Monday, February 9, 2015

Lesson 1: What Are the SysInternals Tools and How Do You Use Them?

This How-To Geek School series will teach you how to use SysInternals tools like a pro, so your geek cred will never be in question. Not that we are questioning your geek skills. You do use SysInternals tools, right?
SCHOOL NAVIGATION
  1. What Are the SysInternals Tools and How Do You Use Them?
  2. Understanding Process Explorer
  3. Using Process Explorer to Troubleshoot and Diagnose
  4. Understanding Process Monitor
  5. Using Process Monitor to Troubleshoot and Find Registry Hacks
  6. Using Autoruns to Deal with Startup Processes and Malware
  7. Using BgInfo to Display System Information on the Desktop
  8. Using PsTools to Control Other PCs from the Command Line
  9. Analyzing and Managing Your Files, Folders, and Drives
  10. Wrapping Up and Using the Tools Together
There are many other admin tools built into Windows, available for free on the web, or even through commercial sources, but none of them are quite as indispensible as the SysInternals suite of tools. That’s right, there’s a full set of free tools to do almost any administrator task, from monitoring or starting processes to peeking under the hood to see what files and registry keys your applications are really accessing.
These tools are used by every single reputable computer guy — if you want to separate the wheat from the chaff, just ask your local PC repair guy what Process Explorer is used for. If he doesn’t have a clue, he’s probably not quite as good as he says. (Don’t worry, if you don’t have a clue about procexp.exe either, we’ll cover that in-depth starting in lesson 2 of this series tomorrow).
Remember that time Sony tried to embed rootkits into their music CDs? Yeah, it was a SysInternals utility that first detected the problem, and it was the SysInternals guys that made the announcement. In 2006, Microsoft finally bought the company behind SysInternals, and they continue to provide the utilities for free on their web site.
This series will walk you through each of the important tools in the kit, get you familiar with them and their many features, and then help you understand how to use them in a real-world scenario. It’s a lot of very geeky material, but it’ll be a fun ride, so be sure to stay tuned.

What Are the SysInternals Tools Exactly?

The SysInternals suite of tools is simply a set of Windows applications that can be downloaded for free from their section of the Microsoft Technet web site. They are all portable, which means that not only do you not have to install them, you can stick them on a flash drive and use them from any PC. In fact, you can actually run them without installing through SysInternals Live (which we’ll illustrate in a bit).
The tools include utilities such as Process Explorer, which is a lot like Task Manager with a plethora of extra features, or Process Monitor, which monitors your PC for filesystem, registry, or even network activity from almost any process on your system.
Autoruns helps you deal with startup processes, TCPView shows you what is connecting to resources on the internet, and there is an entire set of tools that run from the command line to help you deal with processes, services, and more.
Process Explorer is probably the most useful tool in the kit.
Most of these tools are going to require administrator access on your computer, so you’d be wise to test them out in a virtual machine or a test computer if you aren’t sure what you are doing — these are some heavy duty tools.
For example, say you have a really slow PC to troubleshoot, and you want to inspect all of the threads for a particular application, and then you want to see the entire stack for one of those threads to see exactly what DLLs and functions are being called. Process Explorer makes this trivial — you can simply double-click on the process, flip over to the Threads tab, and then click the Stack button.
This stack has not yet overflowed.
What does all this mean? Wait until lessons 2 and 3, where we will do our best to explain the concepts to you, and more importantly, explain why you’d want to bother digging this deep.

How Do You Get the Tools?

Getting your hands on any of the SysInternals tools is as easy as heading to the web site, downloading the zip file with all of the utilities, or just grabbing the zip file for the individual application that you want to use.
Either way, unzip, and double-click on the particular utility you’d like to open. That’s it. There’s no installer.

Running the Tools from SysInternals Live

If you don’t want to be troubled to download and unzip and then run the application, and you don’t want to keep a USB drive updated with the latest versions, or you just don’t have access to your drive while working on somebody else’s computer, you can always resort to SysInternals Live.
Basically what happened is that a number of years ago, the SysInternals guys were curious whether they could find a new way to distribute their software… so they created a Windows file share off their server and gave everybody on the internet access to it.
So you can simply type \\live.sysinternals.com\ into the Windows Run box after pulling that up with the WIN + R shortcut key, and you’ll be able to browse their file share and look around.
Note: the \\server\share format is called a UNC (Universal Naming Convention) path, and it works just about anywhere in Windows. You can utilize it in the explorer address bar, file open and save dialog boxes, or anywhere that you’d normally use a file path.
Screenshot_3_23_14__11_01_PM
The useful folder is probably the Tools one, that has all of the different utilities listed, and easily accessible with nothing more than a mouse click.
Browsing for the utilities on a remotely accessible file share really isn’t the fastest way to do things, though, so thankfully there is a much quicker way to launch any SysInternals utility from any internet-connected Windows PC.
Just follow this format to directly launch one of the utilities through the Run box:
\\live.sysinternals.com\tools\<toolname>
For instance, to launch Process Explorer, the executable name is procexp.exe, so you can use \\live.sysinternals.com\tools\procexp.exe to launch Process Explorer, or change procexp.exe to procmon.exe to launch Process Monitor instead.
Windows_8_1__More_crapware__conduit__etc___Running__1
When you do launch one of the utilities, you’ll be prompted with a security warning dialog before you actually run any of them. This is a good thing, of course, because you wouldn’t want Windows to let anybody run anything from a file share. That would be a disaster!
Windows_8_1__More_crapware__conduit__etc___Running_
We’d highly recommend just downloading and putting a copy of the tools on every PC that you touch, rather than running from the Live site every time. But in a pinch, it’s great to know that you can do it.

Next Lesson: Understanding Process Explorer

Tomorrow’s lesson will familiarize you with the Process Explorer application, a task manager replacement with many more features. The interface is packed full of data and options, so we’ll go through and explain everything that you need to know — like what all those colors in the process list actually mean.
After that, we’ll cover how to use it in the real world to deal with problem processes, malware, and more. Then we’ll head into Process Monitor territory, and explain how to use one of the most powerful troubleshooting applications to figure out what is really going on under the hood of your PC.
And next week we’ll take a trip through some of the other utilities, like Autoruns, Bginfo, and many of the command line utilities included in the toolkit.
There’s a lot of material to cover, so go grab yourself a copy of the utilities so you can follow along starting tomorrow.
Next Page: Understanding Process Explorer

No comments:

Post a Comment