
Sysinternals

Published 2024-10-11 20:49:15, 7172 characters

Microsoft TechNet is a treasure‐trove of all things Microsoft, including troubleshooting, downloads, and training. From the website https://technet.microsoft.com , you can find free training, libraries, wikis, forums, and blogs. When your Microsoft workstation fails hard with a BSOD, where do you go to look up the error codes and event IDs? TechNet! Where do you go to find utilities to help you manage, troubleshoot, and diagnose your Windows machines and applications? TechNet!

When you visit the TechNet website, the fastest way to find the Sysinternals suite is to just search for it in the upper‐right corner. The Sysinternals suite bundles many smaller utilities into one big beautiful tool. One of the best things about the Sysinternals suite is that it is portable. Figure 2.5 shows the download link. You do not have to install each tool. You can put the entire suite of tools on a USB drive and use them from any PC.

Figure 2.5: Microsoft Sysinternals suite download (screenshot of the download link for the suite, which can be carried on a USB drive)

The tools include utilities such as Process Explorer, which is a lot like Task Manager with a ton of extra features, or Autoruns, which helps you deal with startup processes. Another tool inside the suite is PsExec, which is a lightweight replacement for Telnet. One of my favorite tools is Notmyfault. Seriously, that's the name of the tool. You can use it to crash the system or leak kernel memory on purpose, which is helpful when troubleshooting device driver issues; bad drivers have been the cause of at least half of my BSODs. In Lab 2.5, you'll use Sysinternals.

There are so many wonderful tools in this file that it can be difficult to know where to start. The following list includes the tools that I have used quite regularly as well as some that I may not use as much but have been helpful in certain situations:

  • Process Explorer This tool is one of the most used utilities in Sysinternals. It is a simple tool, but it can clue you in on every process, every DLL, and every activity occurring on your PC. In Figure 2.7 , you see processes, CPU usage, PID, and other information. One of my favorite features of Process Explorer is the ability to check processes with VirusTotal if you suspect your machine is compromised.
    Figure 2.7: Sysinternals Process Explorer (screenshot of the Process Explorer window showing processes, CPU usage, PID, and other columns)

  • PsList One way to see processes on a machine is to press Ctrl+Alt+Delete on your keyboard and navigate to your Task Manager. The Task Manager is a great tool but works only on the local machine. You can run PsList remotely to get a list of processes running on someone else's machine.
  • PsKill This tool can be used to kill or terminate processes running on either your machine or someone else's machine. Find the process ID with PsList and terminate it with PsKill.
  • Autoruns Malware is the bane of our IT existence. It can be insidious and invade the startup folder. It will be one of the hardest things you will ever try to clean. Autoruns can help by looking through all the locations where applications can be registered to start automatically. You can filter Autoruns so that the known-good entries you need are hidden, letting you concentrate on the entries that have invaded the system.
  • ZoomIt This utility can be used to magnify a certain area of the screen. It can integrate with PowerPoint so that during a presentation you can trigger certain functions with macro keys. You can live zoom, draw, type, and even configure a break timer if your audience requires one during a class.
  • PsLoggedOn This tool can find users who are logged on to a system. PsLoggedOn uses a scan of the registry to look through the HKEY_USERS key to see what profiles are loaded. This can be extremely helpful when you need to know who has a session established on a PC.
  • SDelete This is a tool that you should not need often but could definitely come in handy. If you ever need to delete something permanently so that even the best of the best file recovery tools cannot retrieve the data, SDelete will take the sectors where the file is stored and write over them with 0s. If you are ever in need of a permanent disposal of a file or folder, you will want to use this tool.
  • PsExec There will be times that you will want to execute programs on remote systems. Telnet runs on port 23 and sends credentials over a network in the clear. PsExec is a much better choice, allowing you to execute processes without having to manually install other software. You can launch interactive command prompts and enable remote tools.
  • Notmyfault If you have a server that is not performing as it should or you are seeing out‐of‐resources errors and the machine is very slow, you can use Notmyfault to troubleshoot more advanced operating system performance issues and application or process crashes.
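The following PowerShell script is an added example written for this page, not code from the book or from Sysinternals. It reproduces the registry technique the text attributes to PsLoggedOn: every loaded user profile appears as a subkey of HKEY_USERS named by the account's SID, so translating each SID back to an account name shows who has a profile loaded on the local machine. The `-UsersOnly` switch and the function name are my own; run it in an elevated PowerShell.

```powershell
# Added example (not from the book or from Sysinternals): list the user
# hives loaded under HKEY_USERS and resolve each SID to an account name,
# the same technique the text describes for PsLoggedOn.
function Get-LoadedProfile {
    param(
        # Hypothetical switch: hide the built-in SYSTEM, LOCAL SERVICE and
        # NETWORK SERVICE hives, which are always loaded
        [switch]$UsersOnly
    )
    $builtin = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'

    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Select-Object -ExpandProperty PSChildName |
        # Keep SID-named keys; skip .DEFAULT and the *_Classes hives,
        # which just mirror a user hive that is already in the list
        Where-Object { $_ -like 'S-1-5-*' -and $_ -notlike '*_Classes' } |
        Where-Object { -not ($UsersOnly -and ($_ -in $builtin)) } |
        ForEach-Object {
            $sidString = $_
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]$sidString
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # No local or domain lookup possible: deleted account,
                # unreachable domain, or a profile copied from another machine
                $account = '<unresolved>'
            }
            [PSCustomObject]@{ SID = $sidString; Account = $account }
        }
}

# Usage: show only real user accounts with a loaded profile
Get-LoadedProfile -UsersOnly | Format-Table -AutoSize
```

A loaded hive means a profile is loaded, not necessarily an interactive session: scheduled tasks and services can load a user's profile, and a hive can stay loaded for a while after logoff, so confirm with a session listing before acting on the result.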
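As an added example (not code from the book or from Sysinternals), the script below does a small Autoruns-style pass in PowerShell over the common Run and RunOnce keys: it extracts the executable from each command line and reports entries whose binary is missing or does not carry a valid Authenticode signature, which is the "hide the known-good, look at what is left" workflow the text describes. The key list, the parser and the function names are my own choices; run it as Administrator for the HKLM keys.

```powershell
# Added example (not from the book or from Sysinternals): Autoruns-style
# review of Run/RunOnce keys, filtering out validly signed entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutableFromCommandLine {
    param([string]$CommandLine)
    # A quoted path is taken whole; otherwise the first whitespace-free token.
    # Unquoted paths containing spaces are a known limitation of this parser.
    $m = [regex]::Match($CommandLine.Trim(), '^"([^"]+)"|^(\S+)')
    $path = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    $path = [System.Environment]::ExpandEnvironmentVariables($path)
    # A bare name such as ctfmon.exe is resolved through PATH, as Windows does
    if ($path -notmatch '\\') {
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

function Get-SuspiciousAutorun {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }
            $exe = Get-ExecutableFromCommandLine -CommandLine ([string]$p.Value)
            if (-not (Test-Path -LiteralPath $exe)) {
                $status = 'FileMissing'       # dangling entry or hidden/removed binary
            } else {
                $status = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            # Validly signed binaries are the "good things" we filter out
            if ($status -eq 'Valid') { continue }
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Executable = $exe; Status = $status }
        }
    }
}

Get-SuspiciousAutorun | Format-Table -AutoSize
```

An unsigned entry is a lead, not a verdict: plenty of legitimate software ships unsigned, and signed malware exists, so treat the list as the starting point for the VirusTotal and hash checks the text mentions rather than as a clean/dirty answer.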
