The Hidden Treasures of Sysinternals

Barence writes "PC Pro contributing editor Jon Honeyball has written a nice feature on the latest treasures to be found on the Windows Sysinternals website. Among them are a tool for creating virtual hard disks from physical drives, a hard disk read-write monitoring tool, and a utility for putting ISO images onto flash drives. They're free, but they're effective."

pstools best by far

psexec has saved my ass SO many times it's not even funny. psexec \\almostcrashedserver cmd.exe

Re:pstools best by far

yay, windows! where you have to download third-party "sysinternals" tools to get the most basic functionality that any stock Unix provides out of the box. woohoo for progress! let's celebrate this with much praise and ado.

Re:pstools best by far

[__aaclcg7560]

You mean Cygwin isn't enough?

Re:pstools best by far

[afidel]

Uh, it hasn't been third party for a long time.

Re:pstools best by far

[ChipMonk]

As a convicted monopolist, it behooves Microsoft to own as many tools remain third-party as possible.

FTFY.

Duh

[afidel]

There's a reason MS bought the company and hired Mark, he consistently puts out the most useful tools for in the trenches Windows diagnostics. Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.

Re:Duh

[toastar]

MS also killed ERD Commander?

Re:Duh

[afidel]

Nope, it was reborn as the MS diagnostic and recovery toolset. link

Re:Duh

[Jeng]

And here I thought that Mark got hired to turn Windows Vista into Windows 7. ( I have no idea, but it was my thought at the time that they bought the best kernal hacker out there to redo Vista. )

Glad to see that not only are Marks old free tools still free, but that Microsoft is allowing new tools of his to be free also. Very un-microsoft of microsoft.

Re:Duh

[mcgrew]

"The Hidden Treasures of Sysinternals"

Why are they hidden? This is the sort of thing that should be documented. Of course, MS documantation is completely lame. Half the time when I hit F1 trying to find out how to do something in MS Access, it points me to a nonexistant menu item. It makes me think of the late Lilly Tomlin's "Ernestine the telephone operator" -- "We're the phone company. We don't HAVE To."

People badmouth Linux docs, but I have a far easier time finding how to do something in Linux than Windows. How good is Apple documentation?

Re:Duh

[toastar]

I happily stand corrected.

Re:Duh

[plague3106]

Right, because putting up an easily found website is hiding the tools.

Re:Duh

[EvanED]

Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.

Around the time MS hired Russinovich a lot of people on Slashdot were worried that it would mean the death of Sysinternals's tools, but what you say is why that argument was almost ridiculous: there'd have been open revolt within MS if that went down.

(I suppose they could have kept the tools internal to MS, but that didn't seem likely.)

Re:Duh

[bertok]

There's a reason MS bought the company and hired Mark, he consistently puts out the most useful tools for in the trenches Windows diagnostics. Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.

And the very first thing they did, within mere days of the acquisition, is they took his ultra-efficient, elegant little tools and put a 200KB EULA popup into every one of them.

A GUI popup.

Even into the command line tools.

I threw up in my mouth a little when I saw that.

Re:Duh

[phud]

Lilly Tomlin is not late, except perhaps for dinner.

Re:Duh

[The+Angry+Mick]

How good is Apple documentation?

Not very, sadly.

I think what's happened is that software manufacturers woke up to the fact that documentation was a pain better reserved for someone else's ass.

I'm not sure if things are related (I suspect they are), but it seems to me that once Microsoft started their own publishing house, the quality of "F1" materials tanked severely. People that got frustrated simply chucked out another $45 for a thick and immediately outdated book, and Microsoft deposited another healthy chunk of change in the bank. Other companies surely noticed this and followed suit.

Re:Duh

Might be a pain, but you can always use the /accepteula command-line switch...

Re:Duh

[RAMMS+EIN]

``And the very first thing they did, within mere days of the acquisition, is they took his ultra-efficient, elegant little tools and put a 200KB EULA popup into every one of them.''

A fine example of how proprietary software is so much more user-friendly than open-source software.

``A GUI popup.

Even into the command line tools.''

That, of course, is to make them more user-friendly. Everybody knows the command-line is just for Unix hippies who still live in the 1970s.

Re:Duh

[riffer]

Yeah, me too. I was horrified. In fact, as soon as I read that Mark was going to the dark side, I did a full rip of the entire SysInternals website, just to make sure I'd have an untainted copy of all his wonderful, useful Windows tools. I was very glad I did that when I saw Microsoft freaking triple the size of some of the binaries...

Re:Duh

[unitron]

Lilly Tomlin is not late, except perhaps for dinner.

Well, she did say that she tried to be cynical but couldn't keep up. :-)

Perhaps it is Ernestine who is no longer answering the bell.

Re:Duh

[rduke15]

How good is Apple documentation?

It has become much better.

I remember a time in OS9 or early OSX when it was totally useless, doing nothing more than telling you to click here and there (all the obvious things you had already done), and carefully NOT explaining anything.

When I used 10.5.x for a few months last year and the year before, I easily found the information I needed, and it tended to be detailed enough.

Re:Duh

[ozmanjusri]

Why are they hidden?

They're not. This whole article is a marketing puff piece.

You'll see similar articles all over the web, like "Win 7 cheat code" etc. Windows 7 adoption is slowing, as its honeymoon period ends and the computer buying public realise, despite the intense hype, it's just not a very interesting product. That's why they're touting the phony 10% adoption figure now and not showing any true growth curve.

Re:Duh

[The+Archon+V2.0]

In fact, as soon as I read that Mark was going to the dark side, I did a full rip of the entire SysInternals website

You too? That makes three of us so far that I know about.

Re:Duh

[Anachragnome]

Microsoft bought Sysinternals because Process Explorer was outing them in terms of what they were doing COVERTLY on Windows machines.

I proved this to myself by using the latest version of Process Explorer, copying the results, wiping my hard drive (I was about to do a reformat anyways and decided it was a good time to do some experimenting), reinstalling the old, PRE-MS version of Process Explorer (v.10.20)...and getting different results as far as what Microsoft was running in the background. I simply compared the results, and they were different...on the exact same Windows install. I do not remember what was different, nor do I care. The point is that they were HIDING something from Process Explorer (any version post 10.20) now that they had control of the once-3rd-party app.

Another slimy thing they do is retroactively replace older versions of Process Explorer with the new version ON DEVICES THAT DO NOT EVEN RUN WINDOWS.

I have numerous thumb-drives that I have wiped entirely clean and installed my own selection of tools and open-source apps on. I then loan them to friends to fix their own machines (as well as provide them with non-MS, non-Adobe alternatives). All of these drives have Process Explorer v10.20 on them. Often, they would be returned only to find that the v10.20 had been over-written with the latest version. It took me a while to figure out what was going on. ANY version of Windows, post XPsp2, has the latest version of Process Explorer buried in it somewhere and will AUTOMATICALLY over-write any old version, REGARDLESS OF WHERE IT IS FOUND. So, if you have v.10.20 on a thumbdrive and plug it into a post-XPsp2 machine, the machine will change the executable on the drive to the latest version without permission. I now have to keep a known-clean version of v10.20 secure from such monkey business.

Good luck finding version 10.20 though. I ended up having to get my copy from a CHINESE server, as Microsoft had cease-and-desisted everyone offering the old versions even though they were not charging for it.

To be blunt, I do not trust Sysinternals or any of their products anymore.

Re:Duh

[riffer]

I wouldn't be surprised if there's hundreds more.... Only reason I don't post the mirror is because a) I don't want to be sued by MS and 2) I respect Mark's choice. He certainly deserves big compensation for the amazing work he's done with SysInternals.

Re:Duh

[geekoid]

If by open revolt, you mean muttering under their breath, then you are correct.

Re:Duh

[jonwil]

Maybe if you posted proof (i.e. details of the items being hidden from MS releases of Process Explorer) people might care.

Re:Duh

[AbRASiON]

Nowadays really that isn't that big of a deal, I mean as long as the tools aren't a 50mb download or more.
The question is, was anything added to the newer versions? bug fixes or features. Microsoft aren't the best company in the world but improvements are improvements, if something is fixed a binary size 3x larger isn't the worst thing in the world.

Re:Duh

[drsmithy]

I stated my opinion, in such a way that anyone can verify it for themselves...and get modded a Troll.

Because you're trolling with paranoid conspiracy theories.

Curious readers can find older copies of Process Explorer here and verify for themselves that running it under - or merely inserting a USB key into a system with - newer versions of Windows (eg Win7) does not result in it being automatically overwritten with 10.2.

Re:Duh

[IICV]

Always? It never worked on newsid (though admittedly that utility isn't particularly useful). I had to issue a registry command first.

Re:Duh

[riffer]

It's a big deal because it's fundamentally insane to write 200KB of code to do an EULA. Especially for the COMMAND-LINE ONLY tools. It defies all sense of rationality and common-sense. A cavalier attitude of "oh it's no big deal to make programs bigger nowadays" is the reason why Windows 7 is a fucking resource pig compared to Linux. And frankly, Linux is a pig when you look at heavily optimized, lightweight OS's like QNX. Er... sorry... rant mode off.

Re:Duh

[Gr8Apes]

People badmouth Linux docs, but I have a far easier time finding how to do something in Linux than Windows. How good is Apple documentation?

Let's put it this way, a 3 year old's chicken scratch on toilet paper that's been flushed down the toilet, retrieved from the sewer and dried is more useful than most MS documentation.

Re:Duh

[Helen+O'Boyle]

Parent wrote the $64,000 question: Why would the exact same list of services running under svchost.exe use different amounts of memory when reported by two different versions of Process Explorer?

Plausible answer: because one of the versions of Process Explorer has a bug, and the other either does not, or has a different bug.

Re:Duh

[drsmithy]

Funny that the link you provided is comprised ENTIRELY of mirrors for sites that no longer have v10.20 available. Many of those mirrors were dead. The only versions that were available there are v9.3 (very old version with many of the functions of 10.20 missing) and v10.21, the first MS version.

So now it's *too* old ? You should have been more specific in the first place, Goldilocks.

Thanks for lending some credence to my original post. You simply validated my assertion that MS has pulled as many old versions from the web as they could possibly get away with.

The very first Google result for "Process Explorer 10.2" takes you a site you can download it from.

Re:Duh

[Gr8Apes]

Let me introduce you to the future of MS OS servers: Server 2008 R2 Server Core.

The next iteration of the GUI.

Oh, and it's not fully 64 bit. Turns out MS's installer still requires 32 bit components. Probably for those GUI popups.

Re:Duh

[jonwil]

I have tested with process explorer 11.33 (latest from the MS site) and the old 8.41 that I had lying around (being unable to find the 10.xx version you mentioned)

I am running Windows XP 32 bit updated with every update Microsoft Update has on its list (including all the optional ones)
No change was made by Windows to my 8.41 version of process explorer, nor was it replaced by any newer version.
The list of services listed for every instance of svchost.exe is identical for both versions of process explorer. All memory usage numbers match between both copies.

Re:Duh

[0ld_d0g]

Process Explorer uses public APIs to get all the data. As does Task Manager. Your "proof" isn't very convincing. Anyone can write process explorer. Here, watch.

#include
#include
#include

void PrintMemoryInfo( DWORD processID )
{
        HANDLE hProcess;
        PROCESS_MEMORY_COUNTERS_EX pmc;

        printf( "\nProcess ID: %u\n", processID );

        hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, processID );

        if (NULL == hProcess) return;

        ZeroMemory(&pmc,sizeof(pmc));
        if ( GetProcessMemoryInfo( hProcess, (PROCESS_MEMORY_COUNTERS*)&pmc, sizeof(pmc)) )
        {
                printf( "\tPageFaultCount: 0x%08X\n", pmc.PageFaultCount );
                printf( "\tPeakWorkingSetSize: 0x%08X\n", pmc.PeakWorkingSetSize );
                printf( "\tWorkingSetSize: 0x%08X\n", pmc.WorkingSetSize );
                printf( "\tQuotaPeakPagedPoolUsage: 0x%08X\n", pmc.QuotaPeakPagedPoolUsage );
                printf( "\tQuotaPagedPoolUsage: 0x%08X\n", pmc.QuotaPagedPoolUsage );
                printf( "\tQuotaPeakNonPagedPoolUsage: 0x%08X\n", pmc.QuotaPeakNonPagedPoolUsage );
                printf( "\tQuotaNonPagedPoolUsage: 0x%08X\n", pmc.QuotaNonPagedPoolUsage );
                printf( "\tPagefileUsage: 0x%08X\n", pmc.PagefileUsage );
                printf( "\tPeakPagefileUsage: 0x%08X\n", pmc.PeakPagefileUsage );
                printf( "\tPrivateUsage: 0x%08X\n", pmc.PrivateUsage );
        }
        CloseHandle( hProcess );
}

int main( )
{
        DWORD aProcesses[1024], cbNeeded, cProcesses;
        unsigned int i;

        if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
                return 1;

        cProcesses = cbNeeded / sizeof(DWORD);

        for ( i = 0; i

Thats pretty much all process exploirer does (ofcource with more robust code). And as far as automatically overwriting itself. This is 100% false. I have had to re-download the new version EVERY single time.

Re:Duh

[0ld_d0g]

bah.. ofcource. The damn tags screwed me over. http://pastebin.com/m622979a6

Does anyone else thing its sad that a technical site has bugs preventing people from pasting code in comments?

Re:Duh

[xtracto]

IIRC Microsoft bought Sysinternals a bit after the Sony Rootkit fiasco, which was put to light by Mark.

When I came to know that Mark was going to Microsoft I was sad. Not because of "the dark side" or whatnot, but because I though the public lost an intelligent, independent and very knowledgable (spell?) public opinion.

It is *very* very very unlikely that Mark would do a similar thing that he did with Sony when he was independent as now his voice and actions are controlled by the MS PR.

That is what really made me sad.

xtracto

Re:Duh

[hairyfeet]

Same here, I figured better safe than sorry. With a full Sysinternals suite on a flash along with the "Computer Repair Utility Toolkit V2" (I'd provide a link but some FOSSies had a fit and made the original website take it down. I'm sure you can find it on MegaUpload) that I update with new AV and antimalware tools it is like having a "shop on a stick" that lets me fix a good 80%+ of the problems I run into on customer's boxes out in the field.

With those two suites and Dependency Walker on a 2Gb flash stick I can carry all my "save my ass" tools in my pocket, making my life a whole lot easier. I've found we PC repairmen are a lot like plumbers, as when we go to visit friends we often get "Hey, while you are here..." and with the Sysinternals suite and the above tools I can fix most problems in no time flat. So if you read this, thanks Mark, your tools kick ass.

Re:Duh

[hairyfeet]

Well I have had it replace the Task Manager on this XP Home box for a couple of months now, went to check the about and found it was 11.30 (so no updating) and went and downloaded the 10.2 from Filehippo (the "secret showing" one) and other than the fonts being shitty on 10.2 I didn't find any difference in processes nor memory. Considering there are more than a dozen things you can watch under the memory heading (private bytes, working set etc) maybe he just is looking at different columns on the two?

Considering how many guys play with sysinternals and would just looooove to find something hinky going on with MSFT I'm gonna have to call bullshit without screenshots. It isn't like there aren't a ton of places to host pics on the net, and if it really is hiding processes then he shouldn't need a full clean install to show us this. But I tried both 10.2 and 11.30 and found no updating and no differences other than fonts on 3 different machines, XP Home, XP Pro, Windows 7.

Re:Duh

[dotgain]

So now it's *too* old ? You should have been more specific in the first place, Goldilocks.

He did specifically say 10.20 in his origial post. Time for bed, grandpa.

Re:Duh

[jonwil]

The EULA for the 10.2 version (the one on FileHippo) clearly indicates that its a post-Microsoft release.

Re:Duh

[ShakaUVM]

And the very first thing they did, within mere days of the acquisition, is they took his ultra-efficient, elegant little tools and put a 200KB EULA popup into every one of them.

A GUI popup.

Even into the command line tools.

Of course, between Win95 and later versions, they took their GUI "winipconfig", removed the easy to use GUI from it, and re-released it as "ipconfig".

You know they were thinking, Why on earth should our users simply be able to click to release and renew their DHCP leases? That's too crazy for the average user. Let's make sure they know how to bring up a command line first, to prove they're worthy.

Re:Duh

[StuartHankins]

Sounds like you missed the point entirely, having the EULA is the stupid part. Putting a graphical EULA on a command-line tool is just totally bizarre and goes further to show how stupid MS can be.

MS was a hacker-friendly (in the good sense of the word) company a long time ago, now it's just a shell of itself -- a law company run by lawyers. Everything they do now revolves around suing, or threats of suing, whether it's the BSA, Software "Assurance" or the nasty click-through EULAs. I go out of my way to avoid their products.

Re:Duh

[drsmithy]

He did specifically say 10.20 in his origial post. Time for bed, grandpa.

From his post:

ANY version of Windows, post XPsp2, has the latest version of Process Explorer buried in it somewhere and will AUTOMATICALLY over-write any old version, REGARDLESS OF WHERE IT IS FOUND.

Re:Duh

[NJRoadfan]

Nope, it was reborn as the MS diagnostic and recovery toolset. link

In the process, they removed a few (minor) tools. They also altered Locksmith to write a log entry when someone resets a password.

Re:Duh

[dotgain]

Rather than quoting him, why don't you just go and reread the post, where you'll see it's quite obvious he's only interested in version 10.20.

Re:Duh

[kiwimate]

Glad to see that not only are Marks old free tools still free, but that Microsoft is allowing new tools of his to be free also. Very un-microsoft of microsoft.

Not really. Microsoft will charge for the primary applications, but it is generally in their best interest to have a whole bunch of useful scripts and tools and so forth available for free. (Somehow they never really got this hint on the old NT Resource Kit, boo.)

There is a wealth of stuff out there on the download section of their website. Just a week ago I needed a batch converter to convert Word 2003 documents to Word 2007 DOCX format. Lo and behold, if you can edit an INI file you can use the Office Migration Toolkit. Yep, it's free. Makes sense...they wanted to make it easy for people to upgrade to Office 2007, so they put out tools to scan for certain types of documents, convert them, report on what was out there, etc. This is not uncommon; especially when upgrading or migrating, Microsoft will put out a whole slew of support tools.

Re:Duh

[hairyfeet]

Ooooookay, fine. I am now breaking out my "Win32 Technet" folder given to me by my buddy Glen in 2004. Since it has been sitting zipped up since 2004 there is NO way that it can be the "MSFT tainted" version, yes? Especially since it is on a DVD?

Now I have run the Win32 Technet version and compared my results to the 11.30 I have on here. Nope, same processes, same memory, same old same, except the fonts are shittier on the old version. So I have tried 3 different versions so far, one off a DVD from 2004, and no "hidden evil" yet. So I really think if there is some "hidden evil" that this guy has managed to find then screenshots or I call bullshit.

Re:Duh

[AK+Marc]

People that got frustrated simply chucked out another $45 for a thick and immediately outdated book, and Microsoft deposited another healthy chunk of change in the bank.

Long ago, when that started, support was cheap. I went from F1 to calling for help. Then, they noticed (or the same bean-counters went to the tech department) and support became crappier and more expensive at the same time. And that lead to Google support, and the 1,000,000,000 hits per error code.

Re:Duh

[drsmithy]

Rather than quoting him, why don't you just go and reread the post, where you'll see it's quite obvious he's only interested in version 10.20.

Strangely enough, I reread it in the process of quoting it. The primary interest is obviously in 10.20 (which, as I noted in another post, is downloadable from the first site found looking for "Process Explorer 10.2") but the assertion was about "all earlier versions".

As I said originally, he's trolling with paranoid conspiracy theories. While Slashdot, as one of the internet's premier anti-Microsoft sites, is certainly the right place to be doing that, making a claim so trivial to demonstrate as false was just sloppy.

Comment removed

[account_deleted]

Comment removed based on user account deletion

It's all stuff that ships with Linux

[tjstork]

You know, sysinternals was amazing piece of reverse engineering work and some of the utilities that came out of it were pretty interesting as examples of that reverse engineering work.

But...

All that stuff is junk compared to what Linux does for utilities!

I mean, my ubuntu has had burning ISOs and copying them any which way now for at leas 5 years. I can type sensors and get the motherboard temperature, fan speeds, everything. I mean, if you are into doing hardware and low level OS hardware interfacing stuff, there's enough gobblygook in /proc to keep anyone happy from Linux, and then there's all the log files and then the source.

I mean, yeah, Windows has its advantages, but sysinternals isn't one of them. sysinternals is just proof that for a lot of applications you have to be a hero to get it to do anything simply because the source is closed.

Re:It's all stuff that ships with Linux

[Sinning]

But the mobile market is booming.

Re:It's all stuff that ships with Linux

[heffrey]

Let me see if I've got this straight. A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

This sounds a bit like Raymond Chen's post today: http://blogs.msdn.com/oldnewthing/archive/2010/02/09/9960102.aspx.

Re:It's all stuff that ships with Linux

[Lunix+Nutcase]

At 8-10% penetration? And that's only if you aggregate all Linux based OSes together.

Re:It's all stuff that ships with Linux

[Whatsisname]

The tools on sysinternals are tools that should come with windows from day one.

Re:It's all stuff that ships with Linux

[Lunix+Nutcase]

Why? Most people won't use them. Then what will happen is you same people would be the whining about how Microsoft is "bloating" Windows with all sorts of applications.

Re:It's all stuff that ships with Linux

[BarryJacobsen]

The tools on sysinternals are tools that should come with windows from day one.

Yeah. And an image editor - wait, no, 3 image editors a few which work only on the command line. And five word processors. Ten calculators. A utility to write random data to the disk.

The average user doesn't need these tools. The people who can make use of them without messing other things up already know about them.

Re:It's all stuff that ships with Linux

[GerardAtJob]

I hate to say this, but you were generous indeed... (I was hoping for more!!!)

http://www.canalys.com/pr/2009/r2009112.html

But.. even 2-3% means many millions of devices... ;)

Re:It's all stuff that ships with Linux

[heffrey]

Anyone who is capable of using these tools is capable of finding them. Personally, on all machines that I use I copy a folder containing around 200 useful utilities (e.g. grep, ls, cat, cp, bzip2, cpuz, console, depends, ps*, diff, gawk, gzip, less, strings, rapidee, sleep, tar, touch, whoami, whois, zip) and then add it to the path. But, I don't think my mum's going to be using psexec anytime soon.

Re:It's all stuff that ships with Linux

[houstonbofh]

No one gives a shit about your tinker toy Loonix box you fucking obese neckbeard.

Thank you for speaking for the entire population. Why do we even need those expensive polls? They could just ask you...

Re:It's all stuff that ships with Linux

[houstonbofh]

Yeah. And an image editor - wait, no, 3 image editors a few which work only on the command line. And five word processors. Ten calculators. A utility to write random data to the disk.

You want MS Word to come for free? That is asking a lot...

Re:It's all stuff that ships with Linux

[Machtyn]

I agreed with you right up until you stated sysinternals isn't one of Windows advantages. Just because it is bringing similar *nix functionality to Windows doesn't make it disadvantageous. I would argue that without sysinternals, Windows would be bunk compared to *nix systems (from a administrative and/or development standpoint.)

Re:It's all stuff that ships with Linux

[Pr0xY]

Why compromise and have the installer have a checkbox for "advanced tools?" 99% of people will blindly click next without checking it, they won't get it, the other 1% will actually read what is being asked of them and possibly install it.

Seems like it would be simple to include it without bloating things at all.

Re:It's all stuff that ships with Linux

[The+Spoonman]

You're trying to apply logic to a religious war. :)

Re:It's all stuff that ships with Linux

[mcgrew]

"Bloat" isn't putting apps on a CD you can choose to install or not, it's forcing unnecessary features that few will use in an app or OS.

IE is bloat, since it's welded to the OS and there are superior alternatives; on most people I know who use windows, it's superflous since they use Firefox.

IINM these utilities, both in Windows in Linux, aren't mandatory like IE is.

Re:It's all stuff that ships with Linux

[10101001+10101001]

Let me see if I've got this straight. A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

Yep. As pointed out by the GP, the Sysinternal Windows tools are a by-product of reverse engineering. Specifically, they seem to heavily rely upon the Windows Native API (NTAPI) since the Windows 32 subsytem (Win32) wouldn't readily or at all allow them to do what they do. Since the NTAPI is rather undocumented, it was an impressive feat for the utilities to be created.

However, the fact that an impressive feat was even necessary to obtain Linux-like* parity is the fundamental problem. Doing the same things in Linux are trivial in comparison in most instances because the Linux kernel exposes the information quite freely to user space; and it's generally well documented, so it doesn't even require the semi-heroic effort of understanding the Linux kernel's source code to find out how to use that information or where it is.

Sysinternals is in many ways a good example of fighting against the system because the system is incomplete. Certainly, there are instances were Linux falls into this problem as well as Windows (most of the video subsystem being outside the kernel for most video cards, for example). And even though the source code is available, that obviously doesn't mean that fixing the problem is a simple matter because even if you create a solution, it doesn't mean others will adopt it and absolve you of a good deal of the upkeep. But, in the end, the heroic struggles (and the melodrama) just doesn't exist when the source is available (or even if there's enough documentation and enough functionality exposed to compensate for where the core system lacks). So, that does tend to ruin the "wow" factor when it comes to anyone announcing software for your platform, since unless the software is a new app of an area you're interested in (which on the whole is uncommon), there aren't any effective OS patches to be created that will likely effect you.

*Really, any open source OS would do, but I don't know enough about any others to speak about how they function when it comes to kernel/user space things.

Re:It's all stuff that ships with Linux

[The+Bungi]

How these tools are used and % of userbase that cares about them:

Windows:

- <- Developers
------------------- <- Everyone else

Linux:

------------------- <- Developers
- <- Everyone else

Do you really think the average office worker cares about examining mount points or finding out how many USER handles a process is using? That's why Microsoft doesn't ship any of that with Windows, and they probably never will. More importantly, I'd rather have a third party write these kinds of tools. They're not limited by what marketing and support think is a good idea to ship. If Microsoft made them they probably wouldn't be as useful - not to mention everyone would whine about how they're evil because they're killing a niche.

As long as these tools are available, I could care less where I have to get them from or what I couldn't do before I install them. Duh.

Re:It's all stuff that ships with Linux

[COMON$]

Well the more irritating thing here is that this is not news. I am a windows guy, however:

1.ESX has been doing P2V on the fly for free for years.

2. Diskmon has been out so long that I assumed everyone knew about it.

3. ISO utility? Seriously? Makes me wonder where all of you were before CD ROM drives, anyone remember doing upgrades from hard disk after copying the OS down so it would install? what year was that '95?

For once I have to side with the Linux snobs...this is OLD news for anyone who has been working with windows for more than a couple years. If you are a linux user, here is your moment to say..."wow, you weren't able to do that before?"

Re:It's all stuff that ships with Linux

[jalefkowit]

The vast majority of Windows users never use the installer. It comes preinstalled on a system they buy from an OEM.

Re:It's all stuff that ships with Linux

[LordLimecat]

I was unaware that there was an equivalent (in terms of features and ease of use) to Process Explorer or FileMon on linux. Mind sharing what they are?

Keep in mind that there may be multiple sources for all that info on linux (running strings on binary etc) but the beauty of ProcExp is that it has tons of useful information at a glance-- what services are spawned under a given process, what threads are in use (and their CPU usage), the commandline used to start an image, strings within both the binary and the memory space, and any IO info you could desire... all at your fingertips.

Re:It's all stuff that ships with Linux

[schon]

Let me see if I've got this straight.

Nope, you don't have it "straight". Allow me to point out where your misunderstanding lies.

A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

No, a great set of tools that doesn't come with Windows demonstrates how rubbish Windows is. A great set of tools that Linux comes with demonstrates how fantastic Linux is.

I don't blame you for not understanding this - after all, it's only the title of his post, and you only quoted it once.

Re:It's all stuff that ships with Linux

[Quantumstate]

But it still fits on one CD while Windows 7 with much less content somehow manages to fill a DVD.

Re:It's all stuff that ships with Linux

[jgtg32a]

Needs more default apps

Re:It's all stuff that ships with Linux

[interval1066]

Why? Most people won't use them.

Grep and wget. Anyone who discovers these two, really simple to use command line (well, shell, lets get politically correct here) utilities, whether Windows nubes or not, are usually shocked by their complete and utter lack on said platform. Linux gurus can't understand why the DOS shell doesn't have them, and nubes wonder how in the world they never found out about them. After I install windows ports on their systems they say they have started using the DOS shell to use these two utils all the time. I've seen this reaction over and over again.

Re:It's all stuff that ships with Linux

[zuperduperman]

> The average user doesn't need these tools. The people who can make use of them without messing other things up already know about them

Some of them yes. But I've always been utterly mystified about why some incredibly useful things don't (or didn't) come with Windows.

Eg: there is all this integrated stuff for CD burning but NO WAY TO BURN AN ISO!!! Which happens to be 99% of my use of the CD / DVD burner. (Yes, this is rectified in 7). And just as bad, no way to mount or see the contents of an ISO file. And this is a format that Microsoft themselves ship software in!

Eg: no virtual desktop utility. I can understand they think most users barely grok their single desktop, but for the love of god, why not ship a simple util for flipping desktops. There are half a dozen freeware ones out there, how hard would it be???

Eg: why the heck is the built in text editor so completely and utterly lame? What is the point???? Microsoft doesn't make a text editor, there is no market here, it's just a pain in the ass to go to fix stuff on grandma's computer and find the only editor there is the lamest thing on the planet.

Re:It's all stuff that ships with Linux

[that+this+is+not+und]

It's nice to have wget on a 'doze box, but I've not figured out how to get it to read a ~/.wgetrc file the way my NetBSD box does. You want the following line in your .wgetrc file, it allows you to mirror sites whether the site admin. approves or not:

robots=off

Re:It's all stuff that ships with Linux

[that+this+is+not+und]

The Interix package (now called 'Services for Unix' and crippled after Microsoft bought the publisher) runs on the Native API. It's a complete POSIX subsystem that runs alongside the Win32 subsystem, independently.

If you have real Interix, and not the gimped Microsoft product, you have an entire POSIX subsystem. It isn't like cygwin which is just a kludge that runs out of a Win32 dll file.

Back in about 1999 when Softway Systems (the creators of Interix) were looking for direction from their market on which way to go, they sent out a questionnaire to customers asking if they should open-source publish the Interix toolchain. Less than a year later they were bought and absorbed into Microsoft.

Re:It's all stuff that ships with Linux

[that+this+is+not+und]

There were some early ports of tools to Win32 that made it bearable in the early days of NT. Back in NT before 4.0, there were UNIX shops making a change over to NT and people brought some of their favorite tools along with them. In particular, there is a ps.exe, kill.exe, and nice.exe package that is really powerful and simple. You can still download it some places packaged as littles.zip. The binaries are about 18k each. And one of the nice things about them, actually, as opposed to the 'process viewer' that Sysinternals publishes, is that they are NOT network-wide. The Sysinternals equivalent that I tried out lets you scan processes over the network to somebody else's box, which brands them as highly malicious 'hacking tools' in many companies. The tinys.zip tool set is so small it fits in almost any space at all. Kill.exe won't let you kill any process, but it will let you snuff out anything running with your permissions.

To supplement this comment, I just tried to google littles.zip and found there are still a very few places it can be downloaded. It's slowly disappearing, in part probably because nobody seems to remember it's there. But there are people who know it's out there and want it gone. The last time I permitted the AVG antivirus package to 'protect' my W2K box, it silently deleted kill.exe as part of the 'protection' without announcing a thing. It's malware, you see.

It's still downloadable at these sites it seems.

Re:It's all stuff that ships with Linux

[that+this+is+not+und]

I mis-named it 'tinys.zip' in part of the above comment.

Re:It's all stuff that ships with Linux

[lgw]

The NTAPI is largely documented (at least today), the docs just come with the DDK, instead of with Visual Studio. For more in-depth documentation, there are several books available from MS authors.

Re:It's all stuff that ships with Linux

[EvanED]

Grep and wget.

Yeah, it's too bad that Windows doesn't come with a command line utility like Grep.

(Okay, I can't speak to their power, but most of the time I use grep I'm doing something that 'find' could do just fine; 99% of the rest of the time the only thing 'find' couldn't handle is a recursive search, and then 'findstr' would work.)

As for WGet, I'm surprised you selected that; I am a heavy user of both Linux and Windows + Cygwin and I use wget no more than once in a blue moon. Something like 'sed' in my mind is missing way more than wget. (For the curious, in the last ~10,000 commands stored in my shell history (dating back to July 2009, though this makes me suspicious that not everything is there), the most commonly used ones are: cd (1290), scons (1061), ls (981), python (520), make (496), cvs (484), cat (423), fg (296), git (248), and exit (196). 'wget' was used three times, which puts it about the median.)

Re:It's all stuff that ships with Linux

[that+this+is+not+und]

needing a GUI

It's a security feature. It keeps people from being able to do anything on the server without a keyboard/monitor/mouse.

Also sells more KVM switches to datacenters. Always a good thing, no?

Re:It's all stuff that ships with Linux

[EvanED]

'wget' was used three times

In fact, this was incorrect; I got that number by grepping my history for 'wget' and piping to 'wc -l'. One of those occurrences was 'grep wget zsh-history', issued as I was gathering these statistics, so really I've only used wget twice in the last 10,000 commands.

Re:It's all stuff that ships with Linux

[Anpheus]

The issue is that they're Mark's tools, not anyone else's, and so they conform to what he wants or needs in an application. It doesn't meet the Windows guidelines, nor should it fall under Microsoft's Support Lifecycle. Believe it or not, everything installed in Windows by default falls under that. If diskpart is having a problem, they will use Windows Update to patch it and make it not a problem.

With how frequently sysinternals stuff is updated, it'd be a ton of unnecessary windows updates for changes to programs only the IT department is going to use, ever.

Re:It's all stuff that ships with Linux

[Elshar]

I can only think of one or two of those utilities which do not come with a standard, fully-functional linux distro or BSD flavor. Why on earth do you carry around a folder containing common utilities?

Just looking at the list, grep, ls, cat, cp?! Really? You've used a *nix dist in the past 15 years that didn't come with cp, grep, cat or ls?

I do the same, but mine doesn't contain ubiquitous utilities.

Re:It's all stuff that ships with Linux

[10101001+10101001]

Or, in other words, thanks to people like Mark Russinovich, Bryce Cogswell, and various MS authors, NTAPI is now largely documented. So, now Windows is approaching the point that people could readily write very useful, fundamental utilities as easily as they could on Linux. That's certainly a step up, but it doesn't sound like the most proactive of situations on Microsoft's part. But, then, I was under the impression MS didn't really want the NTAPI documented, so they could change it if it became necessary (specifically in fixing bad design, which almost all APIs invariably develop if they're used over long spans of time; you should look at Linux's syscall table for an example) without worrying about backwards compatibility. So, it'd seem to me to be rather a mixed blessing for Windows to be approach Linux parity.

Re:It's all stuff that ships with Linux

[interval1066]

why the heck is the built in text editor so completely and utterly lame?

Agreed. I get frustrated that every time I want to open a flat file that isn't suffixed with ".txt" I have to flip the little filter doo-dad to "*.*". Its the height of arrogance to assume that any flat file that notepad is capable of opening should be suffixed with "*.txt". DOS' own batch files have to be un-filtered to pick them. What a pain in the ass.

Re:It's all stuff that ships with Linux

[UnknownSoldier]

So basically it took how many years for MS to re-implement grep ??

It's not installed by default on either WinXP or Vista. Might as well just install Cygwin and get some real utilities while you're at it instead of farting around with the MS toys.

Re:It's all stuff that ships with Linux

[FlyingBishop]

The 95% of users that don't care still need them on their computers, for when the other 5% come calling to fix a problem.

And it wouldn't hurt the users that don't care to take a little responsibility for maintenance.

Re:It's all stuff that ships with Linux

[socsoc]

Yep and then the remainder of users reinstall it after wiping the OEM install with all of it's "helpful" crapware.

Re:It's all stuff that ships with Linux

[socsoc]

It all depends on the desired usage of that box. Let's say a production web server, while you may cd and ls a lot, you're gonna do a lot more grep and probably even more top or wget than you would make.

Re:It's all stuff that ships with Linux

[socsoc]

But you're not an average user, you read /.

You and I burn isos, grandma just wants to put some photos onto a CD. If the user wants to burn an iso, odds are that they'll have a tool preference too.

There's a powertoy for virtual desktops, I haven't used it in years and it wasn't that hot, but it was there for XP.

Throw Crimson Editor or something similar on her machine if you are really editing that much, for a fair price E Editor is good too.

I'd be happy with an edition of Windows that provided nearly no built in programs (most of the accessories menu, media player, burning capabilities, etc) and allowed me to install what I need, just give me the shell and handle drivers. Even if the initial few programs (like a browser) had to be sneakernet to get them on the box. Hell, it'd make small business networks without AD way easier to control too.

Re:It's all stuff that ships with Linux

[zuperduperman]

I'm not complaining that I can't install what I want. I'm complaining that simple basic functions needed to manage a computer don't even come with the computer itself.

They obviously see the need for an editor or they wouldn't ship Notepad. But if you're going to ship an editor, what on earth is the logic in shipping a totally crap one? It would take them about 3 days to code something better than Notepad. After 15 years you have to assume that failing to do so is strategic - they *really* want to have a crap editor on Windows. I don't get it.

Re:It's all stuff that ships with Linux

[Gr8Apes]

After running Linux and OS X for the past 3 years solid, and only running windows 50% or less at work the previous 6 years, I can say that find, grep, and history are probably my 3 most used and missing commands, along with a reasonable shell. Follow that with ssh and scp, and the ability to easily manage any machine from any other with proper credentials and minimal bandwidth, and you get the idea. It's not windows.

Yes, I'm aware of some of the native "ports' of these commands. Most are flawed implementations (esp grep and find) and do not work as expected.

Re:It's all stuff that ships with Linux

[slaad]

Are there any linux utilities that are comparable in depth to process explorer?

Re:It's all stuff that ships with Linux

[EvanED]

So basically it took how many years for MS to re-implement grep ?

Not as many as you're implying. (Okay, I don't when findstr showed up, but that's 'find' in an installation of MS-DOS 6.22. That's as far back as I have media for.)

It's not installed by default on either WinXP or Vista.

What default installation are you using? I just did a default installation of XP (based on a CD image with SP2 included) -- not that there was really anything in the installation that lets you choose components -- and I have find and findstr (opening the command prompt, running find and findstr, and taking that screenshot were the first things I did when I got to the desktop).

Re:It's all stuff that ships with Linux

[EvanED]

Let's say a production web server, while you may cd and ls a lot, you're gonna do a lot more grep and probably even more top or wget than you would make.

Oh, I totally agree. But if you're on a production web server, hopefully you're not a "Windows nube" like interval1066 was talking about. :-)

Point is that 99.9% of Windows users wouldn't use wget if they had it.

Re:It's all stuff that ships with Linux

[bhtooefr]

At which point, the files are included in C:\i386, and a quick trip to Start>Control Panel>Features and Programs will install them.

Re:It's all stuff that ships with Linux

[hairyfeet]

It sounds like what you want buddy is to bookmark Ninite. Launch IE after a clean install and in a couple of minutes...BAM! You have a usable box all ready to go. Anything most folks would need from Grandma to geeks, from Firefox and Flash to Notepad++, Putty, and Eclipse, all a single click away from installing in any combo YOU choose, oh and NO TOOLBARS! And if there is a freeware program you want but don't see? Let them know and there is a good chance they'll add it.

So personally I would much rather have it this way than "One OS to rule them all" which as you've noted ends up with dumbed down programs that just don't cut the mustard. With Ninite you got everything from browsers to utilities, any combo you want, all with a single installer. For building a new PC or dealing with one with crappy programs Ninite is a must. Give it a try, I bet you'll like it.

Oh and for your little ISO mount problem I would recommend Kels CPL Bonus Pack which is just control panel geeker heaven. Virtual CD, CPU/GPU-Z, Memtest, USB Format Tool, just about everything a geek could want installed into easy to use control panel icons. Easy uninstall through add/remove if you don't like it too. Windows just tries too hard to be "grandma friendly" to have decent geek tools. Better to just use the above and set it up your way easy peasy.

Re:It's all stuff that ships with Linux

[bhtooefr]

More like, their time is spent working on trying to advance the OS without breaking compatibility (resulting in ugly hacks like NTVDM,) and then fixing the things that they broke anyway (like, oh, NTVDM's security flaws.)

Also, as for requiring the user to manually select a filetype other than .txt, you don't want newbies just diving in and editing every file they see in Notepad.

And yes, they WILL do that

Or worse, something like, "I opened my programs in Notepad and there was all sorts of weird letters in them, I think they had a virus, so I deleted them!"

Re:It's all stuff that ships with Linux

[tjstork]

Let me see if I've got this straight. A great set of tools that run on Windows demonstrates how rubbish Windows is. A great set of tools that run on Linux demonstrates how fantastic Linux is.

The point is not about how good the sysinternals tools are, but what it took to write them. Mark Russovich did an amazing job reverse engineering Windows to do what he did, but somebody with 1/10th of the work and savvy could have pieced the same level of information about Linux just by either asking the right people (who are not under NDA because its open source), or, just looking at the source.

Re:It's all stuff that ships with Linux

[StuartHankins]

Shhh... you'll 'splode their minds. Let them sit happily in their Windows world, blissfully unaware of larger, more stable and secure systems and how they work. You can buy a Windows monkey for 1/3 the price of a decent 'NIX admin, and this is in part why.

Re:It's all stuff that ships with Linux

[StuartHankins]

Whooooshhhh

Re:It's all stuff that ships with Linux

[StuartHankins]

Next time add a few more words so we know what you're talking about -- are you trying to say that IE is hopelessly married to every windows OS until 7? Then you would agree with me.

On XP (I don't use 7 and probably never will) you can't even access some CHM files unless you have IE. Many features such as Windows Update require IE (the "automatic updates" utility is almost worse than useless). Many third party apps pull up IE even when it's set by prefs to NOT be the system browser. So yes, it's broken and "welded to the OS" is an apt description.

Perhaps you sent the link as a warning, as in "don't upgrade to this", in which case I thank you for your warning and assure you that I don't need Windows and have in fact decided to get off the Microsoft incompatibility, stability and security merry-go-round as of XP. You guys can opt to stay and sink with the ship; I'm outta there.

Re:It's all stuff that ships with Linux

[StuartHankins]

Mod parent up. If MS is known for anything (well, maybe except for issues with stability and security) bloatware is very high on the list.

Re:It's all stuff that ships with Linux

[StuartHankins]

I thought perhaps Notepad was coded with a very early version of MS coding tools, and they thought it was a joke to see how long they could keep it in there. I mean, seriously, when an app you put on your commercial software CD and install by default has been redone countless times -- in better ways -- in introductory programming courses, that's saying something.

Re:It's all stuff that ships with Linux

[StuartHankins]

So your answer is to preserve Windows' out-of-the-box "dummy mode" and require people who need real tools to hunt down and install them?

Larger flamewars have been created on the exclusion of a repository to a Linux distro's default spin. It's not that we can't add something manually, it's that we have large numbers of machines and you're adding steps to the install / maintenance process. It's much simpler to have basic tools added by the OS or at least in its distro so they can be updated as a whole. Surely MS can take one of their crappy videos off the DVD to free up the 15MB it would take for a copy of all these tools.

In other words, yes I have CygWin installed on quite a few servers, but the process of setting them up and keeping them updated is significantly more trouble than keeping Windows programs patched (other than the frequency and size of Windows patches, which create their own problems). Since there's no built-in way to get updates for CygWin I either have to cobble something together or do without automated updates. If you don't see the difference then you've never worked with large groups of machines.

Re:It's all stuff that ships with Linux

[heffrey]

These are tools for running on Windows!! So, no, they are not ubiquitous.

Re:It's all stuff that ships with Linux

[interval1066]

As for WGet, I'm surprised you selected that; I am a heavy user of both Linux and Windows + Cygwin and I use wget no more than once in a blue moon.

Well, speak for yourself, and, of course I'm not going to make comments that everyone will agree with. But you agree with the gist of what I'm saying?

Re:It's all stuff that ships with Linux

[V+for+Vendetta]

But it still fits on one CD while Windows 7 with much less content somehow manages to fill a DVD.

A Windows 7 DVD might include "much less content" if you count applications/tools coming along with it. But it holds all versions of Windows 7 (which is just one version in reality, where the license key decides what features you can use, i.e. upgrading from Home Premium to Prof. required me to just enter the new key ... no additional installation was required). This includes the Ultimate version with all of its included 35 languages you can switch between at runtime (and therefore the needed localisation resources).

Re:It's all stuff that ships with Linux

[kiwimate]

Wordpad? Or is that too complex? What exactly do you want in a simple stripped down editor?

Re:It's all stuff that ships with Linux

[MrNiceguy_KS]

Add a shortcut to Notepad to the "Send To" folder.

Re:It's all stuff that ships with Linux

[Laur]

along with a reasonable shell

Have you tried the native Windows port of zsh? It was unmaintained for several years but has recently been picked up again, might be worth checking out.

Re:It's all stuff that ships with Linux

[lgw]

I'm pretty sure the NTAPI was largely documents in the 3.51 days, with the docs accompanying the 3.51 DDK. It has never really been a secret, though of course people who write Windows drivers for a living benefit from mangement thinking it is. There are portions of the API they don't want documented precisely because they plan to break the interfaces from release to release, so they don't want anyone using them, but it's a minority of the functions.

The NTAPI is the fundamnetal core of NT for the original design: it's the key abstraction layer between the various user-mode system libraries (Win32, WOW, OS2 compatibility, POSIX compatibility, and WOW64 all call it) and the various architecture-specific kernel stuff. I'm pretty sure it has this reputation for secrecy only because thit's not described at all in the extensive docs that come with Visual Studio.

Internally, there's a huge divide at Micrsoft between the apps guys, who use Visual Studio to do their work, and the kernel guys, who use SlickEdit and C and view everyone else as inferior. Not only is the kernel stuff undocumented in Visual Studio, it's entirely the wrong toolkit. The Windows DDK is (or at least was, a few years ago) far closer to the style of work Unix guys are used to.

Re:It's all stuff that ships with Linux

[10101001+10101001]

I'm pretty sure the NTAPI was largely documents in the 3.51 days, with the docs accompanying the 3.51 DDK.

It appears that NtCreatFile wasn't documented until the 2000 DDK. Given that's a rather critical function of an OS API, I'm not sure if you're correct.

It has never really been a secret, though of course people who write Windows drivers for a living benefit from mangement thinking it is. ...

Internally, there's a huge divide at Micrsoft between the apps guys, who use Visual Studio to do their work, and the kernel guys, who use SlickEdit and C and view everyone else as inferior. Not only is the kernel stuff undocumented in Visual Studio, it's entirely the wrong toolkit.

Even if it wasn't a secret, per se, it does sound like efforts were made to obfuscate the information. Considering most Visual Studio developers are of the VB kind, I can understand why documentation would focus on using the Win32 API. Still, it seems a bit extreme to outright exclude such information. But, then, having a whole other toolkit just for kernel stuff seems a bit extreme as well.

The Windows DDK is (or at least was, a few years ago) far closer to the style of work Unix guys are used to.

While that's good to know, why would I ever think to look in the *driver* development kit to develop a console or gui application? Even if you're correct that as early as the 3.51 DDK mostly documented the NTAPI (I'm not entirely sure how much of NTinternals.net really covers [previously] undocumented NTAPI stuff), there was enough obfuscation to make some developers become Window development superstars of a sort because core parts of the OS are unknown to the general development population. Overall, that really doesn't seem a net positive.

Re:It's all stuff that ships with Linux

[dotancohen]

Can you make a tarball or rar archive available with the contents of that folder? I'd love to get my hands on such a thing. Thanks!

Re:It's all stuff that ships with Linux

[Harik]

And it wouldn't hurt the users to become carpenters and build their own houses, and farmers and grow their own food, and mechanics and fix their own car, and programmers to write their own software, and actors to star in their own plays, and lawyers to argue their own cases, and neurosurgeons to perform brain surgury on themselves, and pilots to fly themselves....

It's an idiotic statement when used for any other profession, patently ridiculous when applied to everything at once, yet strangely common among computer geeks. Why? "Because I know it" is an invalid answer for anyone who is not perfect at every possible profession.

Why is it SO IMPORTANT that every machine have these tools so that you, the hotshot computer guy who knows everything about windows (HAH!) can avoid having to keep a USB stick on your keychain?

Re:It's all stuff that ships with Linux

[lgw]

FYI, the Win32 API is the system library for user-mode code. You can't even call NTAPI (without some hacks) from user mode. It's just the Windows architecture: Win32 for user-mode code, NTAPI for kernel code.

First?

[I_have_a_life]

Process Explorer is what Windows should ship with instead of task manager.

Process Monitor is so kick ass... I can't even put it in words.

Re:First?

[Spad]

I'm still rather disappointed that Windows 7 didn't ship with Process Explorer as a replacement for Task Manager, it's almost universally better,

Re:First?

[Jeng]

Stuck on a win2k machine at work, but I was fairly certain that Vista and 7 both came with a very kick ass upgraded process explorer?

Re:First?

[Dishevel]

Almost?

Re:First?

[Antity-H]

almost ? it _is_ universally better !

Re:First?

[I_have_a_life]

While it's true that the task manager on Server 2008, 2008 R2, Vista, and Windows 7 is much better than what you get on Server 2003 and XP, Process Explorer just goes above and beyond.

Double click on a process and you can see.

1. TCP and UDP connections that the process has open.

2. If the process is svchost.exe it will show you every service hosted by the process so you can track it back to what is listed in services.msc.

3. It will show you each individual thread that belongs to the process.

4. If you have Debugging Tools for Windows and the right symbols you can even see the stack trace of each individual process thread.

5. Allows you to suspend any process.

6. You can see every open handle associated with the process.

7. Using the cross-hair tool you can track any window back to it's process ID.

8. You can see every environment variable that applies to the process.

9. All app domains and .Net performance objects that apply to the process.

10. More things I'm sure that I'm not aware of.

It's the ultimate windows process information tool. Fuck the Task Manager and fuck Cygwin they got nothing on Process Explorer and Process Monitor. Add WinDbg to the mix and a copy of Windows Internals and I'm pretty sure you have everything you need to resolve any issue that doesn't require having access to actual source code.

Re:First?

[jgtg32a]

The first tab of Task Manager is kinda nice to have, it shows all of the active windows. It saves me the trouble of digging through all the processes or running the identify function in PE

Re:First?

[Spad]

It's good, but it's not *as* good and it's not a viable direct replacement for Task Manager (not can it easily become one).

Re:First?

[Idbar]

I start using it, because you were able to run a search of the files used by processes. Particularly, when you're trying to move or delete a file and Windows complains that "something is using the file". Since then, it's a must have on any Windows machine I use.

Re:First?

[COMON$]

Man some mod is having fun with this thread. It is the replacement for task manager. Right now you can open task manager for a general overview, then if you need more details to see what handles are in use or what is using network resources, disk resources, memory resources...etc it will tell you. Not much different from process explorer just not as good reporting functionality.

Re:First?

[Anachragnome]

The problem is a matter of trust.

Who here actually TRUSTS Microsoft?

The fact that Process Explorer v10.20 (or older) was from a NON-MS source is why I trusted it.

Alas, the current incarnations have MS fingers all over their insides and that trust is now gone, as far as I am concerned.

Process Explorer v10.20, Revo Uninstaller and Unlocker pretty much give the user full control of a Windows XPsp2 machine. And they are all free, as in beer.

Re:First?

[pod]

That is asinine. Why would the handle be reused in the exact memory space, and why would the original process still have access to it?

Re:First?

[LordLucless]

Nothing wrong with searching by file to find which process is locking it. Parent says nothing about forcibly freeing the handlers. I used it all the time - it generally said explorer.exe was holding the handle, so I killed explorer, deleted the file from commandline, and restarted explorer. Killing the process that holds the process is fine - as long as you don't mind losing that process.

Re:First?

[hesaigo999ca]

The fact that taskmanager these days is so easy to replace or rootkit, and hide what is really going on, I wonder if it really would be better to ship these instead, it would give possibly some more obstacles for a virus to take over your computer....if the code was well written, I believe that taskmanager is so easy to spike because it has a lot of holes...
just my 2 cents.

Re:First?

[StuartHankins]

Some of us have large numbers of older systems and servers to maintain, and simply magically upgrading everything isn't an option. Especially in today's financial climate, many companies are holding onto "known working" systems and delaying upgrades.

Re:First?

[Dishevel]

I guess you have a small point there.

You are Winner!

Re:First?

[jgtg32a]

Yea, I'm going to Disney.

But seriously I've learned to live w/o it.

Re:First?

[pod]

Memory protection. handle1 and handle2 are obviously within the process's own memory, and can be reused. But if the handle points to some memory space (buffer, handler, kernel struct, whatever), that the process does not own (regardless if it did in the past), the access should be disallowed. A process can't just willy nilly read and write whatever memory it wants. I can't just set handle1 to a random value and start writing away to it corrupting something else.

In your example, though, handle2 could not be 1000, because the program has not closed handle1 yet, so as far as it knows it is still valid. When it tries to write to it, however, that should fail, because the kernel internals it was pointing to have been flushed and closed. If those internals have been re-used by another process, the access should be disallowed.

It's Sysinternals, slashdotters

Not to be confused with the Sisinternals porn website.

Re:It's Sysinternals, slashdotters

[Ksevio]

So that everyone else doesn't have to check, there isn't actually a porn website called "Sisinternals"...yet.

free BUT effective

> They're free, but they're effective.

What an unusual combination of attributes!

Re:free BUT effective

[Machtyn]

I know! It's like that free "demo" language program I keep hearing about! I can't believe they're giving away a FREE "demo".

Re:free BUT effective

[mcgrew]

They're free, but they're effective.
What an unusual combination of attributes!

Air and sunshine are free, and they're pretty effective, too. What is it with people that they equate "free" with "worthless?"

Re:free BUT effective

[formfeed]

They're free, but they're effective

The logic of a true MS follower
-or of someone who had been held captive in a Redmond basement for years,
forced to watch MS propaganda while evil Steve tormented him with a chair.

Re:free BUT effective

[CubicleView]

I agree with the parent, but you could agrue that due to the quality of most of the "free" apps available out there, only a negligable amount of them would be considered effective.

Putting ISO's onto a usb stick and making bootable

[gblackwo]

This is very useful- I was one of the people who stuck the Windows 7 MSDNAA downloaded iso onto a flash drive in order to install it to my desktop and laptop.

The more difficult part for normal users is not extracting the iso to the drive but making the drive bootable- which unless you have a utility (Like the one in the article)- requires some command line work. This would make the process way quicker.

Latest, Really?

[Asadullah+Ahmad]

I have been using SysInternals stuff starting from TCPView, which was pretty useful for me back then. But how exactly is DiskMon a latest treasure? It's been around for ages, unless now it monitors on kernel level.

Re:Latest, Really?

[fahrbot-bot]

But how exactly is DiskMon a latest treasure?

Because the PC Pro editor just discovered it and doesn't know any better.

Re:Latest, Really?

[Asadullah+Ahmad]

So in Slashdot land, answering a rhetorical question always gets you more points than asking it? ;-)

Among them are a tool for creating virtual hard di

[GerardAtJob]

Among them are a tool for creating virtual hard disks from physical drives...
subst? That's old stuff... but nice for the other tools!!

Be careful using the P2V tool.

[mbourgon]

Tried using it on my box as a backup tool for a clean install of Win7. AVOID IF YOU ARE GOING TO USE THE SAME PHYSICAL DRIVE. Windows 7 couldn't mount or boot it. Known issue, and extremely aggravating.

Re:Be careful using the P2V tool.

[klocwerk]

It says so in the readme file, and it's a feature not a bug to keep you from hosing your system because you didn't read the readme...

When you first fire up the new VHD it replaces the disk ID with a new one so that it's unique. This causes much trouble if the computer has two of the same disk ID at the same time when it goes to change one, as you might imagine.

Re:Be careful using the P2V tool.

[nahdude812]

And where does it store this ID so that it knows for sure it's the same volume in the future? That's right, on the disk. Clone the disk, and the ID gets cloned too. Now the OS is confused because two disks have the same ID, and it's not sure which one is which (sure it can address them differently still, but which one should it boot from, etc?)

Re:Be careful using the P2V tool.

[Harik]

And what happens when there's two paths to the same physical disk? That's not impossible now, under configurations that the tool is supposed to handle. The OS really needs to be able to handle the situation because it IS the same - the physical disk and virtual disks are different 'paths' to the same thing.

Disk2vhd vs SelfImage

[lymond01]

I used SelfImage recently to dd a windows 2003 box to an LVM-based virtual machine on Proxmox, a Debian-based Virtual Machine Server. Worked a treat. While I see the benefit of created a Microsoft VHD if you're an MS shop, we're a mix so being able to pump a live physical disk into a remote logical volume was great.

Is time for multidesktop for windows?

[Tei]

One of the reasons I can't use Windows for real work is because of the lack of multidesktop. For me is very important the ability to switch from one desktop to other, never having the screen of the taskbar cluttered, having my "graphic things" open in a desktop, and my "programming things" in other. I can't understand how people can work withouth it. Is like browsing withouth tabs, only worse :-)

I know that there are a few free and now free tools that try to provide MD to windows, but all falls flat. The guy behind sysinternals tried to, and was almost a success, but nope. It seems theres some architecture limit that stop this thing to work smoothly on windows, but that is just natural on the X system.

This and the horrible console that Windows have, makes working with windows infuriating.

Re:Is time for multidesktop for windows?

[Jaysyn]

WinXP had multiple desktops if you just installed one of the free PowerToys.

Re:Is time for multidesktop for windows?

[Spad]

Powershell is a massive improvement over the traditional Windows console (which really hasn't changed significantly since the early DOS days); yes, it is in part just a re-implementation of but it is a joy to work with as a Windows admin.

Re:Is time for multidesktop for windows?

[sjaskow]

Um, have you tried Virtual Dimension: http://virt-dimension.sourceforge.net/ ? I don't know if it works on > Vista but it has worked great for me on Windows 2000 and XP.

Re:Is time for multidesktop for windows?

[Spad]

That obviously should have said:

...just a re-implementation of <insert favourite *nix shell here>...

Re:Is time for multidesktop for windows?

[strength_of_10_men]

The guy behind sysinternals tried to, and was almost a success, but nope.

Is the failure you're talking about this?

What are the shortcomings of Sysinternals' Desktops?

I haven't tried other solutions but I occasionally use this and it works fairly well.

Re:Is time for multidesktop for windows?

[fuzzyfuzzyfungus]

The trouble with virtual desktops isn't so much the virtual desktops themselves, which more or less work fine(the one from Sysinternals even uses the actual Windows desktop objects, not some nasty window hiding hack) though are subject to some limitations since MS never really intended for them; but the fact that most application developers never considered them as a possibility.

Running any of the Windows virtual desktop setups for any length of time is a good way to run into some really, really, weird bugs with applications that made various assumptions about there being only one desktop.

Re:Is time for multidesktop for windows?

[Antity-H]

I just wish they would include some kind of sed in the default shell

oh and while I am at it, how about a way to set a variable from the result of an expression without resorting to a pseudo for loop ?
you know something like
set var=`echo toto`
instead of
for /F %%x in (`echo toto`) do set var=%%x

even better how about an improved version of echo which would be able to write the following to a file when %var% is 1 ?
echo var=%var%>>test.bat

try it and have sooooo much fun discovering that the "right" syntax is
echo var=^%var%>>test.bat

how sick is that ?

Re:Is time for multidesktop for windows?

[snakeplissken]

as an example, using the sysinternals 4 desktop prog, firefox won't open a new window other than on the desktop it is already running on, try opening a new instance on another desktop and i get a message that firefox is already running! well i knew that!
this on winxp pro sp3

snake

Re:Is time for multidesktop for windows?

[EvanED]

That's obviously coming from someone who hasn't spend much time with PowerShell.

I don't make the claim that PS is better (or worse) than the Unix shells, but it does bring a bunch of things to the table that aren't in any common shell. In particular, the ability to pipe objects between processes instead of just text.

In fact, besides "a capable command line tool", there's really almost nothing that MS took from Unix with PowerShell. (In particular, in some very obnoxious ways it still behaves like cmd.exe, and it still is hosted in the god-awful terminal program that cmd is.)

For instance, here's the output of 'dir' in PowerShell:

Mode LastWriteTime Length Name
 
d---- 12/2/2009 4:48 PM examples-v3
d---- 12/16/2009 1:40 PM swyx
-a--- 11/20/2009 2:49 AM 2069 file.dot
-a--- 11/19/2009 11:22 AM 1461 file.dot~
...

Suppose I want just the name? Under Unix, I'd have to pass some ls-specific flag to get just the name. (Pretend ls worked the opposite it does, and gave long listings by default. This detail doesn't change what I'm saying.) In PowerShell, I just say I want the name field, with dir | select-object name:

Name
 
examples-v3
swyx
file.dot
file.dot~
...

I want the name and time it was created? That's dir | select-object Name,CreationTime:

Name CreationTime
 
examples-v3 12/2/2009 4:48:55 PM
swyx 11/2/2009 4:57:30 PM
file.dot 11/19/2009 11:22:33 AM
file.dot~ 11/19/2009 11:24:34 AM
...

The same syntax works for other commands. This is get-process | select-object Id,ProcessName:

Id ProcessName
 
2956 afscreds
  276 afsd_service
2664 alg
3444 ccApp
1080 ccSvcHst
1676 cmd
3020 Console
  376 csrss
...

That's because what 'dir' and 'get-process' actually output is a list of objects, which PowerShell then formats in the table it displays. 'select-object' (I don't claim it's well-named) removes unselected fields from the given objects. 'select-object' (I don't claim it's well-named) removes unselected fields from the given objects.

(lameness filter blah blah blah... using up some space blah blah blah. Hey, did you hear about the /. poster who got trolled? Oh, that's everyone right.)

Re:Is time for multidesktop for windows?

[jgtg32a]

It acts a bit funny with FF, you can only have FF open on 1 of the desktops. You can't move programs between desktops. Those are really the only two problems I have.
 
I love that Desktops

Re:Is time for multidesktop for windows?

[Spad]

Yeah, my phrasing was terrible; I meant to imply that it was a case of Microsoft copying the principle of *nix shells rather than being a copy *of* one. Powershell is indeed a lot better in many respects, though I can't claim to be an expert on *nix shells, such as the ability to make .NET and win32 function calls inline in Powershell scripts to make use of things like crypto libraries and windows GUI elements.

Re:Is time for multidesktop for windows?

[buchanmilne]

I doubt this has anything to do with bugs regarding multi desktop. The same issue exists on all platforms with or without multiple desktops. You can't have two firefox instances running at the same time with the same firefox profile, which is why the have a locking mechanism so they can pop up that dialog.

Did you really use File->New Window for this? Or, did you try and start a new process? Starting a new process will fail, opening a new window from the existing process will succeed. The question is, do popups from the 2nd window (now on a different desktop) open in the correct desktop.

Re:Is time for multidesktop for windows?

[devent]

Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox

Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.

Re:Is time for multidesktop for windows?

[socsoc]

FF only lets you launch a single process. I don't think that has anything to do with virtual desktops.

Re:Is time for multidesktop for windows?

[EvanED]

Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox

Okay, now what's your command line for printing just the file name and it's size? (Pretend you can't use 'du' or something like that.) Or just a list of process IDs with their command lines. (Both of these may be possible -- but the point is that the means of doing so isn't discoverable, you have to read the docs. In PowerShell, these operations *are* somewhat discoverable.)

Besides, I never claimed that PowerShell was better or easier to use than the Unix shells. (I certainly don't claim it's as concise; verbosity is pretty common with Windows API names and such too.) My main claim is that it's merely different -- different enough that to say that it's a copy on anything more than a "hey look, Windows has a half decent command line" level does a disservice to what the PowerShell team did.

Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.

The fact that "every output is just plain simple text" can very much be a drawback too, because it means that a lot of the time you wind up doing some ad-hoc parsing that often works "well enough" but has problems.

For instance, take something that I did earlier today for this post: extract from my shell history file a list of the commands I have run so I could sort them and count occurrences.

My history file has lines that look like this:

: 1265787576:0;tail zsh-history

(The first number is the timestamp, the second number is duration.) Give me a command line that will return a list of command names I've run, so that I can then pipe it to "sort | uniq -c | sort -g".

No really, I'm not kidding; come up with what you would do before reading on.

My assertion is that this would be trivial in the PowerShell world, if there was a "history" command that would return a list of objects containing, e.g., a CommandPath field. Just 'get-history | select-object CommandPath'.

What did I do in Linux? This:
cat zsh-history | cut "-d;" -f2 | cut "-d " -f1
This isn't so ugly... but it also has a ton of problems:

• If I had quoted a command name -- say because the path had spaces -- then those quotes wouldn't have been removed for the sort step and would have been counted separately from an unquoted command. Worse, if the path had actually contained spaces, it would have only picked up the path until the first space.
• Running a command by specifying a full path shows up differently than letting the shell search $PATH for it. Piping through 'basename' or something could fix this -- but at the cost of incorrectly collapsing commands that are in different directories into one entry.
• I occasionally started a command with an environment variable explicitly set on the command line -- e.g. BLAH=foo cmd. In this case, the output from my pipeline would say the command is BLAH=foo.

How many of these problems did your solution have?

(I don't claim that mine is the best possible one -- but I don't know a way to do better without adding *substantial* complexity, and I'm quite comfortable at the command line and at least somewhat conversant with most of the standard Unix utilities.)

disk2vhd

[micromuncher]

This was a god send to me, after VMWare Converter could not/would not convert a machine of mine, even after registry and driver cleaning, it just failed near the end without a meaningful error message in the log.

I used disk2vhd, booted up the image in VirtualBox, and bingo - working image.

Free doesn't imply ineffective (and vice-versa)

[noidentity]

They're free and they're effective

There, fixed that for you. Saying "free but effective" suggests that free implies ineffective.

Re:Free doesn't imply ineffective (and vice-versa)

[WinstonWolfIT]

Saying "free but effective" suggests that free suggests ineffective.

There, fixed that for you. Saying "implies" means a -> b

Re:Free doesn't imply ineffective (and vice-versa)

[porges]

Not in non-mathematical English it doesn't. Which is, I admit, confusing. So perhaps "implies" is best avoided in English discussions among math types, after all.

Re:Free doesn't imply ineffective (and vice-versa)

[WinstonWolfIT]

Don't be disingenuous -- in /., are you happy or sad is answered yes.

Re:Free doesn't imply ineffective (and vice-versa)

[hk117]

Free utilities do tend to be ineffective.
Otherwise we'd all be following in the footsteps of Stallman.
For every Process Explorer and nmap there's the rest of the bell curve.

Nothing hidden about them...

[syousef]

They're excellent for a wide range of things. Filemon (now superceded but still available) is an excellent tool for working out what files a piece of software is opening (eg. if you're trying to find config files). Regmon does something similar for the registry. Process explorer is stellar for getting more detail on a process than task manager will ever give (like where the image is running from and what DLLs it's using). Sysinternals filled a gap in diagnostic software. In a Windows environment they're as basic to me as netstat or ping. (speaking of which check out sysinternals tcpview). Especially good for tracing a user mode process right through. There are a lot of other utils to unlock the power of your Windows environment too.

Two sysinternals that weren't mentioned worth knowing about:

streams - view or remove hidden file streams attached to a file not normally seen in explorer. Especially good for removing that pesky "downloaded files are bad" warning when something is marked as being from the Internet zone.

junction - One of a handful of tools that allows you to create junctions (simliar to but not the same as hard directory links) in Windows XP.

The other non-sys-internals thing that every power user should know about is windbg and the debugging symbols. Indespesible for tracking down the culprit if you get blue screens due to device drivers (though obviously non-developers are not going to be able to do much about fixing the fault apart from downloading a different version or removing the device driver)

Re:Nothing hidden about them...

[EXrider]

Filemon and Regmon are also incredibly useful for finding out what poorly coded software packages (such as MS's own GP 9) with permissions issues are trying to do to files and registry. I've used them on several occasions to put together post-install scripts to change permissions, allowing programs to at least run under a regular user account w/out admin privileges.

Re:the iso to usb tool only accepts win7 isos

[gblackwo]

Even though the application is written specifically for your windows 7 iso- it isn't clear that it won't work for other iso's. Maybe if someone downloads it we will know for sure.

For speedy access

[Spad]

Don't forget live.sysinternals.com for instant access to any of the tools.

Re:For speedy access

Save the text below as updatetools.cmd and run it as a scheduled task once a month.

set to_dir=%~dp0
pushd \\live.sysinternals.com\tools
xcopy /Y /D /C *.* %to_dir%
popd

Re:For speedy access

[rduke15]

Great link! Thanks.

And to have them all on your USB stick, just cd to it, and do :

      wget -cm http://live.sysinternals.com/

Re:For speedy access

[rduke15]

http://downloads.sourceforge.net/gnuwin32/wget-1.11.4-1-setup.exe

Re:Best Buy

ironically... mark sued geeksquad for using these and his other tools!

Performance Monitor

[rwa2]

Barely related to the topic (except that the Sysinternals monitors did a lot of this first), but I've had limited success googling...

The Windows 7 Performance Monitor is very very nice... what utilities under Linux would give it similar abilities to show per-process cpu/mem/disk/network/file/I/O usage?

So far I've managed to scrape together a variety of disparate tools to report on most of those things, but it would be nice if it could all be builtin to e.g. gkrellm or gnome-system-monitor or something.

* (the venerable) top: for sorting by CPU / mem virtual/reserved/shared, but not much else.
* iftop, ntop : to show realtime network activity per host:port (not just an aggregate for the interface). It would be nice to also be able to see net activity per process, though.
* dstat, sar : can print out some disk I/O related numbers at intervals, suitable for plotting. But "dstat --top-bio" only lists the process using the most disk I/O. And other than running "lsof" and trying to manually correlate PIDs, is there a way to actually figure out what file is being written / read?
* ltrace, strace, and dtrace : can tap into a running program and show library and sys.os function calls, (such as files being opened, etc.) but they put in some execution overhead.
* pmap : for digging into memory mapped to processes; would be neat to be able to visualize this... e.g. to see what apps have how much memory swapped to disk, or if something is still mapped to an older version of a shared library after an upgrade, etc.

Re:Performance Monitor

[eeeuh]

Maybe you could give atop http://www.atoptool.nl/ a try?
It shows (per process) disk-IO and nicely integrates cpu/disk/network/io statistics, it can also store statistics for later playback.

When trying to trace which file is getting a lot of IO you might want to take al look at the filedescriptors in /proc//fd in conjunction with lsof/strace. I Don't know of a nicely integrated tool for that unfortunately.

Re:Performance Monitor

[electrostatic]

What's Running is easy to use and provides lots of info on Processes, services, IP connections, modules, drivers, plus associated file locations, memory use, and other bits.
http://www.whatsrunning.net/main.aspx/

Re:Performance Monitor

[EvanED]

I have 'top' aliased to 'htop' on my Linux setup, htop is that awesome.

Re:Performance Monitor

[StuartHankins]

KSysGuard and SystemTap do the majority of what you say you need.

Re:Performance Monitor

[rwa2]

Thanks for the responses... I'd played with atop and htop before, but not enough to find their useful bits.

I forgot to mention iotop, which does show which processes are using disk I/O.

Also just found a nifty thing called smem, which does a pretty nice job showing and sorting which apps have memory swapped out, and how much is shared and unique.

windowssucks tag?

[Angst+Badger]

Well, yes, of course Windows sucks, but the SysInternals package really does mitigate the suckage to a surprising degree. Arguably, it's stuff that should have been part of Windows all along. I've been using it for a couple of years and it has made it much, much easier to beat Windows into submission. It's also extremely useful for finding and removing the crap that virus and malware scanners are apparently incapable of dealing with, as well as finding the mounds of not-actually-temporary temporary files that both Windows and a lot of applications like to consume unreasonable amounts of drive space with.

Re:windowssucks tag?

There's a difference between useful utility programs and bloat. I am not surprised it took a Windows user to conflate them, though.

Wonderful tools

[Sycraft-fu]

These have been available for a long time, used to just be from a site called Sysinternals run by Russonivich before Microsoft hired him. This guy is, literally, the person who wrote the book on Windows. Windows Internals is the current name, used to be called Inside Windows 2000. A wonderful technical document of the internal workings of Windows.

At any rate, Russonivich produces extremely useful tools. Not the sort of thing you want in the hands of inexperienced users, as many of them can break your system, but extremely powerful. I use them all the time in the course of my job, especially when there's manual malware removal that needs to be done. So far, malware is unaware of the ability to suspend a process, which Process Explorer will do. So you suspend the malware, its watcher process doesn't know to restart it. You then use autoruns to remove the startup entries. At that point you can reboot, it won't start, and you can clean up the residuals.

Re:Wonderful tools

[Krneki]

+1 Suspend is an awesome function to quickly disable viruses.

Re:Wonderful tools

[EvanED]

Don't do that. Go to ctrl panel, administrative tools, services, find the "Windows Update" service (I think that's it's name) in the list, and tell it to stop.

Re:Wonderful tools

[oljanx]

"So far, malware is unaware of the ability to suspend a process" Detecting whether a Windows process has been suspended is trivial. It can be done by making calls into the kernel. It could be as simple as monitoring a file the malware is expected to write to every few seconds. I'd guess that the method you've described would defeat only a small percentage of malware in the wild today.

Re:Wonderful tools

[Krneki]

This, my friend, is a fantastic solution.

Re:Wonderful tools

[Sycraft-fu]

You can guess that but you'd guess wrong. I have yet to find a malware that is aware of this. I'm not saying they couldn't be, I'm saying they aren't.

Re:THIS is why I love Windows!

[hduff]

There is nothing like these tools for any other platform on the market. Mark Russinovich is THE MAN!

You mean other than UNIX and Linux systems? I don't see any comparable functionality that is not already available on those systems. It's great that the MS environment gets some useful diagnostic funtionality too; sad they haven't always had it.

Author means filemon not diskmon

[syousef]

Now that I read more carefully author of referenced article must mean Filemon not Diskmon. Diskmon doesn't tell you what files are open (at least not the version I have). Filemon does.

Re:Author means filemon not diskmon

[Dr_Barnowl]

It still tells you which process is thrashing the disk, which is what he wanted to find out.

Re:Author means filemon not diskmon

[vrt3]

It still tells you which process is thrashing the disk, which is what he wanted to find out.

That would be interesting indeed, but how do I do that? I just downloaded it to try it, but the only columns I see are a sequence number, time, duration, the disk number, request type, sector number and length. I can't find a process ID or process name anywhere.

Re:Among them are a tool for creating virtual hard

[Otter+Popinski]

Article is referring to this tool: disk2vhd

Re:Whatabout Virtualbox?

[MikeDaSpike]

It's possible. Create a hardware profile in the vista partition. In that profile change the hard disk controllers to generic ones. Now you can boot your vista partition without any bluescreens. For how to boot it in VB read section 9 of the VBox manual. http://www.virtualbox.org/manual/UserManual.html#rawdisk

Re:the iso to usb tool only accepts win7 isos

[interiot]

There are no silver-bullet solutions for booting ISOs via USB. A silver-bullet solution requires doing "floppy emulation", which is something that can't be easily done in a general-purpose way. For CD booting, each BIOS has this functionality implemented differently. For USB booting, the bootloader has to figure out how to do this. MEMDISK and GRUB4DOS are the only ones I know that do floppy emulation.

But then you have to do CD drive emulation too.

The way almost all ISO=>USB booters work is to pull the pieces apart and make them work without floppy+CD drive emulation. But this requires intimate knowledge of how that ISO normally boots, and thus it can't be a silver-bullet solution.

Re:Putting ISO's onto a usb stick and making boota

[Monkeedude1212]

I think I would be able to use all 3 of the tools they mentioned in the summary - I also enjoy the idea of an ISO boot from a flash drive - as that means I only ever have to store all my ISO's on a hard drive, and then put them on the flash drive when I need to use them, no more need for blank CD's.

I also think creating virtual hard drives from physical ones is a good idea. I have been trying to go more virtual lately, just to keep up with the trends and add some security, but its difficult to get into full swing when all your apps are already installed on the root Machine.

As for the read-write monitoring, I have seen more and more failed hard drives lately, maybe its just my experience, but I have this looming feeling that it'll happen to me soon, and I'll want a record of whats going on.

I read it as: free, not open source, but effective

[anton_kg]

"free" is indeed means not necessary effective to me. I always suspect it might become "not free" tomorrow or I won't be able to add functionality for my specific task if I need to.

A non-sysintenrals thing... but....

[mindstrm]

It's not from sysinternals, but for tiny little utils, Spacemonger - the older version - not the new "installable" one - is absolutely fantastic for finding out where disk-space went..... can't live without it in any windows shop.

this is their second attempt

[anton_kg]

last time they had to shutdown the website and re-licence the tool (http://store.microsoft.com/Help/ISO-Tool) because of GPL violations. I wounder if they use http://unetbootin.sourceforge.net/ source code this time ;-)

Re:this is their second attempt

[anton_kg]

I'm talking their own tool. They had to remove it: http://arstechnica.com/microsoft/news/2009/11/microsoft-pulls-windows-7-tool-after-gpl-violation-claims.ars

Re:Best Buy

[zero0ne]

I understand the joke... but lets be serious here, I would be surprised if even 5% of their staff understands how to use these tools correctly.

When they first started GeekSquad in my area, I was there for a total of 3 months (~15/hr was a good chunk of cash for a college student).

I saw:

- people returning towers that ended up having the actual folder we used to document our steps INSIDE the case (surprised the thing didnt overheat)

- employees trying to remove a power supply without properly unscrewing and detaching the cables from the mobo.

- managers press their staff to push the ~$70 backup "deal" onto customers (4.7GB of backup no less)

- a virus on a PC that looked like it filled up the entire hard drive with empty avi files that had a random porn like name given to em.

- much more I cant recall right now (I've tried to delete it from my memory)

I stopped showing up shortly after.

The only thing I have downloaded from there so far

[FunPika]

Is this wonderful screensaver. >:)

Multiple ISOs on one flash drive

[richardellisjr]

Speaking of booting from an ISO on a flash drive... does anyone know a way to store multiple ISOs files on a flash drive so that you can choose which to boot from? Would make installing the various OSs I use a lot easier than searching for the correct CD/DVD each time I install.

Re:Multiple ISOs on one flash drive

[anton_kg]

Yep. You should be able to do it with grub boot manager and isolinux (http://syslinux.zytor.com/wiki/index.php/ISOLINUX#ISOLINUX_and_Windows_install_disks)

Re:Whatabout Virtualbox?

[SCPRedMage]

http://www.virtualbox.org/manual/UserManual.html#vdidetails

Third bullet point:

VirtualBox also fully supports the VHD format used by Microsoft.

Re:I read it as: free, not open source, but effect

[noidentity]

"not necessarily effective" doesn't mean "ineffective". By saying "free but x", you're saying that free implies "not x", not just "not necessarily x". If it were the latter, you wouldn't describe it as being apparently contradictory to it being free.

Re:Putting ISO's onto a usb stick and making boota

[jez9999]

wtf is the command line? I'm on Slashdot, so you can understand how this is new territory for me. It sounds complicated and scary.

"Access Denied"

[TheNinjaroach]

Process Explorer kicks the crap out of Task Manager simply for the fact that it doesn't give access denied error messages to admins trying to end protected system processes. Try ending the same processes with Process Explorer and it "just works" -- which goes to show that the Task Manager error message has nothing to do with actual account privileges. The first time I found this I realized it's no wonder Windows has such a problem with malware, the applications I run have more access to my system processes than I do!

Re:"Access Denied"

[snowgirl]

Process Explorer kicks the crap out of Task Manager simply for the fact that it doesn't give access denied error messages to admins trying to end protected system processes. Try ending the same processes with Process Explorer and it "just works" -- which goes to show that the Task Manager error message has nothing to do with actual account privileges. The first time I found this I realized it's no wonder Windows has such a problem with malware, the applications I run have more access to my system processes than I do!

There is an error message reported with Server 2003 when attempting to install the MUI pack onto Server 2003 x64 German, saying that the architecture is wrong, or something like that. The reason why it is reporting this message is because the installer grouped two return codes into the same function: it checked the architecture, and then it also checked the language. Even though the architecture matches, the language (MUI can only be installed on English versions) mismatches, and thus it reports the error.

The error used to say, "the architecture and/or language may be wrong", but when Server 2003 SP1 shipped, x64 only had English and Japanese, meaning that the "language" error was highly unlikely, so they dumped that part of the message.

Eventually, I had to come back with the answer, "it's wrong, it's a bug, and there's nothing we can do to fix it, because the bug is in the software that has already shipped, and short of patching it on-the-fly, there's no way we can maim SP2 to make the error message turn up correctly anymore."

There are a lot of reasons for error messages to be thrown up, and sometimes developers don't get picky and just throw up the most convenient one. Most likely, Task Manager knows that killing the appropriate process is a bad idea, and MSFT has taken the choice to not hand you enough rope to hang yourself. I certainly know that sending a SEGV signal to init is a bad idea in *nix, even if certain flavors will let you do it or not.

Re:"Access Denied"

[TheNinjaroach]

I certainly know that sending a SEGV signal to init is a bad idea in *nix, even if certain flavors will let you do it or not.

I've never used any flavor of Linux that ever pretended to know better than root, and that's just the way I like it.

Re:"Access Denied"

[snowgirl]

I certainly know that sending a SEGV signal to init is a bad idea in *nix, even if certain flavors will let you do it or not.

I've never used any flavor of Linux that ever pretended to know better than root, and that's just the way I like it.

Actually, you can't send SIGKILL to the init process in linux. To quote the manpage:

The only signals that can be sent task number one, the init process, are those for which init has explicitly installed signal handlers. This is done to assure the system is not brought down accidentally.

Re:THIS is why I love Windows!

[TheNinjaroach]

Spoken by someone who apparently hasn't used any other platform on the market.

Re:Those that do not understand UNIX

heh.. The original Unix design would *SUCK* in 2010. Hell they didn't even have a way to do proper multi-threading in the kernel. Not to mention the ugly kernel locks giving terrible SMP characteristics. Linux used to suffer from those flaws too too until they deviated from mainstream Unix. But because most people are ignorant about these difference they just lump them together.

IMO for its time NT was a far superior design than any mainstream Unix out there. The NT kernel is still rock solid, but the win32 subsystem is showing its age..

Re:Putting ISO's onto a usb stick and making boota

[ottothecow]

I always use the program that ubuntu provides to make live usb ubuntu installs (unetbootin or something). It has an option to use any ISO rather than pulling down the ubuntu files.

It's not great though (it likes to stop in the middle and you have no way of knowing if it is just going slow or has crashed)...I'll have to give this a try.

Re:I read it as: free, not open source, but effect

[jpate]

Obligatory comment mentioning that (copylefted) Free software is the only kind of software where your suspicions do not apply.

Re:Best Buy

[geminidomino]

He knows that. His post isn't funny without that fact.

It wasn't all that funny WITH that fact. ;)

Re:We've had them on UNIX for ages now!

[man_of_mr_e]

Ummm.. I would think that doing a block copy of an ISO image to a USB drive would result in a corrupt disk, though I suppose you could always force the mount to mount it as a CDFS, but even so it would seem to the disk characteristics of a floppy vs cd would be totally different.

My understanding is that you have to do more than a block for block translate to make a bootable USB device from an ISO image.

Re:THIS is why I love Windows!

[geminidomino]

Whoosh.

Other Sysinternals tools

[the_saint1138]

Slightly off-topic, but I just wanted to say that sysinternals' Process Explorer and Autoruns are the two most valuable anti-virus tools on the planet. No Windows-savvy geek should be caught without them. Also, I've yet to see a nicer interface on any linux tool that does the same.

Re:Other Sysinternals tools

[jgtg32a]

I've used PE for years, just got Autoruns and it is very nice.

Re:I read it as: free, not open source, but effect

[anton_kg]

there are 3 points of view here:
- English grammar (and you are right about it)
- lack of respect to a free tools by author
- my own interpretation from open source point of view

Re:the iso to usb tool only accepts win7 isos

[interiot]

That's incomplete emulation. By floppy emulation, I mean that when a CD starts booting, the BIOS makes something show up on the A: drive, and makes it look (to the software) very very close to what a real floppy would look like (ie. responds to BIOS calls (INT 13h) in the way that a floppy does).

For starters, you can't make a disk partition look like an unpartitioned drive.

Re:Those that do not understand UNIX

[EvanED]

My personal response to that is "Those who do understand Unix are condemned to think it's actually a good idea."

Re:Those that do not understand UNIX

[jgtg32a]

Maybe but I would love for you to point me in the direction of a tool that is half as awesome as process explorer
 
Seriously though, me love you long time

Re:Newsid

[jtdennis]

NewSID does work with Vista, but it was retired last year. Russinovich looked into the common belief of why everyone thought we needed to change the SID and determined that it wasn't necessary. His full post is here

Re:THIS is why I love Windows!

[EvanED]

You mean other than UNIX and Linux systems? I don't see any comparable functionality that is not already available on those systems.

If you're so confidant, perhaps you can answer this guy's questions.

Re:THIS is why I love Windows!

[jgtg32a]

Process Explorer would like to have a word with you.

Re:Putting ISO's onto a usb stick and making boota

[clarkn0va]

I've had mixed luck using unetbootin with non-Linux isos. freedos works fine, but I don't think I've ever made it work with any Windows product, including Win7 and Office2007OPK.

Re:Putting ISO's onto a usb stick and making boota

[ottothecow]

Odd, I am pretty sure that that is how I installed my current win7 system but I have had it work poorly with something in the past.

Re:the iso to usb tool only accepts win7 isos

[interiot]

I'm not sure. I guess I have been poking around in mostly older ISOs. There are various tools to see if an ISO is marked as no-emulation or floppy-emulation, if you have some Windows installer ISOs lying around (I don't have any with me at work right now, sorry... I might check when I get home). Bart's BBIE can also extract the floppy boot image if you want to look into a specific boot floppy. (and then WinImage can be used to look inside the files in the floppy .img)

Re:Flamebait?

[S-100]

Get used to nut-job moderators. I had a post with NO mod points flagged as "overrated".

Umm

[The+MAZZTer]

The ISO tool isn't by Sysinternals, and Filemon (he said that instead of Diskmon) has been discontinued in favor of the more versatile Process Monitor.

Re:Those that do not understand UNIX

[buchanmilne]

If you mean for the pure same (or more) functionality (but not necessarily concerned with a GUI), lsof has been around for ever.

Although to get the exact functionality (choose a process, find what files it has open) you need to run 'ps' to get the pid of interest, then lsof -p $pid (which may be a little bit more effort), the advantage of lsof is if you don't know exactly what file, or exactly what process, because then you can pipe the output for all processes to grep/awk/sed/perl to filter on a user, file, specific block device etc. (using patterns/regular expressions) or script killing the potentially multiple process with open files in a filesystem you have to take offline.

lsof shows the current working directory, the binary itself (useful in case a process has changed it's process label), the shared libraries, any open files (which includes real files, stdin/stdout/stderr, and open sockets).

If you don't mean exactly the same functionality, but which could be used for some similar problems, see the Linux Trace Toolkit - Next Generation, which provides a similar GUI for a slightly different purpose.

Re:Those that do not understand UNIX

[buchanmilne]

So it turns out that there is a GUI for lsof.

I've never needed a GUI for lsof, but I guess some people would say it is required if there is a similar GUI tool for Windows ...

Re:the iso to usb tool only accepts win7 isos

[buchanmilne]

Don't use it on all ISOs without first checking if it is required. For example, AFAIK recent Fedora and Mandriva ship hybrid ISOs, using unetbootin is both unnecessary (dd is sufficient to transfer to the ISO to a usb stick such that it will boot, Mandriva provides a GUI tool for Windows and Linux for those who forget to dd to the entire block device, not the partition ...) and harmful (if you run unetbootin, it will break the feature, and *not* boot from the USB stick).

MOD PARENT UP!

[chevman]

MOD PARENT UP!

Another noise article...

[thePowerOfGrayskull]

Why is it we have so many articles that are just pass-through sites (if we're lucky) to the actual thing they're talking about? Is that what "journalism" has become -- regurgitating single-source information from other places?

Re:The only thing I have downloaded from there so

[socsoc]

This one bit me in the ass because I forgot that I enabled it. I was pissed when I returned from an extended break...

Free, BUT effective?

[wolf1oo]

-They're free, but they're effective.

I wonder what on earth the original writer meant by that? Apparently this world believes free software is bad. Ugh :(
Tools such as these and many more have existed inherently in Unix and especially GNU/Linux based systems for at least twenty years now. And, not that I have tried the software released by MS, but I'm willing to bet the open source software is more malleable, capable, and provides much more functionality.

Re:Newsid

[zoloto]

For those who are still insistent on using it, NewSID v4.10 can be downloaded from here

Is there a tool for this?

[hackingbear]

I have been frustrated by the inability to safe-remove / unmount a removable drive in Windows Vista. The Safe-Remove tool comes with the system works poorly. A lot of times, even if my drive has been idled for over two days, it cannot stop the system daemon svchost, which is the only program accessing the drive as shown in the resource monitor. It forces me to shut down the system. Is there a tool to force the programs and the system daemon to give up accessing the drive? Something this generic is not searchable.

UpdateTools.cmd correction and explanation

[Futurepower(R)]

Quotes are needed around to_dir if the initial folder name has spaces:

:: UpdateTools.cmd
::
:: Copies or updates the Sysinternals tools from
:: Microsoft's live.sysinternals.com web site.
::
:: Set the to_dir local environment variable
:: to the current path in which this batch
:: file is located.
SET to_dir=%~dp0
::
:: Save the current folder and switch to
:: the \\live.sysinternals.com\tools folder.
PUSHD \\live.sysinternals.com\tools
::
:: Use the XCOPY command to copy all the files
:: from the tools sub-folder to the current folder.
:: /Y Overwrite existing files without notification.
:: /D Copy only files that don't exist, or newer files.
:: /C Continue copying even if there are errors.
:: Use quote marks around to_dir because there
:: may be spaces in the initial folder name.
XCOPY /Y /D /C *.* "%to_dir%"
::
:: Switch back to the original folder, the one
:: in which this batch file is located.
POPD

Re:Newsid

[RulerOf]

In short, SID regeneration is only 100% necessary in workgroup environments, from what I recall, but I remember reading or hearing that Microsoft won't support a cloned system unless it's been sysprepped. Is that still true?

An even better process manager

[jonaskoelker]

Process Explorer is what Windows should ship with instead of task manager.

I vote for psdoom ;-)

not so hidden...

[bostei2008]

they have been around for a long long time.

Re:the iso to usb tool only accepts win7 isos

[cbhacking]

Technically true, but it's still pretty damn easy. Most systems will happily treat any UMS device as a bootable drive, in which case you just have to do the same things that make a hard disk bootable; mark one partition active and install a bootloader. Simply installing a bootloader to the MBR should also work. In Windows, you can mark a partition active (including one on a flashdrive) using diskpart.exe (command line tool that comes with Windows and should be in your PATH). After that, it's just a matter of copying some bootable media on there; WinPE works pretty well, for example (I have a modified Win7 install image, useful either for installations or diagnostics/repairs).

Getting the files is the easy part; either burn the image, mount it, or unpack it with a tool like 7-zip. Then just copy the files onto the flashdrive, and you're good to go.

For Windows 7 Ultimate Too?

[tjstork]

Do you really think the average office worker cares about examining mount points or finding out how many USER handles a process is using? That's why Microsoft doesn't ship any of that with Windows, and they probably never will.

That argument only holds water with Windows 7 Home. Windows 7 Professional and Windows 7 Ultimate is the mainstream developer platform.

Linux with all of the tools and Windows with, well, whatever it comes with, occupy about the same size of a DVD. I would think that Windows 7 Professional or Ultimate should come with all of these sorts of tools, and indeed, but instead, I can burn an ISO with Linux, but not Win7, out of the box.

Re:We've had them on UNIX for ages now!

[jijacob]

My understanding is that you have to do more than a block for block translate to make a bootable USB device from an ISO image.

This is correct. With DD you have to start with an IMG file specifically for flash drive/non-cd use. Ubuntu does ship with a couple other tools (unetbootin and the USB startup disk creator come to mind) that will write from a CD-format .iso.

Re:Flamebait?

[mcgrew]

Oh, I'm used to it, but it still irks me when someone's useful comment is buried like that. I've been modbombed quite often, but it seldom hurts anything, as someone else mods it back up. I just wanted to draw attention to the guy's comment that some asshat tried to bury.

I wish they'd bring back the old style metamoderation.

Re:THIS is why I love Windows!

[StuartHankins]

Well, I'm not a "confidant" but I will try to answer your post. That post you refer to is someone looking for a laundry list of tools to be delivered in a SINGLE app / interface (and I'd shudder at having all of that together in a blob). Basically they're wanting an iStat-type GUI tool... which would have to fill the entire screen (or screens) just to display all that info. On larger systems the concept would be even less useful.

KSysGuard does most of what they want in a single interface. SystemTap will give the rest.

Re:Newsid

[jtdennis]

It probably is still policy. Sysprep is now included in %windir%\system32\sysprep in Vista and Windows 7. I've been working with it for a few months and it's much easier to use over older versions.

Re:Newsid

[StuartHankins]

Unfortunately in this case Russinovich was wrong, at least for XP installations. Microsoft still recommends changing the SID, claiming that you risk allowing access to data (as well as other nasties) if you don't change the SID. http://support.microsoft.com/default.aspx?scid=kb;en-us;314828 To further clarify, from that same page:

Microsoft does not provide support for computers on which Windows XP is installed by duplication of fully installed copies of Windows XP. Microsoft does support computers on which Windows XP is installed by use of disk-duplication software and the System Preparation tool (Sysprep.exe).

Wrong twice...

[thijsh]

It is easy to replace the task manager by putting a single check in the menu.
And the only thing missing in my opinion is the 'Network' tab, I only use the task manager for this otherwise I would always use ProceXP (and I was told by Mark Russinovich this will be added sometime in the near future).

P.S. In my personal opinion Mark Russinovich is the *only* person at Microsoft who has any idea of what makes Windows actually tick... To any sysadmin he should be the hero that makes life a little easier.

Re:We've had them on UNIX for ages now!

[man_of_mr_e]

It's amazing how many people blindly say that you can use dd for this, obviously never having done it themselves.

Do a google search, and you find tons of people saying the same thing, finding the real information is actually quite difficult.

Re:Putting ISO's onto a usb stick and making boota

[MrNemesis]

Same here. unetbootin is great for blowing a Linux ISO onto a USB stick, but I've yet to see it work with any ISO that's not Linux-based and it doesn't seem to deal with multiple images on the same stick very well. What I really want is a USB bootloader that you can just point at a list of ISO files and boot straight from them, as 95% of the CD's I burn are fiddly 1-5MB firmware/BIOS updaters which'll only be used once or twice. Similarly, it'd be great to have an 8GB USB stick with a truckload of ISOs on it to allow you to carry your entire wallet of diagnostic/recovery discs on your keyring.

GRUB2 is meant to have this functionality but I've never managed to get it to work. Shall give GRUB4DOS a whirl perhaps, it seems alot more clear cut.