├── .gitignore
├── README.md
├── sysinternals
│   ├── downloads
│   │   ├── procfeatures.md
│   │   ├── filemon.md
│   │   ├── diskext.md
│   │   ├── regmon.md
│   │   ├── regjump.md
│   │   ├── diskview.md
│   │   ├── clockres.md
│   │   ├── adrestore.md
│   │   ├── whois.md
│   │   ├── hex2dec.md
│   │   ├── efsdump.md
│   │   ├── loadorder.md
│   │   ├── networking-utilities.md
│   │   ├── du.md
│   │   ├── reghide.md
│   │   ├── pipelist.md
│   │   ├── accessenum.md
│   │   ├── ru.md
│   │   ├── autologon.md
│   │   ├── volumeid.md
│   │   ├── sync.md
│   │   ├── adexplorer.md
│   │   ├── cpustres.md
│   │   ├── regdelnull.md
│   │   ├── logonsessions.md
│   │   ├── shareenum.md
│   │   ├── notmyfault.md
│   │   ├── findlinks.md
│   │   ├── movefile.md
│   │   ├── pendmoves.md
│   │   ├── psfile.md
│   │   ├── strings.md
│   │   ├── listdlls.md
│   │   ├── shellrunas.md
│   │   ├── adinsight.md
│   │   ├── security-utilities.md
│   │   ├── zoomit.md
│   │   ├── system-information.md
│   │   ├── streams.md
│   │   ├── diskmon.md
│   │   ├── winobj.md
│   │   ├── sysinternals-suite.md
│   │   ├── process-utilities.md
│   │   ├── junction.md
│   │   ├── misc-utilities.md
│   │   ├── vmmap.md
│   │   ├── desktops.md
│   │   ├── ldmdump.md
│   │   ├── tcpview.md
│   │   ├── psloggedon.md
│   │   ├── bluescreen.md
│   │   ├── testlimit.md
│   │   ├── rammap.md
│   │   ├── pssuspend.md
│   │   ├── ntfsinfo.md
│   │   ├── pskill.md
│   │   ├── pslist.md
│   │   ├── file-and-disk-utilities.md
│   │   ├── contig.md
│   │   ├── psservice.md
│   │   ├── ctrl2cap.md
│   │   ├── pagedefrag.md
│   │   ├── pstools.md
│   │   ├── procmon.md
│   │   ├── pspasswd.md
│   │   ├── psgetsid.md
│   │   ├── handle.md
│   │   ├── sigcheck.md
│   │   ├── process-explorer.md
│   │   ├── disk2vhd.md
│   │   └── accesschk.md
│   ├── community.md
│   ├── Announce
│   │   ├── SHA1Deprecation.md
│   │   └── TLSDeprecation.md
│   ├── docfx.json
│   ├── license-faq.md
│   └── learn
│       └── inside-native-applications.md
├── .openpublishing.build.ps1
├── LICENSE-CODE
├── ThirdPartyNotices
├── .openpublishing.publish.config.json
└── CONTRIBUTING.md

/.gitignore:
log/
obj/
_site/
.optemp/
_themes*/

.openpublishing.buildcore.ps1

/README.md:
# Windows Sysinternals Documentation

This is the source repository for https://docs.microsoft.com/sysinternals/

## Contributing

Please see [CONTRIBUTING.md](./CONTRIBUTING.md) if you wish to contribute fixes or updates.

## Microsoft Open Source Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.

/sysinternals/downloads/procfeatures.md:
---
TOCTitle: ProcFeatures
title: ProcFeatures
ms:assetid: '922f7441-5dec-40bb-a21b-aa777274344e'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897554(v=MSDN.10)'
ms.date: 09/01/2011
---

ProcFeatures v1.1
=================

**By Mark Russinovich**

Published: November 1, 2006
Retired: September 1, 2011

**NOTE:** ProcFeatures has been retired, as the latest additions to [**Coreinfo**](coreinfo.md) make this utility obsolete. Coreinfo v3 now shows the processor features supported by the system's processors.

/sysinternals/downloads/filemon.md:
---
TOCTitle: FileMon
title: FileMon for Windows
description: This monitoring tool lets you see all file access activity in real-time.
ms:assetid: 'f0149462-bb51-4b25-9d47-39eb5eb1dee1'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896642(v=MSDN.10)'
---

FileMon for Windows v7.04
=========================

**By Mark Russinovich**

Published: November 1, 2006

FileMon and Regmon are no longer available for download. They have been replaced by [Process Monitor](procmon.md) on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista.

/.openpublishing.build.ps1:
param(
    [string]$buildCorePowershellUrl = "https://opbuildstorageprod.blob.core.windows.net/opps1container/.openpublishing.buildcore.ps1",
    [string]$parameters
)
# Main
$errorActionPreference = 'Stop'

# Step-1: Download buildcore script to local
# (the build-core script is fetched over HTTPS and then executed as downloaded;
#  no hash or signature check is performed on it before it runs)
echo "download build core script to local with source url: $buildCorePowershellUrl"
$repositoryRoot = Split-Path -Parent $MyInvocation.MyCommand.Definition
$buildCorePowershellDestination = "$repositoryRoot\.openpublishing.buildcore.ps1"
Invoke-WebRequest $buildCorePowershellUrl -OutFile "$buildCorePowershellDestination"

# Step-2: Run build core
echo "run build core script with parameters: $parameters"
& "$buildCorePowershellDestination" "$parameters"
exit $LASTEXITCODE

/sysinternals/community.md:
---
TOCTitle: Sysinternals Community
title: Sysinternals Community
ms:assetid: 'e81be4ea-3647-4997-837f-74a3c8a298f7'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb469929(v=MSDN.10)'
ms.date: 06/13/2019
---

# Sysinternals Community

## Follow on Twitter

[Follow @Sysinternals](https://twitter.com/Sysinternals)
[Follow @MarkRussinovich](https://twitter.com/markrussinovich)

## Search and Post Questions in the Forums

The [Sysinternals Forums](https://social.technet.microsoft.com/Forums/en-US/home?category=sysinternals&filter=alltypes&sort=lastpostdesc) allow you to search a growing archive of technical questions and answers.

## [Browse the Forums](https://social.technet.microsoft.com/Forums/en-US/home?category=sysinternals&filter=alltypes&sort=lastpostdesc)

/sysinternals/downloads/diskext.md:
---
TOCTitle: DiskExt
title: DiskExt
description: Display volume disk-mappings.
ms:assetid: 'b13abe76-3276-4462-8591-46b0babf1336'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896648(v=MSDN.10)'
ms.date: 07/04/2016
---

DiskExt v1.2
============

**By Mark Russinovich**

Published: July 4, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DiskExt.zip) [**Download DiskExt**](https://download.sysinternals.com/files/DiskExt.zip) **(146 KB)**

## Introduction

*DiskExt* demonstrates the use of the IOCTL\_VOLUME\_GET\_VOLUME\_DISK\_EXTENTS command, which returns information about which disks the partitions of a volume are located on (multipartition volumes can reside on multiple disks) and where on each disk those partitions are located.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DiskExt.zip) [**Download DiskExt**](https://download.sysinternals.com/files/DiskExt.zip) **(146 KB)**

/sysinternals/downloads/regmon.md:
---
TOCTitle: RegMon
title: RegMon for Windows
description: This monitoring tool lets you see all Registry activity in real-time.
ms:assetid: '531bc878-a910-4238-89bb-5831687e85d4'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896652(v=MSDN.10)'
ms.date: 11/01/2006
---

RegMon for Windows v7.04
========================

**By Mark Russinovich**

Published: November 1, 2006

RegMon and FileMon are no longer available for download. They have been replaced by [Process Monitor](procmon.md) on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista.

## Related Utilities

Here are some other monitoring tools available at Sysinternals:

- [PortMon](portmon.md) - a serial and parallel port monitor
- [Process Monitor](procmon.md) - a process and thread monitor
- [DiskMon](diskmon.md) - a hard disk monitor
- [DebugView](debugview.md) - a debug output monitor

/LICENSE-CODE:
The MIT License (MIT)
Copyright (c) Microsoft Corporation

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

/ThirdPartyNotices:
## Legal Notices
Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode), see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the [LICENSE-CODE](LICENSE-CODE) file.

Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.

Privacy information can be found at https://privacy.microsoft.com/en-us/

Microsoft and any contributors reserve all other rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.

/sysinternals/downloads/regjump.md:
---
TOCTitle: RegJump
title: RegJump
description: Jump to the registry path you specify in Regedit.
ms:assetid: 'ff151201-32cc-4b44-b314-3ccb19171a2a'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963880(v=MSDN.10)'
ms.date: 04/20/2015
---

RegJump v1.1
============

**By Mark Russinovich**

Published: April 20, 2015

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RegJump.zip) [**Download RegJump**](https://download.sysinternals.com/files/RegJump.zip) **(53 KB)**

## Introduction

This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard form (e.g. HKEY\_LOCAL\_MACHINE) and abbreviated form (e.g. HKLM).

**usage: regjump \<path\> | -c**

|Parameter |Description |
|---------|---------|
| **-c** | Copy the path from the clipboard. |

e.g.: regjump HKLM\\Software\\Microsoft\\Windows

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RegJump.zip) [**Download RegJump**](https://download.sysinternals.com/files/RegJump.zip) **(53 KB)**

/sysinternals/downloads/diskview.md:
---
TOCTitle: DiskView
title: DiskView
description: Graphical disk sector utility.
ms:assetid: '3f42dea1-2beb-46ff-b818-9012ccc0260d'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896650(v=MSDN.10)'
ms.date: 03/25/2010
---

DiskView v2.4
=============

**By Mark Russinovich**

Published: March 25, 2010

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DiskView.zip) [**Download DiskView**](https://download.sysinternals.com/files/DiskView.zip) **(288 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/DiskView.exe).

## Introduction

DiskView shows you a graphical map of your disk, allowing you to determine where a file is located or, by clicking on a cluster, to see which file occupies it. Double-click to get more information about the file to which a cluster is allocated.

![DiskView](/media/landing/sysinternals/diskview.gif)

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DiskView.zip) [**Download DiskView**](https://download.sysinternals.com/files/DiskView.zip) **(288 KB)**

**Run now** from [Sysinternals Live](https://live.sysinternals.com/DiskView.exe).

/sysinternals/downloads/clockres.md:
---
TOCTitle: ClockRes
title: ClockRes
description: View the resolution of the system clock, which is also the maximum timer resolution.
ms:assetid: '7fca750c-c71b-4c85-8275-80e6d4067b7c'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897568(v=MSDN.10)'
ms.date: 07/04/2016
---

ClockRes v2.1
=============

**By Mark Russinovich**

Published: July 4, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ClockRes.zip) [**Download ClockRes**](https://download.sysinternals.com/files/ClockRes.zip) **(142 KB)**

## Introduction

Ever wondered what the resolution of the system clock is, or perhaps the maximum timer resolution that your application could obtain? The answer lies in a simple function named *GetSystemTimeAdjustment*, and the *ClockRes* applet calls this function and shows you the result.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ClockRes.zip) [**Download ClockRes**](https://download.sysinternals.com/files/ClockRes.zip) **(142 KB)**

**Runs on:**

- Client: Windows Vista and higher
- Server: Windows Server 2008 and higher
- Nano Server: 2016 and higher

/sysinternals/downloads/adrestore.md:
---
TOCTitle: AdRestore
title: AdRestore
description: Undelete Server 2003 Active Directory objects.
ms:assetid: '8de4d67f-98dc-4222-ab3c-88844ac78ccb'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963906(v=MSDN.10)'
ms.date: 11/01/2006
---

AdRestore v1.1
==============

**By Mark Russinovich**

Published: November 1, 2006

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ADRestore.zip) [**Download AdRestore**](https://download.sysinternals.com/files/ADRestore.zip) **(42 KB)**

## Introduction

Windows Server 2003 introduces the ability to restore deleted ("tombstoned") objects. This simple command-line utility enumerates the deleted objects in a domain and gives you the option of restoring each one. Source code is based on sample code in the Microsoft Platform SDK. This MS KB article describes the use of AdRestore:

[840001: How to restore deleted user accounts and their group memberships in Active Directory](http://support.microsoft.com/?kbid=840001)

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ADRestore.zip) [**Download AdRestore**](https://download.sysinternals.com/files/ADRestore.zip) **(42 KB)**

/sysinternals/downloads/whois.md:
---
TOCTitle: Whois
title: Whois
description: See who owns an Internet address.
ms:assetid: '31fa42da-10ab-4cb3-a206-72be17333805'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897435(v=MSDN.10)'
ms.date: 07/04/2016
---

Whois v1.20
===========

**By Mark Russinovich**

Published: November 19, 2017

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/WhoIs.zip) [**Download Whois**](https://download.sysinternals.com/files/WhoIs.zip) **(158 KB)**

## Introduction

Whois looks up the registration record for the domain name or IP address that you specify.

## Usage

**Usage: whois \[-v\] domainname \[whois.server\]**

|Parameter |Description |
|---------|---------|
| **-v** | Print whois information for referrals|

Domainname can be either a DNS name (e.g. www.sysinternals.com) or an IP address (e.g. 66.193.254.46).

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/WhoIs.zip) [**Download Whois**](https://download.sysinternals.com/files/WhoIs.zip) **(158 KB)**

**Runs on:**

- Client: Windows Vista and higher
- Server: Windows Server 2008 and higher
- Nano Server: 2016 and higher

/sysinternals/Announce/SHA1Deprecation.md:
---
TOCTitle: SHA1Deprecation
title: Preparing for the mandatory use of SHA1
ms.date: 06/20/2019
---

Preparing for the deprecation of SHA-1 signatures
=================================================

**By Mark Cook**

Published: June 20, 2019

## Summary

In support of our promise to provide best-in-class security to our customers, Microsoft is planning to discontinue support for SHA-1 code signing certificates.
Background details on the reasons for this and how it will affect you are available at [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).

## More Information

Currently, Sysinternals binaries are dual signed using SHA-1 and SHA-2. As of July 31, 2019, they will be signed using only SHA-2 signatures.

Prior to this date, customers running our tools on legacy OS versions will need to install SHA-2 code signing support in order to run the SHA-2 signed versions. Although this support will typically be delivered via Windows Update, standalone security updates are also available for download. Refer to [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus) for details on these updates.

/sysinternals/downloads/hex2dec.md:
---
TOCTitle: Hex2dec
title: Hex2dec
description: Convert hex numbers to decimal and vice versa.
ms:assetid: '219d0d03-8ef3-42e2-bce5-7370d7e7c88f'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896736(v=MSDN.10)'
ms.date: 07/04/2016
---

Hex2dec v1.1
============

**By Mark Russinovich**

Published: July 4, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Hex2Dec.zip) [**Download Hex2dec**](https://download.sysinternals.com/files/Hex2Dec.zip) **(152 KB)**

## Introduction

Tired of running Calc every time you want to convert a hexadecimal number to decimal? Now you can convert hex to decimal and vice versa with this simple command-line utility.

**Usage: hex2dec \[hex|decimal\]**

Include x or 0x as the prefix of the number to specify a hexadecimal value.
e.g. To translate 1233 decimal to hexadecimal: hex2dec 1233
e.g. To translate 0x1233 hexadecimal to decimal: hex2dec 0x1233

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Hex2Dec.zip) [**Download Hex2dec**](https://download.sysinternals.com/files/Hex2Dec.zip) **(152 KB)**

**Runs on:**

- Client: Windows Vista and higher
- Server: Windows Server 2008 and higher
- Nano Server: 2016 and higher

/sysinternals/docfx.json:
{
  "build": {
    "content": [
      {
        "files": [
          "**/*.md",
          "**/*.yml"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "**/_themes/**",
          "README.md",
          "LICENSE",
          "LICENSE-CODE",
          "ThirdPartyNotices"
        ]
      }
    ],
    "resource": [
      {
        "files": [
          "**/*.png",
          "**/*.gif",
          "**/*.jpg"
        ],
        "exclude": [
          "**/obj/**",
          "**/includes/**",
          "**/_themes/**"
        ]
      }
    ],
    "overwrite": [],
    "externalReference": [],
    "globalMetadata": {
      "uhfHeaderId": "MSDocsHeader-Sysinternals",
      "layout": "Conceptual",
      "breadcrumb_path": "~/bread/toc.yml",
      "author": "markruss",
      "ms.author": "markruss",
      "ms.prod": "windows-sysinternals",
      "ms.technology": "system-utilities",
      "ms.topic": "system-utilities",
      "titleSuffix": "Windows Sysinternals",
      "hide_comments": true,
      "contributors_to_exclude": ["v-kents"]
    },
    "fileMetadata": {},
    "template": [],
    "dest": "sysinternals",
    "markdownEngineName": "markdig"
  }
}

/.openpublishing.publish.config.json:
{
  "need_generate_pdf": true,
  "need_generate_intellisense": false,
  "docsets_to_publish": [
    {
      "docset_name": "sysinternals",
      "build_source_folder": "sysinternals",
      "build_output_subfolder": "sysinternals",
      "locale": "en-us",
      "monikers": [],
      "open_to_public_contributors": true,
      "type_mapping": {
        "Conceptual": "Content",
        "ManagedReference": "Content",
        "RestApi": "Content"
      },
      "build_entry_point": "docs",
      "template_folder": "_themes",
      "version": 0
    }
  ],
  "notification_subscribers": [],
  "branches_to_filter": [],
  "skip_source_output_uploading": false,
  "need_preview_pull_request": true,
  "dependent_repositories": [
    {
      "path_to_root": "_themes",
      "url": "https://github.com/Microsoft/templates.docs.msft",
      "branch": "master",
      "branch_mapping": {}
    },
    {
      "path_to_root": "_themes.pdf",
      "url": "https://github.com/Microsoft/templates.docs.msft.pdf",
      "branch": "master",
      "branch_mapping": {}
    }
  ],
  "branch_target_mapping": {
    "live": [
      "Publish",
      "Pdf"
    ]
  },
  "need_generate_pdf_url_template": true,
  "targets": {
    "pdf": {
      "template_folder": "_themes.pdf"
    }
  }
}

/sysinternals/downloads/efsdump.md:
---
TOCTitle: EFSDump
title: EFSDump
description: View information for encrypted files.
ms:assetid: 'e6c7175a-2edd-48d6-bf40-d701aa597b01'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896735(v=MSDN.10)'
ms.date: 11/01/2006
---

EFSDump v1.02
=============

**By Mark Russinovich**

Published: November 1, 2006

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/EFSDump.zip) [**Download EFSDump**](https://download.sysinternals.com/files/EFSDump.zip) **(39 KB)**

## Introduction

Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one, QueryUsersOnEncryptedFile, that lets you see who has access to encrypted files. This applet uses the API to show you which accounts are authorized to access encrypted files.

## Using EFSDump

|Parameter |Description |
|---------|---------|
| **-s** | Recurse subdirectories.|

*EFSDump* takes wildcards, e.g. 'efsdump \*.txt'.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/EFSDump.zip) [**Download EFSDump**](https://download.sysinternals.com/files/EFSDump.zip) **(39 KB)**

**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.

/sysinternals/downloads/loadorder.md:
---
TOCTitle: LoadOrder
title: LoadOrder
description: See the order in which devices are loaded on your WinNT/2K system.
ms:assetid: 'aa33a64d-d96b-4895-9724-dedb81f17581'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897416(v=MSDN.10)'
ms.date: 07/04/2016
---

LoadOrder v1.01
===============

**By Mark Russinovich**

Published: July 4, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/LoadOrder.zip) [**Download LoadOrder**](https://download.sysinternals.com/files/LoadOrder.zip) **(318 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/LoadOrd.exe).

## Introduction

This applet shows you the order in which a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000, plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/LoadOrder.zip) [**Download LoadOrder**](https://download.sysinternals.com/files/LoadOrder.zip) **(318 KB)**

**Run now** from [Sysinternals Live](https://live.sysinternals.com/LoadOrd.exe).

**Runs on:**

- Client: Windows Vista and higher
- Server: Windows Server 2008 and higher
- Nano Server: 2016 and higher

/sysinternals/license-faq.md:
---
TOCTitle: Licensing FAQ
title: Sysinternals Licensing FAQ
ms:assetid: '50ed3280-1fb1-42ce-86cc-b1fbdde1afd2'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb847944(v=MSDN.10)'
ms.date: 09/28/2009
---

Sysinternals Licensing FAQ
==========================

Published: September 28, 2009

### Q: How many copies of Sysinternals utilities may I freely load or use on computers owned by my company?
**A:** There is no limit to the number of times you may install and use the software on your devices or those you support.

### Q: May I distribute Sysinternals utilities in my software, on my website, or with my magazine?
**A:** No. We are not offering any distribution licenses, even if the 3rd party is distributing them for free. We encourage people to download the utilities from our download center, where they can be assured of getting the most recent version of the utility.

### Q: Can I license or re-use any Sysinternals source code?
**A:** No. We will no longer offer the Sysinternals source code for download or license.

### Q: Will the Sysinternals tools continue to be freely available?
**A:** Yes, Microsoft has no plans to remove or charge for these tools.

### Q: Is there technical support available for the Sysinternals tools?
**A:** No. All Sysinternals tools are offered 'as is' with no official Microsoft support.
We do maintain a Sysinternals dedicated [community support forum](http://forum.sysinternals.com/).

/sysinternals/downloads/networking-utilities.md:
---
TOCTitle: Networking Utilities
title: Sysinternals Networking Utilities
description: Windows Sysinternals networking utilities
ms:assetid: '677683af-3f5e-42ea-8116-9c92acd2c271'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb795532(v=MSDN.10)'
ms.date: 07/22/2016
---

Sysinternals Networking Utilities
=================================

[AD Explorer](adexplorer.md)
Active Directory Explorer is an advanced Active Directory (AD) viewer and editor.

[AD Insight](adinsight.md)
AD Insight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications.

[AdRestore](adrestore.md)
Undelete Server 2003 Active Directory objects.

[PipeList](pipelist.md)
Displays the named pipes on your system, including the number of maximum instances and active instances for each pipe.

[PsFile](psfile.md)
See what files are opened remotely.

[PsPing](psping.md)
Measures network performance.

[PsTools](pstools.md)
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.

[ShareEnum](shareenum.md)
Scan file shares on your network and view their security settings to close security holes.

[TCPView](tcpview.md)
Active socket command-line viewer.

[Whois](whois.md)
See who owns an Internet address.
49 | 50 | -------------------------------------------------------------------------------- /sysinternals/downloads/du.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Disk Usage 3 | title: Disk Usage 4 | description: View disk usage by directory. 5 | ms:assetid: '428a14a6-d688-41bc-a769-5d5052ead7a0' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896651(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | Disk Usage v1.61 11 | ================ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: February 13, 2017 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DU.zip) [**Download Du**](https://download.sysinternals.com/files/DU.zip) **(174 KB)** 18 | 19 | ## Introduction 20 | 21 | Du (disk usage) reports the disk space usage for the directory you 22 | specify. By default it recurses directories to show the total size of a 23 | directory and its subdirectories. 24 | 25 | ## Using Disk Usage (DU) 26 | 27 | **Usage: du \[-c\[t\]\] \[-l <levels> | -n | -v\] \[-u\] \[-q\] 28 | <directory>** 29 | 30 | |Parameter |Description | 31 | |---------|---------| 32 | | **-c** | Print output as CSV.
Use -ct for tab delimiting.| 33 | | **-l** | Specify subdirectory depth of information (default is all levels).| 34 | | **-n** | Do not recurse.| 35 | | **-v** | Show size (in KB) of intermediate directories.| 36 | | **-u** | Count each instance of a hard-linked file.| 37 | | **-q** | Quiet (no banner).| 38 | 39 | CSV output is formatted as: 40 | 41 | Path, CurrentFileCount, CurrentFileSize, FileCount, DirectoryCount, 42 | DirectorySize 43 | 44 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DU.zip) [**Download Du**](https://download.sysinternals.com/files/DU.zip) **(174 KB)** 45 | -------------------------------------------------------------------------------- /sysinternals/downloads/reghide.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Reghide 3 | title: Reghide 4 | ms:assetid: '2d5d1657-5dce-4ad3-8070-7e8882c9d1f7' 5 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Dd581628(v=MSDN.10)' 6 | ms.date: 01/11/2006 7 | 8 | --- 9 | 10 | Reghide 11 | ======= 12 | 13 | Published: November 1, 2006 14 | 15 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RegHide.zip) [**Download RegHide**](https://download.sysinternals.com/files/RegHide.zip) **(38 KB)** 16 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Reghide.exe). 17 | 18 | 19 | ## Introduction 20 | 21 | A subtle but significant difference between the Win32 API and the Native 22 | API (see [Inside the Native API](~/learn/inside-native-applications.md) for 23 | more information on this largely undocumented interface) is the way that 24 | names are described. In the Win32 API strings are interpreted as 25 | NULL-terminated ANSI (8-bit) or wide character (16-bit) strings. In the 26 | Native API names are counted Unicode (16-bit) strings.
While this 27 | distinction is usually not important, it leaves open an interesting 28 | situation: there is a class of names that can be referenced using the 29 | Native API, but that cannot be described using the Win32 API. RegHide is a sample program that demonstrates this: it creates a Registry key whose name contains an embedded NUL character. Native API callers can open that key, but Regedit and other Win32-based Registry editors cannot display, open or delete it. [RegDelNull](regdelnull.md) finds and removes keys of this kind. 30 | 31 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RegHide.zip) [**Download RegHide**](https://download.sysinternals.com/files/RegHide.zip) **(38 KB)** 32 | 33 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Reghide.exe). 34 | 35 | **Runs on:** 36 | 37 | - Client: Windows Vista and higher. 38 | - Server: Windows Server 2008 and higher. 39 | 40 | 41 | 42 | -------------------------------------------------------------------------------- /sysinternals/downloads/pipelist.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Pipelist 3 | title: Pipelist 4 | description: Displays the named pipes on your system, including the number of maximum instances and active instances for each pipe. 5 | ms:assetid: 'c379bcf5-754c-46b0-807d-1266658bd8be' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Dd581625(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | PipeList v1.02 11 | ============== 12 | 13 | Published: July 4, 2016 14 | 15 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PipeList.zip) [**Download PipeList**](https://download.sysinternals.com/files/PipeList.zip) **(211 KB)** 16 | 17 | 18 | ## Introduction 19 | 20 | Did you know that the device driver that implements named pipes is 21 | actually a file system driver? In fact, the driver's name is NPFS.SYS, 22 | for "Named Pipe File System". What you might also find surprising is 23 | that it's possible to obtain a directory listing of the named pipes 24 | defined on a system. This fact is not documented, nor is it possible to 25 | do this using the Win32 API.
Directly using NtQueryDirectoryFile, the 26 | native function that the Win32 FindFile APIs rely on, makes it possible 27 | to list the pipes. The directory listing NPFS returns also indicates the 28 | maximum number of pipe instances set for each pipe and the number of 29 | active instances. 30 | 31 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PipeList.zip) [**Download PipeList**](https://download.sysinternals.com/files/PipeList.zip) **(211 KB)** 32 | 33 | **Runs on:** 34 | 35 | - Client: Windows Vista and higher 36 | - Server: Windows Server 2008 and higher 37 | - Nano Server: 2016 and higher 38 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /sysinternals/downloads/accessenum.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: AccessEnum 3 | title: AccessEnum 4 | description: This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. 5 | ms:assetid: 'dd3ac121-4a4b-48b4-98a7-8b0dfeda3007' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897332(v=MSDN.10)' 7 | ms.date: 11/01/2006 8 | --- 9 | AccessEnum v1.32 10 | ================ 11 | **By Mark Russinovich** 12 | 13 | Published: November 1, 2006 14 | 15 | [![Download](/media/landing/sysinternals/Download_sm.png)](https://download.sysinternals.com/files/AccessEnum.zip) [**Download AccessEnum**](https://download.sysinternals.com/files/AccessEnum.zip) **(51 KB)** 16 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/AccessEnum.exe). 17 | 18 | ## Introduction 19 | While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. 
There's no built-in way to quickly view user accesses to a tree of directories or keys. *AccessEnum* gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary. 20 | 21 | ![AccessEnum](/media/landing/sysinternals/accessenum.png) 22 | 23 | ## How It Works 24 | *AccessEnum* uses standard Windows security APIs to populate its listview with read, write and deny access information. 25 | 26 | [![Download](/media/landing/sysinternals/Download_sm.png)](https://download.sysinternals.com/files/AccessEnum.zip) [**Download AccessEnum**](https://download.sysinternals.com/files/AccessEnum.zip) **(51 KB)** 27 | 28 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/AccessEnum.exe). -------------------------------------------------------------------------------- /sysinternals/downloads/ru.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Registry Usage 3 | title: Registry Usage 4 | description: View the registry space usage for the specified registry key. 5 | ms:assetid: 'a0d594d7-9653-4dc3-8a32-d1ab452d04e7' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Dn194428(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | Registry Usage (RU) v1.2 11 | ======================== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RU.zip) [**Download RU**](https://download.sysinternals.com/files/RU.zip) **(156 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | Ru (registry usage) reports the registry space usage for the registry 23 | key you specify. By default it recurses subkeys to show the total size 24 | of a key and its subkeys.
25 | 26 | ## Using Registry Usage (RU) 27 | 28 | **usage: ru \[-c\[t\]\] \[-l <levels> | -n | -v\] \[-q\] 29 | <absolute path>** 30 | 31 | **usage: ru \[-c\[t\]\] \[-l <levels> | -n | -v\] \[-q\] -h 32 | <hive file> \[relative path\]** 33 | 34 | |Parameter |Description | 35 | |---------|---------| 36 | | **-c** | Print output as CSV. Specify -ct for tab delimiting. | 37 | | **-h** | Load the specified hive file, perform the size calculation, then unload it and compress it. | 38 | | **-l** | Specify subkey depth of information (default is one level). | 39 | | **-n** | Do not recurse. | 40 | | **-q** | Quiet (no banner). | 41 | | **-v** | Show size of all subkeys. | 42 | 43 | CSV output is formatted as: 44 | 45 | Path,CurrentValueCount,CurrentValueSize,ValueCount,KeyCount,KeySize,WriteTime 46 | 47 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RU.zip) [**Download RU**](https://download.sysinternals.com/files/RU.zip) **(156 KB)** -------------------------------------------------------------------------------- /sysinternals/downloads/autologon.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Autologon 3 | title: Autologon 4 | description: Bypass password screen during logon. 5 | ms:assetid: '121f300c-85cb-418d-8199-48e587d864c3' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963905(v=MSDN.10)' 7 | ms.date: 08/29/2016 8 | --- 9 | 10 | Autologon v3.10 11 | =========================== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: August 29, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AutoLogon.zip) [**Download Autologon**](https://download.sysinternals.com/files/AutoLogon.zip) **(70 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Autologon.exe). 
19 | 20 | ## Introduction 21 | 22 | Autologon enables you to easily configure Windows’ built-in autologon 23 | mechanism. Instead of waiting for a user to enter their name and 24 | password, Windows uses the credentials you enter with Autologon, which 25 | are encrypted in the Registry, to log on the specified user 26 | automatically. The password is stored as an LSA secret rather than as a readable string in the Winlogon key, but any account with administrative rights on the machine can read LSA secrets back, so use a dedicated, low-privilege account for autologon and never a privileged domain account. 27 | 28 | *Autologon* is easy enough to use. Just run autologon.exe, fill in the 29 | dialog, and hit Enable. To turn off auto-logon, hit *Disable*. Also, if 30 | the shift key is held down before the system performs an autologon, the 31 | autologon will be disabled for that logon. You can also pass the 32 | username, domain and password as command-line arguments: 33 | 34 | **autologon user domain password** 35 | 36 | **Note:** When Exchange ActiveSync password restrictions are in place, 37 | Windows will not process the autologon configuration. 38 | 39 | 40 | 41 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AutoLogon.zip) [**Download Autologon**](https://download.sysinternals.com/files/AutoLogon.zip) **(70 KB)** 42 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Autologon.exe). 43 | -------------------------------------------------------------------------------- /sysinternals/downloads/volumeid.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: VolumeID 3 | title: VolumeID 4 | description: Set Volume ID of FAT or NTFS drives.
5 | ms:assetid: '2073ab9a-ad2e-4c86-96b9-4b4d520b8a1d' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897436(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | VolumeID v2.1 11 | ============= 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/VolumeId.zip) [**Download VolumeID**](https://download.sysinternals.com/files/VolumeId.zip) **(194 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | While the Label utility built into Windows NT/2000 and Windows 95/98 23 | lets you change the labels of disk volumes, it does not provide any 24 | means for changing volume IDs. This utility, VolumeID, allows you to 25 | change the IDs of FAT and NTFS disks (floppies or hard drives). 26 | 27 | **Usage: volumeid <driveletter:> xxxx-xxxx** 28 | 29 | *This is a command-line program that you must run from a command-prompt 30 | window.* 31 | 32 | Note that changes on NTFS volumes won't be visible until the next 33 | reboot. In addition, you should shut down any applications you have 34 | running before changing a volume ID. NT may become confused and think 35 | that the media (disk) has changed after a FAT volume ID has changed and 36 | pop up messages indicating that you should reinsert the original disk 37 | (!). It may then fail the disk requests of applications using those 38 | drives.
39 | 40 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/VolumeId.zip) [**Download VolumeID**](https://download.sysinternals.com/files/VolumeId.zip) **(194 KB)** 41 | 42 | **Runs on:** 43 | 44 | - Client: Windows Vista and higher 45 | - Server: Windows Server 2008 and higher 46 | - Nano Server: 2016 and higher 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /sysinternals/downloads/sync.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Sync 3 | title: Sync 4 | description: Flush cached data to disk. 5 | ms:assetid: 'c37d73b0-a75b-40ff-9b31-0d0dae62849e' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897438(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | Sync v2.2 11 | ========= 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sync.zip) [**Download Sync**](https://download.sysinternals.com/files/Sync.zip) **(145 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | UNIX provides a standard utility called Sync, which can be used to 23 | direct the operating system to flush all file system data to disk in 24 | order to ensure that it is stable and won't be lost in case of a system 25 | failure. Otherwise, any modified data present in the cache would be 26 | lost. Here is an equivalent that I wrote, called Sync, that works on all 27 | versions of Windows. Use it whenever you want to know that modified file 28 | data is safely stored on your hard drives. Unfortunately, Sync requires 29 | administrative privileges to run. This version also lets you flush 30 | removable drives such as ZIP drives. 31 | 32 | ## Using Sync 33 | 34 | **Usage: sync \[-r\] \[-e\] \[drive letter list\]** 35 | 36 | |Parameter |Description | 37 | |---------|---------| 38 | | **-r** | Flush removable drives.
| 39 | | **-e** | Ejects removable drives. | 40 | 41 | 42 | Specifying specific drives (e.g. "c e") will result in Sync only 43 | flushing those drives. 44 | 45 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sync.zip) [**Download Sync**](https://download.sysinternals.com/files/Sync.zip) **(145 KB)** 46 | 47 | **Runs on:** 48 | 49 | - Client: Windows Vista and higher 50 | - Server: Windows Server 2008 and higher 51 | - Nano Server: 2016 and higher 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /sysinternals/downloads/adexplorer.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: AD Explorer 3 | title: AD Explorer 4 | description: Active Directory Explorer is an advanced Active Directory (AD) viewer and editor. 5 | ms:assetid: 'da300ae9-b58f-4acc-a169-ce3b39867bc8' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb963907(v=MSDN.10)' 7 | ms.date: 11/15/2012 8 | --- 9 | 10 | Active Directory Explorer v1.44 11 | =============================== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: November 15, 2012 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AdExplorer.zip)  [**Download AdExplorer**](https://download.sysinternals.com/files/AdExplorer.zip) **(244 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ADExplorer.exe). 19 | 20 | 21 | ## Introduction 22 | 23 | Active Directory Explorer (AD Explorer) is an advanced Active Directory 24 | (AD) viewer and editor. You can use AD Explorer to easily navigate an AD 25 | database, define favorite locations, view object properties and 26 | attributes without having to open dialog boxes, edit permissions, view 27 | an object's schema, and execute sophisticated searches that you can save 28 | and re-execute. 
29 | 30 | AD Explorer also includes the ability to save snapshots of an AD 31 | database for off-line viewing and comparisons. When you load a saved 32 | snapshot, you can navigate and explore it as you would a live database. 33 | If you have two snapshots of an AD database you can use AD Explorer's 34 | comparison functionality to see what objects, attributes and security 35 | permissions changed between them. 36 | 37 | ![AD Explorer screenshot](/media/landing/sysinternals/adexplorer.jpg) 38 | 39 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AdExplorer.zip)  [**Download AdExplorer**](https://download.sysinternals.com/files/AdExplorer.zip) **(244 KB)** 40 | 41 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ADExplorer.exe). 42 | -------------------------------------------------------------------------------- /sysinternals/downloads/cpustres.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Cpustres 3 | title: Cpustres 4 | description: Windows CPU Stress utility. 5 | ms:assetid: 'cfbb8960-ca2c-48c3-a05e-ecb1970d3648' 6 | ms.date: 03/22/2019 7 | --- 8 | 9 | CpuStres v2.0 10 | ============== 11 | 12 | **By Pavel Yosifovich** 13 | 14 | Published: July 18, 2018 15 | 16 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/CPUSTRES.zip) [**Download Cpustres**](https://download.sysinternals.com/files/CPUSTRES.zip) **(10 KB)** 17 | 18 | 19 | ## Introduction 20 | 21 | **Cpustres** 22 | Cpustres is a utility that can be used to simulate CPU activity by running 23 | up to 64 threads in a tight loop. 24 | 25 | Each thread can be started, paused or stopped independently and can be configured with the following parameters: 26 | 27 | - **Activity Level** This can be Low, Medium, Busy or Maximum, which controls how long the thread sleeps between cycles.
Setting this value to Maximum causes the thread to run continuously. 28 | - **Priority** This controls the thread priority. Refer to Windows Internals by Mark Russinovich for details on thread priorities. 29 | 30 | 31 | 32 | 33 | **Runs on:** 34 | 35 | - Client: Windows Vista and higher 36 | - Server: Windows Server 2003 and higher 37 | - Nano Server: 2016 and higher 38 | 39 | ## Related Links 40 | 41 | - [**Windows Internals Book**](~/learn/windows-internals.md) The official updates and errata page for the definitive book on 42 | Windows internals, by Mark Russinovich and David Solomon. 43 | - [**Pavel's Blog**](http://blogs.microsoft.co.il/pavely/2016/06/11/enhanced-cpu-stress-tool/) Pavel Yosifovich's blog describing the tool. 44 | 45 | ## Download 46 | 47 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/CPUSTRES.zip) [**Download Cpustres**](https://download.sysinternals.com/files/CPUSTRES.zip) **(10 KB)** 48 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/cpustres.exe). 49 | 50 | 51 | 52 | 53 | -------------------------------------------------------------------------------- /sysinternals/downloads/regdelnull.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: RegDelNull 3 | title: RegDelNull 4 | description: Scan for and delete Registry keys that contain embedded null characters and are otherwise undeletable by standard Registry-editing tools.
5 | ms:assetid: '8f4db30a-523f-4482-91d6-f6a68a11126c' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897448(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | RegDelNull v1.11 11 | ================ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Regdelnull.zip) [**Download RegDelNull**](https://download.sysinternals.com/files/Regdelnull.zip) **(152 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | This command-line utility searches for and allows you to delete Registry 23 | keys that contain embedded null characters and that are otherwise 24 | undeletable using standard Registry-editing tools. Note: deleting 25 | Registry keys may cause the applications they are associated with to 26 | fail. Because standard Registry tools cannot display a null-embedded key, one that you did not create yourself (for example with RegHide) is worth investigating before you delete it. 27 | 28 | 29 | 30 | ## Using RegDelNull 31 | 32 | **Usage: regdelnull <path> \[-s\]** 33 | 34 | |Parameter |Description | 35 | |---------|---------| 36 | | **-s** | Recurse into subkeys. | 37 | 38 | 39 | 40 | Here's an example of RegDelNull when used on a system on which the 41 | [RegHide](reghide.md) sample 42 | program has created a null-embedded key: 43 | 44 | ```Shell 45 | C:\>regdelnull hklm -s 46 | RegDelNull v1.10 - Delete Registry keys with embedded Nulls 47 | Copyright (C) 2005-2006 Mark Russinovich 48 | Sysinternals - www.sysinternals.com 49 | Null-embedded key (Nulls are replaced by '*'): 50 | HKLM\SOFTWARE\Systems Internals\Can't touch me!* 51 | Delete (y/n) y 52 | Scan complete.
53 | ``` 54 | 55 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Regdelnull.zip) [**Download RegDelNull**](https://download.sysinternals.com/files/Regdelnull.zip) **(152 KB)** 56 | 57 | **Runs on:** 58 | 59 | - Client: Windows Vista (32-bit) and higher 60 | - Server: Windows Server 2008 (32-bit) and higher 61 | - Nano Server: 2016 and higher 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- /sysinternals/downloads/logonsessions.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: LogonSessions 3 | title: LogonSessions 4 | description: List the active logon sessions on a system. 5 | ms:assetid: 'b7415eea-e897-49ba-b304-dd6879718a74' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896769(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | LogonSessions v1.4 11 | ================== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/logonSessions.zip) [**Download LogonSessions**](https://download.sysinternals.com/files/logonSessions.zip) **(237 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | If you think that when you log on to a system there's only one active 23 | logon session, this utility will surprise you. It lists the currently 24 | active logon sessions and, if you specify the -p option, the processes 25 | running in each session. 26 | 27 | **Usage: logonsessions \[-c\[t\]\] \[-p\]** 28 | 29 | 30 | |Parameter |Description | 31 | |---------|---------| 32 | | **-c** | Print output as CSV. | 33 | | **-ct** | Print output as tab-delimited values. | 34 | | **-p** | List processes running in logon session.
| 35 | 36 | ## Example output 37 | ```Shell 38 | C:\>logonsessions -p 39 | 40 | [13] Logon session 00000000:6a6d6160: 41 | User name: NTDEV\markruss 42 | Auth package: Kerberos 43 | Logon type: RemoteInteractive 44 | Session: 1 45 | Sid: S-1-5-21-397955417-626881126-188441444-3615555 46 | Logon time: 7/2/2015 6:05:31 PM 47 | Logon server: NTDEV-99 48 | DNS Domain: NTDEV.CORP.MICROSOFT.COM 49 | UPN: markruss@ntdev.microsoft.com 50 | 15368: ProcExp.exe 51 | 17528: ProcExp64.exe 52 | 13116: cmd.exe 53 | 17100: conhost.exe 54 | 6716: logonsessions.exe 55 | ``` 56 | 57 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/logonSessions.zip) [**Download LogonSessions**](https://download.sysinternals.com/files/logonSessions.zip) **(237 KB)** 58 | 59 | **Runs on:** 60 | 61 | - Client: Windows Vista (32-bit) and higher 62 | - Server: Windows Server 2008 and higher 63 | - Nano Server: 2016 and higher 64 | 65 | 66 | 67 | -------------------------------------------------------------------------------- /sysinternals/downloads/shareenum.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: ShareEnum 3 | title: ShareEnum 4 | description: Scan file shares on your network and view their security settings to close security holes. 5 | ms:assetid: '03257fd3-88a5-44f8-8447-2d0055930c47' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897442(v=MSDN.10)' 7 | ms.date: 11/01/2006 8 | --- 9 | 10 | ShareEnum v1.6 11 | ============== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: November 1, 2006 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ShareEnum.zip) [**Download ShareEnum**](https://download.sysinternals.com/files/ShareEnum.zip) **(94 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ShareEnum.exe).
19 | 20 | 21 | ## Introduction 22 | 23 | An aspect of Windows NT/2000/XP network security that's often overlooked 24 | is file shares. A common security flaw occurs when users define file 25 | shares with lax security, allowing unauthorized users to see sensitive 26 | files. There are no built-in tools to list shares viewable on a network 27 | and their security settings, but *ShareEnum* fills the void and allows 28 | you to lock down file shares in your network. 29 | 30 | When you run *ShareEnum* it uses NetBIOS enumeration to scan all the 31 | computers within the domains accessible to it, showing file and print 32 | shares and their security settings. Because only a domain administrator 33 | has the ability to view all network resources, *ShareEnum* is most 34 | effective when you run it from a domain administrator account. 35 | 36 | ![ShareEnum](/media/landing/sysinternals/ShareEnum.gif) 37 | 38 | ## How It Works 39 | 40 | ShareEnum uses **WNetEnumResource** to enumerate domains and the 41 | computers within them and **NetShareEnum** to enumerate shares on 42 | computers. 43 | 44 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ShareEnum.zip) [**Download ShareEnum**](https://download.sysinternals.com/files/ShareEnum.zip) **(94 KB)** 45 | 46 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ShareEnum.exe). 47 | 48 | **Runs on:** 49 | 50 | - Client: Windows Vista and higher. 51 | - Server: Windows Server 2008 and higher. 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /sysinternals/downloads/notmyfault.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: NotMyFault 3 | title: NotMyFault 4 | description: Notmyfault is a tool that you can use to crash, hang, and cause kernel memory leaks on your Windows system. 
5 | ms:assetid: 'fc881ee6-6e6a-480f-95d2-83458e2d09b7' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Mt742033(v=MSDN.10)' 7 | ms.date: 06/14/2019 8 | --- 9 | 10 | NotMyFault v4.20 11 | ================ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 14, 2019 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/NotMyFault.zip) [**Download NotMyFault**](https://download.sysinternals.com/files/NotMyFault.zip) **(1 MB)** 18 | 19 | 20 | ## Introduction 21 | 22 | Notmyfault is a tool that you can use to crash, hang, and cause kernel 23 | memory leaks on your Windows system. It’s useful for learning how to 24 | identify and diagnose device driver and hardware problems, and you can 25 | also use it to generate blue screen dump files on misbehaving systems. 26 | The download file includes 32-bit and 64-bit versions, as well as a 27 | command-line version that works on Nano Server. Chapter 7 in Windows 28 | Internals uses Notmyfault to demonstrate pool leak troubleshooting and 29 | Chapter 14 uses it for crash analysis examples. 30 | 31 | 32 | ## Screenshots 33 | 34 | ![NotMyFault](/media/landing/sysinternals/notmyfault.png "NotMyFault") 35 | 36 | ## Usage 37 | 38 | You can use the GUI versions or the command-line version. Notmyfault 39 | requires administrative privileges. 
40 | 41 | Usage: 42 | 43 | **notmyfaultc.exe crash crash\_type\_num** 44 | ```Shell 45 | crash type: 46 | 0x01: High IRQL fault (Kernel-mode) 47 | 0x02: Buffer overflow 48 | 0x03: Code overwrite 49 | 0x04: Stack trash 50 | 0x05: High IRQL fault (User-mode) 51 | 0x06: Stack overflow 52 | 0x07: Hardcoded breakpoint 53 | 0x08: Double Free 54 | ``` 55 | 56 | Or **notmyfaultc.exe hang hang\_type\_num** 57 | 58 | ```Shell 59 | hang type: 60 | 0x01: Hang with IRP 61 | 0x02: Hang with DPC 62 | ``` 63 | 64 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/NotMyFault.zip) [**Download NotMyFault**](https://download.sysinternals.com/files/NotMyFault.zip) **(1 MB)** 65 | -------------------------------------------------------------------------------- /sysinternals/downloads/findlinks.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: FindLinks 3 | title: FindLinks 4 | description: FindLinks reports the file index and any hard links (alternate file paths on the same volume) that exist for the specified file. 5 | ms:assetid: 'f3fb08e4-d0af-4191-b09d-08bf44694281' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Hh290814(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | FindLinks v1.1 11 | ============== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/FindLinks.zip) [**Download FindLinks**](https://download.sysinternals.com/files/FindLinks.zip) **(153 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/FindLinks.exe). 19 | 20 | 21 | ## Introduction 22 | 23 | FindLinks reports the file index and any hard links (alternate file 24 | paths on the same volume) that exist for the specified file. A file's 25 | data remains allocated as long as it has at least one file name 26 | referencing it.
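As an added example, not part of the FindLinks page: the same link information is available from the built-in `fsutil hardlink list` command, and a scan of a writable directory for files whose extra links point outside that directory is a useful check, because a hard link created in a user-writable location aliases a file elsewhere while looking like an ordinary file there. The block assumes that `fsutil hardlink list` prints one volume-relative path per link (for example `\Windows\System32\notepad.exe`), that the scanned directory is on the same volume as its links, and that `fsutil` is allowed to run from the current prompt (run elevated if it refuses); the function names and the sample directory are this example's own choices.

```powershell
# Added example, not part of the FindLinks page.
# Wraps the built-in "fsutil hardlink list" command, which prints one
# volume-relative path per hard link (for example \Windows\System32\notepad.exe).

function Get-HardLinkPath {
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $drive = [System.IO.Path]::GetPathRoot($full).TrimEnd('\')   # e.g. "C:"

    # Keep only lines that look like volume-relative paths; prefix the drive
    # so the results can be compared with ordinary full paths.
    fsutil hardlink list "$full" 2>$null |
        Where-Object { $_ -match '^\\' } |
        ForEach-Object { $drive + $_ }
}

function Find-ExtraHardLink {
    # Reports files under $Directory that carry additional hard links outside it.
    param([Parameter(Mandatory)][string]$Directory)

    $root = (Resolve-Path -LiteralPath $Directory).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $links = @(Get-HardLinkPath -Path $_.FullName)
            if ($links.Count -le 1) { return }      # a single name: nothing to report

            $outside = @($links | Where-Object {
                -not $_.StartsWith("$root\", 'OrdinalIgnoreCase') })

            if ($outside.Count -gt 0) {
                [pscustomobject]@{
                    File         = $_.FullName
                    LinkCount    = $links.Count
                    OutsideLinks = ($outside -join '; ')
                }
            }
        }
}

# Sample target (an assumption for this example): the user's Downloads folder.
# One fsutil call per file, so expect this to be slow on large trees.
Find-ExtraHardLink -Directory "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

A hit means a file in the scanned tree shares its data with a name elsewhere on the volume; whether that is benign (component store links, as in the Notepad example on this page) or not depends on where the other name lives and who could create the link.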
27 | 28 | ## Using FindLinks 29 | 30 | **Usage: findlinks <filename>** 31 | 32 | ## Example 33 | 34 | The following command reports the file paths that reference the same 35 | file data as C:\\Windows\\Notepad.exe: 36 | 37 | ```Shell 38 | C:\>findlinks c:\windows\notepad.exe 39 | 40 | FindLinks - Locate file hard links 41 | Copyright (C) 2011 Mark Russinovich 42 | Sysinternals - www.sysinternals.com 43 | 44 | c:\windows\notepad.exe 45 | Index: 0x000057D9 46 | Links: 3 47 | 48 | Linking files: 49 | C:\Windows\winsxs\amd64_microsoft-windows-notepadwin_31bf3856ad364e35_6.1.7600.16385_none_9ebebe8614be1470\notepad.exe 50 | C:\Windows\winsxs\amd64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_none_cb0f7f2289b0c21a\notepad.exe 51 | C:\Windows\System32\notepad.exe 52 | ``` 53 | 54 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/FindLinks.zip) [**Download FindLinks**](https://download.sysinternals.com/files/FindLinks.zip) **(153 KB)** 55 | 56 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/FindLinks.exe). 57 | 58 | **Runs on:** 59 | 60 | - Client: Windows Vista and higher 61 | - Server: Windows Server 2008 and higher 62 | - Nano Server: 2016 and higher -------------------------------------------------------------------------------- /sysinternals/downloads/movefile.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PendMoves 3 | title: PendMoves and MoveFile 4 | description: Allows you to schedule move and delete commands for the next reboot.
5 | ms:assetid: 'a49e9434-8fa3-4f2c-9ae1-8212360d4917' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897556(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | PendMoves v1.02 and MoveFile v1.01 10 | ================================= 11 | 12 | **By Mark Russinovich** 13 | Published: July 4, 2016 14 | 15 | [![Download](/media/landing/sysinternals/Download_sm.png)](https://download.sysinternals.com/files/PendMoves.zip) [**Download PendMoves and MoveFile**](https://download.sysinternals.com/files/PendMoves.zip) **(284 KB)** 16 | 17 | 18 | ## Introduction 19 | Several kinds of application, such as service packs and hotfixes, must replace a file that is in use and cannot do so while it is open. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced. Session Manager performs this task by reading the registered rename and delete commands from the HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations value. 20 | 21 | ## PendMoves Usage 22 | This applet dumps the contents of the pending rename/delete value and also reports an error when the source file is not accessible. Because the operations run before the target files are referenced, review this value when examining a system: an entry whose target is under the Windows directory replaces an OS file at the next boot. 23 | 24 | **Usage: pendmoves** 25 | Here is example output that shows a temporary installation file is scheduled for deletion at the next reboot: 26 | 27 | ```Shell 28 | C:\>pendmoves 29 | PendMove v1.2 30 | Copyright (C) 2013 Mark Russinovich 31 | Sysinternals - www.sysinternals.com 32 | 33 | Source: C:\Config.Msi\3ec7bbbf.rbf 34 | Target: DELETE 35 | ``` 36 | 37 | ## MoveFile usage 38 | The included MoveFile utility allows you to schedule move and delete commands for the next reboot: 39 | **usage: movefile [source] [dest]** 40 | Specifying an empty destination ("") deletes the source at boot.
An example that deletes test.exe is: 41 | 42 | ```Shell 43 | movefile test.exe "" 44 | ``` 45 | 46 | [![Download](/media/landing/sysinternals/Download_sm.png)](https://download.sysinternals.com/files/PendMoves.zip) [**Download PendMoves and MoveFile**](https://download.sysinternals.com/files/PendMoves.zip) **(284 KB)** 47 | -------------------------------------------------------------------------------- /sysinternals/downloads/pendmoves.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PendMoves 3 | title: PendMoves and MoveFile 4 | description: Enumerate the list of file rename and delete commands that will be executed the next boot. 5 | ms:assetid: 'a49e9434-8fa3-4f2c-9ae1-8212360d4917' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897556(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | PendMoves v1.02 and MoveFile v1.01 10 | ================================= 11 | 12 | **By Mark Russinovich** 13 | Published: July 4, 2016 14 | 15 | [![Download](/media/landing/sysinternals/Download_sm.png)](https://download.sysinternals.com/files/PendMoves.zip) [**Download PendMoves and MoveFile**](https://download.sysinternals.com/files/PendMoves.zip) **(284 KB)** 16 | 17 | 18 | ## Introduction 19 | Several kinds of application, such as service packs and hotfixes, must replace a file that is in use and cannot do so while it is open. Windows therefore provides the MoveFileEx API to rename or delete a file and allows the caller to specify that they want the operation to take place the next time the system boots, before the files are referenced. Session Manager performs this task by reading the registered rename and delete commands from the HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations value. 20 | 21 | ## PendMoves Usage 22 | This applet dumps the contents of the pending rename/delete value and also reports an error when the source file is not accessible. Because the operations run before the target files are referenced, review this value when examining a system: an entry whose target is under the Windows directory replaces an OS file at the next boot.
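As an added example (not PendMoves or MoveFile code), the PowerShell below reads the same registry value PendMoves dumps and decodes it the way Session Manager will: the REG_MULTI_SZ holds source/target pairs, an empty target means delete, a target beginning with `!` was registered with MOVEFILE_REPLACE_EXISTING, and both sides carry the native `\??\` prefix. It also shows the MoveFileEx call that `movefile file ""` makes, through P/Invoke with MOVEFILE_DELAY_UNTIL_REBOOT. The sample entries, the `IntoSystemRoot` heuristic and the function names are the example's own; the decoder needs no special rights, while registering an operation needs administrative rights.

```powershell
# Added example, not PendMoves or MoveFile code. Decodes PendingFileRenameOperations
# as Session Manager will at boot, and shows the MoveFileEx call MoveFile wraps.

function Get-PendingFileOperation {
    [CmdletBinding()]
    param(
        # Raw REG_MULTI_SZ entries; omit to read the live value. Passing them lets the
        # decoder run against a value captured from another system.
        [string[]]$Entries
    )
    if (-not $PSBoundParameters.ContainsKey('Entries')) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $Entries = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
                    -ErrorAction SilentlyContinue).PendingFileRenameOperations
    }
    if (-not $Entries) { return }

    # Entries are source/target pairs. Empty target = delete. A target beginning with
    # '!' was registered with MOVEFILE_REPLACE_EXISTING. Paths use the native \??\ prefix.
    for ($i = 0; $i + 1 -lt $Entries.Count; $i += 2) {
        $source    = $Entries[$i] -replace '^\\\?\?\\', ''
        $rawTarget = $Entries[$i + 1]
        $target    = $rawTarget.TrimStart('!') -replace '^\\\?\?\\', ''
        # Example's own heuristic: a rename landing under the Windows directory replaces
        # an OS file before anything references it, so it deserves a look.
        $intoSystemRoot = [bool]$target -and $target.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Source          = $source
            Target          = $(if ($target) { $target } else { 'DELETE' })
            ReplaceExisting = $rawTarget.StartsWith('!')
            SourceExists    = Test-Path -LiteralPath $source
            IntoSystemRoot  = $intoSystemRoot
        }
    }
}

function Register-BootDelete {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not ('Win32.Kernel32' -as [type])) {
        Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
    }
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    # A null new name plus the delay flag is what `movefile file ""` does. Needs admin rights.
    if ($PSCmdlet.ShouldProcess($full, 'Delete at next boot')) {
        if (-not [Win32.Kernel32]::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw (New-Object ComponentModel.Win32Exception $code)
        }
    }
}

# Constructed sample value: an installer's delete plus a replace into System32.
$sample = @(
    '\??\C:\Config.Msi\3ec7bbbf.rbf', '',
    '\??\C:\Temp\new.dll', '!\??\C:\Windows\System32\some.dll'
)
Get-PendingFileOperation -Entries $sample | Format-Table -AutoSize
Get-PendingFileOperation | Format-Table -AutoSize     # live value on this machine
# Register-BootDelete -Path .\test.exe -WhatIf       # dry run of the boot-time delete
```

The decoder takes the entries as a parameter so the same logic runs over a value exported from an offline hive, and `Register-BootDelete` supports `-WhatIf` so the call can be rehearsed before it touches the registry.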
23 | 24 | **Usage: pendmoves** 25 | Here is example output that shows a temporary installation file is scheduled for deletion at the next reboot: 26 | 27 | ```Shell 28 | C:\>pendmoves 29 | PendMove v1.2 30 | Copyright (C) 2013 Mark Russinovich 31 | Sysinternals - www.sysinternals.com 32 | 33 | Source: C:\Config.Msi\3ec7bbbf.rbf 34 | Target: DELETE 35 | ``` 36 | 37 | ## MoveFile usage 38 | The included MoveFile utility allows you to schedule move and delete commands for the next reboot: 39 | **usage: movefile [source] [dest]** 40 | Specifying an empty destination ("") deletes the source at boot. An example that deletes test.exe is: 41 | 42 | ```Shell 43 | movefile test.exe "" 44 | ``` 45 | 46 | [![Download](/media/landing/sysinternals/Download_sm.png)](https://download.sysinternals.com/files/PendMoves.zip) [**Download PendMoves and MoveFile**](https://download.sysinternals.com/files/PendMoves.zip) **(284 KB)** 47 | -------------------------------------------------------------------------------- /sysinternals/downloads/psfile.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PsFile 3 | title: PsFile 4 | description: See what files are opened remotely. 5 | ms:assetid: '01e9104e-4b10-4fec-a69d-a521dcc1b1e3' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897552(v=MSDN.10)' 7 | ms.date: 06/29/2016 8 | --- 9 | 10 | PsFile v1.03 11 | ============ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 29, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(1.6 MB)** 18 | 19 | 20 | ## Introduction 21 | 22 | The "net file" command shows you a list of the files that other 23 | computers have opened on the system upon which you execute the command, 24 | but it truncates long path names and doesn't let you see that 25 | information for remote systems.
*PsFile* is a command-line utility that 26 | shows a list of files on a system that are opened remotely, and it also 27 | allows you to close opened files either by name or by a file 28 | identifier. 29 | 30 | ## Installation 31 | 32 | Just copy *PsFile* onto your executable path, and type "psfile". 33 | 34 | ## Using PsFile 35 | 36 | The default behavior of *PsFile* is to list the files on the local 37 | system that are open by remote systems. Typing a command followed by "-?" 38 | displays information on the syntax for the command. 39 | 40 | **Usage: psfile \[\\\\RemoteComputer \[-u Username \[-p Password\]\]\] 41 | \[\[Id | path\] \[-c\]\]** 42 | 43 | |Parameter |Description | 44 | |---------|---------| 45 | | **-u** | Specifies optional user name for login to remote computer.| 46 | | **-p** | Specifies password for user name. If this is omitted, you will be prompted to enter the password without it being echoed to the screen.| 47 | | **Id** | Identifier (as assigned by PsFile) of the file for which to display information or to close.| 48 | | **Path** | Full or partial path of files to match for information display or close.| 49 | | **-c** | Closes the files identified by ID or path.| 50 | 51 | A password supplied with **-p** appears in the PsFile command line, where other processes on the system can read it; omit it and type it at the prompt instead. 52 | 53 | ## How it Works 54 | 55 | *PsFile* uses the NET API, which is documented in the Platform SDK. 56 | 57 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(1.6 MB)** -------------------------------------------------------------------------------- /sysinternals/downloads/strings.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Strings 3 | title: Strings 4 | description: Search for ANSI and UNICODE strings in binary images.
5 | ms:assetid: '516a3dc2-ae3c-48ea-9dd2-65d3635eee79' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897439(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | Strings v2.53 11 | ============= 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Strings.zip) [**Download Strings**](https://download.sysinternals.com/files/Strings.zip) **(150 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | Working on NT and Win2K means that executables and object files will 23 | many times have embedded UNICODE strings that you cannot easily see with 24 | a standard ASCII strings or grep programs. So we decided to roll our 25 | own. Strings just scans the file you pass it for UNICODE (or ASCII) 26 | strings of a default length of 3 or more UNICODE (or ASCII) characters. 27 | Note that it works under Windows 95 as well. 28 | 29 | 30 | 31 | ## Using Strings 32 | 33 | **usage: strings \[-a\] \[-f offset\] \[-b bytes\] \[-n length\] \[-o\] 34 | \[-q\] \[-s\] \[-u\] <file or directory>** 35 | 36 | Strings takes wild-card expressions for file names, and additional 37 | command line parameters are defined as follows: 38 | 39 | |Parameter |Description | 40 | |---------|---------| 41 | | **-a** | Ascii-only search (Unicode and Ascii is default) | 42 | | **-b** | Bytes of file to scan | 43 | | **-f** | File offset at which to start scanning. 
| 44 | | **-o** | Print offset in file string was located | 45 | | **-n** | Minimum string length (default is 3) | 46 | | **-q** | Quiet (no banner) | 47 | | **-s** | Recurse subdirectories | 48 | | **-u** | Unicode-only search (Unicode and Ascii is default) |  49 | 50 | To search one or more files for the presence of a particular string 51 | using strings use a command like this: 52 | 53 | **strings \* | findstr /i TextToSearchFor** 54 | 55 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Strings.zip) [**Download Strings**](https://download.sysinternals.com/files/Strings.zip) **(150 KB)** 56 | 57 | **Runs on:** 58 | 59 | - Client: Windows Vista and higher 60 | - Server: Windows Server 2008 and higher 61 | - Nano Server: 2016 and higher 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- /sysinternals/downloads/listdlls.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: ListDLLs 3 | title: ListDLLs 4 | description: List all the DLLs that are currently loaded, including where they are loaded and their version numbers. 5 | ms:assetid: 'b4a511a2-c7d8-4fda-9319-8048718a09eb' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896656(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | ListDLLs v3.2 11 | ============= 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ListDlls.zip) [**Download ListDLLs**](https://download.sysinternals.com/files/ListDlls.zip) **(307 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | ListDLLs is a utility that reports the DLLs loaded into processes. You 23 | can use it to list all DLLs loaded into all processes, into a specific 24 | process, or to list the processes that have a particular DLL loaded. 
25 | ListDLLs can also display full version information for DLLs, including 26 | their digital signature, and can be used to scan processes for unsigned 27 | DLLs. 28 | 29 | ## Usage 30 | 31 | **listdlls \[-r\] \[-v | -u\] \[processname|pid\] 32 | listdlls \[-r\] \[-v\] \[-d dllname\]** 33 | 34 | 35 | |Parameter |Description | 36 | |---------|---------| 37 | | **processname** | Dump DLLs loaded by process (partial name accepted).| 38 | | **pid** | Dump DLLs associated with the specified process id.| 39 | | **dllname** | Show only processes that have loaded the specified DLL.| 40 | | **-r** | Flag DLLs that relocated because they are not loaded at their base address.| 41 | | **-u** | Only list unsigned DLLs.| 42 | | **-v** | Show DLL version information.| 43 | 44 | Examples 45 | -------- 46 | 47 | List the DLLs loaded into Outlook.exe, including their version 48 | information: 49 | 50 | **listdlls -v outlook** 51 | 52 | List any unsigned DLLs loaded into any process: 53 | 54 | **listdlls -u** 55 | 56 | Show processes that have loaded MSO.DLL: 57 | 58 | **listdlls -d mso.dll** 59 | 60 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ListDlls.zip) [**Download ListDLLs**](https://download.sysinternals.com/files/ListDlls.zip) **(307 KB)** 61 | 62 | **Runs on:** 63 | 64 | - Client: Windows Vista and higher 65 | - Server: Windows Server 2008 and higher 66 | - Nano Server: 2016 and higher 67 | 68 | 69 | 70 | -------------------------------------------------------------------------------- /sysinternals/downloads/shellrunas.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: ShellRunas 3 | title: ShellRunas 4 | description: Launch programs as a different user via a convenient shell context-menu entry. 
5 | ms:assetid: 'd3e6e430-46f4-48ba-8860-4e2daa38024f' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Cc300361(v=MSDN.10)' 7 | ms.date: 02/28/2008 8 | --- 9 | 10 | ShellRunas v1.01 11 | ================ 12 | 13 | **By Mark Russinovich and Jon Schwartz** 14 | 15 | Published: February 28, 2008 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ShellRunas.zip) [**Download ShellRunas**](https://download.sysinternals.com/files/ShellRunas.zip) **(50 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | The command-line Runas utility is handy for launching programs under 23 | different accounts, but it’s not convenient if you’re a heavy Explorer 24 | user. ShellRunas provides functionality similar to that of Runas to 25 | launch programs as a different user via a convenient shell context-menu 26 | entry. 27 | 28 | **Screenshot** 29 | 30 | ![ShellRunas](/media/landing/sysinternals/ShellRunas.jpg) 31 | 32 | ## Using ShellRunas 33 | 34 | **Usage:** 35 | 36 | **shellrunas /reg \[/quiet\] 37 | shellrunas /regnetonly \[/quiet\] 38 | shellrunas /unreg \[/quiet\] 39 | shellrunas \[/netonly\] <*program*> \[*arguments*\]** 40 | 41 | 42 | |Parameter |Description | 43 | |---------|---------| 44 | | **/reg**                   | Registers ShellRunas shell context-menu entry| 45 | | **/regnetonly** | Registers Shell /netonly context-menu entry
**Note:** a command prompt will flash when the program starts| 46 | | **/unreg** | Unregisters ShellRunas shell context-menu  entry| 47 | | **/quiet** | Register or unregisters ShellRunas shell context-menu entry without result dialog| 48 | | **/netonly** | Use if specified credentials are for remote access only| 49 | | **<program>** | Runs program with specified credentials and parameters 50 | 51 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ShellRunas.zip) [**Download ShellRunas**](https://download.sysinternals.com/files/ShellRunas.zip) **(50 KB)** 52 | 53 | **Runs on:** 54 | 55 | - Client: Windows Vista and higher. 56 | - Server: Windows Server 2008 and higher. 57 | 58 | ## Getting Help 59 | 60 | If you have problems or questions, please visit the [Sysinternals Forum](http://forum.sysinternals.com). 61 | 62 | 63 | 64 | -------------------------------------------------------------------------------- /sysinternals/downloads/adinsight.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: AdInsight 3 | title: AdInsight 4 | description: An LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. 5 | ms:assetid: 'f3eb3300-3b79-45b4-bf1e-b4ae9fc68ca8' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897539(v=MSDN.10)' 7 | ms.date: 10/26/2015 8 | --- 9 | 10 | Insight for Active Directory v1.2 11 | ================================= 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: October 26, 2015 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AdInsight.zip) [**Download AdInsight**](https://download.sysinternals.com/files/AdInsight.zip) **(113 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ADInsight.exe). 
19 | 20 | ## Introduction 21 | 22 | ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time 23 | monitoring tool aimed at troubleshooting Active Directory client 24 | applications. Use its detailed tracing of Active Directory client-server 25 | communications to solve Windows authentication, Exchange, DNS, and other 26 | problems. 27 | 28 | ADInsight uses DLL injection techniques to intercept calls that 29 | applications make in the Wldap32.dll library, which is the standard 30 | library underlying Active Directory APIs such as LDAP and ADSI. Unlike 31 | network monitoring tools, ADInsight intercepts and interprets all 32 | client-side APIs, including those that do not result in transmission to 33 | a server. Applications that implement LDAP without Wldap32.dll are therefore not traced. ADInsight monitors any process into which it can load its 34 | tracing DLL, which means that it does not require administrative 35 | permissions; if run with administrative rights, it will also 36 | monitor system processes, including Windows services. 37 | 38 | ![ADInsight](/media/landing/sysinternals/adinsight.jpg) 39 | 40 | 41 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AdInsight.zip) [**Download AdInsight**](https://download.sysinternals.com/files/AdInsight.zip) **(113 KB)** 42 | 43 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ADInsight.exe). 44 | 45 | **Runs on:** 46 | 47 | - Client: Windows Vista and higher. 48 | - Server: Windows Server 2008 and higher. 49 | 50 | ## Related Links 51 | 52 | The Sysinternals 53 | [AdRestore](adrestore.md) 54 | utility enables you to restore deleted objects on Windows Server 2003 55 | domains. 56 | 57 | [AD Explorer](adexplorer.md) 58 | is an advanced Active Directory (AD) viewer and editor.
-------------------------------------------------------------------------------- /sysinternals/downloads/security-utilities.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Security Utilities 3 | title: Sysinternals Security Utilities 4 | description: Windows Sysinternals security utilities 5 | ms:assetid: '25e27bed-b251-4af4-b30a-c2a2a93a80d9' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb795534(v=MSDN.10)' 7 | ms.date: 07/22/2016 8 | --- 9 | 10 | Sysinternals Security Utilities 11 | =============================== 12 | 13 | [AccessChk](accesschk.md) 14 | This tool shows you the accesses the user or group you specify has to 15 | files, Registry keys or Windows services. 16 | 17 | [AccessEnum](accessenum.md) 18 | This simple yet powerful security tool shows you who has what access to 19 | directories, files and Registry keys on your systems. Use it to find 20 | holes in your permissions. 21 | 22 | [Autologon](autologon.md) 23 | Bypass password screen during logon. 24 | 25 | [Autoruns](autoruns.md) 26 | See what programs are configured to startup automatically when your 27 | system boots and you log in. Autoruns also shows you the full list of 28 | Registry and file locations where applications can configure auto-start 29 | settings. 30 | 31 | [LogonSessions](logonsessions.md) 32 | List active logon sessions 33 | 34 | [Process Explorer](process-explorer.md) 35 | Find out what files, registry keys and other objects processes have 36 | open, which DLLs they have loaded, and more. This uniquely powerful 37 | utility will even show you who owns each process. 38 | 39 | [PsExec](psexec.md) 40 | Execute processes with limited-user rights. 41 | 42 | [PsLoggedOn](psloggedon.md) 43 | Show users logged on to a system. 44 | 45 | [PsLogList](psloglist.md) 46 | Dump event log records. 
47 | 48 | [PsTools](pstools.md) 49 | The PsTools suite includes command-line utilities for listing the 50 | processes running on local or remote computers, running processes 51 | remotely, rebooting computers, dumping event logs, and more. 52 | 53 | [Rootkit Revealer](rootkit-revealer.md) 54 | RootkitRevealer is an advanced rootkit detection utility. 55 | 56 | [SDelete](sdelete.md) 57 | Securely overwrite your sensitive files and cleanse your free space of 58 | previously deleted files using this DoD-compliant secure delete program. 59 | 60 | [ShareEnum](shareenum.md) 61 | Scan file shares on your network and view their security settings to 62 | close security holes. 63 | 64 | [ShellRunas](shellrunas.md) 65 | Launch programs as a different user via a convenient shell context-menu 66 | entry. 67 | 68 | [Sigcheck](sigcheck.md) 69 | Dump file version information and verify that images on your system are 70 | digitally signed. 71 | 72 | [Sysmon](sysmon.md) 73 | Monitors and reports key system activity via the Windows event log. -------------------------------------------------------------------------------- /sysinternals/downloads/zoomit.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: ZoomIt 3 | title: ZoomIt 4 | description: Presentation utility for zooming and drawing on the screen. 5 | ms:assetid: '0b6c4abc-9482-4759-a9cd-bf77cb961dd4' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897434(v=MSDN.10)' 7 | ms.date: 06/20/2013 8 | --- 9 | 10 | ZoomIt v4.5 11 | =========== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 20, 2013 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ZoomIt.zip) [**Download ZoomIt**](https://download.sysinternals.com/files/ZoomIt.zip) **(296 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ZoomIt.exe). 
19 | 20 | 21 | ## Introduction 22 | 23 | ZoomIt is a screen zoom and annotation tool for technical presentations 24 | that include application demonstrations. ZoomIt runs unobtrusively in 25 | the tray and activates with customizable hotkeys to zoom in on an area 26 | of the screen, move around while zoomed, and draw on the zoomed image. I 27 | wrote ZoomIt to fit my specific needs and use it in all my 28 | presentations. 29 | 30 | ZoomIt works on all versions of Windows and you can use pen input for 31 | ZoomIt drawing on tablet PCs. 32 | 33 | ## Using ZoomIt 34 | 35 | The first time you run ZoomIt it presents a configuration dialog that 36 | describes ZoomIt's behavior, lets you specify alternate hotkeys for 37 | zooming and for entering drawing mode without zooming, and lets you customize the 38 | drawing pen color and size. I use the draw-without-zoom option to 39 | annotate the screen at its native resolution, for example. ZoomIt also 40 | includes a break timer feature that remains active even when you tab 41 | away from the timer window and allows you to return to the timer window 42 | by clicking on the ZoomIt tray icon. 43 | 44 | ### Shortcuts 45 | 46 | ZoomIt offers a number of shortcuts which can extend its usage greatly.
47 | 48 | | Function | Shortcut | 49 | |---|---| 50 | | Begin Zoom In Mode | Ctrl+1 | 51 | | Zoom In | Up Key | 52 | | Zoom Out | Down Key | 53 | | Begin Drawing (While zoomed) | Left-Click | 54 | | Begin Drawing (While not zoomed) | Ctrl+2 | 55 | | Red Pen Color | R | 56 | | Blue Pen Color | B | 57 | | Yellow Pen Color | Y | 58 | | Green Pen Color | G | 59 | | Show Meeting Timer | Ctrl + 3 | 60 | | Live Zoom Mode | Ctrl + 4 | 61 | | Zoom In (Live mode) | Ctrl + Up | 62 | | Zoom Out (Live mode) | Ctrl + Down | 63 | 64 | ![ZoomIt](/media/landing/sysinternals/20130618_Zoomit_v4.5.jpg) 65 | 66 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ZoomIt.zip) [**Download ZoomIt**](https://download.sysinternals.com/files/ZoomIt.zip) **(296 KB)** 67 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/ZoomIt.exe). 68 | -------------------------------------------------------------------------------- /sysinternals/downloads/system-information.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: System Information Utilities 3 | title: Sysinternals System Information Utilities 4 | description: Windows Sysinternals system information utilities 5 | ms:assetid: '86a95979-23f8-45f5-9480-f4ed9dab3aab' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb795535(v=MSDN.10)' 7 | ms.date: 09/08/2016 8 | --- 9 | 10 | Sysinternals System Information Utilities 11 | ========================================= 12 | 13 | [Autoruns](autoruns.md) 14 | See what programs are configured to startup automatically when your 15 | system boots and you login. Autoruns also shows you the full list of 16 | Registry and file locations where applications can configure auto-start 17 | settings. 18 | 19 | [ClockRes](clockres.md) 20 | View the resolution of the system clock, which is also the maximum timer 21 | resolution. 
22 | 23 | [Coreinfo](coreinfo.md) 24 | Coreinfo is a command-line utility that shows you the mapping between 25 | logical processors and the physical processor, NUMA node, and socket on 26 | which they reside, as well as the caches assigned to each logical 27 | processor. 28 | 29 | [Handle](handle.md) 30 | This handy command-line utility will show you what files are open by 31 | which processes, and much more. 32 | 33 | [LiveKd](livekd.md) 34 | Use Microsoft kernel debuggers to examine a live system. 35 | 36 | [LoadOrder](loadorder.md) 37 | See the order in which devices are loaded on your WinNT/2K system. 38 | 39 | [LogonSessions](logonsessions.md) 40 | List the active logon sessions on a system. 41 | 42 | [PendMoves](pendmoves.md) 43 | Enumerate the list of file rename and delete commands that will be 44 | executed the next boot. 45 | 46 | [Process Explorer](process-explorer.md) 47 | Find out what files, registry keys and other objects processes have 48 | open, which DLLs they have loaded, and more. This uniquely powerful 49 | utility will even show you who owns each process. 50 | 51 | [Process Monitor](procmon.md) 52 | Monitor file system, Registry, process, thread and DLL activity in 53 | real-time. 54 | 55 | [ProcFeatures](procfeatures.md) 56 | This applet reports processor and Windows support for Physical Address 57 | Extensions and No Execute buffer overflow protection. 58 | 59 | [PsInfo](psinfo.md) 60 | Obtain information about a system. 61 | 62 | [PsLoggedOn](psloggedon.md) 63 | Show users logged on to a system. 64 | 65 | [PsTools](pstools.md) 66 | The PsTools suite includes command-line utilities for listing the 67 | processes running on local or remote computers, running processes 68 | remotely, rebooting computers, dumping event logs, and more. 69 | 70 | [RAMMap](rammap.md) 71 | An advanced physical memory usage analysis utility that presents usage 72 | information in different ways on its several different tabs.
73 | 74 | [WinObj](winobj.md) 75 | The ultimate Object Manager namespace viewer is here. -------------------------------------------------------------------------------- /sysinternals/downloads/streams.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Streams 3 | title: Streams 4 | description: Reveal NTFS alternate streams. 5 | ms:assetid: '5e6c8d3a-0865-4e4d-9f23-bd4c431a27c3' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897440(v=MSDN.10)' 7 | ms.date: 07/04/2016 8 | --- 9 | 10 | Streams v1.6 11 | ============ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: July 4, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Streams.zip) [**Download Streams**](https://download.sysinternals.com/files/Streams.zip) **(140 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | The NTFS file system provides applications the ability to create 23 | alternate data streams of information. By default, all data is stored in 24 | a file's main unnamed data stream, but by using the syntax 25 | 'file:stream', you are able to read and write to alternates. Not all 26 | applications are written to access alternate streams, but you can 27 | demonstrate streams very simply. First, change to a directory on a NTFS 28 | drive from within a command prompt. Next, type 'echo hello > 29 | test:stream'. You've just created a stream named 'stream' that is 30 | associated with the file 'test'. Note that when you look at the size of 31 | test it is reported as 0, and the file looks empty when opened in any 32 | text editor. To see your stream enter 'more < test:stream' (the type 33 | command doesn't accept stream syntax so you have to use more). 34 | 35 | NT does not come with any tools that let you see which NTFS files have 36 | streams associated with them, so I've written one myself. 
Streams will 37 | examine the files and directories (note that directories can also have 38 | alternate data streams) you specify and inform you of the names and sizes 39 | of any named streams it encounters within those files. Streams makes use 40 | of an undocumented native function for retrieving file stream 41 | information. 42 | 43 | 44 | 45 | ## Using Streams 46 | 47 | **Usage: streams \[-s\] \[-d\] <file or directory>** 48 | 49 | 50 | | Parameter | Description | 51 | |-----------|-------------------------| 52 | | **-s** | Recurse subdirectories. | 53 | | **-d** | Delete streams. | 54 | 55 | Streams takes wildcards, e.g. 'streams \*.txt'. Because **-d** removes every named stream it finds, run Streams without it first to review what will be deleted. 56 | 57 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Streams.zip) [**Download Streams**](https://download.sysinternals.com/files/Streams.zip) **(140 KB)** 58 | 59 | **Runs on:** 60 | 61 | - Client: Windows Vista and higher 62 | - Server: Windows Server 2008 and higher 63 | - Nano Server: 2016 and higher 64 | 65 | 66 | 67 | -------------------------------------------------------------------------------- /sysinternals/downloads/diskmon.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: DiskMon 3 | title: DiskMon for Windows 4 | description: This utility captures all hard disk activity or acts like a software disk activity light in your system tray.
5 | ms:assetid: 'f9e26786-be46-4276-a073-8764d4e9fba4' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896646(v=MSDN.10)' 7 | ms.date: 11/01/2006 8 | --- 9 | 10 | DiskMon for Windows v2.01 11 | ========================= 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: November 1, 2006 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DiskMon.zip) [**Download Diskmon**](https://download.sysinternals.com/files/DiskMon.zip) **(80 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Diskmon.exe). 19 | 20 | ## Introduction 21 | 22 | *DiskMon* is an application that logs and displays all hard disk 23 | activity on a Windows system. You can also minimize *DiskMon* to your 24 | system tray where it acts as a disk light, presenting a green icon when 25 | there is disk-read activity and a red icon when there is disk-write 26 | activity. 27 | 28 | ## Installation and Use 29 | 30 | Installing *DiskMon* is as easy as unzipping it and typing "diskmon". 31 | The menus and toolbar buttons can be used to disable event capturing, 32 | control the scrolling of the listview, and to save the listview contents 33 | to an ASCII file. 34 | 35 | To have *DiskMon* function as a disk light in your system tray, select 36 | the Options|Minimize to Tray menu item, or start *DiskMon* with a "/l" 37 | (lower-case L) command-line switch, e.g. diskmon /l. To reactivate the 38 | *DiskMon* window, double-click on the *DiskMon* tray icon. To create a 39 | shortcut to Diskmon in the tray, create a shortcut in your Program 40 | Files\\Startup folder, edit the properties of the shortcut and set the 41 | Target to point at the executable with the path in quotations and the 42 | switch outside the quotes: 43 | 44 | "C:\\Sysinternals Tools\\Diskmon.exe" /l 45 | 46 | Read and write offsets are presented in terms of sectors (512 bytes).
Events can be either timed for their duration (in microseconds), or
stamped with the absolute time that they were initiated. The History
Depth dialog can be used to specify the maximum number of records that
will be kept in the GUI (0 signifies no limit).

![DiskMon](/media/landing/sysinternals/DiskMon.gif)

## Implementation

*DiskMon* uses kernel event tracing. Event tracing is documented in the
Microsoft Platform SDK and the SDK contains source code to TraceDmp, on
which *DiskMon* is based.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/DiskMon.zip) [**Download Diskmon**](https://download.sysinternals.com/files/DiskMon.zip) **(80 KB)**

**Run now** from [Sysinternals Live](https://live.sysinternals.com/Diskmon.exe).

-------------------------------------------------------------------------------- /sysinternals/Announce/TLSDeprecation.md: --------------------------------------------------------------------------------
---
TOCTitle: TLSDeprecation
title: Preparing for the mandatory use of TLS 1.2+
ms.date: 09/17/2017
---

Preparing for the mandatory use of TLS 1.2+
===========================================

**By Mark Cook**

Published: September 17, 2018

## Summary

In support of our promise to provide best-in-class encryption to our customers, Microsoft is planning to discontinue support for Transport Layer Security (TLS) versions 1.0 and 1.1 soon.
We understand that the security of your data is important, and we are committed to transparency about changes that could affect your use of the service.
The [Microsoft TLS 1.0 implementation](https://support.microsoft.com/en-us/help/3117336/schannel-implementation-of-tls-1-0-in-windows-security-status-update-n) has no known security vulnerabilities.
But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we are discontinuing support for the use of TLS 1.0 and 1.1 on [https://docs.microsoft.com/en-us/sysinternals/](https://docs.microsoft.com/en-us/sysinternals) and [https://live.sysinternals.com](https://live.sysinternals.com).
For information about how to remove TLS 1.0 and 1.1 dependencies, see the whitepaper [Solving the TLS 1.0 problem](https://www.microsoft.com/en-us/download/details.aspx?id=55266).

## More Information

As of October 31, 2018, Sysinternals sites will no longer support TLS 1.0 and 1.1.

By October 31, 2018, all client-server and browser-server combinations should use TLS version 1.2 (or a later version) to ensure connection without issues to [https://docs.microsoft.com/en-us/sysinternals/](https://docs.microsoft.com/en-us/sysinternals) or [https://live.sysinternals.com](https://live.sysinternals.com). This may require updates to certain client-server and browser-server combinations.

If you do not update to TLS version 1.2 (or later) by October 31, 2018, you may experience issues when connecting, and you will be required to update to TLS 1.2 as part of the resolution.

The following are some clients that we know are unable to use TLS 1.2. Please update your clients to ensure uninterrupted access to the service.

* Android 4.3 and earlier versions
* Firefox version 5.0 and earlier versions
* Internet Explorer 8-10 on Windows 7 and earlier versions
* Internet Explorer 10 on Windows Phone 8.0
* Safari 6.0.4/OS X 10.8.4 and earlier versions

Although current analysis of connections to Microsoft Online services shows that most services/endpoints see very little TLS 1.0 and 1.1 usage, we are providing notice of this change so that you can update any affected clients or servers as necessary before support for TLS 1.0 and 1.1 ends.
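A practical way to verify a Windows client before the cutover is to attempt a handshake restricted to TLS 1.2 and, separately, one restricted to TLS 1.0, and to read the Schannel client-side overrides that decide which versions the client may offer. The script below is an added example written for this page, not part of the announcement or of any Sysinternals tool; it assumes Windows PowerShell 5.1 or later, outbound access to TCP port 443, and uses `live.sysinternals.com` as the endpoint only because the announcement names it.

```powershell
# Added example, not part of the Sysinternals announcement: check whether this
# client can complete a TLS 1.2 handshake with a Sysinternals endpoint and show
# the Schannel client-side protocol overrides that would prevent it.
# Assumes Windows PowerShell 5.1 or later and outbound access to TCP 443.
param(
    [string]$TargetHost = 'live.sysinternals.com',   # endpoint named in the announcement
    [int]$Port = 443
)

function Test-TlsHandshake {
    # Attempt a handshake limited to one protocol version and report the outcome.
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($TargetHost, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # Last argument: check certificate revocation; an invalid chain also fails here.
            $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $true)
            [pscustomobject]@{ Requested = $Protocol; Negotiated = $ssl.SslProtocol; Ok = $true; Error = $null }
        } finally {
            $ssl.Dispose()
        }
    } catch {
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $null; Ok = $false; Error = $_.Exception.GetBaseException().Message }
    } finally {
        $client.Dispose()
    }
}

function Get-SchannelClientProtocol {
    # Explicit Schannel overrides live under these keys; a missing key or value
    # means the operating-system default for that Windows version applies.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($name in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = Join-Path $base "$name\Client"
        $props = if (Test-Path -LiteralPath $key) { Get-ItemProperty -LiteralPath $key } else { $null }
        [pscustomobject]@{
            Protocol          = $name
            Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { '(OS default)' }
            DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(OS default)' }
        }
    }
}

'Schannel client protocol overrides:'
Get-SchannelClientProtocol | Format-Table -AutoSize

".NET protocols this PowerShell process will offer: $([Net.ServicePointManager]::SecurityProtocol)"

"Handshake attempts against ${TargetHost}:${Port}"
# Tls12 is the required minimum; Tls is TLS 1.0, which the sites stop accepting.
$results = foreach ($p in [System.Security.Authentication.SslProtocols]::Tls12,
                          [System.Security.Authentication.SslProtocols]::Tls) {
    Test-TlsHandshake -TargetHost $TargetHost -Port $Port -Protocol $p
}
$results | Format-Table -AutoSize
```

Read the two handshake rows together: `Ok = True` for `Tls12` is what the announcement asks for; `Ok = False` for `Tls` after the cutover is the server refusing the old version, which is expected. If the `Tls12` row fails while the registry table shows `Enabled = 0` or `DisabledByDefault = 1` for TLS 1.2, the problem is the client's own Schannel policy rather than the site.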
**Note:** Using TLS 1.2 does not mean you must have TLS 1.0/1.1 disabled in your environments by October 31, 2018. If parts of your environment require the use of TLS 1.0 and 1.1 on or after October 31, 2018, you can leave the older protocol versions enabled.

-------------------------------------------------------------------------------- /sysinternals/downloads/winobj.md: --------------------------------------------------------------------------------
---
TOCTitle: WinObj
title: WinObj
description: The ultimate Object Manager namespace viewer is here.
ms:assetid: 'f5aabfba-811c-4b35-8d76-e64fd7083177'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896657(v=MSDN.10)'
ms.date: 02/14/2011
---

WinObj v2.22
============

**By Mark Russinovich**

Published: February 14, 2011

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/WinObj.zip) [**Download WinObj**](https://download.sysinternals.com/files/WinObj.zip) **(447 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/Winobj.exe).

## Introduction

*WinObj* is a must-have tool if you are a system administrator concerned
about security, a developer tracking down object-related problems, or
just curious about the Object Manager namespace.

*WinObj* is a 32-bit Windows NT program that uses the native Windows NT
API (provided by NTDLL.DLL) to access and display information on the NT
Object Manager's namespace. WinObj may seem similar to the Microsoft
SDK's program of the same name, but the SDK version suffers from
numerous significant bugs that prevent it from displaying accurate
information (e.g. its handle and reference counting information are
totally broken). In addition, our WinObj understands many more object
types.
Finally, Version 2.0 of our WinObj has user-interface
enhancements, knows how to open device objects, and will let you view
and change object security information using native NT security
editors.

## Installation and Use

There is no device driver component to WinObj, so you can run it like
any Win32 program.

![WinObj](/media/landing/sysinternals/WinObj.png)

## How it Works

The Object Manager is in charge of managing NT objects. As part of this
responsibility, it maintains an internal namespace where various
operating system components, device drivers and Win32 programs can store
and look up objects. The native NT API provides routines that allow
user-mode programs to browse the namespace and query the status of
objects located there, but the interfaces are undocumented.

## More Information

Helen Custer's *Inside Windows NT* provides a good overview of the
Object Manager namespace, and Mark's October 1997 [WindowsITPro
Magazine](http://www.windowsitpro.com/) column, "Inside the Object
Manager", is (of course) an excellent overview.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/WinObj.zip) [**Download WinObj**](https://download.sysinternals.com/files/WinObj.zip) **(447 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/Winobj.exe).

**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.
-------------------------------------------------------------------------------- /sysinternals/downloads/sysinternals-suite.md: --------------------------------------------------------------------------------
---
TOCTitle: Sysinternals Suite
title: Sysinternals Suite
description: The Windows Sysinternals troubleshooting Utilities have been rolled up into a single suite of tools.
ms:assetid: '0e18b180-9b7a-4c49-8120-c47c5a693683'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb842062(v=MSDN.10)'
ms.date: 06/28/2019
---

Sysinternals Suite
==================

**By Mark Russinovich**
Updated: September 20, 2019

[**Download Sysinternals Suite**](https://download.sysinternals.com/files/SysinternalsSuite.zip) (25.9 MB)
[**Download Sysinternals Suite for Nano Server**](https://download.sysinternals.com/files/SysinternalsSuite-Nano.zip) (5.1 MB)
[**Download Sysinternals Suite for ARM64**](https://download.sysinternals.com/files/SysinternalsSuite-ARM64.zip) (164 KB)

## Introduction

The Sysinternals Troubleshooting Utilities have been rolled up into a
single Suite of tools. This file contains the individual troubleshooting
tools and help files. It does not contain non-troubleshooting tools like
the BSOD Screen Saver.
The Suite is a bundling of the following selected Sysinternals
Utilities:
[AccessChk](accesschk.md), [AccessEnum](accessenum.md), [AdExplorer](adexplorer.md), [AdInsight](adinsight.md), [AdRestore](adrestore.md),
[Autologon](autologon.md), [Autoruns](autoruns.md), [BgInfo](bginfo.md), [BlueScreen](bluescreen.md), [CacheSet](cacheset.md),
[ClockRes](clockres.md), [Contig](contig.md), [Coreinfo](coreinfo.md), [Ctrl2Cap](ctrl2cap.md), [DebugView](debugview.md),
[Desktops](desktops.md), [Disk2vhd](disk2vhd.md), [DiskExt](diskext.md), [DiskMon](diskmon.md), [DiskView](diskview.md),
[Disk Usage (DU)](du.md), [EFSDump](efsdump.md), [FindLinks](findlinks.md), [Handle](handle.md), [Hex2dec](hex2dec.md),
[Junction](junction.md), [LDMDump](ldmdump.md), [ListDLLs](listdlls.md), [LiveKd](livekd.md), [LoadOrder](loadorder.md),
[LogonSessions](logonsessions.md), [MoveFile](movefile.md), [NotMyFault](notmyfault.md), [NTFSInfo](ntfsinfo.md), [PageDefrag](pagedefrag.md),
[PendMoves](pendmoves.md), [PipeList](pipelist.md), [PortMon](portmon.md), [ProcDump](procdump.md), [Process Explorer](process-explorer.md),
[Process Monitor](procmon.md), [PsExec](psexec.md), [PsFile](psfile.md), [PsGetSid](psgetsid.md), [PsInfo](psinfo.md),
[PsKill](pskill.md), [PsList](pslist.md), [PsLoggedOn](psloggedon.md), [PsLogList](psloglist.md), [PsPasswd](pspasswd.md),
[PsPing](psping.md), [PsService](psservice.md), [PsShutdown](psshutdown.md), [PsSuspend](pssuspend.md), [PsTools](pstools.md),
[RAMMap](rammap.md), [RegDelNull](regdelnull.md), [RegHide](reghide.md), [RegJump](regjump.md), [Registry Usage (RU)](ru.md),
[SDelete](sdelete.md), [ShareEnum](shareenum.md), [ShellRunas](shellrunas.md), [Sigcheck](sigcheck.md), [Streams](streams.md),
[Strings](strings.md), [Sync](sync.md), [Sysmon](sysmon.md), [TCPView](tcpview.md), [VMMap](vmmap.md),
[VolumeID](volumeid.md), [WhoIs](whois.md), [WinObj](winobj.md),
[ZoomIt](zoomit.md)

-------------------------------------------------------------------------------- /sysinternals/downloads/process-utilities.md: --------------------------------------------------------------------------------
---
TOCTitle: Process Utilities
title: Sysinternals Process Utilities
description: Windows Sysinternals process utilities
ms:assetid: 'cb56073f-62a3-4ed8-9dd6-40c84cb9e2f5'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb795533(v=MSDN.10)'
ms.date: 07/22/2016
---

Sysinternals Process Utilities
==============================

[Autoruns](autoruns.md)
See what programs are configured to start up automatically when your
system boots and you log in. Autoruns also shows you the full list of
Registry and file locations where applications can configure auto-start
settings.

[Handle](handle.md)
This handy command-line utility will show you what files are open by
which processes, and much more.

[ListDLLs](listdlls.md)
List all the DLLs that are currently loaded, including where they are
loaded and their version numbers. Version 2.0 prints the full path names
of loaded modules.

[PortMon](portmon.md)
Monitor serial and parallel port activity with this advanced monitoring
tool. It knows about all standard serial and parallel IOCTLs and even
shows you a portion of the data being sent and received. Version 3.x has
powerful new UI enhancements and advanced filtering capabilities.

[ProcDump](procdump.md)
This new command-line utility is aimed at capturing process dumps of
otherwise difficult to isolate and reproduce CPU spikes. It also serves
as a general process dump creation utility and can also monitor and
generate process dumps when a process has a hung window or unhandled
exception.
[Process Explorer](process-explorer.md)
Find out what files, registry keys and other objects processes have
open, which DLLs they have loaded, and more. This uniquely powerful
utility will even show you who owns each process.

[Process Monitor](procmon.md)
Monitor file system, Registry, process, thread and DLL activity in
real-time.

[PsExec](psexec.md)
Execute processes remotely.

[PsGetSid](psgetsid.md)
Displays the SID of a computer or a user.

[PsKill](pskill.md)
Terminate local or remote processes.

[PsList](pslist.md)
Show information about processes and threads.

[PsService](psservice.md)
View and control services.

[PsSuspend](pssuspend.md)
Suspend and resume processes.

[PsTools](pstools.md)
The PsTools suite includes command-line utilities for listing the
processes running on local or remote computers, running processes
remotely, rebooting computers, dumping event logs, and more.

[ShellRunas](shellrunas.md)
Launch programs as a different user via a convenient shell context-menu
entry.

[VMMap](vmmap.md)
See a breakdown of a process's committed virtual memory types as well as
the amount of physical memory (working set) assigned by the operating
system to those types. Identify the sources of process memory usage and
the memory cost of application features.

-------------------------------------------------------------------------------- /sysinternals/downloads/junction.md: --------------------------------------------------------------------------------
---
TOCTitle: Junction
title: Junction
description: Create Win2K NTFS symbolic links.
ms:assetid: '16f763c0-cb78-4d67-a865-63e79bef0c58'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896768(v=MSDN.10)'
ms.date: 07/04/2016
---

Junction v1.07
==============

**By Mark Russinovich**

Published: July 4, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Junction.zip) [**Download Junction**](https://download.sysinternals.com/files/Junction.zip) **(212 KB)**

## Introduction

Windows 2000 and higher supports directory symbolic links, where a
directory serves as a symbolic link to another directory on the
computer. For example, if the directory D:\\SYMLINK specified
C:\\WINNT\\SYSTEM32 as its target, then an application accessing
D:\\SYMLINK\\DRIVERS would in reality be accessing
C:\\WINNT\\SYSTEM32\\DRIVERS. Directory symbolic links are known as NTFS
junctions in Windows. Unfortunately, Windows comes with no tools for
creating junctions—you have to purchase the Win2K Resource Kit, which
comes with the linkd program for creating junctions. I therefore decided
to write my own junction-creating tool: *Junction*. *Junction* not only
allows you to create NTFS junctions, it allows you to see if files or
directories are actually reparse points. Reparse points are the
mechanism on which NTFS junctions are based, and they are used by
Windows' Remote Storage Service (RSS), as well as volume mount points.

Please read this [Microsoft KB
article](http://support.microsoft.com/?kbid=205524) for tips on using
junctions.

> Windows does not support junctions to directories on remote shares.
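Two NTFS features described on this site hide data or redirect paths in ways that ordinary directory listings do not show: the alternate data streams that the Streams page above enumerates, and the reparse points that the Junction introduction describes. The script below is an added example written for both pages, not Sysinternals code; it audits a directory tree for both using only built-in cmdlets, and builds its own demonstration input (a file with a named stream and a junction to the file's directory) in a temporary directory so it runs stand-alone. It assumes Windows PowerShell 5.1 or later and an NTFS volume behind `$env:TEMP`.

```powershell
# Added example, not Sysinternals code: audit a directory tree for the two NTFS
# features the Streams page (alternate data streams) and the Junction
# introduction (reparse points) describe, using only built-in cmdlets.
# Assumes Windows PowerShell 5.1 or later and an NTFS volume under $env:TEMP.

function Get-AlternateDataStream {
    # Every named stream on each file or directory under $Path. ':$DATA' is the
    # unnamed stream holding the file's ordinary content, so it is skipped.
    param([string]$Path, [switch]$Recurse)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse:$Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($s in Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue) {
            if ($s.Stream -eq ':$DATA') { continue }
            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Bytes  = $s.Length
                # Zone.Identifier is the Mark-of-the-Web browsers write on downloads;
                # any other name is worth inspecting, e.g. with Get-Content -Stream.
                Note   = if ($s.Stream -eq 'Zone.Identifier') { 'Mark-of-the-Web' } else { 'unexpected stream' }
            }
        }
    }
}

function Get-ReparsePoint {
    # Junctions, symbolic links and mount points all carry the ReparsePoint attribute.
    param([string]$Path, [switch]$Recurse)
    Get-ChildItem -LiteralPath $Path -Recurse:$Recurse -Force -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType           # Junction, SymbolicLink; empty for other reparse tags
                Target   = ($_.Target -join '; ')
            }
        }
}

# Constructed demonstration input in a temporary directory: one file carrying a
# named stream, and one junction pointing at the file's directory.
$demo   = New-Item -ItemType Directory -Path (Join-Path $env:TEMP ('ntfs-audit-' + [guid]::NewGuid().ToString('N')))
$target = New-Item -ItemType Directory -Path (Join-Path $demo.FullName 'target')
$file   = Join-Path $target.FullName 'notes.txt'
Set-Content -LiteralPath $file -Value 'ordinary content'
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'only reachable through the stream name'
$link   = Join-Path $demo.FullName 'link'
$null   = New-Item -ItemType Junction -Path $link -Target $target.FullName

try {
    "Alternate data streams under $($demo.FullName):"
    Get-AlternateDataStream -Path $demo.FullName -Recurse | Format-Table -AutoSize
    "Reparse points under $($demo.FullName):"
    Get-ReparsePoint -Path $demo.FullName -Recurse | Format-Table -AutoSize
} finally {
    # Remove the junction itself first: Directory.Delete on a junction removes
    # only the link, never the target's contents.
    [System.IO.Directory]::Delete($link)
    Remove-Item -LiteralPath $demo.FullName -Recurse -Force
}
```

Point `Get-AlternateDataStream` and `Get-ReparsePoint` at a real directory (a downloads folder, a web root, a directory that a service writes to) to get the same information `streams -s` and `junction -s` print. If `notes.txt` appears twice in the stream listing, the recursion followed the junction into `target`, which is exactly the path redirection the introduction above describes and the reason audits of a tree should also list its reparse points.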
## Using Junction

Use junction to list junctions:

**Usage: \[-s\]**

|Parameter |Description |
|---------|---------|
| **-s** | Recurse subdirectories |

**Examples:**

To determine if a file is a junction, specify the file name:

**junction c:\\test**

To list junctions beneath a directory, include the -s switch:

**junction -s c:\\**

To create a junction c:\\Program-Files for "c:\\Program Files":

**C:\\>md Program-Files**

**C:\\>junction c:\\Program-Files "c:\\Program Files"**

To delete a junction, use the -d switch:

**junction -d c:\\Program-Files**

## Return codes

**0** - on success
**-1** - on failed creation of a new junction
**0** - on failed deletion of a junction (e.g. if the file is not found)
**0** - if the check whether a file is a junction fails (e.g. if the file is not found)

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Junction.zip) [**Download Junction**](https://download.sysinternals.com/files/Junction.zip) **(212 KB)**

**Runs on:**

- Client: Windows Vista and higher
- Server: Windows Server 2008 and higher
- Nano Server: 2016 and higher

-------------------------------------------------------------------------------- /sysinternals/downloads/misc-utilities.md: --------------------------------------------------------------------------------
---
TOCTitle: Miscellaneous Utilities
title: Sysinternals Miscellaneous Utilities
description: Windows Sysinternals miscellaneous utilities
ms:assetid: 'd46b4037-88ae-41d7-a41c-9660d7d96cf2'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb842059(v=MSDN.10)'
ms.date: 07/29/2016
---

Sysinternals Miscellaneous Utilities
====================================

[AD Explorer](adexplorer.md)
Active Directory Explorer is an advanced Active Directory (AD) viewer
and editor.

[AdRestore](adrestore.md)
Restore tombstoned Active Directory objects in Server 2003 domains.

[Autologon](autologon.md)
Bypass password screen during logon.

[BgInfo](bginfo.md)
This fully-configurable program automatically generates desktop
backgrounds that include important information about the system
including IP addresses, computer name, network adapters, and more.

[BlueScreen](bluescreen.md)
This screen saver not only accurately simulates Blue Screens, but
simulated reboots as well (complete with CHKDSK), and works on Windows
Vista, Server 2008 and higher.

[Ctrl2cap](ctrl2cap.md)
This is a kernel-mode driver that demonstrates keyboard input filtering
just above the keyboard class driver in order to turn caps-locks into
control keys. Filtering at this level allows conversion and hiding of
keys before NT even "sees" them. Ctrl2cap also shows how to use
NtDisplayString() to print messages to the initialization blue-screen.

[DebugView](debugview.md)
Another first from Sysinternals: This program intercepts calls made to
DbgPrint by device drivers and OutputDebugString made by Win32 programs.
It allows for viewing and recording of debug session output on your
local machine or across the Internet without an active debugger.

[Desktops](desktops.md)
This new utility enables you to create up to four virtual desktops and
to use a tray interface or hotkeys to preview what's on each desktop and
easily switch between them.

[Hex2dec](hex2dec.md)
Convert hex numbers to decimal and vice versa.

[NotMyFault](notmyfault.md)
Notmyfault is a tool that you can use to crash, hang, and cause kernel
memory leaks on your Windows system.

[PsLogList](psloglist.md)
Dump event log records.
[PsTools](pstools.md)
The PsTools suite includes command-line utilities for listing the
processes running on local or remote computers, running processes
remotely, rebooting computers, dumping event logs, and more.

[RegDelNull](regdelnull.md)
Scan for and delete Registry keys that contain embedded null characters
that are otherwise undeletable by standard Registry-editing tools.

[Registry Usage (RU)](ru.md)
View the registry space usage for the specified registry key.

[RegJump](regjump.md)
Jump to the registry path you specify in Regedit.

[Strings](strings.md)
Search for ANSI and UNICODE strings in binary images.

[ZoomIt](zoomit.md)
Presentation utility for zooming and drawing on the screen.

-------------------------------------------------------------------------------- /sysinternals/downloads/vmmap.md: --------------------------------------------------------------------------------
---
TOCTitle: VMMap
title: VMMap
description: VMMap is a process virtual and physical memory analysis utility.
ms:assetid: '0b5217b3-99e1-4742-b502-7574bb478a16'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Dd535533(v=MSDN.10)'
ms.date: 07/20/2015
---

VMMap v3.26
===========

**By Mark Russinovich**

Published: June 11, 2018

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/VMMap.zip) [**Download VMMap**](https://download.sysinternals.com/files/VMMap.zip) **(626 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/vmmap.exe).

## Introduction

VMMap is a process virtual and physical memory analysis utility. It
shows a breakdown of a process's committed virtual memory types as well
as the amount of physical memory (working set) assigned by the operating
system to those types.
Besides graphical representations of memory
usage, VMMap also shows summary information and a detailed process
memory map. Powerful filtering and refresh capabilities allow you to
identify the sources of process memory usage and the memory cost of
application features.

Besides flexible views for analyzing live processes, VMMap supports the
export of data in multiple forms, including a native format that
preserves all the information so that you can load it back in. It also
includes command-line options that enable scripting scenarios.

VMMap is the ideal tool for developers wanting to understand and
optimize their application's memory resource usage.

## Screenshot

![VMMap](/media/landing/sysinternals/vmmap.jpg)

## Related Links

- [**Windows Internals Book**](~/learn/windows-internals.md)
  The official updates and errata page for the definitive book on
  Windows internals, by Mark Russinovich and David Solomon.
- [**Windows Sysinternals Administrator's Reference**](~/learn/troubleshooting-book.md)
  The official guide to the Sysinternals utilities by Mark Russinovich and
  Aaron Margosis, including descriptions of all the tools, their
  features, how to use them for troubleshooting, and example
  real-world cases of their use.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/VMMap.zip) [**Download VMMap**](https://download.sysinternals.com/files/VMMap.zip) **(586 KB)**

**Run now** from [Sysinternals Live](https://live.sysinternals.com/vmmap.exe).

**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.

## Getting Help

If you have problems or questions, please visit the [Sysinternals
Forum](http://forum.sysinternals.com).
## Learn More

- [Defrag Tools: \#7 -
  VMMap](http://channel9.msdn.com/shows/defrag-tools/defrag-tools-7-vmmap)
  In this episode of Defrag Tools, Andrew Richards and Larry Larsen
  cover how to use VMMap to see how Virtual Memory is being used and
  if there have been any memory leaks.

-------------------------------------------------------------------------------- /sysinternals/downloads/desktops.md: --------------------------------------------------------------------------------
---
TOCTitle: Desktops
title: Desktops
description: This utility enables you to create up to four virtual desktops and easily switch between them.
ms:assetid: 'a6144f44-1b00-4308-94c0-6bf6e6a1aaee'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Cc817881(v=MSDN.10)'
ms.date: 10/17/2012
---

Desktops v2.0
=============

**By Mark Russinovich**

Published: October 17, 2012

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Desktops.zip) [**Download Desktops**](https://download.sysinternals.com/files/Desktops.zip) **(61 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/Desktops.exe).

## Introduction

Desktops allows you to organize your applications on up to four virtual
desktops. Read email on one, browse the web on the second, and do work
in your productivity software on the third, without the clutter of the
windows you're not using. After you configure hotkeys for switching
deskt�ops, you can create and switch desktops either by clicking on the
tray icon to open a desktop preview and switching window, or by using
the hotkeys.
## Using Desktops

Unlike other virtual desktop utilities that implement their desktops by
showing the windows that are active on a desktop and hiding the rest,
Sysinternals Desktops uses a Windows desktop object for each desktop.
Application windows are bound to a desktop object when they are created,
so Windows maintains the connection between windows and desktops and
knows which ones to show when you switch a desktop. That makes
Sysinternals Desktops very lightweight and free from the bugs that the
other approach is prone to, where its view of active windows becomes
inconsistent with the visible windows.

Desktops' reliance on Windows desktop objects means that it cannot
provide some of the functionality of other virtual desktop utilities,
however. For example, Windows doesn't provide a way to move a window
from one desktop object to another, and because a separate Explorer
process must run on each desktop to provide a taskbar and start menu,
most tray applications are only visible on the first desktop. Further,
there is no way to delete a desktop object, so Desktops does not provide
a way to close a desktop, because that would result in orphaned windows
and processes. The recommended way to exit Desktops is therefore to
log off.

## Screenshot

![Configuration Dialog](/media/landing/sysinternals/desktops.png "Configuration Dialog")
Configuration Dialog

![Tray Desktop Switch Window](/media/landing/sysinternals/desktops2.png "Tray Desktop Switch Window")
Tray Desktop Switch Window

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Desktops.zip) [**Download Desktops**](https://download.sysinternals.com/files/Desktops.zip) **(61 KB)**

**Run now** from [Sysinternals Live](https://live.sysinternals.com/Desktops.exe).
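The desktop objects the section above describes are kernel objects inside the session's window station, and they can be listed with the documented `EnumDesktops` API; because windows are bound to a desktop at creation, each desktop's windows can be counted with `EnumDesktopWindows`. The script below is an added example written for this page, not part of Sysinternals Desktops, and it assumes Windows PowerShell 5.1 or later on Windows (Add-Type compiles the C# helper). It lists every desktop the caller may enumerate in its own window station, marks which one the script is running on, and counts the windows bound to each; desktops a normal user cannot open, such as `Winlogon`, are reported as inaccessible rather than failing the run. The same listing is a cheap check for desktop objects that neither Windows nor a tool you installed created.

```powershell
# Added example, not part of Sysinternals Desktops: list the desktop objects in
# this session's window station (the objects Desktops creates one of per virtual
# desktop), mark the current one and count the windows bound to each.
# Assumes Windows PowerShell 5.1 or later.

Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public static class DesktopEnum
{
    // EnumDesktopsW hands the callback a wide string, so the delegate must be Unicode too.
    [UnmanagedFunctionPointer(CallingConvention.Winapi, CharSet = CharSet.Unicode)]
    delegate bool EnumDesktopProc(string lpszDesktop, IntPtr lParam);
    delegate bool EnumWindowsProc(IntPtr hwnd, IntPtr lParam);

    [DllImport("user32.dll")] static extern IntPtr GetProcessWindowStation();
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern bool EnumDesktops(IntPtr hwinsta, EnumDesktopProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")] static extern IntPtr GetThreadDesktop(uint dwThreadId);
    [DllImport("kernel32.dll")] static extern uint GetCurrentThreadId();
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern bool GetUserObjectInformation(IntPtr hObj, int nIndex, StringBuilder pvInfo, int nLength, out int lpnLengthNeeded);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)] static extern IntPtr OpenDesktop(string lpszDesktop, uint dwFlags, bool fInherit, uint dwDesiredAccess);
    [DllImport("user32.dll")] static extern bool CloseDesktop(IntPtr hDesktop);
    [DllImport("user32.dll")] static extern bool EnumDesktopWindows(IntPtr hDesktop, EnumWindowsProc lpfn, IntPtr lParam);
    [DllImport("user32.dll")] static extern bool IsWindowVisible(IntPtr hWnd);

    const int UOI_NAME = 2;
    const uint DESKTOP_READOBJECTS = 0x0001;

    public static List<string> ListDesktops()
    {
        var names = new List<string>();
        EnumDesktops(GetProcessWindowStation(), (name, lp) => { names.Add(name); return true; }, IntPtr.Zero);
        return names;
    }

    public static string CurrentDesktop()
    {
        var sb = new StringBuilder(256);
        int needed;
        // nLength is a byte count; the buffer holds 256 UTF-16 characters.
        GetUserObjectInformation(GetThreadDesktop(GetCurrentThreadId()), UOI_NAME, sb, sb.Capacity * 2, out needed);
        return sb.ToString();
    }

    // Returns {total, visible} window counts, or null when the desktop cannot be opened.
    public static int[] CountWindows(string desktop)
    {
        IntPtr h = OpenDesktop(desktop, 0, false, DESKTOP_READOBJECTS);
        if (h == IntPtr.Zero) return null;
        int total = 0, visible = 0;
        try
        {
            EnumDesktopWindows(h, (hwnd, lp) => { total++; if (IsWindowVisible(hwnd)) visible++; return true; }, IntPtr.Zero);
        }
        finally { CloseDesktop(h); }
        return new[] { total, visible };
    }
}
'@

$current = [DesktopEnum]::CurrentDesktop()
foreach ($d in [DesktopEnum]::ListDesktops()) {
    $counts = [DesktopEnum]::CountWindows($d)
    [pscustomobject]@{
        Desktop        = $d
        Current        = ($d -eq $current)
        # Default, Winlogon and Disconnect are the desktops Windows itself creates
        # in the interactive window station; anything else was made by software.
        KnownToWindows = ($d -in 'Default', 'Winlogon', 'Disconnect')
        Windows        = if ($counts) { $counts[0] } else { '(no access)' }
        VisibleWindows = if ($counts) { $counts[1] } else { '(no access)' }
    }
}
```

Running this while Sysinternals Desktops is active shows one extra desktop object per virtual desktop you have created, each with its own window count, which is the "separate Explorer per desktop" behaviour the section explains; a desktop that is neither a Windows default nor one you created is worth a closer look.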
**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.

-------------------------------------------------------------------------------- /sysinternals/downloads/ldmdump.md: --------------------------------------------------------------------------------
---
TOCTitle: LDMDump
title: LDMDump
description: Dump the contents of the Logical Disk Manager's on-disk database, which describes the partitioning of Windows 2000 Dynamic disks.
ms:assetid: '2767f738-9f1d-4eb0-8c75-4287b7ca0e13'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897413(v=MSDN.10)'
ms.date: 11/01/2016
---

LDMDump v1.02
=============

**By Mark Russinovich**

Published: November 1, 2006

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/LdmDump.zip) [**Download LDMDump**](https://download.sysinternals.com/files/LdmDump.zip) **(43 KB)**

## Introduction

Windows 2000 introduces a new type of disk partitioning scheme that is
managed by a component called the Logical Disk Manager (LDM). Basic
disks implement standard DOS-style partition tables, whereas Dynamic
disks use LDM partitioning. LDM partitioning offers several advantages
over DOS partitioning, including replication across disks and on-disk storage
of advanced volume configuration (spanned volumes, mirrored volumes,
striped volumes and RAID-5 volumes). My March/April two-part series on
Windows NT/2000 storage management in *Windows 2000 Magazine* describes
the details of each partitioning scheme.

Other than the Disk Management MMC snap-in and a tool called dmdiag in
the Windows 2000 Resource Kit, there are no tools for investigating the
internals of the LDM on-disk database that describes a system's
partitioning layout.
*LDMDump* is a utility that lets you examine
exactly what is stored in a disk's copy of the system LDM database.
*LDMDump* shows you the contents of the LDM database private header,
table of contents, and object database (where partition, component and
volume definitions are stored), and then summarizes its findings with
partition table and volume listings.

## Installing and Using LDMDump

To use *LDMDump*, simply pass it the identifier of a disk.

**Usage: ldmdump \[- \] \[-d\#\]**

|Parameter |Description |
|---------|---------|
| **-** | Displays the supported options and the units of measurement used for output values.|
| **-d\#** | Specifies the number of the disk for *LDMDump* to examine. For example, "ldmdump /d0" has *LDMDump* show the LDM database information stored on disk 0.|

## How it Works

There are no published APIs available for obtaining detailed
information about a disk's LDM partitioning, and the LDM database format
is completely undocumented. *LDMDump* was developed based on study of
LDM database contents on a variety of different systems and under
changing conditions.

## More Information

For more information on the LDM on-disk structure, see:

- *Inside Storage Management, Part 2*, by Mark Russinovich, Windows
  2000 Magazine, April 2000.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/LdmDump.zip) [**Download LDMDump**](https://download.sysinternals.com/files/LdmDump.zip) **(43 KB)**

**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.
-------------------------------------------------------------------------------- /sysinternals/downloads/tcpview.md: --------------------------------------------------------------------------------
---
TOCTitle: TCPView
title: TCPView for Windows
description: Active socket command-line viewer.
ms:assetid: '0797e73a-a0c2-4266-b821-50bc561da3a6'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897437(v=MSDN.10)'
ms.date: 07/25/2011
---

TCPView v3.05
=============

**By Mark Russinovich**

Published: July 25, 2011

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/TCPView.zip) [**Download TCPView**](https://download.sysinternals.com/files/TCPView.zip) **(285 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/Tcpview.exe).

## Introduction

TCPView is a Windows program that will show you detailed listings of all
TCP and UDP endpoints on your system, including the local and remote
addresses and state of TCP connections. On Windows Server 2008, Vista,
and XP, TCPView also reports the name of the process that owns the
endpoint. TCPView provides a more informative and conveniently presented
subset of the Netstat program that ships with Windows. The TCPView
download includes Tcpvcon, a command-line version with the same
functionality.

![TCP View screenshot](/media/landing/sysinternals/tcpview.jpg)

## Using TCPView

When you start TCPView it will enumerate all active TCP and UDP
endpoints, resolving all IP addresses to their domain name versions. You
can use a toolbar button or menu item to toggle the display of resolved
names. On Windows XP systems, TCPView shows the name of the process that
owns each endpoint.
43 | 44 | By default, TCPView updates every second, but you can use the 45 | **Options|Refresh Rate** menu item to change the rate. Endpoints that 46 | change state from one update to the next are highlighted in yellow; 47 | those that are deleted are shown in red, and new endpoints are shown in 48 | green. 49 | 50 | You can close established TCP/IP connections (those labeled with a state 51 | of ESTABLISHED) by selecting **File|Close Connections**, or by 52 | right-clicking on a connection and choosing **Close Connections** from 53 | the resulting context menu. 54 | 55 | You can save TCPView's output window to a file using the **Save** menu 56 | item. 57 | 58 | 59 | 60 | ## Using Tcpvcon 61 | 62 | Tcpvcon usage is similar to that of the built-in Windows netstat 63 | utility: 64 | 65 | **Usage: tcpvcon \[-a\] \[-c\] \[-n\] \[process name or PID\]** 66 | 67 | |Parameter |Description | 68 | |---------|---------| 69 | | **-a** | Show all endpoints (default is to show established TCP connections).| 70 | | **-c** | Print output as CSV.| 71 | | **-n** | Don't resolve addresses.| 72 | 73 | 74 | ## Microsoft TCPView KB Article 75 | 76 | This Microsoft KB article references TCPView: 77 | 78 | [816944: "Unexpected Error 0x8ffe2740 Occurred" Error Message When You 79 | Try to Start a Web Site](http://support.microsoft.com/kb/816944) 80 | 81 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/TCPView.zip) [**Download TCPView**](https://download.sysinternals.com/files/TCPView.zip) **(285 KB)** 82 | 83 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Tcpview.exe). 84 | 85 | **Runs on:** 86 | 87 | - Client: Windows Vista and higher. 88 | - Server: Windows Server 2008 and higher. 
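The Tcpvcon switches above (`-a -c -n`) produce a machine-readable snapshot of every endpoint, which is the form most useful for triage: compare the listeners against what the host is supposed to expose and pull out established connections to peers outside your own address space. The following Python block is an added example written for this page, not code from TCPView or the Sysinternals documentation. It assumes a CSV column layout of protocol, process, PID, state, local endpoint, remote endpoint (an assumption: check it against a real capture before trusting the parser), and all sample rows, process names, PIDs, addresses and the baseline/internal-range definitions are constructed.

```python
"""Triage Tcpvcon CSV output against a listener baseline.

Added example for this page, not part of Tcpvcon or the Sysinternals
documentation. ASSUMPTION: 'tcpvcon -a -c -n' emits one record per
endpoint as protocol,process,pid,state,local,remote; confirm the column
order against a real capture before relying on this parser.
"""
import csv
import ipaddress
from io import StringIO

# Constructed sample capture (invented processes, PIDs and addresses).
SAMPLE_CSV = """\
TCP,System,4,LISTENING,0.0.0.0:445,0.0.0.0:0
TCP,svchost.exe,912,LISTENING,0.0.0.0:135,0.0.0.0:0
TCP,updater.exe,4412,LISTENING,0.0.0.0:4444,0.0.0.0:0
TCP,chrome.exe,3320,ESTABLISHED,192.168.1.20:51234,198.51.100.7:443
TCP,updater.exe,4412,ESTABLISHED,192.168.1.20:51300,203.0.113.9:8080
UDP,svchost.exe,1200,,0.0.0.0:5353,*:*
"""

# (process name, local port) pairs an administrator expects to be listening.
BASELINE_LISTENERS = {("System", 445), ("svchost.exe", 135)}

# Address space the organisation treats as internal (constructed for the sample).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port). Port is None for '*' wildcards;
    IPv6 literals such as '[::1]:80' lose their brackets."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_tcpvcon_csv(text):
    """Parse CSV records into dicts; malformed records are skipped, not guessed."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if len(rec) != 6:
            continue
        proto, proc, pid, state, local, remote = rec
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({
            "proto": proto, "process": proc,
            "pid": int(pid) if pid.isdigit() else None,
            "state": state,
            "lhost": lhost, "lport": lport,
            "rhost": rhost, "rport": rport,
        })
    return rows


def is_internal(host, internal_nets=INTERNAL_NETS):
    """True when host is a literal IP inside one of the internal ranges.
    Wildcards, unspecified addresses and unparsable hosts count as internal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_unspecified or any(ip in net for net in internal_nets)


def unexpected_listeners(rows, baseline=BASELINE_LISTENERS):
    """TCP listeners absent from the baseline: the first thing to explain."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "LISTENING"
            and (r["process"], r["lport"]) not in baseline]


def external_connections(rows, internal_nets=INTERNAL_NETS):
    """Established connections whose peer lies outside the internal ranges."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED"
            and not is_internal(r["rhost"], internal_nets)]


def triage(text, baseline=BASELINE_LISTENERS, internal_nets=INTERNAL_NETS):
    """Summarise a capture: unexpected listeners, external peers, and the
    processes that appear in both lists."""
    rows = parse_tcpvcon_csv(text)
    listeners = unexpected_listeners(rows, baseline)
    external = external_connections(rows, internal_nets)
    both = sorted({r["process"] for r in listeners} & {r["process"] for r in external})
    return {"listeners": listeners, "external": external, "both": both}


if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for r in result["listeners"]:
        print(f"unexpected listener: {r['process']} (pid {r['pid']}) on port {r['lport']}")
    for r in result["external"]:
        print(f"external peer: {r['process']} (pid {r['pid']}) -> {r['rhost']}:{r['rport']}")
    print("processes in both lists:", result["both"])
```

Capture with `-n` when feeding a script like this: name resolution adds latency and sends a DNS query for every remote address, which is noise you do not want during an investigation. A process that both listens on a non-baseline port and holds an external connection (the `both` list) is the first candidate to look up in Process Explorer.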
89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /sysinternals/downloads/psloggedon.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PsLoggedOn 3 | title: PsLoggedOn 4 | description: Show users logged on to a system. 5 | ms:assetid: '05a9b41e-e4c2-457c-b46e-d6156fe069a1' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897545(v=MSDN.10)' 7 | ms.date: 06/29/2016 8 | --- 9 | 10 | PsLoggedOn v1.35 11 | ================ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 29, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 18 | 19 | 20 | ## Introduction 21 | 22 | You can determine who is using resources on your local computer with the 23 | "net" command ("net session"), however, there is no built-in way to 24 | determine who is using the resources of a remote computer. In addition, 25 | NT comes with no tools to see who is logged onto a computer, either 26 | locally or remotely. *PsLoggedOn* is an applet that displays both the 27 | locally logged on users and users logged on via resources for either the 28 | local computer, or a remote one. If you specify a user name instead of a 29 | computer, *PsLoggedOn* searches the computers in the network 30 | neighborhood and tells you if the user is currently logged on. 31 | 32 | *PsLoggedOn*'s definition of a locally logged on user is one that has 33 | their profile loaded into the Registry, so *PsLoggedOn* determines who 34 | is logged on by scanning the keys under the HKEY\_USERS key. For each 35 | key that has a name that is a user SID (security Identifier), 36 | *PsLoggedOn* looks up the corresponding user name and displays it. 
To 37 | determine who is logged onto a computer via resource shares, 38 | *PsLoggedOn* uses the *NetSessionEnum* API. Note that *PsLoggedOn* will 39 | show you as logged on via resource share to remote computers that you 40 | query because a logon is required for *PsLoggedOn* to access the 41 | Registry of a remote system. 42 | 43 | 44 | 45 | ## Installation 46 | 47 | Just copy *PsLoggedOn* onto your executable path, and type 48 | "psloggedon". 49 | 50 | 51 | 52 | ## Using PsLoggedOn 53 | 54 | **Usage: psloggedon \[- \] \[-l\] \[-x\] \[\\\\computername | 55 | username\]** 56 | 57 | |Parameter |Description | 58 | |---------|---------| 59 | | **-** | Displays the supported options and the units of measurement used for output values.| 60 | | **-l** | Shows only local logons instead of both local and network resource logons.| 61 | | **-x** | Don't show logon times.| 62 | | **\\\\computername** | Specifies the name of the computer for which to list logon information.| 63 | | **username** | If you specify a user name *PsLoggedOn* searches the network for computers to which that user is logged on. This is useful if you want to ensure that a particular user is not logged on when you are about to change their user profile configuration.| 64 | 65 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 66 | 67 | **PsTools** 68 | *PsLoggedOn* is part of a growing kit of Sysinternals command-line tools 69 | that aid in the administration of local and remote systems named 70 | *PsTools*. 71 | 72 | **Runs on:** 73 | 74 | - Client: Windows Vista and higher. 75 | - Server: Windows Server 2008 and higher. 
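The HKEY_USERS scan described in the introduction has two filtering problems that are easy to get wrong: not every subkey is a SID (`.DEFAULT`, and the `<SID>_Classes` shadow keys), and not every SID belongs to a logged-on person (the S-1-5-18/19/20 service accounts always have hives loaded). The Python block below is an added example for this page, not PsLoggedOn's code; it shows the classification step with a constructed HKEY_USERS listing and a constructed SID-to-name map standing in for the Windows account lookup. The `enumerate_hku` helper uses the standard `winreg` module and only does anything on Windows.

```python
"""Classify HKEY_USERS subkey names the way a PsLoggedOn-style local-logon
scan must: keep only keys named after account SIDs, then map SID to name.

Added example for this page; it is not PsLoggedOn's code. The subkey list
and the SID-to-name map are constructed so the logic runs offline.
"""
import re
import sys

# Constructed HKEY_USERS listing: well-known service SIDs, a local account
# with RID 1001, the built-in Administrator (RID 500) and a *_Classes key.
SAMPLE_HKU_SUBKEYS = [
    ".DEFAULT",
    "S-1-5-18",                                              # LocalSystem
    "S-1-5-19",                                              # LocalService
    "S-1-5-20",                                              # NetworkService
    "S-1-5-21-1004336348-1177238915-682003330-1001",
    "S-1-5-21-1004336348-1177238915-682003330-1001_Classes",
    "S-1-5-21-1004336348-1177238915-682003330-500",
]

# Constructed stand-in for LookupAccountSid results on the sample machine.
SAMPLE_NAME_MAP = {
    "S-1-5-21-1004336348-1177238915-682003330-1001": r"WORKSTATION\alice",
    "S-1-5-21-1004336348-1177238915-682003330-500": r"WORKSTATION\Administrator",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(text):
    """Return (revision, identifier authority, [sub-authorities]) for a
    textual SID, or None if the string is not a SID. The anchored regex
    rejects '.DEFAULT' and '<SID>_Classes' keys outright."""
    m = SID_RE.match(text)
    if not m:
        return None
    revision, authority, subs = m.groups()
    return int(revision), int(authority), [int(s) for s in subs.strip("-").split("-")]


def is_account_sid(text):
    """True for S-1-5-21-<domain triple>-<RID>: accounts issued by a domain
    or the local SAM. Service SIDs (S-1-5-18/19/20) and other well-known
    SIDs have no profile owner to report and are excluded."""
    parsed = parse_sid(text)
    if parsed is None:
        return False
    revision, authority, subs = parsed
    return revision == 1 and authority == 5 and len(subs) == 5 and subs[0] == 21


def loaded_profile_sids(hku_subkeys):
    """SIDs whose profile hive is currently loaded under HKEY_USERS."""
    return sorted({k for k in hku_subkeys if is_account_sid(k)})


def resolve_names(sids, name_map):
    """Pair each SID with its account name; unknown SIDs stay visible rather
    than being dropped (a stale hive may belong to a deleted account)."""
    return [(sid, name_map.get(sid, "<unresolved>")) for sid in sids]


def enumerate_hku():
    """Live listing of HKEY_USERS subkeys on Windows; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    with winreg.OpenKey(winreg.HKEY_USERS, "") as key:
        count = winreg.QueryInfoKey(key)[0]
        return [winreg.EnumKey(key, i) for i in range(count)]


if __name__ == "__main__":
    subkeys = enumerate_hku() or SAMPLE_HKU_SUBKEYS
    for sid, name in resolve_names(loaded_profile_sids(subkeys), SAMPLE_NAME_MAP):
        print(f"{sid}  {name}")
```

A loaded profile hive is evidence that an account has been used on the machine, not proof of an interactive session: scheduled tasks, services configured to run as a user and `runas` also load hives. That is why the share-logon view obtained through *NetSessionEnum* is reported separately, and why the "-x" logon times are worth keeping when you are reconstructing who was active when.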
76 | 77 | 78 | 79 | -------------------------------------------------------------------------------- /sysinternals/downloads/bluescreen.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: BlueScreen 3 | title: BlueScreen 4 | description: This screen saver not only accurately simulates Blue Screens, but simulated reboots as well. 5 | ms:assetid: '2682b9a8-04c3-44ab-9a5c-71c8650b5a2e' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897558(v=MSDN.10)' 7 | ms.date: 11/01/2006 8 | --- 9 | 10 | BlueScreen Screen Saver v3.2 11 | ============================ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: November 1, 2006 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/BlueScreen.zip) [**Download BlueScreen**](https://download.sysinternals.com/files/BlueScreen.zip) **(64 KB)** 18 | 19 | ## Introduction 20 | 21 | One of the most feared colors in the NT world is blue. The infamous Blue 22 | Screen of Death (BSOD) will pop up on an NT system whenever something 23 | has gone terribly wrong. Bluescreen is a screen saver that not only 24 | authentically mimics a BSOD, but will simulate startup screens seen 25 | during a system boot. 26 | 27 | - On NT 4.0 installations it simulates chkdsk of disk drives with 28 | errors! 29 | - On Windows 2000, Windows 95, and Windows 98 it presents the Windows 30 | 2000 startup splash screen, complete with rotating progress band and 31 | progress control updates! 32 | - On Windows XP and Windows Server 2003 it presents the XP/Server 2003 33 | startup splash screen with progress bar! 34 | 35 | Bluescreen cycles between different Blue Screens and simulated boots 36 | every 15 seconds or so. Virtually all the information shown on 37 | Bluescreen's BSOD and system start screen is obtained from your system 38 | configuration - its accuracy will fool even advanced NT developers. 
For 39 | example, the NT build number, processor revision, loaded drivers and 40 | addresses, disk drive characteristics, and memory size are all taken 41 | from the system Bluescreen is running on. 42 | 43 | Use Bluescreen to amaze your friends and scare your enemies! 44 | 45 | ## Installation and Use 46 | 47 | Note: before you can run Bluescreen on Windows 95 or 98, you must copy 48 | \\winnt\\system32\\ntoskrnl.exe from a Windows 2000 system to your 49 | \\Windows directory. Simply copy Sysinternals BLUESCRN.SCR to your 50 | \\system32 directory if on Windows NT/2K, or \\Windows\\System directory 51 | if on Windows 95 or 98. Right click on the desktop to bring up the 52 | Display settings dialog and then select the "Screen Saver" tab. Use the 53 | pull down list to find "Sysinternals Bluescreen" and apply it as your 54 | new screen saver. Select the "Settings" button to enable fake disk 55 | activity, which adds an extra touch of realism! 56 | 57 | ## More Information 58 | 59 | You can find out how real Blue Screens are generated, and what the 60 | information on the Blue Screen means in my December 1997 [*Windows ITPro 61 | Magazine*](http://www.windowsitpro.com/) NT Internals column, *"Inside 62 | the Blue Screen."* 63 | 64 | **Note: Some virus scanners flag the Bluescreen screen saver as a virus. 65 | If this is the case with your virus scanner, you may not be able to use 66 | this screen saver.** 67 | 68 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/BlueScreen.zip) [**Download BlueScreen**](https://download.sysinternals.com/files/BlueScreen.zip) **(64 KB)** 69 | 70 | **Runs on:** 71 | 72 | - Client: Windows Vista and higher. 73 | - Server: Windows Server 2008 and higher. 
74 | 75 | 76 | 77 | -------------------------------------------------------------------------------- /sysinternals/downloads/testlimit.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Testlimit 3 | title: Testlimit 4 | description: Windows Stress test utility. 5 | ms:assetid: '2a241f34-ffa4-4102-88f4-8fcfdfc28e09' 6 | ms.date: 03/11/2019 7 | --- 8 | 9 | Testlimit v5.24 10 | ============== 11 | 12 | **By Mark Russinovich** 13 | 14 | Published: November 17, 2016 15 | 16 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Testlimit.zip) [**Download Testlimit**](https://download.sysinternals.com/files/Testlimit.zip) **(234 KB)** 17 | 18 | 19 | ## Introduction 20 | 21 | Testlimit is a command-line utility that can be used to stress-test 22 | your PC and/or applications by simulating low resource conditions for 23 | memory, handles, processes, threads and other system objects. 24 | 25 | 26 | **usage: Testlimit 27 | [[-h [-u]] | [-p [-n]] | [-t [-n [KB]]] | [-u [-i]] | [-g [object size]] | [-a|-d|-l|-m|-r|-s|-v [MB]] | [-w]] [-c [count]] [-e [seconds]]** 28 | 29 | 30 | |Parameter |Description | 31 | |---------|---------| 32 | | **-a** | Leak Address Windowing Extensions (AWE) memory in specified MBs (default is 1)| 33 | | **-c** | Count of number of objects to allocate (default is as many as possible). This must be the last option specified| 34 | | **-d** | Leak and touch memory in specified MBs (default is 1)| 35 | | **-e** | Seconds elapsed between allocations (default is 0)| 36 | | **-g** | Create GDI handles of specified size (default 1 byte). Specify a size of 0 to cause GDI object exhaustion| 37 | | **-h** | Create handles. 
Specify -u to also allocate file objects| 38 | | **-i** | Exhaust USER desktop heap| 39 | | **-l** | Allocate the specified amount of large pages (rounded to large size multiple)| 40 | | **-m** | Leak memory in specified MBs (default is 1)| 41 | | **-p** | Create processes - add -n to set min working set. Add -n to set min working set of processes to smallest| 42 | | **-r** | Reserve memory in specified MBs (default is 1)| 43 | | **-s** | Leak shared memory in specified MBs (default is 1)| 44 | | **-t** | Create threads - add -n to specify minimum stack reserve (in KB)| 45 | | **-u** | Create USER handles to menus| 46 | | **-v** | VirtualLock memory in specified MBs (default is 1)| 47 | | **-w** | Reset working set minimum to highest possible value| 48 | 49 | **Runs on:** 50 | 51 | - Client: Windows Vista and higher 52 | - Server: Windows Server 2003 and higher 53 | - Nano Server: 2016 and higher 54 | 55 | ## Related Links 56 | 57 | - [**Windows Internals Book**](~/learn/windows-internals.md) The official updates and errata page for the definitive book on 58 | Windows internals, by Mark Russinovich and David Solomon. 59 | - [**Windows Sysinternals Administrator's Reference**](~/learn/troubleshooting-book.md) The 60 | official guide to the Sysinternals utilities by Mark Russinovich and 61 | Aaron Margosis, including descriptions of all the tools, their 62 | features, how to use them for troubleshooting, and example 63 | real-world cases of their use. 64 | 65 | ## Download 66 | 67 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/TestLimit.zip)[**Download Testlimit**](https://download.sysinternals.com/files/Testlimit.zip) **(234 KB)** 68 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Testlimit.exe). 
69 | 70 | 71 | 72 | 73 | -------------------------------------------------------------------------------- /sysinternals/downloads/rammap.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: RAMMap 3 | title: RAMMap 4 | description: An advanced physical memory usage analysis utility that presents usage information in different ways on its several different tabs. 5 | ms:assetid: 'e90bb927-b735-4888-bedc-588efd5fd7eb' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Ff700229(v=MSDN.10)' 7 | ms.date: 06/28/2019 8 | --- 9 | 10 | RAMMap v1.52 11 | ============ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 28, 2019 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RAMMap.zip) [**Download RAMMap**](https://download.sysinternals.com/files/RAMMap.zip) **(479 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/RAMMap.exe). 19 | 20 | 21 | Have you ever wondered exactly how Windows is assigning physical memory, 22 | how much file data is cached in RAM, or how much RAM is used by the 23 | kernel and device drivers? RAMMap makes answering those questions easy. 24 | RAMMap is an advanced physical memory usage analysis utility for Windows 25 | Vista and higher. It presents usage information in different ways on its 26 | several different tabs: 27 | 28 | - *Use Counts:* usage summary by type and paging list 29 | - *Processes:* process working set sizes 30 | - *Priority Summary:* prioritized standby list sizes 31 | - *Physical Pages:* per-page use for all physical memory 32 | - *Physical Ranges:* physical memory addresses 33 | - *File Summary:* file data in RAM by file 34 | - *File Details:* individual physical pages by file 35 | 36 | Use RAMMap to gain understanding of the way Windows manages memory, to 37 | analyze application memory usage, or to answer specific questions about 38 | how RAM is being allocated. 
RAMMap’s refresh feature enables you to 39 | update the display and it includes support for saving and loading memory 40 | snapshots. 41 | 42 | For definitions of the labels RAMMap uses as well as to learn about the 43 | physical-memory allocation algorithms used by the Windows memory 44 | manager, please see [Windows Internals, 5^th^ 45 | Edition](~/learn/windows-internals.md). 46 | 47 | ![RAMMap screenshot](/media/landing/sysinternals/rammap_thumb.jpg) 48 | 49 | 50 | 51 | ## Related Links 52 | 53 | - [**Windows Internals Book**](~/learn/windows-internals.md) 54 | **The official updates and errata page for the definitive book on 55 | Windows internals, by Mark Russinovich and David Solomon. 56 | - [**Windows Sysinternals Administrator's Reference**](~/learn/troubleshooting-book.md)The 57 | official guide to the Sysinternals utilities by Mark Russinovich and 58 | Aaron Margosis, including descriptions of all the tools, their 59 | features, how to use them for troubleshooting, and example 60 | real-world cases of their use. 61 | 62 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/RAMMap.zip) [**Download RAMMap**](https://download.sysinternals.com/files/RAMMap.zip) **(479 KB)** 63 | 64 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/RAMMap.exe). 65 | 66 | **Runs on:** 67 | 68 | - Client: Windows Vista and higher. 69 | - Server: Windows Server 2008 and higher. 70 | 71 | ## Learn More 72 | 73 | - [Defrag Tools: \#6 - RAMMap](http://channel9.msdn.com/shows/defrag-tools/defrag-tools-6-rammap) 74 | In this episode of Defrag Tools, Andrew Richards and Larry Larsen 75 | cover using RAMMap to see how RAM is being used and tell if there 76 | has been any memory pressure. 
77 | 78 | 79 | -------------------------------------------------------------------------------- /sysinternals/downloads/pssuspend.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PsSuspend 3 | title: PsSuspend 4 | description: Suspend and resume processes. 5 | ms:assetid: '148ead94-34cd-47f1-83e2-f3fb3486ef7d' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897540(v=MSDN.10)' 7 | ms.date: 06/29/2016 8 | --- 9 | 10 | PsSuspend v1.07 11 | =============== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 29, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 18 | 19 | 20 | ## Introduction 21 | 22 | *PsSuspend* lets you suspend processes on the local or a remote system, 23 | which is desirable in cases where a process is consuming a resource 24 | (e.g. network, CPU or disk) that you want to allow different processes 25 | to use. Rather than kill the process that's consuming the resource, 26 | suspending permits you to let it continue operation at some later point 27 | in time. 28 | 29 | 30 | 31 | ## Installation 32 | 33 | Copy *PsSuspend* onto your executable path and type "pssuspend" with 34 | command-line options defined below. 35 | 36 | 37 | 38 | ## Using PsSuspend 39 | 40 | Running *PsSuspend* with a process ID directs it to suspend or resume 41 | the process of that ID on the local computer. If you specify a process 42 | name *PsSuspend* will suspend or resume all processes that have that 43 | name. Specify the -r switch to resume suspended processes. 
44 | 
45 | **Usage: pssuspend \[- \] \[-r\] \[\\\\computer \[-u username\] \[-p 
46 | password\]\] <process name | process id>** 
47 | 
48 | |Parameter |Description | 
49 | |---------|---------| 
50 | | **-** | Displays the supported options.| 
51 | | **-r** | Resumes the specified processes if they are suspended.| 
52 | | **\\\\computer** | Specifies the computer on which the process you want to suspend or resume is executing. The remote computer must be accessible via the NT network neighborhood.| 
53 | | **-u username** | If you want to suspend a process on a remote system and the account you are executing in does not have administrative privileges on the remote system then you must login as an administrator using this command-line option. If you do not include the password with the -p option then *PsSuspend* will prompt you for the password without echoing your input to the display.| 
54 | | **-p password** | This option lets you specify the login password on the command line so that you can use *PsSuspend* from batch files. If you specify an account name and omit the -p option *PsSuspend* prompts you interactively for a password.| 
55 | | **process id** | Specifies the process ID of the process you want to suspend or resume.| 
56 | | **process name** | Specifies the process name of the process or processes you want to suspend or resume.| 
57 | 
62 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 
63 | 
64 | **PsTools** 
65 | 
66 | *PsSuspend* is part of a growing kit of Sysinternals command-line tools 
67 | that aid in the administration of local and remote systems named 
68 | *PsTools*. 
69 | 
70 | **Runs on:** 
71 | 
72 | - Client: Windows Vista and higher. 
73 | - Server: Windows Server 2008 and higher. 
74 | 
75 | 
76 | 
77 | 
-------------------------------------------------------------------------------- 
/sysinternals/downloads/ntfsinfo.md: 
-------------------------------------------------------------------------------- 
1 | --- 
2 | TOCTitle: NTFSInfo 
3 | title: NTFSInfo 
4 | description: Use NTFSInfo to see detailed information about NTFS volumes. 
5 | ms:assetid: 'a0e927ac-8cca-409b-bb5c-f93567b65ea7' 
6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897424(v=MSDN.10)' 
7 | ms.date: 07/04/2016 
8 | --- 
9 | 
10 | NTFSInfo v1.2 
11 | ============= 
12 | 
13 | **By Mark Russinovich** 
14 | 
15 | Published: July 4, 2016 
16 | 
17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/NTFSInfo.zip) [**Download NTFSInfo**](https://download.sysinternals.com/files/NTFSInfo.zip) **(143 KB)** 
18 | 
19 | ## Introduction 
20 | 
21 | *NTFSInfo* is a little applet that shows you information about NTFS 
22 | volumes. Its dump includes the size of a drive's allocation units, where 
23 | key NTFS files are located, and the sizes of the NTFS metadata files on 
24 | the volume. This information is typically of little more than curiosity 
25 | value, but *NTFSInfo* does show some interesting things. For example, 
26 | you've probably heard about the NTFS equivalent of the FAT file system's 
27 | File Allocation Table. It's called the Master File Table (MFT), and it is 
28 | made up of constant-sized records that describe the location of all the 
29 | files and directories on the drive. What's surprising about the MFT is 
30 | that it is managed as a file, just like any other. *NTFSInfo* will show 
31 | you where on the disk (in terms of clusters) the MFT is located and how 
32 | large it is, in addition to specifying how large the volume's clusters 
33 | and MFT records are. 
In order to protect the MFT from fragmentation, 34 | NTFS reserves a portion of the disk around the MFT that it will not 35 | allocate to other files unless disk space runs low. This area is known 36 | as the MFT-Zone and *NTFSInfo* will tell you where on the disk the 37 | MFT-Zone is located and what percentage of the drive is reserved for it. 38 | 39 | You might also be surprised to know that like the MFT, all NTFS 40 | meta-data are managed in files. For instance, there is a file called 41 | \$Boot that is mapped to cover the drive's boot sector. The volume's 42 | cluster map is maintained in another file named \$Bitmap. These files 43 | reside right in the NTFS root directory, but you can't see them unless 44 | you know they are there. Try typing "dir /ah \$boot" at the root 45 | directory of an NTFS volume and you'll actually see the \$boot file. 46 | *NTFSInfo* performs the equivalent of the "dir /ah" to show you the 47 | names and sizes of all of NTFS (3.51 and 4.0) meta-data files. 48 | 49 | *NTFSInfo* is intended to accompany my January 1998 *Windows NT 50 | Magazine* "NT Internals" column, which describes NTFS internal data 51 | structures. 52 | 53 | ## Installation and Usage 54 | 55 | *NTFSInfo* works on all versions of NTFS, but NTFS for Windows NT 5.0 56 | has different meta-data files that *NTFSInfo* has not been programmed 57 | for yet. In order for *NTFSInfo* to work you must have administrative 58 | privilege. 59 | 60 | **Usage: NTFSInfo x** 61 | 62 | |Parameter |Description | 63 | |---------|---------| 64 | | **x** | The drive letter of the NTFS volume that you want to examine.| 65 | 66 | ## How It Works 67 | 68 | *NTFSInfo* uses an undocumented File System Control (FSCTL) call to 69 | obtain information from NTFS about a volume. It prints this information 70 | along with a directory dump of NTFS meta-data files. 
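The cluster size, MFT location and MFT record size that NTFSInfo reports all originate in the volume's boot sector, which is exactly the region the \$Boot metadata file covers. The Python block below is an added example for this page, not NTFSInfo's code (NTFSInfo obtains the values through an FSCTL; this parses the on-disk layout directly, which is what a forensic tool does when it cannot trust the running file system). The boot sector it parses is constructed with `struct` so the example runs offline; the field offsets are the standard NTFS boot-sector layout, and the record-size decoding handles the signed-byte encoding NTFS uses.

```python
"""Parse an NTFS boot sector (the bytes the $Boot metadata file covers) to
recover the geometry NTFSInfo reports: cluster size, MFT location and
MFT record size.

Added example for this page; it is not NTFSInfo's code. The sample sector
is constructed with struct so the parser runs offline; on a real system the
same 512 bytes sit at the start of the volume and reading them requires
administrative privilege.
"""
import struct

NTFS_OEM_ID = b"NTFS    "


def build_sample_boot_sector():
    """Constructed boot sector for a ~30 GB volume with 4 KB clusters."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                        # jump instruction
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)         # bytes/sector, sectors/cluster
    bs[0x15] = 0xF8                                   # media descriptor: fixed disk
    struct.pack_into("<HH", bs, 0x18, 63, 255)        # sectors/track, heads
    struct.pack_into("<I", bs, 0x1C, 2048)            # hidden sectors
    struct.pack_into("<I", bs, 0x24, 0x80008000)      # NTFS marker field
    struct.pack_into("<Q", bs, 0x28, 62_914_559)      # total sectors
    struct.pack_into("<QQ", bs, 0x30, 786_432, 2)     # $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", bs, 0x40, -10)             # clusters per file record: 2**10 bytes
    struct.pack_into("<b", bs, 0x44, 1)               # clusters per index buffer
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)  # volume serial (constructed)
    struct.pack_into("<H", bs, 0x1FE, 0xAA55)         # boot signature
    return bytes(bs)


def decode_sectors_per_cluster(raw):
    """Values up to 0x80 are a plain count; larger values are a negative
    power of two (so 0xF4 means 2**12 sectors), used for large clusters."""
    return raw if raw <= 0x80 else 1 << (256 - raw)


def record_size(raw, cluster_size):
    """NTFS stores record sizes as a signed byte: a positive value counts
    clusters, a negative value n means 2**(-n) bytes. -10 is 1024 bytes,
    which is why MFT records stay 1 KB regardless of cluster size."""
    return (1 << -raw) if raw < 0 else raw * cluster_size


def is_valid_ntfs_boot_sector(data):
    """Integrity checks to run before trusting any field of the sector."""
    if len(data) < 512 or data[3:11] != NTFS_OEM_ID:
        return False
    if struct.unpack_from("<H", data, 0x1FE)[0] != 0xAA55:
        return False
    bytes_per_sector, raw_spc = struct.unpack_from("<HB", data, 0x0B)
    power_of_two = bytes_per_sector > 0 and (bytes_per_sector & (bytes_per_sector - 1)) == 0
    return power_of_two and raw_spc > 0


def parse_ntfs_boot_sector(data):
    """Return the geometry NTFSInfo summarises; raises ValueError on a sector
    that fails the sanity checks rather than returning garbage."""
    if not is_valid_ntfs_boot_sector(data):
        raise ValueError("not a well-formed NTFS boot sector")
    bytes_per_sector, raw_spc = struct.unpack_from("<HB", data, 0x0B)
    sectors_per_cluster = decode_sectors_per_cluster(raw_spc)
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_sectors, = struct.unpack_from("<Q", data, 0x28)
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", data, 0x30)
    raw_file_record, = struct.unpack_from("<b", data, 0x40)
    raw_index_record, = struct.unpack_from("<b", data, 0x44)
    serial, = struct.unpack_from("<Q", data, 0x48)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bytes_per_sector,
        "mft_lcn": mft_lcn,
        "mft_byte_offset": mft_lcn * cluster_size,
        "mftmirr_lcn": mftmirr_lcn,
        "mft_record_size": record_size(raw_file_record, cluster_size),
        "index_record_size": record_size(raw_index_record, cluster_size),
        "volume_serial": f"{serial:016X}",
    }


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{key:>20}: {value}")
```

The two sanity checks matter in practice: a sector with a valid OEM ID but a cleared 0xAA55 signature, or a bytes-per-sector value that is not a power of two, is either damage or tampering, and a parser that silently continues will compute a nonsense MFT offset. Comparing the MFT location from this sector with the \$MFTMirr copy is the usual cross-check.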
71 | 72 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/NTFSInfo.zip) [**Download NTFSInfo**](https://download.sysinternals.com/files/NTFSInfo.zip) **(143 KB)** 73 | 74 | **Runs on:** 75 | 76 | - Client: Windows Vista and higher 77 | - Server: Windows Server 2008 and higher 78 | - Nano Server: 2016 and higher 79 | 80 | 81 | 82 | -------------------------------------------------------------------------------- /sysinternals/downloads/pskill.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PsKill 3 | title: PsKill 4 | description: Terminate local or remote processes. 5 | ms:assetid: '12798522-e5f1-494c-8824-38db3162eea7' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896683(v=MSDN.10)' 7 | ms.date: 06/29/2016 8 | --- 9 | 10 | PsKill v1.16 11 | ============ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 29, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 18 | 19 | 20 | ## Introduction 21 | 22 | Windows NT/2000 does not come with a command-line 'kill' utility. You 23 | can get one in the Windows NT or Win2K Resource Kit, but the kit's 24 | utility can only terminate processes on the local computer. *PsKill* is 25 | a kill utility that not only does what the Resource Kit's version does, 26 | but can also kill processes on remote systems. You don't even have to 27 | install a client on the target computer to use *PsKill* to terminate a 28 | remote process. 29 | 30 | ## Installation 31 | 32 | Just copy *PsKill* onto your executable path, and type pskill with 33 | command-line options defined below. 
34 | 
35 | ## Using PsKill 
36 | 
37 | See the September 2004 issue of Windows IT Pro Magazine for [Mark's 
38 | article](http://windowsitpro.com/search/results/mark%27s%20article?filters=ss_type:article) 
39 | that covers advanced usage of *PsKill*. 
40 | 
41 | Running *PsKill* with a process ID directs it to kill the process of 
42 | that ID on the local computer. If you specify a process name *PsKill* 
43 | will kill all processes that have that name. 
44 | 
45 | **Usage: pskill \[- \] \[-t\] \[\\\\computer \[-u username\] \[-p 
46 | password\]\] <process name | process id>** 
47 | 
48 | |Parameter |Description | 
49 | |---------|---------| 
50 | | **-** | Displays the supported options.| 
51 | | **-t** | Kill the process and its descendants.| 
52 | | **\\\\computer** | Specifies the computer on which the process you want to terminate is executing. The remote computer must be accessible via the NT network neighborhood.| 
53 | | **-u username** | If you want to kill a process on a remote system and the account you are executing in does not have administrative privileges on the remote system then you must login as an administrator using this command-line option. If you do not include the password with the -p option then *PsKill* will prompt you for the password without echoing your input to the display.| 
54 | | **-p password** | This option lets you specify the login password on the command line so that you can use *PsKill* from batch files. If you specify an account name and omit the -p option *PsKill* prompts you interactively for a password.| 
55 | | **process id** | Specifies the process ID of the process you want to kill.| 
56 | | **process name** | Specifies the process name of the process or processes you want to kill.| 
57 | 
58 | ## PsKill Microsoft KB Article 
59 | 
60 | This Microsoft KB article references *PsKill*: 
61 | 
62 | [810596: PSVR2002: "There Is No Information to Display in This View" 
63 | Error Message When You Try to Access a Project 
64 | View](http://support.microsoft.com/kb/810596) 
65 | 
66 | 
67 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 
68 | 
69 | **PsTools** 
70 | 
71 | *PsKill* is part of a growing kit of Sysinternals command-line tools 
72 | that aid in the administration of local and remote systems named 
73 | *PsTools*. 
74 | 
75 | 
76 | 
77 | **Runs on:** 
78 | 
79 | - Client: Windows Vista and higher. 
80 | - Server: Windows Server 2008 and higher. 
81 | 
82 | 
83 | 
84 | 
-------------------------------------------------------------------------------- 
/CONTRIBUTING.md: 
-------------------------------------------------------------------------------- 
1 | # Contributing 
2 | 
3 | Thank you for your interest in contributing to the Windows Sysinternals documentation! 
4 | 
5 | In this topic, you'll see the basic process for adding or updating content in the [Windows Sysinternals documentation site](https://docs.microsoft.com/sysinternals). 
6 | 
7 | In this topic, we'll cover: 
8 | 
9 | * [Process for contributing](#process-for-contributing) 
10 | * [DOs and DON'Ts](#dos-and-donts) 
11 | * [Building the docs](#building-the-docs) 
12 | 
13 | ## Process for contributing 
14 | 
15 | **Step 1:** Fork the `MicrosoftDocs/sysinternals` repo. 
16 | 
17 | **Step 3:** Create a `branch` for your article. 
18 | 
19 | **Step 4:** Make your update. 
20 | 
21 | **Step 5:** Submit a Pull Request (PR) from your branch to `MicrosoftDocs/sysinternals/master`. 
22 | 
23 | If your PR is addressing an existing issue, add the `Fixes #Issue_Number` keyword to the commit message or PR description, so the issue can be automatically closed when the PR is merged. For more information, see [Closing issues via commit messages](https://help.github.com/articles/closing-issues-via-commit-messages/). 
24 | 
25 | The Windows Sysinternals team will review your PR and let you know if the change looks good or if there are any other updates/changes necessary in order to approve it. 
26 | 
27 | **Step 6:** Make any necessary updates to your branch as discussed with the team. 
28 | 
29 | The maintainers will merge your PR into the master branch once feedback has been applied and your change looks good. 
30 | 
31 | On a certain cadence, we push all commits from master branch into the live branch and then you'll be able to see your contribution live at https://docs.microsoft.com/sysinternals/. 
32 | 
33 | ## DOs and DON'Ts 
34 | 
35 | Below is a short list of guiding rules that you should keep in mind when you are contributing to the Windows Sysinternals documentation. 
36 | 
37 | - **DON'T** surprise us with big pull requests. Instead, file an issue and start a discussion so we can agree on a direction before you invest a large amount of time. 
38 | - **DO** create a separate branch on your fork before working on the articles. 
39 | - **DO** follow the [GitHub Flow workflow](https://guides.github.com/introduction/flow/). 
40 | - **DO** blog and tweet (or whatever) about your contributions, frequently! 
41 | 
42 | ## Building the docs 
43 | 
44 | The documentation is written in [GitHub Flavored Markdown](https://help.github.com/categories/writing-on-github/) and built using [DocFX](https://dotnet.github.io/docfx/) and other internal publishing/building tools. It is hosted at [docs.microsoft.com](https://docs.microsoft.com/dotnet). 
20 | 21 | **Step 5:** Submit a Pull Request (PR) from your branch to `MicrosoftDocs/sysinternals/master`. 22 | 23 | If your PR is addressing an existing issue, add the `Fixes #Issue_Number` keyword to the commit message or PR description, so the issue can be automatically closed when the PR is merged. For more information, see [Closing issues via commit messages](https://help.github.com/articles/closing-issues-via-commit-messages/). 24 | 25 | The Windows Sysinternals team will review your PR and let you know if the change looks good or if there are any other updates/changes necessary in order to approve it. 26 | 27 | **Step 6:** Make any necessary updates to your branch as discussed with the team. 28 | 29 | The maintainers will merge your PR into the master branch once feedback has been applied and your change looks good. 30 | 31 | On a certain cadence, we push all commits from master branch into the live branch and then you'll be able to see your contribution live at https://docs.microsoft.com/sysinternals/. 32 | 33 | ## DOs and DON'Ts 34 | 35 | Below is a short list of guiding rules that you should keep in mind when you are contributing to the Windows Sysinternals documentation. 36 | 37 | - **DON'T** surprise us with big pull requests. Instead, file an issue and start a discussion so we can agree on a direction before you invest a large amount of time. 38 | - **DO** create a separate branch on your fork before working on the articles. 39 | - **DO** follow the [GitHub Flow workflow](https://guides.github.com/introduction/flow/). 40 | - **DO** blog and tweet (or whatever) about your contributions, frequently! 41 | 42 | ## Building the docs 43 | 44 | The documentation is written in [GitHub Flavored Markdown](https://help.github.com/categories/writing-on-github/) and built using [DocFX](https://dotnet.github.io/docfx/) and other internal publishing/building tools. It is hosted at [docs.microsoft.com](https://docs.microsoft.com/dotnet). 
45 | 46 | If you want to build the docs locally, you need to install [DocFX](https://dotnet.github.io/docfx/); latest versions are the best. 47 | 48 | There are several ways to use DocFX, and most of them are covered in the [DocFX getting started guide](https://dotnet.github.io/docfx/tutorial/docfx_getting_started.html). 49 | The following instructions use the [command-line based](https://dotnet.github.io/docfx/tutorial/docfx_getting_started.html#2-use-docfx-as-a-command-line-tool) version of the tool. 50 | If you are comfortable with other ways listed on the link above, feel free to use those. 51 | 52 | **Note:** Currently DocFX requires the .NET Framework on Windows or Mono (for Linux or macOS). We hope to port it to .NET Core in the future. 53 | 54 | You can build and preview the resulting site locally using a built-in web server. Navigate to the core-docs folder on your machine and type the following command: 55 | 56 | ``` 57 | docfx -t default --serve 58 | ``` 59 | 60 | This starts the local preview on [localhost:8080](http://localhost:8080). You can then view the changes by going to `http://localhost:8080/[path]`, such as http://localhost:8080/articles/welcome.html. 61 | 62 | **Note:** the local preview currently doesn't contain any themes at the moment so the look and feel won't be the same as in the documentation site. We're working towards fixing that experience. 63 | -------------------------------------------------------------------------------- /sysinternals/downloads/pslist.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PsList 3 | title: PsList 4 | description: Show information about processes and threads. 
ms:assetid: '3922c630-462d-4c3a-8b02-532865f37df4'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896682(v=MSDN.10)'
ms.date: 06/29/2016
---

PsList v1.4
===========

**By Mark Russinovich**

Published: June 29, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)**


## Introduction


|Parameter |Description |
|---------|---------|
| **pslist exp** | Would show statistics for all the processes that start with "exp", which would include Explorer.|
| **-d** | Show thread detail.|
| **-m** | Show memory detail.|
| **-x** | Show processes, memory information and threads.|
| **-t** | Show process tree.|
| **-s \[n\]** | Run in task-manager mode, for optional seconds specified. Press Escape to abort.|
| **-r n** | Task-manager mode refresh rate in seconds (default is 1).|
| **\\\\computer** | Instead of showing process information for the local system, *PsList* will show information for the NT/Win2K system specified. Include the -u switch with a username and password to login to the remote system if your security credentials do not permit you to obtain performance counter information from the remote system.|
| **-u username** | If you want to kill a process on a remote system and the account you are executing in does not have administrative privileges on the remote system then you must login as an administrator using this command-line option. If you do not include the password with the -p option then *PsList* will prompt you for the password without echoing your input to the display.|
| **-p password** | This option lets you specify the login password on the command line so that you can use *PsList* from batch files. If you specify an account name and omit the -p option *PsList* prompts you interactively for a password.|
| **name** | Show information about processes that begin with the name specified.|
| **-e** | Exact match the process name.|
| **pid** | Instead of listing all the running processes in the system, this parameter narrows *PsList's* scan to the process that has the specified PID. Thus: **pslist 53** would dump statistics for the process with the PID 53. |

## How it Works

Like Windows NT/2K's built-in PerfMon monitoring tool, *PsList* uses the Windows NT/2K performance counters to obtain the information it displays. You can find documentation for Windows NT/2K performance counters, including the source code to Windows NT's built-in performance monitor, PerfMon, in MSDN.

## Memory Abbreviation Key

All memory values are displayed in KB.

- **Pri**: Priority
- **Thd**: Number of Threads
- **Hnd**: Number of Handles
- **VM**: Virtual Memory
- **WS**: Working Set
- **Priv**: Private Virtual Memory
- **Priv Pk**: Private Virtual Memory Peak
- **Faults**: Page Faults
- **NonP**: Non-Paged Pool
- **Page**: Paged Pool
- **Cswtch**: Context Switches

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)**

**PsTools**

*PsList* is part of a growing kit of Sysinternals command-line tools that aid in the administration of local and remote systems named *PsTools*.

**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.



--------------------------------------------------------------------------------
/sysinternals/downloads/file-and-disk-utilities.md:
--------------------------------------------------------------------------------
---
TOCTitle: File and Disk Utilities
title: File and Disk Utilities
description: Windows Sysinternals file and disk utilities
ms:assetid: '17988fd8-ed7b-4f90-95bd-e4d23baf441c'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb545046(v=MSDN.10)'
ms.date: 07/22/2016
---
# Sysinternals File and Disk Utilities

[AccessChk](accesschk.md)
This tool shows you the accesses the user or group you specify has to files, Registry keys or Windows services.

[AccessEnum](accessenum.md)
This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.

[CacheSet](cacheset.md)
CacheSet is a program that allows you to control the Cache Manager's working set size using functions provided by NT. It's compatible with all versions of NT.

[Contig](contig.md)
Wish you could quickly defragment your frequently used files? Use Contig to optimize individual files, or to create new files that are contiguous.

[Disk2vhd](disk2vhd.md)
Disk2vhd simplifies the migration of physical systems into virtual machines (p2v).

[DiskExt](diskext.md)
Display volume disk-mappings.

[DiskMon](diskmon.md)
This utility captures all hard disk activity or acts like a software disk activity light in your system tray.

[DiskView](diskview.md)
Graphical disk sector utility.

[Disk Usage (DU)](du.md)
View disk usage by directory.

[EFSDump](efsdump.md)
View information for encrypted files.

[FindLinks](findlinks.md)
FindLinks reports the file index and any hard links (alternate file paths on the same volume) that exist for the specified file. A file's data remains allocated so long as it has at least one file name referencing it.

[Junction](junction.md)
Create Win2K NTFS symbolic links.

[LDMDump](ldmdump.md)
Dump the contents of the Logical Disk Manager's on-disk database, which describes the partitioning of Windows 2000 Dynamic disks.

[MoveFile](movefile.md)
Schedule file rename and delete commands for the next reboot. This can be useful for cleaning stubborn or in-use malware files.

[NTFSInfo](ntfsinfo.md)
Use NTFSInfo to see detailed information about NTFS volumes, including the size and location of the Master File Table (MFT) and MFT-zone, as well as the sizes of the NTFS meta-data files.

[PageDefrag](pagedefrag.md)
Defragment the Windows paging file and Registry hives.

[PendMoves](pendmoves.md)
See what files are scheduled for delete or rename the next time the system boots.

[Process Monitor](procmon.md)
Monitor file system, Registry, process, thread and DLL activity in real-time.

[PsFile](psfile.md)
See what files are opened remotely.

[PsTools](pstools.md)
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.

[SDelete](sdelete.md)
Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program.

[ShareEnum](shareenum.md)
Scan file shares on your network and view their security settings to close security holes.

[Sigcheck](sigcheck.md)
Dump file version information and verify that images on your system are digitally signed.

[Streams](streams.md)
Reveal NTFS alternate streams.

[Sync](sync.md)
Flush cached data to disk.

[VolumeID](volumeid.md)
Set Volume ID of FAT or NTFS drives.
--------------------------------------------------------------------------------
/sysinternals/downloads/contig.md:
--------------------------------------------------------------------------------
---
TOCTitle: Contig
title: Contig
description: Use Contig to optimize individual files, or to create new files that are contiguous.
ms:assetid: '33371252-c217-4fc7-8d74-f9f0e20e0597'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897428(v=MSDN.10)'
ms.date: 07/04/2016
---

Contig v1.8
===========

**By Mark Russinovich**

Published: July 4, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Contig.zip) [**Download Contig**](https://download.sysinternals.com/files/Contig.zip) **(241 KB)**


## Introduction

There are a number of NT disk defraggers on the market, including Winternals *Defrag Manager*. These tools are useful for performing a general defragmentation of disks, but while most files are defragmented on drives processed by these utilities, some files may not be. In addition, it is difficult to ensure that particular files that are frequently used are defragmented; they may remain fragmented for reasons that are specific to the defragmentation algorithms used by the defragging product that has been applied. Finally, even if all files have been defragmented, subsequent changes to critical files could cause them to become fragmented. Only by running an entire defrag operation can one hope that they might be defragmented again.

*Contig* is a single-file defragmenter that attempts to make files contiguous on disk. It's perfect for quickly optimizing files that are continuously becoming fragmented, or that you want to ensure are in as few fragments as possible.

## Using Contig

*Contig* is a utility that defragments a specified file or files. Use it to optimize execution of your frequently used files.

**Usage:**

**\\src\\Contig\\Release\\Contig.exe \[-a\] \[-s\] \[-q\] \[-v\] \[existing file\]**

**or \\src\\Contig\\Release\\Contig.exe \[-f\] \[-q\] \[-v\] \[drive:\]**

**or \\src\\Contig\\Release\\Contig.exe \[-v\] \[-l\] -n \[new file\] \[new file length\]**

|Parameter |Description |
|---------|---------|
| **-a** | Analyze fragmentation|
| **-f** | Analyze free space fragmentation|
| **-l** | Set valid data length for quick file creation (requires administrator rights)|
| **-q** | Quiet mode|
| **-s** | Recurse subdirectories|
| **-v** | Verbose|

*Contig* can also analyze and defragment the following NTFS metadata files:

- \$Mft
- \$LogFile
- \$Volume
- \$AttrDef
- \$Bitmap
- \$Boot
- \$BadClus
- \$Secure
- \$UpCase
- \$Extend

## How it Works

*Contig* uses the native Windows NT defragmentation support that was introduced with NT 4.0 (see my documentation of the defrag APIs for more information). It first scans the disk collecting the locations and sizes of free areas. Then it determines where the file in question is located. Next, *Contig* decides whether the file can be optimized, based on free areas and the number of fragments the file currently consists of. If the file can be optimized, it is moved into the free spaces of the disk.

## More Information

Helen Custer's *Inside Windows NT* provides a good overview of the Object Manager name space, and Mark's October 1997 Windows NT Magazine column, *"Inside the Object Manager"*, is (of course) an excellent overview.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Contig.zip) [**Download Contig**](https://download.sysinternals.com/files/Contig.zip) **(241 KB)**

**Runs on:**

- Client: Windows Vista and higher
- Server: Windows Server 2008 and higher
- Nano Server: 2016 and higher



--------------------------------------------------------------------------------
/sysinternals/downloads/psservice.md:
--------------------------------------------------------------------------------
---
TOCTitle: PsService
title: PsService
description: View and control services.
ms:assetid: 'b634454d-e5d3-410b-9fe1-f1b4b4dc14dd'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897542(v=MSDN.10)'
ms.date: 06/29/2016
---

PsService v2.25
===============

**By Mark Russinovich**

Published: June 29, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)**


## Introduction

*PsService* is a service viewer and controller for Windows. Like the SC utility that's included in the Windows NT and Windows 2000 Resource Kits, *PsService* displays the status, configuration, and dependencies of a service, and allows you to start, stop, pause, resume and restart them. Unlike the SC utility, *PsService* enables you to log on to a remote system using a different account, for cases when the account from which you run it doesn't have the required permissions on the remote system. *PsService* includes a unique service-search capability, which identifies active instances of a service on your network. You would use the search feature if you wanted to locate systems running DHCP servers, for instance.

Finally, *PsService* works on NT 4, Windows 2000 and Windows Vista, whereas the Windows 2000 Resource Kit version of SC requires Windows 2000, and *PsService* doesn't require you to manually enter a "resume index" in order to obtain a complete listing of service information.

## Installation

Just copy *PsService* onto your executable path, and type "psservice".



## Using PsService

The default behavior of *PsService* is to display the configured services (both running and stopped) on the local system. Entering a command on the command-line invokes a particular feature, and some commands accept options. Typing a command followed by "-" displays information on the syntax for the command.

**Usage: psservice \[\\\\computer \[-u username\] \[-p password\]\] <command> <options>**

|Parameter |Description |
|---------|---------|
| **query** | Displays the status of a service.|
| **config** | Displays the configuration of a service.|
| **setconfig** | Sets the start type (disabled, auto, demand) of a service.|
| **start** | Starts a service.|
| **stop** | Stops a service.|
| **restart** | Stops and then restarts a service.|
| **pause** | Pauses a service.|
| **cont** | Resumes a paused service.|
| **depend** | Lists the services dependent on the one specified.|
| **security** | Dumps the service's security descriptor.|
| **find** | Searches the network for the specified service.|
| **\\\\computer** | Targets the NT/Win2K system specified. Include the -u switch with a username and password to login to the remote system if your security credentials do not permit you to obtain performance counter information from the remote system. If you specify the -u option, but not a password with the -p option, *PsService* will prompt you to enter the password and will not echo it to the screen.|

## How it Works

*PsService* uses the Service Control Manager APIs that are documented in the Platform SDK.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)**

**PsTools**

*PsService* is part of a growing kit of Sysinternals command-line tools that aid in the administration of local and remote systems named *PsTools*.

**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.



--------------------------------------------------------------------------------
/sysinternals/downloads/ctrl2cap.md:
--------------------------------------------------------------------------------
---
TOCTitle: Ctrl2cap
title: Ctrl2cap
description: This is a kernel-mode driver that demonstrates keyboard input filtering in order to turn caps-locks into control keys.
ms:assetid: 'e0dcb713-f196-4e45-a2f8-e7bf3f692ac9'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897578(v=MSDN.10)'
ms.date: 11/01/2006
---

Ctrl2Cap v2.0
=============

**By Mark Russinovich**

Published: November 1, 2006

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Ctrl2Cap.zip) [**Download Ctrl2Cap**](https://download.sysinternals.com/files/Ctrl2Cap.zip) **(48 KB)**


## Introduction

Ctrl2cap is a kernel-mode device driver that filters the system's keyboard class driver in order to convert caps-lock characters into control characters. People like myself that migrated to NT from UNIX are used to having the control key located where the caps-lock key is on the standard PC keyboard, so a utility like this is essential for our editing well-being.



## Installation and Use

Install Ctrl2cap by running the command "ctrl2cap /install" from the directory into which you've unzipped the Ctrl2cap files. To uninstall, type "ctrl2cap /uninstall".



## How Ctrl2cap Works

On NT 4 Ctrl2cap is actually quite trivial. It simply attaches itself to the keyboard class driver so that it will catch keyboard read requests. For each request, it posts an I/O completion callback, at which point it takes a peek at the scancode that is being returned. If it happens to be a caps-lock, Ctrl2cap changes it into a left-control.
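The translation step that paragraph describes, as an added example written for this page rather than Ctrl2cap's own source (which the page does not include): the in-place rewrite a filter's read-completion routine applies to the buffer the keyboard class driver has filled. The record layout mirrors KEYBOARD_INPUT_DATA from the WDK's ntddkbd.h, the make codes 0x3A (Caps Lock) and 0x1D (Left Ctrl) are scan code set 1 values, and translate_caps_to_ctrl, self_check and the sample events are names and data chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record layout modelled on KEYBOARD_INPUT_DATA (WDK ntddkbd.h): the keyboard
 * class driver returns one of these per key event in the buffer of a
 * completed IRP_MJ_READ, which is what the completion callback inspects. */
typedef struct {
    uint16_t UnitId;
    uint16_t MakeCode;          /* scan code set 1 make code */
    uint16_t Flags;             /* KEY_MAKE/KEY_BREAK plus E0/E1 prefix bits */
    uint16_t Reserved;
    uint32_t ExtraInformation;
} KEYBOARD_INPUT_DATA;

enum { KEY_MAKE = 0, KEY_BREAK = 1, KEY_E0 = 2, KEY_E1 = 4 };

/* Scan code set 1 make codes. Caps Lock and Left Ctrl are both unprefixed;
 * Right Ctrl is 0x1D with KEY_E0 set, which is why the prefix bits matter. */
#define SCANCODE_CAPS_LOCK 0x3A
#define SCANCODE_LEFT_CTRL 0x1D

/* Rewrite Caps Lock events to Left Ctrl in place.
 * `bytes` is the completed request's Information field (bytes returned),
 * not a record count: only whole records are touched, so a short or
 * truncated completion cannot make the loop read past the returned data.
 * Flags are preserved, so a Caps Lock key-up becomes a Ctrl key-up and the
 * modifier never sticks. Returns the number of records rewritten. */
size_t translate_caps_to_ctrl(KEYBOARD_INPUT_DATA *buf, size_t bytes)
{
    size_t count = bytes / sizeof(KEYBOARD_INPUT_DATA);
    size_t changed = 0;

    for (size_t i = 0; i < count; i++) {
        int prefixed = (buf[i].Flags & (KEY_E0 | KEY_E1)) != 0;
        if (buf[i].MakeCode == SCANCODE_CAPS_LOCK && !prefixed) {
            buf[i].MakeCode = SCANCODE_LEFT_CTRL;
            changed++;
        }
    }
    return changed;
}

/* Constructed sample: Caps Lock down, 'A' down, 'A' up, Caps Lock up,
 * then a Right Ctrl down (E0-prefixed 0x1D) that must be left alone. */
static const KEYBOARD_INPUT_DATA sample_events[] = {
    { 0, SCANCODE_CAPS_LOCK, KEY_MAKE,          0, 0 },
    { 0, 0x1E,               KEY_MAKE,          0, 0 },   /* 'A' */
    { 0, 0x1E,               KEY_BREAK,         0, 0 },
    { 0, SCANCODE_CAPS_LOCK, KEY_BREAK,         0, 0 },
    { 0, 0x1D,               KEY_MAKE | KEY_E0, 0, 0 },   /* Right Ctrl */
};

/* Runs the sample through the filter and checks the expected outcome.
 * Returns 1 on success, 0 on failure. */
int self_check(void)
{
    KEYBOARD_INPUT_DATA buf[sizeof sample_events / sizeof sample_events[0]];
    size_t n = sizeof buf / sizeof buf[0];

    for (size_t i = 0; i < n; i++)
        buf[i] = sample_events[i];

    /* Full buffer: the two Caps Lock records change, nothing else does. */
    if (translate_caps_to_ctrl(buf, sizeof buf) != 2) return 0;
    if (buf[0].MakeCode != SCANCODE_LEFT_CTRL || buf[0].Flags != KEY_MAKE) return 0;
    if (buf[3].MakeCode != SCANCODE_LEFT_CTRL || buf[3].Flags != KEY_BREAK) return 0;
    if (buf[1].MakeCode != 0x1E || buf[2].MakeCode != 0x1E) return 0;
    if (buf[4].MakeCode != 0x1D || buf[4].Flags != (KEY_MAKE | KEY_E0)) return 0;

    /* Short completion: only three whole records' worth of bytes (plus a
     * partial fourth) are reported, so the trailing Caps Lock key-up must
     * not be touched. */
    for (size_t i = 0; i < n; i++)
        buf[i] = sample_events[i];
    if (translate_caps_to_ctrl(buf, 3 * sizeof buf[0] + 5) != 1) return 0;
    if (buf[3].MakeCode != SCANCODE_CAPS_LOCK) return 0;

    return 1;
}

int main(void)
{
    int ok = self_check();
    printf("keyboard filter self-check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```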

On Win2K Ctrl2cap is a WDM filter driver that layers in the keyboard class device's stack above the keyboard class device. This is in contrast to the Win2K DDK's kbfiltr example that layers itself between the i8042 port device and the keyboard class device. I chose to layer on top of the keyboard class device for several reasons:

- It means that the Ctrl2cap IRP\_MJ\_READ interception and manipulation code is shared between the NT 4 and Win2K versions.
- I don't need to supply an INF file and have the user go through the Device Manager to install Ctrl2cap; I simply modify the appropriate Registry value (the keyboard class device's HKLM\\System\\CurrentControlSet\\Control\\Class UpperFilters value).

The disadvantage of my approach is (and this is an advantage or disadvantage depending on your point of view):

- Because I don't install with an INF file via the Device Manager, the user is not warned that the Ctrl2cap driver file is not digitally signed by Microsoft.

In this particular case, I felt that the advantages outweigh the disadvantages. However, before you model a Win2K keyboard filter on Ctrl2cap I strongly suggest that you study the kbfiltr example from the Win2K DDK. Kbfiltr's interception point in the key input sequence makes it very easy for kbfiltr to inject keystrokes into the input stream.


## More Information

For more information on writing filter drivers (drivers that attach themselves to other drivers so that they can see their input and/or output), here are sources to check out:

- The Windows NT and Windows 2000 DDK sample \\src\\storage\\filter\\diskperf
- The Windows 2000 DDK sample \\src\\input\\kbfiltr
- *"Examining the Windows NT File System,"* by Mark Russinovich, *Dr. Dobb's Journal*, February 1997
- The accompanying file system filter driver, [Filemon](filemon.md)

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Ctrl2Cap.zip) [**Download Ctrl2Cap**](https://download.sysinternals.com/files/Ctrl2Cap.zip) **(48 KB)**

**Runs on:**

- Client: Windows Vista and higher.
- Server: Windows Server 2008 and higher.



--------------------------------------------------------------------------------
/sysinternals/downloads/pagedefrag.md:
--------------------------------------------------------------------------------
---
TOCTitle: PageDefrag
title: PageDefrag
description: Defragment your paging files and Registry hives.
ms:assetid: '104b3934-81cc-4c7e-b874-6fd19127ed99'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897426(v=MSDN.10)'
ms.date: 11/01/2006
---

PageDefrag v2.32
================

**By Mark Russinovich**

Published: November 1, 2006

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PageDefrag.zip) [**Download PageDefrag**](https://download.sysinternals.com/files/PageDefrag.zip) **(70 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/pagedfrg.exe).


## Introduction

One of the limitations of the Windows NT/2000 defragmentation interface is that it is not possible to defragment files that are open for exclusive access. Thus, standard defragmentation programs can neither show you how fragmented your paging files or Registry hives are, nor defragment them. Paging and Registry file fragmentation can be one of the leading causes of performance degradation related to file fragmentation in a system.

*PageDefrag* uses advanced techniques to provide you what commercial defragmenters cannot: the ability for you to see how fragmented your paging files and Registry hives are, and to defragment them. In addition, it defragments event log files and Windows 2000/XP hibernation files (where system memory is saved when you hibernate a laptop).



## Installing and Using PageDefrag

When you run *PageDefrag* (pagedfrg.exe) you will be presented with a listbox that tells you how many clusters make up your paging files, event log files, and Registry hives (SAM, SYSTEM, SYSTEM.ALT, SECURITY, SOFTWARE, .DEFAULT), as well as how many fragments those files are in. If you feel that these files are fragmented enough to warrant a shot at defragmenting them, or if you want to defragment them at every boot, select the appropriate radio button choice and click OK.

![PageDefrag](/media/landing/sysinternals/PageDefrag.gif)

When you direct *PageDefrag* to defragment, the next time the system boots it will attempt to do so. Immediately after CHKDSK examines your hard drives, *PageDefrag* uses the standard file defragmentation APIs (see my [Inside Windows NT Disk Defragmenting](https://technet.microsoft.com/ea0299d6-a987-4a57-8927-0225e4ec350a) page for documentation of these APIs) to defragment the files. As it processes each file *PageDefrag* will print on the boot-time startup screen the file name and its success at defragmenting it. If it is successful at reducing the fragmentation it will tell you the number of clusters the file started with and the number it consists of after the defragmentation.

In some cases *PageDefrag* may be unable to reduce fragmentation on one or more of the files, and it will indicate so on the boot-time Blue Screen. This can happen either because there is not enough space on the drive for defragmentation, or because the free space itself is highly fragmented. For the best results you should use *PageDefrag* in conjunction with a commercial defragmentation utility or my free [Contig defragmenter](contig.md).



## Command-Line Options

You can run *PageDefrag* non-interactively by specifying a command-line option for the setting you want:

**Usage: pagedfrg \[-e | -o | -n\] \[-t <seconds>\]**

|Parameter |Description |
|---------|---------|
| **-e** | Defrag every boot.|
| **-o** | Defrag once.|
| **-n** | Never defrag.|
| **-t** | Set countdown to specified number of seconds.|


[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PageDefrag.zip) [**Download PageDefrag**](https://download.sysinternals.com/files/PageDefrag.zip) **(70 KB)**

**Run now** from [Sysinternals Live](https://live.sysinternals.com/pagedfrg.exe).
--------------------------------------------------------------------------------
/sysinternals/downloads/pstools.md:
--------------------------------------------------------------------------------
---
TOCTitle: PsTools
title: PsTools
description: Command-line utilities for listing the processes running on local or remote computers, running processes, rebooting computers, and more.
ms:assetid: '559ea946-3d7d-47bb-821c-b47fd078dfb7'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896649(v=MSDN.10)'
ms.date: 07/04/2016
---

PsTools
=======

**By Mark Russinovich**

Published: July 4, 2016

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools Suite**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)**


## Introduction

The Windows NT and Windows 2000 Resource Kits come with a number of command-line tools that help you administer your Windows NT/2K systems. Over time, I've grown a collection of similar tools, including some not included in the Resource Kits. What sets these tools apart is that they all allow you to manage remote systems as well as the local one. The first tool in the suite was PsList, a tool that lets you view detailed information about processes, and the suite is continually growing. The "Ps" prefix in PsList relates to the fact that the standard UNIX process listing command-line tool is named "ps", so I've adopted this prefix for all the tools in order to tie them together into a suite of tools named *PsTools*.

> Some anti-virus scanners report that one or more of the tools are infected with a "remote admin" virus. None of the PsTools contain viruses, but they have been used by viruses, which is why they trigger virus notifications.

The tools included in the *PsTools* suite, which are downloadable as a package, are:

- [*PsExec*](psexec.md) - execute processes remotely
- [*PsFile*](psfile.md) - shows files opened remotely
- [*PsGetSid*](psgetsid.md) - display the SID of a computer or a user
- [*PsInfo*](psinfo.md) - list information about a system
- [*PsPing*](psping.md) - measure network performance
- [*PsKill*](pskill.md) - kill processes by name or process ID
- [*PsList*](pslist.md) - list detailed information about processes
- [*PsLoggedOn*](psloggedon.md) - see who's logged on locally and via resource sharing (full source is included)
- [*PsLogList*](psloglist.md) - dump event log records
- [*PsPasswd*](pspasswd.md) - changes account passwords
- [*PsService*](psservice.md) - view and control services
- [*PsShutdown*](psshutdown.md) - shuts down and optionally reboots a computer
- [*PsSuspend*](pssuspend.md) - suspends processes
- *PsUptime* - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into [*PsInfo*](psinfo.md))

The *PsTools* download package includes an HTML help file with complete usage information for all the tools.

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools Suite**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)**

**Runs on:**
- Client: Windows Vista and higher
- Server: Windows Server 2008 and higher
- Nano Server: 2016 and higher

### Installation
None of the tools requires any special installation. You don't even need to install any client software on the remote computers at which you target them. Run them by typing their name and any command-line options you want. To show complete usage information, specify the "-?" command-line option.
If you have questions or problems, please visit the [Sysinternals PsTools Forum](http://forum.sysinternals.com/forum_topics.asp?FID=8).

### Related Links
[Introduction to the PsTools](https://technet.microsoft.com/en-us/library/2007.03.desktopfiles.aspx): Wes Miller gives a high-level overview of the Sysinternals PsTools in the March column of his TechNet Magazine column.
--------------------------------------------------------------------------------
/sysinternals/downloads/procmon.md:
--------------------------------------------------------------------------------
---
TOCTitle: Process Monitor
title: Process Monitor
description: Monitor file system, Registry, process, thread and DLL activity in real-time.
ms:assetid: '37225635-4ad0-4b08-aa5e-4bba665b1d89'
ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896645(v=MSDN.10)'
ms.date: 09/12/2017
---

Process Monitor v3.52
=====================

**By Mark Russinovich**

Published: March 24, 2019

[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ProcessMonitor.zip) [**Download Process Monitor**](https://download.sysinternals.com/files/ProcessMonitor.zip) **(1029 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/Procmon.exe).


Introduction
------------

*Process Monitor* is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, *Filemon* and *Regmon*, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

## Overview of Process Monitor Capabilities

Process Monitor includes powerful monitoring and filtering capabilities, including:

- More data captured for operation input and output parameters
- Non-destructive filters allow you to set filters without losing data
- Capture of thread stacks for each operation make it possible in many cases to identify the root cause of an operation
- Reliable capture of process details, including image path, command line, user and session ID
- Configurable and moveable columns for any event property
- Filters can be set for any data field, including fields not configured as columns
- Advanced logging architecture scales to tens of millions of captured events and gigabytes of log data
- Process tree tool shows relationship of all processes referenced in a trace
- Native log format preserves all data for loading in a different Process Monitor instance
- Process tooltip for easy viewing of process image information
- Detail tooltip allows convenient access to formatted data that doesn't fit in the column
- Cancellable search
- Boot time logging of all operations

The best way to become familiar with Process Monitor's features is to read through the help file and then visit each of its menu items and options on a live system.
64 | 65 | 66 | ## Screenshots 67 | 68 | ![Process Monitor screenshot](/media/landing/sysinternals/procmon-main.gif) 69 | 70 | ![Event Properties screenshot](/media/landing/sysinternals/procmon-proc.gif) 71 | 72 | ## Related Links 73 | 74 | - [**Windows Internals Book** 75 | ](~/learn/windows-internals.md)The 76 | official updates and errata page for the definitive book on Windows 77 | internals, by Mark Russinovich and David Solomon. 78 | - [**Windows Sysinternals Administrator's Reference** 79 | ](~/learn/troubleshooting-book.md)The 80 | official guide to the Sysinternals utilities by Mark Russinovich and 81 | Aaron Margosis, including descriptions of all the tools, their 82 | features, how to use them for troubleshooting, and example 83 | real-world cases of their use. 84 | 85 | ## Download  86 | 87 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ProcessMonitor.zip) [**Download Process Monitor**](https://download.sysinternals.com/files/ProcessMonitor.zip) **(1029 KB)** 88 | 89 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/Procmon.exe). 90 | 91 | **Runs on:** 92 | 93 | - Client: Windows Vista and higher. 94 | - Server: Windows Server 2008 and higher. 95 | 96 | 97 | -------------------------------------------------------------------------------- /sysinternals/downloads/pspasswd.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PsPasswd 3 | title: PsPasswd 4 | description: Changes account passwords. 
5 | ms:assetid: '0e454df6-b63b-404d-854c-e2f355630912' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897543(v=MSDN.10)' 7 | ms.date: 06/29/2016 8 | --- 9 | 10 | PsPasswd v1.24 11 | ============== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 29, 2016 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 18 | 19 | 20 | ## Introduction 21 | 22 | Systems administrators that manage local administrative accounts on 23 | multiple computers regularly need to change the account password as part 24 | of standard security practices. *PsPasswd* is a tool that lets you 25 | change an account password on the local or remote systems, enabling 26 | administrators to create batch files that run *PsPasswd* against the 27 | computers they manage in order to perform a mass change of the 28 | administrator password. 29 | 30 | PsPasswd uses Windows password reset APIs, so does not send passwords 31 | over the network in the clear. 32 | 33 | 34 | 35 | ## Installation 36 | 37 | Just copy *PsPasswd* onto your executable path, and type "pspasswd" with 38 | the command-line syntax shown below.. 39 | 40 | 41 | 42 | ## Using PsPasswd 43 | 44 | You can use *PsPasswd* to change the password of a local or domain 45 | account on the local or a remote computer. 46 | 47 | **usage: pspasswd \[\[\\\\computer\[,computer\[,..\] | @file \[-u user 48 | \[-p psswd\]\]\] Username \[NewPassword\]** 49 | 50 | 51 | | Parameter | Description | 52 | |------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 53 | | **computer** | Perform the command on the remote computer or computers specified. 
If you omit the computer name the command runs on the local system, and if you specify a wildcard (\\\\\*), the command runs on all computers in the current domain. | 54 | | @file | Run the command on each computer listed in the text file specified. | 55 | | **-u** | Specifies optional user name for login to remote computer. | 56 | | **-p** | Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. | 57 | | **Username** | Specifies name of account for password change. | 58 | | **NewPassword** | New password. If ommitted a NULL password is applied. | 59 | 60 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 61 | 62 | **PsTools** 63 | *PsPasswd* is part of a growing kit of Sysinternals command-line tools 64 | that aid in the administration of local and remote systems named 65 | *PsTools*. 66 | 67 | **Runs on:** 68 | 69 | - Client: Windows Vista and higher. 70 | - Server: Windows Server 2008 and higher. 71 | 72 | 73 | 74 | -------------------------------------------------------------------------------- /sysinternals/downloads/psgetsid.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: PsGetSid 3 | title: PsGetSid 4 | ms:assetid: 'f7eefa28-72dd-4dc7-a41e-02e7ac7e35ae' 5 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897417(v=MSDN.10)' 6 | ms.date: 06/29/2016 7 | --- 8 | 9 | PsGetSid v1.45 10 | ============== 11 | 12 | **By Mark Russinovich** 13 | 14 | Published: June 29, 2016 15 | 16 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 17 | 18 | 19 | ## Introduction 20 | 21 | PsGetsid allows you to translate SIDs to their display name and vice 22 | versa. 
It works on builtin accounts, domain accounts, and local 23 | accounts. 24 | 25 | ## Installation 26 | 27 | Just copy *PsGetSid* onto your executable path, and type "psgetsid". 28 | 29 | ## Usage 30 | 31 | Usage: psgetsid \[\\\\computer\[,computer\[,...\] | @file\] \[-u 32 | username \[-p password\]\]\] \[account|SID\] 33 | 34 | 35 | | Parameter | Description | 36 | |------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 37 | | **-u** | Specifies optional user name for login to remote computer. | 38 | | **-p** | Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password. | 39 | | **Account** | PsGetSid will report the SID for the specified user account rather than the computer. | 40 | | **SID** | PsGetSid will report the account for the specified SID. | 41 | | **Computer** | Direct PsGetSid to perform the command on the remote computer or computers specified. If you omit the computer name PsGetSid runs the command on the local system, and if you specify a wildcard (\\\\\*), PsGetSid runs the command on all computers in the current domain. | 42 | | @file | PsGetSid will execute the command on each of the computers listed in the file. | 43 | 44 | If you want to see a computer's SID just pass the computer's name as a 45 | command-line argument. If you want to see a user's SID, name the account 46 | (e.g. "administrator") on the command-line and an optional computer 47 | name. 48 | 49 | Specify a user name if the account you are running from doesn't have 50 | administrative privileges on the computer you want to query. If you 51 | don't specify a password as an option, *PsGetSid* will prompt you for 52 | one so that you can type it in without having it echoed to the display. 
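As an added example (not PsGetSid's own code), the following Python decodes the SID structure that PsGetSid translates: the string form, the binary form stored in registry values and directory attributes, the issuing machine or domain SID, and the RID. The well-known SIDs and RIDs it labels are standard Windows values; the domain SID in the sample is constructed.

```python
"""Decode the SID structure that PsGetSid translates to names.

Added example, not PsGetSid's own code: it never queries Windows, it only
parses the S-R-I-S... string form and the binary form found in registry
values and directory attributes (objectSid), and labels well-known values.
"""
import struct
from dataclasses import dataclass

# Standard well-known SIDs and RIDs (Microsoft-documented values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int            # 48-bit identifier authority (5 = NT Authority)
    subauthorities: tuple     # up to 15 32-bit values; the last one is the RID

    def __str__(self):
        auth = f"0x{self.authority:012X}" if self.authority >= 2 ** 32 else str(self.authority)
        return "-".join(["S", str(self.revision), auth] + [str(s) for s in self.subauthorities])

    @property
    def rid(self):
        return self.subauthorities[-1] if self.subauthorities else None

    @property
    def domain_sid(self):
        """For S-1-5-21-a-b-c-RID accounts, the machine or domain that issued the SID."""
        if self.authority == 5 and len(self.subauthorities) == 5 and self.subauthorities[0] == 21:
            return Sid(self.revision, self.authority, self.subauthorities[:4])
        return None


def parse_sid_string(text):
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    revision = int(parts[1])
    authority = int(parts[2], 0)          # decimal, or 0x-prefixed hex for large authorities
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1 or authority >= 2 ** 48 or len(subs) > 15 or any(s >= 2 ** 32 for s in subs):
        raise ValueError(f"malformed SID: {text!r}")
    return Sid(revision, authority, subs)


def parse_sid_binary(data):
    """Binary layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then sub-authorities (4 bytes each, little-endian)."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return Sid(revision, authority, tuple(subs))


def sid_to_binary(sid):
    header = bytes([sid.revision, len(sid.subauthorities)]) + sid.authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(sid.subauthorities), *sid.subauthorities)


def describe(sid):
    """Offline, best-effort label; PsGetSid performs the authoritative lookup."""
    text = str(sid)
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    domain = sid.domain_sid
    if domain is not None:
        name = WELL_KNOWN_RIDS.get(sid.rid, f"account RID {sid.rid}")
        return f"{name} of {domain}"
    return "unknown SID"


if __name__ == "__main__":
    # Constructed sample: a machine-local Administrator SID (RID 500 survives renaming the account).
    admin = parse_sid_string("S-1-5-21-1111111111-2222222222-3333333333-500")
    print(admin, "->", describe(admin))
    system = parse_sid_binary(bytes.fromhex("010100000000000512000000"))
    print(sid_to_binary(system).hex(), "->", describe(system))
```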
53 | 54 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/PSTools.zip) [**Download PsTools**](https://download.sysinternals.com/files/PSTools.zip) **(2.7 MB)** 55 | 56 | 57 | **PsTools** 58 | 59 | *PsGetSid* is part of a growing kit of Sysinternals command-line tools 60 | that aid in the administration of local and remote systems named 61 | *PsTools*. 62 | 63 | 64 | 65 | **Runs on:** 66 | 67 | - Client: Windows Vista and higher. 68 | - Server: Windows Server 2008 and higher. 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /sysinternals/downloads/handle.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Handle 3 | title: Handle 4 | description: This handy command-line utility will show you what files are open by which processes, and much more. 5 | ms:assetid: '05600b13-e4c8-473d-bb5d-d36a881686e5' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896655(v=MSDN.10)' 7 | ms.date: 06/14/2019 8 | --- 9 | 10 | Handle v4.22 11 | ============ 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: June 14, 2019 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Handle.zip) [**Download Handle**](https://download.sysinternals.com/files/Handle.zip) **(701 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | Ever wondered which program has a particular file or directory open? Now 23 | you can find out. *Handle* is a utility that displays information about 24 | open handles for any process in the system. You can use it to see the 25 | programs that have a file open, or to see the object types and names of 26 | all the handles of a program. 27 | 28 | You can also get a GUI-based version of this program, [*Process Explorer*](process-explorer.md), 29 | here at Sysinternals. 30 | 31 | ## Installation 32 | 33 | You run *Handle* by typing "handle". 
You must have administrative 34 | privilege to run *Handle*. 35 | 36 | ## Usage 37 | 38 | *Handle* is targeted at searching for open file references, so if you 39 | do not specify any command-line parameters it will list the values of 40 | all the handles in the system that refer to open files and the names of 41 | the files. It also takes several parameters that modify this behavior. 42 | 43 | **usage: handle \[\[-a\] \[-u\] | \[-c <handle> \[-l\] \[-y\]\] | 44 | \[-s\]\] \[-p <processname>|<pid>> \[name\]** 45 | 46 | |Parameter |Description | 47 | |---------|---------| 48 | | **-a** | Dump information about all types of handles, not just those that refer to files. Other types include ports, Registry keys, synchronization primitives, threads, and processes.| 49 | | **-c** | Closes the specified handle (interpreted as a hexadecimal number). You must specify the process by its PID.
**WARNING:** Closing handles can cause application or system instability.| 50 | | **-l** | Dump the sizes of pagefile-backed sections. | 51 | | **-y** | Don't prompt for close handle confirmation. | 52 | | **-s** | Print count of each type of handle open. | 53 | | **-u** | Show the owning user name when searching for handles. | 54 | | **-p** | Instead of examining all the handles in the system, this parameter narrows Handle's scan to those processes that begin with the name process. Thus:
**handle -p exp**
would dump the open files for all processes that start with "exp", which would include Explorer. | 55 | | **name** | This parameter is present so that you can direct Handle to search for references to an object with a particular name.
For example, if you wanted to know which process (if any) has "c:\windows\system32" open you could type:
**handle windows\system**
The name match is case-insensitive and the fragment specified can be anywhere in the paths you are interested in. | 56 | 57 | ## Handle Output 58 | 59 | When not in search mode (enabled by specifying a name fragment as a 60 | parameter), Handle divides its output into sections for each process it 61 | is printing handle information for. Dashed lines are used as a 62 | separator, immediately below which you will see the process name and its 63 | process id (PID). Beneath the process name are listed handle values (in 64 | hexadecimal), the type of object the handle is associated with, and the 65 | name of the object if it has one. 66 | 67 | When in search mode, *Handle* lists the process names and IDs 68 | on the left side and the names of the objects that had a match 69 | on the right. 70 | 71 | 72 | ## More Information 73 | 74 | You can find more information on the Object Manager in *Windows 75 | Internals, 4th Edition* or by browsing the Object Manager name-space 76 | with 77 | [WinObj](winobj.md). 78 | 79 | 80 | ## Microsoft Handle KB Articles 81 | 82 | The following Microsoft KB articles reference Handle for diagnosing or 83 | troubleshooting various problems: 84 | 85 | - [245068: Err Msg: Access is Denied. 
You Don't Have Permissions or 86 | the File is in Use](http://support.microsoft.com/kb/245068) 87 | - [276525: Your Computer May Stop Responding When You Monitor Open 88 | Handles](http://support.microsoft.com/kb/276525) 89 | 90 | 91 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Handle.zip) [**Download Handle**](https://download.sysinternals.com/files/Handle.zip) **(701 KB)** 92 | -------------------------------------------------------------------------------- /sysinternals/downloads/sigcheck.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Sigcheck 3 | title: Sigcheck 4 | description: Dump file version information and verify that images on your system are digitally signed. 5 | ms:assetid: 'fe633cd0-b369-4ca5-a9ae-c64e2d52acac' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb897441(v=MSDN.10)' 7 | ms.date: 05/22/2017 8 | --- 9 | 10 | Sigcheck v2.73 11 | ============== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: September 05, 2019 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sigcheck.zip) [**Download Sigcheck**](https://download.sysinternals.com/files/Sigcheck.zip) **(799 KB)** 18 | 19 | 20 | ## Introduction 21 | 22 | Sigcheck is a command-line utility that shows file version number, 23 | timestamp information, and digital signature details, including 24 | certificate chains. It also includes an option to check a file’s status 25 | on [VirusTotal](https://www.virustotal.com/), a site that performs 26 | automated file scanning against over 40 antivirus engines, and an option 27 | to upload a file for scanning. 
28 | 29 | **usage: sigcheck 30 | \[-a\]\[-h\]\[-i\]\[-e\]\[-l\]\[-n\]\[\[-s\]|\[-c|-ct\]|\[-m\]\]\[-q\]\[-r\]\[-u\]\[-vt\]\[-v\[r\]\[s\]\]\[-f 31 | catalog file\] <file or directory>** 32 | 33 | **usage: sigcheck -d \[-c|-ct\] <file or directory>** 34 | 35 | **usage: sigcheck -o \[-vt\]\[-v\[r\]\] <sigcheck csv file>** 36 | 37 | **usage: sigcheck -t\[u\]\[v\] \[-i\] \[-c|-ct\] <certificate store 38 | name|\*>** 39 | 40 | |Parameter |Description | 41 | |---------|---------| 42 | | **-a** | Show extended version information. The entropy measure reported is the bits per byte of information of the file's contents.| 43 | | **-c** | CSV output with comma delimiter| 44 | | **-ct** | CSV output with tab delimiter| 45 | | **-d** | Dump contents of a catalog file| 46 | | **-e** | Scan executable images only (regardless of their extension)| 47 | | **-f** | Look for signature in the specified catalog file| 48 | | **-h** | Show file hashes| 49 | | **-i** | Show catalog name and signing chain| 50 | | **-l** | Traverse symbolic links and directory junctions| 51 | | **-m** | Dump manifest| 52 | | **-n** | Only show file version number| 53 | | **-o** | Performs Virus Total lookups of hashes captured in a CSV file previously captured by Sigcheck when using the -h option. This usage is intended for scans of offline systems.| 54 | | **-q** | Quiet (no banner)| 55 | | **-r** | Disable check for certificate revocation| 56 | | **-s** | Recurse subdirectories| 57 | | **-t\[u\]\[v\]** | Dump contents of specified certificate store ('\*' for all stores).
Specify -tu to query the user store (machine store is the default).
Append '-v' to have Sigcheck download the trusted Microsoft root certificate list and only output valid certificates not rooted to a certificate on that list. If the site is not accessible, authrootstl.cab or authroot.stl in the current directory are used instead, if present.| 58 | | **-u** | If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.| 59 | | **-v\[rs\]**| Query VirusTotal ([www.virustotal.com](https://www.virustotal.com/)) for malware based on file hash.
Add 'r' to open reports for files with non-zero detection.
Files  reported as not previously scanned will be uploaded to VirusTotal if the 's' option is specified. Note scan results may not be available for five or more minutes.| 60 | | **-vt** | Before using VirusTotal features, you must accept VirusTotal terms of service. See: If you haven't accepted the terms and you omit this option, you will be interactively prompted.| 61 | 62 | One way to use the tool is to check for unsigned files in your 63 | \\Windows\\System32 directories with this command: 64 | 65 | **sigcheck -u -e c:\\windows\\system32** 66 | 67 | You should investigate the purpose of any files that are not signed. 68 | 69 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Sigcheck.zip) [**Download Sigcheck**](https://download.sysinternals.com/files/Sigcheck.zip) **(799 KB)** 70 | 71 | **Runs on:** 72 | 73 | - Client: Windows Vista and higher 74 | - Server: Windows Server 2008 and higher 75 | - Nano Server: 2016 and higher 76 | 77 | ## Learn More 78 | 79 | - [Malware Hunting with the Sysinternals 80 | Tools](https://channel9.msdn.com/events/teched/northamerica/2013/atc-b308#fbid=mb6_bvqq9jj) 81 | In this presentation, Mark shows how to use the Sysinternals tools 82 | to identify, analyze and clean malware. 83 | 84 | 85 | 86 | -------------------------------------------------------------------------------- /sysinternals/downloads/process-explorer.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Process Explorer 3 | title: Process Explorer 4 | description: Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. 
5 | ms:assetid: '32cbeee6-4335-44d5-b94b-160612b99738' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb896653(v=MSDN.10)' 7 | ms.date: 06/28/2019 8 | --- 9 | 10 | Process Explorer v16.30 11 | ======================= 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: September 05, 2019 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ProcessExplorer.zip) [**Download Process Explorer**](https://download.sysinternals.com/files/ProcessExplorer.zip) **(1.9 MB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/procexp.exe). 19 | 20 | ## Introduction 21 | 22 | Ever wondered which program has a particular file or directory open? Now 23 | you can find out. *Process Explorer* shows you information about which 24 | handles and DLLs processes have opened or loaded. 25 | 26 | The *Process Explorer* display consists of two sub-windows. The top 27 | window always shows a list of the currently active processes, including 28 | the names of their owning accounts, whereas the information displayed in 29 | the bottom window depends on the mode that *Process Explorer* is in: if 30 | it is in handle mode you'll see the handles that the process selected in 31 | the top window has opened; if *Process Explorer* is in DLL mode you'll 32 | see the DLLs and memory-mapped files that the process has loaded. 33 | *Process Explorer* also has a powerful search capability that will 34 | quickly show you which processes have particular handles opened or DLLs 35 | loaded. 36 | 37 | The unique capabilities of *Process Explorer* make it useful for 38 | tracking down DLL-version problems or handle leaks, and provide insight 39 | into the way Windows and applications work. 
40 | 41 | ![Process Explorer screenshot](/media/landing/sysinternals/processexplorer.jpg) 42 | 43 | ![System Information screenshot](/media/landing/sysinternals/processexplorer2.jpg) 44 | 45 | ## Related Links 46 | 47 | - [Windows Internals 48 | Book](~/learn/windows-internals.md) 49 | The official updates and errata page for the definitive book on 50 | Windows internals, by Mark Russinovich and David Solomon. 51 | - [Windows Sysinternals Administrator's 52 | Reference](~/learn/troubleshooting-book.md) 53 | The official guide to the Sysinternals utilities by Mark Russinovich 54 | and Aaron Margosis, including descriptions of all the tools, their 55 | features, how to use them for troubleshooting, and example 56 | real-world cases of their use. 57 | 58 | ## Download  59 | 60 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/ProcessExplorer.zip) [**Download Process Explorer**](https://download.sysinternals.com/files/ProcessExplorer.zip) **(1.9 MB)** 61 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/procexp.exe). 62 | 63 | **Runs on:** 64 | - Client: Windows Vista and higher (Including IA64). 65 | - Server: Windows Server 2008 and higher (Including IA64). 66 | 67 | ## Installation 68 | 69 | Simply run *Process Explorer* (procexp.exe). 70 | 71 | The help file describes *Process Explorer* operation and usage. If you 72 | have problems or questions please visit the [Process Explorer forum on Technet](https://social.technet.microsoft.com/Forums/en-US/home?forum=procexplorer). 73 | 74 | 75 | 76 | ## Learn More 77 | 78 | Here are some other handle and DLL viewing tools and information 79 | available at Sysinternals: 80 | 81 | - [The case of the 82 | Unexplained...](https://channel9.msdn.com/events/teched/northamerica/2010/wcl315) 83 | In this video, Mark describes how he has solved seemingly unsolvable 84 | system and application problems on Windows. 
85 | - [Handle](handle.md) - 86 | a command-line handle viewer 87 | - [ListDLLs](listdlls.md) - 88 | a command-line DLL viewer 89 | - [PsList](pslist.md) - 90 | local/remote command-line process lister 91 | - [PsKill](pskill.md) - 92 | local/remote command-line process killer 93 | - [Defrag Tools: \#2 - Process 94 | Explorer](http://channel9.msdn.com/shows/defrag-tools/defrag-tools-2-process-explorer) 95 | In this episode of Defrag Tools, Andrew Richards and Larry Larsen 96 | show how to use Process Explorer to view the details of processes, 97 | both at a point in time and historically. 98 | - [Windows Sysinternals Primer: Process Explorer, Process Monitor and 99 | More](https://channel9.msdn.com/events/teched/northamerica/2010/wcl314) 100 | Process Explorer gets a lot of attention in the first Sysinternals 101 | Primer delivered by Aaron Margosis and Tim Reckmeyer at TechEd 2010. 102 | -------------------------------------------------------------------------------- /sysinternals/downloads/disk2vhd.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: Disk2vhd 3 | title: Disk2vhd 4 | description: Disk2vhd simplifies the migration of physical systems into virtual machines. 5 | ms:assetid: 'd2c9597c-1927-4ddc-9ec1-9e0f33166f90' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Ee656415(v=MSDN.10)' 7 | ms.date: 01/21/2014 8 | --- 9 | 10 | Disk2vhd v2.01 11 | ============== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: January 21, 2014 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Disk2vhd.zip) [**Download Disk2vhd**](https://download.sysinternals.com/files/Disk2vhd.zip) **(879 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/disk2vhd.exe). 
19 | 20 | 21 | ## Introduction 22 | 23 | Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's 24 | Virtual Machine disk format) versions of physical disks for use in 25 | Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The 26 | difference between Disk2vhd and other physical-to-virtual tools is that 27 | you can run Disk2vhd on a system that’s online. Disk2vhd uses Windows' 28 | Volume Snapshot capability, introduced in Windows XP, to create 29 | consistent point-in-time snapshots of the volumes you want to include in 30 | a conversion. You can even have Disk2vhd create the VHDs on local 31 | volumes, even ones being converted (though performance is better when 32 | the VHD is on a disk different than ones being converted). 33 | 34 | The Disk2vhd user interface lists the volumes present on the system: 35 | 36 | ![Disk2vhd](/media/landing/sysinternals/20131218_Disk2vhd_v2.0.png "Disk2vhd") 37 | 38 | It will create one VHD for each disk on which selected volumes reside. 39 | It preserves the partitioning information of the disk, but only copies 40 | the data contents for volumes on the disk that are selected. This 41 | enables you to capture just system volumes and exclude data volumes, for 42 | example. 43 | 44 | > Virtual PC supports a maximum virtual disk size of 127GB. If 45 | > you create a VHD from a larger disk it will not be accessible from a 46 | > Virtual PC VM. 47 | 48 | To use VHDs produced by Disk2vhd, create a VM with the desired 49 | characteristics and add the VHDs to the VM's configuration as IDE disks. 50 | On first boot, a VM booting a captured copy of Windows will detect the 51 | VM's hardware and automatically install drivers, if present in the 52 | image. If the required drivers are not present, install them via the 53 | Virtual PC or Hyper-V integration components. You can also attach to 54 | VHDs using the Windows 7 or Windows Server 2008 R2 Disk Management or 55 | Diskpart utilities. 
56 | 57 | > Do not attach to VHDs on the same system on which you created 58 | > them if you plan on booting from them. If you do so, Windows will 59 | > assign the VHD a new disk signature to avoid a collision with the 60 | > signature of the VHD’s source disk. Windows references disks in the 61 | > boot configuration database (BCD) by disk signature, so when that 62 | > happens Windows booted in a VM will fail to locate the boot disk. 63 | > 64 | > Disk2vhd does not support the conversion of volumes with Bitlocker enabled. If you wish to create a VHD for such a volume, turn off Bitlocker and wait for the volume to be fully decrypted first. 65 | 66 | 67 | Disk2vhd runs on Windows Vista, Windows Server 2008, and higher, 68 | including x64 systems. 69 | 70 | Here's a screenshot of a copy of a Windows Server 2008 R2 Hyper-V system 71 | running in a virtual machine on top of the system it was made from: 72 | 73 | [![Windows Server 2008 R2 Hyper-V](/media/landing/sysinternals/Disk2vhd_02_sm.png)](/media/landing/sysinternals/disk2vhd_02.jpg) 74 | *(click image to zoom)* 75 | 76 | ## Command Line Usage 77 | 78 | Disk2vhd includes command-line options that enable you to script the 79 | creation of VHDs. Specify the volumes you want included in a snapshot by 80 | drive letter (e.g. c:) or use "\*" to include all volumes. 81 | 82 | Usage: **disk2vhd <\[drive: \[drive:\]...\]|\[\*\]> 83 | <vhdfile>** 84 | Example: **disk2vhd \* c:\\vhd\\snapshot.vhd** 85 | 86 | > Physical-to-virtual hard drive migration of a Windows 87 | > installation is a valid function for customers with Software Assurance 88 | > and full retail copies of Windows XP, Windows Vista, and Windows 7. 89 | > Software Assurance provides users valuable benefits—please contact 90 | > Microsoft Corporation for further information. 
Windows XP, Windows 91 | > Vista and Windows 7 installed by Original Equipment Manufacturers 92 | > (OEM) using OEM versions of these products may not be transferred to a 93 | > virtual hard drive in accordance with Microsoft licensing terms. 94 | 95 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/Disk2vhd.zip) [**Download Disk2vhd**](https://download.sysinternals.com/files/Disk2vhd.zip) **(879 KB)** 96 | 97 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/disk2vhd.exe). 98 | 99 | -------------------------------------------------------------------------------- /sysinternals/downloads/accesschk.md: -------------------------------------------------------------------------------- 1 | --- 2 | TOCTitle: AccessChk 3 | title: AccessChk 4 | description: AccessChk is a command-line tool for viewing the effective permissions on files, registry keys, services, processes, kernel objects, and more. 5 | ms:assetid: 'f15a6468-622f-4c89-98d7-94667c640675' 6 | ms:mtpsurl: 'https://technet.microsoft.com/en-us/Bb664922(v=MSDN.10)' 7 | ms.date: 02/17/2017 8 | --- 9 | 10 | AccessChk v6.12 11 | =============== 12 | 13 | **By Mark Russinovich** 14 | 15 | Published: November 19, 2017 16 | 17 | [![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)** 18 | **Run now** from [Sysinternals Live](https://live.sysinternals.com/accesschk.exe). 19 | 20 | ## Introduction 21 | 22 | As a part of ensuring that they've created a secure environment Windows 23 | administrators often need to know what kind of accesses specific users 24 | or groups have to resources including files, directories, Registry keys, 25 | global objects and Windows services. AccessChk quickly answers these 26 | questions with an intuitive interface and output. 
27 | 28 | ## Installation 29 | 30 | AccessChk is a console program. Copy AccessChk onto your executable 31 | path. Typing "accesschk" displays its usage syntax. 32 | 33 | ## Using AccessChk 34 | 35 | **Usage: accesschk \[-s\]\[-e\]\[-u\]\[-r\]\[-w\]\[-n\]\[-v\]-\[f 36 | <account>,...\]\[\[-a\]|\[-k\]|\[-p \[-f\] \[-t\]\]|\[-h\]\[-o 37 | \[-t <object type>\]\]\[-c\]|\[-d\]\] \[\[-l 38 | \[-i\]\]|\[username\]\] <file, directory, registry key, process, 39 | service, object>** 40 | 41 | 42 | |Parameter |Description | 43 | |---------|---------| 44 | | **-a** | Name is a Windows account right. Specify "\*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.| 45 | | **-c** | Name is a Windows Service, e.g. ssdpsrv. Specify "\*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.| 46 | | **-d** | Only process directories or top-level keys| 47 | | **-e** | Only show explicitly set-Integrity Levels (Windows Vista and higher only)| 48 | | **-f** | If following -p, shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output.| 49 | | **-h** | Name is a file or printer share. Specify '\*' as the name to show all shares.| 50 | | **-i** | Ignore objects with only inherited ACEs when dumping full access control lists.| 51 | | **-k** | Name is a Registry key, e.g. hklm\\software| 52 | | **-l** | Show full security descriptor. Add -i to ignore inherited ACEs.| 53 | | **-n** | Show only objects that have no access| 54 | | **-o** | Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type.| 55 | | **-p** | Name is a process name or PID, e.g. 
cmd.exe (specify "\*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads.| 56 | | **-q** | Omit Banner| 57 | | **-r** | Show only objects that have read access| 58 | | **-s** | Recurse| 59 | | **-t** | Object type filter, e.g. "section"| 60 | | **-u** | Suppress errors| 61 | | **-v** | Verbose (includes Windows Vista Integrity Level)| 62 | | **-w** | Show only objects that have write access| 63 | 64 | If you specify a user or group name and path, AccessChk will report the 65 | effective permissions for that account; otherwise it will show the 66 | effective access for accounts referenced in the security descriptor. 67 | 68 | By default, the path name is interpreted as a file system path (use the 69 | "\\pipe\\" prefix to specify a named pipe path). For each object, 70 | AccessChk prints R if the account has read access, W for write access, 71 | and nothing if it has neither. The -v switch has AccessChk dump the 72 | specific accesses granted to an account. 
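An added example, not part of AccessChk: a Python triage of the per-object output described above (R for read, W for write, nothing for neither, followed by the object name, when an account and a path are given). The two-character access column is assumed from that description, and both sample runs are constructed.

```python
"""Triage AccessChk per-object output for write access.

Added example, not part of AccessChk. It parses the lines AccessChk prints
when given an account and a path: R for read, W for write, nothing for
neither, followed by the object name. The two-character access column is
assumed from that description; the sample output below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on:  accesschk "power users" c:\windows\system32
SAMPLE_OUTPUT = """\
AccessChk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

RW c:\\windows\\system32\\spool\\PRINTERS
R  c:\\windows\\system32\\kernel32.dll
R  c:\\windows\\system32\\drivers
RW c:\\windows\\system32\\Tasks
   c:\\windows\\system32\\config\\SAM
 W c:\\windows\\system32\\LogFiles\\WMI
"""

# Constructed earlier run of the same command, kept as a baseline.
BASELINE_OUTPUT = SAMPLE_OUTPUT.replace(
    "RW c:\\windows\\system32\\Tasks", "R  c:\\windows\\system32\\Tasks")

# Two access characters, a space, then the object name.
LINE_RE = re.compile(r"^([R ])([W ]) (\S.*)$")


@dataclass(frozen=True)
class AccessEntry:
    path: str
    read: bool
    write: bool


def parse_accesschk(text):
    """One AccessEntry per object line; banner, blank lines and error text are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        r, w, path = m.groups()
        entries.append(AccessEntry(path.rstrip(), r == "R", w == "W"))
    return entries


def writable(entries):
    return [e.path for e in entries if e.write]


def summarize(entries):
    return {
        "total": len(entries),
        "read": sum(e.read for e in entries),
        "write": sum(e.write for e in entries),
        "none": sum(not (e.read or e.write) for e in entries),
    }


def new_write_access(baseline_text, current_text):
    """Objects writable now but not in the baseline run: permission drift worth investigating."""
    before = set(writable(parse_accesschk(baseline_text)))
    return [p for p in writable(parse_accesschk(current_text)) if p not in before]


if __name__ == "__main__":
    current = parse_accesschk(SAMPLE_OUTPUT)
    print(summarize(current))
    print("writable:", writable(current))
    print("newly writable since baseline:", new_write_access(BASELINE_OUTPUT, SAMPLE_OUTPUT))
```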
## Examples

The following command reports the accesses that the Power Users account
has to files and directories in \\Windows\\System32:

**accesschk "power users" c:\\windows\\system32**

This command shows which Windows services members of the Users group
have write access to:

**accesschk users -cw \***

To see what Registry keys under HKLM\\CurrentUser a specific account has
no access to:

**accesschk -kns austin\\mruss hklm\\software**

To see the security on the HKLM\\Software key:

**accesschk -k hklm\\software**

To see all files under \\Users\\Mark on Vista that have an explicit
integrity level:

**accesschk -e -s c:\\users\\mark**

To see all global objects that Everyone can modify:

**accesschk -wuo everyone \\basednamedobjects**


[![Download](/media/landing/sysinternals/download_sm.png)](https://download.sysinternals.com/files/AccessChk.zip) [**Download AccessChk**](https://download.sysinternals.com/files/AccessChk.zip) **(369 KB)**
**Run now** from [Sysinternals Live](https://live.sysinternals.com/accesschk.exe).

-------------------------------------------------------------------------------- /sysinternals/learn/inside-native-applications.md: --------------------------------------------------------------------------------

---
title: Inside Native Applications
ms.date: 11/01/2006
ms.topic: conceptual
ms.prod: windows-sysinternals
ms.technology: system-utilities
description: In this article I'm going to describe how native applications are built and how they work.
---
Inside Native Applications
==========================
Mark Russinovich
Published: November 1, 2006
## Introduction
If you have some familiarity with NT's architecture you are probably aware that the API that Win32 applications use isn't the "real" NT API.
NT's operating environments, which include POSIX, OS/2 and Win32, talk to their client applications via their own APIs, but talk to NT using the NT "native" API. The native API is mostly undocumented, with only about 25 of its 250 functions described in the Windows NT Device Driver Kit.

What most people don't know, however, is that "native" applications exist on NT that are not clients of any of the operating environments. These programs speak the native NT API and can't use operating environment APIs like Win32. Why would such programs be needed? Any program that must run before the Win32 subsystem is started (around the time the logon box appears) must be a native application. The most visible example of a native application is the "autochk" program that runs chkdsk during the initialization Blue Screen (it's the program that prints the "."s on the screen). Naturally, the Win32 operating environment server, CSRSS.EXE (Client-Server Runtime Subsystem), must also be a native application.

In this article I'm going to describe how native applications are built and how they work.

## How Does Autochk Get Executed
*Autochk* runs in between the time that NT's boot and system start drivers are loaded, and when paging is turned on. At this point in the boot sequence Session Manager (smss.exe) is getting NT's user-mode environment off the ground and no other programs are active. The **HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute** value, a MULTI_SZ, contains the names and arguments of programs that are executed by Session Manager, and is where Autochk is specified. Here is what you'll typically find if you look at this value, where "Autochk" is passed "*" as an argument:

```Shell
Autocheck Autochk *
```

*Session Manager* looks in the \\system32 directory for the executables listed in this value.
When Autochk runs there are no files open, so *Autochk* can open any volume in raw mode, including the boot drive, and manipulate its on-disk data structures. This wouldn't be possible at any later point.


## Building Native Applications
Microsoft doesn't document it, but the NT DDK Build utility knows how to make native applications (and it's probably used to compile *Autochk*). You specify information in a SOURCES file that defines the application, the same as would be done for device drivers. However, instead of indicating to Build that you want a driver, you tell it you want a native application in the SOURCES file like this:

```Shell
TARGETTYPE=PROGRAM
```

The *Build* utility uses a standard makefile to guide it, \ddk\inc\makefile.def, which looks for a run-time library named nt.lib when compiling native applications. Unfortunately, Microsoft doesn't ship this file with the DDK (it's included in the Server 2003 DDK, but I suspect that if you link with that version your native application won't run on XP or Windows 2000). However, you can work around this problem by including a line in makefile.def that overrides the selection of nt.lib by specifying Visual C++'s runtime library, msvcrt.lib.

If you run *Build* under the DDK's "Checked Build" environment it will produce a native application with full debug information under %BASEDIR%\lib\%CPU%\Checked (e.g. c:\ddk\lib\i386\checked\native.exe), and if you invoke it in the "Free Build" environment a release version of the program will end up in %BASEDIR%\lib\%CPU%\Free. These are the same places device driver images are placed by Build.

Native applications have ".exe" file extensions but you cannot run them like Win32 .exe's. If you try you'll get the message:

The application cannot be run in Windows NT mode.
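Because everything listed in the BootExecute value described in the Autochk section runs before the Win32 subsystem, and therefore before any user-mode security tooling, is up, that value is one of the first registry locations a defender checks for unexpected entries. The following is an added example, not from the article: it decodes a REG_MULTI_SZ blob (UTF-16-LE strings, each NUL-terminated, with an extra NUL ending the list) and compares the entries against the documented default content, "Autocheck Autochk *". The blobs handled here are constructed, as they would come from an offline hive or a `.reg` export; on a live Windows system the `winreg` module already returns the decoded list, and `read_live_boot_execute` shows that path. The entry name `sample_extra.exe` is a placeholder, not a real program.

```python
"""Audit the Session Manager BootExecute value.

Added example, not from the article. BootExecute is the MULTI_SZ list of
programs Session Manager runs before the Win32 subsystem exists, with
"Autocheck Autochk *" as its usual content. Anything added to that list runs
before any user-mode security tooling, so comparing the value against the
expected content is a routine integrity check. The MULTI_SZ bytes handled
here are constructed, as they would come from an offline hive or a .reg
export; on a live system winreg already returns the decoded list.
"""
import sys

# The documented default content of BootExecute (matched case-insensitively).
EXPECTED_BOOT_EXECUTE = ["Autocheck Autochk *"]


def parse_multi_sz(blob: bytes) -> list[str]:
    """Decode a REG_MULTI_SZ blob: UTF-16-LE, each string NUL-terminated,
    with one extra NUL ending the list."""
    text = blob.decode("utf-16-le")
    if text.endswith("\x00\x00"):
        text = text[:-2]
    elif text.endswith("\x00"):
        text = text[:-1]
    return text.split("\x00") if text else []


def encode_multi_sz(entries: list[str]) -> bytes:
    """Inverse of parse_multi_sz, used here only to build sample blobs."""
    if not entries:
        return "\x00\x00".encode("utf-16-le")
    return ("".join(e + "\x00" for e in entries) + "\x00").encode("utf-16-le")


def _normalise(entry: str) -> str:
    # The value is hand-edited and not case-sensitive, so compare loosely.
    return " ".join(entry.split()).lower()


def unexpected_boot_execute(entries, expected=EXPECTED_BOOT_EXECUTE) -> list[str]:
    """Return the entries that are not in the expected list."""
    allowed = {_normalise(e) for e in expected}
    return [e for e in entries if _normalise(e) not in allowed]


def read_live_boot_execute() -> list[str]:
    """Read the value from the local registry (Windows only)."""
    import winreg  # only present on Windows
    key_path = r"System\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, value_type = winreg.QueryValueEx(key, "BootExecute")
    if value_type != winreg.REG_MULTI_SZ:
        raise ValueError(f"BootExecute has unexpected type {value_type}")
    return list(value)


if __name__ == "__main__":
    if sys.platform == "win32":
        entries = read_live_boot_execute()
    else:
        # Constructed sample blob with one extra, unexpected entry
        # ("sample_extra.exe" is a placeholder name, not a real program).
        entries = parse_multi_sz(encode_multi_sz(
            ["Autocheck Autochk *", "Autocheck sample_extra.exe"]))
    print("BootExecute:", entries)
    print("unexpected:", unexpected_boot_execute(entries))
```

An empty result from `unexpected_boot_execute` means the value holds only the documented default; anything else should be traced back to the program it names in \system32 before the next reboot, since Session Manager will run it with no other user-mode code yet active.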

## Inside a Native Application
Instead of **winmain** or **main**, the entry point for native applications is **NtProcessStartup**. Also unlike the Win32 entry points, a native application must reach into the data structure passed as NtProcessStartup's sole parameter to locate its command-line arguments.

The majority of a native application's runtime environment is provided by NTDLL.DLL, NT's native API export library. Native applications must create their own heap from which to allocate storage by using **RtlCreateHeap**, an NTDLL function. Memory is allocated from a heap with **RtlAllocateHeap** and freed with **RtlFreeHeap**. If a native application wishes to print something to the screen it must use the function **NtDisplayString**, which will output to the initialization Blue Screen.

Native applications don't simply return from their startup function like Win32 programs, since there is no runtime code to return to. Instead, they must terminate themselves by calling **NtProcessTerminate**.

The NTDLL runtime consists of hundreds of functions that allow native applications to perform file I/O, interact with device drivers, and perform interprocess communications. Unfortunately, as I stated earlier, the vast majority of these functions are undocumented.
--------------------------------------------------------------------------------