Troubleshooting with the Windows Sysinternals Tools, 2nd Edition

About

Features

• Process Explorer, Process Monitor, and 70 other powerful (and free!) utilities
• Applicable to all technical roles on Windows, including hobbyists, developers, and researchers
• Includes an expanded “Case of the Unexplained," detailed coverage of new tools and updated features in existing tools, and a “Procmon and ProcDump, Better Together” feature demonstrating new capabilities that the tools now enable in each other



Description

• Copyright 2017
• Dimensions: 7-3/8" x 9"
• Pages: 688
• Edition: 2nd

• Book
• ISBN-10: 0-7356-8444-8
• ISBN-13: 978-0-7356-8444-7

Optimize Windows system reliability and performance with Sysinternals

IT pros and power users consider the free Windows Sysinternals tools indispensable for diagnosing, troubleshooting, and deeply understanding the Windows platform. In this extensively updated guide, Sysinternals creator Mark Russinovich and Windows expert Aaron Margosis help you use these powerful tools to optimize any Windows system’s reliability, efficiency, performance, and security. The authors first explain Sysinternals’ capabilities and help you get started fast. Next, they offer in-depth coverage of each major tool, from Process Explorer and Process Monitor to Sysinternals’ security and file utilities. Then, building on this knowledge, they show the tools being used to solve real-world cases involving error messages, hangs, sluggishness, malware infections, and much more.

Windows Sysinternals creator Mark Russinovich and Aaron Margosis show you how to:

• Use Process Explorer to display detailed process and system information
• Use Process Monitor to capture low-level system events, and quickly filter the output to narrow down root causes
• List, categorize, and manage software that starts when you start or sign in to your computer, or when you run Microsoft Office or Internet Explorer
• Verify digital signatures of files, of running programs, and of the modules loaded in those programs
• Use Autoruns, Process Explorer, Sigcheck, and Process Monitor features that can identify and clean malware infestations
• Inspect permissions on files, keys, services, shares, and other objects
• Use Sysmon to monitor security-relevant events across your network
• Generate memory dumps when a process meets specified criteria
• Execute processes remotely, and close files that were opened remotely
• Manage Active Directory objects and trace LDAP API calls
• Capture detailed data about processors, memory, and clocks
• Troubleshoot unbootable devices, file-in-use errors, unexplained communication, and many other problems
• Understand Windows core concepts that aren’t well-documented elsewhere



Sample Content

Sample Pages

Download the sample pages (includes Chapter 4 and the Index.)

Table of Contents

Part I      Getting started

Chapter 1 Getting started with the Sysinternals utilities          

Overview of the utilities

The Windows Sysinternals website

Sysinternals license information

Chapter 2 Windows core concepts                                         

Administrative rights

Processes, threads, and jobs

User mode and kernel mode

Handles

Application isolation

Call stacks and symbols

Sessions, window stations, desktops, and window messages

Chapter 3 Process Explorer              

Procexp overview

Main window

DLLs and handles

Process details

Thread details

Verifying image signatures

VirusTotal analysis

System information

Display options

Procexp as a Task Manager replacement

Miscellaneous features

Keyboard shortcut reference

Chapter 4 Autoruns                                                            

Autoruns fundamentals

Autostart categories

Saving and comparing results

AutorunsC

Autoruns and malware

Part II     Usage guide

Chapter 5 Process Monitor                                                   

Getting started with Procmon

Events

Filtering, highlighting, and bookmarking

Process Tree

Saving and opening Procmon traces

Logging boot, post-logoff, and shutdown activity

Long-running traces and controlling log sizes

Importing and exporting configuration settings

Automating Procmon: command-line options

Analysis tools

Injecting custom debug output into Procmon traces

Toolbar reference

Chapter 6 ProcDump  

Command-line syntax

Specifying which process to monitor

Specifying the dump file path

Specifying criteria for a dump

Monitoring exceptions

Dump file options

Miniplus dumps

ProcDump and Procmon: Better together

Running ProcDump noninteractively

Viewing the dump in the debugger

Chapter 7 PsTools                                                               

Common features

PsExec

PsFile

PsGetSid

PsInfo

PsKill

PsList

PsLoggedOn

PsLogList

PsPasswd

PsService

PsShutdown

PsSuspend

PsTools command-line syntax

PsTools system requirements

Chapter 8 Process and diagnostic utilities                               

VMMap

DebugView

LiveKd

ListDLLs

Handle

Chapter 9 Security utilities                                             

SigCheck

AccessChk

Sysmon

AccessEnum

ShareEnum

ShellRunAs

Autologon

LogonSessions

SDelete

Chapter 10  Active Directory utilities                                    

AdExplorer

AdInsight

AdRestore

Chapter 11  Desktop utilities                                                

BgInfo

Desktops.

ZoomIt

Chapter 12  File utilities                                                       

Strings

Streams

NTFS link utilities

Disk Usage (DU)

Post-reboot file operation utilities

Chapter 13  Disk utilities                                                      

Disk2Vhd

Sync

DiskView

Contig

DiskExt

LDMDump

VolumeID

Chapter 14  Network and communication utilities                   

PsPing

TCPView

Whois

Chapter 15  System information utilities                                

RAMMap

Registry Usage (RU)

CoreInfo

WinObj

LoadOrder

PipeList

ClockRes

Chapter 16  Miscellaneous utilities                                         

RegJump

Hex2Dec

RegDelNull

Bluescreen Screen Saver

Ctrl2Cap

Part III    Troubleshooting—“The Case of the
Unexplained…”

Chapter 17  Error messages                                                 

Troubleshooting error messages

The Case of the Locked Folder

The Case of the File In Use Error

The Case of the Unknown Photo Viewer Error

The Case of the Failing ActiveX Registration

The Case of the Failed Play-To

The Case of the Installation Failure

The Case of the Unreadable Text Files

The Case of the Missing Folder Association

The Case of the Temporary Registry Profiles

The Case of the Office RMS Error

The Case of the Failed Forest Functional Level Raise

Chapter 18  Crashes                                                            

Troubleshooting crashes

The Case of the Failed AV Update

The Case of the Crashing Proksi Utility

The Case of the Failed Network Location Awareness Service 

The Case of the Failed EMET Upgrade

The Case of the Missing Crash Dump

The Case of the Random Sluggishness

Chapter 19  Hangs and sluggish performance

Troubleshooting hangs and sluggish performance

The Case of the IExplore-Pegged CPU

The Case of the Runaway Website

The Case of the Excessive ReadyBoost

The Case of the Stuttering Laptop Blu-ray Player

The Case of the Company 15-Minute Logons

The Case of the Hanging PayPal Emails

The Case of the Hanging Accounting Software

The Case of the Slow Keynote Demo

The Case of the Slow Project File Opens

The Compound Case of the Outlook Hangs

Chapter 20  Malware                                                           

Troubleshooting malware

Stuxnet

The Case of the Strange Reboots

The Case of the Fake Java Updater

The Case of the Winwebsec Scareware

The Case of the Runaway GPU

The Case of the Unexplained FTP Connections

The Case of the Misconfigured Service

The Case of the Sysinternals-Blocking Malware

The Case of the Process-Killing Malware

The Case of the Fake System Component

The Case of the Mysterious ASEP

Chapter 21  Understanding system behavior                           

The Case of the Q: Drive

The Case of the Unexplained Network Connections

The Case of the Short-Lived Processes

The Case of the App Install Recorder

The Case of the Unknown NTLM Communications

Chapter 22  Developer troubleshooting                                   

The Case of the Broken Kerberos Delegation

The Case of the ProcDump Memory Leak

  



Updates

Submit Errata

