The Windows Club

TheWindowsClub covers authentic Windows 11, Windows 10 tips, tutorials, how-to's, features, freeware. Created by Anand Khanse, MVP.

Sysinternals Suite: Manage, troubleshoot, diagnose Windows systems and apps

Download Windows Speedup Tool to fix errors and make PC run faster

The Sysinternals set of utilities and web site was created by Mark Russinovich and Bryce Cogswell to host their advanced system utilities and technical information. Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot, and diagnose your Windows systems and applications.

Microsoft Sysinternals Suite : Manage, troubleshoot, diagnose Windows systems, apps

Windows Sysinternals Suite

The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains individual troubleshooting tools and helps files. However, it does not contain any non-troubleshooting tools like the BSOD Screen Saver or NotMyFault.

The major category of the tools are as follows:

  • File and Disk Utilities
  • Networking Utilities
  • Process Utilities
  • Security Utilities
  • System Information
  • Miscellaneous

The list of tools are:

  • AccessChk is a command-line tool for viewing the effective permissions on files, registry keys, services, processes, kernel objects, and more.
  • AccessEnum is simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.
  • AdExplorer or Active Directory Explorer is an advanced Active Directory (AD) viewer and editor.
  • AdInsight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications.
  • AdRestore – Undelete Server Active Directory objects.
  • Autologon lets you bypass password screen during logon.
  • Autorun lets you see what programs are configured to startup automatically when your system boots and you login.
  • BgInfo is fully-configurable program automatically generates desktop backgrounds that include important information about the system including IP addresses, computer name, network adapters, and more.
  • BlueScreen screen saver not only accurately simulates Blue Screens, but simulated reboots as well (complete with CHKDSK).
  • CacheSet is a program that allows you to control the Cache Manager’s working set size using functions provided by NT. It’s compatible with all versions of NT.
  • ClockRes lets you view the resolution of the system clock, which is also the maximum timer resolution.
  • Contig lets you quickly defragment your frequently used files? Use Contig to optimize individual files, or to create new files that are contiguous.
  • Coreinfo is a command-line utility that shows you the mapping between logical processors and the physical processor, NUMA node, and socket on which they reside.
  • Ctrl2cap is a kernel-mode driver that demonstrates keyboard input filtering just above the keyboard class driver in order to turn caps-locks into control keys.
  • DebugView intercepts calls made to DbgPrint by device drivers and OutputDebugString made by Win32 programs.
    Desktops is new utility enables you to create up to four virtual desktops and to use a tray interface or hotkeys to preview what’s on each desktop and easily switch between them.
  • Disk2vhd simplifies the migration of physical systems into virtual machines (p2v.md).
  • DiskExt display volume disk-mappings.
  • Diskmon captures all hard disk activity or acts like a software disk activity light in your system tray.
  • DiskView offers a Graphical disk sector utility.
  • Disk Usage lets you view disk usage by directory.
  • EFSDump lets you view information for encrypted files.
  • FindLinks reports the file index and any hard links (alternate file paths on the same volume.md) that exist for the specified file.
  • Handle will show you what files are open by which processes, and much more.
  • Hex2dec – Convert hex numbers to decimal and vice versa.
  • Junction – Create Win2K NTFS symbolic links.
  • LDMDump – Dump the contents of the Logical Disk Manager’s on-disk database, which describes the partitioning of Windows Dynamic disks.
  • ListDLLs list all the DLLs that are currently loaded, including where they are loaded and their version numbers.
  • LiveKd – Use Microsoft kernel debuggers to examine a live system.
  • LoadOrder – See the order in which devices are loaded on your system.
  • LogonSessions lists the active logon sessions on a system.
  • MoveFile allows you to schedule move and delete commands for the next reboot.
  • Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system.
  • Use NTFSInfo to see detailed information about NTFS volumes, including the size and location of the Master File Table (MFT) and MFT-zone files.
  • PendMoves enumerates the list of file rename and delete commands that will be executed the next boot.
  • PipeList displays the named pipes on your system, including the number of maximum instances and active instances for each pipe.
  • PortMon knows about all standard serial and parallel IOCTLs and even shows you a portion of the data being sent and received.
  • ProcDump is aimed at capturing process dumps of otherwise difficult to isolate and reproduce CPU spikes.
  • Process Explorer – Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
  • Process Monitor – Monitor file system, Registry, process, thread and DLL activity in real-time.
  • PsExec – Execute processes on remote systems.
  • PsFile – See what files are opened remotely.
  • PsGetSid displays the SID of a computer or a user.
  • PsInfo obtains information about a system.
  • PsKill – Terminate local or remote processes.
  • PsPing measures network performance.
  • PsList – Show information about processes and threads.
  • PsLoggedOn – Show users logged on to a system.
  • PsLogList – Dump event log records.
  • PsPasswd – Changes account passwords.
  • PsService – View and control services.
  • PsShutdown shuts down and optionally reboots a computer.
  • PsSuspend – Suspend and resume processes.
  • The PsTools suite lists processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
  • RAMMap is an advanced physical memory usage analysis utility that presents usage information in different ways on its several different tabs.
  • RegDelNull – Scan for and delete Registry keys that contain embedded null-characters that are otherwise undeleteable by standard Registry-editing tools.
  • Registry Usage – View the registry space usage for the specified registry key.
  • RegJump – Jump to the registry path you specify in Regedit.
  • SDelete – Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program.
  • ShareEnum – Scan file shares on your network and view their security settings to close security holes.
  • ShellRunas – Launch programs as a different user via a convenient shell context-menu entry.
  • Sigcheck – Dump file version information and verify that images on your system are digitally signed.
  • Streams – Reveal NTFS alternate streams.
  • Strings – Search for ANSI and UNICODE strings in binary images.
  • Sync – Flush cached data to disk.
  • Sysmon – Monitors and reports key system activity via the Windows event log.
  • TCPView – Active socket command-line viewer.
  • VMMap is a process virtual and physical memory analysis utility.
  • VolumeId – Set Volume ID of FAT or NTFS drives.
  • Whois – See who owns an Internet address.
  • WinObj – The ultimate Object Manager namespace viewer is here.
  • ZoomIt – Presentation utility for zooming and drawing on the screen.

Sysinternals Live

You can also view the entire Sysinternals Live tools directory in a browser at https://live.sysinternals.com/. You can either right-click on an individual file and download it or enter a tool’s Sysinternals Live path into Windows Explorer or a command prompt as live.sysinternals.com/<toolname> or  \\live.sysinternals.com\tools\<toolname>.

Microsoft rolled out a major update for Sysinternals, including Sysmon clipboard monitoring, Procmon enhanced filter edit dialog, Prodump CoreCLR, AdExplorer, Disk Usage, VMMap, RAMMap. It also included several ARM ports of existing Windows Sysinternals tools as ARM machines are now being used by many.

We strongly recommend you to explore all the tools and then download them from the official Microsoft website. You can expand each section on the left side and then read about each utility and what it does.  The page has a list of parameters and options and what they do can do.

I wish there were a User Interface for tools like this, which can easily be run by selecting options and then seeing the result. So, basic users will have to learn it bit by bit.

AshishMohta@TWC

Ashish holds a Bachelor's in Computer Engineering and is a veteran Windows. He has been a Microsoft MVP (2008-2010) and excels in writing tutorials to improve the day-to-day experience with your devices.