/2023

By Mark Russinovich

Published: October 18, 2023

Download VMMap (7.6 MB)

Run now from Sysinternals Live .

Introduction
VMMap is a process virtual and physical memory analysis utility. It shows a breakdown
of a process's committed virtual memory types as well as the amount of physical
memory (working set) assigned by the operating system to those types. Besides
graphical representations of memory usage, VMMap also shows summary information
and a detailed process memory map. Powerful filtering and refresh capabilities allow you
to identify the sources of process memory usage and the memory cost of application
features.

Besides flexible views for analyzing live processes, VMMap supports the export of data
in multiple forms, including a native format that preserves all the information so that
you can load back in. It also includes command-line options that enable scripting
scenarios.

VMMap is the ideal tool for developers wanting to understand and optimize their
application's memory resource usage.

Screenshot
Related Links
Windows Internals Book
The official updates and errata page for the definitive book on Windows internals,
by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's Reference The official guide to the
Sysinternals utilities by Mark Russinovich and Aaron Margosis, including
descriptions of all the tools, their features, how to use them for troubleshooting,
and example real-world cases of their use.

Download VMMap (7.6 MB)

Run now from Sysinternals Live .

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2016 and higher.

Learn More
Defrag Tools: #7 - VMMap
In this episode of Defrag Tools, Andrew Richards and Larry Larsen cover how to use
VMMap to see how Virtual Memory is being used and if there have been any
memory leaks.
Sysinternals Security Utilities
Article • 03/30/2023

AccessChk
This tool shows you the level of access the user or group you specify has to files,
Registry keys or Windows services.

AccessEnum
This simple yet powerful security tool shows you who has what access to directories,
files and Registry keys on your systems. Use it to find holes in your permissions.

Autologon
Bypass password screen during logon.

Autoruns
See what programs are configured to startup automatically when your system boots and
you log in. Autoruns also shows you the full list of Registry and file locations where
applications can configure auto-start settings.

LogonSessions
List active logon sessions

PsExec
Execute processes with limited-user rights.

PsLoggedOn
Show users logged on to a system.

PsLogList
Dump event log records.

Rootkit Revealer
RootkitRevealer is an advanced rootkit detection utility.
SDelete
Securely overwrite your sensitive files and cleanse your free space of previously deleted
files using this DoD-compliant secure delete program.

ShareEnum
Scan file shares on your network and view their security settings to close security holes.

ShellRunas
Launch programs as a different user via a convenient shell context-menu entry.

Sigcheck
Dump file version information and verify that images on your system are digitally
signed.

Sysmon
Monitors and reports key system activity via the Windows event log.
Autologon v3.10
Article • 07/27/2021

By Mark Russinovich

Published: August 29, 2016

Download Autologon (495 KB)

Run now from Sysinternals Live .

Introduction
Autologon enables you to easily configure Windows’ built-in autologon mechanism.
Instead of waiting for a user to enter their name and password, Windows uses the
credentials you enter with Autologon, which are encrypted in the Registry, to log on the
specified user automatically.

[!WARNING] Although the password is encrypted in the registry as an LSA secret, a user
with administrative rights can easily retrieve and decrypt it. (For more information see
Protecting the Automatic Logon Password )

Autologon is easy enough to use. Just run autologon.exe, fill in the dialog, and hit
Enable. The next time the system starts, Windows will try to use the entered credentials
to log on the user at the console. Note that Autologon does not verify the submitted
credentials, nor does it verify that the specified user account is allowed to log on to the
computer.

To turn off auto-logon, hit Disable. Also, if the shift key is held down before the system
performs an autologon, the autologon will be disabled for that logon. You can also pass
the username, domain and password as command-line arguments:

autologon user domain password

Note: When Exchange Activesync password restrictions are in place, Windows will not
process the autologon configuration.

Download Autologon (495 KB)

Run now from Sysinternals Live .
LogonSessions v1.41
Article • 03/23/2021

By Mark Russinovich

Published: November 25, 2020

Download LogonSessions (667 KB)

Introduction
If you think that when you logon to a system there's only one active logon session, this
utility will surprise you. It lists the currently active logon sessions and, if you specify the -
p option, the processes running in each session.

Usage: logonsessions [-c[t]] [-p]

Parameter Description

-c Print output as CSV.

-ct Print output as tab-delimited values.

-p List processes running in logon session.

Example output
Shell

C:\>logonsessions -p

[13] Logon session 00000000:6a6d6160:

User name: NTDEV\markruss
Auth package: Kerberos
Logon type: RemoteInteractive
Session: 1
Sid: S-1-5-21-397955417-626881126-188441444-3615555
Logon time: 7/2/2015 6:05:31 PM
Logon server: NTDEV-99
DNS Domain: NTDEV.CORP.MICROSOFT.COM
UPN: [email protected]
15368: ProcExp.exe
17528: ProcExp64.exe
13116: cmd.exe
17100: conhost.exe
6716: logonsessions.exe

Download LogonSessions (667 KB)

Runs on:

Client: Windows Vista (32-bit)and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
NewSID v4.10
Article • 06/22/2021

By Mark Russinovich

Published: November 1, 2006

Note: NewSID has been retired and is no longer available for download. Please see Mark
Russinovich’s blog post: NewSID Retirement and the Machine SID Duplication Myth

IMPORTANT
Regarding SIDs, Microsoft does not support images that are prepared using NewSID, we
only support images that are prepared using SysPrep. Microsoft has not tested NewSID
for all deployment cloning options.

For more information on Microsoft's official policy, please see the following Knowledge
Base article:

The Microsoft policy concerning disk duplication of Windows XP installations

Introduction
Many organizations use disk image cloning to perform mass rollouts of Windows. This
technique involves copying the disks of a fully installed and configured Windows
computer onto the disk drives of other computers. These other computers effectively
appear to have been through the same install process, and are immediately available for
use.

While this method saves hours of work and hassle over other rollout approaches, it has
the major problem that every cloned system has an identical Computer Security
Identifier (SID). This fact compromises security in Workgroup environments, and
removable media security can also be compromised in networks with multiple identical
computer SIDs.

Demand from the Windows community has lead several companies to develop
programs that can change a computer's SID after a system has been cloned. However,
Symantec's SID Changer andSymantec's Ghost Walker are only sold as part of each
company's high-end product. Further, they both run from a DOS command prompt
(Altiris' changer is similar to NewSID).
NewSID is a program we developed that changes a computer's SID. It is free and is a
Win32 program, meaning that it can easily be run on systems that have been previously
cloned.

Please read this entire article before you use this program.

Version Information:

Version 4.0 introduces support for Windows XP and .NET Server, a wizard-style
interface, allows you to specify the SID that you want applied, Registry compaction
and also the option to rename a computer (which results in a change of both
NetBIOS and DNS names).
Version 3.02 corrects a bug where NewSid would not correctly copy default values
with invalid value types when renaming a key with an old SID to a new SID. NT
actually makes use of such invalid values at certain times in the SAM. The symptom
of this bug was error messages reporting access denied when account information
was updated by an authorized user.
Version 3.01 adds a work-around for an inaccessible Registry key that is created by
Microsoft Transaction Server. Without the work-around NewSID would quit
prematurely.
Version 3.0 introduces a SID-sync feature that directs NewSID to obtain a SID to
apply from another computer.
Version 2.0 has an automated-mode option, and let's you change the computer
name as well.
Version 1.2 fixes a bug in that was introduced in 1.1 where some file system
security descriptors were not updated.
Version 1.1 corrects a relatively minor bug that affected only certain installations. It
also has been updated to change SIDs associated with the permission settings of
file and printer shares.

Cloning and Alternate Rollout Methods

One of the most popular ways of performing mass Windows rollouts (typically hundreds
of computers) in corporate environments is based on the technique of disk cloning. A
system administrator installs the base operating system and add-on software used in
the company on a template computer. After configuring the machine for operation in
the company network, automated disk or system duplication tools (such as
Symantec's Ghost, PowerQuest's Image Drive, and Altiris' RapiDeploy) are used to
copy the template computer's drives onto tens or hundreds of computers. These clones
are then given final tweaks, such as the assignment of unique names, and then used by
company employees.
Another popular way of rolling out is by using the Microsoft sysdiff utility (part of the
Windows Resource Kit). This tool requires that the system administrator perform a full
install (usually a scripted unattended installation) on each computer, and then sysdiff
automates the application of add-on software install images.

Because the installation is skipped, and because disk sector copying is more efficient
than file copying, a cloned-based rollout can save dozens of hours over a comparable
sysdiff install. In addition, the system administrator does not have to learn how to use
unattended install or sysdiff, or create and debug install scripts. This alone saves hours
of work.

The SID Duplication Problem

The problem with cloning is that it is only supported by Microsoft in a very limited
sense. Microsoft has stated that cloning systems is only supported if it is done before
the GUI portion of Windows Setup has been reached. When the install reaches this point
the computer is assigned a name and a unique computer SID. If a system is cloned after
this step the cloned machines will all have identical computer SIDs. Note that just
changing the computer name or adding the computer to a different domain does not
change the computer SID. Changing the name or domain only changes the domain SID
if the computer was previously associated with a domain.

To understand the problem that cloning can cause, it is first necessary to understand
how individual local accounts on a computer are assigned SIDs. The SIDs of local
accounts consist of the computer's SID and an appended RID (Relative Identifier). The
RID starts at a fixed value, and is increased by one for each account created. This means
that the second account on one computer, for example, will be given the same RID as
the second account on a clone. The result is that both accounts have the same SID.

Duplicate SIDs aren't an issue in a Domain-based environment since domain accounts

have SID's based on the Domain SID. But, according to Microsoft Knowledge Base article
Q162001, "Do Not Disk Duplicate Installed Versions of Windows NT", in a Workgroup
environment security is based on local account SIDs. Thus, if two computers have users
with the same SID, the Workgroup will not be able to distinguish between the users. All
resources, including files and Registry keys, that one user has access to, the other will as
well.

Another instance where duplicate SIDs can cause problems is where there is removable
media formatted with NTFS, and local account security attributes are applied to files and
directories. If such a media is moved to a different computer that has the same SID, then
local accounts that otherwise would not be able to access the files might be able to if
their account IDs happened to match those in the security attributes. This is not be
possible if computers have different SIDs.

An article Mark has written, entitled "NT Rollout Options," was published in the June
issue of Windows NT Magazine. It discusses the duplicate SID issue in more detail, and
presents Microsoft's official stance on cloning. To see if you have a duplicate SID issue
on your network, use PsGetSid to display machine SIDs.

NewSID
NewSID is a program we developed to change a computer's SID. It first generates a
random SID for the computer, and proceeds to update instances of the existing
computer SID it finds in the Registry and in file security descriptors, replacing
occurrences with the new SID. NewSID requires administrative privileges to run. It has
two functions: changing the SID, and changing the computer name.

To use NewSID's auto-run option, specify "/a" on the command line. You can also direct
it to automatically change the computer's name by including the new name after the
"/a" switch. For example:

newsid /a [newname]

Would have NewSID run without prompting, change the computer name to "newname"
and have it reboot the computer if everything goes okay.

Note: If the system on which you wish to run NewSID is running IISAdmin you must stop
the IISAdmin service before running NewSID. Use this command to stop the IISAdmin
service: net stop iisadmin /y

NewSID's SID-synchronizing feature that allows you to specify that, instead of randomly
generating one, the new SID should be obtained from a different computer. This
functionality makes it possible to move a Backup Domain Controller (BDC) to a new
Domain, since a BDC's relationship to a Domain is identified by it having the same
computer SID as the other Domain Controllers (DCs). Simply choose the "Synchronize
SID" button and enter the target computer's name. You must have permissions to
change the security settings of the target computer's Registry keys, which typically
means that you must be logged in as a domain administrator to use this feature.

Note that when you run NewSID that the size of the Registry will grow, so make sure
that the maximum Registry size will accommodate growth. We have found that this
growth has no perceptible impact on system performance. The reason the Registry
grows is that it becomes fragmented as temporary security settings are applied by
NewSID. When the settings are removed the Registry is not compacted.
Important: Note that while we have thoroughly tested NewSID, you must use it at your
own risk. As with any software that changes file and Registry settings, it is highly
recommended that you completely back-up your computer before running NewSID.

Moving a BDC
Here are the steps you should follow when you want to move a BDC from one domain
to another:

1. Boot up the BDC you want to move and log in. Use NewSID to synchronize the SID
of the BDC with the PDC of the domain to which you wish to move the BDC.
2. Reboot the system for which you changed the SID (the BDC). Since the domain the
BDC is now associated with already has an active PDC, it will boot as a BDC in its
new domain.
3. The BDC will show up as a workstation in Server Manager, so use the "Add to
Domain" button to add the BDC to its new domain. Be sure to specify the BDC
radio button when adding.

How it Works
NewSID starts by reading the existing computer SID. A computer's SID is stored in the
Registry's SECURITY hive under SECURITY\SAM\Domains\Account. This key has a value
named F and a value named V. The V value is a binary value that has the computer SID
embedded within it at the end of its data. NewSID ensures that this SID is in a standard
format (3 32-bit subauthorities preceded by three 32-bit authority fields).

Next, NewSID generates a new random SID for the computer. NewSID's generation takes
great pains to create a truly random 96-bit value, which replaces the 96-bits of the 3
subauthority values that make up a computer SID.

Three phases to the computer SID replacement follow. In the first phase, the SECURITY
and SAM Registry hives are scanned for occurrences of the old computer SID in key
values, as well as the names of the keys. When the SID is found in a value it is replaced
with the new computer SID, and when the SID is found in a name, the key and its
subkeys are copied to a new subkey that has the same name except with the new SID
replacing the old.

The final two phases involve updating security descriptors. Registry keys and NTFS files
have security associated with them. Security descriptors consist of an entry that
identifies which account owns the resource, which group is the primary group owner, an
optional list of entries that specify actions permitted by users or groups (known as the
Discretionary Access Control List - DACL), and an optional list of entries that specify
which actions performed by certain users or groups will generate entries in the system
Event Log (System Access Control List - SACL). A user or a group is identified in these
security descriptors with their SIDs, and as I stated earlier, local user accounts (other
than the built-in accounts such as Administrator, Guest, and so on) have their SIDs made
up of the computer SID plus a RID.

The first part of security descriptor updates occurs on all NTFS file system files on the
computer. Every security descriptor is scanned for occurrences of the computer SID.
When NewSID finds one, it replaces it with the new computer SID.

The second part of security descriptor updates is performed on the Registry. First,
NewSID must make sure that it scans all hives, not just those that are loaded. Every user
account has a Registry hive that is loaded as HKEY_CURRENT_USER when the user is
logged in, but remains on disk in the user's profile directory when they are not. NewSID
identifies the locations of all user hive locations by enumerating the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
key, which points at the directories in which they are stored. It then loads them into the
Registry using RegLoadKey under HKEY_LOCAL_MACHINE and scans the entire Registry,
examining each security descriptor in search of the old computer SID. Updates are
performed the same as for files, and when its done NewSID unloads the user hives it
loaded. As a final step NewSID scans the HKEY_USERS key, which contains the hive of
the currently logged-in user as well as the .Default hive. This is necessary because a hive
can't be loaded twice, so the logged-in user hive won't be loaded into
HKEY_LOCAL_MACHINE when NewSID is loading other user hives.

Finally, NewSID must update the ProfileList subkeys to refer to the new account SIDs.
This step is necessary to have Windows NT correctly associate profiles with the user
accounts after the account SIDs are changed to reflect the new computer SID.

NewSID ensures that it can access and modify every file and Registry key in the system
by giving itself the following privileges: System, Backup, Restore and Take Ownership.
PsLoggedOn v1.35
Article • 03/23/2021

By Mark Russinovich

Published: June 29, 2016

Download PsTools (2.7 MB)

Introduction
You can determine who is using resources on your local computer with the "net"
command ("net session"), however, there is no built-in way to determine who is using
the resources of a remote computer. In addition, NT comes with no tools to see who is
logged onto a computer, either locally or remotely. PsLoggedOn is an applet that
displays both the locally logged on users and users logged on via resources for either
the local computer, or a remote one. If you specify a user name instead of a computer,
PsLoggedOn searches the computers in the network neighborhood and tells you if the
user is currently logged on.

PsLoggedOn's definition of a locally logged on user is one that has their profile loaded
into the Registry, so PsLoggedOn determines who is logged on by scanning the keys
under the HKEY_USERS key. For each key that has a name that is a user SID (security
Identifier), PsLoggedOn looks up the corresponding user name and displays it. To
determine who is logged onto a computer via resource shares, PsLoggedOn uses the
NetSessionEnum API. Note that PsLoggedOn will show you as logged on via resource
share to remote computers that you query because a logon is required for PsLoggedOn
to access the Registry of a remote system.

Installation
Just copy PsLoggedOn onto your executable path, and type "psloggedon".

Using PsLoggedOn
Usage: psloggedon [- ] [-l] [-x] [\\computername | username]

Parameter Description
Parameter Description

- Displays the supported options and the units of measurement used for
output values.

-l Shows only local logons instead of both local and network resource logons.

-x Don't show logon times.

\\computername Specifies the name of the computer for which to list logon information.

username If you specify a user name PsLoggedOn searches the network for computers
to which that user is logged on. This is useful if you want to ensure that a
particular user is not logged on when you are about to change their user
profile configuration.

Download PsTools (2.7 MB)

PsTools
PsLoggedOn is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
PsLogList v2.82
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
The Resource Kit comes with a utility, elogdump, that lets you dump the contents of an
Event Log on the local or a remote computer. PsLogList is a clone of elogdump except
that PsLogList lets you login to remote systems in situations your current set of security
credentials would not permit access to the Event Log, and PsLogList retrieves message
strings from the computer on which the event log you view resides.

Installation
Just copy PsLogList onto your executable path, and type "psloglist".

Using PsLogList
The default behavior of PsLogList is to show the contents of the System Event Log on the
local computer, with visually-friendly formatting of Event Log records. Command line
options let you view logs on different computers, use a different account to view a log,
or to have the output formatted in a string-search friendly way.

usage: psloglist [- ] [\\computer[,computer[,...] | @file [-u username [-p password]]] [-

s [-t delimiter]] [-m #|-n #|-h #|-d #|-w][-c][-x][-r][-a mm/dd/yy][-b mm/dd/yy][-f
filter] [-i ID[,ID[,...] | -e ID[,ID[,...]]] [-o event source[,event source][,..]]] [-q event
source[,event source][,..]]] [-l event log file] <eventlog>

Parameter Description

@file Execute the command on each of the computers listed in the file.

-a Dump records timestamped after specified date.

-b Dump records timestamped before specified date.

Parameter Description

-c Clear the event log after displaying.

-d Only display records from previous n days.

-c Clear the event log after displaying.

-e Exclude events with the specified ID or IDs (up to 10).

-f Filter event types with filter string (e.g. "-f w" to filter warnings).

-h Only display records from previous n hours.

-i Show only events with the specified ID or IDs (up to 10).

-l Dump records from the specified event log file.

-m Only display records from previous n minutes.

-n Only display the number of most recent entries specified.

-o Show only records from the specified event source (e.g. \"-o cdrom\").

-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.

-q Omit records from the specified event source or sources (e.g. \"-q cdrom\").

-r SDump log from least recent to most recent.

-s This switch has PsLogList print Event Log records one-per-line, with comma
delimited fields. This format is convenient for text searches, e.g. psloglist

-t The default delimiter is a comma, but can be overridden with the specified character.

-u Specifies optional user name for login to remote computer.

-w Wait for new events, dumping them as they generate (local system only).

-x Dump extended data

eventlog eventlog

How it Works
Like Win NT/2K's built-in Event Viewer and the Resource Kit's elogdump, PsLogList uses
the Event Log API, which is documented in Windows Platform SDK. PsLogList loads
message source modules on the system where the event log being viewed resides so
that it correctly displays event log messages.
Download PsTools (5 MB)

PsTools
PsLogList is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
RootkitRevealer v1.71
Article • 06/07/2023

By Mark Russinovich

Published: November 1, 2006

Download RootkitRevealer (231 KB)

Run now from Sysinternals Live .

Introduction
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP (32-bit)
and Windows Server 2003 (32-bit), and its output lists Registry and file system API
discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish
and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that
don't attempt to hide their files or registry keys). If you use it to identify the presence of
a rootkit please let us know!

The reason that there is no longer a command-line version is that malware authors have
started targeting RootkitRevealer's scan by using its executable name. We've therefore
updated RootkitRevealer to execute its scan from a randomly named copy of itself that
runs as a Windows service. This type of execution is not conducive to a command-line
interface. Note that you can use command-line options to execute an automatic scan
with results logged to a file, which is the equivalent of the command-line version's
behavior.

What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby malware,
including viruses, spyware, and trojans, attempt to hide their presence from spyware
blockers, antivirus, and system management utilities. There are several rootkit
classifications depending on whether the malware survives reboot and whether it
executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system
boots. Because such malware contain code that must be executed automatically each
system start or when a user logs in, they must store code in a persistent store, such as
the Registry or file system, and configure a method by which the code executes without
user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not
survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a
user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile
APIs, which are used by file system exploration utilities, including Explorer and the
command prompt, to enumerate the contents of file system directories. When an
application performs a directory listing that would otherwise return results that contain
entries identifying the files associated with the rootkit, the rootkit intercepts and
modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-
mode services and more sophisticated user-mode rootkits intercept file system, Registry,
and process enumeration functions of the Native API. This prevents their detection by
scanners that compare the results of a Windows API enumeration with that returned by
a native API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the
native API in kernel-mode, but they can also directly manipulate kernel-mode data
structures. A common technique for hiding the presence of a malware process is to
remove the process from the kernel's list of active processes. Since process
management APIs rely on the contents of the list, the malware process will not display in
process management tools like Task Manager or Process Explorer.

How RootkitRevealer Works

Since persistent rootkits work by changing API results so that a system view using APIs
differs from the actual view in storage, RootkitRevealer compares the results of a system
scan at the highest level with that at the lowest level. The highest level is the Windows
API and the lowest level is the raw contents of a file system volume or Registry hive (a
hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or
kernel mode, that manipulate the Windows API or native API to remove their presence
from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy
between the information returned by the Windows API and that seen in the raw scan of
a FAT or NTFS volume's file system structures.
Can a Rootkit hide from RootkitRevealer
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would
require intercepting RootkitRevealer's reads of Registry hive data or file system data and
changing the contents of the data such that the rootkit's Registry data or files are not
present. However, this would require a level of sophistication not seen in rootkits to
date. Changes to the data would require both an intimate knowledge of the NTFS, FAT
and Registry hive formats, plus the ability to change data structures such that they hide
the rootkit, but do not cause inconsistent or invalid structures or side-effect
discrepancies that would be flagged by RootkitRevealer.

Is there a sure-fire way to know of a rootkit's presence

In general, not from within a running system. A kernel-mode rootkit can control any
aspect of a system's behavior so information returned by any API, including the raw
reads of Registry hive and file system data performed by RootkitRevealer, can be
compromised. While comparing an on-line scan of a system and an off-line scan from a
secure environment such as a boot into an CD-based operating system installation is
more reliable, rootkits can target such tools to evade detection by even them.

The bottom line is that there will never be a universal rootkit scanner, but the most
powerful scanners will be on-line/off-line comparison scanners that integrate with
antivirus.

Using RootkitRevealer
RootkitRevealer requires that the account from which its run has assigned to it the
Backup files and directories, Load drivers and Perform volume maintenance tasks (on
Windows XP and higher) privileges. The Administrators group is assigned these
privileges by default. In order to minimize false positives run RootkitRevealer on an idle
system.

For best results exit all applications and keep the system otherwise idle during the
RootkitRevealer scanning process.

If you have questions or problems please visit the Sysinternals RootkitRevealer Forum .

Manual Scanning
To scan a system launch it on the system and press the Scan button. RootkitRevealer
scans the system reporting its actions in a status area at the bottom of its window and
noting discrepancies in the output list. The options you can configure:
Hide NTFS Metadata Files: this option is on by default and has RootkitRevealer not
show standard NTFS metadata files, which are hidden from the Windows API.
Scan Registry: this option is on by default. Deselecting it has RootkitRevealer not
perform a Registry scan.

Launching an Automatic Scan

RootkitRevealer supports several options for auto-scanning systems:

Usage: rootkitrevealer [-a [-c] [-m] [-r] outputfile]

Parameter Description

-a Automatically scan and exit when done.

-c Format output as CSV.

-m Show NTFS metadata files.

-r Don't scan the Registry.

Note that the file output location must be on a local volume.

If you specify the -c option it does not report progress and discrepancies are printed in
CSV format for easy import into a database. You can perform scans of remote systems
by executing it with the Sysinternals PsExec utility using a command-line like the
following:

psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log

Interpreting the Output

This is a screenshot of RootkitRevealer detecting the presence of the popular
HackerDefender rootkit. The Registry key discrepancies show that the Registry keys
storing HackerDefender's device driver and service settings are not visible to the
Windows API, but are present in the raw scan of the Registry hive data. Similarly, the
HackerDefender-associated files are not visible to Windows API directory scans, but are
present in the scan of the raw file system data.
You should examine all discrepancies and determine the likelihood that they indicate the
presence of a rootkit. Unfortunately, there is no definitive way to determine, based on
the output, if a rootkit is present, but you should examine all reported discrepancies to
ensure that they are explainable. If you determine that you have a rootkit installed,
search the web for removal instructions. If you are unsure as to how to remove a rootkit
you should reformat the system's hard disk and reinstall Windows.

In addition to the information below on possible RootkitRevealer discrepancies, the

RootkitRevealer Forum at Sysinternals discusses detected rootkits and specific false-
positives.

Hidden from Windows API

These discrepancies are the ones exhibited by most rootkits; however, if you haven't
checked the Hide NTFS metadata files you should expect to see a number of such
entries on any NTFS volume, since NTFS hides its metadata files, such as $MFT and
$Secure, from the Windows API. The metadata files present on NTFS volumes vary by
version of NTFS and the NTFS features that have been enabled on the volume. There are
also antivirus products, such as Kaspersky Antivirus, that use rootkit techniques to hide
data they store in NTFS alternate data streams. If you are running such a virus scanner
you'll see a Hidden from Windows API discrepancy for an alternate data stream on every
NTFS file. RootkitRevealer does not support output filters because rootkits can take
advantage of any filtering. Finally, if a file is deleted during a scan you may also see this
discrepancy.

This is a list of NTFS metadata files defined as of Windows Server 2003:

$AttrDef
$BadClus
$BadClus:$Bad
$BitMap
$Boot
$LogFile
$Mft
$MftMirr
$Secure
$UpCase
$Volume
$Extend
$Extend\$Reparse
$Extend\$ObjId
$Extend\$UsnJrnl
$Extend\$UsnJrnl:$Max
$Extend\$Quota

Access is Denied.
RootkitRevealer should never report this discrepancy since it uses mechanisms that
allow it to access any file, directory, or registry key on a system.

Visible in Windows API, directory index, but not in MFT.

Visible in Windows API, but not in MFT or directory index.
Visible in Windows API, MFT, but not in directory index.
Visible in directory index, but not Windows API or MFT.

A file system scan consists of three components: the Windows API, the NTFS Master File
Table (MFT), and the NTFS on-disk directory index structures. These discrepancies
indicate that a file appears in only one or two of the scans. A common reason is that a
file is either created or deleted during the scans. This is an example of RootkitRevealer's
discrepancy report for a file created during the scanning:

C:\newfile.txt
3/1/2005 5:26 PM
8 bytes
Visible in Windows API, but not in MFT or directory index.

Windows API length not consistent with raw hive data.

Rootkits can attempt to hide themselves by misrepresenting the size of a Registry value
so that its contents aren't visible to the Windows API. You should examine any such
discrepancy, though it may also appear as a result of Registry values that change during
a scan.

Type mismatch between Windows API and raw hive data.

Registry values have a type, such as DWORD and REG_SZ, and this discrepancy notes
that the type of a value as reported through the Windows API differs from that of the
raw hive data. A rootkit can mask its data by storing it as a REG_BINARY value, for
example, and making the Windows API believe it to be a REG_SZ value; if it stores a 0 at
the start of the data the Windows API will not be able to access subsequent data.

Key name contains embedded nulls.

The Windows API treats key names as null-terminated strings, whereas the kernel treats
them as counted strings. Thus, it is possible to create Registry keys that are visible to the
operating system, yet only partially visible to Registry tools like Regedit. The Reghide
sample code at Sysinternals demonstrates this technique, which is used by both malware
and rootkits to hide Registry data. Use the Sysinternals RegDelNull utility to delete keys
with embedded nulls.

Data mismatch between Windows API and raw hive data.

This discrepancy will occur if a Registry value is updated while the Registry scan is in
progress. Values that change frequently include timestamps such as the Microsoft SQL
Server uptime value, shown below, and virus scanner "last scan" values. You should
investigate any reported value to ensure that its a valid application or system Registry
value.

HKLM\SOFTWARE\Microsoft\Microsoft SQL
Server\RECOVERYMANAGER\MSSQLServer\uptime_time_utc
3/1/2005 4:33 PM
8 bytes

Rootkit Resources
The following Web sites and books are sources of more information on rootkits:

Sony, Rootkits and Digital Rights Management Gone Too Far

Read Mark's blog entry on his discovery and analysis of a Sony rootkit on one of his
computers.

Unearthing Rootkits
Mark's June Windows IT Pro Magazine article provides an overview of rootkit
technologies and how RootkitRevealer works.

Rootkits: Subverting the Windows Kernel

This book by Greg Hoglund and Jamie Butler is the most comprehensive treatment of
rootkits available.

www.phrack.org
This site stores the archive of Phrack, a cracker-oriented magazine where developers
discuss flaws in security-related products, rootkit techniques, and other malware tricks.
The Art of Computer Virus Research and Defense , by Peter Szor

Malware: Fighting Malicious Code , by Ed Skoudis and Lenny Zeltser

Windows Internals, 4th Edition, by Mark Russinovich and Dave Solomon (the book
doesn't talk about rootkits, but understanding the Windows architecture is helpful to
understanding rootkits).

Download RootkitRevealer (231 KB)

Run now from Sysinternals Live .

Sysmon v15.15
Article • 07/23/2024

By Mark Russinovich and Thomas Garnier

Published: July 23, 2024

Download Sysmon (4.6 MB)

Download Sysmon for Linux (GitHub)

Introduction
System Monitor (Sysmon) is a Windows system service and device driver that, once
installed on a system, remains resident across system reboots to monitor and log system
activity to the Windows event log. It provides detailed information about process
creations, network connections, and changes to file creation time. By collecting the
events it generates using Windows Event Collection or SIEM agents and
subsequently analyzing them, you can identify malicious or anomalous activity and
understand how intruders and malware operate on your network. The service runs as a
protected process, thus disallowing a wide range of user mode interactions.

Note that Sysmon does not provide analysis of the events it generates, nor does it
attempt to hide itself from attackers.

Overview of Sysmon Capabilities

Sysmon includes the following capabilities:

Logs process creation with full command line for both current and parent
processes.
Records the hash of process image files using SHA1 (the default), MD5, SHA256 or
IMPHASH.
Multiple hashes can be used at the same time.
Includes a process GUID in process create events to allow for correlation of events
even when Windows reuses process IDs.
Includes a session GUID in each event to allow correlation of events on same logon
session.
Logs loading of drivers or DLLs with their signatures and hashes.
Logs opens for raw read access of disks and volumes.
Optionally logs network connections, including each connection’s source process,
IP addresses, port numbers, hostnames and port names.
Detects changes in file creation time to understand when a file was really created.
Modification of file create timestamps is a technique commonly used by malware
to cover its tracks.
Automatically reload configuration if changed in the registry.
Rule filtering to include or exclude certain events dynamically.
Generates events from early in the boot process to capture activity made by even
sophisticated kernel-mode malware.

Screenshots

Usage
Common usage featuring simple command-line options to install and uninstall Sysmon,
as well as to check and modify its configuration:

Install: sysmon64 -i [<configfile>]

Update configuration: sysmon64 -c [<configfile>]
Install event manifest: sysmon64 -m
Print schema: sysmon64 -s
Uninstall: sysmon64 -u [force]

ﾉ Expand table
Parameter Description

-i Install service and driver. Optionally take a configuration file.

-c Update configuration of an installed Sysmon driver or dump the current

configuration if no other argument is provided. Optionally takes a configuration file.

-m Install the event manifest (implicitly done on service install as well).

-s Print configuration schema definition.

-u Uninstall service and driver. Using -u force causes uninstall to proceed even when
some components are not installed.

The service logs events immediately and the driver installs as a boot-start driver to
capture activity from early in the boot that the service will write to the event log when it
starts.

On Vista and higher, events are stored in Applications and Services

Logs/Microsoft/Windows/Sysmon/Operational . On older systems, events are written to the
System event log.

If you need more information on configuration files, use the -? config command.

Specify -accepteula to automatically accept the EULA on installation, otherwise you will
be interactively prompted to accept it.

Neither install nor uninstall requires a reboot.

Examples
Install with default settings (process images hashed with SHA1 and no network
monitoring)

Windows Command Prompt

sysmon -accepteula -i

Install Sysmon with a configuration file (as described below)

Windows Command Prompt

sysmon -accepteula -i c:\windows\config.xml

Uninstall
Windows Command Prompt

sysmon -u

Dump the current configuration

Windows Command Prompt

sysmon -c

Reconfigure an active Sysmon with a configuration file (as described below)

Windows Command Prompt

sysmon -c c:\windows\config.xml

Change the configuration to default settings

Windows Command Prompt

sysmon -c --

Show the configuration schema

Windows Command Prompt

sysmon -s

Events
On Vista and higher, events are stored in Applications and Services
Logs/Microsoft/Windows/Sysmon/Operational , and on older systems events are written to

the System event log. Event timestamps are in UTC standard time.

The following are examples of each event type that Sysmon generates.

Event ID 1: Process creation

The process creation event provides extended information about a newly created
process. The full command line provides context on the process execution. The
ProcessGUID field is a unique value for this process across a domain to make event
correlation easier. The hash is a full hash of the file with the algorithms in the HashType
field.

Event ID 2: A process changed a file creation time

The change file creation time event is registered when a file creation time is explicitly
modified by a process. This event helps tracking the real creation time of a file. Attackers
may change the file creation time of a backdoor to make it look like it was installed with
the operating system. Note that many processes legitimately change the creation time
of a file; it does not necessarily indicate malicious activity.

Event ID 3: Network connection

The network connection event logs TCP/UDP connections on the machine. It is disabled
by default. Each connection is linked to a process through the ProcessId and
ProcessGuid fields. The event also contains the source and destination host names IP

addresses, port numbers and IPv6 status.

Event ID 4: Sysmon service state changed

The service state change event reports the state of the Sysmon service (started or
stopped).

Event ID 5: Process terminated

The process terminate event reports when a process terminates. It provides the UtcTime ,
ProcessGuid and ProcessId of the process.

Event ID 6: Driver loaded

The driver loaded events provides information about a driver being loaded on the
system. The configured hashes are provided as well as signature information. The
signature is created asynchronously for performance reasons and indicates if the file was
removed after loading.

Event ID 7: Image loaded

The image loaded event logs when a module is loaded in a specific process. This event is
disabled by default and needs to be configured with the " –l " option. It indicates the
process in which the module is loaded, hashes and signature information. The signature
is created asynchronously for performance reasons and indicates if the file was removed
after loading. This event should be configured carefully, as monitoring all image load
events will generate a significant amount of logging.

Event ID 8: CreateRemoteThread
The CreateRemoteThread event detects when a process creates a thread in another
process. This technique is used by malware to inject code and hide in other processes.
The event indicates the source and target process. It gives information on the code that
will be run in the new thread: StartAddress , StartModule and StartFunction . Note that
StartModule and StartFunction fields are inferred, they might be empty if the starting

address is outside loaded modules or known exported functions.

Event ID 9: RawAccessRead
The RawAccessRead event detects when a process conducts reading operations from the
drive using the \\.\ denotation. This technique is often used by malware for data
exfiltration of files that are locked for reading, as well as to avoid file access auditing
tools. The event indicates the source process and target device.

Event ID 10: ProcessAccess

The process accessed event reports when a process opens another process, an
operation that’s often followed by information queries or reading and writing the
address space of the target process. This enables detection of hacking tools that read
the memory contents of processes like Local Security Authority (Lsass.exe) in order to
steal credentials for use in Pass-the-Hash attacks. Enabling it can generate significant
amounts of logging if there are diagnostic utilities active that repeatedly open processes
to query their state, so it generally should only be done so with filters that remove
expected accesses.

Event ID 11: FileCreate

File create operations are logged when a file is created or overwritten. This event is
useful for monitoring autostart locations, like the Startup folder, as well as temporary
and download directories, which are common places malware drops during initial
infection.

Event ID 12: RegistryEvent (Object create and delete)

Registry key and value create and delete operations map to this event type, which can
be useful for monitoring for changes to Registry autostart locations, or specific malware
registry modifications.

Sysmon uses abbreviated versions of Registry root key names, with the following
mappings:

ﾉ Expand table

Key name Abbreviation

HKEY_LOCAL_MACHINE HKLM

HKEY_USERS HKU

HKEY_LOCAL_MACHINE\System\ControlSet00x HKLM\System\CurrentControlSet

HKEY_LOCAL_MACHINE\Classes HKCR

Event ID 13: RegistryEvent (Value Set)

This Registry event type identifies Registry value modifications. The event records the
value written for Registry values of type DWORD and QWORD .

Event ID 14: RegistryEvent (Key and Value Rename)

Registry key and value rename operations map to this event type, recording the new
name of the key or value that was renamed.

Event ID 15: FileCreateStreamHash

This event logs when a named file stream is created, and it generates events that log the
hash of the contents of the file to which the stream is assigned (the unnamed stream),
as well as the contents of the named stream. There are malware variants that drop their
executables or configuration settings via browser downloads, and this event is aimed at
capturing that based on the browser attaching a Zone.Identifier "mark of the web"
stream.

Event ID 16: ServiceConfigurationChange

This event logs changes in the Sysmon configuration - for example when the filtering
rules are updated.
Event ID 17: PipeEvent (Pipe Created)
This event generates when a named pipe is created. Malware often uses named pipes
for interprocess communication.

Event ID 18: PipeEvent (Pipe Connected)

This event logs when a named pipe connection is made between a client and a server.

Event ID 19: WmiEvent (WmiEventFilter activity detected)

When a WMI event filter is registered, which is a method used by malware to execute,
this event logs the WMI namespace, filter name and filter expression.

Event ID 20: WmiEvent (WmiEventConsumer activity

detected)
This event logs the registration of WMI consumers, recording the consumer name, log,
and destination.

Event ID 21: WmiEvent (WmiEventConsumerToFilter

activity detected)
When a consumer binds to a filter, this event logs the consumer name and filter path.

Event ID 22: DNSEvent (DNS query)

This event is generated when a process executes a DNS query, whether the result is
successful or fails, cached or not. The telemetry for this event was added for Windows
8.1 so it is not available on Windows 7 and earlier.

Event ID 23: FileDelete (File Delete archived)

A file was deleted. Additionally to logging the event, the deleted file is also saved in the
ArchiveDirectory (which is C:\Sysmon by default). Under normal operating conditions

this directory might grow to an unreasonable size - see event ID 26: FileDeleteDetected
for similar behavior but without saving the deleted files.
Event ID 24: ClipboardChange (New content in the
clipboard)
This event is generated when the system clipboard contents change.

Event ID 25: ProcessTampering (Process image change)

This event is generated when process hiding techniques such as "hollow" or "herpaderp"
are being detected.

Event ID 26: FileDeleteDetected (File Delete logged)

A file was deleted.

Event ID 27: FileBlockExecutable

This event is generated when Sysmon detects and blocks the creation of executable files
(PE format).

Event ID 28: FileBlockShredding

This event is generated when Sysmon detects and blocks file shredding from tools such
as SDelete.

Event ID 29: FileExecutableDetected

This event is generated when Sysmon detects the creation of a new executable file (PE
format).

Event ID 255: Error

This event is generated when an error occurred within Sysmon. They can happen if the
system is under heavy load and certain tasks could not be performed or a bug exists in
the Sysmon service, or even if certain security and integrity conditions are not met. You
can report any bugs on the Sysinternals forum or over Twitter (@markrussinovich ).

Configuration files
Configuration files can be specified after the -i (installation) or -c (installation)
configuration switches. They make it easier to deploy a preset configuration and to filter
captured events.

A simple configuration xml file looks like this:

XML

<Sysmon schemaversion="4.82">

<HashAlgorithms>*</HashAlgorithms>
<EventFiltering>


<DriverLoad onmatch="exclude">
<Signature condition="contains">microsoft</Signature>
<Signature condition="contains">windows</Signature>
</DriverLoad>

<ProcessTerminate onmatch="include" />


<NetworkConnect onmatch="include">
<DestinationPort>443</DestinationPort>
<DestinationPort>80</DestinationPort>
</NetworkConnect>
<NetworkConnect onmatch="exclude">
<Image condition="end with">iexplore.exe</Image>
</NetworkConnect>
</EventFiltering>
</Sysmon>

The configuration file contains a schemaversion attribute on the Sysmon tag. This
version is independent from the Sysmon binary version and allows the parsing of older
configuration files. You can get the current schema version by using the " -? config "
command line. Configuration entries are directly under the Sysmon tag and filters are
under the EventFiltering tag.

Configuration Entries
Configuration entries are similar to command line switches and include the following

Configuration entries include the following:

ﾉ Expand table

Entry Value Description

ArchiveDirectory String Name of directories at volume roots into which copy-on-

delete files are moved. The directory is protected with a
Entry Value Description

System ACL (you can use PsExec from Sysinternals to access

the directory using psexec -sid cmd ). Default: Sysmon

CheckRevocation Boolean Controls signature revocation checks. Default: True

CopyOnDeletePE Boolean Preserves deleted executable image files. Default: False

CopyOnDeleteSIDs Strings Comma-separated list of account SIDs for which file deletes
will be preserved.

CopyOnDeleteExtensions Strings Extensions for files that are preserved on delete.

CopyOnDeleteProcesses Strings Process name(s) for which file deletes will be preserved.

DnsLookup Boolean Controls reverse DNS lookup. Default: True

DriverName String Uses specified name for driver and service images.

HashAlgorithms Strings Hash algorithm(s) to apply for hashing. Algorithms

supported include MD5, SHA1, SHA256, IMPHASH and *
(all). Default: None

Command line switches have their configuration entry described in the Sysmon usage
output. Parameters are optional based on the tag. If a command line switch also enables
an event, it needs to be configured though its filter tag. You can specify the -s switch to
have Sysmon print the full configuration schema, including event tags as well as the field
names and types for each event. For example, here’s the schema for the RawAccessRead
event type:

XML

<event name="SYSMON_RAWACCESS_READ" value="9" level="Informational

"template="RawAccessRead detected" rulename="RawAccessRead" version="2">
<data name="UtcTime" inType="win:UnicodeString" outType="xs:string"/>
<data name="ProcessGuid" inType="win:GUID"/>
<data name="ProcessId" inType="win:UInt32" outType="win:PID"/>
<data name="Image" inType="win:UnicodeString" outType="xs:string"/>
<data name="Device" inType="win:UnicodeString" outType="xs:string"/>
</event>

Event filtering entries

Event filtering allows you to filter generated events. In many cases events can be noisy
and gathering everything is not possible. For example, you might be interested in
network connections only for a certain process, but not all of them. You can filter the
output on the host reducing the data to collect.

Each event has its own filter tag under the EventFiltering node in a configuration file:

ﾉ Expand table

ID Tag Event

1 ProcessCreate Process Create

2 FileCreateTime File creation time

3 NetworkConnect Network connection detected

4 n/a Sysmon service state change (cannot be filtered)

5 ProcessTerminate Process terminated

6 DriverLoad Driver Loaded

7 ImageLoad Image loaded

8 CreateRemoteThread CreateRemoteThread detected

9 RawAccessRead RawAccessRead detected

10 ProcessAccess Process accessed

11 FileCreate File created

12 RegistryEvent Registry object added or deleted

13 RegistryEvent Registry value set

14 RegistryEvent Registry object renamed

15 FileCreateStreamHash File stream created

16 n/a Sysmon configuration change (cannot be filtered)

17 PipeEvent Named pipe created

18 PipeEvent Named pipe connected

19 WmiEvent WMI filter

20 WmiEvent WMI consumer

21 WmiEvent WMI consumer filter

22 DNSQuery DNS query

ID Tag Event

23 FileDelete File Delete archived

24 ClipboardChange New content in the clipboard

25 ProcessTampering Process image change

26 FileDeleteDetected File Delete logged

27 FileBlockExecutable File Block Executable

28 FileBlockShredding File Block Shredding

29 FileExecutableDetected File Executable Detected

You can also find these tags in the event viewer on the task name.

The onmatch filter is applied if events are matched. It can be changed with the onmatch
attribute for the filter tag. If the value is "include" , it means only matched events are
included. If it is set to "exclude" , the event will be included except if a rule match. You
can specify both an include filter set and an exclude filter set for each event ID, where
exclude matches take precedence.

Each filter can include zero or more rules. Each tag under the filter tag is a field name
from the event. Rules that specify a condition for the same field name behave as OR
conditions, and ones that specify different field name behave as AND conditions. Field
rules can also use conditions to match a value. The conditions are as follows (all are case
insensitive):

ﾉ Expand table

Condition Description

is Default, values are equals

is any The field is one of the ; delimited values

is not Values are different

contains The field contains this value

contains any The field contains any of the ; delimited values

contains all The field contains all of the ; delimited values

excludes The field does not contain this value

Condition Description

excludes The field does not contain one or more of the ; delimited values
any

excludes all The field does not contain any of the ; delimited values

begin with The field begins with this value

end with The field ends with this value

not begin The field does not begin with this value
with

not end The field does not end with this value
with

less than Lexicographical comparison is less than zero

more than Lexicographical comparison is more than zero

image Match an image path (full path or only image name). For example: lsass.exe will
match c:\windows\system32\lsass.exe

You can use a different condition by specifying it as an attribute. This excludes network
activity from processes with iexplore.exe in their path:

XML

<NetworkConnect onmatch="exclude">
<Image condition="contains">iexplore.exe</Image>
</NetworkConnect>

To have Sysmon report which rule match resulted in an event being logged, add names
to rules:

XML

<NetworkConnect onmatch="exclude">
<Image name="network iexplore" condition="contains">iexplore.exe</Image>
</NetworkConnect>

You can use both include and exclude rules for the same tag, where exclude rules
override include rules. Within a rule, filter conditions have OR behavior.

In the sample configuration shown earlier, the networking filter uses both an include
and exclude rule to capture activity to port 80 and 443 by all processes except those
that have iexplore.exe in their name.
It is also possible to override the way that rules are combined by using a rule group
which allows the rule combine type for one or more events to be set explicitly to AND or
OR.

The following example demonstrates this usage. In the first rule group, a process create
event will be generated when timeout.exe is executed only with a command line
argument of 100 , but a process terminate event will be generated for the termination of
ping.exe and timeout.exe .

XML

<EventFiltering>
<RuleGroup name="group 1" groupRelation="and">
<ProcessCreate onmatch="include">
<Image condition="contains">timeout.exe</Image>
<CommandLine condition="contains">100</CommandLine>
</ProcessCreate>
</RuleGroup>
<RuleGroup groupRelation="or">
<ProcessTerminate onmatch="include">
<Image condition="contains">timeout.exe</Image>
<Image condition="contains">ping.exe</Image>
</ProcessTerminate>
</RuleGroup>
<ImageLoad onmatch="include"/>
</EventFiltering>

Download Sysmon (4.6 MB)

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2016 and higher.
Sysinternals System Information Utilities
Article • 03/23/2021

ClockRes
View the resolution of the system clock, which is also the maximum timer resolution.

Coreinfo
Coreinfo is a command-line utility that shows you the mapping between logical
processors and the physical processor, NUMA node, and socket on which they reside, as
well as the cache’s assigned to each logical processor.

Handle
This handy command-line utility will show you what files are open by which processes,
and much more.

LiveKd
Use Microsoft kernel debuggers to examine a live system.

LoadOrder
See the order in which devices are loaded on your WinNT/2K system.

LogonSessions
List the active logon sessions on a system.

PendMoves
Enumerate the list of file rename and delete commands that will be executed the next
boot.

Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time.

ProcFeatures
This applet reports processor and Windows support for Physical Address Extensions and
No Execute buffer overflow protection.

PsInfo
Obtain information about a system.

PsLoggedOn
Show users logged on to a system

RAMMap
An advanced physical memory usage analysis utility that presents usage information in
different ways on its several different tabs.

WinObj
The ultimate Object Manager namespace viewer is here.
ClockRes v2.1
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download ClockRes (494 KB)

Introduction
Ever wondered what the resolution of the system clock was, or perhaps the maximum
timer resolution that your application could obtain? The answer lies in a simple function
named GetSystemTimeAdjustment, and the ClockRes applet performs the function and
shows you the result.

Download ClockRes (494 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
Coreinfo v3.6
Article • 06/07/2023

By Mark Russinovich

Published: September 29, 2022

Download Coreinfo (531 KB)

Introduction
Coreinfo is a command-line utility that shows you the mapping between logical
processors and the physical processor, NUMA node, and socket on which they reside, as
well as the cache’s assigned to each logical processor. It uses the Windows’
GetLogicalProcessorInformation function to obtain this information and prints it to
the screen, representing a mapping to a logical processor with an asterisk e.g. ‘*’.
Coreinfo is useful for gaining insight into the processor and cache topology of your
system.

Installation
Extract the archive to a directory and then run Coreinfo by typing from that directory
Coreinfo in the console on a 32 bit Windows version or Coreinfo64 for a 64 bit version.

Using CoreInfo
For each resource it shows a map of the OS-visible processors that correspond to the
specified resources, with '*' representing the applicable processors. For example, on a 4-
core system, a line in the cache output with a map of shared by cores 3 and 4.

Usage: coreinfo [-c][-f][-g][-l][-n][-s][-m][-v]

Parameter Description

-c Dump information on cores.

-f Dump core feature information.

-g Dump information on groups.

-l Dump information on caches.

Parameter Description

-n Dump information on NUMA nodes.

-s Dump information on sockets.

-m Dump NUMA access cost.

-v Dump only virtualization-related features including support for

second level address translation.

(requires administrative rights

on Intel systems).

All options except -v are selected by default.

Coreinfo Output:

shell

Coreinfo v3.03 - Dump information on system CPU and memory topology

Intel(R) Xeon(R) CPU W3520 @ 2.67GHz

Intel64 Family 6 Model 26 Stepping 5, GenuineIntel
EM64T * Supports 64-bit mode
VMX - Supports Intel hardware-assisted virtualization
SVM - Supports AMD hardware-assisted virtualization
HYPERVISOR * Hypervisor is present
HTT * Supports hyper-threading

SMX - Supports Intel trusted execution

SKINIT - Supports AMD SKINIT
EIST * Supports Enhanced Intel Speedstep

NX * Supports no-execute page protection

PAGE1GB - Supports 1GB large pages
PAE * Supports > 32-bit physical addresses
PAT * Supports Page Attribute Table
PSE * Supports 4-MB pages
PSE36 * Supports > 32-bit address 4-MB pages
PGE * Supports global bit in page tables
SS * Supports bus snooping for cache operations
VME * Supports Virtual-8086 mode

FPU * Implements i387 FP instructions

MMX * Supports MMX instruction set
MMXEXT - Implements AMD MMX extensions
3DNOW - Supports 3DNow! instructions
3DNOWEXT - Supports 3DNow! extension instructions
SSE * Supports Streaming SIMD Extensions
SSE2 * Supports Streaming SIMD Extensions 2
SSE3 * Supports Streaming SIMD Extensions 3
SSSE3 * Supports Supplemental SIMD Extensions 3
SSE4.1 * Supports Streaming SIMD Extensions 4.1
SSE4.2 * Supports Streaming SIMD Extensions 4.2

AES - Supports AES extensions

AVX - Supports AVX instruction extensions
FMA - Supports FMA extensions using YMM state
MSR * Implements RDMSR/WRMSR instructions
MTTR * Supports Mmeory Type Range Registers
XSAVE - Supports XSAVE/XRSTOR instructions
OSXSAVE - Supports XSETBV/XGETBV instructions

CMOV * Supports CMOVcc instruction

CLFSH * Supports CLFLUSH instruction
CX8 * Supports compare and exchange 8-byte instructions
CX16 * Supports CMPXCHG16B instruction
DCA - Supports prefetch from memory-mapped device
F16C - Supports half-precision instruction
FXSR * Supports FXSAVE/FXSTOR instructions
FFXSR - Supports optimized FXSAVE/FSRSTOR instruction
MONITOR - Supports MONITOR and MWAIT instructions
MOVBE - Supports MOVBE instruction
PCLULDQ - Supports PCLMULDQ instruction
POPCNT * Supports POPCNT instruction
SEP * Supports fast system call instructions

DE * Supports I/O breakpoints including CR4.DE

DTES64 - Can write history of 64-bit branch addresses
DS - Implements memory-resident debug buffer
DS-CPL - Supports Debug Store feature with CPL
PCID - Supports PCIDs and settable CR4.PCIDE
PDCM - Supports Performance Capabilities MSR
RDTSCP * Supports RDTSCP instruction
TSC * Supports RDTSC instruction
TSC-DEADLINE - Local APIC supports one-shot deadline timer
xTPR * Supports disabling task priority messages

ACPI * Implements MSR for power management

TM * Implements thermal monitor circuitry
TM2 * Implements Thermal Monitor 2 control
APIC * Implements software-accessible local APIC
x2APIC - Supports x2APIC

CNXT-ID - L1 data cache mode adaptive or BIOS

MCE * Supports Machine Check, INT18 and CR4.MCE

MCA * Implements Machine Check Architecture
PBE * Supports use of FERR#/PBE# pin

PSN - Implements 96-bit processor serial number

Logical to Physical Processor Map:

*--- Physical Processor 0
-*-- Physical Processor 1
--*- Physical Processor 2
---* Physical Processor 3

Logical Processor to Socket Map:

**** Socket 0

Logical Processor to NUMA Node Map:

**** NUMA Node 0

Logical Processor to Cache Map:

*--- Data Cache 0, Level 1, 32 KB, Assoc 8, LineSize 64
*--- Instruction Cache 0, Level 1, 32 KB, Assoc 4, LineSize 64
*--- Unified Cache 0, Level 2, 256 KB, Assoc 8, LineSize 64
-*-- Data Cache 1, Level 1, 32 KB, Assoc 8, LineSize 64
-*-- Instruction Cache 1, Level 1, 32 KB, Assoc 4, LineSize 64
-*-- Unified Cache 1, Level 2, 256 KB, Assoc 8, LineSize 64
--*- Data Cache 2, Level 1, 32 KB, Assoc 8, LineSize 64
--*- Instruction Cache 2, Level 1, 32 KB, Assoc 4, LineSize 64
--*- Unified Cache 2, Level 2, 256 KB, Assoc 8, LineSize 64
---* Data Cache 3, Level 1, 32 KB, Assoc 8, LineSize 64
---* Instruction Cache 3, Level 1, 32 KB, Assoc 4, LineSize 64
---* Unified Cache 3, Level 2, 256 KB, Assoc 8, LineSize 64
**** Unified Cache 4, Level 3, 8 MB, Assoc 16, LineSize 64

Logical Processor to Group Map:

**** Group 0

Download Coreinfo (531 KB)

LiveKd v5.63
Article • 03/23/2021

By Mark Russinovich and Ken Johnson

Published: April 28, 2020

Download LiveKd (700 KB)

Introduction
LiveKD, a utility I wrote for the CD included with Inside Windows 2000, 3rd Edition, is now
freely available. LiveKD allows you to run the Kd and Windbg Microsoft kernel
debuggers, which are part of the Debugging Tools for Windows package , locally on a
live system. Execute all the debugger commands that work on crash dump files to look
deep inside the system. See the Debugging Tools for Windows documentation and our
book for information on how to explore a system with the kernel debuggers.

While the latest versions of Windbg and Kd have a similar capability on Windows Vista
and Server 2008, LiveKD enables more functionality, such as viewing thread stacks with
the !thread command, than Windbg and Kd's own live kernel debugging facility.

Installation
First download and install the Debugging Tools for Windows package from Microsoft's
web site:

https://msdn.microsoft.com/library/windows/hardware/ff551063(v=vs.85).aspx

If you install the tools to their default directory of \Program Files\Microsoft\Debugging

Tools for Windows, you can run LiveKD from any directory; otherwise you should copy
LiveKD to the directory in which the tools are installed.

If you haven't installed symbols for the system on which you run LiveKD, LiveKD will ask
if you want it to automatically configure the system to use Microsoft's symbol server
(see the Debugging Tools for Windows documentation for information on symbol files
and the Microsoft symbol server).

NOTE: The Microsoft debugger will complain that it can't find symbols for LIVEKDD.SYS.
This is expected, since I have not made symbols for LIVEKDD.SYS available, and does not
affect the behavior of the debugger.
Using LiveKd
usage:

liveKd [[-w]|[-k <debugger>]|[-o filename]] [-vsym] [-m[flags] [[-mp process]|[pid]]]

Parameter Description

-hv Specifies the name or GUID of the Hyper-V VM to debug.

-hvd Includes hypervisor pages (Windows 8.1 and above only).

-hvl Lists the names and GUIDs of running Hyper-V VMs.

-k Specifies complete path and filename of debugger image to execute

-m Creates a mirror dump, which is a consistent view of kernel memory.

Only kernel mode memory will be available, and this option may need significant
amounts of available physical memory. A flags mask that specifies which regions to
include may optionally be provided (drawn from the following table, default 0x18F8):
0001 - process private, 0002 - mapped file,
0004 - shared section, 0008 - page table pages,
0010 - paged pool, 0020 - non-paged pool,
0040 - system PTEs, 0080 - session pages,
0100 - metadata files, 0200 - AWE user pages,
0400 - driver pages, 0800 - kernel stacks,
1000 - WS metadata, 2000 - large pages
The default captures most kernel memory contents and is recommended.
This option may be used with -o to save faster, consistent dumps.
Mirror dumps require Windows Vista or Windows Server 2008 or above.
Sysinternals RamMap provides a graphical summary of the distribution of the
available memory regions that can be selected for inclusion.

-ml Generate live dump using native support (Windows 8.1 and above only).

-mp Specifies a single process whose user mode memory contents should be included in
a mirror dump. Only effective with the -m option.

-o Saves a memory.dmp to disk instead of launching the debugger.

-p Pauses the target Hyper-V VM while LiveKd is active (recommended for use with -o).
Specifies the name or GUID of the Hyper-V VM to debug.

-hvl Lists the names and GUIDs of running Hyper-V VMs.

Parameter Description

-vsym Displays verbose debugging information about symbol load operations.

-w Runs windbg instead of kd

All other options are passed through to the debugger.

Note: Use Ctrl-Break to terminate and restart the debugger if it hangs.

By default LiveKd runs kd.exe.

Download LiveKd (700 KB)

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
LoadOrder v1.02
Article • 10/12/2021

By Mark Russinovich

Published: October 12, 2021

Download LoadOrder (1.1 MB)

Run now from Sysinternals Live .

Introduction
This applet shows you the order that a Windows NT or Windows 2000 system loads
device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a
different order than the one calculated, because plug-and-play drivers are loaded on
demand during device detection and enumeration.

Download LoadOrder (1.1 MB)

Run now from Sysinternals Live .

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
ProcFeatures v1.1
Article • 07/19/2022

By Mark Russinovich

Published: November 1, 2006

Retired: September 1, 2011

） Important

ProcFeatures has been retired, as the latest additions to Coreinfo make this utility
obsolete. Coreinfo v3 now shows the processor features supported by the system’s
processors.
PsInfo v1.79
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
PsInfo is a command-line tool that gathers key information about the local or remote
Windows NT/2000 system, including the type of installation, kernel build, registered
organization and owner, number of processors and their type, amount of physical
memory, the install date of the system, and if its a trial version, the expiration date.

Installation
Just copy PsInfo onto your executable path, and type "psinfo".

Using PsInfo
By default PsInfo shows information for the local system. Specify a remote computer
name to obtain information from the remote system. Since PsInfo relies on remote
Registry access to obtain its data, the remote system must be running the Remote
Registry service and the account from which you run PsInfo must have access to the
HKLM\System portion of the remote Registry.

In order to aid in automated Service Pack updates, PsInfo returns as a value the Service
Pack number of system (e.g. 0 for no service pack, 1 for SP 1, etc).

Usage: psinfo [[\\computer[,computer[,..] | @file [-u user

[-p psswd]]] [-h] [-s] [-d] [-c [-t delimiter]] [filter]

Parameter Description

\\computer Perform the command on the remote computer or computers specified. If you omit
the computer name the command runs on the local system, and if you specify a
wildcard (\\*), the command runs on all computers in the current domain.

@file Run the command on each computer listed in the text file specified.
Parameter Description

-u Specifies optional user name for login to remote computer.

-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.

-h Show list of installed hotfixes.

-s Show list of installed applications.

-d Show disk volume information.

-c Print in CSV format.

-t The default delimiter for the -c option is a comma, but can be overridden with the
specified character.

filter Psinfo will only show data for the field matching the filter. e.g. "psinfo service" lists
only the service pack field.

Example Output
Shell

C:\> psinfo \\development -h -d

PsInfo v1.6 - local and remote system information viewer

System information for \\DEVELOPMENT:

Uptime: 28 days, 0 hours, 15 minutes, 12 seconds
Kernel version: Microsoft Windows XP, Multiprocessor Free
Product type Professional
Product version: 5.1
Service pack: 0
Kernel build number: 2600
Registered organization: Sysinternals
Registered owner: Mark Russinovich
Install date: 1/2/2002, 5:29:21 PM
Activation status: Activated
IE version: 6.0000
System root: C:\WINDOWS
Processors: 2
Processor speed: 1.0 GHz
Processor type: Intel Pentium III
Physical memory: 1024 MB
Volume Type Format Label Size Free Free
A: Removable 0%
C: Fixed NTFS WINXP 7.8 GB 1.3 GB 16%
D: Fixed NTFS DEV 10.7 GB 809.7 MB 7%
E: Fixed NTFS SRC 4.5 GB 1.8 GB 41%
F: Fixed NTFS MSDN 2.4 GB 587.5 MB 24%
G: Fixed NTFS GAMES 8.0 GB 1.0 GB 13%
H: CD-ROM CDFS JEDIOUTCAST 633.6 MB 0%
I: CD-ROM 0%
Q: Remote 0%
T: Fixed NTFS Test 502.0 MB 496.7 MB 99%
OS Hot Fix Installed
Q147222 1/2/2002
Q309521 1/4/2002
Q311889 1/4/2002
Q313484 1/4/2002
Q314147 3/6/2002
Q314862 3/13/2002
Q315000 1/8/2002
Q315403 3/13/2002
Q317277 3/20/2002

How it Works
PsInfo uses the Remote Registry API to read system information from a system's
Registry, and WMI to determine whether Windows XP installations have been activated.

Download PsTools (5 MB)

PsTools

PsInfo is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
RAMMap v1.61
Article • 07/19/2022

By Mark Russinovich

Published: May 11, 2022

Download RAMMap (671 KB)

Run now from Sysinternals Live .

Have you ever wondered exactly how Windows is assigning physical memory, how much
file data is cached in RAM, or how much RAM is used by the kernel and device drivers?
RAMMap makes answering those questions easy. RAMMap is an advanced physical
memory usage analysis utility for Windows Vista and higher. It presents usage
information in different ways on its several different tabs:

Use Counts: usage summary by type and paging list

Processes: process working set sizes
Priority Summary: prioritized standby list sizes
Physical Pages: per-page use for all physical memory
Physical Ranges: physical memory addresses
File Summary: file data in RAM by file
File Details: individual physical pages by file

Use RAMMap to gain understanding of the way Windows manages memory, to analyze
application memory usage, or to answer specific questions about how RAM is being
allocated. RAMMap’s refresh feature enables you to update the display and it includes
support for saving and loading memory snapshots.

For definitions of the labels RAMMap uses as well as to learn about the physical-
memory allocation algorithms used by the Windows memory manager, please see
Windows Internals, 5^th^ Edition.
Related Links
Windows Internals Book The official updates and errata page for the definitive
book on Windows internals, by Mark Russinovich and David Solomon.
Windows Sysinternals Administrator's ReferenceThe official guide to the
Sysinternals utilities by Mark Russinovich and Aaron Margosis, including
descriptions of all the tools, their features, how to use them for troubleshooting,
and example real-world cases of their use.

Download RAMMap (671 KB)

Run now from Sysinternals Live .

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.

Learn More
Defrag Tools: #6 - RAMMap
In this episode of Defrag Tools, Andrew Richards and Larry Larsen cover using
RAMMap to see how RAM is being used and tell if there has been any memory
pressure.
WinObj v3.14
Article • 07/26/2023

By Mark Russinovich

Published: January 27, 2022

Download WinObj (1.8 MB)

Run now from Sysinternals Live .

Introduction
WinObj is a must-have tool if you are a system administrator concerned about security,
a developer tracking down object-related problems, or just curious about the Object
Manager namespace.

WinObj is a program that uses the native Windows API (provided by NTDLL.DLL) to
access and display information on the NT Object Manager's namespace. Winobj may
seem similar to the Microsoft SDK's program of the same name, but the SDK version
suffers from numerous significant bugs that prevent it from displaying accurate
information (e.g. its handle and reference counting information are totally broken). In
addition, our WinObj understands many more object types. Finally, Version 3.0 of our
WinObj has user-interface enhancements (including a dark theme), knows how to open
device objects, provides dynamic updates when objects are created/destroyed, and
allows searching and filtering.

Installation and Use

There is no device driver component to WinObj, so you can run it like any Win32
program.
How it Works
The Object Manager is in charge of managing NT objects. As part of this responsibility, it
maintains an internal namespace where various operating system components, device
drivers and Win32 programs can store and lookup objects. The native NT API provides
routines that allow user-mode programs to browse the namespace and query the status
of objects located there, but the interfaces are undocumented.

More Information
Helen Custer's Inside Windows NT provides a good overview of the Object Manager
namespace, and Mark's October 1997 WindowsITPro Magazine column, "Inside the
Object Manager", is (of course) an excellent overview.

Download WinObj (1.8 MB)

Run now from Sysinternals Live .

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
Sysinternals Miscellaneous Utilities
Article • 08/16/2022

AD Explorer
Active Directory Explorer is an advanced Active Directory (AD) viewer and editor.

AdRestore
Restore tombstoned Active Directory objects in Server 2003 domains.

Autologon
Bypass password screen during logon.

BgInfo
This fully-configurable program automatically generates desktop backgrounds that
include important information about the system including IP addresses, computer name,
network adapters, and more.

BlueScreen
This screen saver not only accurately simulates Blue Screens, but simulated reboots as
well (complete with CHKDSK), and works on Windows Vista, Server 2008 and higher.

Ctrl2cap
This is a kernel-mode driver that demonstrates keyboard input filtering just above the
keyboard class driver in order to turn caps-locks into control keys. Filtering at this level
allows conversion and hiding of keys before NT even "sees" them. Ctrl2cap also shows
how to use NtDisplayString() to print messages to the initialization blue-screen.

DebugView
Another first from Sysinternals: This program intercepts calls made to DbgPrint by
device drivers and OutputDebugString made by Win32 programs. It allows for viewing
and recording of debug session output on your local machine or across the Internet
without an active debugger.

Desktops
This new utility enables you to create up to four virtual desktops and to use a tray
interface or hotkeys to preview what’s on each desktop and easily switch between them.

Hex2dec
Convert hex numbers to decimal and vice versa.

NotMyFault
Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on
your Windows system.
PsLogList
Dump event log records.

RegDelNull
Scan for and delete Registry keys that contain embedded null-characters that are
otherwise undeleteable by standard Registry-editing tools.

Registry Usage (RU)

View the registry space usage for the specified registry key.

RegJump
Jump to the registry path you specify in Regedit.

Strings
Search for ANSI and UNICODE strings in binary images.

ZoomIt
Presentation utility for zooming and drawing on the screen.
BgInfo v4.33
Article • 02/13/2025

By Mark Russinovich

Published: February 13, 2025

Download BgInfo (2.2 MB)

Run now from Sysinternals Live .

Introduction
How many times have you walked up to a system in your office and needed to click
through several diagnostic windows to remind yourself of important aspects of its
configuration, such as its name, IP address, or operating system version? If you manage
multiple computers you probably need BGInfo. It automatically displays relevant
information about a Windows computer on the desktop's background, such as the
computer name, IP address, service pack version, and more. You can edit any field as
well as the font and background colors, and can place it in your startup folder so that it
runs every boot, or even configure it to display as the background for the logon screen.

Because BGInfo simply writes a new desktop bitmap and exits, you don't have to worry
about it consuming system resources or interfering with other applications.

Sysinternals BgInfo
Installation and Use
See Mark's Windows IT Pro Magazine Power Tools article for a primer on using BgInfo.
If you have questions or problems, please visit the Sysinternals BgInfo Forum.

By placing BGInfo in your Startup folder, you can ensure that the system information
being displayed is up to date each time you boot. Once you've settled on the
information to be displayed, use the command-line option /timer:0 to update the
display without showing the dialog box.

You can also use the Windows Scheduler to run BGInfo on a regular basis to ensure
long-running systems are kept up to date.

If you create a BGInfo configuration file (using the File|Save Settings menu item) you
can automatically import and use those settings on other systems by adding the
/I<path> or /iq<path> command line option.

Using BgInfo
When you run BGInfo it shows you the appearance and content of its default desktop
background. If left untouched it will automatically apply these settings and exit after its
10 second count-down timer expires.

Selecting any button or menu item will disable the timer, allowing you to customize the
layout and content of the background information.
If you want BGInfo to edit or use a configuration stored in a file (instead of the default
configuration which is stored in the registry) specify the name of the file on the
command line:

BGInfo MyConfig.bgi

Appearance Buttons
Fields: Selects what information appears on the desktop, and the order in which it is
displayed. For networking fields (NIC, IP, MAC, etc.) a separate entry is created for each
network card on the system. Use the Custom button to add special information you
define yourself.

Background: Selects the color and/or wallpaper to use for the background. If you select
the Copy existing settings option then BGInfo will use whatever information is currently
selected by the logged on user. This option allows end users to personalize their
desktop while still displaying the BGInfo information.

Position: Selects the location on the screen at which to place the text. If some items are
very long (for example some network card names) you can use the Limit Lines to item
to wrap them. The Compensate for Taskbar position checkbox adjusts the position of
the text to ensure that it is not covered by the Taskbar. The Multiple Monitor
Configuration button allows you to specify how multiple monitors attached to a single
console should be handled.

Desktops: Selects which desktops are updated when the configuration is applied. By
default only the User Desktop wallpaper is changed. Enabling the Logon Desktop for
Console users option specifies that the wallpaper should be displayed on the logon
desktop that is presented before anyone has logged onto the system. On Windows
95/98/ME systems the same desktop is used for users and the login screen, so this
option has no effect. Enabling the Logon Desktop for Terminal Services users option
specifies that the wallpaper should be displayed on the Terminal Services login screen.
This option is useful only on servers running Terminal Services.

Preview: Displays the background as it will appear when applied to your system.

Configuration Menu Items

These are options that control how the bitmap is produced, where it is located and how
to import/export settings.

File | Open: Opens a BGInfo configuration file.

File | Save As: Saves a copy of the current BGInfo configuration to a new file. Once
created, you can have BGInfo use the file later by simply specifying it on the command
line, or by using File|Open menu option.

File|Reset Default Settings: Removes all configuration information and resets BGInfo to
its default (install-time) state. Use this if you can't determine how to undo a change, or if
BGInfo becomes confused about the current state of the bitmap.

File|Database: Specifies a .XLS, .MDB or .TXT file or a connection string to an SQL

database that BGInfo should use to store the information it generates. Use this to collect
a history of one or more systems on your network. You must ensure that all systems that
access the file have the same version of MDAC and JET database support installed. It is
recommended you use at least MDAC 2.5 and JET 4.0. If specifying an XLS file the file
must already exist.

If you prefer to have BGInfo update the database without modifying the user's wallpaper
you can unselect all desktops in the Desktops dialog; BGInfo will still update the
database.

Bitmap|256 Colors: Limits the bitmap to 256 colors. This option produces a smaller
bitmap.

Bitmap|High Color/True Color: Creates a 16-bit or 24-bit color bitmap.

Bitmap|Match Display: Creates a bitmap with color depth matching that of the display.
Because the bitmap generated by BGInfo is not updated when a user changes the
display's color depth you may see unexpected results (especially dithering of the text
and background) with some combinations of bitmap and display depth.

Bitmap|Location: Specifies the location to place the output bitmap file. On Terminal
Services servers the bitmap should be placed in a location that is unique to each user.

Edit|Insert Image: Allows you to insert a bitmap image into the output. Because BGInfo's
configuration information is stored in the registry and Windows limits the size of registry
values you may encounter errors when inserting larger images. On Windows 9x/Me
systems the limit is 16K, while on NT/2000/XP systems the limit is 64K.

Command Line Options

ﾉ Expand table
Parameter Description

<path> Specifies the name of a configuration file to use for the current session. Changes to
the configuration are automatically saved back to the file when OK or Apply is
pressed. If this parameter is not present BGInfo uses the default configuration
information which is stored in the registry under the current user
("HKEY_CURRENT_USER\Software\Winternals\BGInfo").

/timer Specifies the timeout value for the countdown timer, in seconds. Specifying zero
will update the display without displaying the configuration dialog. Specifying 300
seconds or longer disables the timer altogether.

/popup Causes BGInfo to create a popup window containing the configured information
without updating the desktop. The information is formatted exactly as it would if
displayed on the desktop, but resides in a fitted window instead. When using this
option the history database is not updated.

/silent Suppresses error messages.

/taskbar Causes BGInfo to place an icon in the taskbar's status area without updating the
desktop. Clicking the icon causes the configured information to appear in a popup
window. When using this option the history database is not updated.

/all Specifies that BGInfo should change the wallpaper for any and all users currently
logged in to the system. This option is useful within a Terminal Services
environment, or when BGInfo is scheduled to run periodically on a system used by
more than one person (see Using a Schedule below).

/log Causes BGInfo to write errors to the specified log file instead of generating a
warning dialog box. This is useful for tracking down errors that occur when BGInfo
is run under the scheduler.

/rtf Causes BGInfo to write its output text to an RTF file. All formatting information and
colors are included.

Download BgInfo ] (2.2 MB)

Run now from Sysinternals Live .

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2016 and higher.
BlueScreen Screen Saver v3.2
Article • 09/15/2022

By Mark Russinovich

Published: November 1, 2006

Download BlueScreen (64 KB)

Introduction
One of the most feared colors in the NT world is blue. The infamous Blue Screen of
Death (BSOD) will pop up on an NT system whenever something has gone terribly
wrong. Bluescreen is a screen saver that not only authentically mimics a BSOD, but will
simulate startup screens seen during a system boot.

On NT 4.0 installations it simulates chkdsk of disk drives with errors!

On Windows 2000, Windows 95, and Windows 98 it presents the Windows 2000
startup splash screen, complete with rotating progress band and progress control
updates!
On Windows XP and Windows Server 2003 it presents the XP/Server 2003 startup
splash screen with progress bar!

Bluescreen cycles between different Blue Screens and simulated boots every 15 seconds
or so. Virtually all the information shown on Bluescreen's BSOD and system start screen
is obtained from your system configuration - its accuracy will fool even advanced NT
developers. For example, the NT build number, processor revision, loaded drivers and
addresses, disk drive characteristics, and memory size are all taken from the system
Bluescreen is running on.

Use Bluescreen to amaze your friends and scare your enemies!

Installation and Use

Note: before you can run Bluescreen on Windows 95 or 98, you must copy
\winnt\system32\ntoskrnl.exe from a Windows 2000 system to your \Windows directory.
Simply copy Sysinternals BLUESCRN.SCR to your \system32 directory if on Windows
NT/2K, or \Windows\System directory if on Windows 95 or 98. Right click on the
desktop to bring up the Display settings dialog and then select the "Screen Saver" tab.
Use the pull down list to find "Sysinternals Bluescreen" and apply it as your new screen
saver. Select the "Settings" button to enable fake disk activity, which adds an extra touch
of realism!

More Information
You can find out how real Blue Screens are generated, and what the information on the
Blue Screen means in my December 1997 Windows ITPro Magazine NT Internals
column, "Inside the Blue Screen."

Note: Some virus scanners flag the Bluescreen screen saver as a virus. If this is the
case with your virus scanner, you may not be able to use this screen saver.

Download BlueScreen (64 KB)

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
CpuStres v2.0
Article • 03/23/2021

By Pavel Yosifovich

Published: July 18, 2018

Download CpuStres (2.2 MB)

Introduction
CpuStres
CpuStres is a utility that can be used to simulate CPU activity by running up to 64
threads in a tight loop.

Each thread can be started, paused or stopped independently and can be configured
with the following parameters:

Activity Level This can be Low, Medium, Busy or Maximum which controls how
long the thread sleepss between cycles. Setting this value to Maximum causes the
thread to run continuously.
Priority This controls the thread priority. Refer to Windows Internals by Mark
Russinovich for details on thread priorities

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2003 and higher
Nano Server: 2016 and higher

Related Links
Windows Internals Book The official updates and errata page for the definitive
book on Windows internals, by Mark Russinovich and David Solomon.

Download
Download CpuStres (2.2 MB)
Run now from Sysinternals Live .
Ctrl2Cap v3.0
Article • 02/13/2025

By Mark Russinovich

Published: February 13, 2025

Download Ctrl2Cap (132 KB)

Introduction
Ctrl2Cap is a tool to help remap the Caps Lock key to Ctrl. People like myself that
migrated to NT from UNIX are used to having the control key located where the caps-
lock key is on the standard PC keyboard, so a utility like this is essential for our editing
well-being.

Installation and Use

Install Ctrl2Cap running the command ctrl2cap /install from the directory into which
you've unzipped the Ctrl2Cap files. To uninstall type ctrl2cap /uninstall .

Download Ctrl2Cap (132 KB)

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2016 and higher.
DebugView v4.90
Article • 03/23/2021

By Mark Russinovich

Published: April 23, 2019

Download DebugView (1.3 MB)

Run now from Sysinternals Live .

Introduction
DebugView is an application that lets you monitor debug output on your local system,
or any computer on the network that you can reach via TCP/IP. It is capable of
displaying both kernel-mode and Win32 debug output, so you don't need a debugger
to catch the debug output your applications or device drivers generate, nor do you need
to modify your applications or drivers to use non-standard debug output APIs.

DebugView Capture
Under Windows 2000, XP, Server 2003 and Vista DebugView will capture:

Win32 OutputDebugString
Kernel-mode DbgPrint
All kernel-mode variants of DbgPrint implemented in Windows XP and Server
2003

DebugView also extracts kernel-mode debug output generated before a crash from
Window's 2000/XP crash dump files if DebugView was capturing at the time of the crash.

DebugView Capabilities
DebugView has a powerful array of features for controlling and managing debug output.

Features new to version 4.6:

Support for Windows Vista 32-bit and 64-bit

Features new to version 4.5:

Support for log-file rollover: To better support long-running captures, DebugView
can now create a new log file each day, optionally clearing the display when doing
so.

Features new to version 4.4:

Support for Windows Server 2003 64-bit Edition and Windows XP 64-bit Edition
for x64:DebugView now captures kernel-mode debug output on 64-bit versions of
Windows.
Clock-time toggle: you can now toggle between clock time and elapsed time
modes.

Features new to version 4.3:

Support for Windows XP SP2:DebugView now captures kernel-mode debug

output on Windows XP SP2.
More highlighting filters: Many people have asked for more highlighting filters.
Log file wrapping: A new log file option has DebugView wrap around to the start
of the log file when the specified size limit is reached.
Larger buffers: Larger Win32 and kernel-mode buffers lessen the chance of
dropped debug output.
Clear-output string: When DebugView sees the special debug output string
"DBGVIEWCLEAR" it clears the output.
Client minimize-to-tray: You can now run the client minimized in the tray.

Features new to version 4.2:

Kernel-hook bug fixed:DebugView sometimes mistakenly report that it couldn't

hook kernel-mode debug output on Windows XP and Server 2003.
Client global-capture option: A new option allows the client to capture console
Win32 debug output on Terminal Server systems when run from a non-console
session.
Filtering improved: Filters can be much longer and now apply to Win32 process
IDs when process IDs are included in the output.
Crash-dump support improved: Several bugs related to extracting kernel-mode
output from crash dumps are fixed and DebugView now loads resulting log files.
More highlight filters:DebugView now has 10 highlight filters, up from 5.
Insert comments: A new menu item lets you insert comments into output.
New switches: New command-line switches allow you to specify history depth and
load log files.
Better balloon tips: If an output line is wider than the screen its mouse hover
balloon tip word wraps.
Features new to version 4.1:

Save and load filters: You can save and load filters, including the highlighting
colors.
Load saved logs: You can now load a log file back into the DebugView output
window.
Capture boot-time kernel-mode debug output: Under Windows 2000, you can
use DebugView to capture debug output generated by drivers from the earliest
point in the boot process.

Here is a list highlighting some of DebugView's other features:

Remote monitoring: Capture kernel-mode and/or Win32 debug output from any
computer accessible via TCP/IP - even across the Internet. You can monitor
multiple remote computers simultaneously. DebugView will even install its client
software itself if you are running it on a Windows 2000 system and are capturing
from another Windows 2000 system in the same Network Neighborhood.
Most-recent-filter lists:DebugView remembers your most recent filter selections,
with an interface that makes it easy to reselect them.
Process ID option: Toggle the display of process IDs for Win32 debug output.
Clipboard copy: Select multiple lines in the output window and copy their contents
to the clipboard.
Log-to-file: Write debug output to a file as its being captured.
Printing: Print all or part of captured debug output to a printer.
One-file payload:DebugView is implemented as one file.
Crash-Dump Support:DebugView can recover its buffers from a crash dump and
save the output to a log file so that users can send you the output your Windows
driver generated right up to the time of a crash.

The on-line help file describes all these features, and more, in detail.

Installation and Use

Simply execute the DebugView program file (dbgview.exe) and DebugView will
immediately start capturing debug output. Note that if you run DebugView on Windows
2000/XP you must have administrative privilege to view kernel-mode debug output.
Menus, hot-keys, or toolbar buttons can be used to clear the window, save the
monitored data to a file, search output, change the window font, and more. The on-line
help describes all of DebugView's features.
This is a screenshot of DebugView capturing Win32 debug output from a remote
system. Note the presence of a highlighting filter.

Download DebugView (1.3 MB)

Run now from Sysinternals Live .

Desktops v2.01
Article • 12/16/2021

By Mark Russinovich

Published: October 12, 2021

Download Desktops (199 KB)

Run now from Sysinternals Live .

Introduction
Desktops allows you to organize your applications on up to four virtual desktops. Read
email on one, browse the web on the second, and do work in your productivity software
on the third, without the clutter of the windows you're not using. After you configure
hotkeys for switching desktops, you can create and switch desktops either by clicking on
the tray icon to open a desktop preview and switching window, or by using the hotkeys.

Using Desktops
Unlike other virtual desktop utilities that implement their desktops by showing the
windows that are active on a desktop and hiding the rest, Sysinternals Desktops uses a
Windows desktop object for each desktop. Application windows are bound to a desktop
object when they are created, so Windows maintains the connection between windows
and desktops and knows which ones to show when you switch a desktop. That making
Sysinternals Desktops very lightweight and free from bugs that the other approach is
prone to where their view of active windows becomes inconsistent with the visible
windows.

Desktops reliance on Windows desktop objects means that it cannot provide some of
the functionality of other virtual desktop utilities, however. For example, Windows
doesn't provide a way to move a window from one desktop object to another, and
because a separate Explorer process must run on each desktop to provide a taskbar and
start menu, most tray applications are only visible on the first desktop. Further, there is
no way to delete a desktop object, so Desktops does not provide a way to close a
desktop, because that would result in orphaned windows and processes. The
recommended way to exit Desktops is therefore to logoff.

Screenshot
Configuration Dialog

Tray Desktop Switch Window

Download Desktops (199 KB)

Run now from Sysinternals Live .

Runs on:

Client: Windows 7, Windows 8, Windows 8.1 & Windows 10.

Server: Windows Server 2008 - Windows Server 2022.
Hex2dec v1.1
Article • 10/18/2023

By Mark Russinovich

Published: July 4, 2016

Download Hex2dec (578 KB)

Introduction
Tired of running Calc to convert between hexadecimal and decimal? Now you can with
this simple command-line utility.

Usage: hex2dec [hex|decimal]

Include x or 0x as the prefix of the number to specify a hexadecimal value.

e.g. To translate 1233 decimal to hexadecimal: hex2dec 1233
e.g. To translate 0x1233 hexadecimal to decimal: hex2dec 0x1233

Download Hex2dec (578 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
NotMyFault v4.21
Article • 09/29/2022

By Mark Russinovich

Published: September 29, 2022

Download NotMyFault (1.4 MB)

Introduction
Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on
your Windows system. It’s useful for learning how to identify and diagnose device driver
and hardware problems, and you can also use it to generate blue screen dump files on
misbehaving systems. The download file includes 32-bit and 64-bit versions, as well as a
command-line version that works on Nano Server. Chapter 7 in Windows Internals uses
Notmyfault to demonstrate pool leak troubleshooting and Chapter 14 uses it for crash
analysis examples.

Screenshots
Usage
You can use the GUI versions or the command-line version. Notmyfault requires
administrative privileges.

Usage:

notmyfaultc.exe crash crash_type_num

Shell

crash type:
0x01: High IRQL fault (Kernel-mode)
0x02: Buffer overflow
0x03: Code overwrite
0x04: Stack trash
0x05: High IRQL fault (User-mode)
0x06: Stack overflow
0x07: Hardcoded breakpoint
0x08: Double Free

Or notmyfaultc.exe hang hang_type_num

Shell

hang type:
0x01: Hang with IRP
0x02: Hang with DPC

Download NotMyFault (1.4 MB)

PsPasswd v1.25
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
Systems administrators that manage local administrative accounts on multiple
computers regularly need to change the account password as part of standard security
practices. PsPasswd is a tool that lets you change an account password on the local or
remote systems, enabling administrators to create batch files that run PsPasswd against
the computers they manage in order to perform a mass change of the administrator
password.

PsPasswd uses Windows password reset APIs, so does not send passwords over the
network in the clear.

Installation
Just copy PsPasswd onto your executable path, and type "pspasswd" with the command-
line syntax shown below..

Using PsPasswd
You can use PsPasswd to change the password of a local or domain account on the local
or a remote computer.

usage: pspasswd [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] Username

[NewPassword]

Parameter Description

computer Perform the command on the remote computer or computers specified. If you
omit the computer name the command runs on the local system, and if you
specify a wildcard (\\*), the command runs on all computers in the current
domain.
Parameter Description

@file Run the command on each computer listed in the text file specified.

-u Specifies optional user name for login to remote computer.

-p Specifies optional password for user name. If you omit this you will be prompted
to enter a hidden password.

Username Specifies name of account for password change.

NewPassword New password. If omitted a NULL password is applied.

Download PsTools (5 MB)

PsTools
PsPasswd is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
PsShutdown v2.6
Article • 03/30/2023

By Mark Russinovich

Published: March 30, 2023

Download PsTools (5 MB)

Introduction
PsShutdown is a command-line utility similar to the shutdown utility from the Windows
2000 Resource Kit, but with the ability to do much more. In addition to supporting the
same options for shutting down or rebooting the local or a remote computer,
PsShutdown can logoff the console user or lock the console (locking requires Windows
2000 or higher). PsShutdown requires no manual installation of client software.

Installation
Just copy PsShutdown onto your executable path, and type psshutdown with command-
line options defined below.

Using PsShutdown
See the February 2005 issue of Windows IT Pro Magazine for Mark's article
(https://www.windowsitpro.com/article/articleid/44973/44973.html) that covers
advanced usage of PsKill.

You can use PsShutdown to initiate a shutdown of the local or a remote computer, logoff
a user, lock a system, or to abort an imminent shutdown.

Usage: psshutdown [[\\computer[,computer[,..] | @file [-u user [-p psswd]]] -s|-r|-h|-

d|-k|-a|-l|-o|-x [-f] [-c] [-t nn|h:m] [-n s] [-v nn] [-e [u|p]:xx:yy] [-m "message"]

Parameter Description

- Displays the supported options.

computer Perform the command on the remote computer or computers specified. If you omit
the computer name the command runs on the local system, and if you specify a
wildcard (\\*), the command runs on all computers in the current domain.
Parameter Description

@file Run the command on each computer listed in the text file specified.

-u Specifies optional user name for login to remote computer.

-p Specifies optional password for user name. If you omit this you will be prompted to
enter a hidden password.

-a Aborts a shutdown (only possible while a countdown is in progress).

-c Allows the shutdown to be aborted by the interactive user.

-d Suspend the computer.

-e Shutdown reason code.

Specify 'u' for user reason codes and 'p' for planned shutdown reason codes.

xx is the major reason code (must be less than 256).

yy is the minor reason code (must be less than 65536).

-f Forces all running applications to exit during the shutdown instead of giving them a
chance to gracefully save their data.

-h Hibernate the computer.

-k Poweroff the computer (reboot if poweroff is not supported).

-l Lock the computer.

-m This option lets you specify a message to display to logged-on users when a
shutdown countdown commences.

-n Specifies timeout in seconds connecting to remote computers.

-o Logoff the console user.

-r Reboot after shutdown.

-s Shutdown without power off.

-t Specifies the countdown in seconds until the shutdown (default: 20 seconds) or the
time of shutdown (in 24 hour notation).

-x Turn monitor off (system will initiate Modern Standby if supported)

-v Display message for the specified number of seconds before the shutdown. If you
omit this parameter the shutdown notification dialog displays and specifying a value
of 0 results in no dialog.
Download PsTools (5 MB)

PsTools

PsShutdown is part of a growing kit of Sysinternals command-line tools that aid in the
administration of local and remote systems named PsTools.

Runs on:

Client: Windows 8.1 and higher.

Server: Windows Server 2012 and higher.
Remote Desktop Connection Manager v3.1
Article • 05/05/2025

By Julian Burger

Published: May 5, 2025

Download Remote Desktop Connection Manager (116.1 MB)

Run now from Sysinternals Live .

Introduction
RDCMan manages multiple remote desktop connections. It is useful for managing server labs
where you need regular access to each machine such as automated checkin systems and data
centers.

Servers are organized into named groups. You can connect or disconnect to all servers in a
group with a single command. You can view all the servers in a group as a set of thumbnails,
showing live action in each session. Servers can inherit their logon settings from a parent
group or a credential store. Thus when you change your lab account password, you only need
to change the password stored by RDCMan in one place. Passwords are stored securely by
encrypting with either CryptProtectData using the (locally) logged on user's authority or an
X509 certificate.

User with OS versions prior to Win7/Vista will need to get version 6 of the Terminal Services
Client. You can obtain this from the Microsoft Download Center: XP; Win2003

Upgrade note: RDG files with this version of RDCMan are not compatible with older program
versions. Any legacy RDG file opened and saved with this version will be backed up as
filename.old

The Display
The Remote Desktop Connection Manager display consists of the menu, a tree with groups of
servers, a splitter bar, and a client area.

The Menu
There are several top-level menus in RDCMan:
File - load, save, and close RDCMan file groups
Edit - add, remove, and edit the properties of servers and groups.
Session - connect, disconnect and log off sessions
View - options to control the visibility of the server tree, virtual groups and size of the
client area
Remote Desktops - allows access to the groups and servers in a hierarchical fashion,
similar to the server tree; primarily useful when the Server Tree is hidden
Tools - change application properties
Help - learn about RDCMan (you probably already found this)

The Tree
Most work, such as adding, removing, and editing servers and groups, can be accomplished via
right-clicking on a tree node. Servers and groups can be moved using drag-and-drop.

Keyboard shortcuts:

Enter: Connect to selected server.

Shift+Enter: Connect to the selected server using the Connect As feature.
Delete: Remove selected server or group.
Shift+Delete: Remove selected server or group without question.
Alt+Enter: Open properties dialog for selected server or group.
Tab: If a connected server is selected, give it focus.

Use the [View.Server tree location] menu option to locate the tree at the left or right edge of
the window.

The server tree can be docked, auto-hidden, or always hidden via the [View.Server tree
visibility] menu option. When the server tree is not displayed, servers can still be accessed
through the Remote Desktops menu. When the tree is auto-hidden, the splitter bar remains
visible at the left side of the window. Hovering over it will bring the server tree back into view.

The Client Area

The client area display depends on the node selected in the tree. If a server is selected, the
client area shows the remote desktop client for that server. If a group is selected, the client area
shows a thumbnail of the servers within that group. The size of the client area can be specified
via the View menu, as well as resizing the RDCMan window. Use [View.Lock window size] to
prevent the window from being resized by dragging the frame.

Caution: Connected servers can receive focus from keyboard navigation of the thumbnail
view. It is not always obvious which server has focus, so be careful. There is a setting to
control this: [Display Settings.Allow thumbnail session interaction].

Full Screen Mode

To work with a server in full screen mode, select the server to give it focus and press
Ctrl+Alt+Break (this key is configurable, see Shortcut Keys.) To leave full screen mode, press
Ctrl+Alt+Break again or use the minimize/restore buttons in the connection title bar. Multiple
monitors can be spanned if enabled by the monitor spanning option.

Shortcut Keys
You can find the full list of Terminal Services shortcut keys here. Some of these can be
configured from the Hot Keys tab.

Files
The top-level unit of organization in RDCMan is a remote desktop file group. File groups are
collections of groups and/or servers that are stored in a single physical file. Servers can't live
outside of a group and groups can't live outside of a file.

A file has all the characteristics of a server group other than being able to change its parent.

Groups
A group contains a list of servers and configuration information such as logon credentials.
Configuration settings can be inherited from another group or the application defaults. Groups
can be nested but are homogeneous: a group may either contain groups or servers, but not
both. All the servers in a group can be connected or disconnected at once.

When a group is selected in the tree view, the servers underneath it are displayed in a
thumbnail view. The thumbnails can show the actual server windows or simply the connection
status. Global thumbnail view properties can be adjusted via the [Tools.Options.Client Area]
tab while group/server-specific settings are in Display Settings.

Smart Groups
Smart groups are populated dynamically based on a set of rules. All ancestors of sibling groups
of the smart group are eligible for inclusion.

The Connected Virtual Group

When a server is in the connected state, it is automatically added the to Connected virtual
group. Servers cannot be explicitly added or removed from the Connected group.

The Connected group can be toggled on/off via the View menu.

The Reconnect Virtual Group

There are sometimes situations where a server disconnects and will be intentionally offline for
an unspecified length of time, e.g. when rebooting after an OS update. When this is the case,
drag the server in question to the Reconnect group. RDCMan will continually attempt to
connect to the server until it is successful.

The Reconnect group can be toggled on/off via the View menu.

The Favorites Virtual Group

The Favorites virtual group is a flat file of your favorite servers. You can add any server from the
server tree. This is helpful when you have many servers in the tree and often work with a
handful of servers from different groups.

The Favorites group can be toggled on/off via the View menu.

The Connect To Virtual Group

The Connect To Virtual Group contains the servers that are not members of user-created
groups. See Ad Hoc Connections for details.

The Connect To group is visible while ad hoc connections exist and disappears when there are
none.

The Recent Virtual Group

The Recent Virtual Group contains the servers that have been recently accessed.

The Recent group can be toggled on/off via the View menu.

Servers
A server has a server name (the computer's network name or IP address), an optional display
name, and logon information. The logon information may be inherited from another group.
Adding Servers Manually
Servers names following a pattern can be bulk added to a group. There are two pattern classes:

Iteration - {a,b,c} iterates over the comma-delimited contents.

Range - [1-5] iterates the numerical range. Prefix the lower bound with 0 's to specify the
minimum width.

Examples:

server1{a,b,c} : Adds server1a , server1b , server1c

server[001-15] : Adds server001 , server002 , ..., server015

{dca,dcb}rack[1-5]sql[1-2] : Adds dcarack1sql1 , dcarack1sql2 , dcarack2sql1 , ...,

dcarack5sql2 , dcbrack1sql1 , ... dcbrack5sql2

Importing Servers from a Text File

Servers can be imported into a group from a text file. The file format is simply one server name
per line:

txt

Server1
SecondServer
YANS

Server names may also be explicitly specified in the dialog.

All servers are imported into the same group with the same preferences. If a server is imported
that has the same name as an existing server, the existing server's preferences are updated to
the new ones.

Ad Hoc Connections
Ad hoc server connections can be created via the [Session.Connect to] feature. These servers
will be added to the Connect To Virtual Group. From there they can be converted into real
servers by moving them to a user-created group. Servers remaining in the Connect To group
are not persisted when RDCMan exits.

Windows Azure
In the [Connection Settings] tab, enter the role name and role instance name into Load
balance config as described here e.g. Cookie:
mstshash=MyServiceWebRole#MyServiceWebRole_IN_0#Microsoft.WindowsAzure.Plugins.RemoteAcce
ss.Rdp

Session Actions
While in a session, the focus can be released to another session or the server tree.

Focus release left (default value is Ctrl+Alt+Left) : This selects the previously selected
session.
Focus release right (default value is Ctrl+Alt+Right): This brings up a dialog to choose
where to focus. There will be buttons for up to the of the most-recently used session as
well as a button for the server tree and one to minimize RDCMan.

Certain key combinations and Windows actions can be tricky to perform over the remote
session--particularly when RDCMan itself is started within a remote session--e.g. Ctrl+Alt+Del.
These are available from the [Session.Send keys] and [Session.Remote actions] menu items.

Global Options
The [Tool.Options] menu item brings up the Options Dialog. Global settings, e.g. the client
area size, are modifiable from here. Most server-related options, e.g. hot keys and those on the
experience page, will not take effect until the next time that server is connected.

General
Hide main menu until ALT pressed
The main menu can be hidden until the ALT key is pressed or the window caption area is left
clicked.

Auto save interval

You can have RDCMan periodically save the open files automatically. Check the auto-save
check box and specify the interval (in minutes) for saving. An interval of 0 will not save
periodically but will suppress the save prompt when exiting RDCMan.

Prompt to reconnect connected servers on startup

RDCMan remembers which servers where connected when the program was exited. On the
next run you are prompted to choose which servers to reconnect. Disabling this option
automatically reconnects all previously connected servers. See Command Line for command
line switches that affect this behavior.
Default group settings
Clicking this button opens a dialog to configure the settings for the base level of the
inheritance hierarchy. E.g. if a File group is set to inherit from its parent, this is where the
settings come from.

Tree
Click to select gives focus to remote client
When selecting a node in the server tree control with a mouse click, the default behavior is to
keep focus on the tree control. There is an option to change this to focus on the selected
server.

Dim nodes when the tree control is inactive

RDCMan can dim the tree control when it is inactive. This presents a more obvious visual
distinction of keyboard focus.

Client Area
Client Area Size
This option resizes the client area of the RDCMan window. The options are also available from
the [View.Client size] menu.

Thumbnail Unit Size

The thumbnail unit size can be specified as an absolute pixel size or a relative percentage of
the client panel width.

Hot Keys
Many of the remote desktop hot keys are configurable. There is a limited mapping, however.
For example if the default key is ALT-something, the replacement must also be ALT-something.
To change a hot key, navigate to the text box for the hot key and press the new "something"
key.

Experience
Depending on the bandwidth available from your machine, you will want to limit Windows UI
features to improve performance. The connection speed drop down can be used to set all
options together, or they can be individually customized. The features are: desktop
backgrounds, showing full window contents when dragging, menu and window animation, and
windows themes.
Full Screen
Show full screen connection bar
Auto-hide connection bar
When a server is displayed in full-screen mode, the remote desktop activeX control provides a
UI connection bar at the top of the window. This bar can be toggled on and off. When it is on,
you can choose to have it pinned or auto-hidden.

Full screen window is always on top

When RDCMan is displaying a server in full-screen mode, you can choose to have the window
always displayed as the top-most window.

Use multiple monitors when necessary

By default, a full screen session is restricted to the monitor containing the server window. You
can enable multiple monitor spanning in the full screen options. If the remote desktop is larger
than window's monitor, it will span as many monitors as needed to fit the remote session. Note
that only rectangular areas are used, so if you have two monitors with differing vertical
resolutions, the shorter of the two is used. Also, there is a hard limit of 4096x2048 for the
remote desktop control.

Local Options
Groups and Servers have a number of tabbed property pages with various customization
options. Many of these pages are common to groups and servers. When the "Inherit from
parent" check box is checked, the settings that follow are inherited from the parent container.
Most server-related changes, e.g. remote desktop size, will not take effect until the next time
that server is connected.

File Settings
This page only appears for the properties of a file. It contains options for the file's group name,
shows the full path to the file (which can't be edited), and has a comment field.

Group Settings
This page only appears for the properties of a group. It contains options for the group name,
parent nesting, and a comment.

Server Settings
This page only appears for the properties of a server. It contains options for the server name,
its display name, parent nesting, and a comment. SCVMM virtual machines can be connected
to via RDP into the host using the VM console connect option. Use the PowerShell command:

PowerShell

get-vm | ft ElementName,Name,Id

to determine the id corresponding to the VM.

Logon Credentials
The Logon Credentials property page contains options pertaining to remote login. The user
name, password, and domain are set on this page. The domain and user name can be specified
together by using the domain\user format. When logging in to a machine "domain" rather
than a Windows domain, you can specify [server] or [display]. This former will be substituted
with the server name, the latter with the display name, at logon time. It is useful when you have
a group of machines which require logging in as administrator. The Logon Settings entered in
the properties pages are used by default for new connections. If you want to temporarily
customize these settings for a new connection, connect using the Connect As menu item.

Gateway Settings
The Gateway Settings property page has options for using a TS Gateway Server. The Gateway
name, authentication method, and local address bypass options are on this page. Users of
operating systems starting from Vista SP1 and Longhorn server will have additional options
regarding logon credentials:

Explicit entry of Gateway user name and password Ability to share the Gateway credentials with
the remote server

Connection Settings
The Connection Settings tab includes settings to customize how a session is connected and
what happens upon logon.

You can specify whether the console session should be connected to as well as the remote
desktop connection port.

There are also settings that allow you to run a program upon connection. Enter the program
name and, optionally, the working directory for that program. Note that these only have an
effect if you are connecting to the console session for the first time. That is, reconnecting to a
session or connecting to a session other than the console session will not run the program. (At
least, this is how Terminal Services appears to work based on empirical observation.)

Remote Desktop Settings

The size of the remote desktop is specified on this page. This is the logical desktop size, not
the physical client view of it. For example, if the remote desktop size is 1280 x 1024 and client
size is 1024 x 768, you would see a 1024 x 768 view of the remote desktop with scroll bars. If
the client size were 1600 x 1200, the entire remote desktop would be visible, offset by a gray
border.

Specifying "Same as client area" will make the remote desktop the same size as the RDCMan
client panel, i.e. the RDCMan window client area excluding the server tree. Specifying "Full
screen" will make the remote desktop the same size as the screen that the server is viewed on.
Note that the remote desktop size is determined upon connecting to a server. Changing this
setting for a connected server will have no effect.

The maximum size of the remote desktop is determined by the version of the remote desktop
activeX control. Version 5 (pre-Vista) had a maximum of 1600 x 1200; Version 6 (Vista) has a
maximum of 4096 x 2048. This limit is enforced at connection time, not during data entry. This
is in case the same RDCMan file is shared by multiple computers.

Local Resources
Various resources of the remote server may be delivered to the client. The remote computer
sound can be played locally, played remotely, or disabled entirely. Windows key combinations
(for example, those involving the actual Windows key as well as other specials like Alt+Tab) can
be applied always to the client machine, always to the remote machine, or to the client when
windowed and the remote machine when in full screen mode. Client drive, port, printer, smart
card, and clipboard resources can be automatically shared to the remote machine.

Security Settings
You can specify whether authentication of the remote machine is required before a connection
is established.

Display Settings
Thumbnail display settings are customizable from this page.
The first option is: thumbnail scale. This specifies how many thumbnail units to allocate to the
display of a given server. All servers default to a scale of 1. You can change this to increase the
display of important servers. For example, a server could be scaled by 3 or 5 making the
remote session quite usable in the thumbnail display while still permitting a view of many other
servers. This is the only option for servers.

There are three additional options for groups: preview session in thumbnail, allow thumbnail
session interaction, and show disconnected thumbnails. The first whether or not the thumbnail
view shows the actual live connection, continually updated. The second, dependent on the first,
specifies whether the thumbnail session is usable. The final option controls whether
disconnected servers appear in the thumbnail view.

Encryption Settings
RDCMan can encrypt the passwords stored in files either with the local user's credentials via
CryptProtectData or an X509 certificate. The Encryption Settings tab is available in the Default
Group Settings and File Settings dialogs.

Personal certificates of the current user which have a private key are available for encryption.
You can create such a certificate in the following manner:

PowerShell

New-SelfSignedCertificate -KeySpec KeyExchange -KeyExportPolicy Exportable -

HashAlgorithm SHA1 -KeyLength 2048 -CertStoreLocation "cert:\CurrentUser\My" -
Subject "CN=MyRDCManCert"

This will create a certificate called " MyRDCManCert " in the Personal Certificates store of the
current user. To install this cert on another computer, you must export it with the private key.

Profile Management
Credential profiles can be added, edited, and removed from this tab.

List Remote Sessions

RDCMan has limited support for managing remote sessions other than those connected from
it. The [Session.List Sessions] menu item invokes the feature.

Note that the account running RDCMan must have Query Information permissions on the
remote server to list the sessions. Furthermore, the remote session must be directly reachable
rather than via a gateway server. Disconnect and Logoff permissions must be granted to
perform those operations. See msdn for more information on remote desktop permissions.

Command Line
By default, RDCMan will open the files that were loaded at the time of the last program
shutdown. You can override this by specifying a file (or files) explicitly on the RDCMan
command line. Additionally, the following switches are accepted:

/reset - reset the persisted application preferences such as window location and size.

/noopen - do not open the previously loaded files, starting with an empty environment.
/c server1[,server2...] - connect specified servers

/reconnect - connect all servers that were connected at shutdown without prompting

/noconnect - do not prompt to connect servers that were connected at shutdown

Find Servers
There is a dialog for finding servers accessed via Ctrl+F or the Edit.Find (servers) command. All
servers matching a regular expression pattern are displayed in the dialog and can be acted on
via a context menu. The pattern is matched against the full name ( group\server ).

Credential Profiles
Credential profiles store logon credentials globally to RDCMan or in a file. This allows for using
the same stored credentials across groups that do not have a common ancestor. One use
scenario is to store credentials used for logging into servers and gateways in a single place.
When a password changes, it can be edited once. Another scenario is when sharing RDG files
across a group. Instead of storing passwords in the file (which would have issues due to the
user-specific nature of the encryption RDCMan uses), a profile is created such as "Me" which
each user defines in their Global store.

You can update the settings for a credential profile in two ways. The first is to edit from a
credentials dialog and then save the exact same profile name/domain to the same store (file or
global). That will ask if you want to update. The other way is to go to the group properties for
the credential store (again, file or global) and use the Profile Management tab.

File scope credential profile passwords are encrypted according to the containing file's
Encryption Settings. Global credential profiles use the Default Group Settings.
Policies
RDCMan retrieves policy information from the
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\RDCMan registry key.

DisableLogOff - Create this DWORD value as non-zero to disable the log off command

throughout RDCMan.

FAQ
How do I use smartcard credentials to logon?

Enable "Redirect smart cards" in the Local Resources tab.

I get an error connecting through a gateway such as Error 50331656. Why?

Gateways must be specified as FQDN.

How do I make auto-logon work?

You must enable the Group Policy controlling it. Use the MMC "Group Policy" Snap-in and
navigate to "Local Computer Policy/Computer Configuration/Administrative
Templates/Windows Components/Terminal Services/Encryption and Security". Double-
click "Always prompt client for password upon connection" and click the "Disabled" box.

How do I resize the remote desktop while a server is connected?

You can't. To resize you must disconnect and reconnect (use the Reconnect feature to do
this in one step). RDCMan servers have the option, under Display Settings, to
automatically reconnect with the new resolution for both docked and undocked servers.

Download
Download Remote Desktop Connection Manager (116.1 MB)
Run now from Sysinternals Live .

Runs on:

Client: Windows 10 and higher.

Server: Windows Server 2016 and higher.
RegDelNull v1.11
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download RegDelNull (511 KB)

Introduction
This command-line utility searches for and allows you to delete Registry keys that
contain embedded-null characters and that are otherwise undeleteable using standard
Registry-editing tools. Note: deleting Registry keys may cause the applications they are
associated with to fail.

Using RegDelNull
Usage: regdelnull <path> [-s]

Parameter Description

-s Recurse into subkeys.

Here's an example of RegDelNull when used on a system on which the RegHide sample
program has created a null-embedded key:

Shell

C:\>regdelnull hklm -sRegDelNull v1.10 - Delete Registry keys with embedded

Nulls

Sysinternals - www.sysinternals.com
Null-embedded key (Nulls are replaced by '*'):
HKLM\SOFTWARE\Systems Internals\Can't touch me!*
Delete (y/n) y
Scan complete.

Download RegDelNull (511 KB)

Runs on:
Client: Windows Vista (32-bit) and higher
Server: Windows Server 2008 (32-bit) and higher
Nano Server: 2016 and higher
Registry Usage (RU) v1.2
Article • 03/23/2021

By Mark Russinovich

Published: July 4, 2016

Download RU (507 KB)

Introduction
Ru (registry usage) reports the registry space usage for the registry key you specify. By
default it recurses subkeys to show the total size of a key and its subkeys.

Using Registry Usage (RU)

usage: ru [-c[t]] [-l <levels> | -n | -v] [-q] <absolute path>

usage: ru [-c[t]] [-l <levels> | -n | -v] [-q] -h <hive file> [relative path]

Parameter Description

-c Print output as CSV. Specify -ct for tab delimiting.

-h Load the specified hive file, perform the size calculation, then unload it and
compress it.

-l Specify subkey depth of information (default is one level).

-n Do not recurse.

-q Quiet (no banner).

-v Show size of all subkeys.

CSV output is formatted as:

Path,CurrentValueCount,CurrentValueSize,ValueCount,KeyCount,KeySize,WriteTime

Download RU (507 KB)

Reghide
Article • 03/23/2021

Published: November 1, 2006

Download RegHide (38 KB) Run now from Sysinternals Live .

Introduction
A subtle but significant difference between the Win32 API and the Native API (see Inside
the Native API for more information on this largely undocumented interface) is the way
that names are described. In the Win32 API strings are interpreted as NULL-terminated
ANSI (8-bit) or wide character (16-bit) strings. In the Native API names are counted
Unicode (16-bit) strings. While this distinction is usually not important, it leaves open an
interesting situation: there is a class of names that can be referenced using the Native
API, but that cannot be described using the Win32 API.

Download RegHide (38 KB)

Run now from Sysinternals Live .

Runs on:

Client: Windows Vista and higher.

Server: Windows Server 2008 and higher.
RegJump v1.11
Article • 10/15/2021

By Mark Russinovich

Published: October 12, 2021

Download RegJump (164 KB)

Introduction
This little command-line applet takes a registry path and makes Regedit open to that
path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated
form (e.g. HKLM).

usage: regjump <<path>|-c>

Parameter Description

-c Copy path from clipboard.

e.g.: regjump HKLM\Software\Microsoft\Windows

Download RegJump (164 KB)

Strings v2.54
Article • 06/22/2021

By Mark Russinovich

Published: June 22, 2021

Download Strings (534 KB)

Introduction
Working on NT and Win2K means that executables and object files will many times have
embedded UNICODE strings that you cannot easily see with a standard ASCII strings or
grep programs. So we decided to roll our own. Strings just scans the file you pass it for
UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII)
characters. Note that it works under Windows 95 as well.

Using Strings
Usage:

Windows Command Prompt

strings [-a] [-f offset] [-b bytes] [-n length] [-o] [-q] [-s] [-u] <file or
directory>

Strings takes wild-card expressions for file names, and additional command line
parameters are defined as follows:

Parameter Description

-a Ascii-only search (Unicode and Ascii is default)

-b Bytes of file to scan

-f File offset at which to start scanning.

-o Print offset in file string was located

-n Minimum string length (default is 3)

-s Recurse subdirectories
Parameter Description

-u Unicode-only search (Unicode and Ascii is default)

-nobanner Do not display the startup banner and copyright message.

To search one or more files for the presence of a particular string using strings use a
command like this:

Windows Command Prompt

strings * | findstr /i TextToSearchFor

Download Strings (534 KB)

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2008 and higher
Nano Server: 2016 and higher
Testlimit v5.24
Article • 03/23/2021

By Mark Russinovich

Published: November 17, 2016

Download Testlimit (234 KB)

Introduction
Testlimit is a command-line utility that can be used to stress-test your PC and/or
applications by simulating low resource conditions for memory, handles, processes,
threads and other system objects.

usage: Testlimit [[-h [-u]] | [-p [-n]] | [-t [-n [KB]]] | [-u [-i]] | [-g [object size]] | [-a|-d|-
l|-m|-r|-s|-v [MB]] | [-w]] [-c [count]] [-e [seconds]]

Parameter Description

-a Leak Address Windowing Extensions (AWE) memory in specified MBs (default is 1)

-c Count of number of objects to allocate (default is as many as possible). This must be

the last option specified

-d Leak and touch memory in specified MBs (default is 1)

-e Seconds elapsed between allocations (default is 0)

-g Create GDI handles of specified size (default 1 byte). Specify a size of 0 to cause GDI
object exhaustion

-h Create handles. Specify -u to also allocate file objects

-i Exhaust USER desktop heap

-l Allocate the specified amount of large pages (rounded to large size multiple)

-m Leak memory in specified MBs (default is 1)

-p Create processes - add -n to set min working set. Add -n to set min working set of
processes to smallest

-r Reserve memory in specified MBs (default is 1)

-s Leak shared memory in specified MBs (default is 1)

Parameter Description

-t Create threads - add -n to specify minimum stack reserve (in KB)

-u Create USER handles to menus

-v VirtualLock memory in specified MBs (default is 1)

-w Reset working set minimum to highest possible value

Runs on:

Client: Windows Vista and higher

Server: Windows Server 2003 and higher
Nano Server: 2016 and higher

Download
Download Testlimit (234 KB)
Run now from Sysinternals Live .
ZoomIt v9.0
Article • 01/29/2025

By Mark Russinovich

Published: December 16, 2024

Download ZoomIt (1.4 MB)

Run now from Sysinternals Live .

Download from Microsoft PowerToys (GitHub)

https://learn-video.azurefd.net/vod/player?id=31330ae9-ccc2-4001-a9ce-
35dcbb8b5aa2&locale=en-us&embedUrl=%2Fsysinternals%2Fdownloads%2Fzoomit

Created with ZoomIt

Introduction
ZoomIt is a screen zoom, annotation, and recording tool for technical presentations and
demos. You can also use ZoomIt to snip screenshots to the clipboard or to a file. ZoomIt
runs unobtrusively in the tray and activates with customizable hotkeys to zoom in on an
area of the screen, move around while zoomed, and draw on the zoomed image. I wrote
ZoomIt to fit my specific needs and use it in all my presentations.

ZoomIt works on all versions of Windows and you can use touch and pen input for
ZoomIt drawing on tablets.

Using ZoomIt
The first time you run ZoomIt it presents a configuration dialog that describes ZoomIt's
behavior, let's you specify alternate hotkeys for zooming and for entering drawing mode
without zooming, and customize the drawing pen color and size. I use the draw-
without-zoom option to annotate the screen at its native resolution, for example.
ZoomIt also includes a break timer feature that remains active even when you tab away
from the timer window and allows you to return to the timer window by clicking on the
ZoomIt tray icon.

Shortcuts
ZoomIt offers a number of shortcuts which can extend its usage greatly.

ﾉ Expand table

Function Shortcut

Zoom Mode Ctrl + 1

Zoom In Mouse Scroll Up or Up

Arrow

Zoom Out Mouse Scroll Down or

Down Arrow

Start Drawing (While In Zoom Mode) Left-Click

Stop Drawing (While In Zoom Mode) Right-Click

Start Drawing (While Not In Zoom Mode) Ctrl + 2

Increase/Decrease Line And Cursor Size (Drawing Mode) Ctrl + Mouse Scroll
Up/Down or Arrow Keys

Center The Cursor (Drawing Mode) Space Bar

Whiteboard (Drawing Mode) W

Blackboard (Drawing Mode) K

Type in Text (Left Aligned) T

Type in Text (Right Aligned) Shift + T

Increase/Decrease Font Size (Typing Mode) Ctrl + Mouse Scroll

Up/Down or Arrow Keys

Red Pen R

Red Highlight Pen Shift + R

Green Pen G

Green Highlight Pen Shift + G

Blue Pen B

Blue Highlight Pen Shift + B

Yellow Pen Y

Yellow Highlight Pen Shift + Y

Orange Pen O
Function Shortcut

Orange Highlight Pen Shift + O

Pink Pen P

Pink Highlight Pen Shift + P

Blur Pen X

Draw a Straight Line Hold Shift

Draw a Rectangle Hold Ctrl

Draw an Ellipse Hold Tab

Draw an Arrow Hold Ctrl + Shift

Erase Last Drawing Ctrl + Z

Erase All Drawings E

Copy Screenshot to Clipboard Ctrl + C

Crop Screenshot to Clipboard Ctrl + Shift + C

Save Screenshot as PNG Ctrl + S

Save Cropped Screenshot to a File Ctrl + Shift + S

Copy a Region of The Screen To Clipboard Ctrl + 6

Save a Region of The Screen To a File Ctrl + Shift + 6

Start/Stop Full Screen Recording Saved as MP4 (Windows 10 May Ctrl + 5

2019 Update And Higher)

Crop Screen Recording Saved as MP4 (Windows 10 May 2019 Update Ctrl + Shift + 5
And Higher)

Screen Record Only The Window That The Mouse Cursor is Positioned Ctrl + Alt + 5
Over Saved as MP4 (Windows 10 May 2019 Update And Higher)

Show Countdown Timer Ctrl + 3

Increase/Decrease Time Ctrl + Mouse Scroll

Up/Down or Arrow Keys

Minimize Timer (Without Pausing It) Alt + Tab

Show Timer When Minimized Left-Click On The

ZoomIt Icon
Function Shortcut

LiveZoom Mode Ctrl + 4

LiveDraw Mode Ctrl + Shift + 4

Start DemoType Ctrl + 7

Move back to the previous snippet (DemoType) Ctrl + Shift + 7

Advance to the next snippet (DemoType User-driven Mode) Space Bar

Exit Esc or Right-Click

Download ZoomIt (1.4 MB)

Run now from Sysinternals Live .

Download from Microsoft PowerToys (GitHub)

Sysinternals Suite
Article • 05/05/2025

By Mark Russinovich
Updated: May 5, 2025

Download Sysinternals Suite (166.1 MB)

Download Sysinternals Suite for Nano Server (9.5 MB)
Download Sysinternals Suite for ARM64 (15 MB)
Install Sysinternals Suite from the Microsoft Store

Introduction
The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This
file contains the individual troubleshooting tools and help files. It does not contain non-
troubleshooting tools like the BSOD Screen Saver.

The Suite is a bundling of the following selected Sysinternals Utilities: AccessChk, AccessEnum,
AdExplorer, AdInsight, AdRestore, Autologon, Autoruns, BgInfo, BlueScreen, CacheSet,
ClockRes, Contig, Coreinfo, Ctrl2Cap, DebugView, Desktops, Disk2vhd, DiskExt, DiskMon,
DiskView, Disk Usage (DU), EFSDump, FindLinks, Handle, Hex2dec, Junction, LDMDump,
ListDLLs, LiveKd, LoadOrder, LogonSessions, MoveFile, NotMyFault, NTFSInfo, PendMoves,
PipeList, PortMon, ProcDump, Process Explorer, Process Monitor, PsExec, PsFile, PsGetSid,
PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsPing, PsService, PsShutdown,
PsSuspend, PsTools, RAMMap, RDCMan, RegDelNull, RegHide, RegJump, Registry Usage (RU),
SDelete, ShareEnum, ShellRunas, Sigcheck, Streams, Strings, Sync, Sysmon, TCPView, VMMap,
VolumeID, WhoIs, WinObj, ZoomIt
Microsoft Store
Article • 05/05/2025

Sysinternals Suite
Version 2025.5
May 5, 2025

Sysinternals Suite is installed as an MSIX bundle from the Microsoft Store.

Usage
Like most other MSIX packages, Sysinternals Suite is installed per user, but the binaries are stored
in a secure location and shared by users. Graphical tools, like Process Explorer, are added to the
Windows Start menu. Starting with Windows 11, they are grouped in a Sysinternals Suite folder
(VisualGroup property).

７ Note

Windows 10 does not support Start menu folders for MSIX packages so the tools are not
grouped in a Sysinternals Suite folder.

All executables are available from the path via Windows app execution aliases:

txt

Microsoft.SysinternalsSuite_8wekyb3d8bbwe "Sysinternals Suite"

accesschk.exe AccessEnum.exe ADExplorer.exe ADInsight.exe

adrestore.exe Autologon.exe Autoruns.exe autorunsc.exe
Bginfo.exe Cacheset.exe Clockres.exe Contig.exe
Coreinfo.exe CPUSTRES.EXE Dbgview.exe Desktops.exe
disk2vhd.exe diskext.exe Diskmon.exe DiskView.exe
du.exe efsdump.exe FindLinks.exe handle.exe
hex2dec.exe junction.exe Listdlls.exe livekd.exe
LoadOrd.exe LoadOrdC.exe logonsessions.exe movefile.exe
notmyfault.exe notmyfaultc.exe ntfsinfo.exe pendmoves.exe
pipelist.exe procdump.exe procexp.exe Procmon.exe
PsExec.exe psfile.exe PsGetsid.exe PsInfo.exe
pskill.exe pslist.exe PsLoggedon.exe psloglist.exe
pspasswd.exe psping.exe PsService.exe psshutdown.exe
pssuspend.exe RAMMap.exe RDCMan.exe RegDelNull.exe
regjump.exe ru.exe sdelete.exe ShareEnum.exe
ShellRunas.exe sigcheck.exe streams.exe strings.exe
sync.exe Sysmon.exe tcpvcon.exe tcpview.exe
Testlimit.exe vmmap.exe Volumeid.exe whois.exe
Winobj.exe ZoomIt.exe

App Execution Aliases

To view all, search for "Manage app execution aliases" from Windows Search or Settings.
They are a special type of reparse point managed by Windows for MSIX packages.
They are stored in a directory in the user profile, which is in the path:
%LOCALAPPDATA%\Microsoft\WindowsApps
The full list for Sysinternals Suite is in the following directory:
%LOCALAPPDATA%\Microsoft\WindowsApps\Microsoft.SysinternalsSuite_8wekyb3d8bbwe
Looking here is a way to list all app execution aliases from the package.
They are deleted when the MSIX package is uninstalled.

Processor Architecture
The MSIX bundle contains separate packages for ARM64, x64, and x86.
Only the package matching the OS is downloaded and installed.
Packaged executables do not have a suffix ('64' for x64, '64a' for ARM64).
For example, procexp.exe on x64 is the same as the unpackaged procexp64.exe.
Sysinternals Community
Article • 11/25/2020

Follow on Twitter
Follow @Sysinternals
Follow @MarkRussinovich

Search and Post Questions on Microsoft Q&A

Windows Sysinternals on Q&A allows you to search a growing archive of technical
questions and answers.
Sysinternals Resources
Article • 10/12/2022

Books
Windows Internals Book
The official updates and errata page for the definitive book on Windows internals, by
Mark Russinovich and David Solomon.

Troubleshooting with the Windows Sysinternals Tools

The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis,
including descriptions of all the tools, their features, how to use them for
troubleshooting, and example real-world cases of their use.

Articles
Inside the Windows Vista Kernel: Part 1
Inside the Windows Vista Kernel: Part 2
Inside the Windows Vista Kernel: Part 3
Inside Windows Vista User Account Control
Inside Windows Server 2008 Kernel Changes

Videos and Webcasts

Sysinternals@25
Find all the videos from this special event:

Fireside Chat with Mark Russinovich

Sysinternals Overview
Process Explorer Deep Dive
Process Monitor Deep Dive
Sysmon Deep Dive
Autoruns Deep Dive
ProcDump Deep Dive
PsTools Deep Dive
Sysinternals for Linux Deep Dive

Candid talk from the man behind your favorite Windows tools
Mark talks with Larry Seltzer about the history and future of Sysinternals.
Defrag Tools Shows
Episodes 1 – 12 of the Defrag Tools shows focus on Sysinternals tools. Each episode
covers a specific tool used on the tech support show Defrag , covering when and why
to use the tools, and providing tips on how to get the most out of them:

Defrag Tools: #1 - Building your USB thumbdrive

Defrag Tools: #2 - Process Explorer
Defrag Tools: #3 - Process Monitor
Defrag Tools: #4 - Process Monitor - Examples
Defrag Tools: #5 - Autoruns and MSConfig
Defrag Tools: #6 - RAMMap
Defrag Tools: #7 - VMMap
Defrag Tools: #8 - Mark Russinovich
Defrag Tools: #9 - ProcDump
Defrag Tools: #10 - ProcDump - Triggers
Defrag Tools: #11 - ProcDump - Windows 8 & Process Monitor
Defrag Tools: #12 - TaskMgr and ResMon

Mark's Webcasts
Two dozen of Mark’s top-rated presentations on Sysinternals, Windows internals, and
Windows Azure are available for on-demand viewing. Get tips and techniques on using
the Sysinternals tools to troubleshoot directly from their author.

TWC: Sysinternals Primer: TechEd 2014 Edition

The latest edition of the popular Sysinternals Primer series with Aaron Margosis, Mark
Russinovich’s co-author of The Windows Sysinternals Administrator’s Reference. The
Sysinternals utilities are vital tools for any computer professional on the Windows
platform. Mark Russinovich's popular “Case Of The Unexplained” demonstrates some of
their capabilities in advanced troubleshooting scenarios. This complementary tutorial
series focuses primarily on the utilities themselves, deep-diving into as many features as
time allows. Expect to see some advanced analysis, such as manipulating Procmon
results with Windows PowerShell, and interesting/useful new features.

Sysinternals Primer: Autoruns, Disk2Vhd, ProcDump, BgInfo and AccessChk

The Sysinternals utilities are vital tools for any computer professional on the Windows
platform. Mark Russinovich's popular "Case Of The Unexplained" demonstrates some of
their capabilities in advanced troubleshooting scenarios. This complementary tutorial
session focuses primarily on the utilities themselves, giving you tips and techniques for
using their full functionality for troubleshooting and systems management. This session
follows the same format as last year’s highly-rated delivery, and covers a different set of
the most useful Sysinternals tools.
Unintended Consequences of Security Lockdowns (uses Sysinternals utilities a lot)
Security-conscious organizations often lock down their systems based on prescriptive
guidance from Microsoft, US Federal government agencies or other security
organizations. Sometimes these settings can lead to unpleasant surprises and
unexpected side effects. This session describes and demonstrates some of the common
issues that can arise, and whether and how those settings actually help or hurt. Is there
benefit to not granting Administrators the “Debug” privilege? Does “Hide mechanisms
to remove zone information” break anything? Is the “Require trusted path for credential
entry” setting worth the inconvenience? Come see!

Windows Sysinternals Primer: Process Explorer, Process Monitor and More

Newsletter
Sysinternals Newsletter Archive
Mark's Webcasts
Article • 07/26/2023

Watch free on-demand recordings of Mark’s top-rated presentations from TechEd,

BUILD and other conferences on Azure, security, Windows troubleshooting, malware
hunting. If you have a question about a topic in any of these webcasts, please visit the
Sysinternals Forum for answers and help from other users and our moderators.

Case of the Unexplained

The Case of the Unexplained 2016
The Case of the Unexplained 2015
The Case of the Unexplained 2014
The Case of the Unexplained 2013
The Case of the Unexplained 2012
The Case of the Unexplained 2011
The Case of the Unexplained 2010
Mark’s “The Case of…” blog posts come alive in these recorded webcasts of his
#1-rated TechEd sessions. Learn how to troubleshoot the toughest Windows and
application problems by watching Mark use Sysinternals and other advanced tools
to solve real-world examples. Be sure to check out all webcasts since they include
totally different troubleshooting examples and demonstrate different techniques.

Microsoft Azure
The Next Generation of Azure Compute Platform Learn about ways to integrate
with Azure Resource Manager (ARM) to enable role-based access control (RBAC),
tagging,and template-based deployments,and how Windows containers with
Docker compatibility make your code deploy instantly and work consistently in any
environment. Also learn how Service Fabric, Microsoft’s hyper-scale micro-service
PaaS that powers everything from Azure DB to Cortana, brings applications state-
of-the art high-density, high availability and stateful computing capabilities.
Mark Russinovich and Mark Minasi on Cloud Computing Join Mark Russinovich
and Mark Minasi for a lively discussion as they share their views on the cloud
computing disruption and what it means for IT pros and developers. Mark
Russinovich brings his perspective from leading Microsoft Azure architecture and
Mark Minasi brings his IT expertise and view from outside.
Public Cloud Security: Surviving in a Hostile Multi-Tenant Environment The rise
of public cloud computing has brought with it a new set of security considerations
that are not widely understood. With a unique perspective from working on the
security systems of a public cloud, Mark describes public cloud service provider
and cloud customer threats, including malicious insiders, shared technology, data
breaches, and data loss. For each, he assesses the risks and explores the value of
mitigations like encryption-at-rest, encryption-in-flight, and other security best
practices, separating hype from reality so that you can make educated decisions as
your organization moves to the cloud.
Mark Russinovich and Mark Minasi on Cloud Computing
(https://channel9.msdn.com/events/teched/northamerica/2014/dcim-b386) Join
Mark Russinovich and Mark Minasi for a lively discussion as they share their views
on the cloud computing disruption and what it means for IT pros and developers.
Mark Russinovich brings his perspective from leading Microsoft Azure architecture
and Mark Minasi brings his IT expertise and view from outside. The economics of
public cloud, future of PaaS and IaaS, how enterprises will bridge their on-premises
environments with the cloud, how you should look at security in the public cloud,
and what skills are important for IT pros and developers are just some of the areas
they explore together.
Infrastructure Services on Microsoft Azure: Virtual Machines and Virtual Networks
(https://channel9.msdn.com/events/teched/northamerica/2013/mdc-b212) This
session gives an overview of the new Windows Azure infrastructure services (IaaS),
including support for Windows Server and Linux persistent virtual machines, new
networking capabilities for hybrid applications and on-premises/cloud
connectivity, and support for applications that consist of PaaS and IaaS roles. Mark
explains how IaaS fits into Windows Azure to extend existing server applications to
cloud and shows demonstrations of IaaS VM deployment and complex multi-VM
applications.
Microsoft Azure Internals Mark Russinovich goes under the hood of the Microsoft
datacenter operating system. Intended for developers who have already gotten
their hands dirty with Windows Azure and understand its basic concepts, this
session gives an inside look at the architectural design of the Windows Azure
compute platform. Learn about Microsoft’s datacenter architecture, what goes on
behind the scenes when you deploy and update a Windows Azure app and how it
monitors and responds to the health of machines, its own components, and the
apps it hosts.
Introduction to Microsoft Azure: The Cloud Operating System Join Mark
Russinovich for an overview of Microsoft’s new cloud OS. Assuming no prior
knowledge of Windows Azure, this session will start by explaining the Windows
Azure Platform-as-a-Service (PaaS) app philosophy and how it differs from that of
traditional server apps. Then, demonstrating key concepts with a real Windows
Azure service built and deployed to the cloud, we’ll describe the Windows Azure
service model, including concepts like update and fault domains. The session will
then conclude by discussing the different service update options and detail the
recovery steps Windows Azure follows when it detects that a service or a hardware
device has failed.
Inside Microsoft Azure: The Cloud Operating System Mark Russinovich goes under
the hood of Microsoft’s new cloud OS. Intended for developers who have already
gotten their hands dirty with Windows Azure and understand its basic concepts,
this session gives an inside look at the architectural design of Windows Azure’s
compute platform. You’ll learn about Microsoft’s datacenter architecture, what
goes on behind the scenes when you deploy and update a Windows Azure app
and how it monitors and responds to the health of machines, its own components
and the apps it hosts.
Channel9: MarkRussinovich: Microsoft Azure, Cloud Operating Systems and
Platformas a Service Mark talks about what he’s working on in the Windows
Azure team, why the world is moving to the cloud, and what Platform-as-a-Service
(PaaS) means and how Windows Azure delivers PaaS.

Windows Internals
Tech-Ed North America 2011: Mysteries of Windows Memory Management
Revealed, Part1
(https://channel9.msdn.com/events/teched/northamerica/2011/wcl405) [Tech-Ed
North America 2011: Mysteries of Windows Memory Management Revealed, Part2
(https://channel9.msdn.com/events/teched/northamerica/2011/wcl406) If you
want to know the difference between System Committed memory and Process
Committed memory, wondered what all those memory numbers shown by Task
Manager really mean, or want to gain insight into the memory-related impact of a
process, then this talk is for you. Watch Mark in this on-demand webcast from
North America 2011.
Pushing the Limits of Windows
(https://channel9.msdn.com/events/teched/europe/2009/cli402) Watch as Mark
explains Windows limits related to object handles, virtual memory and physical
memory. Along the way he explains where the limits come from and how to
monitor your applications so that you're warned when they approach the limits
and so that you can size your systems to accommodate their resource
requirements.
Inside Windows Server 2008R2 Virtualization and VHD Improvements
(https://channel9.msdn.com/events/teched/northamerica/2009/vir401) Mark takes
you inside new Windows virtualization and VHD features, including live VM
migration, core parking and timer coalescing, hypervisor power management
support,and new hardware-assisted guest memory management. He delivers the
entire presentation from a Windows installation that was booted from VHD to
show you how Windows implements a native VHD stack and how the boot
architecture has changed to accommodate booting from VHD images.
Channel9: Mark Russinovich goes Inside Windows 7 Mark talks about kernel
changes in Windows 7 and Windows Server 2008R2, including the removal of the
scheduler's dispatcher lock, support for up to 256 CPUs, boot from VHD, MinWin,
core parking for power savings and more.
Channel9: Mark Russinovich: Inside Windows 7 Redux In a follow-on to the
previous Inside Windows 7 discussion, Mark digs into the insides of Windows 7,
way deep down in the system (the cumulative effects of which help to make
Windows 7 Microsoft's most reliable, scalable and efficient general purpose
operating system to date).
Channel9: Mark talks about working at Microsoft, Windows Server 2008's kernel,
MinWin vs ServerCore and Hyper-V Channel 9 chats with Technical Fellow and
Sysinternals founder Mark Russinovich to dig a bit into what's new in the Windows
Server 2008 kernel. Of course, we talk about many things including HyperV,
application virtualization, kernel architecture, and more....

Security
TWC: Pass-the-Hash: How Attackers Spread and How to Stop Them Pass-the-
hash transforms the breach of one machine into total compromise of
infrastructure. The publication of attacks, and lack of tools to respond, have forced
enterprises to rely on onerous and ineffective techniques. In this session, we
deconstruct the PtH threat, show how the attack is performed, and how it can be
addressed using new features and functionality recently introduced in Windows.
TWC: Malware Hunting with Mark Russinovich and the Sysinternals Tools Mark
provides an overview of several Sysinternals tools, including Process Monitor,
Process Explorer, and Autoruns, focusing on the features useful for malware
analysis and removal. These utilities enable deep inspection and control of
processes, file system and registry activity, and autostart execution points. He
demonstrates their malware-hunting capabilities by presenting several current,
real-world malware samples and using the tools to identify and clean malware.
License to Kill: Malware Hunting with the Sysinternals tools This session provides
an overview of several Sysinternals tools, including Process Monitor, Process
Explorer, and Autoruns, focusing on the features useful for malware analysis and
removal. These utilities enable deep inspection and control of processes, file
system and registry activity, and autostart execution points. You will see demos for
their malware-hunting capabilities through several real-world cases that used the
tools to identify and clean malware,and conclude by performing a live analysis of a
Stuxnet infection’s system impact.
Zero Day: A Non-Fiction View Mark makes the case for how his hit cyberthriller,
ZeroDay, is likely to be realized in non-fiction form in this 20-minute short version
of his well-popular RSA Conference session.
Zero Day Malware Cleaning with the Sysinternals tools Slides from Mark’s
highly-rated Blackhat US 2011 presentation how to use the Sysinternals tools to
hunt down and eliminate malware.
Channel9: Mark Talks about Windows Security and Core Architecture Check out
Mark’s Channel 9 interview where he talks about how he got started with Windows
internals, new security features in Windows Vista, User Account Control,and what
he’s doing at Microsoft.

Defrag Tools
Defrag Tools Shows Episodes 1 – 12 of the Defrag Tools shows focus on
Sysinternals tools. Each episode covers a specific tool used on the tech support
show Defrag , covering when and why to use the tools, and providing tips on
how to get the most out of them:
Defrag Tools: #1- Building your USB thumbdrive
Defrag Tools: #2- Process Explorer
Defrag Tools: #3- Process Monitor
Defrag Tools: #4- Process Monitor- Examples
Defrag Tools: #5- Autoruns and MSConfig
Defrag Tools: #6- RAMMap
Defrag Tools: #7- VMMap
Defrag Tools: #8- Mark Russinovich
Defrag Tools: #9- ProcDump
Defrag Tools: #10- ProcDump- Triggers
Defrag Tools: #11- ProcDump- Windows 8 & Process Monitor
Defrag Tools: #12- TaskMgr and ResMon
Windows Internals Book
Article • 09/15/2022

Windows Internals 7th edition (Part 1) covers the architecture and core internals of
Windows 10 and Windows Server 2016. This book helps you:

Understand the Windows system architecture and its general components

Explore internal data structures using tools like the kernel debugger
Understand how Windows uses processes for management and isolation
Understand and view thread scheduling and how CPU resources are managed
Dig into the Windows security model including recent advances in security
mitigations
Understand how Windows manages virtual and physical memory
Understand how the I/O system manages physical devices and device drivers

The 7th edition was written by Pavel Yosifovich, Alex Ionescu, Mark Russinovich and
David Solomon. New material has been added since the 6th edition (which covered
Windows 7 and Windows Server 2008 R2).

The 7th edition’s part 2 (written by Andrea Allievi, Mark E. Russinovich, Alex Ionescu and
David A. Solomon) is now available, and provides an invaluable resource on missing
topics from the first part of the 7th edition. These include the boot process, new storage
technologies, and Windows system and management mechanisms.

Table of contents of the 7th edition, part 1:

Chapter 1: Concepts and Tools
Chapter 2: System Architecture
Chapter 3: Processes and Jobs
Chapter 4: Threads
Chapter 5: Memory Management
Chapter 6: I/O System
Chapter 7: Security

The book is available for purchase on the Microsoft Press site (7th edition Part 1 ; 7th
Edition Part 2 ).

History of the Book

This is the seventh edition of a book that was originally called Inside Windows NT
(Microsoft Press, 1992), written by Helen Custer (prior to the initial release of Microsoft
Windows NT 3.1). Inside Windows NT was the first book ever published about Windows
NT and provided key insights into the architecture and design of the system. Inside
Windows NT, Second Edition (Microsoft Press, 1998) was written by David Solomon. It
updated the original book to cover Windows NT 4.0 and had a greatly increased level of
technical depth. Inside Windows 2000, Third Edition (Microsoft Press, 2000) was
authored by David Solomon and Mark Russinovich. It added many new topics, such as
startup and shutdown, service internals, registry internals, file-system drivers, and
networking. It also covered kernel changes in Windows 2000, such as the Windows
Driver Model (WDM), Plug and Play, power management, Windows Management
Instrumentation (WMI), encryption, the job object, and Terminal Services. Windows
Internals, Fourth Edition was the Windows XP and Windows Server 2003 update and
added more content focused on helping IT professionals make use of their knowledge
of Windows internals, such as using key tools from Windows Sysinternals and analyzing
crash dumps.

Windows Internals, Fifth Edition was the update for Windows Vista and Windows Server
2008. It saw Mark Russinovich move on to a full-time job at Microsoft (where he is now
the Azure CTO) and the addition of a new co-author, Alex Ionescu. New content
included the image loader, user-mode debugging facility, Advanced Local Procedure
Call (ALPC), and Hyper-V. The next release, Windows Internals, Sixth Edition, was fully
updated to address the many kernel changes in Windows 7 and Windows Server 2008
R2, with many new hands-on experiments to reflect changes in the tools as well.

Seventh Edition Changes

Since this series’ last update, Windows has gone through several releases, coming up to
Windows 10 and Windows Server 2016. Windows 10 itself, being the current going-
forward name for Windows, has had several releases since its initial Release-to-
Manufacturing, or RTM, each labeled with a 4-digit version number indicating year and
month of release, such as Windows 10, version 1703 that was completed in March 2017.
The above implies that Windows has gone through at least 6 versions since Windows 7.
Starting with Windows 8, Microsoft began a process of OS convergence, which is
beneficial from a development perspective as well as for the Windows engineering team
itself. Windows 8 and Windows Phone 8 had converged kernels, with modern app
convergence arriving in Windows 8.1 and Windows Phone 8.1. The convergence story
was complete with Windows 10, which runs on desktops/laptops, servers, XBOX One,
phones (Windows Mobile 10), HoloLens, and various Internet of Things (IoT) devices.
With this grand unification completed, the time was right for a new edition of the series,
which could now finally catch up with almost half a decade of changes, in what will now
be a more stabilized kernel architecture going forward. As such, this latest book covers
aspects of Windows from Windows 8 to Windows 10, version 1703. Additionally, this
edition welcomes Pavel Yosifovich as its new co-author.

Book tools
Several tools have been specifically written for the book, and they are available with full
source code at the WindowsInternals GitHub repository .
Troubleshooting with the Windows
Sysinternals Tools
Article • 07/19/2022

An update to Windows Sysinternals Administrator’s Reference

By Mark Russinovich and Aaron Margosis
Troubleshooting with the Windows Sysinternals Tools is the official book on the
Sysinternals tools, written by tool author and Sysinternals cofounder Mark Russinovich,
and Windows expert Aaron Margosis. The book covers all 65+ tools in detail, with full
chapters on the major tools like Process Explorer, Process Monitor, and Autoruns. In
addition to tips and tricks in the tool chapters, it includes 45 "Case of the Unexplained…"
examples of the tools used by users to solve real-world problems. Buy the book today
and take your Windows troubleshooting and systems management skills to the next
level.

Ordering the Book

You can purchase the book from these online retailers:

Microsoft Press Store

Amazon
Barnes & Noble
Independent booksellers – Shop local

You can also read it online through O'REILLY Media .

Description of the Book

IT pros and power users consider the free Windows Sysinternals tools indispensable for
diagnosing, troubleshooting, and deeply understanding the Windows platform. In this
extensively updated guide, Sysinternals creator Mark Russinovich and expert Windows
consultant Aaron Margosis help you use these powerful tools to optimize any Windows
system’s reliability, efficiency, performance, and security. The authors first explain
Sysinternals’ capabilities and help you get started fast. Next, they offer in-depth
coverage of each major tool, from Process Explorer and Process Monitor to Sysinternals’
security and file utilities. Then, building on this knowledge, they show the tools being
used to solve real-world cases involving error messages, hangs, sluggishness, malware
infections, and much more.
Windows Sysinternals creator Mark Russinovich and Aaron Margosis show you how to:

Use Process Explorer to display detailed process and system information

Use Process Monitor to capture low-level system events, and quickly filter the
output to narrow down root causes
List, categorize, and manage software that runs when you start or sign in to your
computer, or when you run Microsoft Office or Internet Explorer
Verify digital signatures of files, of running programs, and of the modules loaded in
those programs
Use Autoruns, Process Explorer, Sigcheck, and Process Monitor features that can
identify and clean malware infestations
Inspect permissions on files, keys, services, shares, and other objects
Use Sysmon to monitor security-relevant events across your network
Generate memory dumps when a process meets specified criteria
Execute processes remotely, and close files that were opened remotely
Manage Active Directory objects and trace LDAP API calls
Capture detailed data about processors, memory, and clocks
Troubleshoot unbootable devices, file-in-use errors, unexplained communication,
and many other problems
Understand Windows core concepts that aren’t well-documented elsewhere

Sample Chapter
You can read samples from the book at this link on Amazon.com .

Table of Contents
Part I: Getting started
Chapter 1 Getting started with the Sysinternals utilities
Chapter 2 Windows core concepts
Part II: Usage guide
Chapter 3 Process Explorer
Chapter 4 Autoruns
Chapter 5 Process Monitor
Chapter 6 ProcDump
Chapter 7 PsTools
Chapter 8 Process and diagnostic utilities
Chapter 9 Security utilities
Chapter 10 Active Directory utilities
Chapter 11 Desktop utilities
Chapter 12 File utilities
Chapter 13 Disk utilities
Chapter 14 Network and communication utilities
Chapter 15 System information utilities
Chapter 16 Miscellaneous utilities
Part III: Troubleshooting — "The Case of the Unexplained..."
Chapter 17 Error messages
Chapter 18 Crashes
Chapter 19 Hangs and sluggish performance
Chapter 20 Malware
Chapter 21 Understanding system behavior
Chapter 22 Developer troubleshooting

Errata
See the Errata & Updates tab on the Microsoft Press web site
Inside Native Applications
Article • 03/23/2021

Mark Russinovich Published: November 1, 2006

Introduction
If you have some familiarity with NT's architecture you are probably aware that the API
that Win32 applications use isn't the "real" NT API. NT's operating environments, which
include POSIX, OS/2 and Win32, talk to their client applications via their own APIs, but
talk to NT using the NT "native" API. The native API is mostly undocumented, with only
about 25 of its 250 functions described in the Windows NT Device Driver Kit.

What most people don't know, however, is that "native" applications exist on NT that
are not clients of any of the operating environments. These programs speak the native
NT API and can't use operating environment APIs like Win32. Why would such programs
be needed" Any program that must run before the Win32 subsystem is started (around
the time the logon box appears) must be a native application. The most visible example
of a native application is the "autochk" program that runs chkdsk during the
initialization Blue Screen (its the program that prints the "."'s on the screen). Naturally,
the Win32 operating environment server, CSRSS.EXE (Client-Server Runtime Subsystem),
must also be a native application.

In this article I'm going to describe how native applications are built and how they work.

How Does Autochk Get Executed

Autochk runs in between the time that NT's boot and system start drivers are loaded,
and when paging is turned on. At this point in the boot sequence Session Manager
(smss.exe) is getting NT's user-mode environment off-the-ground and no other
programs are active. The HKLM\System\CurrentControlSet\Control\Session
Manager\BootExecute value, a MULTI_SZ, contains the names and arguments of
programs that are executed by Session Manager, and is where Autochk is specified.
Here is what you'll typically find if you look at this value, where "Autochk" is passed "*"
as an argument:

Shell

Autocheck Autochk *
Session Manager looks in the <winnt>\system32 directory for the executables listed in
this value. When Autochk runs there are no files open so Autochk can open any volume
in raw-mode, including the boot drive, and manipulate its on-disk data structures. This
wouldn't be possible at any later point.

Building Native Applications

Microsoft doesn't document it, but the NT DDK Build utility knows how to make native
applications (and its probably used to compile Autochk). You specify information in a
SOURCES file that defines the application, the same as would be done for device drivers.
However, instead of indicating to Build that you want a driver, you tell it you want a
native applicationin the SOURCES file like this:

Shell

TARGETTYPE=PROGRAM

The Build utility uses a standard makefile to guide it, \ddk\inc\makefile.def, which looks
for a run-time library named nt.lib when compiling native applications. Unfortunately,
Microsoft doesn't ship this file with the DDK (its included in the Server 2003 DDK, but I
suspect that if you link with that version your native application won't run on XP or
Windows 2000). However, you can work around this problem by including a line in
makefile.def that overrides the selection of nt.lib by specifying Visual C++'s runtime
library, msvcrt.lib

If you run Build under the DDK's "Checked Build" environment it will produce a native
application with full debug information under %BASEDIR%\lib%CPU%\Checked (e.g.
c:\ddk\lib\i386\checked\native.exe), and if you invoke it in the "Free Build" environment
a release version of the program will end up in %BASEDIR%\lib%CPU%\Free. These are
the same places device driver images are placed by Build.

Native applications have ".exe" file extensions but you cannot run them like Win32
.exe's. If you try you'll get the message:

The application cannot be run in Windows NT mode.

Inside a Native Application

Instead of winmain or main, the entry point for native applications is NtProcessStartup.
Also unlike the other Win32 entry points, native applications must reach into a data
structure passed as its sole parameter to locate command-line arguments.
The majority of a native application's runtime environment is provided by NTDLL.DLL,
NT's native API export library. Native applications must create their own heap from
which to allocate storage by using RtlCreateHeap, a NTDLL function. Memory is
allocated from a heap with RtlAllocateHeap and freed with RtlFreeHeap. If a native
application wishes to print something to the screen it must use the function
NtDisplayString, which will output to the initialization Blue Screen.

Native applications don't simply return from their startup function like Win32 programs,
since there is no runtime code to return to. Instead, they must terminate themselves by
calling NtProcessTerminate.

The NTDLL runtime consists of hundreds of functions that allow native applications to
perform file I/O, interact with device drivers, and perform interprocess communications.
Unfortunately, as I stated earlier, the vast majority of these functions are undocumented.
Sysinternals Newsletter Archive
Article • 07/27/2021

Volume 1
Number 1 - April 14, 1999
Number 2 - May 15, 1999
Number 3 - June 19, 1999
Number 4 - August 5, 1999
Number 5 - October 12, 1999
Volume 2
Number 1 - January 6, 2000
Number 2 - March 27, 2000
Number 3 - June 14, 2000
Number 4 - August 30, 2000
Number 5 - November 30, 2000
Volume 3
Number 1 - April 18, 2001
Number 2 - August 20, 2001
Volume 4
Number 1 - January 7, 2002
Number 2 - August 12, 2002
Number 3 - October 16, 2002
Volume 5
Number 1 - February 19, 2003
Number 2 - June 23, 2003
Volume 6
Number 1 - April 27, 2004
Number 2 - July 30, 2004
Volume 7
Number 1 - January 5, 2005
Special Announcement - April 11, 2005
Number 2 - August 24, 2005
Volume 8
Number 1 - March 2, 2006
Number 2, Sysinternals Site Migration - October 30, 2006
Number 3, Sysinternals TechCenter - November 06, 2006
Number 4, Web Site Updates - November 08, 2006
Sysinternals Software License Terms
Article • 05/24/2023

These license terms are an agreement between Sysinternals (a wholly owned subsidiary
of Microsoft Corporation) and you. Please read them. They apply to the software you are
downloading from technet.microsoft.com/sysinternals, which includes the media on
which you received it, if any. The terms also apply to any Sysinternals

updates,
supplements,
Internet-based services,
and support services

for this software, unless other terms accompany those items. If so, those terms apply.

BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT
THEM, DO NOT USE THE SOFTWARE.

If you comply with these license terms, you have the rights below.

Installation and User Rights

You may install and use any number of copies of the software on your devices.

Scope of License
The software is licensed, not sold. This agreement only gives you some rights to use the
software. Sysinternals reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the software only as expressly permitted in
this agreement. In doing so, you must comply with any technical limitations in the
software that only allow you to use it in certain ways. You may not

work around any technical limitations in the software;

reverse engineer, decompile or disassemble the software, except and only to the
extent that applicable law expressly permits, despite this limitation;
make more copies of the software than specified in this agreement or allowed by
applicable law, despite this limitation;
publish the software for others to copy;
rent, lease or lend the software;
transfer the software or this agreement to any third party; or
use the software for commercial software hosting services.
Sensitive Information
Please be aware that, similar to other debug tools that capture “process state”
information, files saved by Sysinternals tools may include personally identifiable or other
sensitive information (such as usernames, passwords, paths to files accessed, and paths
to registry accessed). By using this software, you acknowledge that you are aware of this
and take sole responsibility for any personally identifiable or other sensitive information
provided to Microsoft or any other party through your use of the software.

Data Collection
The Sysinternals tools do not collect any data. Please refer to the Microsoft Privacy
Statement .

Documentation
Any person that has valid access to your computer or internal network may copy and
use the documentation for your internal, reference purposes.

Export Restrictions
The software is subject to United States export laws and regulations. You must comply
with all domestic and international export laws and regulations that apply to the
software. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting .

Support Services
Because this software is "as is," we may not provide support services for it.

Entire Agreement
This agreement, and the terms for supplements, updates, Internet-based services and
support services that you use, are the entire agreement for the software and support
services.

Applicable Law
United States . If you acquired the software in the United States , Washington state law
governs the interpretation of this agreement and applies to claims for breach of it,
regardless of conflict of laws principles. The laws of the state where you live govern all
other claims, including claims under state consumer protection laws, unfair competition
laws, and in tort.

Outside the United States . If you acquired the software in any other country, the laws of
that country apply.

Legal Effect
This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you
acquired the software. This agreement does not change your rights under the laws of
your country if the laws of your country do not permit it to do so.

Disclaimer of Warranty
The software is licensed "as-is." You bear the risk of using it. Sysinternals gives no
express warranties, guarantees or conditions. You may have additional consumer rights
under your local laws which this agreement cannot change. To the extent permitted
under your local laws, sysinternals excludes the implied warranties of merchantability,
fitness for a particular purpose and non-infringement.

Limitation on and Exclusion of Remedies and

Damages
You can recover from sysinternals and its suppliers only direct damages up to U.S. $5.00.
You cannot recover any other damages, including consequential, lost profits, special,
indirect or incidental damages.

This limitation applies to

anything related to the software, services, content (including code) on third party
Internet sites, or third party programs; and
claims for breach of contract, breach of warranty, guarantee or condition, strict
liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Sysinternals knew or should have known about the possibility of
the damages. The above limitation or exclusion may not apply to you because your
country may not allow the exclusion or limitation of incidental, consequential or other
damages.

Please note: As this software is distributed in Quebec , Canada , some of the clauses in
this agreement are provided below in French.

Remarque : Ce logiciel étant distribué au Québec, Canada, certaines des clauses dans
ce contrat sont fournies ci-dessous en français.

EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ».
Toute utilisation de ce logiciel est à votre seule risque et péril. Sysinternals n'accorde
aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu
du droit local sur la protection dues consommateurs, que ce contrat ne peut modifier. La
ou elles sont permises par le droit locale, les garanties implicites de qualité marchande,
d'adéquation à un usage particulier et d'absence de contrefaçon sont exclues.

LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR

LES DOMMAGES. Vous pouvez obtenir de Sysinternals et de ses fournisseurs une
indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne
pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les
dommages spéciaux, indirects ou accessoires et pertes de bénéfices.

Cette limitation concerne :

tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code)
figurant sur des sites Internet tiers ou dans des programmes tiers ; et
les réclamations au titre de violation de contrat ou de garantie, ou au titre de
responsabilité stricte, de négligence ou d'une autre faute dans la limite autorisée
par la loi en vigueur.

Elle s'applique également, même si Sysinternals connaissait ou devrait connaître

l'éventualité d'un tel dommage. Si votre pays n'autorise pas l'exclusion ou la limitation
de responsabilité pour les dommages indirects, accessoires ou de quelque nature que
ce soit, il se peut que la limitation ou l'exclusion ci-dessus ne s'appliquera pas à votre
égard.

EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez
avoir d'autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas
les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
Sysinternals Licensing FAQ
FAQ

Published: September 28, 2009

How many copies of Sysinternals utilities

may I freely load or use on computers
owned by my company?
There is no limit to the number of times you may install and use the software on your devices
or those you support.

May I distribute Sysinternals utilities in my

software, on my website, or with my
magazine?
No. We are not offering any distribution licenses, even if the 3rd party is distributing them for
free. We encourage people to download the utilities from our download center where they can
be assured to get the most recent version of the utility.

Can I license or re-use any Sysinternals

source code?
No. We will no longer offer the Sysinternals source code for download or license.

Will the Sysinternals tools continue to be

freely available?
Yes, Microsoft has no plans to remove or charge for these tools.

Is there technical support available for the

Sysinternals tools?
No. All Sysinternals tools are offered 'as is' with no official Microsoft support. We do maintain a
Sysinternals dedicated community support forum: https://forum.sysinternals.com/ .

Sysinternals Suite - User Manual
No ratings yet
Sysinternals Suite - User Manual
263 pages
Tools Used in Configuration Network and Computer System
66% (32)
Tools Used in Configuration Network and Computer System
6 pages
SysInternals Docs
100% (1)
SysInternals Docs
191 pages
Inter-Process Communication: Message Passing
No ratings yet
Inter-Process Communication: Message Passing
41 pages
Process Scheduling - Module2
No ratings yet
Process Scheduling - Module2
61 pages
Windows Command For Security Analysis
No ratings yet
Windows Command For Security Analysis
33 pages
What Are The SysInternals Tools and How Do You Use Them
No ratings yet
What Are The SysInternals Tools and How Do You Use Them
129 pages
Sysinternals Guide
No ratings yet
Sysinternals Guide
213 pages
Best Win 10 Deployment Guide PDF
0% (1)
Best Win 10 Deployment Guide PDF
1,387 pages
Ferramentas Poderosas
No ratings yet
Ferramentas Poderosas
210 pages
CSS10-1ST Quarter - Week 1
No ratings yet
CSS10-1ST Quarter - Week 1
21 pages
Five Best Computer Diagnostic Tools
No ratings yet
Five Best Computer Diagnostic Tools
14 pages
Python Threads
No ratings yet
Python Threads
84 pages
Appletcontinues
No ratings yet
Appletcontinues
47 pages
Tools Used in Computer Network and Computer System
78% (9)
Tools Used in Computer Network and Computer System
43 pages
Changes From Version 15
No ratings yet
Changes From Version 15
16 pages
Windows Server 2003 Commands
No ratings yet
Windows Server 2003 Commands
3 pages
Sysinternals Utility Suite For Windows 2000, XP, 2003, Vista, and 2008
No ratings yet
Sysinternals Utility Suite For Windows 2000, XP, 2003, Vista, and 2008
5 pages
Hiren's Boot CD 8
No ratings yet
Hiren's Boot CD 8
10 pages
Unit Objectives: Use System Configuration Tools View System Information and Logs Use Task Manager Edit Configuration Files
No ratings yet
Unit Objectives: Use System Configuration Tools View System Information and Logs Use Task Manager Edit Configuration Files
67 pages
Sysinternals Utilities - Sysinternals - Microsoft Learn
No ratings yet
Sysinternals Utilities - Sysinternals - Microsoft Learn
5 pages
DA3ISM
No ratings yet
DA3ISM
21 pages
Windows Fundamentals 2
No ratings yet
Windows Fundamentals 2
7 pages
System Monitoring
No ratings yet
System Monitoring
19 pages
Hiren's BootCD 15.2 - All in One Bootable CD WWW - Hiren.info
No ratings yet
Hiren's BootCD 15.2 - All in One Bootable CD WWW - Hiren.info
14 pages
CMD Commands PDF Free
No ratings yet
CMD Commands PDF Free
4 pages
Types of Utilities Software
No ratings yet
Types of Utilities Software
4 pages
BSC It Assignments
100% (2)
BSC It Assignments
3 pages
Gargagafgsfdgfdsgafg
No ratings yet
Gargagafgsfdgfdsgafg
4 pages
50 Windows Tools & Tricks
No ratings yet
50 Windows Tools & Tricks
24 pages
Hiren S Boot Usb11
No ratings yet
Hiren S Boot Usb11
17 pages
Utility CD
100% (1)
Utility CD
9 pages
Autodesk Moldflow-Manual de Instalación
No ratings yet
Autodesk Moldflow-Manual de Instalación
3 pages
Activities of Administrative Tool
No ratings yet
Activities of Administrative Tool
8 pages
5 Utilities of Windows 10
No ratings yet
5 Utilities of Windows 10
6 pages
Lesson 2: Managing Windows
No ratings yet
Lesson 2: Managing Windows
35 pages
Windows 10 Live Analysis Using Sysinternals Lasw26-Precourse-free
No ratings yet
Windows 10 Live Analysis Using Sysinternals Lasw26-Precourse-free
9 pages
Run Commands
No ratings yet
Run Commands
5 pages
Hiren Boot 9.5
No ratings yet
Hiren Boot 9.5
14 pages
Tools Used For Computer System and Network Configuration
69% (13)
Tools Used For Computer System and Network Configuration
8 pages
List of Run Commands in Windows 7 Program Name Run Command
No ratings yet
List of Run Commands in Windows 7 Program Name Run Command
49 pages
Hiren's BootCD 13.0
No ratings yet
Hiren's BootCD 13.0
13 pages
Log
No ratings yet
Log
2,708 pages
RTOS Implementation On STM32.
No ratings yet
RTOS Implementation On STM32.
32 pages
Hirens Tutorial
No ratings yet
Hirens Tutorial
7 pages
Mike's Recommended Software List
No ratings yet
Mike's Recommended Software List
5 pages
Dell Compellent Using Storage Center With FCoE and Linux
No ratings yet
Dell Compellent Using Storage Center With FCoE and Linux
30 pages
Useful Run Commands
No ratings yet
Useful Run Commands
20 pages
Kubernetes Notes
No ratings yet
Kubernetes Notes
22 pages
Hiren's 11.0
No ratings yet
Hiren's 11.0
14 pages
Hiren's BootCD v15
No ratings yet
Hiren's BootCD v15
12 pages
Reed Me
No ratings yet
Reed Me
7 pages
Hirens bootCD 10.4
No ratings yet
Hirens bootCD 10.4
4 pages
Hiren's BootCD 15.2
No ratings yet
Hiren's BootCD 15.2
10 pages
VDCF - Virtual Datacenter Control Framework: VDCF Ldom Product Administration Guide
No ratings yet
VDCF - Virtual Datacenter Control Framework: VDCF Ldom Product Administration Guide
27 pages
An A-Z Index of The Windows CMD Command Line
No ratings yet
An A-Z Index of The Windows CMD Command Line
5 pages
Hiren'S Bootcd 15.1: All in One Bootable CD Which Has All These Utilities
No ratings yet
Hiren'S Bootcd 15.1: All in One Bootable CD Which Has All These Utilities
10 pages
Chapter 7. Synchronization Examples
No ratings yet
Chapter 7. Synchronization Examples
39 pages
Os Question Bank New
No ratings yet
Os Question Bank New
7 pages
Module3 - Fixed Partitions - Best Fit
No ratings yet
Module3 - Fixed Partitions - Best Fit
6 pages
Tux Linux Ascii
No ratings yet
Tux Linux Ascii
1 page
Brom
No ratings yet
Brom
13 pages
1 CPS393 LinuxBashIntro-1
No ratings yet
1 CPS393 LinuxBashIntro-1
109 pages
Chapter-01 Tanenbaum
No ratings yet
Chapter-01 Tanenbaum
18 pages
Elmasri 6e Ch21 Transaction Processing
No ratings yet
Elmasri 6e Ch21 Transaction Processing
82 pages
LPKF Flowshow Se V1.11: Update Procedure
No ratings yet
LPKF Flowshow Se V1.11: Update Procedure
9 pages
Exam Sheet
No ratings yet
Exam Sheet
7 pages
Excercise Solution 3-5
No ratings yet
Excercise Solution 3-5
5 pages
UC 3 Set Up Server
No ratings yet
UC 3 Set Up Server
3 pages
Log
No ratings yet
Log
13 pages
Slipstream in SQL Server
No ratings yet
Slipstream in SQL Server
4 pages
EWARM DDFFormat
No ratings yet
EWARM DDFFormat
6 pages
Linux Notes
No ratings yet
Linux Notes
21 pages
Log
No ratings yet
Log
3 pages
Agar MJM
No ratings yet
Agar MJM
2 pages
C1140bootm12423cJA1binl PDF
No ratings yet
C1140bootm12423cJA1binl PDF
4 pages
Linux for Beginners: Linux Command Line, Linux Programming and Linux Operating System
From Everand
Linux for Beginners: Linux Command Line, Linux Programming and Linux Operating System
Steve Will
4.5/5 (3)
Windows Failover Clustering Design Handbook
From Everand
Windows Failover Clustering Design Handbook
Stefanos Evangelou
No ratings yet
LINUX SECURITY AND ADMINISTRATION: Safeguarding Your Linux System with Proactive Administration Practices (2024 Guide for Beginners)
From Everand
LINUX SECURITY AND ADMINISTRATION: Safeguarding Your Linux System with Proactive Administration Practices (2024 Guide for Beginners)
RANDALL BLAIR
No ratings yet
Linux Services Deployment
From Everand
Linux Services Deployment
Fabian Mestre
No ratings yet
Kali Linux
From Everand
Kali Linux
Brandon Jones
No ratings yet
Windows Operating System Interview Questions and Answers
From Everand
Windows Operating System Interview Questions and Answers
Manish Soni
No ratings yet
PC Essentials | Learn Basic Computing
From Everand
PC Essentials | Learn Basic Computing
Nolo Nob
No ratings yet
Linux Essentials - A Beginner's Guide To Linux Operating System
From Everand
Linux Essentials - A Beginner's Guide To Linux Operating System
Adidas Wilson
3/5 (1)
Linux Distro Super Ringan Super Stabil Untuk Penggunaan Harian & Infrastruktur Penting Edisi Bahasa Inggris
From Everand
Linux Distro Super Ringan Super Stabil Untuk Penggunaan Harian & Infrastruktur Penting Edisi Bahasa Inggris
Cyber Jannah Sakura
No ratings yet
The Most Lightest & The Most Stable Free Linux Distro OS For Daily Life plus For Critical Environment
From Everand
The Most Lightest & The Most Stable Free Linux Distro OS For Daily Life plus For Critical Environment
Cyber Jannah Sakura
No ratings yet
Windows 10: A Complete Guide to Using Windows 10
From Everand
Windows 10: A Complete Guide to Using Windows 10
Sam Griffin
No ratings yet
C# for Beginners: Learn in 24 Hours
From Everand
C# for Beginners: Learn in 24 Hours
Alex Nordeen
No ratings yet
Windows Vista Sp2 Install Guide English Edition
From Everand
Windows Vista Sp2 Install Guide English Edition
Cyber Jannah Studio
No ratings yet
Free Open Source Linux OS For Data Recovery & Data Rescue Bilingual Version Ultimate
From Everand
Free Open Source Linux OS For Data Recovery & Data Rescue Bilingual Version Ultimate
Cyber Jannah Sakura
No ratings yet