Slashdot Mirror
The Hidden Treasures of Sysinternals
Barence writes "PC Pro contributing editor Jon Honeyball has written a nice feature on the latest treasures to be found on the Windows Sysinternals website. Among them are a tool for creating virtual hard disks from physical drives, a hard disk read-write monitoring tool, and a utility for putting ISO images onto flash drives. They're free, but they're effective."
There's a reason MS bought the company and hired Mark, he consistently puts out the most useful tools for in the trenches Windows diagnostics. Heck MS's PSS would routinely have you use his tools even before the purchase because nothing they put out internally was nearly as useful.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Comment removed based on user account deletion
You know, sysinternals was amazing piece of reverse engineering work and some of the utilities that came out of it were pretty interesting as examples of that reverse engineering work.
But...
All that stuff is junk compared to what Linux does for utilities!
I mean, my ubuntu has had burning ISOs and copying them any which way now for at leas 5 years. I can type sensors and get the motherboard temperature, fan speeds, everything. I mean, if you are into doing hardware and low level OS hardware interfacing stuff, there's enough gobblygook in /proc to keep anyone happy from Linux, and then there's all the log files and then the source.
I mean, yeah, Windows has its advantages, but sysinternals isn't one of them. sysinternals is just proof that for a lot of applications you have to be a hero to get it to do anything simply because the source is closed.
This is my sig.
Process Explorer is what Windows should ship with instead of task manager.
Process Monitor is so kick ass... I can't even put it in words.
Not to be confused with the Sisinternals porn website.
> They're free, but they're effective.
What an unusual combination of attributes!
This is very useful- I was one of the people who stuck the Windows 7 MSDNAA downloaded iso onto a flash drive in order to install it to my desktop and laptop.
The more difficult part for normal users is not extracting the iso to the drive but making the drive bootable- which unless you have a utility (Like the one in the article)- requires some command line work. This would make the process way quicker.
Tried using it on my box as a backup tool for a clean install of Win7. AVOID IF YOU ARE GOING TO USE THE SAME PHYSICAL DRIVE. Windows 7 couldn't mount or boot it. Known issue, and extremely aggravating.
"Sometimes a woman is a kind of religion, she can save your soul & set you free from all your sins" - Bad Examples
I used SelfImage recently to dd a windows 2003 box to an LVM-based virtual machine on Proxmox, a Debian-based Virtual Machine Server. Worked a treat. While I see the benefit of created a Microsoft VHD if you're an MS shop, we're a mix so being able to pump a live physical disk into a remote logical volume was great.
There, fixed that for you. Saying "free but effective" suggests that free implies ineffective.
They're excellent for a wide range of things. Filemon (now superceded but still available) is an excellent tool for working out what files a piece of software is opening (eg. if you're trying to find config files). Regmon does something similar for the registry. Process explorer is stellar for getting more detail on a process than task manager will ever give (like where the image is running from and what DLLs it's using). Sysinternals filled a gap in diagnostic software. In a Windows environment they're as basic to me as netstat or ping. (speaking of which check out sysinternals tcpview). Especially good for tracing a user mode process right through. There are a lot of other utils to unlock the power of your Windows environment too.
Two sysinternals that weren't mentioned worth knowing about:
streams - view or remove hidden file streams attached to a file not normally seen in explorer. Especially good for removing that pesky "downloaded files are bad" warning when something is marked as being from the Internet zone.
junction - One of a handful of tools that allows you to create junctions (simliar to but not the same as hard directory links) in Windows XP.
The other non-sys-internals thing that every power user should know about is windbg and the debugging symbols. Indespesible for tracking down the culprit if you get blue screens due to device drivers (though obviously non-developers are not going to be able to do much about fixing the fault apart from downloading a different version or removing the device driver)
These posts express my own personal views, not those of my employer
Don't forget live.sysinternals.com for instant access to any of the tools.
These have been available for a long time, used to just be from a site called Sysinternals run by Russonivich before Microsoft hired him. This guy is, literally, the person who wrote the book on Windows. Windows Internals is the current name, used to be called Inside Windows 2000. A wonderful technical document of the internal workings of Windows.
At any rate, Russonivich produces extremely useful tools. Not the sort of thing you want in the hands of inexperienced users, as many of them can break your system, but extremely powerful. I use them all the time in the course of my job, especially when there's manual malware removal that needs to be done. So far, malware is unaware of the ability to suspend a process, which Process Explorer will do. So you suspend the malware, its watcher process doesn't know to restart it. You then use autoruns to remove the startup entries. At that point you can reboot, it won't start, and you can clean up the residuals.
There is nothing like these tools for any other platform on the market. Mark Russinovich is THE MAN!
You mean other than UNIX and Linux systems? I don't see any comparable functionality that is not already available on those systems. It's great that the MS environment gets some useful diagnostic funtionality too; sad they haven't always had it.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
There are no silver-bullet solutions for booting ISOs via USB. A silver-bullet solution requires doing "floppy emulation", which is something that can't be easily done in a general-purpose way. For CD booting, each BIOS has this functionality implemented differently. For USB booting, the bootloader has to figure out how to do this. MEMDISK and GRUB4DOS are the only ones I know that do floppy emulation.
But then you have to do CD drive emulation too.
The way almost all ISO=>USB booters work is to pull the pieces apart and make them work without floppy+CD drive emulation. But this requires intimate knowledge of how that ISO normally boots, and thus it can't be a silver-bullet solution.
Uh, it hasn't been third party for a long time.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Process Explorer kicks the crap out of Task Manager simply for the fact that it doesn't give access denied error messages to admins trying to end protected system processes. Try ending the same processes with Process Explorer and it "just works" -- which goes to show that the Task Manager error message has nothing to do with actual account privileges. The first time I found this I realized it's no wonder Windows has such a problem with malware, the applications I run have more access to my system processes than I do!
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox
Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.
http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
Oh yes, that's really easier that to type ls -l, ps -ef or ps -ef|grep firefox
Okay, now what's your command line for printing just the file name and it's size? (Pretend you can't use 'du' or something like that.) Or just a list of process IDs with their command lines. (Both of these may be possible -- but the point is that the means of doing so isn't discoverable, you have to read the docs. In PowerShell, these operations *are* somewhat discoverable.)
Besides, I never claimed that PowerShell was better or easier to use than the Unix shells. (I certainly don't claim it's as concise; verbosity is pretty common with Windows API names and such too.) My main claim is that it's merely different -- different enough that to say that it's a copy on anything more than a "hey look, Windows has a half decent command line" level does a disservice to what the PowerShell team did.
Sorry, but the real advantages in the *nix shells is that every output is just plain simple text. That means, I can grep it, parse it, format it what ever I like and won't be restricted to the PowerShell to do anything use full.
The fact that "every output is just plain simple text" can very much be a drawback too, because it means that a lot of the time you wind up doing some ad-hoc parsing that often works "well enough" but has problems.
For instance, take something that I did earlier today for this post: extract from my shell history file a list of the commands I have run so I could sort them and count occurrences.
My history file has lines that look like this:
(The first number is the timestamp, the second number is duration.) Give me a command line that will return a list of command names I've run, so that I can then pipe it to "sort | uniq -c | sort -g".
No really, I'm not kidding; come up with what you would do before reading on.
My assertion is that this would be trivial in the PowerShell world, if there was a "history" command that would return a list of objects containing, e.g., a CommandPath field. Just 'get-history | select-object CommandPath'.
What did I do in Linux? This:
cat zsh-history | cut "-d;" -f2 | cut "-d " -f1
This isn't so ugly... but it also has a ton of problems:
How many of these problems did your solution have?
(I don't claim that mine is the best possible one -- but I don't know a way to do better without adding *substantial* complexity, and I'm quite comfortable at the command line and at least somewhat conversant with most of the standard Unix utilities.)