The Windows Sysinternals Web Site

7/16/2011 9:00:12 AM
The easiest way to get to the Sysinternals Web site (Figure 1) is to browse to, which redirects to the Microsoft TechNet home of Sysinternals, currently at In addition to all the Sysinternals utilities, the site contains or links to many related resources, including training, books, blogs, articles, webcasts, upcoming events, and the Sysinternals community forum.
Figure 1. The Windows Sysinternals Web site.

1. Downloading the Utilities

You can download just the Sysinternals utilities that you need one at a time, or download the entire set in a single compressed (.zip) file called the Sysinternals Suite. Links on the Sysinternals home page take you to pages that link to individual utilities. The Utilities Index lists all the utilities on one page; links to categories such as “File and Disk Utilities” or “Networking Utilities” take you to pages that list only subsets of the utilities.

Each download is packaged as a compressed (.zip) file that contains the executable (or executables), an End User License Agreement (EULA) text file, and for some of the utilities, an online help file.


The individual PsTool utilities are available for download only in bundles—either the PsTools suite or the full Sysinternals Suite.

My co-author, Aaron, makes it his habit to create a “C:\Program Files\Sysinternals” folder and extract the Sysinternals Suite into it, where it cannot be modified by non-administrative users. He then adds that location to the Path system environment variable so that he can easily launch the utilities from anywhere, including from the Windows 7 Start menu search box as shown in Figure 2.

Figure 2. Launching Procmon via Path search from the Start menu search box.

“Unblock” .zip Files Before Extracting Files

Before extracting content from the downloaded .zip files, you should first remove the marker that tells Windows to treat the content as untrusted and that results in warnings and errors like those shown in Figure 3 and Figure 4. The Windows Attachment Execution Service adds an alternate data stream (ADS) to the .zip file indicating that it came from the Internet. When you extract the files with Windows Explorer, it propagates the ADS to all extracted files.

Figure 3. Windows displays a warning when files from the Internet are opened.

Figure 4. Compiled HTML Help (CHM) files fail to display content when marked as having come from the Internet.

One way to remove the ADS is to open the .zip file’s Properties dialog box in Windows Explorer and click the Unblock button near the bottom of the General tab as shown in Figure 5. Another way is to use the Sysinternals Streams utility.

Figure 5. The Unblock button appears near the bottom of the downloaded file’s Properties dialog box.

2. Running the Utilities Directly from the Web

Sysinternals Live is a service that enables you to execute Sysinternals utilities directly from the Web without first having to hunt for, download, and extract them. Another advantage of Sysinternals Live is that it guarantees you run the latest versions of the utilities.

To run a utility using Sysinternals Live from Internet Explorer, type in the address bar (for example, Alternatively, you can specify the Sysinternals Live path in Universal Naming Convention (UNC) as \\\tools\utilityname.exe. (Note the addition of the “tools” subdirectory, which is not required when you specify a utility’s URL.) For example, you can run the latest version of Process Monitor by running \\\tools\procmon.exe.


The UNC syntax for launching utilities using Sysinternals Live requires that the WebClient service be running. In newer versions of Windows, the service might not be configured to start automatically. Starting the service directly (for example, by running net start webclient) requires administrative rights. You can start the service indirectly without administrative rights by running net use \\ from a command prompt or by browsing to \\ with Windows Explorer.

You can also map a drive letter to \\\tools or open the folder as a remote share in Windows Explorer, as shown in Figure 6. Similarly, you can view the entire Sysinternals Live directory in a browser at

Figure 6. Sysinternals Live displayed in Windows Explorer.

3. Single Executable Image

To simplify packaging, distribution, and portability without relying on installation programs, all of the Sysinternals utilities are single 32-bit executable images that can be launched directly. They embed any additional files they might need as resources and extract them either into the folder in which the program resides or, if that folder isn’t writable (for example, if it’s on read-only media), into the current user’s %TEMP% folder. The program deletes extracted files when it no longer needs them.

Supporting both 32-bit and 64-bit systems is one example where the Sysinternals utilities make use of this technique. For utilities that require 64-bit versions to run correctly on 64-bit Windows, the main 32-bit program identifies the CPU architecture, extracts the appropriate x64 or IA64 binary, and launches it. When running Process Explorer on x64, for instance, you will see Procexp64.exe running as a child process of Procexp.exe.


If the program file extracts to %TEMP%, the program will fail to run if the permissions on %TEMP% have been modified to remove Execute permissions.

Most of the Sysinternals utilities that use a kernel-mode driver extract the driver file to %SystemRoot%\System32\Drivers, load the driver, and then delete the file. The driver image remains in memory until the system is shut down. When running a newer version of a utility that has an updated driver, a reboot might be required to load the new driver.

4. The Windows Sysinternals Forums

The Windows Sysinternals Forums at (shown in Figure 7) are the first and best place to get answers to your questions about the Sysinternals utilities and to report bugs. You can search for posts and topics by keyword to see whether anyone else has had the same issue as you. There are forums dedicated to each of the major Sysinternals utilities, as well as a forum for suggesting ideas for new features or utilities. The Forums also host community discussion about Windows internals, development, troubleshooting, and malware.

You must register and log in to post to the Forums, but registration requires minimal information. After you register, you can also subscribe for notifications about replies to topics or new posts to particular forums, and you can send private messages to and receive messages from other forum members.

Figure 7. The Windows Sysinternals Forums.

5. Windows Sysinternals Site Blog

Subscribing to the Sysinternals Site Discussion blog is the best way to receive notifications when new utilities are published, existing utilities are updated, or other new content becomes available on the Sysinternals site. The site blog is located at Although the front page notes only major utility updates, the site blog reports all updates, including minor ones.

6. Mark’s Blog

My own blog covers Windows internals, security, and troubleshooting topics. The blog features two popular article series related to Sysinternals: “The Case of...” articles, which document how to solve everyday problems with the Sysinternals utilities; and “Pushing the Limits,” which describes resource limits in Windows, how to monitor them, and the effect of hitting them. You can access my blog by using the following URL:

You also can find a full listing of my blog posts by title by clicking on the Mark’s Blog link on the Sysinternals home page.

7. Mark’s Webcasts

You can find a full list of recordings of my presentations from TechEd and other conferences for free on-demand viewing—including my top-rated “Case of the Unexplained...” sessions, Sysinternals troubleshooting how-to sessions, my Channel 9 interviews and the Springboard Virtual Roundtables that I hosted—by clicking on the Mark’s Webcasts link on the Sysinternals home page. The webcasts available at the time of this book’s publication are included on this book’s companion media.

Other -----------------
- Overview of Internet Explorer 8 (part 4) - Installing Add-Ons to IE8 & Configuring Windows Internet Explorer 8 Options
- Overview of Internet Explorer 8 (part 3) - Using New Security and Safety Features of IE8 & Working with SmartScreen Filters
- Overview of Internet Explorer 8 (part 2) - Defining IE8 Web Slices & Using IE8 Compatibility View
- Overview of Internet Explorer 8 (part 1) - Defining IE8 Accelerators
- Windows 7 : Configuring Hardware and Applications - Managing Applications
- Windows 7 : Configuring Hardware and Applications - Managing Printers
- Windows 7 : Configuring Hardware (part 2) - Installing and Updating Device Drivers & Driver Signing
- Windows 7 : Configuring Hardware (part 1) - Device Stage & Using Device Manager
- Windows 7 : Scripting Windows with PowerShell - Creating PowerShell Scripts
- Windows 7 : Scripting Windows with PowerShell - Scripting Objects
- Windows 7 : Scripting Windows with PowerShell - Running PowerShell Cmdlets
- Windows 7 : Scripting Windows with PowerShell - Getting Started with PowerShell
- Scripting Windows 7 with WSH : Programming the Windows Management Instrumentation Service
- Scripting Windows 7 with WSH : Scripting Internet Explorer
- Scripting Windows 7 with WSH : Programming the WshNetwork Object
- Scripting Windows 7 with WSH : Programming the WshShell Object (part 2)
- Scripting Windows 7 with WSH : Programming the WshShell Object (part 1)
- Scripting Windows 7 with WSH : Programming the WScript Object
- Scripting Windows 7 with WSH : Programming Objects
- Scripting Windows 7 with WSH : Scripts and Script Execution
Most View
- Exchange Server 2010 : Availability Planning for Mailbox Servers (part 4) - DAG Networks
- BizTalk 2009 : Using XML Namespaces (part 2) - Using Port Filters and Content-Based Routing
- BizTalk Server 2009 : The core principles of a service-oriented architecture (part 2)
- Keyword Research Tools (part 6)
- Microsoft XNA Game Studio 3.0 : Adding Bread to Your Game (part 1) - Using a Structure to Hold Sprite Information, Using the Gamepad Thumbsticks to Control Movement
- Microsoft Exchange Server 2003: Configuring Recipient Objects (part 4) - Configuring Storage Limits for Individual Mailboxes
- Writing Your First Phone Application - Adding Code (part 2)
- SQL Server 2008 R2 : Space Allocation Structures
- Windows Help Desk (Part 2) - AppCleaner backup, Moving partitions to resize them
- Windows 7 : Using Volume Activation (part 2) - Volume Activation Scenarios
Top 10
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 3) - Configuring Recipient Filtering
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 2)
- Implementing Edge Services for an Exchange Server 2007 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 1)
- Implementing Edge Services for an Exchange Server 2007 Environment : Installing and Configuring the Edge Transport Server Components
- What's New in SharePoint 2013 (part 7) - BCS
- What's New in SharePoint 2013 (part 6) - SEARCH
- What's New in SharePoint 2013 (part 6) - WEB CONTENT MANAGEMENT
- What's New in SharePoint 2013 (part 5) - ENTERPRISE CONTENT MANAGEMENT
- What's New in SharePoint 2013 (part 4) - WORKFLOWS
- What's New in SharePoint 2013 (part 3) - REMOTE EVENTS