New book: Troubleshooting with the Windows Sysinternals Tools, Second Edition

  • Article

We’re pleased to announce the availability of Troubleshooting with the Windows Sysinternals Tools, 2nd Edition (ISBN 9780735684447), by Mark Russinovich and Aaron Margosis.

Purchase from these online retailers:

Microsoft Press Store Amazon Barnes & Noble Independent booksellers – Shop local

Optimize Windows system reliability and performance with Sysinternals

IT pros and power users consider the free Windows Sysinternals tools indispensable for diagnosing, troubleshooting, and deeply understanding the Windows platform. In this extensively updated guide, Sysinternals creator Mark Russinovich and Windows expert Aaron Margosis help you use these powerful tools to optimize any Windows system’s reliability, efficiency, performance, and security. The authors first explain Sysinternals’ capabilities and help you get started fast. Next, they offer in-depth coverage of each major tool, from Process Explorer and Process Monitor to Sysinternals’ security and file utilities. Then, building on this knowledge, they show the tools being used to solve real-world cases involving error messages, hangs, sluggishness, malware infections, and much more.

Windows Sysinternals creator Mark Russinovich and Aaron Margosis show you how to:

  • Use Process Explorer to display detailed process and system information
  • Use Process Monitor to capture low-level system events, and quickly filter the output to narrow down root causes
  • List, categorize, and manage software that starts when you start or sign in to your computer, or when you run Microsoft Office or Internet Explorer
  • Verify digital signatures of files, of running programs, and of the modules loaded in those programs
  • Use Autoruns, Process Explorer, Sigcheck, and Process Monitor features that can identify and clean malware infestations
  • Inspect permissions on files, keys, services, shares, and other objects
  • Use Sysmon to monitor security-relevant events across your network
  • Generate memory dumps when a process meets specified criteria
  • Execute processes remotely, and close files that were opened remotely
  • Manage Active Directory objects and trace LDAP API calls
  • Capture detailed data about processors, memory, and clocks
  • Troubleshoot unbootable devices, file-in-use errors, unexplained communication, and many other problems
  • Understand Windows core concepts that aren’t well-documented elsewhere

Introduction

The Sysinternals Suite is a set of over 70 advanced diagnostic and troubleshooting utilities for the Microsoft Windows platform written by me—Mark Russinovich—and Bryce Cogswell. Since Microsoft’s acquisition of Sysinternals in 2006, these utilities have been available for free download from Microsoft’s Windows Sysinternals website (part of Microsoft TechNet).

The goal of this book is to familiarize you with the Sysinternals utilities and help you understand how to use them to their fullest. The book will also show you examples of how I and other Sysinternals users have leveraged the utilities to solve real problems on Windows systems.

Although I coauthored this book with Aaron Margosis, the book is written as if I am speaking. This is not at all a comment on Aaron’s contribution to the book; without his hard work, this book would not exist.

Tools the book covers

This book describes all of the Sysinternals utilities that are available on the Windows Sysinternals website (https://technet.microsoft.com/en-us/sysinternals/default.aspx) and all of their features as of the time of this writing (early summer, 2016). However, Sysinternals is highly dynamic: existing utilities regularly gain new capabilities, and new utilities are introduced from time to time. (To keep up, follow the RSS feed of the “Sysinternals Site Discussion” blog: https://blogs.technet.microsoft.com/sysinternals/.) So, by the time you read this book, some parts of it might already be out of date. That said, you should always keep the Sysinternals utilities updated to take advantage of new features and bug fixes.

This book does not cover Sysinternals utilities that have been deprecated and are no longer available on the Sysinternals site. If you are still using RegMon (Registry Monitor) or FileMon (File Monitor), you should replace them with Process Monitor, described in Chapter 5. Rootkit Revealer, one of the computer industry’s first rootkit detectors (and the tool that discovered the “Sony rootkit”), has served its purpose and has been retired. Similarly, a few other utilities (such as Newsid and EfsDump) that used to provide unique value have been retired because either they were no longer needed or `equivalent functionality was eventually added to Windows.

About the authors

Mark Russinovich is Chief Technology Officer of Microsoft Azure, where he oversees the technical strategy and architecture of Microsoft’s cloud computing platform. He is a widely recognized expert in distributed systems, operating system internals, and cybersecurity. He is the author of the Jeff Aiken cyberthriller novels, Zero Day, Trojan Horse, and Rogue Code, and co-author of the Microsoft Press Windows Internals books. Russinovich joined Microsoft in 2006 when Microsoft acquired Winternals Software, the company he cofounded in 1996, as well as Sysinternals, where he authors and publishes dozens of popular Windows administration and diagnostic utilities. He is a featured speaker at major industry conferences, including Microsoft Ignite, Microsoft //build, RSA Conference, and more.

You can contact Mark at markruss@microsoft.com and follow him on Twitter at https://www.twitter.com/markrussinovich.

Aaron Margosis is a Principal Consultant with Microsoft’s Global Cybersecurity Practice, where he has worked with security-conscious customers since 1999. Aaron specializes in Windows security, least-privilege, application compatibility, and the configuration of locked-down environments. He is a top speaker at Microsoft conferences, and created many of the tools commonly used by organizations implementing high-security environments, including LUA Buglight, Policy Analyzer, IE Zone Analyzer, LGPO.exe (Local Group Policy Object utility), and MakeMeAdmin, which can be downloaded through his blog (https://blogs.msdn.microsoft.com/aaron_margosis) or through two team blogs for which he is a primary author (https://blogs.technet.microsoft.com/fdcc and https://blogs.technet.microsoft.com/SecGuide).

You can contact Aaron at aaronmar@microsoft.com, and follow him on Twitter at https://www.twitter.com/AaronMargosis.