RTM’d today: Windows Sysinternals Administrator's Reference

We’re very happy to announce that Windows Sysinternals Administrator's Reference, by Mark Russinovich and Aaron Margosis (Microsoft Press, 2011; ISBN: 9780735656727; 496 pages), shipped to the printer today! Hard copies should begin shipping from our distributor to customers on June 27.

You can order the book here as well as here.

Today’s post shares the book’s Introduction and its Contents at a Glance.

Introduction

The Sysinternals Suite is a set of over 70 advanced diagnostic and troubleshooting utilities
for the Microsoft Windows platform written by me—Mark Russinovich—and Bryce Cogswell.
Since Microsoft’s acquisition of Sysinternals in 2006, these utilities have been available for
free download from Microsoft’s Windows Sysinternals Web site (part of Microsoft TechNet).

The goal of this book is to familiarize you with the Sysinternals utilities and help you 
understand how to use them to their fullest. The book will also show you examples of how
I and other Sysinternals users have leveraged the utilities to solve real problems on Windows
systems.

Although I coauthored this book with Aaron Margosis, the book is written as if I am speaking.
This is not at all a comment on Aaron’s contribution to the book; without his hard work, this
book would not exist.

Tools the Book Covers

This book describes all of the Sysinternals utilities that are available on the Windows
Sysinternals Web site (https://technet.microsoft.com/en-us/sysinternals/default.aspx) and all
of their features as of the time of this writing (summer, 2011). However, Sysinternals is highly
dynamic: existing utilities regularly gain new capabilities, and new utilities are introduced
from time to time. (To keep up, follow the RSS feed of the “Sysinternals Site Discussion” blog:
https://blogs.technet.com/b/sysinternals/.) So, by the time you read this book, some parts of
it may already be out of date. That said, you should always keep the Sysinternals utilities 
updated to take advantage of new features and bug fixes.

This book does not cover Sysinternals utilities that have been deprecated and are no longer
available on the Sysinternals site. If you are still using RegMon (Registry Monitor) or FileMon
(File Monitor), you should replace them with Process Monitor, described in Chapter 4. Rootkit
Revealer, one of the computer industry’s first rootkit detectors (and the tool that discovered
the “Sony rootkit”), has served its purpose and has been retired. Similarly, a few other utilities
(such as Newsid and EfsDump) that used to provide unique value have been retired because
either they were no longer needed or equivalent functionality was eventually added
to Windows.

The History of Sysinternals

The first Sysinternals utility I wrote, Ctrl2cap, was born of necessity. Before I started using
Windows NT in 1995, I mostly used UNIX systems, which have keyboards that place the Ctrl
key where the Caps Lock key is on standard PC keyboards. Rather than adapt to the new
layout, I set out to learn about Windows NT device driver development and to write a driver
that converts Caps Lock key presses into Ctrl key presses as they make their way from the
keyboard into the Windows NT input system. Ctrl2cap is still posted on the Sysinternals site
today, and I still use it on all my systems.

Ctrl2cap was the first of many tools I wrote to learn about the way Windows NT works under
the hood while at the same time providing some useful functionality. The next tool I wrote,
NTFSDOS, I developed with Bryce Cogswell. I had met Bryce in graduate school at Carnegie
Mellon University, and we had written several academic papers together and worked on
a startup project where we developed software for Windows 3.1. I pitched the idea of a
tool that would allow users to retrieve data from an NTFS-formatted partition by using the 
ubiquitous DOS floppy. Bryce thought it would be a fun programming challenge, and we 
divided up the work and released the first version about a month later.

I also wrote the next two tools, Filemon and Regmon, with Bryce. These three utilities—
NTFSDOS, Filemon, and Regmon—became the foundation for Sysinternals. Filemon and
Regmon, both of which we released for Windows 95 and Windows NT, showed file system
and registry activity, becoming the first tools anywhere to do so and making them
indispensable troubleshooting aids.

Bryce and I decided to make the tools available for others to use, but we didn’t have a Web
site of our own, so we initially published them on the site of a friend, Andrew Schulman,
whom I’d met in conjunction with his own work uncovering the internal operation of DOS
and Windows 95. Going through an intermediary didn’t allow us to update the tools with
enhancements and bug fixes as quickly as we wanted, so in September 1996 Bryce and I 
created NTInternals.com to host the tools and articles we wrote about the internal operation
of Windows 95 and Windows NT. Bryce and I had also developed tools that we decided we
could sell for some side income, so the same month, we also founded Winternals Software, a
commercial software company that we bootstrapped by driving traffic with a single banner
ad on NTInternals.com. The first utility we released as Winternals Software was NTRecover,
a utility that enabled users to mount the disks of unbootable Windows NT systems from a
working system and access them as if they were locally attached disks.

The mission of NTInternals.com was to distribute freeware tools that leveraged our deep 
understanding of the Windows operating system in order to deliver powerful diagnostic,
monitoring, and management capabilities. Within a few months, the site, shown below as it
looked in December 1996 (thanks to the Internet Archive’s Wayback Machine), drew 1,500
visitors per day, making it one of the most popular utility sites for Windows in the early days
of the Internet revolution. In 1998, at the “encouragement” of Microsoft lawyers, we changed
the site’s name to Sysinternals.com.

Over the next several years, the utilities continued to evolve. We added more utilities as we
needed them, as our early power users suggested enhancements, or when we thought of a
new way to show information about Windows.

[Image: the NTInternals.com site as it looked in December 1996]

The Sysinternals utilities fell into three basic categories: those used to help programmers,
those for system troubleshooting, and those for systems management. DebugView, a utility
that captures and displays program debug statements, was one of the early developer-
oriented tools that I wrote to aid my own development of device drivers. DLLView, a tool for
displaying the DLLs that processes have loaded, and HandleEx, a process-listing GUI utility
that showed open handles, were two of the early troubleshooting tools. (I merged DLLView
and HandleEx to create Process Explorer in 2001.) The PsTools, discussed in Chapter 6, are
some of the most popular management utilities, bundled into a suite for easy download.
PsList, the first PsTool, was inspired initially by the UNIX “ps” command, which provides a
process listing. The utilities grew in number and functionality, becoming a software suite of
utilities that allowed you to easily perform many tasks on a remote system without requiring
installation of special software on the remote system beforehand.

Also in 1996, I began writing for Windows IT Pro magazine, highlighting Windows internals
and the Sysinternals utilities and contributing additional feature articles, including a 
controversial article in 1996 that established my name within Microsoft itself, though not
necessarily in a positive way. The article, “Inside the Difference Between Windows NT
Workstation and Windows NT Server,” pointed out the limited differences between Windows
NT Workstation and Windows NT Server, which contradicted Microsoft’s marketing message.

As the utilities continued to evolve and grow, I began to contemplate writing a book on
Windows internals. Such a book already existed, Inside Windows NT (Microsoft Press, 1992),
the first edition of which was written by Helen Custer alongside the original release of
Windows NT 3.1. The second edition was rewritten and enhanced for Windows NT 4.0 by
David Solomon, a well-established operating system expert, trainer, and writer who had
worked at DEC. Instead of writing a book from scratch, I contacted him and suggested
that I coauthor the third edition, which would cover Windows 2000. My relationship with
Microsoft had been on the mend since the 1996 article as the result of my sending Windows
bug reports directly to Windows developers, but David still had to obtain permission, which
Microsoft granted.

As a result, David Solomon and I coauthored the third, fourth, and fifth editions of the book,
which we renamed Windows Internals at the fourth edition. (The fifth edition of Windows
Internals was published in 2009.) Not long after we finished Inside Windows 2000 (Microsoft
Press, 2000), I joined David to teach his Windows internals seminars, adding my own content.
Offered around the world, even at Microsoft to the developers of Windows, these classes
have long used the Sysinternals utilities to show students how to peer deep into Windows
internals and learn more when they returned to their developer and IT professional roles at
home. David still offers Windows internals classes at https://www.solsem.com/.

By 2006, my relationship with Microsoft had been strong for several years, Winternals had
a full line of enterprise management software and had grown to about 100 employees,
and Sysinternals had two million downloads per day. On July 18, 2006, Microsoft acquired
Winternals and Sysinternals. Not long after, Bryce and I (there we are below in 2006) moved
to Redmond to become a part of the Windows team. Today, I serve as one of Microsoft’s
small group of Technical Fellows, providing technical leadership to help drive the direction of
the company. I’m now in the Windows Azure group, working on the “kernel” of Microsoft’s
cloud operating system.

[Image: Bryce Cogswell and Mark Russinovich in 2006]

Two of the goals of the acquisition were to make sure that the tools Bryce and I developed
would continue to be freely available and that the community we built would thrive, and
they have. Today, the Windows Sysinternals site on technet.microsoft.com is one of the
most frequently visited sites on TechNet, averaging 50,000 visitors per day and three million
downloads per month. Sysinternals power users come back time and again for the
latest versions of the utilities and for new utilities, such as the recently released RAMMap
and VMMap, as well as to participate in the Sysinternals community, a growing forum with
over 30,000 registered users at the time of this writing. I remain dedicated to continuing to 
enhance the existing tools and to add new tools, including ones focused on Windows Azure.

Many people suggested that a book on the tools would be valuable, but it wasn’t until David
Solomon suggested that one was way overdue that I started the project. My responsibilities
at Microsoft did not permit me to devote the time necessary to write another book, but
David pointed out that I could find someone to help. I was pleased that Aaron Margosis
agreed to partner with me. Aaron is a Principal Consultant with Microsoft Public Sector
Services who is known for his deep understanding of Windows security and application 
compatibility. I have known Aaron for many years and his excellent writing skills, familiarity
with Windows internals, and proficiency with the Sysinternals tools made him an ideal
coauthor.

Who Should Read This Book

This book exists for Windows IT professionals and power users who want to make the most
of the Sysinternals tools. Regardless of your experience with the tools, and whether you 
manage the systems of a large enterprise, a small business, or the PCs of your family and
friends, you’re sure to discover new tools, pick up tips, and learn techniques that will help you
more effectively troubleshoot the toughest Windows problems and simplify your system-
management operations and monitoring.

Assumptions

This book expects that you have familiarity with the Windows operating system. Basic
familiarity with concepts such as processes, threads, virtual memory, and the Windows
command prompt is helpful, though some of these concepts are discussed in Chapter 2,
“Windows Core Concepts.”

Organization of This Book

The book is divided into three parts. Part I, “Getting Started,” provides an overview of the
Sysinternals utilities and the Sysinternals Web site, describes features common to all of the
utilities, tells you where to go for help, and discusses some Windows core concepts that will
help you better understand the platform and the information reported by the utilities.
Part II, “Usage Guide,” is a detailed reference guide covering all of the Sysinternals utilities’
features, command-line options, system requirements, and caveats. With plentiful screen
shots and usage examples, this section should answer just about any question you have
about the utilities. Major utilities such as Process Explorer and Process Monitor each get their
own chapter; subsequent chapters cover utilities by category, such as security utilities, Active
Directory utilities, and file utilities.

Part III, “Troubleshooting—‘The Case of the Unexplained…’,” contains stories of real-world
problem solving using the Sysinternals utilities from Aaron and me, as well as from 
administrators and power users from around the world.

Contents at a Glance

Part I     Getting Started
     1  Getting Started with the Sysinternals Utilities ..... 3
     2  Windows Core Concepts ..... 15

Part II     Usage Guide
     3  Process Explorer ..... 39
     4  Process Monitor ..... 101
     5  Autoruns ..... 145
     6  PsTools ..... 171
     7  Process and Diagnostic Utilities ..... 211
     8  Security Utilities ..... 261
     9  Active Directory Utilities ..... 287
     10  Desktop Utilities ..... 309
     11  File Utilities ..... 325
     12  Disk Utilities ..... 335
     13  Network and Communication Utilities ..... 351
     14  System Information Utilities ..... 359
     15  Miscellaneous Utilities ..... 377

Part III     Troubleshooting—“The Case of the Unexplained...”
     16  Error Messages ..... 383
     17  Hangs and Sluggish Performance ..... 405
     18  Malware ..... 427

We hope that you will enjoy the book as much as you enjoy the Sysinternals tools.