No power user runs Windows with just stock settings; the plethora of third-party PC utilities is an embarrassment of riches. But what about Microsoft’s own contributions? Tools like SyncToy and Pro Photos are pretty well known, but there’s actually a wealth of advanced tools buried in the Sysinternals section of Microsoft’s Technet site for IT professionals.
The Sysinternals site hosts some of the most powerful Windows utilities you can find. Yet surprisingly, not too many people know about them, since TechNet is primarily a System Administrator resource. Whether you’re looking for more powerful ways to find out what’s under the hood of Windows, need help creating VHD images for use with virtualization hosts, or just wanting to play a joke on your co-workers, these little-known utilities have you covered. We cherry pick and go over the features of the ten most useful Sysinternals tools, and then show you the best of the rest. Read on to dive into this awesome stash of Microsoft-sanctioned tools and tweakers for Windows XP, Vista, and 7!

1. Process Explorer
What’s going on when you start your system or run a particular Windows program? Process Explorer knows. This tool lets you see how Windows programs and system components interact.

To get information about any program, double-click it to open a multi-tabbed properties sheet. How much CPU time and I/O is the program using? Click the Performance Graph tab to find out.

Other tabs reveal process threads, security settings, environment settings, and file (Image) information, TCP and UDP ports used, and additional performance details.

Use the menus to customize color highlighting, select how much information to display, and to search for particular handles or DLL files. Process Explorer provides an unparalleled “inside view” of your system.
2. Autoruns
No matter how fast your computer, Windows services and startup programs help slow it down at boot time. Autoruns digs far deeper than Windows MSConfig to show you exactly what’s running when you start your computer.

The default Everything tab shows you every startup program and service. To help you manage what’s going on in a more digestible fashion, use the tabs to view specific items: Logon, Explorer, Internet Explorer, Scheduled Tasks, Services, Drivers, Winsock Providers, Print Monitors, LSA Providers, Network Providers, Sidebar Gadgets, Codecs, Boot Execute, Image Hijacks, AppInit, KnownDLLs, and Winlogon.
By default, Autoruns runs in limited access mode, even for administrators. If you want to enable or disable an entry, you might see an Access is Denied error message. Click Run as Administrator, and after Autoruns restarts, make your change.

You can use Autoruns to clear away a lot of startup clutter (for example, if you’re running a proprietary print monitor for a printer you don’t have installed anymore). However, be wary of seemingly “duplicate” entries. For example, in the KnownDLLs tab on a 64-bit system, you will see the same DLL name in two places: the System32 folder and the Syswow64 folder. Don’t disable them!

3. Process Monitor
Process Monitor provides a continuously-updated look at the programs and services running in your system. As you open and close programs, search the web, print documents, and perform other activities, Process Monitor tracks every activity.

To learn more about a particular event, double-click it to open its properties sheet. Click the Process tab to see the file name, version, path, modules, and other information.

Once you open the properties sheet, use the up and down arrows at the bottom of each tab to move to the next or previous entry in the main window. Summaries available from the Tools menu provide condensed information about file usage, network usage, and other categories.

4. Sigcheck
Sigcheck is an “old-school” (command-line) utility designed to sniff out file and digital signature information for programs and drivers. If you’re having problems with particular programs or hardware, use Sigcheck to find out if you have outdated versions or unsigned drivers. To check for unsigned executable files, use the -u and -e options as shown in this example: sigcheck -u -e c:\windows\system32
You can run sigcheck.exe without options to see a complete list of options. In this example, we found that the 64-bit version of FRAPS DirectX screen capture is unsigned.
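The same unsigned-executable check, scripted so the result can be kept and compared after an update. This is an added example, not from the article; it assumes sigcheck.exe is on PATH and that Sigcheck’s CSV output (-c) carries the “Path” and “Verified” columns with the value “Signed” for verified files, which is the layout current versions emit.

```powershell
# Added example (not from the article): list unsigned executables under a folder
# from Sigcheck's CSV output and save the list for later comparison.
# Assumptions: sigcheck.exe is on PATH; CSV columns include "Path" and "Verified".
param(
    [string]$Folder = "$env:SystemRoot\System32",
    [string]$Report = "$env:TEMP\unsigned-report.csv"   # placeholder output path
)

# -e : executable images only (as in the article's example)
# -s : recurse into subfolders
# -c : CSV output, one row per file (add -u to have Sigcheck itself drop signed rows)
# -q : quiet, no banner, so the output parses cleanly; -accepteula avoids the EULA prompt
$raw = & sigcheck.exe -accepteula -q -e -s -c $Folder 2>$null
if (-not $raw) { throw "sigcheck.exe produced no output; is it on PATH and is $Folder readable?" }

$rows     = $raw | ConvertFrom-Csv
$unsigned = $rows | Where-Object { $_.Verified -ne 'Signed' }

# Overview: how many files fall into each verification state
$rows | Group-Object Verified | Select-Object Name, Count | Format-Table -AutoSize

# Detail: the files that failed verification, with publisher info where present
$unsigned | Select-Object Path, Verified, Publisher, Description | Format-Table -AutoSize

# Persist the list; re-run after a driver or application update and diff the two reports
$unsigned | Export-Csv -NoTypeInformation -Path $Report
Write-Host "$($unsigned.Count) unsigned executable(s) written to $Report"
```

An unsigned file in a system folder is not proof of anything by itself (the article’s FRAPS finding is a legitimate third-party component), but a new unsigned entry that was not in the previous report is worth explaining.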

5. BGInfo
If you like informative wallpaper, BGInfo’s the program for you. It replaces the normal wallpaper on the system with a complete summary of the computer’s hardware, memory, operating system, network, and drives.


If you’d prefer less information, want to display the information in a pop-up window instead of on the desktop, save it to a database for capture and analysis, or run BGInfo automatically, BGInfo offers extensive customization, including command-line options.

BGInfo’s a great tool when you’re setting up a network or want to provide non-technical users with an easy way to find system information they can provide in case of a network or system problem.
6. Desktops
No matter how many monitors you have or how large they are, you’re going to run out of desktop space eventually – or even now. Desktops enables you to create up to four desktops with different running programs and switch between them easily.

You can switch by using keystrokes, or by opening the Desktops icon in the Taskbar and selecting the appropriate desktop. Each desktop can have different programs running, and, on Windows 7, different programs in the Taskbar’s jump list.

If you’re on a tight budget, out of desk space, or just want to make your desktop do more, Desktops could be the answer.
7. ZoomIt
If you’re responsible for presentations or training, and you’re looking for an easy way to emphasize information, ZoomIt’s on your side. You can use it to zoom your screen, make annotations by drawing and typing on the screen, and, with Windows Vista and Windows 7, you can use Live Zoom for adjustable zoom levels.

You can use freehand or controlled shape drawing in several colors and erase your markups by pressing the letter ‘e’. ZoomIt also supports tablets, so you don’t need an expensive touchscreen system to annotate your presentations on the fly.

8. PsTools Suite
The PsTools Suite provides powerful command-line tools for discovering basic system information (PsInfo), remote file usage (PsFile), services in use (PsService), and many others. Use these tools to help automate local and remote system management.

9. Sdelete
Sdelete is a secure deletion utility that is especially designed for dealing with NTFS file systems as well as older FAT file systems, such as those used on removable media and external hard disks. You can use Sdelete to securely delete files and folders, clean free space, and clean an entire disk. Sdelete supports the DOD 5220.22-M standard for secure deletion.

10. BlueScreen
Want to show co-workers or trainees what a BSOD looks like? Download and run BlueScreen on Windows XP, Windows 2003 Server, or earlier versions. You can run it interactively or right-click it and install it as a screen saver. It cycles through various BSODs that are based on the components in the user’s system, so it’s a great gag – as well as a good training tool.

The Best of the Rest
Sysinternals offers lots of additional goodies, and here are ten more of our favorites:
RootkitRevealer – Use it to find suspected rootkits on Windows XP 32-bit computers
LogonSessions – Who else is logged onto your computer? If you’re on a network, this utility will help avoid unpleasant surprises.
ShareEnum – Instead of hopscotching around in My Network Places or the Network and Sharing Center, use ShareEnum to find out the network shares in your current domain, IP address range, or workgroup.
PendMoves and MoveFile – It’s getting easier to move files in Windows – unless they’re in use. Use this pair of command-line utilities to find out which files are scheduled to be moved after the next reboot, and to delete files on reboot. MoveFile is also a handy way to remove malware that can’t be removed while in use.
Sync – Worried about losing data on removable-media drives when you disconnect them? Use Sync to flush all file system data from cache to disk before you “pull the plug.”
PageDefrag – Fragmented paging (swap) files and registry hive files are bad news for 32-bit Windows XP users. Prevent problems by using PageDefrag to defragment these files.
Contig – If you change the contents of particular files frequently, these are the files that are most likely to become fragmented. Optimize them with Contig.
TCPView – Use it to find out what TCP and UDP ports are in use on your system, and what devices are at the other end.
Diskext – Displays volume and drive information for all physical and logical drives on your computer.
AccessChk – Who has access to system resources? Find out with AccessChk.
Tips for Using Sysinternals
Sysinternals utilities are powerful, but not all of them are easy to use. To optimize their functionality, keep these tips in mind:
- To run command-line Sysinternals tools easily, copy them to the Windows folder. By default, cmd.exe, the command interpreter for Windows, looks in \Windows and a few other folders for executable files. If you prefer to run Sysinternals from their own folders, you will need to navigate to the appropriate folder.
- Run Cmd.exe as Administrator. Because many of these utilities are command-line based, you should right-click Cmd.exe and select Run as Administrator, then start the program from the command line.
- Can’t open the program or help file? It may be blocked. If you can’t run a program or the HTML Help file doesn’t list any content, Windows has probably blocked the file for security reasons. To unblock the file, right-click the file and select Properties. Click Unblock on the General tab, then OK. You can then open the help file or run the program.
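The three tips above, done from a PowerShell prompt instead of the Properties sheet and a copy into \Windows. This is an added example, not from the article; it assumes the tools were extracted to C:\Tools\Sysinternals (a placeholder path) and uses only built-in cmdlets (Get-Item/Get-Content -Stream, Unblock-File, available from PowerShell 3.0).

```powershell
# Added example (not from the article): prepare a downloaded Sysinternals folder.
# Assumption: tools extracted to C:\Tools\Sysinternals (placeholder path).
$ToolDir = 'C:\Tools\Sysinternals'

# 1. A file downloaded from the Internet carries a Zone.Identifier alternate data
#    stream; that stream is what makes Windows "block" the EXE or the CHM help file.
$blocked = Get-ChildItem -Path $ToolDir -File |
    Where-Object { Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue }

foreach ($f in $blocked) {
    # The stream records the zone the file came from (ZoneId=3 is the Internet zone)
    $zone = Get-Content -Path $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    Write-Host ("Blocked: {0} ({1})" -f $f.Name, ($zone -join ' '))
}

# Remove the stream: the same effect as the Unblock button on the General tab
$blocked | Unblock-File -Verbose

# 2. Rather than copying the tools into \Windows, put their folder on PATH for this
#    session so cmd.exe and PowerShell find them from any directory (persist it with
#    setx or System Properties if you want it to survive the session).
if (($env:Path -split ';') -notcontains $ToolDir) {
    $env:Path = "$env:Path;$ToolDir"
}

# 3. Many of the tools need an elevated prompt; warn if this session is not one.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: re-launch PowerShell with Run as Administrator before using Autoruns, Sigcheck on system folders, or the PsTools.'
}
```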