Windows® Sysinternals Administrator’s Reference
Foreword
Introduction
Tools the Book Covers
The History of Sysinternals
Who Should Read This Book
Assumptions
Organization of This Book
Conventions and Features in This Book
System Requirements
Acknowledgments
Errata & Book Support
We Want to Hear from You
Stay in Touch
I. Getting Started
1. Getting Started with the Sysinternals Utilities
Overview of the Utilities
The Windows Sysinternals Web Site
Downloading the Utilities
Running the Utilities Directly from the Web
Single Executable Image
The Windows Sysinternals Forums
Windows Sysinternals Site Blog
Mark’s Blog
Mark’s Webcasts
Sysinternals License Information
End User License Agreement and the /accepteula Switch
Frequently Asked Questions About Sysinternals Licensing
2. Windows Core Concepts
Administrative Rights
Running a Program with Administrative Rights on Windows XP and Windows Server 2003
Running a Program with Administrative Rights on Windows Vista or Newer
Processes, Threads, and Jobs
User Mode and Kernel Mode
Handles
Call Stacks and Symbols
What Is a Call Stack?
What Are Symbols?
Configuring Symbols
Sessions, Window Stations, Desktops, and Window Messages
Terminal Services Sessions
Window Stations
Desktops
Window Messages
II. Usage Guide
3. Process Explorer
Procexp Overview
Measuring CPU Consumption
Administrative Rights
Main Window
Process List
Process Highlighting
Updating the Display
Default Columns
Process Tree
Tooltips
What You Can Expect to See
System processes
Startup and Logon Processes
User Processes
Process Actions
Customizing Column Selections
Process Image Tab
Process Performance Tab
Process Memory Tab
.NET Tab
Process I/O Tab
Process Network Tab
Process Disk Tab
Column Sets
Saving Displayed Data
Toolbar Reference
Graphs
Toolbar Buttons
Identifying the Process That Owns a Window
Status Bar
DLLs and Handles
Finding DLLs or Handles
DLL View
Customizing DLL View
Peering Deeper into DLLs
Handle View
Customizing Handle View
Process Details
Image Tab
Performance Tab
Performance Graph Tab
Threads Tab
TCP/IP Tab
Security Tab
Environment Tab
Strings Tab
Services Tab
.NET Tabs
Job Tab
Thread Details
Verifying Image Signatures
System Information
Display Options
Procexp as a Task Manager Replacement
Creating Processes from Procexp
Other User Sessions
Miscellaneous Features
Shutdown Options
Command-Line Switches
Restoring Procexp Defaults
Keyboard Shortcut Reference
4. Process Monitor
Getting Started with Procmon
Events
Understanding the Column Display Defaults
Customizing the Column Display
Event Properties Dialog Box
Event Tab
Process Tab
Stack Tab
Displaying Profiling Events
Finding an Event
Copying Event Data
Jumping to a Registry or File Location
Searching Online
Filtering and Highlighting
Configuring Filters
Configuring Highlighting
Advanced Output
Saving Filters for Later Use
Process Tree
Saving and Opening Procmon Traces
Saving Procmon Traces
Opening Saved Procmon Traces
Logging Boot, Post-Logoff, and Shutdown Activity
Boot Logging
Keeping Procmon Running After Logoff
Long-Running Traces and Controlling Log Sizes
Drop Filtered Events
History Depth
Backing Files
Importing and Exporting Configuration Settings
Automating Procmon: Command-Line Options
Analysis Tools
Process Activity Summary
File Summary
Registry Summary
Stack Summary
Network Summary
Cross Reference Summary
Count Occurrences
Injecting Debug Output into Procmon Traces
Toolbar Reference
5. Autoruns
Autoruns Fundamentals
Disabling or Deleting Autostart Entries
Autoruns and Administrative Permissions
Verifying Code Signatures
Hiding Microsoft Entries
Getting More Information About an Entry
Viewing the Autostarts of Other Users
Viewing ASEPs of an Offline System
Listing Unused ASEPs
Changing the Font
Autostart Categories
Logon
Explorer
Internet Explorer
Scheduled Tasks
Services
Drivers
Codecs
Boot Execute
Image Hijacks
AppInit
KnownDLLs
Winlogon
Winsock Providers
Print Monitors
LSA Providers
Network Providers
Sidebar Gadgets
Saving and Comparing Results
Saving as Tab-Delimited Text
Saving in Binary (.arn) Format
Viewing and Comparing Saved Results
AutorunsC
Autoruns and Malware
6. PsTools
Common Features
Remote Operations
Remote Operations on Multiple Computers
Alternate Credentials
Troubleshooting Remote PsTools Connections
Basic Connectivity
User Accounts
PsExec
Remote Process Exit
Redirected Console Output
PsExec Alternate Credentials
PsExec Command-Line Options
Process Performance Options
Remote Connectivity Options
Runtime Environment Options
PsFile
PsGetSid
PsInfo
PsKill
PsList
PsLoggedOn
PsLogList
PsPasswd
PsService
Query
Config
Depend
Security
Find
SetConfig
Start, Stop, Restart, Pause, Continue
PsShutdown
PsSuspend
PsTools Command-Line Syntax
PsExec
PsFile
PsGetSid
PsInfo
PsKill
PsList
PsLoggedOn
PsLogList
PsPasswd
PsService
PsShutdown
PsSuspend
PsTools System Requirements
7. Process and Diagnostic Utilities
VMMap
Starting VMMap and Choosing a Process
View a Running Process
Launch and Trace a New Process
The VMMap window
Memory Types
Memory Information
Timeline and Snapshots
Viewing Text Within Memory Regions
Finding and Copying Text
Viewing Allocations from Instrumented Processes
Address Space Fragmentation
Saving and Loading Snapshot Results
VMMap Command-Line Options
-64
-p {PID | processname} [outputfile]
-o inputfile
Restoring VMMap defaults
ProcDump
Command-Line Syntax
Specifying Which Process to Monitor
Specifying the Dump File Path
Specifying Criteria for a Dump
Dump File Options
Miniplus Dumps
Running ProcDump Noninteractively
Capturing All Application Crashes with ProcDump
Viewing the Dump in the Debugger
DebugView
What Is Debug Output?
The DebugView Display
Capturing User-Mode Debug Output
Capturing Kernel-Mode Debug Output
Searching, Filtering, and Highlighting Output
Clearing the Display
Searching
Filtering
Highlighting
Saving and Restoring Filter and Highlight Rules
History Depth
Saving, Logging, and Printing
Logging
Printing
Remote Monitoring
Running the DebugView Agent
LiveKd
LiveKd Requirements
Running LiveKd
LiveKd Examples
ListDLLs
Handle
Handle List and Search
Handle Counts
Closing Handles
8. Security Utilities
SigCheck
Signature Verification
Which Files to Scan
Additional File Information
Output Format
AccessChk
What Are “Effective Permissions”?
Using AccessChk
Object Type
Searching for Access Rights
Output Options
AccessEnum
ShareEnum
ShellRunAs
Autologon
LogonSessions
SDelete
Using SDelete
How SDelete Works
9. Active Directory Utilities
AdExplorer
Connecting to a Domain
The AdExplorer Display
Objects
Attributes
Searching
Snapshots
AdExplorer Configuration
AdInsight
AdInsight Data Capture
Display Options
Setting Time Display Options
Display Names
Finding Information of Interest
Finding Text
Highlighting Events
Viewing Associated Events
Finding Event Errors
Filtering Results
Saving and Exporting AdInsight Data
Command-Line Options
AdRestore
10. Desktop Utilities
BgInfo
Configuring Data to Display
Appearance Options
Saving BgInfo Configuration for Later Use
Other Output Options
Updating Other Desktops
Desktops
ZoomIt
Using ZoomIt
Zoom Mode
Drawing Mode
Typing Mode
Break Timer
LiveZoom
11. File Utilities
Strings
Streams
NTFS Link Utilities
Junction
FindLinks
DU (Disk Usage)
Post-Reboot File Operation Utilities
PendMoves
MoveFile
12. Disk Utilities
Disk2Vhd
Diskmon
Sync
DiskView
Contig
PageDefrag
DiskExt
LDMDump
VolumeID
13. Network and Communication Utilities
TCPView
Whois
Portmon
Searching, Filtering, and Highlighting
Saving, Logging, and Printing
14. System Information Utilities
RAMMap
Use Counts
Processes
Priority Summary
Physical Pages
Physical Ranges
File Summary
File Details
Purging Physical Memory
Saving and Loading Snapshots
CoreInfo
ProcFeatures
WinObj
LoadOrder
PipeList
ClockRes
15. Miscellaneous Utilities
RegJump
Hex2Dec
RegDelNull
Bluescreen Screen Saver
Ctrl2Cap
III. Troubleshooting—“The Case of the Unexplained...”
16. Error Messages
The Case of the Locked Folder
The Case of the Failed AV Update
The Case of the Failed Lotus Notes Backups
The Case of the Failed Play-To
The Case of the Crashing Proksi Utility
The Case of the Installation Failure
The Troubleshooting
The Analysis
What Is IniFileMapping?
What Is Autorun.inf?
Why Did This Computer Have an IniFileMapping for Autorun.inf?
Why Did This Application Install Fail?
The Case of the Missing Folder Association
The Case of the Temporary Registry Profiles
17. Hangs and Sluggish Performance
The Case of the IExplore-Pegged CPU
The Case of the Excessive ReadyBoost
The Case of the Slow Keynote Demo
The Case of the Slow Project File Opens
The Compound Case of the Outlook Hangs
18. Malware
The Case of the Sysinternals-Blocking Malware
The Case of the Process-Killing Malware
The Case of the Fake System Component
The Case of the Mysterious ASEP
A. About the Authors
Index
About the Authors