liminfo

Sysinternals

Free reference guide: Sysinternals


About Sysinternals

The Sysinternals Reference is a searchable command guide covering 25 tools from the Microsoft Sysinternals Suite, organized into 6 categories: Process (Process Explorer, Process Monitor, PsExec, PsList, PsKill), File (Handle, Strings, SDelete, Junction, Sigcheck), Network (TCPView, PsPing, Whois), Security (PsLoggedOn, AccessChk, Autoruns, SysMon), System Info (PsInfo, WinObj, RAMMap, VMMap), and Disk (DiskMon, Disk2vhd, DiskView, Contig).

Each tool entry includes the executable name, a concise description, and practical command-line examples with flags and parameters. For instance, PsExec shows remote command execution with user credentials, Process Monitor covers filter setup for file/registry/network events with boot logging, and Autoruns demonstrates VirusTotal integration for auto-start program validation.

This reference is designed for Windows system administrators, security analysts, incident responders, and IT professionals who need quick access to Sysinternals command syntax. The searchable interface with category filtering makes it easy to find the right tool and command without downloading documentation or navigating Microsoft's website.

Key Features

  • 25 Sysinternals tools covered: Process Explorer, PsExec, Autoruns, TCPView, SysMon, and more
  • 6 organized categories: Process, File, Network, Security, System Info, Disk
  • Command-line syntax with real flags: psexec \\remote-pc -u admin, accesschk -wvu, sdelete -p 3
  • VirusTotal integration examples for Sigcheck, Autoruns, and Process Explorer
  • Remote administration commands: PsExec, PsList, PsKill, PsLoggedOn, PsInfo for \\remote-pc
  • Memory analysis tools: RAMMap for physical memory pages, VMMap for virtual address space and leak detection
  • Disk utilities: Disk2vhd for physical-to-virtual conversion, Contig for individual file defragmentation
  • Searchable and filterable reference with instant category switching

Frequently Asked Questions

What Sysinternals tools are included in this reference?

The reference covers 25 tools: Process Explorer, Process Monitor, PsExec, PsList, PsKill (Process); Handle, Strings, SDelete, Junction, Sigcheck (File); TCPView, PsPing, Whois (Network); PsLoggedOn, AccessChk, Autoruns, SysMon (Security); PsInfo, WinObj, RAMMap, VMMap (System Info); DiskMon, Disk2vhd, DiskView, Contig (Disk).

How do I use PsExec for remote command execution?

PsExec runs processes on remote systems. Basic syntax: psexec \\remote-pc cmd (opens an interactive remote command prompt), psexec \\remote-pc -u admin -p pass ipconfig (runs with explicit credentials), psexec -s cmd (runs as the SYSTEM account). Under the hood PsExec copies its service binary (PSEXESVC) to the target's ADMIN$ share over SMB (TCP 445) and starts it through the Service Control Manager, so the account used must be a local administrator on the target and ADMIN$ must be reachable. Omitting -p makes PsExec prompt for a hidden password instead of leaving it in the command line, shell history and process listings. The exit code PsExec returns is that of the remote process (or its own error code if the launch failed), which is what scripts should check.
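The pre-flight checks a practitioner runs before the PsExec commands above, wrapped in a script. This is an added example, not code from the liminfo reference or from Sysinternals; it assumes psexec.exe is on PATH, the current account is a local administrator on the target, and the host name 'remote-pc' is a placeholder.

```powershell
# Added example (not from the liminfo page or Sysinternals): check that a target is reachable
# the way PsExec needs it, then run a command and capture the remote exit code.
# Assumptions: psexec.exe on PATH, current account is an admin on the target.

function Test-PsExecReady {
    param([Parameter(Mandatory)][string]$ComputerName)

    # PsExec talks SMB: TCP 445 must be open and the ADMIN$ share reachable, because it
    # copies PSEXESVC.exe there and registers it via the Service Control Manager.
    $smb = Test-NetConnection -ComputerName $ComputerName -Port 445 `
               -InformationLevel Quiet -WarningAction SilentlyContinue
    $share = $false
    if ($smb) { $share = Test-Path -Path "\\$ComputerName\ADMIN$" }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Smb445Open   = $smb
        AdminShare   = $share
        Ready        = ($smb -and $share)
    }
}

function Invoke-PsExecCommand {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$CommandLine,
        [switch]$AsSystem,     # adds -s: run as LocalSystem on the target
        [string]$UserName      # adds -u; -p is deliberately not used, so PsExec prompts
    )

    $psexecArgs = @("\\$ComputerName", '-accepteula', '-nobanner')
    if ($AsSystem) { $psexecArgs += '-s' }
    if ($UserName) { $psexecArgs += @('-u', $UserName) }
    # cmd /c lets a whole command line (pipes, &&, redirection) run on the remote side
    $psexecArgs += @('cmd', '/c', $CommandLine)

    $output = & psexec.exe @psexecArgs 2>&1
    [pscustomobject]@{
        ComputerName = $ComputerName
        ExitCode     = $LASTEXITCODE          # exit code of the remote process
        Output       = ($output | Out-String).TrimEnd()
    }
}

# Usage: only launch when the checks pass, otherwise show what is missing
$ready = Test-PsExecReady -ComputerName 'remote-pc'
if ($ready.Ready) {
    Invoke-PsExecCommand -ComputerName 'remote-pc' -CommandLine 'hostname && whoami' -AsSystem
} else {
    $ready
}
```

With -AsSystem the remote whoami reports NT AUTHORITY\SYSTEM, the same effect as the psexec -s form on the page; without it the command runs as the connecting account.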

What is the difference between Process Explorer and Process Monitor?

Process Explorer (procexp.exe) is an advanced task manager showing process trees, DLL/handle search, CPU/memory graphs, and VirusTotal integration. Process Monitor (procmon.exe) is a real-time monitoring tool that captures file system, registry, and network events with powerful filtering by process name, path, or operation. Use Explorer for overview, Monitor for detailed event tracing.

How does Autoruns help with security analysis?

Autoruns (autoruns.exe) enumerates every auto-start location it knows: Run keys, services, drivers, scheduled tasks, WMI event subscriptions, Winlogon and Explorer shell hooks, browser extensions and more. It can verify code signatures and submit hashes to VirusTotal, and entries can be disabled (unchecked) or deleted in place. Enabling Verify Code Signatures together with Hide Microsoft Entries removes signed Microsoft items so unsigned and third-party persistence stands out, and entries whose target file no longer exists are flagged, which often points at removed or renamed malware. The command-line build, autorunsc.exe, produces the same inventory as text or CSV for baselining and diffing across hosts. This makes it a standard tool for malware removal and for forensic analysis of persistence mechanisms.

What is SysMon and how do I install it?

SysMon (System Monitor, sysmon.exe or sysmon64.exe) is a Windows service plus kernel driver that logs detailed system activity to the Windows Event Log. Install it with a configuration file: sysmon -accepteula -i sysmon-config.xml (later configuration changes use -c, and -u uninstalls). It records, among other things, process creation with command line, parent and hashes (Event ID 1), network connections (Event ID 3) and file creation (Event ID 11). Events land in the Microsoft-Windows-Sysmon/Operational channel (Event Viewer: Applications and Services Logs > Microsoft > Windows > Sysmon) and are commonly forwarded to a SIEM. What gets logged is driven entirely by the configuration's include/exclude rules, so an empty or default configuration gives far less coverage than a tuned one.
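A minimal configuration for the install command above, the install itself, and a parser that turns Event ID 1 records from the Sysmon channel into objects. This is an added example, not code from the liminfo reference or from Sysinternals; it assumes sysmon64.exe is on PATH and the shell is elevated, the configuration is a deliberately small one written for this example (production configurations are much larger), and the sample event record is constructed, not captured from a real host.

```powershell
# Added example (not from the liminfo page or Sysinternals).
# Assumptions: sysmon64.exe on PATH, elevated shell; config below is a minimal one for this example.

$sysmonConfig = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- empty exclude rule: log every process creation (Event ID 1) -->
    <ProcessCreate onmatch="exclude" />
    <!-- network connections (Event ID 3) only from script hosts -->
    <NetworkConnect onmatch="include">
      <Image condition="end with">powershell.exe</Image>
      <Image condition="end with">wscript.exe</Image>
    </NetworkConnect>
    <!-- file creation (Event ID 11) in a common drop location -->
    <FileCreate onmatch="include">
      <TargetFilename condition="begin with">C:\Users\Public\</TargetFilename>
    </FileCreate>
  </EventFiltering>
</Sysmon>
'@

function Install-SysmonWithConfig {
    param([string]$ConfigPath = "$env:TEMP\sysmon-config.xml")
    [System.IO.File]::WriteAllText($ConfigPath, $sysmonConfig)   # UTF-8, no BOM
    & sysmon64.exe -accepteula -i $ConfigPath      # first install; -c $ConfigPath updates later
    return $LASTEXITCODE
}

function ConvertFrom-SysmonEventXml {
    # Takes the XML string of one event (what EventLogRecord.ToXml() returns)
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.InnerText }   # EventID may carry attributes
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            EventId     = [int]$id
            UtcTime     = $data['UtcTime']
            Image       = $data['Image']
            CommandLine = $data['CommandLine']
            ParentImage = $data['ParentImage']
            User        = $data['User']
            Hashes      = $data['Hashes']
        }
    }
}

function Get-SysmonProcessCreates {
    # Live use: recent Event ID 1 records from the Sysmon channel
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() } | ConvertFrom-SysmonEventXml
}

# Constructed sample record (not from a real host) so the parser can be exercised offline
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>ws01.example.test</Computer></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="User">EXAMPLE\alice</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
  </EventData>
</Event>
'@
$sampleEvent | ConvertFrom-SysmonEventXml | Format-List
```

The parser is the same whether the XML comes from the constructed sample or from Get-WinEvent; on a live host, Get-SysmonProcessCreates feeds it real records, and the Image/ParentImage/CommandLine triple is what detection rules for Office-spawned script hosts key on.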

How can I find which process has a file locked?

Use Handle.exe: handle.exe filename.txt lists every process holding an open handle whose name contains that string (a case-insensitive substring match, so a short fragment can return many hits). You can also search by process: handle.exe -p explorer shows all handles held by processes matching that partial name. Run it from an elevated prompt, otherwise handles in other users' processes are not visible. In Process Explorer, use Find > Find Handle or DLL (Ctrl+F) to search for file or DLL names across all processes. Handle can also force a handle closed with -c, but the owning process is not notified and may crash or corrupt the file, so stopping that process is usually the safer fix.
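The handle.exe lookup above, wrapped so its output becomes objects a script can act on. This is an added example, not code from the liminfo reference or from Sysinternals; it assumes handle.exe is on PATH and the shell is elevated, and the sample output lines are constructed for the example, not captured from a real host.

```powershell
# Added example (not from the liminfo page or Sysinternals).
# Assumptions: handle.exe on PATH, elevated shell.

function ConvertFrom-HandleOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    # One line per matching handle: "<process> pid: <n> type: <type> <hex>: <object name>"
    $pattern = '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+(?<handle>[0-9A-Fa-f]+):\s*(?<name>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Process = $Matches.proc
                Pid     = [int]$Matches.pid
                Type    = $Matches.type
                Handle  = $Matches.handle
                Name    = $Matches.name.TrimEnd()
            }
        }
    }
}

function Find-FileLocker {
    param([Parameter(Mandatory)][string]$NameFragment)
    # handle.exe matches the fragment as a case-insensitive substring of the object name
    $raw = & handle.exe -accepteula -nobanner $NameFragment 2>&1
    ConvertFrom-HandleOutput -Lines ([string[]]$raw)
}

function Close-LockingHandle {
    param([Parameter(Mandatory)]$Entry)   # one object from ConvertFrom-HandleOutput
    # -c closes handle <hex> inside process -p without prompting (-y). The owning process is
    # not told, so it may crash or corrupt the file; prefer stopping that process instead.
    & handle.exe -accepteula -nobanner -c $Entry.Handle -p $Entry.Pid -y
    return $LASTEXITCODE
}

# Constructed sample output (not from a real host) to exercise the parser offline
$sample = @(
    'notepad.exe        pid: 6980   type: File           1D8: C:\temp\report.txt',
    'OUTLOOK.EXE        pid: 4412   type: File           7A4: C:\temp\report.txt'
)
ConvertFrom-HandleOutput -Lines $sample | Format-Table -AutoSize

# Live use: Find-FileLocker 'report.txt' | ForEach-Object { Stop-Process -Id $_.Pid -WhatIf }
```

Resolving the locker to a PID and then stopping that process (the commented live-use line, with -WhatIf removed once you are sure) is the normal remedy; Close-LockingHandle is there for the rare case where the process cannot be stopped.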

What disk tools are available for virtual machine migration?

Disk2vhd converts physical disks to VHD/VHDX format for physical-to-virtual (P2V) migration: disk2vhd C: D: output.vhdx (use * to capture all volumes). It snapshots through Volume Shadow Copy, so it works on the live system, but the image contains everything that was on disk, including credentials, keys and deleted-but-unwiped data, and should be stored with the same care as the source machine. DiskView provides a visual cluster map showing physical file locations and fragmentation. DiskMon monitors real-time read/write activity at the sector level. Contig performs individual file defragmentation: contig file.exe.

How do I check file permissions with AccessChk?

AccessChk reports the effective permissions a user or group has on files, directories, registry keys, services and other objects. Examples: accesschk -wvu "Users" C:\folder (verbose write-access report for Users on one folder), accesschk -ucqv service_name (verbose permissions on a service, selected by -c), accesschk -uwdqs "Users" * (recursively list directories under the current one that Users can write to). The switches compose: -u suppresses errors, -w shows only objects with write access, -d restricts output to directories, -s recurses, -q drops the banner, -v prints the full ACL, and -accepteula avoids the licence dialog in scripts. Because * is relative to the current directory, run the last form from the drive root or give C:\ explicitly. Writable service objects, service binaries and directories on the system PATH are the findings that matter for privilege escalation, which is why AccessChk is a staple of security audits and privilege escalation testing.
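A sweep built from the AccessChk forms above: it checks every directory on PATH and every service for write access by low-privilege principals and parses AccessChk's short output ("RW <object>" / "W <object>") into objects. This is an added example, not code from the liminfo reference or from Sysinternals; it assumes accesschk.exe is on PATH, and the sample output lines are constructed for the example, not captured from a real host.

```powershell
# Added example (not from the liminfo page or Sysinternals).
# Assumption: accesschk.exe on PATH.

function ConvertFrom-AccessChkOutput {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Short (non -v) output: access letters, whitespace, object name. Only writable entries matter here.
    foreach ($line in $Lines) {
        if ($line -match '^\s*(?<access>RW|W)\s+(?<object>\S.*)$') {
            [pscustomobject]@{ Access = $Matches.access; Object = $Matches.object.TrimEnd() }
        }
    }
}

function Find-WritablePathDirs {
    param([string[]]$Principals = @('Users', 'Authenticated Users', 'Everyone'))
    # A writable PATH directory lets a low-privilege user plant a binary or DLL that a
    # higher-privileged process or service will later resolve and load.
    $dirs = ($env:Path -split ';') | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
    foreach ($p in $Principals) {
        foreach ($d in $dirs) {
            # -u suppress errors, -w write access only, -d directories only, -q no banner
            $raw = & accesschk.exe -accepteula -uwdq $p $d 2>&1
            ConvertFrom-AccessChkOutput -Lines ([string[]]$raw) |
                Select-Object @{ n = 'Principal'; e = { $p } }, Access, Object
        }
    }
}

function Find-WritableServices {
    param([string[]]$Principals = @('Users', 'Authenticated Users', 'Everyone'))
    # -c treats the names as services and * means every service. Write access to a service
    # object lets the principal repoint its binary path or start and stop it.
    foreach ($p in $Principals) {
        $raw = & accesschk.exe -accepteula -uwcq $p * 2>&1
        ConvertFrom-AccessChkOutput -Lines ([string[]]$raw) |
            Select-Object @{ n = 'Principal'; e = { $p } }, Access, Object
    }
}

# Constructed sample output (not from a real host) to exercise the parser offline:
# only the RW and W lines survive.
$sample = @(
    'RW C:\Tools',
    'R  C:\Windows\System32',
    'W  C:\ProgramData\Vendor\bin'
)
ConvertFrom-AccessChkOutput -Lines $sample

# Live use:
# Find-WritablePathDirs | Format-Table -AutoSize
# Find-WritableServices | Format-Table -AutoSize
```

Run the live functions from an elevated prompt so AccessChk can read every ACL; a hit on a PATH directory or on a service object is a concrete privilege escalation path and should be fixed by tightening the ACL rather than by hiding the entry.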