ADM 291 A Tour of Sysinternals Tools
- Slides: 41

ADM 291 A Tour of Sysinternals Tools
- Mark Russinovich, Winternals Software

About The Speaker
- Co-author of Inside Windows 2000, 3rd Ed. (Microsoft Press) with David Solomon
- Contributing Editor and NT Internals columnist for Windows and .NET Magazine
- Creator of www.sysinternals.com
- Co-founder and chief software architect of Winternals Software (www.winternals.com)
- Co-creator of Inside Windows 2000, an interactive internals tutorial (on DVD & streaming Windows Media)
Outline
- About Sysinternals
- Monitoring Tools
- Systems Administration Tools
- File System Tools

About Sysinternals
- Started with NTFSDOS, Regmon and Filemon hosted on Andrew Schulman's site in mid-1996
- www.ntinternals.com went live in late 1996
  - Under a dozen tools
  - 1500 unique visitors/day

Sysinternals Today
- Interesting statistics:
  - 75 tools, 2-dozen technical articles
  - 25,000 unique visitors/day
  - 30,000 downloads/day (4 GB of data)
  - 150,000 unique visitors/month
  - 36,000 newsletter subscribers
  - Almost 4-dozen KB-article references
- Everything on the site is freeware
  - Can't redistribute without a license
  - Source code is licensed for use in commercial products
Outline
- About Sysinternals
- Monitoring Tools
- Systems Administration Tools
- File-Related Tools

Monitoring
- Filemon
- Regmon
- Process Explorer
- TCPView

Filemon/Regmon
- Watch all file system or Registry accesses in real-time
- Ideal for troubleshooting broken application installations
- Useful for developers tracking down bugs or performance tuning file system access
- Work on all Windows® OSs, including 64-bit Windows XP
- Used extensively within Microsoft
  - PSS
  - Windows XP Application Compatibility
  - Microsoft® Office 2000

Using Filemon/Regmon
- Requires no install or reboot: just start using them
- Includes filters for including, excluding, and highlighting output
  - Can't include/exclude filter result codes on Filemon for WinNT/2K/XP
- Requires admin privilege to run
  - Trick: run once as admin and then you can use them as unprivileged users

How Filemon Works
- Filemon uses a driver to intercept file I/O access
  - A VxD on Windows 9x/Me
  - A "file system filter driver" on Windows NT®/Windows 2000/Windows XP
- (Diagram: Filemon GUI and Application in User Mode; Filemon Driver and File System Driver in Kernel Mode)

How Regmon Works
- Regmon uses a driver to intercept Registry operations
  - A "hook" VxD on Windows 9x/Me
  - A system-call intercepting driver on Windows NT/Windows 2000/Windows XP
- (Diagram: Application and Regmon GUI in User Mode; Regmon Driver and Registry Subsystem in Kernel Mode)

Process Explorer
- Process Explorer (formerly HandleEx) starts where Task Manager ends:
  - See detailed information about running processes, including their paths and command-lines
  - Description of EXE
  - SID from process security token
  - View the DLLs processes have loaded, including version numbers
  - See what handles processes have opened
  - Examine services running within service processes
- Process Explorer works on all Windows platforms

Common Process Explorer Uses
- Detect DLL versioning problems
  - Compare the output from a "good" system with that of a "broken" system
- Use the search feature to determine what process is holding a file or directory open
- View the state of synchronization objects (mutexes, semaphores, events)
- Detect handle leaks using refresh difference highlighting
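The handle-leak technique on this slide rests on one idea: compare the handle table at each refresh with the previous one, colour newly opened handles green and closed handles red, and watch for an object type whose count only ever grows. The following Python is an added example written for this page, not Process Explorer's own code; the `Handle` record, the two functions and the three snapshots are constructed for illustration and are not captured from a real process.

```python
"""Handle-leak detection by refresh-difference diffing (added example)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Handle:
    value: int      # handle value as shown in a handle viewer, e.g. 0x1C4
    type: str       # kernel object type: File, Key, Mutant, Event, ...
    name: str       # object name; empty for unnamed objects


def diff_handles(before, after):
    """Return (opened, closed): handles present only in the newer snapshot
    and handles present only in the older one.  Handle values are recycled
    by the kernel, so the whole (value, type, name) tuple is compared rather
    than the value alone."""
    before_set, after_set = set(before), set(after)
    opened = sorted(after_set - before_set, key=lambda h: h.value)
    closed = sorted(before_set - after_set, key=lambda h: h.value)
    return opened, closed


def leak_suspects(snapshots, min_growth=3):
    """Report object types whose handle count never decreases across the
    refreshes and grows by at least min_growth overall; that is the classic
    signature of a handle that is opened repeatedly and never closed.
    Returns {type: [count per snapshot]}."""
    counts = [Counter(h.type for h in snap) for snap in snapshots]
    types = set().union(*(c.keys() for c in counts))
    suspects = {}
    for t in sorted(types):
        series = [c[t] for c in counts]
        monotonic = all(b >= a for a, b in zip(series, series[1:]))
        if monotonic and series[-1] - series[0] >= min_growth:
            suspects[t] = series
    return suspects


# Constructed snapshots: three refreshes of one process.  Event handles are
# opened on every refresh and never closed; the File handle is closed.
SNAPSHOTS = [
    [Handle(0x10, "Key", r"HKLM\SOFTWARE\Example"),
     Handle(0x14, "File", r"C:\temp\work.log"),
     Handle(0x18, "Event", "")],
    [Handle(0x10, "Key", r"HKLM\SOFTWARE\Example"),
     Handle(0x14, "File", r"C:\temp\work.log"),
     Handle(0x18, "Event", ""), Handle(0x1C, "Event", ""),
     Handle(0x20, "Event", "")],
    [Handle(0x10, "Key", r"HKLM\SOFTWARE\Example"),
     Handle(0x18, "Event", ""), Handle(0x1C, "Event", ""),
     Handle(0x20, "Event", ""), Handle(0x24, "Event", ""),
     Handle(0x28, "Event", "")],
]

if __name__ == "__main__":
    for i in range(1, len(SNAPSHOTS)):
        opened, closed = diff_handles(SNAPSHOTS[i - 1], SNAPSHOTS[i])
        print(f"refresh {i}: +{len(opened)} opened (green), "
              f"-{len(closed)} closed (red)")
    print("leak suspects:", leak_suspects(SNAPSHOTS))
```

Comparing whole tuples matters: because the kernel reuses handle values, a diff keyed on the value alone would report a reopened file as "unchanged" and hide exactly the churn a leak hunt is looking for.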
How Process Explorer Works
- Uses undocumented functions for:
  - Enumerating loaded modules with full path names
  - Enumerating processes and handles
- Obtains handle names using the aid of a driver
- Related tools:
  - Handle – command-line handle viewer
  - Listdlls – command-line DLL viewer

TCPView
- GUI version of Netstat
- Works on all Windows platforms
- Lists active TCP and UDP endpoints
- Shows endpoint owner on Windows NT/2000/Windows XP/.NET Server
- Includes auto-refresh and difference highlighting
- You can close established TCP/IP connections
- Works using documented and undocumented IPHelper library functions

Other Monitoring Tools
- DebugView: Monitor application debug output
- Diskmon: Monitor hard disk activity
- Pmon: Monitor process and thread activity
- Portmon: Monitor serial and parallel port traffic
- Tokenmon: Monitor security-related activity
Outline
- About Sysinternals
- Monitoring Tools
- Systems Administration Tools
- File-Related Tools

Systems Administration
- PsTools
  - PsList
  - PsKill
  - PsInfo
  - PsLogList
  - PsService
  - PsExec
  - PsSuspend
  - More...
- BgInfo
- Autoruns

PsTools
- PsTools consists of a total of 11 tools
- They all work on Windows NT/Windows 2000/Windows XP
- They all work remotely as well as locally
  - None require manual remote software installation
- Where'd the "Ps" come from?
  - The UNIX process listing tool is named "ps"
  - The first PsTool was a UNIX "ps"-equivalent, PsList

PsList
- View detailed information about running processes
- Similar to tlist and pulist
- Default view is a mix of CPU and memory information
- Other views show thread details, memory details, or full information
- Use the -s switch to run it in a Task Manager-type mode
- Works using the performance counter API
  - WMI is only available by default on Windows 2000/Windows XP, not on Windows NT 4

PsKill
- The perfect complement to PsList is PsKill
- Similar to Resource Kit Kill and Remote Kill
- See a process running on a remote (or local) system with PsList, kill it with PsKill
- Unlike Task Manager, PsKill lets you kill any process if you're an admin
  - Uses "Debug" privilege
- Uses auto-installed remote service and TerminateProcess API

PsInfo
- Get detailed information about a system
  - OS version: type (pro, server, etc.)
  - Service Pack
  - Hot-fixes
  - CPU and memory
  - Uptime
  - Volume information
- Uses documented APIs:
  - Registry (remote, if applicable)
  - WMI for XP product activation query

PsLogList
- Dump and optionally clear event logs
- Like eloglist from the Resource Kit
- PsLogList lets you dump logs using alternate credentials
- Gets event strings from the remote system
- Like eloglist, dumps in tab-delimited format for easy import into spreadsheets
- Has extensive support for filtering on record type and date range
- Uses documented Event Log APIs, which work remotely

PsService
- Control Win32® services
- Like the Resource Kit's and XP/Server 2003's SC
  - Unlike SC, doesn't make you remember and manually specify a "resume handle"
  - Same syntax as SC
  - Omits several esoteric SC options
- Search the network for active instances of a service
- Uses documented Service Control Manager APIs, which work remotely

PsExec
- Remotely execute programs
- Executes console programs interactively
- Allows you to start programs as yourself, in alternate user credentials, or in the System account
- With PsExec you can:
  - Launch a remote command prompt to effect a light-weight telnet
  - Remote-enable "local only" command-line tools like IpConfig
- Uses auto-installed remote service

PsExec
- Options of interest include:
  - -s: Run in System account (instead of account of user running PsExec)
  - -i: Show GUI windows on interactive console
  - -d: Don't wait for remote process to terminate
  - -c: Copy an executable to the remote system

PsSuspend
- Microsoft provides no process-suspend utility like PsSuspend for pausing a process that's using a resource
  - Memory
  - CPU
  - Network
- Windows NT and 2000 have no "suspend process" capability, so PsSuspend suspends individual threads

BgInfo (Background Info)
- If you manage more than a handful of systems, you've run into the "what machine is this" syndrome
- BgInfo creates an auto-generated informative desktop background
  - System name
  - Memory
  - IP Address
  - OS version
  - Whatever you want!

Autoruns
- There are almost 2-dozen places that can be used to configure automatically started applications
- Autoruns shows you all of the locations and displays programs configured to run in them
  - Double-click a folder or key to jump to it in Explorer or Regedit
  - Double-click a configured application to view its properties
Outline
- About Sysinternals
- Monitoring Tools
- Systems Administration Tools
- File-Related Tools

File-Related Tools
- Contig
- PageDefrag
- Streams
- Strings

Contig
- Command-line Windows NT/Windows 2000/Windows XP file defragmenter
- Useful for:
  - Defragmenting specific files
  - Creating new contiguous files
  - Defragmenting entire disks
- Uses Windows NT/Windows 2000/Windows XP defragmenting API, documented at Sysinternals

PageDefrag
- Defragments paging files and Registry hives at boot time
- Implemented as a "native" application:
  - Launched by Session Manager because it is listed in the HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute value
  - Uses "native" API
- Uses Contig defragmentation engine
- Supports command-line options for scripted install

Streams
- Streams, which require NTFS, used to be rarely used
- Now there are several components that make use of them:
  - Services for Macintosh
  - Explorer
  - Viruses
- Streams can search directories for files with streams and display their names

Strings
- Some executables do not identify themselves with version information or descriptive names
- Strings will look inside a file image for printable text that includes:
  - Registry key and value names
  - Debug strings
  - File names
  - Internal build information
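What the Strings slide describes is a byte scan for runs of printable characters; on Windows images much of that text is stored as little-endian UTF-16, so a useful scanner looks for both encodings. The Python below is an added example written for this page and is not the Sysinternals Strings tool: the minimum run length of 4, the printable set (space through tilde plus tab), the `classify` heuristics that sort hits into the categories the slide lists, and the sample image `SAMPLE_IMAGE` are all this example's own constructions, not Strings' defaults or real file contents.

```python
"""Printable-string extraction from a file image (added example)."""
import re
import sys

MIN_LEN = 4   # shortest run reported; keeps random bytes from looking like text

# Hypothetical prefixes used only by the classifier below.
_REG_PREFIXES = ("HKEY_", "HKLM\\", "HKCU\\", "SOFTWARE\\", "SYSTEM\\")
_FILE_SUFFIXES = (".dll", ".exe", ".sys", ".log", ".ini")
_VERSION = re.compile(r"\b\d+\.\d+(?:\.\d+)+\b")


def extract_strings(image: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) tuples for every run of at least
    min_len printable characters, ordered by file offset.  ASCII runs are
    bytes 0x20-0x7E or tab; UTF-16LE runs are the same code units each
    followed by a 0x00 high byte."""
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % min_len)
    found = []
    for m in ascii_run.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_run.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def classify(text: str) -> str:
    """Rough bucket for a hit: registry name, file path, build/version
    string, or other.  Heuristic, and this example's own choice."""
    if text.upper().startswith(_REG_PREFIXES):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", text) or text.lower().endswith(_FILE_SUFFIXES):
        return "path"
    if _VERSION.search(text):
        return "build"
    return "other"


# Constructed sample image: a few header-like bytes, an ASCII registry key,
# junk, a UTF-16LE file path, junk, an ASCII build string, and a run that is
# too short to report.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"SOFTWARE\\Example\\Settings\x00"
    + b"\x7f\x01\x02"
    + "C:\\Program Files\\Example\\app.log".encode("utf-16le") + b"\x00\x00"
    + b"\x03\x04"
    + b"Build 5.1.2600 checked\x00"
    + b"ab\x00"
)

if __name__ == "__main__":
    # Scan a real file if a path is given, otherwise the constructed image.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for offset, enc, text in extract_strings(data):
        print(f"{offset:08x} {enc:8} {classify(text):8} {text}")
```

Scanning both encodings separately avoids cross-talk: a UTF-16 string never forms an ASCII run of length 4 because every other byte is 0x00, and an ASCII string never satisfies the UTF-16 pattern because its bytes are not interleaved with zeros.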
After Hours...
- The Sysinternals Bluescreen Saver

Check The Site Often...
- There are updates, bug fixes, new tools and articles on a regular basis
- I'm always open to tool suggestions
- Sign up for the newsletter to get inside information on the tools and Windows internals

For More Info...
- Video: Inside Windows 2000 – An Interactive Tutorial (on DVD & Windows Media)
  - 11 hours of instruction with hands-on lab exercises
- Book: Inside Microsoft Windows 2000, Third Edition (Microsoft Press)
- Class: Come to London Sep 23-25
- Don't forget to complete the on-line Session Feedback form on the Attendee Web site

Community Resources
- http://www.microsoft.com/communities/default.mspx
- Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/
- Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide
  - http://www.microsoft.com/communities/newsgroups/default.mspx
- User Groups: Meet and learn with your peers
  - http://www.microsoft.com/communities/usergroups/default.mspx