Slashdot Mirror
The Hidden Treasures of Sysinternals
Barence writes "PC Pro contributing editor Jon Honeyball has written a nice feature on the latest treasures to be found on the Windows Sysinternals website. Among them are a tool for creating virtual hard disks from physical drives, a hard disk read-write monitoring tool, and a utility for putting ISO images onto flash drives. They're free, but they're effective."
psexec has saved my ass SO many times it's not even funny. psexec \\almostcrashedserver cmd.exe
There's a reason MS bought the company and hired Mark, he consistently puts out the most useful tools for in the trenches Windows diagnostics. Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Comment removed based on user account deletion
You know, sysinternals was amazing piece of reverse engineering work and some of the utilities that came out of it were pretty interesting as examples of that reverse engineering work.
But...
All that stuff is junk compared to what Linux does for utilities!
I mean, my ubuntu has had burning ISOs and copying them any which way now for at leas 5 years. I can type sensors and get the motherboard temperature, fan speeds, everything. I mean, if you are into doing hardware and low level OS hardware interfacing stuff, there's enough gobblygook in /proc to keep anyone happy from Linux, and then there's all the log files and then the source.
I mean, yeah, Windows has its advantages, but sysinternals isn't one of them. sysinternals is just proof that for a lot of applications you have to be a hero to get it to do anything simply because the source is closed.
This is my sig.
Process Explorer is what Windows should ship with instead of task manager.
Process Monitor is so kick ass... I can't even put it in words.
Not to be confused with the Sisinternals porn website.
> They're free, but they're effective.
What an unusual combination of attributes!
This is very useful- I was one of the people who stuck the Windows 7 MSDNAA downloaded iso onto a flash drive in order to install it to my desktop and laptop.
The more difficult part for normal users is not extracting the iso to the drive but making the drive bootable- which unless you have a utility (Like the one in the article)- requires some command line work. This would make the process way quicker.
Tried using it on my box as a backup tool for a clean install of Win7. AVOID IF YOU ARE GOING TO USE THE SAME PHYSICAL DRIVE. Windows 7 couldn't mount or boot it. Known issue, and extremely aggravating.
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
I used SelfImage recently to dd a windows 2003 box to an LVM-based virtual machine on Proxmox, a Debian-based Virtual Machine Server. Worked a treat. While I see the benefit of created a Microsoft VHD if you're an MS shop, we're a mix so being able to pump a live physical disk into a remote logical volume was great.
This was a god send to me, after VMWare Converter could not/would not convert a machine of mine, even after registry and driver cleaning, it just failed near the end without a meaningful error message in the log.
I used disk2vhd, booted up the image in VirtualBox, and bingo - working image.
/\/\icro/\/\uncher
There, fixed that for you. Saying "free but effective" suggests that free implies ineffective.
They're excellent for a wide range of things. Filemon (now superceded but still available) is an excellent tool for working out what files a piece of software is opening (eg. if you're trying to find config files). Regmon does something similar for the registry. Process explorer is stellar for getting more detail on a process than task manager will ever give (like where the image is running from and what DLLs it's using). Sysinternals filled a gap in diagnostic software. In a Windows environment they're as basic to me as netstat or ping. (speaking of which check out sysinternals tcpview). Especially good for tracing a user mode process right through. There are a lot of other utils to unlock the power of your Windows environment too.
Two sysinternals that weren't mentioned worth knowing about:
streams - view or remove hidden file streams attached to a file not normally seen in explorer. Especially good for removing that pesky "downloaded files are bad" warning when something is marked as being from the Internet zone.
junction - One of a handful of tools that allows you to create junctions (simliar to but not the same as hard directory links) in Windows XP.
The other non-sys-internals thing that every power user should know about is windbg and the debugging symbols. Indespesible for tracking down the culprit if you get blue screens due to device drivers (though obviously non-developers are not going to be able to do much about fixing the fault apart from downloading a different version or removing the device driver)
These posts express my own personal views, not those of my employer
Because the PC Pro editor just discovered it and doesn't know any better.
It must have been something you assimilated. . . .
Don't forget live.sysinternals.com for instant access to any of the tools.
Well, yes, of course Windows sucks, but the SysInternals package really does mitigate the suckage to a surprising degree. Arguably, it's stuff that should have been part of Windows all along. I've been using it for a couple of years and it has made it much, much easier to beat Windows into submission. It's also extremely useful for finding and removing the crap that virus and malware scanners are apparently incapable of dealing with, as well as finding the mounds of not-actually-temporary temporary files that both Windows and a lot of applications like to consume unreasonable amounts of drive space with.
Proud member of the Weirdo-American community.
These have been available for a long time, used to just be from a site called Sysinternals run by Russonivich before Microsoft hired him. This guy is, literally, the person who wrote the book on Windows. Windows Internals is the current name, used to be called Inside Windows 2000. A wonderful technical document of the internal workings of Windows.
At any rate, Russonivich produces extremely useful tools. Not the sort of thing you want in the hands of inexperienced users, as many of them can break your system, but extremely powerful. I use them all the time in the course of my job, especially when there's manual malware removal that needs to be done. So far, malware is unaware of the ability to suspend a process, which Process Explorer will do. So you suspend the malware, its watcher process doesn't know to restart it. You then use autoruns to remove the startup entries. At that point you can reboot, it won't start, and you can clean up the residuals.
The guy behind sysinternals tried to, and was almost a success, but nope.
Is the failure you're talking about this?
What are the shortcomings of Sysinternals' Desktops?
I haven't tried other solutions but I occasionally use this and it works fairly well.
There is nothing like these tools for any other platform on the market. Mark Russinovich is THE MAN!
You mean other than UNIX and Linux systems? I don't see any comparable functionality that is not already available on those systems. It's great that the MS environment gets some useful diagnostic funtionality too; sad they haven't always had it.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Maybe you could give atop http://www.atoptool.nl/ a try?
It shows (per process) disk-IO and nicely integrates cpu/disk/network/io statistics, it can also store statistics for later playback.
When trying to trace which file is getting a lot of IO you might want to take al look at the filedescriptors in /proc//fd in conjunction with lsof/strace. I Don't know of a nicely integrated tool for that unfortunately.
It's possible. Create a hardware profile in the vista partition. In that profile change the hard disk controllers to generic ones. Now you can boot your vista partition without any bluescreens. For how to boot it in VB read section 9 of the VBox manual. http://www.virtualbox.org/manual/UserManual.html#rawdisk
There are no silver-bullet solutions for booting ISOs via USB. A silver-bullet solution requires doing "floppy emulation", which is something that can't be easily done in a general-purpose way. For CD booting, each BIOS has this functionality implemented differently. For USB booting, the bootloader has to figure out how to do this. MEMDISK and GRUB4DOS are the only ones I know that do floppy emulation.
But then you have to do CD drive emulation too.
The way almost all ISO=>USB booters work is to pull the pieces apart and make them work without floppy+CD drive emulation. But this requires intimate knowledge of how that ISO normally boots, and thus it can't be a silver-bullet solution.
It's not from sysinternals, but for tiny little utils, Spacemonger - the older version - not the new "installable" one - is absolutely fantastic for finding out where disk-space went..... can't live without it in any windows shop.
I understand the joke... but lets be serious here, I would be surprised if even 5% of their staff understands how to use these tools correctly.
When they first started GeekSquad in my area, I was there for a total of 3 months (~15/hr was a good chunk of cash for a college student).
I saw:
- people returning towers that ended up having the actual folder we used to document our steps INSIDE the case (surprised the thing didnt overheat)
- employees trying to remove a power supply without properly unscrewing and detaching the cables from the mobo.
- managers press their staff to push the ~$70 backup "deal" onto customers (4.7GB of backup no less)
- a virus on a PC that looked like it filled up the entire hard drive with empty avi files that had a random porn like name given to em.
- much more I cant recall right now (I've tried to delete it from my memory)
I stopped showing up shortly after.
Process Explorer kicks the crap out of Task Manager simply for the fact that it doesn't give access denied error messages to admins trying to end protected system processes. Try ending the same processes with Process Explorer and it "just works" -- which goes to show that the Task Manager error message has nothing to do with actual account privileges. The first time I found this I realized it's no wonder Windows has such a problem with malware, the applications I run have more access to my system processes than I do!
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
That's obviously coming from someone who hasn't spend much time with PowerShell.
I don't make the claim that PS is better (or worse) than the Unix shells, but it does bring a bunch of things to the table that aren't in any common shell. In particular, the ability to pipe objects between processes instead of just text.
In fact, besides "a capable command line tool", there's really almost nothing that MS took from Unix with PowerShell. (In particular, in some very obnoxious ways it still behaves like cmd.exe, and it still is hosted in the god-awful terminal program that cmd is.)
For instance, here's the output of 'dir' in PowerShell:
Suppose I want just the name? Under Unix, I'd have to pass some ls-specific flag to get just the name. (Pretend ls worked the opposite it does, and gave long listings by default. This detail doesn't change what I'm saying.) In PowerShell, I just say I want the name field, with dir | select-object name:
I want the name and time it was created? That's dir | select-object Name,CreationTime:
The same syntax works for other commands. This is get-process | select-object Id,ProcessName:
That's because what 'dir' and 'get-process' actually output is a list of objects, which PowerShell then formats in the table it displays. 'select-object' (I don't claim it's well-named) removes unselected fields from the given objects. 'select-object' (I don't claim it's well-named) removes unselected fields from the given objects.
(lameness filter blah blah blah... using up some space blah blah blah. Hey, did you hear about the /. poster who got trolled? Oh, that's everyone right.)
NewSID does work with Vista, but it was retired last year. Russinovich looked into the common belief of why everyone thought we needed to change the SID and determined that it wasn't necessary. His full post is here
-- "Freedom is the right of all sentient beings" -Optimus Prime
Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox
Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox
Okay, now what's your command line for printing just the file name and it's size? (Pretend you can't use 'du' or something like that.) Or just a list of process IDs with their command lines. (Both of these may be possible -- but the point is that the means of doing so isn't discoverable, you have to read the docs. In PowerShell, these operations *are* somewhat discoverable.)
Besides, I never claimed that PowerShell was better or easier to use than the Unix shells. (I certainly don't claim it's as concise; verbosity is pretty common with Windows API names and such too.) My main claim is that it's merely different -- different enough that to say that it's a copy on anything more than a "hey look, Windows has a half decent command line" level does a disservice to what the PowerShell team did.
Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.
The fact that "every output is just plain simple text" can very much be a drawback too, because it means that a lot of the time you wind up doing some ad-hoc parsing that often works "well enough" but has problems.
For instance, take something that I did earlier today for this post: extract from my shell history file a list of the commands I have run so I could sort them and count occurrences.
My history file has lines that look like this:
(The first number is the timestamp, the second number is duration.) Give me a command line that will return a list of command names I've run, so that I can then pipe it to "sort | uniq -c | sort -g".
No really, I'm not kidding; come up with what you would do before reading on.
My assertion is that this would be trivial in the PowerShell world, if there was a "history" command that would return a list of objects containing, e.g., a CommandPath field. Just 'get-history | select-object CommandPath'.
What did I do in Linux? This:
cat zsh-history | cut "-d;" -f2 | cut "-d " -f1
This isn't so ugly... but it also has a ton of problems:
How many of these problems did your solution have?
(I don't claim that mine is the best possible one -- but I don't know a way to do better without adding *substantial* complexity, and I'm quite comfortable at the command line and at least somewhat conversant with most of the standard Unix utilities.)