Programming Tutorials on different platforms

Any general and specialized interesting programming language training and exploration. Fun with knowledge.

Saturday, March 27, 2010

WINDOWS SYS-INTERNALS : ALL VITAL INFORMATION

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/toolname or \\live.sysinternals.com\tools\toolname.
You can view the entire Sysinternals Live tools directory in a browser at http://live.sysinternals.com.

• AdExplorer v1.30
This update to AdExplorer, an Active Directory editor, has major node expansion performance improvements and a number of minor bug fixes.
• VMMap v2.6
VMMap, a powerful process virtual and physical memory analysis tool, now shows both graphical and numeric breakdowns of private virtual memory, as well as heap configuration flags.
• ProcDump v1.7
This update to ProcDump, a command-line utility that will generate memory dumps of processes based on various selectable criteria, now supports periodic timed dumps as well as dumps based on virtual memory thresholds.
• AccessChk v4.24
AccessChk, a utility that shows effective security permissions for files, registry keys, services, and more, now supports process tokens.
• VMMap v2.5
This update to VMMap, a process memory analysis utility, now identifies thread environment blocks (TEBs), the process environment block (PEB), and reserved memory.
• Disk2vhd v1.4
Disk2vhd now includes an option for Windows XP and Windows Server 2003 that directs it to fix up the kernel and HAL to make the VHDs generated for these systems bootable in Virtual PC. It also skips sectors with CRC errors to enable the conversion of systems with failing disks.
Process Explorer v12
http://technet.microsoft.com/hi-in/sysinternals/bb896653%28en-us%29.aspx
Introduction

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

Active Directory Explorer v1.3
By Bryce Cogswell and Mark Russinovich
http://technet.microsoft.com/hi-in/sysinternals/bb963907%28en-us%29.aspx
Active Directory Explorer (AD Explorer) is an advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
AD Explorer also includes the ability to save snapshots of an AD database for off-line viewing and comparisons. When you load a saved snapshot, you can navigate and explore it as you would a live database. If you have two snapshots of an AD database you can use AD Explorer's comparison functionality to see what objects, attributes and security permissions changed between them.

VMMap v2.62
By Mark Russinovich and Bryce Cogswell
http://technet.microsoft.com/hi-in/sysinternals/dd535533.aspx
Introduction
VMMap is a process virtual and physical memory analysis utility. It shows a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Besides graphical representations of memory usage, VMMap also shows summary information and a detailed process memory map. Powerful filtering and refresh capabilities allow you to identify the sources of process memory usage and the memory cost of application features.
Besides flexible views for analyzing live processes, VMMap supports the export of data in multiple forms, including a native format that preserves all the information so that you can load it back in later. It also includes command-line options that enable scripting scenarios.
VMMap is the ideal tool for developers wanting to understand and optimize their application's memory resource usage.

ProcDump v1.72
By Mark Russinovich
http://technet.microsoft.com/hi-in/sysinternals/dd996900%28en-us%29.aspx
ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use) and unhandled exception monitoring. It also can serve as a general process dump utility that you can embed in other scripts.
Using ProcDump

usage: procdump [-64] [[-c CPU usage] [-u] [-s seconds]] [-n exceeds] [-e] [-h] [-m commit usage] [-ma] [-o] [-r] [-t] <[process name or PID] | [-x image [arguments]]> [dump file]
-64 By default Procdump will capture a 32-bit dump of a 32-bit process when running on 64-bit Windows. This option overrides to create a 64-bit dump.
-c CPU threshold at which to create a dump of the process.
-e Write a dump when the process encounters an unhandled exception.
-h Write dump if process has a hung window (does not respond to window messages for at least 5 seconds).
-m Memory commit threshold in MB at which to create a dump of the process.
-ma Write a dump file with all process memory. The default dump format includes thread and handle information.
-n Number of dumps to write before exiting.
-o Overwrite an existing dump file.
-r Reflect (clone) the process for the dump to minimize the time the process is suspended (Windows 7 and higher only).
-s Consecutive seconds CPU threshold must be hit before dump is written (default is 10).
-t Write a dump when the process terminates.
-u Treat CPU usage relative to a single core.
-x Launch the specified image with optional arguments.
Use the -accepteula command line option to automatically accept the Sysinternals license agreement.

To just create a dump of a running process, omit the CPU threshold. If you omit the dump file name, it defaults to the process name with a .dmp extension.
Examples
Write up to 3 dumps of a process named "consume" when it exceeds 20% CPU usage for three seconds to the directory c:\dump\consume with the name consume.dmp (without -s the threshold must hold for the default 10 seconds):
C:\>procdump -c 20 -s 3 -n 3 -o consume c:\dump\consume
Write a dump for a process named "hang.exe" when one of its windows is unresponsive for more than 5 seconds:
C:\>procdump -h hang.exe hungwindow.dmp
Write 3 dumps 5 seconds apart:
C:\>procdump -s 5 -n 3 notepad.exe notepad.dmp
Launch a process and then monitor it for excessive CPU usage:
C:\>procdump -c 30 -s 10 -x consume.exe consume.dmp
Write a dump of a process named "iexplore" to a dump file that has the default name iexplore.dmp:
C:\>procdump iexplore
AccessChk v4.24
By Mark Russinovich
Introduction

As a part of ensuring that they've created a secure environment, Windows administrators often need to know what kind of access specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.
Installation
AccessChk is a console program. Copy AccessChk onto your executable path. Typing "accesschk" displays its usage syntax.

Using AccessChk
Usage: accesschk [-s][-e][-u][-r][-w][-n][-v][[-a]|[-k]| [-p [-f] [-t]][-o [-t object type]][-c]|[-d]] [username]
-a Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.
-c Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
-d Only process directories or top-level keys
-e Only show explicitly set Integrity Levels (Windows Vista only)
-f Show full process token information including groups and privileges
-k Name is a Registry key, e.g. hklm\software
-n Show only objects that have no access
-o Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type.
-p Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads.
-q Omit Banner
-r Show only objects that have read access
-s Recurse
-t Object type filter, e.g. "section"
-u Suppress errors
-v Verbose (includes Windows Vista Integrity Level)
-w Show only objects that have write access
If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.
By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.

Examples
The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:
accesschk "power users" c:\windows\system32
This command shows which Windows services members of the Users group have write access to:
accesschk users -cw *
To see what Registry keys under HKLM\Software a specific account has no access to:
accesschk -kns austin\mruss hklm\software
To see the security on the HKLM\Software key:
accesschk -k hklm\software
To see all files under \Users\Mark on Vista that have an explicit integrity level:
accesschk -e -s c:\users\mark
To see all global objects that Everyone can modify:
accesschk -wuo everyone \basednamedobjects
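As an added example (not part of the Sysinternals documentation above), the following Python script parses the non-verbose AccessChk output format described earlier, where each line starts with R, W, or nothing followed by the object name, and reduces it to the list of objects a given principal can modify, which is what an administrator would compare against an allow-list when auditing permissions on services or system directories. The AccessChk output it reads is constructed for the example, the exact column layout is an assumption, and -v (per-account) output is not handled.

```python
"""Summarise non-verbose AccessChk output: which objects can a principal write to?

Added example, not Sysinternals code. Format assumption: each object line is an
optional flag column (R, W or RW), whitespace, then the object name; lines with
neither flag are indented with blanks. Banner and blank lines are skipped.
"""
import re
from dataclasses import dataclass

# Optional R/W flag column, at least one space, then the object name (trailing
# whitespace dropped). Banner lines start with a letter that is not followed by
# whitespace in the flag position, so they fail the match and are ignored.
_LINE = re.compile(r"^([RW]{0,2})\s+(\S.*?)\s*$")


@dataclass(frozen=True)
class AccessEntry:
    name: str    # file, key, service or object name as AccessChk printed it
    read: bool   # R was present in the flag column
    write: bool  # W was present in the flag column


def parse_accesschk(output: str) -> list[AccessEntry]:
    """Turn raw AccessChk output into AccessEntry records, skipping the banner."""
    entries = []
    for line in output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        flags, name = m.groups()
        entries.append(AccessEntry(name, "R" in flags, "W" in flags))
    return entries


def summarize(entries: list[AccessEntry]) -> dict[str, list[str]]:
    """Group object names the way the -w, -r and -n switches would filter them."""
    return {
        "write": [e.name for e in entries if e.write],
        "read_only": [e.name for e in entries if e.read and not e.write],
        "none": [e.name for e in entries if not (e.read or e.write)],
    }


def writable_findings(output: str, principal: str,
                      expected_writable: frozenset[str] = frozenset()) -> list[str]:
    """One finding per writable object not on the (case-insensitive) allow-list."""
    allowed = {p.lower() for p in expected_writable}
    return [f"{principal} has write access to {name}"
            for name in summarize(parse_accesschk(output))["write"]
            if name.lower() not in allowed]


# Constructed sample in the style of "accesschk users c:\windows\system32"
# (not a capture from a real host; the banner text is invented too).
SAMPLE_FILES = """\
Accesschk v4.24 - Reports effective permissions for securable objects
Copyright (C) 2006-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

RW c:\\windows\\system32\\spool\\PRINTERS
R  c:\\windows\\system32\\drivers\\etc\\hosts
   c:\\windows\\system32\\config\\SAM
"""

# Constructed sample in the style of "accesschk users -cw *" (service names invented).
SAMPLE_SERVICES = """\
Accesschk v4.24 - Reports effective permissions for securable objects

RW ExampleUpdater
RW ExampleHelperSvc
"""

if __name__ == "__main__":
    for label, names in summarize(parse_accesschk(SAMPLE_FILES)).items():
        print(f"{label}: {names}")
    # Only ExampleHelperSvc is reported once ExampleUpdater is allow-listed.
    for finding in writable_findings(SAMPLE_SERVICES, "Users", frozenset({"ExampleUpdater"})):
        print(finding)
```

In practice you would feed the script the captured output of the accesschk commands shown above (for example accesschk users -cw * for services) and review every finding that is not an expected exception.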

Disk2vhd v1.5
By Mark Russinovich and Bryce Cogswell
http://technet.microsoft.com/hi-in/sysinternals/ee656415%28en-us%29.aspx
Disk2vhd is a utility that creates VHD (Virtual Hard Disk - Microsoft's Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs). The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on a system that's online. Disk2vhd uses Windows' Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes you want to include in a conversion. You can even have Disk2vhd create the VHDs on local volumes, even ones being converted (though performance is better when the VHD is on a disk different from the ones being converted).
The Disk2vhd user interface lists the volumes present on the system:
It will create one VHD for each disk on which selected volumes reside. It preserves the partitioning information of the disk, but only copies the data contents for volumes on the disk that are selected. This enables you to capture just system volumes and exclude data volumes, for example.
Note: Virtual PC supports a maximum virtual disk size of 127GB. If you create a VHD from a larger disk it will not be accessible from a Virtual PC VM.
To use VHDs produced by Disk2vhd, create a VM with the desired characteristics and add the VHDs to the VM's configuration as IDE disks. On first boot, a VM booting a captured copy of Windows will detect the VM's hardware and automatically install drivers, if present in the image. If the required drivers are not present, install them via the Virtual PC or Hyper-V integration components. You can also attach to VHDs using the Windows 7 or Windows Server 2008 R2 Disk Management or Diskpart utilities.
Note: do not attach to VHDs on the same system on which you created them if you plan on booting from them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the signature of the VHD’s source disk. Windows references disks in the boot configuration database (BCD) by disk signature, so when that happens Windows booted in a VM will fail to locate the boot disk.
Disk2vhd runs on Windows XP SP2, Windows Server 2003 SP1, and higher, including x64 systems.
Here's a screenshot of a copy of a Windows Server 2008 R2 Hyper-V system running in a virtual machine on top of the system it was made from:
Command Line Usage

Disk2vhd includes command-line options that enable you to script the creation of VHDs. Specify the volumes you want included in a snapshot by drive letter (e.g. c:) or use "*" to include all volumes.
Usage: disk2vhd <[drive: [drive:]...]|[*]>
Example: disk2vhd * c:\vhd\snapshot.vhd

Sysinternals Security Utilities
AccessChk
This tool shows you the accesses the user or group you specify has to files, Registry keys or Windows services.
AccessEnum
This simple yet powerful security tool shows you who has what access to directories, files and Registry keys on your systems. Use it to find holes in your permissions.
Autologon
Bypass password screen during logon.
Autoruns
See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
LogonSessions
List active logon sessions
Process Explorer
Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
PsExec
Execute processes with limited-user rights.
PsLoggedOn
Show users logged on to a system.
PsLogList
Dump event log records.
PsTools
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
RootkitRevealer
Scan your system for rootkit-based malware
SDelete
Securely overwrite your sensitive files and cleanse your free space of previously deleted files using this DoD-compliant secure delete program.
ShareEnum
Scan file shares on your network and view their security settings to close security holes.
ShellRunas
Launch programs as a different user via a convenient shell context-menu entry.
Sigcheck
Dump file version information and verify that images on your system are digitally signed.

http://technet.microsoft.com/hi-in/sysinternals/bb795534%28en-us%29.aspx
Process Monitor v2.8
By Mark Russinovich and Bryce Cogswell
http://technet.microsoft.com/hi-in/sysinternals/bb896645%28en-us%29.aspx
PsTools
By Mark Russinovich
Published: July 1, 2009
http://technet.microsoft.com/hi-in/sysinternals/bb896649%28en-us%29.aspx
PageDefrag v2.32
By Mark Russinovich
http://technet.microsoft.com/hi-in/sysinternals/bb897426%28en-us%29.aspx
RootkitRevealer v1.71
By Bryce Cogswell and Mark Russinovich
Published: November 1, 2006
http://technet.microsoft.com/hi-in/sysinternals/bb897445%28en-us%29.aspx
TCPView for Windows v2.54
By Mark Russinovich
Published: March 17, 2009
http://technet.microsoft.com/hi-in/sysinternals/bb897437%28en-us%29.aspx
BgInfo v4.16
By Bryce Cogswell
Published: October 1, 2009
http://technet.microsoft.com/hi-in/sysinternals/bb897557%28en-us%29.aspx
BlueScreen Screen Saver v3.2
By Mark Russinovich
Published: November 1, 2006
http://technet.microsoft.com/hi-in/sysinternals/bb897558%28en-us%29.aspx
Desktops v1.02
By Mark Russinovich and Bryce Cogswell
Published: January 19, 2010
http://technet.microsoft.com/hi-in/sysinternals/cc817881%28en-us%29.aspx

Sysinternals Networking Utilities
AD Explorer
Active Directory Explorer is an advanced Active Directory (AD) viewer and editor.
AD Insight
AD Insight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications.
AdRestore
Undelete Server 2003 Active Directory objects.
PipeList
Displays the named pipes on your system, including the number of maximum instances and active instances for each pipe.
PsFile
See what files are opened remotely.
PsTools
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
ShareEnum
Scan file shares on your network and view their security settings to close security holes.
TCPView
Active socket command-line viewer.
Whois
See who owns an Internet address.
http://technet.microsoft.com/hi-in/sysinternals/bb795532%28en-us%29.aspx
Sysinternals Process Utilities
Autoruns
See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
Handle
This handy command-line utility will show you what files are open by which processes, and much more.
ListDLLs
List all the DLLs that are currently loaded, including where they are loaded and their version numbers. Version 2.0 prints the full path names of loaded modules.
PortMon
Monitor serial and parallel port activity with this advanced monitoring tool. It knows about all standard serial and parallel IOCTLs and even shows you a portion of the data being sent and received. Version 3.x has powerful new UI enhancements and advanced filtering capabilities.
ProcDump
This new command-line utility is aimed at capturing process dumps of otherwise difficult to isolate and reproduce CPU spikes. It also serves as a general process dump creation utility and can also monitor and generate process dumps when a process has a hung window or unhandled exception.
Process Explorer
Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time.
PsExec
Execute processes remotely.
PsGetSid
Displays the SID of a computer or a user.
PsKill
Terminate local or remote processes.
PsList
Show information about processes and threads.
PsService
View and control services.
PsSuspend
Suspend and resume processes.
PsTools
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
ShellRunas
Launch programs as a different user via a convenient shell context-menu entry.
VMMap
See a breakdown of a process's committed virtual memory types as well as the amount of physical memory (working set) assigned by the operating system to those types. Identify the sources of process memory usage and the memory cost of application features.
http://technet.microsoft.com/hi-in/sysinternals/bb795533%28en-us%29.aspx
Sysinternals System Information Utilities
Autoruns
See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
ClockRes
View the resolution of the system clock, which is also the maximum timer resolution.
Coreinfo
Coreinfo is a command-line utility that shows you the mapping between logical processors and the physical processor, NUMA node, and socket on which they reside, as well as the caches assigned to each logical processor.
Handle
This handy command-line utility will show you what files are open by which processes, and much more.
LiveKd
Use Microsoft kernel debuggers to examine a live system.
LoadOrder
See the order in which devices are loaded on your WinNT/2K system.
LogonSessions
List the active logon sessions on a system.
PendMoves
Enumerate the list of file rename and delete commands that will be executed the next boot.
Process Explorer
Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
Process Monitor
Monitor file system, Registry, process, thread and DLL activity in real-time.
ProcFeatures
This applet reports processor and Windows support for Physical Address Extensions and No Execute buffer overflow protection.
PsInfo
Obtain information about a system.
PsLoggedOn
Show users logged on to a system
PsTools
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
WinObj
The ultimate Object Manager namespace viewer is here.
http://technet.microsoft.com/hi-in/sysinternals/bb795535%28en-us%29.aspx
Sysinternals Miscellaneous Utilities
AD Explorer
Active Directory Explorer is an advanced Active Directory (AD) viewer and editor.
AdRestore
Restore tombstoned Active Directory objects in Server 2003 domains.
Autologon
Bypass password screen during logon.
BgInfo
This fully-configurable program automatically generates desktop backgrounds that include important information about the system including IP addresses, computer name, network adapters, and more.
BlueScreen
This screen saver not only accurately simulates Blue Screens, but simulated reboots as well (complete with CHKDSK), and works on Windows NT 4, Windows 2000, Windows XP, Server 2003 and Windows 9x.
Ctrl2cap
This is a kernel-mode driver that demonstrates keyboard input filtering just above the keyboard class driver in order to turn caps-locks into control keys. Filtering at this level allows conversion and hiding of keys before NT even "sees" them. Ctrl2cap also shows how to use NtDisplayString() to print messages to the initialization blue-screen.
DebugView
Another first from Sysinternals: This program intercepts calls made to DbgPrint by device drivers and OutputDebugString made by Win32 programs. It allows for viewing and recording of debug session output on your local machine or across the Internet without an active debugger.
Desktops
This new utility enables you to create up to four virtual desktops and to use a tray interface or hotkeys to preview what’s on each desktop and easily switch between them.
Hex2dec
Convert hex numbers to decimal and vice versa.
PsLogList
Dump event log records.
PsTools
The PsTools suite includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.
RegDelNull
Scan for and delete Registry keys that contain embedded null-characters that are otherwise undeleteable by standard Registry-editing tools.
RegJump
Jump to the registry path you specify in Regedit.
Strings
Search for ANSI and UNICODE strings in binary images.
ZoomIt
Presentation utility for zooming and drawing on the screen.
http://technet.microsoft.com/hi-in/sysinternals/bb842059%28en-us%29.aspx


OTHER URLS :
http://channel9.msdn.com/shows/Going+Deep/Mark-Russinovich-From-Winternals-to-Microsoft-On-Windows-Security-Windows-CoreArch/
http://blogs.technet.com/Sysinternals/
http://technet.microsoft.com/hi-in/sysinternals/bb963890%28en-us%29.aspx