ADM291 A Tour of Sysinternals Tools - PowerPoint PPT Presentation

1 / 41

About This Presentation

Title:

ADM291 A Tour of Sysinternals Tools

Description:

Co-creator of Inside Windows 2000 An interactive internals ... Started with NTFSDOS, Regmon and Filemon hosted on Andrew ... Screen Saver. Check The ... – PowerPoint PPT presentation

Number of Views:865

Avg rating:3.0/5.0

Slides: 42

Provided by: markruss

Category:

more less

Transcript and Presenter's Notes

Title: ADM291 A Tour of Sysinternals Tools

1
ADM291A Tour of Sysinternals Tools

Mark RussinovichWinternals Software

2
About The Speaker

Co-author of Inside Windows 2000, 3rd Ed.
(Microsoft Press) with David Solomon
Contributing Editor and NTInternals columnist
forWindows and .NET Magazine
Creator of www.sysinternals.com
Co-founder and chief softwarearchitect of
Winternals Software (www.winternals.com)
Co-creator of Inside Windows 2000An interactive
internals tutorial (on DVD streaming Windows
media)

3
Outline

About Sysinternals
Monitoring Tools
Systems Administration Tools
File System Tools

4
About Sysinternals

Started with NTFSDOS, Regmon and Filemon hosted
on Andrew Schulmans site in mid-1996
www.ntinternals.com went live in late 1996
Under a dozen tools
1500 unique visitors/day

5
Sysinternals Today

Interesting statistics
75 tools, 2-dozen technical articles
25,000 unique visitors/day
30,000 downloads/day (4 GB of data)
150,000 unique visitors/month
36,000 newsletter subscribers
Almost 4-dozen KB-article references
Everything on the site is freeware
Cant redistribute without a license
Source code is licensed for use in commercial
products

6
Outline

About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools

7
Monitoring

Filemon
Regmon
Process Explorer
TCPView

8
Filemon/Regmon

Watch all file system or Registry accesses in
real-time
Ideal for troubleshooting broken application
installations
Useful for developers tracking down bugs or
performance tuning file system access
Work on all Windows OSs, including 64-bit
Windows XP
Used extensively within Microsoft
PSS
Windows XP Application Compatibility
Microsoft Office 2000

9
Using Filemon/Regmon

Requires no install or reboot
Just start using them
Includes filters for including, excluding, and
highlighting output
Cant include/exclude filter result codes on
Filemon for WinNT/2K/XP
Requires admin privilege to run
Trick run once as admin and then you can use
them as unprivileged users

10
How Filemon Works

Filemon uses a driver to intercept file I/O
access
A VxD on Windows 9x/Me
A file system filter driver on Windows
NT/Windows 2000/Windows XP

Application
Filemon GUI
User Mode Kernel Mode
Filemon Driver
File System Driver
11
How Regmon Works

Regmon uses a driver to intercept Registry
operations
A hook VxD on Windows 9x/Me
A system-call intercepting driver on Windows
NT/Windows 2000/Windows XP

Application
Regmon GUI
User Mode Kernel Mode
Regmon Driver
Registry Subsystem
12
Process Explorer

Process Explorer (formerly HandleEx) starts where
Task Manager ends
See detailed information about running processes,
including their paths and command-lines
Description of EXE
SID from process security token
View the DLLs processes have loaded, including
version numbers
See what handles processes have opened
Examine services running within service processes
Process Explorer works on all Windows platforms

13
Common Process Explorer Uses

Detect DLL versioning problems
Compare the output from a good system with that
of a broken system
Use the search feature to determine what process
is holding a file or directory open
View the state of synchronization objects
(mutexes, semaphores, events)
Detect handle leaks using refresh difference
highlighting

14
How Process Explorer Works

Uses undocumented functions for
Enumerating loaded modules with full path names
Enumerating processes and handles
Obtains handle names using the aid of a driver
Related Tools
Handle command-line handle viewer
Listdlls command-line DLL viewer

15
TCPView

GUI version of Netstat
Works on all Windows platforms
Lists active TCP and UDP endpoints
Shows endpoint owner on Windows NT/2000/Windows
XP/.NET Server
Includes auto-refresh and difference highlighting
You can close established TCP/IP connections
Works using documented and undocumented IPHelper
library functions

16
Other Monitoring Tools

DebugView
Monitor application debug output
Diskmon
Monitor hard disk activity
Pmon
Monitor process and thread activity
Portmon
Monitor serial and parallel port traffic
Tokenmon
Monitor security-related activity

17
Outline

About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools

18
Systems Administration

PsTools
PsList
PsKill
PsInfo
PsLogList
PsService
PsExec
PsSuspend
More
BgInfo
Autoruns

19
PsTools

PsTools consists of a total of 11 tools
They all work on Windows NT/Windows 2000/Windows
XP
They all work remotely as well as locally
None require manual remote software installation
Whered the Ps come from?
The UNIX process listing tool is named ps
The first PsTool was a UNIX ps-equivalent,
PsList

20
PsList

View detailed information about running
processes
Similar to tlist and pulist
Default view is mix of CPU and memory information
Other views show thread details, memory details,
or full information
Use the s switch to run it in a Task
Manager-type mode
Works using the performance counter API
WMI is only available by default on Windows
2000/Windows XP, not on Windows NT 4

21
PsKill

The perfect complement to PsList is PsKill
Similar to Resource Kit Kill and Remote Kill
See a process running on a remote (or local)
system with PsList, kill it with PsKill
Unlike Task Manager, PsKill lets you kill any
process if youre an admin
Uses Debug privilege
Uses auto-installed remote service and
TerminateProcess API

22
PsInfo

Get detailed information about a system
OS version
type (pro, server, etc.)
Service Pack
Hot-fixes
CPU and memory
Uptime
Volume information
Uses documented APIs
Registry (remote, if applicable)
WMI for XP product activation query

23
PsLogList

Dump and optionally clear event logs
Like eloglist from the Resource Kit
PsLogList lets you dump logs using alternate
credentials
Gets event strings from remote system
Like eloglist, dumps in tab-delimited format for
easy import into spreadsheets
Has extensive support for filtering on record
type and date range
Uses documented Event Log APIs, which work
remotely

24
PsService

Control Win32 services
Like the Resource Kits and XP/Server 2003s SC
Unlike SC, doesnt make you remember and manually
specify a resume handle
Same syntax as SC
Omits several esoteric SC options
Search the network for active instances of a
service
Uses documented Service Control Manager APIs,
which work remotely

25
PsExec

Remotely execute programs
Executes console programs interactively
Allows you to start programs as yourself , in
alternate user credentials, or in the System
account
With PsExec you can
Launch a remote command prompt to effect a
light-weight telnet
Remote-enable local only command-line tools
like IpConfig
Uses auto-installed remote service

26
PsExec

Options of interest include
-s Run in System account (instead of account of
user running PsExec)
-i Show GUI windows on interactive console
-d Dont wait for remote process to terminate
-c Copy an executable to the remote system

27
PsSuspend

Microsoft provides no process-suspend utility
like PsSuspend for pausing a process thats using
a resource
Memory
CPU
Network
Windows NT and 2000 have no suspend process
capability, so PsSuspend suspends individual
threads

28
BgInfo (Background Info)

If you manage more than a handful of systems,
youve run into the what machine is this
syndrome
BgInfo creates an auto-generated informative
desktop background
System name
Memory
IP Address
OS version
Whatever you want!

29
Autoruns

There are almost 2-dozen places that can be used
to configure automatically started applications
Autoruns shows you all of the locations and
displays programs configured to run in them
Double-click a folder or key to jump to it in
Explorer or Regedit
Double-click a configured application to view its
properties

30
Outline

About Sysinternals
Monitoring Tools
Systems Administration Tools
File-Related Tools

31
File-Related Tools

Contig
PageDefrag
Streams
Strings

32
Contig

Command-line Windows NT/Windows 2000/Windows XP
file defragmenter
Useful for
Defragmenting specific files
Creating new contiguous files
Defragmenting entire disks
Uses Windows NT/Windows 2000/Windows XP
defragmenting API, documented at Sysinternals

33
PageDefrag

Defragments paging files and Registry hives at
boot time
Implemented as native application
Launched by Session Manager because listed in
HKLM\System\CurrentControlSet\Control\Session
Manager\BootExecute value
Uses native API
Uses Contig defragmentation engine
Supports command-line options for scripted install

34
Streams

Streams, which require NTFS, used to be rarely
used
Now there are several components that make use of
them
Services for Macintosh
Explorer
Viruses
Streams can search directories for files with
streams and display their names

35
Strings

Some executables do not identify themselves with
version information or descriptive names
Strings will look inside a file image for
printable text that include
Registry key and value names
Debug strings
File names
Internal build information

36
After Hours

The Sysinternals Bluescreen Screen Saver

37
Check The Site Often

There are updates, bug fixes, new tools and
articles on a regular basis
Im always open to tool suggestions
Sign up for the newsletter to get inside
information on the tools and Windows internals

38
For More Info...