The easiest way to get to the Sysinternals Web site (Figure 1) is to browse to http://www.sysinternals.com, which redirects to the Microsoft TechNet home of Sysinternals, currently at http://technet.microsoft.com/sysinternals.
In addition to all the Sysinternals utilities, the site contains or
links to many related resources, including training, books, blogs,
articles, webcasts, upcoming events, and the Sysinternals community
Figure 1. The Windows Sysinternals Web site.
1. Downloading the Utilities
You can download just the Sysinternals utilities that you need one at a
time, or download the entire set in a single compressed (.zip) file
called the Sysinternals Suite.
Links on the Sysinternals home page take you to pages that link to
individual utilities. The Utilities Index lists all the utilities on one
page; links to categories such as “File and Disk Utilities” or
“Networking Utilities” take you to pages that list only subsets of the
Each download is packaged
as a compressed (.zip) file that contains the executable (or
executables), an End User License Agreement (EULA) text file, and for
some of the utilities, an online help file.
The individual PsTool
utilities are available for download only in bundles—either the PsTools
suite or the full Sysinternals Suite.
My co-author, Aaron, makes it his
habit to create a “C:\Program Files\Sysinternals” folder and extract the
Sysinternals Suite into it, where it cannot be modified by
non-administrative users. He then adds that location to the Path system
environment variable so that he can easily launch the utilities from
anywhere, including from the Windows 7 Start menu search box as shown in Figure 2.
Figure 2. Launching Procmon via Path search from the Start menu search box.
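
The setup described above only protects you if the folder really is not writable by non-administrative users, because every directory on the system Path is a place Windows will launch binaries from. The following PowerShell is an added example, not code from the book; the list of trusted principals (English account names) and the function name Get-UntrustedWriter are assumptions made for illustration.

```powershell
# Added example. Run from an elevated prompt; $dir is the folder named in the text.
$dir = 'C:\Program Files\Sysinternals'

# Assumed baseline: principals that normally hold write access under Program Files
# (English account names; adjust for localized systems).
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

# Rights that let a principal replace or tamper with a binary in the folder,
# plus the raw GENERIC_WRITE and GENERIC_ALL bits that can appear in inherited ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$rights -bor 0x40000000 -bor 0x10000000

# Hypothetical helper: returns Allow entries that grant write-type access
# to anyone outside the trusted list.
function Get-UntrustedWriter {
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    }
}

$writers = Get-UntrustedWriter -Path $dir
if ($writers) {
    # Show who can modify the folder and refuse to put it on the Path.
    $writers | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    Write-Warning "$dir is writable by non-administrative principals; not adding it to Path."
} else {
    # Append to the system Path only if the folder is not already listed.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
    if (($machinePath -split ';') -notcontains $dir) {
        [Environment]::SetEnvironmentVariable('Path', "$($machinePath.TrimEnd(';'));$dir", 'Machine')
    }
}
```
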
Before extracting content from the downloaded .zip files, you should first
remove the marker that tells Windows to treat the content as untrusted
and that results in warnings and errors like those shown in Figure 3 and Figure 4.
The Windows Attachment Execution Service adds an alternate data stream
(ADS) to the .zip file indicating that it came from the Internet. When
you extract the files with Windows Explorer, it propagates the ADS to
all extracted files.
Figure 3. Windows displays a warning when files from the Internet are opened.
Figure 4. Compiled HTML Help (CHM) files fail to display content when marked as having come from the Internet.
One way to remove the ADS is to open the .zip file’s Properties dialog box
in Windows Explorer and click the Unblock button near the bottom of the
General tab as shown in Figure 5. Another way is to use the Sysinternals Streams utility.
Figure 5. The Unblock button appears near the bottom of the downloaded file’s Properties dialog box.
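
The same marker can be inspected and removed from PowerShell 3.0 or later, which is convenient when preparing the Suite on several machines. This is an added example, not code from the book; the stream is named Zone.Identifier, and the download path, extraction folder and the function name Get-MarkedFile are assumptions.

```powershell
# Added example. Assumed location of the downloaded archive (adjust as needed).
$zip = Join-Path $env:USERPROFILE 'Downloads\SysinternalsSuite.zip'

# The marker is an alternate data stream named Zone.Identifier.
# ZoneId=3 inside it means the file was recorded as coming from the Internet zone.
$ads = Get-Item -LiteralPath $zip -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
if ($ads) {
    Get-Content -LiteralPath $zip -Stream 'Zone.Identifier'

    # Record the archive's hash before trusting it, so it can be compared
    # with a copy obtained through another channel.
    Get-FileHash -LiteralPath $zip -Algorithm SHA256 | Format-List Algorithm, Hash

    # Equivalent to clicking Unblock in the Properties dialog box.
    Unblock-File -LiteralPath $zip
} else {
    Write-Output "No Zone.Identifier stream on $zip"
}

# Hypothetical helper: lists files under a folder that still carry the marker,
# for the case where the archive was extracted before it was unblocked.
function Get-MarkedFile {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File | Where-Object {
        Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    }
}

# Assumed extraction folder. Review the list, then clear the marker from each file.
$marked = Get-MarkedFile -Root 'C:\Program Files\Sysinternals'
$marked | Select-Object FullName
$marked | Unblock-File
```
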
2. Running the Utilities Directly from the Web
Sysinternals Live is a service that enables you to execute Sysinternals utilities
directly from the Web without first having to hunt for, download, and
extract them. Another advantage of Sysinternals Live is that it
guarantees you run the latest versions of the utilities.
To run a utility using Sysinternals Live from Internet Explorer, type http://live.sysinternals.com/utilityname.exe
in the address bar (for example,
http://live.sysinternals.com/procmon.exe). Alternatively, you can
specify the Sysinternals Live path in Universal Naming Convention (UNC)
(Note the addition of the “tools” subdirectory, which is not required
when you specify a utility’s URL.) For example, you can run the latest
version of Process Monitor by running \\live.sysinternals.com\tools\procmon.exe.
The UNC syntax for
launching utilities using Sysinternals Live requires that the WebClient
service be running. In newer versions of Windows, the service might not
be configured to start automatically. Starting the service directly (for
example, by running net start webclient) requires administrative rights. You can start the service indirectly without administrative rights by running net use \\live.sysinternals.com from a command prompt or by browsing to \\live.sysinternals.com with Windows Explorer.
You can also map a drive letter
to \\live.sysinternals.com\tools or open the folder as a remote share
in Windows Explorer, as shown in Figure 6. Similarly, you can view the entire Sysinternals Live directory in a browser at http://live.sysinternals.com.
Figure 6. Sysinternals Live displayed in Windows Explorer.
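
Because Sysinternals Live runs whatever the remote path currently serves, it is worth checking the WebClient service and the file's Authenticode signature before launching. This is an added example, not code from the book; the function name Start-LiveTool is hypothetical, and matching the signer on "O=Microsoft Corporation" is an assumption about how the utilities are signed.

```powershell
# Added example. Hypothetical helper that launches a Sysinternals Live utility
# over the UNC path only after its signature has been checked.
function Start-LiveTool {
    param([string]$Name = 'procmon.exe')

    # The UNC syntax needs the WebClient service, as described in the text.
    $svc = Get-Service -Name WebClient -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        # Starts the service indirectly, without administrative rights.
        net use \\live.sysinternals.com | Out-Null
    }

    $tool = "\\live.sysinternals.com\tools\$Name"

    # Status is 'Valid' only if the file is signed, unmodified since signing,
    # and the certificate chains to a trusted root on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $tool
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Assumption: the publisher's certificate subject contains this organization.
    if ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation') {
        & $tool
    } else {
        Write-Warning "Not launching $tool (signature status: $($sig.Status); signer: $subject)"
    }
}

Start-LiveTool -Name 'procmon.exe'
```
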
3. Single Executable Image
To simplify packaging, distribution, and portability without relying on
installation programs, all of the Sysinternals utilities are single
32-bit executable images that can be launched directly. They embed any
additional files they might need as resources and extract them either
into the folder in which the program resides or, if that folder isn’t
writable (for example, if it’s on read-only media), into the current
user’s %TEMP% folder. The program deletes extracted files when it no
longer needs them.
Supporting both 32-bit and
64-bit systems is one example where the Sysinternals utilities make use
of this technique. For utilities that require 64-bit versions to run
correctly on 64-bit Windows, the main 32-bit program identifies the CPU
architecture, extracts the appropriate x64 or IA64 binary, and launches
it. When running Process Explorer on x64, for instance, you will see
Procexp64.exe running as a child process of Procexp.exe.
If the program file extracts to
%TEMP%, the program will fail to run if the permissions on %TEMP% have
been modified to remove Execute permissions.
Most of the
Sysinternals utilities that use a kernel-mode driver extract the driver
file to %SystemRoot%\System32\Drivers, load the driver, and then delete
the file. The driver image remains in memory until the system is shut
down. When running a newer version of a utility that has an updated
driver, a reboot might be required to load the new driver.
4. The Windows Sysinternals Forums
The Windows Sysinternals Forums at http://forum.sysinternals.com (shown in Figure 7)
are the first and best place to get answers to your questions about the
Sysinternals utilities and to report bugs. You can search for posts and
topics by keyword to see whether anyone else has had the same issue as
you. There are forums dedicated to each of the major Sysinternals
utilities, as well as a forum for suggesting ideas for new features or
utilities. The Forums also host community discussion about Windows
internals, development, troubleshooting, and malware.
You must register and log in to
post to the Forums, but registration requires minimal information. After
you register, you can also subscribe for notifications about replies to
topics or new posts to particular forums, and you can send private
messages to and receive messages from other forum members.
Figure 7. The Windows Sysinternals Forums.
5. Windows Sysinternals Site Blog
Subscribing to the Sysinternals Site Discussion blog is the best way to receive
notifications when new utilities are published, existing utilities are
updated, or other new content becomes available on the Sysinternals
site. The site blog is located at http://blogs.technet.com/b/sysinternals. Although the front page notes only major utility updates, the site blog reports all updates, including minor ones.
6. Mark’s Blog
My own blog covers
Windows internals, security, and troubleshooting topics. The blog
features two popular article series related to Sysinternals: “The Case
of...” articles, which document how to solve everyday problems with the
Sysinternals utilities; and “Pushing the Limits,” which describes
resource limits in Windows, how to monitor them, and the effect of
hitting them. You can access my blog by using the following URL:
You also can find a full listing of my blog posts by title by clicking on the Mark’s Blog link on the Sysinternals home page.
7. Mark’s Webcasts
You can find a full list
of recordings of my presentations from TechEd and other conferences for
free on-demand viewing—including my top-rated “Case of the
Unexplained...” sessions, Sysinternals troubleshooting how-to sessions,
my Channel 9 interviews and the Springboard Virtual Roundtables that I
hosted—by clicking on the Mark’s Webcasts link on the Sysinternals home
page. The webcasts available at the time of this book’s publication are
included on this book’s companion media.