The Hidden Treasures of Sysinternals

Barence writes "PC Pro contributing editor Jon Honeyball has written a nice feature on the latest treasures to be found on the Windows Sysinternals website. Among them are a tool for creating virtual hard disks from physical drives, a hard disk read-write monitoring tool, and a utility for putting ISO images onto flash drives. They're free, but they're effective."

Duh

[afidel]

There's a reason MS bought the company and hired Mark, he consistently puts out the most useful tools for in the trenches Windows diagnostics. Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.

Re:Duh

[RAMMS+EIN]

``And the very first thing they did, within mere days of the acquisition, is they took his ultra-efficient, elegant little tools and put a 200KB EULA popup into every one of them.''

A fine example of how proprietary software is so much more user-friendly than open-source software.

``A GUI popup.

Even into the command line tools.''

That, of course, is to make them more user-friendly. Everybody knows the command-line is just for Unix hippies who still live in the 1970s.

It's all stuff that ships with Linux

[tjstork]

You know, sysinternals was amazing piece of reverse engineering work and some of the utilities that came out of it were pretty interesting as examples of that reverse engineering work.

But...

All that stuff is junk compared to what Linux does for utilities!

I mean, my ubuntu has had burning ISOs and copying them any which way now for at leas 5 years. I can type sensors and get the motherboard temperature, fan speeds, everything. I mean, if you are into doing hardware and low level OS hardware interfacing stuff, there's enough gobblygook in /proc to keep anyone happy from Linux, and then there's all the log files and then the source.

I mean, yeah, Windows has its advantages, but sysinternals isn't one of them. sysinternals is just proof that for a lot of applications you have to be a hero to get it to do anything simply because the source is closed.

Re:It's all stuff that ships with Linux

[heffrey]

Let me see if I've got this straight. A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

This sounds a bit like Raymond Chen's post today: http://blogs.msdn.com/oldnewthing/archive/2010/02/09/9960102.aspx.

Re:It's all stuff that ships with Linux

[Lunix+Nutcase]

At 8-10% penetration? And that's only if you aggregate all Linux based OSes together.

Re:It's all stuff that ships with Linux

[Whatsisname]

The tools on sysinternals are tools that should come with windows from day one.

Re:It's all stuff that ships with Linux

[Pr0xY]

Why compromise and have the installer have a checkbox for "advanced tools?" 99% of people will blindly click next without checking it, they won't get it, the other 1% will actually read what is being asked of them and possibly install it.

Seems like it would be simple to include it without bloating things at all.

Re:It's all stuff that ships with Linux

[mcgrew]

"Bloat" isn't putting apps on a CD you can choose to install or not, it's forcing unnecessary features that few will use in an app or OS.

IE is bloat, since it's welded to the OS and there are superior alternatives; on most people I know who use windows, it's superflous since they use Firefox.

IINM these utilities, both in Windows in Linux, aren't mandatory like IE is.

Re:It's all stuff that ships with Linux

[10101001+10101001]

Let me see if I've got this straight. A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

Yep. As pointed out by the GP, the Sysinternal Windows tools are a by-product of reverse engineering. Specifically, they seem to heavily rely upon the Windows Native API (NTAPI) since the Windows 32 subsytem (Win32) wouldn't readily or at all allow them to do what they do. Since the NTAPI is rather undocumented, it was an impressive feat for the utilities to be created.

However, the fact that an impressive feat was even necessary to obtain Linux-like* parity is the fundamental problem. Doing the same things in Linux are trivial in comparison in most instances because the Linux kernel exposes the information quite freely to user space; and it's generally well documented, so it doesn't even require the semi-heroic effort of understanding the Linux kernel's source code to find out how to use that information or where it is.

Sysinternals is in many ways a good example of fighting against the system because the system is incomplete. Certainly, there are instances were Linux falls into this problem as well as Windows (most of the video subsystem being outside the kernel for most video cards, for example). And even though the source code is available, that obviously doesn't mean that fixing the problem is a simple matter because even if you create a solution, it doesn't mean others will adopt it and absolve you of a good deal of the upkeep. But, in the end, the heroic struggles (and the melodrama) just doesn't exist when the source is available (or even if there's enough documentation and enough functionality exposed to compensate for where the core system lacks). So, that does tend to ruin the "wow" factor when it comes to anyone announcing software for your platform, since unless the software is a new app of an area you're interested in (which on the whole is uncommon), there aren't any effective OS patches to be created that will likely effect you.

*Really, any open source OS would do, but I don't know enough about any others to speak about how they function when it comes to kernel/user space things.

Re:It's all stuff that ships with Linux

[The+Bungi]

How these tools are used and % of userbase that cares about them:

Windows:

- <- Developers
------------------- <- Everyone else

Linux:

------------------- <- Developers
- <- Everyone else

Do you really think the average office worker cares about examining mount points or finding out how many USER handles a process is using? That's why Microsoft doesn't ship any of that with Windows, and they probably never will. More importantly, I'd rather have a third party write these kinds of tools. They're not limited by what marketing and support think is a good idea to ship. If Microsoft made them they probably wouldn't be as useful - not to mention everyone would whine about how they're evil because they're killing a niche.

As long as these tools are available, I could care less where I have to get them from or what I couldn't do before I install them. Duh.

Re:It's all stuff that ships with Linux

[Quantumstate]

But it still fits on one CD while Windows 7 with much less content somehow manages to fill a DVD.

Free doesn't imply ineffective (and vice-versa)

[noidentity]

They're free and they're effective

There, fixed that for you. Saying "free but effective" suggests that free implies ineffective.

Re:Latest, Really?

[fahrbot-bot]

But how exactly is DiskMon a latest treasure?

Because the PC Pro editor just discovered it and doesn't know any better.

windowssucks tag?

[Angst+Badger]

Well, yes, of course Windows sucks, but the SysInternals package really does mitigate the suckage to a surprising degree. Arguably, it's stuff that should have been part of Windows all along. I've been using it for a couple of years and it has made it much, much easier to beat Windows into submission. It's also extremely useful for finding and removing the crap that virus and malware scanners are apparently incapable of dealing with, as well as finding the mounds of not-actually-temporary temporary files that both Windows and a lot of applications like to consume unreasonable amounts of drive space with.

Those that do not understand UNIX

are condemned to reinvent it. Poorly.

Re:Best Buy

[zero0ne]

I understand the joke... but lets be serious here, I would be surprised if even 5% of their staff understands how to use these tools correctly.

When they first started GeekSquad in my area, I was there for a total of 3 months (~15/hr was a good chunk of cash for a college student).

I saw:

- people returning towers that ended up having the actual folder we used to document our steps INSIDE the case (surprised the thing didnt overheat)

- employees trying to remove a power supply without properly unscrewing and detaching the cables from the mobo.

- managers press their staff to push the ~$70 backup "deal" onto customers (4.7GB of backup no less)

- a virus on a PC that looked like it filled up the entire hard drive with empty avi files that had a random porn like name given to em.

- much more I cant recall right now (I've tried to delete it from my memory)

I stopped showing up shortly after.

"Access Denied"

[TheNinjaroach]

Process Explorer kicks the crap out of Task Manager simply for the fact that it doesn't give access denied error messages to admins trying to end protected system processes. Try ending the same processes with Process Explorer and it "just works" -- which goes to show that the Task Manager error message has nothing to do with actual account privileges. The first time I found this I realized it's no wonder Windows has such a problem with malware, the applications I run have more access to my system processes than I do!

Re:Is time for multidesktop for windows?

[EvanED]

That's obviously coming from someone who hasn't spend much time with PowerShell.

I don't make the claim that PS is better (or worse) than the Unix shells, but it does bring a bunch of things to the table that aren't in any common shell. In particular, the ability to pipe objects between processes instead of just text.

In fact, besides "a capable command line tool", there's really almost nothing that MS took from Unix with PowerShell. (In particular, in some very obnoxious ways it still behaves like cmd.exe, and it still is hosted in the god-awful terminal program that cmd is.)

For instance, here's the output of 'dir' in PowerShell:

Mode LastWriteTime Length Name
 
d---- 12/2/2009 4:48 PM examples-v3
d---- 12/16/2009 1:40 PM swyx
-a--- 11/20/2009 2:49 AM 2069 file.dot
-a--- 11/19/2009 11:22 AM 1461 file.dot~
...

Suppose I want just the name? Under Unix, I'd have to pass some ls-specific flag to get just the name. (Pretend ls worked the opposite it does, and gave long listings by default. This detail doesn't change what I'm saying.) In PowerShell, I just say I want the name field, with dir | select-object name:

Name
 
examples-v3
swyx
file.dot
file.dot~
...

I want the name and time it was created? That's dir | select-object Name,CreationTime:

Name CreationTime
 
examples-v3 12/2/2009 4:48:55 PM
swyx 11/2/2009 4:57:30 PM
file.dot 11/19/2009 11:22:33 AM
file.dot~ 11/19/2009 11:24:34 AM
...

The same syntax works for other commands. This is get-process | select-object Id,ProcessName:

Id ProcessName
 
2956 afscreds
  276 afsd_service
2664 alg
3444 ccApp
1080 ccSvcHst
1676 cmd
3020 Console
  376 csrss
...

That's because what 'dir' and 'get-process' actually output is a list of objects, which PowerShell then formats in the table it displays. 'select-object' (I don't claim it's well-named) removes unselected fields from the given objects. 'select-object' (I don't claim it's well-named) removes unselected fields from the given objects.

(lameness filter blah blah blah... using up some space blah blah blah. Hey, did you hear about the /. poster who got trolled? Oh, that's everyone right.)

Re:Wonderful tools

[EvanED]

Don't do that. Go to ctrl panel, administrative tools, services, find the "Windows Update" service (I think that's it's name) in the list, and tell it to stop.

Re:First?

[Spad]

It's good, but it's not *as* good and it's not a viable direct replacement for Task Manager (not can it easily become one).

Re:Is time for multidesktop for windows?

[devent]

Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox

Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.

Re:Is time for multidesktop for windows?

[EvanED]

Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox

Okay, now what's your command line for printing just the file name and it's size? (Pretend you can't use 'du' or something like that.) Or just a list of process IDs with their command lines. (Both of these may be possible -- but the point is that the means of doing so isn't discoverable, you have to read the docs. In PowerShell, these operations *are* somewhat discoverable.)

Besides, I never claimed that PowerShell was better or easier to use than the Unix shells. (I certainly don't claim it's as concise; verbosity is pretty common with Windows API names and such too.) My main claim is that it's merely different -- different enough that to say that it's a copy on anything more than a "hey look, Windows has a half decent command line" level does a disservice to what the PowerShell team did.

Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.

The fact that "every output is just plain simple text" can very much be a drawback too, because it means that a lot of the time you wind up doing some ad-hoc parsing that often works "well enough" but has problems.

For instance, take something that I did earlier today for this post: extract from my shell history file a list of the commands I have run so I could sort them and count occurrences.

My history file has lines that look like this:

: 1265787576:0;tail zsh-history

(The first number is the timestamp, the second number is duration.) Give me a command line that will return a list of command names I've run, so that I can then pipe it to "sort | uniq -c | sort -g".

No really, I'm not kidding; come up with what you would do before reading on.

My assertion is that this would be trivial in the PowerShell world, if there was a "history" command that would return a list of objects containing, e.g., a CommandPath field. Just 'get-history | select-object CommandPath'.

What did I do in Linux? This:
cat zsh-history | cut "-d;" -f2 | cut "-d " -f1
This isn't so ugly... but it also has a ton of problems:

• If I had quoted a command name -- say because the path had spaces -- then those quotes wouldn't have been removed for the sort step and would have been counted separately from an unquoted command. Worse, if the path had actually contained spaces, it would have only picked up the path until the first space.
• Running a command by specifying a full path shows up differently than letting the shell search $PATH for it. Piping through 'basename' or something could fix this -- but at the cost of incorrectly collapsing commands that are in different directories into one entry.
• I occasionally started a command with an environment variable explicitly set on the command line -- e.g. BLAH=foo cmd. In this case, the output from my pipeline would say the command is BLAH=foo.

How many of these problems did your solution have?

(I don't claim that mine is the best possible one -- but I don't know a way to do better without adding *substantial* complexity, and I'm quite comfortable at the command line and at least somewhat conversant with most of the standard Unix utilities.)