Sysinternals Suite tools

Using SDelete

SDelete is a command line utility that takes a number of options. In
any given use, it allows you to delete one or more files and/or
directories, or to cleanse the free space on a logical disk. SDelete
accepts wild card characters as part of the directory or file specifier.

Usage: sdelete <file or directory>
       sdelete <drive letter>
       sdelete <physical disk number>

Parameter Description
-c Clean free space. Specify an optional amount of space to leave free for use by a running system.
-p Specifies number of overwrite passes (default is 1).
-r Remove Read-Only attribute.
-s Recurse subdirectories.
-z Zero free space (good for virtual disk optimization).
-nobanner Do not display the startup banner and copyright message.

Examples

This command executes an ICMP ping test for 10 iterations with 3 warmup
iterations:

To execute a TCP connect test, specify the port number. The following
command executes connect
attempts against the target as quickly as
possible, only printing a summary when finished with the 100 iterations
and 1 warmup iteration:

To configure a server for latency and bandwidth tests, simply specify
the option and the source address and port the server will bind to:

A buffer size is required to perform a TCP latency test. This example
measures the round trip latency of sending an 8KB packet to the target
server, printing a histogram with 100 buckets when completed:

This command tests bandwidth to a PsPing server listening at the target
IP address for 10 seconds and produces a histogram with 100 buckets.
Note that the test must run for at least one second after warmup for a
histogram to generate. Simply add to have PsPing perform a UDP
bandwidth test.


How it Works: Windows 95 and 98

On Windows 95 and 98, the Portmon GUI relies on a dynamically loaded
VxD to capture serial and parallel activity. The Windows VCOMM (Virtual
Communications) device driver serves as the interface to parallel and
serial devices, so applications that access ports indirectly use its
services. The Portmon VxD uses standard VxD service hooking to
intercept all accesses to VCOMM’s functions. Like its NT device driver,
Portmon’s VxD interprets requests to display them in a friendly
format. On Windows 95 and 98 Portmon monitors all ports so there is no
port selection like on NT.


Installation and Use

Simply execute the Portmon program file (portmon.exe) and Portmon
will immediately start capturing debug output. To run Portmon on
Windows 95 you must get the WinSock2
update from Microsoft. Note
that if you run Portmon on Windows NT/2K portmon.exe must be located
on a non-network drive and you must have administrative privilege.
Menus, hot-keys, or toolbar buttons can be used to clear the window,
save the monitored data to a file, search output, change the window
font, and more. The on-line help describes all of Portmon’s features.

Portmon understands all serial and parallel port I/O control commands
(IOCTLs) and displays them along with useful information about their
associated parameters. For read and write requests Portmon displays the
first several dozen bytes of the buffer, using ‘.’ to represent
non-printable characters. The Show Hex menu option lets you toggle
between ASCII and raw hex output of buffer data.

Using PsPing

PsPing implements Ping functionality, TCP ping, latency and bandwidth
measurement. Use the following command-line options to show the usage
for each test type:

Usage:

Parameter Description
-? I Usage for ICMP ping.
-? T Usage for TCP ping.
-? L Usage for latency test.
-? B Usage for bandwidth test.

ICMP ping usage:

Parameter Description
-h Print histogram (default bucket count is 20).
If you specify a single argument, it’s interpreted as a bucket count and the histogram will contain that number of buckets covering the entire time range of values. Specify a comma-separated list of times to create a custom histogram (e.g. "0.01,0.05,1,5,10").
-i Interval in seconds. Specify 0 for fast ping.
-l Request size. Append ‘k’ for kilobytes and ‘m’ for megabytes.
-n Number of pings or append ‘s’ to specify seconds e.g. ’10s’.
-q Don’t output during pings.
-t Ping until stopped with Ctrl+C and type Ctrl+Break for statistics.
-w Warmup with the specified number of iterations (default is 1).
-4 Force using IPv4.
-6 Force using IPv6.

For high-speed ping tests use -q and -i 0.

TCP ping usage:

Parameter Description
-h Print histogram (default bucket count is 20).
If you specify a single argument, it’s interpreted as a bucket count and the histogram will contain that number of buckets covering the entire time range of values. Specify a comma-separated list of times to create a custom histogram (e.g. "0.01,0.05,1,5,10").
-i Interval in seconds. Specify 0 for fast ping.
-l Request size. Append ‘k’ for kilobytes and ‘m’ for megabytes.
-n Number of pings or append ‘s’ to specify seconds e.g. ’10s’.
-q Don’t output during pings.
-t Ping until stopped with Ctrl+C and type Ctrl+Break for statistics.
-w Warmup with the specified number of iterations (default is 1).
-4 Force using IPv4.
-6 Force using IPv6.

For high-speed ping tests use -q and -i 0.

TCP and UDP latency usage:

server:

client:

Parameter Description
-f Open source firewall port during the run.
-u UDP (default is TCP).
-h Print histogram (default bucket count is 20).
If you specify a single argument, it’s interpreted as a bucket count and the histogram will contain that number of buckets covering the entire time range of values. Specify a comma-separated list of times to create a custom histogram (e.g. "0.01,0.05,1,5,10").
-l Request size. Append ‘k’ for kilobytes and ‘m’ for megabytes.
-n Number of sends/receives. Append ‘s’ to specify seconds e.g. ’10s’
-r Receive from the server instead of sending.
-w Warmup with the specified number of iterations (default is 5).
-4 Force using IPv4.
-6 Force using IPv6.
-s Server listening address and port.

The server can serve both latency and bandwidth tests and remains active
until you terminate it with Control-C.

TCP and UDP bandwidth usage:

server:

client:

Parameter Description
-f Open source firewall port during the run.
-u UDP (default is TCP).
-b Bandwidth test.
-h Print histogram (default bucket count is 20).
If you specify a single argument, it’s interpreted as a bucket count and the histogram will contain that number of buckets covering the entire time range of values. Specify a comma-separated list of times to create a custom histogram (e.g. "0.01,0.05,1,5,10").
-i Number of outstanding I/Os (default is min of 16 and 2x CPU cores).
-l Request size. Append ‘k’ for kilobytes and ‘m’ for megabytes.
-n Number of sends/receives. Append ‘s’ to specify seconds e.g. ’10s’
-r Receive from the server instead of sending.
-w Warmup for the specified iterations (default is 2x CPU cores).
-4 Force using IPv4.
-6 Force using IPv6.
-s Server listening address and port.

The server can serve both latency and bandwidth tests and remains active
until you terminate it with Control-C.

Overview of the Sysinternals Tools utilities

How to find out which application has a file open

I was looking through my work calendar when the Outlook 2010 mail client suddenly reported an error and closed. After a restart it could not open its OST file, and today I will describe how I solved this problem in three minutes.

On startup the program showed this error:

Process Explorer. An overview of some of its features

Process Explorer is an alternative to the standard Task Manager. Like many other Sysinternals utilities, it greatly extends your ability to monitor and control the system. The main new feature of the just-released version 14 is the ability to monitor the network activity of processes. Below is a short overview of the features of this utility that I find most useful.

For reference: Sysinternals was acquired by Microsoft in 2006, and the company's key figure, Mark Russinovich, has worked at Microsoft since then. Mark is known for his utilities, the book Windows Internals and his blog, and is a recognized expert on Windows architecture.

  • Columns in the main window
  • Services inside svchost
  • Aggregate activity graphs, the process with the highest activity
  • Aggregate activity graphs in the tray, the process with the highest activity
  • A process's network connections
  • Process threads, their activity, a thread's stack with symbol loading
  • System memory usage information
  • A process's handles and DLLs
  • Searching for handles and DLLs

Overview of the Process Explorer utility from Sysinternals.com

Reviews of utilities from Sysinternals.com:

This review continues the series of articles on the utilities distributed free of charge at Sysinternals.com. It covers the interface and main features of Process Explorer, a utility that is invaluable for viewing and managing processes. The utility can be downloaded from the Process Explorer download page. The archive is 268 kilobytes.
The utility requires no installation. Just unpack the archive and run procexp.exe. The utility's main window opens, as shown in the figure below.

Hunting malware with Sysinternals Tools. Part 1

Introduction

For the past several years Mark Russinovich has given presentations at the annual MVP Summit in Redmond. Last March his talk covered a rather interesting topic: using some popular system utilities to detect malware on a system. The utilities can be downloaded free of charge from the Microsoft TechNet site.
In this first part I will set out what I took away from those talks and show how to use some of these programs.

Autorunsc Usage

Autorunsc is the command-line version of Autoruns. Its usage syntax is:

Usage: autorunsc

Parameter Description
-a Autostart entry selection:
* All.
b Boot execute.
d Appinit DLLs.
e Explorer addons.
g Sidebar gadgets (Vista and higher)
h Image hijacks.
i Internet Explorer addons.
k Known DLLs.
l Logon startups (this is the default).
m WMI entries.
n Winsock protocol and network providers.
o Codecs.
p Printer monitor DLLs.
r LSA security providers.
s Autostart services and non-disabled drivers.
t Scheduled tasks.
w Winlogon entries.
-c Print output as CSV.
-ct Print output as tab-delimited values.
-h Show file hashes.
-m Hide Microsoft entries (signed entries if used with -v).
-s Verify digital signatures.
-t Show timestamps in normalized UTC (YYYYMMDD-hhmmss).
-u If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files.
-x Print output as XML.
-v Query VirusTotal for malware based on file hash. Add ‘r’ to open reports for files with non-zero detection. Files reported as not previously scanned will be uploaded to VirusTotal if the ‘s’ option is specified. Note scan results may not be available for five or more minutes.
-vt Before using VirusTotal features, you must accept the VirusTotal terms of service. If you haven’t accepted the terms and you omit this option, you will be interactively prompted.
-z Specifies the offline Windows system to scan.
user Specifies the name of the user account for which autorun items will be shown. Specify ‘*’ to scan all user profiles.
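A defender's use of the options above, as an added example that is not part of Autoruns: take a CSV snapshot from a known-good build with `autorunsc -accepteula -a * -c -h -s > baseline.csv`, take another later, and compare them for entries that are new, whose image hash changed, or that are not verified-signed. The column names (Time, Entry Location, Entry, Signer, Image Path, SHA-256, ...) are what I expect from the -c output and are an assumption to confirm against the header row of your own export; the two snapshots below are constructed samples with placeholder hashes, not real output.

```python
import csv
import io

# Column names assumed for the CSV that `autorunsc -c -h -s` writes
# (assumption: confirm against the header row of your own export).
KEY_COLS = ("Entry Location", "Entry")
HASH_COL = "SHA-256"
SIGNER_COL = "Signer"

HEADER = ("Time,Entry Location,Entry,Enabled,Category,Profile,Description,"
          "Signer,Company,Image Path,Version,Launch String,MD5,SHA-1,"
          "PESHA-1,PESHA-256,SHA-256,IMP")
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
USER_RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def _row(time, location, entry, signer, image, sha256):
    """Build one 18-column autorunsc-style CSV line (constructed sample)."""
    cols = [time, location, entry, "enabled", "Logon", "System-wide",
            "", signer, "", image, "", image, "", "", "", "", sha256, ""]
    return ",".join(cols)


# Two constructed snapshots (not real autorunsc output): a baseline from a
# known-good build and a later capture of the same host.
BASELINE_CSV = "\n".join([
    HEADER,
    _row("20240101-120000", RUN_KEY, "VendorAgent",
         "(Verified) Example Vendor Ltd",
         r"c:\program files\example\agent.exe", "HASH_AGENT_V1"),
    _row("20240101-120000", "Task Scheduler", r"\ExampleBackup",
         "(Verified) Example Vendor Ltd",
         r"c:\program files\example\backup.exe", "HASH_BACKUP"),
])
CURRENT_CSV = "\n".join([
    HEADER,
    _row("20240301-090000", RUN_KEY, "VendorAgent",
         "(Not verified) Example Vendor Ltd",
         r"c:\program files\example\agent.exe", "HASH_AGENT_V2"),
    _row("20240301-090000", "Task Scheduler", r"\ExampleBackup",
         "(Verified) Example Vendor Ltd",
         r"c:\program files\example\backup.exe", "HASH_BACKUP"),
    _row("20240301-090000", USER_RUN_KEY, "Updater", "(Not verified)",
         r"c:\users\alice\appdata\roaming\updater.exe", "HASH_UPDATER"),
])


def decode_export(raw: bytes) -> str:
    """Autoruns exports may be UTF-16; accept a UTF-16 file (BOM present)
    as well as UTF-8 with or without a BOM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_snapshot(text: str) -> dict:
    """Index rows by (Entry Location, Entry) so two captures can be joined."""
    reader = csv.DictReader(io.StringIO(text.strip()))
    return {tuple(row[c] for c in KEY_COLS): row for row in reader}


def is_unsigned(row: dict) -> bool:
    """With -s, the Signer column starts with '(Verified)' only when the
    Authenticode signature validated; anything else counts as unsigned."""
    return not row.get(SIGNER_COL, "").startswith("(Verified)")


def compare(baseline: dict, current: dict) -> dict:
    """What to triage first: entries that appeared since the baseline,
    entries whose image hash changed, entries that are not verified-signed,
    and entries that vanished (also worth a look, it can be tampering)."""
    findings = {"new": [], "hash_changed": [], "unsigned": [], "removed": []}
    for key, row in current.items():
        base = baseline.get(key)
        if base is None:
            findings["new"].append(key)
        elif base.get(HASH_COL) != row.get(HASH_COL):
            findings["hash_changed"].append(key)
        if is_unsigned(row):
            findings["unsigned"].append(key)
    findings["removed"] = [k for k in baseline if k not in current]
    return findings


def demo() -> dict:
    """Run the comparison over the two constructed snapshots."""
    return compare(parse_snapshot(BASELINE_CSV), parse_snapshot(CURRENT_CSV))


if __name__ == "__main__":
    for kind, keys in demo().items():
        for location, entry in keys:
            print(f"{kind:13} {entry:16} {location}")
```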

A series of lessons on the SysInternals utility suite

1. What are the SysInternals tools and how do you use them?

2. Getting to know Process Explorer

3. Using Process Explorer for troubleshooting and diagnostics

4. Understanding Process Monitor

5. How to use Process Monitor for troubleshooting and finding hidden registry keys

6. Using Autoruns to deal with automatically started processes and malware

In this hands-on series you will learn to use the SysInternals tools like a professional, which will let you better understand and control what is happening in your operating system.

Windows has plenty of other administration tools available free on the Internet or even from commercial sources, but none of them is as indispensable as the SysInternals suite. It is a complete set of free tools for almost any administrator's task, from monitoring or launching processes to uncovering which files and registry keys your applications really access.

Every self-respecting computer specialist uses these tools; if you want to separate the wheat from the chaff, just ask your local computer repair technician what Process Explorer is for. If he has no idea, he is probably not as good as he says. (Don't worry if you don't know either; you will get to know this utility in the next part.)

Remember the time Sony tried to build rootkits into its music CDs? Yes, it was a SysInternals utility that first detected the problem, and it was the SysInternals people who told the world about it. In 2006 Microsoft finally bought the company behind SysInternals, and they continue to provide these utilities free of charge on their website.

In this series of articles you will be introduced to each of the important tools in the suite, get to know them and their many features, and then these guides will help you understand how to use them in real-world conditions. There is a great deal of interesting material, but the ride will be fun, so stay tuned.

Introduction

CacheSet is an applet that allows you to manipulate the working-set
parameters of the system file cache. Unlike CacheMan, CacheSet runs on
all versions of NT and will work without modifications on new Service
Pack releases. In addition to providing you the ability to control the
minimum and maximum working set sizes, it also allows you to reset the
Cache’s working set, forcing it to grow as necessary from a minimal
starting point. Also unlike CacheMan, changes made with CacheSet have
an immediate effect on the size of the Cache.

Use CacheSet to performance tune the system Cache size in a way not
possible without tweaking internal variables the way CacheMan does.

Note: To use CacheSet on NT 4.0 Service Pack 4 and later you must have
the "Increase Quota" privilege (administrator accounts have this
privilege by default). CacheSet has been updated to enable this
privilege so that it works on SP4.

Introduction

One feature of Windows NT/2000’s (Win2K) C2-compliance is that it
implements object reuse protection. This means that when an application
allocates file space or virtual memory it is unable to view data that
was previously stored in the resources Windows NT/2K allocates for it.
Windows NT zero-fills memory and zeroes the sectors on disk where a file
is placed before it presents either type of resource to an application.
However, object reuse does not dictate that the space that a file
occupies before it is deleted be zeroed. This is because Windows NT/2K
is designed with the assumption that the operating system controls
access to system resources. However, when the operating system is not
active it is possible to use raw disk editors and recovery tools to view
and recover data that the operating system has deallocated. Even when
you encrypt files with Win2K’s Encrypting File System (EFS), a file’s
original unencrypted file data is left on the disk after a new encrypted
version of the file is created.

The only way to ensure that deleted files, as well as files that you
encrypt with EFS, are safe from recovery is to use a secure delete
application. Secure delete applications overwrite a deleted file’s
on-disk data using techniques that are shown to make disk data
unrecoverable, even using recovery technology that can read patterns in
magnetic media that reveal weakly deleted files. SDelete (Secure
Delete) is such an application. You can use SDelete both to securely
delete existing files, as well as to securely erase any file data that
exists in the unallocated portions of a disk (including files that you
have already deleted or encrypted). SDelete implements the Department
of Defense clearing and sanitizing standard DOD 5220.22-M, to give you
confidence that once deleted with SDelete, your file data is gone
forever. Note that SDelete securely deletes file data, but not file
names located in free disk space.
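The object-reuse problem described above can be demonstrated without SDelete itself: the Python below, an added example and not SDelete's own code, overwrites a file's allocated bytes in place with zero, one and random passes (the three-step idea behind the DoD 5220.22-M standard the text cites, not a certified implementation of it), renames the entry so the original name does not linger in directory metadata, and only then unlinks. It assumes a conventional filesystem where an in-place write reuses the file's existing clusters; on SSDs and copy-on-write filesystems (APFS, btrfs, ZFS) or volumes with snapshots that assumption fails and the old data can survive, so treat the technique as a mitigation for spinning disks and plain filesystems only. All names here (overwrite_in_place, secure_delete, demo) are this example's own.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 16  # write granularity, 64 KiB


def _write_pattern(fh, size: int, pattern) -> None:
    """Fill the first `size` bytes of the open file with `pattern` (a
    single byte) or with random bytes when `pattern` is None, then fsync
    so the pass reaches the device rather than just the page cache."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Overwrite the file's current allocation `passes` times, cycling
    through zeros, ones and random bytes; returns bytes scrubbed per pass.
    The file is left in place so a caller can inspect what the sectors
    now hold (the demo below does exactly that)."""
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    patterns = [b"\x00", b"\xff", None]
    with open(path, "r+b") as fh:
        for i in range(passes):
            _write_pattern(fh, size, patterns[i % len(patterns)])
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Scrub the data, then the name, then unlink; returns bytes scrubbed.
    The rename addresses the caveat in the text: overwriting covers the
    file's data, but its original name would otherwise stay behind in
    directory metadata after the unlink."""
    size = overwrite_in_place(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    scrubbed_name = os.path.join(directory, secrets.token_hex(8))
    os.replace(path, scrubbed_name)
    os.remove(scrubbed_name)
    return size


def demo(secret: bytes = b"SECRET-", copies: int = 1000) -> dict:
    """Constructed end-to-end check: write a file containing `secret`,
    confirm a single zero pass leaves no trace of it in the file's bytes,
    then securely delete it and confirm the path is gone."""
    fd, path = tempfile.mkstemp(prefix="sdelete-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * copies)
    size = overwrite_in_place(path, 1)  # first pass is zeros
    with open(path, "rb") as fh:
        after = fh.read()
    result = {
        "size": size,
        "secret_gone": secret not in after,
        "all_zero": after == b"\x00" * size,
    }
    secure_delete(path, 3)
    result["exists_after_delete"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```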

Utilities for fine-tuning Windows

An indispensable set of free utilities for maintaining and managing Windows. The SysInternals Suite collection contains more than 120 free tools and applications. The utilities are mainly intended for configuring, optimizing and testing the Windows operating system, as well as for working with third-party applications. Useful utilities for diagnosing the computer's main hardware are also included.

SysInternals Suite brings together all the useful tools for maintaining and troubleshooting Windows. Most of the utilities were developed and are maintained by one of Microsoft's best-known technical staff, Mark Russinovich.

The utilities in the collection are mainly intended for experienced PC users, since many of them have access to hidden system settings and, if handled incorrectly, can break Windows.

Some of the most popular system utilities:

Process Explorer

Lets you control the active processes in the system in every way. Makes it possible to manage resource priorities for any of the displayed processes. Can completely terminate a process or restart it.

Autoruns

A very powerful application for managing autostart. Detects and lets you control the loading of drivers, modules, services and other components together with system startup. The program has a large set of tools for monitoring and configuring a wide range of Windows operating system settings.

Desktops

A small and useful program for creating and managing virtual desktops. Supports up to 4 desktops, which help you distribute your icons and other objects for more convenient and productive work.

accesschk, accesschk64, AccessEnum, ADExplorer, ADInsight, adrestore, Autologon, Autoruns, Autoruns64, autorunsc, autorunsc64, Bginfo, Cacheset, Clockres, Clockres64, Contig, Contig64, Coreinfo, ctrl2cap, Dbgview, Desktops, disk2vhd, diskext, diskext64, Diskmon, DiskView, du, du64, efsdump, FindLinks, FindLinks64, handle, handle64, hex2dec, hex2dec64, junction, junction64, ldmdump, Listdlls, Listdlls64, livekd, livekd64, LoadOrd, LoadOrd64, LoadOrdC, LoadOrdC64, logonsessions, logonsessions64, movefile, movefile64, notmyfault, notmyfault64, notmyfaultc, notmyfaultc64, ntfsinfo, ntfsinfo64, pagedfrg, pendmoves, pendmoves64, pipelist, pipelist64, portmon, procdump, procdump64, procexp, procexp64, Procmon, PsExec, PsExec64, psfile, psfile64, PsGetsid, PsGetsid64, PsInfo, PsInfo64, pskill, pskill64, pslist, pslist64, PsLoggedon, PsLoggedon64, psloglist, pspasswd, pspasswd64, psping, psping64, PsService, PsService64, psshutdown, pssuspend, pssuspend64, RAMMap, RegDelNULL, RegDelNULL64, regjump, RootkitRevealer, ru, ru64, sdelete, sdelete64, ShareEnum, ShellRunas, sigcheck, sigcheck64, streams, streams64, strings, strings64, sync, sync64, Sysmon, Sysmon64, Tcpvcon, Tcpview, Testlimit, Testlimit64, vmmap, Volumeid, Volumeid64, whois, whois64, Winobj, ZoomIt.

Using PsExec

See the July 2004 issue of Windows IT Pro Magazine for Mark’s article
that covers advanced usage of PsExec.

Usage:

Parameter Description
-a Separate processors on which the application can run with commas where 1 is the lowest numbered CPU. For example, to run the application on CPU 2 and CPU 4, enter: "-a 2,4"
-c Copy the specified executable to the remote system for execution. If you omit this option the application must be in the system path on the remote system.
-d Don’t wait for process to terminate (non-interactive).
-e Does not load the specified account’s profile.
-f Copy the specified program even if the file already exists on the remote system.
-i Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session. This flag is required when attempting to run console applications interactively (with redirected standard IO).
-h If the target system is Vista or higher, has the process run with the account’s elevated token, if available.
-l Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group). On Windows Vista the process runs with Low Integrity.
-n Specifies timeout in seconds connecting to remote computers.
-p Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password.
-r Specifies the name of the remote service to create or interact with.
-s Run the remote process in the System account.
-u Specifies optional user name for login to remote computer.
-v Copy the specified file only if it has a higher version number or is newer on than the one on the remote system.
-w Set the working directory of the process (relative to remote computer).
-x Display the UI on the Winlogon secure desktop (local system only).
-priority Specifies -low, -belownormal, -abovenormal, -high or -realtime to run the process at a different priority. Use -background to run at low memory and I/O priority on Vista.
computer Direct PsExec to run the application on the remote computer or computers specified. If you omit the computer name, PsExec runs the application on the local system, and if you specify a wildcard (\\*), PsExec runs the command on all computers in the current domain.
@file PsExec will execute the command on each of the computers listed in the file.
cmd Name of application to execute.
arguments Arguments to pass (note that file paths must be absolute paths on the target system).
-accepteula This flag suppresses the display of the license dialog.

You can enclose applications that have spaces in their name with
quotation marks e.g.

Input is only passed to the remote system when you press the Enter key.
Typing Ctrl-C terminates the remote process.

If you omit a user name, the process will run in the context of your
account on the remote system, but will not have access to network
resources (because it is impersonating). Specify a valid user name in
the syntax if the remote process requires access to network
resources or to run in a different account. Note that the password and
command are encrypted in transit to the remote system.

Error codes returned by PsExec are specific to the applications you
execute, not PsExec.

Examples

This article I wrote describes how PsExec works and gives tips on how
to use it:

The following command launches an interactive command prompt on
:

This command executes IpConfig on the remote system with the
switch, and displays the resulting output locally:

This command copies the program to the remote system and
executes it interactively:

Specify the full path to a program that is already installed on a remote
system if it's not on the system’s path:

Run Regedit interactively in the System account to view the contents of
the SAM and SECURITY keys:

To run Internet Explorer with limited-user privileges use this
command:


PSTools

PsExec is part of a growing kit of Sysinternals command-line tools
that aid in the administration of local and remote systems named
PsTools.

Runs on:

  • Client: Windows Vista and higher.
  • Server: Windows Server 2008 and higher.
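From the defender's side, the same mechanics are the signal to watch for: each PsExec run installs a temporary service on the target (PSEXESVC unless -r renames it, with its binary placed in the Windows directory), so a System log event 7045, "A service was installed in the system", carrying that name or image path is the classic detection. The Python below is an added example, not PsExec's or Microsoft's code; its event lines are constructed in a simplified key=value form that keeps the real 7045 EventData field names (ServiceName, ImagePath, ServiceType, StartType, AccountName) but is not the EVTX/XML layout, and the fallback rule for renamed services is a heuristic of this example.

```python
import re

# Constructed records (not real EVTX/XML): one System-log event per line in
# key=value form, keeping the EventData field names that event 7045 uses.
SAMPLE_EVENTS = r"""
id=7045 host=WS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\PSEXESVC.exe ServiceType="user mode service" StartType="demand start" AccountName=LocalSystem
id=7045 host=WS01 ServiceName=ExampleAgent ImagePath="C:\Program Files\Example\agent.exe" ServiceType="user mode service" StartType="auto start" AccountName=LocalSystem
id=7045 host=WS02 ServiceName=hlpsvc ImagePath=%SystemRoot%\hlpsvc.exe ServiceType="user mode service" StartType="demand start" AccountName=LocalSystem
id=7036 host=WS02 ServiceName=hlpsvc State=running
"""

# key=value pairs; a value is either "quoted with spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Default PsExec service name; a binary of the same name is copied into the
# Windows directory on the target for the duration of the session.
PSEXEC_SERVICE = "psexesvc"
WINDOWS_ROOT_EXE = re.compile(r"(%systemroot%|c:\\windows)\\[^\\]+\.exe")


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict of its fields."""
    return {key: quoted if quoted else bare
            for key, quoted, bare in FIELD_RE.findall(line)}


def classify(event: dict):
    """Return (confidence, reason) for a suspicious 7045 record, else None."""
    if event.get("id") != "7045":
        return None
    name = event.get("ServiceName", "").lower()
    image = event.get("ImagePath", "").lower()
    if name == PSEXEC_SERVICE or image.endswith("\\psexesvc.exe"):
        return ("high", "default PsExec service name or binary")
    # -r renames the service, so the literal name is not enough. Fallback
    # heuristic (this example's own; expect some noise): a demand-start
    # LocalSystem service whose binary sits directly in the Windows root
    # rather than in a vendor folder is worth a review.
    if (WINDOWS_ROOT_EXE.fullmatch(image)
            and event.get("StartType") == "demand start"
            and event.get("AccountName") == "LocalSystem"):
        return ("review", "demand-start LocalSystem service installed "
                          "directly in the Windows directory")
    return None


def scan(log_text: str) -> list:
    """Run every record through classify(); returns
    [(host, service_name, confidence, reason), ...] for the hits."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_event(line)
        verdict = classify(event)
        if verdict is not None:
            hits.append((event.get("host"), event.get("ServiceName"), *verdict))
    return hits


if __name__ == "__main__":
    for host, service, confidence, reason in scan(SAMPLE_EVENTS):
        print(f"{host} {confidence:6} {service}: {reason}")
```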

Process Monitor

If Process Explorer is designed to manage and kill processes, Process Monitor is designed to monitor every process on your system and show you what it is doing. For instance, you may want to know which registry keys a program uses to store its settings, which processes are accessing the Internet, which registry keys are modified when you change a setting, and so on. Process Monitor can monitor a wide range of activity: real-time file system changes, registry activity, thread activity, process activity, etc.

Moreover, the application also has a rich filtering system that lets you narrow down and get extensive information about any process and its activities on your system. As you can tell, this is a pretty advanced tool that is very useful in troubleshooting scenarios.

How to use: Download the file, extract it and then run “procmon.exe”. As soon as you launch it, the application will scan all processes on your system. The scan may take some time, and the application may even become unresponsive while scanning, so wait until the scan is complete. After the scan you will see all the active processes. To see a process's properties, simply right-click on it and select “Properties.”

Overview of the Sysinternals utilities

Of course, you can visit the Windows Sysinternals page at https://technet.microsoft.com/sysinternals and use the alphabetical index of utilities to pick only the tools you need. For a slightly more targeted approach, try the six separate categories: file and disk, networking, process, security, system information, and miscellaneous.

But it is much simpler to download the entire Sysinternals suite (https://technet.microsoft.com/sysinternals/bb842062) and unpack it into a folder of its own.

As a convenient alternative that saves disk space and makes sure you are using the latest versions of the utilities, use the Sysinternals Live service. At https://live.sysinternals.com you will find the complete list of tools and support files. If you know the name of the tool you need, you can enter its path in Windows Explorer or at the command prompt, for example https://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>. (Tip: save favorites as web shortcuts for quick access.)

The Sysinternals Live service lets you run the latest version of each tool in the collection with a single click.

Some Sysinternals tools are fully fledged and have a distinctive graphical interface. Others are intended to be run interactively from the command line or from scripts.

Using AccessChk

Usage:

Parameter Description
-a Name is a Windows account right. Specify as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.
-c Name is a Windows Service, e.g. . Specify as the name to show all services and to check the security of the Service Control Manager.
-d Only process directories or top-level keys
-e Only show explicitly set Integrity Levels (Windows Vista and higher only)
-f If following , shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output.
-h Name is a file or printer share. Specify as the name to show all shares.
-i Ignore objects with only inherited ACEs when dumping full access control lists.
-k Name is a Registry key, e.g.
-l Show full security descriptor. Add to ignore inherited ACEs.
-n Show only objects that have no access
-o Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add . Add and an object type (e.g. section) to see only objects of a specific type.
-p Name is a process name or PID, e.g. (specify as the name to show all processes). Add to show full process token information, including groups and privileges. Add to show threads.
-q Omit Banner
-r Show only objects that have read access
-s Recurse
-t Object type filter, e.g.
-u Suppress errors
-v Verbose (includes Windows Vista Integrity Level)
-w Show only objects that have write access

If you specify a user or group name and path, AccessChk will report the
effective permissions for that account; otherwise it will show the
effective access for accounts referenced in the security descriptor.

By default, the path name is interpreted as a file system path (use the
prefix to specify a named pipe path). For each object,
AccessChk prints if the account has read access, for write access,
and nothing if it has neither. The switch has AccessChk dump the
specific accesses granted to an account.


SDelete

SDelete is one of those tools that you don’t need often but is a must-have because of its importance. In case you are wondering, SDelete is a command line tool used to delete files and folders permanently. Files deleted with SDelete are not recoverable even with the best file recovery tools. The way SDelete works is simple: it finds the sectors where the file is stored and overwrites those sectors with zeros. Thus the files are irrecoverable. So, if you ever want to securely delete a file or folder, use SDelete.

How to use: As I said before, SDelete is a command line tool. To start off, download and extract the file. Now open a command prompt in the same folder by holding Shift, right-clicking, and selecting “Open command prompt here.” In the command prompt, execute the command below, replacing the dummy file path with the actual file path.

sdelete D:\path\to\file

There are also other parameters that you can set to clear free space, delete entire drives, the number of passes, etc. You can get those details from the official download page.

There are more tools in the Sysinternals suite like PStools, PortMon, AccessChk, AutoLogon, Diskmon, Coreinfo, Sysmon, etc., that are helpful in a lot of situations. The good thing is, you can get the entire Sysinternals suite in single zip file. So, download and store it in your pen drive. These tools will be useful when the time comes.

Hope that helps and do comment below sharing your thoughts and experiences about using the above tools or to share your favorite Sysinternals utilities.

Autoruns

More often than not, every program you install on your system adds itself to the system startup. This lets the application be ready for use as soon as the system starts. However, the more applications there are in the startup queue, the slower system startup will be. And it is not only programs: several other things start with Windows, such as scheduled tasks, services, drivers, codecs, Explorer shell extensions, browser helper objects, toolbars, etc.

To deal with this, you can simply use the Autoruns application. It provides all the necessary options to manage the startup items. Moreover, it also plays well with Process Explorer. The application’s user interface may look pretty dated but it is neatly divided into categories. Being a powerful application, only disable an entry if you are sure.

How to run: Just like Process Explorer, Autoruns is also portable. So, download, extract and execute the application “autoruns.exe”. Once opened, you can disable any autorun entry by deselecting the checkbox. The “autorunsc.exe” file you see in the zip file is the command line version.
